--- /dev/null
+From 85140ef275f577f64e8a2c5789447222dfc14fc4 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Mon, 11 Jul 2022 14:25:59 +0300
+Subject: ACPI: property: Return type of acpi_add_nondev_subnodes() should be bool
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 85140ef275f577f64e8a2c5789447222dfc14fc4 upstream.
+
+The value acpi_add_nondev_subnodes() returns is bool so change the return
+type of the function to match that.
+
+Fixes: 445b0eb058f5 ("ACPI / property: Add support for data-only subnodes")
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/property.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/acpi/property.c
++++ b/drivers/acpi/property.c
+@@ -155,10 +155,10 @@ static bool acpi_nondev_subnode_ok(acpi_
+ return acpi_nondev_subnode_data_ok(handle, link, list, parent);
+ }
+
+-static int acpi_add_nondev_subnodes(acpi_handle scope,
+- const union acpi_object *links,
+- struct list_head *list,
+- struct fwnode_handle *parent)
++static bool acpi_add_nondev_subnodes(acpi_handle scope,
++ const union acpi_object *links,
++ struct list_head *list,
++ struct fwnode_handle *parent)
+ {
+ bool ret = false;
+ int i;
--- /dev/null
+From 636aa8807b5780b76609b40cd3d3e1b5a225471c Mon Sep 17 00:00:00 2001
+From: Mohan Kumar <mkumard@nvidia.com>
+Date: Thu, 11 Aug 2022 10:57:04 +0530
+Subject: ALSA: hda: Fix crash due to jack poll in suspend
+
+From: Mohan Kumar <mkumard@nvidia.com>
+
+commit 636aa8807b5780b76609b40cd3d3e1b5a225471c upstream.
+
+With jackpoll_in_suspend flag set, there is a possibility that
+jack poll worker thread will run even after system suspend was
+completed. Any register access after system pm callback flow
+will result in kernel crash as still jack poll worker thread
+tries to access registers.
+
+To fix the crash issue during system flow, cancel the jack poll
+worker thread during system pm prepare callback and cancel the
+worker thread at start of runtime suspend callback and re-schedule
+at last to avoid any unwarranted access of register by worker thread
+during suspend flow.
+
+Signed-off-by: Mohan Kumar <mkumard@nvidia.com>
+Fixes: b33115bd05af ("ALSA: hda: Jack detection poll in suspend state")
+Link: https://lore.kernel.org/r/20220811052704.2944-1-mkumard@nvidia.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/hda_codec.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -2935,8 +2935,7 @@ static int hda_codec_runtime_suspend(str
+ if (!codec->card)
+ return 0;
+
+- if (!codec->bus->jackpoll_in_suspend)
+- cancel_delayed_work_sync(&codec->jackpoll_work);
++ cancel_delayed_work_sync(&codec->jackpoll_work);
+
+ state = hda_call_codec_suspend(codec);
+ if (codec->link_down_at_suspend ||
+@@ -2944,6 +2943,11 @@ static int hda_codec_runtime_suspend(str
+ (state & AC_PWRST_CLK_STOP_OK)))
+ snd_hdac_codec_link_down(&codec->core);
+ snd_hda_codec_display_power(codec, false);
++
++ if (codec->bus->jackpoll_in_suspend &&
++ (dev->power.power_state.event != PM_EVENT_SUSPEND))
++ schedule_delayed_work(&codec->jackpoll_work,
++ codec->jackpoll_interval);
+ return 0;
+ }
+
+@@ -2967,6 +2971,9 @@ static int hda_codec_runtime_resume(stru
+ #ifdef CONFIG_PM_SLEEP
+ static int hda_codec_pm_prepare(struct device *dev)
+ {
++ struct hda_codec *codec = dev_to_hda_codec(dev);
++
++ cancel_delayed_work_sync(&codec->jackpoll_work);
+ dev->power.power_state = PMSG_SUSPEND;
+ return pm_runtime_suspended(dev);
+ }
+@@ -2986,9 +2993,6 @@ static void hda_codec_pm_complete(struct
+
+ static int hda_codec_pm_suspend(struct device *dev)
+ {
+- struct hda_codec *codec = dev_to_hda_codec(dev);
+-
+- cancel_delayed_work_sync(&codec->jackpoll_work);
+ dev->power.power_state = PMSG_SUSPEND;
+ return pm_runtime_force_suspend(dev);
+ }
--- /dev/null
+From 6bc2906253e723d1ab1acc652b55b83e286bfec2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 9 Aug 2022 09:32:59 +0200
+Subject: ALSA: usb-audio: More comprehensive mixer map for ASUS ROG Zenith II
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6bc2906253e723d1ab1acc652b55b83e286bfec2 upstream.
+
+ASUS ROG Zenith II has two USB interfaces, one for the front headphone
+and another for the rest I/O. Currently we provided the mixer mapping
+for the latter but with an incomplete form.
+
+This patch corrects and provides more comprehensive mixer mapping, as
+well as providing the proper device names for both the front headphone
+and main audio.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=211005
+Fixes: 2a48218f8e23 ("ALSA: usb-audio: Add mixer workaround for TRX40 and co")
+Link: https://lore.kernel.org/r/20220809073259.18849-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/card.c | 8 ++++++++
+ sound/usb/mixer_maps.c | 34 +++++++++++++++++++++++++---------
+ 2 files changed, 33 insertions(+), 9 deletions(-)
+
+--- a/sound/usb/card.c
++++ b/sound/usb/card.c
+@@ -387,6 +387,14 @@ static const struct usb_audio_device_nam
+ DEVICE_NAME(0x05e1, 0x0408, "Syntek", "STK1160"),
+ DEVICE_NAME(0x05e1, 0x0480, "Hauppauge", "Woodbury"),
+
++ /* ASUS ROG Zenith II: this machine has also two devices, one for
++ * the front headphone and another for the rest
++ */
++ PROFILE_NAME(0x0b05, 0x1915, "ASUS", "Zenith II Front Headphone",
++ "Zenith-II-Front-Headphone"),
++ PROFILE_NAME(0x0b05, 0x1916, "ASUS", "Zenith II Main Audio",
++ "Zenith-II-Main-Audio"),
++
+ /* ASUS ROG Strix */
+ PROFILE_NAME(0x0b05, 0x1917,
+ "Realtek", "ALC1220-VB-DT", "Realtek-ALC1220-VB-Desktop"),
+--- a/sound/usb/mixer_maps.c
++++ b/sound/usb/mixer_maps.c
+@@ -374,13 +374,28 @@ static const struct usbmix_name_map cors
+ { 0 }
+ };
+
+-/* Some mobos shipped with a dummy HD-audio show the invalid GET_MIN/GET_MAX
+- * response for Input Gain Pad (id=19, control=12) and the connector status
+- * for SPDIF terminal (id=18). Skip them.
+- */
+-static const struct usbmix_name_map asus_rog_map[] = {
+- { 18, NULL }, /* OT, connector control */
+- { 19, NULL, 12 }, /* FU, Input Gain Pad */
++/* ASUS ROG Zenith II with Realtek ALC1220-VB */
++static const struct usbmix_name_map asus_zenith_ii_map[] = {
++ { 19, NULL, 12 }, /* FU, Input Gain Pad - broken response, disabled */
++ { 16, "Speaker" }, /* OT */
++ { 22, "Speaker Playback" }, /* FU */
++ { 7, "Line" }, /* IT */
++ { 19, "Line Capture" }, /* FU */
++ { 8, "Mic" }, /* IT */
++ { 20, "Mic Capture" }, /* FU */
++ { 9, "Front Mic" }, /* IT */
++ { 21, "Front Mic Capture" }, /* FU */
++ { 17, "IEC958" }, /* OT */
++ { 23, "IEC958 Playback" }, /* FU */
++ {}
++};
++
++static const struct usbmix_connector_map asus_zenith_ii_connector_map[] = {
++ { 10, 16 }, /* (Back) Speaker */
++ { 11, 17 }, /* SPDIF */
++ { 13, 7 }, /* Line */
++ { 14, 8 }, /* Mic */
++ { 15, 9 }, /* Front Mic */
+ {}
+ };
+
+@@ -611,9 +626,10 @@ static const struct usbmix_ctl_map usbmi
+ .map = gigabyte_b450_map,
+ .connector_map = gigabyte_b450_connector_map,
+ },
+- { /* ASUS ROG Zenith II */
++ { /* ASUS ROG Zenith II (main audio) */
+ .id = USB_ID(0x0b05, 0x1916),
+- .map = asus_rog_map,
++ .map = asus_zenith_ii_map,
++ .connector_map = asus_zenith_ii_connector_map,
+ },
+ { /* ASUS ROG Strix */
+ .id = USB_ID(0x0b05, 0x1917),
--- /dev/null
+From 3e2a3a0830a2090e766d0d887d52c67de2a6f323 Mon Sep 17 00:00:00 2001
+From: Tom Rix <trix@redhat.com>
+Date: Sun, 13 Feb 2022 13:32:28 -0800
+Subject: apparmor: fix aa_label_asxprint return check
+
+From: Tom Rix <trix@redhat.com>
+
+commit 3e2a3a0830a2090e766d0d887d52c67de2a6f323 upstream.
+
+Clang static analysis reports this issue
+label.c:1802:3: warning: 2nd function call argument
+ is an uninitialized value
+ pr_info("%s", str);
+ ^~~~~~~~~~~~~~~~~~
+
+str is set from a successful call to aa_label_asxprint(&str, ...)
+On failure a negative value is returned, not a -1. So change
+the check.
+
+Fixes: f1bd904175e8 ("apparmor: add the base fns() for domain labels")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/label.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/security/apparmor/label.c
++++ b/security/apparmor/label.c
+@@ -1744,7 +1744,7 @@ void aa_label_xaudit(struct audit_buffer
+ if (!use_label_hname(ns, label, flags) ||
+ display_mode(ns, label, flags)) {
+ len = aa_label_asxprint(&name, ns, label, flags, gfp);
+- if (len == -1) {
++ if (len < 0) {
+ AA_DEBUG("label print error");
+ return;
+ }
+@@ -1772,7 +1772,7 @@ void aa_label_seq_xprint(struct seq_file
+ int len;
+
+ len = aa_label_asxprint(&str, ns, label, flags, gfp);
+- if (len == -1) {
++ if (len < 0) {
+ AA_DEBUG("label print error");
+ return;
+ }
+@@ -1795,7 +1795,7 @@ void aa_label_xprintk(struct aa_ns *ns,
+ int len;
+
+ len = aa_label_asxprint(&str, ns, label, flags, gfp);
+- if (len == -1) {
++ if (len < 0) {
+ AA_DEBUG("label print error");
+ return;
+ }
--- /dev/null
+From 511f7b5b835726e844a5fc7444c18e4b8672edfd Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Tue, 14 Dec 2021 02:59:28 -0800
+Subject: apparmor: fix absroot causing audited secids to begin with =
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 511f7b5b835726e844a5fc7444c18e4b8672edfd upstream.
+
+AppArmor is prefixing secids that are converted to secctx with the =
+to indicate the secctx should only be parsed from an absolute root
+POV. This allows catching errors where secctx are reparsed back into
+internal labels.
+
+Unfortunately because audit is using secid to secctx conversion this
+means that subject and object labels can result in a very unfortunate
+== that can break audit parsing.
+
+eg. the subj==unconfined term in the below audit message
+
+type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000
+ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd"
+hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'
+
+Fix this by switch the prepending of = to a _. This still works as a
+special character to flag this case without breaking audit. Also move
+this check behind debug as it should not be needed during normal
+operqation.
+
+Fixes: 26b7899510ae ("apparmor: add support for absolute root view based labels")
+Reported-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/include/lib.h | 5 +++++
+ security/apparmor/label.c | 7 ++++---
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/security/apparmor/include/lib.h
++++ b/security/apparmor/include/lib.h
+@@ -22,6 +22,11 @@
+ */
+
+ #define DEBUG_ON (aa_g_debug)
++/*
++ * split individual debug cases out in preparation for finer grained
++ * debug controls in the future.
++ */
++#define AA_DEBUG_LABEL DEBUG_ON
+ #define dbg_printk(__fmt, __args...) pr_debug(__fmt, ##__args)
+ #define AA_DEBUG(fmt, args...) \
+ do { \
+--- a/security/apparmor/label.c
++++ b/security/apparmor/label.c
+@@ -1631,9 +1631,9 @@ int aa_label_snxprint(char *str, size_t
+ AA_BUG(!str && size != 0);
+ AA_BUG(!label);
+
+- if (flags & FLAG_ABS_ROOT) {
++ if (AA_DEBUG_LABEL && (flags & FLAG_ABS_ROOT)) {
+ ns = root_ns;
+- len = snprintf(str, size, "=");
++ len = snprintf(str, size, "_");
+ update_for_len(total, len, size, str);
+ } else if (!ns) {
+ ns = labels_ns(label);
+@@ -1895,7 +1895,8 @@ struct aa_label *aa_label_strn_parse(str
+ AA_BUG(!str);
+
+ str = skipn_spaces(str, n);
+- if (str == NULL || (*str == '=' && base != &root_ns->unconfined->label))
++ if (str == NULL || (AA_DEBUG_LABEL && *str == '_' &&
++ base != &root_ns->unconfined->label))
+ return ERR_PTR(-EINVAL);
+
+ len = label_count_strn_entries(str, end - str);
--- /dev/null
+From ec240b5905bbb09a03dccffee03062cf39e38dc2 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Tue, 25 Jan 2022 00:37:42 -0800
+Subject: apparmor: Fix failed mount permission check error message
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit ec240b5905bbb09a03dccffee03062cf39e38dc2 upstream.
+
+When the mount check fails due to a permission check failure instead
+of explicitly at one of the subcomponent checks, AppArmor is reporting
+a failure in the flags match. However this is not true and AppArmor
+can not attribute the error at this point to any particular component,
+and should only indicate the mount failed due to missing permissions.
+
+Fixes: 2ea3ffb7782a ("apparmor: add mount mediation")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/mount.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/security/apparmor/mount.c
++++ b/security/apparmor/mount.c
+@@ -229,7 +229,8 @@ static const char * const mnt_info_table
+ "failed srcname match",
+ "failed type match",
+ "failed flags match",
+- "failed data match"
++ "failed data match",
++ "failed perms check"
+ };
+
+ /*
+@@ -284,8 +285,8 @@ static int do_match_mnt(struct aa_dfa *d
+ return 0;
+ }
+
+- /* failed at end of flags match */
+- return 4;
++ /* failed at perms check, don't confuse with flags match */
++ return 6;
+ }
+
+
--- /dev/null
+From 417ea9fe972d2654a268ad66e89c8fcae67017c3 Mon Sep 17 00:00:00 2001
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+Date: Tue, 14 Jun 2022 17:00:01 +0800
+Subject: apparmor: Fix memleak in aa_simple_write_to_buffer()
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+commit 417ea9fe972d2654a268ad66e89c8fcae67017c3 upstream.
+
+When copy_from_user failed, the memory is freed by kvfree. however the
+management struct and data blob are allocated independently, so only
+kvfree(data) cause a memleak issue here. Use aa_put_loaddata(data) to
+fix this issue.
+
+Fixes: a6a52579e52b5 ("apparmor: split load data into management struct and data blob")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/apparmorfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -401,7 +401,7 @@ static struct aa_loaddata *aa_simple_wri
+
+ data->size = copy_size;
+ if (copy_from_user(data->data, userbuf, copy_size)) {
+- kvfree(data);
++ aa_put_loaddata(data);
+ return ERR_PTR(-EFAULT);
+ }
+
--- /dev/null
+From 2504db207146543736e877241f3b3de005cbe056 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Sat, 26 Mar 2022 01:58:15 -0700
+Subject: apparmor: fix overlapping attachment computation
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 2504db207146543736e877241f3b3de005cbe056 upstream.
+
+When finding the profile via patterned attachments, the longest left
+match is being set to the static compile time value and not using the
+runtime computed value.
+
+Fix this by setting the candidate value to the greater of the
+precomputed value or runtime computed value.
+
+Fixes: 21f606610502 ("apparmor: improve overlapping domain attachment resolution")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/domain.c | 2 +-
+ security/apparmor/include/policy.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -466,7 +466,7 @@ restart:
+ * xattrs, or a longer match
+ */
+ candidate = profile;
+- candidate_len = profile->xmatch_len;
++ candidate_len = max(count, profile->xmatch_len);
+ candidate_xattrs = ret;
+ conflict = false;
+ }
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -135,7 +135,7 @@ struct aa_profile {
+
+ const char *attach;
+ struct aa_dfa *xmatch;
+- int xmatch_len;
++ unsigned int xmatch_len;
+ enum audit_mode audit;
+ long mode;
+ u32 path_flags;
--- /dev/null
+From 68ff8540cc9e4ab557065b3f635c1ff4c96e1f1c Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Thu, 29 Apr 2021 01:48:28 -0700
+Subject: apparmor: fix quiet_denied for file rules
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 68ff8540cc9e4ab557065b3f635c1ff4c96e1f1c upstream.
+
+Global quieting of denied AppArmor generated file events is not
+handled correctly. Unfortunately the is checking if quieting of all
+audit events is set instead of just denied events.
+
+Fixes: 67012e8209df ("AppArmor: basic auditing infrastructure.")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/audit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/audit.c
++++ b/security/apparmor/audit.c
+@@ -137,7 +137,7 @@ int aa_audit(int type, struct aa_profile
+ }
+ if (AUDIT_MODE(profile) == AUDIT_QUIET ||
+ (type == AUDIT_APPARMOR_DENIED &&
+- AUDIT_MODE(profile) == AUDIT_QUIET))
++ AUDIT_MODE(profile) == AUDIT_QUIET_DENIED))
+ return aad(sa)->error;
+
+ if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
--- /dev/null
+From 11c3627ec6b56c1525013f336f41b79a983b4d46 Mon Sep 17 00:00:00 2001
+From: Xin Xiong <xiongx18@fudan.edu.cn>
+Date: Thu, 28 Apr 2022 11:39:08 +0800
+Subject: apparmor: fix reference count leak in aa_pivotroot()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xin Xiong <xiongx18@fudan.edu.cn>
+
+commit 11c3627ec6b56c1525013f336f41b79a983b4d46 upstream.
+
+The aa_pivotroot() function has a reference counting bug in a specific
+path. When aa_replace_current_label() returns on success, the function
+forgets to decrement the reference count of “target”, which is
+increased earlier by build_pivotroot(), causing a reference leak.
+
+Fix it by decreasing the refcount of “target” in that path.
+
+Fixes: 2ea3ffb7782a ("apparmor: add mount mediation")
+Co-developed-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Co-developed-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/mount.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/apparmor/mount.c
++++ b/security/apparmor/mount.c
+@@ -719,6 +719,7 @@ int aa_pivotroot(struct aa_label *label,
+ aa_put_label(target);
+ goto out;
+ }
++ aa_put_label(target);
+ } else
+ /* already audited error */
+ error = PTR_ERR(target);
--- /dev/null
+From 3bbb7b2e9bbcd22e539e23034da753898fe3b4dc Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Sat, 26 Mar 2022 01:52:06 -0700
+Subject: apparmor: fix setting unconfined mode on a loaded profile
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 3bbb7b2e9bbcd22e539e23034da753898fe3b4dc upstream.
+
+When loading a profile that is set to unconfined mode, that label
+flag is not set when it should be. Ensure it is set so that when
+used in a label the unconfined check will be applied correctly.
+
+Fixes: 038165070aa5 ("apparmor: allow setting any profile into the unconfined state")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/policy_unpack.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -746,16 +746,18 @@ static struct aa_profile *unpack_profile
+ profile->label.flags |= FLAG_HAT;
+ if (!unpack_u32(e, &tmp, NULL))
+ goto fail;
+- if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG))
++ if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) {
+ profile->mode = APPARMOR_COMPLAIN;
+- else if (tmp == PACKED_MODE_ENFORCE)
++ } else if (tmp == PACKED_MODE_ENFORCE) {
+ profile->mode = APPARMOR_ENFORCE;
+- else if (tmp == PACKED_MODE_KILL)
++ } else if (tmp == PACKED_MODE_KILL) {
+ profile->mode = APPARMOR_KILL;
+- else if (tmp == PACKED_MODE_UNCONFINED)
++ } else if (tmp == PACKED_MODE_UNCONFINED) {
+ profile->mode = APPARMOR_UNCONFINED;
+- else
++ profile->label.flags |= FLAG_UNCONFINED;
++ } else {
+ goto fail;
++ }
+ if (!unpack_u32(e, &tmp, NULL))
+ goto fail;
+ if (tmp)
--- /dev/null
+From 6548c884a595391fab172faeae39e2b329b848f3 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Fri, 10 Jun 2022 15:48:18 +0100
+Subject: ASoC: qdsp6: q6apm-dai: unprepare stream if its already prepared
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+commit 6548c884a595391fab172faeae39e2b329b848f3 upstream.
+
+prepare callback can be called multiple times, so unprepare the stream
+if its already prepared.
+
+Without this DSP is not happy to setting the params on a already
+prepared graph.
+
+Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support")
+Reported-by: Srinivasa Rao Mandadapu <quic_srivasam@quicinc.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20220610144818.511797-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6apm-dai.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
++++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
+@@ -153,6 +153,12 @@ static int q6apm_dai_prepare(struct snd_
+ q6apm_unmap_memory_regions(prtd->graph, substream->stream);
+ }
+
++ if (prtd->state) {
++ /* clear the previous setup if any */
++ q6apm_graph_stop(prtd->graph);
++ q6apm_unmap_memory_regions(prtd->graph, substream->stream);
++ }
++
+ prtd->pcm_count = snd_pcm_lib_period_bytes(substream);
+ prtd->pos = 0;
+ /* rate and channels are sent to audio driver */
--- /dev/null
+From f76fa6b338055054f80c72b29c97fb95c1becadc Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Wed, 10 Aug 2022 16:05:30 +0800
+Subject: bpf: Acquire map uref in .init_seq_private for array map iterator
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit f76fa6b338055054f80c72b29c97fb95c1becadc upstream.
+
+bpf_iter_attach_map() acquires a map uref, and the uref may be released
+before or in the middle of iterating map elements. For example, the uref
+could be released in bpf_iter_detach_map() as part of
+bpf_link_release(), or could be released in bpf_map_put_with_uref() as
+part of bpf_map_release().
+
+Alternative fix is acquiring an extra bpf_link reference just like
+a pinned map iterator does, but it introduces unnecessary dependency
+on bpf_link instead of bpf_map.
+
+So choose another fix: acquiring an extra map uref in .init_seq_private
+for array map iterator.
+
+Fixes: d3cc2ab546ad ("bpf: Implement bpf iterator for array maps")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/r/20220810080538.1845898-2-houtao@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/arraymap.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/kernel/bpf/arraymap.c
++++ b/kernel/bpf/arraymap.c
+@@ -649,6 +649,11 @@ static int bpf_iter_init_array_map(void
+ seq_info->percpu_value_buf = value_buf;
+ }
+
++ /* bpf_iter_attach_map() acquires a map uref, and the uref may be
++ * released before or in the middle of iterating map elements, so
++ * acquire an extra map uref for iterator.
++ */
++ bpf_map_inc_with_uref(map);
+ seq_info->map = map;
+ return 0;
+ }
+@@ -657,6 +662,7 @@ static void bpf_iter_fini_array_map(void
+ {
+ struct bpf_iter_seq_array_map_info *seq_info = priv_data;
+
++ bpf_map_put_with_uref(seq_info->map);
+ kfree(seq_info->percpu_value_buf);
+ }
+
--- /dev/null
+From ef1e93d2eeb58a1f08c37b22a2314b94bc045f15 Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Wed, 10 Aug 2022 16:05:31 +0800
+Subject: bpf: Acquire map uref in .init_seq_private for hash map iterator
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit ef1e93d2eeb58a1f08c37b22a2314b94bc045f15 upstream.
+
+bpf_iter_attach_map() acquires a map uref, and the uref may be released
+before or in the middle of iterating map elements. For example, the uref
+could be released in bpf_iter_detach_map() as part of
+bpf_link_release(), or could be released in bpf_map_put_with_uref() as
+part of bpf_map_release().
+
+So acquiring an extra map uref in bpf_iter_init_hash_map() and
+releasing it in bpf_iter_fini_hash_map().
+
+Fixes: d6c4503cc296 ("bpf: Implement bpf iterator for hash maps")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/r/20220810080538.1845898-3-houtao@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/hashtab.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/bpf/hashtab.c
++++ b/kernel/bpf/hashtab.c
+@@ -2060,6 +2060,7 @@ static int bpf_iter_init_hash_map(void *
+ seq_info->percpu_value_buf = value_buf;
+ }
+
++ bpf_map_inc_with_uref(map);
+ seq_info->map = map;
+ seq_info->htab = container_of(map, struct bpf_htab, map);
+ return 0;
+@@ -2069,6 +2070,7 @@ static void bpf_iter_fini_hash_map(void
+ {
+ struct bpf_iter_seq_hash_map_info *seq_info = priv_data;
+
++ bpf_map_put_with_uref(seq_info->map);
+ kfree(seq_info->percpu_value_buf);
+ }
+
--- /dev/null
+From 3c5f6e698b5c538bbb23cd453b22e1e4922cffd8 Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Wed, 10 Aug 2022 16:05:32 +0800
+Subject: bpf: Acquire map uref in .init_seq_private for sock local storage map iterator
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit 3c5f6e698b5c538bbb23cd453b22e1e4922cffd8 upstream.
+
+bpf_iter_attach_map() acquires a map uref, and the uref may be released
+before or in the middle of iterating map elements. For example, the uref
+could be released in bpf_iter_detach_map() as part of
+bpf_link_release(), or could be released in bpf_map_put_with_uref() as
+part of bpf_map_release().
+
+So acquiring an extra map uref in bpf_iter_init_sk_storage_map() and
+releasing it in bpf_iter_fini_sk_storage_map().
+
+Fixes: 5ce6e77c7edf ("bpf: Implement bpf iterator for sock local storage map")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/r/20220810080538.1845898-4-houtao@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/bpf_sk_storage.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/core/bpf_sk_storage.c
++++ b/net/core/bpf_sk_storage.c
+@@ -875,10 +875,18 @@ static int bpf_iter_init_sk_storage_map(
+ {
+ struct bpf_iter_seq_sk_storage_map_info *seq_info = priv_data;
+
++ bpf_map_inc_with_uref(aux->map);
+ seq_info->map = aux->map;
+ return 0;
+ }
+
++static void bpf_iter_fini_sk_storage_map(void *priv_data)
++{
++ struct bpf_iter_seq_sk_storage_map_info *seq_info = priv_data;
++
++ bpf_map_put_with_uref(seq_info->map);
++}
++
+ static int bpf_iter_attach_map(struct bpf_prog *prog,
+ union bpf_iter_link_info *linfo,
+ struct bpf_iter_aux_info *aux)
+@@ -924,7 +932,7 @@ static const struct seq_operations bpf_s
+ static const struct bpf_iter_seq_info iter_seq_info = {
+ .seq_ops = &bpf_sk_storage_map_seq_ops,
+ .init_seq_private = bpf_iter_init_sk_storage_map,
+- .fini_seq_private = NULL,
++ .fini_seq_private = bpf_iter_fini_sk_storage_map,
+ .seq_priv_size = sizeof(struct bpf_iter_seq_sk_storage_map_info),
+ };
+
--- /dev/null
+From f0d2b2716d71778d0b0c8eaa433c073287d69d93 Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Wed, 10 Aug 2022 16:05:33 +0800
+Subject: bpf: Acquire map uref in .init_seq_private for sock{map,hash} iterator
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit f0d2b2716d71778d0b0c8eaa433c073287d69d93 upstream.
+
+sock_map_iter_attach_target() acquires a map uref, and the uref may be
+released before or in the middle of iterating map elements. For example,
+the uref could be released in sock_map_iter_detach_target() as part of
+bpf_link_release(), or could be released in bpf_map_put_with_uref() as
+part of bpf_map_release().
+
+Fixing it by acquiring an extra map uref in .init_seq_private and
+releasing it in .fini_seq_private.
+
+Fixes: 0365351524d7 ("net: Allow iterating sockmap and sockhash")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/r/20220810080538.1845898-5-houtao@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/sock_map.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -783,13 +783,22 @@ static int sock_map_init_seq_private(voi
+ {
+ struct sock_map_seq_info *info = priv_data;
+
++ bpf_map_inc_with_uref(aux->map);
+ info->map = aux->map;
+ return 0;
+ }
+
++static void sock_map_fini_seq_private(void *priv_data)
++{
++ struct sock_map_seq_info *info = priv_data;
++
++ bpf_map_put_with_uref(info->map);
++}
++
+ static const struct bpf_iter_seq_info sock_map_iter_seq_info = {
+ .seq_ops = &sock_map_seq_ops,
+ .init_seq_private = sock_map_init_seq_private,
++ .fini_seq_private = sock_map_fini_seq_private,
+ .seq_priv_size = sizeof(struct sock_map_seq_info),
+ };
+
+@@ -1369,18 +1378,27 @@ static const struct seq_operations sock_
+ };
+
+ static int sock_hash_init_seq_private(void *priv_data,
+- struct bpf_iter_aux_info *aux)
++ struct bpf_iter_aux_info *aux)
+ {
+ struct sock_hash_seq_info *info = priv_data;
+
++ bpf_map_inc_with_uref(aux->map);
+ info->map = aux->map;
+ info->htab = container_of(aux->map, struct bpf_shtab, map);
+ return 0;
+ }
+
++static void sock_hash_fini_seq_private(void *priv_data)
++{
++ struct sock_hash_seq_info *info = priv_data;
++
++ bpf_map_put_with_uref(info->map);
++}
++
+ static const struct bpf_iter_seq_info sock_hash_iter_seq_info = {
+ .seq_ops = &sock_hash_seq_ops,
+ .init_seq_private = sock_hash_init_seq_private,
++ .fini_seq_private = sock_hash_fini_seq_private,
+ .seq_priv_size = sizeof(struct sock_hash_seq_info),
+ };
+
--- /dev/null
+From 52bd05eb7c88e1ad8541a48873188ccebca9da26 Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Wed, 10 Aug 2022 16:05:34 +0800
+Subject: bpf: Check the validity of max_rdwr_access for sock local storage map iterator
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit 52bd05eb7c88e1ad8541a48873188ccebca9da26 upstream.
+
+The value of sock local storage map is writable in map iterator, so check
+max_rdwr_access instead of max_rdonly_access.
+
+Fixes: 5ce6e77c7edf ("bpf: Implement bpf iterator for sock local storage map")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/r/20220810080538.1845898-6-houtao@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/bpf_sk_storage.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/bpf_sk_storage.c
++++ b/net/core/bpf_sk_storage.c
+@@ -904,7 +904,7 @@ static int bpf_iter_attach_map(struct bp
+ if (map->map_type != BPF_MAP_TYPE_SK_STORAGE)
+ goto put_map;
+
+- if (prog->aux->max_rdonly_access > map->value_size) {
++ if (prog->aux->max_rdwr_access > map->value_size) {
+ err = -EACCES;
+ goto put_map;
+ }
--- /dev/null
+From 86f44fcec22ce2979507742bc53db8400e454f46 Mon Sep 17 00:00:00 2001
+From: Alexei Starovoitov <ast@kernel.org>
+Date: Mon, 8 Aug 2022 20:58:09 -0700
+Subject: bpf: Disallow bpf programs call prog_run command.
+
+From: Alexei Starovoitov <ast@kernel.org>
+
+commit 86f44fcec22ce2979507742bc53db8400e454f46 upstream.
+
+The verifier cannot perform sufficient validation of bpf_attr->test.ctx_in
+pointer, therefore bpf programs should not be allowed to call BPF_PROG_RUN
+command from within the program.
+To fix this issue split bpf_sys_bpf() bpf helper into normal kern_sys_bpf()
+kernel function that can only be used by the kernel light skeleton directly.
+
+Reported-by: YiFei Zhu <zhuyifei@google.com>
+Fixes: b1d18a7574d0 ("bpf: Extend sys_bpf commands for bpf_syscall programs.")
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/syscall.c | 20 ++++++++++++++------
+ tools/lib/bpf/skel_internal.h | 4 ++--
+ 2 files changed, 16 insertions(+), 8 deletions(-)
+
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -5035,9 +5035,6 @@ static bool syscall_prog_is_valid_access
+
+ BPF_CALL_3(bpf_sys_bpf, int, cmd, union bpf_attr *, attr, u32, attr_size)
+ {
+- struct bpf_prog * __maybe_unused prog;
+- struct bpf_tramp_run_ctx __maybe_unused run_ctx;
+-
+ switch (cmd) {
+ case BPF_MAP_CREATE:
+ case BPF_MAP_UPDATE_ELEM:
+@@ -5047,6 +5044,18 @@ BPF_CALL_3(bpf_sys_bpf, int, cmd, union
+ case BPF_LINK_CREATE:
+ case BPF_RAW_TRACEPOINT_OPEN:
+ break;
++ default:
++ return -EINVAL;
++ }
++ return __sys_bpf(cmd, KERNEL_BPFPTR(attr), attr_size);
++}
++
++int kern_sys_bpf(int cmd, union bpf_attr *attr, unsigned int size)
++{
++ struct bpf_prog * __maybe_unused prog;
++ struct bpf_tramp_run_ctx __maybe_unused run_ctx;
++
++ switch (cmd) {
+ #ifdef CONFIG_BPF_JIT /* __bpf_prog_enter_sleepable used by trampoline and JIT */
+ case BPF_PROG_TEST_RUN:
+ if (attr->test.data_in || attr->test.data_out ||
+@@ -5077,11 +5086,10 @@ BPF_CALL_3(bpf_sys_bpf, int, cmd, union
+ return 0;
+ #endif
+ default:
+- return -EINVAL;
++ return ____bpf_sys_bpf(cmd, attr, size);
+ }
+- return __sys_bpf(cmd, KERNEL_BPFPTR(attr), attr_size);
+ }
+-EXPORT_SYMBOL(bpf_sys_bpf);
++EXPORT_SYMBOL(kern_sys_bpf);
+
+ static const struct bpf_func_proto bpf_sys_bpf_proto = {
+ .func = bpf_sys_bpf,
+--- a/tools/lib/bpf/skel_internal.h
++++ b/tools/lib/bpf/skel_internal.h
+@@ -66,13 +66,13 @@ struct bpf_load_and_run_opts {
+ const char *errstr;
+ };
+
+-long bpf_sys_bpf(__u32 cmd, void *attr, __u32 attr_size);
++long kern_sys_bpf(__u32 cmd, void *attr, __u32 attr_size);
+
+ static inline int skel_sys_bpf(enum bpf_cmd cmd, union bpf_attr *attr,
+ unsigned int size)
+ {
+ #ifdef __KERNEL__
+- return bpf_sys_bpf(cmd, attr, size);
++ return kern_sys_bpf(cmd, attr, size);
+ #else
+ return syscall(__NR_bpf, cmd, attr, size);
+ #endif
--- /dev/null
+From 275c30bcee66a27d1aa97a215d607ad6d49804cb Mon Sep 17 00:00:00 2001
+From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Date: Tue, 9 Aug 2022 23:30:32 +0200
+Subject: bpf: Don't reinit map value in prealloc_lru_pop
+
+From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+
+commit 275c30bcee66a27d1aa97a215d607ad6d49804cb upstream.
+
+The LRU map that is preallocated may have its elements reused while
+another program holds a pointer to it from bpf_map_lookup_elem. Hence,
+only check_and_free_fields is appropriate when the element is being
+deleted, as it ensures proper synchronization against concurrent access
+of the map value. After that, we cannot call check_and_init_map_value
+again as it may rewrite bpf_spin_lock, bpf_timer, and kptr fields while
+they can be concurrently accessed from a BPF program.
+
+This is safe to do as when the map entry is deleted, concurrent access
+is protected against by check_and_free_fields, i.e. an existing timer
+would be freed, and any existing kptr will be released by it. The
+program can create further timers and kptrs after check_and_free_fields,
+but they will eventually be released once the preallocated items are
+freed on map destruction, even if the item is never reused again. Hence,
+the deleted item sitting in the free list can still have resources
+attached to it, and they would never leak.
+
+With spin_lock, we never touch the field at all on delete or update, as
+we may end up modifying the state of the lock. Since the verifier
+ensures that a bpf_spin_lock call is always paired with bpf_spin_unlock
+call, the program will eventually release the lock so that on reuse the
+new user of the value can take the lock.
+
+Essentially, for the preallocated case, we must assume that the map
+value may always be in use by the program, even when it is sitting in
+the freelist, and handle things accordingly, i.e. use proper
+synchronization inside check_and_free_fields, and never reinitialize the
+special fields when it is reused on update.
+
+Fixes: 68134668c17f ("bpf: Add map side support for bpf timers.")
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/r/20220809213033.24147-3-memxor@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/hashtab.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/kernel/bpf/hashtab.c
++++ b/kernel/bpf/hashtab.c
+@@ -311,12 +311,8 @@ static struct htab_elem *prealloc_lru_po
+ struct htab_elem *l;
+
+ if (node) {
+- u32 key_size = htab->map.key_size;
+-
+ l = container_of(node, struct htab_elem, lru_node);
+- memcpy(l->key, key, key_size);
+- check_and_init_map_value(&htab->map,
+- l->key + round_up(key_size, 8));
++ memcpy(l->key, key, htab->map.key_size);
+ return l;
+ }
+
--- /dev/null
+From e2dcac2f58f5a95ab092d1da237ffdc0da1832cf Mon Sep 17 00:00:00 2001
+From: Jinghao Jia <jinghao@linux.ibm.com>
+Date: Fri, 29 Jul 2022 20:17:13 +0000
+Subject: BPF: Fix potential bad pointer dereference in bpf_sys_bpf()
+
+From: Jinghao Jia <jinghao@linux.ibm.com>
+
+commit e2dcac2f58f5a95ab092d1da237ffdc0da1832cf upstream.
+
+The bpf_sys_bpf() helper function allows an eBPF program to load another
+eBPF program from within the kernel. In this case the argument union
+bpf_attr pointer (as well as the insns and license pointers inside) is a
+kernel address instead of a userspace address (which is the case of a
+usual bpf() syscall). To make the memory copying process in the syscall
+work in both cases, bpfptr_t was introduced to wrap around the pointer
+and distinguish its origin. Specifically, when copying memory contents
+from a bpfptr_t, a copy_from_user() is performed in case of a userspace
+address and a memcpy() is performed for a kernel address.
+
+This can lead to problems because the in-kernel pointer is never checked
+for validity. The problem happens when an eBPF syscall program tries to
+call bpf_sys_bpf() to load a program but provides a bad insns pointer --
+say 0xdeadbeef -- in the bpf_attr union. The helper calls __sys_bpf()
+which would then call bpf_prog_load() to load the program.
+bpf_prog_load() is responsible for copying the eBPF instructions to the
+newly allocated memory for the program; it creates a kernel bpfptr_t for
+insns and invokes copy_from_bpfptr(). Internally, all bpfptr_t
+operations are backed by the corresponding sockptr_t operations, which
+performs direct memcpy() on kernel pointers for copy_from/strncpy_from
+operations. Therefore, the code is always happy to dereference the bad
+pointer to trigger a un-handle-able page fault and in turn an oops.
+However, this is not supposed to happen because at that point the eBPF
+program is already verified and should not cause a memory error.
+
+Sample KASAN trace:
+
+[ 25.685056][ T228] ==================================================================
+[ 25.685680][ T228] BUG: KASAN: user-memory-access in copy_from_bpfptr+0x21/0x30
+[ 25.686210][ T228] Read of size 80 at addr 00000000deadbeef by task poc/228
+[ 25.686732][ T228]
+[ 25.686893][ T228] CPU: 3 PID: 228 Comm: poc Not tainted 5.19.0-rc7 #7
+[ 25.687375][ T228] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS d55cb5a 04/01/2014
+[ 25.687991][ T228] Call Trace:
+[ 25.688223][ T228] <TASK>
+[ 25.688429][ T228] dump_stack_lvl+0x73/0x9e
+[ 25.688747][ T228] print_report+0xea/0x200
+[ 25.689061][ T228] ? copy_from_bpfptr+0x21/0x30
+[ 25.689401][ T228] ? _printk+0x54/0x6e
+[ 25.689693][ T228] ? _raw_spin_lock_irqsave+0x70/0xd0
+[ 25.690071][ T228] ? copy_from_bpfptr+0x21/0x30
+[ 25.690412][ T228] kasan_report+0xb5/0xe0
+[ 25.690716][ T228] ? copy_from_bpfptr+0x21/0x30
+[ 25.691059][ T228] kasan_check_range+0x2bd/0x2e0
+[ 25.691405][ T228] ? copy_from_bpfptr+0x21/0x30
+[ 25.691734][ T228] memcpy+0x25/0x60
+[ 25.692000][ T228] copy_from_bpfptr+0x21/0x30
+[ 25.692328][ T228] bpf_prog_load+0x604/0x9e0
+[ 25.692653][ T228] ? cap_capable+0xb4/0xe0
+[ 25.692956][ T228] ? security_capable+0x4f/0x70
+[ 25.693324][ T228] __sys_bpf+0x3af/0x580
+[ 25.693635][ T228] bpf_sys_bpf+0x45/0x240
+[ 25.693937][ T228] bpf_prog_f0ec79a5a3caca46_bpf_func1+0xa2/0xbd
+[ 25.694394][ T228] bpf_prog_run_pin_on_cpu+0x2f/0xb0
+[ 25.694756][ T228] bpf_prog_test_run_syscall+0x146/0x1c0
+[ 25.695144][ T228] bpf_prog_test_run+0x172/0x190
+[ 25.695487][ T228] __sys_bpf+0x2c5/0x580
+[ 25.695776][ T228] __x64_sys_bpf+0x3a/0x50
+[ 25.696084][ T228] do_syscall_64+0x60/0x90
+[ 25.696393][ T228] ? fpregs_assert_state_consistent+0x50/0x60
+[ 25.696815][ T228] ? exit_to_user_mode_prepare+0x36/0xa0
+[ 25.697202][ T228] ? syscall_exit_to_user_mode+0x20/0x40
+[ 25.697586][ T228] ? do_syscall_64+0x6e/0x90
+[ 25.697899][ T228] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 25.698312][ T228] RIP: 0033:0x7f6d543fb759
+[ 25.698624][ T228] Code: 08 5b 89 e8 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 a6 0e 00 f7 d8 64 89 01 48
+[ 25.699946][ T228] RSP: 002b:00007ffc3df78468 EFLAGS: 00000287 ORIG_RAX: 0000000000000141
+[ 25.700526][ T228] RAX: ffffffffffffffda RBX: 00007ffc3df78628 RCX: 00007f6d543fb759
+[ 25.701071][ T228] RDX: 0000000000000090 RSI: 00007ffc3df78478 RDI: 000000000000000a
+[ 25.701636][ T228] RBP: 00007ffc3df78510 R08: 0000000000000000 R09: 0000000000300000
+[ 25.702191][ T228] R10: 0000000000000005 R11: 0000000000000287 R12: 0000000000000000
+[ 25.702736][ T228] R13: 00007ffc3df78638 R14: 000055a1584aca68 R15: 00007f6d5456a000
+[ 25.703282][ T228] </TASK>
+[ 25.703490][ T228] ==================================================================
+[ 25.704050][ T228] Disabling lock debugging due to kernel taint
+
+Update copy_from_bpfptr() and strncpy_from_bpfptr() so that:
+ - for a kernel pointer, it uses the safe copy_from_kernel_nofault() and
+ strncpy_from_kernel_nofault() functions.
+ - for a userspace pointer, it performs copy_from_user() and
+ strncpy_from_user().
+
+Fixes: af2ac3e13e45 ("bpf: Prepare bpf syscall to be used from kernel and user space.")
+Link: https://lore.kernel.org/bpf/20220727132905.45166-1-jinghao@linux.ibm.com/
+Signed-off-by: Jinghao Jia <jinghao@linux.ibm.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/r/20220729201713.88688-1-jinghao@linux.ibm.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/bpfptr.h | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/include/linux/bpfptr.h
++++ b/include/linux/bpfptr.h
+@@ -49,7 +49,9 @@ static inline void bpfptr_add(bpfptr_t *
+ static inline int copy_from_bpfptr_offset(void *dst, bpfptr_t src,
+ size_t offset, size_t size)
+ {
+- return copy_from_sockptr_offset(dst, (sockptr_t) src, offset, size);
++ if (!bpfptr_is_kernel(src))
++ return copy_from_user(dst, src.user + offset, size);
++ return copy_from_kernel_nofault(dst, src.kernel + offset, size);
+ }
+
+ static inline int copy_from_bpfptr(void *dst, bpfptr_t src, size_t size)
+@@ -78,7 +80,9 @@ static inline void *kvmemdup_bpfptr(bpfp
+
+ static inline long strncpy_from_bpfptr(char *dst, bpfptr_t src, size_t count)
+ {
+- return strncpy_from_sockptr(dst, (sockptr_t) src, count);
++ if (bpfptr_is_kernel(src))
++ return strncpy_from_kernel_nofault(dst, src.kernel, count);
++ return strncpy_from_user(dst, src.user, count);
+ }
+
+ #endif /* _LINUX_BPFPTR_H */
--- /dev/null
+From a4cb6e62ea4d36e53fb3c0f18ea4503d7b76674f Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Mon, 1 Aug 2022 22:47:16 +0200
+Subject: can: ems_usb: fix clang's -Wunaligned-access warning
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit a4cb6e62ea4d36e53fb3c0f18ea4503d7b76674f upstream.
+
+clang emits a -Wunaligned-access warning on struct __packed
+ems_cpc_msg.
+
+The reason is that the anonymous union msg (not declared as packed) is
+being packed right after some non naturally aligned variables (3*8
+bits + 2*32) inside a packed struct:
+
+| struct __packed ems_cpc_msg {
+| u8 type; /* type of message */
+| u8 length; /* length of data within union 'msg' */
+| u8 msgid; /* confirmation handle */
+| __le32 ts_sec; /* timestamp in seconds */
+| __le32 ts_nsec; /* timestamp in nano seconds */
+| /* ^ not naturally aligned */
+|
+| union {
+| /* ^ not declared as packed */
+| u8 generic[64];
+| struct cpc_can_msg can_msg;
+| struct cpc_can_params can_params;
+| struct cpc_confirm confirmation;
+| struct cpc_overrun overrun;
+| struct cpc_can_error error;
+| struct cpc_can_err_counter err_counter;
+| u8 can_state;
+| } msg;
+| };
+
+Starting from LLVM 14, having an unpacked struct nested in a packed
+struct triggers a warning. c.f. [1].
+
+Fix the warning by marking the anonymous union as packed.
+
+[1] https://github.com/llvm/llvm-project/issues/55520
+
+Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
+Link: https://lore.kernel.org/all/20220802094021.959858-1-mkl@pengutronix.de
+Cc: Gerhard Uttenthaler <uttenthaler@ems-wuensche.com>
+Cc: Sebastian Haas <haas@ems-wuensche.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/ems_usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -194,7 +194,7 @@ struct __packed ems_cpc_msg {
+ __le32 ts_sec; /* timestamp in seconds */
+ __le32 ts_nsec; /* timestamp in nano seconds */
+
+- union {
++ union __packed {
+ u8 generic[64];
+ struct cpc_can_msg can_msg;
+ struct cpc_can_params can_params;
--- /dev/null
+From 8c21c54a53ab21842f5050fa090f26b03c0313d6 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Fri, 5 Aug 2022 18:02:16 +0300
+Subject: can: j1939: j1939_session_destroy(): fix memory leak of skbs
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit 8c21c54a53ab21842f5050fa090f26b03c0313d6 upstream.
+
+We need to drop skb references taken in j1939_session_skb_queue() when
+destroying a session in j1939_session_destroy(). Otherwise those skbs
+would be lost.
+
+Link to Syzkaller info and repro: https://forge.ispras.ru/issues/11743.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+V1: https://lore.kernel.org/all/20220708175949.539064-1-pchelkin@ispras.ru
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Suggested-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/all/20220805150216.66313-1-pchelkin@ispras.ru
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/transport.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -260,6 +260,8 @@ static void __j1939_session_drop(struct
+
+ static void j1939_session_destroy(struct j1939_session *session)
+ {
++ struct sk_buff *skb;
++
+ if (session->transmission) {
+ if (session->err)
+ j1939_sk_errqueue(session, J1939_ERRQUEUE_TX_ABORT);
+@@ -274,7 +276,11 @@ static void j1939_session_destroy(struct
+ WARN_ON_ONCE(!list_empty(&session->sk_session_queue_entry));
+ WARN_ON_ONCE(!list_empty(&session->active_session_list_entry));
+
+- skb_queue_purge(&session->skb_queue);
++ while ((skb = skb_dequeue(&session->skb_queue)) != NULL) {
++ /* drop ref taken in j1939_session_skb_queue() */
++ skb_unref(skb);
++ kfree_skb(skb);
++ }
+ __j1939_session_drop(session);
+ j1939_priv_put(session->priv);
+ kfree(session);
--- /dev/null
+From d80d60b0db6ff3dd2e29247cc2a5166d7e9ae37e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20W=C3=BCrl?= <sebastian.wuerl@ororatech.com>
+Date: Thu, 4 Aug 2022 10:14:11 +0200
+Subject: can: mcp251x: Fix race condition on receive interrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sebastian Würl <sebastian.wuerl@ororatech.com>
+
+commit d80d60b0db6ff3dd2e29247cc2a5166d7e9ae37e upstream.
+
+The mcp251x driver uses both receiving mailboxes of the CAN controller
+chips. For retrieving the CAN frames from the controller via SPI, it checks
+once per interrupt which mailboxes have been filled and will retrieve the
+messages accordingly.
+
+This introduces a race condition, as another CAN frame can enter mailbox 1
+while mailbox 0 is emptied. If now another CAN frame enters mailbox 0 until
+the interrupt handler is called next, mailbox 0 is emptied before
+mailbox 1, leading to out-of-order CAN frames in the network device.
+
+This is fixed by checking the interrupt flags once again after freeing
+mailbox 0, to correctly also empty mailbox 1 before leaving the handler.
+
+For reproducing the bug I created the following setup:
+ - Two CAN devices, one Raspberry Pi with MCP2515, the other can be any.
+ - Setup CAN to 1 MHz
+ - Spam bursts of 5 CAN-messages with increasing CAN-ids
+ - Continue sending the bursts while sleeping a second between the bursts
+ - Check on the RPi whether the received messages have increasing CAN-ids
+ - Without this patch, every burst of messages will contain a flipped pair
+
+v3: https://lore.kernel.org/all/20220804075914.67569-1-sebastian.wuerl@ororatech.com
+v2: https://lore.kernel.org/all/20220804064803.63157-1-sebastian.wuerl@ororatech.com
+v1: https://lore.kernel.org/all/20220803153300.58732-1-sebastian.wuerl@ororatech.com
+
+Fixes: bf66f3736a94 ("can: mcp251x: Move to threaded interrupts instead of workqueues.")
+Signed-off-by: Sebastian Würl <sebastian.wuerl@ororatech.com>
+Link: https://lore.kernel.org/all/20220804081411.68567-1-sebastian.wuerl@ororatech.com
+[mkl: reduce scope of intf1, eflag1]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/spi/mcp251x.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/spi/mcp251x.c
++++ b/drivers/net/can/spi/mcp251x.c
+@@ -1069,9 +1069,6 @@ static irqreturn_t mcp251x_can_ist(int i
+
+ mcp251x_read_2regs(spi, CANINTF, &intf, &eflag);
+
+- /* mask out flags we don't care about */
+- intf &= CANINTF_RX | CANINTF_TX | CANINTF_ERR;
+-
+ /* receive buffer 0 */
+ if (intf & CANINTF_RX0IF) {
+ mcp251x_hw_rx(spi, 0);
+@@ -1081,6 +1078,18 @@ static irqreturn_t mcp251x_can_ist(int i
+ if (mcp251x_is_2510(spi))
+ mcp251x_write_bits(spi, CANINTF,
+ CANINTF_RX0IF, 0x00);
++
++ /* check if buffer 1 is already known to be full, no need to re-read */
++ if (!(intf & CANINTF_RX1IF)) {
++ u8 intf1, eflag1;
++
++ /* intf needs to be read again to avoid a race condition */
++ mcp251x_read_2regs(spi, CANINTF, &intf1, &eflag1);
++
++ /* combine flags from both operations for error handling */
++ intf |= intf1;
++ eflag |= eflag1;
++ }
+ }
+
+ /* receive buffer 1 */
+@@ -1091,6 +1100,9 @@ static irqreturn_t mcp251x_can_ist(int i
+ clear_intf |= CANINTF_RX1IF;
+ }
+
++ /* mask out flags we don't care about */
++ intf &= CANINTF_RX | CANINTF_TX | CANINTF_ERR;
++
+ /* any error or tx interrupt we need to clear? */
+ if (intf & (CANINTF_ERR | CANINTF_TX))
+ clear_intf |= intf & (CANINTF_ERR | CANINTF_TX);
--- /dev/null
+From 6b4db2e528f650c7fb712961aac36455468d5902 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Tue, 9 Aug 2022 14:35:06 +0300
+Subject: devlink: Fix use-after-free after a failed reload
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 6b4db2e528f650c7fb712961aac36455468d5902 upstream.
+
+After a failed devlink reload, devlink parameters are still registered,
+which means user space can set and get their values. In the case of the
+mlxsw "acl_region_rehash_interval" parameter, these operations will
+trigger a use-after-free [1].
+
+Fix this by rejecting set and get operations while in the failed state.
+Return the "-EOPNOTSUPP" error code which does not abort the parameters
+dump, but instead causes it to skip over the problematic parameter.
+
+Another possible fix is to perform these checks in the mlxsw parameter
+callbacks, but other drivers might be affected by the same problem and I
+am not aware of scenarios where these stricter checks will cause a
+regression.
+
+[1]
+mlxsw_spectrum3 0000:00:10.0: Port 125: Failed to register netdev
+mlxsw_spectrum3 0000:00:10.0: Failed to create ports
+
+==================================================================
+BUG: KASAN: use-after-free in mlxsw_sp_acl_tcam_vregion_rehash_intrvl_get+0xbd/0xd0 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:904
+Read of size 4 at addr ffff8880099dcfd8 by task kworker/u4:4/777
+
+CPU: 1 PID: 777 Comm: kworker/u4:4 Not tainted 5.19.0-rc7-custom-126601-gfe26f28c586d #1
+Hardware name: QEMU MSN4700, BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+Workqueue: netns cleanup_net
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x92/0xbd lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:313 [inline]
+ print_report.cold+0x5e/0x5cf mm/kasan/report.c:429
+ kasan_report+0xb9/0xf0 mm/kasan/report.c:491
+ __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:306
+ mlxsw_sp_acl_tcam_vregion_rehash_intrvl_get+0xbd/0xd0 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:904
+ mlxsw_sp_acl_region_rehash_intrvl_get+0x49/0x60 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c:1106
+ mlxsw_sp_params_acl_region_rehash_intrvl_get+0x33/0x80 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3854
+ devlink_param_get net/core/devlink.c:4981 [inline]
+ devlink_nl_param_fill+0x238/0x12d0 net/core/devlink.c:5089
+ devlink_param_notify+0xe5/0x230 net/core/devlink.c:5168
+ devlink_ns_change_notify net/core/devlink.c:4417 [inline]
+ devlink_ns_change_notify net/core/devlink.c:4396 [inline]
+ devlink_reload+0x15f/0x700 net/core/devlink.c:4507
+ devlink_pernet_pre_exit+0x112/0x1d0 net/core/devlink.c:12272
+ ops_pre_exit_list net/core/net_namespace.c:152 [inline]
+ cleanup_net+0x494/0xc00 net/core/net_namespace.c:582
+ process_one_work+0x9fc/0x1710 kernel/workqueue.c:2289
+ worker_thread+0x675/0x10b0 kernel/workqueue.c:2436
+ kthread+0x30c/0x3d0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
+ </TASK>
+
+The buggy address belongs to the physical page:
+page:ffffea0000267700 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99dc
+flags: 0x100000000000000(node=0|zone=1)
+raw: 0100000000000000 0000000000000000 dead000000000122 0000000000000000
+raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8880099dce80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff8880099dcf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+>ffff8880099dcf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ^
+ ffff8880099dd000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff8880099dd080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+==================================================================
+
+Fixes: 98bbf70c1c41 ("mlxsw: spectrum: add "acl_region_rehash_interval" devlink param")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/devlink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -4943,7 +4943,7 @@ static int devlink_param_get(struct devl
+ const struct devlink_param *param,
+ struct devlink_param_gset_ctx *ctx)
+ {
+- if (!param->get)
++ if (!param->get || devlink->reload_failed)
+ return -EOPNOTSUPP;
+ return param->get(devlink, param->id, ctx);
+ }
+@@ -4952,7 +4952,7 @@ static int devlink_param_set(struct devl
+ const struct devlink_param *param,
+ struct devlink_param_gset_ctx *ctx)
+ {
+- if (!param->set)
++ if (!param->set || devlink->reload_failed)
+ return -EOPNOTSUPP;
+ return param->set(devlink, param->id, ctx);
+ }
--- /dev/null
+From 9066e151c37950af92c3be6a7270daa8e8063db9 Mon Sep 17 00:00:00 2001
+From: Qifu Zhang <zhangqifu@bytedance.com>
+Date: Tue, 19 Jul 2022 19:50:13 +0800
+Subject: Documentation: ACPI: EINJ: Fix obsolete example
+
+From: Qifu Zhang <zhangqifu@bytedance.com>
+
+commit 9066e151c37950af92c3be6a7270daa8e8063db9 upstream.
+
+Since commit 488dac0c9237 ("libfs: fix error cast of negative value in
+simple_attr_write()"), the EINJ debugfs interface no longer accepts
+negative values as input. Attempt to do so will result in EINVAL.
+
+Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()")
+Signed-off-by: Qifu Zhang <zhangqifu@bytedance.com>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/firmware-guide/acpi/apei/einj.rst | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/firmware-guide/acpi/apei/einj.rst
++++ b/Documentation/firmware-guide/acpi/apei/einj.rst
+@@ -168,7 +168,7 @@ An error injection example::
+ 0x00000008 Memory Correctable
+ 0x00000010 Memory Uncorrectable non-fatal
+ # echo 0x12345000 > param1 # Set memory address for injection
+- # echo $((-1 << 12)) > param2 # Mask 0xfffffffffffff000 - anywhere in this page
++ # echo 0xfffffffffffff000 > param2 # Mask - anywhere in this page
+ # echo 0x8 > error_type # Choose correctable memory error
+ # echo 1 > error_inject # Inject now
+
--- /dev/null
+From 944de5182f0269e72ffe0a8880c8dbeb30f473d8 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Fri, 20 May 2022 14:32:44 +0200
+Subject: dt-bindings: arm: qcom: fix Alcatel OneTouch Idol 3 compatibles
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 944de5182f0269e72ffe0a8880c8dbeb30f473d8 upstream.
+
+The MSM8916 Alcatel OneTouch Idol 3 does not use MTP fallbacks in
+compatibles:
+
+ msm8916-alcatel-idol347.dtb: /: compatible: 'oneOf' conditional failed, one must be fixed:
+ ['alcatel,idol347', 'qcom,msm8916'] is too short
+
+Reported-by: Rob Herring <robh@kernel.org>
+Fixes: e9dd2f7204ed ("dt-bindings: arm: qcom: Document alcatel,idol347 board")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Acked-by: Rob Herring <robh@kernel.org>
+Reviewed-by: Stephan Gerhold <stephan@gerhold.net>
+Link: https://lore.kernel.org/r/20220520123252.365762-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/arm/qcom.yaml | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/Documentation/devicetree/bindings/arm/qcom.yaml
++++ b/Documentation/devicetree/bindings/arm/qcom.yaml
+@@ -153,14 +153,13 @@ properties:
+ - const: qcom,msm8974
+
+ - items:
+- - enum:
+- - alcatel,idol347
+ - const: qcom,msm8916-mtp/1
+ - const: qcom,msm8916-mtp
+ - const: qcom,msm8916
+
+ - items:
+ - enum:
++ - alcatel,idol347
+ - longcheer,l8150
+ - samsung,a3u-eur
+ - samsung,a5u-eur
--- /dev/null
+From 6cfb357851bd3ef0a48e14bccfb5ca6b8104ea61 Mon Sep 17 00:00:00 2001
+From: Jeff LaBundy <jeff@labundy.com>
+Date: Mon, 27 Jun 2022 15:16:00 -0700
+Subject: dt-bindings: input: iqs7222: Correct bottom speed step size
+
+From: Jeff LaBundy <jeff@labundy.com>
+
+commit 6cfb357851bd3ef0a48e14bccfb5ca6b8104ea61 upstream.
+
+The bottom speed property is specified in steps of 1, not 4.
+
+Fixes: 44dc42d254bf ("dt-bindings: input: Add bindings for Azoteq IQS7222A/B/C")
+Signed-off-by: Jeff LaBundy <jeff@labundy.com>
+Link: https://lore.kernel.org/r/20220626072412.475211-9-jeff@labundy.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/input/azoteq,iqs7222.yaml | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/input/azoteq,iqs7222.yaml b/Documentation/devicetree/bindings/input/azoteq,iqs7222.yaml
+index 6180f7ee2284..c9c3a1e9bcae 100644
+--- a/Documentation/devicetree/bindings/input/azoteq,iqs7222.yaml
++++ b/Documentation/devicetree/bindings/input/azoteq,iqs7222.yaml
+@@ -533,9 +533,8 @@ patternProperties:
+
+ azoteq,bottom-speed:
+ $ref: /schemas/types.yaml#/definitions/uint32
+- multipleOf: 4
+ minimum: 0
+- maximum: 1020
++ maximum: 255
+ description:
+ Specifies the speed of movement after which coordinate filtering is
+ linearly reduced.
+--
+2.37.2
+
--- /dev/null
+From f0ea452715d72bc365d2b401ceb458f5ae82eeec Mon Sep 17 00:00:00 2001
+From: Jeff LaBundy <jeff@labundy.com>
+Date: Mon, 27 Jun 2022 15:16:15 -0700
+Subject: dt-bindings: input: iqs7222: Extend slider-mapped GPIO to IQS7222C
+
+From: Jeff LaBundy <jeff@labundy.com>
+
+commit f0ea452715d72bc365d2b401ceb458f5ae82eeec upstream.
+
+Although the IQS7222C does not offer slider gesture support, the
+press/release event can still be mapped to any of the IQS7222C's
+three GPIO pins. Update the binding to reflect this relationship.
+
+Fixes: 44dc42d254bf ("dt-bindings: input: Add bindings for Azoteq IQS7222A/B/C")
+Signed-off-by: Jeff LaBundy <jeff@labundy.com>
+Link: https://lore.kernel.org/r/20220626072412.475211-10-jeff@labundy.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ .../bindings/input/azoteq,iqs7222.yaml | 21 ++++++++++++-------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/input/azoteq,iqs7222.yaml b/Documentation/devicetree/bindings/input/azoteq,iqs7222.yaml
+index c9c3a1e9bcae..32d0d5190334 100644
+--- a/Documentation/devicetree/bindings/input/azoteq,iqs7222.yaml
++++ b/Documentation/devicetree/bindings/input/azoteq,iqs7222.yaml
+@@ -611,16 +611,15 @@ patternProperties:
+ azoteq,gpio-select:
+ $ref: /schemas/types.yaml#/definitions/uint32-array
+ minItems: 1
+- maxItems: 1
++ maxItems: 3
+ items:
+ minimum: 0
+- maximum: 0
++ maximum: 2
+ description: |
+- Specifies an individual GPIO mapped to a tap, swipe or flick
+- gesture as follows:
++ Specifies one or more GPIO mapped to the event as follows:
+ 0: GPIO0
+- 1: GPIO3 (reserved)
+- 2: GPIO4 (reserved)
++ 1: GPIO3 (IQS7222C only)
++ 2: GPIO4 (IQS7222C only)
+
+ Note that although multiple events can be mapped to a single
+ GPIO, they must all be of the same type (proximity, touch or
+@@ -705,6 +704,14 @@ allOf:
+ multipleOf: 4
+ maximum: 1020
+
++ patternProperties:
++ "^event-(press|tap|(swipe|flick)-(pos|neg))$":
++ properties:
++ azoteq,gpio-select:
++ maxItems: 1
++ items:
++ maximum: 0
++
+ else:
+ patternProperties:
+ "^channel-([0-9]|1[0-9])$":
+@@ -721,8 +728,6 @@ allOf:
+
+ azoteq,gesture-dist: false
+
+- azoteq,gpio-select: false
+-
+ required:
+ - compatible
+ - reg
+--
+2.37.2
+
--- /dev/null
+From f5d2c1ed72c26152e6883ed67dc3004a39165098 Mon Sep 17 00:00:00 2001
+From: Jeff LaBundy <jeff@labundy.com>
+Date: Mon, 27 Jun 2022 15:15:46 -0700
+Subject: dt-bindings: input: iqs7222: Remove support for RF filter
+
+From: Jeff LaBundy <jeff@labundy.com>
+
+commit f5d2c1ed72c26152e6883ed67dc3004a39165098 upstream.
+
+The vendor has marked the RF filter enable control as reserved in
+the datasheet; remove it from the binding.
+
+Fixes: 44dc42d254bf ("dt-bindings: input: Add bindings for Azoteq IQS7222A/B/C")
+Signed-off-by: Jeff LaBundy <jeff@labundy.com>
+Link: https://lore.kernel.org/r/20220626072412.475211-8-jeff@labundy.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/input/azoteq,iqs7222.yaml | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/input/azoteq,iqs7222.yaml b/Documentation/devicetree/bindings/input/azoteq,iqs7222.yaml
+index a3a1e5a65306..6180f7ee2284 100644
+--- a/Documentation/devicetree/bindings/input/azoteq,iqs7222.yaml
++++ b/Documentation/devicetree/bindings/input/azoteq,iqs7222.yaml
+@@ -37,10 +37,6 @@ properties:
+ device is temporarily held in hardware reset prior to initialization if
+ this property is present.
+
+- azoteq,rf-filt-enable:
+- type: boolean
+- description: Enables the device's internal RF filter.
+-
+ azoteq,max-counts:
+ $ref: /schemas/types.yaml#/definitions/uint32
+ enum: [0, 1, 2, 3]
+--
+2.37.2
+
--- /dev/null
+From f4526ae80dbdef7078ab2aae30dfc70bbc0098c6 Mon Sep 17 00:00:00 2001
+From: Allen-KH Cheng <allen-kh.cheng@mediatek.com>
+Date: Mon, 25 Jul 2022 19:07:02 +0800
+Subject: dt-bindings: pinctrl: mt8186: Add and use drive-strength-microamp
+
+From: Allen-KH Cheng <allen-kh.cheng@mediatek.com>
+
+commit f4526ae80dbdef7078ab2aae30dfc70bbc0098c6 upstream.
+
+Commit e5fabbe43f3f ("pinctrl: mediatek: paris: Support generic
+PIN_CONFIG_DRIVE_STRENGTH_UA") added support for using
+drive-strength-microamp instead of mediatek,drive-strength-adv.
+
+Similarly to the mt8192 and mt8195, there's no user of property
+'mediatek,drive-strength-adv', hence removing it is safe.
+
+Fixes: 338e953f1bd1 ("dt-bindings: pinctrl: mt8186: add pinctrl file and binding document")
+Signed-off-by: Allen-KH Cheng <allen-kh.cheng@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Link: https://lore.kernel.org/r/20220725110702.11362-3-allen-kh.cheng@mediatek.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/pinctrl/pinctrl-mt8186.yaml | 29 +---------
+ 1 file changed, 3 insertions(+), 26 deletions(-)
+
+--- a/Documentation/devicetree/bindings/pinctrl/pinctrl-mt8186.yaml
++++ b/Documentation/devicetree/bindings/pinctrl/pinctrl-mt8186.yaml
+@@ -105,31 +105,8 @@ patternProperties:
+ drive-strength:
+ enum: [2, 4, 6, 8, 10, 12, 14, 16]
+
+- mediatek,drive-strength-adv:
+- description: |
+- Describe the specific driving setup property.
+- For I2C pins, the existing generic driving setup can only support
+- 2/4/6/8/10/12/14/16mA driving. But in specific driving setup, they
+- can support 0.125/0.25/0.5/1mA adjustment. If we enable specific
+- driving setup, the existing generic setup will be disabled.
+- The specific driving setup is controlled by E1E0EN.
+- When E1=0/E0=0, the strength is 0.125mA.
+- When E1=0/E0=1, the strength is 0.25mA.
+- When E1=1/E0=0, the strength is 0.5mA.
+- When E1=1/E0=1, the strength is 1mA.
+- EN is used to enable or disable the specific driving setup.
+- Valid arguments are described as below:
+- 0: (E1, E0, EN) = (0, 0, 0)
+- 1: (E1, E0, EN) = (0, 0, 1)
+- 2: (E1, E0, EN) = (0, 1, 0)
+- 3: (E1, E0, EN) = (0, 1, 1)
+- 4: (E1, E0, EN) = (1, 0, 0)
+- 5: (E1, E0, EN) = (1, 0, 1)
+- 6: (E1, E0, EN) = (1, 1, 0)
+- 7: (E1, E0, EN) = (1, 1, 1)
+- So the valid arguments are from 0 to 7.
+- $ref: /schemas/types.yaml#/definitions/uint32
+- enum: [0, 1, 2, 3, 4, 5, 6, 7]
++ drive-strength-microamp:
++ enum: [125, 250, 500, 1000]
+
+ bias-pull-down:
+ oneOf:
+@@ -291,7 +268,7 @@ examples:
+ pinmux = <PINMUX_GPIO127__FUNC_SCL0>,
+ <PINMUX_GPIO128__FUNC_SDA0>;
+ bias-pull-up = <MTK_PULL_SET_RSEL_001>;
+- mediatek,drive-strength-adv = <7>;
++ drive-strength-microamp = <1000>;
+ };
+ };
+ };
--- /dev/null
+From b52e695324bb44728053a414f17d25a5959ecb9d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?N=C3=ADcolas=20F=2E=20R=2E=20A=2E=20Prado?=
+ <nfraprado@collabora.com>
+Date: Wed, 25 May 2022 11:57:13 -0400
+Subject: dt-bindings: pinctrl: mt8192: Add drive-strength-microamp
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+
+commit b52e695324bb44728053a414f17d25a5959ecb9d upstream.
+
+Commit e5fabbe43f3f ("pinctrl: mediatek: paris: Support generic
+PIN_CONFIG_DRIVE_STRENGTH_UA") added support for using
+drive-strength-microamp instead of mediatek,drive-strength-adv.
+
+Since there aren't any users of mediatek,drive-strength-adv on mt8192
+yet, remove this property and add drive-strength-microamp in its place,
+which has a clearer meaning.
+
+Fixes: 4ac68333ff6d ("dt-bindings: pinctrl: mt8192: Add mediatek,drive-strength-adv property")
+Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogiocchino.delregno@collabora.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Link: https://lore.kernel.org/r/20220525155714.1837360-2-nfraprado@collabora.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ .../bindings/pinctrl/pinctrl-mt8192.yaml | 27 ++-----------------
+ 1 file changed, 2 insertions(+), 25 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/pinctrl/pinctrl-mt8192.yaml b/Documentation/devicetree/bindings/pinctrl/pinctrl-mt8192.yaml
+index c90a132fbc79..8ede8b750237 100644
+--- a/Documentation/devicetree/bindings/pinctrl/pinctrl-mt8192.yaml
++++ b/Documentation/devicetree/bindings/pinctrl/pinctrl-mt8192.yaml
+@@ -80,31 +80,8 @@ patternProperties:
+ dt-bindings/pinctrl/mt65xx.h. It can only support 2/4/6/8/10/12/14/16mA in mt8192.
+ enum: [2, 4, 6, 8, 10, 12, 14, 16]
+
+- mediatek,drive-strength-adv:
+- description: |
+- Describe the specific driving setup property.
+- For I2C pins, the existing generic driving setup can only support
+- 2/4/6/8/10/12/14/16mA driving. But in specific driving setup, they
+- can support 0.125/0.25/0.5/1mA adjustment. If we enable specific
+- driving setup, the existing generic setup will be disabled.
+- The specific driving setup is controlled by E1E0EN.
+- When E1=0/E0=0, the strength is 0.125mA.
+- When E1=0/E0=1, the strength is 0.25mA.
+- When E1=1/E0=0, the strength is 0.5mA.
+- When E1=1/E0=1, the strength is 1mA.
+- EN is used to enable or disable the specific driving setup.
+- Valid arguments are described as below:
+- 0: (E1, E0, EN) = (0, 0, 0)
+- 1: (E1, E0, EN) = (0, 0, 1)
+- 2: (E1, E0, EN) = (0, 1, 0)
+- 3: (E1, E0, EN) = (0, 1, 1)
+- 4: (E1, E0, EN) = (1, 0, 0)
+- 5: (E1, E0, EN) = (1, 0, 1)
+- 6: (E1, E0, EN) = (1, 1, 0)
+- 7: (E1, E0, EN) = (1, 1, 1)
+- So the valid arguments are from 0 to 7.
+- $ref: /schemas/types.yaml#/definitions/uint32
+- enum: [0, 1, 2, 3, 4, 5, 6, 7]
++ drive-strength-microamp:
++ enum: [125, 250, 500, 1000]
+
+ mediatek,pull-up-adv:
+ description: |
+--
+2.37.2
+
--- /dev/null
+From 353d2ef77f2be4c1b9b3c70f1637a9986f07b997 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?N=C3=ADcolas=20F=2E=20R=2E=20A=2E=20Prado?=
+ <nfraprado@collabora.com>
+Date: Wed, 25 May 2022 11:57:14 -0400
+Subject: dt-bindings: pinctrl: mt8192: Use generic bias instead of pull-*-adv
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+
+commit 353d2ef77f2be4c1b9b3c70f1637a9986f07b997 upstream.
+
+Commit cafe19db7751 ("pinctrl: mediatek: Backward compatible to previous
+Mediatek's bias-pull usage") allowed the bias-pull-up and bias-pull-down
+properties to be used for setting PUPD/R1/R0 type bias on mtk-paris
+based SoC's, which was previously only supported by the custom
+mediatek,pull-up-adv and mediatek,pull-down-adv properties.
+
+Since the bias-pull-{up,down} properties already have defines associated
+thus being more descriptive and is more universal on MediaTek platforms,
+and given that there are no mediatek,pull-{up,down}-adv users on mt8192
+yet, remove the custom adv properties in favor of the generic ones.
+
+Note that only mediatek,pull-up-adv was merged in the binding, but not
+its down counterpart.
+
+Fixes: edbacb36ea50 ("dt-bindings: pinctrl: mt8192: Add mediatek,pull-up-adv property")
+Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogiocchino.delregno@collabora.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Link: https://lore.kernel.org/r/20220525155714.1837360-3-nfraprado@collabora.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ .../bindings/pinctrl/pinctrl-mt8192.yaml | 29 ++++++++++---------
+ 1 file changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/pinctrl/pinctrl-mt8192.yaml b/Documentation/devicetree/bindings/pinctrl/pinctrl-mt8192.yaml
+index 8ede8b750237..e39f5893bf16 100644
+--- a/Documentation/devicetree/bindings/pinctrl/pinctrl-mt8192.yaml
++++ b/Documentation/devicetree/bindings/pinctrl/pinctrl-mt8192.yaml
+@@ -83,20 +83,21 @@ patternProperties:
+ drive-strength-microamp:
+ enum: [125, 250, 500, 1000]
+
+- mediatek,pull-up-adv:
+- description: |
+- Pull up settings for 2 pull resistors, R0 and R1. User can
+- configure those special pins. Valid arguments are described as below:
+- 0: (R1, R0) = (0, 0) which means R1 disabled and R0 disabled.
+- 1: (R1, R0) = (0, 1) which means R1 disabled and R0 enabled.
+- 2: (R1, R0) = (1, 0) which means R1 enabled and R0 disabled.
+- 3: (R1, R0) = (1, 1) which means R1 enabled and R0 enabled.
+- $ref: /schemas/types.yaml#/definitions/uint32
+- enum: [0, 1, 2, 3]
+-
+- bias-pull-down: true
+-
+- bias-pull-up: true
++ bias-pull-down:
++ oneOf:
++ - type: boolean
++ description: normal pull down.
++ - enum: [100, 101, 102, 103]
++ description: PUPD/R1/R0 pull down type. See MTK_PUPD_SET_R1R0_
++ defines in dt-bindings/pinctrl/mt65xx.h.
++
++ bias-pull-up:
++ oneOf:
++ - type: boolean
++ description: normal pull up.
++ - enum: [100, 101, 102, 103]
++ description: PUPD/R1/R0 pull up type. See MTK_PUPD_SET_R1R0_
++ defines in dt-bindings/pinctrl/mt65xx.h.
+
+ bias-disable: true
+
+--
+2.37.2
+
--- /dev/null
+From 1b3ab63e56f0c30193b6787b083be4f4071b7fc6 Mon Sep 17 00:00:00 2001
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Date: Thu, 30 Jun 2022 15:15:43 +0200
+Subject: dt-bindings: pinctrl: mt8195: Add and use drive-strength-microamp
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+commit 1b3ab63e56f0c30193b6787b083be4f4071b7fc6 upstream.
+
+As was already done for MT8192 in commit b52e695324bb ("dt-bindings:
+pinctrl: mt8192: Add drive-strength-microamp"), replace the custom
+mediatek,drive-strength-adv property with the standardized pinconf
+'drive-strength-microamp' one.
+
+Similarly to the mt8192 counterpart, there's no user of property
+'mediatek,drive-strength-adv', hence removing it is safe.
+
+Fixes: 69c3d58dc187 ("dt-bindings: pinctrl: mt8195: Add mediatek,drive-strength-adv property")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Link: https://lore.kernel.org/r/20220630131543.225554-1-angelogioacchino.delregno@collabora.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ .../bindings/pinctrl/pinctrl-mt8195.yaml | 27 ++-----------------
+ 1 file changed, 2 insertions(+), 25 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/pinctrl/pinctrl-mt8195.yaml b/Documentation/devicetree/bindings/pinctrl/pinctrl-mt8195.yaml
+index bb40398bb047..3d8afb3d5695 100644
+--- a/Documentation/devicetree/bindings/pinctrl/pinctrl-mt8195.yaml
++++ b/Documentation/devicetree/bindings/pinctrl/pinctrl-mt8195.yaml
+@@ -98,31 +98,8 @@ patternProperties:
+ drive-strength:
+ enum: [2, 4, 6, 8, 10, 12, 14, 16]
+
+- mediatek,drive-strength-adv:
+- description: |
+- Describe the specific driving setup property.
+- For I2C pins, the existing generic driving setup can only support
+- 2/4/6/8/10/12/14/16mA driving. But in specific driving setup, they
+- can support 0.125/0.25/0.5/1mA adjustment. If we enable specific
+- driving setup, the existing generic setup will be disabled.
+- The specific driving setup is controlled by E1E0EN.
+- When E1=0/E0=0, the strength is 0.125mA.
+- When E1=0/E0=1, the strength is 0.25mA.
+- When E1=1/E0=0, the strength is 0.5mA.
+- When E1=1/E0=1, the strength is 1mA.
+- EN is used to enable or disable the specific driving setup.
+- Valid arguments are described as below:
+- 0: (E1, E0, EN) = (0, 0, 0)
+- 1: (E1, E0, EN) = (0, 0, 1)
+- 2: (E1, E0, EN) = (0, 1, 0)
+- 3: (E1, E0, EN) = (0, 1, 1)
+- 4: (E1, E0, EN) = (1, 0, 0)
+- 5: (E1, E0, EN) = (1, 0, 1)
+- 6: (E1, E0, EN) = (1, 1, 0)
+- 7: (E1, E0, EN) = (1, 1, 1)
+- So the valid arguments are from 0 to 7.
+- $ref: /schemas/types.yaml#/definitions/uint32
+- enum: [0, 1, 2, 3, 4, 5, 6, 7]
++ drive-strength-microamp:
++ enum: [125, 250, 500, 1000]
+
+ bias-pull-down:
+ oneOf:
+--
+2.37.2
+
--- /dev/null
+From 11bd0ffd165fce7aff1a2ed15c04c088239f3d42 Mon Sep 17 00:00:00 2001
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Date: Thu, 30 Jun 2022 14:23:34 +0200
+Subject: dt-bindings: pinctrl: mt8195: Fix name for mediatek,rsel-resistance-in-si-unit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+commit 11bd0ffd165fce7aff1a2ed15c04c088239f3d42 upstream.
+
+When this property was introduced, it contained underscores, but
+the actual code wants dashes.
+
+Change it from mediatek,rsel_resistance_in_si_unit to
+mediatek,rsel-resistance-in-si-unit.
+
+Fixes: 91e7edceda96 ("dt-bindings: pinctrl: mt8195: change pull up/down description")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Link: https://lore.kernel.org/r/20220630122334.216903-1-angelogioacchino.delregno@collabora.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/pinctrl/pinctrl-mt8195.yaml | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/Documentation/devicetree/bindings/pinctrl/pinctrl-mt8195.yaml
++++ b/Documentation/devicetree/bindings/pinctrl/pinctrl-mt8195.yaml
+@@ -49,7 +49,7 @@ properties:
+ description: The interrupt outputs to sysirq.
+ maxItems: 1
+
+- mediatek,rsel_resistance_in_si_unit:
++ mediatek,rsel-resistance-in-si-unit:
+ type: boolean
+ description: |
+ Identifying i2c pins pull up/down type which is RSEL. It can support
+@@ -142,7 +142,7 @@ patternProperties:
+ "MTK_PUPD_SET_R1R0_11" define in mt8195.
+ For pull down type is RSEL, it can add RSEL define & resistance
+ value(ohm) to set different resistance by identifying property
+- "mediatek,rsel_resistance_in_si_unit".
++ "mediatek,rsel-resistance-in-si-unit".
+ It can support "MTK_PULL_SET_RSEL_000" & "MTK_PULL_SET_RSEL_001"
+ & "MTK_PULL_SET_RSEL_010" & "MTK_PULL_SET_RSEL_011"
+ & "MTK_PULL_SET_RSEL_100" & "MTK_PULL_SET_RSEL_101"
+@@ -161,7 +161,7 @@ patternProperties:
+ };
+ An example of using si unit resistance value(ohm):
+ &pio {
+- mediatek,rsel_resistance_in_si_unit;
++ mediatek,rsel-resistance-in-si-unit;
+ }
+ pincontroller {
+ i2c0_pin {
+@@ -190,7 +190,7 @@ patternProperties:
+ "MTK_PUPD_SET_R1R0_11" define in mt8195.
+ For pull up type is RSEL, it can add RSEL define & resistance
+ value(ohm) to set different resistance by identifying property
+- "mediatek,rsel_resistance_in_si_unit".
++ "mediatek,rsel-resistance-in-si-unit".
+ It can support "MTK_PULL_SET_RSEL_000" & "MTK_PULL_SET_RSEL_001"
+ & "MTK_PULL_SET_RSEL_010" & "MTK_PULL_SET_RSEL_011"
+ & "MTK_PULL_SET_RSEL_100" & "MTK_PULL_SET_RSEL_101"
+@@ -209,7 +209,7 @@ patternProperties:
+ };
+ An example of using si unit resistance value(ohm):
+ &pio {
+- mediatek,rsel_resistance_in_si_unit;
++ mediatek,rsel-resistance-in-si-unit;
+ }
+ pincontroller {
+ i2c0-pins {
--- /dev/null
+From b2c510ffe29f20a5f6ff31ae28d32ffa494b8cfb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?N=C3=ADcolas=20F=2E=20R=2E=20A=2E=20Prado?=
+ <nfraprado@collabora.com>
+Date: Thu, 23 Jun 2022 15:36:59 -0400
+Subject: dt-bindings: usb: mtk-xhci: Allow wakeup interrupt-names to be optional
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+
+commit b2c510ffe29f20a5f6ff31ae28d32ffa494b8cfb upstream.
+
+Add missing "minItems: 1" to the interrupt-names property to allow the
+second interrupt-names, "wakeup", to be optional.
+
+Fixes: fe8e488058c4 ("dt-bindings: usb: mtk-xhci: add wakeup interrupt")
+Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Acked-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Link: https://lore.kernel.org/r/20220623193702.817996-2-nfraprado@collabora.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/usb/mediatek,mtk-xhci.yaml | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/Documentation/devicetree/bindings/usb/mediatek,mtk-xhci.yaml
++++ b/Documentation/devicetree/bindings/usb/mediatek,mtk-xhci.yaml
+@@ -57,6 +57,7 @@ properties:
+ - description: optional, wakeup interrupt used to support runtime PM
+
+ interrupt-names:
++ minItems: 1
+ items:
+ - const: host
+ - const: wakeup
--- /dev/null
+From ca2bb69514a8bc7f83914122f0d596371352416c Mon Sep 17 00:00:00 2001
+From: Matthias May <matthias.may@westermo.com>
+Date: Fri, 5 Aug 2022 21:19:03 +0200
+Subject: geneve: do not use RT_TOS for IPv6 flowlabel
+
+From: Matthias May <matthias.may@westermo.com>
+
+commit ca2bb69514a8bc7f83914122f0d596371352416c upstream.
+
+According to Guillaume Nault RT_TOS should never be used for IPv6.
+
+Quote:
+RT_TOS() is an old macro used to interprete IPv4 TOS as described in
+the obsolete RFC 1349. It's conceptually wrong to use it even in IPv4
+code, although, given the current state of the code, most of the
+existing calls have no consequence.
+
+But using RT_TOS() in IPv6 code is always a bug: IPv6 never had a "TOS"
+field to be interpreted the RFC 1349 way. There's no historical
+compatibility to worry about.
+
+Fixes: 3a56f86f1be6 ("geneve: handle ipv6 priority like ipv4 tos")
+Acked-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Matthias May <matthias.may@westermo.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/geneve.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -876,8 +876,7 @@ static struct dst_entry *geneve_get_v6_d
+ use_cache = false;
+ }
+
+- fl6->flowlabel = ip6_make_flowinfo(RT_TOS(prio),
+- info->key.label);
++ fl6->flowlabel = ip6_make_flowinfo(prio, info->key.label);
+ dst_cache = (struct dst_cache *)&info->dst_cache;
+ if (use_cache) {
+ dst = dst_cache_get_ip6(dst_cache, &fl6->saddr);
--- /dev/null
+From 6bb7144c3fa16a5efb54a8e2aff1817b4168018e Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Tue, 28 Jun 2022 22:42:35 -0700
+Subject: Input: exc3000 - fix return value check of wait_for_completion_timeout
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 6bb7144c3fa16a5efb54a8e2aff1817b4168018e upstream.
+
+wait_for_completion_timeout() returns unsigned long not int.
+It returns 0 if timed out, and positive if completed.
+The check for <= 0 is ambiguous and should be == 0 here
+indicating timeout which is the only error case.
+
+Fixes: 102feb1ddfd0 ("Input: exc3000 - factor out vendor data request")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220411105828.22140-1-linmq006@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/exc3000.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/input/touchscreen/exc3000.c
++++ b/drivers/input/touchscreen/exc3000.c
+@@ -220,6 +220,7 @@ static int exc3000_vendor_data_request(s
+ {
+ u8 buf[EXC3000_LEN_VENDOR_REQUEST] = { 0x67, 0x00, 0x42, 0x00, 0x03 };
+ int ret;
++ unsigned long time_left;
+
+ mutex_lock(&data->query_lock);
+
+@@ -233,9 +234,9 @@ static int exc3000_vendor_data_request(s
+ goto out_unlock;
+
+ if (response) {
+- ret = wait_for_completion_timeout(&data->wait_event,
+- timeout * HZ);
+- if (ret <= 0) {
++ time_left = wait_for_completion_timeout(&data->wait_event,
++ timeout * HZ);
++ if (time_left == 0) {
+ ret = -ETIMEDOUT;
+ goto out_unlock;
+ }
--- /dev/null
+From 2e70ef525b7309287b2d4dd24e7c9c038a006328 Mon Sep 17 00:00:00 2001
+From: Jeff LaBundy <jeff@labundy.com>
+Date: Mon, 27 Jun 2022 15:14:42 -0700
+Subject: Input: iqs7222 - acknowledge reset before writing registers
+
+From: Jeff LaBundy <jeff@labundy.com>
+
+commit 2e70ef525b7309287b2d4dd24e7c9c038a006328 upstream.
+
+If the device suffers a spurious reset while reacting to a previous
+spurious reset, the second reset interrupt is preempted because the
+ACK_RESET bit is written last.
+
+To solve this problem, write the ACK_RESET bit prior to writing any
+other registers. This ensures that any registers written before the
+second spurious reset will be rewritten.
+
+Last but not least, the order in which the ACK_RESET bit is written
+relative to the second filter beta register is important for select
+variants of silicon. Enforce the correct order so as to not clobber
+the system status register.
+
+Fixes: e505edaedcb9 ("Input: add support for Azoteq IQS7222A/B/C")
+Signed-off-by: Jeff LaBundy <jeff@labundy.com>
+Link: https://lore.kernel.org/r/20220626072412.475211-5-jeff@labundy.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/iqs7222.c | 32 +++++++++++++++++++++++++++++---
+ 1 file changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/input/misc/iqs7222.c b/drivers/input/misc/iqs7222.c
+index c46d3c8f0230..aa46f2cd4d34 100644
+--- a/drivers/input/misc/iqs7222.c
++++ b/drivers/input/misc/iqs7222.c
+@@ -94,11 +94,11 @@ enum iqs7222_reg_key_id {
+
+ enum iqs7222_reg_grp_id {
+ IQS7222_REG_GRP_STAT,
++ IQS7222_REG_GRP_FILT,
+ IQS7222_REG_GRP_CYCLE,
+ IQS7222_REG_GRP_GLBL,
+ IQS7222_REG_GRP_BTN,
+ IQS7222_REG_GRP_CHAN,
+- IQS7222_REG_GRP_FILT,
+ IQS7222_REG_GRP_SLDR,
+ IQS7222_REG_GRP_GPIO,
+ IQS7222_REG_GRP_SYS,
+@@ -1348,6 +1348,34 @@ static int iqs7222_dev_init(struct iqs7222_private *iqs7222, int dir)
+ int comms_offset = dev_desc->comms_offset;
+ int error, i, j, k;
+
++ /*
++ * Acknowledge reset before writing any registers in case the device
++ * suffers a spurious reset during initialization. Because this step
++ * may change the reserved fields of the second filter beta register,
++ * its cache must be updated.
++ *
++ * Writing the second filter beta register, in turn, may clobber the
++ * system status register. As such, the filter beta register pair is
++ * written first to protect against this hazard.
++ */
++ if (dir == WRITE) {
++ u16 reg = dev_desc->reg_grps[IQS7222_REG_GRP_FILT].base + 1;
++ u16 filt_setup;
++
++ error = iqs7222_write_word(iqs7222, IQS7222_SYS_SETUP,
++ iqs7222->sys_setup[0] |
++ IQS7222_SYS_SETUP_ACK_RESET);
++ if (error)
++ return error;
++
++ error = iqs7222_read_word(iqs7222, reg, &filt_setup);
++ if (error)
++ return error;
++
++ iqs7222->filt_setup[1] &= GENMASK(7, 0);
++ iqs7222->filt_setup[1] |= (filt_setup & ~GENMASK(7, 0));
++ }
++
+ /*
+ * Take advantage of the stop-bit disable function, if available, to
+ * save the trouble of having to reopen a communication window after
+@@ -2254,8 +2282,6 @@ static int iqs7222_parse_all(struct iqs7222_private *iqs7222)
+ return error;
+ }
+
+- sys_setup[0] |= IQS7222_SYS_SETUP_ACK_RESET;
+-
+ return iqs7222_parse_props(iqs7222, NULL, 0, IQS7222_REG_GRP_SYS,
+ IQS7222_REG_KEY_NONE);
+ }
+--
+2.37.2
+
--- /dev/null
+From 56a0c54c4c2bdb6c0952de90dd690020a703b50e Mon Sep 17 00:00:00 2001
+From: Jeff LaBundy <jeff@labundy.com>
+Date: Mon, 27 Jun 2022 15:13:49 -0700
+Subject: Input: iqs7222 - correct slider event disable logic
+
+From: Jeff LaBundy <jeff@labundy.com>
+
+commit 56a0c54c4c2bdb6c0952de90dd690020a703b50e upstream.
+
+If a positive swipe/flick gesture is defined but the corresponding
+negative gesture is not, the former is inadvertently disabled. Fix
+this by gently refactoring the logic responsible for disabling all
+gestures by default.
+
+As part of this change, make the code a bit simpler by eliminating
+a superfluous conditional check. If a slider event does not define
+an enable control, the second term of the bitwise AND operation is
+simply 0xFFFF.
+
+Fixes: e505edaedcb9 ("Input: add support for Azoteq IQS7222A/B/C")
+Signed-off-by: Jeff LaBundy <jeff@labundy.com>
+Link: https://lore.kernel.org/r/20220626072412.475211-2-jeff@labundy.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/iqs7222.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/input/misc/iqs7222.c b/drivers/input/misc/iqs7222.c
+index 6b4138771a3f..53df74f3a982 100644
+--- a/drivers/input/misc/iqs7222.c
++++ b/drivers/input/misc/iqs7222.c
+@@ -2081,17 +2081,19 @@ static int iqs7222_parse_sldr(struct iqs7222_private *iqs7222, int sldr_index)
+ sldr_setup[0] |= dev_desc->wheel_enable;
+ }
+
++ /*
++ * The absence of a register offset makes it safe to assume the device
++ * supports gestures, each of which is first disabled until explicitly
++ * enabled.
++ */
++ if (!reg_offset)
++ for (i = 0; i < ARRAY_SIZE(iqs7222_sl_events); i++)
++ sldr_setup[9] &= ~iqs7222_sl_events[i].enable;
++
+ for (i = 0; i < ARRAY_SIZE(iqs7222_sl_events); i++) {
+ const char *event_name = iqs7222_sl_events[i].name;
+ struct fwnode_handle *event_node;
+
+- /*
+- * The absence of a register offset means the remaining fields
+- * in the group represent gesture settings.
+- */
+- if (iqs7222_sl_events[i].enable && !reg_offset)
+- sldr_setup[9] &= ~iqs7222_sl_events[i].enable;
+-
+ event_node = fwnode_get_named_child_node(sldr_node, event_name);
+ if (!event_node)
+ continue;
+--
+2.37.2
+
--- /dev/null
+From 95215d3d19c5b47b8ccef8cb61c9dcd17ac7a669 Mon Sep 17 00:00:00 2001
+From: Jeff LaBundy <jeff@labundy.com>
+Date: Mon, 27 Jun 2022 15:14:04 -0700
+Subject: Input: iqs7222 - fortify slider event reporting
+
+From: Jeff LaBundy <jeff@labundy.com>
+
+commit 95215d3d19c5b47b8ccef8cb61c9dcd17ac7a669 upstream.
+
+The release cycle of any key mapped to a slider gesture relies upon
+trailing interrupts generated by other unmasked sources, the timing
+and presence of which are inconsistent.
+
+To solve this problem, explicitly report a release cycle to emulate
+a full keystroke. Also, unmask touch interrupts if the slider press
+event is defined; this ensures the device reports a final interrupt
+with coordinate = 0xFFFF once the finger is lifted.
+
+As a result of how the logic has been refactored, the press/release
+event can now be mapped to a GPIO. This is more convenient than the
+previous solution, which required each channel within the slider to
+specify the same GPIO.
+
+As part of this change, use the device's resolution rather than its
+number of interrupt status registers to more safely determine if it
+is capable of reporting gestures.
+
+Last but not least, make the code a bit simpler by eliminating some
+unnecessarily complex conditional statements and a macro that could
+be derived using information that is already available.
+
+Fixes: e505edaedcb9 ("Input: add support for Azoteq IQS7222A/B/C")
+Signed-off-by: Jeff LaBundy <jeff@labundy.com>
+Link: https://lore.kernel.org/r/20220626072412.475211-3-jeff@labundy.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/iqs7222.c | 96 ++++++++++++++++++++++--------------
+ 1 file changed, 58 insertions(+), 38 deletions(-)
+
+diff --git a/drivers/input/misc/iqs7222.c b/drivers/input/misc/iqs7222.c
+index 53df74f3a982..57616a7ebeae 100644
+--- a/drivers/input/misc/iqs7222.c
++++ b/drivers/input/misc/iqs7222.c
+@@ -40,7 +40,6 @@
+ #define IQS7222_SLDR_SETUP_2_RES_MASK GENMASK(15, 8)
+ #define IQS7222_SLDR_SETUP_2_RES_SHIFT 8
+ #define IQS7222_SLDR_SETUP_2_TOP_SPEED_MASK GENMASK(7, 0)
+-#define IQS7222_SLDR_SETUP_3_CHAN_SEL_MASK GENMASK(9, 0)
+
+ #define IQS7222_GPIO_SETUP_0_GPIO_EN BIT(0)
+
+@@ -54,6 +53,9 @@
+ #define IQS7222_SYS_SETUP_ACK_RESET BIT(0)
+
+ #define IQS7222_EVENT_MASK_ATI BIT(12)
++#define IQS7222_EVENT_MASK_SLDR BIT(10)
++#define IQS7222_EVENT_MASK_TOUCH BIT(1)
++#define IQS7222_EVENT_MASK_PROX BIT(0)
+
+ #define IQS7222_COMMS_HOLD BIT(0)
+ #define IQS7222_COMMS_ERROR 0xEEEE
+@@ -135,12 +137,12 @@ struct iqs7222_event_desc {
+ static const struct iqs7222_event_desc iqs7222_kp_events[] = {
+ {
+ .name = "event-prox",
+- .enable = BIT(0),
++ .enable = IQS7222_EVENT_MASK_PROX,
+ .reg_key = IQS7222_REG_KEY_PROX,
+ },
+ {
+ .name = "event-touch",
+- .enable = BIT(1),
++ .enable = IQS7222_EVENT_MASK_TOUCH,
+ .reg_key = IQS7222_REG_KEY_TOUCH,
+ },
+ };
+@@ -1957,8 +1959,8 @@ static int iqs7222_parse_sldr(struct iqs7222_private *iqs7222, int sldr_index)
+ int num_chan = dev_desc->reg_grps[IQS7222_REG_GRP_CHAN].num_row;
+ int ext_chan = rounddown(num_chan, 10);
+ int count, error, reg_offset, i;
++ u16 *event_mask = &iqs7222->sys_setup[dev_desc->event_offset];
+ u16 *sldr_setup = iqs7222->sldr_setup[sldr_index];
+- u16 *sys_setup = iqs7222->sys_setup;
+ unsigned int chan_sel[4], val;
+
+ error = iqs7222_parse_props(iqs7222, &sldr_node, sldr_index,
+@@ -2003,7 +2005,7 @@ static int iqs7222_parse_sldr(struct iqs7222_private *iqs7222, int sldr_index)
+ reg_offset = dev_desc->sldr_res < U16_MAX ? 0 : 1;
+
+ sldr_setup[0] |= count;
+- sldr_setup[3 + reg_offset] &= ~IQS7222_SLDR_SETUP_3_CHAN_SEL_MASK;
++ sldr_setup[3 + reg_offset] &= ~GENMASK(ext_chan - 1, 0);
+
+ for (i = 0; i < ARRAY_SIZE(chan_sel); i++) {
+ sldr_setup[5 + reg_offset + i] = 0;
+@@ -2106,6 +2108,22 @@ static int iqs7222_parse_sldr(struct iqs7222_private *iqs7222, int sldr_index)
+ if (error)
+ return error;
+
++ /*
++ * The press/release event does not expose a direct GPIO link,
++ * but one can be emulated by tying each of the participating
++ * channels to the same GPIO.
++ */
++ error = iqs7222_gpio_select(iqs7222, event_node,
++ i ? iqs7222_sl_events[i].enable
++ : sldr_setup[3 + reg_offset],
++ i ? 1568 + sldr_index * 30
++ : sldr_setup[4 + reg_offset]);
++ if (error)
++ return error;
++
++ if (!reg_offset)
++ sldr_setup[9] |= iqs7222_sl_events[i].enable;
++
+ error = fwnode_property_read_u32(event_node, "linux,code",
+ &val);
+ if (error) {
+@@ -2117,26 +2135,20 @@ static int iqs7222_parse_sldr(struct iqs7222_private *iqs7222, int sldr_index)
+ iqs7222->sl_code[sldr_index][i] = val;
+ input_set_capability(iqs7222->keypad, EV_KEY, val);
+
+- /*
+- * The press/release event is determined based on whether the
+- * coordinate field reports 0xFFFF and has no explicit enable
+- * control.
+- */
+- if (!iqs7222_sl_events[i].enable || reg_offset)
+- continue;
+-
+- sldr_setup[9] |= iqs7222_sl_events[i].enable;
+-
+- error = iqs7222_gpio_select(iqs7222, event_node,
+- iqs7222_sl_events[i].enable,
+- 1568 + sldr_index * 30);
+- if (error)
+- return error;
+-
+ if (!dev_desc->event_offset)
+ continue;
+
+- sys_setup[dev_desc->event_offset] |= BIT(10 + sldr_index);
++ /*
++ * The press/release event is determined based on whether the
++ * coordinate field reports 0xFFFF and solely relies on touch
++ * or proximity interrupts to be unmasked.
++ */
++ if (i && !reg_offset)
++ *event_mask |= (IQS7222_EVENT_MASK_SLDR << sldr_index);
++ else if (sldr_setup[4 + reg_offset] == dev_desc->touch_link)
++ *event_mask |= IQS7222_EVENT_MASK_TOUCH;
++ else
++ *event_mask |= IQS7222_EVENT_MASK_PROX;
+ }
+
+ /*
+@@ -2301,29 +2313,37 @@ static int iqs7222_report(struct iqs7222_private *iqs7222)
+ input_report_abs(iqs7222->keypad, iqs7222->sl_axis[i],
+ sldr_pos);
+
+- for (j = 0; j < ARRAY_SIZE(iqs7222_sl_events); j++) {
+- u16 mask = iqs7222_sl_events[j].mask;
+- u16 val = iqs7222_sl_events[j].val;
++ input_report_key(iqs7222->keypad, iqs7222->sl_code[i][0],
++ sldr_pos < dev_desc->sldr_res);
+
+- if (!iqs7222_sl_events[j].enable) {
+- input_report_key(iqs7222->keypad,
+- iqs7222->sl_code[i][j],
+- sldr_pos < dev_desc->sldr_res);
+- continue;
+- }
++ /*
++ * A maximum resolution indicates the device does not support
++ * gestures, in which case the remaining fields are ignored.
++ */
++ if (dev_desc->sldr_res == U16_MAX)
++ continue;
+
+- /*
+- * The remaining offsets represent gesture state, and
+- * are discarded in the case of IQS7222C because only
+- * absolute position is reported.
+- */
+- if (num_stat < IQS7222_MAX_COLS_STAT)
+- continue;
++ if (!(le16_to_cpu(status[1]) & IQS7222_EVENT_MASK_SLDR << i))
++ continue;
++
++ /*
++ * Skip the press/release event, as it does not have separate
++ * status fields and is handled separately.
++ */
++ for (j = 1; j < ARRAY_SIZE(iqs7222_sl_events); j++) {
++ u16 mask = iqs7222_sl_events[j].mask;
++ u16 val = iqs7222_sl_events[j].val;
+
+ input_report_key(iqs7222->keypad,
+ iqs7222->sl_code[i][j],
+ (state & mask) == val);
+ }
++
++ input_sync(iqs7222->keypad);
++
++ for (j = 1; j < ARRAY_SIZE(iqs7222_sl_events); j++)
++ input_report_key(iqs7222->keypad,
++ iqs7222->sl_code[i][j], 0);
+ }
+
+ input_sync(iqs7222->keypad);
+--
+2.37.2
+
--- /dev/null
+From 8635c68891c6d786d644747d599c41bdf512fbbf Mon Sep 17 00:00:00 2001
+From: Jeff LaBundy <jeff@labundy.com>
+Date: Mon, 27 Jun 2022 15:15:09 -0700
+Subject: Input: iqs7222 - handle reset during ATI
+
+From: Jeff LaBundy <jeff@labundy.com>
+
+commit 8635c68891c6d786d644747d599c41bdf512fbbf upstream.
+
+If the device suffers a spurious reset during ATI, there is no point
+in enduring any further retries. Instead, simply return successfully
+from the polling loop.
+
+In this case, the interrupt handler will intervene and recognize the
+device has been reset. It then proceeds to initialize the device and
+trigger ATI once more.
+
+As part of this change, swap the order of status field evaluation to
+match that of the interrupt handler, and correct a nearby off-by-one
+error that causes an error message to suggest the final attempt will
+be retried.
+
+Fixes: e505edaedcb9 ("Input: add support for Azoteq IQS7222A/B/C")
+Signed-off-by: Jeff LaBundy <jeff@labundy.com>
+Link: https://lore.kernel.org/r/20220626072412.475211-6-jeff@labundy.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/iqs7222.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/input/misc/iqs7222.c b/drivers/input/misc/iqs7222.c
+index aa46f2cd4d34..e65260d290cc 100644
+--- a/drivers/input/misc/iqs7222.c
++++ b/drivers/input/misc/iqs7222.c
+@@ -1314,12 +1314,15 @@ static int iqs7222_ati_trigger(struct iqs7222_private *iqs7222)
+ if (error)
+ return error;
+
+- if (sys_status & IQS7222_SYS_STATUS_ATI_ACTIVE)
+- continue;
++ if (sys_status & IQS7222_SYS_STATUS_RESET)
++ return 0;
+
+ if (sys_status & IQS7222_SYS_STATUS_ATI_ERROR)
+ break;
+
++ if (sys_status & IQS7222_SYS_STATUS_ATI_ACTIVE)
++ continue;
++
+ /*
+ * Use stream-in-touch mode if either slider reports
+ * absolute position.
+@@ -1336,7 +1339,7 @@ static int iqs7222_ati_trigger(struct iqs7222_private *iqs7222)
+ dev_err(&client->dev,
+ "ATI attempt %d of %d failed with status 0x%02X, %s\n",
+ i + 1, IQS7222_NUM_RETRIES, (u8)sys_status,
+- i < IQS7222_NUM_RETRIES ? "retrying..." : "stopping");
++ i + 1 < IQS7222_NUM_RETRIES ? "retrying" : "stopping");
+ }
+
+ return -ETIMEDOUT;
+--
+2.37.2
+
--- /dev/null
+From 1e4189d8af2749e2db406f92bdc4abccbab63138 Mon Sep 17 00:00:00 2001
+From: Jeff LaBundy <jeff@labundy.com>
+Date: Mon, 27 Jun 2022 15:14:23 -0700
+Subject: Input: iqs7222 - protect volatile registers
+
+From: Jeff LaBundy <jeff@labundy.com>
+
+commit 1e4189d8af2749e2db406f92bdc4abccbab63138 upstream.
+
+Select variants of silicon silently mirror part of the event mask
+register to the system setup register (0xD0), and vice versa. For
+the following sequence:
+
+1. Read registers 0xD0 onward and store their contents.
+2. Modify the contents, including event mask fields.
+3. Write registers 0xD0 onward with the modified contents.
+4. Write register 0xD0 on its own again later, using the contents
+ from step 1 to populate any reserved fields.
+
+...the event mask register (e.g. address 0xDA) has been corrupted
+by writing register 0xD0 with contents that were made stale after
+step 3.
+
+To solve this problem, read register 0xD0 once more between steps
+3 and 4. When register 0xD0 is written during step 4, the portion
+which is mirrored to the event mask register already matches what
+was written in step 3.
+
+Fixes: e505edaedcb9 ("Input: add support for Azoteq IQS7222A/B/C")
+Signed-off-by: Jeff LaBundy <jeff@labundy.com>
+Link: https://lore.kernel.org/r/20220626072412.475211-4-jeff@labundy.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/iqs7222.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/input/misc/iqs7222.c b/drivers/input/misc/iqs7222.c
+index 57616a7ebeae..c46d3c8f0230 100644
+--- a/drivers/input/misc/iqs7222.c
++++ b/drivers/input/misc/iqs7222.c
+@@ -1274,9 +1274,22 @@ static int iqs7222_ati_trigger(struct iqs7222_private *iqs7222)
+ struct i2c_client *client = iqs7222->client;
+ ktime_t ati_timeout;
+ u16 sys_status = 0;
+- u16 sys_setup = iqs7222->sys_setup[0] & ~IQS7222_SYS_SETUP_ACK_RESET;
++ u16 sys_setup;
+ int error, i;
+
++ /*
++ * The reserved fields of the system setup register may have changed
++ * as a result of other registers having been written. As such, read
++ * the register's latest value to avoid unexpected behavior when the
++ * register is written in the loop that follows.
++ */
++ error = iqs7222_read_word(iqs7222, IQS7222_SYS_SETUP, &sys_setup);
++ if (error)
++ return error;
++
++ sys_setup &= ~IQS7222_SYS_SETUP_INTF_MODE_MASK;
++ sys_setup &= ~IQS7222_SYS_SETUP_PWR_MODE_MASK;
++
+ for (i = 0; i < IQS7222_NUM_RETRIES; i++) {
+ /*
+ * Trigger ATI from streaming and normal-power modes so that
+@@ -2241,9 +2254,6 @@ static int iqs7222_parse_all(struct iqs7222_private *iqs7222)
+ return error;
+ }
+
+- sys_setup[0] &= ~IQS7222_SYS_SETUP_INTF_MODE_MASK;
+- sys_setup[0] &= ~IQS7222_SYS_SETUP_PWR_MODE_MASK;
+-
+ sys_setup[0] |= IQS7222_SYS_SETUP_ACK_RESET;
+
+ return iqs7222_parse_props(iqs7222, NULL, 0, IQS7222_REG_GRP_SYS,
+--
+2.37.2
+
--- /dev/null
+From 381932cf61d52bde656c8596c0cb8f46bed53dc0 Mon Sep 17 00:00:00 2001
+From: Jeff LaBundy <jeff@labundy.com>
+Date: Mon, 27 Jun 2022 15:15:25 -0700
+Subject: Input: iqs7222 - remove support for RF filter
+
+From: Jeff LaBundy <jeff@labundy.com>
+
+commit 381932cf61d52bde656c8596c0cb8f46bed53dc0 upstream.
+
+The vendor has marked the RF filter enable control as reserved in
+the datasheet; remove it from the driver.
+
+Fixes: e505edaedcb9 ("Input: add support for Azoteq IQS7222A/B/C")
+Signed-off-by: Jeff LaBundy <jeff@labundy.com>
+Link: https://lore.kernel.org/r/20220626072412.475211-7-jeff@labundy.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/iqs7222.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/drivers/input/misc/iqs7222.c b/drivers/input/misc/iqs7222.c
+index e65260d290cc..b2e8097a2e6d 100644
+--- a/drivers/input/misc/iqs7222.c
++++ b/drivers/input/misc/iqs7222.c
+@@ -557,13 +557,6 @@ static const struct iqs7222_prop_desc iqs7222_props[] = {
+ .reg_width = 4,
+ .label = "current reference trim",
+ },
+- {
+- .name = "azoteq,rf-filt-enable",
+- .reg_grp = IQS7222_REG_GRP_GLBL,
+- .reg_offset = 0,
+- .reg_shift = 15,
+- .reg_width = 1,
+- },
+ {
+ .name = "azoteq,max-counts",
+ .reg_grp = IQS7222_REG_GRP_GLBL,
+--
+2.37.2
+
--- /dev/null
+From d6ed52583034f9d2e39dead7c18e03380fd4edf2 Mon Sep 17 00:00:00 2001
+From: Mattijs Korpershoek <mkorpershoek@baylibre.com>
+Date: Fri, 8 Jul 2022 14:57:31 -0700
+Subject: Input: mt6779-keypad - match hardware matrix organization
+
+From: Mattijs Korpershoek <mkorpershoek@baylibre.com>
+
+commit d6ed52583034f9d2e39dead7c18e03380fd4edf2 upstream.
+
+The MediaTek keypad has a set of bits representing keys,
+from KEY0 to KEY77, arranged in 5 chunks of 15 bits split into 5 32-bit
+registers.
+
+In our implementation, we simply decided to use register number as row
+and offset in the register as column when encoding our "matrix".
+
+Because of this, we can have a 5x32 matrix which does not match the
+hardware at all, which is confusing.
+
+Change the row/column calculation to match the hardware.
+
+Fixes: f28af984e771 ("Input: mt6779-keypad - add MediaTek keypad driver")
+Co-developed-by: Fabien Parent <fparent@baylibre.com>
+Signed-off-by: Fabien Parent <fparent@baylibre.com>
+Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
+Link: https://lore.kernel.org/r/20220707075236.126631-2-mkorpershoek@baylibre.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/keyboard/mt6779-keypad.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/input/keyboard/mt6779-keypad.c b/drivers/input/keyboard/mt6779-keypad.c
+index 2e7c9187c10f..bd86cb95bde3 100644
+--- a/drivers/input/keyboard/mt6779-keypad.c
++++ b/drivers/input/keyboard/mt6779-keypad.c
+@@ -42,7 +42,7 @@ static irqreturn_t mt6779_keypad_irq_handler(int irq, void *dev_id)
+ const unsigned short *keycode = keypad->input_dev->keycode;
+ DECLARE_BITMAP(new_state, MTK_KPD_NUM_BITS);
+ DECLARE_BITMAP(change, MTK_KPD_NUM_BITS);
+- unsigned int bit_nr;
++ unsigned int bit_nr, key;
+ unsigned int row, col;
+ unsigned int scancode;
+ unsigned int row_shift = get_count_order(keypad->n_cols);
+@@ -61,8 +61,10 @@ static irqreturn_t mt6779_keypad_irq_handler(int irq, void *dev_id)
+ if (bit_nr % 32 >= 16)
+ continue;
+
+- row = bit_nr / 32;
+- col = bit_nr % 32;
++ key = bit_nr / 32 * 16 + bit_nr % 32;
++ row = key / 9;
++ col = key % 9;
++
+ scancode = MATRIX_SCAN_CODE(row, col, row_shift);
+ /* 1: not pressed, 0: pressed */
+ pressed = !test_bit(bit_nr, new_state);
+--
+2.37.2
+
--- /dev/null
+From ab7e2e0dfa5d37540ab1dc5376e9a2cb9188925d Mon Sep 17 00:00:00 2001
+From: Matthias May <matthias.may@westermo.com>
+Date: Fri, 5 Aug 2022 21:19:06 +0200
+Subject: ipv6: do not use RT_TOS for IPv6 flowlabel
+
+From: Matthias May <matthias.may@westermo.com>
+
+commit ab7e2e0dfa5d37540ab1dc5376e9a2cb9188925d upstream.
+
+According to Guillaume Nault RT_TOS should never be used for IPv6.
+
+Quote:
+RT_TOS() is an old macro used to interprete IPv4 TOS as described in
+the obsolete RFC 1349. It's conceptually wrong to use it even in IPv4
+code, although, given the current state of the code, most of the
+existing calls have no consequence.
+
+But using RT_TOS() in IPv6 code is always a bug: IPv6 never had a "TOS"
+field to be interpreted the RFC 1349 way. There's no historical
+compatibility to worry about.
+
+Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
+Acked-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Matthias May <matthias.may@westermo.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1311,8 +1311,7 @@ struct dst_entry *ip6_dst_lookup_tunnel(
+ fl6.daddr = info->key.u.ipv6.dst;
+ fl6.saddr = info->key.u.ipv6.src;
+ prio = info->key.tos;
+- fl6.flowlabel = ip6_make_flowinfo(RT_TOS(prio),
+- info->key.label);
++ fl6.flowlabel = ip6_make_flowinfo(prio, info->key.label);
+
+ dst = ipv6_stub->ipv6_dst_lookup_flow(net, sock->sk, &fl6,
+ NULL);
--- /dev/null
+From 3c2bf173501652fced1d058834e9c983d295b126 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Mon, 30 May 2022 19:17:12 -0700
+Subject: m68k: coldfire/device.c: protect FLEXCAN blocks
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 3c2bf173501652fced1d058834e9c983d295b126 upstream.
+
+When CAN_FLEXCAN=y and M5441x is not set/enabled, there are build
+errors in coldfire/device.c:
+
+../arch/m68k/coldfire/device.c:595:26: error: 'MCFFLEXCAN_BASE0' undeclared here (not in a function); did you mean 'MCFDMA_BASE0'?
+ 595 | .start = MCFFLEXCAN_BASE0,
+../arch/m68k/coldfire/device.c:596:43: error: 'MCFFLEXCAN_SIZE' undeclared here (not in a function)
+ 596 | .end = MCFFLEXCAN_BASE0 + MCFFLEXCAN_SIZE,
+../arch/m68k/coldfire/device.c:600:26: error: 'MCF_IRQ_IFL0' undeclared here (not in a function); did you mean 'MCF_IRQ_I2C0'?
+ 600 | .start = MCF_IRQ_IFL0,
+../arch/m68k/coldfire/device.c:605:26: error: 'MCF_IRQ_BOFF0' undeclared here (not in a function); did you mean 'MCF_IRQ_I2C0'?
+ 605 | .start = MCF_IRQ_BOFF0,
+../arch/m68k/coldfire/device.c:610:26: error: 'MCF_IRQ_ERR0' undeclared here (not in a function); did you mean 'MCF_IRQ_I2C0'?
+ 610 | .start = MCF_IRQ_ERR0,
+
+Protect the FLEXCAN code blocks by checking if MCFFLEXCAN_SIZE
+is defined.
+
+Fixes: 35a9f9363a89 ("m68k: m5441x: add flexcan support")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Greg Ungerer <gerg@linux-m68k.org>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: linux-m68k@lists.linux-m68k.org
+Cc: uclinux-dev@uclinux.org
+Cc: Angelo Dureghello <angelo@kernel-space.org>
+Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/m68k/coldfire/device.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/m68k/coldfire/device.c
++++ b/arch/m68k/coldfire/device.c
+@@ -581,7 +581,7 @@ static struct platform_device mcf_esdhc
+ };
+ #endif /* MCFSDHC_BASE */
+
+-#if IS_ENABLED(CONFIG_CAN_FLEXCAN)
++#ifdef MCFFLEXCAN_SIZE
+
+ #include <linux/can/platform/flexcan.h>
+
+@@ -620,7 +620,7 @@ static struct platform_device mcf_flexca
+ .resource = mcf5441x_flexcan0_resource,
+ .dev.platform_data = &mcf5441x_flexcan_info,
+ };
+-#endif /* IS_ENABLED(CONFIG_CAN_FLEXCAN) */
++#endif /* MCFFLEXCAN_SIZE */
+
+ static struct platform_device *mcf_devices[] __initdata = {
+ &mcf_uart,
+@@ -657,7 +657,7 @@ static struct platform_device *mcf_devic
+ #ifdef MCFSDHC_BASE
+ &mcf_esdhc,
+ #endif
+-#if IS_ENABLED(CONFIG_CAN_FLEXCAN)
++#ifdef MCFFLEXCAN_SIZE
+ &mcf_flexcan0,
+ #endif
+ };
--- /dev/null
+From bcb0da7fffee9464073998b267ce5543da2356d2 Mon Sep 17 00:00:00 2001
+From: Matthias May <matthias.may@westermo.com>
+Date: Fri, 5 Aug 2022 21:19:05 +0200
+Subject: mlx5: do not use RT_TOS for IPv6 flowlabel
+
+From: Matthias May <matthias.may@westermo.com>
+
+commit bcb0da7fffee9464073998b267ce5543da2356d2 upstream.
+
+According to Guillaume Nault RT_TOS should never be used for IPv6.
+
+Quote:
+RT_TOS() is an old macro used to interprete IPv4 TOS as described in
+the obsolete RFC 1349. It's conceptually wrong to use it even in IPv4
+code, although, given the current state of the code, most of the
+existing calls have no consequence.
+
+But using RT_TOS() in IPv6 code is always a bug: IPv6 never had a "TOS"
+field to be interpreted the RFC 1349 way. There's no historical
+compatibility to worry about.
+
+Fixes: ce99f6b97fcd ("net/mlx5e: Support SRIOV TC encapsulation offloads for IPv6 tunnels")
+Acked-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Matthias May <matthias.may@westermo.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+@@ -506,7 +506,7 @@ int mlx5e_tc_tun_create_header_ipv6(stru
+ int err;
+
+ attr.ttl = tun_key->ttl;
+- attr.fl.fl6.flowlabel = ip6_make_flowinfo(RT_TOS(tun_key->tos), tun_key->label);
++ attr.fl.fl6.flowlabel = ip6_make_flowinfo(tun_key->tos, tun_key->label);
+ attr.fl.fl6.daddr = tun_key->u.ipv6.dst;
+ attr.fl.fl6.saddr = tun_key->u.ipv6.src;
+
+@@ -620,7 +620,7 @@ int mlx5e_tc_tun_update_header_ipv6(stru
+
+ attr.ttl = tun_key->ttl;
+
+- attr.fl.fl6.flowlabel = ip6_make_flowinfo(RT_TOS(tun_key->tos), tun_key->label);
++ attr.fl.fl6.flowlabel = ip6_make_flowinfo(tun_key->tos, tun_key->label);
+ attr.fl.fl6.daddr = tun_key->u.ipv6.dst;
+ attr.fl.fl6.saddr = tun_key->u.ipv6.src;
+
--- /dev/null
+From f1d41f7720c89705c20e4335a807b1c518c2e7be Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Tue, 2 Aug 2022 18:33:24 +0200
+Subject: mptcp, btf: Add struct mptcp_sock definition when CONFIG_MPTCP is disabled
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+commit f1d41f7720c89705c20e4335a807b1c518c2e7be upstream.
+
+The btf_sock_ids array needs struct mptcp_sock BTF ID for the
+bpf_skc_to_mptcp_sock helper.
+
+When CONFIG_MPTCP is disabled, the 'struct mptcp_sock' is not
+defined and resolve_btfids will complain with:
+
+ [...]
+ BTFIDS vmlinux
+ WARN: resolve_btfids: unresolved symbol mptcp_sock
+ [...]
+
+Add an empty definition for struct mptcp_sock when CONFIG_MPTCP
+is disabled.
+
+Fixes: 3bc253c2e652 ("bpf: Add bpf_skc_to_mptcp_sock_proto")
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/bpf/20220802163324.1873044-1-jolsa@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/mptcp.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/include/net/mptcp.h
++++ b/include/net/mptcp.h
+@@ -290,4 +290,8 @@ struct mptcp_sock *bpf_mptcp_sock_from_s
+ static inline struct mptcp_sock *bpf_mptcp_sock_from_subflow(struct sock *sk) { return NULL; }
+ #endif
+
++#if !IS_ENABLED(CONFIG_MPTCP)
++struct mptcp_sock { };
++#endif
++
+ #endif /* __NET_MPTCP_H */
--- /dev/null
+From c886d70286bf3ad411eb3d689328a67f7102c6ae Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 4 Aug 2022 17:21:26 -0700
+Subject: mptcp: do not queue data on closed subflows
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit c886d70286bf3ad411eb3d689328a67f7102c6ae upstream.
+
+Dipanjan reported a syzbot splat at close time:
+
+WARNING: CPU: 1 PID: 10818 at net/ipv4/af_inet.c:153
+inet_sock_destruct+0x6d0/0x8e0 net/ipv4/af_inet.c:153
+Modules linked in: uio_ivshmem(OE) uio(E)
+CPU: 1 PID: 10818 Comm: kworker/1:16 Tainted: G OE
+5.19.0-rc6-g2eae0556bb9d #2
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.13.0-1ubuntu1.1 04/01/2014
+Workqueue: events mptcp_worker
+RIP: 0010:inet_sock_destruct+0x6d0/0x8e0 net/ipv4/af_inet.c:153
+Code: 21 02 00 00 41 8b 9c 24 28 02 00 00 e9 07 ff ff ff e8 34 4d 91
+f9 89 ee 4c 89 e7 e8 4a 47 60 ff e9 a6 fc ff ff e8 20 4d 91 f9 <0f> 0b
+e9 84 fe ff ff e8 14 4d 91 f9 0f 0b e9 d4 fd ff ff e8 08 4d
+RSP: 0018:ffffc9001b35fa78 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 00000000002879d0 RCX: ffff8881326f3b00
+RDX: 0000000000000000 RSI: ffff8881326f3b00 RDI: 0000000000000002
+RBP: ffff888179662674 R08: ffffffff87e983a0 R09: 0000000000000000
+R10: 0000000000000005 R11: 00000000000004ea R12: ffff888179662400
+R13: ffff888179662428 R14: 0000000000000001 R15: ffff88817e38e258
+FS: 0000000000000000(0000) GS:ffff8881f5f00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020007bc0 CR3: 0000000179592000 CR4: 0000000000150ee0
+Call Trace:
+ <TASK>
+ __sk_destruct+0x4f/0x8e0 net/core/sock.c:2067
+ sk_destruct+0xbd/0xe0 net/core/sock.c:2112
+ __sk_free+0xef/0x3d0 net/core/sock.c:2123
+ sk_free+0x78/0xa0 net/core/sock.c:2134
+ sock_put include/net/sock.h:1927 [inline]
+ __mptcp_close_ssk+0x50f/0x780 net/mptcp/protocol.c:2351
+ __mptcp_destroy_sock+0x332/0x760 net/mptcp/protocol.c:2828
+ mptcp_worker+0x5d2/0xc90 net/mptcp/protocol.c:2586
+ process_one_work+0x9cc/0x1650 kernel/workqueue.c:2289
+ worker_thread+0x623/0x1070 kernel/workqueue.c:2436
+ kthread+0x2e9/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
+ </TASK>
+
+The root cause of the problem is that an mptcp-level (re)transmit can
+race with mptcp_close() and the packet scheduler checks the subflow
+state before acquiring the socket lock: we can try to (re)transmit on
+an already closed ssk.
+
+Fix the issue checking again the subflow socket status under the
+subflow socket lock protection. Additionally add the missing check
+for the fallback-to-tcp case.
+
+Fixes: d5f49190def6 ("mptcp: allow picking different xmit subflows")
+Reported-by: Dipanjan Das <mail.dipanjan.das@gmail.com>
+Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 8 +++++++-
+ net/mptcp/protocol.h | 11 +++++++----
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -1276,6 +1276,9 @@ static int mptcp_sendmsg_frag(struct soc
+ info->limit > dfrag->data_len))
+ return 0;
+
++ if (unlikely(!__tcp_can_send(ssk)))
++ return -EAGAIN;
++
+ /* compute send limit */
+ info->mss_now = tcp_send_mss(ssk, &info->size_goal, info->flags);
+ copy = info->size_goal;
+@@ -1449,7 +1452,8 @@ static struct sock *mptcp_subflow_get_se
+ if (__mptcp_check_fallback(msk)) {
+ if (!msk->first)
+ return NULL;
+- return sk_stream_memory_free(msk->first) ? msk->first : NULL;
++ return __tcp_can_send(msk->first) &&
++ sk_stream_memory_free(msk->first) ? msk->first : NULL;
+ }
+
+ /* re-use last subflow, if the burst allow that */
+@@ -1600,6 +1604,8 @@ void __mptcp_push_pending(struct sock *s
+
+ ret = mptcp_sendmsg_frag(sk, ssk, dfrag, &info);
+ if (ret <= 0) {
++ if (ret == -EAGAIN)
++ continue;
+ mptcp_push_release(ssk, &info);
+ goto out;
+ }
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -625,16 +625,19 @@ void mptcp_info2sockaddr(const struct mp
+ struct sockaddr_storage *addr,
+ unsigned short family);
+
+-static inline bool __mptcp_subflow_active(struct mptcp_subflow_context *subflow)
++static inline bool __tcp_can_send(const struct sock *ssk)
+ {
+- struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
++ /* only send if our side has not closed yet */
++ return ((1 << inet_sk_state_load(ssk)) & (TCPF_ESTABLISHED | TCPF_CLOSE_WAIT));
++}
+
++static inline bool __mptcp_subflow_active(struct mptcp_subflow_context *subflow)
++{
+ /* can't send if JOIN hasn't completed yet (i.e. is usable for mptcp) */
+ if (subflow->request_join && !subflow->fully_established)
+ return false;
+
+- /* only send if our side has not closed yet */
+- return ((1 << ssk->sk_state) & (TCPF_ESTABLISHED | TCPF_CLOSE_WAIT));
++ return __tcp_can_send(mptcp_subflow_tcp_sock(subflow));
+ }
+
+ void mptcp_subflow_set_active(struct mptcp_subflow_context *subflow);
--- /dev/null
+From c0bf3c6aa444a5ef44acc57ef6cfa53fd4fc1c9b Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 4 Aug 2022 17:21:25 -0700
+Subject: mptcp: move subflow cleanup in mptcp_destroy_common()
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit c0bf3c6aa444a5ef44acc57ef6cfa53fd4fc1c9b upstream.
+
+If the mptcp socket creation fails due to a CGROUP_INET_SOCK_CREATE
+eBPF program, the MPTCP protocol ends-up leaking all the subflows:
+the related cleanup happens in __mptcp_destroy_sock() that is not
+invoked in such code path.
+
+Address the issue moving the subflow sockets cleanup in the
+mptcp_destroy_common() helper, which is invoked in every msk cleanup
+path.
+
+Additionally get rid of the intermediate list_splice_init step, which
+is an unneeded relic from the past.
+
+The issue is present since before the reported root cause commit, but
+any attempt to backport the fix before that hash will require a complete
+rewrite.
+
+Fixes: e16163b6e2 ("mptcp: refactor shutdown and close")
+Reported-by: Nguyen Dinh Phi <phind.uet@gmail.com>
+Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Co-developed-by: Nguyen Dinh Phi <phind.uet@gmail.com>
+Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 39 +++++++++++++++------------------------
+ net/mptcp/protocol.h | 2 +-
+ net/mptcp/subflow.c | 3 ++-
+ 3 files changed, 18 insertions(+), 26 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -2805,30 +2805,16 @@ static void __mptcp_wr_shutdown(struct s
+
+ static void __mptcp_destroy_sock(struct sock *sk)
+ {
+- struct mptcp_subflow_context *subflow, *tmp;
+ struct mptcp_sock *msk = mptcp_sk(sk);
+- LIST_HEAD(conn_list);
+
+ pr_debug("msk=%p", msk);
+
+ might_sleep();
+
+- /* join list will be eventually flushed (with rst) at sock lock release time*/
+- list_splice_init(&msk->conn_list, &conn_list);
+-
+ mptcp_stop_timer(sk);
+ sk_stop_timer(sk, &sk->sk_timer);
+ msk->pm.status = 0;
+
+- /* clears msk->subflow, allowing the following loop to close
+- * even the initial subflow
+- */
+- mptcp_dispose_initial_subflow(msk);
+- list_for_each_entry_safe(subflow, tmp, &conn_list, node) {
+- struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
+- __mptcp_close_ssk(sk, ssk, subflow, 0);
+- }
+-
+ sk->sk_prot->destroy(sk);
+
+ WARN_ON_ONCE(msk->rmem_fwd_alloc);
+@@ -2920,24 +2906,20 @@ static void mptcp_copy_inaddrs(struct so
+
+ static int mptcp_disconnect(struct sock *sk, int flags)
+ {
+- struct mptcp_subflow_context *subflow, *tmp;
+ struct mptcp_sock *msk = mptcp_sk(sk);
+
+ inet_sk_state_store(sk, TCP_CLOSE);
+
+- list_for_each_entry_safe(subflow, tmp, &msk->conn_list, node) {
+- struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
+-
+- __mptcp_close_ssk(sk, ssk, subflow, MPTCP_CF_FASTCLOSE);
+- }
+-
+ mptcp_stop_timer(sk);
+ sk_stop_timer(sk, &sk->sk_timer);
+
+ if (mptcp_sk(sk)->token)
+ mptcp_event(MPTCP_EVENT_CLOSED, mptcp_sk(sk), NULL, GFP_KERNEL);
+
+- mptcp_destroy_common(msk);
++ /* msk->subflow is still intact, the following will not free the first
++ * subflow
++ */
++ mptcp_destroy_common(msk, MPTCP_CF_FASTCLOSE);
+ msk->last_snd = NULL;
+ WRITE_ONCE(msk->flags, 0);
+ msk->cb_flags = 0;
+@@ -3087,12 +3069,17 @@ out:
+ return newsk;
+ }
+
+-void mptcp_destroy_common(struct mptcp_sock *msk)
++void mptcp_destroy_common(struct mptcp_sock *msk, unsigned int flags)
+ {
++ struct mptcp_subflow_context *subflow, *tmp;
+ struct sock *sk = (struct sock *)msk;
+
+ __mptcp_clear_xmit(sk);
+
++ /* join list will be eventually flushed (with rst) at sock lock release time */
++ list_for_each_entry_safe(subflow, tmp, &msk->conn_list, node)
++ __mptcp_close_ssk(sk, mptcp_subflow_tcp_sock(subflow), subflow, flags);
++
+ /* move to sk_receive_queue, sk_stream_kill_queues will purge it */
+ mptcp_data_lock(sk);
+ skb_queue_splice_tail_init(&msk->receive_queue, &sk->sk_receive_queue);
+@@ -3114,7 +3101,11 @@ static void mptcp_destroy(struct sock *s
+ {
+ struct mptcp_sock *msk = mptcp_sk(sk);
+
+- mptcp_destroy_common(msk);
++ /* clears msk->subflow, allowing the following to close
++ * even the initial subflow
++ */
++ mptcp_dispose_initial_subflow(msk);
++ mptcp_destroy_common(msk, 0);
+ sk_sockets_allocated_dec(sk);
+ }
+
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -718,7 +718,7 @@ static inline void mptcp_write_space(str
+ }
+ }
+
+-void mptcp_destroy_common(struct mptcp_sock *msk);
++void mptcp_destroy_common(struct mptcp_sock *msk, unsigned int flags);
+
+ #define MPTCP_TOKEN_MAX_RETRIES 4
+
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -621,7 +621,8 @@ static void mptcp_sock_destruct(struct s
+ sock_orphan(sk);
+ }
+
+- mptcp_destroy_common(mptcp_sk(sk));
++ /* We don't need to clear msk->subflow, as it's still NULL at this point */
++ mptcp_destroy_common(mptcp_sk(sk), 0);
+ inet_sock_destruct(sk);
+ }
+
--- /dev/null
+From 2ba5e47fb75fbb8fab45f5c1bc8d5c33d8834bd3 Mon Sep 17 00:00:00 2001
+From: "Chia-Lin Kao (AceLan)" <acelan.kao@canonical.com>
+Date: Mon, 8 Aug 2022 16:18:45 +0800
+Subject: net: atlantic: fix aq_vec index out of range error
+
+From: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
+
+commit 2ba5e47fb75fbb8fab45f5c1bc8d5c33d8834bd3 upstream.
+
+The final update statement of the for loop exceeds the array range, the
+dereference of self->aq_vec[i] is not checked and then leads to the
+index out of range error.
+Also fixed this kind of coding style in other for loop.
+
+[ 97.937604] UBSAN: array-index-out-of-bounds in drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1404:48
+[ 97.937607] index 8 is out of range for type 'aq_vec_s *[8]'
+[ 97.937608] CPU: 38 PID: 3767 Comm: kworker/u256:18 Not tainted 5.19.0+ #2
+[ 97.937610] Hardware name: Dell Inc. Precision 7865 Tower/, BIOS 1.0.0 06/12/2022
+[ 97.937611] Workqueue: events_unbound async_run_entry_fn
+[ 97.937616] Call Trace:
+[ 97.937617] <TASK>
+[ 97.937619] dump_stack_lvl+0x49/0x63
+[ 97.937624] dump_stack+0x10/0x16
+[ 97.937626] ubsan_epilogue+0x9/0x3f
+[ 97.937627] __ubsan_handle_out_of_bounds.cold+0x44/0x49
+[ 97.937629] ? __scm_send+0x348/0x440
+[ 97.937632] ? aq_vec_stop+0x72/0x80 [atlantic]
+[ 97.937639] aq_nic_stop+0x1b6/0x1c0 [atlantic]
+[ 97.937644] aq_suspend_common+0x88/0x90 [atlantic]
+[ 97.937648] aq_pm_suspend_poweroff+0xe/0x20 [atlantic]
+[ 97.937653] pci_pm_suspend+0x7e/0x1a0
+[ 97.937655] ? pci_pm_suspend_noirq+0x2b0/0x2b0
+[ 97.937657] dpm_run_callback+0x54/0x190
+[ 97.937660] __device_suspend+0x14c/0x4d0
+[ 97.937661] async_suspend+0x23/0x70
+[ 97.937663] async_run_entry_fn+0x33/0x120
+[ 97.937664] process_one_work+0x21f/0x3f0
+[ 97.937666] worker_thread+0x4a/0x3c0
+[ 97.937668] ? process_one_work+0x3f0/0x3f0
+[ 97.937669] kthread+0xf0/0x120
+[ 97.937671] ? kthread_complete_and_exit+0x20/0x20
+[ 97.937672] ret_from_fork+0x22/0x30
+[ 97.937676] </TASK>
+
+v2. fixed "warning: variable 'aq_vec' set but not used"
+
+v3. simplified a for loop
+
+Fixes: 97bde5c4f909 ("net: ethernet: aquantia: Support for NIC-specific code")
+Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
+Acked-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Link: https://lore.kernel.org/r/20220808081845.42005-1-acelan.kao@canonical.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 21 ++++++++-------------
+ 1 file changed, 8 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+@@ -265,12 +265,10 @@ static void aq_nic_service_timer_cb(stru
+ static void aq_nic_polling_timer_cb(struct timer_list *t)
+ {
+ struct aq_nic_s *self = from_timer(self, t, polling_timer);
+- struct aq_vec_s *aq_vec = NULL;
+ unsigned int i = 0U;
+
+- for (i = 0U, aq_vec = self->aq_vec[0];
+- self->aq_vecs > i; ++i, aq_vec = self->aq_vec[i])
+- aq_vec_isr(i, (void *)aq_vec);
++ for (i = 0U; self->aq_vecs > i; ++i)
++ aq_vec_isr(i, (void *)self->aq_vec[i]);
+
+ mod_timer(&self->polling_timer, jiffies +
+ AQ_CFG_POLLING_TIMER_INTERVAL);
+@@ -1014,7 +1012,6 @@ int aq_nic_get_regs_count(struct aq_nic_
+
+ u64 *aq_nic_get_stats(struct aq_nic_s *self, u64 *data)
+ {
+- struct aq_vec_s *aq_vec = NULL;
+ struct aq_stats_s *stats;
+ unsigned int count = 0U;
+ unsigned int i = 0U;
+@@ -1064,11 +1061,11 @@ u64 *aq_nic_get_stats(struct aq_nic_s *s
+ data += i;
+
+ for (tc = 0U; tc < self->aq_nic_cfg.tcs; tc++) {
+- for (i = 0U, aq_vec = self->aq_vec[0];
+- aq_vec && self->aq_vecs > i;
+- ++i, aq_vec = self->aq_vec[i]) {
++ for (i = 0U; self->aq_vecs > i; ++i) {
++ if (!self->aq_vec[i])
++ break;
+ data += count;
+- count = aq_vec_get_sw_stats(aq_vec, tc, data);
++ count = aq_vec_get_sw_stats(self->aq_vec[i], tc, data);
+ }
+ }
+
+@@ -1382,7 +1379,6 @@ int aq_nic_set_loopback(struct aq_nic_s
+
+ int aq_nic_stop(struct aq_nic_s *self)
+ {
+- struct aq_vec_s *aq_vec = NULL;
+ unsigned int i = 0U;
+
+ netif_tx_disable(self->ndev);
+@@ -1400,9 +1396,8 @@ int aq_nic_stop(struct aq_nic_s *self)
+
+ aq_ptp_irq_free(self);
+
+- for (i = 0U, aq_vec = self->aq_vec[0];
+- self->aq_vecs > i; ++i, aq_vec = self->aq_vec[i])
+- aq_vec_stop(aq_vec);
++ for (i = 0U; self->aq_vecs > i; ++i)
++ aq_vec_stop(self->aq_vec[i]);
+
+ aq_ptp_ring_stop(self);
+
--- /dev/null
+From c2e75634cbe368065f140dd30bf8b1a0355158fd Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Wed, 10 Aug 2022 09:45:47 -0700
+Subject: net: atm: bring back zatm uAPI
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+commit c2e75634cbe368065f140dd30bf8b1a0355158fd upstream.
+
+Jiri reports that linux-atm does not build without this header.
+Bring it back. It's completely dead code but we can't break
+the build for user space :(
+
+Reported-by: Jiri Slaby <jirislaby@kernel.org>
+Fixes: 052e1f01bfae ("net: atm: remove support for ZeitNet ZN122x ATM devices")
+Link: https://lore.kernel.org/all/8576aef3-37e4-8bae-bab5-08f82a78efd3@kernel.org/
+Link: https://lore.kernel.org/r/20220810164547.484378-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/atm_zatm.h | 47 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 47 insertions(+)
+ create mode 100644 include/uapi/linux/atm_zatm.h
+
+diff --git a/include/uapi/linux/atm_zatm.h b/include/uapi/linux/atm_zatm.h
+new file mode 100644
+index 000000000000..5135027b93c1
+--- /dev/null
++++ b/include/uapi/linux/atm_zatm.h
+@@ -0,0 +1,47 @@
++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
++/* atm_zatm.h - Driver-specific declarations of the ZATM driver (for use by
++ driver-specific utilities) */
++
++/* Written 1995-1999 by Werner Almesberger, EPFL LRC/ICA */
++
++
++#ifndef LINUX_ATM_ZATM_H
++#define LINUX_ATM_ZATM_H
++
++/*
++ * Note: non-kernel programs including this file must also include
++ * sys/types.h for struct timeval
++ */
++
++#include <linux/atmapi.h>
++#include <linux/atmioc.h>
++
++#define ZATM_GETPOOL _IOW('a',ATMIOC_SARPRV+1,struct atmif_sioc)
++ /* get pool statistics */
++#define ZATM_GETPOOLZ _IOW('a',ATMIOC_SARPRV+2,struct atmif_sioc)
++ /* get statistics and zero */
++#define ZATM_SETPOOL _IOW('a',ATMIOC_SARPRV+3,struct atmif_sioc)
++ /* set pool parameters */
++
++struct zatm_pool_info {
++ int ref_count; /* free buffer pool usage counters */
++ int low_water,high_water; /* refill parameters */
++ int rqa_count,rqu_count; /* queue condition counters */
++ int offset,next_off; /* alignment optimizations: offset */
++ int next_cnt,next_thres; /* repetition counter and threshold */
++};
++
++struct zatm_pool_req {
++ int pool_num; /* pool number */
++ struct zatm_pool_info info; /* actual information */
++};
++
++#define ZATM_OAM_POOL 0 /* free buffer pool for OAM cells */
++#define ZATM_AAL0_POOL 1 /* free buffer pool for AAL0 cells */
++#define ZATM_AAL5_POOL_BASE 2 /* first AAL5 free buffer pool */
++#define ZATM_LAST_POOL ZATM_AAL5_POOL_BASE+10 /* max. 64 kB */
++
++#define ZATM_TIMER_HISTORY_SIZE 16 /* number of timer adjustments to
++ record; must be 2^n */
++
++#endif
+--
+2.37.2
+
--- /dev/null
+From bc3410f250219660a7be032c01c954a53b2c26ab Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Thu, 4 Aug 2022 10:36:04 -0700
+Subject: net: bcmgenet: Indicate MAC is in charge of PHY PM
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit bc3410f250219660a7be032c01c954a53b2c26ab upstream.
+
+Avoid the PHY library call unnecessarily into the suspend/resume functions by
+setting phydev->mac_managed_pm to true. The GENET driver essentially does
+exactly what mdio_bus_phy_resume() does by calling phy_init_hw() plus
+phy_resume().
+
+Fixes: fba863b81604 ("net: phy: make PHY PM ops a no-op if MAC driver manages PHY PM")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20220804173605.1266574-1-f.fainelli@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmmii.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+@@ -393,6 +393,9 @@ int bcmgenet_mii_probe(struct net_device
+ if (priv->internal_phy && !GENET_IS_V5(priv))
+ dev->phydev->irq = PHY_MAC_INTERRUPT;
+
++ /* Indicate that the MAC is responsible for PHY PM */
++ dev->phydev->mac_managed_pm = true;
++
+ return 0;
+ }
+
--- /dev/null
+From 1b7680c6c1f6de9904f1d9b05c952f0c64a03350 Mon Sep 17 00:00:00 2001
+From: Sandor Bodo-Merle <sbodomerle@gmail.com>
+Date: Mon, 8 Aug 2022 19:39:39 +0200
+Subject: net: bgmac: Fix a BUG triggered by wrong bytes_compl
+
+From: Sandor Bodo-Merle <sbodomerle@gmail.com>
+
+commit 1b7680c6c1f6de9904f1d9b05c952f0c64a03350 upstream.
+
+On one of our machines we got:
+
+kernel BUG at lib/dynamic_queue_limits.c:27!
+Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
+CPU: 0 PID: 1166 Comm: irq/41-bgmac Tainted: G W O 4.14.275-rt132 #1
+Hardware name: BRCM XGS iProc
+task: ee3415c0 task.stack: ee32a000
+PC is at dql_completed+0x168/0x178
+LR is at bgmac_poll+0x18c/0x6d8
+pc : [<c03b9430>] lr : [<c04b5a18>] psr: 800a0313
+sp : ee32be14 ip : 000005ea fp : 00000bd4
+r10: ee558500 r9 : c0116298 r8 : 00000002
+r7 : 00000000 r6 : ef128810 r5 : 01993267 r4 : 01993851
+r3 : ee558000 r2 : 000070e1 r1 : 00000bd4 r0 : ee52c180
+Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+Control: 12c5387d Table: 8e88c04a DAC: 00000051
+Process irq/41-bgmac (pid: 1166, stack limit = 0xee32a210)
+Stack: (0xee32be14 to 0xee32c000)
+be00: ee558520 ee52c100 ef128810
+be20: 00000000 00000002 c0116298 c04b5a18 00000000 c0a0c8c4 c0951780 00000040
+be40: c0701780 ee558500 ee55d520 ef05b340 ef6f9780 ee558520 00000001 00000040
+be60: ffffe000 c0a56878 ef6fa040 c0952040 0000012c c0528744 ef6f97b0 fffcfb6a
+be80: c0a04104 2eda8000 c0a0c4ec c0a0d368 ee32bf44 c0153534 ee32be98 ee32be98
+bea0: ee32bea0 ee32bea0 ee32bea8 ee32bea8 00000000 c01462e4 ffffe000 ef6f22a8
+bec0: ffffe000 00000008 ee32bee4 c0147430 ffffe000 c094a2a8 00000003 ffffe000
+bee0: c0a54528 00208040 0000000c c0a0c8c4 c0a65980 c0124d3c 00000008 ee558520
+bf00: c094a23c c0a02080 00000000 c07a9910 ef136970 ef136970 ee30a440 ef136900
+bf20: ee30a440 00000001 ef136900 ee30a440 c016d990 00000000 c0108db0 c012500c
+bf40: ef136900 c016da14 ee30a464 ffffe000 00000001 c016dd14 00000000 c016db28
+bf60: ffffe000 ee21a080 ee30a400 00000000 ee32a000 ee30a440 c016dbfc ee25fd70
+bf80: ee21a09c c013edcc ee32a000 ee30a400 c013ec7c 00000000 00000000 00000000
+bfa0: 00000000 00000000 00000000 c0108470 00000000 00000000 00000000 00000000
+bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
+[<c03b9430>] (dql_completed) from [<c04b5a18>] (bgmac_poll+0x18c/0x6d8)
+[<c04b5a18>] (bgmac_poll) from [<c0528744>] (net_rx_action+0x1c4/0x494)
+[<c0528744>] (net_rx_action) from [<c0124d3c>] (do_current_softirqs+0x1ec/0x43c)
+[<c0124d3c>] (do_current_softirqs) from [<c012500c>] (__local_bh_enable+0x80/0x98)
+[<c012500c>] (__local_bh_enable) from [<c016da14>] (irq_forced_thread_fn+0x84/0x98)
+[<c016da14>] (irq_forced_thread_fn) from [<c016dd14>] (irq_thread+0x118/0x1c0)
+[<c016dd14>] (irq_thread) from [<c013edcc>] (kthread+0x150/0x158)
+[<c013edcc>] (kthread) from [<c0108470>] (ret_from_fork+0x14/0x24)
+Code: a83f15e0 0200001a 0630a0e1 c3ffffea (f201f0e7)
+
+The issue seems similar to commit 90b3b339364c ("net: hisilicon: Fix a BUG
+trigered by wrong bytes_compl") and potentially introduced by commit
+b38c83dd0866 ("bgmac: simplify tx ring index handling").
+
+If there is an RX interrupt between setting ring->end
+and netdev_sent_queue() we can hit the BUG_ON as bgmac_dma_tx_free()
+can miscalculate the queue size while called from bgmac_poll().
+
+The machine which triggered the BUG runs a v4.14 RT kernel - but the issue
+seems present in mainline too.
+
+Fixes: b38c83dd0866 ("bgmac: simplify tx ring index handling")
+Signed-off-by: Sandor Bodo-Merle <sbodomerle@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20220808173939.193804-1-sbodomerle@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bgmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bgmac.c
++++ b/drivers/net/ethernet/broadcom/bgmac.c
+@@ -189,8 +189,8 @@ static netdev_tx_t bgmac_dma_tx_add(stru
+ }
+
+ slot->skb = skb;
+- ring->end += nr_frags + 1;
+ netdev_sent_queue(net_dev, skb->len);
++ ring->end += nr_frags + 1;
+
+ wmb();
+
--- /dev/null
+From 4c46bb49460ee14c69629e813640d8b929e88941 Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Mon, 8 Aug 2022 15:51:27 +0300
+Subject: net: dsa: felix: suppress non-changes to the tagging protocol
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+commit 4c46bb49460ee14c69629e813640d8b929e88941 upstream.
+
+The way in which dsa_tree_change_tag_proto() works is that when
+dsa_tree_notify() fails, it doesn't know whether the operation failed
+mid way in a multi-switch tree, or it failed for a single-switch tree.
+So even though drivers need to fail cleanly in
+ds->ops->change_tag_protocol(), DSA will still call dsa_tree_notify()
+again, to restore the old tag protocol for potential switches in the
+tree where the change did succeeed (before failing for others).
+
+This means for the felix driver that if we report an error in
+felix_change_tag_protocol(), we'll get another call where proto_ops ==
+old_proto_ops. If we proceed to act upon that, we may do unexpected
+things. For example, we will call dsa_tag_8021q_register() twice in a
+row, without any dsa_tag_8021q_unregister() in between. Then we will
+actually call dsa_tag_8021q_unregister() via old_proto_ops->teardown,
+which (if it manages to run at all, after walking through corrupted data
+structures) will leave the ports inoperational anyway.
+
+The bug can be readily reproduced if we force an error while in
+tag_8021q mode; this crashes the kernel.
+
+echo ocelot-8021q > /sys/class/net/eno2/dsa/tagging
+echo edsa > /sys/class/net/eno2/dsa/tagging # -EPROTONOSUPPORT
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000014
+Call trace:
+ vcap_entry_get+0x24/0x124
+ ocelot_vcap_filter_del+0x198/0x270
+ felix_tag_8021q_vlan_del+0xd4/0x21c
+ dsa_switch_tag_8021q_vlan_del+0x168/0x2cc
+ dsa_switch_event+0x68/0x1170
+ dsa_tree_notify+0x14/0x34
+ dsa_port_tag_8021q_vlan_del+0x84/0x110
+ dsa_tag_8021q_unregister+0x15c/0x1c0
+ felix_tag_8021q_teardown+0x16c/0x180
+ felix_change_tag_protocol+0x1bc/0x230
+ dsa_switch_event+0x14c/0x1170
+ dsa_tree_change_tag_proto+0x118/0x1c0
+
+Fixes: 7a29d220f4c0 ("net: dsa: felix: reimplement tagging protocol change with function pointers")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20220808125127.3344094-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/ocelot/felix.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/dsa/ocelot/felix.c b/drivers/net/dsa/ocelot/felix.c
+index 859196898a7d..aadb0bd7c24f 100644
+--- a/drivers/net/dsa/ocelot/felix.c
++++ b/drivers/net/dsa/ocelot/felix.c
+@@ -610,6 +610,9 @@ static int felix_change_tag_protocol(struct dsa_switch *ds,
+
+ old_proto_ops = felix->tag_proto_ops;
+
++ if (proto_ops == old_proto_ops)
++ return 0;
++
+ err = proto_ops->setup(ds);
+ if (err)
+ goto setup_failed;
+--
+2.37.2
+
--- /dev/null
+From 3702e4041cfda50bc697363d29511ce8f6b24795 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Fri, 5 Aug 2022 09:31:59 +0200
+Subject: net: phy: c45 baset1: do not skip aneg configuration if clock role is not specified
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit 3702e4041cfda50bc697363d29511ce8f6b24795 upstream.
+
+In case master/slave clock role is not specified (which is default), the
+aneg registers will not be written.
+
+The visible impact of this is missing pause advertisement.
+
+So, rework genphy_c45_baset1_an_config_aneg() to be able to write
+advertisement registers even if clock role is unknown.
+
+Fixes: 3da8ffd8545f ("net: phy: Add 10BASE-T1L support in phy-c45")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20220805073159.908643-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phy-c45.c | 34 ++++++++++++++++------------------
+ 1 file changed, 16 insertions(+), 18 deletions(-)
+
+--- a/drivers/net/phy/phy-c45.c
++++ b/drivers/net/phy/phy-c45.c
+@@ -190,44 +190,42 @@ EXPORT_SYMBOL_GPL(genphy_c45_pma_setup_f
+ */
+ static int genphy_c45_baset1_an_config_aneg(struct phy_device *phydev)
+ {
++ u16 adv_l_mask, adv_l = 0;
++ u16 adv_m_mask, adv_m = 0;
+ int changed = 0;
+- u16 adv_l = 0;
+- u16 adv_m = 0;
+ int ret;
+
++ adv_l_mask = MDIO_AN_T1_ADV_L_FORCE_MS | MDIO_AN_T1_ADV_L_PAUSE_CAP |
++ MDIO_AN_T1_ADV_L_PAUSE_ASYM;
++ adv_m_mask = MDIO_AN_T1_ADV_M_MST | MDIO_AN_T1_ADV_M_B10L;
++
+ switch (phydev->master_slave_set) {
+ case MASTER_SLAVE_CFG_MASTER_FORCE:
++ adv_m |= MDIO_AN_T1_ADV_M_MST;
++ fallthrough;
+ case MASTER_SLAVE_CFG_SLAVE_FORCE:
+ adv_l |= MDIO_AN_T1_ADV_L_FORCE_MS;
+ break;
+ case MASTER_SLAVE_CFG_MASTER_PREFERRED:
++ adv_m |= MDIO_AN_T1_ADV_M_MST;
++ fallthrough;
+ case MASTER_SLAVE_CFG_SLAVE_PREFERRED:
+ break;
+ case MASTER_SLAVE_CFG_UNKNOWN:
+ case MASTER_SLAVE_CFG_UNSUPPORTED:
+- return 0;
++ /* if master/slave role is not specified, do not overwrite it */
++ adv_l_mask &= ~MDIO_AN_T1_ADV_L_FORCE_MS;
++ adv_m_mask &= ~MDIO_AN_T1_ADV_M_MST;
++ break;
+ default:
+ phydev_warn(phydev, "Unsupported Master/Slave mode\n");
+ return -EOPNOTSUPP;
+ }
+
+- switch (phydev->master_slave_set) {
+- case MASTER_SLAVE_CFG_MASTER_FORCE:
+- case MASTER_SLAVE_CFG_MASTER_PREFERRED:
+- adv_m |= MDIO_AN_T1_ADV_M_MST;
+- break;
+- case MASTER_SLAVE_CFG_SLAVE_FORCE:
+- case MASTER_SLAVE_CFG_SLAVE_PREFERRED:
+- break;
+- default:
+- break;
+- }
+-
+ adv_l |= linkmode_adv_to_mii_t1_adv_l_t(phydev->advertising);
+
+ ret = phy_modify_mmd_changed(phydev, MDIO_MMD_AN, MDIO_AN_T1_ADV_L,
+- (MDIO_AN_T1_ADV_L_FORCE_MS | MDIO_AN_T1_ADV_L_PAUSE_CAP
+- | MDIO_AN_T1_ADV_L_PAUSE_ASYM), adv_l);
++ adv_l_mask, adv_l);
+ if (ret < 0)
+ return ret;
+ if (ret > 0)
+@@ -236,7 +234,7 @@ static int genphy_c45_baset1_an_config_a
+ adv_m |= linkmode_adv_to_mii_t1_adv_m_t(phydev->advertising);
+
+ ret = phy_modify_mmd_changed(phydev, MDIO_MMD_AN, MDIO_AN_T1_ADV_M,
+- MDIO_AN_T1_ADV_M_MST | MDIO_AN_T1_ADV_M_B10L, adv_m);
++ adv_m_mask, adv_m);
+ if (ret < 0)
+ return ret;
+ if (ret > 0)
--- /dev/null
+From 744d23c71af39c7dc77ac7c3cac87ae86a181a85 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Mon, 1 Aug 2022 16:34:03 -0700
+Subject: net: phy: Warn about incorrect mdio_bus_phy_resume() state
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit 744d23c71af39c7dc77ac7c3cac87ae86a181a85 upstream.
+
+Calling mdio_bus_phy_resume() with neither the PHY state machine set to
+PHY_HALTED nor phydev->mac_managed_pm set to true is a good indication
+that we can produce a race condition looking like this:
+
+CPU0 CPU1
+bcmgenet_resume
+ -> phy_resume
+ -> phy_init_hw
+ -> phy_start
+ -> phy_resume
+ phy_start_aneg()
+mdio_bus_phy_resume
+ -> phy_resume
+ -> phy_write(..., BMCR_RESET)
+ -> usleep() -> phy_read()
+
+with the phy_resume() function triggering a PHY behavior that might have
+to be worked around with (see bf8bfc4336f7 ("net: phy: broadcom: Fix
+brcm_fet_config_init()") for instance) that ultimately leads to an error
+reading from the PHY.
+
+Fixes: fba863b81604 ("net: phy: make PHY PM ops a no-op if MAC driver manages PHY PM")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20220801233403.258871-1-f.fainelli@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phy_device.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -316,6 +316,12 @@ static __maybe_unused int mdio_bus_phy_r
+
+ phydev->suspended_by_mdio_bus = 0;
+
++ /* If we managed to get here with the PHY state machine in a state other
++ * than PHY_HALTED this is an indication that something went wrong and
++ * we should most likely be using MAC managed PM and we are not.
++ */
++ WARN_ON(phydev->state != PHY_HALTED && !phydev->mac_managed_pm);
++
+ ret = phy_init_hw(phydev);
+ if (ret < 0)
+ return ret;
--- /dev/null
+From 4f61f133f354853bc394ec7d6028adb9b02dd701 Mon Sep 17 00:00:00 2001
+From: Cezar Bulinaru <cbulinaru@gmail.com>
+Date: Wed, 3 Aug 2022 02:27:59 -0400
+Subject: net: tap: NULL pointer derefence in dev_parse_header_protocol when skb->dev is null
+
+From: Cezar Bulinaru <cbulinaru@gmail.com>
+
+commit 4f61f133f354853bc394ec7d6028adb9b02dd701 upstream.
+
+Fixes a NULL pointer derefence bug triggered from tap driver.
+When tap_get_user calls virtio_net_hdr_to_skb the skb->dev is null
+(in tap.c skb->dev is set after the call to virtio_net_hdr_to_skb)
+virtio_net_hdr_to_skb calls dev_parse_header_protocol which
+needs skb->dev field to be valid.
+
+The line that trigers the bug is in dev_parse_header_protocol
+(dev is at offset 0x10 from skb and is stored in RAX register)
+ if (!dev->header_ops || !dev->header_ops->parse_protocol)
+ 22e1: mov 0x10(%rbx),%rax
+ 22e5: mov 0x230(%rax),%rax
+
+Setting skb->dev before the call in tap.c fixes the issue.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000230
+RIP: 0010:virtio_net_hdr_to_skb.constprop.0+0x335/0x410 [tap]
+Code: c0 0f 85 b7 fd ff ff eb d4 41 39 c6 77 cf 29 c6 48 89 df 44 01 f6 e8 7a 79 83 c1 48 85 c0 0f 85 d9 fd ff ff eb b7 48 8b 43 10 <48> 8b 80 30 02 00 00 48 85 c0 74 55 48 8b 40 28 48 85 c0 74 4c 48
+RSP: 0018:ffffc90005c27c38 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff888298f25300 RCX: 0000000000000010
+RDX: 0000000000000005 RSI: ffffc90005c27cb6 RDI: ffff888298f25300
+RBP: ffffc90005c27c80 R08: 00000000ffffffea R09: 00000000000007e8
+R10: ffff88858ec77458 R11: 0000000000000000 R12: 0000000000000001
+R13: 0000000000000014 R14: ffffc90005c27e08 R15: ffffc90005c27cb6
+FS: 0000000000000000(0000) GS:ffff88858ec40000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000230 CR3: 0000000281408006 CR4: 00000000003706e0
+Call Trace:
+ tap_get_user+0x3f1/0x540 [tap]
+ tap_sendmsg+0x56/0x362 [tap]
+ ? get_tx_bufs+0xc2/0x1e0 [vhost_net]
+ handle_tx_copy+0x114/0x670 [vhost_net]
+ handle_tx+0xb0/0xe0 [vhost_net]
+ handle_tx_kick+0x15/0x20 [vhost_net]
+ vhost_worker+0x7b/0xc0 [vhost]
+ ? vhost_vring_call_reset+0x40/0x40 [vhost]
+ kthread+0xfa/0x120
+ ? kthread_complete_and_exit+0x20/0x20
+ ret_from_fork+0x1f/0x30
+
+Fixes: 924a9bc362a5 ("net: check if protocol extracted by virtio_net_hdr_set_proto is correct")
+Signed-off-by: Cezar Bulinaru <cbulinaru@gmail.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tap.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/tap.c
++++ b/drivers/net/tap.c
+@@ -716,10 +716,20 @@ static ssize_t tap_get_user(struct tap_q
+ skb_reset_mac_header(skb);
+ skb->protocol = eth_hdr(skb)->h_proto;
+
++ rcu_read_lock();
++ tap = rcu_dereference(q->tap);
++ if (!tap) {
++ kfree_skb(skb);
++ rcu_read_unlock();
++ return total_len;
++ }
++ skb->dev = tap->dev;
++
+ if (vnet_hdr_len) {
+ err = virtio_net_hdr_to_skb(skb, &vnet_hdr,
+ tap_is_little_endian(q));
+ if (err) {
++ rcu_read_unlock();
+ drop_reason = SKB_DROP_REASON_DEV_HDR;
+ goto err_kfree;
+ }
+@@ -732,8 +742,6 @@ static ssize_t tap_get_user(struct tap_q
+ __vlan_get_protocol(skb, skb->protocol, &depth) != 0)
+ skb_set_network_header(skb, depth);
+
+- rcu_read_lock();
+- tap = rcu_dereference(q->tap);
+ /* copy skb_ubuf_info for callback when skb has no error */
+ if (zerocopy) {
+ skb_zcopy_init(skb, msg_control);
+@@ -742,14 +750,8 @@ static ssize_t tap_get_user(struct tap_q
+ uarg->callback(NULL, uarg, false);
+ }
+
+- if (tap) {
+- skb->dev = tap->dev;
+- dev_queue_xmit(skb);
+- } else {
+- kfree_skb(skb);
+- }
++ dev_queue_xmit(skb);
+ rcu_read_unlock();
+-
+ return total_len;
+
+ err_kfree:
--- /dev/null
+From 399a14ec7993d605740de7b2cd5c0ce8407d12ed Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 4 Aug 2022 19:26:27 +0200
+Subject: netfilter: nf_tables: fix crash when nf_trace is enabled
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 399a14ec7993d605740de7b2cd5c0ce8407d12ed upstream.
+
+do not access info->pkt when info->trace is not 1.
+nft_traceinfo is not initialized, except when tracing is enabled.
+
+The 'nft_trace_enabled' static key cannot be used for this, we must
+always check info->trace first.
+
+Pass nft_pktinfo directly to avoid this.
+
+Fixes: e34b9ed96ce3 ("netfilter: nf_tables: avoid skb access on nf_stolen")
+Reported-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_core.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
+index 3ddce24ac76d..cee3e4e905ec 100644
+--- a/net/netfilter/nf_tables_core.c
++++ b/net/netfilter/nf_tables_core.c
+@@ -34,25 +34,23 @@ static noinline void __nft_trace_packet(struct nft_traceinfo *info,
+ nft_trace_notify(info);
+ }
+
+-static inline void nft_trace_packet(struct nft_traceinfo *info,
++static inline void nft_trace_packet(const struct nft_pktinfo *pkt,
++ struct nft_traceinfo *info,
+ const struct nft_chain *chain,
+ const struct nft_rule_dp *rule,
+ enum nft_trace_types type)
+ {
+ if (static_branch_unlikely(&nft_trace_enabled)) {
+- const struct nft_pktinfo *pkt = info->pkt;
+-
+ info->nf_trace = pkt->skb->nf_trace;
+ info->rule = rule;
+ __nft_trace_packet(info, chain, type);
+ }
+ }
+
+-static inline void nft_trace_copy_nftrace(struct nft_traceinfo *info)
++static inline void nft_trace_copy_nftrace(const struct nft_pktinfo *pkt,
++ struct nft_traceinfo *info)
+ {
+ if (static_branch_unlikely(&nft_trace_enabled)) {
+- const struct nft_pktinfo *pkt = info->pkt;
+-
+ if (info->trace)
+ info->nf_trace = pkt->skb->nf_trace;
+ }
+@@ -96,7 +94,6 @@ static noinline void __nft_trace_verdict(struct nft_traceinfo *info,
+ const struct nft_chain *chain,
+ const struct nft_regs *regs)
+ {
+- const struct nft_pktinfo *pkt = info->pkt;
+ enum nft_trace_types type;
+
+ switch (regs->verdict.code) {
+@@ -110,7 +107,9 @@ static noinline void __nft_trace_verdict(struct nft_traceinfo *info,
+ break;
+ default:
+ type = NFT_TRACETYPE_RULE;
+- info->nf_trace = pkt->skb->nf_trace;
++
++ if (info->trace)
++ info->nf_trace = info->pkt->skb->nf_trace;
+ break;
+ }
+
+@@ -271,10 +270,10 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv)
+ switch (regs.verdict.code) {
+ case NFT_BREAK:
+ regs.verdict.code = NFT_CONTINUE;
+- nft_trace_copy_nftrace(&info);
++ nft_trace_copy_nftrace(pkt, &info);
+ continue;
+ case NFT_CONTINUE:
+- nft_trace_packet(&info, chain, rule,
++ nft_trace_packet(pkt, &info, chain, rule,
+ NFT_TRACETYPE_RULE);
+ continue;
+ }
+@@ -318,7 +317,7 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv)
+ goto next_rule;
+ }
+
+- nft_trace_packet(&info, basechain, NULL, NFT_TRACETYPE_POLICY);
++ nft_trace_packet(pkt, &info, basechain, NULL, NFT_TRACETYPE_POLICY);
+
+ if (static_branch_unlikely(&nft_counters_enabled))
+ nft_update_chain_stats(basechain, pkt);
+--
+2.37.2
+
--- /dev/null
+From 51fd2eb52c0ca8275a906eed81878ef50ae94eb0 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Wed, 13 Jul 2022 17:46:52 -0400
+Subject: NFSv4: Fix races in the legacy idmapper upcall
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 51fd2eb52c0ca8275a906eed81878ef50ae94eb0 upstream.
+
+nfs_idmap_instantiate() will cause the process that is waiting in
+request_key_with_auxdata() to wake up and exit. If there is a second
+process waiting for the idmap->idmap_mutex, then it may wake up and
+start a new call to request_key_with_auxdata(). If the call to
+idmap_pipe_downcall() from the first process has not yet finished
+calling nfs_idmap_complete_pipe_upcall_locked(), then we may end up
+triggering the WARN_ON_ONCE() in nfs_idmap_prepare_pipe_upcall().
+
+The fix is to ensure that we clear idmap->idmap_upcall_data before
+calling nfs_idmap_instantiate().
+
+Fixes: e9ab41b620e4 ("NFSv4: Clean up the legacy idmapper upcall")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4idmap.c | 46 ++++++++++++++++++++++++----------------------
+ 1 file changed, 24 insertions(+), 22 deletions(-)
+
+--- a/fs/nfs/nfs4idmap.c
++++ b/fs/nfs/nfs4idmap.c
+@@ -561,22 +561,20 @@ nfs_idmap_prepare_pipe_upcall(struct idm
+ return true;
+ }
+
+-static void
+-nfs_idmap_complete_pipe_upcall_locked(struct idmap *idmap, int ret)
++static void nfs_idmap_complete_pipe_upcall(struct idmap_legacy_upcalldata *data,
++ int ret)
+ {
+- struct key *authkey = idmap->idmap_upcall_data->authkey;
+-
+- kfree(idmap->idmap_upcall_data);
+- idmap->idmap_upcall_data = NULL;
+- complete_request_key(authkey, ret);
+- key_put(authkey);
++ complete_request_key(data->authkey, ret);
++ key_put(data->authkey);
++ kfree(data);
+ }
+
+-static void
+-nfs_idmap_abort_pipe_upcall(struct idmap *idmap, int ret)
++static void nfs_idmap_abort_pipe_upcall(struct idmap *idmap,
++ struct idmap_legacy_upcalldata *data,
++ int ret)
+ {
+- if (idmap->idmap_upcall_data != NULL)
+- nfs_idmap_complete_pipe_upcall_locked(idmap, ret);
++ if (cmpxchg(&idmap->idmap_upcall_data, data, NULL) == data)
++ nfs_idmap_complete_pipe_upcall(data, ret);
+ }
+
+ static int nfs_idmap_legacy_upcall(struct key *authkey, void *aux)
+@@ -613,7 +611,7 @@ static int nfs_idmap_legacy_upcall(struc
+
+ ret = rpc_queue_upcall(idmap->idmap_pipe, msg);
+ if (ret < 0)
+- nfs_idmap_abort_pipe_upcall(idmap, ret);
++ nfs_idmap_abort_pipe_upcall(idmap, data, ret);
+
+ return ret;
+ out2:
+@@ -669,6 +667,7 @@ idmap_pipe_downcall(struct file *filp, c
+ struct request_key_auth *rka;
+ struct rpc_inode *rpci = RPC_I(file_inode(filp));
+ struct idmap *idmap = (struct idmap *)rpci->private;
++ struct idmap_legacy_upcalldata *data;
+ struct key *authkey;
+ struct idmap_msg im;
+ size_t namelen_in;
+@@ -678,10 +677,11 @@ idmap_pipe_downcall(struct file *filp, c
+ * will have been woken up and someone else may now have used
+ * idmap_key_cons - so after this point we may no longer touch it.
+ */
+- if (idmap->idmap_upcall_data == NULL)
++ data = xchg(&idmap->idmap_upcall_data, NULL);
++ if (data == NULL)
+ goto out_noupcall;
+
+- authkey = idmap->idmap_upcall_data->authkey;
++ authkey = data->authkey;
+ rka = get_request_key_auth(authkey);
+
+ if (mlen != sizeof(im)) {
+@@ -703,18 +703,17 @@ idmap_pipe_downcall(struct file *filp, c
+ if (namelen_in == 0 || namelen_in == IDMAP_NAMESZ) {
+ ret = -EINVAL;
+ goto out;
+-}
++ }
+
+- ret = nfs_idmap_read_and_verify_message(&im,
+- &idmap->idmap_upcall_data->idmap_msg,
+- rka->target_key, authkey);
++ ret = nfs_idmap_read_and_verify_message(&im, &data->idmap_msg,
++ rka->target_key, authkey);
+ if (ret >= 0) {
+ key_set_timeout(rka->target_key, nfs_idmap_cache_timeout);
+ ret = mlen;
+ }
+
+ out:
+- nfs_idmap_complete_pipe_upcall_locked(idmap, ret);
++ nfs_idmap_complete_pipe_upcall(data, ret);
+ out_noupcall:
+ return ret;
+ }
+@@ -728,7 +727,7 @@ idmap_pipe_destroy_msg(struct rpc_pipe_m
+ struct idmap *idmap = data->idmap;
+
+ if (msg->errno)
+- nfs_idmap_abort_pipe_upcall(idmap, msg->errno);
++ nfs_idmap_abort_pipe_upcall(idmap, data, msg->errno);
+ }
+
+ static void
+@@ -736,8 +735,11 @@ idmap_release_pipe(struct inode *inode)
+ {
+ struct rpc_inode *rpci = RPC_I(inode);
+ struct idmap *idmap = (struct idmap *)rpci->private;
++ struct idmap_legacy_upcalldata *data;
+
+- nfs_idmap_abort_pipe_upcall(idmap, -EPIPE);
++ data = xchg(&idmap->idmap_upcall_data, NULL);
++ if (data)
++ nfs_idmap_complete_pipe_upcall(data, -EPIPE);
+ }
+
+ int nfs_map_name_to_uid(const struct nfs_server *server, const char *name, size_t namelen, kuid_t *uid)
--- /dev/null
+From 2135e5d56278ffdb1c2e6d325dc6b87f669b9dac Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Tue, 2 Aug 2022 15:48:50 -0400
+Subject: NFSv4/pnfs: Fix a use-after-free bug in open
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 2135e5d56278ffdb1c2e6d325dc6b87f669b9dac upstream.
+
+If someone cancels the open RPC call, then we must not try to free
+either the open slot or the layoutget operation arguments, since they
+are likely still in use by the hung RPC call.
+
+Fixes: 6949493884fe ("NFSv4: Don't hold the layoutget locks across multiple RPC calls")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3096,12 +3096,13 @@ static int _nfs4_open_and_get_state(stru
+ }
+
+ out:
+- if (opendata->lgp) {
+- nfs4_lgopen_release(opendata->lgp);
+- opendata->lgp = NULL;
+- }
+- if (!opendata->cancelled)
++ if (!opendata->cancelled) {
++ if (opendata->lgp) {
++ nfs4_lgopen_release(opendata->lgp);
++ opendata->lgp = NULL;
++ }
+ nfs4_sequence_free_slot(&opendata->o_res.seq_res);
++ }
+ return ret;
+ }
+
--- /dev/null
+From f07a5d2427fc113dc50c5c818eba8929bc27b8ca Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Tue, 12 Jul 2022 09:16:04 -0400
+Subject: NFSv4.1: Don't decrease the value of seq_nr_highest_sent
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit f07a5d2427fc113dc50c5c818eba8929bc27b8ca upstream.
+
+When we're trying to figure out what the server may or may not have seen
+in terms of request numbers, do not assume that requests with a larger
+number were missed, just because we saw a reply to a request with a
+smaller number.
+
+Fixes: 3453d5708b33 ("NFSv4.1: Avoid false retries when RPC calls are interrupted")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -784,10 +784,9 @@ static void nfs4_slot_sequence_record_se
+ if ((s32)(seqnr - slot->seq_nr_highest_sent) > 0)
+ slot->seq_nr_highest_sent = seqnr;
+ }
+-static void nfs4_slot_sequence_acked(struct nfs4_slot *slot,
+- u32 seqnr)
++static void nfs4_slot_sequence_acked(struct nfs4_slot *slot, u32 seqnr)
+ {
+- slot->seq_nr_highest_sent = seqnr;
++ nfs4_slot_sequence_record_sent(slot, seqnr);
+ slot->seq_nr_last_acked = seqnr;
+ }
+
--- /dev/null
+From 7ccafd4b2b9f34e6d8185f796f151c47424e273e Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Tue, 12 Jul 2022 09:22:40 -0400
+Subject: NFSv4.1: Handle NFS4ERR_DELAY replies to OP_SEQUENCE correctly
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 7ccafd4b2b9f34e6d8185f796f151c47424e273e upstream.
+
+Don't assume that the NFS4ERR_DELAY means that the server is processing
+this slot id.
+
+Fixes: 3453d5708b33 ("NFSv4.1: Avoid false retries when RPC calls are interrupted")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -853,7 +853,6 @@ static int nfs41_sequence_process(struct
+ __func__,
+ slot->slot_nr,
+ slot->seq_nr);
+- nfs4_slot_sequence_acked(slot, slot->seq_nr);
+ goto out_retry;
+ case -NFS4ERR_RETRY_UNCACHED_REP:
+ case -NFS4ERR_SEQ_FALSE_RETRY:
--- /dev/null
+From e35a5e782f67ed76a65ad0f23a484444a95f000f Mon Sep 17 00:00:00 2001
+From: Zhang Xianwei <zhang.xianwei8@zte.com.cn>
+Date: Wed, 27 Jul 2022 18:01:07 +0800
+Subject: NFSv4.1: RECLAIM_COMPLETE must handle EACCES
+
+From: Zhang Xianwei <zhang.xianwei8@zte.com.cn>
+
+commit e35a5e782f67ed76a65ad0f23a484444a95f000f upstream.
+
+A client should be able to handle getting an EACCES error while doing
+a mount operation to reclaim state due to NFS4CLNT_RECLAIM_REBOOT
+being set. If the server returns RPC_AUTH_BADCRED because authentication
+failed when we execute "exportfs -au", then RECLAIM_COMPLETE will go a
+wrong way. After mount succeeds, all OPEN call will fail due to an
+NFS4ERR_GRACE error being returned. This patch is to fix it by resending
+a RPC request.
+
+Signed-off-by: Zhang Xianwei <zhang.xianwei8@zte.com.cn>
+Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
+Fixes: aa5190d0ed7d ("NFSv4: Kill nfs4_async_handle_error() abuses by NFSv4.1")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -9475,6 +9475,9 @@ static int nfs41_reclaim_complete_handle
+ rpc_delay(task, NFS4_POLL_RETRY_MAX);
+ fallthrough;
+ case -NFS4ERR_RETRY_UNCACHED_REP:
++ case -EACCES:
++ dprintk("%s: failed to reclaim complete error %d for server %s, retrying\n",
++ __func__, task->tk_status, clp->cl_hostname);
+ return -EAGAIN;
+ case -NFS4ERR_BADSESSION:
+ case -NFS4ERR_DEADSESSION:
--- /dev/null
+From dd1d1a8a6b29b6b472fd0d449b29eb806c411dd2 Mon Sep 17 00:00:00 2001
+From: Stanislaw Kardach <skardach@marvell.com>
+Date: Wed, 3 Aug 2022 13:24:12 +0530
+Subject: octeontx2-af: Apply tx nibble fixup always
+
+From: Stanislaw Kardach <skardach@marvell.com>
+
+commit dd1d1a8a6b29b6b472fd0d449b29eb806c411dd2 upstream.
+
+NPC_PARSE_NIBBLE for TX interface has to be equal to the RX one for some
+silicon revisions. Mistakenly this fixup was only applied to the default
+MKEX profile while it should also be applied to any loaded profile.
+
+Fixes: 1c1935c9945d ("octeontx2-af: Add NIX1 interfaces to NPC")
+Signed-off-by: Stanislaw Kardach <skardach@marvell.com>
+Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
+@@ -1915,6 +1915,7 @@ static void rvu_npc_hw_init(struct rvu *
+
+ static void rvu_npc_setup_interfaces(struct rvu *rvu, int blkaddr)
+ {
++ struct npc_mcam_kex *mkex = rvu->kpu.mkex;
+ struct npc_mcam *mcam = &rvu->hw->mcam;
+ struct rvu_hwinfo *hw = rvu->hw;
+ u64 nibble_ena, rx_kex, tx_kex;
+@@ -1927,15 +1928,15 @@ static void rvu_npc_setup_interfaces(str
+ mcam->counters.max--;
+ mcam->rx_miss_act_cntr = mcam->counters.max;
+
+- rx_kex = npc_mkex_default.keyx_cfg[NIX_INTF_RX];
+- tx_kex = npc_mkex_default.keyx_cfg[NIX_INTF_TX];
++ rx_kex = mkex->keyx_cfg[NIX_INTF_RX];
++ tx_kex = mkex->keyx_cfg[NIX_INTF_TX];
+ nibble_ena = FIELD_GET(NPC_PARSE_NIBBLE, rx_kex);
+
+ nibble_ena = rvu_npc_get_tx_nibble_cfg(rvu, nibble_ena);
+ if (nibble_ena) {
+ tx_kex &= ~NPC_PARSE_NIBBLE;
+ tx_kex |= FIELD_PREP(NPC_PARSE_NIBBLE, nibble_ena);
+- npc_mkex_default.keyx_cfg[NIX_INTF_TX] = tx_kex;
++ mkex->keyx_cfg[NIX_INTF_TX] = tx_kex;
+ }
+
+ /* Configure RX interfaces */
--- /dev/null
+From c3c290276927a3ae79342a4e17ec0500c138c63a Mon Sep 17 00:00:00 2001
+From: Subbaraya Sundeep <sbhatta@marvell.com>
+Date: Wed, 3 Aug 2022 13:24:15 +0530
+Subject: octeontx2-af: Fix key checking for source mac
+
+From: Subbaraya Sundeep <sbhatta@marvell.com>
+
+commit c3c290276927a3ae79342a4e17ec0500c138c63a upstream.
+
+Given a field with its location/offset in input packet,
+the key checking logic verifies whether extracting the
+field can be supported or not based on the mkex profile
+loaded in hardware. This logic is wrong wrt source mac
+and this patch fixes that.
+
+Fixes: 9b179a960a96 ("octeontx2-af: Generate key field bit mask from KEX profile")
+Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c
+@@ -445,7 +445,8 @@ do { \
+ NPC_SCAN_HDR(NPC_VLAN_TAG1, NPC_LID_LB, NPC_LT_LB_CTAG, 2, 2);
+ NPC_SCAN_HDR(NPC_VLAN_TAG2, NPC_LID_LB, NPC_LT_LB_STAG_QINQ, 2, 2);
+ NPC_SCAN_HDR(NPC_DMAC, NPC_LID_LA, la_ltype, la_start, 6);
+- NPC_SCAN_HDR(NPC_SMAC, NPC_LID_LA, la_ltype, la_start, 6);
++ /* SMAC follows the DMAC(which is 6 bytes) */
++ NPC_SCAN_HDR(NPC_SMAC, NPC_LID_LA, la_ltype, la_start + 6, 6);
+ /* PF_FUNC is 2 bytes at 0th byte of NPC_LT_LA_IH_NIX_ETHER */
+ NPC_SCAN_HDR(NPC_PF_FUNC, NPC_LID_LA, NPC_LT_LA_IH_NIX_ETHER, 0, 2);
+ }
--- /dev/null
+From 3f8fe40ab7730cf8eb6f8b8ff412012f7f6f8f48 Mon Sep 17 00:00:00 2001
+From: Subbaraya Sundeep <sbhatta@marvell.com>
+Date: Wed, 3 Aug 2022 13:24:14 +0530
+Subject: octeontx2-af: Fix mcam entry resource leak
+
+From: Subbaraya Sundeep <sbhatta@marvell.com>
+
+commit 3f8fe40ab7730cf8eb6f8b8ff412012f7f6f8f48 upstream.
+
+The teardown sequence in FLR handler returns if no NIX LF
+is attached to PF/VF because it indicates that graceful
+shutdown of resources already happened. But there is a
+chance of all allocated MCAM entries not being freed by
+PF/VF. Hence free mcam entries even in case of detached LF.
+
+Fixes: c554f9c1574e ("octeontx2-af: Teardown NPA, NIX LF upon receiving FLR")
+Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 6 ++++++
+ drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
+@@ -2564,6 +2564,12 @@ static void __rvu_flr_handler(struct rvu
+ rvu_blklf_teardown(rvu, pcifunc, BLKADDR_NPA);
+ rvu_reset_lmt_map_tbl(rvu, pcifunc);
+ rvu_detach_rsrcs(rvu, NULL, pcifunc);
++ /* In scenarios where PF/VF drivers detach NIXLF without freeing MCAM
++ * entries, check and free the MCAM entries explicitly to avoid leak.
++ * Since LF is detached use LF number as -1.
++ */
++ rvu_npc_free_mcam_entries(rvu, pcifunc, -1);
++
+ mutex_unlock(&rvu->flr_lock);
+ }
+
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
+@@ -1096,6 +1096,9 @@ static void npc_enadis_default_entries(s
+
+ void rvu_npc_disable_default_entries(struct rvu *rvu, u16 pcifunc, int nixlf)
+ {
++ if (nixlf < 0)
++ return;
++
+ npc_enadis_default_entries(rvu, pcifunc, nixlf, false);
+
+ /* Delete multicast and promisc MCAM entries */
+@@ -1107,6 +1110,9 @@ void rvu_npc_disable_default_entries(str
+
+ void rvu_npc_enable_default_entries(struct rvu *rvu, u16 pcifunc, int nixlf)
+ {
++ if (nixlf < 0)
++ return;
++
+ /* Enables only broadcast match entry. Promisc/Allmulti are enabled
+ * in set_rx_mode mbox handler.
+ */
--- /dev/null
+From cf2437626502b5271d19686b03dea306efe17ea0 Mon Sep 17 00:00:00 2001
+From: Harman Kalra <hkalra@marvell.com>
+Date: Wed, 3 Aug 2022 13:24:13 +0530
+Subject: octeontx2-af: suppress external profile loading warning
+
+From: Harman Kalra <hkalra@marvell.com>
+
+commit cf2437626502b5271d19686b03dea306efe17ea0 upstream.
+
+The packet parser profile supplied as firmware may not
+be present all the time and default profile is used mostly.
+Hence suppress firmware loading warning from kernel due to
+absence of firmware in kernel image.
+
+Fixes: 3a7244152f9c ("octeontx2-af: add support for custom KPU entries")
+Signed-off-by: Harman Kalra <hkalra@marvell.com>
+Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
+@@ -1650,7 +1650,7 @@ static void npc_load_kpu_profile(struct
+ * Firmware database method.
+ * Default KPU profile.
+ */
+- if (!request_firmware(&fw, kpu_profile, rvu->dev)) {
++ if (!request_firmware_direct(&fw, kpu_profile, rvu->dev)) {
+ dev_info(rvu->dev, "Loading KPU profile from firmware: %s\n",
+ kpu_profile);
+ rvu->kpu_fwdata = kzalloc(fw->size, GFP_KERNEL);
--- /dev/null
+From 13c9f4dc102f2856e80b92486c41841e25e23772 Mon Sep 17 00:00:00 2001
+From: Naveen Mamindlapalli <naveenm@marvell.com>
+Date: Tue, 2 Aug 2022 19:58:13 +0530
+Subject: octeontx2-pf: Fix NIX_AF_TL3_TL2X_LINKX_CFG register configuration
+
+From: Naveen Mamindlapalli <naveenm@marvell.com>
+
+commit 13c9f4dc102f2856e80b92486c41841e25e23772 upstream.
+
+For packets scheduled to RPM and LBK, NIX_AF_PSE_CHANNEL_LEVEL[BP_LEVEL]
+selects the TL3 or TL2 scheduling level as the one used for link/channel
+selection and backpressure. For each scheduling queue at the selected
+level: Setting NIX_AF_TL3_TL2(0..255)_LINK(0..12)_CFG[ENA] = 1 allows
+the TL3/TL2 queue to schedule packets to a specified RPM or LBK link
+and channel.
+
+There is an issue in the code where NIX_AF_PSE_CHANNEL_LEVEL[BP_LEVEL]
+is set to TL3 where as the NIX_AF_TL3_TL2(0..255)_LINK(0..12)_CFG is
+configured for TL2 queue in some cases. As a result packets will not
+transmit on that link/channel. This patch fixes the issue by configuring
+the NIX_AF_TL3_TL2(0..255)_LINK(0..12)_CFG register depending on the
+NIX_AF_PSE_CHANNEL_LEVEL[BP_LEVEL] value.
+
+Fixes: caa2da34fd25a ("octeontx2-pf: Initialize and config queues")
+Signed-off-by: Naveen Mamindlapalli <naveenm@marvell.com>
+Signed-off-by: Sunil Kovvuri Goutham <sgoutham@marvell.com>
+Link: https://lore.kernel.org/r/20220802142813.25031-1-naveenm@marvell.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c | 19 +++++++++++----
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h | 1
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c
+@@ -632,6 +632,12 @@ int otx2_txschq_config(struct otx2_nic *
+ req->num_regs++;
+ req->reg[1] = NIX_AF_TL3X_SCHEDULE(schq);
+ req->regval[1] = dwrr_val;
++ if (lvl == hw->txschq_link_cfg_lvl) {
++ req->num_regs++;
++ req->reg[2] = NIX_AF_TL3_TL2X_LINKX_CFG(schq, hw->tx_link);
++ /* Enable this queue and backpressure */
++ req->regval[2] = BIT_ULL(13) | BIT_ULL(12);
++ }
+ } else if (lvl == NIX_TXSCH_LVL_TL2) {
+ parent = hw->txschq_list[NIX_TXSCH_LVL_TL1][0];
+ req->reg[0] = NIX_AF_TL2X_PARENT(schq);
+@@ -641,11 +647,12 @@ int otx2_txschq_config(struct otx2_nic *
+ req->reg[1] = NIX_AF_TL2X_SCHEDULE(schq);
+ req->regval[1] = TXSCH_TL1_DFLT_RR_PRIO << 24 | dwrr_val;
+
+- req->num_regs++;
+- req->reg[2] = NIX_AF_TL3_TL2X_LINKX_CFG(schq, hw->tx_link);
+- /* Enable this queue and backpressure */
+- req->regval[2] = BIT_ULL(13) | BIT_ULL(12);
+-
++ if (lvl == hw->txschq_link_cfg_lvl) {
++ req->num_regs++;
++ req->reg[2] = NIX_AF_TL3_TL2X_LINKX_CFG(schq, hw->tx_link);
++ /* Enable this queue and backpressure */
++ req->regval[2] = BIT_ULL(13) | BIT_ULL(12);
++ }
+ } else if (lvl == NIX_TXSCH_LVL_TL1) {
+ /* Default config for TL1.
+ * For VF this is always ignored.
+@@ -1591,6 +1598,8 @@ void mbox_handler_nix_txsch_alloc(struct
+ for (schq = 0; schq < rsp->schq[lvl]; schq++)
+ pf->hw.txschq_list[lvl][schq] =
+ rsp->schq_list[lvl][schq];
++
++ pf->hw.txschq_link_cfg_lvl = rsp->link_cfg_lvl;
+ }
+ EXPORT_SYMBOL(mbox_handler_nix_txsch_alloc);
+
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
+@@ -195,6 +195,7 @@ struct otx2_hw {
+ u16 sqb_size;
+
+ /* NIX */
++ u8 txschq_link_cfg_lvl;
+ u16 txschq_list[NIX_TXSCH_LVL_CNT][MAX_TXSCHQ_PER_FUNC];
+ u16 matchall_ipolicer;
+ u32 dwrr_mtu;
--- /dev/null
+From b8c824a869f220c6b46df724f85794349bafbf23 Mon Sep 17 00:00:00 2001
+From: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+Date: Mon, 13 Jun 2022 12:11:26 +0530
+Subject: pinctrl: amd: Don't save/restore interrupt status and wake status bits
+
+From: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+
+commit b8c824a869f220c6b46df724f85794349bafbf23 upstream.
+
+Saving/restoring interrupt and wake status bits across suspend can
+cause the suspend to fail if an IRQ is serviced across the
+suspend cycle.
+
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+Fixes: 79d2c8bede2c ("pinctrl/amd: save pin registers over suspend/resume")
+Link: https://lore.kernel.org/r/20220613064127.220416-3-Basavaraj.Natikar@amd.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-amd.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-amd.c
++++ b/drivers/pinctrl/pinctrl-amd.c
+@@ -917,6 +917,7 @@ static int amd_gpio_suspend(struct devic
+ {
+ struct amd_gpio *gpio_dev = dev_get_drvdata(dev);
+ struct pinctrl_desc *desc = gpio_dev->pctrl->desc;
++ unsigned long flags;
+ int i;
+
+ for (i = 0; i < desc->npins; i++) {
+@@ -925,7 +926,9 @@ static int amd_gpio_suspend(struct devic
+ if (!amd_gpio_should_save(gpio_dev, pin))
+ continue;
+
+- gpio_dev->saved_regs[i] = readl(gpio_dev->base + pin*4);
++ raw_spin_lock_irqsave(&gpio_dev->lock, flags);
++ gpio_dev->saved_regs[i] = readl(gpio_dev->base + pin * 4) & ~PIN_IRQ_PENDING;
++ raw_spin_unlock_irqrestore(&gpio_dev->lock, flags);
+ }
+
+ return 0;
+@@ -935,6 +938,7 @@ static int amd_gpio_resume(struct device
+ {
+ struct amd_gpio *gpio_dev = dev_get_drvdata(dev);
+ struct pinctrl_desc *desc = gpio_dev->pctrl->desc;
++ unsigned long flags;
+ int i;
+
+ for (i = 0; i < desc->npins; i++) {
+@@ -943,7 +947,10 @@ static int amd_gpio_resume(struct device
+ if (!amd_gpio_should_save(gpio_dev, pin))
+ continue;
+
+- writel(gpio_dev->saved_regs[i], gpio_dev->base + pin*4);
++ raw_spin_lock_irqsave(&gpio_dev->lock, flags);
++ gpio_dev->saved_regs[i] |= readl(gpio_dev->base + pin * 4) & PIN_IRQ_PENDING;
++ writel(gpio_dev->saved_regs[i], gpio_dev->base + pin * 4);
++ raw_spin_unlock_irqrestore(&gpio_dev->lock, flags);
+ }
+
+ return 0;
--- /dev/null
+From 4b32e054335ea0ce50967f63a7bfd4db058b14b9 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Tue, 7 Jun 2022 15:16:01 +0400
+Subject: pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 4b32e054335ea0ce50967f63a7bfd4db058b14b9 upstream.
+
+of_parse_phandle() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak."
+
+Fixes: c2f6d059abfc ("pinctrl: nomadik: refactor DT parser to take two paths")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220607111602.57355-1-linmq006@gmail.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/nomadik/pinctrl-nomadik.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/nomadik/pinctrl-nomadik.c
++++ b/drivers/pinctrl/nomadik/pinctrl-nomadik.c
+@@ -1421,8 +1421,10 @@ static int nmk_pinctrl_dt_subnode_to_map
+
+ has_config = nmk_pinctrl_dt_get_config(np, &configs);
+ np_config = of_parse_phandle(np, "ste,config", 0);
+- if (np_config)
++ if (np_config) {
+ has_config |= nmk_pinctrl_dt_get_config(np_config, &configs);
++ of_node_put(np_config);
++ }
+ if (has_config) {
+ const char *gpio_name;
+ const char *pin;
--- /dev/null
+From 44339391c666e46cba522d19c65a6ad1071c68b7 Mon Sep 17 00:00:00 2001
+From: Nikita Travkin <nikita@trvn.ru>
+Date: Sun, 12 Jun 2022 19:59:54 +0500
+Subject: pinctrl: qcom: msm8916: Allow CAMSS GP clocks to be muxed
+
+From: Nikita Travkin <nikita@trvn.ru>
+
+commit 44339391c666e46cba522d19c65a6ad1071c68b7 upstream.
+
+GPIO 31, 32 can be muxed to GCC_CAMSS_GP(1,2)_CLK respectively but the
+function was never assigned to the pingroup (even though the function
+exists already).
+
+Add this mode to the related pins.
+
+Fixes: 5373a2c5abb6 ("pinctrl: qcom: Add msm8916 pinctrl driver")
+Signed-off-by: Nikita Travkin <nikita@trvn.ru>
+Link: https://lore.kernel.org/r/20220612145955.385787-4-nikita@trvn.ru
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/qcom/pinctrl-msm8916.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/qcom/pinctrl-msm8916.c
++++ b/drivers/pinctrl/qcom/pinctrl-msm8916.c
+@@ -844,8 +844,8 @@ static const struct msm_pingroup msm8916
+ PINGROUP(28, pwr_modem_enabled_a, NA, NA, NA, NA, NA, qdss_tracedata_b, NA, atest_combodac),
+ PINGROUP(29, cci_i2c, NA, NA, NA, NA, NA, qdss_tracedata_b, NA, atest_combodac),
+ PINGROUP(30, cci_i2c, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b),
+- PINGROUP(31, cci_timer0, NA, NA, NA, NA, NA, NA, NA, NA),
+- PINGROUP(32, cci_timer1, NA, NA, NA, NA, NA, NA, NA, NA),
++ PINGROUP(31, cci_timer0, flash_strobe, NA, NA, NA, NA, NA, NA, NA),
++ PINGROUP(32, cci_timer1, flash_strobe, NA, NA, NA, NA, NA, NA, NA),
+ PINGROUP(33, cci_async, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b),
+ PINGROUP(34, pwr_nav_enabled_a, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b),
+ PINGROUP(35, pwr_crypto_enabled_a, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b),
--- /dev/null
+From 4b759ca15a4914f96ea204ea9200ceeb01d70666 Mon Sep 17 00:00:00 2001
+From: Jianhua Lu <lujianhua000@gmail.com>
+Date: Wed, 3 Aug 2022 09:56:45 +0800
+Subject: pinctrl: qcom: sm8250: Fix PDC map
+
+From: Jianhua Lu <lujianhua000@gmail.com>
+
+commit 4b759ca15a4914f96ea204ea9200ceeb01d70666 upstream.
+
+Fix the PDC mapping for SM8250, gpio39 is mapped to irq73(not irq37).
+
+Fixes: b41efeed507a("pinctrl: qcom: sm8250: Specify PDC map.")
+Signed-off-by: Jianhua Lu <lujianhua000@gmail.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@somainline.org>
+Link: https://lore.kernel.org/r/20220803015645.22388-1-lujianhua000@gmail.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/qcom/pinctrl-sm8250.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/qcom/pinctrl-sm8250.c
++++ b/drivers/pinctrl/qcom/pinctrl-sm8250.c
+@@ -1316,7 +1316,7 @@ static const struct msm_pingroup sm8250_
+ static const struct msm_gpio_wakeirq_map sm8250_pdc_map[] = {
+ { 0, 79 }, { 1, 84 }, { 2, 80 }, { 3, 82 }, { 4, 107 }, { 7, 43 },
+ { 11, 42 }, { 14, 44 }, { 15, 52 }, { 19, 67 }, { 23, 68 }, { 24, 105 },
+- { 27, 92 }, { 28, 106 }, { 31, 69 }, { 35, 70 }, { 39, 37 },
++ { 27, 92 }, { 28, 106 }, { 31, 69 }, { 35, 70 }, { 39, 73 },
+ { 40, 108 }, { 43, 71 }, { 45, 72 }, { 47, 83 }, { 51, 74 }, { 55, 77 },
+ { 59, 78 }, { 63, 75 }, { 64, 81 }, { 65, 87 }, { 66, 88 }, { 67, 89 },
+ { 68, 54 }, { 70, 85 }, { 77, 46 }, { 80, 90 }, { 81, 91 }, { 83, 97 },
--- /dev/null
+From 5223c511eb4f919e6b423b2f66e02674e97e77e3 Mon Sep 17 00:00:00 2001
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Date: Wed, 11 May 2022 10:40:57 +0100
+Subject: pinctrl: renesas: rzg2l: Return -EINVAL for pins which have input disabled
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+commit 5223c511eb4f919e6b423b2f66e02674e97e77e3 upstream.
+
+Pin status reported by pinconf-pins file always reported pin status as
+"input enabled" even for pins which had input disabled. Fix this by
+returning -EINVAL for the pins which have input disabled.
+
+Fixes: c4c4637eb57f2 ("pinctrl: renesas: Add RZ/G2L pin and gpio controller driver")
+Reported-by: Phil Edworthy <phil.edworthy@renesas.com>
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Phil Edworthy <phil.edworthy@renesas.com>
+Link: https://lore.kernel.org/r/20220511094057.3151-1-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/renesas/pinctrl-rzg2l.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c
++++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c
+@@ -517,6 +517,8 @@ static int rzg2l_pinctrl_pinconf_get(str
+ if (!(cfg & PIN_CFG_IEN))
+ return -EINVAL;
+ arg = rzg2l_read_pin_config(pctrl, IEN(port_offset), bit, IEN_MASK);
++ if (!arg)
++ return -EINVAL;
+ break;
+
+ case PIN_CONFIG_POWER_SOURCE: {
--- /dev/null
+From fc153c8f283bf5925615195fc9d4056414d7b168 Mon Sep 17 00:00:00 2001
+From: Samuel Holland <samuel@sholland.org>
+Date: Tue, 12 Jul 2022 21:52:29 -0500
+Subject: pinctrl: sunxi: Add I/O bias setting for H6 R-PIO
+
+From: Samuel Holland <samuel@sholland.org>
+
+commit fc153c8f283bf5925615195fc9d4056414d7b168 upstream.
+
+H6 requires I/O bias configuration on both of its PIO devices.
+Previously it was only done for the main PIO.
+
+The setting for Port L is at bit 0, so the bank calculation needs to
+account for the pin base. Otherwise the wrong bit is used.
+
+Fixes: cc62383fcebe ("pinctrl: sunxi: Support I/O bias voltage setting on H6")
+Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Tested-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Samuel Holland <samuel@sholland.org>
+Link: https://lore.kernel.org/r/20220713025233.27248-3-samuel@sholland.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/sunxi/pinctrl-sun50i-h6-r.c | 1 +
+ drivers/pinctrl/sunxi/pinctrl-sunxi.c | 7 ++++---
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/pinctrl/sunxi/pinctrl-sun50i-h6-r.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sun50i-h6-r.c
+@@ -107,6 +107,7 @@ static const struct sunxi_pinctrl_desc s
+ .npins = ARRAY_SIZE(sun50i_h6_r_pins),
+ .pin_base = PL_BASE,
+ .irq_banks = 2,
++ .io_bias_cfg_variant = BIAS_VOLTAGE_PIO_POW_MODE_SEL,
+ };
+
+ static int sun50i_h6_r_pinctrl_probe(struct platform_device *pdev)
+--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
+@@ -624,7 +624,7 @@ static int sunxi_pinctrl_set_io_bias_cfg
+ unsigned pin,
+ struct regulator *supply)
+ {
+- unsigned short bank = pin / PINS_PER_BANK;
++ unsigned short bank;
+ unsigned long flags;
+ u32 val, reg;
+ int uV;
+@@ -640,6 +640,9 @@ static int sunxi_pinctrl_set_io_bias_cfg
+ if (uV == 0)
+ return 0;
+
++ pin -= pctl->desc->pin_base;
++ bank = pin / PINS_PER_BANK;
++
+ switch (pctl->desc->io_bias_cfg_variant) {
+ case BIAS_VOLTAGE_GRP_CONFIG:
+ /*
+@@ -657,8 +660,6 @@ static int sunxi_pinctrl_set_io_bias_cfg
+ else
+ val = 0xD; /* 3.3V */
+
+- pin -= pctl->desc->pin_base;
+-
+ reg = readl(pctl->membase + sunxi_grp_config_reg(pin));
+ reg &= ~IO_BIAS_MASK;
+ writel(reg | val, pctl->membase + sunxi_grp_config_reg(pin));
--- /dev/null
+From bc3c8fe3c79bcdae4d90e3726054fac5cca8ac32 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Sun, 7 Aug 2022 13:53:04 +0200
+Subject: plip: avoid rcu debug splat
+
+From: Florian Westphal <fw@strlen.de>
+
+commit bc3c8fe3c79bcdae4d90e3726054fac5cca8ac32 upstream.
+
+WARNING: suspicious RCU usage
+5.2.0-rc2-00605-g2638eb8b50cfc #1 Not tainted
+drivers/net/plip/plip.c:1110 suspicious rcu_dereference_check() usage!
+
+plip_open is called with RTNL held, switch to the correct helper.
+
+Fixes: 2638eb8b50cf ("net: ipv4: provide __rcu annotation for ifa_list")
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Link: https://lore.kernel.org/r/20220807115304.13257-1-fw@strlen.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/plip/plip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/plip/plip.c
++++ b/drivers/net/plip/plip.c
+@@ -1111,7 +1111,7 @@ plip_open(struct net_device *dev)
+ /* Any address will do - we take the first. We already
+ have the first two bytes filled with 0xfc, from
+ plip_init_dev(). */
+- const struct in_ifaddr *ifa = rcu_dereference(in_dev->ifa_list);
++ const struct in_ifaddr *ifa = rtnl_dereference(in_dev->ifa_list);
+ if (ifa != NULL) {
+ dev_addr_mod(dev, 2, &ifa->ifa_local, 4);
+ }
--- /dev/null
+From 03c4cd6f89e074a51e289eb9129ac646f0f2bd29 Mon Sep 17 00:00:00 2001
+From: Zeng Jingxiang <linuszeng@tencent.com>
+Date: Thu, 28 Jul 2022 18:01:01 +0800
+Subject: rtc: spear: set range max
+
+From: Zeng Jingxiang <linuszeng@tencent.com>
+
+commit 03c4cd6f89e074a51e289eb9129ac646f0f2bd29 upstream.
+
+In the commit f395e1d3b28d7c2c67b73bd467c4fb79523e1c65
+("rtc: spear: set range"), the value of
+RTC_TIMESTAMP_END_9999 was incorrectly set to range_min.
+390 config->rtc->range_min = RTC_TIMESTAMP_BEGIN_0000;
+391 config->rtc->range_max = RTC_TIMESTAMP_END_9999;
+
+Fixes: f395e1d3b28d ("rtc: spear: set range")
+Signed-off-by: Zeng Jingxiang <linuszeng@tencent.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20220728100101.1906801-1-zengjx95@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-spear.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-spear.c b/drivers/rtc/rtc-spear.c
+index d4777b01ab22..736fe535cd45 100644
+--- a/drivers/rtc/rtc-spear.c
++++ b/drivers/rtc/rtc-spear.c
+@@ -388,7 +388,7 @@ static int spear_rtc_probe(struct platform_device *pdev)
+
+ config->rtc->ops = &spear_rtc_ops;
+ config->rtc->range_min = RTC_TIMESTAMP_BEGIN_0000;
+- config->rtc->range_min = RTC_TIMESTAMP_END_9999;
++ config->rtc->range_max = RTC_TIMESTAMP_END_9999;
+
+ status = devm_rtc_register_device(config->rtc);
+ if (status)
+--
+2.37.2
+
--- /dev/null
+From 8bcfb4ae4d970b9a9724ddfbac26c387934e0e94 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Tue, 9 Aug 2022 14:33:20 +0300
+Subject: selftests: forwarding: Fix failing tests with old libnet
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 8bcfb4ae4d970b9a9724ddfbac26c387934e0e94 upstream.
+
+The custom multipath hash tests use mausezahn in order to test how
+changes in various packet fields affect the packet distribution across
+the available nexthops.
+
+The tool uses the libnet library for various low-level packet
+construction and injection. The library started using the
+"SO_BINDTODEVICE" socket option for IPv6 sockets in version 1.1.6 and
+for IPv4 sockets in version 1.2.
+
+When the option is not set, packets are not routed according to the
+table associated with the VRF master device and tests fail.
+
+Fix this by prefixing the command with "ip vrf exec", which will cause
+the route lookup to occur in the VRF routing table. This makes the tests
+pass regardless of the libnet library version.
+
+Fixes: 511e8db54036 ("selftests: forwarding: Add test for custom multipath hash")
+Fixes: 185b0c190bb6 ("selftests: forwarding: Add test for custom multipath hash with IPv4 GRE")
+Fixes: b7715acba4d3 ("selftests: forwarding: Add test for custom multipath hash with IPv6 GRE")
+Reported-by: Ivan Vecera <ivecera@redhat.com>
+Tested-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Amit Cohen <amcohen@nvidia.com>
+Link: https://lore.kernel.org/r/20220809113320.751413-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/forwarding/custom_multipath_hash.sh | 24 ++++++----
+ tools/testing/selftests/net/forwarding/gre_custom_multipath_hash.sh | 24 ++++++----
+ tools/testing/selftests/net/forwarding/ip6gre_custom_multipath_hash.sh | 24 ++++++----
+ 3 files changed, 48 insertions(+), 24 deletions(-)
+
+--- a/tools/testing/selftests/net/forwarding/custom_multipath_hash.sh
++++ b/tools/testing/selftests/net/forwarding/custom_multipath_hash.sh
+@@ -181,37 +181,43 @@ ping_ipv6()
+
+ send_src_ipv4()
+ {
+- $MZ $h1 -q -p 64 -A "198.51.100.2-198.51.100.253" -B 203.0.113.2 \
++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \
++ -A "198.51.100.2-198.51.100.253" -B 203.0.113.2 \
+ -d 1msec -c 50 -t udp "sp=20000,dp=30000"
+ }
+
+ send_dst_ipv4()
+ {
+- $MZ $h1 -q -p 64 -A 198.51.100.2 -B "203.0.113.2-203.0.113.253" \
++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \
++ -A 198.51.100.2 -B "203.0.113.2-203.0.113.253" \
+ -d 1msec -c 50 -t udp "sp=20000,dp=30000"
+ }
+
+ send_src_udp4()
+ {
+- $MZ $h1 -q -p 64 -A 198.51.100.2 -B 203.0.113.2 \
++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \
++ -A 198.51.100.2 -B 203.0.113.2 \
+ -d 1msec -t udp "sp=0-32768,dp=30000"
+ }
+
+ send_dst_udp4()
+ {
+- $MZ $h1 -q -p 64 -A 198.51.100.2 -B 203.0.113.2 \
++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \
++ -A 198.51.100.2 -B 203.0.113.2 \
+ -d 1msec -t udp "sp=20000,dp=0-32768"
+ }
+
+ send_src_ipv6()
+ {
+- $MZ -6 $h1 -q -p 64 -A "2001:db8:1::2-2001:db8:1::fd" -B 2001:db8:4::2 \
++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \
++ -A "2001:db8:1::2-2001:db8:1::fd" -B 2001:db8:4::2 \
+ -d 1msec -c 50 -t udp "sp=20000,dp=30000"
+ }
+
+ send_dst_ipv6()
+ {
+- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B "2001:db8:4::2-2001:db8:4::fd" \
++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \
++ -A 2001:db8:1::2 -B "2001:db8:4::2-2001:db8:4::fd" \
+ -d 1msec -c 50 -t udp "sp=20000,dp=30000"
+ }
+
+@@ -226,13 +232,15 @@ send_flowlabel()
+
+ send_src_udp6()
+ {
+- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B 2001:db8:4::2 \
++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \
++ -A 2001:db8:1::2 -B 2001:db8:4::2 \
+ -d 1msec -t udp "sp=0-32768,dp=30000"
+ }
+
+ send_dst_udp6()
+ {
+- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B 2001:db8:4::2 \
++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \
++ -A 2001:db8:1::2 -B 2001:db8:4::2 \
+ -d 1msec -t udp "sp=20000,dp=0-32768"
+ }
+
+--- a/tools/testing/selftests/net/forwarding/gre_custom_multipath_hash.sh
++++ b/tools/testing/selftests/net/forwarding/gre_custom_multipath_hash.sh
+@@ -276,37 +276,43 @@ ping_ipv6()
+
+ send_src_ipv4()
+ {
+- $MZ $h1 -q -p 64 -A "198.51.100.2-198.51.100.253" -B 203.0.113.2 \
++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \
++ -A "198.51.100.2-198.51.100.253" -B 203.0.113.2 \
+ -d 1msec -c 50 -t udp "sp=20000,dp=30000"
+ }
+
+ send_dst_ipv4()
+ {
+- $MZ $h1 -q -p 64 -A 198.51.100.2 -B "203.0.113.2-203.0.113.253" \
++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \
++ -A 198.51.100.2 -B "203.0.113.2-203.0.113.253" \
+ -d 1msec -c 50 -t udp "sp=20000,dp=30000"
+ }
+
+ send_src_udp4()
+ {
+- $MZ $h1 -q -p 64 -A 198.51.100.2 -B 203.0.113.2 \
++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \
++ -A 198.51.100.2 -B 203.0.113.2 \
+ -d 1msec -t udp "sp=0-32768,dp=30000"
+ }
+
+ send_dst_udp4()
+ {
+- $MZ $h1 -q -p 64 -A 198.51.100.2 -B 203.0.113.2 \
++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \
++ -A 198.51.100.2 -B 203.0.113.2 \
+ -d 1msec -t udp "sp=20000,dp=0-32768"
+ }
+
+ send_src_ipv6()
+ {
+- $MZ -6 $h1 -q -p 64 -A "2001:db8:1::2-2001:db8:1::fd" -B 2001:db8:2::2 \
++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \
++ -A "2001:db8:1::2-2001:db8:1::fd" -B 2001:db8:2::2 \
+ -d 1msec -c 50 -t udp "sp=20000,dp=30000"
+ }
+
+ send_dst_ipv6()
+ {
+- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B "2001:db8:2::2-2001:db8:2::fd" \
++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \
++ -A 2001:db8:1::2 -B "2001:db8:2::2-2001:db8:2::fd" \
+ -d 1msec -c 50 -t udp "sp=20000,dp=30000"
+ }
+
+@@ -321,13 +327,15 @@ send_flowlabel()
+
+ send_src_udp6()
+ {
+- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B 2001:db8:2::2 \
++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \
++ -A 2001:db8:1::2 -B 2001:db8:2::2 \
+ -d 1msec -t udp "sp=0-32768,dp=30000"
+ }
+
+ send_dst_udp6()
+ {
+- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B 2001:db8:2::2 \
++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \
++ -A 2001:db8:1::2 -B 2001:db8:2::2 \
+ -d 1msec -t udp "sp=20000,dp=0-32768"
+ }
+
+--- a/tools/testing/selftests/net/forwarding/ip6gre_custom_multipath_hash.sh
++++ b/tools/testing/selftests/net/forwarding/ip6gre_custom_multipath_hash.sh
+@@ -278,37 +278,43 @@ ping_ipv6()
+
+ send_src_ipv4()
+ {
+- $MZ $h1 -q -p 64 -A "198.51.100.2-198.51.100.253" -B 203.0.113.2 \
++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \
++ -A "198.51.100.2-198.51.100.253" -B 203.0.113.2 \
+ -d 1msec -c 50 -t udp "sp=20000,dp=30000"
+ }
+
+ send_dst_ipv4()
+ {
+- $MZ $h1 -q -p 64 -A 198.51.100.2 -B "203.0.113.2-203.0.113.253" \
++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \
++ -A 198.51.100.2 -B "203.0.113.2-203.0.113.253" \
+ -d 1msec -c 50 -t udp "sp=20000,dp=30000"
+ }
+
+ send_src_udp4()
+ {
+- $MZ $h1 -q -p 64 -A 198.51.100.2 -B 203.0.113.2 \
++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \
++ -A 198.51.100.2 -B 203.0.113.2 \
+ -d 1msec -t udp "sp=0-32768,dp=30000"
+ }
+
+ send_dst_udp4()
+ {
+- $MZ $h1 -q -p 64 -A 198.51.100.2 -B 203.0.113.2 \
++ ip vrf exec v$h1 $MZ $h1 -q -p 64 \
++ -A 198.51.100.2 -B 203.0.113.2 \
+ -d 1msec -t udp "sp=20000,dp=0-32768"
+ }
+
+ send_src_ipv6()
+ {
+- $MZ -6 $h1 -q -p 64 -A "2001:db8:1::2-2001:db8:1::fd" -B 2001:db8:2::2 \
++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \
++ -A "2001:db8:1::2-2001:db8:1::fd" -B 2001:db8:2::2 \
+ -d 1msec -c 50 -t udp "sp=20000,dp=30000"
+ }
+
+ send_dst_ipv6()
+ {
+- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B "2001:db8:2::2-2001:db8:2::fd" \
++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \
++ -A 2001:db8:1::2 -B "2001:db8:2::2-2001:db8:2::fd" \
+ -d 1msec -c 50 -t udp "sp=20000,dp=30000"
+ }
+
+@@ -323,13 +329,15 @@ send_flowlabel()
+
+ send_src_udp6()
+ {
+- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B 2001:db8:2::2 \
++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \
++ -A 2001:db8:1::2 -B 2001:db8:2::2 \
+ -d 1msec -t udp "sp=0-32768,dp=30000"
+ }
+
+ send_dst_udp6()
+ {
+- $MZ -6 $h1 -q -p 64 -A 2001:db8:1::2 -B 2001:db8:2::2 \
++ ip vrf exec v$h1 $MZ -6 $h1 -q -p 64 \
++ -A 2001:db8:1::2 -B 2001:db8:2::2 \
+ -d 1msec -t udp "sp=20000,dp=0-32768"
+ }
+
--- /dev/null
+From df9e03aec3b14970df05b72d54f8ac9da3ab29e1 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 4 Aug 2022 17:21:27 -0700
+Subject: selftests: mptcp: make sendfile selftest work
+
+From: Florian Westphal <fw@strlen.de>
+
+commit df9e03aec3b14970df05b72d54f8ac9da3ab29e1 upstream.
+
+When the selftest got added, sendfile() on mptcp sockets returned
+-EOPNOTSUPP, so running 'mptcp_connect.sh -m sendfile' failed
+immediately.
+
+This is no longer the case, but the script fails anyway due to timeout.
+Let the receiver know once the sender has sent all data, just like
+with '-m mmap' mode.
+
+v2: need to respect cfg_wait too, as pm_userspace.sh relied
+on -m sendfile to keep the connection open (Mat Martineau)
+
+Fixes: 048d19d444be ("mptcp: add basic kselftest for mptcp")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.c | 26 ++++++++++++++--------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
+@@ -553,6 +553,18 @@ static void set_nonblock(int fd, bool no
+ fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
+ }
+
++static void shut_wr(int fd)
++{
++ /* Close our write side, ev. give some time
++ * for address notification and/or checking
++ * the current status
++ */
++ if (cfg_wait)
++ usleep(cfg_wait);
++
++ shutdown(fd, SHUT_WR);
++}
++
+ static int copyfd_io_poll(int infd, int peerfd, int outfd, bool *in_closed_after_out)
+ {
+ struct pollfd fds = {
+@@ -630,14 +642,7 @@ static int copyfd_io_poll(int infd, int
+ /* ... and peer also closed already */
+ break;
+
+- /* ... but we still receive.
+- * Close our write side, ev. give some time
+- * for address notification and/or checking
+- * the current status
+- */
+- if (cfg_wait)
+- usleep(cfg_wait);
+- shutdown(peerfd, SHUT_WR);
++ shut_wr(peerfd);
+ } else {
+ if (errno == EINTR)
+ continue;
+@@ -767,7 +772,7 @@ static int copyfd_io_mmap(int infd, int
+ if (err)
+ return err;
+
+- shutdown(peerfd, SHUT_WR);
++ shut_wr(peerfd);
+
+ err = do_recvfile(peerfd, outfd);
+ *in_closed_after_out = true;
+@@ -791,6 +796,9 @@ static int copyfd_io_sendfile(int infd,
+ err = do_sendfile(infd, peerfd, size);
+ if (err)
+ return err;
++
++ shut_wr(peerfd);
++
+ err = do_recvfile(peerfd, outfd);
+ *in_closed_after_out = true;
+ }
tracing-eprobes-have-event-probes-be-consistent-with-kprobes-and-uprobes.patch
tracing-probes-have-kprobes-and-uprobes-use-comm-too.patch
tracing-have-filter-accept-common_cpu-to-be-consistent.patch
+alsa-usb-audio-more-comprehensive-mixer-map-for-asus-rog-zenith-ii.patch
+alsa-hda-fix-crash-due-to-jack-poll-in-suspend.patch
+dt-bindings-usb-mtk-xhci-allow-wakeup-interrupt-names-to-be-optional.patch
+can-ems_usb-fix-clang-s-wunaligned-access-warning.patch
+apparmor-fix-quiet_denied-for-file-rules.patch
+apparmor-fix-absroot-causing-audited-secids-to-begin-with.patch
+apparmor-fix-failed-mount-permission-check-error-message.patch
+apparmor-fix-aa_label_asxprint-return-check.patch
+apparmor-fix-setting-unconfined-mode-on-a-loaded-profile.patch
+apparmor-fix-overlapping-attachment-computation.patch
+apparmor-fix-reference-count-leak-in-aa_pivotroot.patch
+apparmor-fix-memleak-in-aa_simple_write_to_buffer.patch
+documentation-acpi-einj-fix-obsolete-example.patch
+netfilter-nf_tables-fix-crash-when-nf_trace-is-enabled.patch
+net-tap-null-pointer-derefence-in-dev_parse_header_protocol-when-skb-dev-is-null.patch
+nfsv4.1-don-t-decrease-the-value-of-seq_nr_highest_sent.patch
+nfsv4.1-handle-nfs4err_delay-replies-to-op_sequence-correctly.patch
+nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch
+nfsv4.1-reclaim_complete-must-handle-eacces.patch
+nfsv4-pnfs-fix-a-use-after-free-bug-in-open.patch
+mptcp-btf-add-struct-mptcp_sock-definition-when-config_mptcp-is-disabled.patch
+mptcp-move-subflow-cleanup-in-mptcp_destroy_common.patch
+mptcp-do-not-queue-data-on-closed-subflows.patch
+selftests-mptcp-make-sendfile-selftest-work.patch
+bpf-fix-potential-bad-pointer-dereference-in-bpf_sys_bpf.patch
+bpf-disallow-bpf-programs-call-prog_run-command.patch
+bpf-don-t-reinit-map-value-in-prealloc_lru_pop.patch
+bpf-acquire-map-uref-in-.init_seq_private-for-array-map-iterator.patch
+bpf-acquire-map-uref-in-.init_seq_private-for-hash-map-iterator.patch
+bpf-acquire-map-uref-in-.init_seq_private-for-sock-local-storage-map-iterator.patch
+bpf-acquire-map-uref-in-.init_seq_private-for-sock-map-hash-iterator.patch
+bpf-check-the-validity-of-max_rdwr_access-for-sock-local-storage-map-iterator.patch
+can-mcp251x-fix-race-condition-on-receive-interrupt.patch
+can-j1939-j1939_session_destroy-fix-memory-leak-of-skbs.patch
+net-atlantic-fix-aq_vec-index-out-of-range-error.patch
+m68k-coldfire-device.c-protect-flexcan-blocks.patch
+sunrpc-fix-expiry-of-auth-creds.patch
+sunrpc-fix-xdr_encode_bool.patch
+sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch
+sunrpc-don-t-reuse-bvec-on-retransmission-of-the-request.patch
+asoc-qdsp6-q6apm-dai-unprepare-stream-if-its-already-prepared.patch
+virtio-virtio_harden_notification-is-broken.patch
+virtio_net-fix-memory-leak-inside-xpd_tx-with-mergeable.patch
+virtio-blk-avoid-use-after-free-on-suspend-resume.patch
+devlink-fix-use-after-free-after-a-failed-reload.patch
+net-phy-warn-about-incorrect-mdio_bus_phy_resume-state.patch
+net-bcmgenet-indicate-mac-is-in-charge-of-phy-pm.patch
+net-phy-c45-baset1-do-not-skip-aneg-configuration-if-clock-role-is-not-specified.patch
+net-dsa-felix-suppress-non-changes-to-the-tagging-protocol.patch
+net-bgmac-fix-a-bug-triggered-by-wrong-bytes_compl.patch
+net-atm-bring-back-zatm-uapi.patch
+selftests-forwarding-fix-failing-tests-with-old-libnet.patch
+dt-bindings-arm-qcom-fix-alcatel-onetouch-idol-3-compatibles.patch
+pinctrl-renesas-rzg2l-return-einval-for-pins-which-have-input-disabled.patch
+dt-bindings-pinctrl-mt8192-add-drive-strength-microamp.patch
+dt-bindings-pinctrl-mt8192-use-generic-bias-instead-of-pull-adv.patch
+pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch
+pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch
+pinctrl-amd-don-t-save-restore-interrupt-status-and-wake-status-bits.patch
+dt-bindings-pinctrl-mt8195-fix-name-for-mediatek-rsel-resistance-in-si-unit.patch
+dt-bindings-pinctrl-mt8195-add-and-use-drive-strength-microamp.patch
+pinctrl-sunxi-add-i-o-bias-setting-for-h6-r-pio.patch
+dt-bindings-pinctrl-mt8186-add-and-use-drive-strength-microamp.patch
+pinctrl-qcom-sm8250-fix-pdc-map.patch
+rtc-spear-set-range-max.patch
+input-exc3000-fix-return-value-check-of-wait_for_completion_timeout.patch
+input-mt6779-keypad-match-hardware-matrix-organization.patch
+input-iqs7222-correct-slider-event-disable-logic.patch
+input-iqs7222-fortify-slider-event-reporting.patch
+input-iqs7222-protect-volatile-registers.patch
+input-iqs7222-acknowledge-reset-before-writing-registers.patch
+input-iqs7222-handle-reset-during-ati.patch
+input-iqs7222-remove-support-for-rf-filter.patch
+dt-bindings-input-iqs7222-remove-support-for-rf-filter.patch
+dt-bindings-input-iqs7222-correct-bottom-speed-step-size.patch
+dt-bindings-input-iqs7222-extend-slider-mapped-gpio-to-iqs7222c.patch
+um-add-missing-apply_returns.patch
+octeontx2-pf-fix-nix_af_tl3_tl2x_linkx_cfg-register-configuration.patch
+octeontx2-af-apply-tx-nibble-fixup-always.patch
+octeontx2-af-suppress-external-profile-loading-warning.patch
+octeontx2-af-fix-mcam-entry-resource-leak.patch
+octeontx2-af-fix-key-checking-for-source-mac.patch
+acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch
+geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch
+vxlan-do-not-use-rt_tos-for-ipv6-flowlabel.patch
+mlx5-do-not-use-rt_tos-for-ipv6-flowlabel.patch
+ipv6-do-not-use-rt_tos-for-ipv6-flowlabel.patch
+plip-avoid-rcu-debug-splat.patch
+vsock-fix-memory-leak-in-vsock_connect.patch
+vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch
--- /dev/null
+From 72691a269f0baad6d5f4aa7af97c29081b86d70f Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Wed, 27 Jul 2022 13:02:27 -0400
+Subject: SUNRPC: Don't reuse bvec on retransmission of the request
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 72691a269f0baad6d5f4aa7af97c29081b86d70f upstream.
+
+If a request is re-encoded and then retransmitted, we need to make sure
+that we also re-encode the bvec, in case the page lists have changed.
+
+Fixes: ff053dbbaffe ("SUNRPC: Move the call to xprt_send_pagedata() out of xprt_sock_sendmsg()")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/sunrpc/xprt.h | 3 ++-
+ net/sunrpc/clnt.c | 1 -
+ net/sunrpc/xprt.c | 27 ++++++++++++++++++---------
+ net/sunrpc/xprtsock.c | 12 ++----------
+ 4 files changed, 22 insertions(+), 21 deletions(-)
+
+--- a/include/linux/sunrpc/xprt.h
++++ b/include/linux/sunrpc/xprt.h
+@@ -144,7 +144,8 @@ struct rpc_xprt_ops {
+ unsigned short (*get_srcport)(struct rpc_xprt *xprt);
+ int (*buf_alloc)(struct rpc_task *task);
+ void (*buf_free)(struct rpc_task *task);
+- int (*prepare_request)(struct rpc_rqst *req);
++ int (*prepare_request)(struct rpc_rqst *req,
++ struct xdr_buf *buf);
+ int (*send_request)(struct rpc_rqst *req);
+ void (*wait_for_reply_request)(struct rpc_task *task);
+ void (*timer)(struct rpc_xprt *xprt, struct rpc_task *task);
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -1856,7 +1856,6 @@ rpc_xdr_encode(struct rpc_task *task)
+ req->rq_snd_buf.head[0].iov_len = 0;
+ xdr_init_encode(&xdr, &req->rq_snd_buf,
+ req->rq_snd_buf.head[0].iov_base, req);
+- xdr_free_bvec(&req->rq_snd_buf);
+ if (rpc_encode_header(task, &xdr))
+ return;
+
+--- a/net/sunrpc/xprt.c
++++ b/net/sunrpc/xprt.c
+@@ -73,7 +73,7 @@ static void xprt_init(struct rpc_xprt *x
+ static __be32 xprt_alloc_xid(struct rpc_xprt *xprt);
+ static void xprt_destroy(struct rpc_xprt *xprt);
+ static void xprt_request_init(struct rpc_task *task);
+-static int xprt_request_prepare(struct rpc_rqst *req);
++static int xprt_request_prepare(struct rpc_rqst *req, struct xdr_buf *buf);
+
+ static DEFINE_SPINLOCK(xprt_list_lock);
+ static LIST_HEAD(xprt_list);
+@@ -1149,7 +1149,7 @@ xprt_request_enqueue_receive(struct rpc_
+ if (!xprt_request_need_enqueue_receive(task, req))
+ return 0;
+
+- ret = xprt_request_prepare(task->tk_rqstp);
++ ret = xprt_request_prepare(task->tk_rqstp, &req->rq_rcv_buf);
+ if (ret)
+ return ret;
+ spin_lock(&xprt->queue_lock);
+@@ -1179,8 +1179,11 @@ xprt_request_dequeue_receive_locked(stru
+ {
+ struct rpc_rqst *req = task->tk_rqstp;
+
+- if (test_and_clear_bit(RPC_TASK_NEED_RECV, &task->tk_runstate))
++ if (test_and_clear_bit(RPC_TASK_NEED_RECV, &task->tk_runstate)) {
+ xprt_request_rb_remove(req->rq_xprt, req);
++ xdr_free_bvec(&req->rq_rcv_buf);
++ req->rq_private_buf.bvec = NULL;
++ }
+ }
+
+ /**
+@@ -1336,8 +1339,14 @@ xprt_request_enqueue_transmit(struct rpc
+ {
+ struct rpc_rqst *pos, *req = task->tk_rqstp;
+ struct rpc_xprt *xprt = req->rq_xprt;
++ int ret;
+
+ if (xprt_request_need_enqueue_transmit(task, req)) {
++ ret = xprt_request_prepare(task->tk_rqstp, &req->rq_snd_buf);
++ if (ret) {
++ task->tk_status = ret;
++ return;
++ }
+ req->rq_bytes_sent = 0;
+ spin_lock(&xprt->queue_lock);
+ /*
+@@ -1397,6 +1406,7 @@ xprt_request_dequeue_transmit_locked(str
+ } else
+ list_del(&req->rq_xmit2);
+ atomic_long_dec(&req->rq_xprt->xmit_queuelen);
++ xdr_free_bvec(&req->rq_snd_buf);
+ }
+
+ /**
+@@ -1433,8 +1443,6 @@ xprt_request_dequeue_xprt(struct rpc_tas
+ test_bit(RPC_TASK_NEED_RECV, &task->tk_runstate) ||
+ xprt_is_pinned_rqst(req)) {
+ spin_lock(&xprt->queue_lock);
+- xprt_request_dequeue_transmit_locked(task);
+- xprt_request_dequeue_receive_locked(task);
+ while (xprt_is_pinned_rqst(req)) {
+ set_bit(RPC_TASK_MSG_PIN_WAIT, &task->tk_runstate);
+ spin_unlock(&xprt->queue_lock);
+@@ -1442,6 +1450,8 @@ xprt_request_dequeue_xprt(struct rpc_tas
+ spin_lock(&xprt->queue_lock);
+ clear_bit(RPC_TASK_MSG_PIN_WAIT, &task->tk_runstate);
+ }
++ xprt_request_dequeue_transmit_locked(task);
++ xprt_request_dequeue_receive_locked(task);
+ spin_unlock(&xprt->queue_lock);
+ }
+ }
+@@ -1449,18 +1459,19 @@ xprt_request_dequeue_xprt(struct rpc_tas
+ /**
+ * xprt_request_prepare - prepare an encoded request for transport
+ * @req: pointer to rpc_rqst
++ * @buf: pointer to send/rcv xdr_buf
+ *
+ * Calls into the transport layer to do whatever is needed to prepare
+ * the request for transmission or receive.
+ * Returns error, or zero.
+ */
+ static int
+-xprt_request_prepare(struct rpc_rqst *req)
++xprt_request_prepare(struct rpc_rqst *req, struct xdr_buf *buf)
+ {
+ struct rpc_xprt *xprt = req->rq_xprt;
+
+ if (xprt->ops->prepare_request)
+- return xprt->ops->prepare_request(req);
++ return xprt->ops->prepare_request(req, buf);
+ return 0;
+ }
+
+@@ -1961,8 +1972,6 @@ void xprt_release(struct rpc_task *task)
+ spin_unlock(&xprt->transport_lock);
+ if (req->rq_buffer)
+ xprt->ops->buf_free(task);
+- xdr_free_bvec(&req->rq_rcv_buf);
+- xdr_free_bvec(&req->rq_snd_buf);
+ if (req->rq_cred != NULL)
+ put_rpccred(req->rq_cred);
+ if (req->rq_release_snd_buf)
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -822,17 +822,9 @@ static int xs_stream_nospace(struct rpc_
+ return ret;
+ }
+
+-static int
+-xs_stream_prepare_request(struct rpc_rqst *req)
++static int xs_stream_prepare_request(struct rpc_rqst *req, struct xdr_buf *buf)
+ {
+- gfp_t gfp = rpc_task_gfp_mask();
+- int ret;
+-
+- ret = xdr_alloc_bvec(&req->rq_snd_buf, gfp);
+- if (ret < 0)
+- return ret;
+- xdr_free_bvec(&req->rq_rcv_buf);
+- return xdr_alloc_bvec(&req->rq_rcv_buf, gfp);
++ return xdr_alloc_bvec(buf, rpc_task_gfp_mask());
+ }
+
+ /*
--- /dev/null
+From f1bafa7375c01ff71fb7cb97c06caadfcfe815f3 Mon Sep 17 00:00:00 2001
+From: Dan Aloni <dan.aloni@vastdata.com>
+Date: Mon, 4 Jul 2022 15:56:57 +0300
+Subject: sunrpc: fix expiry of auth creds
+
+From: Dan Aloni <dan.aloni@vastdata.com>
+
+commit f1bafa7375c01ff71fb7cb97c06caadfcfe815f3 upstream.
+
+Before this commit, with a large enough LRU of expired items (100), the
+loop skipped all the expired items and was entirely ineffectual in
+trimming the LRU list.
+
+Fixes: 95cd623250ad ('SUNRPC: Clean up the AUTH cache code')
+Signed-off-by: Dan Aloni <dan.aloni@vastdata.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/auth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/auth.c
++++ b/net/sunrpc/auth.c
+@@ -445,7 +445,7 @@ rpcauth_prune_expired(struct list_head *
+ * Enforce a 60 second garbage collection moratorium
+ * Note that the cred_unused list must be time-ordered.
+ */
+- if (!time_in_range(cred->cr_expire, expired, jiffies))
++ if (time_in_range(cred->cr_expire, expired, jiffies))
+ continue;
+ if (!rpcauth_unhash_cred(cred))
+ continue;
--- /dev/null
+From c770f31d8f580ed4b965c64f924ec1cc50e41734 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Tue, 19 Jul 2022 09:18:35 -0400
+Subject: SUNRPC: Fix xdr_encode_bool()
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit c770f31d8f580ed4b965c64f924ec1cc50e41734 upstream.
+
+I discovered that xdr_encode_bool() was returning the same address
+that was passed in the @p parameter. The documenting comment states
+that the intent is to return the address of the next buffer
+location, just like the other "xdr_encode_*" helpers.
+
+The result was the encoded results of NFSv3 PATHCONF operations were
+not formed correctly.
+
+Fixes: ded04a587f6c ("NFSD: Update the NFSv3 PATHCONF3res encoder to use struct xdr_stream")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/sunrpc/xdr.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/sunrpc/xdr.h
++++ b/include/linux/sunrpc/xdr.h
+@@ -419,8 +419,8 @@ static inline int xdr_stream_encode_item
+ */
+ static inline __be32 *xdr_encode_bool(__be32 *p, u32 n)
+ {
+- *p = n ? xdr_one : xdr_zero;
+- return p++;
++ *p++ = n ? xdr_one : xdr_zero;
++ return p;
+ }
+
+ /**
--- /dev/null
+From 6622e3a73112fc336c1c2c582428fb5ef18e456a Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Wed, 27 Jul 2022 12:27:54 -0400
+Subject: SUNRPC: Reinitialise the backchannel request buffers before reuse
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 6622e3a73112fc336c1c2c582428fb5ef18e456a upstream.
+
+When we're reusing the backchannel requests instead of freeing them,
+then we should reinitialise any values of the send/receive xdr_bufs so
+that they reflect the available space.
+
+Fixes: 0d2a970d0ae5 ("SUNRPC: Fix a backchannel race")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/backchannel_rqst.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/net/sunrpc/backchannel_rqst.c
++++ b/net/sunrpc/backchannel_rqst.c
+@@ -64,6 +64,17 @@ static void xprt_free_allocation(struct
+ kfree(req);
+ }
+
++static void xprt_bc_reinit_xdr_buf(struct xdr_buf *buf)
++{
++ buf->head[0].iov_len = PAGE_SIZE;
++ buf->tail[0].iov_len = 0;
++ buf->pages = NULL;
++ buf->page_len = 0;
++ buf->flags = 0;
++ buf->len = 0;
++ buf->buflen = PAGE_SIZE;
++}
++
+ static int xprt_alloc_xdr_buf(struct xdr_buf *buf, gfp_t gfp_flags)
+ {
+ struct page *page;
+@@ -292,6 +303,9 @@ void xprt_free_bc_rqst(struct rpc_rqst *
+ */
+ spin_lock_bh(&xprt->bc_pa_lock);
+ if (xprt_need_to_requeue(xprt)) {
++ xprt_bc_reinit_xdr_buf(&req->rq_snd_buf);
++ xprt_bc_reinit_xdr_buf(&req->rq_rcv_buf);
++ req->rq_rcv_buf.len = PAGE_SIZE;
+ list_add_tail(&req->rq_bc_pa_list, &xprt->bc_pa_list);
+ xprt->bc_alloc_count++;
+ atomic_inc(&xprt->bc_slot_count);
--- /dev/null
+From 637285e7f8d6da70a70c64e7895cb0672357a1f7 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 14 Jul 2022 12:20:19 +0200
+Subject: um: Add missing apply_returns()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 637285e7f8d6da70a70c64e7895cb0672357a1f7 upstream.
+
+Implement apply_returns() stub for UM, just like all the other patching
+routines.
+
+Fixes: 15e67227c49a ("x86: Undo return-thunk damage")
+Reported-by: Randy Dunlap <rdunlap@infradead.org)
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/um/kernel/um_arch.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/um/kernel/um_arch.c
++++ b/arch/um/kernel/um_arch.c
+@@ -444,6 +444,10 @@ void apply_returns(s32 *start, s32 *end)
+ {
+ }
+
++void apply_returns(s32 *start, s32 *end)
++{
++}
++
+ void apply_alternatives(struct alt_instr *start, struct alt_instr *end)
+ {
+ }
--- /dev/null
+From 8d12ec10292877751ee4463b11a63bd850bc09b5 Mon Sep 17 00:00:00 2001
+From: Shigeru Yoshida <syoshida@redhat.com>
+Date: Thu, 11 Aug 2022 01:09:48 +0900
+Subject: virtio-blk: Avoid use-after-free on suspend/resume
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+commit 8d12ec10292877751ee4463b11a63bd850bc09b5 upstream.
+
+hctx->user_data is set to vq in virtblk_init_hctx(). However, vq is
+freed on suspend and reallocated on resume. So, hctx->user_data is
+invalid after resume, and it will cause use-after-free accessing which
+will result in the kernel crash something like below:
+
+[ 22.428391] Call Trace:
+[ 22.428899] <TASK>
+[ 22.429339] virtqueue_add_split+0x3eb/0x620
+[ 22.430035] ? __blk_mq_alloc_requests+0x17f/0x2d0
+[ 22.430789] ? kvm_clock_get_cycles+0x14/0x30
+[ 22.431496] virtqueue_add_sgs+0xad/0xd0
+[ 22.432108] virtblk_add_req+0xe8/0x150
+[ 22.432692] virtio_queue_rqs+0xeb/0x210
+[ 22.433330] blk_mq_flush_plug_list+0x1b8/0x280
+[ 22.434059] __blk_flush_plug+0xe1/0x140
+[ 22.434853] blk_finish_plug+0x20/0x40
+[ 22.435512] read_pages+0x20a/0x2e0
+[ 22.436063] ? folio_add_lru+0x62/0xa0
+[ 22.436652] page_cache_ra_unbounded+0x112/0x160
+[ 22.437365] filemap_get_pages+0xe1/0x5b0
+[ 22.437964] ? context_to_sid+0x70/0x100
+[ 22.438580] ? sidtab_context_to_sid+0x32/0x400
+[ 22.439979] filemap_read+0xcd/0x3d0
+[ 22.440917] xfs_file_buffered_read+0x4a/0xc0
+[ 22.441984] xfs_file_read_iter+0x65/0xd0
+[ 22.442970] __kernel_read+0x160/0x2e0
+[ 22.443921] bprm_execve+0x21b/0x640
+[ 22.444809] do_execveat_common.isra.0+0x1a8/0x220
+[ 22.446008] __x64_sys_execve+0x2d/0x40
+[ 22.446920] do_syscall_64+0x37/0x90
+[ 22.447773] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+This patch fixes this issue by getting vq from vblk, and removes
+virtblk_init_hctx().
+
+Fixes: 4e0400525691 ("virtio-blk: support polling I/O")
+Cc: "Suwan Kim" <suwan.kim027@gmail.com>
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Message-Id: <20220810160948.959781-1-syoshida@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/virtio_blk.c | 24 ++++++++++--------------
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
+index 6fc7850c2b0a..d756423e0059 100644
+--- a/drivers/block/virtio_blk.c
++++ b/drivers/block/virtio_blk.c
+@@ -101,6 +101,14 @@ static inline blk_status_t virtblk_result(struct virtblk_req *vbr)
+ }
+ }
+
++static inline struct virtio_blk_vq *get_virtio_blk_vq(struct blk_mq_hw_ctx *hctx)
++{
++ struct virtio_blk *vblk = hctx->queue->queuedata;
++ struct virtio_blk_vq *vq = &vblk->vqs[hctx->queue_num];
++
++ return vq;
++}
++
+ static int virtblk_add_req(struct virtqueue *vq, struct virtblk_req *vbr)
+ {
+ struct scatterlist hdr, status, *sgs[3];
+@@ -416,7 +424,7 @@ static void virtio_queue_rqs(struct request **rqlist)
+ struct request *requeue_list = NULL;
+
+ rq_list_for_each_safe(rqlist, req, next) {
+- struct virtio_blk_vq *vq = req->mq_hctx->driver_data;
++ struct virtio_blk_vq *vq = get_virtio_blk_vq(req->mq_hctx);
+ bool kick;
+
+ if (!virtblk_prep_rq_batch(req)) {
+@@ -837,7 +845,7 @@ static void virtblk_complete_batch(struct io_comp_batch *iob)
+ static int virtblk_poll(struct blk_mq_hw_ctx *hctx, struct io_comp_batch *iob)
+ {
+ struct virtio_blk *vblk = hctx->queue->queuedata;
+- struct virtio_blk_vq *vq = hctx->driver_data;
++ struct virtio_blk_vq *vq = get_virtio_blk_vq(hctx);
+ struct virtblk_req *vbr;
+ unsigned long flags;
+ unsigned int len;
+@@ -862,22 +870,10 @@ static int virtblk_poll(struct blk_mq_hw_ctx *hctx, struct io_comp_batch *iob)
+ return found;
+ }
+
+-static int virtblk_init_hctx(struct blk_mq_hw_ctx *hctx, void *data,
+- unsigned int hctx_idx)
+-{
+- struct virtio_blk *vblk = data;
+- struct virtio_blk_vq *vq = &vblk->vqs[hctx_idx];
+-
+- WARN_ON(vblk->tag_set.tags[hctx_idx] != hctx->tags);
+- hctx->driver_data = vq;
+- return 0;
+-}
+-
+ static const struct blk_mq_ops virtio_mq_ops = {
+ .queue_rq = virtio_queue_rq,
+ .queue_rqs = virtio_queue_rqs,
+ .commit_rqs = virtio_commit_rqs,
+- .init_hctx = virtblk_init_hctx,
+ .complete = virtblk_request_done,
+ .map_queues = virtblk_map_queues,
+ .poll = virtblk_poll,
+--
+2.37.2
+
--- /dev/null
+From ebe797f25f68f28581f46a9cb9c1997ac15c39a0 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 30 Jun 2022 15:10:57 -0400
+Subject: virtio: VIRTIO_HARDEN_NOTIFICATION is broken
+
+From: Michael S. Tsirkin <mst@redhat.com>
+
+commit ebe797f25f68f28581f46a9cb9c1997ac15c39a0 upstream.
+
+This option doesn't really work and breaks too many drivers.
+Not yet sure what's the right thing to do, for now
+let's make sure randconfig isn't broken by this.
+
+Fixes: c346dae4f3fb ("virtio: disable notification hardening by default")
+Cc: "Jason Wang" <jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/virtio/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/virtio/Kconfig
++++ b/drivers/virtio/Kconfig
+@@ -35,11 +35,12 @@ if VIRTIO_MENU
+
+ config VIRTIO_HARDEN_NOTIFICATION
+ bool "Harden virtio notification"
++ depends on BROKEN
+ help
+ Enable this to harden the device notifications and suppress
+ those that happen at a time where notifications are illegal.
+
+- Experimental: Note that several drivers still have bugs that
++ Experimental: Note that several drivers still have issues that
+ may cause crashes or hangs when correct handling of
+ notifications is enforced; depending on the subset of
+ drivers and devices you use, this may or may not work.
--- /dev/null
+From 7a542bee27c6a57e45c33cbbdc963325fd6493af Mon Sep 17 00:00:00 2001
+From: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Date: Thu, 4 Aug 2022 14:32:48 +0800
+Subject: virtio_net: fix memory leak inside XPD_TX with mergeable
+
+From: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+
+commit 7a542bee27c6a57e45c33cbbdc963325fd6493af upstream.
+
+When we call xdp_convert_buff_to_frame() to get xdpf, if it returns
+NULL, we should check if xdp_page was allocated by xdp_linearize_page().
+If it is newly allocated, it should be freed here alone. Just like any
+other "goto err_xdp".
+
+Fixes: 44fa2dbd4759 ("xdp: transition into using xdp_frame for ndo_xdp_xmit")
+Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1057,8 +1057,11 @@ static struct sk_buff *receive_mergeable
+ case XDP_TX:
+ stats->xdp_tx++;
+ xdpf = xdp_convert_buff_to_frame(&xdp);
+- if (unlikely(!xdpf))
++ if (unlikely(!xdpf)) {
++ if (unlikely(xdp_page != page))
++ put_page(xdp_page);
+ goto err_xdp;
++ }
+ err = virtnet_xdp_xmit(dev, 1, &xdpf, 0);
+ if (unlikely(!err)) {
+ xdp_return_frame_rx_napi(xdpf);
--- /dev/null
+From 7e97cfed9929eaabc41829c395eb0d1350fccb9d Mon Sep 17 00:00:00 2001
+From: Peilin Ye <peilin.ye@bytedance.com>
+Date: Mon, 8 Aug 2022 11:04:47 -0700
+Subject: vsock: Fix memory leak in vsock_connect()
+
+From: Peilin Ye <peilin.ye@bytedance.com>
+
+commit 7e97cfed9929eaabc41829c395eb0d1350fccb9d upstream.
+
+An O_NONBLOCK vsock_connect() request may try to reschedule
+@connect_work. Imagine the following sequence of vsock_connect()
+requests:
+
+ 1. The 1st, non-blocking request schedules @connect_work, which will
+ expire after 200 jiffies. Socket state is now SS_CONNECTING;
+
+ 2. Later, the 2nd, blocking request gets interrupted by a signal after
+ a few jiffies while waiting for the connection to be established.
+ Socket state is back to SS_UNCONNECTED, but @connect_work is still
+ pending, and will expire after 100 jiffies.
+
+ 3. Now, the 3rd, non-blocking request tries to schedule @connect_work
+ again. Since @connect_work is already scheduled,
+ schedule_delayed_work() silently returns. sock_hold() is called
+ twice, but sock_put() will only be called once in
+ vsock_connect_timeout(), causing a memory leak reported by syzbot:
+
+ BUG: memory leak
+ unreferenced object 0xffff88810ea56a40 (size 1232):
+ comm "syz-executor756", pid 3604, jiffies 4294947681 (age 12.350s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 28 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 (..@............
+ backtrace:
+ [<ffffffff837c830e>] sk_prot_alloc+0x3e/0x1b0 net/core/sock.c:1930
+ [<ffffffff837cbe22>] sk_alloc+0x32/0x2e0 net/core/sock.c:1989
+ [<ffffffff842ccf68>] __vsock_create.constprop.0+0x38/0x320 net/vmw_vsock/af_vsock.c:734
+ [<ffffffff842ce8f1>] vsock_create+0xc1/0x2d0 net/vmw_vsock/af_vsock.c:2203
+ [<ffffffff837c0cbb>] __sock_create+0x1ab/0x2b0 net/socket.c:1468
+ [<ffffffff837c3acf>] sock_create net/socket.c:1519 [inline]
+ [<ffffffff837c3acf>] __sys_socket+0x6f/0x140 net/socket.c:1561
+ [<ffffffff837c3bba>] __do_sys_socket net/socket.c:1570 [inline]
+ [<ffffffff837c3bba>] __se_sys_socket net/socket.c:1568 [inline]
+ [<ffffffff837c3bba>] __x64_sys_socket+0x1a/0x20 net/socket.c:1568
+ [<ffffffff84512815>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ [<ffffffff84512815>] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
+ [<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+ <...>
+
+Use mod_delayed_work() instead: if @connect_work is already scheduled,
+reschedule it, and undo sock_hold() to keep the reference count
+balanced.
+
+Reported-and-tested-by: syzbot+b03f55bf128f9a38f064@syzkaller.appspotmail.com
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Co-developed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1391,7 +1391,14 @@ static int vsock_connect(struct socket *
+ * timeout fires.
+ */
+ sock_hold(sk);
+- schedule_delayed_work(&vsk->connect_work, timeout);
++
++ /* If the timeout function is already scheduled,
++ * reschedule it, then ungrab the socket refcount to
++ * keep it balanced.
++ */
++ if (mod_delayed_work(system_wq, &vsk->connect_work,
++ timeout))
++ sock_put(sk);
+
+ /* Skip ahead to preserve error code set above. */
+ goto out_wait;
--- /dev/null
+From a3e7b29e30854ed67be0d17687e744ad0c769c4b Mon Sep 17 00:00:00 2001
+From: Peilin Ye <peilin.ye@bytedance.com>
+Date: Mon, 8 Aug 2022 11:05:25 -0700
+Subject: vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout()
+
+From: Peilin Ye <peilin.ye@bytedance.com>
+
+commit a3e7b29e30854ed67be0d17687e744ad0c769c4b upstream.
+
+Imagine two non-blocking vsock_connect() requests on the same socket.
+The first request schedules @connect_work, and after it times out,
+vsock_connect_timeout() sets *sock* state back to TCP_CLOSE, but keeps
+*socket* state as SS_CONNECTING.
+
+Later, the second request returns -EALREADY, meaning the socket "already
+has a pending connection in progress", even though the first request has
+already timed out.
+
+As suggested by Stefano, fix it by setting *socket* state back to
+SS_UNCONNECTED, so that the second request will return -ETIMEDOUT.
+
+Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1286,6 +1286,7 @@ static void vsock_connect_timeout(struct
+ if (sk->sk_state == TCP_SYN_SENT &&
+ (sk->sk_shutdown != SHUTDOWN_MASK)) {
+ sk->sk_state = TCP_CLOSE;
++ sk->sk_socket->state = SS_UNCONNECTED;
+ sk->sk_err = ETIMEDOUT;
+ sk_error_report(sk);
+ vsock_transport_cancel_pkt(vsk);
--- /dev/null
+From e488d4f5d6e4cd1e728ba4ddbdcd7ef5f4d13a21 Mon Sep 17 00:00:00 2001
+From: Matthias May <matthias.may@westermo.com>
+Date: Fri, 5 Aug 2022 21:19:04 +0200
+Subject: vxlan: do not use RT_TOS for IPv6 flowlabel
+
+From: Matthias May <matthias.may@westermo.com>
+
+commit e488d4f5d6e4cd1e728ba4ddbdcd7ef5f4d13a21 upstream.
+
+According to Guillaume Nault RT_TOS should never be used for IPv6.
+
+Quote:
+RT_TOS() is an old macro used to interprete IPv4 TOS as described in
+the obsolete RFC 1349. It's conceptually wrong to use it even in IPv4
+code, although, given the current state of the code, most of the
+existing calls have no consequence.
+
+But using RT_TOS() in IPv6 code is always a bug: IPv6 never had a "TOS"
+field to be interpreted the RFC 1349 way. There's no historical
+compatibility to worry about.
+
+Fixes: 1400615d64cf ("vxlan: allow setting ipv6 traffic class")
+Acked-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Matthias May <matthias.may@westermo.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan/vxlan_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -2321,7 +2321,7 @@ static struct dst_entry *vxlan6_get_rout
+ fl6.flowi6_oif = oif;
+ fl6.daddr = *daddr;
+ fl6.saddr = *saddr;
+- fl6.flowlabel = ip6_make_flowinfo(RT_TOS(tos), label);
++ fl6.flowlabel = ip6_make_flowinfo(tos, label);
+ fl6.flowi6_mark = skb->mark;
+ fl6.flowi6_proto = IPPROTO_UDP;
+ fl6.fl6_dport = dport;
projects / thirdparty / kernel / stable-queue.git / commitdiff
