Fixes for 6.1
authorSasha Levin <sashal@kernel.org>
Mon, 13 Mar 2023 12:06:03 +0000 (08:06 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 13 Mar 2023 12:06:03 +0000 (08:06 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
90 files changed:
queue-6.1/af_unix-fix-struct-pid-leaks-in-oob-support.patch [new file with mode: 0644]
queue-6.1/bgmac-fix-initial-chip-reset-to-support-bcm5358.patch [new file with mode: 0644]
queue-6.1/block-fix-scan-partition-for-exclusively-open-device.patch [new file with mode: 0644]
queue-6.1/block-fix-wrong-mode-for-blkdev_put-from-disk_scan_p.patch [new file with mode: 0644]
queue-6.1/block-revert-block-do-not-reread-partition-table-on-.patch [new file with mode: 0644]
queue-6.1/bnxt_en-avoid-order-5-memory-allocation-for-tpa-data.patch [new file with mode: 0644]
queue-6.1/bpf-sockmap-fix-an-infinite-loop-error-when-len-is-0.patch [new file with mode: 0644]
queue-6.1/bpf-test_run-fix-xdp_frame-misplacement-for-live_fra.patch [new file with mode: 0644]
queue-6.1/btf-fix-resolving-btf_kind_var-after-array-struct-un.patch [new file with mode: 0644]
queue-6.1/btrfs-fix-extent-map-logging-bit-not-cleared-for-spl.patch [new file with mode: 0644]
queue-6.1/bus-mhi-ep-change-state_lock-to-mutex.patch [new file with mode: 0644]
queue-6.1/bus-mhi-ep-power-up-down-mhi-stack-during-mhi-reset.patch [new file with mode: 0644]
queue-6.1/cifs-improve-checking-of-dfs-links-over-status_objec.patch [new file with mode: 0644]
queue-6.1/drm-amdgpu-fix-return-value-check-in-kfd.patch [new file with mode: 0644]
queue-6.1/drm-i915-do-panel-vbt-init-early-if-the-vbt-declares.patch [new file with mode: 0644]
queue-6.1/drm-i915-introduce-intel_panel_init_alloc.patch [new file with mode: 0644]
queue-6.1/drm-i915-populate-encoder-devdata-for-dsi-on-icl.patch [new file with mode: 0644]
queue-6.1/drm-msm-a5xx-fix-context-faults-during-ring-switch.patch [new file with mode: 0644]
queue-6.1/drm-msm-a5xx-fix-highest-bank-bit-for-a530.patch [new file with mode: 0644]
queue-6.1/drm-msm-a5xx-fix-setting-of-the-cp_preempt_enable_lo.patch [new file with mode: 0644]
queue-6.1/drm-msm-a5xx-fix-the-emptyness-check-in-the-preempt-.patch [new file with mode: 0644]
queue-6.1/drm-msm-dpu-clear-dspp-reservations-in-rm-release.patch [new file with mode: 0644]
queue-6.1/drm-msm-dpu-disable-features-unsupported-by-qcm2290.patch [new file with mode: 0644]
queue-6.1/drm-msm-dpu-drop-dpu_dim_layer-from-mixer_msm8998_ma.patch [new file with mode: 0644]
queue-6.1/drm-msm-dpu-fix-clocks-settings-for-msm8998-sspp-blo.patch [new file with mode: 0644]
queue-6.1/drm-msm-dpu-fix-len-of-sc7180-ctl-blocks.patch [new file with mode: 0644]
queue-6.1/drm-msm-fix-potential-invalid-ptr-free.patch [new file with mode: 0644]
queue-6.1/drm-nouveau-kms-nv50-fix-nv50_wndw_new_-prototype.patch [new file with mode: 0644]
queue-6.1/erofs-revert-erofs-fix-kvcalloc-misuse-with-__gfp_no.patch [new file with mode: 0644]
queue-6.1/ethernet-ice-avoid-gcc-9-integer-overflow-warning.patch [new file with mode: 0644]
queue-6.1/ext4-fix-possible-corruption-when-moving-a-directory.patch [new file with mode: 0644]
queue-6.1/fd-dlm-trace-send-recv-of-dlm-message-and-rcom.patch [new file with mode: 0644]
queue-6.1/fs-dlm-add-midcomms-init-start-functions.patch [new file with mode: 0644]
queue-6.1/fs-dlm-be-sure-to-call-dlm_send_queue_flush.patch [new file with mode: 0644]
queue-6.1/fs-dlm-fix-log-of-lowcomms-vs-midcomms.patch [new file with mode: 0644]
queue-6.1/fs-dlm-fix-race-setting-stop-tx-flag.patch [new file with mode: 0644]
queue-6.1/fs-dlm-fix-use-after-free-in-midcomms-commit.patch [new file with mode: 0644]
queue-6.1/fs-dlm-remove-send-repeat-remove-handling.patch [new file with mode: 0644]
queue-6.1/fs-dlm-start-midcomms-before-scand.patch [new file with mode: 0644]
queue-6.1/fs-dlm-use-packet-in-dlm_mhandle.patch [new file with mode: 0644]
queue-6.1/fs-dlm-use-warn_on_once-instead-of-warn_on.patch [new file with mode: 0644]
queue-6.1/ice-copy-last-block-omitted-in-ice_get_module_eeprom.patch [new file with mode: 0644]
queue-6.1/ice-fix-dscp-pfc-tlv-creation.patch [new file with mode: 0644]
queue-6.1/ila-do-not-generate-empty-messages-in-ila_xlat_nl_cm.patch [new file with mode: 0644]
queue-6.1/input-exc3000-properly-stop-timer-on-shutdown.patch [new file with mode: 0644]
queue-6.1/ipmi-ssif-add-a-timer-between-request-retries.patch [new file with mode: 0644]
queue-6.1/ipmi-ssif-increase-the-message-retry-time.patch [new file with mode: 0644]
queue-6.1/ipmi-ssif-remove-rtc_us_timer.patch [new file with mode: 0644]
queue-6.1/kvm-vmx-do-_all_-initialization-before-exposing-dev-.patch [new file with mode: 0644]
queue-6.1/kvm-vmx-don-t-bother-disabling-evmcs-static-key-on-m.patch [new file with mode: 0644]
queue-6.1/kvm-vmx-reset-evmcs-controls-in-vp-assist-page-durin.patch [new file with mode: 0644]
queue-6.1/kvm-x86-move-guts-of-kvm_arch_init-to-standalone-hel.patch [new file with mode: 0644]
queue-6.1/m68k-mm-move-initrd-phys_to_virt-handling-after-pagi.patch [new file with mode: 0644]
queue-6.1/net-caif-fix-use-after-free-in-cfusbl_device_notify.patch [new file with mode: 0644]
queue-6.1/net-dsa-mt7530-permit-port-5-to-work-without-port-6-.patch [new file with mode: 0644]
queue-6.1/net-ethernet-mtk_eth_soc-fix-rx-data-corruption-issu.patch [new file with mode: 0644]
queue-6.1/net-lan78xx-fix-accessing-the-lan7800-s-internal-phy.patch [new file with mode: 0644]
queue-6.1/net-lan966x-fix-port-police-support-using-tc-matchal.patch [new file with mode: 0644]
queue-6.1/net-phy-smsc-fix-link-up-detection-in-forced-irq-mod.patch [new file with mode: 0644]
queue-6.1/net-phylib-get-rid-of-unnecessary-locking.patch [new file with mode: 0644]
queue-6.1/net-smc-fix-fallback-failed-while-sendmsg-with-fasto.patch [new file with mode: 0644]
queue-6.1/net-stmmac-add-to-set-device-wake-up-flag-when-stmma.patch [new file with mode: 0644]
queue-6.1/net-tls-fix-device-offloaded-sendpage-straddling-rec.patch [new file with mode: 0644]
queue-6.1/net-tls-fix-possible-race-condition-between-do_tls_g.patch [new file with mode: 0644]
queue-6.1/net-use-indirect-calls-helpers-for-sk_exit_memory_pr.patch [new file with mode: 0644]
queue-6.1/netfilter-conntrack-adopt-safer-max-chain-length.patch [new file with mode: 0644]
queue-6.1/netfilter-ctnetlink-revert-to-dumping-mark-regardles.patch [new file with mode: 0644]
queue-6.1/netfilter-nft_last-copy-content-when-cloning-express.patch [new file with mode: 0644]
queue-6.1/netfilter-nft_quota-copy-content-when-cloning-expres.patch [new file with mode: 0644]
queue-6.1/netfilter-tproxy-fix-deadlock-due-to-missing-bh-disa.patch [new file with mode: 0644]
queue-6.1/nfc-fdp-add-null-check-of-devm_kmalloc_array-in-fdp_.patch [new file with mode: 0644]
queue-6.1/nfsd-protect-against-filesystem-freezing.patch [new file with mode: 0644]
queue-6.1/octeontx2-af-unlock-contexts-in-the-queue-context-ca.patch [new file with mode: 0644]
queue-6.1/perf-stat-fix-counting-when-initial-delay-configured.patch [new file with mode: 0644]
queue-6.1/platform-mellanox-select-regmap-instead-of-depending.patch [new file with mode: 0644]
queue-6.1/platform-x86-mlx_platform-select-regmap-instead-of-d.patch [new file with mode: 0644]
queue-6.1/powerpc-boot-don-t-always-pass-mcpu-powerpc-when-bui.patch [new file with mode: 0644]
queue-6.1/powerpc-dts-t1040rdb-fix-compatible-string-for-rev-a.patch [new file with mode: 0644]
queue-6.1/risc-v-don-t-check-text_mutex-during-stop_machine.patch [new file with mode: 0644]
queue-6.1/riscv-add-header-include-guards-to-insn.h.patch [new file with mode: 0644]
queue-6.1/riscv-use-read_once_nocheck-in-imprecise-unwinding-s.patch [new file with mode: 0644]
queue-6.1/scsi-core-remove-the-proc-scsi-proc_name-directory-e.patch [new file with mode: 0644]
queue-6.1/scsi-megaraid_sas-update-max-supported-ld-ids-to-240.patch [new file with mode: 0644]
queue-6.1/scsi-sd-fix-wrong-zone_write_granularity-value-durin.patch [new file with mode: 0644]
queue-6.1/selftests-nft_nat-ensuring-the-listening-side-is-up-.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/spi-intel-check-number-of-chip-selects-after-reading.patch [new file with mode: 0644]
queue-6.1/sunrpc-fix-a-server-shutdown-leak.patch [new file with mode: 0644]
queue-6.1/tls-rx-fix-return-value-for-async-crypto.patch [new file with mode: 0644]
queue-6.1/udf-fix-off-by-one-error-when-discarding-preallocati.patch [new file with mode: 0644]

diff --git a/queue-6.1/af_unix-fix-struct-pid-leaks-in-oob-support.patch b/queue-6.1/af_unix-fix-struct-pid-leaks-in-oob-support.patch
new file mode 100644 (file)
index 0000000..cc07a12
--- /dev/null
@@ -0,0 +1,88 @@
+From 1db4805d336e9d1a1edb85a6fa8b32d834a77fb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 16:45:30 +0000
+Subject: af_unix: fix struct pid leaks in OOB support
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2aab4b96900272885bc157f8b236abf1cdc02e08 ]
+
+syzbot reported struct pid leak [1].
+
+Issue is that queue_oob() calls maybe_add_creds() which potentially
+holds a reference on a pid.
+
+But skb->destructor is not set (either directly or by calling
+unix_scm_to_skb())
+
+This means that subsequent kfree_skb() or consume_skb() would leak
+this reference.
+
+In this fix, I chose to fully support scm even for the OOB message.
+
+[1]
+BUG: memory leak
+unreferenced object 0xffff8881053e7f80 (size 128):
+comm "syz-executor242", pid 5066, jiffies 4294946079 (age 13.220s)
+hex dump (first 32 bytes):
+01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+backtrace:
+[<ffffffff812ae26a>] alloc_pid+0x6a/0x560 kernel/pid.c:180
+[<ffffffff812718df>] copy_process+0x169f/0x26c0 kernel/fork.c:2285
+[<ffffffff81272b37>] kernel_clone+0xf7/0x610 kernel/fork.c:2684
+[<ffffffff812730cc>] __do_sys_clone+0x7c/0xb0 kernel/fork.c:2825
+[<ffffffff849ad699>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+[<ffffffff849ad699>] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+[<ffffffff84a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: 314001f0bf92 ("af_unix: Add OOB support")
+Reported-by: syzbot+7699d9e5635c10253a27@syzkaller.appspotmail.com
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Rao Shoaib <rao.shoaib@oracle.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20230307164530.771896-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index f0c2293f1d3b8..7d17601ceee79 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2104,7 +2104,8 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
+ #define UNIX_SKB_FRAGS_SZ (PAGE_SIZE << get_order(32768))
+ #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
+-static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other)
++static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other,
++                   struct scm_cookie *scm, bool fds_sent)
+ {
+       struct unix_sock *ousk = unix_sk(other);
+       struct sk_buff *skb;
+@@ -2115,6 +2116,11 @@ static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other
+       if (!skb)
+               return err;
++      err = unix_scm_to_skb(scm, skb, !fds_sent);
++      if (err < 0) {
++              kfree_skb(skb);
++              return err;
++      }
+       skb_put(skb, 1);
+       err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, 1);
+@@ -2242,7 +2248,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg,
+ #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
+       if (msg->msg_flags & MSG_OOB) {
+-              err = queue_oob(sock, msg, other);
++              err = queue_oob(sock, msg, other, &scm, fds_sent);
+               if (err)
+                       goto out_err;
+               sent++;
+-- 
+2.39.2
+
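Review bot: The new `fds_sent` argument of queue_oob() is handed to unix_scm_to_skb() inverted, as `!fds_sent`, and nothing in the signature or the added lines says why. A short comment above the call would help, for example `/* attach creds; pass fds only if no earlier skb of this sendmsg carried them */`. The added error branch frees the skb before any data is copied, which looks right for the lines shown. The rest of queue_oob() is outside the hunk, so it cannot be confirmed from here that the later failure paths also drop the scm reference through the skb destructor.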
diff --git a/queue-6.1/bgmac-fix-initial-chip-reset-to-support-bcm5358.patch b/queue-6.1/bgmac-fix-initial-chip-reset-to-support-bcm5358.patch
new file mode 100644 (file)
index 0000000..6b398b4
--- /dev/null
@@ -0,0 +1,92 @@
+From ec20ea61e79f1fcc15fab128173282f45724263d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 10:11:56 +0100
+Subject: bgmac: fix *initial* chip reset to support BCM5358
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: RafaÅ‚ MiÅ‚ecki <rafal@milecki.pl>
+
+[ Upstream commit f99e6d7c4ed3be2531bd576425a5bd07fb133bd7 ]
+
+While bringing hardware up we should perform a full reset including the
+switch bit (BGMAC_BCMA_IOCTL_SW_RESET aka SICF_SWRST). It's what
+specification says and what reference driver does.
+
+This seems to be critical for the BCM5358. Without this hardware doesn't
+get initialized properly and doesn't seem to transmit or receive any
+packets.
+
+Originally bgmac was calling bgmac_chip_reset() before setting
+"has_robosw" property which resulted in expected behaviour. That has
+changed as a side effect of adding platform device support which
+regressed BCM5358 support.
+
+Fixes: f6a95a24957a ("net: ethernet: bgmac: Add platform device support")
+Cc: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: RafaÅ‚ MiÅ‚ecki <rafal@milecki.pl>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20230227091156.19509-1-zajec5@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bgmac.c | 8 ++++++--
+ drivers/net/ethernet/broadcom/bgmac.h | 2 ++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bgmac.c b/drivers/net/ethernet/broadcom/bgmac.c
+index 3038386a5afd8..1761df8fb7f96 100644
+--- a/drivers/net/ethernet/broadcom/bgmac.c
++++ b/drivers/net/ethernet/broadcom/bgmac.c
+@@ -890,13 +890,13 @@ static void bgmac_chip_reset_idm_config(struct bgmac *bgmac)
+               if (iost & BGMAC_BCMA_IOST_ATTACHED) {
+                       flags = BGMAC_BCMA_IOCTL_SW_CLKEN;
+-                      if (!bgmac->has_robosw)
++                      if (bgmac->in_init || !bgmac->has_robosw)
+                               flags |= BGMAC_BCMA_IOCTL_SW_RESET;
+               }
+               bgmac_clk_enable(bgmac, flags);
+       }
+-      if (iost & BGMAC_BCMA_IOST_ATTACHED && !bgmac->has_robosw)
++      if (iost & BGMAC_BCMA_IOST_ATTACHED && (bgmac->in_init || !bgmac->has_robosw))
+               bgmac_idm_write(bgmac, BCMA_IOCTL,
+                               bgmac_idm_read(bgmac, BCMA_IOCTL) &
+                               ~BGMAC_BCMA_IOCTL_SW_RESET);
+@@ -1490,6 +1490,8 @@ int bgmac_enet_probe(struct bgmac *bgmac)
+       struct net_device *net_dev = bgmac->net_dev;
+       int err;
++      bgmac->in_init = true;
++
+       bgmac_chip_intrs_off(bgmac);
+       net_dev->irq = bgmac->irq;
+@@ -1542,6 +1544,8 @@ int bgmac_enet_probe(struct bgmac *bgmac)
+       /* Omit FCS from max MTU size */
+       net_dev->max_mtu = BGMAC_RX_MAX_FRAME_SIZE - ETH_FCS_LEN;
++      bgmac->in_init = false;
++
+       err = register_netdev(bgmac->net_dev);
+       if (err) {
+               dev_err(bgmac->dev, "Cannot register net device\n");
+diff --git a/drivers/net/ethernet/broadcom/bgmac.h b/drivers/net/ethernet/broadcom/bgmac.h
+index e05ac92c06504..d73ef262991d6 100644
+--- a/drivers/net/ethernet/broadcom/bgmac.h
++++ b/drivers/net/ethernet/broadcom/bgmac.h
+@@ -472,6 +472,8 @@ struct bgmac {
+       int irq;
+       u32 int_mask;
++      bool in_init;
++
+       /* Current MAC state */
+       int mac_speed;
+       int mac_duplex;
+-- 
+2.39.2
+
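Review bot: `bgmac->in_init` is set at the top of bgmac_enet_probe() and cleared only on the path that reaches register_netdev(), so any early error exit between the two hunks would leave it true. The body between them is outside the diff, so whether such exits exist cannot be seen here. If they do, the flag should also be cleared on the error labels, otherwise a stale value could force `BGMAC_BCMA_IOCTL_SW_RESET` on a later reset of the same struct. The new field in struct bgmac is also undocumented; a comment such as `/* true while bgmac_enet_probe() runs: forces a full reset including the switch bit */` would record why it exists.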
diff --git a/queue-6.1/block-fix-scan-partition-for-exclusively-open-device.patch b/queue-6.1/block-fix-scan-partition-for-exclusively-open-device.patch
new file mode 100644 (file)
index 0000000..71b0919
--- /dev/null
@@ -0,0 +1,103 @@
+From 0cf720960d27fac676afbbbdda51180249754a8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Feb 2023 10:22:00 +0800
+Subject: block: fix scan partition for exclusively open device again
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit e5cfefa97bccf956ea0bb6464c1f6c84fd7a8d9f ]
+
+As explained in commit 36369f46e917 ("block: Do not reread partition table
+on exclusively open device"), reread partition on the device that is
+exclusively opened by someone else is problematic.
+
+This patch will make sure partition scan will only be proceed if current
+thread open the device exclusively, or the device is not opened
+exclusively, and in the later case, other scanners and exclusive openers
+will be blocked temporarily until partition scan is done.
+
+Fixes: 10c70d95c0f2 ("block: remove the bd_openers checks in blk_drop_partitions")
+Cc: <stable@vger.kernel.org>
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20230217022200.3092987-3-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/genhd.c | 30 ++++++++++++++++++++++++++----
+ block/ioctl.c |  2 +-
+ 2 files changed, 27 insertions(+), 5 deletions(-)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index 647f7d8d88312..85ae755913e9e 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -359,6 +359,7 @@ EXPORT_SYMBOL_GPL(disk_uevent);
+ int disk_scan_partitions(struct gendisk *disk, fmode_t mode)
+ {
+       struct block_device *bdev;
++      int ret = 0;
+       if (disk->flags & (GENHD_FL_NO_PART | GENHD_FL_HIDDEN))
+               return -EINVAL;
+@@ -368,11 +369,27 @@ int disk_scan_partitions(struct gendisk *disk, fmode_t mode)
+               return -EBUSY;
+       set_bit(GD_NEED_PART_SCAN, &disk->state);
+-      bdev = blkdev_get_by_dev(disk_devt(disk), mode, NULL);
++      /*
++       * If the device is opened exclusively by current thread already, it's
++       * safe to scan partitons, otherwise, use bd_prepare_to_claim() to
++       * synchronize with other exclusive openers and other partition
++       * scanners.
++       */
++      if (!(mode & FMODE_EXCL)) {
++              ret = bd_prepare_to_claim(disk->part0, disk_scan_partitions);
++              if (ret)
++                      return ret;
++      }
++
++      bdev = blkdev_get_by_dev(disk_devt(disk), mode & ~FMODE_EXCL, NULL);
+       if (IS_ERR(bdev))
+-              return PTR_ERR(bdev);
+-      blkdev_put(bdev, mode);
+-      return 0;
++              ret =  PTR_ERR(bdev);
++      else
++              blkdev_put(bdev, mode);
++
++      if (!(mode & FMODE_EXCL))
++              bd_abort_claiming(disk->part0, disk_scan_partitions);
++      return ret;
+ }
+ /**
+@@ -498,6 +515,11 @@ int __must_check device_add_disk(struct device *parent, struct gendisk *disk,
+               if (ret)
+                       goto out_unregister_bdi;
++              /* Make sure the first partition scan will be proceed */
++              if (get_capacity(disk) && !(disk->flags & GENHD_FL_NO_PART) &&
++                  !test_bit(GD_SUPPRESS_PART_SCAN, &disk->state))
++                      set_bit(GD_NEED_PART_SCAN, &disk->state);
++
+               bdev_add(disk->part0, ddev->devt);
+               if (get_capacity(disk))
+                       disk_scan_partitions(disk, FMODE_READ);
+diff --git a/block/ioctl.c b/block/ioctl.c
+index 6dd49d877584a..9c5f637ff153f 100644
+--- a/block/ioctl.c
++++ b/block/ioctl.c
+@@ -528,7 +528,7 @@ static int blkdev_common_ioctl(struct block_device *bdev, fmode_t mode,
+                       return -EACCES;
+               if (bdev_is_partition(bdev))
+                       return -EINVAL;
+-              return disk_scan_partitions(bdev->bd_disk, mode & ~FMODE_EXCL);
++              return disk_scan_partitions(bdev->bd_disk, mode);
+       case BLKTRACESTART:
+       case BLKTRACESTOP:
+       case BLKTRACETEARDOWN:
+-- 
+2.39.2
+
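Review bot: In disk_scan_partitions() the `set_bit(GD_NEED_PART_SCAN, &disk->state)` still runs before the new `bd_prepare_to_claim()` call, so the early `return ret` leaves the bit set when the claim is refused. A later open of the device may then perform the very rescan this call rejected because someone else holds the device exclusively. Consider moving the `set_bit()` below the claim, or adding `clear_bit(GD_NEED_PART_SCAN, &disk->state);` before returning the error, and likewise when `blkdev_get_by_dev()` fails. How the flag is consumed on open is outside this patch, so this should be confirmed against the open path.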
diff --git a/queue-6.1/block-fix-wrong-mode-for-blkdev_put-from-disk_scan_p.patch b/queue-6.1/block-fix-wrong-mode-for-blkdev_put-from-disk_scan_p.patch
new file mode 100644 (file)
index 0000000..42007c5
--- /dev/null
@@ -0,0 +1,44 @@
+From 2ecac0f822e38e6d0ea5b2088009d8a9ac976442 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 18:55:52 +0800
+Subject: block: fix wrong mode for blkdev_put() from disk_scan_partitions()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 428913bce1e67ccb4dae317fd0332545bf8c9233 ]
+
+If disk_scan_partitions() is called with 'FMODE_EXCL',
+blkdev_get_by_dev() will be called without 'FMODE_EXCL', however, follow
+blkdev_put() is still called with 'FMODE_EXCL', which will cause
+'bd_holders' counter to leak.
+
+Fix the problem by using the right mode for blkdev_put().
+
+Reported-by: syzbot+2bcc0d79e548c4f62a59@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/lkml/f9649d501bc8c3444769418f6c26263555d9d3be.camel@linux.ibm.com/T/
+Tested-by: Julian Ruess <julianr@linux.ibm.com>
+Fixes: e5cfefa97bcc ("block: fix scan partition for exclusively open device again")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/genhd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index 85ae755913e9e..0b6928e948f31 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -385,7 +385,7 @@ int disk_scan_partitions(struct gendisk *disk, fmode_t mode)
+       if (IS_ERR(bdev))
+               ret =  PTR_ERR(bdev);
+       else
+-              blkdev_put(bdev, mode);
++              blkdev_put(bdev, mode & ~FMODE_EXCL);
+       if (!(mode & FMODE_EXCL))
+               bd_abort_claiming(disk->part0, disk_scan_partitions);
+-- 
+2.39.2
+
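Review bot: The mask `mode & ~FMODE_EXCL` is now written out twice in disk_scan_partitions(), once for `blkdev_get_by_dev()` (outside this hunk) and once here for `blkdev_put()`. The `bd_holders` leak being fixed came from exactly these two getting out of step. A single local such as `fmode_t scan_mode = mode & ~FMODE_EXCL;`, used for both calls, would keep the get/put pair matched by construction.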
diff --git a/queue-6.1/block-revert-block-do-not-reread-partition-table-on-.patch b/queue-6.1/block-revert-block-do-not-reread-partition-table-on-.patch
new file mode 100644 (file)
index 0000000..93751cd
--- /dev/null
@@ -0,0 +1,123 @@
+From 27defee92721f0488c1a15c04721c41f8fde90da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Feb 2023 10:21:59 +0800
+Subject: block: Revert "block: Do not reread partition table on exclusively
+ open device"
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 0f77b29ad14e34a89961f32edc87b92db623bb37 ]
+
+This reverts commit 36369f46e91785688a5f39d7a5590e3f07981316.
+
+This patch can't fix the problem in a corner case that device can be
+opened exclusively after the checking and before blkdev_get_by_dev().
+We'll use a new solution to fix the problem in the next patch, and
+the new solution doesn't need to change apis.
+
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Acked-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230217022200.3092987-2-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: e5cfefa97bcc ("block: fix scan partition for exclusively open device again")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk.h   |  2 +-
+ block/genhd.c |  7 ++-----
+ block/ioctl.c | 13 ++++++-------
+ 3 files changed, 9 insertions(+), 13 deletions(-)
+
+diff --git a/block/blk.h b/block/blk.h
+index 8b75a95b28d60..a186ea20f39d8 100644
+--- a/block/blk.h
++++ b/block/blk.h
+@@ -436,7 +436,7 @@ static inline struct kmem_cache *blk_get_queue_kmem_cache(bool srcu)
+ }
+ struct request_queue *blk_alloc_queue(int node_id, bool alloc_srcu);
+-int disk_scan_partitions(struct gendisk *disk, fmode_t mode, void *owner);
++int disk_scan_partitions(struct gendisk *disk, fmode_t mode);
+ int disk_alloc_events(struct gendisk *disk);
+ void disk_add_events(struct gendisk *disk);
+diff --git a/block/genhd.c b/block/genhd.c
+index c4765681a8b4b..647f7d8d88312 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -356,7 +356,7 @@ void disk_uevent(struct gendisk *disk, enum kobject_action action)
+ }
+ EXPORT_SYMBOL_GPL(disk_uevent);
+-int disk_scan_partitions(struct gendisk *disk, fmode_t mode, void *owner)
++int disk_scan_partitions(struct gendisk *disk, fmode_t mode)
+ {
+       struct block_device *bdev;
+@@ -366,9 +366,6 @@ int disk_scan_partitions(struct gendisk *disk, fmode_t mode, void *owner)
+               return -EINVAL;
+       if (disk->open_partitions)
+               return -EBUSY;
+-      /* Someone else has bdev exclusively open? */
+-      if (disk->part0->bd_holder && disk->part0->bd_holder != owner)
+-              return -EBUSY;
+       set_bit(GD_NEED_PART_SCAN, &disk->state);
+       bdev = blkdev_get_by_dev(disk_devt(disk), mode, NULL);
+@@ -503,7 +500,7 @@ int __must_check device_add_disk(struct device *parent, struct gendisk *disk,
+               bdev_add(disk->part0, ddev->devt);
+               if (get_capacity(disk))
+-                      disk_scan_partitions(disk, FMODE_READ, NULL);
++                      disk_scan_partitions(disk, FMODE_READ);
+               /*
+                * Announce the disk and partitions after all partitions are
+diff --git a/block/ioctl.c b/block/ioctl.c
+index 96617512982e5..6dd49d877584a 100644
+--- a/block/ioctl.c
++++ b/block/ioctl.c
+@@ -467,10 +467,10 @@ static int blkdev_bszset(struct block_device *bdev, fmode_t mode,
+  * user space. Note the separate arg/argp parameters that are needed
+  * to deal with the compat_ptr() conversion.
+  */
+-static int blkdev_common_ioctl(struct file *file, fmode_t mode, unsigned cmd,
+-                             unsigned long arg, void __user *argp)
++static int blkdev_common_ioctl(struct block_device *bdev, fmode_t mode,
++                             unsigned int cmd, unsigned long arg,
++                             void __user *argp)
+ {
+-      struct block_device *bdev = I_BDEV(file->f_mapping->host);
+       unsigned int max_sectors;
+       switch (cmd) {
+@@ -528,8 +528,7 @@ static int blkdev_common_ioctl(struct file *file, fmode_t mode, unsigned cmd,
+                       return -EACCES;
+               if (bdev_is_partition(bdev))
+                       return -EINVAL;
+-              return disk_scan_partitions(bdev->bd_disk, mode & ~FMODE_EXCL,
+-                                          file);
++              return disk_scan_partitions(bdev->bd_disk, mode & ~FMODE_EXCL);
+       case BLKTRACESTART:
+       case BLKTRACESTOP:
+       case BLKTRACETEARDOWN:
+@@ -607,7 +606,7 @@ long blkdev_ioctl(struct file *file, unsigned cmd, unsigned long arg)
+               break;
+       }
+-      ret = blkdev_common_ioctl(file, mode, cmd, arg, argp);
++      ret = blkdev_common_ioctl(bdev, mode, cmd, arg, argp);
+       if (ret != -ENOIOCTLCMD)
+               return ret;
+@@ -676,7 +675,7 @@ long compat_blkdev_ioctl(struct file *file, unsigned cmd, unsigned long arg)
+               break;
+       }
+-      ret = blkdev_common_ioctl(file, mode, cmd, arg, argp);
++      ret = blkdev_common_ioctl(bdev, mode, cmd, arg, argp);
+       if (ret == -ENOIOCTLCMD && disk->fops->compat_ioctl)
+               ret = disk->fops->compat_ioctl(bdev, mode, cmd, arg);
+-- 
+2.39.2
+
diff --git a/queue-6.1/bnxt_en-avoid-order-5-memory-allocation-for-tpa-data.patch b/queue-6.1/bnxt_en-avoid-order-5-memory-allocation-for-tpa-data.patch
new file mode 100644 (file)
index 0000000..804a2ad
--- /dev/null
@@ -0,0 +1,114 @@
+From ccc20fed41b1dbaea0d740d05ba9c8e03eb0ecc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Mar 2023 18:43:57 -0800
+Subject: bnxt_en: Avoid order-5 memory allocation for TPA data
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit accd7e23693aaaa9aa0d3e9eca0ae77d1be80ab3 ]
+
+The driver needs to keep track of all the possible concurrent TPA (GRO/LRO)
+completions on the aggregation ring.  On P5 chips, the maximum number
+of concurrent TPA is 256 and the amount of memory we allocate is order-5
+on systems using 4K pages.  Memory allocation failure has been reported:
+
+NetworkManager: page allocation failure: order:5, mode:0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0-1
+CPU: 15 PID: 2995 Comm: NetworkManager Kdump: loaded Not tainted 5.10.156 #1
+Hardware name: Dell Inc. PowerEdge R660/0M1CC5, BIOS 0.2.25 08/12/2022
+Call Trace:
+ dump_stack+0x57/0x6e
+ warn_alloc.cold.120+0x7b/0xdd
+ ? _cond_resched+0x15/0x30
+ ? __alloc_pages_direct_compact+0x15f/0x170
+ __alloc_pages_slowpath.constprop.108+0xc58/0xc70
+ __alloc_pages_nodemask+0x2d0/0x300
+ kmalloc_order+0x24/0xe0
+ kmalloc_order_trace+0x19/0x80
+ bnxt_alloc_mem+0x1150/0x15c0 [bnxt_en]
+ ? bnxt_get_func_stat_ctxs+0x13/0x60 [bnxt_en]
+ __bnxt_open_nic+0x12e/0x780 [bnxt_en]
+ bnxt_open+0x10b/0x240 [bnxt_en]
+ __dev_open+0xe9/0x180
+ __dev_change_flags+0x1af/0x220
+ dev_change_flags+0x21/0x60
+ do_setlink+0x35c/0x1100
+
+Instead of allocating this big chunk of memory and dividing it up for the
+concurrent TPA instances, allocate each small chunk separately for each
+TPA instance.  This will reduce it to order-0 allocations.
+
+Fixes: 79632e9ba386 ("bnxt_en: Expand bnxt_tpa_info struct to support 57500 chips.")
+Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Reviewed-by: Damodharam Ammepalli <damodharam.ammepalli@broadcom.com>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index cecda545372f9..251b102d2792b 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -3143,7 +3143,7 @@ static int bnxt_alloc_ring(struct bnxt *bp, struct bnxt_ring_mem_info *rmem)
+ static void bnxt_free_tpa_info(struct bnxt *bp)
+ {
+-      int i;
++      int i, j;
+       for (i = 0; i < bp->rx_nr_rings; i++) {
+               struct bnxt_rx_ring_info *rxr = &bp->rx_ring[i];
+@@ -3151,8 +3151,10 @@ static void bnxt_free_tpa_info(struct bnxt *bp)
+               kfree(rxr->rx_tpa_idx_map);
+               rxr->rx_tpa_idx_map = NULL;
+               if (rxr->rx_tpa) {
+-                      kfree(rxr->rx_tpa[0].agg_arr);
+-                      rxr->rx_tpa[0].agg_arr = NULL;
++                      for (j = 0; j < bp->max_tpa; j++) {
++                              kfree(rxr->rx_tpa[j].agg_arr);
++                              rxr->rx_tpa[j].agg_arr = NULL;
++                      }
+               }
+               kfree(rxr->rx_tpa);
+               rxr->rx_tpa = NULL;
+@@ -3161,14 +3163,13 @@ static void bnxt_free_tpa_info(struct bnxt *bp)
+ static int bnxt_alloc_tpa_info(struct bnxt *bp)
+ {
+-      int i, j, total_aggs = 0;
++      int i, j;
+       bp->max_tpa = MAX_TPA;
+       if (bp->flags & BNXT_FLAG_CHIP_P5) {
+               if (!bp->max_tpa_v2)
+                       return 0;
+               bp->max_tpa = max_t(u16, bp->max_tpa_v2, MAX_TPA_P5);
+-              total_aggs = bp->max_tpa * MAX_SKB_FRAGS;
+       }
+       for (i = 0; i < bp->rx_nr_rings; i++) {
+@@ -3182,12 +3183,12 @@ static int bnxt_alloc_tpa_info(struct bnxt *bp)
+               if (!(bp->flags & BNXT_FLAG_CHIP_P5))
+                       continue;
+-              agg = kcalloc(total_aggs, sizeof(*agg), GFP_KERNEL);
+-              rxr->rx_tpa[0].agg_arr = agg;
+-              if (!agg)
+-                      return -ENOMEM;
+-              for (j = 1; j < bp->max_tpa; j++)
+-                      rxr->rx_tpa[j].agg_arr = agg + j * MAX_SKB_FRAGS;
++              for (j = 0; j < bp->max_tpa; j++) {
++                      agg = kcalloc(MAX_SKB_FRAGS, sizeof(*agg), GFP_KERNEL);
++                      if (!agg)
++                              return -ENOMEM;
++                      rxr->rx_tpa[j].agg_arr = agg;
++              }
+               rxr->rx_tpa_idx_map = kzalloc(sizeof(*rxr->rx_tpa_idx_map),
+                                             GFP_KERNEL);
+               if (!rxr->rx_tpa_idx_map)
+-- 
+2.39.2
+
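Review bot: With one `kcalloc()` per TPA slot, a failure part-way through the new `for (j = 0; j < bp->max_tpa; j++)` loop in bnxt_alloc_tpa_info() returns -ENOMEM with the earlier `agg_arr` buffers still allocated. That is only safe if every caller unwinds through bnxt_free_tpa_info(), which this patch does not show. A comment on the return, e.g. `/* caller frees partial allocations via bnxt_free_tpa_info() */`, would make that contract explicit. The new free loop also walks `bp->max_tpa` entries, so it assumes `max_tpa` has not changed since `rx_tpa` was sized. That is worth confirming, because an out-of-step value would mean walking past the end of `rx_tpa`.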
diff --git a/queue-6.1/bpf-sockmap-fix-an-infinite-loop-error-when-len-is-0.patch b/queue-6.1/bpf-sockmap-fix-an-infinite-loop-error-when-len-is-0.patch
new file mode 100644 (file)
index 0000000..ccb252b
--- /dev/null
@@ -0,0 +1,127 @@
+From 2cf6ec251e3a8efbd2c066501047c2862009b8df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Mar 2023 16:09:46 +0800
+Subject: bpf, sockmap: Fix an infinite loop error when len is 0 in
+ tcp_bpf_recvmsg_parser()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit d900f3d20cc3169ce42ec72acc850e662a4d4db2 ]
+
+When the buffer length of the recvmsg system call is 0, we got the
+flollowing soft lockup problem:
+
+watchdog: BUG: soft lockup - CPU#3 stuck for 27s! [a.out:6149]
+CPU: 3 PID: 6149 Comm: a.out Kdump: loaded Not tainted 6.2.0+ #30
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+RIP: 0010:remove_wait_queue+0xb/0xc0
+Code: 5e 41 5f c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 57 <41> 56 41 55 41 54 55 48 89 fd 53 48 89 f3 4c 8d 6b 18 4c 8d 73 20
+RSP: 0018:ffff88811b5978b8 EFLAGS: 00000246
+RAX: 0000000000000000 RBX: ffff88811a7d3780 RCX: ffffffffb7a4d768
+RDX: dffffc0000000000 RSI: ffff88811b597908 RDI: ffff888115408040
+RBP: 1ffff110236b2f1b R08: 0000000000000000 R09: ffff88811a7d37e7
+R10: ffffed10234fa6fc R11: 0000000000000001 R12: ffff88811179b800
+R13: 0000000000000001 R14: ffff88811a7d38a8 R15: ffff88811a7d37e0
+FS:  00007f6fb5398740(0000) GS:ffff888237180000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020000000 CR3: 000000010b6ba002 CR4: 0000000000370ee0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ tcp_msg_wait_data+0x279/0x2f0
+ tcp_bpf_recvmsg_parser+0x3c6/0x490
+ inet_recvmsg+0x280/0x290
+ sock_recvmsg+0xfc/0x120
+ ____sys_recvmsg+0x160/0x3d0
+ ___sys_recvmsg+0xf0/0x180
+ __sys_recvmsg+0xea/0x1a0
+ do_syscall_64+0x3f/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+The logic in tcp_bpf_recvmsg_parser is as follows:
+
+msg_bytes_ready:
+       copied = sk_msg_recvmsg(sk, psock, msg, len, flags);
+       if (!copied) {
+               wait data;
+               goto msg_bytes_ready;
+       }
+
+In this case, "copied" always is 0, the infinite loop occurs.
+
+According to the Linux system call man page, 0 should be returned in this
+case. Therefore, in tcp_bpf_recvmsg_parser(), if the length is 0, directly
+return. Also modify several other functions with the same problem.
+
+Fixes: 1f5be6b3b063 ("udp: Implement udp_bpf_recvmsg() for sockmap")
+Fixes: 9825d866ce0d ("af_unix: Implement unix_dgram_bpf_recvmsg()")
+Fixes: c5d2177a72a1 ("bpf, sockmap: Fix race in ingress receive verdict with redirect to self")
+Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Cc: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/20230303080946.1146638-1-liujian56@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c  | 6 ++++++
+ net/ipv4/udp_bpf.c  | 3 +++
+ net/unix/unix_bpf.c | 3 +++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index cf26d65ca3893..ebf9175119370 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -186,6 +186,9 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk,
+       if (unlikely(flags & MSG_ERRQUEUE))
+               return inet_recv_error(sk, msg, len, addr_len);
++      if (!len)
++              return 0;
++
+       psock = sk_psock_get(sk);
+       if (unlikely(!psock))
+               return tcp_recvmsg(sk, msg, len, flags, addr_len);
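Review bot: The new `if (!len) return 0;` in tcp_bpf_recvmsg_parser() carries no comment, although `len` comes straight from the recvmsg() caller and, per the commit message, a zero length means sk_msg_recvmsg() never reports copied bytes, so the wait-and-retry path never terminates. I would add `/* zero-length read: nothing can be copied, so the msg_bytes_ready retry would never finish */` above the check; the same comment fits the identical guards added to tcp_bpf_recvmsg(), udp_bpf_recvmsg() and unix_bpf_recvmsg(). Because the guard sits before the `!psock` fallback, a zero-length read also no longer reaches tcp_recvmsg() at all, which may change what such a call observes (blocking, pending socket errors); that looks intended but is worth confirming. The function body continues outside the hunk.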
+@@ -244,6 +247,9 @@ static int tcp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
+       if (unlikely(flags & MSG_ERRQUEUE))
+               return inet_recv_error(sk, msg, len, addr_len);
++      if (!len)
++              return 0;
++
+       psock = sk_psock_get(sk);
+       if (unlikely(!psock))
+               return tcp_recvmsg(sk, msg, len, flags, addr_len);
+diff --git a/net/ipv4/udp_bpf.c b/net/ipv4/udp_bpf.c
+index e5dc91d0e0793..0735d820e413f 100644
+--- a/net/ipv4/udp_bpf.c
++++ b/net/ipv4/udp_bpf.c
+@@ -68,6 +68,9 @@ static int udp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
+       if (unlikely(flags & MSG_ERRQUEUE))
+               return inet_recv_error(sk, msg, len, addr_len);
++      if (!len)
++              return 0;
++
+       psock = sk_psock_get(sk);
+       if (unlikely(!psock))
+               return sk_udp_recvmsg(sk, msg, len, flags, addr_len);
+diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c
+index e9bf155139612..2f9d8271c6ec7 100644
+--- a/net/unix/unix_bpf.c
++++ b/net/unix/unix_bpf.c
+@@ -54,6 +54,9 @@ static int unix_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
+       struct sk_psock *psock;
+       int copied;
++      if (!len)
++              return 0;
++
+       psock = sk_psock_get(sk);
+       if (unlikely(!psock))
+               return __unix_recvmsg(sk, msg, len, flags);
+-- 
+2.39.2
+
diff --git a/queue-6.1/bpf-test_run-fix-xdp_frame-misplacement-for-live_fra.patch b/queue-6.1/bpf-test_run-fix-xdp_frame-misplacement-for-live_fra.patch
new file mode 100644 (file)
index 0000000..acda6d9
--- /dev/null
@@ -0,0 +1,154 @@
+From fdd4e4594975d2d49df438a686a8225c355febc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Feb 2023 19:54:40 +0100
+Subject: bpf, test_run: fix &xdp_frame misplacement for LIVE_FRAMES
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexander Lobakin <aleksander.lobakin@intel.com>
+
+[ Upstream commit 6c20822fada1b8adb77fa450d03a0d449686a4a9 ]
+
+&xdp_buff and &xdp_frame are bound in a way that
+
+xdp_buff->data_hard_start == xdp_frame
+
+It's always the case and e.g. xdp_convert_buff_to_frame() relies on
+this.
+IOW, the following:
+
+       for (u32 i = 0; i < 0xdead; i++) {
+               xdpf = xdp_convert_buff_to_frame(&xdp);
+               xdp_convert_frame_to_buff(xdpf, &xdp);
+       }
+
+shouldn't ever modify @xdpf's contents or the pointer itself.
+However, "live packet" code wrongly treats &xdp_frame as part of its
+context placed *before* the data_hard_start. With such flow,
+data_hard_start is sizeof(*xdpf) off to the right and no longer points
+to the XDP frame.
+
+Instead of replacing `sizeof(ctx)` with `offsetof(ctx, xdpf)` in several
+places and praying that there are no more miscalcs left somewhere in the
+code, unionize ::frm with ::data in a flex array, so that both starts
+pointing to the actual data_hard_start and the XDP frame actually starts
+being a part of it, i.e. a part of the headroom, not the context.
+A nice side effect is that the maximum frame size for this mode gets
+increased by 40 bytes, as xdp_buff::frame_sz includes everything from
+data_hard_start (-> includes xdpf already) to the end of XDP/skb shared
+info.
+Also update %MAX_PKT_SIZE accordingly in the selftests code. Leave it
+hardcoded for 64 bit && 4k pages, it can be made more flexible later on.
+
+Minor: align `&head->data` with how `head->frm` is assigned for
+consistency.
+Minor #2: rename 'frm' to 'frame' in &xdp_page_head while at it for
+clarity.
+
+(was found while testing XDP traffic generator on ice, which calls
+ xdp_convert_frame_to_buff() for each XDP frame)
+
+Fixes: b530e9e1063e ("bpf: Add "live packet" mode for XDP in BPF_PROG_RUN")
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Link: https://lore.kernel.org/r/20230215185440.4126672-1-aleksander.lobakin@intel.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bpf/test_run.c                            | 29 +++++++++++++++----
+ .../bpf/prog_tests/xdp_do_redirect.c          |  7 +++--
+ 2 files changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
+index 6094ef7cffcd2..cd3d713251a26 100644
+--- a/net/bpf/test_run.c
++++ b/net/bpf/test_run.c
+@@ -97,8 +97,11 @@ static bool bpf_test_timer_continue(struct bpf_test_timer *t, int iterations,
+ struct xdp_page_head {
+       struct xdp_buff orig_ctx;
+       struct xdp_buff ctx;
+-      struct xdp_frame frm;
+-      u8 data[];
++      union {
++              /* ::data_hard_start starts here */
++              DECLARE_FLEX_ARRAY(struct xdp_frame, frame);
++              DECLARE_FLEX_ARRAY(u8, data);
++      };
+ };
+ struct xdp_test_data {
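Review bot: With `frame` and `data` declared as overlapping flex arrays, the first sizeof(struct xdp_frame) bytes of `data` are now the frame itself, and the one-line comment in the union does not say so. Code that writes at `data + headroom` (xdp_test_run_init_page() does a memcpy there) is only safe while the headroom is at least sizeof(struct xdp_frame); no such check is visible in these hunks, so it is presumably guaranteed elsewhere. I would extend the comment to something like `/* ::data_hard_start starts here; the first sizeof(struct xdp_frame) bytes are the frame and must stay inside the headroom */`.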
+@@ -116,6 +119,20 @@ struct xdp_test_data {
+ #define TEST_XDP_FRAME_SIZE (PAGE_SIZE - sizeof(struct xdp_page_head))
+ #define TEST_XDP_MAX_BATCH 256
++#if BITS_PER_LONG == 64 && PAGE_SIZE == SZ_4K
++/* tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c:%MAX_PKT_SIZE
++ * must be updated accordingly when any of these changes, otherwise BPF
++ * selftests will fail.
++ */
++#ifdef __s390x__
++#define TEST_MAX_PKT_SIZE 3216
++#else
++#define TEST_MAX_PKT_SIZE 3408
++#endif
++static_assert(SKB_WITH_OVERHEAD(TEST_XDP_FRAME_SIZE - XDP_PACKET_HEADROOM) ==
++            TEST_MAX_PKT_SIZE);
++#endif
++
+ static void xdp_test_run_init_page(struct page *page, void *arg)
+ {
+       struct xdp_page_head *head = phys_to_virt(page_to_phys(page));
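Review bot: The `static_assert` is compiled only under `#if BITS_PER_LONG == 64 && PAGE_SIZE == SZ_4K`, and inside that guard the expected value is chosen by `__s390x__` alone, while the selftest comment in this same patch ties the two values to 64-byte and 256-byte cachelines. A 64-bit, 4K-page architecture with a different cacheline size would presumably evaluate SKB_WITH_OVERHEAD() to neither 3408 nor 3216 and fail the build rather than the selftest. If that can happen for a supported configuration, keying the constant on the cacheline size, or stating the assumption in the comment above `TEST_MAX_PKT_SIZE`, would make the failure easier to understand. On other page sizes or on 32-bit builds nothing cross-checks the selftest constant.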
+@@ -132,8 +149,8 @@ static void xdp_test_run_init_page(struct page *page, void *arg)
+       headroom -= meta_len;
+       new_ctx = &head->ctx;
+-      frm = &head->frm;
+-      data = &head->data;
++      frm = head->frame;
++      data = head->data;
+       memcpy(data + headroom, orig_ctx->data_meta, frm_len);
+       xdp_init_buff(new_ctx, TEST_XDP_FRAME_SIZE, &xdp->rxq);
+@@ -223,7 +240,7 @@ static void reset_ctx(struct xdp_page_head *head)
+       head->ctx.data = head->orig_ctx.data;
+       head->ctx.data_meta = head->orig_ctx.data_meta;
+       head->ctx.data_end = head->orig_ctx.data_end;
+-      xdp_update_frame_from_buff(&head->ctx, &head->frm);
++      xdp_update_frame_from_buff(&head->ctx, head->frame);
+ }
+ static int xdp_recv_frames(struct xdp_frame **frames, int nframes,
+@@ -285,7 +302,7 @@ static int xdp_test_run_batch(struct xdp_test_data *xdp, struct bpf_prog *prog,
+               head = phys_to_virt(page_to_phys(page));
+               reset_ctx(head);
+               ctx = &head->ctx;
+-              frm = &head->frm;
++              frm = head->frame;
+               xdp->frame_cnt++;
+               act = bpf_prog_run_xdp(prog, ctx);
+diff --git a/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c b/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c
+index 15ad336691613..33ae63c01461a 100644
+--- a/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c
++++ b/tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c
+@@ -63,12 +63,13 @@ static int attach_tc_prog(struct bpf_tc_hook *hook, int fd)
+ }
+ /* The maximum permissible size is: PAGE_SIZE - sizeof(struct xdp_page_head) -
+- * sizeof(struct skb_shared_info) - XDP_PACKET_HEADROOM = 3368 bytes
++ * SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) - XDP_PACKET_HEADROOM =
++ * 3408 bytes for 64-byte cacheline and 3216 for 256-byte one.
+  */
+ #if defined(__s390x__)
+-#define MAX_PKT_SIZE 3176
++#define MAX_PKT_SIZE 3216
+ #else
+-#define MAX_PKT_SIZE 3368
++#define MAX_PKT_SIZE 3408
+ #endif
+ static void test_max_pkt_size(int fd)
+ {
+-- 
+2.39.2
+
diff --git a/queue-6.1/btf-fix-resolving-btf_kind_var-after-array-struct-un.patch b/queue-6.1/btf-fix-resolving-btf_kind_var-after-array-struct-un.patch
new file mode 100644 (file)
index 0000000..70b9cc9
--- /dev/null
@@ -0,0 +1,98 @@
+From f8b7813a30dbb4a73ecc69d8519e4e082866b4af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 11:21:37 +0000
+Subject: btf: fix resolving BTF_KIND_VAR after ARRAY, STRUCT, UNION, PTR
+
+From: Lorenz Bauer <lorenz.bauer@isovalent.com>
+
+[ Upstream commit 9b459804ff9973e173fabafba2a1319f771e85fa ]
+
+btf_datasec_resolve contains a bug that causes the following BTF
+to fail loading:
+
+    [1] DATASEC a size=2 vlen=2
+        type_id=4 offset=0 size=1
+        type_id=7 offset=1 size=1
+    [2] INT (anon) size=1 bits_offset=0 nr_bits=8 encoding=(none)
+    [3] PTR (anon) type_id=2
+    [4] VAR a type_id=3 linkage=0
+    [5] INT (anon) size=1 bits_offset=0 nr_bits=8 encoding=(none)
+    [6] TYPEDEF td type_id=5
+    [7] VAR b type_id=6 linkage=0
+
+This error message is printed during btf_check_all_types:
+
+    [1] DATASEC a size=2 vlen=2
+        type_id=7 offset=1 size=1 Invalid type
+
+By tracing btf_*_resolve we can pinpoint the problem:
+
+    btf_datasec_resolve(depth: 1, type_id: 1, mode: RESOLVE_TBD) = 0
+        btf_var_resolve(depth: 2, type_id: 4, mode: RESOLVE_TBD) = 0
+            btf_ptr_resolve(depth: 3, type_id: 3, mode: RESOLVE_PTR) = 0
+        btf_var_resolve(depth: 2, type_id: 4, mode: RESOLVE_PTR) = 0
+    btf_datasec_resolve(depth: 1, type_id: 1, mode: RESOLVE_PTR) = -22
+
+The last invocation of btf_datasec_resolve should invoke btf_var_resolve
+by means of env_stack_push, instead it returns EINVAL. The reason is that
+env_stack_push is never executed for the second VAR.
+
+    if (!env_type_is_resolve_sink(env, var_type) &&
+        !env_type_is_resolved(env, var_type_id)) {
+        env_stack_set_next_member(env, i + 1);
+        return env_stack_push(env, var_type, var_type_id);
+    }
+
+env_type_is_resolve_sink() changes its behaviour based on resolve_mode.
+For RESOLVE_PTR, we can simplify the if condition to the following:
+
+    (btf_type_is_modifier() || btf_type_is_ptr) && !env_type_is_resolved()
+
+Since we're dealing with a VAR the clause evaluates to false. This is
+not sufficient to trigger the bug however. The log output and EINVAL
+are only generated if btf_type_id_size() fails.
+
+    if (!btf_type_id_size(btf, &type_id, &type_size)) {
+        btf_verifier_log_vsi(env, v->t, vsi, "Invalid type");
+        return -EINVAL;
+    }
+
+Most types are sized, so for example a VAR referring to an INT is not a
+problem. The bug is only triggered if a VAR points at a modifier. Since
+we skipped btf_var_resolve that modifier was also never resolved, which
+means that btf_resolved_type_id returns 0 aka VOID for the modifier.
+This in turn causes btf_type_id_size to return NULL, triggering EINVAL.
+
+To summarise, the following conditions are necessary:
+
+- VAR pointing at PTR, STRUCT, UNION or ARRAY
+- Followed by a VAR pointing at TYPEDEF, VOLATILE, CONST, RESTRICT or
+  TYPE_TAG
+
+The fix is to reset resolve_mode to RESOLVE_TBD before attempting to
+resolve a VAR from a DATASEC.
+
+Fixes: 1dc92851849c ("bpf: kernel side support for BTF Var and DataSec")
+Signed-off-by: Lorenz Bauer <lmb@isovalent.com>
+Link: https://lore.kernel.org/r/20230306112138.155352-2-lmb@isovalent.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/btf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index 7fcbe5d002070..b73169737a01e 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -4163,6 +4163,7 @@ static int btf_datasec_resolve(struct btf_verifier_env *env,
+       struct btf *btf = env->btf;
+       u16 i;
++      env->resolve_mode = RESOLVE_TBD;
+       for_each_vsi_from(i, v->next_member, v->t, vsi) {
+               u32 var_type_id = vsi->type, type_id, type_size = 0;
+               const struct btf_type *var_type = btf_type_by_id(env->btf,
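Review bot: The added `env->resolve_mode = RESOLVE_TBD;` has no comment, and without the commit message it reads like a stray assignment. BTF is supplied by user space, so the reason this verifier state must be reset is worth keeping next to the code: a previously resolved VAR can leave `resolve_mode` at RESOLVE_PTR, after which env_type_is_resolve_sink() treats the next VAR as a sink and the env_stack_push() for it is skipped. I would add `/* a VAR resolved earlier may have left RESOLVE_PTR behind; start each pass over the DATASEC members in RESOLVE_TBD */` above the line. The body of btf_datasec_resolve() continues past the end of the hunk.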
+-- 
+2.39.2
+
diff --git a/queue-6.1/btrfs-fix-extent-map-logging-bit-not-cleared-for-spl.patch b/queue-6.1/btrfs-fix-extent-map-logging-bit-not-cleared-for-spl.patch
new file mode 100644 (file)
index 0000000..3456b26
--- /dev/null
@@ -0,0 +1,62 @@
+From b60930eac174391f44c8d9c60483b1c8e446b6ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 12:53:56 +0000
+Subject: btrfs: fix extent map logging bit not cleared for split maps after
+ dropping range
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit e4cc1483f35940c9288c332dd275f6fad485f8d2 ]
+
+At btrfs_drop_extent_map_range() we are clearing the EXTENT_FLAG_LOGGING
+bit on a 'flags' variable that was not initialized. This makes static
+checkers complain about it, so initialize the 'flags' variable before
+clearing the bit.
+
+In practice this has no consequences, because EXTENT_FLAG_LOGGING should
+not be set when btrfs_drop_extent_map_range() is called, as an fsync locks
+the inode in exclusive mode, locks the inode's mmap semaphore in exclusive
+mode too and it always flushes all delalloc.
+
+Also add a comment about why we clear EXTENT_FLAG_LOGGING on a copy of the
+flags of the split extent map.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://lore.kernel.org/linux-btrfs/Y%2FyipSVozUDEZKow@kili/
+Fixes: db21370bffbc ("btrfs: drop extent map range more efficiently")
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent_map.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/extent_map.c b/fs/btrfs/extent_map.c
+index 6092a4eedc923..b8ae02aa632e3 100644
+--- a/fs/btrfs/extent_map.c
++++ b/fs/btrfs/extent_map.c
+@@ -760,7 +760,13 @@ void btrfs_drop_extent_map_range(struct btrfs_inode *inode, u64 start, u64 end,
+                       goto next;
+               }
++              flags = em->flags;
+               clear_bit(EXTENT_FLAG_PINNED, &em->flags);
++              /*
++               * In case we split the extent map, we want to preserve the
++               * EXTENT_FLAG_LOGGING flag on our extent map, but we don't want
++               * it on the new extent maps.
++               */
+               clear_bit(EXTENT_FLAG_LOGGING, &flags);
+               modified = !list_empty(&em->list);
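Review bot: `flags = em->flags` now runs before `clear_bit(EXTENT_FLAG_PINNED, &em->flags)`, whereas the assignment removed in the second hunk ran after it, so the copy used for the split extent maps can now carry EXTENT_FLAG_PINNED when `em` had it set. The commit message and the new comment discuss only EXTENT_FLAG_LOGGING. If inheriting PINNED is intended, the comment should say so; if not, taking the copy one line later (`clear_bit(EXTENT_FLAG_PINNED, &em->flags);` then `flags = em->flags;`) keeps the initialisation fix without that side effect. The loop in btrfs_drop_extent_map_range() starts and ends outside the hunk.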
+@@ -771,7 +777,6 @@ void btrfs_drop_extent_map_range(struct btrfs_inode *inode, u64 start, u64 end,
+               if (em->start >= start && em_end <= end)
+                       goto remove_em;
+-              flags = em->flags;
+               gen = em->generation;
+               compressed = test_bit(EXTENT_FLAG_COMPRESSED, &em->flags);
+-- 
+2.39.2
+
diff --git a/queue-6.1/bus-mhi-ep-change-state_lock-to-mutex.patch b/queue-6.1/bus-mhi-ep-change-state_lock-to-mutex.patch
new file mode 100644 (file)
index 0000000..8781cb6
--- /dev/null
@@ -0,0 +1,210 @@
+From ca1fb2dad4ed43e57a052e9aab6c587bdc208ea5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jan 2023 12:59:45 +0530
+Subject: bus: mhi: ep: Change state_lock to mutex
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+[ Upstream commit 1ddc7618294084fff8d673217a9479550990ee84 ]
+
+state_lock, the spinlock type is meant to protect race against concurrent
+MHI state transitions. In mhi_ep_set_m0_state(), while the state_lock is
+being held, the channels are resumed in mhi_ep_resume_channels() if the
+previous state was M3. This causes sleeping in atomic bug, since
+mhi_ep_resume_channels() use mutex internally.
+
+Since the state_lock is supposed to be held throughout the state change,
+it is not ideal to drop the lock before calling mhi_ep_resume_channels().
+So to fix this issue, let's change the type of state_lock to mutex. This
+would also allow holding the lock throughout all state transitions thereby
+avoiding any potential race.
+
+Cc: <stable@vger.kernel.org> # 5.19
+Fixes: e4b7b5f0f30a ("bus: mhi: ep: Add support for suspending and resuming channels")
+Reported-by: Dan Carpenter <error27@gmail.com>
+Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/mhi/ep/main.c |  8 +++++---
+ drivers/bus/mhi/ep/sm.c   | 42 ++++++++++++++++++++++-----------------
+ include/linux/mhi_ep.h    |  4 ++--
+ 3 files changed, 31 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/bus/mhi/ep/main.c b/drivers/bus/mhi/ep/main.c
+index b06548005985c..edd153dda40c0 100644
+--- a/drivers/bus/mhi/ep/main.c
++++ b/drivers/bus/mhi/ep/main.c
+@@ -994,11 +994,11 @@ static void mhi_ep_reset_worker(struct work_struct *work)
+       mhi_ep_power_down(mhi_cntrl);
+-      spin_lock_bh(&mhi_cntrl->state_lock);
++      mutex_lock(&mhi_cntrl->state_lock);
++
+       /* Reset MMIO to signal host that the MHI_RESET is completed in endpoint */
+       mhi_ep_mmio_reset(mhi_cntrl);
+       cur_state = mhi_cntrl->mhi_state;
+-      spin_unlock_bh(&mhi_cntrl->state_lock);
+       /*
+        * Only proceed further if the reset is due to SYS_ERR. The host will
+@@ -1007,6 +1007,8 @@ static void mhi_ep_reset_worker(struct work_struct *work)
+        */
+       if (cur_state == MHI_STATE_SYS_ERR)
+               mhi_ep_power_up(mhi_cntrl);
++
++      mutex_unlock(&mhi_cntrl->state_lock);
+ }
+ /*
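Review bot: mhi_ep_reset_worker() now calls mhi_ep_power_up() with `state_lock` held, and a mutex is not recursive. mhi_ep_power_up() is not visible here, but the companion patch in this series shows it replacing a sequence that called mhi_ep_set_ready_state(), which this patch makes take `mutex_lock(&mhi_cntrl->state_lock)`; if power-up still goes through that function, the worker would block on itself in the SYS_ERR recovery path. The same question applies to mhi_ep_handle_syserr(), which mhi_ep_set_m0_state(), mhi_ep_set_m3_state() and mhi_ep_set_ready_state() now call before unlocking. Either drop the lock before these calls, or add `lockdep_assert_held(&mhi_cntrl->state_lock);` to the helpers that expect the lock so the contract is checked.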
+@@ -1379,8 +1381,8 @@ int mhi_ep_register_controller(struct mhi_ep_cntrl *mhi_cntrl,
+       INIT_LIST_HEAD(&mhi_cntrl->st_transition_list);
+       INIT_LIST_HEAD(&mhi_cntrl->ch_db_list);
+-      spin_lock_init(&mhi_cntrl->state_lock);
+       spin_lock_init(&mhi_cntrl->list_lock);
++      mutex_init(&mhi_cntrl->state_lock);
+       mutex_init(&mhi_cntrl->event_lock);
+       /* Set MHI version and AMSS EE before enumeration */
+diff --git a/drivers/bus/mhi/ep/sm.c b/drivers/bus/mhi/ep/sm.c
+index 3655c19e23c7b..fd200b2ac0bb2 100644
+--- a/drivers/bus/mhi/ep/sm.c
++++ b/drivers/bus/mhi/ep/sm.c
+@@ -63,24 +63,23 @@ int mhi_ep_set_m0_state(struct mhi_ep_cntrl *mhi_cntrl)
+       int ret;
+       /* If MHI is in M3, resume suspended channels */
+-      spin_lock_bh(&mhi_cntrl->state_lock);
++      mutex_lock(&mhi_cntrl->state_lock);
++
+       old_state = mhi_cntrl->mhi_state;
+       if (old_state == MHI_STATE_M3)
+               mhi_ep_resume_channels(mhi_cntrl);
+       ret = mhi_ep_set_mhi_state(mhi_cntrl, MHI_STATE_M0);
+-      spin_unlock_bh(&mhi_cntrl->state_lock);
+-
+       if (ret) {
+               mhi_ep_handle_syserr(mhi_cntrl);
+-              return ret;
++              goto err_unlock;
+       }
+       /* Signal host that the device moved to M0 */
+       ret = mhi_ep_send_state_change_event(mhi_cntrl, MHI_STATE_M0);
+       if (ret) {
+               dev_err(dev, "Failed sending M0 state change event\n");
+-              return ret;
++              goto err_unlock;
+       }
+       if (old_state == MHI_STATE_READY) {
+@@ -88,11 +87,14 @@ int mhi_ep_set_m0_state(struct mhi_ep_cntrl *mhi_cntrl)
+               ret = mhi_ep_send_ee_event(mhi_cntrl, MHI_EE_AMSS);
+               if (ret) {
+                       dev_err(dev, "Failed sending AMSS EE event\n");
+-                      return ret;
++                      goto err_unlock;
+               }
+       }
+-      return 0;
++err_unlock:
++      mutex_unlock(&mhi_cntrl->state_lock);
++
++      return ret;
+ }
+ int mhi_ep_set_m3_state(struct mhi_ep_cntrl *mhi_cntrl)
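Review bot: The label `err_unlock` is also reached on the success path of mhi_ep_set_m0_state(), where `ret` is 0, so its name suggests an error exit that it is not. Naming it `out_unlock` (`goto out_unlock;` and `out_unlock:`) describes what the code does; the same applies to the labels added in mhi_ep_set_m3_state() and mhi_ep_set_ready_state().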
+@@ -100,13 +102,12 @@ int mhi_ep_set_m3_state(struct mhi_ep_cntrl *mhi_cntrl)
+       struct device *dev = &mhi_cntrl->mhi_dev->dev;
+       int ret;
+-      spin_lock_bh(&mhi_cntrl->state_lock);
+-      ret = mhi_ep_set_mhi_state(mhi_cntrl, MHI_STATE_M3);
+-      spin_unlock_bh(&mhi_cntrl->state_lock);
++      mutex_lock(&mhi_cntrl->state_lock);
++      ret = mhi_ep_set_mhi_state(mhi_cntrl, MHI_STATE_M3);
+       if (ret) {
+               mhi_ep_handle_syserr(mhi_cntrl);
+-              return ret;
++              goto err_unlock;
+       }
+       mhi_ep_suspend_channels(mhi_cntrl);
+@@ -115,10 +116,13 @@ int mhi_ep_set_m3_state(struct mhi_ep_cntrl *mhi_cntrl)
+       ret = mhi_ep_send_state_change_event(mhi_cntrl, MHI_STATE_M3);
+       if (ret) {
+               dev_err(dev, "Failed sending M3 state change event\n");
+-              return ret;
++              goto err_unlock;
+       }
+-      return 0;
++err_unlock:
++      mutex_unlock(&mhi_cntrl->state_lock);
++
++      return ret;
+ }
+ int mhi_ep_set_ready_state(struct mhi_ep_cntrl *mhi_cntrl)
+@@ -127,22 +131,24 @@ int mhi_ep_set_ready_state(struct mhi_ep_cntrl *mhi_cntrl)
+       enum mhi_state mhi_state;
+       int ret, is_ready;
+-      spin_lock_bh(&mhi_cntrl->state_lock);
++      mutex_lock(&mhi_cntrl->state_lock);
++
+       /* Ensure that the MHISTATUS is set to RESET by host */
+       mhi_state = mhi_ep_mmio_masked_read(mhi_cntrl, EP_MHISTATUS, MHISTATUS_MHISTATE_MASK);
+       is_ready = mhi_ep_mmio_masked_read(mhi_cntrl, EP_MHISTATUS, MHISTATUS_READY_MASK);
+       if (mhi_state != MHI_STATE_RESET || is_ready) {
+               dev_err(dev, "READY state transition failed. MHI host not in RESET state\n");
+-              spin_unlock_bh(&mhi_cntrl->state_lock);
+-              return -EIO;
++              ret = -EIO;
++              goto err_unlock;
+       }
+       ret = mhi_ep_set_mhi_state(mhi_cntrl, MHI_STATE_READY);
+-      spin_unlock_bh(&mhi_cntrl->state_lock);
+-
+       if (ret)
+               mhi_ep_handle_syserr(mhi_cntrl);
++err_unlock:
++      mutex_unlock(&mhi_cntrl->state_lock);
++
+       return ret;
+ }
+diff --git a/include/linux/mhi_ep.h b/include/linux/mhi_ep.h
+index 478aece170462..f198a8ac7ee72 100644
+--- a/include/linux/mhi_ep.h
++++ b/include/linux/mhi_ep.h
+@@ -70,8 +70,8 @@ struct mhi_ep_db_info {
+  * @cmd_ctx_cache_phys: Physical address of the host command context cache
+  * @chdb: Array of channel doorbell interrupt info
+  * @event_lock: Lock for protecting event rings
+- * @list_lock: Lock for protecting state transition and channel doorbell lists
+  * @state_lock: Lock for protecting state transitions
++ * @list_lock: Lock for protecting state transition and channel doorbell lists
+  * @st_transition_list: List of state transitions
+  * @ch_db_list: List of queued channel doorbells
+  * @wq: Dedicated workqueue for handling rings and state changes
+@@ -117,8 +117,8 @@ struct mhi_ep_cntrl {
+       struct mhi_ep_db_info chdb[4];
+       struct mutex event_lock;
++      struct mutex state_lock;
+       spinlock_t list_lock;
+-      spinlock_t state_lock;
+       struct list_head st_transition_list;
+       struct list_head ch_db_list;
+-- 
+2.39.2
+
diff --git a/queue-6.1/bus-mhi-ep-power-up-down-mhi-stack-during-mhi-reset.patch b/queue-6.1/bus-mhi-ep-power-up-down-mhi-stack-during-mhi-reset.patch
new file mode 100644 (file)
index 0000000..3029d23
--- /dev/null
@@ -0,0 +1,91 @@
+From f5108d175535437ee2d23ee174dbdecb6c8d3fae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Dec 2022 21:46:59 +0530
+Subject: bus: mhi: ep: Power up/down MHI stack during MHI RESET
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+[ Upstream commit 47a1dcaea07367c84238e71c08244ae3ed48c1cc ]
+
+During graceful shutdown scenario, host will issue MHI RESET to the
+endpoint device before initiating shutdown. In that case, it makes sense
+to completely power down the MHI stack as sooner or later the access to
+MMIO registers will be prohibited. Also, the stack needs to be powered
+up in the case of SYS_ERR to recover the device.
+
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Link: https://lore.kernel.org/r/20221228161704.255268-2-manivannan.sadhasivam@linaro.org
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Stable-dep-of: 1ddc76182940 ("bus: mhi: ep: Change state_lock to mutex")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/mhi/ep/main.c | 35 +++++++----------------------------
+ 1 file changed, 7 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/bus/mhi/ep/main.c b/drivers/bus/mhi/ep/main.c
+index 357c61c12ce5b..b06548005985c 100644
+--- a/drivers/bus/mhi/ep/main.c
++++ b/drivers/bus/mhi/ep/main.c
+@@ -990,11 +990,9 @@ static void mhi_ep_abort_transfer(struct mhi_ep_cntrl *mhi_cntrl)
+ static void mhi_ep_reset_worker(struct work_struct *work)
+ {
+       struct mhi_ep_cntrl *mhi_cntrl = container_of(work, struct mhi_ep_cntrl, reset_work);
+-      struct device *dev = &mhi_cntrl->mhi_dev->dev;
+       enum mhi_state cur_state;
+-      int ret;
+-      mhi_ep_abort_transfer(mhi_cntrl);
++      mhi_ep_power_down(mhi_cntrl);
+       spin_lock_bh(&mhi_cntrl->state_lock);
+       /* Reset MMIO to signal host that the MHI_RESET is completed in endpoint */
+@@ -1007,27 +1005,8 @@ static void mhi_ep_reset_worker(struct work_struct *work)
+        * issue reset during shutdown also and we don't need to do re-init in
+        * that case.
+        */
+-      if (cur_state == MHI_STATE_SYS_ERR) {
+-              mhi_ep_mmio_init(mhi_cntrl);
+-
+-              /* Set AMSS EE before signaling ready state */
+-              mhi_ep_mmio_set_env(mhi_cntrl, MHI_EE_AMSS);
+-
+-              /* All set, notify the host that we are ready */
+-              ret = mhi_ep_set_ready_state(mhi_cntrl);
+-              if (ret)
+-                      return;
+-
+-              dev_dbg(dev, "READY state notification sent to the host\n");
+-
+-              ret = mhi_ep_enable(mhi_cntrl);
+-              if (ret) {
+-                      dev_err(dev, "Failed to enable MHI endpoint: %d\n", ret);
+-                      return;
+-              }
+-
+-              enable_irq(mhi_cntrl->irq);
+-      }
++      if (cur_state == MHI_STATE_SYS_ERR)
++              mhi_ep_power_up(mhi_cntrl);
+ }
+ /*
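Review bot: The SYS_ERR recovery branch now discards whatever mhi_ep_power_up() reports, while the code it replaces logged `Failed to enable MHI endpoint` through dev_err(); `dev` and `ret` are both removed from the function. If mhi_ep_power_up() returns a status (its definition is outside the hunk), a failed recovery leaves the endpoint down with no trace in the log unless the callee logs it itself. Keeping the result and reporting it, for example `ret = mhi_ep_power_up(mhi_cntrl);` followed by `if (ret) dev_err(&mhi_cntrl->mhi_dev->dev, "Failed to power up MHI endpoint: %d\n", ret);`, would preserve that signal for whoever investigates the reset.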
+@@ -1106,11 +1085,11 @@ EXPORT_SYMBOL_GPL(mhi_ep_power_up);
+ void mhi_ep_power_down(struct mhi_ep_cntrl *mhi_cntrl)
+ {
+-      if (mhi_cntrl->enabled)
++      if (mhi_cntrl->enabled) {
+               mhi_ep_abort_transfer(mhi_cntrl);
+-
+-      kfree(mhi_cntrl->mhi_event);
+-      disable_irq(mhi_cntrl->irq);
++              kfree(mhi_cntrl->mhi_event);
++              disable_irq(mhi_cntrl->irq);
++      }
+ }
+ EXPORT_SYMBOL_GPL(mhi_ep_power_down);
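Review bot: mhi_ep_power_down() frees `mhi_cntrl->mhi_event` but leaves the pointer in place, and after this patch the function also runs from the reset worker in addition to its exported callers. Whether a second call can still see `enabled` set depends on mhi_ep_abort_transfer(), which is not visible here; if it can, the same pointer is freed twice. Adding `mhi_cntrl->mhi_event = NULL;` after the `kfree()` makes a repeated call harmless.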
+-- 
+2.39.2
+
diff --git a/queue-6.1/cifs-improve-checking-of-dfs-links-over-status_objec.patch b/queue-6.1/cifs-improve-checking-of-dfs-links-over-status_objec.patch
new file mode 100644 (file)
index 0000000..20156b7
--- /dev/null
@@ -0,0 +1,243 @@
+From bee40ea5662925f67ca21757bdad9b714d7106bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Feb 2023 19:01:54 -0300
+Subject: cifs: improve checking of DFS links over STATUS_OBJECT_NAME_INVALID
+
+From: Paulo Alcantara <pc@manguebit.com>
+
+[ Upstream commit b9ee2e307c6b06384b6f9e393a9b8e048e8fc277 ]
+
+Do not map STATUS_OBJECT_NAME_INVALID to -EREMOTE under non-DFS
+shares, or 'nodfs' mounts or CONFIG_CIFS_DFS_UPCALL=n builds.
+Otherwise, in the slow path, get a referral to figure out whether it
+is an actual DFS link.
+
+This could be simply reproduced under a non-DFS share by running the
+following
+
+  $ mount.cifs //srv/share /mnt -o ...
+  $ cat /mnt/$(printf '\U110000')
+  cat: '/mnt/'$'\364\220\200\200': Object is remote
+
+Fixes: c877ce47e137 ("cifs: reduce roundtrips on create/qinfo requests")
+CC: stable@vger.kernel.org # 6.2
+Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/cifsproto.h | 20 ++++++++++----
+ fs/cifs/misc.c      | 67 +++++++++++++++++++++++++++++++++++++++++++++
+ fs/cifs/smb2inode.c | 21 +++++++-------
+ fs/cifs/smb2ops.c   | 23 +++++++++-------
+ 4 files changed, 106 insertions(+), 25 deletions(-)
+
+diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h
+index eb1a0de9dd553..bc4475f6c0827 100644
+--- a/fs/cifs/cifsproto.h
++++ b/fs/cifs/cifsproto.h
+@@ -664,11 +664,21 @@ static inline int get_dfs_path(const unsigned int xid, struct cifs_ses *ses,
+ int match_target_ip(struct TCP_Server_Info *server,
+                   const char *share, size_t share_len,
+                   bool *result);
+-
+-int cifs_dfs_query_info_nonascii_quirk(const unsigned int xid,
+-                                     struct cifs_tcon *tcon,
+-                                     struct cifs_sb_info *cifs_sb,
+-                                     const char *dfs_link_path);
++int cifs_inval_name_dfs_link_error(const unsigned int xid,
++                                 struct cifs_tcon *tcon,
++                                 struct cifs_sb_info *cifs_sb,
++                                 const char *full_path,
++                                 bool *islink);
++#else
++static inline int cifs_inval_name_dfs_link_error(const unsigned int xid,
++                                 struct cifs_tcon *tcon,
++                                 struct cifs_sb_info *cifs_sb,
++                                 const char *full_path,
++                                 bool *islink)
++{
++      *islink = false;
++      return 0;
++}
+ #endif
+ static inline int cifs_create_options(struct cifs_sb_info *cifs_sb, int options)
+diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
+index 062175994e879..4e54736a06996 100644
+--- a/fs/cifs/misc.c
++++ b/fs/cifs/misc.c
+@@ -21,6 +21,7 @@
+ #include "cifsfs.h"
+ #ifdef CONFIG_CIFS_DFS_UPCALL
+ #include "dns_resolve.h"
++#include "dfs_cache.h"
+ #endif
+ #include "fs_context.h"
+ #include "cached_dir.h"
+@@ -1314,4 +1315,70 @@ int cifs_update_super_prepath(struct cifs_sb_info *cifs_sb, char *prefix)
+       cifs_sb->mnt_cifs_flags |= CIFS_MOUNT_USE_PREFIX_PATH;
+       return 0;
+ }
++
++/*
++ * Handle weird Windows SMB server behaviour. It responds with
++ * STATUS_OBJECT_NAME_INVALID code to SMB2 QUERY_INFO request for
++ * "\<server>\<dfsname>\<linkpath>" DFS reference, where <dfsname> contains
++ * non-ASCII unicode symbols.
++ */
++int cifs_inval_name_dfs_link_error(const unsigned int xid,
++                                 struct cifs_tcon *tcon,
++                                 struct cifs_sb_info *cifs_sb,
++                                 const char *full_path,
++                                 bool *islink)
++{
++      struct cifs_ses *ses = tcon->ses;
++      size_t len;
++      char *path;
++      char *ref_path;
++
++      *islink = false;
++
++      /*
++       * Fast path - skip check when @full_path doesn't have a prefix path to
++       * look up or tcon is not DFS.
++       */
++      if (strlen(full_path) < 2 || !cifs_sb ||
++          (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_DFS) ||
++          !is_tcon_dfs(tcon) || !ses->server->origin_fullpath)
++              return 0;
++
++      /*
++       * Slow path - tcon is DFS and @full_path has prefix path, so attempt
++       * to get a referral to figure out whether it is an DFS link.
++       */
++      len = strnlen(tcon->tree_name, MAX_TREE_SIZE + 1) + strlen(full_path) + 1;
++      path = kmalloc(len, GFP_KERNEL);
++      if (!path)
++              return -ENOMEM;
++
++      scnprintf(path, len, "%s%s", tcon->tree_name, full_path);
++      ref_path = dfs_cache_canonical_path(path + 1, cifs_sb->local_nls,
++                                          cifs_remap(cifs_sb));
++      kfree(path);
++
++      if (IS_ERR(ref_path)) {
++              if (PTR_ERR(ref_path) != -EINVAL)
++                      return PTR_ERR(ref_path);
++      } else {
++              struct dfs_info3_param *refs = NULL;
++              int num_refs = 0;
++
++              /*
++               * XXX: we are not using dfs_cache_find() here because we might
++               * end filling all the DFS cache and thus potentially
++               * removing cached DFS targets that the client would eventually
++               * need during failover.
++               */
++              if (ses->server->ops->get_dfs_refer &&
++                  !ses->server->ops->get_dfs_refer(xid, ses, ref_path, &refs,
++                                                   &num_refs, cifs_sb->local_nls,
++                                                   cifs_remap(cifs_sb)))
++                      *islink = refs[0].server_type == DFS_TYPE_LINK;
++              free_dfs_info_array(refs, num_refs);
++              kfree(ref_path);
++      }
++      return 0;
++}
+ #endif
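Review bot: In cifs_inval_name_dfs_link_error(), `refs[0].server_type` is read as soon as get_dfs_refer() returns 0, without checking that `refs` is non-NULL or that `num_refs` is at least 1. The referral list is built from the server's reply, and whether every get_dfs_refer implementation rejects an empty list is not visible in this hunk, so I would not rely on that here. Extending the condition with `&& refs && num_refs > 0` keeps `*islink` false for an empty reply, and `free_dfs_info_array(refs, num_refs)` still runs afterwards. The header comment could also say that a return of 0 with `*islink == false` covers the `-EINVAL` result from dfs_cache_canonical_path().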
+diff --git a/fs/cifs/smb2inode.c b/fs/cifs/smb2inode.c
+index e1491440e8f1f..442718cf61b86 100644
+--- a/fs/cifs/smb2inode.c
++++ b/fs/cifs/smb2inode.c
+@@ -511,12 +511,13 @@ int smb2_query_path_info(const unsigned int xid, struct cifs_tcon *tcon,
+                        struct cifs_sb_info *cifs_sb, const char *full_path,
+                        struct cifs_open_info_data *data, bool *adjust_tz, bool *reparse)
+ {
+-      int rc;
+       __u32 create_options = 0;
+       struct cifsFileInfo *cfile;
+       struct cached_fid *cfid = NULL;
+       struct kvec err_iov[3] = {};
+       int err_buftype[3] = {};
++      bool islink;
++      int rc, rc2;
+       *adjust_tz = false;
+       *reparse = false;
+@@ -563,15 +564,15 @@ int smb2_query_path_info(const unsigned int xid, struct cifs_tcon *tcon,
+                                             create_options, ACL_NO_MODE, data,
+                                             SMB2_OP_QUERY_INFO, cfile, NULL, NULL);
+                       goto out;
+-              } else if (rc != -EREMOTE && IS_ENABLED(CONFIG_CIFS_DFS_UPCALL) &&
+-                         hdr->Status == STATUS_OBJECT_NAME_INVALID) {
+-                      /*
+-                       * Handle weird Windows SMB server behaviour. It responds with
+-                       * STATUS_OBJECT_NAME_INVALID code to SMB2 QUERY_INFO request
+-                       * for "\<server>\<dfsname>\<linkpath>" DFS reference,
+-                       * where <dfsname> contains non-ASCII unicode symbols.
+-                       */
+-                      rc = -EREMOTE;
++              } else if (rc != -EREMOTE && hdr->Status == STATUS_OBJECT_NAME_INVALID) {
++                      rc2 = cifs_inval_name_dfs_link_error(xid, tcon, cifs_sb,
++                                                           full_path, &islink);
++                      if (rc2) {
++                              rc = rc2;
++                              goto out;
++                      }
++                      if (islink)
++                              rc = -EREMOTE;
+               }
+               if (rc == -EREMOTE && IS_ENABLED(CONFIG_CIFS_DFS_UPCALL) && cifs_sb &&
+                   (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_DFS))
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 6da495f593e17..0424876d22e5a 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -796,7 +796,6 @@ static int
+ smb2_is_path_accessible(const unsigned int xid, struct cifs_tcon *tcon,
+                       struct cifs_sb_info *cifs_sb, const char *full_path)
+ {
+-      int rc;
+       __le16 *utf16_path;
+       __u8 oplock = SMB2_OPLOCK_LEVEL_NONE;
+       int err_buftype = CIFS_NO_BUFFER;
+@@ -804,6 +803,8 @@ smb2_is_path_accessible(const unsigned int xid, struct cifs_tcon *tcon,
+       struct kvec err_iov = {};
+       struct cifs_fid fid;
+       struct cached_fid *cfid;
++      bool islink;
++      int rc, rc2;
+       rc = open_cached_dir(xid, tcon, full_path, cifs_sb, true, &cfid);
+       if (!rc) {
+@@ -833,15 +834,17 @@ smb2_is_path_accessible(const unsigned int xid, struct cifs_tcon *tcon,
+               if (unlikely(!hdr || err_buftype == CIFS_NO_BUFFER))
+                       goto out;
+-              /*
+-               * Handle weird Windows SMB server behaviour. It responds with
+-               * STATUS_OBJECT_NAME_INVALID code to SMB2 QUERY_INFO request
+-               * for "\<server>\<dfsname>\<linkpath>" DFS reference,
+-               * where <dfsname> contains non-ASCII unicode symbols.
+-               */
+-              if (rc != -EREMOTE && IS_ENABLED(CONFIG_CIFS_DFS_UPCALL) &&
+-                  hdr->Status == STATUS_OBJECT_NAME_INVALID)
+-                      rc = -EREMOTE;
++
++              if (rc != -EREMOTE && hdr->Status == STATUS_OBJECT_NAME_INVALID) {
++                      rc2 = cifs_inval_name_dfs_link_error(xid, tcon, cifs_sb,
++                                                           full_path, &islink);
++                      if (rc2) {
++                              rc = rc2;
++                              goto out;
++                      }
++                      if (islink)
++                              rc = -EREMOTE;
++              }
+               if (rc == -EREMOTE && IS_ENABLED(CONFIG_CIFS_DFS_UPCALL) && cifs_sb &&
+                   (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_DFS))
+                       rc = -EOPNOTSUPP;
+-- 
+2.39.2
+
diff --git a/queue-6.1/drm-amdgpu-fix-return-value-check-in-kfd.patch b/queue-6.1/drm-amdgpu-fix-return-value-check-in-kfd.patch
new file mode 100644 (file)
index 0000000..b28e007
--- /dev/null
@@ -0,0 +1,41 @@
+From b61f0eae99eb665c32d6825af8c802a0ec0d3c60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 15:42:28 +0100
+Subject: drm/amdgpu: fix return value check in kfd
+
+From: Shashank Sharma <shashank.sharma@amd.com>
+
+[ Upstream commit 20534dbcc7b7bfb447279cdcfb0d88ee3b779a18 ]
+
+This patch fixes a return value check in kfd doorbell handling.
+This function should return 0(error) only when the ida_simple_get
+returns < 0(error), return > 0 is a success case.
+
+Cc: Felix Kuehling <Felix.Kuehling@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Fixes: 16f0013157bf ("drm/amdkfd: Allocate doorbells only when needed")
+Acked-by: Christian Koenig <chriatian.koenig@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Shashank Sharma <shashank.sharma@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_doorbell.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_doorbell.c b/drivers/gpu/drm/amd/amdkfd/kfd_doorbell.c
+index cd4e61bf04939..3ac599f74fea8 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_doorbell.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_doorbell.c
+@@ -280,7 +280,7 @@ phys_addr_t kfd_get_process_doorbells(struct kfd_process_device *pdd)
+       if (!pdd->doorbell_index) {
+               int r = kfd_alloc_process_doorbells(pdd->dev,
+                                                   &pdd->doorbell_index);
+-              if (r)
++              if (r < 0)
+                       return 0;
+       }
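Review bot: With the check now `r < 0`, a return of 0 from kfd_alloc_process_doorbells() is treated as success, and the call site mixes two conventions: a negative value means failure for the allocator, while 0 means failure for kfd_get_process_doorbells() itself. The commit message says positive values are the success case, but whether 0 can occur is not visible in this hunk. A comment above the check would pin this down, for example `/* negative errno on failure; on success pdd->doorbell_index is set */`, adjusted to the allocator's actual contract. The function continues outside the hunk.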
+-- 
+2.39.2
+
diff --git a/queue-6.1/drm-i915-do-panel-vbt-init-early-if-the-vbt-declares.patch b/queue-6.1/drm-i915-do-panel-vbt-init-early-if-the-vbt-declares.patch
new file mode 100644 (file)
index 0000000..ac4ca5e
--- /dev/null
@@ -0,0 +1,296 @@
+From b351a8764573e3d182e037a38df52b8f3c9bb892 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 19:31:49 +0200
+Subject: drm/i915: Do panel VBT init early if the VBT declares an explicit
+ panel type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+[ Upstream commit 3f9ffce5765d68775163b8b134c4d7f156b48eec ]
+
+Lots of ADL machines out there with bogus VBTs that declare
+two eDP child devices. In order for those to work we need to
+figure out which power sequencer to use before we try the EDID
+read. So let's do the panel VBT init early if we can, falling
+back to the post-EDID init otherwise.
+
+The post-EDID init panel_type=0xff approach of assuming the
+power sequencer should already be enabled doesn't really work
+with multiple eDP panels, and currently we just end up using
+the same power sequencer for both eDP ports, which at least
+confuses the wakeref tracking, and potentially also causes us
+to toggle the VDD for the panel when we should not.
+
+Cc: Animesh Manna <animesh.manna@intel.com>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221125173156.31689-3-ville.syrjala@linux.intel.com
+Stable-dep-of: 14e591a1930c ("drm/i915: Populate encoder->devdata for DSI on icl+")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/icl_dsi.c        |  2 +-
+ drivers/gpu/drm/i915/display/intel_bios.c     | 56 ++++++++++++++-----
+ drivers/gpu/drm/i915/display/intel_bios.h     | 11 ++--
+ .../drm/i915/display/intel_display_types.h    |  2 +-
+ drivers/gpu/drm/i915/display/intel_dp.c       |  7 ++-
+ drivers/gpu/drm/i915/display/intel_lvds.c     |  4 +-
+ drivers/gpu/drm/i915/display/intel_panel.c    |  1 +
+ drivers/gpu/drm/i915/display/intel_sdvo.c     |  2 +-
+ drivers/gpu/drm/i915/display/vlv_dsi.c        |  2 +-
+ 9 files changed, 61 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/icl_dsi.c b/drivers/gpu/drm/i915/display/icl_dsi.c
+index ed4d93942dbd2..34b3ff967a272 100644
+--- a/drivers/gpu/drm/i915/display/icl_dsi.c
++++ b/drivers/gpu/drm/i915/display/icl_dsi.c
+@@ -2053,7 +2053,7 @@ void icl_dsi_init(struct drm_i915_private *dev_priv)
+       /* attach connector to encoder */
+       intel_connector_attach_encoder(intel_connector, encoder);
+-      intel_bios_init_panel(dev_priv, &intel_connector->panel, NULL, NULL);
++      intel_bios_init_panel_late(dev_priv, &intel_connector->panel, NULL, NULL);
+       mutex_lock(&dev->mode_config.mutex);
+       intel_panel_add_vbt_lfp_fixed_mode(intel_connector);
+diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
+index 178a8cbb75838..2378a2a48716e 100644
+--- a/drivers/gpu/drm/i915/display/intel_bios.c
++++ b/drivers/gpu/drm/i915/display/intel_bios.c
+@@ -620,14 +620,14 @@ static void dump_pnp_id(struct drm_i915_private *i915,
+ static int opregion_get_panel_type(struct drm_i915_private *i915,
+                                  const struct intel_bios_encoder_data *devdata,
+-                                 const struct edid *edid)
++                                 const struct edid *edid, bool use_fallback)
+ {
+       return intel_opregion_get_panel_type(i915);
+ }
+ static int vbt_get_panel_type(struct drm_i915_private *i915,
+                             const struct intel_bios_encoder_data *devdata,
+-                            const struct edid *edid)
++                            const struct edid *edid, bool use_fallback)
+ {
+       const struct bdb_lvds_options *lvds_options;
+@@ -652,7 +652,7 @@ static int vbt_get_panel_type(struct drm_i915_private *i915,
+ static int pnpid_get_panel_type(struct drm_i915_private *i915,
+                               const struct intel_bios_encoder_data *devdata,
+-                              const struct edid *edid)
++                              const struct edid *edid, bool use_fallback)
+ {
+       const struct bdb_lvds_lfp_data *data;
+       const struct bdb_lvds_lfp_data_ptrs *ptrs;
+@@ -701,9 +701,9 @@ static int pnpid_get_panel_type(struct drm_i915_private *i915,
+ static int fallback_get_panel_type(struct drm_i915_private *i915,
+                                  const struct intel_bios_encoder_data *devdata,
+-                                 const struct edid *edid)
++                                 const struct edid *edid, bool use_fallback)
+ {
+-      return 0;
++      return use_fallback ? 0 : -1;
+ }
+ enum panel_type {
+@@ -715,13 +715,13 @@ enum panel_type {
+ static int get_panel_type(struct drm_i915_private *i915,
+                         const struct intel_bios_encoder_data *devdata,
+-                        const struct edid *edid)
++                        const struct edid *edid, bool use_fallback)
+ {
+       struct {
+               const char *name;
+               int (*get_panel_type)(struct drm_i915_private *i915,
+                                     const struct intel_bios_encoder_data *devdata,
+-                                    const struct edid *edid);
++                                    const struct edid *edid, bool use_fallback);
+               int panel_type;
+       } panel_types[] = {
+               [PANEL_TYPE_OPREGION] = {
+@@ -744,7 +744,8 @@ static int get_panel_type(struct drm_i915_private *i915,
+       int i;
+       for (i = 0; i < ARRAY_SIZE(panel_types); i++) {
+-              panel_types[i].panel_type = panel_types[i].get_panel_type(i915, devdata, edid);
++              panel_types[i].panel_type = panel_types[i].get_panel_type(i915, devdata,
++                                                                        edid, use_fallback);
+               drm_WARN_ON(&i915->drm, panel_types[i].panel_type > 0xf &&
+                           panel_types[i].panel_type != 0xff);
+@@ -3191,14 +3192,26 @@ void intel_bios_init(struct drm_i915_private *i915)
+       kfree(oprom_vbt);
+ }
+-void intel_bios_init_panel(struct drm_i915_private *i915,
+-                         struct intel_panel *panel,
+-                         const struct intel_bios_encoder_data *devdata,
+-                         const struct edid *edid)
++static void intel_bios_init_panel(struct drm_i915_private *i915,
++                                struct intel_panel *panel,
++                                const struct intel_bios_encoder_data *devdata,
++                                const struct edid *edid,
++                                bool use_fallback)
+ {
+-      init_vbt_panel_defaults(panel);
++      /* already have it? */
++      if (panel->vbt.panel_type >= 0) {
++              drm_WARN_ON(&i915->drm, !use_fallback);
++              return;
++      }
+-      panel->vbt.panel_type = get_panel_type(i915, devdata, edid);
++      panel->vbt.panel_type = get_panel_type(i915, devdata,
++                                             edid, use_fallback);
++      if (panel->vbt.panel_type < 0) {
++              drm_WARN_ON(&i915->drm, use_fallback);
++              return;
++      }
++
++      init_vbt_panel_defaults(panel);
+       parse_panel_options(i915, panel);
+       parse_generic_dtd(i915, panel);
+@@ -3213,6 +3226,21 @@ void intel_bios_init_panel(struct drm_i915_private *i915,
+       parse_mipi_sequence(i915, panel);
+ }
++void intel_bios_init_panel_early(struct drm_i915_private *i915,
++                               struct intel_panel *panel,
++                               const struct intel_bios_encoder_data *devdata)
++{
++      intel_bios_init_panel(i915, panel, devdata, NULL, false);
++}
++
++void intel_bios_init_panel_late(struct drm_i915_private *i915,
++                              struct intel_panel *panel,
++                              const struct intel_bios_encoder_data *devdata,
++                              const struct edid *edid)
++{
++      intel_bios_init_panel(i915, panel, devdata, edid, true);
++}
++
+ /**
+  * intel_bios_driver_remove - Free any resources allocated by intel_bios_init()
+  * @i915: i915 device instance
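Review bot: intel_bios_init_panel_early() and intel_bios_init_panel_late() are added as non-static entry points with no comment on their ordering contract, which is the non-obvious part of this change. Going by the static helper in the preceding hunk, the early call passes `use_fallback = false` and may leave `panel->vbt.panel_type` negative, while the late call returns at once if a type is already set and otherwise may use the fallback type. I would add a kernel-doc block on each saying that the early variant is optional and runs without an EDID, and that the late variant must still be called afterwards and is a no-op once the early one has succeeded.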
+diff --git a/drivers/gpu/drm/i915/display/intel_bios.h b/drivers/gpu/drm/i915/display/intel_bios.h
+index e375405a78284..ff1fdd2e0c1c5 100644
+--- a/drivers/gpu/drm/i915/display/intel_bios.h
++++ b/drivers/gpu/drm/i915/display/intel_bios.h
+@@ -232,10 +232,13 @@ struct mipi_pps_data {
+ } __packed;
+ void intel_bios_init(struct drm_i915_private *dev_priv);
+-void intel_bios_init_panel(struct drm_i915_private *dev_priv,
+-                         struct intel_panel *panel,
+-                         const struct intel_bios_encoder_data *devdata,
+-                         const struct edid *edid);
++void intel_bios_init_panel_early(struct drm_i915_private *dev_priv,
++                               struct intel_panel *panel,
++                               const struct intel_bios_encoder_data *devdata);
++void intel_bios_init_panel_late(struct drm_i915_private *dev_priv,
++                              struct intel_panel *panel,
++                              const struct intel_bios_encoder_data *devdata,
++                              const struct edid *edid);
+ void intel_bios_fini_panel(struct intel_panel *panel);
+ void intel_bios_driver_remove(struct drm_i915_private *dev_priv);
+ bool intel_bios_is_valid_vbt(const void *buf, size_t size);
+diff --git a/drivers/gpu/drm/i915/display/intel_display_types.h b/drivers/gpu/drm/i915/display/intel_display_types.h
+index 298d00a11f473..135dbcab62b28 100644
+--- a/drivers/gpu/drm/i915/display/intel_display_types.h
++++ b/drivers/gpu/drm/i915/display/intel_display_types.h
+@@ -291,7 +291,7 @@ struct intel_vbt_panel_data {
+       struct drm_display_mode *sdvo_lvds_vbt_mode; /* if any */
+       /* Feature bits */
+-      unsigned int panel_type:4;
++      int panel_type;
+       unsigned int lvds_dither:1;
+       unsigned int bios_lvds_val; /* initial [PCH_]LVDS reg val in VBIOS */
+diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c
+index b94bcceeff705..2e09899f2f927 100644
+--- a/drivers/gpu/drm/i915/display/intel_dp.c
++++ b/drivers/gpu/drm/i915/display/intel_dp.c
+@@ -5179,6 +5179,9 @@ static bool intel_edp_init_connector(struct intel_dp *intel_dp,
+               return false;
+       }
++      intel_bios_init_panel_early(dev_priv, &intel_connector->panel,
++                                  encoder->devdata);
++
+       intel_pps_init(intel_dp);
+       /* Cache DPCD and EDID for edp. */
+@@ -5213,8 +5216,8 @@ static bool intel_edp_init_connector(struct intel_dp *intel_dp,
+       }
+       intel_connector->edid = edid;
+-      intel_bios_init_panel(dev_priv, &intel_connector->panel,
+-                            encoder->devdata, IS_ERR(edid) ? NULL : edid);
++      intel_bios_init_panel_late(dev_priv, &intel_connector->panel,
++                                 encoder->devdata, IS_ERR(edid) ? NULL : edid);
+       intel_panel_add_edid_fixed_modes(intel_connector, true);
+diff --git a/drivers/gpu/drm/i915/display/intel_lvds.c b/drivers/gpu/drm/i915/display/intel_lvds.c
+index e5352239b2a2f..a749a5a66d624 100644
+--- a/drivers/gpu/drm/i915/display/intel_lvds.c
++++ b/drivers/gpu/drm/i915/display/intel_lvds.c
+@@ -967,8 +967,8 @@ void intel_lvds_init(struct drm_i915_private *dev_priv)
+       }
+       intel_connector->edid = edid;
+-      intel_bios_init_panel(dev_priv, &intel_connector->panel, NULL,
+-                            IS_ERR(edid) ? NULL : edid);
++      intel_bios_init_panel_late(dev_priv, &intel_connector->panel, NULL,
++                                 IS_ERR(edid) ? NULL : edid);
+       /* Try EDID first */
+       intel_panel_add_edid_fixed_modes(intel_connector,
+diff --git a/drivers/gpu/drm/i915/display/intel_panel.c b/drivers/gpu/drm/i915/display/intel_panel.c
+index 8bd7af99cd2b9..b50db0dd20fc5 100644
+--- a/drivers/gpu/drm/i915/display/intel_panel.c
++++ b/drivers/gpu/drm/i915/display/intel_panel.c
+@@ -652,6 +652,7 @@ void intel_panel_init_alloc(struct intel_connector *connector)
+ {
+       struct intel_panel *panel = &connector->panel;
++      connector->panel.vbt.panel_type = -1;
+       INIT_LIST_HEAD(&panel->fixed_modes);
+ }
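Review bot: The added line writes through `connector->panel` although the function already has the local `panel` pointing at the same object; `panel->vbt.panel_type = -1;` would match the line below it. The bare `-1` is also the sentinel that intel_bios_init_panel() tests with `panel_type >= 0` and that fallback_get_panel_type() returns. A short comment here, `/* -1: panel type not yet determined */`, or a shared named constant would make the link between the three places explicit.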
+diff --git a/drivers/gpu/drm/i915/display/intel_sdvo.c b/drivers/gpu/drm/i915/display/intel_sdvo.c
+index 774c1dc31a521..a15e09b551708 100644
+--- a/drivers/gpu/drm/i915/display/intel_sdvo.c
++++ b/drivers/gpu/drm/i915/display/intel_sdvo.c
+@@ -2891,7 +2891,7 @@ intel_sdvo_lvds_init(struct intel_sdvo *intel_sdvo, int device)
+       if (!intel_sdvo_create_enhance_property(intel_sdvo, intel_sdvo_connector))
+               goto err;
+-      intel_bios_init_panel(i915, &intel_connector->panel, NULL, NULL);
++      intel_bios_init_panel_late(i915, &intel_connector->panel, NULL, NULL);
+       /*
+        * Fetch modes from VBT. For SDVO prefer the VBT mode since some
+diff --git a/drivers/gpu/drm/i915/display/vlv_dsi.c b/drivers/gpu/drm/i915/display/vlv_dsi.c
+index b3f5ca280ef26..90e3e41095b34 100644
+--- a/drivers/gpu/drm/i915/display/vlv_dsi.c
++++ b/drivers/gpu/drm/i915/display/vlv_dsi.c
+@@ -1925,7 +1925,7 @@ void vlv_dsi_init(struct drm_i915_private *dev_priv)
+       intel_dsi->panel_power_off_time = ktime_get_boottime();
+-      intel_bios_init_panel(dev_priv, &intel_connector->panel, NULL, NULL);
++      intel_bios_init_panel_late(dev_priv, &intel_connector->panel, NULL, NULL);
+       if (intel_connector->panel.vbt.dsi.config->dual_link)
+               intel_dsi->ports = BIT(PORT_A) | BIT(PORT_C);
+-- 
+2.39.2
+
diff --git a/queue-6.1/drm-i915-introduce-intel_panel_init_alloc.patch b/queue-6.1/drm-i915-introduce-intel_panel_init_alloc.patch
new file mode 100644 (file)
index 0000000..67f6694
--- /dev/null
@@ -0,0 +1,75 @@
+From 9e6969e91e662c26a8e05d11815525c78d1680c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 19:31:48 +0200
+Subject: drm/i915: Introduce intel_panel_init_alloc()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+[ Upstream commit f70f8153e3642337b444fbc0c64d546a46bbcd62 ]
+
+Introduce a place where we can initialize connector->panel
+after it's been allocated. We already have a intel_panel_init()
+so had to get creative with the name and came up with
+intel_panel_init_alloc().
+
+Cc: Animesh Manna <animesh.manna@intel.com>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221125173156.31689-2-ville.syrjala@linux.intel.com
+Stable-dep-of: 14e591a1930c ("drm/i915: Populate encoder->devdata for DSI on icl+")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_connector.c | 2 +-
+ drivers/gpu/drm/i915/display/intel_panel.c     | 7 +++++++
+ drivers/gpu/drm/i915/display/intel_panel.h     | 1 +
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_connector.c b/drivers/gpu/drm/i915/display/intel_connector.c
+index 6d5cbeb8df4da..8bb296f3d6252 100644
+--- a/drivers/gpu/drm/i915/display/intel_connector.c
++++ b/drivers/gpu/drm/i915/display/intel_connector.c
+@@ -54,7 +54,7 @@ int intel_connector_init(struct intel_connector *connector)
+       __drm_atomic_helper_connector_reset(&connector->base,
+                                           &conn_state->base);
+-      INIT_LIST_HEAD(&connector->panel.fixed_modes);
++      intel_panel_init_alloc(connector);
+       return 0;
+ }
+diff --git a/drivers/gpu/drm/i915/display/intel_panel.c b/drivers/gpu/drm/i915/display/intel_panel.c
+index f72f4646c0d70..8bd7af99cd2b9 100644
+--- a/drivers/gpu/drm/i915/display/intel_panel.c
++++ b/drivers/gpu/drm/i915/display/intel_panel.c
+@@ -648,6 +648,13 @@ intel_panel_mode_valid(struct intel_connector *connector,
+       return MODE_OK;
+ }
++void intel_panel_init_alloc(struct intel_connector *connector)
++{
++      struct intel_panel *panel = &connector->panel;
++
++      INIT_LIST_HEAD(&panel->fixed_modes);
++}
++
+ int intel_panel_init(struct intel_connector *connector)
+ {
+       struct intel_panel *panel = &connector->panel;
+diff --git a/drivers/gpu/drm/i915/display/intel_panel.h b/drivers/gpu/drm/i915/display/intel_panel.h
+index 5c5b5b7f95b6c..4b51e1c51da62 100644
+--- a/drivers/gpu/drm/i915/display/intel_panel.h
++++ b/drivers/gpu/drm/i915/display/intel_panel.h
+@@ -18,6 +18,7 @@ struct intel_connector;
+ struct intel_crtc_state;
+ struct intel_encoder;
++void intel_panel_init_alloc(struct intel_connector *connector);
+ int intel_panel_init(struct intel_connector *connector);
+ void intel_panel_fini(struct intel_connector *connector);
+ enum drm_connector_status
+-- 
+2.39.2
+
diff --git a/queue-6.1/drm-i915-populate-encoder-devdata-for-dsi-on-icl.patch b/queue-6.1/drm-i915-populate-encoder-devdata-for-dsi-on-icl.patch
new file mode 100644 (file)
index 0000000..c3d0b66
--- /dev/null
@@ -0,0 +1,110 @@
+From 2a15d70f60a7f4c8e3272f0390ae0cb02d677071 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Feb 2023 08:43:36 +0200
+Subject: drm/i915: Populate encoder->devdata for DSI on icl+
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+[ Upstream commit 14e591a1930c2790fe862af5b01ee3ca587f752f ]
+
+We now have some eDP+DSI dual panel systems floating around
+where the DSI panel is the secondary LFP and thus needs to
+consult "panel type 2" in VBT in order to locate all the
+other panel type dependant stuff correctly.
+
+To that end we need to pass in the devdata to
+intel_bios_init_panel_late(), otherwise it'll just assume
+we want the primary panel type. So let's try to just populate
+the vbt.ports[] stuff and encoder->devdata for icl+ DSI
+panels as well.
+
+We can't do this on older platforms as there we risk a DSI
+port aliasing with a HDMI/DP port, which is a totally legal
+thing as the DSI ports live in their own little parallel
+universe.
+
+Cc: stable@vger.kernel.org
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/8016
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230207064337.18697-3-ville.syrjala@linux.intel.com
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+(cherry picked from commit ba00eb6a4bfbe5194ddda50730aba063951f8ce0)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/icl_dsi.c    |  3 ++-
+ drivers/gpu/drm/i915/display/intel_bios.c | 15 ++++++++++++---
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/icl_dsi.c b/drivers/gpu/drm/i915/display/icl_dsi.c
+index 34b3ff967a272..ecd6c5c3f4ded 100644
+--- a/drivers/gpu/drm/i915/display/icl_dsi.c
++++ b/drivers/gpu/drm/i915/display/icl_dsi.c
+@@ -2053,7 +2053,8 @@ void icl_dsi_init(struct drm_i915_private *dev_priv)
+       /* attach connector to encoder */
+       intel_connector_attach_encoder(intel_connector, encoder);
+-      intel_bios_init_panel_late(dev_priv, &intel_connector->panel, NULL, NULL);
++      encoder->devdata = intel_bios_encoder_data_lookup(dev_priv, port);
++      intel_bios_init_panel_late(dev_priv, &intel_connector->panel, encoder->devdata, NULL);
+       mutex_lock(&dev->mode_config.mutex);
+       intel_panel_add_vbt_lfp_fixed_mode(intel_connector);
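Review bot: The result of `intel_bios_encoder_data_lookup()` is stored in `encoder->devdata` and passed to `intel_bios_init_panel_late()` with no check and no comment on what a missing VBT entry means. The removed line passed `NULL` in that position, so a NULL devdata is presumably still accepted. In that case the panel would fall back to the primary panel type, which is the behaviour this patch sets out to avoid for secondary DSI panels. A comment such as `/* devdata may be NULL if the VBT has no child device for this port; the panel type then defaults to the primary LFP */` would make the fallback explicit, though whether the lookup can return NULL is not visible here. `icl_dsi_init()` starts and continues outside the hunk.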
+diff --git a/drivers/gpu/drm/i915/display/intel_bios.c b/drivers/gpu/drm/i915/display/intel_bios.c
+index 2378a2a48716e..a70b7061742a8 100644
+--- a/drivers/gpu/drm/i915/display/intel_bios.c
++++ b/drivers/gpu/drm/i915/display/intel_bios.c
+@@ -2593,6 +2593,12 @@ intel_bios_encoder_supports_edp(const struct intel_bios_encoder_data *devdata)
+               devdata->child.device_type & DEVICE_TYPE_INTERNAL_CONNECTOR;
+ }
++static bool
++intel_bios_encoder_supports_dsi(const struct intel_bios_encoder_data *devdata)
++{
++      return devdata->child.device_type & DEVICE_TYPE_MIPI_OUTPUT;
++}
++
+ static int _intel_bios_hdmi_level_shift(const struct intel_bios_encoder_data *devdata)
+ {
+       if (!devdata || devdata->i915->display.vbt.version < 158)
+@@ -2643,7 +2649,7 @@ static void print_ddi_port(const struct intel_bios_encoder_data *devdata,
+ {
+       struct drm_i915_private *i915 = devdata->i915;
+       const struct child_device_config *child = &devdata->child;
+-      bool is_dvi, is_hdmi, is_dp, is_edp, is_crt, supports_typec_usb, supports_tbt;
++      bool is_dvi, is_hdmi, is_dp, is_edp, is_dsi, is_crt, supports_typec_usb, supports_tbt;
+       int dp_boost_level, dp_max_link_rate, hdmi_boost_level, hdmi_level_shift, max_tmds_clock;
+       is_dvi = intel_bios_encoder_supports_dvi(devdata);
+@@ -2651,13 +2657,14 @@ static void print_ddi_port(const struct intel_bios_encoder_data *devdata,
+       is_crt = intel_bios_encoder_supports_crt(devdata);
+       is_hdmi = intel_bios_encoder_supports_hdmi(devdata);
+       is_edp = intel_bios_encoder_supports_edp(devdata);
++      is_dsi = intel_bios_encoder_supports_dsi(devdata);
+       supports_typec_usb = intel_bios_encoder_supports_typec_usb(devdata);
+       supports_tbt = intel_bios_encoder_supports_tbt(devdata);
+       drm_dbg_kms(&i915->drm,
+-                  "Port %c VBT info: CRT:%d DVI:%d HDMI:%d DP:%d eDP:%d LSPCON:%d USB-Type-C:%d TBT:%d DSC:%d\n",
+-                  port_name(port), is_crt, is_dvi, is_hdmi, is_dp, is_edp,
++                  "Port %c VBT info: CRT:%d DVI:%d HDMI:%d DP:%d eDP:%d DSI:%d LSPCON:%d USB-Type-C:%d TBT:%d DSC:%d\n",
++                  port_name(port), is_crt, is_dvi, is_hdmi, is_dp, is_edp, is_dsi,
+                   HAS_LSPCON(i915) && child->lspcon,
+                   supports_typec_usb, supports_tbt,
+                   devdata->dsc != NULL);
+@@ -2702,6 +2709,8 @@ static void parse_ddi_port(struct intel_bios_encoder_data *devdata)
+       enum port port;
+       port = dvo_port_to_port(i915, child->dvo_port);
++      if (port == PORT_NONE && DISPLAY_VER(i915) >= 11)
++              port = dsi_dvo_port_to_port(i915, child->dvo_port);
+       if (port == PORT_NONE)
+               return;
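Review bot: The `DISPLAY_VER(i915) >= 11` gate on the DSI fallback carries no comment, and its reason exists only in the commit message: on older platforms a DSI port can alias an HDMI/DP port. I would state that next to the condition, e.g. `/* icl+ only: on older platforms a DSI dvo_port may alias an HDMI/DP port */`, so the version check is not relaxed later by mistake. `parse_ddi_port()` starts and continues outside the hunk.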
+-- 
+2.39.2
+
diff --git a/queue-6.1/drm-msm-a5xx-fix-context-faults-during-ring-switch.patch b/queue-6.1/drm-msm-a5xx-fix-context-faults-during-ring-switch.patch
new file mode 100644 (file)
index 0000000..44881e3
--- /dev/null
@@ -0,0 +1,49 @@
+From 1a538b33330ada8efc8e348525fa389c80d7f651 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Feb 2023 05:09:56 +0300
+Subject: drm/msm/a5xx: fix context faults during ring switch
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 32e7083429d46f29080626fe387ff90c086b1fbe ]
+
+The rptr_addr is set in the preempt_init_ring(), which is called from
+a5xx_gpu_init(). It uses shadowptr() to set the address, however the
+shadow_iova is not yet initialized at that time. Move the rptr_addr
+setting to the a5xx_preempt_hw_init() which is called after setting the
+shadow_iova, getting the correct value for the address.
+
+Fixes: 8907afb476ac ("drm/msm: Allow a5xx to mark the RPTR shadow as privileged")
+Suggested-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/522640/
+Link: https://lore.kernel.org/r/20230214020956.164473-5-dmitry.baryshkov@linaro.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+index 6e326d851ba53..e0eef47dae632 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+@@ -208,6 +208,7 @@ void a5xx_preempt_hw_init(struct msm_gpu *gpu)
+               a5xx_gpu->preempt[i]->wptr = 0;
+               a5xx_gpu->preempt[i]->rptr = 0;
+               a5xx_gpu->preempt[i]->rbase = gpu->rb[i]->iova;
++              a5xx_gpu->preempt[i]->rptr_addr = shadowptr(a5xx_gpu, gpu->rb[i]);
+       }
+       /* Write a 0 to signal that we aren't switching pagetables */
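Review bot: The added `rptr_addr` assignment in the per-ring loop depends on an initialisation order that the code does not state. Per the commit message, `shadowptr()` only yields the correct address once `shadow_iova` has been set, which is not yet the case when `preempt_init_ring()` runs. A comment on the added line, e.g. `/* shadow_iova is not set up yet in preempt_init_ring(), so the RPTR shadow address is filled in here */`, would keep the assignment from being moved back during a later cleanup. The loop and `a5xx_preempt_hw_init()` itself start outside the hunk.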
+@@ -259,7 +260,6 @@ static int preempt_init_ring(struct a5xx_gpu *a5xx_gpu,
+       ptr->data = 0;
+       ptr->cntl = MSM_GPU_RB_CNTL_DEFAULT | AXXX_CP_RB_CNTL_NO_UPDATE;
+-      ptr->rptr_addr = shadowptr(a5xx_gpu, ring);
+       ptr->counter = counters_iova;
+       return 0;
+-- 
+2.39.2
+
diff --git a/queue-6.1/drm-msm-a5xx-fix-highest-bank-bit-for-a530.patch b/queue-6.1/drm-msm-a5xx-fix-highest-bank-bit-for-a530.patch
new file mode 100644 (file)
index 0000000..f9a9893
--- /dev/null
@@ -0,0 +1,38 @@
+From 6d1b7415ef1e047105706e30410d0fd722761b89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Feb 2023 05:09:54 +0300
+Subject: drm/msm/a5xx: fix highest bank bit for a530
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 141f66ebbfa17cc7e2075f06c50107da978c965b ]
+
+A530 has highest bank bit equal to 15 (like A540). Fix values written to
+REG_A5XX_RB_MODE_CNTL and REG_A5XX_TPL1_MODE_CNTL registers.
+
+Fixes: 1d832ab30ce6 ("drm/msm/a5xx: Add support for Adreno 508, 509, 512 GPUs")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/522639/
+Link: https://lore.kernel.org/r/20230214020956.164473-3-dmitry.baryshkov@linaro.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+index f8634fbeffda0..4f0dbeebb79fb 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+@@ -808,7 +808,7 @@ static int a5xx_hw_init(struct msm_gpu *gpu)
+       gpu_write(gpu, REG_A5XX_RBBM_AHB_CNTL2, 0x0000003F);
+       /* Set the highest bank bit */
+-      if (adreno_is_a540(adreno_gpu))
++      if (adreno_is_a540(adreno_gpu) || adreno_is_a530(adreno_gpu))
+               regbit = 2;
+       else
+               regbit = 1;
+-- 
+2.39.2
+
diff --git a/queue-6.1/drm-msm-a5xx-fix-setting-of-the-cp_preempt_enable_lo.patch b/queue-6.1/drm-msm-a5xx-fix-setting-of-the-cp_preempt_enable_lo.patch
new file mode 100644 (file)
index 0000000..d45ec27
--- /dev/null
@@ -0,0 +1,41 @@
+From 6a6dbf610c6b415ce0e2b6e9266267e78dfca0b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Feb 2023 05:09:53 +0300
+Subject: drm/msm/a5xx: fix setting of the CP_PREEMPT_ENABLE_LOCAL register
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit a7a4c19c36de1e4b99b06e4060ccc8ab837725bc ]
+
+Rather than writing CP_PREEMPT_ENABLE_GLOBAL twice, follow the vendor
+kernel and set CP_PREEMPT_ENABLE_LOCAL register instead. a5xx_submit()
+will override it during submission, but let's get the sequence correct.
+
+Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/522638/
+Link: https://lore.kernel.org/r/20230214020956.164473-2-dmitry.baryshkov@linaro.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+index 3dcec7acb3840..f8634fbeffda0 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+@@ -151,8 +151,8 @@ static void a5xx_submit(struct msm_gpu *gpu, struct msm_gem_submit *submit)
+       OUT_RING(ring, 1);
+       /* Enable local preemption for finegrain preemption */
+-      OUT_PKT7(ring, CP_PREEMPT_ENABLE_GLOBAL, 1);
+-      OUT_RING(ring, 0x02);
++      OUT_PKT7(ring, CP_PREEMPT_ENABLE_LOCAL, 1);
++      OUT_RING(ring, 0x1);
+       /* Allow CP_CONTEXT_SWITCH_YIELD packets in the IB2 */
+       OUT_PKT7(ring, CP_YIELD_ENABLE, 1);
+-- 
+2.39.2
+
diff --git a/queue-6.1/drm-msm-a5xx-fix-the-emptyness-check-in-the-preempt-.patch b/queue-6.1/drm-msm-a5xx-fix-the-emptyness-check-in-the-preempt-.patch
new file mode 100644 (file)
index 0000000..d2018da
--- /dev/null
@@ -0,0 +1,42 @@
+From 5d4f42363cf02396f26f4e0d76489f1fa3c7daf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Feb 2023 05:09:55 +0300
+Subject: drm/msm/a5xx: fix the emptyness check in the preempt code
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit b4fb748f0b734ce1d2e7834998cc599fcbd25d67 ]
+
+Quoting Yassine: ring->memptrs->rptr is never updated and stays 0, so
+the comparison always evaluates to false and get_next_ring always
+returns ring 0 thinking it isn't empty.
+
+Fix this by calling get_rptr() instead of reading rptr directly.
+
+Reported-by: Yassine Oudjana <y.oudjana@protonmail.com>
+Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/522642/
+Link: https://lore.kernel.org/r/20230214020956.164473-4-dmitry.baryshkov@linaro.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+index 8abc9a2b114a2..6e326d851ba53 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+@@ -63,7 +63,7 @@ static struct msm_ringbuffer *get_next_ring(struct msm_gpu *gpu)
+               struct msm_ringbuffer *ring = gpu->rb[i];
+               spin_lock_irqsave(&ring->preempt_lock, flags);
+-              empty = (get_wptr(ring) == ring->memptrs->rptr);
++              empty = (get_wptr(ring) == gpu->funcs->get_rptr(gpu, ring));
+               spin_unlock_irqrestore(&ring->preempt_lock, flags);
+               if (!empty)
+-- 
+2.39.2
+
diff --git a/queue-6.1/drm-msm-dpu-clear-dspp-reservations-in-rm-release.patch b/queue-6.1/drm-msm-dpu-clear-dspp-reservations-in-rm-release.patch
new file mode 100644 (file)
index 0000000..a1d1b99
--- /dev/null
@@ -0,0 +1,40 @@
+From 0e43cff182e6a09b0aa52e123d4614e8e0827ef1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Feb 2023 03:11:41 -0800
+Subject: drm/msm/dpu: clear DSPP reservations in rm release
+
+From: Kalyan Thota <quic_kalyant@quicinc.com>
+
+[ Upstream commit 5ec498ba86550909f2611b07087d57a71a78c336 ]
+
+Clear DSPP reservations from the global state during
+rm release
+
+Fixes: e47616df008b ("drm/msm/dpu: add support for color processing blocks in dpu driver")
+Signed-off-by: Kalyan Thota <quic_kalyant@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Marijn Suijten <marijn.suijten@somainline.org>
+Patchwork: https://patchwork.freedesktop.org/patch/522443/
+Link: https://lore.kernel.org/r/1676286704-818-2-git-send-email-quic_kalyant@quicinc.com
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_rm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_rm.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_rm.c
+index 7ada957adbbb8..58abf5fe97e20 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_rm.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_rm.c
+@@ -572,6 +572,8 @@ void dpu_rm_release(struct dpu_global_state *global_state,
+               ARRAY_SIZE(global_state->ctl_to_enc_id), enc->base.id);
+       _dpu_rm_clear_mapping(global_state->dsc_to_enc_id,
+               ARRAY_SIZE(global_state->dsc_to_enc_id), enc->base.id);
++      _dpu_rm_clear_mapping(global_state->dspp_to_enc_id,
++              ARRAY_SIZE(global_state->dspp_to_enc_id), enc->base.id);
+ }
+ int dpu_rm_reserve(
+-- 
+2.39.2
+
diff --git a/queue-6.1/drm-msm-dpu-disable-features-unsupported-by-qcm2290.patch b/queue-6.1/drm-msm-dpu-disable-features-unsupported-by-qcm2290.patch
new file mode 100644 (file)
index 0000000..d5d6f39
--- /dev/null
@@ -0,0 +1,75 @@
+From 01a4c1b421b815b3ffbfccdc085bc629b5d06849 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Feb 2023 01:12:11 +0200
+Subject: drm/msm/dpu: disable features unsupported by QCM2290
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit a2a448b4d9bcb5bff0e0f687b7932a7be9ca898a ]
+
+QCM2290 doesn't seem to support reg-dma, UBWC and CSC. Drop
+corresponding features being incorrectly enabled for qcm2290.
+
+Cc: Loic Poulain <loic.poulain@linaro.org>
+Fixes: 5334087ee743 ("drm/msm: add support for QCM2290 MDSS")
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/522209/
+Link: https://lore.kernel.org/r/20230211231259.1308718-3-dmitry.baryshkov@linaro.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c
+index 365738f40976a..e3f1661b84609 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c
+@@ -12,11 +12,15 @@
+ #include "dpu_hw_catalog.h"
+ #include "dpu_kms.h"
+-#define VIG_MASK \
++#define VIG_BASE_MASK \
+       (BIT(DPU_SSPP_SRC) | BIT(DPU_SSPP_QOS) |\
+-      BIT(DPU_SSPP_CSC_10BIT) | BIT(DPU_SSPP_CDP) |\
++      BIT(DPU_SSPP_CDP) |\
+       BIT(DPU_SSPP_TS_PREFILL) | BIT(DPU_SSPP_EXCL_RECT))
++#define VIG_MASK \
++      (VIG_BASE_MASK | \
++      BIT(DPU_SSPP_CSC_10BIT))
++
+ #define VIG_MSM8998_MASK \
+       (VIG_MASK | BIT(DPU_SSPP_SCALER_QSEED3))
+@@ -29,7 +33,7 @@
+ #define VIG_SM8250_MASK \
+       (VIG_MASK | BIT(DPU_SSPP_QOS_8LVL) | BIT(DPU_SSPP_SCALER_QSEED3LITE))
+-#define VIG_QCM2290_MASK (VIG_MASK | BIT(DPU_SSPP_QOS_8LVL))
++#define VIG_QCM2290_MASK (VIG_BASE_MASK | BIT(DPU_SSPP_QOS_8LVL))
+ #define DMA_MSM8998_MASK \
+       (BIT(DPU_SSPP_SRC) | BIT(DPU_SSPP_QOS) |\
+@@ -283,7 +287,6 @@ static const struct dpu_caps qcm2290_dpu_caps = {
+       .max_mixer_width = DEFAULT_DPU_OUTPUT_LINE_WIDTH,
+       .max_mixer_blendstages = 0x4,
+       .smart_dma_rev = DPU_SSPP_SMART_DMA_V2,
+-      .ubwc_version = DPU_HW_UBWC_VER_20,
+       .has_dim_layer = true,
+       .has_idle_pc = true,
+       .max_linewidth = 2160,
+@@ -1918,8 +1921,6 @@ static const struct dpu_mdss_cfg qcm2290_dpu_cfg = {
+       .intf = qcm2290_intf,
+       .vbif_count = ARRAY_SIZE(sdm845_vbif),
+       .vbif = sdm845_vbif,
+-      .reg_dma_count = 1,
+-      .dma_cfg = &sdm845_regdma,
+       .perf = &qcm2290_perf_data,
+       .mdss_irqs = IRQ_SC7180_MASK,
+ };
+-- 
+2.39.2
+
diff --git a/queue-6.1/drm-msm-dpu-drop-dpu_dim_layer-from-mixer_msm8998_ma.patch b/queue-6.1/drm-msm-dpu-drop-dpu_dim_layer-from-mixer_msm8998_ma.patch
new file mode 100644 (file)
index 0000000..1ac6e40
--- /dev/null
@@ -0,0 +1,40 @@
+From 3770b565f6a12d1d86946bfb0c9421dd34c0902d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Feb 2023 01:12:20 +0200
+Subject: drm/msm/dpu: drop DPU_DIM_LAYER from MIXER_MSM8998_MASK
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit a5045b00a68171de11603812f4304179ef608e60 ]
+
+The msm8998 doesn't seem to support DIM_LAYER, so drop it from
+the supported features mask.
+
+Fixes: 2d8a4edb672d ("drm/msm/dpu: use feature bit for LM combined alpha check")
+Fixes: 94391a14fc27 ("drm/msm/dpu1: Add MSM8998 to hw catalog")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/522231/
+Link: https://lore.kernel.org/r/20230211231259.1308718-12-dmitry.baryshkov@linaro.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c
+index 48fedd3f182e6..4c8d1d18b5055 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c
+@@ -55,7 +55,7 @@
+       (DMA_MSM8998_MASK | BIT(DPU_SSPP_CURSOR))
+ #define MIXER_MSM8998_MASK \
+-      (BIT(DPU_MIXER_SOURCESPLIT) | BIT(DPU_DIM_LAYER))
++      (BIT(DPU_MIXER_SOURCESPLIT))
+ #define MIXER_SDM845_MASK \
+       (BIT(DPU_MIXER_SOURCESPLIT) | BIT(DPU_DIM_LAYER) | BIT(DPU_MIXER_COMBINED_ALPHA))
+-- 
+2.39.2
+
diff --git a/queue-6.1/drm-msm-dpu-fix-clocks-settings-for-msm8998-sspp-blo.patch b/queue-6.1/drm-msm-dpu-fix-clocks-settings-for-msm8998-sspp-blo.patch
new file mode 100644 (file)
index 0000000..29f22e4
--- /dev/null
@@ -0,0 +1,46 @@
+From 29694c42b9bb25d4018dcbb7b561cfa38cb481bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Feb 2023 01:12:21 +0200
+Subject: drm/msm/dpu: fix clocks settings for msm8998 SSPP blocks
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 0abb6a24aabc1252eae75fe23b0ccd3217c6ee07 ]
+
+DMA2 and DMA3 planes on msm8998 should use corresponding DMA2 and DMA3
+clocks rather than CURSOR0/1 clocks (which are used for the CURSOR
+planes). Correct corresponding SSPP declarations.
+
+Fixes: 94391a14fc27 ("drm/msm/dpu1: Add MSM8998 to hw catalog")
+Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Cc: Jami Kettunen <jami.kettunen@somainline.org>
+Reviewed-by: Marijn Suijten <marijn.suijten@somainline.org>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/522230/
+Link: https://lore.kernel.org/r/20230211231259.1308718-13-dmitry.baryshkov@linaro.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c
+index 4c8d1d18b5055..41c93a18d5cb3 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c
+@@ -813,9 +813,9 @@ static const struct dpu_sspp_cfg msm8998_sspp[] = {
+       SSPP_BLK("sspp_9", SSPP_DMA1, 0x26000,  DMA_MSM8998_MASK,
+               sdm845_dma_sblk_1, 5, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA1),
+       SSPP_BLK("sspp_10", SSPP_DMA2, 0x28000,  DMA_CURSOR_MSM8998_MASK,
+-              sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_CURSOR0),
++              sdm845_dma_sblk_2, 9, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA2),
+       SSPP_BLK("sspp_11", SSPP_DMA3, 0x2a000,  DMA_CURSOR_MSM8998_MASK,
+-              sdm845_dma_sblk_3, 13, SSPP_TYPE_DMA, DPU_CLK_CTRL_CURSOR1),
++              sdm845_dma_sblk_3, 13, SSPP_TYPE_DMA, DPU_CLK_CTRL_DMA3),
+ };
+ static const struct dpu_sspp_cfg sdm845_sspp[] = {
+-- 
+2.39.2
+
diff --git a/queue-6.1/drm-msm-dpu-fix-len-of-sc7180-ctl-blocks.patch b/queue-6.1/drm-msm-dpu-fix-len-of-sc7180-ctl-blocks.patch
new file mode 100644 (file)
index 0000000..a482aee
--- /dev/null
@@ -0,0 +1,52 @@
+From a8a727c12b36427f2824e52776b9fff2787640b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Feb 2023 01:12:13 +0200
+Subject: drm/msm/dpu: fix len of sc7180 ctl blocks
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit ce6bd00abc220e9edf10986234fadba6462b4abf ]
+
+Change sc7180's ctl block len to 0x1dc.
+
+Fixes: 7bdc0c4b8126 ("msm:disp:dpu1: add support for display for SC7180 target")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/522210/
+Link: https://lore.kernel.org/r/20230211231259.1308718-5-dmitry.baryshkov@linaro.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c
+index e3f1661b84609..48fedd3f182e6 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c
+@@ -607,19 +607,19 @@ static const struct dpu_ctl_cfg sdm845_ctl[] = {
+ static const struct dpu_ctl_cfg sc7180_ctl[] = {
+       {
+       .name = "ctl_0", .id = CTL_0,
+-      .base = 0x1000, .len = 0xE4,
++      .base = 0x1000, .len = 0x1dc,
+       .features = BIT(DPU_CTL_ACTIVE_CFG),
+       .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 9),
+       },
+       {
+       .name = "ctl_1", .id = CTL_1,
+-      .base = 0x1200, .len = 0xE4,
++      .base = 0x1200, .len = 0x1dc,
+       .features = BIT(DPU_CTL_ACTIVE_CFG),
+       .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 10),
+       },
+       {
+       .name = "ctl_2", .id = CTL_2,
+-      .base = 0x1400, .len = 0xE4,
++      .base = 0x1400, .len = 0x1dc,
+       .features = BIT(DPU_CTL_ACTIVE_CFG),
+       .intr_start = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR2, 11),
+       },
+-- 
+2.39.2
+
diff --git a/queue-6.1/drm-msm-fix-potential-invalid-ptr-free.patch b/queue-6.1/drm-msm-fix-potential-invalid-ptr-free.patch
new file mode 100644 (file)
index 0000000..9bfc4a8
--- /dev/null
@@ -0,0 +1,49 @@
+From b2dce50a1cd11b33f8a0b9277a58c0de584a149f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Feb 2023 15:50:48 -0800
+Subject: drm/msm: Fix potential invalid ptr free
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit 8a86f213f4426f19511a16d886871805b35c3acf ]
+
+The error path cleanup expects that chain and syncobj are either NULL or
+valid pointers.  But post_deps was not allocated with __GFP_ZERO.
+
+Fixes: ab723b7a992a ("drm/msm: Add syncobj support.")
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Patchwork: https://patchwork.freedesktop.org/patch/523051/
+Link: https://lore.kernel.org/r/20230215235048.1166484-1-robdclark@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
+index 7c2cc1262c05d..d8c9d184190bb 100644
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -627,8 +627,8 @@ static struct msm_submit_post_dep *msm_parse_post_deps(struct drm_device *dev,
+       int ret = 0;
+       uint32_t i, j;
+-      post_deps = kmalloc_array(nr_syncobjs, sizeof(*post_deps),
+-                                GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
++      post_deps = kcalloc(nr_syncobjs, sizeof(*post_deps),
++                          GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
+       if (!post_deps)
+               return ERR_PTR(-ENOMEM);
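Review bot: Zero-initialisation of `post_deps` is now a correctness requirement of the error path, and nothing at the `kcalloc()` call says so. Per the commit message the cleanup expects `chain` and `syncobj` in every entry to be NULL or valid, and the second hunk drops the explicit `post_deps[i].chain = NULL`. A later switch back to `kmalloc_array()` would therefore bring back the free of an uninitialised pointer. I would add `/* must be zeroed: the error path frees chain/syncobj of every entry */` above the allocation. `msm_parse_post_deps()` continues outside the hunk, so the cleanup loop itself is not visible here.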
+@@ -643,7 +643,6 @@ static struct msm_submit_post_dep *msm_parse_post_deps(struct drm_device *dev,
+               }
+               post_deps[i].point = syncobj_desc.point;
+-              post_deps[i].chain = NULL;
+               if (syncobj_desc.flags) {
+                       ret = -EINVAL;
+-- 
+2.39.2
+
diff --git a/queue-6.1/drm-nouveau-kms-nv50-fix-nv50_wndw_new_-prototype.patch b/queue-6.1/drm-nouveau-kms-nv50-fix-nv50_wndw_new_-prototype.patch
new file mode 100644 (file)
index 0000000..f9973e4
--- /dev/null
@@ -0,0 +1,64 @@
+From 12bc2b920b9ebb780dcfe4ab0f554d42cae2a8c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Oct 2022 12:42:29 +0100
+Subject: drm/nouveau/kms/nv50: fix nv50_wndw_new_ prototype
+
+From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+
+[ Upstream commit 3638a820c5c3b52f327cebb174fd4274bee08aa7 ]
+
+gcc-13 warns about mismatching types for enums. That revealed switched
+arguments of nv50_wndw_new_():
+  drivers/gpu/drm/nouveau/dispnv50/wndw.c:696:1: error: conflicting types for 'nv50_wndw_new_' due to enum/integer mismatch; have 'int(const struct nv50_wndw_func *, struct drm_device *, enum drm_plane_type,  const char *, int,  const u32 *, u32,  enum nv50_disp_interlock_type,  u32,  struct nv50_wndw **)'
+  drivers/gpu/drm/nouveau/dispnv50/wndw.h:36:5: note: previous declaration of 'nv50_wndw_new_' with type 'int(const struct nv50_wndw_func *, struct drm_device *, enum drm_plane_type,  const char *, int,  const u32 *, enum nv50_disp_interlock_type,  u32,  u32,  struct nv50_wndw **)'
+
+It can be barely visible, but the declaration says about the parameters
+in the middle:
+  enum nv50_disp_interlock_type,
+  u32 interlock_data,
+  u32 heads,
+
+While the definition states differently:
+  u32 heads,
+  enum nv50_disp_interlock_type interlock_type,
+  u32 interlock_data,
+
+Unify/fix the declaration to match the definition.
+
+Fixes: 53e0a3e70de6 ("drm/nouveau/kms/nv50-: simplify tracking of channel interlocks")
+Cc: Martin Liska <mliska@suse.cz>
+Cc: Ben Skeggs <bskeggs@redhat.com>
+Cc: Karol Herbst <kherbst@redhat.com>
+Cc: Lyude Paul <lyude@redhat.com>
+Cc: David Airlie <airlied@gmail.com>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: dri-devel@lists.freedesktop.org
+Cc: nouveau@lists.freedesktop.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+Signed-off-by: Karol Herbst <kherbst@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221031114229.10289-1-jirislaby@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/dispnv50/wndw.h | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/dispnv50/wndw.h b/drivers/gpu/drm/nouveau/dispnv50/wndw.h
+index 591c852f326b9..76a6ae5d56526 100644
+--- a/drivers/gpu/drm/nouveau/dispnv50/wndw.h
++++ b/drivers/gpu/drm/nouveau/dispnv50/wndw.h
+@@ -35,8 +35,9 @@ struct nv50_wndw {
+ int nv50_wndw_new_(const struct nv50_wndw_func *, struct drm_device *,
+                  enum drm_plane_type, const char *name, int index,
+-                 const u32 *format, enum nv50_disp_interlock_type,
+-                 u32 interlock_data, u32 heads, struct nv50_wndw **);
++                 const u32 *format, u32 heads,
++                 enum nv50_disp_interlock_type, u32 interlock_data,
++                 struct nv50_wndw **);
+ void nv50_wndw_flush_set(struct nv50_wndw *, u32 *interlock,
+                        struct nv50_wndw_atom *);
+ void nv50_wndw_flush_clr(struct nv50_wndw *, u32 *interlock, bool flush,
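Review bot: The corrected `nv50_wndw_new_()` prototype still leaves the interlock-type parameter unnamed, which is part of why the swapped order was, in the commit message's words, barely visible. Using the name from the definition quoted in the commit message, `enum nv50_disp_interlock_type interlock_type, u32 interlock_data,`, would keep the declaration and definition comparable by eye. The adjacent `u32` parameters are the ones most easily transposed, so naming every parameter in this prototype is worth the extra width.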
+-- 
+2.39.2
+
diff --git a/queue-6.1/erofs-revert-erofs-fix-kvcalloc-misuse-with-__gfp_no.patch b/queue-6.1/erofs-revert-erofs-fix-kvcalloc-misuse-with-__gfp_no.patch
new file mode 100644 (file)
index 0000000..9faebd5
--- /dev/null
@@ -0,0 +1,71 @@
+From 25d56dae17aa91811ea6d7e705a6cc19a78506fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Mar 2023 13:31:47 +0800
+Subject: erofs: Revert "erofs: fix kvcalloc() misuse with __GFP_NOFAIL"
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit 647dd2c3f0e16b71a1a77897d038164d48eea154 ]
+
+Let's revert commit 12724ba38992 ("erofs: fix kvcalloc() misuse with
+__GFP_NOFAIL") since kvmalloc() already supports __GFP_NOFAIL in commit
+a421ef303008 ("mm: allow !GFP_KERNEL allocations for kvmalloc").  So
+the original fix was wrong.
+
+Actually there was some issue as [1] discussed, so before that mm fix
+is landed, the warn could still happen but applying this commit first
+will cause less.
+
+[1] https://lore.kernel.org/r/20230305053035.1911-1-hsiangkao@linux.alibaba.com
+
+Fixes: 12724ba38992 ("erofs: fix kvcalloc() misuse with __GFP_NOFAIL")
+Reviewed-by: Chao Yu <chao@kernel.org>
+Link: https://lore.kernel.org/r/20230309053148.9223-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/zdata.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
+index ee7c88c9b5afa..cf4871834ebb2 100644
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -1047,12 +1047,12 @@ static int z_erofs_decompress_pcluster(struct z_erofs_decompress_backend *be,
+       if (!be->decompressed_pages)
+               be->decompressed_pages =
+-                      kcalloc(be->nr_pages, sizeof(struct page *),
+-                              GFP_KERNEL | __GFP_NOFAIL);
++                      kvcalloc(be->nr_pages, sizeof(struct page *),
++                               GFP_KERNEL | __GFP_NOFAIL);
+       if (!be->compressed_pages)
+               be->compressed_pages =
+-                      kcalloc(pclusterpages, sizeof(struct page *),
+-                              GFP_KERNEL | __GFP_NOFAIL);
++                      kvcalloc(pclusterpages, sizeof(struct page *),
++                               GFP_KERNEL | __GFP_NOFAIL);
+       z_erofs_parse_out_bvecs(be);
+       err2 = z_erofs_parse_in_bvecs(be, &overlapped);
+@@ -1100,7 +1100,7 @@ static int z_erofs_decompress_pcluster(struct z_erofs_decompress_backend *be,
+       }
+       if (be->compressed_pages < be->onstack_pages ||
+           be->compressed_pages >= be->onstack_pages + Z_EROFS_ONSTACK_PAGES)
+-              kfree(be->compressed_pages);
++              kvfree(be->compressed_pages);
+       z_erofs_fill_other_copies(be, err);
+       for (i = 0; i < be->nr_pages; ++i) {
+@@ -1119,7 +1119,7 @@ static int z_erofs_decompress_pcluster(struct z_erofs_decompress_backend *be,
+       }
+       if (be->decompressed_pages != be->onstack_pages)
+-              kfree(be->decompressed_pages);
++              kvfree(be->decompressed_pages);
+       pcl->length = 0;
+       pcl->partial = true;
+-- 
+2.39.2
+
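Review bot: Neither `kvcalloc()` result in the first zdata.c hunk is checked for NULL before `z_erofs_parse_out_bvecs(be)` runs, so the code relies entirely on `__GFP_NOFAIL`; the description itself says the warning can still fire until the mm fix discussed in [1] lands. `kvcalloc()` also returns NULL for an overflowing or oversized request regardless of the flags, so the bounds on `be->nr_pages` and `pclusterpages` matter, and where they are bounded is not visible in these hunks. I would add a comment above the first allocation, e.g. `/* __GFP_NOFAIL: result is used unchecked below; relies on nr_pages/pclusterpages being bounded */`. z_erofs_decompress_pcluster starts and ends outside all three hunks.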
diff --git a/queue-6.1/ethernet-ice-avoid-gcc-9-integer-overflow-warning.patch b/queue-6.1/ethernet-ice-avoid-gcc-9-integer-overflow-warning.patch
new file mode 100644 (file)
index 0000000..96d0655
--- /dev/null
@@ -0,0 +1,73 @@
+From c99de60c032bba6fae728709e15487a0b7ac46a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Feb 2023 16:25:36 +0100
+Subject: ethernet: ice: avoid gcc-9 integer overflow warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 8f5c5a790e3025d6eca96bf7ee5e3873dc92373f ]
+
+With older compilers like gcc-9, the calculation of the vlan
+priority field causes a false-positive warning from the byteswap:
+
+In file included from drivers/net/ethernet/intel/ice/ice_tc_lib.c:4:
+drivers/net/ethernet/intel/ice/ice_tc_lib.c: In function 'ice_parse_cls_flower':
+include/uapi/linux/swab.h:15:15: error: integer overflow in expression '(int)(short unsigned int)((int)match.key-><U67c8>.<U6698>.vlan_priority << 13) & 57344 & 255' of type 'int' results in '0' [-Werror=overflow]
+   15 |  (((__u16)(x) & (__u16)0x00ffU) << 8) |   \
+      |   ~~~~~~~~~~~~^~~~~~~~~~~~~~~~~
+include/uapi/linux/swab.h:106:2: note: in expansion of macro '___constant_swab16'
+  106 |  ___constant_swab16(x) :   \
+      |  ^~~~~~~~~~~~~~~~~~
+include/uapi/linux/byteorder/little_endian.h:42:43: note: in expansion of macro '__swab16'
+   42 | #define __cpu_to_be16(x) ((__force __be16)__swab16((x)))
+      |                                           ^~~~~~~~
+include/linux/byteorder/generic.h:96:21: note: in expansion of macro '__cpu_to_be16'
+   96 | #define cpu_to_be16 __cpu_to_be16
+      |                     ^~~~~~~~~~~~~
+drivers/net/ethernet/intel/ice/ice_tc_lib.c:1458:5: note: in expansion of macro 'cpu_to_be16'
+ 1458 |     cpu_to_be16((match.key->vlan_priority <<
+      |     ^~~~~~~~~~~
+
+After a change to be16_encode_bits(), the code becomes more
+readable to both people and compilers, which avoids the warning.
+
+Fixes: 34800178b302 ("ice: Add support for VLAN priority filters in switchdev")
+Suggested-by: Alexander Lobakin <alexandr.lobakin@intel.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Alexander Lobakin <alexandr.lobakin@intel.com>
+Tested-by: Sujai Buvaneswaran <sujai.buvaneswaran@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_tc_lib.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_tc_lib.c b/drivers/net/ethernet/intel/ice/ice_tc_lib.c
+index f68c555be4e9a..71cb15fcf63b9 100644
+--- a/drivers/net/ethernet/intel/ice/ice_tc_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_tc_lib.c
+@@ -1322,8 +1322,8 @@ ice_parse_cls_flower(struct net_device *filter_dev, struct ice_vsi *vsi,
+               if (match.mask->vlan_priority) {
+                       fltr->flags |= ICE_TC_FLWR_FIELD_VLAN_PRIO;
+                       headers->vlan_hdr.vlan_prio =
+-                              cpu_to_be16((match.key->vlan_priority <<
+-                                           VLAN_PRIO_SHIFT) & VLAN_PRIO_MASK);
++                              be16_encode_bits(match.key->vlan_priority,
++                                               VLAN_PRIO_MASK);
+               }
+               if (match.mask->vlan_tpid)
+@@ -1356,8 +1356,8 @@ ice_parse_cls_flower(struct net_device *filter_dev, struct ice_vsi *vsi,
+               if (match.mask->vlan_priority) {
+                       fltr->flags |= ICE_TC_FLWR_FIELD_CVLAN_PRIO;
+                       headers->cvlan_hdr.vlan_prio =
+-                              cpu_to_be16((match.key->vlan_priority <<
+-                                           VLAN_PRIO_SHIFT) & VLAN_PRIO_MASK);
++                              be16_encode_bits(match.key->vlan_priority,
++                                               VLAN_PRIO_MASK);
+               }
+       }
+-- 
+2.39.2
+
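Review bot: In both ice_tc_lib.c hunks only `match.key->vlan_priority` is encoded into `vlan_prio`; `match.mask->vlan_priority` is tested for non-zero but its value is not used in the lines shown. If the mask is not recorded elsewhere in ice_parse_cls_flower (the function continues outside both hunks), a rule with a partial priority mask would be installed as an exact match, which is a filtering-policy mismatch rather than a memory-safety problem. If exact matching is intended, a comment at the first site would make that explicit, e.g. `/* any non-zero mask is treated as an exact priority match; be16_encode_bits() derives the shift from VLAN_PRIO_MASK */`.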
diff --git a/queue-6.1/ext4-fix-possible-corruption-when-moving-a-directory.patch b/queue-6.1/ext4-fix-possible-corruption-when-moving-a-directory.patch
new file mode 100644 (file)
index 0000000..cc82428
--- /dev/null
@@ -0,0 +1,59 @@
+From 8fbf8c13113dcaa25028825ccd4923d0b0e071c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jan 2023 12:22:21 +0100
+Subject: ext4: Fix possible corruption when moving a directory
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 0813299c586b175d7edb25f56412c54b812d0379 ]
+
+When we are renaming a directory to a different directory, we need to
+update '..' entry in the moved directory. However nothing prevents moved
+directory from being modified and even converted from the inline format
+to the normal format. When such race happens the rename code gets
+confused and we crash. Fix the problem by locking the moved directory.
+
+CC: stable@vger.kernel.org
+Fixes: 32f7f22c0b52 ("ext4: let ext4_rename handle inline dir")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230126112221.11866-1-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/namei.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 9799ed2fdbc09..dc8f8a435a7ea 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -3873,9 +3873,16 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
+                       if (new.dir != old.dir && EXT4_DIR_LINK_MAX(new.dir))
+                               goto end_rename;
+               }
++              /*
++               * We need to protect against old.inode directory getting
++               * converted from inline directory format into a normal one.
++               */
++              inode_lock_nested(old.inode, I_MUTEX_NONDIR2);
+               retval = ext4_rename_dir_prepare(handle, &old);
+-              if (retval)
++              if (retval) {
++                      inode_unlock(old.inode);
+                       goto end_rename;
++              }
+       }
+       /*
+        * If we're renaming a file within an inline_data dir and adding or
+@@ -4007,6 +4014,8 @@ static int ext4_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
+       } else {
+               ext4_journal_stop(handle);
+       }
++      if (old.dir_bh)
++              inode_unlock(old.inode);
+ release_bh:
+       brelse(old.dir_bh);
+       brelse(old.bh);
+-- 
+2.39.2
+
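Review bot: The exit-path unlock in the second namei.c hunk is keyed on `old.dir_bh` rather than on whether `inode_lock_nested()` was actually taken, while the error branch in the first hunk already calls `inode_unlock(old.inode)` before `goto end_rename`. If `ext4_rename_dir_prepare()` can fail after it has set `old.dir_bh`, and `end_rename` sits above the added `if (old.dir_bh)` (only `release_bh` is visible here), that path would unlock the inode twice. Tracking the lock explicitly avoids depending on a side effect of the helper: declare `bool old_dir_locked = false;`, set it right after `inode_lock_nested(...)`, drop the unlock from the error branch, and release once with `if (old_dir_locked) inode_unlock(old.inode);`. ext4_rename starts and ends outside both hunks.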
diff --git a/queue-6.1/fd-dlm-trace-send-recv-of-dlm-message-and-rcom.patch b/queue-6.1/fd-dlm-trace-send-recv-of-dlm-message-and-rcom.patch
new file mode 100644 (file)
index 0000000..0ca217b
--- /dev/null
@@ -0,0 +1,584 @@
+From 5a7f18c60d1c8cc36193030ebf2d69fb0fd6c0a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 16:45:15 -0400
+Subject: fd: dlm: trace send/recv of dlm message and rcom
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit e01c4b7bd41522ae0299c07e2ee8c721fee02595 ]
+
+This patch adds tracepoints for send and recv cases of dlm messages and
+dlm rcom messages. In case of send and dlm message we add the dlm rsb
+resource name this dlm messages belongs to. This has the advantage to
+follow dlm messages on a per lock basis. In case of recv message the
+resource name can be extracted by follow the send message sequence
+number.
+
+The dlm message DLM_MSG_PURGE doesn't belong to a lock request and will
+not set the resource name in a dlm_message trace. The same for all rcom
+messages.
+
+There is additional handling required for this debugging functionality
+which is tried to be small as possible. Also the midcomms layer gets
+aware of lock resource names, for now this is required to make a
+connection between sequence number and lock resource names. It is for
+debugging purpose only.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Stable-dep-of: 724b6bab0d75 ("fs: dlm: fix use after free in midcomms commit")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lock.c              |  21 +--
+ fs/dlm/midcomms.c          |  45 +++++-
+ fs/dlm/midcomms.h          |   3 +-
+ fs/dlm/rcom.c              |   4 +-
+ include/trace/events/dlm.h | 297 +++++++++++++++++++++++++++++++++++++
+ 5 files changed, 353 insertions(+), 17 deletions(-)
+
+diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
+index b246d71b5e17a..0b1bc24536ceb 100644
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -3611,9 +3611,10 @@ static int create_message(struct dlm_rsb *r, struct dlm_lkb *lkb,
+ /* further lowcomms enhancements or alternate implementations may make
+    the return value from this function useful at some point */
+-static int send_message(struct dlm_mhandle *mh, struct dlm_message *ms)
++static int send_message(struct dlm_mhandle *mh, struct dlm_message *ms,
++                      const void *name, int namelen)
+ {
+-      dlm_midcomms_commit_mhandle(mh);
++      dlm_midcomms_commit_mhandle(mh, name, namelen);
+       return 0;
+ }
+@@ -3679,7 +3680,7 @@ static int send_common(struct dlm_rsb *r, struct dlm_lkb *lkb, int mstype)
+       send_args(r, lkb, ms);
+-      error = send_message(mh, ms);
++      error = send_message(mh, ms, r->res_name, r->res_length);
+       if (error)
+               goto fail;
+       return 0;
+@@ -3742,7 +3743,7 @@ static int send_grant(struct dlm_rsb *r, struct dlm_lkb *lkb)
+       ms->m_result = 0;
+-      error = send_message(mh, ms);
++      error = send_message(mh, ms, r->res_name, r->res_length);
+  out:
+       return error;
+ }
+@@ -3763,7 +3764,7 @@ static int send_bast(struct dlm_rsb *r, struct dlm_lkb *lkb, int mode)
+       ms->m_bastmode = cpu_to_le32(mode);
+-      error = send_message(mh, ms);
++      error = send_message(mh, ms, r->res_name, r->res_length);
+  out:
+       return error;
+ }
+@@ -3786,7 +3787,7 @@ static int send_lookup(struct dlm_rsb *r, struct dlm_lkb *lkb)
+       send_args(r, lkb, ms);
+-      error = send_message(mh, ms);
++      error = send_message(mh, ms, r->res_name, r->res_length);
+       if (error)
+               goto fail;
+       return 0;
+@@ -3811,7 +3812,7 @@ static int send_remove(struct dlm_rsb *r)
+       memcpy(ms->m_extra, r->res_name, r->res_length);
+       ms->m_hash = cpu_to_le32(r->res_hash);
+-      error = send_message(mh, ms);
++      error = send_message(mh, ms, r->res_name, r->res_length);
+  out:
+       return error;
+ }
+@@ -3833,7 +3834,7 @@ static int send_common_reply(struct dlm_rsb *r, struct dlm_lkb *lkb,
+       ms->m_result = cpu_to_le32(to_dlm_errno(rv));
+-      error = send_message(mh, ms);
++      error = send_message(mh, ms, r->res_name, r->res_length);
+  out:
+       return error;
+ }
+@@ -3874,7 +3875,7 @@ static int send_lookup_reply(struct dlm_ls *ls, struct dlm_message *ms_in,
+       ms->m_result = cpu_to_le32(to_dlm_errno(rv));
+       ms->m_nodeid = cpu_to_le32(ret_nodeid);
+-      error = send_message(mh, ms);
++      error = send_message(mh, ms, ms_in->m_extra, receive_extralen(ms_in));
+  out:
+       return error;
+ }
+@@ -6300,7 +6301,7 @@ static int send_purge(struct dlm_ls *ls, int nodeid, int pid)
+       ms->m_nodeid = cpu_to_le32(nodeid);
+       ms->m_pid = cpu_to_le32(pid);
+-      return send_message(mh, ms);
++      return send_message(mh, ms, NULL, 0);
+ }
+ int dlm_user_purge(struct dlm_ls *ls, struct dlm_user_proc *proc,
+diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c
+index 4a8721ab9f149..8d11f104a97eb 100644
+--- a/fs/dlm/midcomms.c
++++ b/fs/dlm/midcomms.c
+@@ -132,6 +132,7 @@
+  */
+ #define DLM_DEBUG_FENCE_TERMINATION   0
++#include <trace/events/dlm.h>
+ #include <net/tcp.h>
+ #include "dlm_internal.h"
+@@ -415,7 +416,7 @@ static int dlm_send_fin(struct midcomms_node *node,
+       m_header->h_cmd = DLM_FIN;
+       pr_debug("sending fin msg to node %d\n", node->nodeid);
+-      dlm_midcomms_commit_mhandle(mh);
++      dlm_midcomms_commit_mhandle(mh, NULL, 0);
+       set_bit(DLM_NODE_FLAG_STOP_TX, &node->flags);
+       return 0;
+@@ -474,6 +475,20 @@ static void dlm_pas_fin_ack_rcv(struct midcomms_node *node)
+       spin_unlock(&node->state_lock);
+ }
++static void dlm_receive_buffer_3_2_trace(uint32_t seq, union dlm_packet *p)
++{
++      switch (p->header.h_cmd) {
++      case DLM_MSG:
++              trace_dlm_recv_message(seq, &p->message);
++              break;
++      case DLM_RCOM:
++              trace_dlm_recv_rcom(seq, &p->rcom);
++              break;
++      default:
++              break;
++      }
++}
++
+ static void dlm_midcomms_receive_buffer(union dlm_packet *p,
+                                       struct midcomms_node *node,
+                                       uint32_t seq)
+@@ -534,6 +549,7 @@ static void dlm_midcomms_receive_buffer(union dlm_packet *p,
+                       break;
+               default:
+                       WARN_ON(test_bit(DLM_NODE_FLAG_STOP_RX, &node->flags));
++                      dlm_receive_buffer_3_2_trace(seq, p);
+                       dlm_receive_buffer(p, node->nodeid);
+                       set_bit(DLM_NODE_ULP_DELIVERED, &node->flags);
+                       break;
+@@ -1124,11 +1140,30 @@ struct dlm_mhandle *dlm_midcomms_get_mhandle(int nodeid, int len,
+ }
+ #endif
+-static void dlm_midcomms_commit_msg_3_2(struct dlm_mhandle *mh)
++static void dlm_midcomms_commit_msg_3_2_trace(const struct dlm_mhandle *mh,
++                                            const void *name, int namelen)
++{
++      switch (mh->inner_p->header.h_cmd) {
++      case DLM_MSG:
++              trace_dlm_send_message(mh->seq, &mh->inner_p->message,
++                                     name, namelen);
++              break;
++      case DLM_RCOM:
++              trace_dlm_send_rcom(mh->seq, &mh->inner_p->rcom);
++              break;
++      default:
++              /* nothing to trace */
++              break;
++      }
++}
++
++static void dlm_midcomms_commit_msg_3_2(struct dlm_mhandle *mh,
++                                      const void *name, int namelen)
+ {
+       /* nexthdr chain for fast lookup */
+       mh->opts->o_nextcmd = mh->inner_p->header.h_cmd;
+       mh->committed = true;
++      dlm_midcomms_commit_msg_3_2_trace(mh, name, namelen);
+       dlm_lowcomms_commit_msg(mh->msg);
+ }
+@@ -1136,8 +1171,10 @@ static void dlm_midcomms_commit_msg_3_2(struct dlm_mhandle *mh)
+  * dlm_midcomms_get_mhandle
+  */
+ #ifndef __CHECKER__
+-void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh)
++void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh,
++                               const void *name, int namelen)
+ {
++
+       switch (mh->node->version) {
+       case DLM_VERSION_3_1:
+               srcu_read_unlock(&nodes_srcu, mh->idx);
+@@ -1148,7 +1185,7 @@ void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh)
+               dlm_free_mhandle(mh);
+               break;
+       case DLM_VERSION_3_2:
+-              dlm_midcomms_commit_msg_3_2(mh);
++              dlm_midcomms_commit_msg_3_2(mh, name, namelen);
+               srcu_read_unlock(&nodes_srcu, mh->idx);
+               break;
+       default:
+diff --git a/fs/dlm/midcomms.h b/fs/dlm/midcomms.h
+index f61fce622e93d..69296552d5add 100644
+--- a/fs/dlm/midcomms.h
++++ b/fs/dlm/midcomms.h
+@@ -17,7 +17,8 @@ struct midcomms_node;
+ int dlm_process_incoming_buffer(int nodeid, unsigned char *buf, int buflen);
+ struct dlm_mhandle *dlm_midcomms_get_mhandle(int nodeid, int len,
+                                            gfp_t allocation, char **ppc);
+-void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh);
++void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh, const void *name,
++                               int namelen);
+ int dlm_midcomms_close(int nodeid);
+ int dlm_midcomms_start(void);
+ void dlm_midcomms_stop(void);
+diff --git a/fs/dlm/rcom.c b/fs/dlm/rcom.c
+index f19860315043a..b76d52e2f6bdd 100644
+--- a/fs/dlm/rcom.c
++++ b/fs/dlm/rcom.c
+@@ -91,7 +91,7 @@ static int create_rcom_stateless(struct dlm_ls *ls, int to_nodeid, int type,
+ static void send_rcom(struct dlm_mhandle *mh, struct dlm_rcom *rc)
+ {
+-      dlm_midcomms_commit_mhandle(mh);
++      dlm_midcomms_commit_mhandle(mh, NULL, 0);
+ }
+ static void send_rcom_stateless(struct dlm_msg *msg, struct dlm_rcom *rc)
+@@ -516,7 +516,7 @@ int dlm_send_ls_not_ready(int nodeid, struct dlm_rcom *rc_in)
+       rf = (struct rcom_config *) rc->rc_buf;
+       rf->rf_lvblen = cpu_to_le32(~0U);
+-      dlm_midcomms_commit_mhandle(mh);
++      dlm_midcomms_commit_mhandle(mh, NULL, 0);
+       return 0;
+ }
+diff --git a/include/trace/events/dlm.h b/include/trace/events/dlm.h
+index da0eaae98fa34..4ec47828d55ed 100644
+--- a/include/trace/events/dlm.h
++++ b/include/trace/events/dlm.h
+@@ -46,6 +46,56 @@
+       { DLM_SBF_VALNOTVALID,  "VALNOTVALID" },                \
+       { DLM_SBF_ALTMODE,      "ALTMODE" })
++#define show_lkb_flags(flags) __print_flags(flags, "|",               \
++      { DLM_IFL_MSTCPY,       "MSTCPY" },                     \
++      { DLM_IFL_RESEND,       "RESEND" },                     \
++      { DLM_IFL_DEAD,         "DEAD" },                       \
++      { DLM_IFL_OVERLAP_UNLOCK, "OVERLAP_UNLOCK" },           \
++      { DLM_IFL_OVERLAP_CANCEL, "OVERLAP_CANCEL" },           \
++      { DLM_IFL_ENDOFLIFE,    "ENDOFLIFE" },                  \
++      { DLM_IFL_DEADLOCK_CANCEL, "DEADLOCK_CANCEL" },         \
++      { DLM_IFL_STUB_MS,      "STUB_MS" },                    \
++      { DLM_IFL_USER,         "USER" },                       \
++      { DLM_IFL_ORPHAN,       "ORPHAN" })
++
++#define show_header_cmd(cmd) __print_symbolic(cmd,            \
++      { DLM_MSG,              "MSG"},                         \
++      { DLM_RCOM,             "RCOM"},                        \
++      { DLM_OPTS,             "OPTS"},                        \
++      { DLM_ACK,              "ACK"},                         \
++      { DLM_FIN,              "FIN"})
++
++#define show_message_version(version) __print_symbolic(version,       \
++      { DLM_VERSION_3_1,      "3.1"},                         \
++      { DLM_VERSION_3_2,      "3.2"})
++
++#define show_message_type(type) __print_symbolic(type,                \
++      { DLM_MSG_REQUEST,      "REQUEST"},                     \
++      { DLM_MSG_CONVERT,      "CONVERT"},                     \
++      { DLM_MSG_UNLOCK,       "UNLOCK"},                      \
++      { DLM_MSG_CANCEL,       "CANCEL"},                      \
++      { DLM_MSG_REQUEST_REPLY, "REQUEST_REPLY"},              \
++      { DLM_MSG_CONVERT_REPLY, "CONVERT_REPLY"},              \
++      { DLM_MSG_UNLOCK_REPLY, "UNLOCK_REPLY"},                \
++      { DLM_MSG_CANCEL_REPLY, "CANCEL_REPLY"},                \
++      { DLM_MSG_GRANT,        "GRANT"},                       \
++      { DLM_MSG_BAST,         "BAST"},                        \
++      { DLM_MSG_LOOKUP,       "LOOKUP"},                      \
++      { DLM_MSG_REMOVE,       "REMOVE"},                      \
++      { DLM_MSG_LOOKUP_REPLY, "LOOKUP_REPLY"},                \
++      { DLM_MSG_PURGE,        "PURGE"})
++
++#define show_rcom_type(type) __print_symbolic(type,            \
++      { DLM_RCOM_STATUS,              "STATUS"},              \
++      { DLM_RCOM_NAMES,               "NAMES"},               \
++      { DLM_RCOM_LOOKUP,              "LOOKUP"},              \
++      { DLM_RCOM_LOCK,                "LOCK"},                \
++      { DLM_RCOM_STATUS_REPLY,        "STATUS_REPLY"},        \
++      { DLM_RCOM_NAMES_REPLY,         "NAMES_REPLY"},         \
++      { DLM_RCOM_LOOKUP_REPLY,        "LOOKUP_REPLY"},        \
++      { DLM_RCOM_LOCK_REPLY,          "LOCK_REPLY"})
++
++
+ /* note: we begin tracing dlm_lock_start() only if ls and lkb are found */
+ TRACE_EVENT(dlm_lock_start,
+@@ -290,6 +340,253 @@ TRACE_EVENT(dlm_unlock_end,
+ );
++DECLARE_EVENT_CLASS(dlm_rcom_template,
++
++      TP_PROTO(uint32_t seq, const struct dlm_rcom *rc),
++
++      TP_ARGS(seq, rc),
++
++      TP_STRUCT__entry(
++              __field(uint32_t, seq)
++              __field(uint32_t, h_version)
++              __field(uint32_t, h_lockspace)
++              __field(uint32_t, h_nodeid)
++              __field(uint16_t, h_length)
++              __field(uint8_t, h_cmd)
++              __field(uint32_t, rc_type)
++              __field(int32_t, rc_result)
++              __field(uint64_t, rc_id)
++              __field(uint64_t, rc_seq)
++              __field(uint64_t, rc_seq_reply)
++              __dynamic_array(unsigned char, rc_buf,
++                              le16_to_cpu(rc->rc_header.h_length) - sizeof(*rc))
++      ),
++
++      TP_fast_assign(
++              __entry->seq = seq;
++              __entry->h_version = le32_to_cpu(rc->rc_header.h_version);
++              __entry->h_lockspace = le32_to_cpu(rc->rc_header.u.h_lockspace);
++              __entry->h_nodeid = le32_to_cpu(rc->rc_header.h_nodeid);
++              __entry->h_length = le16_to_cpu(rc->rc_header.h_length);
++              __entry->h_cmd = rc->rc_header.h_cmd;
++              __entry->rc_type = le32_to_cpu(rc->rc_type);
++              __entry->rc_result = le32_to_cpu(rc->rc_result);
++              __entry->rc_id = le64_to_cpu(rc->rc_id);
++              __entry->rc_seq = le64_to_cpu(rc->rc_seq);
++              __entry->rc_seq_reply = le64_to_cpu(rc->rc_seq_reply);
++              memcpy(__get_dynamic_array(rc_buf), rc->rc_buf,
++                     __get_dynamic_array_len(rc_buf));
++      ),
++
++      TP_printk("seq=%u, h_version=%s h_lockspace=%u h_nodeid=%u "
++                "h_length=%u h_cmd=%s rc_type=%s rc_result=%d "
++                "rc_id=%llu rc_seq=%llu rc_seq_reply=%llu "
++                "rc_buf=0x%s", __entry->seq,
++                show_message_version(__entry->h_version),
++                __entry->h_lockspace, __entry->h_nodeid, __entry->h_length,
++                show_header_cmd(__entry->h_cmd),
++                show_rcom_type(__entry->rc_type),
++                __entry->rc_result, __entry->rc_id, __entry->rc_seq,
++                __entry->rc_seq_reply,
++                __print_hex_str(__get_dynamic_array(rc_buf),
++                                __get_dynamic_array_len(rc_buf)))
++
++);
++
++DEFINE_EVENT(dlm_rcom_template, dlm_send_rcom,
++           TP_PROTO(uint32_t seq, const struct dlm_rcom *rc),
++           TP_ARGS(seq, rc));
++
++DEFINE_EVENT(dlm_rcom_template, dlm_recv_rcom,
++           TP_PROTO(uint32_t seq, const struct dlm_rcom *rc),
++           TP_ARGS(seq, rc));
++
++TRACE_EVENT(dlm_send_message,
++
++      TP_PROTO(uint32_t seq, const struct dlm_message *ms,
++               const void *name, int namelen),
++
++      TP_ARGS(seq, ms, name, namelen),
++
++      TP_STRUCT__entry(
++              __field(uint32_t, seq)
++              __field(uint32_t, h_version)
++              __field(uint32_t, h_lockspace)
++              __field(uint32_t, h_nodeid)
++              __field(uint16_t, h_length)
++              __field(uint8_t, h_cmd)
++              __field(uint32_t, m_type)
++              __field(uint32_t, m_nodeid)
++              __field(uint32_t, m_pid)
++              __field(uint32_t, m_lkid)
++              __field(uint32_t, m_remid)
++              __field(uint32_t, m_parent_lkid)
++              __field(uint32_t, m_parent_remid)
++              __field(uint32_t, m_exflags)
++              __field(uint32_t, m_sbflags)
++              __field(uint32_t, m_flags)
++              __field(uint32_t, m_lvbseq)
++              __field(uint32_t, m_hash)
++              __field(int32_t, m_status)
++              __field(int32_t, m_grmode)
++              __field(int32_t, m_rqmode)
++              __field(int32_t, m_bastmode)
++              __field(int32_t, m_asts)
++              __field(int32_t, m_result)
++              __dynamic_array(unsigned char, m_extra,
++                              le16_to_cpu(ms->m_header.h_length) - sizeof(*ms))
++              __dynamic_array(unsigned char, res_name, namelen)
++      ),
++
++      TP_fast_assign(
++              __entry->seq = seq;
++              __entry->h_version = le32_to_cpu(ms->m_header.h_version);
++              __entry->h_lockspace = le32_to_cpu(ms->m_header.u.h_lockspace);
++              __entry->h_nodeid = le32_to_cpu(ms->m_header.h_nodeid);
++              __entry->h_length = le16_to_cpu(ms->m_header.h_length);
++              __entry->h_cmd = ms->m_header.h_cmd;
++              __entry->m_type = le32_to_cpu(ms->m_type);
++              __entry->m_nodeid = le32_to_cpu(ms->m_nodeid);
++              __entry->m_pid = le32_to_cpu(ms->m_pid);
++              __entry->m_lkid = le32_to_cpu(ms->m_lkid);
++              __entry->m_remid = le32_to_cpu(ms->m_remid);
++              __entry->m_parent_lkid = le32_to_cpu(ms->m_parent_lkid);
++              __entry->m_parent_remid = le32_to_cpu(ms->m_parent_remid);
++              __entry->m_exflags = le32_to_cpu(ms->m_exflags);
++              __entry->m_sbflags = le32_to_cpu(ms->m_sbflags);
++              __entry->m_flags = le32_to_cpu(ms->m_flags);
++              __entry->m_lvbseq = le32_to_cpu(ms->m_lvbseq);
++              __entry->m_hash = le32_to_cpu(ms->m_hash);
++              __entry->m_status = le32_to_cpu(ms->m_status);
++              __entry->m_grmode = le32_to_cpu(ms->m_grmode);
++              __entry->m_rqmode = le32_to_cpu(ms->m_rqmode);
++              __entry->m_bastmode = le32_to_cpu(ms->m_bastmode);
++              __entry->m_asts = le32_to_cpu(ms->m_asts);
++              __entry->m_result = le32_to_cpu(ms->m_result);
++              memcpy(__get_dynamic_array(m_extra), ms->m_extra,
++                     __get_dynamic_array_len(m_extra));
++              memcpy(__get_dynamic_array(res_name), name,
++                     __get_dynamic_array_len(res_name));
++      ),
++
++      TP_printk("seq=%u h_version=%s h_lockspace=%u h_nodeid=%u "
++                "h_length=%u h_cmd=%s m_type=%s m_nodeid=%u "
++                "m_pid=%u m_lkid=%u m_remid=%u m_parent_lkid=%u "
++                "m_parent_remid=%u m_exflags=%s m_sbflags=%s m_flags=%s "
++                "m_lvbseq=%u m_hash=%u m_status=%d m_grmode=%s "
++                "m_rqmode=%s m_bastmode=%s m_asts=%d m_result=%d "
++                "m_extra=0x%s res_name=0x%s",
++                __entry->seq, show_message_version(__entry->h_version),
++                __entry->h_lockspace, __entry->h_nodeid, __entry->h_length,
++                show_header_cmd(__entry->h_cmd),
++                show_message_type(__entry->m_type),
++                __entry->m_nodeid, __entry->m_pid, __entry->m_lkid,
++                __entry->m_remid, __entry->m_parent_lkid,
++                __entry->m_parent_remid, show_lock_flags(__entry->m_exflags),
++                show_dlm_sb_flags(__entry->m_sbflags),
++                show_lkb_flags(__entry->m_flags), __entry->m_lvbseq,
++                __entry->m_hash, __entry->m_status,
++                show_lock_mode(__entry->m_grmode),
++                show_lock_mode(__entry->m_rqmode),
++                show_lock_mode(__entry->m_bastmode),
++                __entry->m_asts, __entry->m_result,
++                __print_hex_str(__get_dynamic_array(m_extra),
++                                __get_dynamic_array_len(m_extra)),
++                __print_hex_str(__get_dynamic_array(res_name),
++                                __get_dynamic_array_len(res_name)))
++
++);
++
++TRACE_EVENT(dlm_recv_message,
++
++      TP_PROTO(uint32_t seq, const struct dlm_message *ms),
++
++      TP_ARGS(seq, ms),
++
++      TP_STRUCT__entry(
++              __field(uint32_t, seq)
++              __field(uint32_t, h_version)
++              __field(uint32_t, h_lockspace)
++              __field(uint32_t, h_nodeid)
++              __field(uint16_t, h_length)
++              __field(uint8_t, h_cmd)
++              __field(uint32_t, m_type)
++              __field(uint32_t, m_nodeid)
++              __field(uint32_t, m_pid)
++              __field(uint32_t, m_lkid)
++              __field(uint32_t, m_remid)
++              __field(uint32_t, m_parent_lkid)
++              __field(uint32_t, m_parent_remid)
++              __field(uint32_t, m_exflags)
++              __field(uint32_t, m_sbflags)
++              __field(uint32_t, m_flags)
++              __field(uint32_t, m_lvbseq)
++              __field(uint32_t, m_hash)
++              __field(int32_t, m_status)
++              __field(int32_t, m_grmode)
++              __field(int32_t, m_rqmode)
++              __field(int32_t, m_bastmode)
++              __field(int32_t, m_asts)
++              __field(int32_t, m_result)
++              __dynamic_array(unsigned char, m_extra,
++                              le16_to_cpu(ms->m_header.h_length) - sizeof(*ms))
++      ),
++
++      TP_fast_assign(
++              __entry->seq = seq;
++              __entry->h_version = le32_to_cpu(ms->m_header.h_version);
++              __entry->h_lockspace = le32_to_cpu(ms->m_header.u.h_lockspace);
++              __entry->h_nodeid = le32_to_cpu(ms->m_header.h_nodeid);
++              __entry->h_length = le16_to_cpu(ms->m_header.h_length);
++              __entry->h_cmd = ms->m_header.h_cmd;
++              __entry->m_type = le32_to_cpu(ms->m_type);
++              __entry->m_nodeid = le32_to_cpu(ms->m_nodeid);
++              __entry->m_pid = le32_to_cpu(ms->m_pid);
++              __entry->m_lkid = le32_to_cpu(ms->m_lkid);
++              __entry->m_remid = le32_to_cpu(ms->m_remid);
++              __entry->m_parent_lkid = le32_to_cpu(ms->m_parent_lkid);
++              __entry->m_parent_remid = le32_to_cpu(ms->m_parent_remid);
++              __entry->m_exflags = le32_to_cpu(ms->m_exflags);
++              __entry->m_sbflags = le32_to_cpu(ms->m_sbflags);
++              __entry->m_flags = le32_to_cpu(ms->m_flags);
++              __entry->m_lvbseq = le32_to_cpu(ms->m_lvbseq);
++              __entry->m_hash = le32_to_cpu(ms->m_hash);
++              __entry->m_status = le32_to_cpu(ms->m_status);
++              __entry->m_grmode = le32_to_cpu(ms->m_grmode);
++              __entry->m_rqmode = le32_to_cpu(ms->m_rqmode);
++              __entry->m_bastmode = le32_to_cpu(ms->m_bastmode);
++              __entry->m_asts = le32_to_cpu(ms->m_asts);
++              __entry->m_result = le32_to_cpu(ms->m_result);
++              memcpy(__get_dynamic_array(m_extra), ms->m_extra,
++                     __get_dynamic_array_len(m_extra));
++      ),
++
++      TP_printk("seq=%u h_version=%s h_lockspace=%u h_nodeid=%u "
++                "h_length=%u h_cmd=%s m_type=%s m_nodeid=%u "
++                "m_pid=%u m_lkid=%u m_remid=%u m_parent_lkid=%u "
++                "m_parent_remid=%u m_exflags=%s m_sbflags=%s m_flags=%s "
++                "m_lvbseq=%u m_hash=%u m_status=%d m_grmode=%s "
++                "m_rqmode=%s m_bastmode=%s m_asts=%d m_result=%d "
++                "m_extra=0x%s",
++                __entry->seq, show_message_version(__entry->h_version),
++                __entry->h_lockspace, __entry->h_nodeid, __entry->h_length,
++                show_header_cmd(__entry->h_cmd),
++                show_message_type(__entry->m_type),
++                __entry->m_nodeid, __entry->m_pid, __entry->m_lkid,
++                __entry->m_remid, __entry->m_parent_lkid,
++                __entry->m_parent_remid, show_lock_flags(__entry->m_exflags),
++                show_dlm_sb_flags(__entry->m_sbflags),
++                show_lkb_flags(__entry->m_flags), __entry->m_lvbseq,
++                __entry->m_hash, __entry->m_status,
++                show_lock_mode(__entry->m_grmode),
++                show_lock_mode(__entry->m_rqmode),
++                show_lock_mode(__entry->m_bastmode),
++                __entry->m_asts, __entry->m_result,
++                __print_hex_str(__get_dynamic_array(m_extra),
++                                __get_dynamic_array_len(m_extra)))
++
++);
++
+ TRACE_EVENT(dlm_send,
+       TP_PROTO(int nodeid, int ret),
+-- 
+2.39.2
+
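Review bot: The `m_extra` and `rc_buf` dynamic arrays in include/trace/events/dlm.h are sized as `le16_to_cpu(...h_length) - sizeof(*ms)` (or `sizeof(*rc)`), and on the receive side `h_length` is taken from the peer's packet. The subtraction is unsigned, so a header length smaller than the fixed struct would wrap to a very large size before the `memcpy()` in `TP_fast_assign`; whether midcomms has already rejected such packets before `dlm_receive_buffer_3_2_trace()` is called is not visible in these hunks. I would state the precondition at that call site, e.g. `/* h_length already validated >= sizeof(struct dlm_message) / sizeof(struct dlm_rcom) */`, or have the helper return early when the length is too short. With these events enabled the raw message payload and lock resource names are also copied into the trace buffer, which is worth saying in a comment above the event definitions.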
diff --git a/queue-6.1/fs-dlm-add-midcomms-init-start-functions.patch b/queue-6.1/fs-dlm-add-midcomms-init-start-functions.patch
new file mode 100644 (file)
index 0000000..8b2172a
--- /dev/null
@@ -0,0 +1,202 @@
+From 92b8a5c275456f27362c78593d327059a7980541 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 17:11:46 -0500
+Subject: fs: dlm: add midcomms init/start functions
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 8b0188b0d60b6f6183b48380bac49fe080c5ded9 ]
+
+This patch introduces leftovers of init, start, stop and exit
+functionality. The dlm application layer should always call the midcomms
+layer which getting aware of such event and redirect it to the lowcomms
+layer. Some functionality which is currently handled inside the start
+functionality of midcomms and lowcomms should be handled in the init
+functionality as it only need to be initialized once when dlm is loaded.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Stable-dep-of: aad633dc0cf9 ("fs: dlm: start midcomms before scand")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lockspace.c |  5 ++---
+ fs/dlm/lowcomms.c  | 16 ++++++++++------
+ fs/dlm/lowcomms.h  |  1 +
+ fs/dlm/main.c      |  7 +++++--
+ fs/dlm/midcomms.c  | 17 ++++++++++++++++-
+ fs/dlm/midcomms.h  |  3 +++
+ 6 files changed, 37 insertions(+), 12 deletions(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index 04e1b4fe366dc..c3cf2e7996f6c 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -17,7 +17,6 @@
+ #include "recoverd.h"
+ #include "dir.h"
+ #include "midcomms.h"
+-#include "lowcomms.h"
+ #include "config.h"
+ #include "memory.h"
+ #include "lock.h"
+@@ -726,7 +725,7 @@ static int __dlm_new_lockspace(const char *name, const char *cluster,
+       if (!ls_count) {
+               dlm_scand_stop();
+               dlm_midcomms_shutdown();
+-              dlm_lowcomms_stop();
++              dlm_midcomms_stop();
+       }
+  out:
+       mutex_unlock(&ls_lock);
+@@ -929,7 +928,7 @@ int dlm_release_lockspace(void *lockspace, int force)
+       if (!error)
+               ls_count--;
+       if (!ls_count)
+-              dlm_lowcomms_stop();
++              dlm_midcomms_stop();
+       mutex_unlock(&ls_lock);
+       return error;
+diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c
+index 871d4e9f49fb6..6ed09edabea0c 100644
+--- a/fs/dlm/lowcomms.c
++++ b/fs/dlm/lowcomms.c
+@@ -1982,10 +1982,6 @@ static const struct dlm_proto_ops dlm_sctp_ops = {
+ int dlm_lowcomms_start(void)
+ {
+       int error = -EINVAL;
+-      int i;
+-
+-      for (i = 0; i < CONN_HASH_SIZE; i++)
+-              INIT_HLIST_HEAD(&connection_hash[i]);
+       init_local();
+       if (!dlm_local_count) {
+@@ -1994,8 +1990,6 @@ int dlm_lowcomms_start(void)
+               goto fail;
+       }
+-      INIT_WORK(&listen_con.rwork, process_listen_recv_socket);
+-
+       error = work_start();
+       if (error)
+               goto fail_local;
+@@ -2034,6 +2028,16 @@ int dlm_lowcomms_start(void)
+       return error;
+ }
++void dlm_lowcomms_init(void)
++{
++      int i;
++
++      for (i = 0; i < CONN_HASH_SIZE; i++)
++              INIT_HLIST_HEAD(&connection_hash[i]);
++
++      INIT_WORK(&listen_con.rwork, process_listen_recv_socket);
++}
++
+ void dlm_lowcomms_exit(void)
+ {
+       struct dlm_node_addr *na, *safe;
+diff --git a/fs/dlm/lowcomms.h b/fs/dlm/lowcomms.h
+index 29369feea9916..bbce7a18416dc 100644
+--- a/fs/dlm/lowcomms.h
++++ b/fs/dlm/lowcomms.h
+@@ -35,6 +35,7 @@ extern int dlm_allow_conn;
+ int dlm_lowcomms_start(void);
+ void dlm_lowcomms_shutdown(void);
+ void dlm_lowcomms_stop(void);
++void dlm_lowcomms_init(void);
+ void dlm_lowcomms_exit(void);
+ int dlm_lowcomms_close(int nodeid);
+ struct dlm_msg *dlm_lowcomms_new_msg(int nodeid, int len, gfp_t allocation,
+diff --git a/fs/dlm/main.c b/fs/dlm/main.c
+index 1c5be4b70ac1b..a77338be32371 100644
+--- a/fs/dlm/main.c
++++ b/fs/dlm/main.c
+@@ -17,7 +17,7 @@
+ #include "user.h"
+ #include "memory.h"
+ #include "config.h"
+-#include "lowcomms.h"
++#include "midcomms.h"
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/dlm.h>
+@@ -30,6 +30,8 @@ static int __init init_dlm(void)
+       if (error)
+               goto out;
++      dlm_midcomms_init();
++
+       error = dlm_lockspace_init();
+       if (error)
+               goto out_mem;
+@@ -66,6 +68,7 @@ static int __init init_dlm(void)
+  out_lockspace:
+       dlm_lockspace_exit();
+  out_mem:
++      dlm_midcomms_exit();
+       dlm_memory_exit();
+  out:
+       return error;
+@@ -79,7 +82,7 @@ static void __exit exit_dlm(void)
+       dlm_config_exit();
+       dlm_memory_exit();
+       dlm_lockspace_exit();
+-      dlm_lowcomms_exit();
++      dlm_midcomms_exit();
+       dlm_unregister_debugfs();
+ }
+diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c
+index 546c52c46b1c9..095f2005fb621 100644
+--- a/fs/dlm/midcomms.c
++++ b/fs/dlm/midcomms.c
+@@ -1160,13 +1160,28 @@ void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh)
+ #endif
+ int dlm_midcomms_start(void)
++{
++      return dlm_lowcomms_start();
++}
++
++void dlm_midcomms_stop(void)
++{
++      dlm_lowcomms_stop();
++}
++
++void dlm_midcomms_init(void)
+ {
+       int i;
+       for (i = 0; i < CONN_HASH_SIZE; i++)
+               INIT_HLIST_HEAD(&node_hash[i]);
+-      return dlm_lowcomms_start();
++      dlm_lowcomms_init();
++}
++
++void dlm_midcomms_exit(void)
++{
++      dlm_lowcomms_exit();
+ }
+ static void dlm_act_fin_ack_rcv(struct midcomms_node *node)
+diff --git a/fs/dlm/midcomms.h b/fs/dlm/midcomms.h
+index 82bcd96619228..f61fce622e93d 100644
+--- a/fs/dlm/midcomms.h
++++ b/fs/dlm/midcomms.h
+@@ -20,6 +20,9 @@ struct dlm_mhandle *dlm_midcomms_get_mhandle(int nodeid, int len,
+ void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh);
+ int dlm_midcomms_close(int nodeid);
+ int dlm_midcomms_start(void);
++void dlm_midcomms_stop(void);
++void dlm_midcomms_init(void);
++void dlm_midcomms_exit(void);
+ void dlm_midcomms_shutdown(void);
+ void dlm_midcomms_add_member(int nodeid);
+ void dlm_midcomms_remove_member(int nodeid);
+-- 
+2.39.2
+
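Review bot: dlm_lowcomms_start() in fs/dlm/lowcomms.c no longer re-initialises connection_hash or listen_con.rwork, so every start after the first inherits whatever dlm_lowcomms_stop() left behind. Whether stop empties the table and cancels the work is not visible in this patch, so dlm_lowcomms_init() (and dlm_midcomms_init() for node_hash) should state that contract, e.g. `/* one-time setup at module load; stop() must leave connection_hash empty before the next start() */`. Separately, init_dlm()'s out_mem path calls dlm_midcomms_exit() before dlm_memory_exit(), while exit_dlm() keeps the opposite order. If dlm_lowcomms_exit() touches anything that dlm_memory_exit() tears down, one of the two orders is wrong, so they should be made to agree. init_dlm(), exit_dlm() and dlm_lowcomms_start() are only partly visible in their hunks.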
diff --git a/queue-6.1/fs-dlm-be-sure-to-call-dlm_send_queue_flush.patch b/queue-6.1/fs-dlm-be-sure-to-call-dlm_send_queue_flush.patch
new file mode 100644 (file)
index 0000000..446ddf4
--- /dev/null
@@ -0,0 +1,39 @@
+From 2360bbb166d1923d89ae2615462602af245e7ff9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jan 2023 17:10:33 -0500
+Subject: fs: dlm: be sure to call dlm_send_queue_flush()
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 7354fa4ef697191effedc2ae9a8293427708bbf5 ]
+
+If we release a midcomms node structure, there should be nothing left
+inside the dlm midcomms send queue. However, sometimes this is not true
+because I believe some DLM_FIN message was not acked... if we run
+into a shutdown timeout, then we should be sure there is no pending send
+dlm message inside this queue when releasing midcomms node structure.
+
+Cc: stable@vger.kernel.org
+Fixes: 489d8e559c65 ("fs: dlm: add reliable connection if reconnect")
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/midcomms.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c
+index b53d7a281be93..d976c2009b185 100644
+--- a/fs/dlm/midcomms.c
++++ b/fs/dlm/midcomms.c
+@@ -1367,6 +1367,7 @@ static void midcomms_node_release(struct rcu_head *rcu)
+       struct midcomms_node *node = container_of(rcu, struct midcomms_node, rcu);
+       WARN_ON_ONCE(atomic_read(&node->send_queue_cnt));
++      dlm_send_queue_flush(node);
+       kfree(node);
+ }
+-- 
+2.39.2
+
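Review bot: In midcomms_node_release() the WARN_ON_ONCE on send_queue_cnt still sits in front of the new dlm_send_queue_flush(node), although the commit message describes a non-empty queue as an expected outcome of a shutdown timeout. On hosts running with panic_on_warn an unacked fin from a remote node would then become a panic instead of a dropped queue, so a rate-limited log line may fit this condition better than a WARN. The flush now runs in RCU callback context and must not sleep; its body is not visible here, so that should be confirmed. A comment such as `/* a shutdown timeout can leave unacked messages queued; drop them before freeing the node */` would record why the call is needed. The function's opening lines lie outside the hunk.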
diff --git a/queue-6.1/fs-dlm-fix-log-of-lowcomms-vs-midcomms.patch b/queue-6.1/fs-dlm-fix-log-of-lowcomms-vs-midcomms.patch
new file mode 100644 (file)
index 0000000..6aca3c8
--- /dev/null
@@ -0,0 +1,38 @@
+From b9ec90687720c2530144e2fe364d7e8c948d3e88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 16:45:26 -0400
+Subject: fs: dlm: fix log of lowcomms vs midcomms
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 3e54c9e80e68b765d8877023d93f1eea1b9d1c54 ]
+
+This patch will fix a small issue when printing out that
+dlm_midcomms_start() failed to start and it was printing out that the
+dlm subcomponent lowcomms was failed but lowcomms is behind the midcomms
+layer.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Stable-dep-of: aad633dc0cf9 ("fs: dlm: start midcomms before scand")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index bae050df7abff..04e1b4fe366dc 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -391,7 +391,7 @@ static int threads_start(void)
+       /* Thread for sending/receiving messages for all lockspace's */
+       error = dlm_midcomms_start();
+       if (error) {
+-              log_print("cannot start dlm lowcomms %d", error);
++              log_print("cannot start dlm midcomms %d", error);
+               goto scand_fail;
+       }
+-- 
+2.39.2
+
diff --git a/queue-6.1/fs-dlm-fix-race-setting-stop-tx-flag.patch b/queue-6.1/fs-dlm-fix-race-setting-stop-tx-flag.patch
new file mode 100644 (file)
index 0000000..6f57407
--- /dev/null
@@ -0,0 +1,50 @@
+From 70e7ce139b9d14a1c60a8e80afe184889f3051df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jan 2023 17:10:34 -0500
+Subject: fs: dlm: fix race setting stop tx flag
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 164272113b685927126c938b4a9cbd2075eb15ee ]
+
+This patch sets the stop tx flag before we commit the dlm message.
+This flag will report about unexpected transmissions after we
+send the DLM_FIN message out, which should be the last message sent.
+When we commit the dlm fin message, it could be that we already
+got an ack back and the CLOSED state change already happened.
+We should not set this flag when we are in CLOSED state. To avoid this
+race we simply set the tx flag before the state change can be in
+progress by moving it before dlm_midcomms_commit_mhandle().
+
+Cc: stable@vger.kernel.org
+Fixes: 489d8e559c65 ("fs: dlm: add reliable connection if reconnect")
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/midcomms.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c
+index d976c2009b185..b2a25a33a1488 100644
+--- a/fs/dlm/midcomms.c
++++ b/fs/dlm/midcomms.c
+@@ -406,6 +406,7 @@ static int dlm_send_fin(struct midcomms_node *node,
+       if (!mh)
+               return -ENOMEM;
++      set_bit(DLM_NODE_FLAG_STOP_TX, &node->flags);
+       mh->ack_rcv = ack_rcv;
+       m_header = (struct dlm_header *)ppc;
+@@ -417,7 +418,6 @@ static int dlm_send_fin(struct midcomms_node *node,
+       pr_debug("sending fin msg to node %d\n", node->nodeid);
+       dlm_midcomms_commit_mhandle(mh, NULL, 0);
+-      set_bit(DLM_NODE_FLAG_STOP_TX, &node->flags);
+       return 0;
+ }
+-- 
+2.39.2
+
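Review bot: The set_bit(DLM_NODE_FLAG_STOP_TX, ...) that moved up in dlm_send_fin() has no comment tying it to the commit call further down, so a later cleanup could move it back and reintroduce the race. Suggest `/* must be set before the commit: the ack can arrive and move the node to CLOSED before dlm_midcomms_commit_mhandle() returns */` directly above it. Note also that set_bit() implies no memory ordering by itself; the ordering against the CLOSED transition appears to rely on locking inside the commit and receive paths, which is outside these hunks and should be confirmed. dlm_send_fin() starts before the first hunk and its middle section is not shown.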
diff --git a/queue-6.1/fs-dlm-fix-use-after-free-in-midcomms-commit.patch b/queue-6.1/fs-dlm-fix-use-after-free-in-midcomms-commit.patch
new file mode 100644 (file)
index 0000000..5b24bf6
--- /dev/null
@@ -0,0 +1,183 @@
+From 687a2942061ac9c7e091ef7848bd8bc264fe4ba6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jan 2023 17:10:32 -0500
+Subject: fs: dlm: fix use after free in midcomms commit
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 724b6bab0d75f1dc01fdfbf7fe8d4217a5cb90ba ]
+
+While working on processing dlm message in softirq context I experienced
+the following KASAN use-after-free warning:
+
+[  151.760477] ==================================================================
+[  151.761803] BUG: KASAN: use-after-free in dlm_midcomms_commit_mhandle+0x19d/0x4b0
+[  151.763414] Read of size 4 at addr ffff88811a980c60 by task lock_torture/1347
+
+[  151.765284] CPU: 7 PID: 1347 Comm: lock_torture Not tainted 6.1.0-rc4+ #2828
+[  151.766778] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+16134+e5908aa2 04/01/2014
+[  151.768726] Call Trace:
+[  151.769277]  <TASK>
+[  151.769748]  dump_stack_lvl+0x5b/0x86
+[  151.770556]  print_report+0x180/0x4c8
+[  151.771378]  ? kasan_complete_mode_report_info+0x7c/0x1e0
+[  151.772241]  ? dlm_midcomms_commit_mhandle+0x19d/0x4b0
+[  151.773069]  kasan_report+0x93/0x1a0
+[  151.773668]  ? dlm_midcomms_commit_mhandle+0x19d/0x4b0
+[  151.774514]  __asan_load4+0x7e/0xa0
+[  151.775089]  dlm_midcomms_commit_mhandle+0x19d/0x4b0
+[  151.775890]  ? create_message.isra.29.constprop.64+0x57/0xc0
+[  151.776770]  send_common+0x19f/0x1b0
+[  151.777342]  ? remove_from_waiters+0x60/0x60
+[  151.778017]  ? lock_downgrade+0x410/0x410
+[  151.778648]  ? __this_cpu_preempt_check+0x13/0x20
+[  151.779421]  ? rcu_lockdep_current_cpu_online+0x88/0xc0
+[  151.780292]  _convert_lock+0x46/0x150
+[  151.780893]  convert_lock+0x7b/0xc0
+[  151.781459]  dlm_lock+0x3ac/0x580
+[  151.781993]  ? 0xffffffffc0540000
+[  151.782522]  ? torture_stop+0x120/0x120 [dlm_locktorture]
+[  151.783379]  ? dlm_scan_rsbs+0xa70/0xa70
+[  151.784003]  ? preempt_count_sub+0xd6/0x130
+[  151.784661]  ? is_module_address+0x47/0x70
+[  151.785309]  ? torture_stop+0x120/0x120 [dlm_locktorture]
+[  151.786166]  ? 0xffffffffc0540000
+[  151.786693]  ? lockdep_init_map_type+0xc3/0x360
+[  151.787414]  ? 0xffffffffc0540000
+[  151.787947]  torture_dlm_lock_sync.isra.3+0xe9/0x150 [dlm_locktorture]
+[  151.789004]  ? torture_stop+0x120/0x120 [dlm_locktorture]
+[  151.789858]  ? 0xffffffffc0540000
+[  151.790392]  ? lock_torture_cleanup+0x20/0x20 [dlm_locktorture]
+[  151.791347]  ? delay_tsc+0x94/0xc0
+[  151.791898]  torture_ex_iter+0xc3/0xea [dlm_locktorture]
+[  151.792735]  ? torture_start+0x30/0x30 [dlm_locktorture]
+[  151.793606]  lock_torture+0x177/0x270 [dlm_locktorture]
+[  151.794448]  ? torture_dlm_lock_sync.isra.3+0x150/0x150 [dlm_locktorture]
+[  151.795539]  ? lock_torture_stats+0x80/0x80 [dlm_locktorture]
+[  151.796476]  ? do_raw_spin_lock+0x11e/0x1e0
+[  151.797152]  ? mark_held_locks+0x34/0xb0
+[  151.797784]  ? _raw_spin_unlock_irqrestore+0x30/0x70
+[  151.798581]  ? __kthread_parkme+0x79/0x110
+[  151.799246]  ? trace_preempt_on+0x2a/0xf0
+[  151.799902]  ? __kthread_parkme+0x79/0x110
+[  151.800579]  ? preempt_count_sub+0xd6/0x130
+[  151.801271]  ? __kasan_check_read+0x11/0x20
+[  151.801963]  ? __kthread_parkme+0xec/0x110
+[  151.802630]  ? lock_torture_stats+0x80/0x80 [dlm_locktorture]
+[  151.803569]  kthread+0x192/0x1d0
+[  151.804104]  ? kthread_complete_and_exit+0x30/0x30
+[  151.804881]  ret_from_fork+0x1f/0x30
+[  151.805480]  </TASK>
+
+[  151.806111] Allocated by task 1347:
+[  151.806681]  kasan_save_stack+0x26/0x50
+[  151.807308]  kasan_set_track+0x25/0x30
+[  151.807920]  kasan_save_alloc_info+0x1e/0x30
+[  151.808609]  __kasan_slab_alloc+0x63/0x80
+[  151.809263]  kmem_cache_alloc+0x1ad/0x830
+[  151.809916]  dlm_allocate_mhandle+0x17/0x20
+[  151.810590]  dlm_midcomms_get_mhandle+0x96/0x260
+[  151.811344]  _create_message+0x95/0x180
+[  151.811994]  create_message.isra.29.constprop.64+0x57/0xc0
+[  151.812880]  send_common+0x129/0x1b0
+[  151.813467]  _convert_lock+0x46/0x150
+[  151.814074]  convert_lock+0x7b/0xc0
+[  151.814648]  dlm_lock+0x3ac/0x580
+[  151.815199]  torture_dlm_lock_sync.isra.3+0xe9/0x150 [dlm_locktorture]
+[  151.816258]  torture_ex_iter+0xc3/0xea [dlm_locktorture]
+[  151.817129]  lock_torture+0x177/0x270 [dlm_locktorture]
+[  151.817986]  kthread+0x192/0x1d0
+[  151.818518]  ret_from_fork+0x1f/0x30
+
+[  151.819369] Freed by task 1336:
+[  151.819890]  kasan_save_stack+0x26/0x50
+[  151.820514]  kasan_set_track+0x25/0x30
+[  151.821128]  kasan_save_free_info+0x2e/0x50
+[  151.821812]  __kasan_slab_free+0x107/0x1a0
+[  151.822483]  kmem_cache_free+0x204/0x5e0
+[  151.823152]  dlm_free_mhandle+0x18/0x20
+[  151.823781]  dlm_mhandle_release+0x2e/0x40
+[  151.824454]  rcu_core+0x583/0x1330
+[  151.825047]  rcu_core_si+0xe/0x20
+[  151.825594]  __do_softirq+0xf4/0x5c2
+
+[  151.826450] Last potentially related work creation:
+[  151.827238]  kasan_save_stack+0x26/0x50
+[  151.827870]  __kasan_record_aux_stack+0xa2/0xc0
+[  151.828609]  kasan_record_aux_stack_noalloc+0xb/0x20
+[  151.829415]  call_rcu+0x4c/0x760
+[  151.829954]  dlm_mhandle_delete+0x97/0xb0
+[  151.830718]  dlm_process_incoming_buffer+0x2fc/0xb30
+[  151.831524]  process_dlm_messages+0x16e/0x470
+[  151.832245]  process_one_work+0x505/0xa10
+[  151.832905]  worker_thread+0x67/0x650
+[  151.833507]  kthread+0x192/0x1d0
+[  151.834046]  ret_from_fork+0x1f/0x30
+
+[  151.834900] The buggy address belongs to the object at ffff88811a980c30
+                which belongs to the cache dlm_mhandle of size 88
+[  151.836894] The buggy address is located 48 bytes inside of
+                88-byte region [ffff88811a980c30, ffff88811a980c88)
+
+[  151.839007] The buggy address belongs to the physical page:
+[  151.839904] page:0000000076cf5d62 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a980
+[  151.841378] flags: 0x8000000000000200(slab|zone=2)
+[  151.842141] raw: 8000000000000200 0000000000000000 dead000000000122 ffff8881089b43c0
+[  151.843401] raw: 0000000000000000 0000000000220022 00000001ffffffff 0000000000000000
+[  151.844640] page dumped because: kasan: bad access detected
+
+[  151.845822] Memory state around the buggy address:
+[  151.846602]  ffff88811a980b00: fb fb fb fb fc fc fc fc fa fb fb fb fb fb fb fb
+[  151.847761]  ffff88811a980b80: fb fb fb fc fc fc fc fa fb fb fb fb fb fb fb fb
+[  151.848921] >ffff88811a980c00: fb fb fc fc fc fc fa fb fb fb fb fb fb fb fb fb
+[  151.850076]                                                        ^
+[  151.851085]  ffff88811a980c80: fb fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb
+[  151.852269]  ffff88811a980d00: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fc
+[  151.853428] ==================================================================
+[  151.855618] Disabling lock debugging due to kernel taint
+
+It is accessing a mhandle in dlm_midcomms_commit_mhandle() and the mhandle
+was freed by a call_rcu() call in dlm_process_incoming_buffer(),
+dlm_mhandle_delete(). It looks like it was freed because an ack of
+this message was received. There is a short race between committing the
+dlm message to be transmitted and getting an ack back. If the ack is
+faster than returning from dlm_midcomms_commit_msg_3_2(), then we run
+into a use-after free because we still need to reference the mhandle when
+calling srcu_read_unlock().
+
+To avoid that, we don't allow that mhandle to be freed between
+dlm_midcomms_commit_msg_3_2() and srcu_read_unlock() by using rcu read
+lock. We can do that because mhandle is protected by rcu handling.
+
+Cc: stable@vger.kernel.org
+Fixes: 489d8e559c65 ("fs: dlm: add reliable connection if reconnect")
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/midcomms.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c
+index 8d11f104a97eb..0477493706edb 100644
+--- a/fs/dlm/midcomms.c
++++ b/fs/dlm/midcomms.c
+@@ -1185,8 +1185,15 @@ void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh,
+               dlm_free_mhandle(mh);
+               break;
+       case DLM_VERSION_3_2:
++              /* held rcu read lock here, because we sending the
++               * dlm message out, when we do that we could receive
++               * an ack back which releases the mhandle and we
++               * get a use after free.
++               */
++              rcu_read_lock();
+               dlm_midcomms_commit_msg_3_2(mh, name, namelen);
+               srcu_read_unlock(&nodes_srcu, mh->idx);
++              rcu_read_unlock();
+               break;
+       default:
+               srcu_read_unlock(&nodes_srcu, mh->idx);
+-- 
+2.39.2
+
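Review bot: The rcu_read_lock() section added to the DLM_VERSION_3_2 case of dlm_midcomms_commit_mhandle() now covers dlm_midcomms_commit_msg_3_2(), so everything that call reaches must be non-sleeping. Its body is outside this hunk, so that should be confirmed; a test run with CONFIG_DEBUG_ATOMIC_SLEEP and lockdep would catch a violation. The protection also holds only while every mhandle release goes through call_rcu(), as the KASAN trace shows for dlm_mhandle_delete(). The case just above frees with dlm_free_mhandle() directly, which is safe only if that message can never have been acked. The comment would read more clearly as `/* Hold the RCU read lock across the commit: an ack may arrive before we return and queue mh for release, and mh->idx is still read below. */`. The switch begins before the hunk and continues past it.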
diff --git a/queue-6.1/fs-dlm-remove-send-repeat-remove-handling.patch b/queue-6.1/fs-dlm-remove-send-repeat-remove-handling.patch
new file mode 100644 (file)
index 0000000..336b111
--- /dev/null
@@ -0,0 +1,128 @@
+From 342ed3afabada1a9276f30720ddde270c595d850 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 16:45:13 -0400
+Subject: fs: dlm: remove send repeat remove handling
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 57a5724ef0b332eb6e78250157910a006b01bf6e ]
+
+This patch removes the send repeat remove handling. This handling is
+there to repeatingly DLM_MSG_REMOVE messages in cases the dlm stack
+thinks it was not received at the first time. In cases of message drops
+this functionality is necessary, but since the DLM midcomms layer
+guarantees there are no messages drops between cluster nodes this
+feature became not strict necessary anymore. Due message
+delays/processing it could be that two send_repeat_remove() are sent out
+while the other should be still on it's way. We remove the repeat remove
+handling because we are sure that the message cannot be dropped due
+communication errors.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Stable-dep-of: 724b6bab0d75 ("fs: dlm: fix use after free in midcomms commit")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lock.c | 74 ---------------------------------------------------
+ 1 file changed, 74 deletions(-)
+
+diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c
+index 94a72ede57646..b246d71b5e17a 100644
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -4044,66 +4044,6 @@ static int validate_message(struct dlm_lkb *lkb, struct dlm_message *ms)
+       return error;
+ }
+-static void send_repeat_remove(struct dlm_ls *ls, char *ms_name, int len)
+-{
+-      char name[DLM_RESNAME_MAXLEN + 1];
+-      struct dlm_message *ms;
+-      struct dlm_mhandle *mh;
+-      struct dlm_rsb *r;
+-      uint32_t hash, b;
+-      int rv, dir_nodeid;
+-
+-      memset(name, 0, sizeof(name));
+-      memcpy(name, ms_name, len);
+-
+-      hash = jhash(name, len, 0);
+-      b = hash & (ls->ls_rsbtbl_size - 1);
+-
+-      dir_nodeid = dlm_hash2nodeid(ls, hash);
+-
+-      log_error(ls, "send_repeat_remove dir %d %s", dir_nodeid, name);
+-
+-      spin_lock(&ls->ls_rsbtbl[b].lock);
+-      rv = dlm_search_rsb_tree(&ls->ls_rsbtbl[b].keep, name, len, &r);
+-      if (!rv) {
+-              spin_unlock(&ls->ls_rsbtbl[b].lock);
+-              log_error(ls, "repeat_remove on keep %s", name);
+-              return;
+-      }
+-
+-      rv = dlm_search_rsb_tree(&ls->ls_rsbtbl[b].toss, name, len, &r);
+-      if (!rv) {
+-              spin_unlock(&ls->ls_rsbtbl[b].lock);
+-              log_error(ls, "repeat_remove on toss %s", name);
+-              return;
+-      }
+-
+-      /* use ls->remove_name2 to avoid conflict with shrink? */
+-
+-      spin_lock(&ls->ls_remove_spin);
+-      ls->ls_remove_len = len;
+-      memcpy(ls->ls_remove_name, name, DLM_RESNAME_MAXLEN);
+-      spin_unlock(&ls->ls_remove_spin);
+-      spin_unlock(&ls->ls_rsbtbl[b].lock);
+-
+-      rv = _create_message(ls, sizeof(struct dlm_message) + len,
+-                           dir_nodeid, DLM_MSG_REMOVE, &ms, &mh);
+-      if (rv)
+-              goto out;
+-
+-      memcpy(ms->m_extra, name, len);
+-      ms->m_hash = cpu_to_le32(hash);
+-
+-      send_message(mh, ms);
+-
+-out:
+-      spin_lock(&ls->ls_remove_spin);
+-      ls->ls_remove_len = 0;
+-      memset(ls->ls_remove_name, 0, DLM_RESNAME_MAXLEN);
+-      spin_unlock(&ls->ls_remove_spin);
+-      wake_up(&ls->ls_remove_wait);
+-}
+-
+ static int receive_request(struct dlm_ls *ls, struct dlm_message *ms)
+ {
+       struct dlm_lkb *lkb;
+@@ -4173,25 +4113,11 @@ static int receive_request(struct dlm_ls *ls, struct dlm_message *ms)
+          ENOTBLK request failures when the lookup reply designating us
+          as master is delayed. */
+-      /* We could repeatedly return -EBADR here if our send_remove() is
+-         delayed in being sent/arriving/being processed on the dir node.
+-         Another node would repeatedly lookup up the master, and the dir
+-         node would continue returning our nodeid until our send_remove
+-         took effect.
+-
+-         We send another remove message in case our previous send_remove
+-         was lost/ignored/missed somehow. */
+-
+       if (error != -ENOTBLK) {
+               log_limit(ls, "receive_request %x from %d %d",
+                         le32_to_cpu(ms->m_lkid), from_nodeid, error);
+       }
+-      if (namelen && error == -EBADR) {
+-              send_repeat_remove(ls, ms->m_extra, namelen);
+-              msleep(1000);
+-      }
+-
+       setup_stub_lkb(ls, ms);
+       send_request_reply(&ls->ls_stub_rsb, &ls->ls_stub_lkb, error);
+       return error;
+-- 
+2.39.2
+
diff --git a/queue-6.1/fs-dlm-start-midcomms-before-scand.patch b/queue-6.1/fs-dlm-start-midcomms-before-scand.patch
new file mode 100644 (file)
index 0000000..6f2faea
--- /dev/null
@@ -0,0 +1,62 @@
+From dd5c12d61887cd055ca77639f69755dcc17d5d39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jan 2023 17:10:31 -0500
+Subject: fs: dlm: start midcomms before scand
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit aad633dc0cf90093998b1ae0ba9f19b5f1dab644 ]
+
+The scand kthread can send dlm messages out, especially dlm remove
+messages to free memory for unused rsb on other nodes. To send out dlm
+messages, midcomms must be initialized. This patch moves the midcomms
+start before scand is started.
+
+Cc: stable@vger.kernel.org
+Fixes: e7fd41792fc0 ("[DLM] The core of the DLM for GFS2/CLVM")
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lockspace.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index c3cf2e7996f6c..7b29ea7bfb416 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -381,23 +381,23 @@ static int threads_start(void)
+ {
+       int error;
+-      error = dlm_scand_start();
++      /* Thread for sending/receiving messages for all lockspace's */
++      error = dlm_midcomms_start();
+       if (error) {
+-              log_print("cannot start dlm_scand thread %d", error);
++              log_print("cannot start dlm midcomms %d", error);
+               goto fail;
+       }
+-      /* Thread for sending/receiving messages for all lockspace's */
+-      error = dlm_midcomms_start();
++      error = dlm_scand_start();
+       if (error) {
+-              log_print("cannot start dlm midcomms %d", error);
+-              goto scand_fail;
++              log_print("cannot start dlm_scand thread %d", error);
++              goto midcomms_fail;
+       }
+       return 0;
+- scand_fail:
+-      dlm_scand_stop();
++ midcomms_fail:
++      dlm_midcomms_stop();
+  fail:
+       return error;
+ }
+-- 
+2.39.2
+
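Review bot: threads_start() now depends on dlm_midcomms_start() running before dlm_scand_start(), but the one comment left in the function describes midcomms generically and says nothing about the order. Suggest replacing it with `/* midcomms must be up first: scand can send remove messages as soon as it runs */` so the dependency survives later edits. The midcomms_fail path calls only dlm_midcomms_stop(), whereas the teardown in __dlm_new_lockspace() calls dlm_midcomms_shutdown() before it. Skipping the shutdown is presumably fine because nothing has been sent yet, but the comment should say so.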
diff --git a/queue-6.1/fs-dlm-use-packet-in-dlm_mhandle.patch b/queue-6.1/fs-dlm-use-packet-in-dlm_mhandle.patch
new file mode 100644 (file)
index 0000000..0f2f620
--- /dev/null
@@ -0,0 +1,55 @@
+From 3caf2f8a5d7a02a3e33d0df6030f66f4f9d0e107 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 16:45:14 -0400
+Subject: fs: dlm: use packet in dlm_mhandle
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 5b787667e87a373a2f8f70e6be2b5d99c408462f ]
+
+To allow more than just dereferencing the inner header we directly point
+to the inner dlm packet which allows us to dereference the header, rcom
+or message structure.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Stable-dep-of: 724b6bab0d75 ("fs: dlm: fix use after free in midcomms commit")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/midcomms.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c
+index 095f2005fb621..4a8721ab9f149 100644
+--- a/fs/dlm/midcomms.c
++++ b/fs/dlm/midcomms.c
+@@ -194,7 +194,7 @@ struct midcomms_node {
+ };
+ struct dlm_mhandle {
+-      const struct dlm_header *inner_hd;
++      const union dlm_packet *inner_p;
+       struct midcomms_node *node;
+       struct dlm_opts *opts;
+       struct dlm_msg *msg;
+@@ -1049,7 +1049,7 @@ static struct dlm_msg *dlm_midcomms_get_msg_3_2(struct dlm_mhandle *mh, int node
+       dlm_fill_opts_header(opts, len, mh->seq);
+       *ppc += sizeof(*opts);
+-      mh->inner_hd = (const struct dlm_header *)*ppc;
++      mh->inner_p = (const union dlm_packet *)*ppc;
+       return msg;
+ }
+@@ -1127,7 +1127,7 @@ struct dlm_mhandle *dlm_midcomms_get_mhandle(int nodeid, int len,
+ static void dlm_midcomms_commit_msg_3_2(struct dlm_mhandle *mh)
+ {
+       /* nexthdr chain for fast lookup */
+-      mh->opts->o_nextcmd = mh->inner_hd->h_cmd;
++      mh->opts->o_nextcmd = mh->inner_p->header.h_cmd;
+       mh->committed = true;
+       dlm_lowcomms_commit_msg(mh->msg);
+ }
+-- 
+2.39.2
+
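Review bot: mh->inner_p in dlm_midcomms_get_msg_3_2() is now typed as a whole union dlm_packet, while the buffer behind *ppc is presumably only as long as the len the caller asked for, so the type no longer tells a reader how much of it is valid. This patch reads only header.h_cmd, which is fine. Any later access to the rcom or message members needs a length check against the allocated size first. A field comment on struct dlm_mhandle such as `/* points into the send buffer; only the bytes requested via get_mhandle are valid */` would make that explicit. All three touched definitions are only partly visible in their hunks.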
diff --git a/queue-6.1/fs-dlm-use-warn_on_once-instead-of-warn_on.patch b/queue-6.1/fs-dlm-use-warn_on_once-instead-of-warn_on.patch
new file mode 100644 (file)
index 0000000..2ca81ad
--- /dev/null
@@ -0,0 +1,107 @@
+From 2d80727685f8ef9aeb85017ad0d319895076617b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Oct 2022 16:45:27 -0400
+Subject: fs: dlm: use WARN_ON_ONCE() instead of WARN_ON()
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 775af207464bd28a2086f8399c0b2a3f1f40c7ae ]
+
+To not get the console spammed about WARN_ON() of invalid states in the
+dlm midcomms hot path handling we switch to WARN_ON_ONCE() to get it
+only once that there might be an issue with the midcomms state handling.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Stable-dep-of: 7354fa4ef697 ("fs: dlm: be sure to call dlm_send_queue_flush()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/midcomms.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/fs/dlm/midcomms.c b/fs/dlm/midcomms.c
+index 0477493706edb..b53d7a281be93 100644
+--- a/fs/dlm/midcomms.c
++++ b/fs/dlm/midcomms.c
+@@ -469,7 +469,7 @@ static void dlm_pas_fin_ack_rcv(struct midcomms_node *node)
+               spin_unlock(&node->state_lock);
+               log_print("%s: unexpected state: %d\n",
+                         __func__, node->state);
+-              WARN_ON(1);
++              WARN_ON_ONCE(1);
+               return;
+       }
+       spin_unlock(&node->state_lock);
+@@ -542,13 +542,13 @@ static void dlm_midcomms_receive_buffer(union dlm_packet *p,
+                               spin_unlock(&node->state_lock);
+                               log_print("%s: unexpected state: %d\n",
+                                         __func__, node->state);
+-                              WARN_ON(1);
++                              WARN_ON_ONCE(1);
+                               return;
+                       }
+                       spin_unlock(&node->state_lock);
+                       break;
+               default:
+-                      WARN_ON(test_bit(DLM_NODE_FLAG_STOP_RX, &node->flags));
++                      WARN_ON_ONCE(test_bit(DLM_NODE_FLAG_STOP_RX, &node->flags));
+                       dlm_receive_buffer_3_2_trace(seq, p);
+                       dlm_receive_buffer(p, node->nodeid);
+                       set_bit(DLM_NODE_ULP_DELIVERED, &node->flags);
+@@ -764,7 +764,7 @@ static void dlm_midcomms_receive_buffer_3_2(union dlm_packet *p, int nodeid)
+                       goto out;
+               }
+-              WARN_ON(test_bit(DLM_NODE_FLAG_STOP_RX, &node->flags));
++              WARN_ON_ONCE(test_bit(DLM_NODE_FLAG_STOP_RX, &node->flags));
+               dlm_receive_buffer(p, nodeid);
+               break;
+       case DLM_OPTS:
+@@ -1089,7 +1089,7 @@ struct dlm_mhandle *dlm_midcomms_get_mhandle(int nodeid, int len,
+       }
+       /* this is a bug, however we going on and hope it will be resolved */
+-      WARN_ON(test_bit(DLM_NODE_FLAG_STOP_TX, &node->flags));
++      WARN_ON_ONCE(test_bit(DLM_NODE_FLAG_STOP_TX, &node->flags));
+       mh = dlm_allocate_mhandle();
+       if (!mh)
+@@ -1121,7 +1121,7 @@ struct dlm_mhandle *dlm_midcomms_get_mhandle(int nodeid, int len,
+               break;
+       default:
+               dlm_free_mhandle(mh);
+-              WARN_ON(1);
++              WARN_ON_ONCE(1);
+               goto err;
+       }
+@@ -1197,7 +1197,7 @@ void dlm_midcomms_commit_mhandle(struct dlm_mhandle *mh,
+               break;
+       default:
+               srcu_read_unlock(&nodes_srcu, mh->idx);
+-              WARN_ON(1);
++              WARN_ON_ONCE(1);
+               break;
+       }
+ }
+@@ -1254,7 +1254,7 @@ static void dlm_act_fin_ack_rcv(struct midcomms_node *node)
+               spin_unlock(&node->state_lock);
+               log_print("%s: unexpected state: %d\n",
+                         __func__, node->state);
+-              WARN_ON(1);
++              WARN_ON_ONCE(1);
+               return;
+       }
+       spin_unlock(&node->state_lock);
+@@ -1366,7 +1366,7 @@ static void midcomms_node_release(struct rcu_head *rcu)
+ {
+       struct midcomms_node *node = container_of(rcu, struct midcomms_node, rcu);
+-      WARN_ON(atomic_read(&node->send_queue_cnt));
++      WARN_ON_ONCE(atomic_read(&node->send_queue_cnt));
+       kfree(node);
+ }
+-- 
+2.39.2
+
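Review bot: The `log_print("%s: unexpected state: %d\n", ...)` calls directly above the converted `WARN_ON_ONCE(1)` in dlm_pas_fin_ack_rcv(), dlm_midcomms_receive_buffer() and dlm_act_fin_ack_rcv() still print on every occurrence, so the console-spam concern in the commit message is only partly addressed. These paths handle messages received from a peer node, so a misbehaving peer can presumably keep the log growing; switching them to `log_print_ratelimited(...)` would bound that. The same calls read `node->state` after `spin_unlock(&node->state_lock)`, so the value logged may not be the one that was tested. All three functions extend beyond their hunks.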
diff --git a/queue-6.1/ice-copy-last-block-omitted-in-ice_get_module_eeprom.patch b/queue-6.1/ice-copy-last-block-omitted-in-ice_get_module_eeprom.patch
new file mode 100644 (file)
index 0000000..f76862f
--- /dev/null
@@ -0,0 +1,115 @@
+From d6c2d08395ec1ce93c425f0bcb134623ca47831f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Mar 2023 21:47:07 +0100
+Subject: ice: copy last block omitted in ice_get_module_eeprom()
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit 84cba1840e68430325ac133a11be06bfb2f7acd8 ]
+
+ice_get_module_eeprom() is broken since commit e9c9692c8a81 ("ice:
+Reimplement module reads used by ethtool") In this refactor,
+ice_get_module_eeprom() reads the eeprom in blocks of size 8.
+But the condition that should protect the buffer overflow
+ignores the last block. The last block always contains zeros.
+
+Bug uncovered by ethtool upstream commit 9538f384b535
+("netlink: eeprom: Defer page requests to individual parsers")
+After this commit, ethtool reads a block with length = 1;
+to read the SFF-8024 identifier value.
+
+unpatched driver:
+$ ethtool -m enp65s0f0np0 offset 0x90 length 8
+Offset          Values
+------          ------
+0x0090:         00 00 00 00 00 00 00 00
+$ ethtool -m enp65s0f0np0 offset 0x90 length 12
+Offset          Values
+------          ------
+0x0090:         00 00 01 a0 4d 65 6c 6c 00 00 00 00
+$
+
+$ ethtool -m enp65s0f0np0
+Offset          Values
+------          ------
+0x0000:         11 06 06 00 00 00 00 00 00 00 00 00 00 00 00 00
+0x0010:         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+0x0020:         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+0x0030:         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+0x0040:         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+0x0050:         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+0x0060:         00 00 00 00 00 00 00 00 00 00 00 00 00 01 08 00
+0x0070:         00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+patched driver:
+$ ethtool -m enp65s0f0np0 offset 0x90 length 8
+Offset          Values
+------          ------
+0x0090:         00 00 01 a0 4d 65 6c 6c
+$ ethtool -m enp65s0f0np0 offset 0x90 length 12
+Offset          Values
+------          ------
+0x0090:         00 00 01 a0 4d 65 6c 6c 61 6e 6f 78
+$ ethtool -m enp65s0f0np0
+    Identifier                                : 0x11 (QSFP28)
+    Extended identifier                       : 0x00
+    Extended identifier description           : 1.5W max. Power consumption
+    Extended identifier description           : No CDR in TX, No CDR in RX
+    Extended identifier description           : High Power Class (> 3.5 W) not enabled
+    Connector                                 : 0x23 (No separable connector)
+    Transceiver codes                         : 0x88 0x00 0x00 0x00 0x00 0x00 0x00 0x00
+    Transceiver type                          : 40G Ethernet: 40G Base-CR4
+    Transceiver type                          : 25G Ethernet: 25G Base-CR CA-N
+    Encoding                                  : 0x05 (64B/66B)
+    BR, Nominal                               : 25500Mbps
+    Rate identifier                           : 0x00
+    Length (SMF,km)                           : 0km
+    Length (OM3 50um)                         : 0m
+    Length (OM2 50um)                         : 0m
+    Length (OM1 62.5um)                       : 0m
+    Length (Copper or Active cable)           : 1m
+    Transmitter technology                    : 0xa0 (Copper cable unequalized)
+    Attenuation at 2.5GHz                     : 4db
+    Attenuation at 5.0GHz                     : 5db
+    Attenuation at 7.0GHz                     : 7db
+    Attenuation at 12.9GHz                    : 10db
+    ........
+    ....
+
+Fixes: e9c9692c8a81 ("ice: Reimplement module reads used by ethtool")
+Signed-off-by: Petr Oros <poros@redhat.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ethtool.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+index e1f6373a3a2c0..02eb78df2378e 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+@@ -4145,6 +4145,8 @@ ice_get_module_eeprom(struct net_device *netdev,
+                * SFP modules only ever use page 0.
+                */
+               if (page == 0 || !(data[0x2] & 0x4)) {
++                      u32 copy_len;
++
+                       /* If i2c bus is busy due to slow page change or
+                        * link management access, call can fail. This is normal.
+                        * So we retry this a few times.
+@@ -4168,8 +4170,8 @@ ice_get_module_eeprom(struct net_device *netdev,
+                       }
+                       /* Make sure we have enough room for the new block */
+-                      if ((i + SFF_READ_BLOCK_SIZE) < ee->len)
+-                              memcpy(data + i, value, SFF_READ_BLOCK_SIZE);
++                      copy_len = min_t(u32, SFF_READ_BLOCK_SIZE, ee->len - i);
++                      memcpy(data + i, value, copy_len);
+               }
+       }
+       return 0;
+-- 
+2.39.2
+
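Review bot: The length argument `ee->len - i` in the new `min_t(u32, SFF_READ_BLOCK_SIZE, ee->len - i)` is evaluated as an unsigned value, so the memcpy() bound is only correct while `i < ee->len`; that guarantee comes from the enclosing loop, which is outside this hunk. The retained comment "Make sure we have enough room for the new block" no longer describes the code, which now always copies and clamps the final block. I would replace it with `/* Clamp the final block so the copy never runs past ee->len */` so that the dependency on the loop bound is visible at the memcpy(). ice_get_module_eeprom() starts and ends outside the hunks shown.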
diff --git a/queue-6.1/ice-fix-dscp-pfc-tlv-creation.patch b/queue-6.1/ice-fix-dscp-pfc-tlv-creation.patch
new file mode 100644 (file)
index 0000000..fe12610
--- /dev/null
@@ -0,0 +1,43 @@
+From b7944f580fa73db6345ba8823e26cd12426416da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jan 2023 14:24:10 +0100
+Subject: ice: Fix DSCP PFC TLV creation
+
+From: Dave Ertman <david.m.ertman@intel.com>
+
+[ Upstream commit fef3f92e8a4214652d8f33f50330dc5a92efbf11 ]
+
+When creating the TLV to send to the FW for configuring DSCP mode PFC,the
+PFCENABLE field was being masked with a 4 bit mask (0xF), but this is an 8
+bit bitmask for enabled classes for PFC.  This means that traffic classes
+4-7 could not be enabled for PFC.
+
+Remove the mask completely, as it is not necessary, as we are assigning 8
+bits to an 8 bit field.
+
+Fixes: 2a87bd73e50d ("ice: Add DSCP support")
+Signed-off-by: Dave Ertman <david.m.ertman@intel.com>
+Signed-off-by: Karen Ostrowska <karen.ostrowska@intel.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_dcb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_dcb.c b/drivers/net/ethernet/intel/ice/ice_dcb.c
+index 0b146a0d42058..6375372f87294 100644
+--- a/drivers/net/ethernet/intel/ice/ice_dcb.c
++++ b/drivers/net/ethernet/intel/ice/ice_dcb.c
+@@ -1372,7 +1372,7 @@ ice_add_dscp_pfc_tlv(struct ice_lldp_org_tlv *tlv, struct ice_dcbx_cfg *dcbcfg)
+       tlv->ouisubtype = htonl(ouisubtype);
+       buf[0] = dcbcfg->pfc.pfccap & 0xF;
+-      buf[1] = dcbcfg->pfc.pfcena & 0xF;
++      buf[1] = dcbcfg->pfc.pfcena;
+ }
+ /**
+-- 
+2.39.2
+
diff --git a/queue-6.1/ila-do-not-generate-empty-messages-in-ila_xlat_nl_cm.patch b/queue-6.1/ila-do-not-generate-empty-messages-in-ila_xlat_nl_cm.patch
new file mode 100644 (file)
index 0000000..37bc149
--- /dev/null
@@ -0,0 +1,113 @@
+From 35acac485956f1cb6055cb068ab8e63e4d0b7dee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 15:30:24 +0000
+Subject: ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 693aa2c0d9b6d5b1f2745d31b6e70d09dbbaf06e ]
+
+ila_xlat_nl_cmd_get_mapping() generates an empty skb,
+triggerring a recent sanity check [1].
+
+Instead, return an error code, so that user space
+can get it.
+
+[1]
+skb_assert_len
+WARNING: CPU: 0 PID: 5923 at include/linux/skbuff.h:2527 skb_assert_len include/linux/skbuff.h:2527 [inline]
+WARNING: CPU: 0 PID: 5923 at include/linux/skbuff.h:2527 __dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156
+Modules linked in:
+CPU: 0 PID: 5923 Comm: syz-executor269 Not tainted 6.2.0-syzkaller-18300-g2ebd1fbb946d #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
+pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : skb_assert_len include/linux/skbuff.h:2527 [inline]
+pc : __dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156
+lr : skb_assert_len include/linux/skbuff.h:2527 [inline]
+lr : __dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156
+sp : ffff80001e0d6c40
+x29: ffff80001e0d6e60 x28: dfff800000000000 x27: ffff0000c86328c0
+x26: dfff800000000000 x25: ffff0000c8632990 x24: ffff0000c8632a00
+x23: 0000000000000000 x22: 1fffe000190c6542 x21: ffff0000c8632a10
+x20: ffff0000c8632a00 x19: ffff80001856e000 x18: ffff80001e0d5fc0
+x17: 0000000000000000 x16: ffff80001235d16c x15: 0000000000000000
+x14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000001
+x11: ff80800008353a30 x10: 0000000000000000 x9 : 21567eaf25bfb600
+x8 : 21567eaf25bfb600 x7 : 0000000000000001 x6 : 0000000000000001
+x5 : ffff80001e0d6558 x4 : ffff800015c74760 x3 : ffff800008596744
+x2 : 0000000000000001 x1 : 0000000100000000 x0 : 000000000000000e
+Call trace:
+skb_assert_len include/linux/skbuff.h:2527 [inline]
+__dev_queue_xmit+0x1bc0/0x3488 net/core/dev.c:4156
+dev_queue_xmit include/linux/netdevice.h:3033 [inline]
+__netlink_deliver_tap_skb net/netlink/af_netlink.c:307 [inline]
+__netlink_deliver_tap+0x45c/0x6f8 net/netlink/af_netlink.c:325
+netlink_deliver_tap+0xf4/0x174 net/netlink/af_netlink.c:338
+__netlink_sendskb net/netlink/af_netlink.c:1283 [inline]
+netlink_sendskb+0x6c/0x154 net/netlink/af_netlink.c:1292
+netlink_unicast+0x334/0x8d4 net/netlink/af_netlink.c:1380
+nlmsg_unicast include/net/netlink.h:1099 [inline]
+genlmsg_unicast include/net/genetlink.h:433 [inline]
+genlmsg_reply include/net/genetlink.h:443 [inline]
+ila_xlat_nl_cmd_get_mapping+0x620/0x7d0 net/ipv6/ila/ila_xlat.c:493
+genl_family_rcv_msg_doit net/netlink/genetlink.c:968 [inline]
+genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
+genl_rcv_msg+0x938/0xc1c net/netlink/genetlink.c:1065
+netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2574
+genl_rcv+0x38/0x50 net/netlink/genetlink.c:1076
+netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
+netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365
+netlink_sendmsg+0x800/0xae0 net/netlink/af_netlink.c:1942
+sock_sendmsg_nosec net/socket.c:714 [inline]
+sock_sendmsg net/socket.c:734 [inline]
+____sys_sendmsg+0x558/0x844 net/socket.c:2479
+___sys_sendmsg net/socket.c:2533 [inline]
+__sys_sendmsg+0x26c/0x33c net/socket.c:2562
+__do_sys_sendmsg net/socket.c:2571 [inline]
+__se_sys_sendmsg net/socket.c:2569 [inline]
+__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2569
+__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
+invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
+el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
+do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
+el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
+el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
+el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
+irq event stamp: 136484
+hardirqs last enabled at (136483): [<ffff800008350244>] __up_console_sem+0x60/0xb4 kernel/printk/printk.c:345
+hardirqs last disabled at (136484): [<ffff800012358d60>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
+softirqs last enabled at (136418): [<ffff800008020ea8>] softirq_handle_end kernel/softirq.c:414 [inline]
+softirqs last enabled at (136418): [<ffff800008020ea8>] __do_softirq+0xd4c/0xfa4 kernel/softirq.c:600
+softirqs last disabled at (136371): [<ffff80000802b4a4>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80
+---[ end trace 0000000000000000 ]---
+skb len=0 headroom=0 headlen=0 tailroom=192
+mac=(0,0) net=(0,-1) trans=-1
+shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0))
+csum(0x0 ip_summed=0 complete_sw=0 valid=0 level=0)
+hash(0x0 sw=0 l4=0) proto=0x0010 pkttype=6 iif=0
+dev name=nlmon0 feat=0x0000000000005861
+
+Fixes: 7f00feaf1076 ("ila: Add generic ILA translation facility")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ila/ila_xlat.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv6/ila/ila_xlat.c b/net/ipv6/ila/ila_xlat.c
+index 47447f0241df6..bee45dfeb1874 100644
+--- a/net/ipv6/ila/ila_xlat.c
++++ b/net/ipv6/ila/ila_xlat.c
+@@ -477,6 +477,7 @@ int ila_xlat_nl_cmd_get_mapping(struct sk_buff *skb, struct genl_info *info)
+       rcu_read_lock();
++      ret = -ESRCH;
+       ila = ila_lookup_by_params(&xp, ilan);
+       if (ila) {
+               ret = ila_dump_info(ila,
+-- 
+2.39.2
+
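Review bot: The new `ret = -ESRCH;` is a default that only takes effect when `ila_lookup_by_params()` returns NULL, but nothing at the assignment says so, and it sits between `rcu_read_lock()` and the lookup where it reads like part of the locked work. A one-line comment such as `/* no mapping found: return -ESRCH instead of replying with an empty skb */` would record why the default exists. The syzbot trace in the commit message shows this handler being reached from a user-space sendmsg() over generic netlink, so the error path matters. The rest of ila_xlat_nl_cmd_get_mapping(), including how the reply skb is released when `ret` is non-zero, is outside the hunk and should be checked against the new return value.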
diff --git a/queue-6.1/input-exc3000-properly-stop-timer-on-shutdown.patch b/queue-6.1/input-exc3000-properly-stop-timer-on-shutdown.patch
new file mode 100644 (file)
index 0000000..82e2d57
--- /dev/null
@@ -0,0 +1,53 @@
+From 450804da63fbddcc07053920e1d8c53c22f8dbed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Feb 2023 16:43:29 -0800
+Subject: Input: exc3000 - properly stop timer on shutdown
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit 79c81d137d36f9635bbcbc3916c0cccb418a61dd ]
+
+We need to stop the timer on driver unbind or probe failures, otherwise
+we get UAF/Oops.
+
+Fixes: 7e577a17f2ee ("Input: add I2C attached EETI EXC3000 multi touch driver")
+Reported-by: "Stahl, Michael" <mstahl@moba.de>
+Link: https://lore.kernel.org/r/Y9dK57BFqtlf8NmN@google.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/touchscreen/exc3000.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/input/touchscreen/exc3000.c b/drivers/input/touchscreen/exc3000.c
+index 4b7eee01c6aad..615646a03039b 100644
+--- a/drivers/input/touchscreen/exc3000.c
++++ b/drivers/input/touchscreen/exc3000.c
+@@ -109,6 +109,11 @@ static inline void exc3000_schedule_timer(struct exc3000_data *data)
+       mod_timer(&data->timer, jiffies + msecs_to_jiffies(EXC3000_TIMEOUT_MS));
+ }
++static void exc3000_shutdown_timer(void *timer)
++{
++      del_timer_sync(timer);
++}
++
+ static int exc3000_read_frame(struct exc3000_data *data, u8 *buf)
+ {
+       struct i2c_client *client = data->client;
+@@ -386,6 +391,11 @@ static int exc3000_probe(struct i2c_client *client)
+       if (error)
+               return error;
++      error = devm_add_action_or_reset(&client->dev, exc3000_shutdown_timer,
++                                       &data->timer);
++      if (error)
++              return error;
++
+       error = devm_request_threaded_irq(&client->dev, client->irq,
+                                         NULL, exc3000_interrupt, IRQF_ONESHOT,
+                                         client->name, data);
+-- 
+2.39.2
+
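Review bot: The new `devm_add_action_or_reset()` call in exc3000_probe() is only correct because of where it sits, and nothing in the code records that. devm resources are released in reverse order of registration, so registering it before `devm_request_threaded_irq()` means the IRQ is freed first and `del_timer_sync()` then runs with nothing left to re-arm the timer (assuming the interrupt handler is what calls exc3000_schedule_timer(), which the hunk does not show). I would add a comment above the call, e.g. `/* Must precede the IRQ request: teardown frees the IRQ first, then stops the timer */`. Because the `_or_reset` variant runs the action immediately on failure, the timer must already be initialised at this point; that setup is outside the hunk.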
diff --git a/queue-6.1/ipmi-ssif-add-a-timer-between-request-retries.patch b/queue-6.1/ipmi-ssif-add-a-timer-between-request-retries.patch
new file mode 100644 (file)
index 0000000..8c28ab2
--- /dev/null
@@ -0,0 +1,135 @@
+From a737cfa29d9fb1aea7b857efaac2ed558ff637a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jan 2023 10:34:47 -0600
+Subject: ipmi:ssif: Add a timer between request retries
+
+From: Corey Minyard <cminyard@mvista.com>
+
+[ Upstream commit 00bb7e763ec9f384cb382455cb6ba5588b5375cf ]
+
+The IPMI spec has a time (T6) specified between request retries.  Add
+the handling for that.
+
+Reported by: Tony Camuso <tcamuso@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/ipmi_ssif.c | 34 +++++++++++++++++++++++++++-------
+ 1 file changed, 27 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c
+index c25c4b1a03ae0..a5ddebb1edea4 100644
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -74,7 +74,8 @@
+ /*
+  * Timer values
+  */
+-#define SSIF_MSG_USEC         60000   /* 60ms between message tries. */
++#define SSIF_MSG_USEC         60000   /* 60ms between message tries (T3). */
++#define SSIF_REQ_RETRY_USEC   60000   /* 60ms between send retries (T6). */
+ #define SSIF_MSG_PART_USEC    5000    /* 5ms for a message part */
+ /* How many times to we retry sending/receiving the message. */
+@@ -82,7 +83,9 @@
+ #define       SSIF_RECV_RETRIES       250
+ #define SSIF_MSG_MSEC         (SSIF_MSG_USEC / 1000)
++#define SSIF_REQ_RETRY_MSEC   (SSIF_REQ_RETRY_USEC / 1000)
+ #define SSIF_MSG_JIFFIES      ((SSIF_MSG_USEC * 1000) / TICK_NSEC)
++#define SSIF_REQ_RETRY_JIFFIES        ((SSIF_REQ_RETRY_USEC * 1000) / TICK_NSEC)
+ #define SSIF_MSG_PART_JIFFIES ((SSIF_MSG_PART_USEC * 1000) / TICK_NSEC)
+ /*
+@@ -229,6 +232,9 @@ struct ssif_info {
+       bool                got_alert;
+       bool                waiting_alert;
++      /* Used to inform the timeout that it should do a resend. */
++      bool                do_resend;
++
+       /*
+        * If set to true, this will request events the next time the
+        * state machine is idle.
+@@ -531,22 +537,28 @@ static void start_get(struct ssif_info *ssif_info)
+                 ssif_info->recv, I2C_SMBUS_BLOCK_DATA);
+ }
++static void start_resend(struct ssif_info *ssif_info);
++
+ static void retry_timeout(struct timer_list *t)
+ {
+       struct ssif_info *ssif_info = from_timer(ssif_info, t, retry_timer);
+       unsigned long oflags, *flags;
+-      bool waiting;
++      bool waiting, resend;
+       if (ssif_info->stopping)
+               return;
+       flags = ipmi_ssif_lock_cond(ssif_info, &oflags);
++      resend = ssif_info->do_resend;
++      ssif_info->do_resend = false;
+       waiting = ssif_info->waiting_alert;
+       ssif_info->waiting_alert = false;
+       ipmi_ssif_unlock_cond(ssif_info, flags);
+       if (waiting)
+               start_get(ssif_info);
++      if (resend)
++              start_resend(ssif_info);
+ }
+ static void watch_timeout(struct timer_list *t)
+@@ -595,8 +607,6 @@ static void ssif_alert(struct i2c_client *client, enum i2c_alert_protocol type,
+               start_get(ssif_info);
+ }
+-static void start_resend(struct ssif_info *ssif_info);
+-
+ static void msg_done_handler(struct ssif_info *ssif_info, int result,
+                            unsigned char *data, unsigned int len)
+ {
+@@ -901,7 +911,13 @@ static void msg_written_handler(struct ssif_info *ssif_info, int result,
+       if (result < 0) {
+               ssif_info->retries_left--;
+               if (ssif_info->retries_left > 0) {
+-                      start_resend(ssif_info);
++                      /*
++                       * Wait the retry timeout time per the spec,
++                       * then redo the send.
++                       */
++                      ssif_info->do_resend = true;
++                      mod_timer(&ssif_info->retry_timer,
++                                jiffies + SSIF_REQ_RETRY_JIFFIES);
+                       return;
+               }
+@@ -1311,8 +1327,10 @@ static int do_cmd(struct i2c_client *client, int len, unsigned char *msg,
+       ret = i2c_smbus_write_block_data(client, SSIF_IPMI_REQUEST, len, msg);
+       if (ret) {
+               retry_cnt--;
+-              if (retry_cnt > 0)
++              if (retry_cnt > 0) {
++                      msleep(SSIF_REQ_RETRY_MSEC);
+                       goto retry1;
++              }
+               return -ENODEV;
+       }
+@@ -1453,8 +1471,10 @@ static int start_multipart_test(struct i2c_client *client,
+                                        32, msg);
+       if (ret) {
+               retry_cnt--;
+-              if (retry_cnt > 0)
++              if (retry_cnt > 0) {
++                      msleep(SSIF_REQ_RETRY_MSEC);
+                       goto retry_write;
++              }
+               dev_err(&client->dev, "Could not write multi-part start, though the BMC said it could handle it.  Just limit sends to one part.\n");
+               return ret;
+       }
+-- 
+2.39.2
+
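Review bot: In msg_written_handler() the new `ssif_info->do_resend = true;` followed by `mod_timer(&ssif_info->retry_timer, ...)` arms the retry timer without the `if (!ssif_info->stopping)` guard that the other `mod_timer()` call sites for this timer use (msg_done_handler() and later in msg_written_handler()). It also writes `do_resend` outside the `ipmi_ssif_lock_cond()` section that retry_timeout() uses to read and clear it. If teardown has already begun, re-arming here could let the timer fire after the shutdown path has stopped it; whether that is reachable depends on code outside the hunk. I would guard the arm with `if (!ssif_info->stopping)` and set the flag under the same lock retry_timeout() takes. retry_timeout() can now also call both `start_get()` and `start_resend()` in one expiry if both flags are set, so a comment should state whether that combination can occur.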
diff --git a/queue-6.1/ipmi-ssif-increase-the-message-retry-time.patch b/queue-6.1/ipmi-ssif-increase-the-message-retry-time.patch
new file mode 100644 (file)
index 0000000..afc0b16
--- /dev/null
@@ -0,0 +1,36 @@
+From 321ee5a94bb8ac4cd9701b68f8575b899296d6ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 15:03:11 -0500
+Subject: ipmi:ssif: Increase the message retry time
+
+From: Corey Minyard <cminyard@mvista.com>
+
+[ Upstream commit 39721d62bbc16ebc9bb2bdc2c163658f33da3b0b ]
+
+The spec states that the minimum message retry time is 60ms, but it was
+set to 20ms.  Correct it.
+
+Reported by: Tony Camuso <tcamuso@redhat.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Stable-dep-of: 00bb7e763ec9 ("ipmi:ssif: Add a timer between request retries")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/ipmi_ssif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c
+index cbd56886f1d2a..c25c4b1a03ae0 100644
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -74,7 +74,7 @@
+ /*
+  * Timer values
+  */
+-#define SSIF_MSG_USEC         20000   /* 20ms between message tries. */
++#define SSIF_MSG_USEC         60000   /* 60ms between message tries. */
+ #define SSIF_MSG_PART_USEC    5000    /* 5ms for a message part */
+ /* How many times to we retry sending/receiving the message. */
+-- 
+2.39.2
+
diff --git a/queue-6.1/ipmi-ssif-remove-rtc_us_timer.patch b/queue-6.1/ipmi-ssif-remove-rtc_us_timer.patch
new file mode 100644 (file)
index 0000000..dae8223
--- /dev/null
@@ -0,0 +1,62 @@
+From 58e0f56006ac8cde826c4d39bc766a41bc0a4223 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jan 2023 10:41:48 -0600
+Subject: ipmi:ssif: Remove rtc_us_timer
+
+From: Corey Minyard <cminyard@mvista.com>
+
+[ Upstream commit 9e8b89926fb87e5625bdde6fd5de2c31fb1d83bf ]
+
+It was cruft left over from older handling of run to completion.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/ipmi_ssif.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/drivers/char/ipmi/ipmi_ssif.c b/drivers/char/ipmi/ipmi_ssif.c
+index 7c606c49cd535..cbd56886f1d2a 100644
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -241,12 +241,6 @@ struct ssif_info {
+        */
+       bool                req_flags;
+-      /*
+-       * Used to perform timer operations when run-to-completion
+-       * mode is on.  This is a countdown timer.
+-       */
+-      int                 rtc_us_timer;
+-
+       /* Used for sending/receiving data.  +1 for the length. */
+       unsigned char data[IPMI_MAX_MSG_LENGTH + 1];
+       unsigned int  data_len;
+@@ -530,7 +524,6 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result,
+ static void start_get(struct ssif_info *ssif_info)
+ {
+-      ssif_info->rtc_us_timer = 0;
+       ssif_info->multi_pos = 0;
+       ssif_i2c_send(ssif_info, msg_done_handler, I2C_SMBUS_READ,
+@@ -622,7 +615,6 @@ static void msg_done_handler(struct ssif_info *ssif_info, int result,
+                       flags = ipmi_ssif_lock_cond(ssif_info, &oflags);
+                       ssif_info->waiting_alert = true;
+-                      ssif_info->rtc_us_timer = SSIF_MSG_USEC;
+                       if (!ssif_info->stopping)
+                               mod_timer(&ssif_info->retry_timer,
+                                         jiffies + SSIF_MSG_JIFFIES);
+@@ -973,7 +965,6 @@ static void msg_written_handler(struct ssif_info *ssif_info, int result,
+                       /* Wait a jiffie then request the next message */
+                       ssif_info->waiting_alert = true;
+                       ssif_info->retries_left = SSIF_RECV_RETRIES;
+-                      ssif_info->rtc_us_timer = SSIF_MSG_PART_USEC;
+                       if (!ssif_info->stopping)
+                               mod_timer(&ssif_info->retry_timer,
+                                         jiffies + SSIF_MSG_PART_JIFFIES);
+-- 
+2.39.2
+
diff --git a/queue-6.1/kvm-vmx-do-_all_-initialization-before-exposing-dev-.patch b/queue-6.1/kvm-vmx-do-_all_-initialization-before-exposing-dev-.patch
new file mode 100644 (file)
index 0000000..fde8a36
--- /dev/null
@@ -0,0 +1,117 @@
+From 9ea0c293e8d832329a97da81fcbc0af7177091cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 23:08:58 +0000
+Subject: KVM: VMX: Do _all_ initialization before exposing /dev/kvm to
+ userspace
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit e32b120071ea114efc0b4ddd439547750b85f618 ]
+
+Call kvm_init() only after _all_ setup is complete, as kvm_init() exposes
+/dev/kvm to userspace and thus allows userspace to create VMs (and call
+other ioctls).  E.g. KVM will encounter a NULL pointer when attempting to
+add a vCPU to the per-CPU loaded_vmcss_on_cpu list if userspace is able to
+create a VM before vmx_init() configures said list.
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000008
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ PGD 0 P4D 0
+ Oops: 0002 [#1] SMP
+ CPU: 6 PID: 1143 Comm: stable Not tainted 6.0.0-rc7+ #988
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+ RIP: 0010:vmx_vcpu_load_vmcs+0x68/0x230 [kvm_intel]
+  <TASK>
+  vmx_vcpu_load+0x16/0x60 [kvm_intel]
+  kvm_arch_vcpu_load+0x32/0x1f0 [kvm]
+  vcpu_load+0x2f/0x40 [kvm]
+  kvm_arch_vcpu_create+0x231/0x310 [kvm]
+  kvm_vm_ioctl+0x79f/0xe10 [kvm]
+  ? handle_mm_fault+0xb1/0x220
+  __x64_sys_ioctl+0x80/0xb0
+  do_syscall_64+0x2b/0x50
+  entry_SYSCALL_64_after_hwframe+0x46/0xb0
+ RIP: 0033:0x7f5a6b05743b
+  </TASK>
+ Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel(+) kvm irqbypass
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20221130230934.1014142-15-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx/vmx.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
+index 81a23ae4f872b..bc868958e91fe 100644
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -8456,19 +8456,23 @@ static void vmx_cleanup_l1d_flush(void)
+       l1tf_vmx_mitigation = VMENTER_L1D_FLUSH_AUTO;
+ }
+-static void vmx_exit(void)
++static void __vmx_exit(void)
+ {
++      allow_smaller_maxphyaddr = false;
++
+ #ifdef CONFIG_KEXEC_CORE
+       RCU_INIT_POINTER(crash_vmclear_loaded_vmcss, NULL);
+       synchronize_rcu();
+ #endif
++      vmx_cleanup_l1d_flush();
++}
++static void vmx_exit(void)
++{
+       kvm_exit();
+       kvm_x86_vendor_exit();
+-      vmx_cleanup_l1d_flush();
+-
+-      allow_smaller_maxphyaddr = false;
++      __vmx_exit();
+ }
+ module_exit(vmx_exit);
+@@ -8513,11 +8517,6 @@ static int __init vmx_init(void)
+       if (r)
+               return r;
+-      r = kvm_init(&vmx_init_ops, sizeof(struct vcpu_vmx),
+-                   __alignof__(struct vcpu_vmx), THIS_MODULE);
+-      if (r)
+-              goto err_kvm_init;
+-
+       /*
+        * Must be called after common x86 init so enable_ept is properly set
+        * up. Hand the parameter mitigation value in which was stored in
+@@ -8551,11 +8550,20 @@ static int __init vmx_init(void)
+       if (!enable_ept)
+               allow_smaller_maxphyaddr = true;
++      /*
++       * Common KVM initialization _must_ come last, after this, /dev/kvm is
++       * exposed to userspace!
++       */
++      r = kvm_init(&vmx_init_ops, sizeof(struct vcpu_vmx),
++                   __alignof__(struct vcpu_vmx), THIS_MODULE);
++      if (r)
++              goto err_kvm_init;
++
+       return 0;
+-err_l1d_flush:
+-      vmx_exit();
+ err_kvm_init:
++      __vmx_exit();
++err_l1d_flush:
+       kvm_x86_vendor_exit();
+       return r;
+ }
+-- 
+2.39.2
+
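Review bot: The reordered error labels at the end of vmx_init() are now order-sensitive, and `__vmx_exit()` has no comment saying which setup steps it undoes. `err_kvm_init` runs `__vmx_exit()` and then falls through into `err_l1d_flush`, so a kvm_init() failure unwinds the L1D flush state, `allow_smaller_maxphyaddr` and (under CONFIG_KEXEC_CORE) the crash_vmclear_loaded_vmcss pointer, while a jump straight to `err_l1d_flush` skips them. A later edit that adds a setup step between the two has to pick the right label, and a wrong choice would leave state behind or expose /dev/kvm early again. I would document the helper with something like `/* Undo the vmx_init() steps that precede kvm_init(); shared by module exit and the kvm_init() failure path */`. vmx_init() starts outside the hunks.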
diff --git a/queue-6.1/kvm-vmx-don-t-bother-disabling-evmcs-static-key-on-m.patch b/queue-6.1/kvm-vmx-don-t-bother-disabling-evmcs-static-key-on-m.patch
new file mode 100644 (file)
index 0000000..0a6bdf5
--- /dev/null
@@ -0,0 +1,40 @@
+From 3aa38d02e59e21e4bca67f2706535ea6166070e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 23:08:55 +0000
+Subject: KVM: VMX: Don't bother disabling eVMCS static key on module exit
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit da66de44b01e9b7fa09731057593850394bf32e4 ]
+
+Don't disable the eVMCS static key on module exit, kvm_intel.ko owns the
+key so there can't possibly be users after the kvm_intel.ko is unloaded,
+at least not without much bigger issues.
+
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20221130230934.1014142-12-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Stable-dep-of: e32b120071ea ("KVM: VMX: Do _all_ initialization before exposing /dev/kvm to userspace")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx/vmx.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
+index 87874b22ba4bf..d3d84563a7f9c 100644
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -8465,10 +8465,6 @@ static void vmx_exit(void)
+       kvm_exit();
+-#if IS_ENABLED(CONFIG_HYPERV)
+-      if (static_branch_unlikely(&enable_evmcs))
+-              static_branch_disable(&enable_evmcs);
+-#endif
+       vmx_cleanup_l1d_flush();
+       allow_smaller_maxphyaddr = false;
+-- 
+2.39.2
+
diff --git a/queue-6.1/kvm-vmx-reset-evmcs-controls-in-vp-assist-page-durin.patch b/queue-6.1/kvm-vmx-reset-evmcs-controls-in-vp-assist-page-durin.patch
new file mode 100644 (file)
index 0000000..1dbe8b0
--- /dev/null
@@ -0,0 +1,113 @@
+From fa66ad216fac394653b9d0ee43dc44f1a0e722ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 23:08:54 +0000
+Subject: KVM: VMX: Reset eVMCS controls in VP assist page during hardware
+ disabling
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 2916b70fc342719f570640de07251b7f91feebdb ]
+
+Reset the eVMCS controls in the per-CPU VP assist page during hardware
+disabling instead of waiting until kvm-intel's module exit.  The controls
+are activated if and only if KVM creates a VM, i.e. don't need to be
+reset if hardware is never enabled.
+
+Doing the reset during hardware disabling will naturally fix a potential
+NULL pointer deref bug once KVM disables CPU hotplug while enabling and
+disabling hardware (which is necessary to fix a variety of bugs).  If the
+kernel is running as the root partition, the VP assist page is unmapped
+during CPU hot unplug, and so KVM's clearing of the eVMCS controls needs
+to occur with CPU hot(un)plug disabled, otherwise KVM could attempt to
+write to a CPU's VP assist page after it's unmapped.
+
+Reported-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Message-Id: <20221130230934.1014142-11-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Stable-dep-of: e32b120071ea ("KVM: VMX: Do _all_ initialization before exposing /dev/kvm to userspace")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx/vmx.c | 50 +++++++++++++++++++++++++-----------------
+ 1 file changed, 30 insertions(+), 20 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
+index f5c1cb7cec8a7..87874b22ba4bf 100644
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -551,6 +551,33 @@ static int hv_enable_direct_tlbflush(struct kvm_vcpu *vcpu)
+       return 0;
+ }
++static void hv_reset_evmcs(void)
++{
++      struct hv_vp_assist_page *vp_ap;
++
++      if (!static_branch_unlikely(&enable_evmcs))
++              return;
++
++      /*
++       * KVM should enable eVMCS if and only if all CPUs have a VP assist
++       * page, and should reject CPU onlining if eVMCS is enabled the CPU
++       * doesn't have a VP assist page allocated.
++       */
++      vp_ap = hv_get_vp_assist_page(smp_processor_id());
++      if (WARN_ON_ONCE(!vp_ap))
++              return;
++
++      /*
++       * Reset everything to support using non-enlightened VMCS access later
++       * (e.g. when we reload the module with enlightened_vmcs=0)
++       */
++      vp_ap->nested_control.features.directhypercall = 0;
++      vp_ap->current_nested_vmcs = 0;
++      vp_ap->enlighten_vmentry = 0;
++}
++
++#else /* IS_ENABLED(CONFIG_HYPERV) */
++static void hv_reset_evmcs(void) {}
+ #endif /* IS_ENABLED(CONFIG_HYPERV) */
+ /*
+@@ -2501,6 +2528,8 @@ static void vmx_hardware_disable(void)
+       if (cpu_vmxoff())
+               kvm_spurious_fault();
++      hv_reset_evmcs();
++
+       intel_pt_handle_vmx(0);
+ }
+@@ -8437,27 +8466,8 @@ static void vmx_exit(void)
+       kvm_exit();
+ #if IS_ENABLED(CONFIG_HYPERV)
+-      if (static_branch_unlikely(&enable_evmcs)) {
+-              int cpu;
+-              struct hv_vp_assist_page *vp_ap;
+-              /*
+-               * Reset everything to support using non-enlightened VMCS
+-               * access later (e.g. when we reload the module with
+-               * enlightened_vmcs=0)
+-               */
+-              for_each_online_cpu(cpu) {
+-                      vp_ap = hv_get_vp_assist_page(cpu);
+-
+-                      if (!vp_ap)
+-                              continue;
+-
+-                      vp_ap->nested_control.features.directhypercall = 0;
+-                      vp_ap->current_nested_vmcs = 0;
+-                      vp_ap->enlighten_vmentry = 0;
+-              }
+-
++      if (static_branch_unlikely(&enable_evmcs))
+               static_branch_disable(&enable_evmcs);
+-      }
+ #endif
+       vmx_cleanup_l1d_flush();
+-- 
+2.39.2
+
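Review bot: `hv_reset_evmcs()` (vmx.c hunk at -551) looks up the VP assist page with `smp_processor_id()` but has no comment on its calling context, so the requirement that it run on the CPU being disabled, without migrating, is left implicit. The only caller shown is `vmx_hardware_disable()`, which presumably satisfies this, though its body starts outside the hunk. A one-line header such as `/* Must run on the CPU whose VP assist page is being reset, with preemption disabled. */` would record the constraint for the next caller. The first comment inside the function also drops a word: "if eVMCS is enabled the CPU doesn't have" should read "if eVMCS is enabled and the CPU doesn't have".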
diff --git a/queue-6.1/kvm-x86-move-guts-of-kvm_arch_init-to-standalone-hel.patch b/queue-6.1/kvm-x86-move-guts-of-kvm_arch_init-to-standalone-hel.patch
new file mode 100644 (file)
index 0000000..9410dbf
--- /dev/null
@@ -0,0 +1,183 @@
+From d09c939d196cdeb3c83d11c761a6644f86b37fd2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 23:08:57 +0000
+Subject: KVM: x86: Move guts of kvm_arch_init() to standalone helper
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 4f8396b96a9fc672964842fe7adbe8ddca8a3adf ]
+
+Move the guts of kvm_arch_init() to a new helper, kvm_x86_vendor_init(),
+so that VMX can do _all_ arch and vendor initialization before calling
+kvm_init().  Calling kvm_init() must be the _very_ last step during init,
+as kvm_init() exposes /dev/kvm to userspace, i.e. allows creating VMs.
+
+No functional change intended.
+
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20221130230934.1014142-14-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Stable-dep-of: e32b120071ea ("KVM: VMX: Do _all_ initialization before exposing /dev/kvm to userspace")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/kvm_host.h |  3 +++
+ arch/x86/kvm/svm/svm.c          | 23 +++++++++++++++++++++--
+ arch/x86/kvm/vmx/vmx.c          | 21 +++++++++++++++------
+ arch/x86/kvm/x86.c              | 15 +++++++++++++--
+ 4 files changed, 52 insertions(+), 10 deletions(-)
+
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index f05ebaa26f0ff..ef8cabfbe8540 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1695,6 +1695,9 @@ extern struct kvm_x86_ops kvm_x86_ops;
+ #define KVM_X86_OP_OPTIONAL_RET0 KVM_X86_OP
+ #include <asm/kvm-x86-ops.h>
++int kvm_x86_vendor_init(struct kvm_x86_init_ops *ops);
++void kvm_x86_vendor_exit(void);
++
+ #define __KVM_HAVE_ARCH_VM_ALLOC
+ static inline struct kvm *kvm_arch_alloc_vm(void)
+ {
+diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
+index bfe93a1c4f92e..3629dd979667c 100644
+--- a/arch/x86/kvm/svm/svm.c
++++ b/arch/x86/kvm/svm/svm.c
+@@ -5080,15 +5080,34 @@ static struct kvm_x86_init_ops svm_init_ops __initdata = {
+ static int __init svm_init(void)
+ {
++      int r;
++
+       __unused_size_checks();
+-      return kvm_init(&svm_init_ops, sizeof(struct vcpu_svm),
+-                      __alignof__(struct vcpu_svm), THIS_MODULE);
++      r = kvm_x86_vendor_init(&svm_init_ops);
++      if (r)
++              return r;
++
++      /*
++       * Common KVM initialization _must_ come last, after this, /dev/kvm is
++       * exposed to userspace!
++       */
++      r = kvm_init(&svm_init_ops, sizeof(struct vcpu_svm),
++                   __alignof__(struct vcpu_svm), THIS_MODULE);
++      if (r)
++              goto err_kvm_init;
++
++      return 0;
++
++err_kvm_init:
++      kvm_x86_vendor_exit();
++      return r;
+ }
+ static void __exit svm_exit(void)
+ {
+       kvm_exit();
++      kvm_x86_vendor_exit();
+ }
+ module_init(svm_init)
+diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
+index d3d84563a7f9c..81a23ae4f872b 100644
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -8464,6 +8464,7 @@ static void vmx_exit(void)
+ #endif
+       kvm_exit();
++      kvm_x86_vendor_exit();
+       vmx_cleanup_l1d_flush();
+@@ -8508,23 +8509,25 @@ static int __init vmx_init(void)
+       }
+ #endif
++      r = kvm_x86_vendor_init(&vmx_init_ops);
++      if (r)
++              return r;
++
+       r = kvm_init(&vmx_init_ops, sizeof(struct vcpu_vmx),
+                    __alignof__(struct vcpu_vmx), THIS_MODULE);
+       if (r)
+-              return r;
++              goto err_kvm_init;
+       /*
+-       * Must be called after kvm_init() so enable_ept is properly set
++       * Must be called after common x86 init so enable_ept is properly set
+        * up. Hand the parameter mitigation value in which was stored in
+        * the pre module init parser. If no parameter was given, it will
+        * contain 'auto' which will be turned into the default 'cond'
+        * mitigation mode.
+        */
+       r = vmx_setup_l1d_flush(vmentry_l1d_flush_param);
+-      if (r) {
+-              vmx_exit();
+-              return r;
+-      }
++      if (r)
++              goto err_l1d_flush;
+       vmx_setup_fb_clear_ctrl();
+@@ -8549,5 +8552,11 @@ static int __init vmx_init(void)
+               allow_smaller_maxphyaddr = true;
+       return 0;
++
++err_l1d_flush:
++      vmx_exit();
++err_kvm_init:
++      kvm_x86_vendor_exit();
++      return r;
+ }
+ module_init(vmx_init);
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 68827b8dc37a5..ab09d292bdede 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -9351,7 +9351,16 @@ static struct notifier_block pvclock_gtod_notifier = {
+ int kvm_arch_init(void *opaque)
+ {
+-      struct kvm_x86_init_ops *ops = opaque;
++      return 0;
++}
++
++void kvm_arch_exit(void)
++{
++
++}
++
++int kvm_x86_vendor_init(struct kvm_x86_init_ops *ops)
++{
+       u64 host_pat;
+       int r;
+@@ -9441,8 +9450,9 @@ int kvm_arch_init(void *opaque)
+       kmem_cache_destroy(x86_emulator_cache);
+       return r;
+ }
++EXPORT_SYMBOL_GPL(kvm_x86_vendor_init);
+-void kvm_arch_exit(void)
++void kvm_x86_vendor_exit(void)
+ {
+ #ifdef CONFIG_X86_64
+       if (hypervisor_is_type(X86_HYPER_MS_HYPERV))
+@@ -9468,6 +9478,7 @@ void kvm_arch_exit(void)
+       WARN_ON(static_branch_unlikely(&kvm_xen_enabled.key));
+ #endif
+ }
++EXPORT_SYMBOL_GPL(kvm_x86_vendor_exit);
+ static int __kvm_emulate_halt(struct kvm_vcpu *vcpu, int state, int reason)
+ {
+-- 
+2.39.2
+
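Review bot: In the new error labels at the end of `vmx_init()` (vmx.c hunk at -8549), the `err_l1d_flush` path calls `vmx_exit()` and then falls through to `err_kvm_init`, so `kvm_x86_vendor_exit()` runs twice, because this same patch adds that call to `vmx_exit()` in the hunk at -8464. Taken on its own, the patch would need `vmx_exit(); return r;` under `err_l1d_flush`. The follow-up change shown earlier on this page reorders the labels to `err_kvm_init: __vmx_exit(); err_l1d_flush: kvm_x86_vendor_exit();`, which removes the double teardown, so this backport should only be applied together with that patch, as its Stable-dep-of trailer implies. The bodies of `vmx_init()` and `vmx_exit()` extend outside the hunks, so the effect of the second call cannot be judged from here.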
diff --git a/queue-6.1/m68k-mm-move-initrd-phys_to_virt-handling-after-pagi.patch b/queue-6.1/m68k-mm-move-initrd-phys_to_virt-handling-after-pagi.patch
new file mode 100644 (file)
index 0000000..2da3f95
--- /dev/null
@@ -0,0 +1,73 @@
+From ac1bc6d5a7ff148e28cb5c9902d4cac96dd6e302 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 21:14:13 +0100
+Subject: m68k: mm: Move initrd phys_to_virt handling after paging_init()
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit d4b97925e87eb133e400fe4a482d750c74ce392f ]
+
+When booting with an initial ramdisk on platforms where physical memory
+does not start at address zero (e.g. on Amiga):
+
+    initrd: 0ef0602c - 0f800000
+    Zone ranges:
+      DMA      [mem 0x0000000008000000-0x000000f7ffffffff]
+      Normal   empty
+    Movable zone start for each node
+    Early memory node ranges
+      node   0: [mem 0x0000000008000000-0x000000000f7fffff]
+    Initmem setup node 0 [mem 0x0000000008000000-0x000000000f7fffff]
+    Unable to handle kernel access at virtual address (ptrval)
+    Oops: 00000000
+    Modules linked in:
+    PC: [<00201d3c>] memcmp+0x28/0x56
+
+As phys_to_virt() relies on m68k_memoffset and module_fixup(), it must
+not be called before paging_init().  Hence postpone the phys_to_virt
+handling for the initial ramdisk until after calling paging_init().
+
+While at it, reduce #ifdef clutter by using IS_ENABLED() instead.
+
+Fixes: 376e3fdecb0dcae2 ("m68k: Enable memtest functionality")
+Reported-by: Stephen Walsh <vk3heg@vk3heg.net>
+Link: https://lists.debian.org/debian-68k/2022/09/msg00007.html
+Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Link: https://lore.kernel.org/r/4f45f05f377bf3f5baf88dbd5c3c8aeac59d94f0.camel@physik.fu-berlin.de
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Acked-by: Finn Thain <fthain@linux-m68k.org>
+Link: https://lore.kernel.org/r/dff216da09ab7a60217c3fc2147e671ae07d636f.1677528627.git.geert@linux-m68k.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/kernel/setup_mm.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/m68k/kernel/setup_mm.c b/arch/m68k/kernel/setup_mm.c
+index 3a2bb2e8fdad4..fbff1cea62caa 100644
+--- a/arch/m68k/kernel/setup_mm.c
++++ b/arch/m68k/kernel/setup_mm.c
+@@ -326,16 +326,16 @@ void __init setup_arch(char **cmdline_p)
+               panic("No configuration setup");
+       }
+-#ifdef CONFIG_BLK_DEV_INITRD
+-      if (m68k_ramdisk.size) {
++      if (IS_ENABLED(CONFIG_BLK_DEV_INITRD) && m68k_ramdisk.size)
+               memblock_reserve(m68k_ramdisk.addr, m68k_ramdisk.size);
++
++      paging_init();
++
++      if (IS_ENABLED(CONFIG_BLK_DEV_INITRD) && m68k_ramdisk.size) {
+               initrd_start = (unsigned long)phys_to_virt(m68k_ramdisk.addr);
+               initrd_end = initrd_start + m68k_ramdisk.size;
+               pr_info("initrd: %08lx - %08lx\n", initrd_start, initrd_end);
+       }
+-#endif
+-
+-      paging_init();
+ #ifdef CONFIG_NATFEAT
+       nf_init();
+-- 
+2.39.2
+
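Review bot: The reordered block in `setup_arch()` has no comment explaining why the `initrd_start`/`initrd_end` computation must follow `paging_init()`, so the two identical `IS_ENABLED(CONFIG_BLK_DEV_INITRD) && m68k_ramdisk.size` tests look like an accidental split that a later cleanup could merge again. The reason is given only in the commit message. A comment above the second `if`, such as `/* phys_to_virt() relies on m68k_memoffset, which is not valid before paging_init() */`, would keep the ordering constraint with the code. `setup_arch()` starts and ends outside the hunk.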
diff --git a/queue-6.1/net-caif-fix-use-after-free-in-cfusbl_device_notify.patch b/queue-6.1/net-caif-fix-use-after-free-in-cfusbl_device_notify.patch
new file mode 100644 (file)
index 0000000..ed9a283
--- /dev/null
@@ -0,0 +1,86 @@
+From aafae0194c76b13d3afed2fe425be6132a952d03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Mar 2023 01:39:13 +0900
+Subject: net: caif: Fix use-after-free in cfusbl_device_notify()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 9781e98a97110f5e76999058368b4be76a788484 ]
+
+syzbot reported use-after-free in cfusbl_device_notify() [1].  This
+causes a stack trace like below:
+
+BUG: KASAN: use-after-free in cfusbl_device_notify+0x7c9/0x870 net/caif/caif_usb.c:138
+Read of size 8 at addr ffff88807ac4e6f0 by task kworker/u4:6/1214
+
+CPU: 0 PID: 1214 Comm: kworker/u4:6 Not tainted 5.19.0-rc3-syzkaller-00146-g92f20ff72066 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: netns cleanup_net
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ print_address_description.constprop.0.cold+0xeb/0x467 mm/kasan/report.c:313
+ print_report mm/kasan/report.c:429 [inline]
+ kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
+ cfusbl_device_notify+0x7c9/0x870 net/caif/caif_usb.c:138
+ notifier_call_chain+0xb5/0x200 kernel/notifier.c:87
+ call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945
+ call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
+ call_netdevice_notifiers net/core/dev.c:1997 [inline]
+ netdev_wait_allrefs_any net/core/dev.c:10227 [inline]
+ netdev_run_todo+0xbc0/0x10f0 net/core/dev.c:10341
+ default_device_exit_batch+0x44e/0x590 net/core/dev.c:11334
+ ops_exit_list+0x125/0x170 net/core/net_namespace.c:167
+ cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594
+ process_one_work+0x996/0x1610 kernel/workqueue.c:2289
+ worker_thread+0x665/0x1080 kernel/workqueue.c:2436
+ kthread+0x2e9/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
+ </TASK>
+
+When unregistering a net device, unregister_netdevice_many_notify()
+sets the device's reg_state to NETREG_UNREGISTERING, calls notifiers
+with NETDEV_UNREGISTER, and adds the device to the todo list.
+
+Later on, devices in the todo list are processed by netdev_run_todo().
+netdev_run_todo() waits devices' reference count become 1 while
+rebdoadcasting NETDEV_UNREGISTER notification.
+
+When cfusbl_device_notify() is called with NETDEV_UNREGISTER multiple
+times, the parent device might be freed.  This could cause UAF.
+Processing NETDEV_UNREGISTER multiple times also causes inbalance of
+reference count for the module.
+
+This patch fixes the issue by accepting only first NETDEV_UNREGISTER
+notification.
+
+Fixes: 7ad65bf68d70 ("caif: Add support for CAIF over CDC NCM USB interface")
+CC: sjur.brandeland@stericsson.com <sjur.brandeland@stericsson.com>
+Reported-by: syzbot+b563d33852b893653a9e@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=c3bfd8e2450adab3bffe4d80821fbbced600407f [1]
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Link: https://lore.kernel.org/r/20230301163913.391304-1-syoshida@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/caif/caif_usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/caif/caif_usb.c b/net/caif/caif_usb.c
+index ebc202ffdd8d8..bf61ea4b8132d 100644
+--- a/net/caif/caif_usb.c
++++ b/net/caif/caif_usb.c
+@@ -134,6 +134,9 @@ static int cfusbl_device_notify(struct notifier_block *me, unsigned long what,
+       struct usb_device *usbdev;
+       int res;
++      if (what == NETDEV_UNREGISTER && dev->reg_state >= NETREG_UNREGISTERED)
++              return 0;
++
+       /* Check whether we have a NCM device, and find its VID/PID. */
+       if (!(dev->dev.parent && dev->dev.parent->driver &&
+             strcmp(dev->dev.parent->driver->name, "cdc_ncm") == 0))
+-- 
+2.39.2
+
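Review bot: The guard added at the top of `cfusbl_device_notify()` is uncommented, and its `dev->reg_state >= NETREG_UNREGISTERED` test depends on the declaration order of the `reg_state` enum, which is not visible in this hunk. The reason for the check (NETDEV_UNREGISTER is rebroadcast while `netdev_run_todo()` waits for references, and handling it again touches a parent device that may already be freed) appears only in the commit message. I would add `/* NETDEV_UNREGISTER is rebroadcast by netdev_run_todo(); handle only the first one */` above the `if`. If the enum order is not guaranteed, compare against the specific states intended. The function body continues outside the hunk.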
diff --git a/queue-6.1/net-dsa-mt7530-permit-port-5-to-work-without-port-6-.patch b/queue-6.1/net-dsa-mt7530-permit-port-5-to-work-without-port-6-.patch
new file mode 100644 (file)
index 0000000..36f49b5
--- /dev/null
@@ -0,0 +1,151 @@
+From 8bf323c3275c83a3dbb5d0dc0b6f7779894f34f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 17:54:11 +0200
+Subject: net: dsa: mt7530: permit port 5 to work without port 6 on MT7621 SoC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit c8b8a3c601f2cfad25ab5ce5b04df700048aef6e ]
+
+The MT7530 switch from the MT7621 SoC has 2 ports which can be set up as
+internal: port 5 and 6. Arınç reports that the GMAC1 attached to port 5
+receives corrupted frames, unless port 6 (attached to GMAC0) has been
+brought up by the driver. This is true regardless of whether port 5 is
+used as a user port or as a CPU port (carrying DSA tags).
+
+Offline debugging (blind for me) which began in the linked thread showed
+experimentally that the configuration done by the driver for port 6
+contains a step which is needed by port 5 as well - the write to
+CORE_GSWPLL_GRP2 (note that I've no idea as to what it does, apart from
+the comment "Set core clock into 500Mhz"). Prints put by Arınç show that
+the reset value of CORE_GSWPLL_GRP2 is RG_GSWPLL_POSDIV_500M(1) |
+RG_GSWPLL_FBKDIV_500M(40) (0x128), both on the MCM MT7530 from the
+MT7621 SoC, as well as on the standalone MT7530 from MT7623NI Bananapi
+BPI-R2. Apparently, port 5 on the standalone MT7530 can work under both
+values of the register, while on the MT7621 SoC it cannot.
+
+The call path that triggers the register write is:
+
+mt753x_phylink_mac_config() for port 6
+-> mt753x_pad_setup()
+   -> mt7530_pad_clk_setup()
+
+so this fully explains the behavior noticed by Arınç, that bringing port
+6 up is necessary.
+
+The simplest fix for the problem is to extract the register writes which
+are needed for both port 5 and 6 into a common mt7530_pll_setup()
+function, which is called at mt7530_setup() time, immediately after
+switch reset. We can argue that this mirrors the code layout introduced
+in mt7531_setup() by commit 42bc4fafe359 ("net: mt7531: only do PLL once
+after the reset"), in that the PLL setup has the exact same positioning,
+and further work to consolidate the separate setup() functions is not
+hindered.
+
+Testing confirms that:
+
+- the slight reordering of writes to MT7530_P6ECR and to
+  CORE_GSWPLL_GRP1 / CORE_GSWPLL_GRP2 introduced by this change does not
+  appear to cause problems for the operation of port 6 on MT7621 and on
+  MT7623 (where port 5 also always worked)
+
+- packets sent through port 5 are not corrupted anymore, regardless of
+  whether port 6 is enabled by phylink or not (or even present in the
+  device tree)
+
+My algorithm for determining the Fixes: tag is as follows. Testing shows
+that some logic from mt7530_pad_clk_setup() is needed even for port 5.
+Prior to commit ca366d6c889b ("net: dsa: mt7530: Convert to PHYLINK
+API"), a call did exist for all phy_is_pseudo_fixed_link() ports - so
+port 5 included. That commit replaced it with a temporary "Port 5 is not
+supported!" comment, and the following commit 38f790a80560 ("net: dsa:
+mt7530: Add support for port 5") replaced that comment with a
+configuration procedure in mt7530_setup_port5() which was insufficient
+for port 5 to work. I'm laying the blame on the patch that claimed
+support for port 5, although one would have also needed the change from
+commit c3b8e07909db ("net: dsa: mt7530: setup core clock even in TRGMII
+mode") for the write to be performed completely independently from port
+6's configuration.
+
+Thanks go to Arınç for describing the problem, for debugging and for
+testing.
+
+Reported-by: Arınç ÃœNAL <arinc.unal@arinc9.com>
+Link: https://lore.kernel.org/netdev/f297c2c4-6e7c-57ac-2394-f6025d309b9d@arinc9.com/
+Fixes: 38f790a80560 ("net: dsa: mt7530: Add support for port 5")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Tested-by: Arınç ÃœNAL <arinc.unal@arinc9.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230307155411.868573-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 35 ++++++++++++++++++++---------------
+ 1 file changed, 20 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index a884f6f6a8c2c..1e0b8bcd59e6c 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -393,6 +393,24 @@ mt7530_fdb_write(struct mt7530_priv *priv, u16 vid,
+               mt7530_write(priv, MT7530_ATA1 + (i * 4), reg[i]);
+ }
++/* Set up switch core clock for MT7530 */
++static void mt7530_pll_setup(struct mt7530_priv *priv)
++{
++      /* Disable PLL */
++      core_write(priv, CORE_GSWPLL_GRP1, 0);
++
++      /* Set core clock into 500Mhz */
++      core_write(priv, CORE_GSWPLL_GRP2,
++                 RG_GSWPLL_POSDIV_500M(1) |
++                 RG_GSWPLL_FBKDIV_500M(25));
++
++      /* Enable PLL */
++      core_write(priv, CORE_GSWPLL_GRP1,
++                 RG_GSWPLL_EN_PRE |
++                 RG_GSWPLL_POSDIV_200M(2) |
++                 RG_GSWPLL_FBKDIV_200M(32));
++}
++
+ /* Setup TX circuit including relevant PAD and driving */
+ static int
+ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+@@ -453,21 +471,6 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+       core_clear(priv, CORE_TRGMII_GSW_CLK_CG,
+                  REG_GSWCK_EN | REG_TRGMIICK_EN);
+-      /* Setup core clock for MT7530 */
+-      /* Disable PLL */
+-      core_write(priv, CORE_GSWPLL_GRP1, 0);
+-
+-      /* Set core clock into 500Mhz */
+-      core_write(priv, CORE_GSWPLL_GRP2,
+-                 RG_GSWPLL_POSDIV_500M(1) |
+-                 RG_GSWPLL_FBKDIV_500M(25));
+-
+-      /* Enable PLL */
+-      core_write(priv, CORE_GSWPLL_GRP1,
+-                 RG_GSWPLL_EN_PRE |
+-                 RG_GSWPLL_POSDIV_200M(2) |
+-                 RG_GSWPLL_FBKDIV_200M(32));
+-
+       /* Setup the MT7530 TRGMII Tx Clock */
+       core_write(priv, CORE_PLL_GROUP5, RG_LCDDS_PCW_NCPO1(ncpo1));
+       core_write(priv, CORE_PLL_GROUP6, RG_LCDDS_PCW_NCPO0(0));
+@@ -2201,6 +2204,8 @@ mt7530_setup(struct dsa_switch *ds)
+                    SYS_CTRL_PHY_RST | SYS_CTRL_SW_RST |
+                    SYS_CTRL_REG_RST);
++      mt7530_pll_setup(priv);
++
+       /* Enable Port 6 only; P5 as GMAC5 which currently is not supported */
+       val = mt7530_read(priv, MT7530_MHWTRAP);
+       val &= ~MHWTRAP_P6_DIS & ~MHWTRAP_PHY_ACCESS;
+-- 
+2.39.2
+
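Review bot: `mt7530_pll_setup()` now rewrites `CORE_GSWPLL_GRP1`/`CORE_GSWPLL_GRP2` without the clock gating that preceded these writes in their old place. In `mt7530_pad_clk_setup()` they ran directly after `core_clear(priv, CORE_TRGMII_GSW_CLK_CG, REG_GSWCK_EN | REG_TRGMIICK_EN);`, which is still visible as context in the hunk at -453. Whether the hardware needs the core clock gated while the PLL is reprogrammed cannot be determined from the hunk, and the commit message reports that testing showed no problems. If it does, the helper should bracket its writes with `core_clear(priv, CORE_TRGMII_GSW_CLK_CG, REG_GSWCK_EN);` and the matching re-enable. Otherwise a comment in the helper stating that gating is not required would settle the question. The context comment in `mt7530_setup()`, "Enable Port 6 only; P5 as GMAC5 which currently is not supported", also reads as stale next to a change whose purpose is to make port 5 work.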
diff --git a/queue-6.1/net-ethernet-mtk_eth_soc-fix-rx-data-corruption-issu.patch b/queue-6.1/net-ethernet-mtk_eth_soc-fix-rx-data-corruption-issu.patch
new file mode 100644 (file)
index 0000000..fd94c2a
--- /dev/null
@@ -0,0 +1,71 @@
+From f42ae603071a7de77909525fdc621ad2a1a61846 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Mar 2023 13:43:20 +0000
+Subject: net: ethernet: mtk_eth_soc: fix RX data corruption issue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit 193250ace270fecd586dd2d0dfbd9cbd2ade977f ]
+
+Fix data corruption issue with SerDes connected PHYs operating at 1.25
+Gbps speed where we could previously observe about 30% packet loss while
+the bad packet counter was increasing.
+
+As almost all boards with MediaTek MT7622 or MT7986 use either the MT7531
+switch IC operating at 3.125Gbps SerDes rate or single-port PHYs using
+rate-adaptation to 2500Base-X mode, this issue only got exposed now when
+we started trying to use SFP modules operating with 1.25 Gbps with the
+BananaPi R3 board.
+
+The fix is to set bit 12 which disables the RX FIFO clear function when
+setting up MAC MCR, MediaTek SDK did the same change stating:
+"If without this patch, kernel might receive invalid packets that are
+corrupted by GMAC."[1]
+
+[1]: https://git01.mediatek.com/plugins/gitiles/openwrt/feeds/mtk-openwrt-feeds/+/d8a2975939a12686c4a95c40db21efdc3f821f63
+
+Fixes: 42c03844e93d ("net-next: mediatek: add support for MediaTek MT7622 SoC")
+Tested-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/138da2735f92c8b6f8578ec2e5a794ee515b665f.1677937317.git.daniel@makrotopia.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 3 ++-
+ drivers/net/ethernet/mediatek/mtk_eth_soc.h | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 53ee9dea66388..49975924e2426 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -561,7 +561,8 @@ static int mtk_mac_finish(struct phylink_config *config, unsigned int mode,
+       mcr_cur = mtk_r32(mac->hw, MTK_MAC_MCR(mac->id));
+       mcr_new = mcr_cur;
+       mcr_new |= MAC_MCR_IPG_CFG | MAC_MCR_FORCE_MODE |
+-                 MAC_MCR_BACKOFF_EN | MAC_MCR_BACKPR_EN | MAC_MCR_FORCE_LINK;
++                 MAC_MCR_BACKOFF_EN | MAC_MCR_BACKPR_EN | MAC_MCR_FORCE_LINK |
++                 MAC_MCR_RX_FIFO_CLR_DIS;
+       /* Only update control register when needed! */
+       if (mcr_new != mcr_cur)
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+index 306fdc2c608a4..dafa9a0baa58c 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+@@ -357,6 +357,7 @@
+ #define MAC_MCR_FORCE_MODE    BIT(15)
+ #define MAC_MCR_TX_EN         BIT(14)
+ #define MAC_MCR_RX_EN         BIT(13)
++#define MAC_MCR_RX_FIFO_CLR_DIS       BIT(12)
+ #define MAC_MCR_BACKOFF_EN    BIT(9)
+ #define MAC_MCR_BACKPR_EN     BIT(8)
+ #define MAC_MCR_FORCE_RX_FC   BIT(5)
+-- 
+2.39.2
+
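Review bot: `MAC_MCR_RX_FIFO_CLR_DIS` is added to the header and OR-ed into `mcr_new` in `mtk_mac_finish()` without any comment, so the code does not say why an RX FIFO clear function is being turned off. The rationale (corrupted frames and roughly 30% packet loss at 1.25 Gbps SerDes) is only in the commit message. I would add `/* Disable RX FIFO clear: otherwise frames corrupted by the GMAC can reach the kernel */` above the `mcr_new |=` statement. The bit is also set for every MAC this function configures, while the report names only MT7622 and MT7986. Whether bit 12 has the same meaning on the other supported SoCs is not shown here and is worth confirming.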
diff --git a/queue-6.1/net-lan78xx-fix-accessing-the-lan7800-s-internal-phy.patch b/queue-6.1/net-lan78xx-fix-accessing-the-lan7800-s-internal-phy.patch
new file mode 100644 (file)
index 0000000..8436a6d
--- /dev/null
@@ -0,0 +1,126 @@
+From 23bd047bc09253f3bd6b97835129616389d4fc35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Mar 2023 08:43:07 -0700
+Subject: net: lan78xx: fix accessing the LAN7800's internal phy specific
+ registers from the MAC driver
+
+From: Yuiko Oshino <yuiko.oshino@microchip.com>
+
+[ Upstream commit e57cf3639c323eeed05d3725fd82f91b349adca8 ]
+
+Move the LAN7800 internal phy (phy ID  0x0007c132) specific register
+accesses to the phy driver (microchip.c).
+
+Fix the error reported by Enguerrand de Ribaucourt in December 2022,
+"Some operations during the cable switch workaround modify the register
+LAN88XX_INT_MASK of the PHY. However, this register is specific to the
+LAN8835 PHY. For instance, if a DP8322I PHY is connected to the LAN7801,
+that register (0x19), corresponds to the LED and MAC address
+configuration, resulting in unapropriate behavior."
+
+I did not test with the DP8322I PHY, but I tested with an EVB-LAN7800
+with the internal PHY.
+
+Fixes: 14437e3fa284 ("lan78xx: workaround of forced 100 Full/Half duplex mode error")
+Signed-off-by: Yuiko Oshino <yuiko.oshino@microchip.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20230301154307.30438-1-yuiko.oshino@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/microchip.c | 32 ++++++++++++++++++++++++++++++++
+ drivers/net/usb/lan78xx.c   | 27 +--------------------------
+ 2 files changed, 33 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/net/phy/microchip.c b/drivers/net/phy/microchip.c
+index ccecee2524ce6..0b88635f4fbca 100644
+--- a/drivers/net/phy/microchip.c
++++ b/drivers/net/phy/microchip.c
+@@ -342,6 +342,37 @@ static int lan88xx_config_aneg(struct phy_device *phydev)
+       return genphy_config_aneg(phydev);
+ }
++static void lan88xx_link_change_notify(struct phy_device *phydev)
++{
++      int temp;
++
++      /* At forced 100 F/H mode, chip may fail to set mode correctly
++       * when cable is switched between long(~50+m) and short one.
++       * As workaround, set to 10 before setting to 100
++       * at forced 100 F/H mode.
++       */
++      if (!phydev->autoneg && phydev->speed == 100) {
++              /* disable phy interrupt */
++              temp = phy_read(phydev, LAN88XX_INT_MASK);
++              temp &= ~LAN88XX_INT_MASK_MDINTPIN_EN_;
++              phy_write(phydev, LAN88XX_INT_MASK, temp);
++
++              temp = phy_read(phydev, MII_BMCR);
++              temp &= ~(BMCR_SPEED100 | BMCR_SPEED1000);
++              phy_write(phydev, MII_BMCR, temp); /* set to 10 first */
++              temp |= BMCR_SPEED100;
++              phy_write(phydev, MII_BMCR, temp); /* set to 100 later */
++
++              /* clear pending interrupt generated while workaround */
++              temp = phy_read(phydev, LAN88XX_INT_STS);
++
++              /* enable phy interrupt back */
++              temp = phy_read(phydev, LAN88XX_INT_MASK);
++              temp |= LAN88XX_INT_MASK_MDINTPIN_EN_;
++              phy_write(phydev, LAN88XX_INT_MASK, temp);
++      }
++}
++
+ static struct phy_driver microchip_phy_driver[] = {
+ {
+       .phy_id         = 0x0007c132,
+@@ -359,6 +390,7 @@ static struct phy_driver microchip_phy_driver[] = {
+       .config_init    = lan88xx_config_init,
+       .config_aneg    = lan88xx_config_aneg,
++      .link_change_notify = lan88xx_link_change_notify,
+       .config_intr    = lan88xx_phy_config_intr,
+       .handle_interrupt = lan88xx_handle_interrupt,
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index f18ab8e220db7..068488890d57b 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -2115,33 +2115,8 @@ static void lan78xx_remove_mdio(struct lan78xx_net *dev)
+ static void lan78xx_link_status_change(struct net_device *net)
+ {
+       struct phy_device *phydev = net->phydev;
+-      int temp;
+-
+-      /* At forced 100 F/H mode, chip may fail to set mode correctly
+-       * when cable is switched between long(~50+m) and short one.
+-       * As workaround, set to 10 before setting to 100
+-       * at forced 100 F/H mode.
+-       */
+-      if (!phydev->autoneg && (phydev->speed == 100)) {
+-              /* disable phy interrupt */
+-              temp = phy_read(phydev, LAN88XX_INT_MASK);
+-              temp &= ~LAN88XX_INT_MASK_MDINTPIN_EN_;
+-              phy_write(phydev, LAN88XX_INT_MASK, temp);
+-              temp = phy_read(phydev, MII_BMCR);
+-              temp &= ~(BMCR_SPEED100 | BMCR_SPEED1000);
+-              phy_write(phydev, MII_BMCR, temp); /* set to 10 first */
+-              temp |= BMCR_SPEED100;
+-              phy_write(phydev, MII_BMCR, temp); /* set to 100 later */
+-
+-              /* clear pending interrupt generated while workaround */
+-              temp = phy_read(phydev, LAN88XX_INT_STS);
+-
+-              /* enable phy interrupt back */
+-              temp = phy_read(phydev, LAN88XX_INT_MASK);
+-              temp |= LAN88XX_INT_MASK_MDINTPIN_EN_;
+-              phy_write(phydev, LAN88XX_INT_MASK, temp);
+-      }
++      phy_print_status(phydev);
+ }
+ static int irq_map(struct irq_domain *d, unsigned int irq,
+-- 
+2.39.2
+
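Review bot: In the added `lan88xx_link_change_notify()`, every `phy_read()` result is masked and written straight back without a check for a negative return, so a failed MDIO read would push bits of an errno value into `LAN88XX_INT_MASK` or `MII_BMCR`. The body is moved as-is from `lan78xx_link_status_change()`, but the move is a good point to stop on error, e.g. `if (temp < 0) return;` after the first read. Alternatively use `phy_modify(phydev, LAN88XX_INT_MASK, LAN88XX_INT_MASK_MDINTPIN_EN_, 0)`, which does not write when the read fails. The final `phy_read(phydev, LAN88XX_INT_STS)` is only there to clear the pending interrupt, so its result can stay unused.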
diff --git a/queue-6.1/net-lan966x-fix-port-police-support-using-tc-matchal.patch b/queue-6.1/net-lan966x-fix-port-police-support-using-tc-matchal.patch
new file mode 100644 (file)
index 0000000..3ecdcba
--- /dev/null
@@ -0,0 +1,45 @@
+From 848b5361d47e6b919be76be4515369298032150f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Feb 2023 21:47:42 +0100
+Subject: net: lan966x: Fix port police support using tc-matchall
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 81563d8548b0478075c720666be348d4199b8591 ]
+
+When the police was removed from the port, then it was trying to
+remove the police from the police id and not from the actual
+police index.
+The police id represents the id of the police and police index
+represents the position in HW where the police is situated.
+The port police id can be any number while the port police index
+is a number based on the port chip port.
+Fix this by deleting the police from HW that is situated at the
+police index and not police id.
+
+Fixes: 5390334b59a3 ("net: lan966x: Add port police support using tc-matchall")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/lan966x/lan966x_police.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_police.c b/drivers/net/ethernet/microchip/lan966x/lan966x_police.c
+index a9aec900d608d..7d66fe75cd3bf 100644
+--- a/drivers/net/ethernet/microchip/lan966x/lan966x_police.c
++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_police.c
+@@ -194,7 +194,7 @@ int lan966x_police_port_del(struct lan966x_port *port,
+               return -EINVAL;
+       }
+-      err = lan966x_police_del(port, port->tc.police_id);
++      err = lan966x_police_del(port, POL_IDX_PORT + port->chip_port);
+       if (err) {
+               NL_SET_ERR_MSG_MOD(extack,
+                                  "Failed to add policer to port");
+-- 
+2.39.2
+
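Review bot: The extack text on the failure path right after the changed call still reads `"Failed to add policer to port"`, although this is `lan966x_police_port_del()` and the call that failed is `lan966x_police_del()`. Since the fix is about removing the right hardware entry, the message should match, e.g. `"Failed to delete policer from port"`, so a failed removal is not misread as a failed add. The function body starts and ends outside the hunk.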
diff --git a/queue-6.1/net-phy-smsc-fix-link-up-detection-in-forced-irq-mod.patch b/queue-6.1/net-phy-smsc-fix-link-up-detection-in-forced-irq-mod.patch
new file mode 100644 (file)
index 0000000..9747af9
--- /dev/null
@@ -0,0 +1,79 @@
+From 8bd20e26ca7344d5240558a6eead51ac2d77aa4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Mar 2023 11:52:44 +0100
+Subject: net: phy: smsc: fix link up detection in forced irq mode
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 58aac3a2ef414fea6d7fdf823ea177744a087d13 ]
+
+Currently link up can't be detected in forced mode if polling
+isn't used. Only link up interrupt source we have is aneg
+complete which isn't applicable in forced mode. Therefore we
+have to use energy-on as link up indicator.
+
+Fixes: 7365494550f6 ("net: phy: smsc: skip ENERGYON interrupt if disabled")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/smsc.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c
+index ac7481ce2fc16..00d9eff91dcfa 100644
+--- a/drivers/net/phy/smsc.c
++++ b/drivers/net/phy/smsc.c
+@@ -44,7 +44,6 @@ static struct smsc_hw_stat smsc_hw_stats[] = {
+ };
+ struct smsc_phy_priv {
+-      u16 intmask;
+       bool energy_enable;
+ };
+@@ -57,7 +56,6 @@ static int smsc_phy_ack_interrupt(struct phy_device *phydev)
+ static int smsc_phy_config_intr(struct phy_device *phydev)
+ {
+-      struct smsc_phy_priv *priv = phydev->priv;
+       int rc;
+       if (phydev->interrupts == PHY_INTERRUPT_ENABLED) {
+@@ -65,14 +63,9 @@ static int smsc_phy_config_intr(struct phy_device *phydev)
+               if (rc)
+                       return rc;
+-              priv->intmask = MII_LAN83C185_ISF_INT4 | MII_LAN83C185_ISF_INT6;
+-              if (priv->energy_enable)
+-                      priv->intmask |= MII_LAN83C185_ISF_INT7;
+-
+-              rc = phy_write(phydev, MII_LAN83C185_IM, priv->intmask);
++              rc = phy_write(phydev, MII_LAN83C185_IM,
++                             MII_LAN83C185_ISF_INT_PHYLIB_EVENTS);
+       } else {
+-              priv->intmask = 0;
+-
+               rc = phy_write(phydev, MII_LAN83C185_IM, 0);
+               if (rc)
+                       return rc;
+@@ -85,7 +78,6 @@ static int smsc_phy_config_intr(struct phy_device *phydev)
+ static irqreturn_t smsc_phy_handle_interrupt(struct phy_device *phydev)
+ {
+-      struct smsc_phy_priv *priv = phydev->priv;
+       int irq_status;
+       irq_status = phy_read(phydev, MII_LAN83C185_ISF);
+@@ -96,7 +88,7 @@ static irqreturn_t smsc_phy_handle_interrupt(struct phy_device *phydev)
+               return IRQ_NONE;
+       }
+-      if (!(irq_status & priv->intmask))
++      if (!(irq_status & MII_LAN83C185_ISF_INT_PHYLIB_EVENTS))
+               return IRQ_NONE;
+       phy_trigger_machine(phydev);
+-- 
+2.39.2
+
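Review bot: `smsc_phy_config_intr()` and `smsc_phy_handle_interrupt()` now use the fixed mask `MII_LAN83C185_ISF_INT_PHYLIB_EVENTS`, whose definition is not part of this patch, and nothing at either site says that ENERGYON is meant to stay unmasked even when `energy_enable` is false. A short comment above the `phy_write()` would keep someone from re-adding the conditional, for example `/* ENERGYON is the only link-up source in forced mode, keep it unmasked */`. This assumes the macro includes the ENERGYON bit, as the commit message implies. Both functions continue outside the hunks.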
diff --git a/queue-6.1/net-phylib-get-rid-of-unnecessary-locking.patch b/queue-6.1/net-phylib-get-rid-of-unnecessary-locking.patch
new file mode 100644 (file)
index 0000000..14d62ab
--- /dev/null
@@ -0,0 +1,174 @@
+From c715fbc1dbc29303d89d41c6db0ac79289464c89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Mar 2023 16:37:54 +0000
+Subject: net: phylib: get rid of unnecessary locking
+
+From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit f4b47a2e9463950df3e7c8b70e017877c1d4eb11 ]
+
+The locking in phy_probe() and phy_remove() does very little to prevent
+any races with e.g. phy_attach_direct(), but instead causes lockdep ABBA
+warnings. Remove it.
+
+======================================================
+WARNING: possible circular locking dependency detected
+6.2.0-dirty #1108 Tainted: G        W   E
+------------------------------------------------------
+ip/415 is trying to acquire lock:
+ffff5c268f81ef50 (&dev->lock){+.+.}-{3:3}, at: phy_attach_direct+0x17c/0x3a0 [libphy]
+
+but task is already holding lock:
+ffffaef6496cb518 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x154/0x560
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #1 (rtnl_mutex){+.+.}-{3:3}:
+       __lock_acquire+0x35c/0x6c0
+       lock_acquire.part.0+0xcc/0x220
+       lock_acquire+0x68/0x84
+       __mutex_lock+0x8c/0x414
+       mutex_lock_nested+0x34/0x40
+       rtnl_lock+0x24/0x30
+       sfp_bus_add_upstream+0x34/0x150
+       phy_sfp_probe+0x4c/0x94 [libphy]
+       mv3310_probe+0x148/0x184 [marvell10g]
+       phy_probe+0x8c/0x200 [libphy]
+       call_driver_probe+0xbc/0x15c
+       really_probe+0xc0/0x320
+       __driver_probe_device+0x84/0x120
+       driver_probe_device+0x44/0x120
+       __device_attach_driver+0xc4/0x160
+       bus_for_each_drv+0x80/0xe0
+       __device_attach+0xb0/0x1f0
+       device_initial_probe+0x1c/0x2c
+       bus_probe_device+0xa4/0xb0
+       device_add+0x360/0x53c
+       phy_device_register+0x60/0xa4 [libphy]
+       fwnode_mdiobus_phy_device_register+0xc0/0x190 [fwnode_mdio]
+       fwnode_mdiobus_register_phy+0x160/0xd80 [fwnode_mdio]
+       of_mdiobus_register+0x140/0x340 [of_mdio]
+       orion_mdio_probe+0x298/0x3c0 [mvmdio]
+       platform_probe+0x70/0xe0
+       call_driver_probe+0x34/0x15c
+       really_probe+0xc0/0x320
+       __driver_probe_device+0x84/0x120
+       driver_probe_device+0x44/0x120
+       __driver_attach+0x104/0x210
+       bus_for_each_dev+0x78/0xdc
+       driver_attach+0x2c/0x3c
+       bus_add_driver+0x184/0x240
+       driver_register+0x80/0x13c
+       __platform_driver_register+0x30/0x3c
+       xt_compat_calc_jump+0x28/0xa4 [x_tables]
+       do_one_initcall+0x50/0x1b0
+       do_init_module+0x50/0x1fc
+       load_module+0x684/0x744
+       __do_sys_finit_module+0xc4/0x140
+       __arm64_sys_finit_module+0x28/0x34
+       invoke_syscall+0x50/0x120
+       el0_svc_common.constprop.0+0x6c/0x1b0
+       do_el0_svc+0x34/0x44
+       el0_svc+0x48/0xf0
+       el0t_64_sync_handler+0xb8/0xc0
+       el0t_64_sync+0x1a0/0x1a4
+
+-> #0 (&dev->lock){+.+.}-{3:3}:
+       check_prev_add+0xb4/0xc80
+       validate_chain+0x414/0x47c
+       __lock_acquire+0x35c/0x6c0
+       lock_acquire.part.0+0xcc/0x220
+       lock_acquire+0x68/0x84
+       __mutex_lock+0x8c/0x414
+       mutex_lock_nested+0x34/0x40
+       phy_attach_direct+0x17c/0x3a0 [libphy]
+       phylink_fwnode_phy_connect.part.0+0x70/0xe4 [phylink]
+       phylink_fwnode_phy_connect+0x48/0x60 [phylink]
+       mvpp2_open+0xec/0x2e0 [mvpp2]
+       __dev_open+0x104/0x214
+       __dev_change_flags+0x1d4/0x254
+       dev_change_flags+0x2c/0x7c
+       do_setlink+0x254/0xa50
+       __rtnl_newlink+0x430/0x514
+       rtnl_newlink+0x58/0x8c
+       rtnetlink_rcv_msg+0x17c/0x560
+       netlink_rcv_skb+0x64/0x150
+       rtnetlink_rcv+0x20/0x30
+       netlink_unicast+0x1d4/0x2b4
+       netlink_sendmsg+0x1a4/0x400
+       ____sys_sendmsg+0x228/0x290
+       ___sys_sendmsg+0x88/0xec
+       __sys_sendmsg+0x70/0xd0
+       __arm64_sys_sendmsg+0x2c/0x40
+       invoke_syscall+0x50/0x120
+       el0_svc_common.constprop.0+0x6c/0x1b0
+       do_el0_svc+0x34/0x44
+       el0_svc+0x48/0xf0
+       el0t_64_sync_handler+0xb8/0xc0
+       el0t_64_sync+0x1a0/0x1a4
+
+other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+       CPU0                    CPU1
+       ----                    ----
+  lock(rtnl_mutex);
+                               lock(&dev->lock);
+                               lock(rtnl_mutex);
+  lock(&dev->lock);
+
+ *** DEADLOCK ***
+
+Fixes: 298e54fa810e ("net: phy: add core phylib sfp support")
+Reported-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy_device.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index 8cff61dbc4b57..7fbb0904b3c0f 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -3041,8 +3041,6 @@ static int phy_probe(struct device *dev)
+       if (phydrv->flags & PHY_IS_INTERNAL)
+               phydev->is_internal = true;
+-      mutex_lock(&phydev->lock);
+-
+       /* Deassert the reset signal */
+       phy_device_reset(phydev, 0);
+@@ -3110,12 +3108,10 @@ static int phy_probe(struct device *dev)
+       phydev->state = PHY_READY;
+ out:
+-      /* Assert the reset signal */
++      /* Re-assert the reset signal on error */
+       if (err)
+               phy_device_reset(phydev, 1);
+-      mutex_unlock(&phydev->lock);
+-
+       return err;
+ }
+@@ -3125,9 +3121,7 @@ static int phy_remove(struct device *dev)
+       cancel_delayed_work_sync(&phydev->state_queue);
+-      mutex_lock(&phydev->lock);
+       phydev->state = PHY_DOWN;
+-      mutex_unlock(&phydev->lock);
+       sfp_bus_del_upstream(phydev->sfp_bus);
+       phydev->sfp_bus = NULL;
+-- 
+2.39.2
+
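Review bot: After the lock removal, `phy_probe()` and `phy_remove()` write `phydev->state` with no lock held and no comment saying why that is safe. In `phy_remove()` the write follows `cancel_delayed_work_sync(&phydev->state_queue)`, which is presumably what keeps the state machine from running concurrently. I would record that in a comment, e.g. `/* state machine work is cancelled above; no locking needed */`, and add a matching remark at `phydev->state = PHY_READY` in `phy_probe()`. Both functions start and end outside the hunks, so other accessors of `state` are not visible here.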
diff --git a/queue-6.1/net-smc-fix-fallback-failed-while-sendmsg-with-fasto.patch b/queue-6.1/net-smc-fix-fallback-failed-while-sendmsg-with-fasto.patch
new file mode 100644 (file)
index 0000000..d905c37
--- /dev/null
@@ -0,0 +1,74 @@
+From eeac0e89886ce9143d4f893ff78d3b34f0cd9c0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 11:23:46 +0800
+Subject: net/smc: fix fallback failed while sendmsg with fastopen
+
+From: D. Wythe <alibuda@linux.alibaba.com>
+
+[ Upstream commit ce7ca794712f186da99719e8b4e97bd5ddbb04c3 ]
+
+Before determining whether the msg has unsupported options, it has been
+prematurely terminated by the wrong status check.
+
+For the application, the general usages of MSG_FASTOPEN likes
+
+fd = socket(...)
+/* rather than connect */
+sendto(fd, data, len, MSG_FASTOPEN)
+
+Hence, We need to check the flag before state check, because the sock
+state here is always SMC_INIT when applications tries MSG_FASTOPEN.
+Once we found unsupported options, fallback it to TCP.
+
+Fixes: ee9dfbef02d1 ("net/smc: handle sockopts forcing fallback")
+Signed-off-by: D. Wythe <alibuda@linux.alibaba.com>
+Signed-off-by: Simon Horman <simon.horman@corigine.com>
+
+v2 -> v1: Optimize code style
+Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index d9413d43b1045..e8018b0fb7676 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -2644,16 +2644,14 @@ static int smc_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+ {
+       struct sock *sk = sock->sk;
+       struct smc_sock *smc;
+-      int rc = -EPIPE;
++      int rc;
+       smc = smc_sk(sk);
+       lock_sock(sk);
+-      if ((sk->sk_state != SMC_ACTIVE) &&
+-          (sk->sk_state != SMC_APPCLOSEWAIT1) &&
+-          (sk->sk_state != SMC_INIT))
+-              goto out;
++      /* SMC does not support connect with fastopen */
+       if (msg->msg_flags & MSG_FASTOPEN) {
++              /* not connected yet, fallback */
+               if (sk->sk_state == SMC_INIT && !smc->connect_nonblock) {
+                       rc = smc_switch_to_fallback(smc, SMC_CLC_DECL_OPTUNSUPP);
+                       if (rc)
+@@ -2662,6 +2660,11 @@ static int smc_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+                       rc = -EINVAL;
+                       goto out;
+               }
++      } else if ((sk->sk_state != SMC_ACTIVE) &&
++                 (sk->sk_state != SMC_APPCLOSEWAIT1) &&
++                 (sk->sk_state != SMC_INIT)) {
++              rc = -EPIPE;
++              goto out;
+       }
+       if (smc->use_fallback) {
+-- 
+2.39.2
+
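Review bot: With the state check moved into the `else if`, a `sendmsg()` carrying `MSG_FASTOPEN` on a socket in none of the three accepted states no longer returns `-EPIPE`; it takes the fastopen branch and ends at `rc = -EINVAL`. That assignment is presumably the `else` of the `SMC_INIT` test, whose opening line falls between the two hunks. If the errno change is intended it deserves a line in the commit message; if not, the fastopen branch should hand non-`SMC_INIT` states to the `-EPIPE` check instead of returning `-EINVAL` itself. `rc` is also no longer initialised at declaration, so every `goto out` has to assign it first, which holds for the paths visible here.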
diff --git a/queue-6.1/net-stmmac-add-to-set-device-wake-up-flag-when-stmma.patch b/queue-6.1/net-stmmac-add-to-set-device-wake-up-flag-when-stmma.patch
new file mode 100644 (file)
index 0000000..3bb01d9
--- /dev/null
@@ -0,0 +1,50 @@
+From e7f6bd21c17480db6ca47e2d3a5b3b84cfb96696 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Mar 2023 14:21:43 +0800
+Subject: net: stmmac: add to set device wake up flag when stmmac init phy
+
+From: Rongguang Wei <weirongguang@kylinos.cn>
+
+[ Upstream commit a9334b702a03b693f54ebd3b98f67bf722b74870 ]
+
+When MAC is not support PMT, driver will check PHY's WoL capability
+and set device wakeup capability in stmmac_init_phy(). We can enable
+the WoL through ethtool, the driver would enable the device wake up
+flag. Now the device_may_wakeup() return true.
+
+But if there is a way which enable the PHY's WoL capability derectly,
+like in BIOS. The driver would not know the enable thing and would not
+set the device wake up flag. The phy_suspend may failed like this:
+
+[   32.409063] PM: dpm_run_callback(): mdio_bus_phy_suspend+0x0/0x50 returns -16
+[   32.409065] PM: Device stmmac-1:00 failed to suspend: error -16
+[   32.409067] PM: Some devices failed to suspend, or early wake event detected
+
+Add to set the device wakeup enable flag according to the get_wol
+function result in PHY can fix the error in this scene.
+
+v2: add a Fixes tag.
+
+Fixes: 1d8e5b0f3f2c ("net: stmmac: Support WOL with phy")
+Signed-off-by: Rongguang Wei <weirongguang@kylinos.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 84e1740b12f1b..3c1d4b27668fe 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -1168,6 +1168,7 @@ static int stmmac_init_phy(struct net_device *dev)
+               phylink_ethtool_get_wol(priv->phylink, &wol);
+               device_set_wakeup_capable(priv->device, !!wol.supported);
++              device_set_wakeup_enable(priv->device, !!wol.wolopts);
+       }
+       return ret;
+-- 
+2.39.2
+
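Review bot: The added `device_set_wakeup_enable()` call turns on the device wakeup flag whenever the PHY reports non-zero `wol.wolopts` at init, so a Wake-on-LAN setting left by firmware becomes an enabled wakeup source without any ethtool action. That deserves a comment at the call site, e.g. `/* honour WoL already enabled in the PHY (e.g. by firmware) so suspend does not fail */`. The return value is also ignored; `device_set_wakeup_enable()` can fail when the device is not wakeup-capable, which would happen here if `wol.supported` is zero while `wol.wolopts` is not. `stmmac_init_phy()` starts outside the hunk, so how `wol` is initialised is not visible.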
diff --git a/queue-6.1/net-tls-fix-device-offloaded-sendpage-straddling-rec.patch b/queue-6.1/net-tls-fix-device-offloaded-sendpage-straddling-rec.patch
new file mode 100644 (file)
index 0000000..352f4e0
--- /dev/null
@@ -0,0 +1,42 @@
+From a43334e699d8036362f8bbf20cea2c33c5707d7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Mar 2023 11:26:10 -0800
+Subject: net: tls: fix device-offloaded sendpage straddling records
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit e539a105f947b9db470fec39fe91d85fe737a432 ]
+
+Adrien reports that incorrect data is transmitted when a single
+page straddles multiple records. We would transmit the same
+data in all iterations of the loop.
+
+Reported-by: Adrien Moulin <amoulin@corp.free.fr>
+Link: https://lore.kernel.org/all/61481278.42813558.1677845235112.JavaMail.zimbra@corp.free.fr
+Fixes: c1318b39c7d3 ("tls: Add opt-in zerocopy mode of sendfile()")
+Tested-by: Adrien Moulin <amoulin@corp.free.fr>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Acked-by: Maxim Mikityanskiy <maxtram95@gmail.com>
+Link: https://lore.kernel.org/r/20230304192610.3818098-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_device.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
+index 6c593788dc250..a7cc4f9faac28 100644
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -508,6 +508,8 @@ static int tls_push_data(struct sock *sk,
+                       zc_pfrag.offset = iter_offset.offset;
+                       zc_pfrag.size = copy;
+                       tls_append_frag(record, &zc_pfrag, copy);
++
++                      iter_offset.offset += copy;
+               } else if (copy) {
+                       copy = min_t(size_t, copy, pfrag->size - pfrag->offset);
+-- 
+2.39.2
+
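Review bot: The added `iter_offset.offset += copy;` has no comment, and the reason it is needed only shows when one page spans several records. I would add `/* advance within the page so the next record does not resend the same bytes */` above it. `tls_push_data()` starts and ends outside the hunk, so whether the non-zerocopy branch advances its source the same way cannot be checked from here.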
diff --git a/queue-6.1/net-tls-fix-possible-race-condition-between-do_tls_g.patch b/queue-6.1/net-tls-fix-possible-race-condition-between-do_tls_g.patch
new file mode 100644 (file)
index 0000000..efa8cc8
--- /dev/null
@@ -0,0 +1,176 @@
+From b3c067645e0833e013988d7174b70c460ad18cd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Feb 2023 10:33:44 +0800
+Subject: net: tls: fix possible race condition between
+ do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+[ Upstream commit 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962 ]
+
+ctx->crypto_send.info is not protected by lock_sock in
+do_tls_getsockopt_conf(). A race condition between do_tls_getsockopt_conf()
+and error paths of do_tls_setsockopt_conf() may lead to a use-after-free
+or null-deref.
+
+More discussion:  https://lore.kernel.org/all/Y/ht6gQL+u6fj3dG@hog/
+
+Fixes: 3c4d7559159b ("tls: kernel TLS support")
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Link: https://lore.kernel.org/r/20230228023344.9623-1-hbh25y@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_main.c | 23 +++++------------------
+ 1 file changed, 5 insertions(+), 18 deletions(-)
+
+diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
+index 3735cb00905df..b32c112984dd9 100644
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -405,13 +405,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
+                       rc = -EINVAL;
+                       goto out;
+               }
+-              lock_sock(sk);
+               memcpy(crypto_info_aes_gcm_128->iv,
+                      cctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
+                      TLS_CIPHER_AES_GCM_128_IV_SIZE);
+               memcpy(crypto_info_aes_gcm_128->rec_seq, cctx->rec_seq,
+                      TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
+-              release_sock(sk);
+               if (copy_to_user(optval,
+                                crypto_info_aes_gcm_128,
+                                sizeof(*crypto_info_aes_gcm_128)))
+@@ -429,13 +427,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
+                       rc = -EINVAL;
+                       goto out;
+               }
+-              lock_sock(sk);
+               memcpy(crypto_info_aes_gcm_256->iv,
+                      cctx->iv + TLS_CIPHER_AES_GCM_256_SALT_SIZE,
+                      TLS_CIPHER_AES_GCM_256_IV_SIZE);
+               memcpy(crypto_info_aes_gcm_256->rec_seq, cctx->rec_seq,
+                      TLS_CIPHER_AES_GCM_256_REC_SEQ_SIZE);
+-              release_sock(sk);
+               if (copy_to_user(optval,
+                                crypto_info_aes_gcm_256,
+                                sizeof(*crypto_info_aes_gcm_256)))
+@@ -451,13 +447,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
+                       rc = -EINVAL;
+                       goto out;
+               }
+-              lock_sock(sk);
+               memcpy(aes_ccm_128->iv,
+                      cctx->iv + TLS_CIPHER_AES_CCM_128_SALT_SIZE,
+                      TLS_CIPHER_AES_CCM_128_IV_SIZE);
+               memcpy(aes_ccm_128->rec_seq, cctx->rec_seq,
+                      TLS_CIPHER_AES_CCM_128_REC_SEQ_SIZE);
+-              release_sock(sk);
+               if (copy_to_user(optval, aes_ccm_128, sizeof(*aes_ccm_128)))
+                       rc = -EFAULT;
+               break;
+@@ -472,13 +466,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
+                       rc = -EINVAL;
+                       goto out;
+               }
+-              lock_sock(sk);
+               memcpy(chacha20_poly1305->iv,
+                      cctx->iv + TLS_CIPHER_CHACHA20_POLY1305_SALT_SIZE,
+                      TLS_CIPHER_CHACHA20_POLY1305_IV_SIZE);
+               memcpy(chacha20_poly1305->rec_seq, cctx->rec_seq,
+                      TLS_CIPHER_CHACHA20_POLY1305_REC_SEQ_SIZE);
+-              release_sock(sk);
+               if (copy_to_user(optval, chacha20_poly1305,
+                               sizeof(*chacha20_poly1305)))
+                       rc = -EFAULT;
+@@ -493,13 +485,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
+                       rc = -EINVAL;
+                       goto out;
+               }
+-              lock_sock(sk);
+               memcpy(sm4_gcm_info->iv,
+                      cctx->iv + TLS_CIPHER_SM4_GCM_SALT_SIZE,
+                      TLS_CIPHER_SM4_GCM_IV_SIZE);
+               memcpy(sm4_gcm_info->rec_seq, cctx->rec_seq,
+                      TLS_CIPHER_SM4_GCM_REC_SEQ_SIZE);
+-              release_sock(sk);
+               if (copy_to_user(optval, sm4_gcm_info, sizeof(*sm4_gcm_info)))
+                       rc = -EFAULT;
+               break;
+@@ -513,13 +503,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
+                       rc = -EINVAL;
+                       goto out;
+               }
+-              lock_sock(sk);
+               memcpy(sm4_ccm_info->iv,
+                      cctx->iv + TLS_CIPHER_SM4_CCM_SALT_SIZE,
+                      TLS_CIPHER_SM4_CCM_IV_SIZE);
+               memcpy(sm4_ccm_info->rec_seq, cctx->rec_seq,
+                      TLS_CIPHER_SM4_CCM_REC_SEQ_SIZE);
+-              release_sock(sk);
+               if (copy_to_user(optval, sm4_ccm_info, sizeof(*sm4_ccm_info)))
+                       rc = -EFAULT;
+               break;
+@@ -535,13 +523,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
+                       rc = -EINVAL;
+                       goto out;
+               }
+-              lock_sock(sk);
+               memcpy(crypto_info_aria_gcm_128->iv,
+                      cctx->iv + TLS_CIPHER_ARIA_GCM_128_SALT_SIZE,
+                      TLS_CIPHER_ARIA_GCM_128_IV_SIZE);
+               memcpy(crypto_info_aria_gcm_128->rec_seq, cctx->rec_seq,
+                      TLS_CIPHER_ARIA_GCM_128_REC_SEQ_SIZE);
+-              release_sock(sk);
+               if (copy_to_user(optval,
+                                crypto_info_aria_gcm_128,
+                                sizeof(*crypto_info_aria_gcm_128)))
+@@ -559,13 +545,11 @@ static int do_tls_getsockopt_conf(struct sock *sk, char __user *optval,
+                       rc = -EINVAL;
+                       goto out;
+               }
+-              lock_sock(sk);
+               memcpy(crypto_info_aria_gcm_256->iv,
+                      cctx->iv + TLS_CIPHER_ARIA_GCM_256_SALT_SIZE,
+                      TLS_CIPHER_ARIA_GCM_256_IV_SIZE);
+               memcpy(crypto_info_aria_gcm_256->rec_seq, cctx->rec_seq,
+                      TLS_CIPHER_ARIA_GCM_256_REC_SEQ_SIZE);
+-              release_sock(sk);
+               if (copy_to_user(optval,
+                                crypto_info_aria_gcm_256,
+                                sizeof(*crypto_info_aria_gcm_256)))
+@@ -614,11 +598,9 @@ static int do_tls_getsockopt_no_pad(struct sock *sk, char __user *optval,
+       if (len < sizeof(value))
+               return -EINVAL;
+-      lock_sock(sk);
+       value = -EINVAL;
+       if (ctx->rx_conf == TLS_SW || ctx->rx_conf == TLS_HW)
+               value = ctx->rx_no_pad;
+-      release_sock(sk);
+       if (value < 0)
+               return value;
+@@ -635,6 +617,8 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
+ {
+       int rc = 0;
++      lock_sock(sk);
++
+       switch (optname) {
+       case TLS_TX:
+       case TLS_RX:
+@@ -651,6 +635,9 @@ static int do_tls_getsockopt(struct sock *sk, int optname,
+               rc = -ENOPROTOOPT;
+               break;
+       }
++
++      release_sock(sk);
++
+       return rc;
+ }
+-- 
+2.39.2
+
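Review bot: `do_tls_getsockopt_conf()` and `do_tls_getsockopt_no_pad()` now depend on the caller holding the socket lock, but nothing in them states or checks that, so a future direct caller would bring back the unlocked read of the crypto context. A `sock_owned_by_me(sk);` at the top of each helper, or a one-line comment such as `/* caller holds lock_sock(sk) */`, would pin the contract. The lock now also covers `copy_to_user()` in every cipher branch; that call can fault and sleep, which `lock_sock()` permits but which lengthens the hold time. The switch body in `do_tls_getsockopt()` is only partly visible, so I am assuming no case returns before `release_sock(sk)`.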
diff --git a/queue-6.1/net-use-indirect-calls-helpers-for-sk_exit_memory_pr.patch b/queue-6.1/net-use-indirect-calls-helpers-for-sk_exit_memory_pr.patch
new file mode 100644 (file)
index 0000000..b749266
--- /dev/null
@@ -0,0 +1,70 @@
+From 2cce7b4b4f0a92a0035f45101eb87d29dfe49366 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Mar 2023 13:32:47 +0000
+Subject: net: use indirect calls helpers for sk_exit_memory_pressure()
+
+From: Brian Vazquez <brianvv@google.com>
+
+[ Upstream commit 5c1ebbfabcd61142a4551bfc0e51840f9bdae7af ]
+
+Florian reported a regression and sent a patch with the following
+changelog:
+
+<quote>
+ There is a noticeable tcp performance regression (loopback or cross-netns),
+ seen with iperf3 -Z (sendfile mode) when generic retpolines are needed.
+
+ With SK_RECLAIM_THRESHOLD checks gone number of calls to enter/leave
+ memory pressure happen much more often. For TCP indirect calls are
+ used.
+
+ We can't remove the if-set-return short-circuit check in
+ tcp_enter_memory_pressure because there are callers other than
+ sk_enter_memory_pressure.  Doing a check in the sk wrapper too
+ reduces the indirect calls enough to recover some performance.
+
+ Before,
+ 0.00-60.00  sec   322 GBytes  46.1 Gbits/sec                  receiver
+
+ After:
+ 0.00-60.04  sec   359 GBytes  51.4 Gbits/sec                  receiver
+
+ "iperf3 -c $peer -t 60 -Z -f g", connected via veth in another netns.
+</quote>
+
+It seems we forgot to upstream this indirect call mitigation we
+had for years, lets do this instead.
+
+[edumazet] - It seems we forgot to upstream this indirect call
+             mitigation we had for years, let's do this instead.
+           - Changed to INDIRECT_CALL_INET_1() to avoid bots reports.
+
+Fixes: 4890b686f408 ("net: keep sk->sk_forward_alloc as small as possible")
+Reported-by: Florian Westphal <fw@strlen.de>
+Link: https://lore.kernel.org/netdev/20230227152741.4a53634b@kernel.org/T/
+Signed-off-by: Brian Vazquez <brianvv@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230301133247.2346111-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 4dfdcdfd00114..eb0b76acd9df1 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2805,7 +2805,8 @@ static void sk_enter_memory_pressure(struct sock *sk)
+ static void sk_leave_memory_pressure(struct sock *sk)
+ {
+       if (sk->sk_prot->leave_memory_pressure) {
+-              sk->sk_prot->leave_memory_pressure(sk);
++              INDIRECT_CALL_INET_1(sk->sk_prot->leave_memory_pressure,
++                                   tcp_leave_memory_pressure, sk);
+       } else {
+               unsigned long *memory_pressure = sk->sk_prot->memory_pressure;
+-- 
+2.39.2
+
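Review bot: Only the leave path in net/core/sock.c is switched to `INDIRECT_CALL_INET_1()`, while the quoted changelog says calls to both enter and leave memory pressure became more frequent. `sk_enter_memory_pressure()` appears only in the hunk header, so whether it still makes a plain indirect call cannot be seen here. If it does, the matching form would be `INDIRECT_CALL_INET_1(sk->sk_prot->enter_memory_pressure, tcp_enter_memory_pressure, sk);`. The body of `sk_leave_memory_pressure()` continues past the end of the hunk.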
diff --git a/queue-6.1/netfilter-conntrack-adopt-safer-max-chain-length.patch b/queue-6.1/netfilter-conntrack-adopt-safer-max-chain-length.patch
new file mode 100644 (file)
index 0000000..b89526f
--- /dev/null
@@ -0,0 +1,53 @@
+From d4207695fb07d77483d725a8cb313e97e7accdbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 05:22:54 +0000
+Subject: netfilter: conntrack: adopt safer max chain length
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c77737b736ceb50fdf150434347dbd81ec76dbb1 ]
+
+Customers using GKE 1.25 and 1.26 are facing conntrack issues
+root caused to commit c9c3b6811f74 ("netfilter: conntrack: make
+max chain length random").
+
+Even if we assume Uniform Hashing, a bucket often reachs 8 chained
+items while the load factor of the hash table is smaller than 0.5
+
+With a limit of 16, we reach load factors of 3.
+With a limit of 32, we reach load factors of 11.
+With a limit of 40, we reach load factors of 15.
+With a limit of 50, we reach load factors of 24.
+
+This patch changes MIN_CHAINLEN to 50, to minimize risks.
+
+Ideally, we could in the future add a cushion based on expected
+load factor (2 * nf_conntrack_max / nf_conntrack_buckets),
+because some setups might expect unusual values.
+
+Fixes: c9c3b6811f74 ("netfilter: conntrack: make max chain length random")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 7f0f3bcaae031..30ed45b1b57df 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -96,8 +96,8 @@ static DEFINE_MUTEX(nf_conntrack_mutex);
+ #define GC_SCAN_MAX_DURATION  msecs_to_jiffies(10)
+ #define GC_SCAN_EXPIRED_MAX   (64000u / HZ)
+-#define MIN_CHAINLEN  8u
+-#define MAX_CHAINLEN  (32u - MIN_CHAINLEN)
++#define MIN_CHAINLEN  50u
++#define MAX_CHAINLEN  (80u - MIN_CHAINLEN)
+ static struct conntrack_gc_work conntrack_gc_work;
+-- 
+2.39.2
+
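Review bot: `MIN_CHAINLEN` and `MAX_CHAINLEN` in nf_conntrack_core.c change value without any comment on what they bound, so the reasoning for 50 and 80 lives only in the commit message. Judging by the Fixes: subject, the per-bucket limit is presumably a random value in the range MIN_CHAINLEN to MIN_CHAINLEN + MAX_CHAINLEN, which would be 50 to 79 after this change, but the code using the macros is outside the hunk. This limit caps how much work one collided bucket can cost and also decides when legitimate inserts are refused, so the trade-off deserves a note beside the defines. Something like `/* chain limit = MIN_CHAINLEN + random below MAX_CHAINLEN; floor chosen so uniform hashing at load factor ~24 stays under it */` would do.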
diff --git a/queue-6.1/netfilter-ctnetlink-revert-to-dumping-mark-regardles.patch b/queue-6.1/netfilter-ctnetlink-revert-to-dumping-mark-regardles.patch
new file mode 100644 (file)
index 0000000..c0969d6
--- /dev/null
@@ -0,0 +1,80 @@
+From 5d0209ba2d749d875800d11d3f02624279515ee9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Mar 2023 17:48:31 -0800
+Subject: netfilter: ctnetlink: revert to dumping mark regardless of event type
+
+From: Ivan Delalande <colona@arista.com>
+
+[ Upstream commit 9f7dd42f0db1dc6915a52d4a8a96ca18dd8cc34e ]
+
+It seems that change was unintentional, we have userspace code that
+needs the mark while listening for events like REPLY, DESTROY, etc.
+Also include 0-marks in requested dumps, as they were before that fix.
+
+Fixes: 1feeae071507 ("netfilter: ctnetlink: fix compilation warning after data race fixes in ct mark")
+Signed-off-by: Ivan Delalande <colona@arista.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 733bb56950c14..d095d3c1ceca6 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -328,11 +328,12 @@ ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
+ }
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+-static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
++static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct,
++                             bool dump)
+ {
+       u32 mark = READ_ONCE(ct->mark);
+-      if (!mark)
++      if (!mark && !dump)
+               return 0;
+       if (nla_put_be32(skb, CTA_MARK, htonl(mark)))
+@@ -343,7 +344,7 @@ static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
+       return -1;
+ }
+ #else
+-#define ctnetlink_dump_mark(a, b) (0)
++#define ctnetlink_dump_mark(a, b, c) (0)
+ #endif
+ #ifdef CONFIG_NF_CONNTRACK_SECMARK
+@@ -548,7 +549,7 @@ static int ctnetlink_dump_extinfo(struct sk_buff *skb,
+ static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
+ {
+       if (ctnetlink_dump_status(skb, ct) < 0 ||
+-          ctnetlink_dump_mark(skb, ct) < 0 ||
++          ctnetlink_dump_mark(skb, ct, true) < 0 ||
+           ctnetlink_dump_secctx(skb, ct) < 0 ||
+           ctnetlink_dump_id(skb, ct) < 0 ||
+           ctnetlink_dump_use(skb, ct) < 0 ||
+@@ -831,8 +832,7 @@ ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item)
+       }
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+-      if (events & (1 << IPCT_MARK) &&
+-          ctnetlink_dump_mark(skb, ct) < 0)
++      if (ctnetlink_dump_mark(skb, ct, events & (1 << IPCT_MARK)))
+               goto nla_put_failure;
+ #endif
+       nlmsg_end(skb, nlh);
+@@ -2735,7 +2735,7 @@ static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
+               goto nla_put_failure;
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+-      if (ctnetlink_dump_mark(skb, ct) < 0)
++      if (ctnetlink_dump_mark(skb, ct, true) < 0)
+               goto nla_put_failure;
+ #endif
+       if (ctnetlink_dump_labels(skb, ct) < 0)
+-- 
+2.39.2
+
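Review bot: The event-path call in `ctnetlink_conntrack_event()` tests the result of `ctnetlink_dump_mark()` for non-zero, while the other two call sites touched here keep the `< 0` comparison. The function returns 0 or -1 in the visible lines, so behaviour is the same, but the mixed convention is easy to break if a positive return is ever added. I would write `if (ctnetlink_dump_mark(skb, ct, events & (1 << IPCT_MARK)) < 0)`. The new `bool dump` parameter also deserves a one-line comment, for example `/* dump: emit CTA_MARK even when the mark is 0 */`, since its name does not say that it only affects zero marks.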
diff --git a/queue-6.1/netfilter-nft_last-copy-content-when-cloning-express.patch b/queue-6.1/netfilter-nft_last-copy-content-when-cloning-express.patch
new file mode 100644 (file)
index 0000000..e1f7654
--- /dev/null
@@ -0,0 +1,42 @@
+From e783b408844577a55476cd479a55a91be0e4d9d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Feb 2023 17:09:03 +0100
+Subject: netfilter: nft_last: copy content when cloning expression
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 860e874290fb3be08e966c9c8ffc510c5b0f2bd8 ]
+
+If the ruleset contains last timestamps, restore them accordingly.
+Otherwise, listing after restoration shows never used items.
+
+Fixes: 33a24de37e81 ("netfilter: nft_last: move stateful fields out of expression data")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_last.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nft_last.c b/net/netfilter/nft_last.c
+index bb15a55dad5c0..eaa54964cf23c 100644
+--- a/net/netfilter/nft_last.c
++++ b/net/netfilter/nft_last.c
+@@ -104,11 +104,15 @@ static void nft_last_destroy(const struct nft_ctx *ctx,
+ static int nft_last_clone(struct nft_expr *dst, const struct nft_expr *src)
+ {
+       struct nft_last_priv *priv_dst = nft_expr_priv(dst);
++      struct nft_last_priv *priv_src = nft_expr_priv(src);
+       priv_dst->last = kzalloc(sizeof(*priv_dst->last), GFP_ATOMIC);
+       if (!priv_dst->last)
+               return -ENOMEM;
++      priv_dst->last->set = priv_src->last->set;
++      priv_dst->last->jiffies = priv_src->last->jiffies;
++
+       return 0;
+ }
+-- 
+2.39.2
+
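Review bot: The two added assignments in `nft_last_clone()` read `priv_src->last->set` and `priv_src->last->jiffies` with plain loads and dereference `priv_src->last` unchecked. Whether the source expression can still be updated by packet evaluation during the clone is not visible in this hunk. If it can, marked accesses would keep the copy free of a data race: `priv_dst->last->jiffies = READ_ONCE(priv_src->last->jiffies);`, and likewise for `set`. A short comment that a clone source is always fully initialised would justify the unchecked dereference.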
diff --git a/queue-6.1/netfilter-nft_quota-copy-content-when-cloning-expres.patch b/queue-6.1/netfilter-nft_quota-copy-content-when-cloning-expres.patch
new file mode 100644 (file)
index 0000000..22ee904
--- /dev/null
@@ -0,0 +1,46 @@
+From 76f85dbdf24f33d1ee17df73eb62fda5fb315193 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Feb 2023 20:43:02 +0100
+Subject: netfilter: nft_quota: copy content when cloning expression
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit aabef97a35160461e9c576848ded737558d89055 ]
+
+If the ruleset contains consumed quota, restore them accordingly.
+Otherwise, listing after restoration shows never used items.
+
+Restore the user-defined quota and flags too.
+
+Fixes: ed0a0c60f0e5 ("netfilter: nft_quota: move stateful fields out of expression data")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_quota.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c
+index e6b0df68feeaf..410a5fcf88309 100644
+--- a/net/netfilter/nft_quota.c
++++ b/net/netfilter/nft_quota.c
+@@ -235,12 +235,16 @@ static void nft_quota_destroy(const struct nft_ctx *ctx,
+ static int nft_quota_clone(struct nft_expr *dst, const struct nft_expr *src)
+ {
+       struct nft_quota *priv_dst = nft_expr_priv(dst);
++      struct nft_quota *priv_src = nft_expr_priv(src);
++
++      priv_dst->quota = priv_src->quota;
++      priv_dst->flags = priv_src->flags;
+       priv_dst->consumed = kmalloc(sizeof(*priv_dst->consumed), GFP_ATOMIC);
+       if (!priv_dst->consumed)
+               return -ENOMEM;
+-      atomic64_set(priv_dst->consumed, 0);
++      *priv_dst->consumed = *priv_src->consumed;
+       return 0;
+ }
+-- 
+2.39.2
+
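Review bot: `*priv_dst->consumed = *priv_src->consumed;` in `nft_quota_clone()` copies the counter by plain struct assignment, although the removed `atomic64_set()` line shows `consumed` is an `atomic64_t`. If the source counter can be updated concurrently (not visible in this hunk), the plain read can tear on architectures without native 64-bit loads. Using the accessor pair avoids that: `atomic64_set(priv_dst->consumed, atomic64_read(priv_src->consumed));`. The same question applies to `priv_dst->quota = priv_src->quota;` if `quota` is also an atomic type, which the hunk does not show.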
diff --git a/queue-6.1/netfilter-tproxy-fix-deadlock-due-to-missing-bh-disa.patch b/queue-6.1/netfilter-tproxy-fix-deadlock-due-to-missing-bh-disa.patch
new file mode 100644 (file)
index 0000000..3e019af
--- /dev/null
@@ -0,0 +1,83 @@
+From d3a1affa4540ecfabcb6a7a506757861d43f1762 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Mar 2023 10:58:56 +0100
+Subject: netfilter: tproxy: fix deadlock due to missing BH disable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 4a02426787bf024dafdb79b362285ee325de3f5e ]
+
+The xtables packet traverser performs an unconditional local_bh_disable(),
+but the nf_tables evaluation loop does not.
+
+Functions that are called from either xtables or nftables must assume
+that they can be called in process context.
+
+inet_twsk_deschedule_put() assumes that no softirq interrupt can occur.
+If tproxy is used from nf_tables its possible that we'll deadlock
+trying to aquire a lock already held in process context.
+
+Add a small helper that takes care of this and use it.
+
+Link: https://lore.kernel.org/netfilter-devel/401bd6ed-314a-a196-1cdc-e13c720cc8f2@balasys.hu/
+Fixes: 4ed8eb6570a4 ("netfilter: nf_tables: Add native tproxy support")
+Reported-and-tested-by: Major Dávid <major.david@balasys.hu>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_tproxy.h   | 7 +++++++
+ net/ipv4/netfilter/nf_tproxy_ipv4.c | 2 +-
+ net/ipv6/netfilter/nf_tproxy_ipv6.c | 2 +-
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tproxy.h b/include/net/netfilter/nf_tproxy.h
+index 82d0e41b76f22..faa108b1ba675 100644
+--- a/include/net/netfilter/nf_tproxy.h
++++ b/include/net/netfilter/nf_tproxy.h
+@@ -17,6 +17,13 @@ static inline bool nf_tproxy_sk_is_transparent(struct sock *sk)
+       return false;
+ }
++static inline void nf_tproxy_twsk_deschedule_put(struct inet_timewait_sock *tw)
++{
++      local_bh_disable();
++      inet_twsk_deschedule_put(tw);
++      local_bh_enable();
++}
++
+ /* assign a socket to the skb -- consumes sk */
+ static inline void nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk)
+ {
+diff --git a/net/ipv4/netfilter/nf_tproxy_ipv4.c b/net/ipv4/netfilter/nf_tproxy_ipv4.c
+index b22b2c745c76c..69e3317996043 100644
+--- a/net/ipv4/netfilter/nf_tproxy_ipv4.c
++++ b/net/ipv4/netfilter/nf_tproxy_ipv4.c
+@@ -38,7 +38,7 @@ nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff *skb,
+                                           hp->source, lport ? lport : hp->dest,
+                                           skb->dev, NF_TPROXY_LOOKUP_LISTENER);
+               if (sk2) {
+-                      inet_twsk_deschedule_put(inet_twsk(sk));
++                      nf_tproxy_twsk_deschedule_put(inet_twsk(sk));
+                       sk = sk2;
+               }
+       }
+diff --git a/net/ipv6/netfilter/nf_tproxy_ipv6.c b/net/ipv6/netfilter/nf_tproxy_ipv6.c
+index 929502e51203b..52f828bb5a83d 100644
+--- a/net/ipv6/netfilter/nf_tproxy_ipv6.c
++++ b/net/ipv6/netfilter/nf_tproxy_ipv6.c
+@@ -63,7 +63,7 @@ nf_tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff,
+                                           lport ? lport : hp->dest,
+                                           skb->dev, NF_TPROXY_LOOKUP_LISTENER);
+               if (sk2) {
+-                      inet_twsk_deschedule_put(inet_twsk(sk));
++                      nf_tproxy_twsk_deschedule_put(inet_twsk(sk));
+                       sk = sk2;
+               }
+       }
+-- 
+2.39.2
+
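Review bot: The new helper `nf_tproxy_twsk_deschedule_put()` in nf_tproxy.h has no comment, so the reason for the `local_bh_disable()`/`local_bh_enable()` pair is only in the commit message. A later cleanup could easily fold the wrapper back into a direct `inet_twsk_deschedule_put()` call and reintroduce the deadlock. I would add `/* callers may run in process context (nf_tables); inet_twsk_deschedule_put() assumes softirqs cannot interrupt it */` above the function. Both call sites, in `nf_tproxy_handle_time_wait4()` and `nf_tproxy_handle_time_wait6()`, sit in functions that start and end outside their hunks.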
diff --git a/queue-6.1/nfc-fdp-add-null-check-of-devm_kmalloc_array-in-fdp_.patch b/queue-6.1/nfc-fdp-add-null-check-of-devm_kmalloc_array-in-fdp_.patch
new file mode 100644 (file)
index 0000000..816271e
--- /dev/null
@@ -0,0 +1,49 @@
+From ffb5596b75a509dcf9336b1a9bf576a0a2d4792f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 17:30:37 +0800
+Subject: nfc: fdp: add null check of devm_kmalloc_array in
+ fdp_nci_i2c_read_device_properties
+
+From: Kang Chen <void0red@gmail.com>
+
+[ Upstream commit 11f180a5d62a51b484e9648f9b310e1bd50b1a57 ]
+
+devm_kmalloc_array may fails, *fw_vsc_cfg might be null and cause
+out-of-bounds write in device_property_read_u8_array later.
+
+Fixes: a06347c04c13 ("NFC: Add Intel Fields Peak NFC solution driver")
+Signed-off-by: Kang Chen <void0red@gmail.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230227093037.907654-1-void0red@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/fdp/i2c.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c
+index 2d53e0f88d2f9..1e0f2297f9c66 100644
+--- a/drivers/nfc/fdp/i2c.c
++++ b/drivers/nfc/fdp/i2c.c
+@@ -247,6 +247,9 @@ static void fdp_nci_i2c_read_device_properties(struct device *dev,
+                                          len, sizeof(**fw_vsc_cfg),
+                                          GFP_KERNEL);
++              if (!*fw_vsc_cfg)
++                      goto alloc_err;
++
+               r = device_property_read_u8_array(dev, FDP_DP_FW_VSC_CFG_NAME,
+                                                 *fw_vsc_cfg, len);
+@@ -260,6 +263,7 @@ static void fdp_nci_i2c_read_device_properties(struct device *dev,
+               *fw_vsc_cfg = NULL;
+       }
++alloc_err:
+       dev_dbg(dev, "Clock type: %d, clock frequency: %d, VSC: %s",
+               *clock_type, *clock_freq, *fw_vsc_cfg != NULL ? "yes" : "no");
+ }
+-- 
+2.39.2
+
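Review bot: The added NULL check in `fdp_nci_i2c_read_device_properties()` jumps to `alloc_err`, which only reaches the existing `dev_dbg()` line. As the function returns void, an allocation failure looks to the caller exactly like a missing property, with `*fw_vsc_cfg` left NULL. That is a reasonable fallback but it is not stated anywhere. A comment at the check would help, such as `/* allocation failed: carry on without a VSC config, as if the property were absent */`. The function starts before the first hunk, so the earlier error labels are not visible here.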
diff --git a/queue-6.1/nfsd-protect-against-filesystem-freezing.patch b/queue-6.1/nfsd-protect-against-filesystem-freezing.patch
new file mode 100644 (file)
index 0000000..f8ef9a4
--- /dev/null
@@ -0,0 +1,42 @@
+From 7a4fd97c533e8f53d7ee04116df69b1c2cbf4bec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 10:43:47 -0500
+Subject: NFSD: Protect against filesystem freezing
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit fd9a2e1d513823e840960cb3bc26d8b7749d4ac2 ]
+
+Flole observes this WARNING on occasion:
+
+[1210423.486503] WARNING: CPU: 8 PID: 1524732 at fs/ext4/ext4_jbd2.c:75 ext4_journal_check_start+0x68/0xb0
+
+Reported-by: <flole@flole.de>
+Suggested-by: Jan Kara <jack@suse.cz>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217123
+Fixes: 73da852e3831 ("nfsd: use vfs_iter_read/write")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/vfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
+index 0d49c6bb22eb1..59f9a8cee012a 100644
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -1037,7 +1037,9 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct nfsd_file *nf,
+       since = READ_ONCE(file->f_wb_err);
+       if (verf)
+               nfsd_copy_write_verifier(verf, nn);
++      file_start_write(file);
+       host_err = vfs_iter_write(file, &iter, &pos, flags);
++      file_end_write(file);
+       if (host_err < 0) {
+               nfsd_reset_write_verifier(nn);
+               trace_nfsd_writeverf_reset(nn, rqstp, host_err);
+-- 
+2.39.2
+
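Review bot: The `file_start_write()`/`file_end_write()` pair added around `vfs_iter_write()` in `nfsd_vfs_write()` is uncommented, and the commit message shows only the ext4 WARNING rather than the reasoning. Going by the subject line, the pair is there to hold freeze protection for the duration of the write. A comment such as `/* take freeze protection: vfs_iter_write() does not, and the write must not start on a frozen filesystem */` would stop the calls being removed as redundant; the claim about `vfs_iter_write()` should be confirmed against its definition, which is not in this hunk. `nfsd_vfs_write()` begins and ends outside the hunk.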
diff --git a/queue-6.1/octeontx2-af-unlock-contexts-in-the-queue-context-ca.patch b/queue-6.1/octeontx2-af-unlock-contexts-in-the-queue-context-ca.patch
new file mode 100644 (file)
index 0000000..15baa51
--- /dev/null
@@ -0,0 +1,229 @@
+From c4caebee531663b7ebd324b352391d64caeb119a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 16:19:08 +0530
+Subject: octeontx2-af: Unlock contexts in the queue context cache in case of
+ fault detection
+
+From: Suman Ghosh <sumang@marvell.com>
+
+[ Upstream commit ea9dd2e5c6d12c8b65ce7514c8359a70eeaa0e70 ]
+
+NDC caches contexts of frequently used queue's (Rx and Tx queues)
+contexts. Due to a HW errata when NDC detects fault/poision while
+accessing contexts it could go into an illegal state where a cache
+line could get locked forever. To makesure all cache lines in NDC
+are available for optimum performance upon fault/lockerror/posion
+errors scan through all cache lines in NDC and clear the lock bit.
+
+Fixes: 4a3581cd5995 ("octeontx2-af: NPA AQ instruction enqueue support")
+Signed-off-by: Suman Ghosh <sumang@marvell.com>
+Signed-off-by: Sunil Kovvuri Goutham <sgoutham@marvell.com>
+Signed-off-by: Sai Krishna <saikrishnag@marvell.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/marvell/octeontx2/af/rvu.h   |  5 ++
+ .../marvell/octeontx2/af/rvu_debugfs.c        |  7 +--
+ .../ethernet/marvell/octeontx2/af/rvu_nix.c   | 16 ++++-
+ .../ethernet/marvell/octeontx2/af/rvu_npa.c   | 58 ++++++++++++++++++-
+ .../ethernet/marvell/octeontx2/af/rvu_reg.h   |  3 +
+ 5 files changed, 82 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.h b/drivers/net/ethernet/marvell/octeontx2/af/rvu.h
+index 76474385a6027..b07c6f51b461b 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.h
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.h
+@@ -859,6 +859,9 @@ int rvu_cpt_lf_teardown(struct rvu *rvu, u16 pcifunc, int blkaddr, int lf,
+                       int slot);
+ int rvu_cpt_ctx_flush(struct rvu *rvu, u16 pcifunc);
++#define NDC_AF_BANK_MASK       GENMASK_ULL(7, 0)
++#define NDC_AF_BANK_LINE_MASK  GENMASK_ULL(31, 16)
++
+ /* CN10K RVU */
+ int rvu_set_channels_base(struct rvu *rvu);
+ void rvu_program_channels(struct rvu *rvu);
+@@ -874,6 +877,8 @@ static inline void rvu_dbg_init(struct rvu *rvu) {}
+ static inline void rvu_dbg_exit(struct rvu *rvu) {}
+ #endif
++int rvu_ndc_fix_locked_cacheline(struct rvu *rvu, int blkaddr);
++
+ /* RVU Switch */
+ void rvu_switch_enable(struct rvu *rvu);
+ void rvu_switch_disable(struct rvu *rvu);
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
+index f66dde2b0f926..abef0fd4259a3 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
+@@ -198,9 +198,6 @@ enum cpt_eng_type {
+       CPT_IE_TYPE = 3,
+ };
+-#define NDC_MAX_BANK(rvu, blk_addr) (rvu_read64(rvu, \
+-                                              blk_addr, NDC_AF_CONST) & 0xFF)
+-
+ #define rvu_dbg_NULL NULL
+ #define rvu_dbg_open_NULL NULL
+@@ -1448,6 +1445,7 @@ static int ndc_blk_hits_miss_stats(struct seq_file *s, int idx, int blk_addr)
+       struct nix_hw *nix_hw;
+       struct rvu *rvu;
+       int bank, max_bank;
++      u64 ndc_af_const;
+       if (blk_addr == BLKADDR_NDC_NPA0) {
+               rvu = s->private;
+@@ -1456,7 +1454,8 @@ static int ndc_blk_hits_miss_stats(struct seq_file *s, int idx, int blk_addr)
+               rvu = nix_hw->rvu;
+       }
+-      max_bank = NDC_MAX_BANK(rvu, blk_addr);
++      ndc_af_const = rvu_read64(rvu, blk_addr, NDC_AF_CONST);
++      max_bank = FIELD_GET(NDC_AF_BANK_MASK, ndc_af_const);
+       for (bank = 0; bank < max_bank; bank++) {
+               seq_printf(s, "BANK:%d\n", bank);
+               seq_printf(s, "\tHits:\t%lld\n",
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
+index a62c1b3220120..84f2ba53b8b68 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
+@@ -790,6 +790,7 @@ static int nix_aq_enqueue_wait(struct rvu *rvu, struct rvu_block *block,
+       struct nix_aq_res_s *result;
+       int timeout = 1000;
+       u64 reg, head;
++      int ret;
+       result = (struct nix_aq_res_s *)aq->res->base;
+@@ -813,9 +814,22 @@ static int nix_aq_enqueue_wait(struct rvu *rvu, struct rvu_block *block,
+                       return -EBUSY;
+       }
+-      if (result->compcode != NIX_AQ_COMP_GOOD)
++      if (result->compcode != NIX_AQ_COMP_GOOD) {
+               /* TODO: Replace this with some error code */
++              if (result->compcode == NIX_AQ_COMP_CTX_FAULT ||
++                  result->compcode == NIX_AQ_COMP_LOCKERR ||
++                  result->compcode == NIX_AQ_COMP_CTX_POISON) {
++                      ret = rvu_ndc_fix_locked_cacheline(rvu, BLKADDR_NDC_NIX0_RX);
++                      ret |= rvu_ndc_fix_locked_cacheline(rvu, BLKADDR_NDC_NIX0_TX);
++                      ret |= rvu_ndc_fix_locked_cacheline(rvu, BLKADDR_NDC_NIX1_RX);
++                      ret |= rvu_ndc_fix_locked_cacheline(rvu, BLKADDR_NDC_NIX1_TX);
++                      if (ret)
++                              dev_err(rvu->dev,
++                                      "%s: Not able to unlock cachelines\n", __func__);
++              }
++
+               return -EBUSY;
++      }
+       return 0;
+ }
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npa.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npa.c
+index 70bd036ed76e4..4f5ca5ab13a40 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npa.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npa.c
+@@ -4,7 +4,7 @@
+  * Copyright (C) 2018 Marvell.
+  *
+  */
+-
++#include <linux/bitfield.h>
+ #include <linux/module.h>
+ #include <linux/pci.h>
+@@ -42,9 +42,18 @@ static int npa_aq_enqueue_wait(struct rvu *rvu, struct rvu_block *block,
+                       return -EBUSY;
+       }
+-      if (result->compcode != NPA_AQ_COMP_GOOD)
++      if (result->compcode != NPA_AQ_COMP_GOOD) {
+               /* TODO: Replace this with some error code */
++              if (result->compcode == NPA_AQ_COMP_CTX_FAULT ||
++                  result->compcode == NPA_AQ_COMP_LOCKERR ||
++                  result->compcode == NPA_AQ_COMP_CTX_POISON) {
++                      if (rvu_ndc_fix_locked_cacheline(rvu, BLKADDR_NDC_NPA0))
++                              dev_err(rvu->dev,
++                                      "%s: Not able to unlock cachelines\n", __func__);
++              }
++
+               return -EBUSY;
++      }
+       return 0;
+ }
+@@ -545,3 +554,48 @@ void rvu_npa_lf_teardown(struct rvu *rvu, u16 pcifunc, int npalf)
+       npa_ctx_free(rvu, pfvf);
+ }
++
++/* Due to an Hardware errata, in some corner cases, AQ context lock
++ * operations can result in a NDC way getting into an illegal state
++ * of not valid but locked.
++ *
++ * This API solves the problem by clearing the lock bit of the NDC block.
++ * The operation needs to be done for each line of all the NDC banks.
++ */
++int rvu_ndc_fix_locked_cacheline(struct rvu *rvu, int blkaddr)
++{
++      int bank, max_bank, line, max_line, err;
++      u64 reg, ndc_af_const;
++
++      /* Set the ENABLE bit(63) to '0' */
++      reg = rvu_read64(rvu, blkaddr, NDC_AF_CAMS_RD_INTERVAL);
++      rvu_write64(rvu, blkaddr, NDC_AF_CAMS_RD_INTERVAL, reg & GENMASK_ULL(62, 0));
++
++      /* Poll until the BUSY bits(47:32) are set to '0' */
++      err = rvu_poll_reg(rvu, blkaddr, NDC_AF_CAMS_RD_INTERVAL, GENMASK_ULL(47, 32), true);
++      if (err) {
++              dev_err(rvu->dev, "Timed out while polling for NDC CAM busy bits.\n");
++              return err;
++      }
++
++      ndc_af_const = rvu_read64(rvu, blkaddr, NDC_AF_CONST);
++      max_bank = FIELD_GET(NDC_AF_BANK_MASK, ndc_af_const);
++      max_line = FIELD_GET(NDC_AF_BANK_LINE_MASK, ndc_af_const);
++      for (bank = 0; bank < max_bank; bank++) {
++              for (line = 0; line < max_line; line++) {
++                      /* Check if 'cache line valid bit(63)' is not set
++                       * but 'cache line lock bit(60)' is set and on
++                       * success, reset the lock bit(60).
++                       */
++                      reg = rvu_read64(rvu, blkaddr,
++                                       NDC_AF_BANKX_LINEX_METADATA(bank, line));
++                      if (!(reg & BIT_ULL(63)) && (reg & BIT_ULL(60))) {
++                              rvu_write64(rvu, blkaddr,
++                                          NDC_AF_BANKX_LINEX_METADATA(bank, line),
++                                          reg & ~BIT_ULL(60));
++                      }
++              }
++      }
++
++      return 0;
++}
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_reg.h b/drivers/net/ethernet/marvell/octeontx2/af/rvu_reg.h
+index 0e0d536645ac7..39f7a7cb27558 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_reg.h
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_reg.h
+@@ -690,6 +690,7 @@
+ #define NDC_AF_INTR_ENA_W1S           (0x00068)
+ #define NDC_AF_INTR_ENA_W1C           (0x00070)
+ #define NDC_AF_ACTIVE_PC              (0x00078)
++#define NDC_AF_CAMS_RD_INTERVAL               (0x00080)
+ #define NDC_AF_BP_TEST_ENABLE         (0x001F8)
+ #define NDC_AF_BP_TEST(a)             (0x00200 | (a) << 3)
+ #define NDC_AF_BLK_RST                        (0x002F0)
+@@ -705,6 +706,8 @@
+               (0x00F00 | (a) << 5 | (b) << 4)
+ #define NDC_AF_BANKX_HIT_PC(a)                (0x01000 | (a) << 3)
+ #define NDC_AF_BANKX_MISS_PC(a)               (0x01100 | (a) << 3)
++#define NDC_AF_BANKX_LINEX_METADATA(a, b) \
++              (0x10000 | (a) << 12 | (b) << 3)
+ /* LBK */
+ #define LBK_CONST                     (0x10ull)
+-- 
+2.39.2
+
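Review bot: `rvu_ndc_fix_locked_cacheline()` in rvu_npa.c clears ENABLE bit 63 of `NDC_AF_CAMS_RD_INTERVAL` and never writes it back, on either the timeout return or the success path. If the hardware does not re-arm that bit by itself, which should be checked against the hardware manual, periodic CAM reads stay disabled after the first fault. Keeping the value first read and finishing with `rvu_write64(rvu, blkaddr, NDC_AF_CAMS_RD_INTERVAL, orig);` would restore it, where `orig` is a new local holding that first read. The bare `BIT_ULL(63)`, `BIT_ULL(60)` and `GENMASK_ULL(47, 32)` would also read better as named masks beside `NDC_AF_BANK_MASK` in rvu.h. Separately, `nix_aq_enqueue_wait()` combines four return codes with `|=`, which is only safe because the result is tested for non-zero.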
diff --git a/queue-6.1/perf-stat-fix-counting-when-initial-delay-configured.patch b/queue-6.1/perf-stat-fix-counting-when-initial-delay-configured.patch
new file mode 100644 (file)
index 0000000..c0a8646
--- /dev/null
@@ -0,0 +1,178 @@
+From 086de55f818ebacf207803aff7a09c1b94e8c5c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Mar 2023 11:11:44 +0800
+Subject: perf stat: Fix counting when initial delay configured
+
+From: Changbin Du <changbin.du@huawei.com>
+
+[ Upstream commit 25f69c69bc3ca8c781a94473f28d443d745768e3 ]
+
+When creating counters with initial delay configured, the enable_on_exec
+field is not set. So we need to enable the counters later. The problem
+is, when a workload is specified the target__none() is true. So we also
+need to check stat_config.initial_delay.
+
+In this change, we add a new field 'initial_delay' for struct target
+which could be shared by other subcommands. And define
+target__enable_on_exec() which returns whether enable_on_exec should be
+set on normal cases.
+
+Before this fix the event is not counted:
+
+  $ ./perf stat -e instructions -D 100 sleep 2
+  Events disabled
+  Events enabled
+
+   Performance counter stats for 'sleep 2':
+
+       <not counted>      instructions
+
+         1.901661124 seconds time elapsed
+
+         0.001602000 seconds user
+         0.000000000 seconds sys
+
+After fix it works:
+
+  $ ./perf stat -e instructions -D 100 sleep 2
+  Events disabled
+  Events enabled
+
+   Performance counter stats for 'sleep 2':
+
+             404,214      instructions
+
+         1.901743475 seconds time elapsed
+
+         0.001617000 seconds user
+         0.000000000 seconds sys
+
+Fixes: c587e77e100fa40e ("perf stat: Do not delay the workload with --delay")
+Signed-off-by: Changbin Du <changbin.du@huawei.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Hui Wang <hw.huiwang@huawei.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20230302031146.2801588-2-changbin.du@huawei.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-stat.c | 15 +++++----------
+ tools/perf/util/stat.c    |  6 +-----
+ tools/perf/util/stat.h    |  1 -
+ tools/perf/util/target.h  | 12 ++++++++++++
+ 4 files changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c
+index 978fdc60b4e84..f6427e3a47421 100644
+--- a/tools/perf/builtin-stat.c
++++ b/tools/perf/builtin-stat.c
+@@ -528,12 +528,7 @@ static int enable_counters(void)
+                       return err;
+       }
+-      /*
+-       * We need to enable counters only if:
+-       * - we don't have tracee (attaching to task or cpu)
+-       * - we have initial delay configured
+-       */
+-      if (!target__none(&target)) {
++      if (!target__enable_on_exec(&target)) {
+               if (!all_counters_use_bpf)
+                       evlist__enable(evsel_list);
+       }
+@@ -906,7 +901,7 @@ static int __run_perf_stat(int argc, const char **argv, int run_idx)
+                       return err;
+       }
+-      if (stat_config.initial_delay) {
++      if (target.initial_delay) {
+               pr_info(EVLIST_DISABLED_MSG);
+       } else {
+               err = enable_counters();
+@@ -918,8 +913,8 @@ static int __run_perf_stat(int argc, const char **argv, int run_idx)
+       if (forks)
+               evlist__start_workload(evsel_list);
+-      if (stat_config.initial_delay > 0) {
+-              usleep(stat_config.initial_delay * USEC_PER_MSEC);
++      if (target.initial_delay > 0) {
++              usleep(target.initial_delay * USEC_PER_MSEC);
+               err = enable_counters();
+               if (err)
+                       return -1;
+@@ -1243,7 +1238,7 @@ static struct option stat_options[] = {
+                    "aggregate counts per thread", AGGR_THREAD),
+       OPT_SET_UINT(0, "per-node", &stat_config.aggr_mode,
+                    "aggregate counts per numa node", AGGR_NODE),
+-      OPT_INTEGER('D', "delay", &stat_config.initial_delay,
++      OPT_INTEGER('D', "delay", &target.initial_delay,
+                   "ms to wait before starting measurement after program start (-1: start with events disabled)"),
+       OPT_CALLBACK_NOOPT(0, "metric-only", &stat_config.metric_only, NULL,
+                       "Only print computed metrics. No raw values", enable_metric_only),
+diff --git a/tools/perf/util/stat.c b/tools/perf/util/stat.c
+index 8ec8bb4a99129..b63b3a3129919 100644
+--- a/tools/perf/util/stat.c
++++ b/tools/perf/util/stat.c
+@@ -583,11 +583,7 @@ int create_perf_stat_counter(struct evsel *evsel,
+       if (evsel__is_group_leader(evsel)) {
+               attr->disabled = 1;
+-              /*
+-               * In case of initial_delay we enable tracee
+-               * events manually.
+-               */
+-              if (target__none(target) && !config->initial_delay)
++              if (target__enable_on_exec(target))
+                       attr->enable_on_exec = 1;
+       }
+diff --git a/tools/perf/util/stat.h b/tools/perf/util/stat.h
+index 35c940d7f29cd..05c5125d7f419 100644
+--- a/tools/perf/util/stat.h
++++ b/tools/perf/util/stat.h
+@@ -145,7 +145,6 @@ struct perf_stat_config {
+       FILE                    *output;
+       unsigned int             interval;
+       unsigned int             timeout;
+-      int                      initial_delay;
+       unsigned int             unit_width;
+       unsigned int             metric_only_len;
+       int                      times;
+diff --git a/tools/perf/util/target.h b/tools/perf/util/target.h
+index daec6cba500d4..880f1af7f6ad6 100644
+--- a/tools/perf/util/target.h
++++ b/tools/perf/util/target.h
+@@ -18,6 +18,7 @@ struct target {
+       bool         per_thread;
+       bool         use_bpf;
+       bool         hybrid;
++      int          initial_delay;
+       const char   *attr_map;
+ };
+@@ -72,6 +73,17 @@ static inline bool target__none(struct target *target)
+       return !target__has_task(target) && !target__has_cpu(target);
+ }
++static inline bool target__enable_on_exec(struct target *target)
++{
++      /*
++       * Normally enable_on_exec should be set if:
++       *  1) The tracee process is forked (not attaching to existed task or cpu).
++       *  2) And initial_delay is not configured.
++       * Otherwise, we enable tracee events manually.
++       */
++      return target__none(target) && !target->initial_delay;
++}
++
+ static inline bool target__has_per_thread(struct target *target)
+ {
+       return target->system_wide && target->per_thread;
+-- 
+2.39.2
+
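Review bot: The new `initial_delay` member of `struct target` in tools/perf/util/target.h carries no comment, although the field is now shared and its encoding is not obvious. The `-D` help text in builtin-stat.c gives the unit as milliseconds with -1 meaning "start with events disabled", and `target__enable_on_exec()` treats any non-zero value, including -1, as "delay configured". I would record that on the field, e.g. `int initial_delay; /* ms before enabling events; -1: start disabled, 0: no delay */`. struct target begins outside the hunk.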
diff --git a/queue-6.1/platform-mellanox-select-regmap-instead-of-depending.patch b/queue-6.1/platform-mellanox-select-regmap-instead-of-depending.patch
new file mode 100644 (file)
index 0000000..172c43b
--- /dev/null
@@ -0,0 +1,89 @@
+From c2d957ac66946ffd9b60bb5c63c9ce854bed3396 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Feb 2023 21:39:50 -0800
+Subject: platform: mellanox: select REGMAP instead of depending on it
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 03f5eb300ad1241f854269a3e521b119189a4493 ]
+
+REGMAP is a hidden (not user visible) symbol. Users cannot set it
+directly thru "make *config", so drivers should select it instead of
+depending on it if they need it.
+
+Consistently using "select" or "depends on" can also help reduce
+Kconfig circular dependency issues.
+
+Therefore, change the use of "depends on REGMAP" to "select REGMAP".
+
+For NVSW_SN2201, select REGMAP_I2C instead of depending on it.
+
+Fixes: c6acad68eb2d ("platform/mellanox: mlxreg-hotplug: Modify to use a regmap interface")
+Fixes: 5ec4a8ace06c ("platform/mellanox: Introduce support for Mellanox register access driver")
+Fixes: 62f9529b8d5c ("platform/mellanox: mlxreg-lc: Add initial support for Nvidia line card devices")
+Fixes: 662f24826f95 ("platform/mellanox: Add support for new SN2201 system")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Darren Hart <dvhart@infradead.org>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Cc: Michael Shych <michaelsh@nvidia.com>
+Cc: Mark Gross <markgross@kernel.org>
+Cc: Vadim Pasternak <vadimp@nvidia.com>
+Cc: platform-driver-x86@vger.kernel.org
+Link: https://lore.kernel.org/r/20230226053953.4681-6-rdunlap@infradead.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/Kconfig | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/platform/mellanox/Kconfig b/drivers/platform/mellanox/Kconfig
+index 09c7829e95c4b..382793e73a60a 100644
+--- a/drivers/platform/mellanox/Kconfig
++++ b/drivers/platform/mellanox/Kconfig
+@@ -16,17 +16,17 @@ if MELLANOX_PLATFORM
+ config MLXREG_HOTPLUG
+       tristate "Mellanox platform hotplug driver support"
+-      depends on REGMAP
+       depends on HWMON
+       depends on I2C
++      select REGMAP
+       help
+         This driver handles hot-plug events for the power suppliers, power
+         cables and fans on the wide range Mellanox IB and Ethernet systems.
+ config MLXREG_IO
+       tristate "Mellanox platform register access driver support"
+-      depends on REGMAP
+       depends on HWMON
++      select REGMAP
+       help
+         This driver allows access to Mellanox programmable device register
+         space through sysfs interface. The sets of registers for sysfs access
+@@ -36,9 +36,9 @@ config MLXREG_IO
+ config MLXREG_LC
+       tristate "Mellanox line card platform driver support"
+-      depends on REGMAP
+       depends on HWMON
+       depends on I2C
++      select REGMAP
+       help
+         This driver provides support for the Mellanox MSN4800-XX line cards,
+         which are the part of MSN4800 Ethernet modular switch systems
+@@ -80,10 +80,9 @@ config MLXBF_PMC
+ config NVSW_SN2201
+       tristate "Nvidia SN2201 platform driver support"
+-      depends on REGMAP
+       depends on HWMON
+       depends on I2C
+-      depends on REGMAP_I2C
++      select REGMAP_I2C
+       help
+         This driver provides support for the Nvidia SN2201 platform.
+         The SN2201 is a highly integrated for one rack unit system with
+-- 
+2.39.2
+
diff --git a/queue-6.1/platform-x86-mlx_platform-select-regmap-instead-of-d.patch b/queue-6.1/platform-x86-mlx_platform-select-regmap-instead-of-d.patch
new file mode 100644 (file)
index 0000000..96c5fb6
--- /dev/null
@@ -0,0 +1,50 @@
+From d1a45b1a1ab31c379b5991e78448fb36b48d9164 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Feb 2023 21:39:51 -0800
+Subject: platform: x86: MLX_PLATFORM: select REGMAP instead of depending on it
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 7e7e1541c91615e9950d0b96bcd1806d297e970e ]
+
+REGMAP is a hidden (not user visible) symbol. Users cannot set it
+directly thru "make *config", so drivers should select it instead of
+depending on it if they need it.
+
+Consistently using "select" or "depends on" can also help reduce
+Kconfig circular dependency issues.
+
+Therefore, change the use of "depends on REGMAP" to "select REGMAP".
+
+Fixes: ef0f62264b2a ("platform/x86: mlx-platform: Add physical bus number auto detection")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Vadim Pasternak <vadimp@mellanox.com>
+Cc: Darren Hart <dvhart@infradead.org>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Cc: Mark Gross <markgross@kernel.org>
+Cc: platform-driver-x86@vger.kernel.org
+Link: https://lore.kernel.org/r/20230226053953.4681-7-rdunlap@infradead.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig
+index f5312f51de19f..b02a8125bc7d5 100644
+--- a/drivers/platform/x86/Kconfig
++++ b/drivers/platform/x86/Kconfig
+@@ -997,7 +997,8 @@ config SERIAL_MULTI_INSTANTIATE
+ config MLX_PLATFORM
+       tristate "Mellanox Technologies platform support"
+-      depends on I2C && REGMAP
++      depends on I2C
++      select REGMAP
+       help
+         This option enables system support for the Mellanox Technologies
+         platform. The Mellanox systems provide data center networking
+-- 
+2.39.2
+
diff --git a/queue-6.1/powerpc-boot-don-t-always-pass-mcpu-powerpc-when-bui.patch b/queue-6.1/powerpc-boot-don-t-always-pass-mcpu-powerpc-when-bui.patch
new file mode 100644 (file)
index 0000000..f9a59bc
--- /dev/null
@@ -0,0 +1,68 @@
+From 16653e56716d799166f4e6d8bb2be304ef74ed18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jan 2023 08:39:00 +0100
+Subject: powerpc/boot: Don't always pass -mcpu=powerpc when building 32-bit
+ uImage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit ff7c76f66d8bad4e694c264c789249e1d3a8205d ]
+
+When CONFIG_TARGET_CPU is specified then pass its value to the compiler
+-mcpu option. This fixes following build error when building kernel with
+powerpc e500 SPE capable cross compilers:
+
+    BOOTAS  arch/powerpc/boot/crt0.o
+  powerpc-linux-gnuspe-gcc: error: unrecognized argument in option â€˜-mcpu=powerpc’
+  powerpc-linux-gnuspe-gcc: note: valid arguments to â€˜-mcpu=’ are: 8540 8548 native
+  make[1]: *** [arch/powerpc/boot/Makefile:231: arch/powerpc/boot/crt0.o] Error 1
+
+Similar change was already introduced for the main powerpc Makefile in
+commit 446cda1b21d9 ("powerpc/32: Don't always pass -mcpu=powerpc to the
+compiler").
+
+Fixes: 40a75584e526 ("powerpc/boot: Build wrapper for an appropriate CPU")
+Cc: stable@vger.kernel.org # v5.19+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/2ae3ae5887babfdacc34435bff0944b3f336100a.1674632329.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/Makefile | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/boot/Makefile b/arch/powerpc/boot/Makefile
+index d32d95aea5d6f..295f76df13b55 100644
+--- a/arch/powerpc/boot/Makefile
++++ b/arch/powerpc/boot/Makefile
+@@ -39,13 +39,19 @@ BOOTCFLAGS    := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
+                $(LINUXINCLUDE)
+ ifdef CONFIG_PPC64_BOOT_WRAPPER
+-ifdef CONFIG_CPU_LITTLE_ENDIAN
+-BOOTCFLAGS    += -m64 -mcpu=powerpc64le
++BOOTCFLAGS    += -m64
+ else
+-BOOTCFLAGS    += -m64 -mcpu=powerpc64
++BOOTCFLAGS    += -m32
+ endif
++
++ifdef CONFIG_TARGET_CPU_BOOL
++BOOTCFLAGS    += -mcpu=$(CONFIG_TARGET_CPU)
++else ifdef CONFIG_PPC64_BOOT_WRAPPER
++ifdef CONFIG_CPU_LITTLE_ENDIAN
++BOOTCFLAGS    += -mcpu=powerpc64le
+ else
+-BOOTCFLAGS    += -m32 -mcpu=powerpc
++BOOTCFLAGS    += -mcpu=powerpc64
++endif
+ endif
+ BOOTCFLAGS    += -isystem $(shell $(BOOTCC) -print-file-name=include)
+-- 
+2.39.2
+
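Review bot: A 32-bit wrapper built without CONFIG_TARGET_CPU_BOOL now gets no `-mcpu` at all, where it used to get `-mcpu=powerpc`; the `else ifdef CONFIG_PPC64_BOOT_WRAPPER` arm in arch/powerpc/boot/Makefile covers only the 64-bit case. That matches the commit title, but nothing in the Makefile says the fall-through is deliberate, so the wrapper is then built for whatever CPU the toolchain defaults to. A short comment above the block would record the intent, e.g. `# 32-bit without CONFIG_TARGET_CPU_BOOL: no -mcpu, the compiler default applies`.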
diff --git a/queue-6.1/powerpc-dts-t1040rdb-fix-compatible-string-for-rev-a.patch b/queue-6.1/powerpc-dts-t1040rdb-fix-compatible-string-for-rev-a.patch
new file mode 100644 (file)
index 0000000..114d7e1
--- /dev/null
@@ -0,0 +1,36 @@
+From 4e9f763224ed18ac24b398f1923bef6c4f546ab5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Feb 2023 17:59:39 +0200
+Subject: powerpc: dts: t1040rdb: fix compatible string for Rev A boards
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit ae44f1c9d1fc54aeceb335fedb1e73b2c3ee4561 ]
+
+It looks like U-Boot fails to start the kernel properly when the
+compatible string of the board isn't fsl,T1040RDB, so stop overriding it
+from the rev-a.dts.
+
+Fixes: 5ebb74749202 ("powerpc: dts: t1040rdb: fix ports names for Seville Ethernet switch")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/dts/fsl/t1040rdb-rev-a.dts | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/powerpc/boot/dts/fsl/t1040rdb-rev-a.dts b/arch/powerpc/boot/dts/fsl/t1040rdb-rev-a.dts
+index 73f8c998c64df..d4f5f159d6f23 100644
+--- a/arch/powerpc/boot/dts/fsl/t1040rdb-rev-a.dts
++++ b/arch/powerpc/boot/dts/fsl/t1040rdb-rev-a.dts
+@@ -10,7 +10,6 @@
+ / {
+       model = "fsl,T1040RDB-REV-A";
+-      compatible = "fsl,T1040RDB-REV-A";
+ };
+ &seville_port0 {
+-- 
+2.39.2
+
diff --git a/queue-6.1/risc-v-don-t-check-text_mutex-during-stop_machine.patch b/queue-6.1/risc-v-don-t-check-text_mutex-during-stop_machine.patch
new file mode 100644 (file)
index 0000000..5aea526
--- /dev/null
@@ -0,0 +1,161 @@
+From 58362747ffe4611eae1b034623fb9710ff0fba02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Mar 2023 14:37:55 +0000
+Subject: RISC-V: Don't check text_mutex during stop_machine
+
+From: Conor Dooley <conor.dooley@microchip.com>
+
+[ Upstream commit 2a8db5ec4a28a0fce822d10224db9471a44b6925 ]
+
+We're currently using stop_machine() to update ftrace & kprobes, which
+means that the thread that takes text_mutex during may not be the same
+as the thread that eventually patches the code.  This isn't actually a
+race because the lock is still held (preventing any other concurrent
+accesses) and there is only one thread running during stop_machine(),
+but it does trigger a lockdep failure.
+
+This patch just elides the lockdep check during stop_machine.
+
+Fixes: c15ac4fd60d5 ("riscv/ftrace: Add dynamic function tracer support")
+Suggested-by: Steven Rostedt <rostedt@goodmis.org>
+Reported-by: Changbin Du <changbin.du@gmail.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://lore.kernel.org/r/20230303143754.4005217-1-conor.dooley@microchip.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/ftrace.h |  2 +-
+ arch/riscv/include/asm/patch.h  |  2 ++
+ arch/riscv/kernel/ftrace.c      | 13 +++++++++++--
+ arch/riscv/kernel/patch.c       | 28 +++++++++++++++++++++++++---
+ 4 files changed, 39 insertions(+), 6 deletions(-)
+
+diff --git a/arch/riscv/include/asm/ftrace.h b/arch/riscv/include/asm/ftrace.h
+index 9e73922e1e2e5..d47d87c2d7e3d 100644
+--- a/arch/riscv/include/asm/ftrace.h
++++ b/arch/riscv/include/asm/ftrace.h
+@@ -109,6 +109,6 @@ int ftrace_init_nop(struct module *mod, struct dyn_ftrace *rec);
+ #define ftrace_init_nop ftrace_init_nop
+ #endif
+-#endif
++#endif /* CONFIG_DYNAMIC_FTRACE */
+ #endif /* _ASM_RISCV_FTRACE_H */
+diff --git a/arch/riscv/include/asm/patch.h b/arch/riscv/include/asm/patch.h
+index 9a7d7346001ee..98d9de07cba17 100644
+--- a/arch/riscv/include/asm/patch.h
++++ b/arch/riscv/include/asm/patch.h
+@@ -9,4 +9,6 @@
+ int patch_text_nosync(void *addr, const void *insns, size_t len);
+ int patch_text(void *addr, u32 insn);
++extern int riscv_patch_in_stop_machine;
++
+ #endif /* _ASM_RISCV_PATCH_H */
+diff --git a/arch/riscv/kernel/ftrace.c b/arch/riscv/kernel/ftrace.c
+index 5bff37af4770b..03a6434a8cdd0 100644
+--- a/arch/riscv/kernel/ftrace.c
++++ b/arch/riscv/kernel/ftrace.c
+@@ -15,10 +15,19 @@
+ void ftrace_arch_code_modify_prepare(void) __acquires(&text_mutex)
+ {
+       mutex_lock(&text_mutex);
++
++      /*
++       * The code sequences we use for ftrace can't be patched while the
++       * kernel is running, so we need to use stop_machine() to modify them
++       * for now.  This doesn't play nice with text_mutex, we use this flag
++       * to elide the check.
++       */
++      riscv_patch_in_stop_machine = true;
+ }
+ void ftrace_arch_code_modify_post_process(void) __releases(&text_mutex)
+ {
++      riscv_patch_in_stop_machine = false;
+       mutex_unlock(&text_mutex);
+ }
+@@ -107,9 +116,9 @@ int ftrace_init_nop(struct module *mod, struct dyn_ftrace *rec)
+ {
+       int out;
+-      ftrace_arch_code_modify_prepare();
++      mutex_lock(&text_mutex);
+       out = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
+-      ftrace_arch_code_modify_post_process();
++      mutex_unlock(&text_mutex);
+       return out;
+ }
+diff --git a/arch/riscv/kernel/patch.c b/arch/riscv/kernel/patch.c
+index 765004b605132..e099961453cca 100644
+--- a/arch/riscv/kernel/patch.c
++++ b/arch/riscv/kernel/patch.c
+@@ -11,6 +11,7 @@
+ #include <asm/kprobes.h>
+ #include <asm/cacheflush.h>
+ #include <asm/fixmap.h>
++#include <asm/ftrace.h>
+ #include <asm/patch.h>
+ struct patch_insn {
+@@ -19,6 +20,8 @@ struct patch_insn {
+       atomic_t cpu_count;
+ };
++int riscv_patch_in_stop_machine = false;
++
+ #ifdef CONFIG_MMU
+ /*
+  * The fix_to_virt(, idx) needs a const value (not a dynamic variable of
+@@ -59,8 +62,15 @@ static int patch_insn_write(void *addr, const void *insn, size_t len)
+        * Before reaching here, it was expected to lock the text_mutex
+        * already, so we don't need to give another lock here and could
+        * ensure that it was safe between each cores.
++       *
++       * We're currently using stop_machine() for ftrace & kprobes, and while
++       * that ensures text_mutex is held before installing the mappings it
++       * does not ensure text_mutex is held by the calling thread.  That's
++       * safe but triggers a lockdep failure, so just elide it for that
++       * specific case.
+        */
+-      lockdep_assert_held(&text_mutex);
++      if (!riscv_patch_in_stop_machine)
++              lockdep_assert_held(&text_mutex);
+       if (across_pages)
+               patch_map(addr + len, FIX_TEXT_POKE1);
+@@ -121,13 +131,25 @@ NOKPROBE_SYMBOL(patch_text_cb);
+ int patch_text(void *addr, u32 insn)
+ {
++      int ret;
+       struct patch_insn patch = {
+               .addr = addr,
+               .insn = insn,
+               .cpu_count = ATOMIC_INIT(0),
+       };
+-      return stop_machine_cpuslocked(patch_text_cb,
+-                                     &patch, cpu_online_mask);
++      /*
++       * kprobes takes text_mutex, before calling patch_text(), but as we call
++       * calls stop_machine(), the lockdep assertion in patch_insn_write()
++       * gets confused by the context in which the lock is taken.
++       * Instead, ensure the lock is held before calling stop_machine(), and
++       * set riscv_patch_in_stop_machine to skip the check in
++       * patch_insn_write().
++       */
++      lockdep_assert_held(&text_mutex);
++      riscv_patch_in_stop_machine = true;
++      ret = stop_machine_cpuslocked(patch_text_cb, &patch, cpu_online_mask);
++      riscv_patch_in_stop_machine = false;
++      return ret;
+ }
+ NOKPROBE_SYMBOL(patch_text);
+-- 
+2.39.2
+
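Review bot: `riscv_patch_in_stop_machine` is declared `int` in patch.h and defined as `int riscv_patch_in_stop_machine = false;` in patch.c, yet it is only assigned `true`/`false` and tested as a flag. `bool` states that directly: `extern bool riscv_patch_in_stop_machine;` and `bool riscv_patch_in_stop_machine;`. While the flag is set, `patch_insn_write()` skips `lockdep_assert_held(&text_mutex)` for every caller, so its comment should state that the flag may only be written with text_mutex held; both writers in this patch appear to do so. The new comment in `patch_text()` also reads "as we call calls stop_machine()". patch_insn_write() and patch_text() extend beyond their hunks.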
diff --git a/queue-6.1/riscv-add-header-include-guards-to-insn.h.patch b/queue-6.1/riscv-add-header-include-guards-to-insn.h.patch
new file mode 100644 (file)
index 0000000..bf4e8f8
--- /dev/null
@@ -0,0 +1,48 @@
+From 67a71e390c6ea75688cddbc79e2832d7d46eefe8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Jan 2023 17:42:42 +0800
+Subject: riscv: Add header include guards to insn.h
+
+From: Liao Chang <liaochang1@huawei.com>
+
+[ Upstream commit 8ac6e619d9d51b3eb5bae817db8aa94e780a0db4 ]
+
+Add header include guards to insn.h to prevent repeating declaration of
+any identifiers in insn.h.
+
+Fixes: edde5584c7ab ("riscv: Add SW single-step support for KDB")
+Signed-off-by: Liao Chang <liaochang1@huawei.com>
+Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
+Fixes: c9c1af3f186a ("RISC-V: rename parse_asm.h to insn.h")
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://lore.kernel.org/r/20230129094242.282620-1-liaochang1@huawei.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/parse_asm.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/riscv/include/asm/parse_asm.h b/arch/riscv/include/asm/parse_asm.h
+index f36368de839f5..3cd00332d70f5 100644
+--- a/arch/riscv/include/asm/parse_asm.h
++++ b/arch/riscv/include/asm/parse_asm.h
+@@ -3,6 +3,9 @@
+  * Copyright (C) 2020 SiFive
+  */
++#ifndef _ASM_RISCV_INSN_H
++#define _ASM_RISCV_INSN_H
++
+ #include <linux/bits.h>
+ /* The bit field of immediate value in I-type instruction */
+@@ -217,3 +220,5 @@ static inline bool is_ ## INSN_NAME ## _insn(long insn) \
+       (RVC_X(x_, RVC_B_IMM_5_OPOFF, RVC_B_IMM_5_MASK) << RVC_B_IMM_5_OFF) | \
+       (RVC_X(x_, RVC_B_IMM_7_6_OPOFF, RVC_B_IMM_7_6_MASK) << RVC_B_IMM_7_6_OFF) | \
+       (RVC_IMM_SIGN(x_) << RVC_B_IMM_SIGN_OFF); })
++
++#endif /* _ASM_RISCV_INSN_H */
+-- 
+2.39.2
+
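Review bot: The guard added to arch/riscv/include/asm/parse_asm.h is named `_ASM_RISCV_INSN_H`, which follows the upstream file name in the subject line rather than the file patched in this tree. Headers touched by the RISC-V text_mutex patch in this queue name the guard after the file (`_ASM_RISCV_FTRACE_H`, `_ASM_RISCV_PATCH_H`). Here `#ifndef _ASM_RISCV_PARSE_ASM_H` / `#define _ASM_RISCV_PARSE_ASM_H` with a matching `#endif` comment would be consistent. It would also avoid a clash if a header named insn.h with the same guard is backported later. If the upstream name is kept to ease future backports, a one-line remark in the backport description would explain the mismatch.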
diff --git a/queue-6.1/riscv-use-read_once_nocheck-in-imprecise-unwinding-s.patch b/queue-6.1/riscv-use-read_once_nocheck-in-imprecise-unwinding-s.patch
new file mode 100644 (file)
index 0000000..d0bb10d
--- /dev/null
@@ -0,0 +1,99 @@
+From 319949b256112f4117a902f4dae42699716a0b62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 10:16:39 +0100
+Subject: riscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode
+
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+
+[ Upstream commit 76950340cf03b149412fe0d5f0810e52ac1df8cb ]
+
+When CONFIG_FRAME_POINTER is unset, the stack unwinding function
+walk_stackframe randomly reads the stack and then, when KASAN is enabled,
+it can lead to the following backtrace:
+
+[    0.000000] ==================================================================
+[    0.000000] BUG: KASAN: stack-out-of-bounds in walk_stackframe+0xa6/0x11a
+[    0.000000] Read of size 8 at addr ffffffff81807c40 by task swapper/0
+[    0.000000]
+[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.2.0-12919-g24203e6db61f #43
+[    0.000000] Hardware name: riscv-virtio,qemu (DT)
+[    0.000000] Call Trace:
+[    0.000000] [<ffffffff80007ba8>] walk_stackframe+0x0/0x11a
+[    0.000000] [<ffffffff80099ecc>] init_param_lock+0x26/0x2a
+[    0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
+[    0.000000] [<ffffffff80c49c80>] dump_stack_lvl+0x22/0x36
+[    0.000000] [<ffffffff80c3783e>] print_report+0x198/0x4a8
+[    0.000000] [<ffffffff80099ecc>] init_param_lock+0x26/0x2a
+[    0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
+[    0.000000] [<ffffffff8015f68a>] kasan_report+0x9a/0xc8
+[    0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
+[    0.000000] [<ffffffff80007c4a>] walk_stackframe+0xa2/0x11a
+[    0.000000] [<ffffffff8006e99c>] desc_make_final+0x80/0x84
+[    0.000000] [<ffffffff8009a04e>] stack_trace_save+0x88/0xa6
+[    0.000000] [<ffffffff80099fc2>] filter_irq_stacks+0x72/0x76
+[    0.000000] [<ffffffff8006b95e>] devkmsg_read+0x32a/0x32e
+[    0.000000] [<ffffffff8015ec16>] kasan_save_stack+0x28/0x52
+[    0.000000] [<ffffffff8006e998>] desc_make_final+0x7c/0x84
+[    0.000000] [<ffffffff8009a04a>] stack_trace_save+0x84/0xa6
+[    0.000000] [<ffffffff8015ec52>] kasan_set_track+0x12/0x20
+[    0.000000] [<ffffffff8015f22e>] __kasan_slab_alloc+0x58/0x5e
+[    0.000000] [<ffffffff8015e7ea>] __kmem_cache_create+0x21e/0x39a
+[    0.000000] [<ffffffff80e133ac>] create_boot_cache+0x70/0x9c
+[    0.000000] [<ffffffff80e17ab2>] kmem_cache_init+0x6c/0x11e
+[    0.000000] [<ffffffff80e00fd6>] mm_init+0xd8/0xfe
+[    0.000000] [<ffffffff80e011d8>] start_kernel+0x190/0x3ca
+[    0.000000]
+[    0.000000] The buggy address belongs to stack of task swapper/0
+[    0.000000]  and is located at offset 0 in frame:
+[    0.000000]  stack_trace_save+0x0/0xa6
+[    0.000000]
+[    0.000000] This frame has 1 object:
+[    0.000000]  [32, 56) 'c'
+[    0.000000]
+[    0.000000] The buggy address belongs to the physical page:
+[    0.000000] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x81a07
+[    0.000000] flags: 0x1000(reserved|zone=0)
+[    0.000000] raw: 0000000000001000 ff600003f1e3d150 ff600003f1e3d150 0000000000000000
+[    0.000000] raw: 0000000000000000 0000000000000000 00000001ffffffff
+[    0.000000] page dumped because: kasan: bad access detected
+[    0.000000]
+[    0.000000] Memory state around the buggy address:
+[    0.000000]  ffffffff81807b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[    0.000000]  ffffffff81807b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[    0.000000] >ffffffff81807c00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3
+[    0.000000]                                            ^
+[    0.000000]  ffffffff81807c80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
+[    0.000000]  ffffffff81807d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[    0.000000] ==================================================================
+
+Fix that by using READ_ONCE_NOCHECK when reading the stack in imprecise
+mode.
+
+Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly")
+Reported-by: Chathura Rajapaksha <chathura.abeyrathne.lk@gmail.com>
+Link: https://lore.kernel.org/all/CAD7mqryDQCYyJ1gAmtMm8SASMWAQ4i103ptTb0f6Oda=tPY2=A@mail.gmail.com/
+Suggested-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Link: https://lore.kernel.org/r/20230308091639.602024-1-alexghiti@rivosinc.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/stacktrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
+index 85cd5442d2f81..17d7383f201a5 100644
+--- a/arch/riscv/kernel/stacktrace.c
++++ b/arch/riscv/kernel/stacktrace.c
+@@ -92,7 +92,7 @@ void notrace walk_stackframe(struct task_struct *task,
+       while (!kstack_end(ksp)) {
+               if (__kernel_text_address(pc) && unlikely(!fn(arg, pc)))
+                       break;
+-              pc = (*ksp++) - 0x4;
++              pc = READ_ONCE_NOCHECK(*ksp++) - 0x4;
+       }
+ }
+-- 
+2.39.2
+
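Review bot: `READ_ONCE_NOCHECK(*ksp++)` in walk_stackframe() passes an expression with a side effect to a macro, so the single increment depends on the macro evaluating its argument exactly once. Splitting it keeps the loop correct however the macro is written: `pc = READ_ONCE_NOCHECK(*ksp) - 0x4;` followed by `ksp++;`. The line also deserves a why-comment, since the uninstrumented read is what silences the KASAN report quoted in the description, e.g. `/* imprecise unwind scans raw stack words; KASAN must not check these reads */`. walk_stackframe() starts outside the hunk.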
diff --git a/queue-6.1/scsi-core-remove-the-proc-scsi-proc_name-directory-e.patch b/queue-6.1/scsi-core-remove-the-proc-scsi-proc_name-directory-e.patch
new file mode 100644 (file)
index 0000000..f42388e
--- /dev/null
@@ -0,0 +1,79 @@
+From fe033a057ce3fc9b60e7cbe8285eea4a1ecce88f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Feb 2023 12:52:00 -0800
+Subject: scsi: core: Remove the /proc/scsi/${proc_name} directory earlier
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit fc663711b94468f4e1427ebe289c9f05669699c9 ]
+
+Remove the /proc/scsi/${proc_name} directory earlier to fix a race
+condition between unloading and reloading kernel modules. This fixes a bug
+introduced in 2009 by commit 77c019768f06 ("[SCSI] fix /proc memory leak in
+the SCSI core").
+
+Fix the following kernel warning:
+
+proc_dir_entry 'scsi/scsi_debug' already registered
+WARNING: CPU: 19 PID: 27986 at fs/proc/generic.c:376 proc_register+0x27d/0x2e0
+Call Trace:
+ proc_mkdir+0xb5/0xe0
+ scsi_proc_hostdir_add+0xb5/0x170
+ scsi_host_alloc+0x683/0x6c0
+ sdebug_driver_probe+0x6b/0x2d0 [scsi_debug]
+ really_probe+0x159/0x540
+ __driver_probe_device+0xdc/0x230
+ driver_probe_device+0x4f/0x120
+ __device_attach_driver+0xef/0x180
+ bus_for_each_drv+0xe5/0x130
+ __device_attach+0x127/0x290
+ device_initial_probe+0x17/0x20
+ bus_probe_device+0x110/0x130
+ device_add+0x673/0xc80
+ device_register+0x1e/0x30
+ sdebug_add_host_helper+0x1a7/0x3b0 [scsi_debug]
+ scsi_debug_init+0x64f/0x1000 [scsi_debug]
+ do_one_initcall+0xd7/0x470
+ do_init_module+0xe7/0x330
+ load_module+0x122a/0x12c0
+ __do_sys_finit_module+0x124/0x1a0
+ __x64_sys_finit_module+0x46/0x50
+ do_syscall_64+0x38/0x80
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+Link: https://lore.kernel.org/r/20230210205200.36973-3-bvanassche@acm.org
+Cc: Alan Stern <stern@rowland.harvard.edu>
+Cc: Yi Zhang <yi.zhang@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 77c019768f06 ("[SCSI] fix /proc memory leak in the SCSI core")
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hosts.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
+index 9857dba09c951..85e66574ec414 100644
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -181,6 +181,7 @@ void scsi_remove_host(struct Scsi_Host *shost)
+       scsi_forget_host(shost);
+       mutex_unlock(&shost->scan_mutex);
+       scsi_proc_host_rm(shost);
++      scsi_proc_hostdir_rm(shost->hostt);
+       /*
+        * New SCSI devices cannot be attached anymore because of the SCSI host
+@@ -340,6 +341,7 @@ static void scsi_host_dev_release(struct device *dev)
+       struct Scsi_Host *shost = dev_to_shost(dev);
+       struct device *parent = dev->parent;
++      /* In case scsi_remove_host() has not been called. */
+       scsi_proc_hostdir_rm(shost->hostt);
+       /* Wait for functions invoked through call_rcu(&scmd->rcu, ...) */
+-- 
+2.39.2
+
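Review bot: With this patch `scsi_proc_hostdir_rm(shost->hostt)` runs in scsi_remove_host() and again in scsi_host_dev_release() for the same host, and the new comment "In case scsi_remove_host() has not been called" does not make the second call conditional. The helper's body is not in the hunk; if it drops a per-template reference count, a host that went through scsi_remove_host() would decrement it twice and could tear down the /proc/scsi directory while another host of the same template still uses it. The release-path call should be limited to hosts that never reached scsi_remove_host(), for instance `if (shost->shost_state == SHOST_CREATED) scsi_proc_hostdir_rm(shost->hostt);`, assuming that state reliably identifies them. Both functions extend beyond their hunks.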
diff --git a/queue-6.1/scsi-megaraid_sas-update-max-supported-ld-ids-to-240.patch b/queue-6.1/scsi-megaraid_sas-update-max-supported-ld-ids-to-240.patch
new file mode 100644 (file)
index 0000000..43708b5
--- /dev/null
@@ -0,0 +1,60 @@
+From 673917e413f121c5bd09c769d1195eefb6182bfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Mar 2023 16:23:40 +0530
+Subject: scsi: megaraid_sas: Update max supported LD IDs to 240
+
+From: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+
+[ Upstream commit bfa659177dcba48cf13f2bd88c1972f12a60bf1c ]
+
+The firmware only supports Logical Disk IDs up to 240 and LD ID 255 (0xFF)
+is reserved for deleted LDs. However, in some cases, firmware was assigning
+LD ID 254 (0xFE) to deleted LDs and this was causing the driver to mark the
+wrong disk as deleted. This in turn caused the wrong disk device to be
+taken offline by the SCSI midlayer.
+
+To address this issue, limit the LD ID range from 255 to 240. This ensures
+the deleted LD ID is properly identified and removed by the driver without
+accidently deleting any valid LDs.
+
+Fixes: ae6874ba4b43 ("scsi: megaraid_sas: Early detection of VD deletion through RaidMap update")
+Reported-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+Signed-off-by: Sumit Saxena <sumit.saxena@broadcom.com>
+Link: https://lore.kernel.org/r/20230302105342.34933-2-chandrakanth.patil@broadcom.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/megaraid/megaraid_sas.h    | 2 ++
+ drivers/scsi/megaraid/megaraid_sas_fp.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/megaraid/megaraid_sas.h b/drivers/scsi/megaraid/megaraid_sas.h
+index 4919ea54b8277..2ef9d41fc6f42 100644
+--- a/drivers/scsi/megaraid/megaraid_sas.h
++++ b/drivers/scsi/megaraid/megaraid_sas.h
+@@ -1519,6 +1519,8 @@ struct megasas_ctrl_info {
+ #define MEGASAS_MAX_LD_IDS                    (MEGASAS_MAX_LD_CHANNELS * \
+                                               MEGASAS_MAX_DEV_PER_CHANNEL)
++#define MEGASAS_MAX_SUPPORTED_LD_IDS          240
++
+ #define MEGASAS_MAX_SECTORS                    (2*1024)
+ #define MEGASAS_MAX_SECTORS_IEEE              (2*128)
+ #define MEGASAS_DBG_LVL                               1
+diff --git a/drivers/scsi/megaraid/megaraid_sas_fp.c b/drivers/scsi/megaraid/megaraid_sas_fp.c
+index da1cad1ee1238..4463a538102ad 100644
+--- a/drivers/scsi/megaraid/megaraid_sas_fp.c
++++ b/drivers/scsi/megaraid/megaraid_sas_fp.c
+@@ -358,7 +358,7 @@ u8 MR_ValidateMapInfo(struct megasas_instance *instance, u64 map_id)
+               ld = MR_TargetIdToLdGet(i, drv_map);
+               /* For non existing VDs, iterate to next VD*/
+-              if (ld >= (MAX_LOGICAL_DRIVES_EXT - 1))
++              if (ld >= MEGASAS_MAX_SUPPORTED_LD_IDS)
+                       continue;
+               raid = MR_LdRaidGet(ld, drv_map);
+-- 
+2.39.2
+
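Review bot: The new `MEGASAS_MAX_SUPPORTED_LD_IDS` define in megaraid_sas.h is a bare 240 with no comment, directly below the similarly named `MEGASAS_MAX_LD_IDS`, so the two are easy to confuse. In MR_ValidateMapInfo() the test `ld >= MEGASAS_MAX_SUPPORTED_LD_IDS` is the only thing in the hunk that stops a firmware-supplied value from reaching `MR_LdRaidGet(ld, drv_map)`, so the define should say what it guards. I would add above it `/* LD IDs 0..239 are valid; firmware reports larger values (0xFE, 0xFF seen) for deleted LDs */`. The body of MR_ValidateMapInfo() continues outside the hunk, so other uses of `ld` in that loop could not be checked here.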
diff --git a/queue-6.1/scsi-sd-fix-wrong-zone_write_granularity-value-durin.patch b/queue-6.1/scsi-sd-fix-wrong-zone_write_granularity-value-durin.patch
new file mode 100644 (file)
index 0000000..6fe9540
--- /dev/null
@@ -0,0 +1,77 @@
+From 68010ef60bc62baf9fd99e4d1da7f6458910c425 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 15:30:24 +0900
+Subject: scsi: sd: Fix wrong zone_write_granularity value during revalidate
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+[ Upstream commit 288b3271d920c9ba949c3bab0f749f4cecc70e09 ]
+
+When the sd driver revalidates host-managed SMR disks, it calls
+disk_set_zoned() which changes the zone_write_granularity attribute value
+to the logical block size regardless of the device type. After that, the sd
+driver overwrites the value in sd_zbc_read_zone() with the physical block
+size, since ZBC/ZAC requires this for host-managed disks. Between the calls
+to disk_set_zoned() and sd_zbc_read_zone(), there exists a window where the
+attribute shows the logical block size as the zone_write_granularity value,
+which is wrong for host-managed disks. The duration of the window is from
+20ms to 200ms, depending on report zone command execution time.
+
+To avoid the wrong zone_write_granularity value between disk_set_zoned()
+and sd_zbc_read_zone(), modify the value not in sd_zbc_read_zone() but
+just after disk_set_zoned() call.
+
+Fixes: a805a4fa4fa3 ("block: introduce zone_write_granularity limit")
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Link: https://lore.kernel.org/r/20230306063024.3376959-1-shinichiro.kawasaki@wdc.com
+Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sd.c     | 7 ++++++-
+ drivers/scsi/sd_zbc.c | 8 --------
+ 2 files changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index eb76ba0550216..e934779bf05c8 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2933,8 +2933,13 @@ static void sd_read_block_characteristics(struct scsi_disk *sdkp)
+       }
+       if (sdkp->device->type == TYPE_ZBC) {
+-              /* Host-managed */
++              /*
++               * Host-managed: Per ZBC and ZAC specifications, writes in
++               * sequential write required zones of host-managed devices must
++               * be aligned to the device physical block size.
++               */
+               disk_set_zoned(sdkp->disk, BLK_ZONED_HM);
++              blk_queue_zone_write_granularity(q, sdkp->physical_block_size);
+       } else {
+               sdkp->zoned = zoned;
+               if (sdkp->zoned == 1) {
+diff --git a/drivers/scsi/sd_zbc.c b/drivers/scsi/sd_zbc.c
+index bd15624c63228..4c35b4a916355 100644
+--- a/drivers/scsi/sd_zbc.c
++++ b/drivers/scsi/sd_zbc.c
+@@ -956,14 +956,6 @@ int sd_zbc_read_zones(struct scsi_disk *sdkp, u8 buf[SD_BUF_SIZE])
+       disk_set_max_active_zones(disk, 0);
+       nr_zones = round_up(sdkp->capacity, zone_blocks) >> ilog2(zone_blocks);
+-      /*
+-       * Per ZBC and ZAC specifications, writes in sequential write required
+-       * zones of host-managed devices must be aligned to the device physical
+-       * block size.
+-       */
+-      if (blk_queue_zoned_model(q) == BLK_ZONED_HM)
+-              blk_queue_zone_write_granularity(q, sdkp->physical_block_size);
+-
+       sdkp->early_zone_info.nr_zones = nr_zones;
+       sdkp->early_zone_info.zone_blocks = zone_blocks;
+-- 
+2.39.2
+
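Review bot: The added `blk_queue_zone_write_granularity(q, sdkp->physical_block_size);` in sd_read_block_characteristics() depends on `sdkp->physical_block_size` already holding the device value when this function runs, and the hunk shows neither where that field is filled in nor where `q` is declared. The removed code in sd_zbc_read_zones() ran later in revalidation, so this ordering assumption is new. I would extend the new comment with one line such as `* physical_block_size must already have been read from the device at this point.` so a later reordering of the revalidate steps does not quietly reintroduce a wrong granularity. Both functions start and end outside the hunks.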
diff --git a/queue-6.1/selftests-nft_nat-ensuring-the-listening-side-is-up-.patch b/queue-6.1/selftests-nft_nat-ensuring-the-listening-side-is-up-.patch
new file mode 100644 (file)
index 0000000..b0f6e32
--- /dev/null
@@ -0,0 +1,58 @@
+From 30ca55d774f56288ae20d6e70debfc3b1b4deaec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 17:36:46 +0800
+Subject: selftests: nft_nat: ensuring the listening side is up before starting
+ the client
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 2067e7a00aa604b94de31d64f29b8893b1696f26 ]
+
+The test_local_dnat_portonly() function initiates the client-side as
+soon as it sets the listening side to the background. This could lead to
+a race condition where the server may not be ready to listen. To ensure
+that the server-side is up and running before initiating the
+client-side, a delay is introduced to the test_local_dnat_portonly()
+function.
+
+Before the fix:
+  # ./nft_nat.sh
+  PASS: netns routing/connectivity: ns0-rthlYrBU can reach ns1-rthlYrBU and ns2-rthlYrBU
+  PASS: ping to ns1-rthlYrBU was ip NATted to ns2-rthlYrBU
+  PASS: ping to ns1-rthlYrBU OK after ip nat output chain flush
+  PASS: ipv6 ping to ns1-rthlYrBU was ip6 NATted to ns2-rthlYrBU
+  2023/02/27 04:11:03 socat[6055] E connect(5, AF=2 10.0.1.99:2000, 16): Connection refused
+  ERROR: inet port rewrite
+
+After the fix:
+  # ./nft_nat.sh
+  PASS: netns routing/connectivity: ns0-9sPJV6JJ can reach ns1-9sPJV6JJ and ns2-9sPJV6JJ
+  PASS: ping to ns1-9sPJV6JJ was ip NATted to ns2-9sPJV6JJ
+  PASS: ping to ns1-9sPJV6JJ OK after ip nat output chain flush
+  PASS: ipv6 ping to ns1-9sPJV6JJ was ip6 NATted to ns2-9sPJV6JJ
+  PASS: inet port rewrite without l3 address
+
+Fixes: 282e5f8fe907 ("netfilter: nat: really support inet nat without l3 address")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/netfilter/nft_nat.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh
+index 924ecb3f1f737..dd40d9f6f2599 100755
+--- a/tools/testing/selftests/netfilter/nft_nat.sh
++++ b/tools/testing/selftests/netfilter/nft_nat.sh
+@@ -404,6 +404,8 @@ EOF
+       echo SERVER-$family | ip netns exec "$ns1" timeout 5 socat -u STDIN TCP-LISTEN:2000 &
+       sc_s=$!
++      sleep 1
++
+       result=$(ip netns exec "$ns0" timeout 1 socat TCP:$daddr:2000 STDOUT)
+       if [ "$result" = "SERVER-inet" ];then
+-- 
+2.39.2
+
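Review bot: The added `sleep 1` narrows the race described in the commit message but does not remove it: on a loaded test machine the backgrounded `socat ... TCP-LISTEN:2000` may still not be listening after one second, and on a fast one the test always pays the full second. A bounded wait on the listening socket would be deterministic, for example `for i in $(seq 1 20); do ip netns exec "$ns1" ss -ltn | grep -q ':2000 ' && break; sleep 0.1; done`. The server side runs under `timeout 5`, so the wait has to stay well below that. The enclosing function starts and ends outside the hunk.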
index a09cecf1eda9b91d80a8fe9d471cb2eaf4a7f41f..7841e0cd8521d8251b7e837ead539e8c8ce1f699 100644 (file)
@@ -23,3 +23,92 @@ ext4-zero-i_disksize-when-initializing-the-bootloader-inode.patch
 hid-core-provide-new-max_buffer_size-attribute-to-over-ride-the-default.patch
 hid-uhid-over-ride-the-default-maximum-data-buffer-value-with-our-own.patch
 nfc-change-order-inside-nfc_se_io-error-path.patch
+kvm-vmx-reset-evmcs-controls-in-vp-assist-page-durin.patch
+kvm-vmx-don-t-bother-disabling-evmcs-static-key-on-m.patch
+kvm-x86-move-guts-of-kvm_arch_init-to-standalone-hel.patch
+kvm-vmx-do-_all_-initialization-before-exposing-dev-.patch
+fs-dlm-fix-log-of-lowcomms-vs-midcomms.patch
+fs-dlm-add-midcomms-init-start-functions.patch
+fs-dlm-start-midcomms-before-scand.patch
+fs-dlm-remove-send-repeat-remove-handling.patch
+fs-dlm-use-packet-in-dlm_mhandle.patch
+fd-dlm-trace-send-recv-of-dlm-message-and-rcom.patch
+fs-dlm-fix-use-after-free-in-midcomms-commit.patch
+fs-dlm-use-warn_on_once-instead-of-warn_on.patch
+fs-dlm-be-sure-to-call-dlm_send_queue_flush.patch
+fs-dlm-fix-race-setting-stop-tx-flag.patch
+udf-fix-off-by-one-error-when-discarding-preallocati.patch
+bus-mhi-ep-power-up-down-mhi-stack-during-mhi-reset.patch
+bus-mhi-ep-change-state_lock-to-mutex.patch
+powerpc-boot-don-t-always-pass-mcpu-powerpc-when-bui.patch
+input-exc3000-properly-stop-timer-on-shutdown.patch
+ipmi-ssif-remove-rtc_us_timer.patch
+ipmi-ssif-increase-the-message-retry-time.patch
+ipmi-ssif-add-a-timer-between-request-retries.patch
+spi-intel-check-number-of-chip-selects-after-reading.patch
+drm-i915-introduce-intel_panel_init_alloc.patch
+drm-i915-do-panel-vbt-init-early-if-the-vbt-declares.patch
+drm-i915-populate-encoder-devdata-for-dsi-on-icl.patch
+block-revert-block-do-not-reread-partition-table-on-.patch
+block-fix-scan-partition-for-exclusively-open-device.patch
+riscv-add-header-include-guards-to-insn.h.patch
+scsi-core-remove-the-proc-scsi-proc_name-directory-e.patch
+ext4-fix-possible-corruption-when-moving-a-directory.patch
+cifs-improve-checking-of-dfs-links-over-status_objec.patch
+drm-nouveau-kms-nv50-fix-nv50_wndw_new_-prototype.patch
+drm-msm-fix-potential-invalid-ptr-free.patch
+drm-msm-a5xx-fix-setting-of-the-cp_preempt_enable_lo.patch
+drm-msm-a5xx-fix-highest-bank-bit-for-a530.patch
+drm-msm-a5xx-fix-the-emptyness-check-in-the-preempt-.patch
+drm-msm-a5xx-fix-context-faults-during-ring-switch.patch
+bgmac-fix-initial-chip-reset-to-support-bcm5358.patch
+nfc-fdp-add-null-check-of-devm_kmalloc_array-in-fdp_.patch
+powerpc-dts-t1040rdb-fix-compatible-string-for-rev-a.patch
+tls-rx-fix-return-value-for-async-crypto.patch
+drm-msm-dpu-disable-features-unsupported-by-qcm2290.patch
+ila-do-not-generate-empty-messages-in-ila_xlat_nl_cm.patch
+net-lan966x-fix-port-police-support-using-tc-matchal.patch
+selftests-nft_nat-ensuring-the-listening-side-is-up-.patch
+netfilter-nft_last-copy-content-when-cloning-express.patch
+netfilter-nft_quota-copy-content-when-cloning-expres.patch
+net-tls-fix-possible-race-condition-between-do_tls_g.patch
+net-use-indirect-calls-helpers-for-sk_exit_memory_pr.patch
+perf-stat-fix-counting-when-initial-delay-configured.patch
+net-lan78xx-fix-accessing-the-lan7800-s-internal-phy.patch
+net-caif-fix-use-after-free-in-cfusbl_device_notify.patch
+ice-copy-last-block-omitted-in-ice_get_module_eeprom.patch
+bpf-sockmap-fix-an-infinite-loop-error-when-len-is-0.patch
+drm-msm-dpu-fix-len-of-sc7180-ctl-blocks.patch
+drm-msm-dpu-drop-dpu_dim_layer-from-mixer_msm8998_ma.patch
+drm-msm-dpu-fix-clocks-settings-for-msm8998-sspp-blo.patch
+drm-msm-dpu-clear-dspp-reservations-in-rm-release.patch
+net-stmmac-add-to-set-device-wake-up-flag-when-stmma.patch
+net-phylib-get-rid-of-unnecessary-locking.patch
+bnxt_en-avoid-order-5-memory-allocation-for-tpa-data.patch
+netfilter-ctnetlink-revert-to-dumping-mark-regardles.patch
+netfilter-tproxy-fix-deadlock-due-to-missing-bh-disa.patch
+m68k-mm-move-initrd-phys_to_virt-handling-after-pagi.patch
+btrfs-fix-extent-map-logging-bit-not-cleared-for-spl.patch
+bpf-test_run-fix-xdp_frame-misplacement-for-live_fra.patch
+btf-fix-resolving-btf_kind_var-after-array-struct-un.patch
+net-phy-smsc-fix-link-up-detection-in-forced-irq-mod.patch
+net-ethernet-mtk_eth_soc-fix-rx-data-corruption-issu.patch
+net-tls-fix-device-offloaded-sendpage-straddling-rec.patch
+scsi-megaraid_sas-update-max-supported-ld-ids-to-240.patch
+scsi-sd-fix-wrong-zone_write_granularity-value-durin.patch
+netfilter-conntrack-adopt-safer-max-chain-length.patch
+platform-mellanox-select-regmap-instead-of-depending.patch
+platform-x86-mlx_platform-select-regmap-instead-of-d.patch
+block-fix-wrong-mode-for-blkdev_put-from-disk_scan_p.patch
+nfsd-protect-against-filesystem-freezing.patch
+ice-fix-dscp-pfc-tlv-creation.patch
+ethernet-ice-avoid-gcc-9-integer-overflow-warning.patch
+net-smc-fix-fallback-failed-while-sendmsg-with-fasto.patch
+octeontx2-af-unlock-contexts-in-the-queue-context-ca.patch
+sunrpc-fix-a-server-shutdown-leak.patch
+net-dsa-mt7530-permit-port-5-to-work-without-port-6-.patch
+af_unix-fix-struct-pid-leaks-in-oob-support.patch
+erofs-revert-erofs-fix-kvcalloc-misuse-with-__gfp_no.patch
+riscv-use-read_once_nocheck-in-imprecise-unwinding-s.patch
+risc-v-don-t-check-text_mutex-during-stop_machine.patch
+drm-amdgpu-fix-return-value-check-in-kfd.patch
diff --git a/queue-6.1/spi-intel-check-number-of-chip-selects-after-reading.patch b/queue-6.1/spi-intel-check-number-of-chip-selects-after-reading.patch
new file mode 100644 (file)
index 0000000..b43b70f
--- /dev/null
@@ -0,0 +1,51 @@
+From 7f83600dc1a649047ccabd55c9eab0ef8f8abf0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Feb 2023 13:00:40 +0200
+Subject: spi: intel: Check number of chip selects after reading the descriptor
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+[ Upstream commit 574fbb95cd9d88bdc9c9c4c64223a38a61d7de9a ]
+
+The flash decriptor contains the number of flash components that we use
+to figure out how many flash chips there are connected. Therefore we
+need to read it first before deciding how many chip selects the
+controller has.
+
+Reported-by: Marcin Witkowski <marcin.witkowski@intel.com>
+Fixes: 3f03c618bebb ("spi: intel: Add support for second flash chip")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Link: https://lore.kernel.org/r/20230215110040.42186-1-mika.westerberg@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-intel.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-intel.c b/drivers/spi/spi-intel.c
+index 3ac73691fbb54..54fc226e1cdf6 100644
+--- a/drivers/spi/spi-intel.c
++++ b/drivers/spi/spi-intel.c
+@@ -1366,14 +1366,14 @@ static int intel_spi_populate_chip(struct intel_spi *ispi)
+       if (!spi_new_device(ispi->master, &chip))
+               return -ENODEV;
+-      /* Add the second chip if present */
+-      if (ispi->master->num_chipselect < 2)
+-              return 0;
+-
+       ret = intel_spi_read_desc(ispi);
+       if (ret)
+               return ret;
++      /* Add the second chip if present */
++      if (ispi->master->num_chipselect < 2)
++              return 0;
++
+       chip.platform_data = NULL;
+       chip.chip_select = 1;
+-- 
+2.39.2
+
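Review bot: Moving `intel_spi_read_desc()` ahead of the `num_chipselect < 2` test in intel_spi_populate_chip() changes the single-chip path: a descriptor read failure now returns `ret` after `spi_new_device()` has already registered the first chip, where the old order returned 0 before the descriptor was read. Whether the caller unwinds that registration is not visible in the hunk. If the failure is meant to be fatal, a comment should say so, e.g. `/* The descriptor decides num_chipselect, so a read failure is fatal even for one chip */` above the call. The function begins outside the hunk.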
diff --git a/queue-6.1/sunrpc-fix-a-server-shutdown-leak.patch b/queue-6.1/sunrpc-fix-a-server-shutdown-leak.patch
new file mode 100644 (file)
index 0000000..2017f8c
--- /dev/null
@@ -0,0 +1,48 @@
+From cb529ff70a8ed8ed56149d9c0cd340f67e6598bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Mar 2023 16:08:32 -0500
+Subject: SUNRPC: Fix a server shutdown leak
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+[ Upstream commit 9ca6705d9d609441d34f8b853e1e4a6369b3b171 ]
+
+Fix a race where kthread_stop() may prevent the threadfn from ever getting
+called.  If that happens the svc_rqst will not be cleaned up.
+
+Fixes: ed6473ddc704 ("NFSv4: Fix callback server shutdown")
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/svc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
+index 24577d1b99079..9ee32e06f877e 100644
+--- a/net/sunrpc/svc.c
++++ b/net/sunrpc/svc.c
+@@ -787,6 +787,7 @@ svc_start_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
+ static int
+ svc_stop_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
+ {
++      struct svc_rqst *rqstp;
+       struct task_struct *task;
+       unsigned int state = serv->sv_nrthreads-1;
+@@ -795,7 +796,10 @@ svc_stop_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
+               task = choose_victim(serv, pool, &state);
+               if (task == NULL)
+                       break;
+-              kthread_stop(task);
++              rqstp = kthread_data(task);
++              /* Did we lose a race to svo_function threadfn? */
++              if (kthread_stop(task) == -EINTR)
++                      svc_exit_thread(rqstp);
+               nrservs++;
+       } while (nrservs < 0);
+       return 0;
+-- 
+2.39.2
+
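Review bot: The new comment in svc_stop_kthreads(), `/* Did we lose a race to svo_function threadfn? */`, does not say what `-EINTR` means and does not match any identifier in the hunk. I would replace it with `/* -EINTR: the thread was stopped before threadfn ran, so it never called svc_exit_thread() itself */`. The check also assumes that no service thread function returns -EINTR on its own, since kthread_stop() passes the threadfn result through and that case would clean up `rqstp` a second time. The hunk does not show the thread functions, so this needs confirming against them. Reading `kthread_data(task)` before `kthread_stop(task)` is the right order and deserves a short note that `task` must not be dereferenced afterwards.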
diff --git a/queue-6.1/tls-rx-fix-return-value-for-async-crypto.patch b/queue-6.1/tls-rx-fix-return-value-for-async-crypto.patch
new file mode 100644 (file)
index 0000000..58714c0
--- /dev/null
@@ -0,0 +1,46 @@
+From 5dc0e57d356f34fbac13d87893e0b65444631ec6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 10:12:01 -0800
+Subject: tls: rx: fix return value for async crypto
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 4d42cd6bc2ac1b9be50ade13771daec90c9d18b1 ]
+
+Gaurav reports that TLS Rx is broken with async crypto
+accelerators. The commit under fixes missed updating
+the retval byte counting logic when updating how records
+are stored. Even tho both before and after the change
+'decrypted' was updated inside the main loop, it was
+completely overwritten when processing the async
+completions. Now that the rx_list only holds
+non-zero-copy records we need to add, not overwrite.
+
+Reported-and-bisected-by: Gaurav Jain <gaurav.jain@nxp.com>
+Fixes: cbbdee9918a2 ("tls: rx: async: don't put async zc on the list")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217064
+Tested-by: Gaurav Jain <gaurav.jain@nxp.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230227181201.1793772-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index 38dcd9b401027..992092aeebad9 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -2114,7 +2114,7 @@ int tls_sw_recvmsg(struct sock *sk,
+               else
+                       err = process_rx_list(ctx, msg, &control, 0,
+                                             async_copy_bytes, is_peek);
+-              decrypted = max(err, 0);
++              decrypted += max(err, 0);
+       }
+       copied += decrypted;
+-- 
+2.39.2
+
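Review bot: The changed line `decrypted += max(err, 0);` in tls_sw_recvmsg() has no comment explaining why it accumulates, although the returned byte count now depends on this one operator and the previous overwrite caused wrong lengths to be reported to the caller. I would add above it `/* rx_list holds only non-zero-copy records; zero-copy bytes are already counted in decrypted */`. A negative `err` from `process_rx_list()` is clamped to 0 here, and the hunk does not show whether it is acted on afterwards. The function extends beyond the hunk on both sides.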
diff --git a/queue-6.1/udf-fix-off-by-one-error-when-discarding-preallocati.patch b/queue-6.1/udf-fix-off-by-one-error-when-discarding-preallocati.patch
new file mode 100644 (file)
index 0000000..1e03aab
--- /dev/null
@@ -0,0 +1,38 @@
+From 36c08ae353bc14dd1301a213cfb2ba489203bb6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jan 2023 14:29:15 +0100
+Subject: udf: Fix off-by-one error when discarding preallocation
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit f54aa97fb7e5329a373f9df4e5e213ced4fc8759 ]
+
+The condition determining whether the preallocation can be used had
+an off-by-one error so we didn't discard preallocation when new
+allocation was just following it. This can then confuse code in
+inode_getblk().
+
+CC: stable@vger.kernel.org
+Fixes: 16d055656814 ("udf: Discard preallocation before extending file with a hole")
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 259152a08852b..a4e875b61f895 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -443,7 +443,7 @@ static int udf_get_block(struct inode *inode, sector_t block,
+        * Block beyond EOF and prealloc extents? Just discard preallocation
+        * as it is not useful and complicates things.
+        */
+-      if (((loff_t)block) << inode->i_blkbits > iinfo->i_lenExtents)
++      if (((loff_t)block) << inode->i_blkbits >= iinfo->i_lenExtents)
+               udf_discard_prealloc(inode);
+       udf_clear_extent_cache(inode);
+       phys = inode_getblk(inode, block, &err, &new);
+-- 
+2.39.2
+
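Review bot: The comment above the changed condition in udf_get_block() still reads "Block beyond EOF and prealloc extents?", but with `>=` the branch now also fires when the block starts exactly at `iinfo->i_lenExtents`. That boundary case is the whole fix, so the comment should state it, for example `* Block at or beyond the end of the recorded extents? Just discard preallocation`. Without that, the `>=` looks like a candidate for a "simplifying" revert to `>`. The function begins and ends outside the hunk.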