--- /dev/null
+From 91aa4b3782448a7a13baa8cbcdfd5fd19defcbd9 Mon Sep 17 00:00:00 2001
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+Date: Wed, 3 May 2023 13:31:10 +0200
+Subject: ARM: dts: imx6qdl-mba6: Add missing pvcie-supply regulator
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+commit 91aa4b3782448a7a13baa8cbcdfd5fd19defcbd9 upstream.
+
+This worked before by coincidence, as the regulator was probed and enabled
+before PCI RC probe. But probe order changed since commit 259b93b21a9f
+("regulator: Set PROBE_PREFER_ASYNCHRONOUS for drivers that existed in
+4.14") and PCIe supply is enabled after RC.
+Fix this by adding the regulator to RC node.
+
+The PCIe vaux regulator still needs to be enabled unconditionally for
+Mini-PCIe USB-only devices.
+
+Fixes: ef3846247b41 ("ARM: dts: imx6qdl: add TQ-Systems MBa6x device trees")
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/imx6qdl-mba6.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/boot/dts/imx6qdl-mba6.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-mba6.dtsi
+@@ -209,6 +209,7 @@
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_pcie>;
+ reset-gpio = <&gpio6 7 GPIO_ACTIVE_LOW>;
++ vpcie-supply = <®_pcie>;
+ status = "okay";
+ };
+
--- /dev/null
+From b34ffb0c6d23583830f9327864b9c1f486003305 Mon Sep 17 00:00:00 2001
+From: Anton Protopopov <aspsk@isovalent.com>
+Date: Mon, 22 May 2023 15:45:58 +0000
+Subject: bpf: fix a memory leak in the LRU and LRU_PERCPU hash maps
+
+From: Anton Protopopov <aspsk@isovalent.com>
+
+commit b34ffb0c6d23583830f9327864b9c1f486003305 upstream.
+
+The LRU and LRU_PERCPU maps allocate a new element on update before locking the
+target hash table bucket. Right after that the maps try to lock the bucket.
+If this fails, then maps return -EBUSY to the caller without releasing the
+allocated element. This makes the element untracked: it doesn't belong to
+either of free lists, and it doesn't belong to the hash table, so can't be
+re-used; this eventually leads to the permanent -ENOMEM on LRU map updates,
+which is unexpected. Fix this by returning the element to the local free list
+if bucket locking fails.
+
+Fixes: 20b6cc34ea74 ("bpf: Avoid hashtab deadlock with map_locked")
+Signed-off-by: Anton Protopopov <aspsk@isovalent.com>
+Link: https://lore.kernel.org/r/20230522154558.2166815-1-aspsk@isovalent.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/hashtab.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/kernel/bpf/hashtab.c
++++ b/kernel/bpf/hashtab.c
+@@ -1197,7 +1197,7 @@ static long htab_lru_map_update_elem(str
+
+ ret = htab_lock_bucket(htab, b, hash, &flags);
+ if (ret)
+- return ret;
++ goto err_lock_bucket;
+
+ l_old = lookup_elem_raw(head, hash, key, key_size);
+
+@@ -1218,6 +1218,7 @@ static long htab_lru_map_update_elem(str
+ err:
+ htab_unlock_bucket(htab, b, hash, flags);
+
++err_lock_bucket:
+ if (ret)
+ htab_lru_push_free(htab, l_new);
+ else if (l_old)
+@@ -1320,7 +1321,7 @@ static long __htab_lru_percpu_map_update
+
+ ret = htab_lock_bucket(htab, b, hash, &flags);
+ if (ret)
+- return ret;
++ goto err_lock_bucket;
+
+ l_old = lookup_elem_raw(head, hash, key, key_size);
+
+@@ -1343,6 +1344,7 @@ static long __htab_lru_percpu_map_update
+ ret = 0;
+ err:
+ htab_unlock_bucket(htab, b, hash, flags);
++err_lock_bucket:
+ if (l_new)
+ bpf_lru_push_free(&htab->lru, &l_new->lru_node);
+ return ret;
--- /dev/null
+From 0613d8ca9ab382caabe9ed2dceb429e9781e443f Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Thu, 18 May 2023 11:25:28 +0100
+Subject: bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields
+
+From: Will Deacon <will@kernel.org>
+
+commit 0613d8ca9ab382caabe9ed2dceb429e9781e443f upstream.
+
+A narrow load from a 64-bit context field results in a 64-bit load
+followed potentially by a 64-bit right-shift and then a bitwise AND
+operation to extract the relevant data.
+
+In the case of a 32-bit access, an immediate mask of 0xffffffff is used
+to construct a 64-bit BPP_AND operation which then sign-extends the mask
+value and effectively acts as a glorified no-op. For example:
+
+0: 61 10 00 00 00 00 00 00 r0 = *(u32 *)(r1 + 0)
+
+results in the following code generation for a 64-bit field:
+
+ ldr x7, [x7] // 64-bit load
+ mov x10, #0xffffffffffffffff
+ and x7, x7, x10
+
+Fix the mask generation so that narrow loads always perform a 32-bit AND
+operation:
+
+ ldr x7, [x7] // 64-bit load
+ mov w10, #0xffffffff
+ and w7, w7, w10
+
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: Krzesimir Nowak <krzesimir@kinvolk.io>
+Cc: Andrey Ignatov <rdna@fb.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Fixes: 31fd85816dbe ("bpf: permits narrower load from bpf program context fields")
+Signed-off-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20230518102528.1341-1-will@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -16017,7 +16017,7 @@ static int convert_ctx_accesses(struct b
+ insn_buf[cnt++] = BPF_ALU64_IMM(BPF_RSH,
+ insn->dst_reg,
+ shift);
+- insn_buf[cnt++] = BPF_ALU64_IMM(BPF_AND, insn->dst_reg,
++ insn_buf[cnt++] = BPF_ALU32_IMM(BPF_AND, insn->dst_reg,
+ (1ULL << size * 8) - 1);
+ }
+ }
--- /dev/null
+From cb8b02fd6343228966324528adf920bfb8b8e681 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Wed, 24 May 2023 03:26:19 -0500
+Subject: cifs: mapchars mount option ignored
+
+From: Steve French <stfrench@microsoft.com>
+
+commit cb8b02fd6343228966324528adf920bfb8b8e681 upstream.
+
+There are two ways that special characters (not allowed in some
+other operating systems like Windows, but allowed in POSIX) have
+been mapped in the past ("SFU" and "SFM" mappings) to allow them
+to be stored in a range reserved for special chars. The default
+for Linux has been to use "mapposix" (ie the SFM mapping) but
+the conversion to the new mount API in the 5.11 kernel broke
+the ability to override the default mapping of the reserved
+characters (like '?' and '*' and '\') via "mapchars" mount option.
+
+This patch fixes that - so can now mount with "mapchars"
+mount option to override the default ("mapposix" ie SFM) mapping.
+
+Reported-by: Tyler Spivey <tspivey8@gmail.com>
+Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api")
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/fs_context.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/cifs/fs_context.c
++++ b/fs/cifs/fs_context.c
+@@ -904,6 +904,14 @@ static int smb3_fs_context_parse_param(s
+ ctx->sfu_remap = false; /* disable SFU mapping */
+ }
+ break;
++ case Opt_mapchars:
++ if (result.negated)
++ ctx->sfu_remap = false;
++ else {
++ ctx->sfu_remap = true;
++ ctx->remap = false; /* disable SFM (mapposix) mapping */
++ }
++ break;
+ case Opt_user_xattr:
+ if (result.negated)
+ ctx->no_xattr = 1;
--- /dev/null
+From f67bc15e526bb9920683ad6c1891ff9e08981335 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Fri, 21 Apr 2023 13:42:41 +0300
+Subject: coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit f67bc15e526bb9920683ad6c1891ff9e08981335 upstream.
+
+This code generates a Smatch warning:
+
+ drivers/hwtracing/coresight/coresight-tmc-etr.c:947 tmc_etr_buf_insert_barrier_packet()
+ error: uninitialized symbol 'bufp'.
+
+The problem is that if tmc_sg_table_get_data() returns -EINVAL, then
+when we test if "len < CORESIGHT_BARRIER_PKT_SIZE", the negative "len"
+value is type promoted to a high unsigned long value which is greater
+than CORESIGHT_BARRIER_PKT_SIZE. Fix this bug by adding an explicit
+check for error codes.
+
+Fixes: 75f4e3619fe2 ("coresight: tmc-etr: Add transparent buffer management")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/7d33e244-d8b9-4c27-9653-883a13534b01@kili.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
++++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
+@@ -942,7 +942,7 @@ tmc_etr_buf_insert_barrier_packet(struct
+
+ len = tmc_etr_buf_get_data(etr_buf, offset,
+ CORESIGHT_BARRIER_PKT_SIZE, &bufp);
+- if (WARN_ON(len < CORESIGHT_BARRIER_PKT_SIZE))
++ if (WARN_ON(len < 0 || len < CORESIGHT_BARRIER_PKT_SIZE))
+ return -EINVAL;
+ coresight_insert_barrier_packet(bufp);
+ return offset + CORESIGHT_BARRIER_PKT_SIZE;
--- /dev/null
+From c21f11d182c2180d8b90eaff84f574cfa845b250 Mon Sep 17 00:00:00 2001
+From: Matthew Auld <matthew.auld@intel.com>
+Date: Fri, 19 May 2023 10:07:33 +0100
+Subject: drm: fix drmm_mutex_init()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Auld <matthew.auld@intel.com>
+
+commit c21f11d182c2180d8b90eaff84f574cfa845b250 upstream.
+
+In mutex_init() lockdep identifies a lock by defining a special static
+key for each lock class. However if we wrap the macro in a function,
+like in drmm_mutex_init(), we end up generating:
+
+int drmm_mutex_init(struct drm_device *dev, struct mutex *lock)
+{
+ static struct lock_class_key __key;
+
+ __mutex_init((lock), "lock", &__key);
+ ....
+}
+
+The static __key here is what lockdep uses to identify the lock class,
+however since this is just a normal function the key here will be
+created once, where all callers then use the same key. In effect the
+mutex->depmap.key will be the same pointer for different
+drmm_mutex_init() callers. This then results in impossible lockdep
+splats since lockdep thinks completely unrelated locks are the same lock
+class.
+
+To fix this turn drmm_mutex_init() into a macro such that it generates a
+different "static struct lock_class_key __key" for each invocation,
+which looks to be inline with what mutex_init() wants.
+
+v2:
+ - Revamp the commit message with clearer explanation of the issue.
+ - Rather export __drmm_mutex_release() than static inline.
+
+Reported-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Reported-by: Sarah Walker <sarah.walker@imgtec.com>
+Fixes: e13f13e039dc ("drm: Add DRM-managed mutex_init()")
+Cc: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
+Cc: Boris Brezillon <boris.brezillon@collabora.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Jocelyn Falempe <jfalempe@redhat.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: dri-devel@lists.freedesktop.org
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
+Reviewed-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
+Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230519090733.489019-1-matthew.auld@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_managed.c | 22 ++--------------------
+ include/drm/drm_managed.h | 18 +++++++++++++++++-
+ 2 files changed, 19 insertions(+), 21 deletions(-)
+
+--- a/drivers/gpu/drm/drm_managed.c
++++ b/drivers/gpu/drm/drm_managed.c
+@@ -264,28 +264,10 @@ void drmm_kfree(struct drm_device *dev,
+ }
+ EXPORT_SYMBOL(drmm_kfree);
+
+-static void drmm_mutex_release(struct drm_device *dev, void *res)
++void __drmm_mutex_release(struct drm_device *dev, void *res)
+ {
+ struct mutex *lock = res;
+
+ mutex_destroy(lock);
+ }
+-
+-/**
+- * drmm_mutex_init - &drm_device-managed mutex_init()
+- * @dev: DRM device
+- * @lock: lock to be initialized
+- *
+- * Returns:
+- * 0 on success, or a negative errno code otherwise.
+- *
+- * This is a &drm_device-managed version of mutex_init(). The initialized
+- * lock is automatically destroyed on the final drm_dev_put().
+- */
+-int drmm_mutex_init(struct drm_device *dev, struct mutex *lock)
+-{
+- mutex_init(lock);
+-
+- return drmm_add_action_or_reset(dev, drmm_mutex_release, lock);
+-}
+-EXPORT_SYMBOL(drmm_mutex_init);
++EXPORT_SYMBOL(__drmm_mutex_release);
+--- a/include/drm/drm_managed.h
++++ b/include/drm/drm_managed.h
+@@ -105,6 +105,22 @@ char *drmm_kstrdup(struct drm_device *de
+
+ void drmm_kfree(struct drm_device *dev, void *data);
+
+-int drmm_mutex_init(struct drm_device *dev, struct mutex *lock);
++void __drmm_mutex_release(struct drm_device *dev, void *res);
++
++/**
++ * drmm_mutex_init - &drm_device-managed mutex_init()
++ * @dev: DRM device
++ * @lock: lock to be initialized
++ *
++ * Returns:
++ * 0 on success, or a negative errno code otherwise.
++ *
++ * This is a &drm_device-managed version of mutex_init(). The initialized
++ * lock is automatically destroyed on the final drm_dev_put().
++ */
++#define drmm_mutex_init(dev, lock) ({ \
++ mutex_init(lock); \
++ drmm_add_action_or_reset(dev, __drmm_mutex_release, lock); \
++}) \
+
+ #endif
--- /dev/null
+From b71b55248a580e9c9befc4ae060539f1f8e477da Mon Sep 17 00:00:00 2001
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Thu, 20 Apr 2023 16:06:01 +0100
+Subject: firmware: arm_ffa: Check if ffa_driver remove is present before executing
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+commit b71b55248a580e9c9befc4ae060539f1f8e477da upstream.
+
+Currently ffa_drv->remove() is called unconditionally from
+ffa_device_remove(). Since the driver registration doesn't check for it
+and allows it to be registered without .remove callback, we need to check
+for the presence of it before executing it from ffa_device_remove() to
+above a NULL pointer dereference like the one below:
+
+ | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+ | Mem abort info:
+ | ESR = 0x0000000086000004
+ | EC = 0x21: IABT (current EL), IL = 32 bits
+ | SET = 0, FnV = 0
+ | EA = 0, S1PTW = 0
+ | FSC = 0x04: level 0 translation fault
+ | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881cc8000
+ | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
+ | Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP
+ | CPU: 3 PID: 130 Comm: rmmod Not tainted 6.3.0-rc7 #6
+ | Hardware name: FVP Base RevC (DT)
+ | pstate: 63402809 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=-c)
+ | pc : 0x0
+ | lr : ffa_device_remove+0x20/0x2c
+ | Call trace:
+ | 0x0
+ | device_release_driver_internal+0x16c/0x260
+ | driver_detach+0x90/0xd0
+ | bus_remove_driver+0xdc/0x11c
+ | driver_unregister+0x30/0x54
+ | ffa_driver_unregister+0x14/0x20
+ | cleanup_module+0x18/0xeec
+ | __arm64_sys_delete_module+0x234/0x378
+ | invoke_syscall+0x40/0x108
+ | el0_svc_common+0xb4/0xf0
+ | do_el0_svc+0x30/0xa4
+ | el0_svc+0x2c/0x7c
+ | el0t_64_sync_handler+0x84/0xf0
+ | el0t_64_sync+0x190/0x194
+
+Fixes: 244f5d597e1e ("firmware: arm_ffa: Add missing remove callback to ffa_bus_type")
+Link: https://lore.kernel.org/r/20230419-ffa_fixes_6-4-v2-1-d9108e43a176@arm.com
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/arm_ffa/bus.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/firmware/arm_ffa/bus.c
++++ b/drivers/firmware/arm_ffa/bus.c
+@@ -53,7 +53,8 @@ static void ffa_device_remove(struct dev
+ {
+ struct ffa_driver *ffa_drv = to_ffa_driver(dev->driver);
+
+- ffa_drv->remove(to_ffa_dev(dev));
++ if (ffa_drv->remove)
++ ffa_drv->remove(to_ffa_dev(dev));
+ }
+
+ static int ffa_device_uevent(const struct device *dev, struct kobj_uevent_env *env)
--- /dev/null
+From 19b8766459c41c6f318f8a548cc1c66dffd18363 Mon Sep 17 00:00:00 2001
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Thu, 20 Apr 2023 16:06:03 +0100
+Subject: firmware: arm_ffa: Fix FFA device names for logical partitions
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+commit 19b8766459c41c6f318f8a548cc1c66dffd18363 upstream.
+
+Each physical partition can provide multiple services each with UUID.
+Each such service can be presented as logical partition with a unique
+combination of VM ID and UUID. The number of distinct UUID in a system
+will be less than or equal to the number of logical partitions.
+
+However, currently it fails to register more than one logical partition
+or service within a physical partition as the device name contains only
+VM ID while both VM ID and UUID are maintained in the partition information.
+The kernel complains with the below message:
+
+ | sysfs: cannot create duplicate filename '/devices/arm-ffa-8001'
+ | CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.3.0-rc7 #8
+ | Hardware name: FVP Base RevC (DT)
+ | Call trace:
+ | dump_backtrace+0xf8/0x118
+ | show_stack+0x18/0x24
+ | dump_stack_lvl+0x50/0x68
+ | dump_stack+0x18/0x24
+ | sysfs_create_dir_ns+0xe0/0x13c
+ | kobject_add_internal+0x220/0x3d4
+ | kobject_add+0x94/0x100
+ | device_add+0x144/0x5d8
+ | device_register+0x20/0x30
+ | ffa_device_register+0x88/0xd8
+ | ffa_setup_partitions+0x108/0x1b8
+ | ffa_init+0x2ec/0x3a4
+ | do_one_initcall+0xcc/0x240
+ | do_initcall_level+0x8c/0xac
+ | do_initcalls+0x54/0x94
+ | do_basic_setup+0x1c/0x28
+ | kernel_init_freeable+0x100/0x16c
+ | kernel_init+0x20/0x1a0
+ | ret_from_fork+0x10/0x20
+ | kobject_add_internal failed for arm-ffa-8001 with -EEXIST, don't try to
+ | register things with the same name in the same directory.
+ | arm_ffa arm-ffa: unable to register device arm-ffa-8001 err=-17
+ | ARM FF-A: ffa_setup_partitions: failed to register partition ID 0x8001
+
+By virtue of being random enough to avoid collisions when generated in a
+distributed system, there is no way to compress UUID keys to the number
+of bits required to identify each. We can eliminate '-' in the name but
+it is not worth eliminating 4 bytes and add unnecessary logic for doing
+that. Also v1.0 doesn't provide the UUID of the partitions which makes
+it hard to use the same for the device name.
+
+So to keep it simple, let us alloc an ID using ida_alloc() and append the
+same to "arm-ffa" to make up a unique device name. Also stash the id value
+in ffa_dev to help freeing the ID later when the device is destroyed.
+
+Fixes: e781858488b9 ("firmware: arm_ffa: Add initial FFA bus support for device enumeration")
+Reported-by: Lucian Paul-Trifu <lucian.paul-trifu@arm.com>
+Link: https://lore.kernel.org/r/20230419-ffa_fixes_6-4-v2-3-d9108e43a176@arm.com
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/arm_ffa/bus.c | 16 +++++++++++++---
+ include/linux/arm_ffa.h | 1 +
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/firmware/arm_ffa/bus.c
++++ b/drivers/firmware/arm_ffa/bus.c
+@@ -15,6 +15,8 @@
+
+ #include "common.h"
+
++static DEFINE_IDA(ffa_bus_id);
++
+ static int ffa_device_match(struct device *dev, struct device_driver *drv)
+ {
+ const struct ffa_device_id *id_table;
+@@ -131,6 +133,7 @@ static void ffa_release_device(struct de
+ {
+ struct ffa_device *ffa_dev = to_ffa_dev(dev);
+
++ ida_free(&ffa_bus_id, ffa_dev->id);
+ kfree(ffa_dev);
+ }
+
+@@ -171,18 +174,24 @@ bool ffa_device_is_valid(struct ffa_devi
+ struct ffa_device *ffa_device_register(const uuid_t *uuid, int vm_id,
+ const struct ffa_ops *ops)
+ {
+- int ret;
++ int id, ret;
+ struct device *dev;
+ struct ffa_device *ffa_dev;
+
++ id = ida_alloc_min(&ffa_bus_id, 1, GFP_KERNEL);
++ if (id < 0)
++ return NULL;
++
+ ffa_dev = kzalloc(sizeof(*ffa_dev), GFP_KERNEL);
+- if (!ffa_dev)
++ if (!ffa_dev) {
++ ida_free(&ffa_bus_id, id);
+ return NULL;
++ }
+
+ dev = &ffa_dev->dev;
+ dev->bus = &ffa_bus_type;
+ dev->release = ffa_release_device;
+- dev_set_name(&ffa_dev->dev, "arm-ffa-%04x", vm_id);
++ dev_set_name(&ffa_dev->dev, "arm-ffa-%d", id);
+
+ ffa_dev->vm_id = vm_id;
+ ffa_dev->ops = ops;
+@@ -218,4 +227,5 @@ void arm_ffa_bus_exit(void)
+ {
+ ffa_devices_unregister();
+ bus_unregister(&ffa_bus_type);
++ ida_destroy(&ffa_bus_id);
+ }
+--- a/include/linux/arm_ffa.h
++++ b/include/linux/arm_ffa.h
+@@ -96,6 +96,7 @@
+
+ /* FFA Bus/Device/Driver related */
+ struct ffa_device {
++ u32 id;
+ int vm_id;
+ bool mode_32bit;
+ uuid_t uuid;
--- /dev/null
+From f15afbd34d8fadbd375f1212e97837e32bc170cc Mon Sep 17 00:00:00 2001
+From: Hao Ge <gehao@kylinos.cn>
+Date: Mon, 24 Apr 2023 13:18:35 +0800
+Subject: fs: fix undefined behavior in bit shift for SB_NOUSER
+
+From: Hao Ge <gehao@kylinos.cn>
+
+commit f15afbd34d8fadbd375f1212e97837e32bc170cc upstream.
+
+Shifting signed 32-bit value by 31 bits is undefined, so changing
+significant bit to unsigned. It was spotted by UBSAN.
+
+So let's just fix this by using the BIT() helper for all SB_* flags.
+
+Fixes: e462ec50cb5f ("VFS: Differentiate mount flags (MS_*) from internal superblock flags")
+Signed-off-by: Hao Ge <gehao@kylinos.cn>
+Message-Id: <20230424051835.374204-1-gehao@kylinos.cn>
+[brauner@kernel.org: use BIT() for all SB_* flags]
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/fs.h | 42 +++++++++++++++++++++---------------------
+ 1 file changed, 21 insertions(+), 21 deletions(-)
+
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -1059,29 +1059,29 @@ extern int send_sigurg(struct fown_struc
+ * sb->s_flags. Note that these mirror the equivalent MS_* flags where
+ * represented in both.
+ */
+-#define SB_RDONLY 1 /* Mount read-only */
+-#define SB_NOSUID 2 /* Ignore suid and sgid bits */
+-#define SB_NODEV 4 /* Disallow access to device special files */
+-#define SB_NOEXEC 8 /* Disallow program execution */
+-#define SB_SYNCHRONOUS 16 /* Writes are synced at once */
+-#define SB_MANDLOCK 64 /* Allow mandatory locks on an FS */
+-#define SB_DIRSYNC 128 /* Directory modifications are synchronous */
+-#define SB_NOATIME 1024 /* Do not update access times. */
+-#define SB_NODIRATIME 2048 /* Do not update directory access times */
+-#define SB_SILENT 32768
+-#define SB_POSIXACL (1<<16) /* VFS does not apply the umask */
+-#define SB_INLINECRYPT (1<<17) /* Use blk-crypto for encrypted files */
+-#define SB_KERNMOUNT (1<<22) /* this is a kern_mount call */
+-#define SB_I_VERSION (1<<23) /* Update inode I_version field */
+-#define SB_LAZYTIME (1<<25) /* Update the on-disk [acm]times lazily */
++#define SB_RDONLY BIT(0) /* Mount read-only */
++#define SB_NOSUID BIT(1) /* Ignore suid and sgid bits */
++#define SB_NODEV BIT(2) /* Disallow access to device special files */
++#define SB_NOEXEC BIT(3) /* Disallow program execution */
++#define SB_SYNCHRONOUS BIT(4) /* Writes are synced at once */
++#define SB_MANDLOCK BIT(6) /* Allow mandatory locks on an FS */
++#define SB_DIRSYNC BIT(7) /* Directory modifications are synchronous */
++#define SB_NOATIME BIT(10) /* Do not update access times. */
++#define SB_NODIRATIME BIT(11) /* Do not update directory access times */
++#define SB_SILENT BIT(15)
++#define SB_POSIXACL BIT(16) /* VFS does not apply the umask */
++#define SB_INLINECRYPT BIT(17) /* Use blk-crypto for encrypted files */
++#define SB_KERNMOUNT BIT(22) /* this is a kern_mount call */
++#define SB_I_VERSION BIT(23) /* Update inode I_version field */
++#define SB_LAZYTIME BIT(25) /* Update the on-disk [acm]times lazily */
+
+ /* These sb flags are internal to the kernel */
+-#define SB_SUBMOUNT (1<<26)
+-#define SB_FORCE (1<<27)
+-#define SB_NOSEC (1<<28)
+-#define SB_BORN (1<<29)
+-#define SB_ACTIVE (1<<30)
+-#define SB_NOUSER (1<<31)
++#define SB_SUBMOUNT BIT(26)
++#define SB_FORCE BIT(27)
++#define SB_NOSEC BIT(28)
++#define SB_BORN BIT(29)
++#define SB_ACTIVE BIT(30)
++#define SB_NOUSER BIT(31)
+
+ /* These flags relate to encoding and casefolding */
+ #define SB_ENC_STRICT_MODE_FL (1 << 0)
--- /dev/null
+From 878ecb0897f4737a4c9401f3523fd49589025671 Mon Sep 17 00:00:00 2001
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Date: Tue, 23 May 2023 08:29:44 +0000
+Subject: ipv6: Fix out-of-bounds access in ipv6_find_tlv()
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+commit 878ecb0897f4737a4c9401f3523fd49589025671 upstream.
+
+optlen is fetched without checking whether there is more than one byte to parse.
+It can lead to out-of-bounds access.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: c61a40432509 ("[IPV6]: Find option offset by type.")
+Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/exthdrs_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/exthdrs_core.c
++++ b/net/ipv6/exthdrs_core.c
+@@ -143,6 +143,8 @@ int ipv6_find_tlv(const struct sk_buff *
+ optlen = 1;
+ break;
+ default:
++ if (len < 2)
++ goto bad;
+ optlen = nh[offset + 1] + 2;
+ if (optlen > len)
+ goto bad;
--- /dev/null
+From 600761245952d7f70280add6ce02894f1528992b Mon Sep 17 00:00:00 2001
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+Date: Mon, 22 May 2023 14:00:38 +0200
+Subject: lan966x: Fix unloading/loading of the driver
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+commit 600761245952d7f70280add6ce02894f1528992b upstream.
+
+It was noticing that after a while when unloading/loading the driver and
+sending traffic through the switch, it would stop working. It would stop
+forwarding any traffic and the only way to get out of this was to do a
+power cycle of the board. The root cause seems to be that the switch
+core is initialized twice. Apparently initializing twice the switch core
+disturbs the pointers in the queue systems in the HW, so after a while
+it would stop sending the traffic.
+Unfortunetly, it is not possible to use a reset of the switch here,
+because the reset line is connected to multiple devices like MDIO,
+SGPIO, FAN, etc. So then all the devices will get reseted when the
+network driver will be loaded.
+So the fix is to check if the core is initialized already and if that is
+the case don't initialize it again.
+
+Fixes: db8bcaad5393 ("net: lan966x: add the basic lan966x driver")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230522120038.3749026-1-horatiu.vultur@microchip.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/microchip/lan966x/lan966x_main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
+@@ -1013,6 +1013,16 @@ static int lan966x_reset_switch(struct l
+
+ reset_control_reset(switch_reset);
+
++ /* Don't reinitialize the switch core, if it is already initialized. In
++ * case it is initialized twice, some pointers inside the queue system
++ * in HW will get corrupted and then after a while the queue system gets
++ * full and no traffic is passing through the switch. The issue is seen
++ * when loading and unloading the driver and sending traffic through the
++ * switch.
++ */
++ if (lan_rd(lan966x, SYS_RESET_CFG) & SYS_RESET_CFG_CORE_ENA)
++ return 0;
++
+ lan_wr(SYS_RESET_CFG_CORE_ENA_SET(0), lan966x, SYS_RESET_CFG);
+ lan_wr(SYS_RAM_INIT_RAM_INIT_SET(1), lan966x, SYS_RAM_INIT);
+ ret = readx_poll_timeout(lan966x_ram_init, lan966x,
--- /dev/null
+From 8a02fb71d7192ff1a9a47c9d937624966c6e09af Mon Sep 17 00:00:00 2001
+From: Pratyush Yadav <ptyadav@amazon.de>
+Date: Mon, 22 May 2023 17:30:20 +0200
+Subject: net: fix skb leak in __skb_tstamp_tx()
+
+From: Pratyush Yadav <ptyadav@amazon.de>
+
+commit 8a02fb71d7192ff1a9a47c9d937624966c6e09af upstream.
+
+Commit 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with
+TX timestamp.") added a call to skb_orphan_frags_rx() to fix leaks with
+zerocopy skbs. But it ended up adding a leak of its own. When
+skb_orphan_frags_rx() fails, the function just returns, leaking the skb
+it just cloned. Free it before returning.
+
+This bug was discovered and resolved using Coverity Static Analysis
+Security Testing (SAST) by Synopsys, Inc.
+
+Fixes: 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.")
+Signed-off-by: Pratyush Yadav <ptyadav@amazon.de>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20230522153020.32422-1-ptyadav@amazon.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -5171,8 +5171,10 @@ void __skb_tstamp_tx(struct sk_buff *ori
+ } else {
+ skb = skb_clone(orig_skb, GFP_ATOMIC);
+
+- if (skb_orphan_frags_rx(skb, GFP_ATOMIC))
++ if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) {
++ kfree_skb(skb);
+ return;
++ }
+ }
+ if (!skb)
+ return;
--- /dev/null
+From de678ca38861f2eb58814048076dcf95ed1b5bf9 Mon Sep 17 00:00:00 2001
+From: Sunil Goutham <sgoutham@marvell.com>
+Date: Thu, 18 May 2023 12:10:42 +0530
+Subject: octeontx2-pf: Fix TSOv6 offload
+
+From: Sunil Goutham <sgoutham@marvell.com>
+
+commit de678ca38861f2eb58814048076dcf95ed1b5bf9 upstream.
+
+HW adds segment size to the payload length
+in the IPv6 header. Fix payload length to
+just TCP header length instead of 'TCP header
+size + IPv6 header size'.
+
+Fixes: 86d7476078b8 ("octeontx2-pf: TCP segmentation offload support")
+Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
+Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
+@@ -652,9 +652,7 @@ static void otx2_sqe_add_ext(struct otx2
+ htons(ext->lso_sb - skb_network_offset(skb));
+ } else if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6) {
+ ext->lso_format = pfvf->hw.lso_tsov6_idx;
+-
+- ipv6_hdr(skb)->payload_len =
+- htons(ext->lso_sb - skb_network_offset(skb));
++ ipv6_hdr(skb)->payload_len = htons(tcp_hdrlen(skb));
+ } else if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4) {
+ __be16 l3_proto = vlan_get_protocol(skb);
+ struct udphdr *udph = udp_hdr(skb);
--- /dev/null
+From 654d0310007146fae87b0c1a68f81e53ad519b14 Mon Sep 17 00:00:00 2001
+From: Etienne Carriere <etienne.carriere@linaro.org>
+Date: Thu, 20 Apr 2023 09:49:23 +0200
+Subject: optee: fix uninited async notif value
+
+From: Etienne Carriere <etienne.carriere@linaro.org>
+
+commit 654d0310007146fae87b0c1a68f81e53ad519b14 upstream.
+
+Fixes an uninitialized variable in irq_handler() that could lead to
+unpredictable behavior in case OP-TEE fails to handle SMC function ID
+OPTEE_SMC_GET_ASYNC_NOTIF_VALUE. This change ensures that in that case
+get_async_notif_value() properly reports there are no notification
+event.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/r/202304200755.OoiuclDZ-lkp@intel.com/
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://lore.kernel.org/all/d9b7f69b-c737-4cb3-8e74-79fe00c934f9@kili.mountain/
+Fixes: 6749e69c4dad ("optee: add asynchronous notifications")
+Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
+Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tee/optee/smc_abi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/tee/optee/smc_abi.c
++++ b/drivers/tee/optee/smc_abi.c
+@@ -984,8 +984,10 @@ static u32 get_async_notif_value(optee_i
+
+ invoke_fn(OPTEE_SMC_GET_ASYNC_NOTIF_VALUE, 0, 0, 0, 0, 0, 0, 0, &res);
+
+- if (res.a0)
++ if (res.a0) {
++ *value_valid = false;
+ return 0;
++ }
+ *value_valid = (res.a2 & OPTEE_SMC_ASYNC_NOTIF_VALUE_VALID);
+ *value_pending = (res.a2 & OPTEE_SMC_ASYNC_NOTIF_VALUE_PENDING);
+ return res.a1;
--- /dev/null
+From bbb320bfe2c3e9740fe89cfa0a7089b4e8bfc4ff Mon Sep 17 00:00:00 2001
+From: Steve Wahl <steve.wahl@hpe.com>
+Date: Fri, 19 May 2023 11:04:20 -0500
+Subject: platform/x86: ISST: Remove 8 socket limit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Steve Wahl <steve.wahl@hpe.com>
+
+commit bbb320bfe2c3e9740fe89cfa0a7089b4e8bfc4ff upstream.
+
+Stop restricting the PCI search to a range of PCI domains fed to
+pci_get_domain_bus_and_slot(). Instead, use for_each_pci_dev() and
+look at all PCI domains in one pass.
+
+On systems with more than 8 sockets, this avoids error messages like
+"Information: Invalid level, Can't get TDP control information at
+specified levels on cpu 480" from the intel speed select utility.
+
+Fixes: aa2ddd242572 ("platform/x86: ISST: Use numa node id for cpu pci dev mapping")
+Signed-off-by: Steve Wahl <steve.wahl@hpe.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20230519160420.2588475-1-steve.wahl@hpe.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
++++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
+@@ -295,14 +295,13 @@ struct isst_if_pkg_info {
+ static struct isst_if_cpu_info *isst_cpu_info;
+ static struct isst_if_pkg_info *isst_pkg_info;
+
+-#define ISST_MAX_PCI_DOMAINS 8
+-
+ static struct pci_dev *_isst_if_get_pci_dev(int cpu, int bus_no, int dev, int fn)
+ {
+ struct pci_dev *matched_pci_dev = NULL;
+ struct pci_dev *pci_dev = NULL;
++ struct pci_dev *_pci_dev = NULL;
+ int no_matches = 0, pkg_id;
+- int i, bus_number;
++ int bus_number;
+
+ if (bus_no < 0 || bus_no >= ISST_MAX_BUS_NUMBER || cpu < 0 ||
+ cpu >= nr_cpu_ids || cpu >= num_possible_cpus())
+@@ -314,12 +313,11 @@ static struct pci_dev *_isst_if_get_pci_
+ if (bus_number < 0)
+ return NULL;
+
+- for (i = 0; i < ISST_MAX_PCI_DOMAINS; ++i) {
+- struct pci_dev *_pci_dev;
++ for_each_pci_dev(_pci_dev) {
+ int node;
+
+- _pci_dev = pci_get_domain_bus_and_slot(i, bus_number, PCI_DEVFN(dev, fn));
+- if (!_pci_dev)
++ if (_pci_dev->bus->number != bus_number ||
++ _pci_dev->devfn != PCI_DEVFN(dev, fn))
+ continue;
+
+ ++no_matches;
--- /dev/null
+From 77c2a3097d7029441e8a91aa0de1b4e5464593da Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 15 Apr 2023 20:23:41 +0200
+Subject: power: supply: bq24190: Call power_supply_changed() after updating input current
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 77c2a3097d7029441e8a91aa0de1b4e5464593da upstream.
+
+The bq24192 model relies on external charger-type detection and once
+that is done the bq24190_charger code will update the input current.
+
+In this case, when the initial power_supply_changed() call is made
+from the interrupt handler, the input settings are 5V/0.5A which
+on many devices is not enough power to charge (while the device is on).
+
+On many devices the fuel-gauge relies in its external_power_changed
+callback to timely signal userspace about charging <-> discharging
+status changes. Add a power_supply_changed() call after updating
+the input current. This allows the fuel-gauge driver to timely recheck
+if the battery is charging after the new input current has been applied
+and then it can immediately notify userspace about this.
+
+Fixes: 18f8e6f695ac ("power: supply: bq24190_charger: Get input_current_limit from our supplier")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/bq24190_charger.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/power/supply/bq24190_charger.c
++++ b/drivers/power/supply/bq24190_charger.c
+@@ -1262,6 +1262,7 @@ static void bq24190_input_current_limit_
+ bq24190_charger_set_property(bdi->charger,
+ POWER_SUPPLY_PROP_INPUT_CURRENT_LIMIT,
+ &val);
++ power_supply_changed(bdi->charger);
+ }
+
+ /* Sync the input-current-limit with our parent supply (if we have one) */
--- /dev/null
+From ad3d9c779b1f09f3f3a6fefd07af407c7bc7c9a7 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 15 Apr 2023 20:23:40 +0200
+Subject: power: supply: bq25890: Call power_supply_changed() after updating input current or voltage
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit ad3d9c779b1f09f3f3a6fefd07af407c7bc7c9a7 upstream.
+
+The bq25892 model relies on external charger-type detection and once
+that is done the bq25890_charger code will update the input current
+and if pumpexpress is used also the input voltage.
+
+In this case, when the initial power_supply_changed() call is made
+from the interrupt handler, the input settings are 5V/0.5A which
+on many devices is not enough power to charge (while the device is on).
+
+On many devices the fuel-gauge relies in its external_power_changed
+callback to timely signal userspace about charging <-> discharging
+status changes. Add a power_supply_changed() call after updating
+the input current or voltage. This allows the fuel-gauge driver
+to timely recheck if the battery is charging after the new input
+settings have been applied and then it can immediately notify
+userspace about this.
+
+Fixes: 48f45b094dbb ("power: supply: bq25890: Support higher charging voltages through Pump Express+ protocol")
+Fixes: eab25b4f93aa ("power: supply: bq25890: On the bq25892 set the IINLIM based on external charger detection")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/bq25890_charger.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/power/supply/bq25890_charger.c
++++ b/drivers/power/supply/bq25890_charger.c
+@@ -775,6 +775,7 @@ static void bq25890_charger_external_pow
+ }
+
+ bq25890_field_write(bq, F_IINLIM, input_current_limit);
++ power_supply_changed(psy);
+ }
+
+ static int bq25890_get_chip_state(struct bq25890_device *bq,
+@@ -1106,6 +1107,8 @@ static void bq25890_pump_express_work(st
+ dev_info(bq->dev, "Hi-voltage charging requested, input voltage is %d mV\n",
+ voltage);
+
++ power_supply_changed(bq->charger);
++
+ return;
+ error_print:
+ bq25890_field_write(bq, F_PUMPX_EN, 0);
--- /dev/null
+From 35092c5819f8c5acc7bafe3fdbb13d6307c4f5e1 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 15 Apr 2023 20:23:35 +0200
+Subject: power: supply: bq27xxx: Add cache parameter to bq27xxx_battery_current_and_status()
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 35092c5819f8c5acc7bafe3fdbb13d6307c4f5e1 upstream.
+
+Add a cache parameter to bq27xxx_battery_current_and_status() so that
+it can optionally use cached flags instead of re-reading them itself.
+
+This is a preparation patch for making bq27xxx_battery_update() check
+the status and have it call power_supply_changed() on status changes.
+
+Fixes: 297a533b3e62 ("bq27x00: Cache battery registers")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/bq27xxx_battery.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/power/supply/bq27xxx_battery.c
++++ b/drivers/power/supply/bq27xxx_battery.c
+@@ -1840,7 +1840,8 @@ static bool bq27xxx_battery_is_full(stru
+ static int bq27xxx_battery_current_and_status(
+ struct bq27xxx_device_info *di,
+ union power_supply_propval *val_curr,
+- union power_supply_propval *val_status)
++ union power_supply_propval *val_status,
++ struct bq27xxx_reg_cache *cache)
+ {
+ bool single_flags = (di->opts & BQ27XXX_O_ZERO);
+ int curr;
+@@ -1852,10 +1853,14 @@ static int bq27xxx_battery_current_and_s
+ return curr;
+ }
+
+- flags = bq27xxx_read(di, BQ27XXX_REG_FLAGS, single_flags);
+- if (flags < 0) {
+- dev_err(di->dev, "error reading flags\n");
+- return flags;
++ if (cache) {
++ flags = cache->flags;
++ } else {
++ flags = bq27xxx_read(di, BQ27XXX_REG_FLAGS, single_flags);
++ if (flags < 0) {
++ dev_err(di->dev, "error reading flags\n");
++ return flags;
++ }
+ }
+
+ if (di->opts & BQ27XXX_O_ZERO) {
+@@ -2001,7 +2006,7 @@ static int bq27xxx_battery_get_property(
+
+ switch (psp) {
+ case POWER_SUPPLY_PROP_STATUS:
+- ret = bq27xxx_battery_current_and_status(di, NULL, val);
++ ret = bq27xxx_battery_current_and_status(di, NULL, val, NULL);
+ break;
+ case POWER_SUPPLY_PROP_VOLTAGE_NOW:
+ ret = bq27xxx_battery_voltage(di, val);
+@@ -2010,7 +2015,7 @@ static int bq27xxx_battery_get_property(
+ val->intval = di->cache.flags < 0 ? 0 : 1;
+ break;
+ case POWER_SUPPLY_PROP_CURRENT_NOW:
+- ret = bq27xxx_battery_current_and_status(di, val, NULL);
++ ret = bq27xxx_battery_current_and_status(di, val, NULL, NULL);
+ break;
+ case POWER_SUPPLY_PROP_CAPACITY:
+ ret = bq27xxx_simple_value(di->cache.capacity, val);
--- /dev/null
+From 59a99cd462fbdf71f4e845e09f37783035088b4f Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 15 Apr 2023 20:23:38 +0200
+Subject: power: supply: bq27xxx: After charger plug in/out wait 0.5s for things to stabilize
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 59a99cd462fbdf71f4e845e09f37783035088b4f upstream.
+
+bq27xxx_external_power_changed() gets called when the charger is plugged
+in or out. Rather then immediately scheduling an update wait 0.5 seconds
+for things to stabilize, so that e.g. the (dis)charge current is stable
+when bq27xxx_battery_update() runs.
+
+Fixes: 740b755a3b34 ("bq27x00: Poll battery state")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/bq27xxx_battery.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/power/supply/bq27xxx_battery.c
++++ b/drivers/power/supply/bq27xxx_battery.c
+@@ -2099,8 +2099,8 @@ static void bq27xxx_external_power_chang
+ {
+ struct bq27xxx_device_info *di = power_supply_get_drvdata(psy);
+
+- cancel_delayed_work_sync(&di->work);
+- schedule_delayed_work(&di->work, 0);
++ /* After charger plug in/out wait 0.5s for things to stabilize */
++ mod_delayed_work(system_wq, &di->work, HZ / 2);
+ }
+
+ int bq27xxx_battery_setup(struct bq27xxx_device_info *di)
--- /dev/null
+From 939a116142012926e25de0ea6b7e2f8d86a5f1b6 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 15 Apr 2023 20:23:37 +0200
+Subject: power: supply: bq27xxx: Ensure power_supply_changed() is called on current sign changes
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 939a116142012926e25de0ea6b7e2f8d86a5f1b6 upstream.
+
+On gauges where the current register is signed, there is no charging
+flag in the flags register. So only checking flags will not result
+in power_supply_changed() getting called when e.g. a charger is plugged
+in and the current sign changes from negative (discharging) to
+positive (charging).
+
+This causes userspace's notion of the status to lag until userspace
+does a poll.
+
+And when a power_supply_leds.c LED trigger is used to indicate charging
+status with a LED, this LED will lag until the capacity percentage
+changes, which may take many minutes (because the LED trigger only is
+updated on power_supply_changed() calls).
+
+Fix this by calling bq27xxx_battery_current_and_status() on gauges with
+a signed current register and checking if the status has changed.
+
+Fixes: 297a533b3e62 ("bq27x00: Cache battery registers")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/bq27xxx_battery.c | 13 ++++++++++++-
+ include/linux/power/bq27xxx_battery.h | 3 +++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/power/supply/bq27xxx_battery.c
++++ b/drivers/power/supply/bq27xxx_battery.c
+@@ -1836,6 +1836,7 @@ static int bq27xxx_battery_current_and_s
+
+ static void bq27xxx_battery_update_unlocked(struct bq27xxx_device_info *di)
+ {
++ union power_supply_propval status = di->last_status;
+ struct bq27xxx_reg_cache cache = {0, };
+ bool has_singe_flag = di->opts & BQ27XXX_O_ZERO;
+
+@@ -1860,14 +1861,24 @@ static void bq27xxx_battery_update_unloc
+ if (di->regs[BQ27XXX_REG_CYCT] != INVALID_REG_ADDR)
+ cache.cycle_count = bq27xxx_battery_read_cyct(di);
+
++ /*
++ * On gauges with signed current reporting the current must be
++ * checked to detect charging <-> discharging status changes.
++ */
++ if (!(di->opts & BQ27XXX_O_ZERO))
++ bq27xxx_battery_current_and_status(di, NULL, &status, &cache);
++
+ /* We only have to read charge design full once */
+ if (di->charge_design_full <= 0)
+ di->charge_design_full = bq27xxx_battery_read_dcap(di);
+ }
+
+ if ((di->cache.capacity != cache.capacity) ||
+- (di->cache.flags != cache.flags))
++ (di->cache.flags != cache.flags) ||
++ (di->last_status.intval != status.intval)) {
++ di->last_status.intval = status.intval;
+ power_supply_changed(di->bat);
++ }
+
+ if (memcmp(&di->cache, &cache, sizeof(cache)) != 0)
+ di->cache = cache;
+--- a/include/linux/power/bq27xxx_battery.h
++++ b/include/linux/power/bq27xxx_battery.h
+@@ -2,6 +2,8 @@
+ #ifndef __LINUX_BQ27X00_BATTERY_H__
+ #define __LINUX_BQ27X00_BATTERY_H__
+
++#include <linux/power_supply.h>
++
+ enum bq27xxx_chip {
+ BQ27000 = 1, /* bq27000, bq27200 */
+ BQ27010, /* bq27010, bq27210 */
+@@ -70,6 +72,7 @@ struct bq27xxx_device_info {
+ int charge_design_full;
+ bool removed;
+ unsigned long last_update;
++ union power_supply_propval last_status;
+ struct delayed_work work;
+ struct power_supply *bat;
+ struct list_head list;
--- /dev/null
+From 5c34c0aef185dcd10881847b9ebf20046aa77cb4 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 15 Apr 2023 20:23:32 +0200
+Subject: power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 5c34c0aef185dcd10881847b9ebf20046aa77cb4 upstream.
+
+bq27xxx_battery_update() assumes / requires that it is only run once,
+not multiple times at the same time. But there are 3 possible callers:
+
+1. bq27xxx_battery_poll() delayed_work item handler
+2. bq27xxx_battery_irq_handler_thread() I2C IRQ handler
+3. bq27xxx_battery_setup()
+
+And there is no protection against these racing with each other,
+fix this race condition by making all callers take di->lock:
+
+- Rename bq27xxx_battery_update() to bq27xxx_battery_update_unlocked()
+
+- Add new bq27xxx_battery_update() which takes di->lock and then calls
+ bq27xxx_battery_update_unlocked()
+
+- Make stale cache check code in bq27xxx_battery_get_property(), which
+ already takes di->lock directly to check the jiffies, call
+ bq27xxx_battery_update_unlocked() instead of messing with
+ the delayed_work item
+
+- Make bq27xxx_battery_update_unlocked() mod the delayed-work item
+ so that the next poll is delayed to poll_interval milliseconds after
+ the last update independent of the source of the update
+
+Fixes: 740b755a3b34 ("bq27x00: Poll battery state")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/bq27xxx_battery.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+--- a/drivers/power/supply/bq27xxx_battery.c
++++ b/drivers/power/supply/bq27xxx_battery.c
+@@ -1761,7 +1761,7 @@ static int bq27xxx_battery_read_health(s
+ return POWER_SUPPLY_HEALTH_GOOD;
+ }
+
+-void bq27xxx_battery_update(struct bq27xxx_device_info *di)
++static void bq27xxx_battery_update_unlocked(struct bq27xxx_device_info *di)
+ {
+ struct bq27xxx_reg_cache cache = {0, };
+ bool has_singe_flag = di->opts & BQ27XXX_O_ZERO;
+@@ -1800,6 +1800,16 @@ void bq27xxx_battery_update(struct bq27x
+ di->cache = cache;
+
+ di->last_update = jiffies;
++
++ if (poll_interval > 0)
++ mod_delayed_work(system_wq, &di->work, poll_interval * HZ);
++}
++
++void bq27xxx_battery_update(struct bq27xxx_device_info *di)
++{
++ mutex_lock(&di->lock);
++ bq27xxx_battery_update_unlocked(di);
++ mutex_unlock(&di->lock);
+ }
+ EXPORT_SYMBOL_GPL(bq27xxx_battery_update);
+
+@@ -1810,9 +1820,6 @@ static void bq27xxx_battery_poll(struct
+ work.work);
+
+ bq27xxx_battery_update(di);
+-
+- if (poll_interval > 0)
+- schedule_delayed_work(&di->work, poll_interval * HZ);
+ }
+
+ static bool bq27xxx_battery_is_full(struct bq27xxx_device_info *di, int flags)
+@@ -1985,10 +1992,8 @@ static int bq27xxx_battery_get_property(
+ struct bq27xxx_device_info *di = power_supply_get_drvdata(psy);
+
+ mutex_lock(&di->lock);
+- if (time_is_before_jiffies(di->last_update + 5 * HZ)) {
+- cancel_delayed_work_sync(&di->work);
+- bq27xxx_battery_poll(&di->work.work);
+- }
++ if (time_is_before_jiffies(di->last_update + 5 * HZ))
++ bq27xxx_battery_update_unlocked(di);
+ mutex_unlock(&di->lock);
+
+ if (psp != POWER_SUPPLY_PROP_PRESENT && di->cache.flags < 0)
--- /dev/null
+From 444ff00734f3878cd54ddd1ed5e2e6dbea9326d5 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 15 Apr 2023 20:23:33 +0200
+Subject: power: supply: bq27xxx: Fix I2C IRQ race on remove
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 444ff00734f3878cd54ddd1ed5e2e6dbea9326d5 upstream.
+
+devm_request_threaded_irq() requested IRQs are only free-ed after
+the driver's remove function has ran. So the IRQ could trigger and
+call bq27xxx_battery_update() after bq27xxx_battery_teardown() has
+already run.
+
+Switch to explicitly free-ing the IRQ in bq27xxx_battery_i2c_remove()
+to fix this.
+
+Fixes: 8807feb91b76 ("power: bq27xxx_battery: Add interrupt handling support")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/bq27xxx_battery_i2c.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/power/supply/bq27xxx_battery_i2c.c
++++ b/drivers/power/supply/bq27xxx_battery_i2c.c
+@@ -179,7 +179,7 @@ static int bq27xxx_battery_i2c_probe(str
+ i2c_set_clientdata(client, di);
+
+ if (client->irq) {
+- ret = devm_request_threaded_irq(&client->dev, client->irq,
++ ret = request_threaded_irq(client->irq,
+ NULL, bq27xxx_battery_irq_handler_thread,
+ IRQF_ONESHOT,
+ di->name, di);
+@@ -209,6 +209,7 @@ static void bq27xxx_battery_i2c_remove(s
+ {
+ struct bq27xxx_device_info *di = i2c_get_clientdata(client);
+
++ free_irq(client->irq, di);
+ bq27xxx_battery_teardown(di);
+
+ mutex_lock(&battery_mutex);
--- /dev/null
+From c00bc80462afc7963f449d7f21d896d2f629cacc Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 15 Apr 2023 20:23:34 +0200
+Subject: power: supply: bq27xxx: Fix poll_interval handling and races on remove
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit c00bc80462afc7963f449d7f21d896d2f629cacc upstream.
+
+Before this patch bq27xxx_battery_teardown() was setting poll_interval = 0
+to avoid bq27xxx_battery_update() requeuing the delayed_work item.
+
+There are 2 problems with this:
+
+1. If the driver is unbound through sysfs, rather then the module being
+ rmmod-ed, this changes poll_interval unexpectedly
+
+2. This is racy, after it being set poll_interval could be changed
+ before bq27xxx_battery_update() checks it through
+ /sys/module/bq27xxx_battery/parameters/poll_interval
+
+Fix this by added a removed attribute to struct bq27xxx_device_info and
+using that instead of setting poll_interval to 0.
+
+There also is another poll_interval related race on remove(), writing
+/sys/module/bq27xxx_battery/parameters/poll_interval will requeue
+the delayed_work item for all devices on the bq27xxx_battery_devices
+list and the device being removed was only removed from that list
+after cancelling the delayed_work item.
+
+Fix this by moving the removal from the bq27xxx_battery_devices list
+to before cancelling the delayed_work item.
+
+Fixes: 8cfaaa811894 ("bq27x00_battery: Fix OOPS caused by unregistring bq27x00 driver")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/bq27xxx_battery.c | 22 +++++++++-------------
+ include/linux/power/bq27xxx_battery.h | 1 +
+ 2 files changed, 10 insertions(+), 13 deletions(-)
+
+--- a/drivers/power/supply/bq27xxx_battery.c
++++ b/drivers/power/supply/bq27xxx_battery.c
+@@ -1801,7 +1801,7 @@ static void bq27xxx_battery_update_unloc
+
+ di->last_update = jiffies;
+
+- if (poll_interval > 0)
++ if (!di->removed && poll_interval > 0)
+ mod_delayed_work(system_wq, &di->work, poll_interval * HZ);
+ }
+
+@@ -2132,22 +2132,18 @@ EXPORT_SYMBOL_GPL(bq27xxx_battery_setup)
+
+ void bq27xxx_battery_teardown(struct bq27xxx_device_info *di)
+ {
+- /*
+- * power_supply_unregister call bq27xxx_battery_get_property which
+- * call bq27xxx_battery_poll.
+- * Make sure that bq27xxx_battery_poll will not call
+- * schedule_delayed_work again after unregister (which cause OOPS).
+- */
+- poll_interval = 0;
+-
+- cancel_delayed_work_sync(&di->work);
+-
+- power_supply_unregister(di->bat);
+-
+ mutex_lock(&bq27xxx_list_lock);
+ list_del(&di->list);
+ mutex_unlock(&bq27xxx_list_lock);
+
++ /* Set removed to avoid bq27xxx_battery_update() re-queuing the work */
++ mutex_lock(&di->lock);
++ di->removed = true;
++ mutex_unlock(&di->lock);
++
++ cancel_delayed_work_sync(&di->work);
++
++ power_supply_unregister(di->bat);
+ mutex_destroy(&di->lock);
+ }
+ EXPORT_SYMBOL_GPL(bq27xxx_battery_teardown);
+--- a/include/linux/power/bq27xxx_battery.h
++++ b/include/linux/power/bq27xxx_battery.h
+@@ -68,6 +68,7 @@ struct bq27xxx_device_info {
+ struct bq27xxx_access_methods bus;
+ struct bq27xxx_reg_cache cache;
+ int charge_design_full;
++ bool removed;
+ unsigned long last_update;
+ struct delayed_work work;
+ struct power_supply *bat;
--- /dev/null
+From ff4c4a2a4437a6d03787c7aafb2617f20c3ef45f Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 15 Apr 2023 20:23:36 +0200
+Subject: power: supply: bq27xxx: Move bq27xxx_battery_update() down
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit ff4c4a2a4437a6d03787c7aafb2617f20c3ef45f upstream.
+
+Move the bq27xxx_battery_update() functions to below
+the bq27xxx_battery_current_and_status() function.
+
+This is just moving a block of text, no functional changes.
+
+This is a preparation patch for making bq27xxx_battery_update() check
+the status and have it call power_supply_changed() on status changes.
+
+Fixes: 297a533b3e62 ("bq27x00: Cache battery registers")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/bq27xxx_battery.c | 122 ++++++++++++++++-----------------
+ 1 file changed, 61 insertions(+), 61 deletions(-)
+
+--- a/drivers/power/supply/bq27xxx_battery.c
++++ b/drivers/power/supply/bq27xxx_battery.c
+@@ -1761,67 +1761,6 @@ static int bq27xxx_battery_read_health(s
+ return POWER_SUPPLY_HEALTH_GOOD;
+ }
+
+-static void bq27xxx_battery_update_unlocked(struct bq27xxx_device_info *di)
+-{
+- struct bq27xxx_reg_cache cache = {0, };
+- bool has_singe_flag = di->opts & BQ27XXX_O_ZERO;
+-
+- cache.flags = bq27xxx_read(di, BQ27XXX_REG_FLAGS, has_singe_flag);
+- if ((cache.flags & 0xff) == 0xff)
+- cache.flags = -1; /* read error */
+- if (cache.flags >= 0) {
+- cache.temperature = bq27xxx_battery_read_temperature(di);
+- if (di->regs[BQ27XXX_REG_TTE] != INVALID_REG_ADDR)
+- cache.time_to_empty = bq27xxx_battery_read_time(di, BQ27XXX_REG_TTE);
+- if (di->regs[BQ27XXX_REG_TTECP] != INVALID_REG_ADDR)
+- cache.time_to_empty_avg = bq27xxx_battery_read_time(di, BQ27XXX_REG_TTECP);
+- if (di->regs[BQ27XXX_REG_TTF] != INVALID_REG_ADDR)
+- cache.time_to_full = bq27xxx_battery_read_time(di, BQ27XXX_REG_TTF);
+-
+- cache.charge_full = bq27xxx_battery_read_fcc(di);
+- cache.capacity = bq27xxx_battery_read_soc(di);
+- if (di->regs[BQ27XXX_REG_AE] != INVALID_REG_ADDR)
+- cache.energy = bq27xxx_battery_read_energy(di);
+- di->cache.flags = cache.flags;
+- cache.health = bq27xxx_battery_read_health(di);
+- if (di->regs[BQ27XXX_REG_CYCT] != INVALID_REG_ADDR)
+- cache.cycle_count = bq27xxx_battery_read_cyct(di);
+-
+- /* We only have to read charge design full once */
+- if (di->charge_design_full <= 0)
+- di->charge_design_full = bq27xxx_battery_read_dcap(di);
+- }
+-
+- if ((di->cache.capacity != cache.capacity) ||
+- (di->cache.flags != cache.flags))
+- power_supply_changed(di->bat);
+-
+- if (memcmp(&di->cache, &cache, sizeof(cache)) != 0)
+- di->cache = cache;
+-
+- di->last_update = jiffies;
+-
+- if (!di->removed && poll_interval > 0)
+- mod_delayed_work(system_wq, &di->work, poll_interval * HZ);
+-}
+-
+-void bq27xxx_battery_update(struct bq27xxx_device_info *di)
+-{
+- mutex_lock(&di->lock);
+- bq27xxx_battery_update_unlocked(di);
+- mutex_unlock(&di->lock);
+-}
+-EXPORT_SYMBOL_GPL(bq27xxx_battery_update);
+-
+-static void bq27xxx_battery_poll(struct work_struct *work)
+-{
+- struct bq27xxx_device_info *di =
+- container_of(work, struct bq27xxx_device_info,
+- work.work);
+-
+- bq27xxx_battery_update(di);
+-}
+-
+ static bool bq27xxx_battery_is_full(struct bq27xxx_device_info *di, int flags)
+ {
+ if (di->opts & BQ27XXX_O_ZERO)
+@@ -1895,6 +1834,67 @@ static int bq27xxx_battery_current_and_s
+ return 0;
+ }
+
++static void bq27xxx_battery_update_unlocked(struct bq27xxx_device_info *di)
++{
++ struct bq27xxx_reg_cache cache = {0, };
++ bool has_singe_flag = di->opts & BQ27XXX_O_ZERO;
++
++ cache.flags = bq27xxx_read(di, BQ27XXX_REG_FLAGS, has_singe_flag);
++ if ((cache.flags & 0xff) == 0xff)
++ cache.flags = -1; /* read error */
++ if (cache.flags >= 0) {
++ cache.temperature = bq27xxx_battery_read_temperature(di);
++ if (di->regs[BQ27XXX_REG_TTE] != INVALID_REG_ADDR)
++ cache.time_to_empty = bq27xxx_battery_read_time(di, BQ27XXX_REG_TTE);
++ if (di->regs[BQ27XXX_REG_TTECP] != INVALID_REG_ADDR)
++ cache.time_to_empty_avg = bq27xxx_battery_read_time(di, BQ27XXX_REG_TTECP);
++ if (di->regs[BQ27XXX_REG_TTF] != INVALID_REG_ADDR)
++ cache.time_to_full = bq27xxx_battery_read_time(di, BQ27XXX_REG_TTF);
++
++ cache.charge_full = bq27xxx_battery_read_fcc(di);
++ cache.capacity = bq27xxx_battery_read_soc(di);
++ if (di->regs[BQ27XXX_REG_AE] != INVALID_REG_ADDR)
++ cache.energy = bq27xxx_battery_read_energy(di);
++ di->cache.flags = cache.flags;
++ cache.health = bq27xxx_battery_read_health(di);
++ if (di->regs[BQ27XXX_REG_CYCT] != INVALID_REG_ADDR)
++ cache.cycle_count = bq27xxx_battery_read_cyct(di);
++
++ /* We only have to read charge design full once */
++ if (di->charge_design_full <= 0)
++ di->charge_design_full = bq27xxx_battery_read_dcap(di);
++ }
++
++ if ((di->cache.capacity != cache.capacity) ||
++ (di->cache.flags != cache.flags))
++ power_supply_changed(di->bat);
++
++ if (memcmp(&di->cache, &cache, sizeof(cache)) != 0)
++ di->cache = cache;
++
++ di->last_update = jiffies;
++
++ if (!di->removed && poll_interval > 0)
++ mod_delayed_work(system_wq, &di->work, poll_interval * HZ);
++}
++
++void bq27xxx_battery_update(struct bq27xxx_device_info *di)
++{
++ mutex_lock(&di->lock);
++ bq27xxx_battery_update_unlocked(di);
++ mutex_unlock(&di->lock);
++}
++EXPORT_SYMBOL_GPL(bq27xxx_battery_update);
++
++static void bq27xxx_battery_poll(struct work_struct *work)
++{
++ struct bq27xxx_device_info *di =
++ container_of(work, struct bq27xxx_device_info,
++ work.work);
++
++ bq27xxx_battery_update(di);
++}
++
+ /*
+ * Get the average power in µW
+ * Return < 0 if something fails.
--- /dev/null
+From e4484643991e0f6b89060092563f0dbab9450cbb Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 13 Apr 2023 12:09:41 +0200
+Subject: power: supply: leds: Fix blink to LED on transition
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit e4484643991e0f6b89060092563f0dbab9450cbb upstream.
+
+When a battery's status changes from charging to full then
+the charging-blink-full-solid trigger tries to change
+the LED from blinking to solid/on.
+
+As is documented in include/linux/leds.h to deactivate blinking /
+to make the LED solid a LED_OFF must be send:
+
+"""
+ * Deactivate blinking again when the brightness is set to LED_OFF
+ * via the brightness_set() callback.
+"""
+
+led_set_brighness() calls with a brightness value other then 0 / LED_OFF
+merely change the brightness of the LED in its on state while it is
+blinking.
+
+So power_supply_update_bat_leds() must first send a LED_OFF event
+before the LED_FULL to disable blinking.
+
+Fixes: 6501f728c56f ("power_supply: Add new LED trigger charging-blink-solid-full")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Vasily Khoruzhick <anarsoul@gmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/power_supply_leds.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/power/supply/power_supply_leds.c
++++ b/drivers/power/supply/power_supply_leds.c
+@@ -35,8 +35,9 @@ static void power_supply_update_bat_leds
+ led_trigger_event(psy->charging_full_trig, LED_FULL);
+ led_trigger_event(psy->charging_trig, LED_OFF);
+ led_trigger_event(psy->full_trig, LED_FULL);
+- led_trigger_event(psy->charging_blink_full_solid_trig,
+- LED_FULL);
++ /* Going from blink to LED on requires a LED_OFF event to stop blink */
++ led_trigger_event(psy->charging_blink_full_solid_trig, LED_OFF);
++ led_trigger_event(psy->charging_blink_full_solid_trig, LED_FULL);
+ break;
+ case POWER_SUPPLY_STATUS_CHARGING:
+ led_trigger_event(psy->charging_full_trig, LED_FULL);
--- /dev/null
+From 4cbb0d358883a27e432714b5256f0362946f5e25 Mon Sep 17 00:00:00 2001
+From: Kang Chen <void0red@gmail.com>
+Date: Mon, 27 Feb 2023 11:14:10 +0800
+Subject: power: supply: mt6360: add a check of devm_work_autocancel in mt6360_charger_probe
+
+From: Kang Chen <void0red@gmail.com>
+
+commit 4cbb0d358883a27e432714b5256f0362946f5e25 upstream.
+
+devm_work_autocancel may fail, add a check and return early.
+
+Fixes: 0402e8ebb8b86 ("power: supply: mt6360_charger: add MT6360 charger support")
+Signed-off-by: Kang Chen <void0red@gmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/mt6360_charger.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/power/supply/mt6360_charger.c
++++ b/drivers/power/supply/mt6360_charger.c
+@@ -796,7 +796,9 @@ static int mt6360_charger_probe(struct p
+ mci->vinovp = 6500000;
+ mutex_init(&mci->chgdet_lock);
+ platform_set_drvdata(pdev, mci);
+- devm_work_autocancel(&pdev->dev, &mci->chrdet_work, mt6360_chrdet_work);
++ ret = devm_work_autocancel(&pdev->dev, &mci->chrdet_work, mt6360_chrdet_work);
++ if (ret)
++ return dev_err_probe(&pdev->dev, ret, "Failed to set delayed work\n");
+
+ ret = device_property_read_u32(&pdev->dev, "richtek,vinovp-microvolt", &mci->vinovp);
+ if (ret)
--- /dev/null
+From b2f2a3c9800208b0db2c2e34b05323757117faa2 Mon Sep 17 00:00:00 2001
+From: Daisuke Nojiri <dnojiri@chromium.org>
+Date: Mon, 24 Apr 2023 11:25:58 -0700
+Subject: power: supply: sbs-charger: Fix INHIBITED bit for Status reg
+
+From: Daisuke Nojiri <dnojiri@chromium.org>
+
+commit b2f2a3c9800208b0db2c2e34b05323757117faa2 upstream.
+
+CHARGE_INHIBITED bit position of the ChargerStatus register is actually
+0 not 1. This patch corrects it.
+
+Fixes: feb583e37f8a8 ("power: supply: add sbs-charger driver")
+Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/sbs-charger.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/power/supply/sbs-charger.c
++++ b/drivers/power/supply/sbs-charger.c
+@@ -24,7 +24,7 @@
+ #define SBS_CHARGER_REG_STATUS 0x13
+ #define SBS_CHARGER_REG_ALARM_WARNING 0x16
+
+-#define SBS_CHARGER_STATUS_CHARGE_INHIBITED BIT(1)
++#define SBS_CHARGER_STATUS_CHARGE_INHIBITED BIT(0)
+ #define SBS_CHARGER_STATUS_RES_COLD BIT(9)
+ #define SBS_CHARGER_STATUS_RES_HOT BIT(10)
+ #define SBS_CHARGER_STATUS_BATTERY_PRESENT BIT(14)
--- /dev/null
+From d67dada3e2524514b09496b9ee1df22d4507a280 Mon Sep 17 00:00:00 2001
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+Date: Fri, 12 May 2023 10:19:34 +0200
+Subject: regulator: pca9450: Fix BUCK2 enable_mask
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+commit d67dada3e2524514b09496b9ee1df22d4507a280 upstream.
+
+This fixes a copy & paste error.
+No functional change intended, BUCK1_ENMODE_MASK equals BUCK2_ENMODE_MASK.
+
+Fixes: 0935ff5f1f0a ("regulator: pca9450: add pca9450 pmic driver")
+Originally-from: Robin Gong <yibin.gong@nxp.com
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com
+Reviewed-by: Frieder Schrempf <frieder.schrempf@kontron.de
+Link: https://lore.kernel.org/r/20230512081935.2396180-1-alexander.stein@ew.tq-group.com
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/pca9450-regulator.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/regulator/pca9450-regulator.c
++++ b/drivers/regulator/pca9450-regulator.c
+@@ -264,7 +264,7 @@ static const struct pca9450_regulator_de
+ .vsel_reg = PCA9450_REG_BUCK2OUT_DVS0,
+ .vsel_mask = BUCK2OUT_DVS0_MASK,
+ .enable_reg = PCA9450_REG_BUCK2CTRL,
+- .enable_mask = BUCK1_ENMODE_MASK,
++ .enable_mask = BUCK2_ENMODE_MASK,
+ .ramp_reg = PCA9450_REG_BUCK2CTRL,
+ .ramp_mask = BUCK2_RAMP_MASK,
+ .ramp_delay_table = pca9450_dvs_buck_ramp_table,
+@@ -502,7 +502,7 @@ static const struct pca9450_regulator_de
+ .vsel_reg = PCA9450_REG_BUCK2OUT_DVS0,
+ .vsel_mask = BUCK2OUT_DVS0_MASK,
+ .enable_reg = PCA9450_REG_BUCK2CTRL,
+- .enable_mask = BUCK1_ENMODE_MASK,
++ .enable_mask = BUCK2_ENMODE_MASK,
+ .ramp_reg = PCA9450_REG_BUCK2CTRL,
+ .ramp_mask = BUCK2_RAMP_MASK,
+ .ramp_delay_table = pca9450_dvs_buck_ramp_table,
--- /dev/null
+From d226b1df361988f885c298737d6019c863a25f26 Mon Sep 17 00:00:00 2001
+From: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Date: Thu, 18 May 2023 12:37:59 +0800
+Subject: selftests: fib_tests: mute cleanup error message
+
+From: Po-Hsu Lin <po-hsu.lin@canonical.com>
+
+commit d226b1df361988f885c298737d6019c863a25f26 upstream.
+
+In the end of the test, there will be an error message induced by the
+`ip netns del ns1` command in cleanup()
+
+ Tests passed: 201
+ Tests failed: 0
+ Cannot remove namespace file "/run/netns/ns1": No such file or directory
+
+This can even be reproduced with just `./fib_tests.sh -h` as we're
+calling cleanup() on exit.
+
+Redirect the error message to /dev/null to mute it.
+
+V2: Update commit message and fixes tag.
+V3: resubmit due to missing netdev ML in V2
+
+Fixes: b60417a9f2b8 ("selftest: fib_tests: Always cleanup before exit")
+Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/fib_tests.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/fib_tests.sh
++++ b/tools/testing/selftests/net/fib_tests.sh
+@@ -68,7 +68,7 @@ setup()
+ cleanup()
+ {
+ $IP link del dev dummy0 &> /dev/null
+- ip netns del ns1
++ ip netns del ns1 &> /dev/null
+ ip netns del ns2 &> /dev/null
+ }
+
usb-sisusbvga-add-endpoint-checks.patch
media-radio-shark-add-endpoint-checks.patch
asoc-lpass-fix-for-kasan-use_after_free-out-of-bounds.patch
+net-fix-skb-leak-in-__skb_tstamp_tx.patch
+drm-fix-drmm_mutex_init.patch
+selftests-fib_tests-mute-cleanup-error-message.patch
+octeontx2-pf-fix-tsov6-offload.patch
+bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch
+bpf-fix-a-memory-leak-in-the-lru-and-lru_percpu-hash-maps.patch
+lan966x-fix-unloading-loading-of-the-driver.patch
+ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch
+cifs-mapchars-mount-option-ignored.patch
+power-supply-leds-fix-blink-to-led-on-transition.patch
+power-supply-mt6360-add-a-check-of-devm_work_autocancel-in-mt6360_charger_probe.patch
+power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch
+power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch
+power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch
+power-supply-bq27xxx-add-cache-parameter-to-bq27xxx_battery_current_and_status.patch
+power-supply-bq27xxx-move-bq27xxx_battery_update-down.patch
+power-supply-bq27xxx-ensure-power_supply_changed-is-called-on-current-sign-changes.patch
+power-supply-bq27xxx-after-charger-plug-in-out-wait-0.5s-for-things-to-stabilize.patch
+power-supply-bq25890-call-power_supply_changed-after-updating-input-current-or-voltage.patch
+power-supply-bq24190-call-power_supply_changed-after-updating-input-current.patch
+power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch
+optee-fix-uninited-async-notif-value.patch
+firmware-arm_ffa-check-if-ffa_driver-remove-is-present-before-executing.patch
+firmware-arm_ffa-fix-ffa-device-names-for-logical-partitions.patch
+fs-fix-undefined-behavior-in-bit-shift-for-sb_nouser.patch
+regulator-pca9450-fix-buck2-enable_mask.patch
+platform-x86-isst-remove-8-socket-limit.patch
+coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch
+arm-dts-imx6qdl-mba6-add-missing-pvcie-supply-regulator.patch
+x86-pci-xen-populate-msi-sysfs-entries.patch
+xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch
--- /dev/null
+From 335b4223466dd75f9f3ea4918187afbadd22e5c8 Mon Sep 17 00:00:00 2001
+From: Maximilian Heyne <mheyne@amazon.de>
+Date: Wed, 3 May 2023 13:16:53 +0000
+Subject: x86/pci/xen: populate MSI sysfs entries
+
+From: Maximilian Heyne <mheyne@amazon.de>
+
+commit 335b4223466dd75f9f3ea4918187afbadd22e5c8 upstream.
+
+Commit bf5e758f02fc ("genirq/msi: Simplify sysfs handling") reworked the
+creation of sysfs entries for MSI IRQs. The creation used to be in
+msi_domain_alloc_irqs_descs_locked after calling ops->domain_alloc_irqs.
+Then it moved into __msi_domain_alloc_irqs which is an implementation of
+domain_alloc_irqs. However, Xen comes with the only other implementation
+of domain_alloc_irqs and hence doesn't run the sysfs population code
+anymore.
+
+Commit 6c796996ee70 ("x86/pci/xen: Fixup fallout from the PCI/MSI
+overhaul") set the flag MSI_FLAG_DEV_SYSFS for the xen msi_domain_info
+but that doesn't actually have an effect because Xen uses it's own
+domain_alloc_irqs implementation.
+
+Fix this by making use of the fallback functions for sysfs population.
+
+Fixes: bf5e758f02fc ("genirq/msi: Simplify sysfs handling")
+Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Link: https://lore.kernel.org/r/20230503131656.15928-1-mheyne@amazon.de
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/pci/xen.c | 8 +++++---
+ include/linux/msi.h | 9 ++++++++-
+ kernel/irq/msi.c | 4 ++--
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/pci/xen.c
++++ b/arch/x86/pci/xen.c
+@@ -198,7 +198,7 @@ static int xen_setup_msi_irqs(struct pci
+ i++;
+ }
+ kfree(v);
+- return 0;
++ return msi_device_populate_sysfs(&dev->dev);
+
+ error:
+ if (ret == -ENOSYS)
+@@ -254,7 +254,7 @@ static int xen_hvm_setup_msi_irqs(struct
+ dev_dbg(&dev->dev,
+ "xen: msi --> pirq=%d --> irq=%d\n", pirq, irq);
+ }
+- return 0;
++ return msi_device_populate_sysfs(&dev->dev);
+
+ error:
+ dev_err(&dev->dev, "Failed to create MSI%s! ret=%d!\n",
+@@ -346,7 +346,7 @@ static int xen_initdom_setup_msi_irqs(st
+ if (ret < 0)
+ goto out;
+ }
+- ret = 0;
++ ret = msi_device_populate_sysfs(&dev->dev);
+ out:
+ return ret;
+ }
+@@ -394,6 +394,8 @@ static void xen_teardown_msi_irqs(struct
+ xen_destroy_irq(msidesc->irq + i);
+ msidesc->irq = 0;
+ }
++
++ msi_device_destroy_sysfs(&dev->dev);
+ }
+
+ static void xen_pv_teardown_msi_irqs(struct pci_dev *dev)
+--- a/include/linux/msi.h
++++ b/include/linux/msi.h
+@@ -383,6 +383,13 @@ int arch_setup_msi_irq(struct pci_dev *d
+ void arch_teardown_msi_irq(unsigned int irq);
+ int arch_setup_msi_irqs(struct pci_dev *dev, int nvec, int type);
+ void arch_teardown_msi_irqs(struct pci_dev *dev);
++#endif /* CONFIG_PCI_MSI_ARCH_FALLBACKS */
++
++/*
++ * Xen uses non-default msi_domain_ops and hence needs a way to populate sysfs
++ * entries of MSI IRQs.
++ */
++#if defined(CONFIG_PCI_XEN) || defined(CONFIG_PCI_MSI_ARCH_FALLBACKS)
+ #ifdef CONFIG_SYSFS
+ int msi_device_populate_sysfs(struct device *dev);
+ void msi_device_destroy_sysfs(struct device *dev);
+@@ -390,7 +397,7 @@ void msi_device_destroy_sysfs(struct dev
+ static inline int msi_device_populate_sysfs(struct device *dev) { return 0; }
+ static inline void msi_device_destroy_sysfs(struct device *dev) { }
+ #endif /* !CONFIG_SYSFS */
+-#endif /* CONFIG_PCI_MSI_ARCH_FALLBACKS */
++#endif /* CONFIG_PCI_XEN || CONFIG_PCI_MSI_ARCH_FALLBACKS */
+
+ /*
+ * The restore hook is still available even for fully irq domain based
+--- a/kernel/irq/msi.c
++++ b/kernel/irq/msi.c
+@@ -542,7 +542,7 @@ fail:
+ return ret;
+ }
+
+-#ifdef CONFIG_PCI_MSI_ARCH_FALLBACKS
++#if defined(CONFIG_PCI_MSI_ARCH_FALLBACKS) || defined(CONFIG_PCI_XEN)
+ /**
+ * msi_device_populate_sysfs - Populate msi_irqs sysfs entries for a device
+ * @dev: The device (PCI, platform etc) which will get sysfs entries
+@@ -574,7 +574,7 @@ void msi_device_destroy_sysfs(struct dev
+ msi_for_each_desc(desc, dev, MSI_DESC_ALL)
+ msi_sysfs_remove_desc(dev, desc);
+ }
+-#endif /* CONFIG_PCI_MSI_ARCH_FALLBACK */
++#endif /* CONFIG_PCI_MSI_ARCH_FALLBACK || CONFIG_PCI_XEN */
+ #else /* CONFIG_SYSFS */
+ static inline int msi_sysfs_create_group(struct device *dev) { return 0; }
+ static inline int msi_sysfs_populate_desc(struct device *dev, struct msi_desc *desc) { return 0; }
--- /dev/null
+From 8fafac202d18230bb9926bda48e563fd2cce2a4f Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Wed, 3 May 2023 18:11:35 +0300
+Subject: xen/pvcalls-back: fix double frees with pvcalls_new_active_socket()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 8fafac202d18230bb9926bda48e563fd2cce2a4f upstream.
+
+In the pvcalls_new_active_socket() function, most error paths call
+pvcalls_back_release_active(fedata->dev, fedata, map) which calls
+sock_release() on "sock". The bug is that the caller also frees sock.
+
+Fix this by making every error path in pvcalls_new_active_socket()
+release the sock, and don't free it in the caller.
+
+Fixes: 5db4d286a8ef ("xen/pvcalls: implement connect command")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Link: https://lore.kernel.org/r/e5f98dc2-0305-491f-a860-71bbd1398a2f@kili.mountain
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/pvcalls-back.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/xen/pvcalls-back.c
++++ b/drivers/xen/pvcalls-back.c
+@@ -325,8 +325,10 @@ static struct sock_mapping *pvcalls_new_
+ void *page;
+
+ map = kzalloc(sizeof(*map), GFP_KERNEL);
+- if (map == NULL)
++ if (map == NULL) {
++ sock_release(sock);
+ return NULL;
++ }
+
+ map->fedata = fedata;
+ map->sock = sock;
+@@ -418,10 +420,8 @@ static int pvcalls_back_connect(struct x
+ req->u.connect.ref,
+ req->u.connect.evtchn,
+ sock);
+- if (!map) {
++ if (!map)
+ ret = -EFAULT;
+- sock_release(sock);
+- }
+
+ out:
+ rsp = RING_GET_RESPONSE(&fedata->ring, fedata->ring.rsp_prod_pvt++);
+@@ -561,7 +561,6 @@ static void __pvcalls_back_accept(struct
+ sock);
+ if (!map) {
+ ret = -EFAULT;
+- sock_release(sock);
+ goto out_error;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
