--- /dev/null
+From 0805c7c8aa041cda7c9e04d4638b161d9e563fd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 22:43:25 +0800
+Subject: 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race
+ condition
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit ea4f1009408efb4989a0f139b70fb338e7f687d0 ]
+
+In xen_9pfs_front_probe, it calls xen_9pfs_front_alloc_dataring
+to init priv->rings and bound &ring->work with p9_xen_response.
+
+When it calls xen_9pfs_front_event_handler to handle IRQ requests,
+it will finally call schedule_work to start the work.
+
+When we call xen_9pfs_front_remove to remove the driver, there
+may be a sequence as follows:
+
+Fix it by finishing the work before cleanup in xen_9pfs_front_free.
+
+Note that, this bug is found by static analysis, which might be
+false positive.
+
+CPU0 CPU1
+
+ |p9_xen_response
+xen_9pfs_front_remove|
+ xen_9pfs_front_free|
+kfree(priv) |
+//free priv |
+ |p9_tag_lookup
+ |//use priv->client
+
+Fixes: 71ebd71921e4 ("xen/9pfs: connect to the backend")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Signed-off-by: Eric Van Hensbergen <ericvh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_xen.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
+index 75c03a82baf38..68027e4fb4216 100644
+--- a/net/9p/trans_xen.c
++++ b/net/9p/trans_xen.c
+@@ -278,6 +278,10 @@ static void xen_9pfs_front_free(struct xen_9pfs_front_priv *priv)
+ write_unlock(&xen_9pfs_lock);
+
+ for (i = 0; i < priv->num_rings; i++) {
++ struct xen_9pfs_dataring *ring = &priv->rings[i];
++
++ cancel_work_sync(&ring->work);
++
+ if (!priv->rings[i].intf)
+ break;
+ if (priv->rings[i].irq > 0)
+--
+2.39.2
+
--- /dev/null
+From 780c7d068923f5f4a0931bfd17634917c1f26602 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Mar 2023 03:12:05 +0100
+Subject: ACPI: resource: Add Medion S17413 to IRQ override quirk
+
+From: Aymeric Wibo <obiwac@gmail.com>
+
+[ Upstream commit 2d0ab14634a26e54f8d6d231b47b7ef233e84599 ]
+
+Add DMI info of the Medion S17413 (board M1xA) to the IRQ override
+quirk table. This fixes the keyboard not working on these laptops.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=213031
+Signed-off-by: Aymeric Wibo <obiwac@gmail.com>
+[ rjw: Fixed up white space ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/resource.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
+index a222bda7e15b0..d08818baea88f 100644
+--- a/drivers/acpi/resource.c
++++ b/drivers/acpi/resource.c
+@@ -400,6 +400,13 @@ static const struct dmi_system_id medion_laptop[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "M17T"),
+ },
+ },
++ {
++ .ident = "MEDION S17413",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "MEDION"),
++ DMI_MATCH(DMI_BOARD_NAME, "M1xA"),
++ },
++ },
+ { }
+ };
+
+--
+2.39.2
+
--- /dev/null
+From 67e3ff8629d85da17143ea926174b9b7850a0be8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 16:59:46 +0100
+Subject: ACPI: video: Add backlight=native DMI quirk for Acer Aspire 3830TG
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 5e7a3bf65db57461d0f47955248fcadf37321a74 ]
+
+The Acer Aspire 3830TG predates Windows 8, so it defaults to using
+acpi_video# for backlight control, but this is non functional on
+this model.
+
+Add a DMI quirk to use the native backlight interface which does
+work properly.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/video_detect.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
+index 42b5af5490a11..f0f41959faea6 100644
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -530,6 +530,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "Precision 7510"),
+ },
+ },
++ {
++ .callback = video_detect_force_native,
++ /* Acer Aspire 3830TG */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 3830TG"),
++ },
++ },
+ {
+ .callback = video_detect_force_native,
+ /* Acer Aspire 4810T */
+--
+2.39.2
+
--- /dev/null
+From 11fe8a9cf1208194cc55a89d8a8648d530cd6b29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Feb 2023 00:10:14 +0100
+Subject: ARM: 9290/1: uaccess: Fix KASAN false-positives
+
+From: Andrew Jeffery <andrew@aj.id.au>
+
+[ Upstream commit ceac10c83b330680cc01ceaaab86cd49f4f30d81 ]
+
+__copy_to_user_memcpy() and __clear_user_memset() had been calling
+memcpy() and memset() respectively, leading to false-positive KASAN
+reports when starting userspace:
+
+ [ 10.707901] Run /init as init process
+ [ 10.731892] process '/bin/busybox' started with executable stack
+ [ 10.745234] ==================================================================
+ [ 10.745796] BUG: KASAN: user-memory-access in __clear_user_memset+0x258/0x3ac
+ [ 10.747260] Write of size 2687 at addr 000de581 by task init/1
+
+Use __memcpy() and __memset() instead to allow userspace access, which
+is of course the intent of these functions.
+
+Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
+Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/lib/uaccess_with_memcpy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/lib/uaccess_with_memcpy.c b/arch/arm/lib/uaccess_with_memcpy.c
+index 14eecaaf295fa..e4c2677cc1e9e 100644
+--- a/arch/arm/lib/uaccess_with_memcpy.c
++++ b/arch/arm/lib/uaccess_with_memcpy.c
+@@ -116,7 +116,7 @@ __copy_to_user_memcpy(void __user *to, const void *from, unsigned long n)
+ tocopy = n;
+
+ ua_flags = uaccess_save_and_enable();
+- memcpy((void *)to, from, tocopy);
++ __memcpy((void *)to, from, tocopy);
+ uaccess_restore(ua_flags);
+ to += tocopy;
+ from += tocopy;
+@@ -178,7 +178,7 @@ __clear_user_memset(void __user *addr, unsigned long n)
+ tocopy = n;
+
+ ua_flags = uaccess_save_and_enable();
+- memset((void *)addr, 0, tocopy);
++ __memset((void *)addr, 0, tocopy);
+ uaccess_restore(ua_flags);
+ addr += tocopy;
+ n -= tocopy;
+--
+2.39.2
+
--- /dev/null
+From cbc8af670b6bd9a0e1ce6b685a6863f6b04f058d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 22:06:03 +0100
+Subject: ARM: dts: qcom: apq8026-lg-lenok: add missing reserved memory
+
+From: Luca Weiss <luca@z3ntu.xyz>
+
+[ Upstream commit ecd240875e877d78fd03efbc62292f550872df3f ]
+
+Turns out these two memory regions also need to be avoided, otherwise
+weird things will happen when Linux tries to use this memory.
+
+Signed-off-by: Luca Weiss <luca@z3ntu.xyz>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20230308-lenok-reserved-memory-v1-1-b8bf6ff01207@z3ntu.xyz
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/qcom-apq8026-lg-lenok.dts | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/arch/arm/boot/dts/qcom-apq8026-lg-lenok.dts b/arch/arm/boot/dts/qcom-apq8026-lg-lenok.dts
+index 193569f0ca5f7..4bdadb7681c30 100644
+--- a/arch/arm/boot/dts/qcom-apq8026-lg-lenok.dts
++++ b/arch/arm/boot/dts/qcom-apq8026-lg-lenok.dts
+@@ -26,6 +26,16 @@
+ };
+
+ reserved-memory {
++ sbl_region: sbl@2f00000 {
++ reg = <0x02f00000 0x100000>;
++ no-map;
++ };
++
++ external_image_region: external-image@3100000 {
++ reg = <0x03100000 0x200000>;
++ no-map;
++ };
++
+ adsp_region: adsp@3300000 {
+ reg = <0x03300000 0x1400000>;
+ no-map;
+--
+2.39.2
+
--- /dev/null
+From 1aa88a4dbf850965cbc8cb498e598996219c5236 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Feb 2023 12:12:54 -0500
+Subject: asymmetric_keys: log on fatal failures in PE/pkcs7
+
+From: Robbie Harwood <rharwood@redhat.com>
+
+[ Upstream commit 3584c1dbfffdabf8e3dc1dd25748bb38dd01cd43 ]
+
+These particular errors can be encountered while trying to kexec when
+secureboot lockdown is in place. Without this change, even with a
+signed debug build, one still needs to reboot the machine to add the
+appropriate dyndbg parameters (since lockdown blocks debugfs).
+
+Accordingly, upgrade all pr_debug() before fatal error into pr_warn().
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Jarkko Sakkinen <jarkko@kernel.org>
+cc: Eric Biederman <ebiederm@xmission.com>
+cc: Herbert Xu <herbert@gondor.apana.org.au>
+cc: keyrings@vger.kernel.org
+cc: linux-crypto@vger.kernel.org
+cc: kexec@lists.infradead.org
+Link: https://lore.kernel.org/r/20230220171254.592347-3-rharwood@redhat.com/ # v2
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/asymmetric_keys/pkcs7_verify.c | 10 +++++-----
+ crypto/asymmetric_keys/verify_pefile.c | 24 ++++++++++++------------
+ 2 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
+index f6321c785714c..3da32813e4412 100644
+--- a/crypto/asymmetric_keys/pkcs7_verify.c
++++ b/crypto/asymmetric_keys/pkcs7_verify.c
+@@ -79,16 +79,16 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
+ }
+
+ if (sinfo->msgdigest_len != sig->digest_size) {
+- pr_debug("Sig %u: Invalid digest size (%u)\n",
+- sinfo->index, sinfo->msgdigest_len);
++ pr_warn("Sig %u: Invalid digest size (%u)\n",
++ sinfo->index, sinfo->msgdigest_len);
+ ret = -EBADMSG;
+ goto error;
+ }
+
+ if (memcmp(sig->digest, sinfo->msgdigest,
+ sinfo->msgdigest_len) != 0) {
+- pr_debug("Sig %u: Message digest doesn't match\n",
+- sinfo->index);
++ pr_warn("Sig %u: Message digest doesn't match\n",
++ sinfo->index);
+ ret = -EKEYREJECTED;
+ goto error;
+ }
+@@ -478,7 +478,7 @@ int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7,
+ const void *data, size_t datalen)
+ {
+ if (pkcs7->data) {
+- pr_debug("Data already supplied\n");
++ pr_warn("Data already supplied\n");
+ return -EINVAL;
+ }
+ pkcs7->data = data;
+diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
+index fe1bb374239d7..22beaf2213a22 100644
+--- a/crypto/asymmetric_keys/verify_pefile.c
++++ b/crypto/asymmetric_keys/verify_pefile.c
+@@ -74,7 +74,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
+ break;
+
+ default:
+- pr_debug("Unknown PEOPT magic = %04hx\n", pe32->magic);
++ pr_warn("Unknown PEOPT magic = %04hx\n", pe32->magic);
+ return -ELIBBAD;
+ }
+
+@@ -95,7 +95,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
+ ctx->certs_size = ddir->certs.size;
+
+ if (!ddir->certs.virtual_address || !ddir->certs.size) {
+- pr_debug("Unsigned PE binary\n");
++ pr_warn("Unsigned PE binary\n");
+ return -ENODATA;
+ }
+
+@@ -127,7 +127,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ unsigned len;
+
+ if (ctx->sig_len < sizeof(wrapper)) {
+- pr_debug("Signature wrapper too short\n");
++ pr_warn("Signature wrapper too short\n");
+ return -ELIBBAD;
+ }
+
+@@ -142,16 +142,16 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ * rounded up since 0.110.
+ */
+ if (wrapper.length > ctx->sig_len) {
+- pr_debug("Signature wrapper bigger than sig len (%x > %x)\n",
+- ctx->sig_len, wrapper.length);
++ pr_warn("Signature wrapper bigger than sig len (%x > %x)\n",
++ ctx->sig_len, wrapper.length);
+ return -ELIBBAD;
+ }
+ if (wrapper.revision != WIN_CERT_REVISION_2_0) {
+- pr_debug("Signature is not revision 2.0\n");
++ pr_warn("Signature is not revision 2.0\n");
+ return -ENOTSUPP;
+ }
+ if (wrapper.cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
+- pr_debug("Signature certificate type is not PKCS\n");
++ pr_warn("Signature certificate type is not PKCS\n");
+ return -ENOTSUPP;
+ }
+
+@@ -164,7 +164,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ ctx->sig_offset += sizeof(wrapper);
+ ctx->sig_len -= sizeof(wrapper);
+ if (ctx->sig_len < 4) {
+- pr_debug("Signature data missing\n");
++ pr_warn("Signature data missing\n");
+ return -EKEYREJECTED;
+ }
+
+@@ -198,7 +198,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ return 0;
+ }
+ not_pkcs7:
+- pr_debug("Signature data not PKCS#7\n");
++ pr_warn("Signature data not PKCS#7\n");
+ return -ELIBBAD;
+ }
+
+@@ -341,8 +341,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
+ digest_size = crypto_shash_digestsize(tfm);
+
+ if (digest_size != ctx->digest_len) {
+- pr_debug("Digest size mismatch (%zx != %x)\n",
+- digest_size, ctx->digest_len);
++ pr_warn("Digest size mismatch (%zx != %x)\n",
++ digest_size, ctx->digest_len);
+ ret = -EBADMSG;
+ goto error_no_desc;
+ }
+@@ -373,7 +373,7 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
+ * PKCS#7 certificate.
+ */
+ if (memcmp(digest, ctx->digest, ctx->digest_len) != 0) {
+- pr_debug("Digest mismatch\n");
++ pr_warn("Digest mismatch\n");
+ ret = -EKEYREJECTED;
+ } else {
+ pr_debug("The digests match!\n");
+--
+2.39.2
+
--- /dev/null
+From beba79eaaabc39d24e3af9a7011df32df1f172dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Mar 2023 22:12:31 +0800
+Subject: block: ublk_drv: mark device as LIVE before adding disk
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 4985e7b2c002eb4c5c794a1d3acd91b82c89a0fd ]
+
+IO can be started before add_disk() returns, such as reading parititon table,
+then the monitor work should work for making forward progress.
+
+So mark device as LIVE before adding disk, meantime change to
+DEAD if add_disk() fails.
+
+Fixed: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver")
+Reviewed-by: Ziyang Zhang <ZiyangZhang@linux.alibaba.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20230318141231.55562-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ublk_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
+index 2ed994a313a91..c0cbc5f3eb266 100644
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -1571,17 +1571,18 @@ static int ublk_ctrl_start_dev(struct io_uring_cmd *cmd)
+ set_bit(GD_SUPPRESS_PART_SCAN, &disk->state);
+
+ get_device(&ub->cdev_dev);
++ ub->dev_info.state = UBLK_S_DEV_LIVE;
+ ret = add_disk(disk);
+ if (ret) {
+ /*
+ * Has to drop the reference since ->free_disk won't be
+ * called in case of add_disk failure.
+ */
++ ub->dev_info.state = UBLK_S_DEV_DEAD;
+ ublk_put_device(ub);
+ goto out_put_disk;
+ }
+ set_bit(UB_STATE_USED, &ub->state);
+- ub->dev_info.state = UBLK_S_DEV_LIVE;
+ out_put_disk:
+ if (ret)
+ put_disk(disk);
+--
+2.39.2
+
--- /dev/null
+From 2ff2f177efe1ae126dc9932df655c6cac0ab39f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Mar 2023 13:18:20 -0700
+Subject: Bluetooth: Fix printing errors if LE Connection times out
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit b62e72200eaad523f08d8319bba50fc652e032a8 ]
+
+This fixes errors like bellow when LE Connection times out since that
+is actually not a controller error:
+
+ Bluetooth: hci0: Opcode 0x200d failed: -110
+ Bluetooth: hci0: request failed to create LE connection: err -110
+
+Instead the code shall properly detect if -ETIMEDOUT is returned and
+send HCI_OP_LE_CREATE_CONN_CANCEL to give up on the connection.
+
+Link: https://github.com/bluez/bluez/issues/340
+Fixes: 8e8b92ee60de ("Bluetooth: hci_sync: Add hci_le_create_conn_sync")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 1 +
+ net/bluetooth/hci_conn.c | 7 +++++--
+ net/bluetooth/hci_event.c | 16 ++++++----------
+ net/bluetooth/hci_sync.c | 13 ++++++++++---
+ 4 files changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 7f585e5dd71b8..061fec6fd0152 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -953,6 +953,7 @@ enum {
+ HCI_CONN_STK_ENCRYPT,
+ HCI_CONN_AUTH_INITIATOR,
+ HCI_CONN_DROP,
++ HCI_CONN_CANCEL,
+ HCI_CONN_PARAM_REMOVAL_PEND,
+ HCI_CONN_NEW_LINK_KEY,
+ HCI_CONN_SCANNING,
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 1b80d94d639cc..c2c6dea01cc91 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1247,6 +1247,8 @@ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
+ {
+ struct hci_conn *conn = data;
+
++ bt_dev_dbg(hdev, "err %d", err);
++
+ hci_dev_lock(hdev);
+
+ if (!err) {
+@@ -1254,8 +1256,6 @@ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
+ goto done;
+ }
+
+- bt_dev_err(hdev, "request failed to create LE connection: err %d", err);
+-
+ /* Check if connection is still pending */
+ if (conn != hci_lookup_le_connect(hdev))
+ goto done;
+@@ -2796,6 +2796,9 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason)
+ {
+ int r = 0;
+
++ if (test_and_set_bit(HCI_CONN_CANCEL, &conn->flags))
++ return 0;
++
+ switch (conn->state) {
+ case BT_CONNECTED:
+ case BT_CONFIG:
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 0e2425eb6aa79..78c505f528a47 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2876,16 +2876,6 @@ static void cs_le_create_conn(struct hci_dev *hdev, bdaddr_t *peer_addr,
+
+ conn->resp_addr_type = peer_addr_type;
+ bacpy(&conn->resp_addr, peer_addr);
+-
+- /* We don't want the connection attempt to stick around
+- * indefinitely since LE doesn't have a page timeout concept
+- * like BR/EDR. Set a timer for any connection that doesn't use
+- * the accept list for connecting.
+- */
+- if (filter_policy == HCI_LE_USE_PEER_ADDR)
+- queue_delayed_work(conn->hdev->workqueue,
+- &conn->le_conn_timeout,
+- conn->conn_timeout);
+ }
+
+ static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
+@@ -5892,6 +5882,12 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
+ if (status)
+ goto unlock;
+
++ /* Drop the connection if it has been aborted */
++ if (test_bit(HCI_CONN_CANCEL, &conn->flags)) {
++ hci_conn_drop(conn);
++ goto unlock;
++ }
++
+ if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
+ addr_type = BDADDR_LE_PUBLIC;
+ else
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index f614f96c5c23d..9361fb3685cc7 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -246,8 +246,9 @@ int __hci_cmd_sync_status_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
+
+ skb = __hci_cmd_sync_sk(hdev, opcode, plen, param, event, timeout, sk);
+ if (IS_ERR(skb)) {
+- bt_dev_err(hdev, "Opcode 0x%4x failed: %ld", opcode,
+- PTR_ERR(skb));
++ if (!event)
++ bt_dev_err(hdev, "Opcode 0x%4x failed: %ld", opcode,
++ PTR_ERR(skb));
+ return PTR_ERR(skb);
+ }
+
+@@ -5108,8 +5109,11 @@ static int hci_le_connect_cancel_sync(struct hci_dev *hdev,
+ if (test_bit(HCI_CONN_SCANNING, &conn->flags))
+ return 0;
+
++ if (test_and_set_bit(HCI_CONN_CANCEL, &conn->flags))
++ return 0;
++
+ return __hci_cmd_sync_status(hdev, HCI_OP_LE_CREATE_CONN_CANCEL,
+- 6, &conn->dst, HCI_CMD_TIMEOUT);
++ 0, NULL, HCI_CMD_TIMEOUT);
+ }
+
+ static int hci_connect_cancel_sync(struct hci_dev *hdev, struct hci_conn *conn)
+@@ -6084,6 +6088,9 @@ int hci_le_create_conn_sync(struct hci_dev *hdev, struct hci_conn *conn)
+ conn->conn_timeout, NULL);
+
+ done:
++ if (err == -ETIMEDOUT)
++ hci_le_connect_cancel_sync(hdev, conn);
++
+ /* Re-enable advertising after the connection attempt is finished. */
+ hci_resume_advertising_sync(hdev);
+ return err;
+--
+2.39.2
+
--- /dev/null
+From 8b2197fc8eb5bfaf0fe3553c1ad4da9656c5fc0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Mar 2023 10:57:55 -0700
+Subject: Bluetooth: hci_conn: Fix not cleaning up on LE Connection failure
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 19cf60bf63cbaf5262eac400c707966e19999b83 ]
+
+hci_connect_le_scan_cleanup shall always be invoked to cleanup the
+states and re-enable passive scanning if necessary, otherwise it may
+cause the pending action to stay active causing multiple attempts to
+connect.
+
+Fixes: 9b3628d79b46 ("Bluetooth: hci_sync: Cleanup hci_conn if it cannot be aborted")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_conn.c | 52 +++++++++++++++++++---------------------
+ 1 file changed, 24 insertions(+), 28 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 6265614c748f8..1b80d94d639cc 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -68,7 +68,7 @@ static const struct sco_param esco_param_msbc[] = {
+ };
+
+ /* This function requires the caller holds hdev->lock */
+-static void hci_connect_le_scan_cleanup(struct hci_conn *conn)
++static void hci_connect_le_scan_cleanup(struct hci_conn *conn, u8 status)
+ {
+ struct hci_conn_params *params;
+ struct hci_dev *hdev = conn->hdev;
+@@ -88,9 +88,28 @@ static void hci_connect_le_scan_cleanup(struct hci_conn *conn)
+
+ params = hci_pend_le_action_lookup(&hdev->pend_le_conns, bdaddr,
+ bdaddr_type);
+- if (!params || !params->explicit_connect)
++ if (!params)
+ return;
+
++ if (params->conn) {
++ hci_conn_drop(params->conn);
++ hci_conn_put(params->conn);
++ params->conn = NULL;
++ }
++
++ if (!params->explicit_connect)
++ return;
++
++ /* If the status indicates successful cancellation of
++ * the attempt (i.e. Unknown Connection Id) there's no point of
++ * notifying failure since we'll go back to keep trying to
++ * connect. The only exception is explicit connect requests
++ * where a timeout + cancel does indicate an actual failure.
++ */
++ if (status && status != HCI_ERROR_UNKNOWN_CONN_ID)
++ mgmt_connect_failed(hdev, &conn->dst, conn->type,
++ conn->dst_type, status);
++
+ /* The connection attempt was doing scan for new RPA, and is
+ * in scan phase. If params are not associated with any other
+ * autoconnect action, remove them completely. If they are, just unmark
+@@ -178,7 +197,7 @@ static void le_scan_cleanup(struct work_struct *work)
+ rcu_read_unlock();
+
+ if (c == conn) {
+- hci_connect_le_scan_cleanup(conn);
++ hci_connect_le_scan_cleanup(conn, 0x00);
+ hci_conn_cleanup(conn);
+ }
+
+@@ -1193,31 +1212,8 @@ EXPORT_SYMBOL(hci_get_route);
+ static void hci_le_conn_failed(struct hci_conn *conn, u8 status)
+ {
+ struct hci_dev *hdev = conn->hdev;
+- struct hci_conn_params *params;
+
+- params = hci_pend_le_action_lookup(&hdev->pend_le_conns, &conn->dst,
+- conn->dst_type);
+- if (params && params->conn) {
+- hci_conn_drop(params->conn);
+- hci_conn_put(params->conn);
+- params->conn = NULL;
+- }
+-
+- /* If the status indicates successful cancellation of
+- * the attempt (i.e. Unknown Connection Id) there's no point of
+- * notifying failure since we'll go back to keep trying to
+- * connect. The only exception is explicit connect requests
+- * where a timeout + cancel does indicate an actual failure.
+- */
+- if (status != HCI_ERROR_UNKNOWN_CONN_ID ||
+- (params && params->explicit_connect))
+- mgmt_connect_failed(hdev, &conn->dst, conn->type,
+- conn->dst_type, status);
+-
+- /* Since we may have temporarily stopped the background scanning in
+- * favor of connection establishment, we should restart it.
+- */
+- hci_update_passive_scan(hdev);
++ hci_connect_le_scan_cleanup(conn, status);
+
+ /* Enable advertising in case this was a failed connection
+ * attempt as a peripheral.
+@@ -1254,7 +1250,7 @@ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
+ hci_dev_lock(hdev);
+
+ if (!err) {
+- hci_connect_le_scan_cleanup(conn);
++ hci_connect_le_scan_cleanup(conn, 0x00);
+ goto done;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 677bab479b184756bac641488fcec3ff87a40ccc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Mar 2023 14:45:03 -0700
+Subject: Bluetooth: SCO: Fix possible circular locking dependency
+ sco_sock_getsockopt
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 975abc0c90fc485ff9b4a6afa475c3b1398d5d47 ]
+
+This attempts to fix the following trace:
+
+======================================================
+WARNING: possible circular locking dependency detected
+6.3.0-rc2-g68fcb3a7bf97 #4706 Not tainted
+------------------------------------------------------
+sco-tester/31 is trying to acquire lock:
+ffff8880025b8070 (&hdev->lock){+.+.}-{3:3}, at:
+sco_sock_getsockopt+0x1fc/0xa90
+
+but task is already holding lock:
+ffff888001eeb130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at:
+sco_sock_getsockopt+0x104/0xa90
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #2 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
+ lock_sock_nested+0x32/0x80
+ sco_connect_cfm+0x118/0x4a0
+ hci_sync_conn_complete_evt+0x1e6/0x3d0
+ hci_event_packet+0x55c/0x7c0
+ hci_rx_work+0x34c/0xa00
+ process_one_work+0x575/0x910
+ worker_thread+0x89/0x6f0
+ kthread+0x14e/0x180
+ ret_from_fork+0x2b/0x50
+
+-> #1 (hci_cb_list_lock){+.+.}-{3:3}:
+ __mutex_lock+0x13b/0xcc0
+ hci_sync_conn_complete_evt+0x1ad/0x3d0
+ hci_event_packet+0x55c/0x7c0
+ hci_rx_work+0x34c/0xa00
+ process_one_work+0x575/0x910
+ worker_thread+0x89/0x6f0
+ kthread+0x14e/0x180
+ ret_from_fork+0x2b/0x50
+
+-> #0 (&hdev->lock){+.+.}-{3:3}:
+ __lock_acquire+0x18cc/0x3740
+ lock_acquire+0x151/0x3a0
+ __mutex_lock+0x13b/0xcc0
+ sco_sock_getsockopt+0x1fc/0xa90
+ __sys_getsockopt+0xe9/0x190
+ __x64_sys_getsockopt+0x5b/0x70
+ do_syscall_64+0x42/0x90
+ entry_SYSCALL_64_after_hwframe+0x70/0xda
+
+other info that might help us debug this:
+
+Chain exists of:
+ &hdev->lock --> hci_cb_list_lock --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
+ lock(hci_cb_list_lock);
+ lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
+ lock(&hdev->lock);
+
+ *** DEADLOCK ***
+
+1 lock held by sco-tester/31:
+ #0: ffff888001eeb130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0},
+ at: sco_sock_getsockopt+0x104/0xa90
+
+Fixes: 248733e87d50 ("Bluetooth: Allow querying of supported offload codecs over SCO socket")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/sco.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 1111da4e2f2bd..1755f91a66f6a 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -1129,6 +1129,8 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
+ break;
+ }
+
++ release_sock(sk);
++
+ /* find total buffer size required to copy codec + caps */
+ hci_dev_lock(hdev);
+ list_for_each_entry(c, &hdev->local_codecs, list) {
+@@ -1146,15 +1148,13 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
+ buf_len += sizeof(struct bt_codecs);
+ if (buf_len > len) {
+ hci_dev_put(hdev);
+- err = -ENOBUFS;
+- break;
++ return -ENOBUFS;
+ }
+ ptr = optval;
+
+ if (put_user(num_codecs, ptr)) {
+ hci_dev_put(hdev);
+- err = -EFAULT;
+- break;
++ return -EFAULT;
+ }
+ ptr += sizeof(num_codecs);
+
+@@ -1194,12 +1194,14 @@ static int sco_sock_getsockopt(struct socket *sock, int level, int optname,
+ ptr += len;
+ }
+
+- if (!err && put_user(buf_len, optlen))
+- err = -EFAULT;
+-
+ hci_dev_unlock(hdev);
+ hci_dev_put(hdev);
+
++ lock_sock(sk);
++
++ if (!err && put_user(buf_len, optlen))
++ err = -EFAULT;
++
+ break;
+
+ default:
+--
+2.39.2
+
--- /dev/null
+From 6e6661c41c5036101106385086c91c05bf7a3caf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Apr 2023 14:19:18 +0300
+Subject: Bluetooth: Set ISO Data Path on broadcast sink
+
+From: Claudia Draghicescu <claudia.rosu@nxp.com>
+
+[ Upstream commit d2e4f1b1cba8742db66aaf77374cab7c0c7c8656 ]
+
+This patch enables ISO data rx on broadcast sink.
+
+Fixes: eca0ae4aea66 ("Bluetooth: Add initial implementation of BIS connections")
+Signed-off-by: Claudia Draghicescu <claudia.rosu@nxp.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 78c505f528a47..42a3a19b111e3 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -6981,7 +6981,7 @@ static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
+ bis->iso_qos.in.latency = le16_to_cpu(ev->interval) * 125 / 100;
+ bis->iso_qos.in.sdu = le16_to_cpu(ev->max_pdu);
+
+- hci_connect_cfm(bis, ev->status);
++ hci_iso_setup_path(bis);
+ }
+
+ hci_dev_unlock(hdev);
+--
+2.39.2
+
--- /dev/null
+From 410523c96de5ce5099da81323510e80c6948f7dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Apr 2023 16:23:50 +0800
+Subject: bonding: fix ns validation on backup slaves
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 4598380f9c548aa161eb4e990a1583f0a7d1e0d7 ]
+
+When arp_validate is set to 2, 3, or 6, validation is performed for
+backup slaves as well. As stated in the bond documentation, validation
+involves checking the broadcast ARP request sent out via the active
+slave. This helps determine which slaves are more likely to function in
+the event of an active slave failure.
+
+However, when the target is an IPv6 address, the NS message sent from
+the active interface is not checked on backup slaves. Additionally,
+based on the bond_arp_rcv() rule b, we must reverse the saddr and daddr
+when checking the NS message.
+
+Note that when checking the NS message, the destination address is a
+multicast address. Therefore, we must convert the target address to
+solicited multicast in the bond_get_targets_ip6() function.
+
+Prior to the fix, the backup slaves had a mii status of "down", but
+after the fix, all of the slaves' mii status was updated to "UP".
+
+Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets")
+Reviewed-by: Jonathan Toppins <jtoppins@redhat.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 5 +++--
+ include/net/bonding.h | 8 ++++++--
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 45d3cb557de73..9f6824a6537bc 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3266,7 +3266,8 @@ static int bond_na_rcv(const struct sk_buff *skb, struct bonding *bond,
+
+ combined = skb_header_pointer(skb, 0, sizeof(_combined), &_combined);
+ if (!combined || combined->ip6.nexthdr != NEXTHDR_ICMP ||
+- combined->icmp6.icmp6_type != NDISC_NEIGHBOUR_ADVERTISEMENT)
++ (combined->icmp6.icmp6_type != NDISC_NEIGHBOUR_SOLICITATION &&
++ combined->icmp6.icmp6_type != NDISC_NEIGHBOUR_ADVERTISEMENT))
+ goto out;
+
+ saddr = &combined->ip6.saddr;
+@@ -3288,7 +3289,7 @@ static int bond_na_rcv(const struct sk_buff *skb, struct bonding *bond,
+ else if (curr_active_slave &&
+ time_after(slave_last_rx(bond, curr_active_slave),
+ curr_active_slave->last_link_up))
+- bond_validate_na(bond, slave, saddr, daddr);
++ bond_validate_na(bond, slave, daddr, saddr);
+ else if (curr_arp_slave &&
+ bond_time_in_interval(bond, slave_last_tx(curr_arp_slave), 1))
+ bond_validate_na(bond, slave, saddr, daddr);
+diff --git a/include/net/bonding.h b/include/net/bonding.h
+index e999f851738bd..768348008d0c9 100644
+--- a/include/net/bonding.h
++++ b/include/net/bonding.h
+@@ -765,13 +765,17 @@ static inline int bond_get_targets_ip(__be32 *targets, __be32 ip)
+ #if IS_ENABLED(CONFIG_IPV6)
+ static inline int bond_get_targets_ip6(struct in6_addr *targets, struct in6_addr *ip)
+ {
++ struct in6_addr mcaddr;
+ int i;
+
+- for (i = 0; i < BOND_MAX_NS_TARGETS; i++)
+- if (ipv6_addr_equal(&targets[i], ip))
++ for (i = 0; i < BOND_MAX_NS_TARGETS; i++) {
++ addrconf_addr_solict_mult(&targets[i], &mcaddr);
++ if ((ipv6_addr_equal(&targets[i], ip)) ||
++ (ipv6_addr_equal(&mcaddr, ip)))
+ return i;
+ else if (ipv6_addr_any(&targets[i]))
+ break;
++ }
+
+ return -1;
+ }
+--
+2.39.2
+
--- /dev/null
+From 73500e24b1487db0b8e3407674e883b35f6d8504 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Apr 2023 19:41:44 -0400
+Subject: bpf, arm64: Fixed a BTI error on returning to patched function
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+[ Upstream commit 738a96c4a8c36950803fdd27e7c30aca92dccefd ]
+
+When BPF_TRAMP_F_CALL_ORIG is set, BPF trampoline uses BLR to jump
+back to the instruction next to call site to call the patched function.
+For BTI-enabled kernel, the instruction next to call site is usually
+PACIASP, in this case, it's safe to jump back with BLR. But when
+the call site is not followed by a PACIASP or bti, a BTI exception
+is triggered.
+
+Here is a fault log:
+
+ Unhandled 64-bit el1h sync exception on CPU0, ESR 0x0000000034000002 -- BTI
+ CPU: 0 PID: 263 Comm: test_progs Tainted: GF
+ Hardware name: linux,dummy-virt (DT)
+ pstate: 40400805 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=-c)
+ pc : bpf_fentry_test1+0xc/0x30
+ lr : bpf_trampoline_6442573892_0+0x48/0x1000
+ sp : ffff80000c0c3a50
+ x29: ffff80000c0c3a90 x28: ffff0000c2e6c080 x27: 0000000000000000
+ x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000050
+ x23: 0000000000000000 x22: 0000ffffcfd2a7f0 x21: 000000000000000a
+ x20: 0000ffffcfd2a7f0 x19: 0000000000000000 x18: 0000000000000000
+ x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffcfd2a7f0
+ x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
+ x11: 0000000000000000 x10: ffff80000914f5e4 x9 : ffff8000082a1528
+ x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0101010101010101
+ x5 : 0000000000000000 x4 : 00000000fffffff2 x3 : 0000000000000001
+ x2 : ffff8001f4b82000 x1 : 0000000000000000 x0 : 0000000000000001
+ Kernel panic - not syncing: Unhandled exception
+ CPU: 0 PID: 263 Comm: test_progs Tainted: GF
+ Hardware name: linux,dummy-virt (DT)
+ Call trace:
+ dump_backtrace+0xec/0x144
+ show_stack+0x24/0x7c
+ dump_stack_lvl+0x8c/0xb8
+ dump_stack+0x18/0x34
+ panic+0x1cc/0x3ec
+ __el0_error_handler_common+0x0/0x130
+ el1h_64_sync_handler+0x60/0xd0
+ el1h_64_sync+0x78/0x7c
+ bpf_fentry_test1+0xc/0x30
+ bpf_fentry_test1+0xc/0x30
+ bpf_prog_test_run_tracing+0xdc/0x2a0
+ __sys_bpf+0x438/0x22a0
+ __arm64_sys_bpf+0x30/0x54
+ invoke_syscall+0x78/0x110
+ el0_svc_common.constprop.0+0x6c/0x1d0
+ do_el0_svc+0x38/0xe0
+ el0_svc+0x30/0xd0
+ el0t_64_sync_handler+0x1ac/0x1b0
+ el0t_64_sync+0x1a0/0x1a4
+ Kernel Offset: disabled
+ CPU features: 0x0000,00034c24,f994fdab
+ Memory Limit: none
+
+And the instruction next to call site of bpf_fentry_test1 is ADD,
+not PACIASP:
+
+<bpf_fentry_test1>:
+ bti c
+ nop
+ nop
+ add w0, w0, #0x1
+ paciasp
+
+For BPF prog, JIT always puts a PACIASP after call site for BTI-enabled
+kernel, so there is no problem. To fix it, replace BLR with RET to bypass
+the branch target check.
+
+Fixes: efc9909fdce0 ("bpf, arm64: Add bpf trampoline for arm64")
+Reported-by: Florent Revest <revest@chromium.org>
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Florent Revest <revest@chromium.org>
+Acked-by: Florent Revest <revest@chromium.org>
+Link: https://lore.kernel.org/bpf/20230401234144.3719742-1-xukuohai@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/net/bpf_jit.h | 4 ++++
+ arch/arm64/net/bpf_jit_comp.c | 3 ++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/net/bpf_jit.h b/arch/arm64/net/bpf_jit.h
+index a6acb94ea3d63..c2edadb8ec6a3 100644
+--- a/arch/arm64/net/bpf_jit.h
++++ b/arch/arm64/net/bpf_jit.h
+@@ -281,4 +281,8 @@
+ /* DMB */
+ #define A64_DMB_ISH aarch64_insn_gen_dmb(AARCH64_INSN_MB_ISH)
+
++/* ADR */
++#define A64_ADR(Rd, offset) \
++ aarch64_insn_gen_adr(0, offset, Rd, AARCH64_INSN_ADR_TYPE_ADR)
++
+ #endif /* _BPF_JIT_H */
+diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
+index 30f76178608b3..8f16217c111c8 100644
+--- a/arch/arm64/net/bpf_jit_comp.c
++++ b/arch/arm64/net/bpf_jit_comp.c
+@@ -1905,7 +1905,8 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
+ restore_args(ctx, args_off, nargs);
+ /* call original func */
+ emit(A64_LDR64I(A64_R(10), A64_SP, retaddr_off), ctx);
+- emit(A64_BLR(A64_R(10)), ctx);
++ emit(A64_ADR(A64_LR, AARCH64_INSN_SIZE * 2), ctx);
++ emit(A64_RET(A64_R(10)), ctx);
+ /* store return value */
+ emit(A64_STR64I(A64_R(0), A64_SP, retval_off), ctx);
+ /* reserve a nop for bpf_tramp_image_put */
+--
+2.39.2
+
--- /dev/null
+From 8697f1c6fb58a9177b7b164bbab9d2186bd3c29a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Mar 2023 17:42:32 -0700
+Subject: bpf: tcp: Use sock_gen_put instead of sock_put in bpf_iter_tcp
+
+From: Martin KaFai Lau <martin.lau@kernel.org>
+
+[ Upstream commit 580031ff9952b7dbf48dedba6b56a100ae002bef ]
+
+While reviewing the udp-iter batching patches, noticed the bpf_iter_tcp
+calling sock_put() is incorrect. It should call sock_gen_put instead
+because bpf_iter_tcp is iterating the ehash table which has the req sk
+and tw sk. This patch replaces all sock_put with sock_gen_put in the
+bpf_iter_tcp codepath.
+
+Fixes: 04c7820b776f ("bpf: tcp: Bpf iter batching and lock_sock")
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20230328004232.2134233-1-martin.lau@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_ipv4.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index da46357f501b3..ad0a5f185a694 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -2728,7 +2728,7 @@ static int tcp_prog_seq_show(struct bpf_prog *prog, struct bpf_iter_meta *meta,
+ static void bpf_iter_tcp_put_batch(struct bpf_tcp_iter_state *iter)
+ {
+ while (iter->cur_sk < iter->end_sk)
+- sock_put(iter->batch[iter->cur_sk++]);
++ sock_gen_put(iter->batch[iter->cur_sk++]);
+ }
+
+ static int bpf_iter_tcp_realloc_batch(struct bpf_tcp_iter_state *iter,
+@@ -2889,7 +2889,7 @@ static void *bpf_iter_tcp_seq_next(struct seq_file *seq, void *v, loff_t *pos)
+ * st->bucket. See tcp_seek_last_pos().
+ */
+ st->offset++;
+- sock_put(iter->batch[iter->cur_sk++]);
++ sock_gen_put(iter->batch[iter->cur_sk++]);
+ }
+
+ if (iter->cur_sk < iter->end_sk)
+--
+2.39.2
+
--- /dev/null
+From b8ec84bade3d7ccb22df60a787d73ad1af1bf2e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Apr 2023 22:15:32 +0900
+Subject: cgroup,freezer: hold cpu_hotplug_lock before freezer_mutex
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 57dcd64c7e036299ef526b400a8d12b8a2352f26 ]
+
+syzbot is reporting circular locking dependency between cpu_hotplug_lock
+and freezer_mutex, for commit f5d39b020809 ("freezer,sched: Rewrite core
+freezer logic") replaced atomic_inc() in freezer_apply_state() with
+static_branch_inc() which holds cpu_hotplug_lock.
+
+cpu_hotplug_lock => cgroup_threadgroup_rwsem => freezer_mutex
+
+ cgroup_file_write() {
+ cgroup_procs_write() {
+ __cgroup_procs_write() {
+ cgroup_procs_write_start() {
+ cgroup_attach_lock() {
+ cpus_read_lock() {
+ percpu_down_read(&cpu_hotplug_lock);
+ }
+ percpu_down_write(&cgroup_threadgroup_rwsem);
+ }
+ }
+ cgroup_attach_task() {
+ cgroup_migrate() {
+ cgroup_migrate_execute() {
+ freezer_attach() {
+ mutex_lock(&freezer_mutex);
+ (...snipped...)
+ }
+ }
+ }
+ }
+ (...snipped...)
+ }
+ }
+ }
+
+freezer_mutex => cpu_hotplug_lock
+
+ cgroup_file_write() {
+ freezer_write() {
+ freezer_change_state() {
+ mutex_lock(&freezer_mutex);
+ freezer_apply_state() {
+ static_branch_inc(&freezer_active) {
+ static_key_slow_inc() {
+ cpus_read_lock();
+ static_key_slow_inc_cpuslocked();
+ cpus_read_unlock();
+ }
+ }
+ }
+ mutex_unlock(&freezer_mutex);
+ }
+ }
+ }
+
+Swap locking order by moving cpus_read_lock() in freezer_apply_state()
+to before mutex_lock(&freezer_mutex) in freezer_change_state().
+
+Reported-by: syzbot <syzbot+c39682e86c9d84152f93@syzkaller.appspotmail.com>
+Link: https://syzkaller.appspot.com/bug?extid=c39682e86c9d84152f93
+Suggested-by: Hillf Danton <hdanton@sina.com>
+Fixes: f5d39b020809 ("freezer,sched: Rewrite core freezer logic")
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Mukesh Ojha <quic_mojha@quicinc.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/legacy_freezer.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/cgroup/legacy_freezer.c b/kernel/cgroup/legacy_freezer.c
+index 1b6b21851e9d4..936473203a6b5 100644
+--- a/kernel/cgroup/legacy_freezer.c
++++ b/kernel/cgroup/legacy_freezer.c
+@@ -22,6 +22,7 @@
+ #include <linux/freezer.h>
+ #include <linux/seq_file.h>
+ #include <linux/mutex.h>
++#include <linux/cpu.h>
+
+ /*
+ * A cgroup is freezing if any FREEZING flags are set. FREEZING_SELF is
+@@ -350,7 +351,7 @@ static void freezer_apply_state(struct freezer *freezer, bool freeze,
+
+ if (freeze) {
+ if (!(freezer->state & CGROUP_FREEZING))
+- static_branch_inc(&freezer_active);
++ static_branch_inc_cpuslocked(&freezer_active);
+ freezer->state |= state;
+ freeze_cgroup(freezer);
+ } else {
+@@ -361,7 +362,7 @@ static void freezer_apply_state(struct freezer *freezer, bool freeze,
+ if (!(freezer->state & CGROUP_FREEZING)) {
+ freezer->state &= ~CGROUP_FROZEN;
+ if (was_freezing)
+- static_branch_dec(&freezer_active);
++ static_branch_dec_cpuslocked(&freezer_active);
+ unfreeze_cgroup(freezer);
+ }
+ }
+@@ -379,6 +380,7 @@ static void freezer_change_state(struct freezer *freezer, bool freeze)
+ {
+ struct cgroup_subsys_state *pos;
+
++ cpus_read_lock();
+ /*
+ * Update all its descendants in pre-order traversal. Each
+ * descendant will try to inherit its parent's FREEZING state as
+@@ -407,6 +409,7 @@ static void freezer_change_state(struct freezer *freezer, bool freeze)
+ }
+ rcu_read_unlock();
+ mutex_unlock(&freezer_mutex);
++ cpus_read_unlock();
+ }
+
+ static ssize_t freezer_write(struct kernfs_open_file *of,
+--
+2.39.2
+
--- /dev/null
+From ed8c994ccdcc7b380e34ee12a74c4eebdb6fde46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Mar 2023 08:49:40 +0100
+Subject: clk: rs9: Fix suspend/resume
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit 632e04739c8f45c2d9ca4d4c5bd18d80c2ac9296 ]
+
+Disabling the cache in commit 2ff4ba9e3702 ("clk: rs9: Fix I2C accessors")
+without removing cache synchronization in resume path results in a
+kernel panic as map->cache_ops is unset, due to REGCACHE_NONE.
+Enable flat cache again to support resume again. num_reg_defaults_raw
+is necessary to read the cache defaults from hardware. Some registers
+are strapped in hardware and cannot be provided in software.
+
+Fixes: 2ff4ba9e3702 ("clk: rs9: Fix I2C accessors")
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Link: https://lore.kernel.org/r/20230310074940.3475703-1-alexander.stein@ew.tq-group.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-renesas-pcie.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/clk-renesas-pcie.c b/drivers/clk/clk-renesas-pcie.c
+index e6247141d0c05..3e98a16eba6bb 100644
+--- a/drivers/clk/clk-renesas-pcie.c
++++ b/drivers/clk/clk-renesas-pcie.c
+@@ -144,8 +144,9 @@ static int rs9_regmap_i2c_read(void *context,
+ static const struct regmap_config rs9_regmap_config = {
+ .reg_bits = 8,
+ .val_bits = 8,
+- .cache_type = REGCACHE_NONE,
++ .cache_type = REGCACHE_FLAT,
+ .max_register = RS9_REG_BCP,
++ .num_reg_defaults_raw = 0x8,
+ .rd_table = &rs9_readable_table,
+ .wr_table = &rs9_writeable_table,
+ .reg_write = rs9_regmap_i2c_write,
+--
+2.39.2
+
--- /dev/null
+From 3b3b4e16572d8b75507ba5d0b1101b58ed2c48a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 10:36:24 +0800
+Subject: clk: sprd: set max_register according to mapping range
+
+From: Chunyan Zhang <chunyan.zhang@unisoc.com>
+
+[ Upstream commit 47d43086531f10539470a63e8ad92803e686a3dd ]
+
+In sprd clock driver, regmap_config.max_register was set to a fixed value
+which is likely larger than the address range configured in device tree,
+when reading registers through debugfs it would cause access violation.
+
+Fixes: d41f59fd92f2 ("clk: sprd: Add common infrastructure")
+Signed-off-by: Chunyan Zhang <chunyan.zhang@unisoc.com>
+Link: https://lore.kernel.org/r/20230316023624.758204-1-chunyan.zhang@unisoc.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sprd/common.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/sprd/common.c b/drivers/clk/sprd/common.c
+index ce81e4087a8fc..2bfbab8db94bf 100644
+--- a/drivers/clk/sprd/common.c
++++ b/drivers/clk/sprd/common.c
+@@ -17,7 +17,6 @@ static const struct regmap_config sprdclk_regmap_config = {
+ .reg_bits = 32,
+ .reg_stride = 4,
+ .val_bits = 32,
+- .max_register = 0xffff,
+ .fast_io = true,
+ };
+
+@@ -43,6 +42,8 @@ int sprd_clk_regmap_init(struct platform_device *pdev,
+ struct device *dev = &pdev->dev;
+ struct device_node *node = dev->of_node, *np;
+ struct regmap *regmap;
++ struct resource *res;
++ struct regmap_config reg_config = sprdclk_regmap_config;
+
+ if (of_find_property(node, "sprd,syscon", NULL)) {
+ regmap = syscon_regmap_lookup_by_phandle(node, "sprd,syscon");
+@@ -59,12 +60,14 @@ int sprd_clk_regmap_init(struct platform_device *pdev,
+ return PTR_ERR(regmap);
+ }
+ } else {
+- base = devm_platform_ioremap_resource(pdev, 0);
++ base = devm_platform_get_and_ioremap_resource(pdev, 0, &res);
+ if (IS_ERR(base))
+ return PTR_ERR(base);
+
++ reg_config.max_register = resource_size(res) - reg_config.reg_stride;
++
+ regmap = devm_regmap_init_mmio(&pdev->dev, base,
+- &sprdclk_regmap_config);
++ ®_config);
+ if (IS_ERR(regmap)) {
+ pr_err("failed to init regmap\n");
+ return PTR_ERR(regmap);
+--
+2.39.2
+
--- /dev/null
+From 76b0f847a74d104bd35427d19c04b380f54e4278 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Feb 2023 16:22:21 +0100
+Subject: dmaengine: apple-admac: Fix 'current_tx' not getting freed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Povišer <povik+lin@cutebit.org>
+
+[ Upstream commit d9503be5a100c553731c0e8a82c7b4201e8a970c ]
+
+In terminate_all we should queue up all submitted descriptors to be
+freed. We do that for the content of the 'issued' and 'submitted' lists,
+but the 'current_tx' descriptor falls through the cracks as it's
+removed from the 'issued' list once it gets assigned to be the current
+descriptor. Explicitly queue up freeing of the 'current_tx' descriptor
+to address a memory leak that is otherwise present.
+
+Fixes: b127315d9a78 ("dmaengine: apple-admac: Add Apple ADMAC driver")
+Signed-off-by: Martin Povišer <povik+lin@cutebit.org>
+Link: https://lore.kernel.org/r/20230224152222.26732-2-povik+lin@cutebit.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/apple-admac.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/apple-admac.c b/drivers/dma/apple-admac.c
+index b9132b495d181..4cf8da77bdd91 100644
+--- a/drivers/dma/apple-admac.c
++++ b/drivers/dma/apple-admac.c
+@@ -512,7 +512,10 @@ static int admac_terminate_all(struct dma_chan *chan)
+ admac_stop_chan(adchan);
+ admac_reset_rings(adchan);
+
+- adchan->current_tx = NULL;
++ if (adchan->current_tx) {
++ list_add_tail(&adchan->current_tx->node, &adchan->to_free);
++ adchan->current_tx = NULL;
++ }
+ /*
+ * Descriptors can only be freed after the tasklet
+ * has been killed (in admac_synchronize).
+--
+2.39.2
+
--- /dev/null
+From 4a48a731efe345a1cb470dc0e0a70b45dae5c314 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Feb 2023 16:22:20 +0100
+Subject: dmaengine: apple-admac: Handle 'global' interrupt flags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Povišer <povik+lin@cutebit.org>
+
+[ Upstream commit a288fd158fbf85c06a9ac01cecabf97ac5d962e7 ]
+
+In addition to TX channel and RX channel interrupt flags there's
+another class of 'global' interrupt flags with unknown semantics. Those
+weren't being handled up to now, and they are the suspected cause of
+stuck IRQ states that have been sporadically occurring. Check the global
+flags and clear them if raised.
+
+Fixes: b127315d9a78 ("dmaengine: apple-admac: Add Apple ADMAC driver")
+Signed-off-by: Martin Povišer <povik+lin@cutebit.org>
+Link: https://lore.kernel.org/r/20230224152222.26732-1-povik+lin@cutebit.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/apple-admac.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/apple-admac.c b/drivers/dma/apple-admac.c
+index 90f28bda29c8b..00cbfafe0ed9d 100644
+--- a/drivers/dma/apple-admac.c
++++ b/drivers/dma/apple-admac.c
+@@ -75,6 +75,7 @@
+
+ #define REG_TX_INTSTATE(idx) (0x0030 + (idx) * 4)
+ #define REG_RX_INTSTATE(idx) (0x0040 + (idx) * 4)
++#define REG_GLOBAL_INTSTATE(idx) (0x0050 + (idx) * 4)
+ #define REG_CHAN_INTSTATUS(ch, idx) (0x8010 + (ch) * 0x200 + (idx) * 4)
+ #define REG_CHAN_INTMASK(ch, idx) (0x8020 + (ch) * 0x200 + (idx) * 4)
+
+@@ -672,13 +673,14 @@ static void admac_handle_chan_int(struct admac_data *ad, int no)
+ static irqreturn_t admac_interrupt(int irq, void *devid)
+ {
+ struct admac_data *ad = devid;
+- u32 rx_intstate, tx_intstate;
++ u32 rx_intstate, tx_intstate, global_intstate;
+ int i;
+
+ rx_intstate = readl_relaxed(ad->base + REG_RX_INTSTATE(ad->irq_index));
+ tx_intstate = readl_relaxed(ad->base + REG_TX_INTSTATE(ad->irq_index));
++ global_intstate = readl_relaxed(ad->base + REG_GLOBAL_INTSTATE(ad->irq_index));
+
+- if (!tx_intstate && !rx_intstate)
++ if (!tx_intstate && !rx_intstate && !global_intstate)
+ return IRQ_NONE;
+
+ for (i = 0; i < ad->nchannels; i += 2) {
+@@ -693,6 +695,12 @@ static irqreturn_t admac_interrupt(int irq, void *devid)
+ rx_intstate >>= 1;
+ }
+
++ if (global_intstate) {
++ dev_warn(ad->dev, "clearing unknown global interrupt flag: %x\n",
++ global_intstate);
++ writel_relaxed(~(u32) 0, ad->base + REG_GLOBAL_INTSTATE(ad->irq_index));
++ }
++
+ return IRQ_HANDLED;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From ee86eee1bd4cd351f0c6fa074def48b3531db9d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Feb 2023 16:22:22 +0100
+Subject: dmaengine: apple-admac: Set src_addr_widths capability
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Povišer <povik+lin@cutebit.org>
+
+[ Upstream commit 6e96adcaa7a29827ac8ee8df290a44957a4823ec ]
+
+Add missing setting of 'src_addr_widths', which is the same as for the
+other direction.
+
+Fixes: b127315d9a78 ("dmaengine: apple-admac: Add Apple ADMAC driver")
+Signed-off-by: Martin Povišer <povik+lin@cutebit.org>
+Link: https://lore.kernel.org/r/20230224152222.26732-3-povik+lin@cutebit.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/apple-admac.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/dma/apple-admac.c b/drivers/dma/apple-admac.c
+index 00cbfafe0ed9d..b9132b495d181 100644
+--- a/drivers/dma/apple-admac.c
++++ b/drivers/dma/apple-admac.c
+@@ -858,6 +858,9 @@ static int admac_probe(struct platform_device *pdev)
+
+ dma->directions = BIT(DMA_MEM_TO_DEV) | BIT(DMA_DEV_TO_MEM);
+ dma->residue_granularity = DMA_RESIDUE_GRANULARITY_BURST;
++ dma->src_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_1_BYTE) |
++ BIT(DMA_SLAVE_BUSWIDTH_2_BYTES) |
++ BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+ dma->dst_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_1_BYTE) |
+ BIT(DMA_SLAVE_BUSWIDTH_2_BYTES) |
+ BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
+--
+2.39.2
+
--- /dev/null
+From f7c5cd74bd571a4e8bf2913aa5922a03048fa43e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 15:24:22 +0800
+Subject: drm/amdgpu: add mes resume when do gfx post soft reset
+
+From: Tong Liu01 <Tong.Liu01@amd.com>
+
+[ Upstream commit 4eb0b49a0ad3e004a6a65b84efe37bc7e66d560f ]
+
+[why]
+when gfx do soft reset, mes will also do reset, if mes is not
+resumed when do recover from soft reset, mes is unable to respond
+in later sequence
+
+[how]
+resume mes when do gfx post soft reset
+
+Signed-off-by: Tong Liu01 <Tong.Liu01@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
+index 90e739d9aeee7..7a13129842602 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
+@@ -4625,6 +4625,14 @@ static bool gfx_v11_0_check_soft_reset(void *handle)
+ return false;
+ }
+
++static int gfx_v11_0_post_soft_reset(void *handle)
++{
++ /**
++ * GFX soft reset will impact MES, need resume MES when do GFX soft reset
++ */
++ return amdgpu_mes_resume((struct amdgpu_device *)handle);
++}
++
+ static uint64_t gfx_v11_0_get_gpu_clock_counter(struct amdgpu_device *adev)
+ {
+ uint64_t clock;
+@@ -6068,6 +6076,7 @@ static const struct amd_ip_funcs gfx_v11_0_ip_funcs = {
+ .wait_for_idle = gfx_v11_0_wait_for_idle,
+ .soft_reset = gfx_v11_0_soft_reset,
+ .check_soft_reset = gfx_v11_0_check_soft_reset,
++ .post_soft_reset = gfx_v11_0_post_soft_reset,
+ .set_clockgating_state = gfx_v11_0_set_clockgating_state,
+ .set_powergating_state = gfx_v11_0_set_powergating_state,
+ .get_clockgating_state = gfx_v11_0_get_clockgating_state,
+--
+2.39.2
+
--- /dev/null
+From 9b2bd985d8d074d8061b433eb03448dd428526a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 11:30:32 +0800
+Subject: drm/amdgpu: Force signal hw_fences that are embedded in non-sched
+ jobs
+
+From: YuBiao Wang <YuBiao.Wang@amd.com>
+
+[ Upstream commit 033c56474acf567a450f8bafca50e0b610f2b716 ]
+
+[Why]
+For engines not supporting soft reset, i.e. VCN, there will be a failed
+ib test before mode 1 reset during asic reset. The fences in this case
+are never signaled and next time when we try to free the sa_bo, kernel
+will hang.
+
+[How]
+During pre_asic_reset, driver will clear job fences and afterwards the
+fences' refcount will be reduced to 1. For drm_sched_jobs it will be
+released in job_free_cb, and for non-sched jobs like ib_test, it's meant
+to be released in sa_bo_free but only when the fences are signaled. So
+we have to force signal the non_sched bad job's fence during
+pre_asic_reset or the clear is not complete.
+
+Signed-off-by: YuBiao Wang <YuBiao.Wang@amd.com>
+Acked-by: Luben Tuikov <luben.tuikov@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
+index 6fdb679321d0d..3cc1929285fc0 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c
+@@ -624,6 +624,15 @@ void amdgpu_fence_driver_clear_job_fences(struct amdgpu_ring *ring)
+ ptr = &ring->fence_drv.fences[i];
+ old = rcu_dereference_protected(*ptr, 1);
+ if (old && old->ops == &amdgpu_job_fence_ops) {
++ struct amdgpu_job *job;
++
++ /* For non-scheduler bad job, i.e. failed ib test, we need to signal
++ * it right here or we won't be able to track them in fence_drv
++ * and they will remain unsignaled during sa_bo free.
++ */
++ job = container_of(old, struct amdgpu_job, hw_fence);
++ if (!job->base.s_fence && !dma_fence_is_signaled(old))
++ dma_fence_signal(old);
+ RCU_INIT_POINTER(*ptr, NULL);
+ dma_fence_put(old);
+ }
+--
+2.39.2
+
--- /dev/null
+From 4e7458e5d45069bce87c2d186730b8173a3b97ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 18:59:59 +0800
+Subject: drm/amdgpu/gfx: set cg flags to enter/exit safe mode
+
+From: Jane Jian <Jane.Jian@amd.com>
+
+[ Upstream commit e06bfcc1a1c41bcb8c31470d437e147ce9f0acfd ]
+
+sriov needs to enter/exit safe mode in update umd p state
+add the cg flag to let it enter or exit while needed
+
+Signed-off-by: Jane Jian <Jane.Jian@amd.com>
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
+index 7a13129842602..0dd2fe4f071e8 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
+@@ -1316,6 +1316,11 @@ static int gfx_v11_0_sw_init(void *handle)
+ break;
+ }
+
++ /* Enable CG flag in one VF mode for enabling RLC safe mode enter/exit */
++ if (adev->ip_versions[GC_HWIP][0] == IP_VERSION(11, 0, 3) &&
++ amdgpu_sriov_is_pp_one_vf(adev))
++ adev->cg_flags = AMD_CG_SUPPORT_GFX_CGCG;
++
+ /* EOP Event */
+ r = amdgpu_irq_add_id(adev, SOC21_IH_CLIENTID_GRBM_CP,
+ GFX_11_0_0__SRCID__CP_EOP_INTERRUPT,
+--
+2.39.2
+
--- /dev/null
+From ce683e3c1250362f90adb7002eb10ae54be2d1de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Dec 2021 17:34:16 +0100
+Subject: drm/armada: Fix a potential double free in an error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit b89ce1177d42d5c124e83f3858818cd4e6a2c46f ]
+
+'priv' is a managed resource, so there is no need to free it explicitly or
+there will be a double free().
+
+Fixes: 90ad200b4cbc ("drm/armada: Use devm_drm_dev_alloc")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/c4f3c9207a9fce35cb6dd2cc60e755275961588a.1640536364.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/armada/armada_drv.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/armada/armada_drv.c b/drivers/gpu/drm/armada/armada_drv.c
+index 0643887800b4d..142668cd6d7cd 100644
+--- a/drivers/gpu/drm/armada/armada_drv.c
++++ b/drivers/gpu/drm/armada/armada_drv.c
+@@ -99,7 +99,6 @@ static int armada_drm_bind(struct device *dev)
+ if (ret) {
+ dev_err(dev, "[" DRM_NAME ":%s] can't kick out simple-fb: %d\n",
+ __func__, ret);
+- kfree(priv);
+ return ret;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From d65308715d53c9f006d6e4d5488021b2eae79a9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Mar 2023 10:52:18 +0100
+Subject: drm: panel-orientation-quirks: Add quirk for Lenovo Yoga Book X90F
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 03aecb1acbcd7a660f97d645ca6c09d9de27ff9d ]
+
+Like the Windows Lenovo Yoga Book X91F/L the Android Lenovo Yoga Book
+X90F/L has a portrait 1200x1920 screen used in landscape mode,
+add a quirk for this.
+
+When the quirk for the X91F/L was initially added it was written to
+also apply to the X90F/L but this does not work because the Android
+version of the Yoga Book uses completely different DMI strings.
+Also adjust the X91F/L quirk to reflect that it only applies to
+the X91F/L models.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230301095218.28457-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index 5522d610c5cfd..b1a38e6ce2f8f 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -328,10 +328,17 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "IdeaPad Duet 3 10IGL5"),
+ },
+ .driver_data = (void *)&lcd1200x1920_rightside_up,
+- }, { /* Lenovo Yoga Book X90F / X91F / X91L */
++ }, { /* Lenovo Yoga Book X90F / X90L */
+ .matches = {
+- /* Non exact match to match all versions */
+- DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X9"),
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Intel Corporation"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "CHERRYVIEW D1 PLATFORM"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "YETI-11"),
++ },
++ .driver_data = (void *)&lcd1200x1920_rightside_up,
++ }, { /* Lenovo Yoga Book X91F / X91L */
++ .matches = {
++ /* Non exact match to match F + L versions */
++ DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X91"),
+ },
+ .driver_data = (void *)&lcd1200x1920_rightside_up,
+ }, { /* Lenovo Yoga Tablet 2 830F / 830L */
+--
+2.39.2
+
--- /dev/null
+From 209f9c8afd82b87b599e6242ce657b5ccbffeb9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 13:31:03 +0100
+Subject: efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 5ed213dd64681f84a01ceaa82fb336cf7d59ddcf ]
+
+Another Lenovo convertable which reports a landscape resolution of
+1920x1200 with a pitch of (1920 * 4) bytes, while the actual framebuffer
+has a resolution of 1200x1920 with a pitch of (1200 * 4) bytes.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/sysfb_efi.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/firmware/efi/sysfb_efi.c b/drivers/firmware/efi/sysfb_efi.c
+index e76d6803bdd08..456d0e5eaf78b 100644
+--- a/drivers/firmware/efi/sysfb_efi.c
++++ b/drivers/firmware/efi/sysfb_efi.c
+@@ -272,6 +272,14 @@ static const struct dmi_system_id efifb_dmi_swap_width_height[] __initconst = {
+ "IdeaPad Duet 3 10IGL5"),
+ },
+ },
++ {
++ /* Lenovo Yoga Book X91F / X91L */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ /* Non exact match to match F + L versions */
++ DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X91"),
++ },
++ },
+ {},
+ };
+
+--
+2.39.2
+
--- /dev/null
+From 938e32b178c09ac66ea808793a20005b2427fc28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Mar 2023 10:04:10 +0100
+Subject: hwmon: (peci/cputemp) Fix miscalculated DTS for SKX
+
+From: Iwona Winiarska <iwona.winiarska@intel.com>
+
+[ Upstream commit 2b91c4a870c9830eaf95e744454c9c218cccb736 ]
+
+For Skylake, DTS temperature of the CPU is reported in S10.6 format
+instead of S8.8.
+
+Reported-by: Paul Fertser <fercerpav@gmail.com>
+Link: https://lore.kernel.org/lkml/ZBhHS7v+98NK56is@home.paul.comp/
+Signed-off-by: Iwona Winiarska <iwona.winiarska@intel.com>
+Link: https://lore.kernel.org/r/20230321090410.866766-1-iwona.winiarska@intel.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/peci/cputemp.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/peci/cputemp.c b/drivers/hwmon/peci/cputemp.c
+index 30850a479f61f..87d56f0fc888c 100644
+--- a/drivers/hwmon/peci/cputemp.c
++++ b/drivers/hwmon/peci/cputemp.c
+@@ -537,6 +537,12 @@ static const struct cpu_info cpu_hsx = {
+ .thermal_margin_to_millidegree = &dts_eight_dot_eight_to_millidegree,
+ };
+
++static const struct cpu_info cpu_skx = {
++ .reg = &resolved_cores_reg_hsx,
++ .min_peci_revision = 0x33,
++ .thermal_margin_to_millidegree = &dts_ten_dot_six_to_millidegree,
++};
++
+ static const struct cpu_info cpu_icx = {
+ .reg = &resolved_cores_reg_icx,
+ .min_peci_revision = 0x40,
+@@ -558,7 +564,7 @@ static const struct auxiliary_device_id peci_cputemp_ids[] = {
+ },
+ {
+ .name = "peci_cpu.cputemp.skx",
+- .driver_data = (kernel_ulong_t)&cpu_hsx,
++ .driver_data = (kernel_ulong_t)&cpu_skx,
+ },
+ {
+ .name = "peci_cpu.cputemp.icx",
+--
+2.39.2
+
--- /dev/null
+From cd7d7436193ab7adfa02e7c86601afdb16532a72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Mar 2023 22:38:51 +0800
+Subject: hwmon: (xgene) Fix ioremap and memremap leak
+
+From: Tianyi Jing <jingfelix@hust.edu.cn>
+
+[ Upstream commit 813cc94c7847ae4a17e9f744fb4dbdf7df6bd732 ]
+
+Smatch reports:
+
+drivers/hwmon/xgene-hwmon.c:757 xgene_hwmon_probe() warn:
+'ctx->pcc_comm_addr' from ioremap() not released on line: 757.
+
+This is because in drivers/hwmon/xgene-hwmon.c:701 xgene_hwmon_probe(),
+ioremap and memremap is not released, which may cause a leak.
+
+To fix this, ioremap and memremap is modified to devm_ioremap and
+devm_memremap.
+
+Signed-off-by: Tianyi Jing <jingfelix@hust.edu.cn>
+Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
+Link: https://lore.kernel.org/r/20230318143851.2191625-1-jingfelix@hust.edu.cn
+[groeck: Fixed formatting and subject]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/xgene-hwmon.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/hwmon/xgene-hwmon.c b/drivers/hwmon/xgene-hwmon.c
+index d1abea49f01be..78d9f52e2a719 100644
+--- a/drivers/hwmon/xgene-hwmon.c
++++ b/drivers/hwmon/xgene-hwmon.c
+@@ -698,14 +698,14 @@ static int xgene_hwmon_probe(struct platform_device *pdev)
+ ctx->comm_base_addr = pcc_chan->shmem_base_addr;
+ if (ctx->comm_base_addr) {
+ if (version == XGENE_HWMON_V2)
+- ctx->pcc_comm_addr = (void __force *)ioremap(
+- ctx->comm_base_addr,
+- pcc_chan->shmem_size);
++ ctx->pcc_comm_addr = (void __force *)devm_ioremap(&pdev->dev,
++ ctx->comm_base_addr,
++ pcc_chan->shmem_size);
+ else
+- ctx->pcc_comm_addr = memremap(
+- ctx->comm_base_addr,
+- pcc_chan->shmem_size,
+- MEMREMAP_WB);
++ ctx->pcc_comm_addr = devm_memremap(&pdev->dev,
++ ctx->comm_base_addr,
++ pcc_chan->shmem_size,
++ MEMREMAP_WB);
+ } else {
+ dev_err(&pdev->dev, "Failed to get PCC comm region\n");
+ rc = -ENODEV;
+--
+2.39.2
+
--- /dev/null
+From 9c51cf3f0bdaf883966259bc4e1e8f55c03c6a6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 15:45:51 +0800
+Subject: i2c: hisi: Avoid redundant interrupts
+
+From: Yicong Yang <yangyicong@hisilicon.com>
+
+[ Upstream commit cc9812a3096d1986caca9a23bee99effc45c08df ]
+
+After issuing all the messages we can disable the TX_EMPTY interrupts
+to avoid handling redundant interrupts. For doing a sinlge bus
+detection (i2cdetect -y -r 0) we can reduce ~97% interrupts (before
+~12000 after ~400).
+
+Signed-off-by: Sheng Feng <fengsheng5@huawei.com>
+Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-hisi.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-hisi.c b/drivers/i2c/busses/i2c-hisi.c
+index d30071f299879..8a61bee745a16 100644
+--- a/drivers/i2c/busses/i2c-hisi.c
++++ b/drivers/i2c/busses/i2c-hisi.c
+@@ -314,6 +314,13 @@ static void hisi_i2c_xfer_msg(struct hisi_i2c_controller *ctlr)
+ max_write == 0)
+ break;
+ }
++
++ /*
++ * Disable the TX_EMPTY interrupt after finishing all the messages to
++ * avoid overwhelming the CPU.
++ */
++ if (ctlr->msg_tx_idx == ctlr->msg_num)
++ hisi_i2c_disable_int(ctlr, HISI_I2C_INT_TX_EMPTY);
+ }
+
+ static irqreturn_t hisi_i2c_irq(int irq, void *context)
+--
+2.39.2
+
--- /dev/null
+From ee4a8ca797e0abd958dbedb232da0b6cdc651e28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jan 2023 16:32:46 +0100
+Subject: i2c: imx-lpi2c: clean rx/tx buffers upon new message
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit 987dd36c0141f6ab9f0fbf14d6b2ec3342dedb2f ]
+
+When start sending a new message clear the Rx & Tx buffer pointers in
+order to avoid using stale pointers.
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Tested-by: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-imx-lpi2c.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-imx-lpi2c.c b/drivers/i2c/busses/i2c-imx-lpi2c.c
+index 9b2f9544c5681..a49b14d52a986 100644
+--- a/drivers/i2c/busses/i2c-imx-lpi2c.c
++++ b/drivers/i2c/busses/i2c-imx-lpi2c.c
+@@ -463,6 +463,8 @@ static int lpi2c_imx_xfer(struct i2c_adapter *adapter,
+ if (num == 1 && msgs[0].len == 0)
+ goto stop;
+
++ lpi2c_imx->rx_buf = NULL;
++ lpi2c_imx->tx_buf = NULL;
+ lpi2c_imx->delivered = 0;
+ lpi2c_imx->msglen = msgs[i].len;
+ init_completion(&lpi2c_imx->complete);
+--
+2.39.2
+
--- /dev/null
+From f602fecda1cae566dac9de56dc2f5023c60f03e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Apr 2023 15:35:27 -0600
+Subject: iavf: refactor VLAN filter states
+
+From: Ahmed Zaki <ahmed.zaki@intel.com>
+
+[ Upstream commit 0c0da0e951053fda20412cd284e2714bbbb31bff ]
+
+The VLAN filter states are currently being saved as individual bits.
+This is error prone as multiple bits might be mistakenly set.
+
+Fix by replacing the bits with a single state enum. Also, add an
+"ACTIVE" state for filters that are accepted by the PF.
+
+Signed-off-by: Ahmed Zaki <ahmed.zaki@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Stable-dep-of: 9c85b7fa12ef ("iavf: remove active_cvlans and active_svlans bitmaps")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf.h | 15 +++++----
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 8 ++---
+ .../net/ethernet/intel/iavf/iavf_virtchnl.c | 31 +++++++++----------
+ 3 files changed, 28 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h
+index 2a9f1eeeb7015..fdbb5d9a554cf 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf.h
++++ b/drivers/net/ethernet/intel/iavf/iavf.h
+@@ -157,15 +157,18 @@ struct iavf_vlan {
+ u16 tpid;
+ };
+
++enum iavf_vlan_state_t {
++ IAVF_VLAN_INVALID,
++ IAVF_VLAN_ADD, /* filter needs to be added */
++ IAVF_VLAN_IS_NEW, /* filter is new, wait for PF answer */
++ IAVF_VLAN_ACTIVE, /* filter is accepted by PF */
++ IAVF_VLAN_REMOVE, /* filter needs to be removed */
++};
++
+ struct iavf_vlan_filter {
+ struct list_head list;
+ struct iavf_vlan vlan;
+- struct {
+- u8 is_new_vlan:1; /* filter is new, wait for PF answer */
+- u8 remove:1; /* filter needs to be removed */
+- u8 add:1; /* filter needs to be added */
+- u8 padding:5;
+- };
++ enum iavf_vlan_state_t state;
+ };
+
+ #define IAVF_MAX_TRAFFIC_CLASS 4
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 5f8fff6c701fc..8e4d0b0644e4a 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -791,7 +791,7 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter,
+ f->vlan = vlan;
+
+ list_add_tail(&f->list, &adapter->vlan_filter_list);
+- f->add = true;
++ f->state = IAVF_VLAN_ADD;
+ adapter->aq_required |= IAVF_FLAG_AQ_ADD_VLAN_FILTER;
+ }
+
+@@ -813,7 +813,7 @@ static void iavf_del_vlan(struct iavf_adapter *adapter, struct iavf_vlan vlan)
+
+ f = iavf_find_vlan(adapter, vlan);
+ if (f) {
+- f->remove = true;
++ f->state = IAVF_VLAN_REMOVE;
+ adapter->aq_required |= IAVF_FLAG_AQ_DEL_VLAN_FILTER;
+ }
+
+@@ -1296,11 +1296,11 @@ static void iavf_clear_mac_vlan_filters(struct iavf_adapter *adapter)
+ /* remove all VLAN filters */
+ list_for_each_entry_safe(vlf, vlftmp, &adapter->vlan_filter_list,
+ list) {
+- if (vlf->add) {
++ if (vlf->state == IAVF_VLAN_ADD) {
+ list_del(&vlf->list);
+ kfree(vlf);
+ } else {
+- vlf->remove = true;
++ vlf->state = IAVF_VLAN_REMOVE;
+ }
+ }
+ spin_unlock_bh(&adapter->mac_vlan_list_lock);
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+index 2c03ca01fdd9c..68d6e7c1e52b1 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+@@ -642,7 +642,7 @@ static void iavf_vlan_add_reject(struct iavf_adapter *adapter)
+
+ spin_lock_bh(&adapter->mac_vlan_list_lock);
+ list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
+- if (f->is_new_vlan) {
++ if (f->state == IAVF_VLAN_IS_NEW) {
+ if (f->vlan.tpid == ETH_P_8021Q)
+ clear_bit(f->vlan.vid,
+ adapter->vsi.active_cvlans);
+@@ -679,7 +679,7 @@ void iavf_add_vlans(struct iavf_adapter *adapter)
+ spin_lock_bh(&adapter->mac_vlan_list_lock);
+
+ list_for_each_entry(f, &adapter->vlan_filter_list, list) {
+- if (f->add)
++ if (f->state == IAVF_VLAN_ADD)
+ count++;
+ }
+ if (!count || !VLAN_FILTERING_ALLOWED(adapter)) {
+@@ -710,11 +710,10 @@ void iavf_add_vlans(struct iavf_adapter *adapter)
+ vvfl->vsi_id = adapter->vsi_res->vsi_id;
+ vvfl->num_elements = count;
+ list_for_each_entry(f, &adapter->vlan_filter_list, list) {
+- if (f->add) {
++ if (f->state == IAVF_VLAN_ADD) {
+ vvfl->vlan_id[i] = f->vlan.vid;
+ i++;
+- f->add = false;
+- f->is_new_vlan = true;
++ f->state = IAVF_VLAN_IS_NEW;
+ if (i == count)
+ break;
+ }
+@@ -760,7 +759,7 @@ void iavf_add_vlans(struct iavf_adapter *adapter)
+ vvfl_v2->vport_id = adapter->vsi_res->vsi_id;
+ vvfl_v2->num_elements = count;
+ list_for_each_entry(f, &adapter->vlan_filter_list, list) {
+- if (f->add) {
++ if (f->state == IAVF_VLAN_ADD) {
+ struct virtchnl_vlan_supported_caps *filtering_support =
+ &adapter->vlan_v2_caps.filtering.filtering_support;
+ struct virtchnl_vlan *vlan;
+@@ -778,8 +777,7 @@ void iavf_add_vlans(struct iavf_adapter *adapter)
+ vlan->tpid = f->vlan.tpid;
+
+ i++;
+- f->add = false;
+- f->is_new_vlan = true;
++ f->state = IAVF_VLAN_IS_NEW;
+ }
+ }
+
+@@ -822,10 +820,11 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
+ * filters marked for removal to enable bailing out before
+ * sending a virtchnl message
+ */
+- if (f->remove && !VLAN_FILTERING_ALLOWED(adapter)) {
++ if (f->state == IAVF_VLAN_REMOVE &&
++ !VLAN_FILTERING_ALLOWED(adapter)) {
+ list_del(&f->list);
+ kfree(f);
+- } else if (f->remove) {
++ } else if (f->state == IAVF_VLAN_REMOVE) {
+ count++;
+ }
+ }
+@@ -857,7 +856,7 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
+ vvfl->vsi_id = adapter->vsi_res->vsi_id;
+ vvfl->num_elements = count;
+ list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
+- if (f->remove) {
++ if (f->state == IAVF_VLAN_REMOVE) {
+ vvfl->vlan_id[i] = f->vlan.vid;
+ i++;
+ list_del(&f->list);
+@@ -901,7 +900,7 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
+ vvfl_v2->vport_id = adapter->vsi_res->vsi_id;
+ vvfl_v2->num_elements = count;
+ list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
+- if (f->remove) {
++ if (f->state == IAVF_VLAN_REMOVE) {
+ struct virtchnl_vlan_supported_caps *filtering_support =
+ &adapter->vlan_v2_caps.filtering.filtering_support;
+ struct virtchnl_vlan *vlan;
+@@ -2192,7 +2191,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
+ list_for_each_entry(vlf,
+ &adapter->vlan_filter_list,
+ list)
+- vlf->add = true;
++ vlf->state = IAVF_VLAN_ADD;
+
+ adapter->aq_required |=
+ IAVF_FLAG_AQ_ADD_VLAN_FILTER;
+@@ -2252,7 +2251,7 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
+ list_for_each_entry(vlf,
+ &adapter->vlan_filter_list,
+ list)
+- vlf->add = true;
++ vlf->state = IAVF_VLAN_ADD;
+
+ aq_required |= IAVF_FLAG_AQ_ADD_VLAN_FILTER;
+ }
+@@ -2436,8 +2435,8 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
+
+ spin_lock_bh(&adapter->mac_vlan_list_lock);
+ list_for_each_entry(f, &adapter->vlan_filter_list, list) {
+- if (f->is_new_vlan) {
+- f->is_new_vlan = false;
++ if (f->state == IAVF_VLAN_IS_NEW) {
++ f->state = IAVF_VLAN_ACTIVE;
+ if (f->vlan.tpid == ETH_P_8021Q)
+ set_bit(f->vlan.vid,
+ adapter->vsi.active_cvlans);
+--
+2.39.2
+
--- /dev/null
+From c577a655b5bdda17179b9ad062c156982a1f57c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Apr 2023 15:35:28 -0600
+Subject: iavf: remove active_cvlans and active_svlans bitmaps
+
+From: Ahmed Zaki <ahmed.zaki@intel.com>
+
+[ Upstream commit 9c85b7fa12ef2e4fc11a4e31ac595fb5f9d0ddf9 ]
+
+The VLAN filters info is currently being held in a list and 2 bitmaps
+(active_cvlans and active_svlans). We are experiencing some racing where
+data is not in sync in the list and bitmaps. For example, the VLAN is
+initially added to the list but only when the PF replies, it is added to
+the bitmap. If a user adds many V2 VLANS before the PF responds:
+
+ while [ $((i++)) ]
+ ip l add l eth0 name eth0.$i type vlan id $i
+
+we might end up with more VLAN list entries than the designated limit.
+Also, The "ip link show" will show more links added than the PF limit.
+
+On the other and, the bitmaps are only used to check the number of VLAN
+filters and to re-enable the filters when the interface goes from DOWN to
+UP.
+
+This patch gets rid of the bitmaps and uses the list only. To do that,
+the states of the VLAN filter are modified:
+1 - IAVF_VLAN_REMOVE: the entry needs to be totally removed after informing
+ the PF. This is the "ip link del eth0.$i" path.
+2 - IAVF_VLAN_DISABLE: (new) the netdev went down. The filter needs to be
+ removed from the PF and then marked INACTIVE.
+3 - IAVF_VLAN_INACTIVE: (new) no PF filter exists, but the user did not
+ delete the VLAN.
+
+Fixes: 48ccc43ecf10 ("iavf: Add support VIRTCHNL_VF_OFFLOAD_VLAN_V2 during netdev config")
+Signed-off-by: Ahmed Zaki <ahmed.zaki@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf.h | 7 +--
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 40 +++++++----------
+ .../net/ethernet/intel/iavf/iavf_virtchnl.c | 45 ++++++++++---------
+ 3 files changed, 45 insertions(+), 47 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h
+index fdbb5d9a554cf..93a998f169de7 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf.h
++++ b/drivers/net/ethernet/intel/iavf/iavf.h
+@@ -58,8 +58,6 @@ enum iavf_vsi_state_t {
+ struct iavf_vsi {
+ struct iavf_adapter *back;
+ struct net_device *netdev;
+- unsigned long active_cvlans[BITS_TO_LONGS(VLAN_N_VID)];
+- unsigned long active_svlans[BITS_TO_LONGS(VLAN_N_VID)];
+ u16 seid;
+ u16 id;
+ DECLARE_BITMAP(state, __IAVF_VSI_STATE_SIZE__);
+@@ -162,7 +160,9 @@ enum iavf_vlan_state_t {
+ IAVF_VLAN_ADD, /* filter needs to be added */
+ IAVF_VLAN_IS_NEW, /* filter is new, wait for PF answer */
+ IAVF_VLAN_ACTIVE, /* filter is accepted by PF */
+- IAVF_VLAN_REMOVE, /* filter needs to be removed */
++ IAVF_VLAN_DISABLE, /* filter needs to be deleted by PF, then marked INACTIVE */
++ IAVF_VLAN_INACTIVE, /* filter is inactive, we are in IFF_DOWN */
++ IAVF_VLAN_REMOVE, /* filter needs to be removed from list */
+ };
+
+ struct iavf_vlan_filter {
+@@ -260,6 +260,7 @@ struct iavf_adapter {
+ wait_queue_head_t vc_waitqueue;
+ struct iavf_q_vector *q_vectors;
+ struct list_head vlan_filter_list;
++ int num_vlan_filters;
+ struct list_head mac_filter_list;
+ struct mutex crit_lock;
+ struct mutex client_lock;
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 8e4d0b0644e4a..34711a88dbaa0 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -792,6 +792,7 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter,
+
+ list_add_tail(&f->list, &adapter->vlan_filter_list);
+ f->state = IAVF_VLAN_ADD;
++ adapter->num_vlan_filters++;
+ adapter->aq_required |= IAVF_FLAG_AQ_ADD_VLAN_FILTER;
+ }
+
+@@ -828,14 +829,18 @@ static void iavf_del_vlan(struct iavf_adapter *adapter, struct iavf_vlan vlan)
+ **/
+ static void iavf_restore_filters(struct iavf_adapter *adapter)
+ {
+- u16 vid;
++ struct iavf_vlan_filter *f;
+
+ /* re-add all VLAN filters */
+- for_each_set_bit(vid, adapter->vsi.active_cvlans, VLAN_N_VID)
+- iavf_add_vlan(adapter, IAVF_VLAN(vid, ETH_P_8021Q));
++ spin_lock_bh(&adapter->mac_vlan_list_lock);
+
+- for_each_set_bit(vid, adapter->vsi.active_svlans, VLAN_N_VID)
+- iavf_add_vlan(adapter, IAVF_VLAN(vid, ETH_P_8021AD));
++ list_for_each_entry(f, &adapter->vlan_filter_list, list) {
++ if (f->state == IAVF_VLAN_INACTIVE)
++ f->state = IAVF_VLAN_ADD;
++ }
++
++ spin_unlock_bh(&adapter->mac_vlan_list_lock);
++ adapter->aq_required |= IAVF_FLAG_AQ_ADD_VLAN_FILTER;
+ }
+
+ /**
+@@ -844,8 +849,7 @@ static void iavf_restore_filters(struct iavf_adapter *adapter)
+ */
+ u16 iavf_get_num_vlans_added(struct iavf_adapter *adapter)
+ {
+- return bitmap_weight(adapter->vsi.active_cvlans, VLAN_N_VID) +
+- bitmap_weight(adapter->vsi.active_svlans, VLAN_N_VID);
++ return adapter->num_vlan_filters;
+ }
+
+ /**
+@@ -928,11 +932,6 @@ static int iavf_vlan_rx_kill_vid(struct net_device *netdev,
+ return 0;
+
+ iavf_del_vlan(adapter, IAVF_VLAN(vid, be16_to_cpu(proto)));
+- if (proto == cpu_to_be16(ETH_P_8021Q))
+- clear_bit(vid, adapter->vsi.active_cvlans);
+- else
+- clear_bit(vid, adapter->vsi.active_svlans);
+-
+ return 0;
+ }
+
+@@ -1293,16 +1292,11 @@ static void iavf_clear_mac_vlan_filters(struct iavf_adapter *adapter)
+ }
+ }
+
+- /* remove all VLAN filters */
++ /* disable all VLAN filters */
+ list_for_each_entry_safe(vlf, vlftmp, &adapter->vlan_filter_list,
+- list) {
+- if (vlf->state == IAVF_VLAN_ADD) {
+- list_del(&vlf->list);
+- kfree(vlf);
+- } else {
+- vlf->state = IAVF_VLAN_REMOVE;
+- }
+- }
++ list)
++ vlf->state = IAVF_VLAN_DISABLE;
++
+ spin_unlock_bh(&adapter->mac_vlan_list_lock);
+ }
+
+@@ -2905,6 +2899,7 @@ static void iavf_disable_vf(struct iavf_adapter *adapter)
+ list_del(&fv->list);
+ kfree(fv);
+ }
++ adapter->num_vlan_filters = 0;
+
+ spin_unlock_bh(&adapter->mac_vlan_list_lock);
+
+@@ -3122,9 +3117,6 @@ static void iavf_reset_task(struct work_struct *work)
+ adapter->aq_required |= IAVF_FLAG_AQ_ADD_CLOUD_FILTER;
+ iavf_misc_irq_enable(adapter);
+
+- bitmap_clear(adapter->vsi.active_cvlans, 0, VLAN_N_VID);
+- bitmap_clear(adapter->vsi.active_svlans, 0, VLAN_N_VID);
+-
+ mod_delayed_work(adapter->wq, &adapter->watchdog_task, 2);
+
+ /* We were running when the reset started, so we need to restore some
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+index 68d6e7c1e52b1..00dccdd290dce 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c
+@@ -643,15 +643,9 @@ static void iavf_vlan_add_reject(struct iavf_adapter *adapter)
+ spin_lock_bh(&adapter->mac_vlan_list_lock);
+ list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
+ if (f->state == IAVF_VLAN_IS_NEW) {
+- if (f->vlan.tpid == ETH_P_8021Q)
+- clear_bit(f->vlan.vid,
+- adapter->vsi.active_cvlans);
+- else
+- clear_bit(f->vlan.vid,
+- adapter->vsi.active_svlans);
+-
+ list_del(&f->list);
+ kfree(f);
++ adapter->num_vlan_filters--;
+ }
+ }
+ spin_unlock_bh(&adapter->mac_vlan_list_lock);
+@@ -824,7 +818,12 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
+ !VLAN_FILTERING_ALLOWED(adapter)) {
+ list_del(&f->list);
+ kfree(f);
+- } else if (f->state == IAVF_VLAN_REMOVE) {
++ adapter->num_vlan_filters--;
++ } else if (f->state == IAVF_VLAN_DISABLE &&
++ !VLAN_FILTERING_ALLOWED(adapter)) {
++ f->state = IAVF_VLAN_INACTIVE;
++ } else if (f->state == IAVF_VLAN_REMOVE ||
++ f->state == IAVF_VLAN_DISABLE) {
+ count++;
+ }
+ }
+@@ -856,11 +855,18 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
+ vvfl->vsi_id = adapter->vsi_res->vsi_id;
+ vvfl->num_elements = count;
+ list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
+- if (f->state == IAVF_VLAN_REMOVE) {
++ if (f->state == IAVF_VLAN_DISABLE) {
+ vvfl->vlan_id[i] = f->vlan.vid;
++ f->state = IAVF_VLAN_INACTIVE;
+ i++;
++ if (i == count)
++ break;
++ } else if (f->state == IAVF_VLAN_REMOVE) {
++ vvfl->vlan_id[i] = f->vlan.vid;
+ list_del(&f->list);
+ kfree(f);
++ adapter->num_vlan_filters--;
++ i++;
+ if (i == count)
+ break;
+ }
+@@ -900,7 +906,8 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
+ vvfl_v2->vport_id = adapter->vsi_res->vsi_id;
+ vvfl_v2->num_elements = count;
+ list_for_each_entry_safe(f, ftmp, &adapter->vlan_filter_list, list) {
+- if (f->state == IAVF_VLAN_REMOVE) {
++ if (f->state == IAVF_VLAN_DISABLE ||
++ f->state == IAVF_VLAN_REMOVE) {
+ struct virtchnl_vlan_supported_caps *filtering_support =
+ &adapter->vlan_v2_caps.filtering.filtering_support;
+ struct virtchnl_vlan *vlan;
+@@ -914,8 +921,13 @@ void iavf_del_vlans(struct iavf_adapter *adapter)
+ vlan->tci = f->vlan.vid;
+ vlan->tpid = f->vlan.tpid;
+
+- list_del(&f->list);
+- kfree(f);
++ if (f->state == IAVF_VLAN_DISABLE) {
++ f->state = IAVF_VLAN_INACTIVE;
++ } else {
++ list_del(&f->list);
++ kfree(f);
++ adapter->num_vlan_filters--;
++ }
+ i++;
+ if (i == count)
+ break;
+@@ -2435,15 +2447,8 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter,
+
+ spin_lock_bh(&adapter->mac_vlan_list_lock);
+ list_for_each_entry(f, &adapter->vlan_filter_list, list) {
+- if (f->state == IAVF_VLAN_IS_NEW) {
++ if (f->state == IAVF_VLAN_IS_NEW)
+ f->state = IAVF_VLAN_ACTIVE;
+- if (f->vlan.tpid == ETH_P_8021Q)
+- set_bit(f->vlan.vid,
+- adapter->vsi.active_cvlans);
+- else
+- set_bit(f->vlan.vid,
+- adapter->vsi.active_svlans);
+- }
+ }
+ spin_unlock_bh(&adapter->mac_vlan_list_lock);
+ }
+--
+2.39.2
+
--- /dev/null
+From 7c4eb896ef3de57394dcdd54540fedad43b73b83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 15:40:49 +0200
+Subject: IB/mlx5: Add support for 400G_8X lane speed
+
+From: Maher Sanalla <msanalla@nvidia.com>
+
+[ Upstream commit 88c9483faf15ada14eca82714114656893063458 ]
+
+Currently, when driver queries PTYS to report which link speed is being
+used on its RoCE ports, it does not check the case of having 400Gbps
+transmitted over 8 lanes. Thus it fails to report the said speed and
+instead it defaults to report 10G over 4 lanes.
+
+Add a check for the said speed when querying PTYS and report it back
+correctly when needed.
+
+Fixes: 08e8676f1607 ("IB/mlx5: Add support for 50Gbps per lane link modes")
+Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
+Reviewed-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Saeed Mahameed <saeedm@nvidia.com>
+Link: https://lore.kernel.org/r/ec9040548d119d22557d6a4b4070d6f421701fd4.1678973994.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index c669ef6e47e73..eaa35e1df2a85 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -442,6 +442,10 @@ static int translate_eth_ext_proto_oper(u32 eth_proto_oper, u16 *active_speed,
+ *active_width = IB_WIDTH_2X;
+ *active_speed = IB_SPEED_NDR;
+ break;
++ case MLX5E_PROT_MASK(MLX5E_400GAUI_8):
++ *active_width = IB_WIDTH_8X;
++ *active_speed = IB_SPEED_HDR;
++ break;
+ case MLX5E_PROT_MASK(MLX5E_400GAUI_4_400GBASE_CR4_KR4):
+ *active_width = IB_WIDTH_4X;
+ *active_speed = IB_SPEED_NDR;
+--
+2.39.2
+
--- /dev/null
+From b6d0bfc4107bb203b1fd142c363a4258006c792b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Apr 2023 16:23:21 +0100
+Subject: KVM: arm64: Advertise ID_AA64PFR0_EL1.CSV2/3 to protected VMs
+
+From: Fuad Tabba <tabba@google.com>
+
+[ Upstream commit e81625218bf7986ba1351a98c43d346b15601d26 ]
+
+The existing pKVM code attempts to advertise CSV2/3 using values
+initialized to 0, but never set. To advertise CSV2/3 to protected
+guests, pass the CSV2/3 values to hyp when initializing hyp's
+view of guests' ID_AA64PFR0_EL1.
+
+Similar to non-protected KVM, these are system-wide, rather than
+per cpu, for simplicity.
+
+Fixes: 6c30bfb18d0b ("KVM: arm64: Add handlers for protected VM System Registers")
+Signed-off-by: Fuad Tabba <tabba@google.com>
+Link: https://lore.kernel.org/r/20230404152321.413064-1-tabba@google.com
+Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kvm/arm.c | 26 ++++++++++++++++++-
+ .../arm64/kvm/hyp/include/nvhe/fixed_config.h | 5 +++-
+ arch/arm64/kvm/hyp/nvhe/sys_regs.c | 7 -----
+ 3 files changed, 29 insertions(+), 9 deletions(-)
+
+diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
+index e40606a560997..6ce6888cf73d6 100644
+--- a/arch/arm64/kvm/arm.c
++++ b/arch/arm64/kvm/arm.c
+@@ -1870,9 +1870,33 @@ static int do_pkvm_init(u32 hyp_va_bits)
+ return ret;
+ }
+
++static u64 get_hyp_id_aa64pfr0_el1(void)
++{
++ /*
++ * Track whether the system isn't affected by spectre/meltdown in the
++ * hypervisor's view of id_aa64pfr0_el1, used for protected VMs.
++ * Although this is per-CPU, we make it global for simplicity, e.g., not
++ * to have to worry about vcpu migration.
++ *
++ * Unlike for non-protected VMs, userspace cannot override this for
++ * protected VMs.
++ */
++ u64 val = read_sanitised_ftr_reg(SYS_ID_AA64PFR0_EL1);
++
++ val &= ~(ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_CSV2) |
++ ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_CSV3));
++
++ val |= FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_CSV2),
++ arm64_get_spectre_v2_state() == SPECTRE_UNAFFECTED);
++ val |= FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_CSV3),
++ arm64_get_meltdown_state() == SPECTRE_UNAFFECTED);
++
++ return val;
++}
++
+ static void kvm_hyp_init_symbols(void)
+ {
+- kvm_nvhe_sym(id_aa64pfr0_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64PFR0_EL1);
++ kvm_nvhe_sym(id_aa64pfr0_el1_sys_val) = get_hyp_id_aa64pfr0_el1();
+ kvm_nvhe_sym(id_aa64pfr1_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64PFR1_EL1);
+ kvm_nvhe_sym(id_aa64isar0_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64ISAR0_EL1);
+ kvm_nvhe_sym(id_aa64isar1_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64ISAR1_EL1);
+diff --git a/arch/arm64/kvm/hyp/include/nvhe/fixed_config.h b/arch/arm64/kvm/hyp/include/nvhe/fixed_config.h
+index 07edfc7524c94..37440e1dda930 100644
+--- a/arch/arm64/kvm/hyp/include/nvhe/fixed_config.h
++++ b/arch/arm64/kvm/hyp/include/nvhe/fixed_config.h
+@@ -33,11 +33,14 @@
+ * Allow for protected VMs:
+ * - Floating-point and Advanced SIMD
+ * - Data Independent Timing
++ * - Spectre/Meltdown Mitigation
+ */
+ #define PVM_ID_AA64PFR0_ALLOW (\
+ ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_FP) | \
+ ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_AdvSIMD) | \
+- ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_DIT) \
++ ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_DIT) | \
++ ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_CSV2) | \
++ ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_CSV3) \
+ )
+
+ /*
+diff --git a/arch/arm64/kvm/hyp/nvhe/sys_regs.c b/arch/arm64/kvm/hyp/nvhe/sys_regs.c
+index 0f9ac25afdf40..3d5121ee39777 100644
+--- a/arch/arm64/kvm/hyp/nvhe/sys_regs.c
++++ b/arch/arm64/kvm/hyp/nvhe/sys_regs.c
+@@ -84,19 +84,12 @@ static u64 get_restricted_features_unsigned(u64 sys_reg_val,
+
+ static u64 get_pvm_id_aa64pfr0(const struct kvm_vcpu *vcpu)
+ {
+- const struct kvm *kvm = (const struct kvm *)kern_hyp_va(vcpu->kvm);
+ u64 set_mask = 0;
+ u64 allow_mask = PVM_ID_AA64PFR0_ALLOW;
+
+ set_mask |= get_restricted_features_unsigned(id_aa64pfr0_el1_sys_val,
+ PVM_ID_AA64PFR0_RESTRICT_UNSIGNED);
+
+- /* Spectre and Meltdown mitigation in KVM */
+- set_mask |= FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_CSV2),
+- (u64)kvm->arch.pfr0_csv2);
+- set_mask |= FIELD_PREP(ARM64_FEATURE_MASK(ID_AA64PFR0_EL1_CSV3),
+- (u64)kvm->arch.pfr0_csv3);
+-
+ return (id_aa64pfr0_el1_sys_val & allow_mask) | set_mask;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 14c725d2bac3a60a427de8c8e57bc5f0f4795d4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 19:02:48 +0000
+Subject: KVM: arm64: Initialise hypervisor copies of host symbols
+ unconditionally
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Will Deacon <will@kernel.org>
+
+[ Upstream commit 6c165223e9a6384aa1e934b90f2650e71adb972a ]
+
+The nVHE object at EL2 maintains its own copies of some host variables
+so that, when pKVM is enabled, the host cannot directly modify the
+hypervisor state. When running in normal nVHE mode, however, these
+variables are still mirrored at EL2 but are not initialised.
+
+Initialise the hypervisor symbols from the host copies regardless of
+pKVM, ensuring that any reference to this data at EL2 with normal nVHE
+will return a sensibly initialised value.
+
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Tested-by: Vincent Donnefort <vdonnefort@google.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20221110190259.26861-16-will@kernel.org
+Stable-dep-of: e81625218bf7 ("KVM: arm64: Advertise ID_AA64PFR0_EL1.CSV2/3 to protected VMs")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kvm/arm.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
+index 94d33e296e10c..e40606a560997 100644
+--- a/arch/arm64/kvm/arm.c
++++ b/arch/arm64/kvm/arm.c
+@@ -1870,11 +1870,8 @@ static int do_pkvm_init(u32 hyp_va_bits)
+ return ret;
+ }
+
+-static int kvm_hyp_init_protection(u32 hyp_va_bits)
++static void kvm_hyp_init_symbols(void)
+ {
+- void *addr = phys_to_virt(hyp_mem_base);
+- int ret;
+-
+ kvm_nvhe_sym(id_aa64pfr0_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64PFR0_EL1);
+ kvm_nvhe_sym(id_aa64pfr1_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64PFR1_EL1);
+ kvm_nvhe_sym(id_aa64isar0_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64ISAR0_EL1);
+@@ -1883,6 +1880,12 @@ static int kvm_hyp_init_protection(u32 hyp_va_bits)
+ kvm_nvhe_sym(id_aa64mmfr0_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64MMFR0_EL1);
+ kvm_nvhe_sym(id_aa64mmfr1_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64MMFR1_EL1);
+ kvm_nvhe_sym(id_aa64mmfr2_el1_sys_val) = read_sanitised_ftr_reg(SYS_ID_AA64MMFR2_EL1);
++}
++
++static int kvm_hyp_init_protection(u32 hyp_va_bits)
++{
++ void *addr = phys_to_virt(hyp_mem_base);
++ int ret;
+
+ ret = create_hyp_mappings(addr, addr + hyp_mem_size, PAGE_HYP);
+ if (ret)
+@@ -2057,6 +2060,8 @@ static int init_hyp_mode(void)
+ cpu_prepare_hyp_mode(cpu);
+ }
+
++ kvm_hyp_init_symbols();
++
+ if (is_protected_kvm_enabled()) {
+ init_cpu_logical_map();
+
+@@ -2064,9 +2069,7 @@ static int init_hyp_mode(void)
+ err = -ENODEV;
+ goto out_err;
+ }
+- }
+
+- if (is_protected_kvm_enabled()) {
+ err = kvm_hyp_init_protection(hyp_va_bits);
+ if (err) {
+ kvm_err("Failed to init hyp memory protection\n");
+--
+2.39.2
+
--- /dev/null
+From 86e17af37b08a86c00a793b15b590ac342437624 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Dec 2022 13:15:00 -0800
+Subject: libbpf: Fix single-line struct definition output in btf_dump
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 872aec4b5f635d94111d48ec3c57fbe078d64e7d ]
+
+btf_dump APIs emit unnecessary tabs when emitting struct/union
+definition that fits on the single line. Before this patch we'd get:
+
+struct blah {<tab>};
+
+This patch fixes this and makes sure that we get more natural:
+
+struct blah {};
+
+Fixes: 44a726c3f23c ("bpftool: Print newline before '}' for struct with padding only fields")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20221212211505.558851-2-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf_dump.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c
+index 80a15a6802094..4cd1d49c94d6d 100644
+--- a/tools/lib/bpf/btf_dump.c
++++ b/tools/lib/bpf/btf_dump.c
+@@ -1015,9 +1015,12 @@ static void btf_dump_emit_struct_def(struct btf_dump *d,
+ * Keep `struct empty {}` on a single line,
+ * only print newline when there are regular or padding fields.
+ */
+- if (vlen || t->size)
++ if (vlen || t->size) {
+ btf_dump_printf(d, "\n");
+- btf_dump_printf(d, "%s}", pfx(lvl));
++ btf_dump_printf(d, "%s}", pfx(lvl));
++ } else {
++ btf_dump_printf(d, "}");
++ }
+ if (packed)
+ btf_dump_printf(d, " __attribute__((packed))");
+ }
+--
+2.39.2
+
--- /dev/null
+From b7eb4d89773398e6d909b7e13cf7554bc0d67d90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Mar 2023 15:13:35 +0800
+Subject: LoongArch, bpf: Fix jit to skip speculation barrier opcode
+
+From: George Guo <guodongtai@kylinos.cn>
+
+[ Upstream commit a6f6a95f25803500079513780d11a911ce551d76 ]
+
+Just skip the opcode(BPF_ST | BPF_NOSPEC) in the BPF JIT instead of
+failing to JIT the entire program, given LoongArch currently has no
+couterpart of a speculation barrier instruction. To verify the issue,
+use the ltp testcase as shown below.
+
+Also, Wang says:
+
+ I can confirm there's currently no speculation barrier equivalent
+ on LonogArch. (Loongson says there are builtin mitigations for
+ Spectre-V1 and V2 on their chips, and AFAIK efforts to port the
+ exploits to mips/LoongArch have all failed a few years ago.)
+
+Without this patch:
+
+ $ ./bpf_prog02
+ [...]
+ bpf_common.c:123: TBROK: Failed verification: ??? (524)
+ [...]
+ Summary:
+ passed 0
+ failed 0
+ broken 1
+ skipped 0
+ warnings 0
+
+With this patch:
+
+ $ ./bpf_prog02
+ [...]
+ Summary:
+ passed 0
+ failed 0
+ broken 0
+ skipped 0
+ warnings 0
+
+Fixes: 5dc615520c4d ("LoongArch: Add BPF JIT support")
+Signed-off-by: George Guo <guodongtai@kylinos.cn>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: WANG Xuerui <git@xen0n.name>
+Cc: Tiezhu Yang <yangtiezhu@loongson.cn>
+Link: https://lore.kernel.org/bpf/20230328071335.2664966-1-guodongtai@kylinos.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/loongarch/net/bpf_jit.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/loongarch/net/bpf_jit.c b/arch/loongarch/net/bpf_jit.c
+index 2467bfb8889a9..82b4402810da0 100644
+--- a/arch/loongarch/net/bpf_jit.c
++++ b/arch/loongarch/net/bpf_jit.c
+@@ -955,6 +955,10 @@ static int build_insn(const struct bpf_insn *insn, struct jit_ctx *ctx, bool ext
+ emit_atomic(insn, ctx);
+ break;
+
++ /* Speculation barrier */
++ case BPF_ST | BPF_NOSPEC:
++ break;
++
+ default:
+ pr_err("bpf_jit: unknown opcode %02x\n", code);
+ return -EINVAL;
+--
+2.39.2
+
--- /dev/null
+From 0e061adf8a192938e546a987ddea5d313cee42fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Apr 2023 16:21:44 -0700
+Subject: net: macb: fix a memory corruption in extended buffer descriptor mode
+
+From: Roman Gushchin <roman.gushchin@linux.dev>
+
+[ Upstream commit e8b74453555872851bdd7ea43a7c0ec39659834f ]
+
+For quite some time we were chasing a bug which looked like a sudden
+permanent failure of networking and mmc on some of our devices.
+The bug was very sensitive to any software changes and even more to
+any kernel debug options.
+
+Finally we got a setup where the problem was reproducible with
+CONFIG_DMA_API_DEBUG=y and it revealed the issue with the rx dma:
+
+[ 16.992082] ------------[ cut here ]------------
+[ 16.996779] DMA-API: macb ff0b0000.ethernet: device driver tries to free DMA memory it has not allocated [device address=0x0000000875e3e244] [size=1536 bytes]
+[ 17.011049] WARNING: CPU: 0 PID: 85 at kernel/dma/debug.c:1011 check_unmap+0x6a0/0x900
+[ 17.018977] Modules linked in: xxxxx
+[ 17.038823] CPU: 0 PID: 85 Comm: irq/55-8000f000 Not tainted 5.4.0 #28
+[ 17.045345] Hardware name: xxxxx
+[ 17.049528] pstate: 60000005 (nZCv daif -PAN -UAO)
+[ 17.054322] pc : check_unmap+0x6a0/0x900
+[ 17.058243] lr : check_unmap+0x6a0/0x900
+[ 17.062163] sp : ffffffc010003c40
+[ 17.065470] x29: ffffffc010003c40 x28: 000000004000c03c
+[ 17.070783] x27: ffffffc010da7048 x26: ffffff8878e38800
+[ 17.076095] x25: ffffff8879d22810 x24: ffffffc010003cc8
+[ 17.081407] x23: 0000000000000000 x22: ffffffc010a08750
+[ 17.086719] x21: ffffff8878e3c7c0 x20: ffffffc010acb000
+[ 17.092032] x19: 0000000875e3e244 x18: 0000000000000010
+[ 17.097343] x17: 0000000000000000 x16: 0000000000000000
+[ 17.102647] x15: ffffff8879e4a988 x14: 0720072007200720
+[ 17.107959] x13: 0720072007200720 x12: 0720072007200720
+[ 17.113261] x11: 0720072007200720 x10: 0720072007200720
+[ 17.118565] x9 : 0720072007200720 x8 : 000000000000022d
+[ 17.123869] x7 : 0000000000000015 x6 : 0000000000000098
+[ 17.129173] x5 : 0000000000000000 x4 : 0000000000000000
+[ 17.134475] x3 : 00000000ffffffff x2 : ffffffc010a1d370
+[ 17.139778] x1 : b420c9d75d27bb00 x0 : 0000000000000000
+[ 17.145082] Call trace:
+[ 17.147524] check_unmap+0x6a0/0x900
+[ 17.151091] debug_dma_unmap_page+0x88/0x90
+[ 17.155266] gem_rx+0x114/0x2f0
+[ 17.158396] macb_poll+0x58/0x100
+[ 17.161705] net_rx_action+0x118/0x400
+[ 17.165445] __do_softirq+0x138/0x36c
+[ 17.169100] irq_exit+0x98/0xc0
+[ 17.172234] __handle_domain_irq+0x64/0xc0
+[ 17.176320] gic_handle_irq+0x5c/0xc0
+[ 17.179974] el1_irq+0xb8/0x140
+[ 17.183109] xiic_process+0x5c/0xe30
+[ 17.186677] irq_thread_fn+0x28/0x90
+[ 17.190244] irq_thread+0x208/0x2a0
+[ 17.193724] kthread+0x130/0x140
+[ 17.196945] ret_from_fork+0x10/0x20
+[ 17.200510] ---[ end trace 7240980785f81d6f ]---
+
+[ 237.021490] ------------[ cut here ]------------
+[ 237.026129] DMA-API: exceeded 7 overlapping mappings of cacheline 0x0000000021d79e7b
+[ 237.033886] WARNING: CPU: 0 PID: 0 at kernel/dma/debug.c:499 add_dma_entry+0x214/0x240
+[ 237.041802] Modules linked in: xxxxx
+[ 237.061637] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.4.0 #28
+[ 237.068941] Hardware name: xxxxx
+[ 237.073116] pstate: 80000085 (Nzcv daIf -PAN -UAO)
+[ 237.077900] pc : add_dma_entry+0x214/0x240
+[ 237.081986] lr : add_dma_entry+0x214/0x240
+[ 237.086072] sp : ffffffc010003c30
+[ 237.089379] x29: ffffffc010003c30 x28: ffffff8878a0be00
+[ 237.094683] x27: 0000000000000180 x26: ffffff8878e387c0
+[ 237.099987] x25: 0000000000000002 x24: 0000000000000000
+[ 237.105290] x23: 000000000000003b x22: ffffffc010a0fa00
+[ 237.110594] x21: 0000000021d79e7b x20: ffffffc010abe600
+[ 237.115897] x19: 00000000ffffffef x18: 0000000000000010
+[ 237.121201] x17: 0000000000000000 x16: 0000000000000000
+[ 237.126504] x15: ffffffc010a0fdc8 x14: 0720072007200720
+[ 237.131807] x13: 0720072007200720 x12: 0720072007200720
+[ 237.137111] x11: 0720072007200720 x10: 0720072007200720
+[ 237.142415] x9 : 0720072007200720 x8 : 0000000000000259
+[ 237.147718] x7 : 0000000000000001 x6 : 0000000000000000
+[ 237.153022] x5 : ffffffc010003a20 x4 : 0000000000000001
+[ 237.158325] x3 : 0000000000000006 x2 : 0000000000000007
+[ 237.163628] x1 : 8ac721b3a7dc1c00 x0 : 0000000000000000
+[ 237.168932] Call trace:
+[ 237.171373] add_dma_entry+0x214/0x240
+[ 237.175115] debug_dma_map_page+0xf8/0x120
+[ 237.179203] gem_rx_refill+0x190/0x280
+[ 237.182942] gem_rx+0x224/0x2f0
+[ 237.186075] macb_poll+0x58/0x100
+[ 237.189384] net_rx_action+0x118/0x400
+[ 237.193125] __do_softirq+0x138/0x36c
+[ 237.196780] irq_exit+0x98/0xc0
+[ 237.199914] __handle_domain_irq+0x64/0xc0
+[ 237.204000] gic_handle_irq+0x5c/0xc0
+[ 237.207654] el1_irq+0xb8/0x140
+[ 237.210789] arch_cpu_idle+0x40/0x200
+[ 237.214444] default_idle_call+0x18/0x30
+[ 237.218359] do_idle+0x200/0x280
+[ 237.221578] cpu_startup_entry+0x20/0x30
+[ 237.225493] rest_init+0xe4/0xf0
+[ 237.228713] arch_call_rest_init+0xc/0x14
+[ 237.232714] start_kernel+0x47c/0x4a8
+[ 237.236367] ---[ end trace 7240980785f81d70 ]---
+
+Lars was fast to find an explanation: according to the datasheet
+bit 2 of the rx buffer descriptor entry has a different meaning in the
+extended mode:
+ Address [2] of beginning of buffer, or
+ in extended buffer descriptor mode (DMA configuration register [28] = 1),
+ indicates a valid timestamp in the buffer descriptor entry.
+
+The macb driver didn't mask this bit while getting an address and it
+eventually caused a memory corruption and a dma failure.
+
+The problem is resolved by explicitly clearing the problematic bit
+if hw timestamping is used.
+
+Fixes: 7b4296148066 ("net: macb: Add support for PTP timestamps in DMA descriptors")
+Signed-off-by: Roman Gushchin <roman.gushchin@linux.dev>
+Co-developed-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://lore.kernel.org/r/20230412232144.770336-1-roman.gushchin@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index e255780f3867c..abd6cc0cd641f 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -1010,6 +1010,10 @@ static dma_addr_t macb_get_addr(struct macb *bp, struct macb_dma_desc *desc)
+ }
+ #endif
+ addr |= MACB_BF(RX_WADDR, MACB_BFEXT(RX_WADDR, desc->addr));
++#ifdef CONFIG_MACB_USE_HWSTAMP
++ if (bp->hw_dma_cap & HW_DMA_CAP_PTP)
++ addr &= ~GEM_BIT(DMA_RXVALID);
++#endif
+ return addr;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From c72313010eed1adb302849430f8b938b8ffde7b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Apr 2023 07:53:41 +0000
+Subject: net: openvswitch: fix race on port output
+
+From: Felix Huettner <felix.huettner@mail.schwarz>
+
+[ Upstream commit 066b86787fa3d97b7aefb5ac0a99a22dad2d15f8 ]
+
+assume the following setup on a single machine:
+1. An openvswitch instance with one bridge and default flows
+2. two network namespaces "server" and "client"
+3. two ovs interfaces "server" and "client" on the bridge
+4. for each ovs interface a veth pair with a matching name and 32 rx and
+ tx queues
+5. move the ends of the veth pairs to the respective network namespaces
+6. assign ip addresses to each of the veth ends in the namespaces (needs
+ to be the same subnet)
+7. start some http server on the server network namespace
+8. test if a client in the client namespace can reach the http server
+
+when following the actions below the host has a chance of getting a cpu
+stuck in a infinite loop:
+1. send a large amount of parallel requests to the http server (around
+ 3000 curls should work)
+2. in parallel delete the network namespace (do not delete interfaces or
+ stop the server, just kill the namespace)
+
+there is a low chance that this will cause the below kernel cpu stuck
+message. If this does not happen just retry.
+Below there is also the output of bpftrace for the functions mentioned
+in the output.
+
+The series of events happening here is:
+1. the network namespace is deleted calling
+ `unregister_netdevice_many_notify` somewhere in the process
+2. this sets first `NETREG_UNREGISTERING` on both ends of the veth and
+ then runs `synchronize_net`
+3. it then calls `call_netdevice_notifiers` with `NETDEV_UNREGISTER`
+4. this is then handled by `dp_device_event` which calls
+ `ovs_netdev_detach_dev` (if a vport is found, which is the case for
+ the veth interface attached to ovs)
+5. this removes the rx_handlers of the device but does not prevent
+ packages to be sent to the device
+6. `dp_device_event` then queues the vport deletion to work in
+ background as a ovs_lock is needed that we do not hold in the
+ unregistration path
+7. `unregister_netdevice_many_notify` continues to call
+ `netdev_unregister_kobject` which sets `real_num_tx_queues` to 0
+8. port deletion continues (but details are not relevant for this issue)
+9. at some future point the background task deletes the vport
+
+If after 7. but before 9. a packet is send to the ovs vport (which is
+not deleted at this point in time) which forwards it to the
+`dev_queue_xmit` flow even though the device is unregistering.
+In `skb_tx_hash` (which is called in the `dev_queue_xmit`) path there is
+a while loop (if the packet has a rx_queue recorded) that is infinite if
+`dev->real_num_tx_queues` is zero.
+
+To prevent this from happening we update `do_output` to handle devices
+without carrier the same as if the device is not found (which would
+be the code path after 9. is done).
+
+Additionally we now produce a warning in `skb_tx_hash` if we will hit
+the infinite loop.
+
+bpftrace (first word is function name):
+
+__dev_queue_xmit server: real_num_tx_queues: 1, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 1
+netdev_core_pick_tx server: addr: 0xffff9f0a46d4a000 real_num_tx_queues: 1, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 1
+dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 2, reg_state: 1
+synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024
+synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024
+synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024
+synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024
+dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 6, reg_state: 2
+ovs_netdev_detach_dev server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, reg_state: 2
+netdev_rx_handler_unregister server: real_num_tx_queues: 1, cpu: 9, pid: 21024, tid: 21024, reg_state: 2
+synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024
+netdev_rx_handler_unregister ret server: real_num_tx_queues: 1, cpu: 9, pid: 21024, tid: 21024, reg_state: 2
+dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 27, reg_state: 2
+dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 22, reg_state: 2
+dp_device_event server: real_num_tx_queues: 1 cpu 9, pid: 21024, tid: 21024, event 18, reg_state: 2
+netdev_unregister_kobject: real_num_tx_queues: 1, cpu: 9, pid: 21024, tid: 21024
+synchronize_rcu_expedited: cpu 9, pid: 21024, tid: 21024
+ovs_vport_send server: real_num_tx_queues: 0, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 2
+__dev_queue_xmit server: real_num_tx_queues: 0, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 2
+netdev_core_pick_tx server: addr: 0xffff9f0a46d4a000 real_num_tx_queues: 0, cpu: 2, pid: 28024, tid: 28024, skb_addr: 0xffff9edb6f207000, reg_state: 2
+broken device server: real_num_tx_queues: 0, cpu: 2, pid: 28024, tid: 28024
+ovs_dp_detach_port server: real_num_tx_queues: 0 cpu 9, pid: 9124, tid: 9124, reg_state: 2
+synchronize_rcu_expedited: cpu 9, pid: 33604, tid: 33604
+
+stuck message:
+
+watchdog: BUG: soft lockup - CPU#5 stuck for 26s! [curl:1929279]
+Modules linked in: veth pktgen bridge stp llc ip_set_hash_net nft_counter xt_set nft_compat nf_tables ip_set_hash_ip ip_set nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 tls binfmt_misc nls_iso8859_1 input_leds joydev serio_raw dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua sch_fq_codel drm efi_pstore virtio_rng ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel virtio_net ahci net_failover crypto_simd cryptd psmouse libahci virtio_blk failover
+CPU: 5 PID: 1929279 Comm: curl Not tainted 5.15.0-67-generic #74-Ubuntu
+Hardware name: OpenStack Foundation OpenStack Nova, BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+RIP: 0010:netdev_pick_tx+0xf1/0x320
+Code: 00 00 8d 48 ff 0f b7 c1 66 39 ca 0f 86 e9 01 00 00 45 0f b7 ff 41 39 c7 0f 87 5b 01 00 00 44 29 f8 41 39 c7 0f 87 4f 01 00 00 <eb> f2 0f 1f 44 00 00 49 8b 94 24 28 04 00 00 48 85 d2 0f 84 53 01
+RSP: 0018:ffffb78b40298820 EFLAGS: 00000246
+RAX: 0000000000000000 RBX: ffff9c8773adc2e0 RCX: 000000000000083f
+RDX: 0000000000000000 RSI: ffff9c8773adc2e0 RDI: ffff9c870a25e000
+RBP: ffffb78b40298858 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff9c870a25e000
+R13: ffff9c870a25e000 R14: ffff9c87fe043480 R15: 0000000000000000
+FS: 00007f7b80008f00(0000) GS:ffff9c8e5f740000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f7b80f6a0b0 CR3: 0000000329d66000 CR4: 0000000000350ee0
+Call Trace:
+ <IRQ>
+ netdev_core_pick_tx+0xa4/0xb0
+ __dev_queue_xmit+0xf8/0x510
+ ? __bpf_prog_exit+0x1e/0x30
+ dev_queue_xmit+0x10/0x20
+ ovs_vport_send+0xad/0x170 [openvswitch]
+ do_output+0x59/0x180 [openvswitch]
+ do_execute_actions+0xa80/0xaa0 [openvswitch]
+ ? kfree+0x1/0x250
+ ? kfree+0x1/0x250
+ ? kprobe_perf_func+0x4f/0x2b0
+ ? flow_lookup.constprop.0+0x5c/0x110 [openvswitch]
+ ovs_execute_actions+0x4c/0x120 [openvswitch]
+ ovs_dp_process_packet+0xa1/0x200 [openvswitch]
+ ? ovs_ct_update_key.isra.0+0xa8/0x120 [openvswitch]
+ ? ovs_ct_fill_key+0x1d/0x30 [openvswitch]
+ ? ovs_flow_key_extract+0x2db/0x350 [openvswitch]
+ ovs_vport_receive+0x77/0xd0 [openvswitch]
+ ? __htab_map_lookup_elem+0x4e/0x60
+ ? bpf_prog_680e8aff8547aec1_kfree+0x3b/0x714
+ ? trace_call_bpf+0xc8/0x150
+ ? kfree+0x1/0x250
+ ? kfree+0x1/0x250
+ ? kprobe_perf_func+0x4f/0x2b0
+ ? kprobe_perf_func+0x4f/0x2b0
+ ? __mod_memcg_lruvec_state+0x63/0xe0
+ netdev_port_receive+0xc4/0x180 [openvswitch]
+ ? netdev_port_receive+0x180/0x180 [openvswitch]
+ netdev_frame_hook+0x1f/0x40 [openvswitch]
+ __netif_receive_skb_core.constprop.0+0x23d/0xf00
+ __netif_receive_skb_one_core+0x3f/0xa0
+ __netif_receive_skb+0x15/0x60
+ process_backlog+0x9e/0x170
+ __napi_poll+0x33/0x180
+ net_rx_action+0x126/0x280
+ ? ttwu_do_activate+0x72/0xf0
+ __do_softirq+0xd9/0x2e7
+ ? rcu_report_exp_cpu_mult+0x1b0/0x1b0
+ do_softirq+0x7d/0xb0
+ </IRQ>
+ <TASK>
+ __local_bh_enable_ip+0x54/0x60
+ ip_finish_output2+0x191/0x460
+ __ip_finish_output+0xb7/0x180
+ ip_finish_output+0x2e/0xc0
+ ip_output+0x78/0x100
+ ? __ip_finish_output+0x180/0x180
+ ip_local_out+0x5e/0x70
+ __ip_queue_xmit+0x184/0x440
+ ? tcp_syn_options+0x1f9/0x300
+ ip_queue_xmit+0x15/0x20
+ __tcp_transmit_skb+0x910/0x9c0
+ ? __mod_memcg_state+0x44/0xa0
+ tcp_connect+0x437/0x4e0
+ ? ktime_get_with_offset+0x60/0xf0
+ tcp_v4_connect+0x436/0x530
+ __inet_stream_connect+0xd4/0x3a0
+ ? kprobe_perf_func+0x4f/0x2b0
+ ? aa_sk_perm+0x43/0x1c0
+ inet_stream_connect+0x3b/0x60
+ __sys_connect_file+0x63/0x70
+ __sys_connect+0xa6/0xd0
+ ? setfl+0x108/0x170
+ ? do_fcntl+0xe8/0x5a0
+ __x64_sys_connect+0x18/0x20
+ do_syscall_64+0x5c/0xc0
+ ? __x64_sys_fcntl+0xa9/0xd0
+ ? exit_to_user_mode_prepare+0x37/0xb0
+ ? syscall_exit_to_user_mode+0x27/0x50
+ ? do_syscall_64+0x69/0xc0
+ ? __sys_setsockopt+0xea/0x1e0
+ ? exit_to_user_mode_prepare+0x37/0xb0
+ ? syscall_exit_to_user_mode+0x27/0x50
+ ? __x64_sys_setsockopt+0x1f/0x30
+ ? do_syscall_64+0x69/0xc0
+ ? irqentry_exit+0x1d/0x30
+ ? exc_page_fault+0x89/0x170
+ entry_SYSCALL_64_after_hwframe+0x61/0xcb
+RIP: 0033:0x7f7b8101c6a7
+Code: 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 18 89 54 24 0c 48 89 34 24 89
+RSP: 002b:00007ffffd6b2198 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7b8101c6a7
+RDX: 0000000000000010 RSI: 00007ffffd6b2360 RDI: 0000000000000005
+RBP: 0000561f1370d560 R08: 00002795ad21d1ac R09: 0030312e302e302e
+R10: 00007ffffd73f080 R11: 0000000000000246 R12: 0000561f1370c410
+R13: 0000000000000000 R14: 0000000000000005 R15: 0000000000000000
+ </TASK>
+
+Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
+Co-developed-by: Luca Czesla <luca.czesla@mail.schwarz>
+Signed-off-by: Luca Czesla <luca.czesla@mail.schwarz>
+Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/ZC0pBXBAgh7c76CA@kernel-bug-kernel-bug
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 1 +
+ net/openvswitch/actions.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 24eae99dfe05a..a25b8741b1599 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3211,6 +3211,7 @@ static u16 skb_tx_hash(const struct net_device *dev,
+ }
+
+ if (skb_rx_queue_recorded(skb)) {
++ DEBUG_NET_WARN_ON_ONCE(qcount == 0);
+ hash = skb_get_rx_queue(skb);
+ if (hash >= qoffset)
+ hash -= qoffset;
+diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
+index ca3ebfdb30231..a8cf9a88758ef 100644
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -913,7 +913,7 @@ static void do_output(struct datapath *dp, struct sk_buff *skb, int out_port,
+ {
+ struct vport *vport = ovs_vport_rcu(dp, out_port);
+
+- if (likely(vport)) {
++ if (likely(vport && netif_carrier_ok(vport->dev))) {
+ u16 mru = OVS_CB(skb)->mru;
+ u32 cutlen = OVS_CB(skb)->cutlen;
+
+--
+2.39.2
+
--- /dev/null
+From 0a140d63a92b47108c5cdfe05d93bdf13cdeec98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Apr 2023 09:23:52 +0800
+Subject: net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 6417070918de3bcdbe0646e7256dae58fd8083ba ]
+
+Syzbot reported a bug as following:
+
+=====================================================
+BUG: KMSAN: uninit-value in qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230
+ qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230
+ qrtr_endpoint_post+0xf85/0x11b0 net/qrtr/af_qrtr.c:519
+ qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108
+ call_write_iter include/linux/fs.h:2189 [inline]
+ aio_write+0x63a/0x950 fs/aio.c:1600
+ io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
+ __do_sys_io_submit fs/aio.c:2078 [inline]
+ __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
+ __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slab.h:766 [inline]
+ slab_alloc_node mm/slub.c:3452 [inline]
+ __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491
+ __do_kmalloc_node mm/slab_common.c:967 [inline]
+ __kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988
+ kmalloc_reserve net/core/skbuff.c:492 [inline]
+ __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565
+ __netdev_alloc_skb+0x120/0x7d0 net/core/skbuff.c:630
+ qrtr_endpoint_post+0xbd/0x11b0 net/qrtr/af_qrtr.c:446
+ qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108
+ call_write_iter include/linux/fs.h:2189 [inline]
+ aio_write+0x63a/0x950 fs/aio.c:1600
+ io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
+ __do_sys_io_submit fs/aio.c:2078 [inline]
+ __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
+ __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+It is because that skb->len requires at least sizeof(struct qrtr_ctrl_pkt)
+in qrtr_tx_resume(). And skb->len equals to size in qrtr_endpoint_post().
+But size is less than sizeof(struct qrtr_ctrl_pkt) when qrtr_cb->type
+equals to QRTR_TYPE_RESUME_TX in qrtr_endpoint_post() under the syzbot
+scenario. This triggers the uninit variable access bug.
+
+Add size check when qrtr_cb->type equals to QRTR_TYPE_RESUME_TX in
+qrtr_endpoint_post() to fix the bug.
+
+Fixes: 5fdeb0d372ab ("net: qrtr: Implement outgoing flow control")
+Reported-by: syzbot+4436c9630a45820fda76@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=c14607f0963d27d5a3d5f4c8639b500909e43540
+Suggested-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230410012352.3997823-1-william.xuanziyang@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/qrtr/af_qrtr.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/qrtr/af_qrtr.c b/net/qrtr/af_qrtr.c
+index 3a70255c8d02f..76f0434d3d06a 100644
+--- a/net/qrtr/af_qrtr.c
++++ b/net/qrtr/af_qrtr.c
+@@ -498,6 +498,11 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
+ if (!size || len != ALIGN(size, 4) + hdrlen)
+ goto err;
+
++ if ((cb->type == QRTR_TYPE_NEW_SERVER ||
++ cb->type == QRTR_TYPE_RESUME_TX) &&
++ size < sizeof(struct qrtr_ctrl_pkt))
++ goto err;
++
+ if (cb->dst_port != QRTR_PORT_CTRL && cb->type != QRTR_TYPE_DATA &&
+ cb->type != QRTR_TYPE_RESUME_TX)
+ goto err;
+@@ -510,9 +515,6 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
+ /* Remote node endpoint can bridge other distant nodes */
+ const struct qrtr_ctrl_pkt *pkt;
+
+- if (size < sizeof(*pkt))
+- goto err;
+-
+ pkt = data + hdrlen;
+ qrtr_node_assign(node, le32_to_cpu(pkt->server.node));
+ }
+--
+2.39.2
+
--- /dev/null
+From 7bcd4c32bf8030d1e3b76e797832f589a1a09f50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Apr 2023 12:43:21 -0700
+Subject: net: wwan: iosm: Fix error handling path in ipc_pcie_probe()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit a56ef25619e079bd7d744636cf18d054d1e91982 ]
+
+Smatch reports:
+ drivers/net/wwan/iosm/iosm_ipc_pcie.c:298 ipc_pcie_probe()
+ warn: missing unwind goto?
+
+When dma_set_mask fails it directly returns without disabling pci
+device and freeing ipc_pcie. Fix this my calling a correct goto label
+
+As dma_set_mask returns either 0 or -EIO, we can use a goto label, as
+it finally returns -EIO.
+
+Add a set_mask_fail goto label which stands consistent with other goto
+labels in this function..
+
+Fixes: 035e3befc191 ("net: wwan: iosm: fix driver not working with INTEL_IOMMU disabled")
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/iosm/iosm_ipc_pcie.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_pcie.c b/drivers/net/wwan/iosm/iosm_ipc_pcie.c
+index 5bf5a93937c9c..04517bd3325a2 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_pcie.c
++++ b/drivers/net/wwan/iosm/iosm_ipc_pcie.c
+@@ -295,7 +295,7 @@ static int ipc_pcie_probe(struct pci_dev *pci,
+ ret = dma_set_mask(ipc_pcie->dev, DMA_BIT_MASK(64));
+ if (ret) {
+ dev_err(ipc_pcie->dev, "Could not set PCI DMA mask: %d", ret);
+- return ret;
++ goto set_mask_fail;
+ }
+
+ ipc_pcie_config_aspm(ipc_pcie);
+@@ -323,6 +323,7 @@ static int ipc_pcie_probe(struct pci_dev *pci,
+ imem_init_fail:
+ ipc_pcie_resources_release(ipc_pcie);
+ resources_req_fail:
++set_mask_fail:
+ pci_disable_device(pci);
+ pci_enable_fail:
+ kfree(ipc_pcie);
+--
+2.39.2
+
--- /dev/null
+From 3f43bcd027f788e63e85071e635945cb811b65f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Apr 2023 23:31:18 -0700
+Subject: niu: Fix missing unwind goto in niu_alloc_channels()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit 8ce07be703456acb00e83d99f3b8036252c33b02 ]
+
+Smatch reports: drivers/net/ethernet/sun/niu.c:4525
+ niu_alloc_channels() warn: missing unwind goto?
+
+If niu_rbr_fill() fails, then we are directly returning 'err' without
+freeing the channels.
+
+Fix this by changing direct return to a goto 'out_err'.
+
+Fixes: a3138df9f20e ("[NIU]: Add Sun Neptune ethernet driver.")
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sun/niu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c
+index e6144d963eaaa..4bbf011d53e69 100644
+--- a/drivers/net/ethernet/sun/niu.c
++++ b/drivers/net/ethernet/sun/niu.c
+@@ -4522,7 +4522,7 @@ static int niu_alloc_channels(struct niu *np)
+
+ err = niu_rbr_fill(np, rp, GFP_KERNEL);
+ if (err)
+- return err;
++ goto out_err;
+ }
+
+ tx_rings = kcalloc(num_tx_rings, sizeof(struct tx_ring_info),
+--
+2.39.2
+
--- /dev/null
+From 9ffe85d7fd9bcd4b921114a08e1a38d2783bdf3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 17:20:09 +0530
+Subject: nvme: send Identify with CNS 06h only to I/O controllers
+
+From: Martin George <martinus.gpy@gmail.com>
+
+[ Upstream commit def84ab600b71ea3fcc422a876d5d0d0daa7d4f3 ]
+
+Identify CNS 06h (I/O Command Set Specific Identify Controller data
+structure) is supported only on i/o controllers.
+
+But nvme_init_non_mdts_limits() currently invokes this on all
+controllers. Correct this by ensuring this is sent to I/O
+controllers only.
+
+Signed-off-by: Martin George <marting@netapp.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index cb71ce3413c2d..c54c6ffba0bcd 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3074,7 +3074,8 @@ static int nvme_init_non_mdts_limits(struct nvme_ctrl *ctrl)
+ else
+ ctrl->max_zeroes_sectors = 0;
+
+- if (nvme_ctrl_limited_cns(ctrl))
++ if (ctrl->subsys->subtype != NVME_NQN_NVME ||
++ nvme_ctrl_limited_cns(ctrl))
+ return 0;
+
+ id = kzalloc(sizeof(*id), GFP_KERNEL);
+--
+2.39.2
+
--- /dev/null
+From 33e1c831b2afd36ecfa079f8757c13852c860c4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Dec 2022 12:17:23 +0300
+Subject: power: supply: axp288_fuel_gauge: Added check for negative values
+
+From: Denis Arefev <arefev@swemel.ru>
+
+[ Upstream commit bf6c880d5d1448489ebf92e2d13d5713ff644930 ]
+
+Variable 'pirq', which may receive negative value
+in platform_get_irq().
+Used as an index in a function regmap_irq_get_virq().
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Denis Arefev <arefev@swemel.ru>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/axp288_fuel_gauge.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/power/supply/axp288_fuel_gauge.c b/drivers/power/supply/axp288_fuel_gauge.c
+index 8e6f8a6550790..05f4131784629 100644
+--- a/drivers/power/supply/axp288_fuel_gauge.c
++++ b/drivers/power/supply/axp288_fuel_gauge.c
+@@ -724,6 +724,8 @@ static int axp288_fuel_gauge_probe(struct platform_device *pdev)
+
+ for (i = 0; i < AXP288_FG_INTR_NUM; i++) {
+ pirq = platform_get_irq(pdev, i);
++ if (pirq < 0)
++ continue;
+ ret = regmap_irq_get_virq(axp20x->regmap_irqc, pirq);
+ if (ret < 0)
+ return dev_err_probe(dev, ret, "getting vIRQ %d\n", pirq);
+--
+2.39.2
+
--- /dev/null
+From 5ba97277572d2a05ffec1baede7168c5ab8a790e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Dec 2022 13:38:57 -0800
+Subject: power: supply: cros_usbpd: reclassify "default case!" as debug
+
+From: Grant Grundler <grundler@chromium.org>
+
+[ Upstream commit 14c76b2e75bca4d96e2b85a0c12aa43e84fe3f74 ]
+
+This doesn't need to be printed every second as an error:
+...
+<3>[17438.628385] cros-usbpd-charger cros-usbpd-charger.3.auto: Port 1: default case!
+<3>[17439.634176] cros-usbpd-charger cros-usbpd-charger.3.auto: Port 1: default case!
+<3>[17440.640298] cros-usbpd-charger cros-usbpd-charger.3.auto: Port 1: default case!
+...
+
+Reduce priority from ERROR to DEBUG.
+
+Signed-off-by: Grant Grundler <grundler@chromium.org>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/cros_usbpd-charger.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/cros_usbpd-charger.c b/drivers/power/supply/cros_usbpd-charger.c
+index cadb6a0c2cc7e..b6c96376776a9 100644
+--- a/drivers/power/supply/cros_usbpd-charger.c
++++ b/drivers/power/supply/cros_usbpd-charger.c
+@@ -276,7 +276,7 @@ static int cros_usbpd_charger_get_power_info(struct port_data *port)
+ port->psy_current_max = 0;
+ break;
+ default:
+- dev_err(dev, "Port %d: default case!\n", port->port_number);
++ dev_dbg(dev, "Port %d: default case!\n", port->port_number);
+ port->psy_usb_type = POWER_SUPPLY_USB_TYPE_SDP;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 67bf80f0c4e8fdcb2d63672501ecbba957a62030 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Dec 2022 11:23:16 +0800
+Subject: power: supply: rk817: Fix unsigned comparison with less than zero
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit 3268a4d9b0b85a4382e93bdf7be5400a73db74c5 ]
+
+The tmp is defined as u32 type, which results in invalid processing of
+tmp<0 in function rk817_read_or_set_full_charge_on_boot(). Therefore,
+drop the comparison.
+
+drivers/power/supply/rk817_charger.c:828 rk817_read_or_set_full_charge_on_boot() warn: unsigned 'tmp' is never less than zero.
+drivers/power/supply/rk817_charger.c:788 rk817_read_or_set_full_charge_on_boot() warn: unsigned 'tmp' is never less than zero.
+
+Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=3444
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Tested-by: Chris Morgan <macromorgan@hotmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/rk817_charger.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/power/supply/rk817_charger.c b/drivers/power/supply/rk817_charger.c
+index 4f9c1c4179165..36f807b5ec442 100644
+--- a/drivers/power/supply/rk817_charger.c
++++ b/drivers/power/supply/rk817_charger.c
+@@ -785,8 +785,6 @@ rk817_read_or_set_full_charge_on_boot(struct rk817_charger *charger,
+ regmap_bulk_read(rk808->regmap, RK817_GAS_GAUGE_Q_PRES_H3,
+ bulk_reg, 4);
+ tmp = get_unaligned_be32(bulk_reg);
+- if (tmp < 0)
+- tmp = 0;
+ boot_charge_mah = ADC_TO_CHARGE_UAH(tmp,
+ charger->res_div) / 1000;
+ /*
+@@ -825,8 +823,6 @@ rk817_read_or_set_full_charge_on_boot(struct rk817_charger *charger,
+ regmap_bulk_read(rk808->regmap, RK817_GAS_GAUGE_Q_PRES_H3,
+ bulk_reg, 4);
+ tmp = get_unaligned_be32(bulk_reg);
+- if (tmp < 0)
+- tmp = 0;
+ boot_charge_mah = ADC_TO_CHARGE_UAH(tmp, charger->res_div) / 1000;
+ regmap_bulk_read(rk808->regmap, RK817_GAS_GAUGE_OCV_VOL_H,
+ bulk_reg, 2);
+--
+2.39.2
+
--- /dev/null
+From 29724ab45ae6cbc140b9293c2b74b7911ff357d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Apr 2023 10:18:49 +0300
+Subject: qlcnic: check pci_reset_function result
+
+From: Denis Plotnikov <den-plotnikov@yandex-team.ru>
+
+[ Upstream commit 7573099e10ca69c3be33995c1fcd0d241226816d ]
+
+Static code analyzer complains to unchecked return value.
+The result of pci_reset_function() is unchecked.
+Despite, the issue is on the FLR supported code path and in that
+case reset can be done with pcie_flr(), the patch uses less invasive
+approach by adding the result check of pci_reset_function().
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 7e2cf4feba05 ("qlcnic: change driver hardware interface mechanism")
+Signed-off-by: Denis Plotnikov <den-plotnikov@yandex-team.ru>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c
+index 87f76bac2e463..eb827b86ecae8 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c
+@@ -628,7 +628,13 @@ int qlcnic_fw_create_ctx(struct qlcnic_adapter *dev)
+ int i, err, ring;
+
+ if (dev->flags & QLCNIC_NEED_FLR) {
+- pci_reset_function(dev->pdev);
++ err = pci_reset_function(dev->pdev);
++ if (err) {
++ dev_err(&dev->pdev->dev,
++ "Adapter reset failed (%d). Please reboot\n",
++ err);
++ return err;
++ }
+ dev->flags &= ~QLCNIC_NEED_FLR;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 7c6eac4a32c08d6ef9203e51c4bcb3e21b09b043 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 12:59:55 +0200
+Subject: RDMA/cma: Allow UD qp_type to join multicast only
+
+From: Mark Zhang <markzhang@nvidia.com>
+
+[ Upstream commit 58e84f6b3e84e46524b7e5a916b53c1ad798bc8f ]
+
+As for multicast:
+- The SIDR is the only mode that makes sense;
+- Besides PS_UDP, other port spaces like PS_IB is also allowed, as it is
+ UD compatible. In this case qkey also needs to be set [1].
+
+This patch allows only UD qp_type to join multicast, and set qkey to
+default if it's not set, to fix an uninit-value error: the ib->rec.qkey
+field is accessed without being initialized.
+
+=====================================================
+BUG: KMSAN: uninit-value in cma_set_qkey drivers/infiniband/core/cma.c:510 [inline]
+BUG: KMSAN: uninit-value in cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570
+ cma_set_qkey drivers/infiniband/core/cma.c:510 [inline]
+ cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570
+ cma_iboe_join_multicast drivers/infiniband/core/cma.c:4782 [inline]
+ rdma_join_multicast+0x2b83/0x30a0 drivers/infiniband/core/cma.c:4814
+ ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479
+ ucma_join_multicast+0x1e3/0x250 drivers/infiniband/core/ucma.c:1546
+ ucma_write+0x639/0x6d0 drivers/infiniband/core/ucma.c:1732
+ vfs_write+0x8ce/0x2030 fs/read_write.c:588
+ ksys_write+0x28c/0x520 fs/read_write.c:643
+ __do_sys_write fs/read_write.c:655 [inline]
+ __se_sys_write fs/read_write.c:652 [inline]
+ __ia32_sys_write+0xdb/0x120 fs/read_write.c:652
+ do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
+ __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
+ do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
+ do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
+ entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
+
+Local variable ib.i created at:
+cma_iboe_join_multicast drivers/infiniband/core/cma.c:4737 [inline]
+rdma_join_multicast+0x586/0x30a0 drivers/infiniband/core/cma.c:4814
+ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479
+
+CPU: 0 PID: 29874 Comm: syz-executor.3 Not tainted 5.16.0-rc3-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+=====================================================
+
+[1] https://lore.kernel.org/linux-rdma/20220117183832.GD84788@nvidia.com/
+
+Fixes: b5de0c60cc30 ("RDMA/cma: Fix use after free race in roce multicast join")
+Reported-by: syzbot+8fcbb77276d43cc8b693@syzkaller.appspotmail.com
+Signed-off-by: Mark Zhang <markzhang@nvidia.com>
+Link: https://lore.kernel.org/r/58a4a98323b5e6b1282e83f6b76960d06e43b9fa.1679309909.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 60 ++++++++++++++++++++---------------
+ 1 file changed, 34 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 8730674ceb2e1..c6a671edba5c8 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -624,22 +624,11 @@ static inline unsigned short cma_family(struct rdma_id_private *id_priv)
+ return id_priv->id.route.addr.src_addr.ss_family;
+ }
+
+-static int cma_set_qkey(struct rdma_id_private *id_priv, u32 qkey)
++static int cma_set_default_qkey(struct rdma_id_private *id_priv)
+ {
+ struct ib_sa_mcmember_rec rec;
+ int ret = 0;
+
+- if (id_priv->qkey) {
+- if (qkey && id_priv->qkey != qkey)
+- return -EINVAL;
+- return 0;
+- }
+-
+- if (qkey) {
+- id_priv->qkey = qkey;
+- return 0;
+- }
+-
+ switch (id_priv->id.ps) {
+ case RDMA_PS_UDP:
+ case RDMA_PS_IB:
+@@ -659,6 +648,16 @@ static int cma_set_qkey(struct rdma_id_private *id_priv, u32 qkey)
+ return ret;
+ }
+
++static int cma_set_qkey(struct rdma_id_private *id_priv, u32 qkey)
++{
++ if (!qkey ||
++ (id_priv->qkey && (id_priv->qkey != qkey)))
++ return -EINVAL;
++
++ id_priv->qkey = qkey;
++ return 0;
++}
++
+ static void cma_translate_ib(struct sockaddr_ib *sib, struct rdma_dev_addr *dev_addr)
+ {
+ dev_addr->dev_type = ARPHRD_INFINIBAND;
+@@ -1229,7 +1228,7 @@ static int cma_ib_init_qp_attr(struct rdma_id_private *id_priv,
+ *qp_attr_mask = IB_QP_STATE | IB_QP_PKEY_INDEX | IB_QP_PORT;
+
+ if (id_priv->id.qp_type == IB_QPT_UD) {
+- ret = cma_set_qkey(id_priv, 0);
++ ret = cma_set_default_qkey(id_priv);
+ if (ret)
+ return ret;
+
+@@ -4558,7 +4557,10 @@ static int cma_send_sidr_rep(struct rdma_id_private *id_priv,
+ memset(&rep, 0, sizeof rep);
+ rep.status = status;
+ if (status == IB_SIDR_SUCCESS) {
+- ret = cma_set_qkey(id_priv, qkey);
++ if (qkey)
++ ret = cma_set_qkey(id_priv, qkey);
++ else
++ ret = cma_set_default_qkey(id_priv);
+ if (ret)
+ return ret;
+ rep.qp_num = id_priv->qp_num;
+@@ -4763,9 +4765,7 @@ static void cma_make_mc_event(int status, struct rdma_id_private *id_priv,
+ enum ib_gid_type gid_type;
+ struct net_device *ndev;
+
+- if (!status)
+- status = cma_set_qkey(id_priv, be32_to_cpu(multicast->rec.qkey));
+- else
++ if (status)
+ pr_debug_ratelimited("RDMA CM: MULTICAST_ERROR: failed to join multicast. status %d\n",
+ status);
+
+@@ -4793,7 +4793,7 @@ static void cma_make_mc_event(int status, struct rdma_id_private *id_priv,
+ }
+
+ event->param.ud.qp_num = 0xFFFFFF;
+- event->param.ud.qkey = be32_to_cpu(multicast->rec.qkey);
++ event->param.ud.qkey = id_priv->qkey;
+
+ out:
+ if (ndev)
+@@ -4812,8 +4812,11 @@ static int cma_ib_mc_handler(int status, struct ib_sa_multicast *multicast)
+ READ_ONCE(id_priv->state) == RDMA_CM_DESTROYING)
+ goto out;
+
+- cma_make_mc_event(status, id_priv, multicast, &event, mc);
+- ret = cma_cm_event_handler(id_priv, &event);
++ ret = cma_set_qkey(id_priv, be32_to_cpu(multicast->rec.qkey));
++ if (!ret) {
++ cma_make_mc_event(status, id_priv, multicast, &event, mc);
++ ret = cma_cm_event_handler(id_priv, &event);
++ }
+ rdma_destroy_ah_attr(&event.param.ud.ah_attr);
+ WARN_ON(ret);
+
+@@ -4866,9 +4869,11 @@ static int cma_join_ib_multicast(struct rdma_id_private *id_priv,
+ if (ret)
+ return ret;
+
+- ret = cma_set_qkey(id_priv, 0);
+- if (ret)
+- return ret;
++ if (!id_priv->qkey) {
++ ret = cma_set_default_qkey(id_priv);
++ if (ret)
++ return ret;
++ }
+
+ cma_set_mgid(id_priv, (struct sockaddr *) &mc->addr, &rec.mgid);
+ rec.qkey = cpu_to_be32(id_priv->qkey);
+@@ -4945,9 +4950,6 @@ static int cma_iboe_join_multicast(struct rdma_id_private *id_priv,
+ cma_iboe_set_mgid(addr, &ib.rec.mgid, gid_type);
+
+ ib.rec.pkey = cpu_to_be16(0xffff);
+- if (id_priv->id.ps == RDMA_PS_UDP)
+- ib.rec.qkey = cpu_to_be32(RDMA_UDP_QKEY);
+-
+ if (dev_addr->bound_dev_if)
+ ndev = dev_get_by_index(dev_addr->net, dev_addr->bound_dev_if);
+ if (!ndev)
+@@ -4973,6 +4975,9 @@ static int cma_iboe_join_multicast(struct rdma_id_private *id_priv,
+ if (err || !ib.rec.mtu)
+ return err ?: -EINVAL;
+
++ if (!id_priv->qkey)
++ cma_set_default_qkey(id_priv);
++
+ rdma_ip2gid((struct sockaddr *)&id_priv->id.route.addr.src_addr,
+ &ib.rec.port_gid);
+ INIT_WORK(&mc->iboe_join.work, cma_iboe_join_work_handler);
+@@ -4998,6 +5003,9 @@ int rdma_join_multicast(struct rdma_cm_id *id, struct sockaddr *addr,
+ READ_ONCE(id_priv->state) != RDMA_CM_ADDR_RESOLVED))
+ return -EINVAL;
+
++ if (id_priv->id.qp_type != IB_QPT_UD)
++ return -EINVAL;
++
+ mc = kzalloc(sizeof(*mc), GFP_KERNEL);
+ if (!mc)
+ return -ENOMEM;
+--
+2.39.2
+
--- /dev/null
+From 0f2666bc048abdddc9d09501d990c3b088b68a63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Mar 2023 23:34:24 -0700
+Subject: RDMA/core: Fix GID entry ref leak when create_ah fails
+
+From: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
+
+[ Upstream commit aca3b0fa3d04b40c96934d86cc224cccfa7ea8e0 ]
+
+If AH create request fails, release sgid_attr to avoid GID entry
+referrence leak reported while releasing GID table
+
+Fixes: 1a1f460ff151 ("RDMA: Hold the sgid_attr inside the struct ib_ah/qp")
+Link: https://lore.kernel.org/r/20230401063424.342204-1-saravanan.vajravel@broadcom.com
+Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/verbs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
+index 11b1c1603aeb4..b99b3cc283b65 100644
+--- a/drivers/infiniband/core/verbs.c
++++ b/drivers/infiniband/core/verbs.c
+@@ -532,6 +532,8 @@ static struct ib_ah *_rdma_create_ah(struct ib_pd *pd,
+ else
+ ret = device->ops.create_ah(ah, &init_attr, NULL);
+ if (ret) {
++ if (ah->sgid_attr)
++ rdma_put_gid_attr(ah->sgid_attr);
+ kfree(ah);
+ return ERR_PTR(ret);
+ }
+--
+2.39.2
+
--- /dev/null
+From 38292fbedefbdea572d211d1cc11749c4efc1c8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 16:46:52 +0800
+Subject: RDMA/erdma: Defer probing if netdevice can not be found
+
+From: Cheng Xu <chengyou@linux.alibaba.com>
+
+[ Upstream commit 6bd1bca858f1734a75572a788213d1e1143f2f0a ]
+
+ERDMA device may be probed before its associated netdevice, returning
+-EPROBE_DEFER allows OS try to probe erdma device later.
+
+Fixes: d55e6fb4803c ("RDMA/erdma: Add the erdma module")
+Signed-off-by: Cheng Xu <chengyou@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230320084652.16807-5-chengyou@linux.alibaba.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/erdma/erdma_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/erdma/erdma_main.c b/drivers/infiniband/hw/erdma/erdma_main.c
+index 49778bb294ae4..49d9319217414 100644
+--- a/drivers/infiniband/hw/erdma/erdma_main.c
++++ b/drivers/infiniband/hw/erdma/erdma_main.c
+@@ -56,7 +56,7 @@ static int erdma_netdev_event(struct notifier_block *nb, unsigned long event,
+ static int erdma_enum_and_get_netdev(struct erdma_dev *dev)
+ {
+ struct net_device *netdev;
+- int ret = -ENODEV;
++ int ret = -EPROBE_DEFER;
+
+ /* Already binded to a net_device, so we skip. */
+ if (dev->netdev)
+--
+2.39.2
+
--- /dev/null
+From b4232db92d776d682e5702280744bd3f0626286a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 16:46:51 +0800
+Subject: RDMA/erdma: Inline mtt entries into WQE if supported
+
+From: Cheng Xu <chengyou@linux.alibaba.com>
+
+[ Upstream commit 0dd83a4d7756713f81990d6c5547500f212a1190 ]
+
+The max inline mtt count supported is ERDMA_MAX_INLINE_MTT_ENTRIES.
+When mr->mem.mtt_nents == ERDMA_MAX_INLINE_MTT_ENTRIES, inline mtt
+is also supported, fix it.
+
+Fixes: 155055771704 ("RDMA/erdma: Add verbs implementation")
+Signed-off-by: Cheng Xu <chengyou@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230320084652.16807-4-chengyou@linux.alibaba.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/erdma/erdma_qp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/erdma/erdma_qp.c b/drivers/infiniband/hw/erdma/erdma_qp.c
+index 5fe1a339a4354..e3b0baa703e68 100644
+--- a/drivers/infiniband/hw/erdma/erdma_qp.c
++++ b/drivers/infiniband/hw/erdma/erdma_qp.c
+@@ -402,7 +402,7 @@ static int erdma_push_one_sqe(struct erdma_qp *qp, u16 *pi,
+ FIELD_PREP(ERDMA_SQE_MR_MTT_CNT_MASK,
+ mr->mem.mtt_nents);
+
+- if (mr->mem.mtt_nents < ERDMA_MAX_INLINE_MTT_ENTRIES) {
++ if (mr->mem.mtt_nents <= ERDMA_MAX_INLINE_MTT_ENTRIES) {
+ attrs |= FIELD_PREP(ERDMA_SQE_MR_MTT_TYPE_MASK, 0);
+ /* Copy SGLs to SQE content to accelerate */
+ memcpy(get_queue_entry(qp->kern_qp.sq_buf, idx + 1,
+--
+2.39.2
+
--- /dev/null
+From bbf29f46c05babea2db7d80d6e4a9a4c72341b8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 16:46:50 +0800
+Subject: RDMA/erdma: Update default EQ depth to 4096 and max_send_wr to 8192
+
+From: Cheng Xu <chengyou@linux.alibaba.com>
+
+[ Upstream commit 6256aa9ae955d10ec73a434533ca62034eff1b76 ]
+
+Max EQ depth of hardware is 32K, the current default EQ depth is too small
+for some applications, so change the default depth to 4096.
+Max send WRs the hardware can support is 8K, but the driver limits the
+value to 4K. Remove this limitation.
+
+Fixes: be3cff0f242d ("RDMA/erdma: Add the hardware related definitions")
+Fixes: db23ae64caac ("RDMA/erdma: Add verbs header file")
+Signed-off-by: Cheng Xu <chengyou@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230320084652.16807-3-chengyou@linux.alibaba.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/erdma/erdma_hw.h | 2 +-
+ drivers/infiniband/hw/erdma/erdma_verbs.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/erdma/erdma_hw.h b/drivers/infiniband/hw/erdma/erdma_hw.h
+index e788887732e1f..c533c693e5e38 100644
+--- a/drivers/infiniband/hw/erdma/erdma_hw.h
++++ b/drivers/infiniband/hw/erdma/erdma_hw.h
+@@ -420,7 +420,7 @@ struct erdma_reg_mr_sqe {
+ };
+
+ /* EQ related. */
+-#define ERDMA_DEFAULT_EQ_DEPTH 256
++#define ERDMA_DEFAULT_EQ_DEPTH 4096
+
+ /* ceqe */
+ #define ERDMA_CEQE_HDR_DB_MASK BIT_ULL(63)
+diff --git a/drivers/infiniband/hw/erdma/erdma_verbs.h b/drivers/infiniband/hw/erdma/erdma_verbs.h
+index ab6380635e9e6..eabab8bba95af 100644
+--- a/drivers/infiniband/hw/erdma/erdma_verbs.h
++++ b/drivers/infiniband/hw/erdma/erdma_verbs.h
+@@ -11,7 +11,7 @@
+
+ /* RDMA Capability. */
+ #define ERDMA_MAX_PD (128 * 1024)
+-#define ERDMA_MAX_SEND_WR 4096
++#define ERDMA_MAX_SEND_WR 8192
+ #define ERDMA_MAX_ORD 128
+ #define ERDMA_MAX_IRD 128
+ #define ERDMA_MAX_SGE_RD 1
+--
+2.39.2
+
--- /dev/null
+From 0b9977a01cce44717ba268242465fee00fc4d7ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 09:52:31 -0500
+Subject: RDMA/irdma: Add ipv4 check to irdma_find_listener()
+
+From: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
+
+[ Upstream commit e4522c097ec10f23ea0933e9e69d4fa9d8ae9441 ]
+
+Add ipv4 check to irdma_find_listener(). Otherwise the function
+incorrectly finds and returns a listener with a different addr family for
+the zero IP addr, if a listener with a zero IP addr and the same port as
+the one searched for has already been created.
+
+Fixes: 146b9756f14c ("RDMA/irdma: Add connection manager")
+Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20230315145231.931-5-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/cm.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/irdma/cm.c b/drivers/infiniband/hw/irdma/cm.c
+index 195aa9ea18b6c..8817864154af1 100644
+--- a/drivers/infiniband/hw/irdma/cm.c
++++ b/drivers/infiniband/hw/irdma/cm.c
+@@ -1458,13 +1458,15 @@ static int irdma_send_fin(struct irdma_cm_node *cm_node)
+ * irdma_find_listener - find a cm node listening on this addr-port pair
+ * @cm_core: cm's core
+ * @dst_addr: listener ip addr
++ * @ipv4: flag indicating IPv4 when true
+ * @dst_port: listener tcp port num
+ * @vlan_id: virtual LAN ID
+ * @listener_state: state to match with listen node's
+ */
+ static struct irdma_cm_listener *
+-irdma_find_listener(struct irdma_cm_core *cm_core, u32 *dst_addr, u16 dst_port,
+- u16 vlan_id, enum irdma_cm_listener_state listener_state)
++irdma_find_listener(struct irdma_cm_core *cm_core, u32 *dst_addr, bool ipv4,
++ u16 dst_port, u16 vlan_id,
++ enum irdma_cm_listener_state listener_state)
+ {
+ struct irdma_cm_listener *listen_node;
+ static const u32 ip_zero[4] = { 0, 0, 0, 0 };
+@@ -1477,7 +1479,7 @@ irdma_find_listener(struct irdma_cm_core *cm_core, u32 *dst_addr, u16 dst_port,
+ list_for_each_entry (listen_node, &cm_core->listen_list, list) {
+ memcpy(listen_addr, listen_node->loc_addr, sizeof(listen_addr));
+ listen_port = listen_node->loc_port;
+- if (listen_port != dst_port ||
++ if (listen_node->ipv4 != ipv4 || listen_port != dst_port ||
+ !(listener_state & listen_node->listener_state))
+ continue;
+ /* compare node pair, return node handle if a match */
+@@ -2902,9 +2904,10 @@ irdma_make_listen_node(struct irdma_cm_core *cm_core,
+ unsigned long flags;
+
+ /* cannot have multiple matching listeners */
+- listener = irdma_find_listener(cm_core, cm_info->loc_addr,
+- cm_info->loc_port, cm_info->vlan_id,
+- IRDMA_CM_LISTENER_EITHER_STATE);
++ listener =
++ irdma_find_listener(cm_core, cm_info->loc_addr, cm_info->ipv4,
++ cm_info->loc_port, cm_info->vlan_id,
++ IRDMA_CM_LISTENER_EITHER_STATE);
+ if (listener &&
+ listener->listener_state == IRDMA_CM_LISTENER_ACTIVE_STATE) {
+ refcount_dec(&listener->refcnt);
+@@ -3153,6 +3156,7 @@ void irdma_receive_ilq(struct irdma_sc_vsi *vsi, struct irdma_puda_buf *rbuf)
+
+ listener = irdma_find_listener(cm_core,
+ cm_info.loc_addr,
++ cm_info.ipv4,
+ cm_info.loc_port,
+ cm_info.vlan_id,
+ IRDMA_CM_LISTENER_ACTIVE_STATE);
+--
+2.39.2
+
--- /dev/null
+From 2772b920a472044961f0b521f1e815e900cba8ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 09:52:28 -0500
+Subject: RDMA/irdma: Do not generate SW completions for NOPs
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+[ Upstream commit 30ed9ee9a10a90ae719dcfcacead1d0506fa45ed ]
+
+Currently, artificial SW completions are generated for NOP wqes which can
+generate unexpected completions with wr_id = 0. Skip the generation of
+artificial completions for NOPs.
+
+Fixes: 81091d7696ae ("RDMA/irdma: Add SW mechanism to generate completions on error")
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20230315145231.931-2-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/utils.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
+index 445e69e864097..7887230c867b1 100644
+--- a/drivers/infiniband/hw/irdma/utils.c
++++ b/drivers/infiniband/hw/irdma/utils.c
+@@ -2595,7 +2595,10 @@ void irdma_generate_flush_completions(struct irdma_qp *iwqp)
+ /* remove the SQ WR by moving SQ tail*/
+ IRDMA_RING_SET_TAIL(*sq_ring,
+ sq_ring->tail + qp->sq_wrtrk_array[sq_ring->tail].quanta);
+-
++ if (cmpl->cpi.op_type == IRDMAQP_OP_NOP) {
++ kfree(cmpl);
++ continue;
++ }
+ ibdev_dbg(iwqp->iwscq->ibcq.device,
+ "DEV: %s: adding wr_id = 0x%llx SQ Completion to list qp_id=%d\n",
+ __func__, cmpl->cpi.wr_id, qp->qp_id);
+--
+2.39.2
+
--- /dev/null
+From c2adb354c933ed76b2bcdae16788cf02c670f40b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 09:52:29 -0500
+Subject: RDMA/irdma: Fix memory leak of PBLE objects
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+[ Upstream commit b69a6979dbaa2453675fe9c71bdc2497fedb11f9 ]
+
+On rmmod of irdma, the PBLE object memory is not being freed. PBLE object
+memory are not statically pre-allocated at function initialization time
+unlike other HMC objects. PBLEs objects and the Segment Descriptors (SD)
+for it can be dynamically allocated during scale up and SD's remain
+allocated till function deinitialization.
+
+Fix this leak by adding IRDMA_HMC_IW_PBLE to the iw_hmc_obj_types[] table
+and skip pbles in irdma_create_hmc_obj but not in irdma_del_hmc_objects().
+
+Fixes: 44d9e52977a1 ("RDMA/irdma: Implement device initialization definitions")
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20230315145231.931-3-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/hw.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c
+index 2e1e2bad04011..43dfa4761f069 100644
+--- a/drivers/infiniband/hw/irdma/hw.c
++++ b/drivers/infiniband/hw/irdma/hw.c
+@@ -41,6 +41,7 @@ static enum irdma_hmc_rsrc_type iw_hmc_obj_types[] = {
+ IRDMA_HMC_IW_XFFL,
+ IRDMA_HMC_IW_Q1,
+ IRDMA_HMC_IW_Q1FL,
++ IRDMA_HMC_IW_PBLE,
+ IRDMA_HMC_IW_TIMER,
+ IRDMA_HMC_IW_FSIMC,
+ IRDMA_HMC_IW_FSIAV,
+@@ -827,6 +828,8 @@ static int irdma_create_hmc_objs(struct irdma_pci_f *rf, bool privileged,
+ info.entry_type = rf->sd_type;
+
+ for (i = 0; i < IW_HMC_OBJ_TYPE_NUM; i++) {
++ if (iw_hmc_obj_types[i] == IRDMA_HMC_IW_PBLE)
++ continue;
+ if (dev->hmc_info->hmc_obj[iw_hmc_obj_types[i]].cnt) {
+ info.rsrc_type = iw_hmc_obj_types[i];
+ info.count = dev->hmc_info->hmc_obj[info.rsrc_type].cnt;
+--
+2.39.2
+
--- /dev/null
+From 8a4e105bb0f86799e82f475141a4e17a46989562 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 09:52:30 -0500
+Subject: RDMA/irdma: Increase iWARP CM default rexmit count
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+[ Upstream commit 8385a875c9eecc429b2f72970efcbb0e5cb5b547 ]
+
+When running perftest with large number of connections in iWARP mode, the
+passive side could be slow to respond. Increase the rexmit counter default
+to allow scaling connections.
+
+Fixes: 146b9756f14c ("RDMA/irdma: Add connection manager")
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20230315145231.931-4-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/cm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/irdma/cm.h b/drivers/infiniband/hw/irdma/cm.h
+index 19c284975fc7c..7feadb3e1eda3 100644
+--- a/drivers/infiniband/hw/irdma/cm.h
++++ b/drivers/infiniband/hw/irdma/cm.h
+@@ -41,7 +41,7 @@
+ #define TCP_OPTIONS_PADDING 3
+
+ #define IRDMA_DEFAULT_RETRYS 64
+-#define IRDMA_DEFAULT_RETRANS 8
++#define IRDMA_DEFAULT_RETRANS 32
+ #define IRDMA_DEFAULT_TTL 0x40
+ #define IRDMA_DEFAULT_RTT_VAR 6
+ #define IRDMA_DEFAULT_SS_THRESH 0x3fffffff
+--
+2.39.2
+
--- /dev/null
+From 37ce7b2dc1d9d25c141ad4d1274d6c7eea6c9435 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Apr 2023 15:43:30 -0400
+Subject: sctp: fix a potential overflow in sctp_ifwdtsn_skip
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 32832a2caf82663870126c5186cf8f86c8b2a649 ]
+
+Currently, when traversing ifwdtsn skips with _sctp_walk_ifwdtsn, it only
+checks the pos against the end of the chunk. However, the data left for
+the last pos may be < sizeof(struct sctp_ifwdtsn_skip), and dereference
+it as struct sctp_ifwdtsn_skip may cause coverflow.
+
+This patch fixes it by checking the pos against "the end of the chunk -
+sizeof(struct sctp_ifwdtsn_skip)" in sctp_ifwdtsn_skip, similar to
+sctp_fwdtsn_skip.
+
+Fixes: 0fc2ea922c8a ("sctp: implement validate_ftsn for sctp_stream_interleave")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://lore.kernel.org/r/2a71bffcd80b4f2c61fac6d344bb2f11c8fd74f7.1681155810.git.lucien.xin@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/stream_interleave.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sctp/stream_interleave.c b/net/sctp/stream_interleave.c
+index bb22b71df7a34..4fbd6d0529545 100644
+--- a/net/sctp/stream_interleave.c
++++ b/net/sctp/stream_interleave.c
+@@ -1160,7 +1160,8 @@ static void sctp_generate_iftsn(struct sctp_outq *q, __u32 ctsn)
+
+ #define _sctp_walk_ifwdtsn(pos, chunk, end) \
+ for (pos = chunk->subh.ifwdtsn_hdr->skip; \
+- (void *)pos < (void *)chunk->subh.ifwdtsn_hdr->skip + (end); pos++)
++ (void *)pos <= (void *)chunk->subh.ifwdtsn_hdr->skip + (end) - \
++ sizeof(struct sctp_ifwdtsn_skip); pos++)
+
+ #define sctp_walk_ifwdtsn(pos, ch) \
+ _sctp_walk_ifwdtsn((pos), (ch), ntohs((ch)->chunk_hdr->length) - \
+--
+2.39.2
+
--- /dev/null
+From d5bafff0b8e1437d71f4f9eff10087bcb1e87321 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Mar 2023 12:41:18 -0800
+Subject: selftests/bpf: Fix progs/find_vma_fail1.c build error.
+
+From: Alexei Starovoitov <ast@kernel.org>
+
+[ Upstream commit 32513d40d908b267508d37994753d9bd1600914b ]
+
+The commit 11e456cae91e ("selftests/bpf: Fix compilation errors: Assign a value to a constant")
+fixed the issue cleanly in bpf-next.
+This is an alternative fix in bpf tree to avoid merge conflict between bpf and bpf-next.
+
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/progs/find_vma_fail1.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/progs/find_vma_fail1.c b/tools/testing/selftests/bpf/progs/find_vma_fail1.c
+index b3b326b8e2d1c..6dab9cffda132 100644
+--- a/tools/testing/selftests/bpf/progs/find_vma_fail1.c
++++ b/tools/testing/selftests/bpf/progs/find_vma_fail1.c
+@@ -2,6 +2,7 @@
+ /* Copyright (c) 2021 Facebook */
+ #include "vmlinux.h"
+ #include <bpf/bpf_helpers.h>
++#define vm_flags vm_start
+
+ char _license[] SEC("license") = "GPL";
+
+--
+2.39.2
+
--- /dev/null
+From a9eef648b7b05d2438ba4f0e673527157b5f5645 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Apr 2023 07:58:28 -0400
+Subject: selftests: openvswitch: adjust datapath NL message declaration
+
+From: Aaron Conole <aconole@redhat.com>
+
+[ Upstream commit 306dc21361993f4fe50a15d4db6b1a4de5d0adb0 ]
+
+The netlink message for creating a new datapath takes an array
+of ports for the PID creation. This shouldn't cause much issue
+but correct it for future cases where we need to do decode of
+datapath information that could include the per-cpu PID map.
+
+Fixes: 25f16c873fb1 ("selftests: add openvswitch selftest suite")
+Signed-off-by: Aaron Conole <aconole@redhat.com>
+Link: https://lore.kernel.org/r/20230412115828.3991806-1-aconole@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/openvswitch/ovs-dpctl.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/openvswitch/ovs-dpctl.py b/tools/testing/selftests/net/openvswitch/ovs-dpctl.py
+index 3243c90d449e6..5d467d1993cb1 100644
+--- a/tools/testing/selftests/net/openvswitch/ovs-dpctl.py
++++ b/tools/testing/selftests/net/openvswitch/ovs-dpctl.py
+@@ -62,7 +62,7 @@ class OvsDatapath(GenericNetlinkSocket):
+ nla_map = (
+ ("OVS_DP_ATTR_UNSPEC", "none"),
+ ("OVS_DP_ATTR_NAME", "asciiz"),
+- ("OVS_DP_ATTR_UPCALL_PID", "uint32"),
++ ("OVS_DP_ATTR_UPCALL_PID", "array(uint32)"),
+ ("OVS_DP_ATTR_STATS", "dpstats"),
+ ("OVS_DP_ATTR_MEGAFLOW_STATS", "megaflowstats"),
+ ("OVS_DP_ATTR_USER_FEATURES", "uint32"),
+--
+2.39.2
+
fbcon-fix-error-paths-in-set_con2fb_map.patch
fbcon-set_con2fb_map-needs-to-set-con2fb_map.patch
drm-i915-dsi-fix-dss-ctl-register-offsets-for-tgl.patch
+clk-sprd-set-max_register-according-to-mapping-range.patch
+rdma-irdma-do-not-generate-sw-completions-for-nops.patch
+rdma-irdma-fix-memory-leak-of-pble-objects.patch
+rdma-irdma-increase-iwarp-cm-default-rexmit-count.patch
+rdma-irdma-add-ipv4-check-to-irdma_find_listener.patch
+ib-mlx5-add-support-for-400g_8x-lane-speed.patch
+rdma-erdma-update-default-eq-depth-to-4096-and-max_s.patch
+rdma-erdma-inline-mtt-entries-into-wqe-if-supported.patch
+rdma-erdma-defer-probing-if-netdevice-can-not-be-fou.patch
+clk-rs9-fix-suspend-resume.patch
+rdma-cma-allow-ud-qp_type-to-join-multicast-only.patch
+bpf-tcp-use-sock_gen_put-instead-of-sock_put-in-bpf_.patch
+loongarch-bpf-fix-jit-to-skip-speculation-barrier-op.patch
+dmaengine-apple-admac-handle-global-interrupt-flags.patch
+dmaengine-apple-admac-set-src_addr_widths-capability.patch
+dmaengine-apple-admac-fix-current_tx-not-getting-fre.patch
+9p-xen-fix-use-after-free-bug-in-xen_9pfs_front_remo.patch
+bpf-arm64-fixed-a-bti-error-on-returning-to-patched-.patch
+kvm-arm64-initialise-hypervisor-copies-of-host-symbo.patch
+kvm-arm64-advertise-id_aa64pfr0_el1.csv2-3-to-protec.patch
+niu-fix-missing-unwind-goto-in-niu_alloc_channels.patch
+tcp-restrict-net.ipv4.tcp_app_win.patch
+bonding-fix-ns-validation-on-backup-slaves.patch
+iavf-refactor-vlan-filter-states.patch
+iavf-remove-active_cvlans-and-active_svlans-bitmaps.patch
+net-openvswitch-fix-race-on-port-output.patch
+bluetooth-hci_conn-fix-not-cleaning-up-on-le-connect.patch
+bluetooth-fix-printing-errors-if-le-connection-times.patch
+bluetooth-sco-fix-possible-circular-locking-dependen.patch
+bluetooth-set-iso-data-path-on-broadcast-sink.patch
+drm-armada-fix-a-potential-double-free-in-an-error-h.patch
+qlcnic-check-pci_reset_function-result.patch
+net-wwan-iosm-fix-error-handling-path-in-ipc_pcie_pr.patch
+cgroup-freezer-hold-cpu_hotplug_lock-before-freezer_.patch
+net-qrtr-fix-an-uninit-variable-access-bug-in-qrtr_t.patch
+sctp-fix-a-potential-overflow-in-sctp_ifwdtsn_skip.patch
+rdma-core-fix-gid-entry-ref-leak-when-create_ah-fail.patch
+selftests-openvswitch-adjust-datapath-nl-message-dec.patch
+udp6-fix-potential-access-to-stale-information.patch
+net-macb-fix-a-memory-corruption-in-extended-buffer-.patch
+skbuff-fix-a-race-between-coalescing-and-releasing-s.patch
+libbpf-fix-single-line-struct-definition-output-in-b.patch
+arm-9290-1-uaccess-fix-kasan-false-positives.patch
+arm-dts-qcom-apq8026-lg-lenok-add-missing-reserved-m.patch
+power-supply-rk817-fix-unsigned-comparison-with-less.patch
+power-supply-cros_usbpd-reclassify-default-case-as-d.patch
+power-supply-axp288_fuel_gauge-added-check-for-negat.patch
+selftests-bpf-fix-progs-find_vma_fail1.c-build-error.patch
+wifi-mwifiex-mark-of-related-data-as-maybe-unused.patch
+i2c-imx-lpi2c-clean-rx-tx-buffers-upon-new-message.patch
+i2c-hisi-avoid-redundant-interrupts.patch
+efi-sysfb_efi-add-quirk-for-lenovo-yoga-book-x91f-l.patch
+block-ublk_drv-mark-device-as-live-before-adding-dis.patch
+acpi-video-add-backlight-native-dmi-quirk-for-acer-a.patch
+drm-panel-orientation-quirks-add-quirk-for-lenovo-yo.patch
+hwmon-peci-cputemp-fix-miscalculated-dts-for-skx.patch
+hwmon-xgene-fix-ioremap-and-memremap-leak.patch
+verify_pefile-relax-wrapper-length-check.patch
+asymmetric_keys-log-on-fatal-failures-in-pe-pkcs7.patch
+nvme-send-identify-with-cns-06h-only-to-i-o-controll.patch
+wifi-iwlwifi-mvm-fix-mvmtxq-stopped-handling.patch
+wifi-iwlwifi-mvm-protect-txq-list-manipulation.patch
+drm-amdgpu-add-mes-resume-when-do-gfx-post-soft-rese.patch
+drm-amdgpu-force-signal-hw_fences-that-are-embedded-.patch
+drm-amdgpu-gfx-set-cg-flags-to-enter-exit-safe-mode.patch
+acpi-resource-add-medion-s17413-to-irq-override-quir.patch
--- /dev/null
+From e66db83e8c526df35b494ce666bee794d2a22fbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Apr 2023 17:03:53 +0800
+Subject: skbuff: Fix a race between coalescing and releasing SKBs
+
+From: Liang Chen <liangchen.linux@gmail.com>
+
+[ Upstream commit 0646dc31ca886693274df5749cd0c8c1eaaeb5ca ]
+
+Commit 1effe8ca4e34 ("skbuff: fix coalescing for page_pool fragment
+recycling") allowed coalescing to proceed with non page pool page and page
+pool page when @from is cloned, i.e.
+
+to->pp_recycle --> false
+from->pp_recycle --> true
+skb_cloned(from) --> true
+
+However, it actually requires skb_cloned(@from) to hold true until
+coalescing finishes in this situation. If the other cloned SKB is
+released while the merging is in process, from_shinfo->nr_frags will be
+set to 0 toward the end of the function, causing the increment of frag
+page _refcount to be unexpectedly skipped resulting in inconsistent
+reference counts. Later when SKB(@to) is released, it frees the page
+directly even though the page pool page is still in use, leading to
+use-after-free or double-free errors. So it should be prohibited.
+
+The double-free error message below prompted us to investigate:
+BUG: Bad page state in process swapper/1 pfn:0e0d1
+page:00000000c6548b28 refcount:-1 mapcount:0 mapping:0000000000000000
+index:0x2 pfn:0xe0d1
+flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)
+raw: 000fffffc0000000 0000000000000000 ffffffff00000101 0000000000000000
+raw: 0000000000000002 0000000000000000 ffffffffffffffff 0000000000000000
+page dumped because: nonzero _refcount
+
+CPU: 1 PID: 0 Comm: swapper/1 Tainted: G E 6.2.0+
+Call Trace:
+ <IRQ>
+dump_stack_lvl+0x32/0x50
+bad_page+0x69/0xf0
+free_pcp_prepare+0x260/0x2f0
+free_unref_page+0x20/0x1c0
+skb_release_data+0x10b/0x1a0
+napi_consume_skb+0x56/0x150
+net_rx_action+0xf0/0x350
+? __napi_schedule+0x79/0x90
+__do_softirq+0xc8/0x2b1
+__irq_exit_rcu+0xb9/0xf0
+common_interrupt+0x82/0xa0
+</IRQ>
+<TASK>
+asm_common_interrupt+0x22/0x40
+RIP: 0010:default_idle+0xb/0x20
+
+Fixes: 53e0961da1c7 ("page_pool: add frag page recycling support in page pool")
+Signed-off-by: Liang Chen <liangchen.linux@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230413090353.14448-1-liangchen.linux@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skbuff.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 51db260f471f4..cd4b3a610961f 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -5409,18 +5409,18 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
+ if (skb_cloned(to))
+ return false;
+
+- /* In general, avoid mixing slab allocated and page_pool allocated
+- * pages within the same SKB. However when @to is not pp_recycle and
+- * @from is cloned, we can transition frag pages from page_pool to
+- * reference counted.
+- *
+- * On the other hand, don't allow coalescing two pp_recycle SKBs if
+- * @from is cloned, in case the SKB is using page_pool fragment
++ /* In general, avoid mixing page_pool and non-page_pool allocated
++ * pages within the same SKB. Additionally avoid dealing with clones
++ * with page_pool pages, in case the SKB is using page_pool fragment
+ * references (PP_FLAG_PAGE_FRAG). Since we only take full page
+ * references for cloned SKBs at the moment that would result in
+ * inconsistent reference counts.
++ * In theory we could take full references if @from is cloned and
++ * !@to->pp_recycle but its tricky (due to potential race with
++ * the clone disappearing) and rare, so not worth dealing with.
+ */
+- if (to->pp_recycle != (from->pp_recycle && !skb_cloned(from)))
++ if (to->pp_recycle != from->pp_recycle ||
++ (from->pp_recycle && skb_cloned(from)))
+ return false;
+
+ if (len <= skb_tailroom(to)) {
+--
+2.39.2
+
--- /dev/null
+From c3a1deea03d6712de71fd44c30609bab32766e7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Apr 2023 14:34:50 +0800
+Subject: tcp: restrict net.ipv4.tcp_app_win
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit dc5110c2d959c1707e12df5f792f41d90614adaa ]
+
+UBSAN: shift-out-of-bounds in net/ipv4/tcp_input.c:555:23
+shift exponent 255 is too large for 32-bit type 'int'
+CPU: 1 PID: 7907 Comm: ssh Not tainted 6.3.0-rc4-00161-g62bad54b26db-dirty #206
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x136/0x150
+ __ubsan_handle_shift_out_of_bounds+0x21f/0x5a0
+ tcp_init_transfer.cold+0x3a/0xb9
+ tcp_finish_connect+0x1d0/0x620
+ tcp_rcv_state_process+0xd78/0x4d60
+ tcp_v4_do_rcv+0x33d/0x9d0
+ __release_sock+0x133/0x3b0
+ release_sock+0x58/0x1b0
+
+'maxwin' is int, shifting int for 32 or more bits is undefined behaviour.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/networking/ip-sysctl.rst | 2 ++
+ net/ipv4/sysctl_net_ipv4.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
+index e7b3fa7bb3f73..4ecb549fd052e 100644
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -337,6 +337,8 @@ tcp_app_win - INTEGER
+ Reserve max(window/2^tcp_app_win, mss) of window for application
+ buffer. Value 0 is special, it means that nothing is reserved.
+
++ Possible values are [0, 31], inclusive.
++
+ Default: 31
+
+ tcp_autocorking - BOOLEAN
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 9b8a6db7a66b3..39dbeb6071965 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -25,6 +25,7 @@ static int ip_local_port_range_min[] = { 1, 1 };
+ static int ip_local_port_range_max[] = { 65535, 65535 };
+ static int tcp_adv_win_scale_min = -31;
+ static int tcp_adv_win_scale_max = 31;
++static int tcp_app_win_max = 31;
+ static int tcp_min_snd_mss_min = TCP_MIN_SND_MSS;
+ static int tcp_min_snd_mss_max = 65535;
+ static int ip_privileged_port_min;
+@@ -1171,6 +1172,8 @@ static struct ctl_table ipv4_net_table[] = {
+ .maxlen = sizeof(u8),
+ .mode = 0644,
+ .proc_handler = proc_dou8vec_minmax,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = &tcp_app_win_max,
+ },
+ {
+ .procname = "tcp_adv_win_scale",
+--
+2.39.2
+
--- /dev/null
+From bcdb6c98874a86068cb97b7f5a0209895bc1dd38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Apr 2023 13:03:08 +0000
+Subject: udp6: fix potential access to stale information
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 1c5950fc6fe996235f1d18539b9c6b64b597f50f ]
+
+lena wang reported an issue caused by udpv6_sendmsg()
+mangling msg->msg_name and msg->msg_namelen, which
+are later read from ____sys_sendmsg() :
+
+ /*
+ * If this is sendmmsg() and sending to current destination address was
+ * successful, remember it.
+ */
+ if (used_address && err >= 0) {
+ used_address->name_len = msg_sys->msg_namelen;
+ if (msg_sys->msg_name)
+ memcpy(&used_address->name, msg_sys->msg_name,
+ used_address->name_len);
+ }
+
+udpv6_sendmsg() wants to pretend the remote address family
+is AF_INET in order to call udp_sendmsg().
+
+A fix would be to modify the address in-place, instead
+of using a local variable, but this could have other side effects.
+
+Instead, restore initial values before we return from udpv6_sendmsg().
+
+Fixes: c71d8ebe7a44 ("net: Fix security_socket_sendmsg() bypass problem.")
+Reported-by: lena wang <lena.wang@mediatek.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Maciej Żenczykowski <maze@google.com>
+Link: https://lore.kernel.org/r/20230412130308.1202254-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/udp.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 98a64e8d9bdaa..17d721a6add72 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1391,9 +1391,11 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ msg->msg_name = &sin;
+ msg->msg_namelen = sizeof(sin);
+ do_udp_sendmsg:
+- if (ipv6_only_sock(sk))
+- return -ENETUNREACH;
+- return udp_sendmsg(sk, msg, len);
++ err = ipv6_only_sock(sk) ?
++ -ENETUNREACH : udp_sendmsg(sk, msg, len);
++ msg->msg_name = sin6;
++ msg->msg_namelen = addr_len;
++ return err;
+ }
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 1bfc454e3b4a563b0f894b5d8055321736693e30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Feb 2023 12:12:53 -0500
+Subject: verify_pefile: relax wrapper length check
+
+From: Robbie Harwood <rharwood@redhat.com>
+
+[ Upstream commit 4fc5c74dde69a7eda172514aaeb5a7df3600adb3 ]
+
+The PE Format Specification (section "The Attribute Certificate Table
+(Image Only)") states that `dwLength` is to be rounded up to 8-byte
+alignment when used for traversal. Therefore, the field is not required
+to be an 8-byte multiple in the first place.
+
+Accordingly, pesign has not performed this alignment since version
+0.110. This causes kexec failure on pesign'd binaries with "PEFILE:
+Signature wrapper len wrong". Update the comment and relax the check.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Jarkko Sakkinen <jarkko@kernel.org>
+cc: Eric Biederman <ebiederm@xmission.com>
+cc: Herbert Xu <herbert@gondor.apana.org.au>
+cc: keyrings@vger.kernel.org
+cc: linux-crypto@vger.kernel.org
+cc: kexec@lists.infradead.org
+Link: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-attribute-certificate-table-image-only
+Link: https://github.com/rhboot/pesign
+Link: https://lore.kernel.org/r/20230220171254.592347-2-rharwood@redhat.com/ # v2
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/asymmetric_keys/verify_pefile.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
+index 7553ab18db898..fe1bb374239d7 100644
+--- a/crypto/asymmetric_keys/verify_pefile.c
++++ b/crypto/asymmetric_keys/verify_pefile.c
+@@ -135,11 +135,15 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ pr_debug("sig wrapper = { %x, %x, %x }\n",
+ wrapper.length, wrapper.revision, wrapper.cert_type);
+
+- /* Both pesign and sbsign round up the length of certificate table
+- * (in optional header data directories) to 8 byte alignment.
++ /* sbsign rounds up the length of certificate table (in optional
++ * header data directories) to 8 byte alignment. However, the PE
++ * specification states that while entries are 8-byte aligned, this is
++ * not included in their length, and as a result, pesign has not
++ * rounded up since 0.110.
+ */
+- if (round_up(wrapper.length, 8) != ctx->sig_len) {
+- pr_debug("Signature wrapper len wrong\n");
++ if (wrapper.length > ctx->sig_len) {
++ pr_debug("Signature wrapper bigger than sig len (%x > %x)\n",
++ ctx->sig_len, wrapper.length);
+ return -ELIBBAD;
+ }
+ if (wrapper.revision != WIN_CERT_REVISION_2_0) {
+--
+2.39.2
+
--- /dev/null
+From 49c450ec29e9ae4af3e8d0923b75b1dc42dcac0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Mar 2023 10:53:24 +0100
+Subject: wifi: iwlwifi: mvm: fix mvmtxq->stopped handling
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit b58e3d4311b54b6dd0e37165277965da0c9eb21d ]
+
+This could race if the queue is redirected while full, then
+the flushing internally would start it while it's not yet
+usable again. Fix it by using two state bits instead of just
+one.
+
+Reviewed-by: Benjamin Berg <benjamin.berg@intel.com>
+Tested-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 5 ++++-
+ drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 4 +++-
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 5 ++++-
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 4 ++--
+ 4 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+index 8464c9b7baf1f..23e1413ef4719 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -729,7 +729,10 @@ void iwl_mvm_mac_itxq_xmit(struct ieee80211_hw *hw, struct ieee80211_txq *txq)
+
+ rcu_read_lock();
+ do {
+- while (likely(!mvmtxq->stopped &&
++ while (likely(!test_bit(IWL_MVM_TXQ_STATE_STOP_FULL,
++ &mvmtxq->state) &&
++ !test_bit(IWL_MVM_TXQ_STATE_STOP_REDIRECT,
++ &mvmtxq->state) &&
+ !test_bit(IWL_MVM_STATUS_IN_D3, &mvm->status))) {
+ skb = ieee80211_tx_dequeue(hw, txq);
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+index 1ccb3cad7cdc1..b5089349ebb7a 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+@@ -729,7 +729,9 @@ struct iwl_mvm_txq {
+ struct list_head list;
+ u16 txq_id;
+ atomic_t tx_request;
+- bool stopped;
++#define IWL_MVM_TXQ_STATE_STOP_FULL 0
++#define IWL_MVM_TXQ_STATE_STOP_REDIRECT 1
++ unsigned long state;
+ };
+
+ static inline struct iwl_mvm_txq *
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+index 5b8e9a06f6d4a..79e151512fe73 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -1680,7 +1680,10 @@ static void iwl_mvm_queue_state_change(struct iwl_op_mode *op_mode,
+
+ txq = sta->txq[tid];
+ mvmtxq = iwl_mvm_txq_from_mac80211(txq);
+- mvmtxq->stopped = !start;
++ if (start)
++ clear_bit(IWL_MVM_TXQ_STATE_STOP_FULL, &mvmtxq->state);
++ else
++ set_bit(IWL_MVM_TXQ_STATE_STOP_FULL, &mvmtxq->state);
+
+ if (start && mvmsta->sta_state != IEEE80211_STA_NOTEXIST)
+ iwl_mvm_mac_itxq_xmit(mvm->hw, txq);
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+index cbd8053a9e35a..41b1b8b6c1e1d 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -692,7 +692,7 @@ static int iwl_mvm_redirect_queue(struct iwl_mvm *mvm, int queue, int tid,
+ queue, iwl_mvm_ac_to_tx_fifo[ac]);
+
+ /* Stop the queue and wait for it to empty */
+- txq->stopped = true;
++ set_bit(IWL_MVM_TXQ_STATE_STOP_REDIRECT, &txq->state);
+
+ ret = iwl_trans_wait_tx_queues_empty(mvm->trans, BIT(queue));
+ if (ret) {
+@@ -735,7 +735,7 @@ static int iwl_mvm_redirect_queue(struct iwl_mvm *mvm, int queue, int tid,
+
+ out:
+ /* Continue using the queue */
+- txq->stopped = false;
++ clear_bit(IWL_MVM_TXQ_STATE_STOP_REDIRECT, &txq->state);
+
+ return ret;
+ }
+--
+2.39.2
+
--- /dev/null
+From 2f815ce6099d4a5d7417b6ab4d861eb0ebeed56a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Mar 2023 10:53:25 +0100
+Subject: wifi: iwlwifi: mvm: protect TXQ list manipulation
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 923bf981eb6ecc027227716e30701bdcc1845fbf ]
+
+Some recent upstream debugging uncovered the fact that in
+iwlwifi, the TXQ list manipulation is racy.
+
+Introduce a new state bit for when the TXQ is completely
+ready and can be used without locking, and if that's not
+set yet acquire the lock to check everything correctly.
+
+Reviewed-by: Benjamin Berg <benjamin.berg@intel.com>
+Tested-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/intel/iwlwifi/mvm/mac80211.c | 45 ++++++-------------
+ drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 2 +
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 1 +
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 25 +++++++++--
+ 4 files changed, 39 insertions(+), 34 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+index 23e1413ef4719..a841268e0709f 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -757,42 +757,25 @@ static void iwl_mvm_mac_wake_tx_queue(struct ieee80211_hw *hw,
+ struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw);
+ struct iwl_mvm_txq *mvmtxq = iwl_mvm_txq_from_mac80211(txq);
+
+- /*
+- * Please note that racing is handled very carefully here:
+- * mvmtxq->txq_id is updated during allocation, and mvmtxq->list is
+- * deleted afterwards.
+- * This means that if:
+- * mvmtxq->txq_id != INVALID_QUEUE && list_empty(&mvmtxq->list):
+- * queue is allocated and we can TX.
+- * mvmtxq->txq_id != INVALID_QUEUE && !list_empty(&mvmtxq->list):
+- * a race, should defer the frame.
+- * mvmtxq->txq_id == INVALID_QUEUE && list_empty(&mvmtxq->list):
+- * need to allocate the queue and defer the frame.
+- * mvmtxq->txq_id == INVALID_QUEUE && !list_empty(&mvmtxq->list):
+- * queue is already scheduled for allocation, no need to allocate,
+- * should defer the frame.
+- */
+-
+- /* If the queue is allocated TX and return. */
+- if (!txq->sta || mvmtxq->txq_id != IWL_MVM_INVALID_QUEUE) {
+- /*
+- * Check that list is empty to avoid a race where txq_id is
+- * already updated, but the queue allocation work wasn't
+- * finished
+- */
+- if (unlikely(txq->sta && !list_empty(&mvmtxq->list)))
+- return;
+-
++ if (likely(test_bit(IWL_MVM_TXQ_STATE_READY, &mvmtxq->state)) ||
++ !txq->sta) {
+ iwl_mvm_mac_itxq_xmit(hw, txq);
+ return;
+ }
+
+- /* The list is being deleted only after the queue is fully allocated. */
+- if (!list_empty(&mvmtxq->list))
+- return;
++ /* iwl_mvm_mac_itxq_xmit() will later be called by the worker
++ * to handle any packets we leave on the txq now
++ */
+
+- list_add_tail(&mvmtxq->list, &mvm->add_stream_txqs);
+- schedule_work(&mvm->add_stream_wk);
++ spin_lock_bh(&mvm->add_stream_lock);
++ /* The list is being deleted only after the queue is fully allocated. */
++ if (list_empty(&mvmtxq->list) &&
++ /* recheck under lock */
++ !test_bit(IWL_MVM_TXQ_STATE_READY, &mvmtxq->state)) {
++ list_add_tail(&mvmtxq->list, &mvm->add_stream_txqs);
++ schedule_work(&mvm->add_stream_wk);
++ }
++ spin_unlock_bh(&mvm->add_stream_lock);
+ }
+
+ #define CHECK_BA_TRIGGER(_mvm, _trig, _tid_bm, _tid, _fmt...) \
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+index b5089349ebb7a..f5c921c41be56 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+@@ -731,6 +731,7 @@ struct iwl_mvm_txq {
+ atomic_t tx_request;
+ #define IWL_MVM_TXQ_STATE_STOP_FULL 0
+ #define IWL_MVM_TXQ_STATE_STOP_REDIRECT 1
++#define IWL_MVM_TXQ_STATE_READY 2
+ unsigned long state;
+ };
+
+@@ -829,6 +830,7 @@ struct iwl_mvm {
+ struct iwl_mvm_tvqm_txq_info tvqm_info[IWL_MAX_TVQM_QUEUES];
+ };
+ struct work_struct add_stream_wk; /* To add streams to queues */
++ spinlock_t add_stream_lock;
+
+ const char *nvm_file_name;
+ struct iwl_nvm_data *nvm_data;
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+index 79e151512fe73..994f597a7102a 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -1184,6 +1184,7 @@ iwl_op_mode_mvm_start(struct iwl_trans *trans, const struct iwl_cfg *cfg,
+ INIT_DELAYED_WORK(&mvm->scan_timeout_dwork, iwl_mvm_scan_timeout_wk);
+ INIT_WORK(&mvm->add_stream_wk, iwl_mvm_add_new_dqa_stream_wk);
+ INIT_LIST_HEAD(&mvm->add_stream_txqs);
++ spin_lock_init(&mvm->add_stream_lock);
+
+ init_waitqueue_head(&mvm->rx_sync_waitq);
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+index 41b1b8b6c1e1d..013aca70c3d3b 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -383,8 +383,11 @@ static int iwl_mvm_disable_txq(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
+ struct iwl_mvm_txq *mvmtxq =
+ iwl_mvm_txq_from_tid(sta, tid);
+
+- mvmtxq->txq_id = IWL_MVM_INVALID_QUEUE;
++ spin_lock_bh(&mvm->add_stream_lock);
+ list_del_init(&mvmtxq->list);
++ clear_bit(IWL_MVM_TXQ_STATE_READY, &mvmtxq->state);
++ mvmtxq->txq_id = IWL_MVM_INVALID_QUEUE;
++ spin_unlock_bh(&mvm->add_stream_lock);
+ }
+
+ /* Regardless if this is a reserved TXQ for a STA - mark it as false */
+@@ -478,8 +481,11 @@ static int iwl_mvm_remove_sta_queue_marking(struct iwl_mvm *mvm, int queue)
+ disable_agg_tids |= BIT(tid);
+ mvmsta->tid_data[tid].txq_id = IWL_MVM_INVALID_QUEUE;
+
+- mvmtxq->txq_id = IWL_MVM_INVALID_QUEUE;
++ spin_lock_bh(&mvm->add_stream_lock);
+ list_del_init(&mvmtxq->list);
++ clear_bit(IWL_MVM_TXQ_STATE_READY, &mvmtxq->state);
++ mvmtxq->txq_id = IWL_MVM_INVALID_QUEUE;
++ spin_unlock_bh(&mvm->add_stream_lock);
+ }
+
+ mvmsta->tfd_queue_msk &= ~BIT(queue); /* Don't use this queue anymore */
+@@ -1443,12 +1449,22 @@ void iwl_mvm_add_new_dqa_stream_wk(struct work_struct *wk)
+ * a queue in the function itself.
+ */
+ if (iwl_mvm_sta_alloc_queue(mvm, txq->sta, txq->ac, tid)) {
++ spin_lock_bh(&mvm->add_stream_lock);
+ list_del_init(&mvmtxq->list);
++ spin_unlock_bh(&mvm->add_stream_lock);
+ continue;
+ }
+
+- list_del_init(&mvmtxq->list);
++ /* now we're ready, any remaining races/concurrency will be
++ * handled in iwl_mvm_mac_itxq_xmit()
++ */
++ set_bit(IWL_MVM_TXQ_STATE_READY, &mvmtxq->state);
++
+ local_bh_disable();
++ spin_lock(&mvm->add_stream_lock);
++ list_del_init(&mvmtxq->list);
++ spin_unlock(&mvm->add_stream_lock);
++
+ iwl_mvm_mac_itxq_xmit(mvm->hw, txq);
+ local_bh_enable();
+ }
+@@ -1862,8 +1878,11 @@ static void iwl_mvm_disable_sta_queues(struct iwl_mvm *mvm,
+ struct iwl_mvm_txq *mvmtxq =
+ iwl_mvm_txq_from_mac80211(sta->txq[i]);
+
++ spin_lock_bh(&mvm->add_stream_lock);
+ mvmtxq->txq_id = IWL_MVM_INVALID_QUEUE;
+ list_del_init(&mvmtxq->list);
++ clear_bit(IWL_MVM_TXQ_STATE_READY, &mvmtxq->state);
++ spin_unlock_bh(&mvm->add_stream_lock);
+ }
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 4cc83fe8683a7e5df60651c329db444a48be750b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Mar 2023 14:25:23 +0100
+Subject: wifi: mwifiex: mark OF related data as maybe unused
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 139f6973bf140c65d4d1d4bde5485badb4454d7a ]
+
+The driver can be compile tested with !CONFIG_OF making certain data
+unused:
+
+ drivers/net/wireless/marvell/mwifiex/sdio.c:498:34: error: ‘mwifiex_sdio_of_match_table’ defined but not used [-Werror=unused-const-variable=]
+ drivers/net/wireless/marvell/mwifiex/pcie.c:175:34: error: ‘mwifiex_pcie_of_match_table’ defined but not used [-Werror=unused-const-variable=]
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230312132523.352182-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/pcie.c | 2 +-
+ drivers/net/wireless/marvell/mwifiex/sdio.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c
+index 5dcf61761a165..9a698a16a8f38 100644
+--- a/drivers/net/wireless/marvell/mwifiex/pcie.c
++++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
+@@ -172,7 +172,7 @@ static const struct mwifiex_pcie_device mwifiex_pcie8997 = {
+ .can_ext_scan = true,
+ };
+
+-static const struct of_device_id mwifiex_pcie_of_match_table[] = {
++static const struct of_device_id mwifiex_pcie_of_match_table[] __maybe_unused = {
+ { .compatible = "pci11ab,2b42" },
+ { .compatible = "pci1b4b,2b42" },
+ { }
+diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.c b/drivers/net/wireless/marvell/mwifiex/sdio.c
+index 9f506efa53705..ea1c1c2412e72 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sdio.c
++++ b/drivers/net/wireless/marvell/mwifiex/sdio.c
+@@ -479,7 +479,7 @@ static struct memory_type_mapping mem_type_mapping_tbl[] = {
+ {"EXTLAST", NULL, 0, 0xFE},
+ };
+
+-static const struct of_device_id mwifiex_sdio_of_match_table[] = {
++static const struct of_device_id mwifiex_sdio_of_match_table[] __maybe_unused = {
+ { .compatible = "marvell,sd8787" },
+ { .compatible = "marvell,sd8897" },
+ { .compatible = "marvell,sd8997" },
+--
+2.39.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
