Fixes for 5.10
authorSasha Levin <sashal@kernel.org>
Sun, 26 Mar 2023 23:04:15 +0000 (19:04 -0400)
committerSasha Levin <sashal@kernel.org>
Sun, 26 Mar 2023 23:04:15 +0000 (19:04 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
40 files changed:
queue-5.10/arm-dts-imx6sl-tolino-shine2hd-fix-usbotg1-pinctrl.patch [new file with mode: 0644]
queue-5.10/arm-dts-imx6sll-e60k02-fix-usbotg1-pinctrl.patch [new file with mode: 0644]
queue-5.10/atm-idt77252-fix-kmemleak-when-rmmod-idt77252.patch [new file with mode: 0644]
queue-5.10/bluetooth-btqcomsmd-fix-command-timeout-after-settin.patch [new file with mode: 0644]
queue-5.10/bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch [new file with mode: 0644]
queue-5.10/bluetooth-l2cap-fix-not-checking-for-maximum-number-.patch [new file with mode: 0644]
queue-5.10/bluetooth-l2cap-fix-responding-with-wrong-pdu-type.patch [new file with mode: 0644]
queue-5.10/bootconfig-fix-testcase-to-increase-max-node.patch [new file with mode: 0644]
queue-5.10/bpf-adjust-insufficient-default-bpf_jit_limit.patch [new file with mode: 0644]
queue-5.10/erspan-do-not-use-skb_mac_header-in-ndo_start_xmit.patch [new file with mode: 0644]
queue-5.10/gve-cache-link_speed-value-from-device.patch [new file with mode: 0644]
queue-5.10/i2c-imx-lpi2c-check-only-for-enabled-interrupt-flags.patch [new file with mode: 0644]
queue-5.10/iavf-fix-inverted-rx-hash-condition-leading-to-disab.patch [new file with mode: 0644]
queue-5.10/iavf-fix-non-tunneled-ipv6-udp-packet-type-and-hashi.patch [new file with mode: 0644]
queue-5.10/igbvf-regard-vf-reset-nack-as-success.patch [new file with mode: 0644]
queue-5.10/igc-fix-the-validation-logic-for-taprio-s-gate-list.patch [new file with mode: 0644]
queue-5.10/intel-igbvf-free-irq-on-the-error-path-in-igbvf_requ.patch [new file with mode: 0644]
queue-5.10/keys-do-not-cache-key-in-task-struct-if-key-is-reque.patch [new file with mode: 0644]
queue-5.10/net-dsa-mt7530-move-setting-ssc_delta-to-phy_interfa.patch [new file with mode: 0644]
queue-5.10/net-mdio-fix-owner-field-for-mdio-buses-registered-u.patch [new file with mode: 0644]
queue-5.10/net-mdio-thunder-add-missing-fwnode_handle_put.patch [new file with mode: 0644]
queue-5.10/net-mlx5-e-switch-fix-an-oops-in-error-handling-code.patch [new file with mode: 0644]
queue-5.10/net-mlx5-fix-steering-rules-cleanup.patch [new file with mode: 0644]
queue-5.10/net-mlx5-read-the-tc-mapping-of-all-priorities-on-et.patch [new file with mode: 0644]
queue-5.10/net-phy-ensure-state-transitions-are-processed-from-.patch [new file with mode: 0644]
queue-5.10/net-ps3_gelic_net-fix-rx-sk_buff-length.patch [new file with mode: 0644]
queue-5.10/net-ps3_gelic_net-use-dma_mapping_error.patch [new file with mode: 0644]
queue-5.10/net-qcom-emac-fix-use-after-free-bug-in-emac_remove-.patch [new file with mode: 0644]
queue-5.10/net-sonic-use-dma_mapping_error-for-error-check.patch [new file with mode: 0644]
queue-5.10/net-usb-smsc95xx-limit-packet-length-to-skb-len.patch [new file with mode: 0644]
queue-5.10/nvme-tcp-fix-nvme_tcp_term_pdu-to-match-spec.patch [new file with mode: 0644]
queue-5.10/platform-chrome-cros_ec_chardev-fix-kernel-data-leak.patch [new file with mode: 0644]
queue-5.10/power-supply-bq24190-fix-use-after-free-bug-in-bq241.patch [new file with mode: 0644]
queue-5.10/power-supply-bq24190_charger-using-pm_runtime_resume.patch [new file with mode: 0644]
queue-5.10/power-supply-da9150-fix-use-after-free-bug-in-da9150.patch [new file with mode: 0644]
queue-5.10/qed-qed_sriov-guard-against-null-derefs-from-qed_iov.patch [new file with mode: 0644]
queue-5.10/scsi-scsi_dh_alua-fix-memleak-for-qdata-in-alua_acti.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/xirc2ps_cs-fix-use-after-free-bug-in-xirc2ps_detach.patch [new file with mode: 0644]
queue-5.10/xsk-add-missing-overflow-check-in-xdp_umem_reg.patch [new file with mode: 0644]

diff --git a/queue-5.10/arm-dts-imx6sl-tolino-shine2hd-fix-usbotg1-pinctrl.patch b/queue-5.10/arm-dts-imx6sl-tolino-shine2hd-fix-usbotg1-pinctrl.patch
new file mode 100644 (file)
index 0000000..161bd2c
--- /dev/null
@@ -0,0 +1,34 @@
+From d7532d1e448b8dbc2f06478c3b1b94220a2778ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Feb 2023 21:12:14 +0800
+Subject: ARM: dts: imx6sl: tolino-shine2hd: fix usbotg1 pinctrl
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 1cd489e1ada1cffa56bd06fd4609f5a60a985d43 ]
+
+usb@2184000: 'pinctrl-0' is a dependency of 'pinctrl-names'
+
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Fixes: 9c7016f1ca6d ("ARM: dts: imx: add devicetree for Tolino Shine 2 HD")
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6sl-tolino-shine2hd.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/imx6sl-tolino-shine2hd.dts b/arch/arm/boot/dts/imx6sl-tolino-shine2hd.dts
+index caa2796088036..0fd126db4e5db 100644
+--- a/arch/arm/boot/dts/imx6sl-tolino-shine2hd.dts
++++ b/arch/arm/boot/dts/imx6sl-tolino-shine2hd.dts
+@@ -580,6 +580,7 @@ &usdhc3 {
+ &usbotg1 {
+       pinctrl-names = "default";
++      pinctrl-0 = <&pinctrl_usbotg1>;
+       disable-over-current;
+       srp-disable;
+       hnp-disable;
+-- 
+2.39.2
+
diff --git a/queue-5.10/arm-dts-imx6sll-e60k02-fix-usbotg1-pinctrl.patch b/queue-5.10/arm-dts-imx6sll-e60k02-fix-usbotg1-pinctrl.patch
new file mode 100644 (file)
index 0000000..c84c586
--- /dev/null
@@ -0,0 +1,34 @@
+From 9016431f93d0d952f5b90d3ce1c03f93c5135d06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Feb 2023 21:12:13 +0800
+Subject: ARM: dts: imx6sll: e60k02: fix usbotg1 pinctrl
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 957c04e9784c7c757e8cc293d7fb2a60cdf461b6 ]
+
+usb@2184000: 'pinctrl-0' is a dependency of 'pinctrl-names'
+
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Fixes: c100ea86e6ab ("ARM: dts: add Netronix E60K02 board common file")
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/e60k02.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/e60k02.dtsi b/arch/arm/boot/dts/e60k02.dtsi
+index 3af1ab4458ef5..bd1f58ae23743 100644
+--- a/arch/arm/boot/dts/e60k02.dtsi
++++ b/arch/arm/boot/dts/e60k02.dtsi
+@@ -296,6 +296,7 @@ &usdhc3 {
+ &usbotg1 {
+       pinctrl-names = "default";
++      pinctrl-0 = <&pinctrl_usbotg1>;
+       disable-over-current;
+       srp-disable;
+       hnp-disable;
+-- 
+2.39.2
+
diff --git a/queue-5.10/atm-idt77252-fix-kmemleak-when-rmmod-idt77252.patch b/queue-5.10/atm-idt77252-fix-kmemleak-when-rmmod-idt77252.patch
new file mode 100644 (file)
index 0000000..644c863
--- /dev/null
@@ -0,0 +1,92 @@
+From e56ed67ffd90d635a36fe8d92a759a5303b8dc67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 14:33:18 +0000
+Subject: atm: idt77252: fix kmemleak when rmmod idt77252
+
+From: Li Zetao <lizetao1@huawei.com>
+
+[ Upstream commit 4fe3c88552a3fbe1944426a4506a18cdeb457b5a ]
+
+There are memory leaks reported by kmemleak:
+
+  unreferenced object 0xffff888106500800 (size 128):
+    comm "modprobe", pid 1017, jiffies 4297787785 (age 67.152s)
+    hex dump (first 32 bytes):
+      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    backtrace:
+      [<00000000970ce626>] __kmem_cache_alloc_node+0x20c/0x380
+      [<00000000fb5f78d9>] kmalloc_trace+0x2f/0xb0
+      [<000000000e947e2a>] idt77252_init_one+0x2847/0x3c90 [idt77252]
+      [<000000006efb048e>] local_pci_probe+0xeb/0x1a0
+    ...
+
+  unreferenced object 0xffff888106500b00 (size 128):
+    comm "modprobe", pid 1017, jiffies 4297787785 (age 67.152s)
+    hex dump (first 32 bytes):
+      00 20 3d 01 80 88 ff ff 00 20 3d 01 80 88 ff ff  . =...... =.....
+      f0 23 3d 01 80 88 ff ff 00 20 3d 01 00 00 00 00  .#=...... =.....
+    backtrace:
+      [<00000000970ce626>] __kmem_cache_alloc_node+0x20c/0x380
+      [<00000000fb5f78d9>] kmalloc_trace+0x2f/0xb0
+      [<00000000f451c5be>] alloc_scq.constprop.0+0x4a/0x400 [idt77252]
+      [<00000000e6313849>] idt77252_init_one+0x28cf/0x3c90 [idt77252]
+
+The root cause is traced to the vc_maps which alloced in open_card_oam()
+are not freed in close_card_oam(). The vc_maps are used to record
+open connections, so when close a vc_map in close_card_oam(), the memory
+should be freed. Moreover, the ubr0 is not closed when close a idt77252
+device, leading to the memory leak of vc_map and scq_info.
+
+Fix them by adding kfree in close_card_oam() and implementing new
+close_card_ubr0() to close ubr0.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Li Zetao <lizetao1@huawei.com>
+Reviewed-by: Francois Romieu <romieu@fr.zoreil.com>
+Link: https://lore.kernel.org/r/20230320143318.2644630-1-lizetao1@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/idt77252.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c
+index 82f6f1fbe9e78..a217b50439e72 100644
+--- a/drivers/atm/idt77252.c
++++ b/drivers/atm/idt77252.c
+@@ -2915,6 +2915,7 @@ close_card_oam(struct idt77252_dev *card)
+                               recycle_rx_pool_skb(card, &vc->rcv.rx_pool);
+                       }
++                      kfree(vc);
+               }
+       }
+ }
+@@ -2958,6 +2959,15 @@ open_card_ubr0(struct idt77252_dev *card)
+       return 0;
+ }
++static void
++close_card_ubr0(struct idt77252_dev *card)
++{
++      struct vc_map *vc = card->vcs[0];
++
++      free_scq(card, vc->scq);
++      kfree(vc);
++}
++
+ static int
+ idt77252_dev_open(struct idt77252_dev *card)
+ {
+@@ -3007,6 +3017,7 @@ static void idt77252_dev_close(struct atm_dev *dev)
+       struct idt77252_dev *card = dev->dev_data;
+       u32 conf;
++      close_card_ubr0(card);
+       close_card_oam(card);
+       conf = SAR_CFG_RXPTH |  /* enable receive path           */
+-- 
+2.39.2
+
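Review bot: The new `close_card_ubr0()` dereferences `card->vcs[0]` without a NULL check and leaves the freed pointer stored in `card->vcs[0]`. The `kfree(vc)` added to `close_card_oam()` likewise does not visibly clear the slot it was read from. If any later teardown path walks `card->vcs[]` (none is visible in these hunks), it would touch freed memory. I would add `if (!vc) return;` before `free_scq(card, vc->scq);` and `card->vcs[0] = NULL;` after the `kfree(vc);`, and clear the corresponding slot in `close_card_oam()` too. The bodies of `close_card_oam()` and `idt77252_dev_close()` extend outside the hunks, so whether close can run after a failed `open_card_ubr0()` should be confirmed.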
diff --git a/queue-5.10/bluetooth-btqcomsmd-fix-command-timeout-after-settin.patch b/queue-5.10/bluetooth-btqcomsmd-fix-command-timeout-after-settin.patch
new file mode 100644 (file)
index 0000000..6f44c94
--- /dev/null
@@ -0,0 +1,74 @@
+From 2e249c78198c54232f3c9d30b0f9b30c5d86b336 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 14:31:55 +0100
+Subject: Bluetooth: btqcomsmd: Fix command timeout after setting BD address
+
+From: Stephan Gerhold <stephan.gerhold@kernkonzept.com>
+
+[ Upstream commit 5d44ab9e204200a78ad55cdf185aa2bb109b5950 ]
+
+On most devices using the btqcomsmd driver (e.g. the DragonBoard 410c
+and other devices based on the Qualcomm MSM8916/MSM8909/... SoCs)
+the Bluetooth firmware seems to become unresponsive for a while after
+setting the BD address. On recent kernel versions (at least 5.17+)
+this often causes timeouts for subsequent commands, e.g. the HCI reset
+sent by the Bluetooth core during initialization:
+
+    Bluetooth: hci0: Opcode 0x c03 failed: -110
+
+Unfortunately this behavior does not seem to be documented anywhere.
+Experimentation suggests that the minimum necessary delay to avoid
+the problem is ~150us. However, to be sure add a sleep for > 1ms
+in case it is a bit longer on other firmware versions.
+
+Older kernel versions are likely also affected, although perhaps with
+slightly different errors or less probability. Side effects can easily
+hide the issue in most cases, e.g. unrelated incoming interrupts that
+cause the necessary delay.
+
+Fixes: 1511cc750c3d ("Bluetooth: Introduce Qualcomm WCNSS SMD based HCI driver")
+Signed-off-by: Stephan Gerhold <stephan.gerhold@kernkonzept.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btqcomsmd.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/btqcomsmd.c b/drivers/bluetooth/btqcomsmd.c
+index 2acb719e596f5..11c7e04bf3947 100644
+--- a/drivers/bluetooth/btqcomsmd.c
++++ b/drivers/bluetooth/btqcomsmd.c
+@@ -122,6 +122,21 @@ static int btqcomsmd_setup(struct hci_dev *hdev)
+       return 0;
+ }
++static int btqcomsmd_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
++{
++      int ret;
++
++      ret = qca_set_bdaddr_rome(hdev, bdaddr);
++      if (ret)
++              return ret;
++
++      /* The firmware stops responding for a while after setting the bdaddr,
++       * causing timeouts for subsequent commands. Sleep a bit to avoid this.
++       */
++      usleep_range(1000, 10000);
++      return 0;
++}
++
+ static int btqcomsmd_probe(struct platform_device *pdev)
+ {
+       struct btqcomsmd *btq;
+@@ -162,7 +177,7 @@ static int btqcomsmd_probe(struct platform_device *pdev)
+       hdev->close = btqcomsmd_close;
+       hdev->send = btqcomsmd_send;
+       hdev->setup = btqcomsmd_setup;
+-      hdev->set_bdaddr = qca_set_bdaddr_rome;
++      hdev->set_bdaddr = btqcomsmd_set_bdaddr;
+       ret = hci_register_dev(hdev);
+       if (ret < 0)
+-- 
+2.39.2
+
diff --git a/queue-5.10/bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch b/queue-5.10/bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch
new file mode 100644 (file)
index 0000000..d050af1
--- /dev/null
@@ -0,0 +1,39 @@
+From 5521ef61015a6fb8dcc56b97bd30f67f06a47fb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Mar 2023 16:07:39 +0800
+Subject: Bluetooth: btsdio: fix use after free bug in btsdio_remove due to
+ unfinished work
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit 1e9ac114c4428fdb7ff4635b45d4f46017e8916f ]
+
+In btsdio_probe, &data->work was bound with btsdio_work.In
+btsdio_send_frame, it was started by schedule_work.
+
+If we call btsdio_remove with an unfinished job, there may
+be a race condition and cause UAF bug on hdev.
+
+Fixes: ddbaf13e3609 ("[Bluetooth] Add generic driver for Bluetooth SDIO devices")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btsdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c
+index 199e8f7d426d9..7050a16e7efeb 100644
+--- a/drivers/bluetooth/btsdio.c
++++ b/drivers/bluetooth/btsdio.c
+@@ -352,6 +352,7 @@ static void btsdio_remove(struct sdio_func *func)
+       BT_DBG("func %p", func);
++      cancel_work_sync(&data->work);
+       if (!data)
+               return;
+-- 
+2.39.2
+
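Review bot: The added `cancel_work_sync(&data->work);` sits above the `if (!data) return;` guard, so with a NULL `data` the call receives an address derived from a NULL pointer before the guard can return. Move the call below the guard, so that `if (!data) return;` comes first and `cancel_work_sync(&data->work);` follows it. The assignment of `data` and the rest of `btsdio_remove()` are outside the hunk. It is therefore worth confirming that nothing after the cancel (for example a send path still reachable until the hci device is unregistered) can queue the work again before `hdev` is freed.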
diff --git a/queue-5.10/bluetooth-l2cap-fix-not-checking-for-maximum-number-.patch b/queue-5.10/bluetooth-l2cap-fix-not-checking-for-maximum-number-.patch
new file mode 100644 (file)
index 0000000..2bd4af3
--- /dev/null
@@ -0,0 +1,75 @@
+From d56bc0c2abd57db4c0d2941cb89576405551afe5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Mar 2021 13:04:37 -0700
+Subject: Bluetooth: L2CAP: Fix not checking for maximum number of DCID
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 7cf3b1dd6aa603fd80969e9e7160becf1455a0eb ]
+
+When receiving L2CAP_CREDIT_BASED_CONNECTION_REQ the remote may request
+more channels than allowed by the spec (10 octecs = 5 CIDs) so this
+checks if the number of channels is bigger than the maximum allowed and
+respond with an error.
+
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Stable-dep-of: 9aa9d9473f15 ("Bluetooth: L2CAP: Fix responding with wrong PDU type")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/l2cap.h |  1 +
+ net/bluetooth/l2cap_core.c    | 12 +++++++++---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
+index 9b8000869b078..7f9d0ab76b14f 100644
+--- a/include/net/bluetooth/l2cap.h
++++ b/include/net/bluetooth/l2cap.h
+@@ -493,6 +493,7 @@ struct l2cap_le_credits {
+ #define L2CAP_ECRED_MIN_MTU           64
+ #define L2CAP_ECRED_MIN_MPS           64
++#define L2CAP_ECRED_MAX_CID           5
+ struct l2cap_ecred_conn_req {
+       __le16 psm;
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index bde90df6b4976..b01677882e38c 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5952,7 +5952,7 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
+       struct l2cap_ecred_conn_req *req = (void *) data;
+       struct {
+               struct l2cap_ecred_conn_rsp rsp;
+-              __le16 dcid[5];
++              __le16 dcid[L2CAP_ECRED_MAX_CID];
+       } __packed pdu;
+       struct l2cap_chan *chan, *pchan;
+       u16 mtu, mps;
+@@ -5969,6 +5969,14 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
+               goto response;
+       }
++      cmd_len -= sizeof(*req);
++      num_scid = cmd_len / sizeof(u16);
++
++      if (num_scid > ARRAY_SIZE(pdu.dcid)) {
++              result = L2CAP_CR_LE_INVALID_PARAMS;
++              goto response;
++      }
++
+       mtu  = __le16_to_cpu(req->mtu);
+       mps  = __le16_to_cpu(req->mps);
+@@ -6013,8 +6021,6 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
+       }
+       result = L2CAP_CR_LE_SUCCESS;
+-      cmd_len -= sizeof(*req);
+-      num_scid = cmd_len / sizeof(u16);
+       for (i = 0; i < num_scid; i++) {
+               u16 scid = __le16_to_cpu(req->scid[i]);
+-- 
+2.39.2
+
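Review bot: The new bound is what keeps the peer-supplied `num_scid` inside the on-stack `pdu.dcid[]`, but neither the define nor the check says so. I would add a comment on the define such as `/* Max CIDs in one enhanced credit based request/response; sizes the dcid[] arrays */` and one above the check such as `/* num_scid is peer-controlled: reject before it indexes pdu.dcid[] */`. The subtraction `cmd_len -= sizeof(*req)` now runs earlier and depends on the length validation just above the hunk, of which only the `goto response;` tail is visible. Please confirm that this validation still precedes the moved lines in the 5.10 tree.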
diff --git a/queue-5.10/bluetooth-l2cap-fix-responding-with-wrong-pdu-type.patch b/queue-5.10/bluetooth-l2cap-fix-responding-with-wrong-pdu-type.patch
new file mode 100644 (file)
index 0000000..1b7c452
--- /dev/null
@@ -0,0 +1,226 @@
+From a5d8a419d98636c8d3612b717081439609a34867 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 14:20:34 -0800
+Subject: Bluetooth: L2CAP: Fix responding with wrong PDU type
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 9aa9d9473f1550d1936c31259720b3f1f4690576 ]
+
+L2CAP_ECRED_CONN_REQ shall be responded with L2CAP_ECRED_CONN_RSP not
+L2CAP_LE_CONN_RSP:
+
+L2CAP LE EATT Server - Reject - run
+  Listening for connections
+  New client connection with handle 0x002a
+  Sending L2CAP Request from client
+  Client received response code 0x15
+  Unexpected L2CAP response code (expected 0x18)
+L2CAP LE EATT Server - Reject - test failed
+
+> ACL Data RX: Handle 42 flags 0x02 dlen 26
+      LE L2CAP: Enhanced Credit Connection Request (0x17) ident 1 len 18
+        PSM: 39 (0x0027)
+        MTU: 64
+        MPS: 64
+        Credits: 5
+        Source CID: 65
+        Source CID: 66
+        Source CID: 67
+        Source CID: 68
+        Source CID: 69
+< ACL Data TX: Handle 42 flags 0x00 dlen 16
+      LE L2CAP: LE Connection Response (0x15) ident 1 len 8
+        invalid size
+        00 00 00 00 00 00 06 00
+
+L2CAP LE EATT Server - Reject - run
+  Listening for connections
+  New client connection with handle 0x002a
+  Sending L2CAP Request from client
+  Client received response code 0x18
+L2CAP LE EATT Server - Reject - test passed
+
+Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 117 +++++++++++++++++++++++++------------
+ 1 file changed, 79 insertions(+), 38 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index b01677882e38c..367b1dec2e751 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -710,6 +710,17 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
+ }
+ EXPORT_SYMBOL_GPL(l2cap_chan_del);
++static void __l2cap_chan_list_id(struct l2cap_conn *conn, u16 id,
++                               l2cap_chan_func_t func, void *data)
++{
++      struct l2cap_chan *chan, *l;
++
++      list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
++              if (chan->ident == id)
++                      func(chan, data);
++      }
++}
++
+ static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
+                             void *data)
+ {
+@@ -777,23 +788,9 @@ static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
+ static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan)
+ {
+-      struct l2cap_conn *conn = chan->conn;
+-      struct l2cap_ecred_conn_rsp rsp;
+-      u16 result;
+-
+-      if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
+-              result = L2CAP_CR_LE_AUTHORIZATION;
+-      else
+-              result = L2CAP_CR_LE_BAD_PSM;
+-
+       l2cap_state_change(chan, BT_DISCONN);
+-      memset(&rsp, 0, sizeof(rsp));
+-
+-      rsp.result  = cpu_to_le16(result);
+-
+-      l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
+-                     &rsp);
++      __l2cap_ecred_conn_rsp_defer(chan);
+ }
+ static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
+@@ -848,7 +845,7 @@ void l2cap_chan_close(struct l2cap_chan *chan, int reason)
+                                       break;
+                               case L2CAP_MODE_EXT_FLOWCTL:
+                                       l2cap_chan_ecred_connect_reject(chan);
+-                                      break;
++                                      return;
+                               }
+                       }
+               }
+@@ -3934,43 +3931,86 @@ void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
+                      &rsp);
+ }
+-void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan)
++static void l2cap_ecred_list_defer(struct l2cap_chan *chan, void *data)
+ {
++      int *result = data;
++
++      if (*result || test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
++              return;
++
++      switch (chan->state) {
++      case BT_CONNECT2:
++              /* If channel still pending accept add to result */
++              (*result)++;
++              return;
++      case BT_CONNECTED:
++              return;
++      default:
++              /* If not connected or pending accept it has been refused */
++              *result = -ECONNREFUSED;
++              return;
++      }
++}
++
++struct l2cap_ecred_rsp_data {
+       struct {
+               struct l2cap_ecred_conn_rsp rsp;
+-              __le16 dcid[5];
++              __le16 scid[L2CAP_ECRED_MAX_CID];
+       } __packed pdu;
++      int count;
++};
++
++static void l2cap_ecred_rsp_defer(struct l2cap_chan *chan, void *data)
++{
++      struct l2cap_ecred_rsp_data *rsp = data;
++
++      if (test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
++              return;
++
++      /* Reset ident so only one response is sent */
++      chan->ident = 0;
++
++      /* Include all channels pending with the same ident */
++      if (!rsp->pdu.rsp.result)
++              rsp->pdu.rsp.dcid[rsp->count++] = cpu_to_le16(chan->scid);
++      else
++              l2cap_chan_del(chan, ECONNRESET);
++}
++
++void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan)
++{
+       struct l2cap_conn *conn = chan->conn;
+-      u16 ident = chan->ident;
+-      int i = 0;
++      struct l2cap_ecred_rsp_data data;
++      u16 id = chan->ident;
++      int result = 0;
+-      if (!ident)
++      if (!id)
+               return;
+-      BT_DBG("chan %p ident %d", chan, ident);
++      BT_DBG("chan %p id %d", chan, id);
+-      pdu.rsp.mtu     = cpu_to_le16(chan->imtu);
+-      pdu.rsp.mps     = cpu_to_le16(chan->mps);
+-      pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
+-      pdu.rsp.result  = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
++      memset(&data, 0, sizeof(data));
+-      mutex_lock(&conn->chan_lock);
++      data.pdu.rsp.mtu     = cpu_to_le16(chan->imtu);
++      data.pdu.rsp.mps     = cpu_to_le16(chan->mps);
++      data.pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
++      data.pdu.rsp.result  = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
+-      list_for_each_entry(chan, &conn->chan_l, list) {
+-              if (chan->ident != ident)
+-                      continue;
++      /* Verify that all channels are ready */
++      __l2cap_chan_list_id(conn, id, l2cap_ecred_list_defer, &result);
+-              /* Reset ident so only one response is sent */
+-              chan->ident = 0;
++      if (result > 0)
++              return;
+-              /* Include all channels pending with the same ident */
+-              pdu.dcid[i++] = cpu_to_le16(chan->scid);
+-      }
++      if (result < 0)
++              data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_AUTHORIZATION);
+-      mutex_unlock(&conn->chan_lock);
++      /* Build response */
++      __l2cap_chan_list_id(conn, id, l2cap_ecred_rsp_defer, &data);
+-      l2cap_send_cmd(conn, ident, L2CAP_ECRED_CONN_RSP,
+-                      sizeof(pdu.rsp) + i * sizeof(__le16), &pdu);
++      l2cap_send_cmd(conn, id, L2CAP_ECRED_CONN_RSP,
++                     sizeof(data.pdu.rsp) + (data.count * sizeof(__le16)),
++                     &data.pdu);
+ }
+ void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
+@@ -6073,6 +6113,7 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
+               __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
+               chan->ident = cmd->ident;
++              chan->mode = L2CAP_MODE_EXT_FLOWCTL;
+               if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
+                       l2cap_state_change(chan, BT_CONNECT2);
+-- 
+2.39.2
+
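Review bot: In `l2cap_ecred_rsp_defer()` the store `rsp->pdu.rsp.dcid[rsp->count++]` has no bound against the `L2CAP_ECRED_MAX_CID` entries reserved in `struct l2cap_ecred_rsp_data`. The on-stack `data` is therefore only safe if no more than five channels on the connection ever share one `ident`, an invariant enforced elsewhere, in `l2cap_ecred_conn_req()`. A local guard ahead of the store, `if (rsp->count >= ARRAY_SIZE(rsp->pdu.scid)) return;`, would make the callback safe on its own. The backing array is also named `scid` while it is written through `rsp.dcid`, so renaming it to `dcid` would avoid confusion. Separately, `__l2cap_ecred_conn_rsp_defer()` no longer takes `conn->chan_lock` around the list walk. The callers are outside the hunk, so a comment stating that the lock must be held by the caller would help.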
diff --git a/queue-5.10/bootconfig-fix-testcase-to-increase-max-node.patch b/queue-5.10/bootconfig-fix-testcase-to-increase-max-node.patch
new file mode 100644 (file)
index 0000000..907d9b1
--- /dev/null
@@ -0,0 +1,59 @@
+From bad755146c5b09e05cd0e50e3ea1cfec6a675446 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 22:54:08 +0900
+Subject: bootconfig: Fix testcase to increase max node
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+[ Upstream commit b69245126a48e50882021180fa5d264dc7149ccc ]
+
+Since commit 6c40624930c5 ("bootconfig: Increase max nodes of bootconfig
+from 1024 to 8192 for DCC support") increased the max number of bootconfig
+node to 8192, the bootconfig testcase of the max number of nodes fails.
+To fix this issue, we can not simply increase the number in the test script
+because the test bootconfig file becomes too big (>32KB). To fix that, we
+can use a combination of three alphabets (26^3 = 17576). But with that,
+we can not express the 8193 (just one exceed from the limitation) because
+it also exceeds the max size of bootconfig. So, the first 26 nodes will just
+use one alphabet.
+
+With this fix, test-bootconfig.sh passes all tests.
+
+Link: https://lore.kernel.org/all/167888844790.791176.670805252426835131.stgit@devnote2/
+
+Reported-by: Heinz Wiesinger <pprkut@slackware.com>
+Link: https://lore.kernel.org/all/2463802.XAFRqVoOGU@amaterasu.liwjatan.org
+Fixes: 6c40624930c5 ("bootconfig: Increase max nodes of bootconfig from 1024 to 8192 for DCC support")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bootconfig/test-bootconfig.sh | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/tools/bootconfig/test-bootconfig.sh b/tools/bootconfig/test-bootconfig.sh
+index baed891d0ba49..e36f178f7dcbf 100755
+--- a/tools/bootconfig/test-bootconfig.sh
++++ b/tools/bootconfig/test-bootconfig.sh
+@@ -87,10 +87,14 @@ xfail grep -i "error" $OUTFILE
+ echo "Max node number check"
+-echo -n > $TEMPCONF
+-for i in `seq 1 1024` ; do
+-   echo "node$i" >> $TEMPCONF
+-done
++awk '
++BEGIN {
++  for (i = 0; i < 26; i += 1)
++      printf("%c\n", 65 + i % 26)
++  for (i = 26; i < 8192; i += 1)
++      printf("%c%c%c\n", 65 + i % 26, 65 + (i / 26) % 26, 65 + (i / 26 / 26))
++}
++' > $TEMPCONF
+ xpass $BOOTCONF -a $TEMPCONF $INITRD
+ echo "badnode" >> $TEMPCONF
+-- 
+2.39.2
+
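Review bot: The awk `printf("%c%c%c\n", ...)` arguments `65 + (i / 26) % 26` and `65 + (i / 26 / 26)` are non-integer values, because awk division is floating point. The script therefore depends on `%c` truncating them, which may differ between awk implementations. Writing them as `65 + int(i / 26) % 26` and `65 + int(i / 676)` makes the intended node names explicit. A one-line comment above the awk block, such as `# 8192 unique nodes: A..Z, then three-letter names, to stay under the size limit`, would also carry the reasoning from the commit message into the script.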
diff --git a/queue-5.10/bpf-adjust-insufficient-default-bpf_jit_limit.patch b/queue-5.10/bpf-adjust-insufficient-default-bpf_jit_limit.patch
new file mode 100644 (file)
index 0000000..e076988
--- /dev/null
@@ -0,0 +1,78 @@
+From 2765664d94cc2d70671e45381e8cf58b4a8ccb39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 15:37:25 +0100
+Subject: bpf: Adjust insufficient default bpf_jit_limit
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 10ec8ca8ec1a2f04c4ed90897225231c58c124a7 ]
+
+We've seen recent AWS EKS (Kubernetes) user reports like the following:
+
+  After upgrading EKS nodes from v20230203 to v20230217 on our 1.24 EKS
+  clusters after a few days a number of the nodes have containers stuck
+  in ContainerCreating state or liveness/readiness probes reporting the
+  following error:
+
+    Readiness probe errored: rpc error: code = Unknown desc = failed to
+    exec in container: failed to start exec "4a11039f730203ffc003b7[...]":
+    OCI runtime exec failed: exec failed: unable to start container process:
+    unable to init seccomp: error loading seccomp filter into kernel:
+    error loading seccomp filter: errno 524: unknown
+
+  However, we had not been seeing this issue on previous AMIs and it only
+  started to occur on v20230217 (following the upgrade from kernel 5.4 to
+  5.10) with no other changes to the underlying cluster or workloads.
+
+  We tried the suggestions from that issue (sysctl net.core.bpf_jit_limit=452534528)
+  which helped to immediately allow containers to be created and probes to
+  execute but after approximately a day the issue returned and the value
+  returned by cat /proc/vmallocinfo | grep bpf_jit | awk '{s+=$2} END {print s}'
+  was steadily increasing.
+
+I tested bpf tree to observe bpf_jit_charge_modmem, bpf_jit_uncharge_modmem
+their sizes passed in as well as bpf_jit_current under tcpdump BPF filter,
+seccomp BPF and native (e)BPF programs, and the behavior all looks sane
+and expected, that is nothing "leaking" from an upstream perspective.
+
+The bpf_jit_limit knob was originally added in order to avoid a situation
+where unprivileged applications loading BPF programs (e.g. seccomp BPF
+policies) consuming all the module memory space via BPF JIT such that loading
+of kernel modules would be prevented. The default limit was defined back in
+2018 and while good enough back then, we are generally seeing far more BPF
+consumers today.
+
+Adjust the limit for the BPF JIT pool from originally 1/4 to now 1/2 of the
+module memory space to better reflect today's needs and avoid more users
+running into potentially hard to debug issues.
+
+Fixes: fdadd04931c2 ("bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K")
+Reported-by: Stephen Haynes <sh@synk.net>
+Reported-by: Lefteris Alexakis <lefteris.alexakis@kpn.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://github.com/awslabs/amazon-eks-ami/issues/1179
+Link: https://github.com/awslabs/amazon-eks-ami/issues/1219
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20230320143725.8394-1-daniel@iogearbox.net
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 73d4b1e32fbdb..d3f6a070875cb 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -826,7 +826,7 @@ static int __init bpf_jit_charge_init(void)
+ {
+       /* Only used as heuristic here to derive limit. */
+       bpf_jit_limit_max = bpf_jit_alloc_exec_limit();
+-      bpf_jit_limit = min_t(u64, round_up(bpf_jit_limit_max >> 2,
++      bpf_jit_limit = min_t(u64, round_up(bpf_jit_limit_max >> 1,
+                                           PAGE_SIZE), LONG_MAX);
+       return 0;
+ }
+-- 
+2.39.2
+
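Review bot: The in-code comment in `bpf_jit_charge_init()` still says only "used as heuristic" and does not record what the shift now means or why the cap exists. Since `bpf_jit_limit` is the knob that keeps unprivileged BPF JIT allocations from exhausting module memory, I would extend the comment to something like `/* Default to 1/2 of the module memory space; the remainder stays available for loading kernel modules. */`. The rationale currently lives only in the commit message.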
diff --git a/queue-5.10/erspan-do-not-use-skb_mac_header-in-ndo_start_xmit.patch b/queue-5.10/erspan-do-not-use-skb_mac_header-in-ndo_start_xmit.patch
new file mode 100644 (file)
index 0000000..3b30c06
--- /dev/null
@@ -0,0 +1,122 @@
+From 957e011e85d945d688fbd8cbb48b38b5dfed30ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 16:34:27 +0000
+Subject: erspan: do not use skb_mac_header() in ndo_start_xmit()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8e50ed774554f93d55426039b27b1e38d7fa64d8 ]
+
+Drivers should not assume skb_mac_header(skb) == skb->data in their
+ndo_start_xmit().
+
+Use skb_network_offset() and skb_transport_offset() which
+better describe what is needed in erspan_fb_xmit() and
+ip6erspan_tunnel_xmit()
+
+syzbot reported:
+WARNING: CPU: 0 PID: 5083 at include/linux/skbuff.h:2873 skb_mac_header include/linux/skbuff.h:2873 [inline]
+WARNING: CPU: 0 PID: 5083 at include/linux/skbuff.h:2873 ip6erspan_tunnel_xmit+0x1d9c/0x2d90 net/ipv6/ip6_gre.c:962
+Modules linked in:
+CPU: 0 PID: 5083 Comm: syz-executor406 Not tainted 6.3.0-rc2-syzkaller-00866-gd4671cb96fa3 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
+RIP: 0010:skb_mac_header include/linux/skbuff.h:2873 [inline]
+RIP: 0010:ip6erspan_tunnel_xmit+0x1d9c/0x2d90 net/ipv6/ip6_gre.c:962
+Code: 04 02 41 01 de 84 c0 74 08 3c 03 0f 8e 1c 0a 00 00 45 89 b4 24 c8 00 00 00 c6 85 77 fe ff ff 01 e9 33 e7 ff ff e8 b4 27 a1 f8 <0f> 0b e9 b6 e7 ff ff e8 a8 27 a1 f8 49 8d bf f0 0c 00 00 48 b8 00
+RSP: 0018:ffffc90003b2f830 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: 000000000000ffff RCX: 0000000000000000
+RDX: ffff888021273a80 RSI: ffffffff88e1bd4c RDI: 0000000000000003
+RBP: ffffc90003b2f9d8 R08: 0000000000000003 R09: 000000000000ffff
+R10: 000000000000ffff R11: 0000000000000000 R12: ffff88802b28da00
+R13: 00000000000000d0 R14: ffff88807e25b6d0 R15: ffff888023408000
+FS: 0000555556a61300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000055e5b11eb6e8 CR3: 0000000027c1b000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<TASK>
+__netdev_start_xmit include/linux/netdevice.h:4900 [inline]
+netdev_start_xmit include/linux/netdevice.h:4914 [inline]
+__dev_direct_xmit+0x504/0x730 net/core/dev.c:4300
+dev_direct_xmit include/linux/netdevice.h:3088 [inline]
+packet_xmit+0x20a/0x390 net/packet/af_packet.c:285
+packet_snd net/packet/af_packet.c:3075 [inline]
+packet_sendmsg+0x31a0/0x5150 net/packet/af_packet.c:3107
+sock_sendmsg_nosec net/socket.c:724 [inline]
+sock_sendmsg+0xde/0x190 net/socket.c:747
+__sys_sendto+0x23a/0x340 net/socket.c:2142
+__do_sys_sendto net/socket.c:2154 [inline]
+__se_sys_sendto net/socket.c:2150 [inline]
+__x64_sys_sendto+0xe1/0x1b0 net/socket.c:2150
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7f123aaa1039
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffc15d12058 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f123aaa1039
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000020000040 R09: 0000000000000014
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f123aa648c0
+R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
+
+Fixes: 1baf5ebf8954 ("erspan: auto detect truncated packets.")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230320163427.8096-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_gre.c  | 4 ++--
+ net/ipv6/ip6_gre.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 65ead8a749337..9d1a506571043 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -547,7 +547,7 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev)
+               truncate = true;
+       }
+-      nhoff = skb_network_header(skb) - skb_mac_header(skb);
++      nhoff = skb_network_offset(skb);
+       if (skb->protocol == htons(ETH_P_IP) &&
+           (ntohs(ip_hdr(skb)->tot_len) > skb->len - nhoff))
+               truncate = true;
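Review bot: The length test right after the new `nhoff = skb_network_offset(skb);` still evaluates `skb->len - nhoff` in unsigned arithmetic, so an offset larger than `skb->len` would wrap and leave `truncate` unset; nothing visible in the hunk bounds the offset first. The syzbot trace in the description reaches this path from a packet socket through `__dev_direct_xmit`, so the header offsets are not necessarily the ones the stack would have set. If no earlier length check exists (the function starts outside the hunk), writing the comparison as `nhoff + ntohs(ip_hdr(skb)->tot_len) > skb->len` avoids the subtraction. The same applies to `skb->len - thoff` in the second hunk of this file and to both hunks of net/ipv6/ip6_gre.c.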
+@@ -556,7 +556,7 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev)
+               int thoff;
+               if (skb_transport_header_was_set(skb))
+-                      thoff = skb_transport_header(skb) - skb_mac_header(skb);
++                      thoff = skb_transport_offset(skb);
+               else
+                       thoff = nhoff + sizeof(struct ipv6hdr);
+               if (ntohs(ipv6_hdr(skb)->payload_len) > skb->len - thoff)
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index 0010f9e54f13b..2332b5b81c551 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -959,7 +959,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
+               truncate = true;
+       }
+-      nhoff = skb_network_header(skb) - skb_mac_header(skb);
++      nhoff = skb_network_offset(skb);
+       if (skb->protocol == htons(ETH_P_IP) &&
+           (ntohs(ip_hdr(skb)->tot_len) > skb->len - nhoff))
+               truncate = true;
+@@ -968,7 +968,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
+               int thoff;
+               if (skb_transport_header_was_set(skb))
+-                      thoff = skb_transport_header(skb) - skb_mac_header(skb);
++                      thoff = skb_transport_offset(skb);
+               else
+                       thoff = nhoff + sizeof(struct ipv6hdr);
+               if (ntohs(ipv6_hdr(skb)->payload_len) > skb->len - thoff)
+-- 
+2.39.2
+
diff --git a/queue-5.10/gve-cache-link_speed-value-from-device.patch b/queue-5.10/gve-cache-link_speed-value-from-device.patch
new file mode 100644 (file)
index 0000000..00299b4
--- /dev/null
@@ -0,0 +1,47 @@
+From 1e2bb127c8bc944f8444e1f17253d09d7aa28b18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Mar 2023 10:23:32 -0700
+Subject: gve: Cache link_speed value from device
+
+From: Joshua Washington <joshwash@google.com>
+
+[ Upstream commit 68c3e4fc8628b1487c965aabb29207249657eb5f ]
+
+The link speed is never changed for the uptime of a VM, and the current
+implementation sends an admin queue command for each call. Admin queue
+command invocations have nontrivial overhead (e.g., VM exits), which can
+be disruptive to users if triggered frequently. Our telemetry data shows
+that there are VMs that make frequent calls to this admin queue command.
+Caching the result of the original admin queue command would eliminate
+the need to send multiple admin queue commands on subsequent calls to
+retrieve link speed.
+
+Fixes: 7e074d5a76ca ("gve: Enable Link Speed Reporting in the driver.")
+Signed-off-by: Joshua Washington <joshwash@google.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230321172332.91678-1-joshwash@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve_ethtool.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_ethtool.c b/drivers/net/ethernet/google/gve/gve_ethtool.c
+index c53a043139446..e0449cc24fbdb 100644
+--- a/drivers/net/ethernet/google/gve/gve_ethtool.c
++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c
+@@ -510,7 +510,10 @@ static int gve_get_link_ksettings(struct net_device *netdev,
+                                 struct ethtool_link_ksettings *cmd)
+ {
+       struct gve_priv *priv = netdev_priv(netdev);
+-      int err = gve_adminq_report_link_speed(priv);
++      int err = 0;
++
++      if (priv->link_speed == 0)
++              err = gve_adminq_report_link_speed(priv);
+       cmd->base.speed = priv->link_speed;
+       return err;
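Review bot: `priv->link_speed == 0` now doubles as the "not queried yet" marker, but the hunk neither says so nor shows where the field would be cleared again. A comment above the check, e.g. `/* 0 means not fetched yet; the device reports a fixed speed for the VM's uptime */`, would record the assumption the commit message relies on. If any reset path can bring the device back with a different speed, the cached value should be zeroed there. That code is outside this hunk, so this is something to confirm rather than a known defect.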
+-- 
+2.39.2
+
diff --git a/queue-5.10/i2c-imx-lpi2c-check-only-for-enabled-interrupt-flags.patch b/queue-5.10/i2c-imx-lpi2c-check-only-for-enabled-interrupt-flags.patch
new file mode 100644 (file)
index 0000000..5b8f8e2
--- /dev/null
@@ -0,0 +1,47 @@
+From bfc833b38379277f66efbcf33bd6115e5fcb7bb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jan 2023 16:32:47 +0100
+Subject: i2c: imx-lpi2c: check only for enabled interrupt flags
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit 1c7885004567e8951d65a983be095f254dd20bef ]
+
+When reading from I2C, the Tx watermark is set to 0. Unfortunately the
+TDF (transmit data flag) is enabled when Tx FIFO entries is equal or less
+than watermark. So it is set in every case, hence the reset default of 1.
+This results in the MSR_RDF _and_ MSR_TDF flags to be set thus trying
+to send Tx data on a read message.
+Mask the IRQ status to filter for wanted flags only.
+
+Fixes: a55fa9d0e42e ("i2c: imx-lpi2c: add low power i2c bus driver")
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Tested-by: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-imx-lpi2c.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-imx-lpi2c.c b/drivers/i2c/busses/i2c-imx-lpi2c.c
+index 8b9ba055c4186..2018dbcf241e9 100644
+--- a/drivers/i2c/busses/i2c-imx-lpi2c.c
++++ b/drivers/i2c/busses/i2c-imx-lpi2c.c
+@@ -502,10 +502,14 @@ static int lpi2c_imx_xfer(struct i2c_adapter *adapter,
+ static irqreturn_t lpi2c_imx_isr(int irq, void *dev_id)
+ {
+       struct lpi2c_imx_struct *lpi2c_imx = dev_id;
++      unsigned int enabled;
+       unsigned int temp;
++      enabled = readl(lpi2c_imx->base + LPI2C_MIER);
++
+       lpi2c_imx_intctrl(lpi2c_imx, 0);
+       temp = readl(lpi2c_imx->base + LPI2C_MSR);
++      temp &= enabled;
+       if (temp & MSR_RDF)
+               lpi2c_imx_read_rxfifo(lpi2c_imx);
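Review bot: The new `temp &= enabled;` carries no comment, and its reason is not obvious from the code: per the commit message, TDF is raised whenever the Tx FIFO is at or below the watermark, including during reads. Suggest adding `/* only act on flags whose interrupt is enabled; TDF is also set during reads */` above that line. MIER also has to be read before `lpi2c_imx_intctrl(lpi2c_imx, 0)`, which appears to clear it, and that ordering deserves a word in the same comment. The rest of the handler is outside the hunk.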
+-- 
+2.39.2
+
diff --git a/queue-5.10/iavf-fix-inverted-rx-hash-condition-leading-to-disab.patch b/queue-5.10/iavf-fix-inverted-rx-hash-condition-leading-to-disab.patch
new file mode 100644 (file)
index 0000000..07050dc
--- /dev/null
@@ -0,0 +1,44 @@
+From 39b7844c7ea4ea125856c219338c6f954572be2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Mar 2023 12:59:07 +0100
+Subject: iavf: fix inverted Rx hash condition leading to disabled hash
+
+From: Alexander Lobakin <aleksander.lobakin@intel.com>
+
+[ Upstream commit 32d57f667f871bc5a8babbe27ea4c5e668ee0ea8 ]
+
+Condition, which checks whether the netdev has hashing enabled is
+inverted. Basically, the tagged commit effectively disabled passing flow
+hash from descriptor to skb, unless user *disables* it via Ethtool.
+Commit a876c3ba59a6 ("i40e/i40evf: properly report Rx packet hash")
+fixed this problem, but only for i40e.
+Invert the condition now in iavf and unblock passing hash to skbs again.
+
+Fixes: 857942fd1aa1 ("i40e: Fix Rx hash reported to the stack by our driver")
+Reviewed-by: Larysa Zaremba <larysa.zaremba@intel.com>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_txrx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+index d481a922f0184..f411e683eb151 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+@@ -1061,7 +1061,7 @@ static inline void iavf_rx_hash(struct iavf_ring *ring,
+               cpu_to_le64((u64)IAVF_RX_DESC_FLTSTAT_RSS_HASH <<
+                           IAVF_RX_DESC_STATUS_FLTSTAT_SHIFT);
+-      if (ring->netdev->features & NETIF_F_RXHASH)
++      if (!(ring->netdev->features & NETIF_F_RXHASH))
+               return;
+       if ((rx_desc->wb.qword1.status_error_len & rss_mask) == rss_mask) {
+-- 
+2.39.2
+
diff --git a/queue-5.10/iavf-fix-non-tunneled-ipv6-udp-packet-type-and-hashi.patch b/queue-5.10/iavf-fix-non-tunneled-ipv6-udp-packet-type-and-hashi.patch
new file mode 100644 (file)
index 0000000..70ad267
--- /dev/null
@@ -0,0 +1,48 @@
+From 9a0a03abeceaf8185c586ee94ec193c0516e9797 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Mar 2023 12:59:08 +0100
+Subject: iavf: fix non-tunneled IPv6 UDP packet type and hashing
+
+From: Alexander Lobakin <aleksander.lobakin@intel.com>
+
+[ Upstream commit de58647b4301fe181f9c38e8b46f7021584ae427 ]
+
+Currently, IAVF's decode_rx_desc_ptype() correctly reports payload type
+of L4 for IPv4 UDP packets and IPv{4,6} TCP, but only L3 for IPv6 UDP.
+Originally, i40e, ice and iavf were affected.
+Commit 73df8c9e3e3d ("i40e: Correct UDP packet header for non_tunnel-ipv6")
+fixed that in i40e, then
+commit 638a0c8c8861 ("ice: fix incorrect payload indicator on PTYPE")
+fixed that for ice.
+IPv6 UDP is L4 obviously. Fix it and make iavf report correct L4 hash
+type for such packets, so that the stack won't calculate it on CPU when
+needs it.
+
+Fixes: 206812b5fccb ("i40e/i40evf: i40e implementation for skb_set_hash")
+Reviewed-by: Larysa Zaremba <larysa.zaremba@intel.com>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_common.c b/drivers/net/ethernet/intel/iavf/iavf_common.c
+index 8547fc8fdfd60..78423ca401b24 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_common.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_common.c
+@@ -662,7 +662,7 @@ struct iavf_rx_ptype_decoded iavf_ptype_lookup[] = {
+       /* Non Tunneled IPv6 */
+       IAVF_PTT(88, IP, IPV6, FRG, NONE, NONE, NOF, NONE, PAY3),
+       IAVF_PTT(89, IP, IPV6, NOF, NONE, NONE, NOF, NONE, PAY3),
+-      IAVF_PTT(90, IP, IPV6, NOF, NONE, NONE, NOF, UDP,  PAY3),
++      IAVF_PTT(90, IP, IPV6, NOF, NONE, NONE, NOF, UDP,  PAY4),
+       IAVF_PTT_UNUSED_ENTRY(91),
+       IAVF_PTT(92, IP, IPV6, NOF, NONE, NONE, NOF, TCP,  PAY4),
+       IAVF_PTT(93, IP, IPV6, NOF, NONE, NONE, NOF, SCTP, PAY4),
+-- 
+2.39.2
+
diff --git a/queue-5.10/igbvf-regard-vf-reset-nack-as-success.patch b/queue-5.10/igbvf-regard-vf-reset-nack-as-success.patch
new file mode 100644 (file)
index 0000000..930a652
--- /dev/null
@@ -0,0 +1,62 @@
+From 02f09441ffd067abf56b16015109984e15d4b446 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 19:20:03 +0900
+Subject: igbvf: Regard vf reset nack as success
+
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+
+[ Upstream commit 02c83791ef969c6a8a150b4927193d0d0e50fb23 ]
+
+vf reset nack actually represents the reset operation itself is
+performed but no address is assigned. Therefore, e1000_reset_hw_vf
+should fill the "perm_addr" with the zero address and return success on
+such an occasion. This prevents its callers in netdev.c from saying PF
+still resetting, and instead allows them to correctly report that no
+address is assigned.
+
+Fixes: 6ddbc4cf1f4d ("igb: Indicate failure on vf reset for empty mac address")
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Tested-by: Marek Szlosek <marek.szlosek@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igbvf/vf.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igbvf/vf.c b/drivers/net/ethernet/intel/igbvf/vf.c
+index b8ba3f94c3632..a47a2e3e548cf 100644
+--- a/drivers/net/ethernet/intel/igbvf/vf.c
++++ b/drivers/net/ethernet/intel/igbvf/vf.c
+@@ -1,6 +1,8 @@
+ // SPDX-License-Identifier: GPL-2.0
+ /* Copyright(c) 2009 - 2018 Intel Corporation. */
++#include <linux/etherdevice.h>
++
+ #include "vf.h"
+ static s32 e1000_check_for_link_vf(struct e1000_hw *hw);
+@@ -131,11 +133,16 @@ static s32 e1000_reset_hw_vf(struct e1000_hw *hw)
+               /* set our "perm_addr" based on info provided by PF */
+               ret_val = mbx->ops.read_posted(hw, msgbuf, 3);
+               if (!ret_val) {
+-                      if (msgbuf[0] == (E1000_VF_RESET |
+-                                        E1000_VT_MSGTYPE_ACK))
++                      switch (msgbuf[0]) {
++                      case E1000_VF_RESET | E1000_VT_MSGTYPE_ACK:
+                               memcpy(hw->mac.perm_addr, addr, ETH_ALEN);
+-                      else
++                              break;
++                      case E1000_VF_RESET | E1000_VT_MSGTYPE_NACK:
++                              eth_zero_addr(hw->mac.perm_addr);
++                              break;
++                      default:
+                               ret_val = -E1000_ERR_MAC_INIT;
++                      }
+               }
+       }
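Review bot: The NACK case makes e1000_reset_hw_vf() return success with an all-zero `perm_addr`, while the only comment nearby still reads "set our perm_addr based on info provided by PF". A short comment on the new case, e.g. `/* NACK: reset done, but the PF assigned no MAC address */`, would make the changed contract visible. Callers now have to treat a zero address as "none assigned". The commit message says netdev.c does so, but those callers are not part of this diff, so it is worth confirming each one validates the address before using it.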
+-- 
+2.39.2
+
diff --git a/queue-5.10/igc-fix-the-validation-logic-for-taprio-s-gate-list.patch b/queue-5.10/igc-fix-the-validation-logic-for-taprio-s-gate-list.patch
new file mode 100644 (file)
index 0000000..f8a9b5d
--- /dev/null
@@ -0,0 +1,76 @@
+From a56ed44c5ea7c62c13f756ccd800c3875a046dfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 15:45:31 +0900
+Subject: igc: fix the validation logic for taprio's gate list
+
+From: AKASHI Takahiro <takahiro.akashi@linaro.org>
+
+[ Upstream commit 2b4cc3d3f4d8ec42961e98568a0afeee96a943ab ]
+
+The check introduced in the commit a5fd39464a40 ("igc: Lift TAPRIO schedule
+restriction") can detect a false positive error in some corner case.
+For instance,
+    tc qdisc replace ... taprio num_tc 4
+       ...
+       sched-entry S 0x01 100000       # slot#1
+       sched-entry S 0x03 100000       # slot#2
+       sched-entry S 0x04 100000       # slot#3
+       sched-entry S 0x08 200000       # slot#4
+       flags 0x02                      # hardware offload
+
+Here the queue#0 (the first queue) is on at the slot#1 and #2,
+and off at the slot#3 and #4. Under the current logic, when the slot#4
+is examined, validate_schedule() returns *false* since the enablement
+count for the queue#0 is two and it is already off at the previous slot
+(i.e. #3). But this definition is truely correct.
+
+Let's fix the logic to enforce a strict validation for consecutively-opened
+slots.
+
+Fixes: a5fd39464a40 ("igc: Lift TAPRIO schedule restriction")
+Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Reviewed-by: Kurt Kanzenbach <kurt@linutronix.de>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 1a0aae7b128d8..3aa0efb542aaf 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -4874,18 +4874,18 @@ static bool validate_schedule(struct igc_adapter *adapter,
+               if (e->command != TC_TAPRIO_CMD_SET_GATES)
+                       return false;
+-              for (i = 0; i < adapter->num_tx_queues; i++) {
+-                      if (e->gate_mask & BIT(i))
++              for (i = 0; i < adapter->num_tx_queues; i++)
++                      if (e->gate_mask & BIT(i)) {
+                               queue_uses[i]++;
+-                      /* There are limitations: A single queue cannot be
+-                       * opened and closed multiple times per cycle unless the
+-                       * gate stays open. Check for it.
+-                       */
+-                      if (queue_uses[i] > 1 &&
+-                          !(prev->gate_mask & BIT(i)))
+-                              return false;
+-              }
++                              /* There are limitations: A single queue cannot
++                               * be opened and closed multiple times per cycle
++                               * unless the gate stays open. Check for it.
++                               */
++                              if (queue_uses[i] > 1 &&
++                                  !(prev->gate_mask & BIT(i)))
++                                      return false;
++                      }
+       }
+       return true;
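Review bot: The inner `for` loses its braces here although its body is now a multi-line `if` block containing a comment and a nested `if`, which is easy to misread and goes against kernel style for loop bodies that are more than one simple statement. Keeping `for (i = 0; i < adapter->num_tx_queues; i++) {` with a matching `}` after the inner block costs two lines and leaves the logic fix untouched. The enclosing loop starts outside the hunk.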
+-- 
+2.39.2
+
diff --git a/queue-5.10/intel-igbvf-free-irq-on-the-error-path-in-igbvf_requ.patch b/queue-5.10/intel-igbvf-free-irq-on-the-error-path-in-igbvf_requ.patch
new file mode 100644 (file)
index 0000000..270e0d1
--- /dev/null
@@ -0,0 +1,54 @@
+From 192e3750d6e6139c0f8557bcbb51b651a9c53bd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 10:28:52 +0800
+Subject: intel/igbvf: free irq on the error path in igbvf_request_msix()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 85eb39bb39cbb5c086df1e19ba67cc1366693a77 ]
+
+In igbvf_request_msix(), irqs have not been freed on the err path,
+we need to free it. Fix it.
+
+Fixes: d4e0fe01a38a ("igbvf: add new driver to support 82576 virtual functions")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Tested-by: Marek Szlosek <marek.szlosek@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igbvf/netdev.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igbvf/netdev.c b/drivers/net/ethernet/intel/igbvf/netdev.c
+index fe8c0a26b7201..037ec90ed56cb 100644
+--- a/drivers/net/ethernet/intel/igbvf/netdev.c
++++ b/drivers/net/ethernet/intel/igbvf/netdev.c
+@@ -1074,7 +1074,7 @@ static int igbvf_request_msix(struct igbvf_adapter *adapter)
+                         igbvf_intr_msix_rx, 0, adapter->rx_ring->name,
+                         netdev);
+       if (err)
+-              goto out;
++              goto free_irq_tx;
+       adapter->rx_ring->itr_register = E1000_EITR(vector);
+       adapter->rx_ring->itr_val = adapter->current_itr;
+@@ -1083,10 +1083,14 @@ static int igbvf_request_msix(struct igbvf_adapter *adapter)
+       err = request_irq(adapter->msix_entries[vector].vector,
+                         igbvf_msix_other, 0, netdev->name, netdev);
+       if (err)
+-              goto out;
++              goto free_irq_rx;
+       igbvf_configure_msix(adapter);
+       return 0;
++free_irq_rx:
++      free_irq(adapter->msix_entries[--vector].vector, netdev);
++free_irq_tx:
++      free_irq(adapter->msix_entries[--vector].vector, netdev);
+ out:
+       return err;
+ }
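Review bot: Both new cleanup labels index with `--vector`, so they release the right IRQs only if `vector` is exactly one past the last successfully requested entry when each label is entered. The increments that establish this are outside the hunks, so the unwinding cannot be checked from here. A comment such as `/* vector is one past the last requested IRQ here */` at `free_irq_rx:` would state the invariant for the next person who adds a vector. The `netdev` cookie passed to `free_irq()` matches the one in the visible `request_irq()` calls.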
+-- 
+2.39.2
+
diff --git a/queue-5.10/keys-do-not-cache-key-in-task-struct-if-key-is-reque.patch b/queue-5.10/keys-do-not-cache-key-in-task-struct-if-key-is-reque.patch
new file mode 100644 (file)
index 0000000..70ec573
--- /dev/null
@@ -0,0 +1,64 @@
+From a69a811bba45afebb503a1b403ef2f27585ae170 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 15:15:18 +0000
+Subject: keys: Do not cache key in task struct if key is requested from kernel
+ thread
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 47f9e4c924025c5be87959d3335e66fcbb7f6b5c ]
+
+The key which gets cached in task structure from a kernel thread does not
+get invalidated even after expiry.  Due to which, a new key request from
+kernel thread will be served with the cached key if it's present in task
+struct irrespective of the key validity.  The change is to not cache key in
+task_struct when key requested from kernel thread so that kernel thread
+gets a valid key on every key request.
+
+The problem has been seen with the cifs module doing DNS lookups from a
+kernel thread and the results getting pinned by being attached to that
+kernel thread's cache - and thus not something that can be easily got rid
+of.  The cache would ordinarily be cleared by notify-resume, but kernel
+threads don't do that.
+
+This isn't seen with AFS because AFS is doing request_key() within the
+kernel half of a user thread - which will do notify-resume.
+
+Fixes: 7743c48e54ee ("keys: Cache result of request_key*() temporarily in task_struct")
+Signed-off-by: Bharath SM <bharathsm@microsoft.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+cc: Shyam Prasad N <nspmangalore@gmail.com>
+cc: Steve French <smfrench@gmail.com>
+cc: keyrings@vger.kernel.org
+cc: linux-cifs@vger.kernel.org
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/CAGypqWw951d=zYRbdgNR4snUDvJhWL=q3=WOyh7HhSJupjz2vA@mail.gmail.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/keys/request_key.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/security/keys/request_key.c b/security/keys/request_key.c
+index 2da4404276f0f..07a0ef2baacd8 100644
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -38,9 +38,12 @@ static void cache_requested_key(struct key *key)
+ #ifdef CONFIG_KEYS_REQUEST_CACHE
+       struct task_struct *t = current;
+-      key_put(t->cached_requested_key);
+-      t->cached_requested_key = key_get(key);
+-      set_tsk_thread_flag(t, TIF_NOTIFY_RESUME);
++      /* Do not cache key if it is a kernel thread */
++      if (!(t->flags & PF_KTHREAD)) {
++              key_put(t->cached_requested_key);
++              t->cached_requested_key = key_get(key);
++              set_tsk_thread_flag(t, TIF_NOTIFY_RESUME);
++      }
+ #endif
+ }
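Review bot: The added comment `/* Do not cache key if it is a kernel thread */` repeats the condition without giving the reason, and the reason is the part a later reader needs. Per the commit message, the cache is cleared by notify-resume, which kernel threads never run, so a cached key would keep being served after it expired. Suggest `/* Kernel threads never run notify-resume, so a cached key would outlive its expiry */` instead.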
+-- 
+2.39.2
+
diff --git a/queue-5.10/net-dsa-mt7530-move-setting-ssc_delta-to-phy_interfa.patch b/queue-5.10/net-dsa-mt7530-move-setting-ssc_delta-to-phy_interfa.patch
new file mode 100644 (file)
index 0000000..8087de2
--- /dev/null
@@ -0,0 +1,55 @@
+From 28449e8fa1319f4ae07be9705d1f69747565d54a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 22:05:20 +0300
+Subject: net: dsa: mt7530: move setting ssc_delta to PHY_INTERFACE_MODE_TRGMII
+ case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÃœNAL <arinc.unal@arinc9.com>
+
+[ Upstream commit 407b508bdd70b6848993843d96ed49ac4108fb52 ]
+
+Move setting the ssc_delta variable to under the PHY_INTERFACE_MODE_TRGMII
+case as it's only needed when trgmii is used.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Signed-off-by: Arınç ÃœNAL <arinc.unal@arinc9.com>
+Link: https://lore.kernel.org/r/20230320190520.124513-3-arinc.unal@arinc9.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 70155e996f7d7..821ac2984282b 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -403,6 +403,10 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+               break;
+       case PHY_INTERFACE_MODE_TRGMII:
+               trgint = 1;
++              if (xtal == HWTRAP_XTAL_25MHZ)
++                      ssc_delta = 0x57;
++              else
++                      ssc_delta = 0x87;
+               if (priv->id == ID_MT7621) {
+                       /* PLL frequency: 150MHz: 1.2GBit */
+                       if (xtal == HWTRAP_XTAL_40MHZ)
+@@ -422,11 +426,6 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+               return -EINVAL;
+       }
+-      if (xtal == HWTRAP_XTAL_25MHZ)
+-              ssc_delta = 0x57;
+-      else
+-              ssc_delta = 0x87;
+-
+       mt7530_rmw(priv, MT7530_P6ECR, P6_INTF_MODE_MASK,
+                  P6_INTF_MODE(trgint));
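Review bot: After this move `ssc_delta` is assigned only in the PHY_INTERFACE_MODE_TRGMII case, so any later use not guarded by `trgint` would read an uninitialized local for the other interface modes. The uses are outside both hunks. The commit message says the value is only needed for trgmii, but since this is a backport it is worth confirming that this holds in the 5.10 version of mt7530_pad_clk_setup(). If that cannot be confirmed, initializing at the declaration (`ssc_delta = 0`, keeping the existing type) removes the risk.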
+-- 
+2.39.2
+
diff --git a/queue-5.10/net-mdio-fix-owner-field-for-mdio-buses-registered-u.patch b/queue-5.10/net-mdio-fix-owner-field-for-mdio-buses-registered-u.patch
new file mode 100644 (file)
index 0000000..88fc18d
--- /dev/null
@@ -0,0 +1,152 @@
+From 4227740d61a4c91c28829dd8f582474abd4d6c83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 16:33:16 -0700
+Subject: net: mdio: fix owner field for mdio buses registered using
+ device-tree
+
+From: Maxime Bizon <mbizon@freebox.fr>
+
+[ Upstream commit 99669259f3361d759219811e670b7e0742668556 ]
+
+Bus ownership is wrong when using of_mdiobus_register() to register an mdio
+bus. That function is not inline, so when it calls mdiobus_register() the wrong
+THIS_MODULE value is captured.
+
+Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
+Fixes: 90eff9096c01 ("net: phy: Allow splitting MDIO bus/device support from PHYs")
+[florian: fix kdoc, added Fixes tag]
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/of_mdio.c    | 12 +++++++-----
+ drivers/net/phy/mdio_devres.c | 11 ++++++-----
+ include/linux/of_mdio.h       | 22 +++++++++++++++++++---
+ 3 files changed, 32 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/mdio/of_mdio.c b/drivers/net/mdio/of_mdio.c
+index 5bae47f3da405..b254127cea50d 100644
+--- a/drivers/net/mdio/of_mdio.c
++++ b/drivers/net/mdio/of_mdio.c
+@@ -238,21 +238,23 @@ bool of_mdiobus_child_is_phy(struct device_node *child)
+ EXPORT_SYMBOL(of_mdiobus_child_is_phy);
+ /**
+- * of_mdiobus_register - Register mii_bus and create PHYs from the device tree
++ * __of_mdiobus_register - Register mii_bus and create PHYs from the device tree
+  * @mdio: pointer to mii_bus structure
+  * @np: pointer to device_node of MDIO bus.
++ * @owner: module owning the @mdio object.
+  *
+  * This function registers the mii_bus structure and registers a phy_device
+  * for each child node of @np.
+  */
+-int of_mdiobus_register(struct mii_bus *mdio, struct device_node *np)
++int __of_mdiobus_register(struct mii_bus *mdio, struct device_node *np,
++                        struct module *owner)
+ {
+       struct device_node *child;
+       bool scanphys = false;
+       int addr, rc;
+       if (!np)
+-              return mdiobus_register(mdio);
++              return __mdiobus_register(mdio, owner);
+       /* Do not continue if the node is disabled */
+       if (!of_device_is_available(np))
+@@ -272,7 +274,7 @@ int of_mdiobus_register(struct mii_bus *mdio, struct device_node *np)
+       of_property_read_u32(np, "reset-post-delay-us", &mdio->reset_post_delay_us);
+       /* Register the MDIO bus */
+-      rc = mdiobus_register(mdio);
++      rc = __mdiobus_register(mdio, owner);
+       if (rc)
+               return rc;
+@@ -336,7 +338,7 @@ int of_mdiobus_register(struct mii_bus *mdio, struct device_node *np)
+       mdiobus_unregister(mdio);
+       return rc;
+ }
+-EXPORT_SYMBOL(of_mdiobus_register);
++EXPORT_SYMBOL(__of_mdiobus_register);
+ /**
+  * of_mdio_find_device - Given a device tree node, find the mdio_device
+diff --git a/drivers/net/phy/mdio_devres.c b/drivers/net/phy/mdio_devres.c
+index b560e99695dfd..69b829e6ab35b 100644
+--- a/drivers/net/phy/mdio_devres.c
++++ b/drivers/net/phy/mdio_devres.c
+@@ -98,13 +98,14 @@ EXPORT_SYMBOL(__devm_mdiobus_register);
+ #if IS_ENABLED(CONFIG_OF_MDIO)
+ /**
+- * devm_of_mdiobus_register - Resource managed variant of of_mdiobus_register()
++ * __devm_of_mdiobus_register - Resource managed variant of of_mdiobus_register()
+  * @dev:      Device to register mii_bus for
+  * @mdio:     MII bus structure to register
+  * @np:               Device node to parse
++ * @owner:    Owning module
+  */
+-int devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio,
+-                           struct device_node *np)
++int __devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio,
++                             struct device_node *np, struct module *owner)
+ {
+       struct mdiobus_devres *dr;
+       int ret;
+@@ -117,7 +118,7 @@ int devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio,
+       if (!dr)
+               return -ENOMEM;
+-      ret = of_mdiobus_register(mdio, np);
++      ret = __of_mdiobus_register(mdio, np, owner);
+       if (ret) {
+               devres_free(dr);
+               return ret;
+@@ -127,7 +128,7 @@ int devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio,
+       devres_add(dev, dr);
+       return 0;
+ }
+-EXPORT_SYMBOL(devm_of_mdiobus_register);
++EXPORT_SYMBOL(__devm_of_mdiobus_register);
+ #endif /* CONFIG_OF_MDIO */
+ MODULE_LICENSE("GPL");
+diff --git a/include/linux/of_mdio.h b/include/linux/of_mdio.h
+index f56c6a9230ac8..8cc6522ee43ab 100644
+--- a/include/linux/of_mdio.h
++++ b/include/linux/of_mdio.h
+@@ -14,9 +14,25 @@
+ #if IS_ENABLED(CONFIG_OF_MDIO)
+ bool of_mdiobus_child_is_phy(struct device_node *child);
+-int of_mdiobus_register(struct mii_bus *mdio, struct device_node *np);
+-int devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio,
+-                           struct device_node *np);
++int __of_mdiobus_register(struct mii_bus *mdio, struct device_node *np,
++                        struct module *owner);
++
++static inline int of_mdiobus_register(struct mii_bus *mdio,
++                                    struct device_node *np)
++{
++      return __of_mdiobus_register(mdio, np, THIS_MODULE);
++}
++
++int __devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio,
++                             struct device_node *np, struct module *owner);
++
++static inline int devm_of_mdiobus_register(struct device *dev,
++                                         struct mii_bus *mdio,
++                                         struct device_node *np)
++{
++      return __devm_of_mdiobus_register(dev, mdio, np, THIS_MODULE);
++}
++
+ struct mdio_device *of_mdio_find_device(struct device_node *np);
+ struct phy_device *of_phy_find_device(struct device_node *phy_np);
+ struct phy_device *
+-- 
+2.39.2
+
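Review bot: The two `static inline` wrappers added to include/linux/of_mdio.h carry no comment saying why they must stay inline, which is the whole point of the fix: `THIS_MODULE` has to expand in the calling driver, not in the file that implements the registration. I would add above `of_mdiobus_register()` something like `/* Must remain static inline so THIS_MODULE names the calling module. */`, and the same above `devm_of_mdiobus_register()`. A wrong owner presumably means the bus does not pin the driver module that provides its callbacks, so a later un-inlining would quietly bring the bug back. The header's include list is outside the hunk, so whether `THIS_MODULE` is already declared for every includer cannot be confirmed from here.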
diff --git a/queue-5.10/net-mdio-thunder-add-missing-fwnode_handle_put.patch b/queue-5.10/net-mdio-thunder-add-missing-fwnode_handle_put.patch
new file mode 100644 (file)
index 0000000..99213e5
--- /dev/null
@@ -0,0 +1,36 @@
+From ba2f6dbd6355ff38ee1fed72210e9c5b18ff0478 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Mar 2023 14:20:57 +0800
+Subject: net: mdio: thunder: Add missing fwnode_handle_put()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit b1de5c78ebe9858ccec9d49af2f76724f1d47e3e ]
+
+In device_for_each_child_node(), we should add fwnode_handle_put()
+when break out of the iteration device_for_each_child_node()
+as it will automatically increase and decrease the refcounter.
+
+Fixes: 379d7ac7ca31 ("phy: mdio-thunder: Add driver for Cavium Thunder SoC MDIO buses.")
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/mdio-thunder.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/mdio/mdio-thunder.c b/drivers/net/mdio/mdio-thunder.c
+index 822d2cdd2f359..394b864aaa372 100644
+--- a/drivers/net/mdio/mdio-thunder.c
++++ b/drivers/net/mdio/mdio-thunder.c
+@@ -104,6 +104,7 @@ static int thunder_mdiobus_pci_probe(struct pci_dev *pdev,
+               if (i >= ARRAY_SIZE(nexus->buses))
+                       break;
+       }
++      fwnode_handle_put(fwn);
+       return 0;
+ err_release_regions:
+-- 
+2.39.2
+
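Review bot: The added `fwnode_handle_put(fwn)` after the loop in thunder_mdiobus_pci_probe() runs on every exit from the loop, not only after the `break` at the `ARRAY_SIZE(nexus->buses)` check, and nothing in the code says so. If the iterator leaves `fwn` as NULL on normal completion (not visible in this hunk), the call relies on fwnode_handle_put() accepting NULL. A one-line comment would make that explicit: `/* drop the reference held if the loop was left via break; fwn is NULL otherwise */`. The loop body starts outside the hunk, so other `break` paths cannot be checked from here.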
diff --git a/queue-5.10/net-mlx5-e-switch-fix-an-oops-in-error-handling-code.patch b/queue-5.10/net-mlx5-e-switch-fix-an-oops-in-error-handling-code.patch
new file mode 100644 (file)
index 0000000..0bb67e0
--- /dev/null
@@ -0,0 +1,38 @@
+From 2329e60f1351b871a11099ee61feca015cca6ea0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 14:16:10 +0300
+Subject: net/mlx5: E-Switch, Fix an Oops in error handling code
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit 640fcdbcf27fc62de9223f958ceb4e897a00e791 ]
+
+The error handling dereferences "vport".  There is nothing we can do if
+it is an error pointer except returning the error code.
+
+Fixes: 133dcfc577ea ("net/mlx5: E-Switch, Alloc and free unique metadata for match")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c
+index 548c005ea6335..90a10230bf0cd 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c
+@@ -301,8 +301,7 @@ int mlx5_esw_acl_ingress_vport_bond_update(struct mlx5_eswitch *esw, u16 vport_n
+       if (WARN_ON_ONCE(IS_ERR(vport))) {
+               esw_warn(esw->dev, "vport(%d) invalid!\n", vport_num);
+-              err = PTR_ERR(vport);
+-              goto out;
++              return PTR_ERR(vport);
+       }
+       esw_acl_ingress_ofld_rules_destroy(esw, vport);
+-- 
+2.39.2
+
diff --git a/queue-5.10/net-mlx5-fix-steering-rules-cleanup.patch b/queue-5.10/net-mlx5-fix-steering-rules-cleanup.patch
new file mode 100644 (file)
index 0000000..bd79a8d
--- /dev/null
@@ -0,0 +1,65 @@
+From 4d63e8aec35c74b7815d49dc65373d0c001ab4e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Jan 2023 14:07:03 +0200
+Subject: net/mlx5: Fix steering rules cleanup
+
+From: Lama Kayal <lkayal@nvidia.com>
+
+[ Upstream commit 922f56e9a795d6f3dd72d3428ebdd7ee040fa855 ]
+
+vport's mc, uc and multicast rules are not deleted in teardown path when
+EEH happens. Since the vport's promisc settings(uc, mc and all) in
+firmware are reset after EEH, mlx5 driver will try to delete the above
+rules in the initialization path. This cause kernel crash because these
+software rules are no longer valid.
+
+Fix by nullifying these rules right after delete to avoid accessing any dangling
+pointers.
+
+Call Trace:
+__list_del_entry_valid+0xcc/0x100 (unreliable)
+tree_put_node+0xf4/0x1b0 [mlx5_core]
+tree_remove_node+0x30/0x70 [mlx5_core]
+mlx5_del_flow_rules+0x14c/0x1f0 [mlx5_core]
+esw_apply_vport_rx_mode+0x10c/0x200 [mlx5_core]
+esw_update_vport_rx_mode+0xb4/0x180 [mlx5_core]
+esw_vport_change_handle_locked+0x1ec/0x230 [mlx5_core]
+esw_enable_vport+0x130/0x260 [mlx5_core]
+mlx5_eswitch_enable_sriov+0x2a0/0x2f0 [mlx5_core]
+mlx5_device_enable_sriov+0x74/0x440 [mlx5_core]
+mlx5_load_one+0x114c/0x1550 [mlx5_core]
+mlx5_pci_resume+0x68/0xf0 [mlx5_core]
+eeh_report_resume+0x1a4/0x230
+eeh_pe_dev_traverse+0x98/0x170
+eeh_handle_normal_event+0x3e4/0x640
+eeh_handle_event+0x4c/0x370
+eeh_event_handler+0x14c/0x210
+kthread+0x168/0x1b0
+ret_from_kernel_thread+0x5c/0x84
+
+Fixes: a35f71f27a61 ("net/mlx5: E-Switch, Implement promiscuous rx modes vf request handling")
+Signed-off-by: Huy Nguyen <huyn@mellanox.com>
+Signed-off-by: Lama Kayal <lkayal@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Maor Dickman <maord@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+index 78cc6f0bbc72b..3ae082c72a2b8 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -1339,6 +1339,7 @@ static void esw_disable_vport(struct mlx5_eswitch *esw, u16 vport_num)
+        */
+       esw_vport_change_handle_locked(vport);
+       vport->enabled_events = 0;
++      esw_apply_vport_rx_mode(esw, vport, false, false);
+       esw_vport_cleanup(esw, vport);
+       esw->enabled_vports--;
+-- 
+2.39.2
+
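Review bot: The new `esw_apply_vport_rx_mode(esw, vport, false, false);` in esw_disable_vport() has no comment, and the two bare `false` arguments do not say what is being turned off. From the commit message this looks like the step that removes the vport's promiscuous/all-multicast rules so no stale rule pointer survives teardown; a comment such as `/* remove promisc rules now so re-enable never deletes a stale rule pointer */` would record that. The message also says the rules are nullified right after delete, which presumably happens inside esw_apply_vport_rx_mode(); that function is not in the hunk, so it is worth confirming it clears the pointers after deleting the rules.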
diff --git a/queue-5.10/net-mlx5-read-the-tc-mapping-of-all-priorities-on-et.patch b/queue-5.10/net-mlx5-read-the-tc-mapping-of-all-priorities-on-et.patch
new file mode 100644 (file)
index 0000000..be7e167
--- /dev/null
@@ -0,0 +1,51 @@
+From 99c2f43f66b63a685de9c7fbeceacdd7ded5a7b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 11:04:38 +0200
+Subject: net/mlx5: Read the TC mapping of all priorities on ETS query
+
+From: Maher Sanalla <msanalla@nvidia.com>
+
+[ Upstream commit 44d553188c38ac74b799dfdcebafef2f7bb70942 ]
+
+When ETS configurations are queried by the user to get the mapping
+assignment between packet priority and traffic class, only priorities up
+to maximum TCs are queried from QTCT register in FW to retrieve their
+assigned TC, leaving the rest of the priorities mapped to the default
+TC #0 which might be misleading.
+
+Fix by querying the TC mapping of all priorities on each ETS query,
+regardless of the maximum number of TCs configured in FW.
+
+Fixes: 820c2c5e773d ("net/mlx5e: Read ETS settings directly from firmware")
+Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
+index 7c0ae7c38eefd..c25fb0cbde274 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
+@@ -117,12 +117,14 @@ static int mlx5e_dcbnl_ieee_getets(struct net_device *netdev,
+       if (!MLX5_CAP_GEN(priv->mdev, ets))
+               return -EOPNOTSUPP;
+-      ets->ets_cap = mlx5_max_tc(priv->mdev) + 1;
+-      for (i = 0; i < ets->ets_cap; i++) {
++      for (i = 0; i < IEEE_8021QAZ_MAX_TCS; i++) {
+               err = mlx5_query_port_prio_tc(mdev, i, &ets->prio_tc[i]);
+               if (err)
+                       return err;
++      }
++      ets->ets_cap = mlx5_max_tc(priv->mdev) + 1;
++      for (i = 0; i < ets->ets_cap; i++) {
+               err = mlx5_query_port_tc_group(mdev, i, &tc_group[i]);
+               if (err)
+                       return err;
+-- 
+2.39.2
+
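Review bot: The first loop in mlx5e_dcbnl_ieee_getets() now indexes `ets->prio_tc[i]` with a bound of `IEEE_8021QAZ_MAX_TCS`, a traffic-class count, while the index is a priority. That is only safe as long as the array is declared with that same constant, which is not visible here. Tying the bound to the array removes the assumption: `for (i = 0; i < ARRAY_SIZE(ets->prio_tc); i++) {`. The second loop still uses `ets->ets_cap` for `tc_group[i]`, whose declaration is outside the hunk.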
diff --git a/queue-5.10/net-phy-ensure-state-transitions-are-processed-from-.patch b/queue-5.10/net-phy-ensure-state-transitions-are-processed-from-.patch
new file mode 100644 (file)
index 0000000..c6e6230
--- /dev/null
@@ -0,0 +1,91 @@
+From 52fab673f4aeeb2d0ae1df140a5403fbdb14b25f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 13:33:24 -0700
+Subject: net: phy: Ensure state transitions are processed from phy_stop()
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 4203d84032e28f893594a453bd8bc9c3b15c7334 ]
+
+In the phy_disconnect() -> phy_stop() path, we will be forcibly setting
+the PHY state machine to PHY_HALTED. This invalidates the old_state !=
+phydev->state condition in phy_state_machine() such that we will neither
+display the state change for debugging, nor will we invoke the
+link_change_notify() callback.
+
+Factor the code by introducing phy_process_state_change(), and ensure
+that we process the state change from phy_stop() as well.
+
+Fixes: 5c5f626bcace ("net: phy: improve handling link_change_notify callback")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c
+index 18e67eb6d8b4f..f3e606b6617e9 100644
+--- a/drivers/net/phy/phy.c
++++ b/drivers/net/phy/phy.c
+@@ -56,6 +56,18 @@ static const char *phy_state_to_str(enum phy_state st)
+       return NULL;
+ }
++static void phy_process_state_change(struct phy_device *phydev,
++                                   enum phy_state old_state)
++{
++      if (old_state != phydev->state) {
++              phydev_dbg(phydev, "PHY state change %s -> %s\n",
++                         phy_state_to_str(old_state),
++                         phy_state_to_str(phydev->state));
++              if (phydev->drv && phydev->drv->link_change_notify)
++                      phydev->drv->link_change_notify(phydev);
++      }
++}
++
+ static void phy_link_up(struct phy_device *phydev)
+ {
+       phydev->phy_link_change(phydev, true);
+@@ -1110,6 +1122,7 @@ EXPORT_SYMBOL(phy_free_interrupt);
+ void phy_stop(struct phy_device *phydev)
+ {
+       struct net_device *dev = phydev->attached_dev;
++      enum phy_state old_state;
+       if (!phy_is_started(phydev) && phydev->state != PHY_DOWN) {
+               WARN(1, "called from state %s\n",
+@@ -1118,6 +1131,7 @@ void phy_stop(struct phy_device *phydev)
+       }
+       mutex_lock(&phydev->lock);
++      old_state = phydev->state;
+       if (phydev->state == PHY_CABLETEST) {
+               phy_abort_cable_test(phydev);
+@@ -1128,6 +1142,7 @@ void phy_stop(struct phy_device *phydev)
+               sfp_upstream_stop(phydev->sfp_bus);
+       phydev->state = PHY_HALTED;
++      phy_process_state_change(phydev, old_state);
+       mutex_unlock(&phydev->lock);
+@@ -1242,13 +1257,7 @@ void phy_state_machine(struct work_struct *work)
+       if (err < 0)
+               phy_error(phydev);
+-      if (old_state != phydev->state) {
+-              phydev_dbg(phydev, "PHY state change %s -> %s\n",
+-                         phy_state_to_str(old_state),
+-                         phy_state_to_str(phydev->state));
+-              if (phydev->drv && phydev->drv->link_change_notify)
+-                      phydev->drv->link_change_notify(phydev);
+-      }
++      phy_process_state_change(phydev, old_state);
+       /* Only re-schedule a PHY state machine change if we are polling the
+        * PHY, if PHY_IGNORE_INTERRUPT is set, then we will be moving
+-- 
+2.39.2
+
diff --git a/queue-5.10/net-ps3_gelic_net-fix-rx-sk_buff-length.patch b/queue-5.10/net-ps3_gelic_net-fix-rx-sk_buff-length.patch
new file mode 100644 (file)
index 0000000..24d2a70
--- /dev/null
@@ -0,0 +1,106 @@
+From bbe25d90a43e3ce33440d4d871a0c6b8b9496be1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Mar 2023 17:39:16 +0000
+Subject: net/ps3_gelic_net: Fix RX sk_buff length
+
+From: Geoff Levand <geoff@infradead.org>
+
+[ Upstream commit 19b3bb51c3bc288b3f2c6f8c4450b0f548320625 ]
+
+The Gelic Ethernet device needs to have the RX sk_buffs aligned to
+GELIC_NET_RXBUF_ALIGN, and also the length of the RX sk_buffs must
+be a multiple of GELIC_NET_RXBUF_ALIGN.
+
+The current Gelic Ethernet driver was not allocating sk_buffs large
+enough to allow for this alignment.
+
+Also, correct the maximum and minimum MTU sizes, and add a new
+preprocessor macro for the maximum frame size, GELIC_NET_MAX_FRAME.
+
+Fixes various randomly occurring runtime network errors.
+
+Fixes: 02c1889166b4 ("ps3: gigabit ethernet driver for PS3, take3")
+Signed-off-by: Geoff Levand <geoff@infradead.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/toshiba/ps3_gelic_net.c | 19 ++++++++++---------
+ drivers/net/ethernet/toshiba/ps3_gelic_net.h |  5 +++--
+ 2 files changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/toshiba/ps3_gelic_net.c b/drivers/net/ethernet/toshiba/ps3_gelic_net.c
+index d9a5722f561b5..013011285dd01 100644
+--- a/drivers/net/ethernet/toshiba/ps3_gelic_net.c
++++ b/drivers/net/ethernet/toshiba/ps3_gelic_net.c
+@@ -365,26 +365,27 @@ static int gelic_card_init_chain(struct gelic_card *card,
+  *
+  * allocates a new rx skb, iommu-maps it and attaches it to the descriptor.
+  * Activate the descriptor state-wise
++ *
++ * Gelic RX sk_buffs must be aligned to GELIC_NET_RXBUF_ALIGN and the length
++ * must be a multiple of GELIC_NET_RXBUF_ALIGN.
+  */
+ static int gelic_descr_prepare_rx(struct gelic_card *card,
+                                 struct gelic_descr *descr)
+ {
++      static const unsigned int rx_skb_size =
++              ALIGN(GELIC_NET_MAX_FRAME, GELIC_NET_RXBUF_ALIGN) +
++              GELIC_NET_RXBUF_ALIGN - 1;
+       int offset;
+-      unsigned int bufsize;
+       if (gelic_descr_get_status(descr) !=  GELIC_DESCR_DMA_NOT_IN_USE)
+               dev_info(ctodev(card), "%s: ERROR status\n", __func__);
+-      /* we need to round up the buffer size to a multiple of 128 */
+-      bufsize = ALIGN(GELIC_NET_MAX_MTU, GELIC_NET_RXBUF_ALIGN);
+-      /* and we need to have it 128 byte aligned, therefore we allocate a
+-       * bit more */
+-      descr->skb = dev_alloc_skb(bufsize + GELIC_NET_RXBUF_ALIGN - 1);
++      descr->skb = netdev_alloc_skb(*card->netdev, rx_skb_size);
+       if (!descr->skb) {
+               descr->buf_addr = 0; /* tell DMAC don't touch memory */
+               return -ENOMEM;
+       }
+-      descr->buf_size = cpu_to_be32(bufsize);
++      descr->buf_size = cpu_to_be32(rx_skb_size);
+       descr->dmac_cmd_status = 0;
+       descr->result_size = 0;
+       descr->valid_size = 0;
+@@ -397,7 +398,7 @@ static int gelic_descr_prepare_rx(struct gelic_card *card,
+       /* io-mmu-map the skb */
+       descr->buf_addr = cpu_to_be32(dma_map_single(ctodev(card),
+                                                    descr->skb->data,
+-                                                   GELIC_NET_MAX_MTU,
++                                                   GELIC_NET_MAX_FRAME,
+                                                    DMA_FROM_DEVICE));
+       if (!descr->buf_addr) {
+               dev_kfree_skb_any(descr->skb);
+@@ -915,7 +916,7 @@ static void gelic_net_pass_skb_up(struct gelic_descr *descr,
+       data_error = be32_to_cpu(descr->data_error);
+       /* unmap skb buffer */
+       dma_unmap_single(ctodev(card), be32_to_cpu(descr->buf_addr),
+-                       GELIC_NET_MAX_MTU,
++                       GELIC_NET_MAX_FRAME,
+                        DMA_FROM_DEVICE);
+       skb_put(skb, be32_to_cpu(descr->valid_size)?
+diff --git a/drivers/net/ethernet/toshiba/ps3_gelic_net.h b/drivers/net/ethernet/toshiba/ps3_gelic_net.h
+index 68f324ed4eaf0..0d98defb011ed 100644
+--- a/drivers/net/ethernet/toshiba/ps3_gelic_net.h
++++ b/drivers/net/ethernet/toshiba/ps3_gelic_net.h
+@@ -19,8 +19,9 @@
+ #define GELIC_NET_RX_DESCRIPTORS        128 /* num of descriptors */
+ #define GELIC_NET_TX_DESCRIPTORS        128 /* num of descriptors */
+-#define GELIC_NET_MAX_MTU               VLAN_ETH_FRAME_LEN
+-#define GELIC_NET_MIN_MTU               VLAN_ETH_ZLEN
++#define GELIC_NET_MAX_FRAME             2312
++#define GELIC_NET_MAX_MTU               2294
++#define GELIC_NET_MIN_MTU               64
+ #define GELIC_NET_RXBUF_ALIGN           128
+ #define GELIC_CARD_RX_CSUM_DEFAULT      1 /* hw chksum */
+ #define GELIC_NET_WATCHDOG_TIMEOUT      5*HZ
+-- 
+2.39.2
+
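Review bot: In gelic_descr_prepare_rx() the descriptor now advertises `descr->buf_size = cpu_to_be32(rx_skb_size)`, where rx_skb_size includes the `GELIC_NET_RXBUF_ALIGN - 1` bytes of alignment slack, while the buffer is DMA-mapped with only `GELIC_NET_MAX_FRAME` bytes. The removed code kept the two apart: it allocated `bufsize + GELIC_NET_RXBUF_ALIGN - 1` but told the device `bufsize`, which was a multiple of the alignment; the new value is not (ALIGN(2312, 128) + 127 = 2559). If the device treats buf_size as its write limit, it may be allowed to write past the mapped region and past the space left once the start has been aligned. I would keep a separate aligned length and use it for both, e.g. `descr->buf_size = cpu_to_be32(ALIGN(GELIC_NET_MAX_FRAME, GELIC_NET_RXBUF_ALIGN));` with the same length passed to dma_map_single() and dma_unmap_single(). The function body continues outside the hunks.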
diff --git a/queue-5.10/net-ps3_gelic_net-use-dma_mapping_error.patch b/queue-5.10/net-ps3_gelic_net-use-dma_mapping_error.patch
new file mode 100644 (file)
index 0000000..f44cbb6
--- /dev/null
@@ -0,0 +1,89 @@
+From 58dd9eaa0f04540d4199e43dfbc50f28ea0351c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Mar 2023 17:39:16 +0000
+Subject: net/ps3_gelic_net: Use dma_mapping_error
+
+From: Geoff Levand <geoff@infradead.org>
+
+[ Upstream commit bebe933d35a63d4f042fbf4dce4f22e689ba0fcd ]
+
+The current Gelic Etherenet driver was checking the return value of its
+dma_map_single call, and not using the dma_mapping_error() routine.
+
+Fixes runtime problems like these:
+
+  DMA-API: ps3_gelic_driver sb_05: device driver failed to check map error
+  WARNING: CPU: 0 PID: 0 at kernel/dma/debug.c:1027 .check_unmap+0x888/0x8dc
+
+Fixes: 02c1889166b4 ("ps3: gigabit ethernet driver for PS3, take3")
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Signed-off-by: Geoff Levand <geoff@infradead.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/toshiba/ps3_gelic_net.c | 24 +++++++++++---------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/toshiba/ps3_gelic_net.c b/drivers/net/ethernet/toshiba/ps3_gelic_net.c
+index 013011285dd01..524098a7b6585 100644
+--- a/drivers/net/ethernet/toshiba/ps3_gelic_net.c
++++ b/drivers/net/ethernet/toshiba/ps3_gelic_net.c
+@@ -317,15 +317,17 @@ static int gelic_card_init_chain(struct gelic_card *card,
+       /* set up the hardware pointers in each descriptor */
+       for (i = 0; i < no; i++, descr++) {
++              dma_addr_t cpu_addr;
++
+               gelic_descr_set_status(descr, GELIC_DESCR_DMA_NOT_IN_USE);
+-              descr->bus_addr =
+-                      dma_map_single(ctodev(card), descr,
+-                                     GELIC_DESCR_SIZE,
+-                                     DMA_BIDIRECTIONAL);
+-              if (!descr->bus_addr)
++              cpu_addr = dma_map_single(ctodev(card), descr,
++                                        GELIC_DESCR_SIZE, DMA_BIDIRECTIONAL);
++
++              if (dma_mapping_error(ctodev(card), cpu_addr))
+                       goto iommu_error;
++              descr->bus_addr = cpu_to_be32(cpu_addr);
+               descr->next = descr + 1;
+               descr->prev = descr - 1;
+       }
+@@ -375,6 +377,7 @@ static int gelic_descr_prepare_rx(struct gelic_card *card,
+       static const unsigned int rx_skb_size =
+               ALIGN(GELIC_NET_MAX_FRAME, GELIC_NET_RXBUF_ALIGN) +
+               GELIC_NET_RXBUF_ALIGN - 1;
++      dma_addr_t cpu_addr;
+       int offset;
+       if (gelic_descr_get_status(descr) !=  GELIC_DESCR_DMA_NOT_IN_USE)
+@@ -396,11 +399,10 @@ static int gelic_descr_prepare_rx(struct gelic_card *card,
+       if (offset)
+               skb_reserve(descr->skb, GELIC_NET_RXBUF_ALIGN - offset);
+       /* io-mmu-map the skb */
+-      descr->buf_addr = cpu_to_be32(dma_map_single(ctodev(card),
+-                                                   descr->skb->data,
+-                                                   GELIC_NET_MAX_FRAME,
+-                                                   DMA_FROM_DEVICE));
+-      if (!descr->buf_addr) {
++      cpu_addr = dma_map_single(ctodev(card), descr->skb->data,
++                                GELIC_NET_MAX_FRAME, DMA_FROM_DEVICE);
++      descr->buf_addr = cpu_to_be32(cpu_addr);
++      if (dma_mapping_error(ctodev(card), cpu_addr)) {
+               dev_kfree_skb_any(descr->skb);
+               descr->skb = NULL;
+               dev_info(ctodev(card),
+@@ -780,7 +782,7 @@ static int gelic_descr_prepare_tx(struct gelic_card *card,
+       buf = dma_map_single(ctodev(card), skb->data, skb->len, DMA_TO_DEVICE);
+-      if (!buf) {
++      if (dma_mapping_error(ctodev(card), buf)) {
+               dev_err(ctodev(card),
+                       "dma map 2 failed (%p, %i). Dropping packet\n",
+                       skb->data, skb->len);
+-- 
+2.39.2
+
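Review bot: In gelic_descr_prepare_rx() `descr->buf_addr = cpu_to_be32(cpu_addr);` is stored before `dma_mapping_error()` is checked, so on failure the descriptor keeps the error cookie as its buffer address. The old test `if (!descr->buf_addr)` implied the field was zero on this path, and the allocation-failure path in the same function sets it to 0 so that the DMAC does not touch memory. Unless the rest of the error branch (outside the hunk) clears it, add `descr->buf_addr = 0;` inside the branch or move the assignment below the check, as gelic_card_init_chain() does for `bus_addr` in the first hunk. The local is also named `cpu_addr` although it holds a DMA address; `dma_addr` would read better.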
diff --git a/queue-5.10/net-qcom-emac-fix-use-after-free-bug-in-emac_remove-.patch b/queue-5.10/net-qcom-emac-fix-use-after-free-bug-in-emac_remove-.patch
new file mode 100644 (file)
index 0000000..135965f
--- /dev/null
@@ -0,0 +1,63 @@
+From 60b6a2077c8d4443fad63ea7b70d37e920571cbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Mar 2023 16:05:26 +0800
+Subject: net: qcom/emac: Fix use after free bug in emac_remove due to race
+ condition
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit 6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75 ]
+
+In emac_probe, &adpt->work_thread is bound with
+emac_work_thread. Then it will be started by timeout
+handler emac_tx_timeout or a IRQ handler emac_isr.
+
+If we remove the driver which will call emac_remove
+  to make cleanup, there may be a unfinished work.
+
+The possible sequence is as follows:
+
+Fix it by finishing the work before cleanup in the emac_remove
+and disable timeout response.
+
+CPU0                  CPU1
+
+                    |emac_work_thread
+emac_remove         |
+free_netdev         |
+kfree(netdev);      |
+                    |emac_reinit_locked
+                    |emac_mac_down
+                    |//use netdev
+Fixes: b9b17debc69d ("net: emac: emac gigabit ethernet controller driver")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qualcomm/emac/emac.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/qualcomm/emac/emac.c b/drivers/net/ethernet/qualcomm/emac/emac.c
+index ad655f0a4965c..e1aa56be9cc0b 100644
+--- a/drivers/net/ethernet/qualcomm/emac/emac.c
++++ b/drivers/net/ethernet/qualcomm/emac/emac.c
+@@ -728,9 +728,15 @@ static int emac_remove(struct platform_device *pdev)
+       struct net_device *netdev = dev_get_drvdata(&pdev->dev);
+       struct emac_adapter *adpt = netdev_priv(netdev);
++      netif_carrier_off(netdev);
++      netif_tx_disable(netdev);
++
+       unregister_netdev(netdev);
+       netif_napi_del(&adpt->rx_q.napi);
++      free_irq(adpt->irq.irq, &adpt->irq);
++      cancel_work_sync(&adpt->work_thread);
++
+       emac_clks_teardown(adpt);
+       put_device(&adpt->phydev->mdio.dev);
+-- 
+2.39.2
+
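Review bot: The added `free_irq(adpt->irq.irq, &adpt->irq);` in emac_remove() comes after `unregister_netdev(netdev)`, which closes the interface if it is up. If the driver requests this interrupt in its open handler and frees it in its stop handler (neither is visible here), the line frees an IRQ that has already been released and will trigger the kernel's already-free IRQ warning; if the interface was never opened, it frees one that was never requested. Please confirm where the IRQ is requested; if it is in the open path, `cancel_work_sync(&adpt->work_thread);` after `unregister_netdev()` is enough to close the race described in the commit message and the `free_irq()` line should go. The rest of emac_remove() is outside the hunk.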
diff --git a/queue-5.10/net-sonic-use-dma_mapping_error-for-error-check.patch b/queue-5.10/net-sonic-use-dma_mapping_error-for-error-check.patch
new file mode 100644 (file)
index 0000000..f9da1f0
--- /dev/null
@@ -0,0 +1,49 @@
+From 9ca4cee3df3a76f2084eee7e909091da1333d55f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Mar 2023 14:45:43 +1100
+Subject: net/sonic: use dma_mapping_error() for error check
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 4107b8746d93ace135b8c4da4f19bbae81db785f ]
+
+The DMA address returned by dma_map_single() should be checked with
+dma_mapping_error(). Fix it accordingly.
+
+Fixes: efcce839360f ("[PATCH] macsonic/jazzsonic network drivers update")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/6645a4b5c1e364312103f48b7b36783b94e197a2.1679370343.git.fthain@linux-m68k.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/natsemi/sonic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/natsemi/sonic.c b/drivers/net/ethernet/natsemi/sonic.c
+index d17d1b4f2585f..825356ee3492e 100644
+--- a/drivers/net/ethernet/natsemi/sonic.c
++++ b/drivers/net/ethernet/natsemi/sonic.c
+@@ -292,7 +292,7 @@ static int sonic_send_packet(struct sk_buff *skb, struct net_device *dev)
+        */
+       laddr = dma_map_single(lp->device, skb->data, length, DMA_TO_DEVICE);
+-      if (!laddr) {
++      if (dma_mapping_error(lp->device, laddr)) {
+               pr_err_ratelimited("%s: failed to map tx DMA buffer.\n", dev->name);
+               dev_kfree_skb_any(skb);
+               return NETDEV_TX_OK;
+@@ -509,7 +509,7 @@ static bool sonic_alloc_rb(struct net_device *dev, struct sonic_local *lp,
+       *new_addr = dma_map_single(lp->device, skb_put(*new_skb, SONIC_RBSIZE),
+                                  SONIC_RBSIZE, DMA_FROM_DEVICE);
+-      if (!*new_addr) {
++      if (dma_mapping_error(lp->device, *new_addr)) {
+               dev_kfree_skb(*new_skb);
+               *new_skb = NULL;
+               return false;
+-- 
+2.39.2
+
diff --git a/queue-5.10/net-usb-smsc95xx-limit-packet-length-to-skb-len.patch b/queue-5.10/net-usb-smsc95xx-limit-packet-length-to-skb-len.patch
new file mode 100644 (file)
index 0000000..ca9b36c
--- /dev/null
@@ -0,0 +1,43 @@
+From 2b049d5a5869ab27d98110360443c893fe6aa3f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 11:19:54 +0100
+Subject: net: usb: smsc95xx: Limit packet length to skb->len
+
+From: Szymon Heidrich <szymon.heidrich@gmail.com>
+
+[ Upstream commit ff821092cf02a70c2bccd2d19269f01e29aa52cf ]
+
+Packet length retrieved from descriptor may be larger than
+the actual socket buffer length. In such case the cloned
+skb passed up the network stack will leak kernel memory contents.
+
+Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
+Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/r/20230316101954.75836-1-szymon.heidrich@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc95xx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index e1cd4c2de2d30..975f52605867f 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -1824,6 +1824,12 @@ static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+               size = (u16)((header & RX_STS_FL_) >> 16);
+               align_count = (4 - ((size + NET_IP_ALIGN) % 4)) % 4;
++              if (unlikely(size > skb->len)) {
++                      netif_dbg(dev, rx_err, dev->net,
++                                "size err header=0x%08x\n", header);
++                      return 0;
++              }
++
+               if (unlikely(header & RX_STS_ES_)) {
+                       netif_dbg(dev, rx_err, dev->net,
+                                 "Error header=0x%08x\n", header);
+-- 
+2.39.2
+
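Review bot: The new `size > skb->len` branch in smsc95xx_rx_fixup drops the buffer with only a `netif_dbg` line, so a device that reports an oversized frame length leaves no trace at default log levels and moves no counter. Since `size` is taken from the device-supplied RX status word, I would count the event with `dev->net->stats.rx_length_errors++;` before the `return 0;`. A one-line comment above the check would also help: `/* size is device-controlled; never hand up more than the URB delivered */`. The header read and the loop around these lines are outside the hunk, so whether skb->len is also checked before the status word itself is parsed cannot be confirmed from here.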
diff --git a/queue-5.10/nvme-tcp-fix-nvme_tcp_term_pdu-to-match-spec.patch b/queue-5.10/nvme-tcp-fix-nvme_tcp_term_pdu-to-match-spec.patch
new file mode 100644 (file)
index 0000000..2aef0e7
--- /dev/null
@@ -0,0 +1,44 @@
+From 36a929d293122bcaf66c2f90f7d79f7b445e540d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 09:57:36 -0600
+Subject: nvme-tcp: fix nvme_tcp_term_pdu to match spec
+
+From: Caleb Sander <csander@purestorage.com>
+
+[ Upstream commit aa01c67de5926fdb276793180564f172c55fb0d7 ]
+
+The FEI field of C2HTermReq/H2CTermReq is 4 bytes but not 4-byte-aligned
+in the NVMe/TCP specification (it is located at offset 10 in the PDU).
+Split it into two 16-bit integers in struct nvme_tcp_term_pdu
+so no padding is inserted. There should also be 10 reserved bytes after.
+There are currently no users of this type.
+
+Fixes: fc221d05447aa6db ("nvme-tcp: Add protocol header")
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Caleb Sander <csander@purestorage.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/nvme-tcp.h | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/nvme-tcp.h b/include/linux/nvme-tcp.h
+index 959e0bd9a913e..73364ae916890 100644
+--- a/include/linux/nvme-tcp.h
++++ b/include/linux/nvme-tcp.h
+@@ -114,8 +114,9 @@ struct nvme_tcp_icresp_pdu {
+ struct nvme_tcp_term_pdu {
+       struct nvme_tcp_hdr     hdr;
+       __le16                  fes;
+-      __le32                  fei;
+-      __u8                    rsvd[8];
++      __le16                  feil;
++      __le16                  feiu;
++      __u8                    rsvd[10];
+ };
+ /**
+-- 
+2.39.2
+
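Review bot: Nothing next to struct nvme_tcp_term_pdu enforces the wire layout this change restores, so the same padding mistake can return unnoticed. The description puts FEI at offset 10 with 10 reserved bytes after it, which gives a 24-byte PDU; compile-time checks would pin that: `static_assert(offsetof(struct nvme_tcp_term_pdu, feil) == 10);` and `static_assert(sizeof(struct nvme_tcp_term_pdu) == 24);`. The definition of struct nvme_tcp_hdr is not in the hunk, so the 24 assumes the 8-byte header that the stated offset implies. A short comment on `feil`/`feiu` saying they are the two 16-bit halves of the 32-bit FEI field would also help, because the names alone do not say which half is which.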
diff --git a/queue-5.10/platform-chrome-cros_ec_chardev-fix-kernel-data-leak.patch b/queue-5.10/platform-chrome-cros_ec_chardev-fix-kernel-data-leak.patch
new file mode 100644 (file)
index 0000000..d55394c
--- /dev/null
@@ -0,0 +1,41 @@
+From 282828ef8b2a15a8b856baa118e9dc9e25c143c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Mar 2023 09:06:58 +0800
+Subject: platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+[ Upstream commit b20cf3f89c56b5f6a38b7f76a8128bf9f291bbd3 ]
+
+It is possible to peep kernel page's data by providing larger `insize`
+in struct cros_ec_command[1] when invoking EC host commands.
+
+Fix it by using zeroed memory.
+
+[1]: https://elixir.bootlin.com/linux/v6.2/source/include/linux/platform_data/cros_ec_proto.h#L74
+
+Fixes: eda2e30c6684 ("mfd / platform: cros_ec: Miscellaneous character device to talk with the EC")
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Link: https://lore.kernel.org/r/20230324010658.1082361-1-tzungbi@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/chrome/cros_ec_chardev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/chrome/cros_ec_chardev.c b/drivers/platform/chrome/cros_ec_chardev.c
+index 0de7c255254e0..d6de5a2941282 100644
+--- a/drivers/platform/chrome/cros_ec_chardev.c
++++ b/drivers/platform/chrome/cros_ec_chardev.c
+@@ -284,7 +284,7 @@ static long cros_ec_chardev_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg)
+           u_cmd.insize > EC_MAX_MSG_BYTES)
+               return -EINVAL;
+-      s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
++      s_cmd = kzalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
+                       GFP_KERNEL);
+       if (!s_cmd)
+               return -ENOMEM;
+-- 
+2.39.2
+
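Review bot: The switch to `kzalloc` in cros_ec_chardev_ioctl_xcmd does not say why the buffer must be zeroed, which makes it easy to revert later as a micro-optimisation. A comment on the allocation would record the reason given in the description, e.g. `/* zeroed: userspace picks insize and the reply buffer is copied back to it */`. The copy back to userspace is outside the hunk; if it uses the caller's `insize` rather than the number of bytes the EC actually returned, bounding the copy by the returned length would remove the dependence on zeroing.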
diff --git a/queue-5.10/power-supply-bq24190-fix-use-after-free-bug-in-bq241.patch b/queue-5.10/power-supply-bq24190-fix-use-after-free-bug-in-bq241.patch
new file mode 100644 (file)
index 0000000..8224d9a
--- /dev/null
@@ -0,0 +1,56 @@
+From d4f4f7347e38ef52d49b79bedc39080decf28a78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Mar 2023 01:47:28 +0800
+Subject: power: supply: bq24190: Fix use after free bug in bq24190_remove due
+ to race condition
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit 47c29d69212911f50bdcdd0564b5999a559010d4 ]
+
+In bq24190_probe, &bdi->input_current_limit_work is bound
+with bq24190_input_current_limit_work. When external power
+changed, it will call bq24190_charger_external_power_changed
+ to start the work.
+
+If we remove the module which will call bq24190_remove to make
+cleanup, there may be a unfinished work. The possible
+sequence is as follows:
+
+CPU0                  CPUc1
+
+                    |bq24190_input_current_limit_work
+bq24190_remove      |
+power_supply_unregister  |
+device_unregister   |
+power_supply_dev_release|
+kfree(psy)          |
+                    |
+                    | power_supply_get_property_from_supplier
+                    |   //use
+
+Fix it by finishing the work before cleanup in the bq24190_remove
+
+Fixes: 97774672573a ("power_supply: Initialize changed_work before calling device_add")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/bq24190_charger.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/power/supply/bq24190_charger.c b/drivers/power/supply/bq24190_charger.c
+index 81389fcc73e14..338dd82007e4e 100644
+--- a/drivers/power/supply/bq24190_charger.c
++++ b/drivers/power/supply/bq24190_charger.c
+@@ -1834,6 +1834,7 @@ static int bq24190_remove(struct i2c_client *client)
+       struct bq24190_dev_info *bdi = i2c_get_clientdata(client);
+       int error;
++      cancel_delayed_work_sync(&bdi->input_current_limit_work);
+       error = pm_runtime_resume_and_get(bdi->dev);
+       if (error < 0)
+               dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error);
+-- 
+2.39.2
+
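Review bot: `cancel_delayed_work_sync()` at the top of bq24190_remove only stops work that is already queued. Per the description the work is started from bq24190_charger_external_power_changed, and that callback presumably stays reachable until the supply is unregistered further down, outside this hunk. If so, the work can be queued again after the cancel and still run against the freed power_supply. The rest of the function should be checked for a step that stops new work from being queued, and the reasoning recorded next to the call, e.g. `/* nothing can queue input_current_limit_work past this point because ... */`.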
diff --git a/queue-5.10/power-supply-bq24190_charger-using-pm_runtime_resume.patch b/queue-5.10/power-supply-bq24190_charger-using-pm_runtime_resume.patch
new file mode 100644 (file)
index 0000000..27746a0
--- /dev/null
@@ -0,0 +1,191 @@
+From f642bf41c846ebfd9be1ab56c199c05e25507064 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Apr 2022 08:30:44 +0000
+Subject: power: supply: bq24190_charger: using pm_runtime_resume_and_get
+ instead of pm_runtime_get_sync
+
+From: Minghao Chi <chi.minghao@zte.com.cn>
+
+[ Upstream commit d96a89407e5f682d1cb22569d91784506c784863 ]
+
+Using pm_runtime_resume_and_get is more appropriate
+for simplifing code
+
+Reported-by: Zeal Robot <zealci@zte.com.cn>
+Signed-off-by: Minghao Chi <chi.minghao@zte.com.cn>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Stable-dep-of: 47c29d692129 ("power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/bq24190_charger.c | 63 +++++++++-----------------
+ 1 file changed, 21 insertions(+), 42 deletions(-)
+
+diff --git a/drivers/power/supply/bq24190_charger.c b/drivers/power/supply/bq24190_charger.c
+index 8c3c378dce0d5..81389fcc73e14 100644
+--- a/drivers/power/supply/bq24190_charger.c
++++ b/drivers/power/supply/bq24190_charger.c
+@@ -448,11 +448,9 @@ static ssize_t bq24190_sysfs_show(struct device *dev,
+       if (!info)
+               return -EINVAL;
+-      ret = pm_runtime_get_sync(bdi->dev);
+-      if (ret < 0) {
+-              pm_runtime_put_noidle(bdi->dev);
++      ret = pm_runtime_resume_and_get(bdi->dev);
++      if (ret < 0)
+               return ret;
+-      }
+       ret = bq24190_read_mask(bdi, info->reg, info->mask, info->shift, &v);
+       if (ret)
+@@ -483,11 +481,9 @@ static ssize_t bq24190_sysfs_store(struct device *dev,
+       if (ret < 0)
+               return ret;
+-      ret = pm_runtime_get_sync(bdi->dev);
+-      if (ret < 0) {
+-              pm_runtime_put_noidle(bdi->dev);
++      ret = pm_runtime_resume_and_get(bdi->dev);
++      if (ret < 0)
+               return ret;
+-      }
+       ret = bq24190_write_mask(bdi, info->reg, info->mask, info->shift, v);
+       if (ret)
+@@ -506,10 +502,9 @@ static int bq24190_set_charge_mode(struct regulator_dev *dev, u8 val)
+       struct bq24190_dev_info *bdi = rdev_get_drvdata(dev);
+       int ret;
+-      ret = pm_runtime_get_sync(bdi->dev);
++      ret = pm_runtime_resume_and_get(bdi->dev);
+       if (ret < 0) {
+               dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", ret);
+-              pm_runtime_put_noidle(bdi->dev);
+               return ret;
+       }
+@@ -539,10 +534,9 @@ static int bq24190_vbus_is_enabled(struct regulator_dev *dev)
+       int ret;
+       u8 val;
+-      ret = pm_runtime_get_sync(bdi->dev);
++      ret = pm_runtime_resume_and_get(bdi->dev);
+       if (ret < 0) {
+               dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", ret);
+-              pm_runtime_put_noidle(bdi->dev);
+               return ret;
+       }
+@@ -1083,11 +1077,9 @@ static int bq24190_charger_get_property(struct power_supply *psy,
+       dev_dbg(bdi->dev, "prop: %d\n", psp);
+-      ret = pm_runtime_get_sync(bdi->dev);
+-      if (ret < 0) {
+-              pm_runtime_put_noidle(bdi->dev);
++      ret = pm_runtime_resume_and_get(bdi->dev);
++      if (ret < 0)
+               return ret;
+-      }
+       switch (psp) {
+       case POWER_SUPPLY_PROP_CHARGE_TYPE:
+@@ -1157,11 +1149,9 @@ static int bq24190_charger_set_property(struct power_supply *psy,
+       dev_dbg(bdi->dev, "prop: %d\n", psp);
+-      ret = pm_runtime_get_sync(bdi->dev);
+-      if (ret < 0) {
+-              pm_runtime_put_noidle(bdi->dev);
++      ret = pm_runtime_resume_and_get(bdi->dev);
++      if (ret < 0)
+               return ret;
+-      }
+       switch (psp) {
+       case POWER_SUPPLY_PROP_ONLINE:
+@@ -1420,11 +1410,9 @@ static int bq24190_battery_get_property(struct power_supply *psy,
+       dev_warn(bdi->dev, "warning: /sys/class/power_supply/bq24190-battery is deprecated\n");
+       dev_dbg(bdi->dev, "prop: %d\n", psp);
+-      ret = pm_runtime_get_sync(bdi->dev);
+-      if (ret < 0) {
+-              pm_runtime_put_noidle(bdi->dev);
++      ret = pm_runtime_resume_and_get(bdi->dev);
++      if (ret < 0)
+               return ret;
+-      }
+       switch (psp) {
+       case POWER_SUPPLY_PROP_STATUS:
+@@ -1468,11 +1456,9 @@ static int bq24190_battery_set_property(struct power_supply *psy,
+       dev_warn(bdi->dev, "warning: /sys/class/power_supply/bq24190-battery is deprecated\n");
+       dev_dbg(bdi->dev, "prop: %d\n", psp);
+-      ret = pm_runtime_get_sync(bdi->dev);
+-      if (ret < 0) {
+-              pm_runtime_put_noidle(bdi->dev);
++      ret = pm_runtime_resume_and_get(bdi->dev);
++      if (ret < 0)
+               return ret;
+-      }
+       switch (psp) {
+       case POWER_SUPPLY_PROP_ONLINE:
+@@ -1626,10 +1612,9 @@ static irqreturn_t bq24190_irq_handler_thread(int irq, void *data)
+       int error;
+       bdi->irq_event = true;
+-      error = pm_runtime_get_sync(bdi->dev);
++      error = pm_runtime_resume_and_get(bdi->dev);
+       if (error < 0) {
+               dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error);
+-              pm_runtime_put_noidle(bdi->dev);
+               return IRQ_NONE;
+       }
+       bq24190_check_status(bdi);
+@@ -1849,11 +1834,9 @@ static int bq24190_remove(struct i2c_client *client)
+       struct bq24190_dev_info *bdi = i2c_get_clientdata(client);
+       int error;
+-      error = pm_runtime_get_sync(bdi->dev);
+-      if (error < 0) {
++      error = pm_runtime_resume_and_get(bdi->dev);
++      if (error < 0)
+               dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error);
+-              pm_runtime_put_noidle(bdi->dev);
+-      }
+       bq24190_register_reset(bdi);
+       if (bdi->battery)
+@@ -1902,11 +1885,9 @@ static __maybe_unused int bq24190_pm_suspend(struct device *dev)
+       struct bq24190_dev_info *bdi = i2c_get_clientdata(client);
+       int error;
+-      error = pm_runtime_get_sync(bdi->dev);
+-      if (error < 0) {
++      error = pm_runtime_resume_and_get(bdi->dev);
++      if (error < 0)
+               dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error);
+-              pm_runtime_put_noidle(bdi->dev);
+-      }
+       bq24190_register_reset(bdi);
+@@ -1927,11 +1908,9 @@ static __maybe_unused int bq24190_pm_resume(struct device *dev)
+       bdi->f_reg = 0;
+       bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */
+-      error = pm_runtime_get_sync(bdi->dev);
+-      if (error < 0) {
++      error = pm_runtime_resume_and_get(bdi->dev);
++      if (error < 0)
+               dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error);
+-              pm_runtime_put_noidle(bdi->dev);
+-      }
+       bq24190_register_reset(bdi);
+       bq24190_set_config(bdi);
+-- 
+2.39.2
+
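Review bot: In the bq24190_remove, bq24190_pm_suspend and bq24190_pm_resume hunks a failed `pm_runtime_resume_and_get()` is only warned about and execution falls through to `bq24190_register_reset(bdi)` with no usage-count reference held, since the helper drops it on failure. The matching put is outside these hunks, so it should be confirmed that it is skipped when `error < 0`; an unconditional put there would underflow the usage count. The warning text still reads `pm_runtime_get failed`, which no longer names the call that failed; `"pm_runtime_resume_and_get failed: %i\n"` would keep logs greppable.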
diff --git a/queue-5.10/power-supply-da9150-fix-use-after-free-bug-in-da9150.patch b/queue-5.10/power-supply-da9150-fix-use-after-free-bug-in-da9150.patch
new file mode 100644 (file)
index 0000000..18f2426
--- /dev/null
@@ -0,0 +1,55 @@
+From ea0795085e7de5174057f3b1b34720c228f22478 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Mar 2023 01:46:50 +0800
+Subject: power: supply: da9150: Fix use after free bug in
+ da9150_charger_remove due to race condition
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit 06615d11cc78162dfd5116efb71f29eb29502d37 ]
+
+In da9150_charger_probe, &charger->otg_work is bound with
+da9150_charger_otg_work. da9150_charger_otg_ncb may be
+called to start the work.
+
+If we remove the module which will call da9150_charger_remove
+to make cleanup, there may be a unfinished work. The possible
+sequence is as follows:
+
+Fix it by canceling the work before cleanup in the da9150_charger_remove
+
+CPU0                  CPUc1
+
+                    |da9150_charger_otg_work
+da9150_charger_remove      |
+power_supply_unregister  |
+device_unregister   |
+power_supply_dev_release|
+kfree(psy)          |
+                    |
+                    |  power_supply_changed(charger->usb);
+                    |   //use
+
+Fixes: c1a281e34dae ("power: Add support for DA9150 Charger")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/da9150-charger.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/power/supply/da9150-charger.c b/drivers/power/supply/da9150-charger.c
+index f9314cc0cd75f..6b987da586556 100644
+--- a/drivers/power/supply/da9150-charger.c
++++ b/drivers/power/supply/da9150-charger.c
+@@ -662,6 +662,7 @@ static int da9150_charger_remove(struct platform_device *pdev)
+       if (!IS_ERR_OR_NULL(charger->usb_phy))
+               usb_unregister_notifier(charger->usb_phy, &charger->otg_nb);
++      cancel_work_sync(&charger->otg_work);
+       power_supply_unregister(charger->battery);
+       power_supply_unregister(charger->usb);
+-- 
+2.39.2
+
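Review bot: The placement of `cancel_work_sync(&charger->otg_work)` after `usb_unregister_notifier()` and before the two `power_supply_unregister()` calls is what makes this fix hold, but nothing in the code says so. A comment would keep the order from being shuffled later, e.g. `/* notifier is gone, so otg_work cannot be queued again; flush it before the supplies are freed */`. The notifier is only unregistered when `charger->usb_phy` is valid, and the start of da9150_charger_remove is outside the hunk, so any other path that schedules otg_work would need the same treatment.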
diff --git a/queue-5.10/qed-qed_sriov-guard-against-null-derefs-from-qed_iov.patch b/queue-5.10/qed-qed_sriov-guard-against-null-derefs-from-qed_iov.patch
new file mode 100644 (file)
index 0000000..81640f2
--- /dev/null
@@ -0,0 +1,51 @@
+From 13d1481d9ce6ba8da28cdb995fc39f647ca39587 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 13:29:21 +0300
+Subject: qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info
+
+From: Daniil Tatianin <d-tatianin@yandex-team.ru>
+
+[ Upstream commit 25143b6a01d0cc5319edd3de22ffa2578b045550 ]
+
+We have to make sure that the info returned by the helper is valid
+before using it.
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE
+static analysis tool.
+
+Fixes: f990c82c385b ("qed*: Add support for ndo_set_vf_trust")
+Fixes: 733def6a04bf ("qed*: IOV link control")
+Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_sriov.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_sriov.c b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+index 3541bc95493f0..b2a2beb84e54e 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+@@ -4378,6 +4378,9 @@ qed_iov_configure_min_tx_rate(struct qed_dev *cdev, int vfid, u32 rate)
+       }
+       vf = qed_iov_get_vf_info(QED_LEADING_HWFN(cdev), (u16)vfid, true);
++      if (!vf)
++              return -EINVAL;
++
+       vport_id = vf->vport_id;
+       return qed_configure_vport_wfq(cdev, vport_id, rate);
+@@ -5123,7 +5126,7 @@ static void qed_iov_handle_trust_change(struct qed_hwfn *hwfn)
+               /* Validate that the VF has a configured vport */
+               vf = qed_iov_get_vf_info(hwfn, i, true);
+-              if (!vf->vport_instance)
++              if (!vf || !vf->vport_instance)
+                       continue;
+               memset(&params, 0, sizeof(params));
+-- 
+2.39.2
+
diff --git a/queue-5.10/scsi-scsi_dh_alua-fix-memleak-for-qdata-in-alua_acti.patch b/queue-5.10/scsi-scsi_dh_alua-fix-memleak-for-qdata-in-alua_acti.patch
new file mode 100644 (file)
index 0000000..5e9fc80
--- /dev/null
@@ -0,0 +1,61 @@
+From c5ed03f60c5d7fdb92f1d6893fec68d71dc76110 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 14:21:54 +0800
+Subject: scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit a13faca032acbf2699293587085293bdfaafc8ae ]
+
+If alua_rtpg_queue() failed from alua_activate(), then 'qdata' is not
+freed, which will cause following memleak:
+
+unreferenced object 0xffff88810b2c6980 (size 32):
+  comm "kworker/u16:2", pid 635322, jiffies 4355801099 (age 1216426.076s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    40 39 24 c1 ff ff ff ff 00 f8 ea 0a 81 88 ff ff  @9$.............
+  backtrace:
+    [<0000000098f3a26d>] alua_activate+0xb0/0x320
+    [<000000003b529641>] scsi_dh_activate+0xb2/0x140
+    [<000000007b296db3>] activate_path_work+0xc6/0xe0 [dm_multipath]
+    [<000000007adc9ace>] process_one_work+0x3c5/0x730
+    [<00000000c457a985>] worker_thread+0x93/0x650
+    [<00000000cb80e628>] kthread+0x1ba/0x210
+    [<00000000a1e61077>] ret_from_fork+0x22/0x30
+
+Fix the problem by freeing 'qdata' in error path.
+
+Fixes: 625fe857e4fa ("scsi: scsi_dh_alua: Check scsi_device_get() return value")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20230315062154.668812-1-yukuai1@huaweicloud.com
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/device_handler/scsi_dh_alua.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
+index fe8a5e5c0df84..bf0b3178f84d0 100644
+--- a/drivers/scsi/device_handler/scsi_dh_alua.c
++++ b/drivers/scsi/device_handler/scsi_dh_alua.c
+@@ -1036,10 +1036,12 @@ static int alua_activate(struct scsi_device *sdev,
+       rcu_read_unlock();
+       mutex_unlock(&h->init_mutex);
+-      if (alua_rtpg_queue(pg, sdev, qdata, true))
++      if (alua_rtpg_queue(pg, sdev, qdata, true)) {
+               fn = NULL;
+-      else
++      } else {
++              kfree(qdata);
+               err = SCSI_DH_DEV_OFFLINED;
++      }
+       kref_put(&pg->kref, release_port_group);
+ out:
+       if (fn)
+-- 
+2.39.2
+
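Review bot: The new `kfree(qdata)` in alua_activate is safe only if alua_rtpg_queue() never returns false after it has linked `qdata` into its list; otherwise this frees an entry that is still queued. That function is outside the hunk, so the ownership rule should be written down at the call site, e.g. `/* queueing failed before qdata was linked, so it is still ours to free */`, and ideally in alua_rtpg_queue's own header comment too. The code after `out:` continues past the hunk, so how `fn` is used on this path cannot be checked here.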
index bbf6a21e3fef895160b13742d623e32e74f8ba4d..023ff80001182be4fe463435b7f7cbe2b8076912 100644 (file)
@@ -17,3 +17,42 @@ serial-8250-aspeed_vuart-select-regmap-instead-of-de.patch
 interconnect-qcom-msm8974-fix-registration-race.patch
 drm-sun4i-fix-missing-component-unbind-on-bind-error.patch
 net-tls-fix-possible-race-condition-between-do_tls_g.patch
+power-supply-bq24190_charger-using-pm_runtime_resume.patch
+power-supply-bq24190-fix-use-after-free-bug-in-bq241.patch
+power-supply-da9150-fix-use-after-free-bug-in-da9150.patch
+arm-dts-imx6sll-e60k02-fix-usbotg1-pinctrl.patch
+arm-dts-imx6sl-tolino-shine2hd-fix-usbotg1-pinctrl.patch
+xsk-add-missing-overflow-check-in-xdp_umem_reg.patch
+iavf-fix-inverted-rx-hash-condition-leading-to-disab.patch
+iavf-fix-non-tunneled-ipv6-udp-packet-type-and-hashi.patch
+intel-igbvf-free-irq-on-the-error-path-in-igbvf_requ.patch
+igbvf-regard-vf-reset-nack-as-success.patch
+igc-fix-the-validation-logic-for-taprio-s-gate-list.patch
+i2c-imx-lpi2c-check-only-for-enabled-interrupt-flags.patch
+scsi-scsi_dh_alua-fix-memleak-for-qdata-in-alua_acti.patch
+net-usb-smsc95xx-limit-packet-length-to-skb-len.patch
+qed-qed_sriov-guard-against-null-derefs-from-qed_iov.patch
+xirc2ps_cs-fix-use-after-free-bug-in-xirc2ps_detach.patch
+net-phy-ensure-state-transitions-are-processed-from-.patch
+net-mdio-fix-owner-field-for-mdio-buses-registered-u.patch
+net-qcom-emac-fix-use-after-free-bug-in-emac_remove-.patch
+net-ps3_gelic_net-fix-rx-sk_buff-length.patch
+net-ps3_gelic_net-use-dma_mapping_error.patch
+bootconfig-fix-testcase-to-increase-max-node.patch
+keys-do-not-cache-key-in-task-struct-if-key-is-reque.patch
+bpf-adjust-insufficient-default-bpf_jit_limit.patch
+net-mlx5-fix-steering-rules-cleanup.patch
+net-mlx5-read-the-tc-mapping-of-all-priorities-on-et.patch
+net-mlx5-e-switch-fix-an-oops-in-error-handling-code.patch
+atm-idt77252-fix-kmemleak-when-rmmod-idt77252.patch
+erspan-do-not-use-skb_mac_header-in-ndo_start_xmit.patch
+net-sonic-use-dma_mapping_error-for-error-check.patch
+nvme-tcp-fix-nvme_tcp_term_pdu-to-match-spec.patch
+gve-cache-link_speed-value-from-device.patch
+net-dsa-mt7530-move-setting-ssc_delta-to-phy_interfa.patch
+net-mdio-thunder-add-missing-fwnode_handle_put.patch
+bluetooth-btqcomsmd-fix-command-timeout-after-settin.patch
+bluetooth-l2cap-fix-not-checking-for-maximum-number-.patch
+bluetooth-l2cap-fix-responding-with-wrong-pdu-type.patch
+bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch
+platform-chrome-cros_ec_chardev-fix-kernel-data-leak.patch
diff --git a/queue-5.10/xirc2ps_cs-fix-use-after-free-bug-in-xirc2ps_detach.patch b/queue-5.10/xirc2ps_cs-fix-use-after-free-bug-in-xirc2ps_detach.patch
new file mode 100644 (file)
index 0000000..0d9629b
--- /dev/null
@@ -0,0 +1,58 @@
+From 8f65f85ca486648f7138e14a46d444afe156aca3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Mar 2023 00:15:26 +0800
+Subject: xirc2ps_cs: Fix use after free bug in xirc2ps_detach
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit e8d20c3ded59a092532513c9bd030d1ea66f5f44 ]
+
+In xirc2ps_probe, the local->tx_timeout_task was bounded
+with xirc2ps_tx_timeout_task. When timeout occurs,
+it will call xirc_tx_timeout->schedule_work to start the
+work.
+
+When we call xirc2ps_detach to remove the driver, there
+may be a sequence as follows:
+
+Stop responding to timeout tasks and complete scheduled
+tasks before cleanup in xirc2ps_detach, which will fix
+the problem.
+
+CPU0                  CPU1
+
+                    |xirc2ps_tx_timeout_task
+xirc2ps_detach      |
+  free_netdev       |
+    kfree(dev);     |
+                    |
+                    | do_reset
+                    |   //use dev
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xircom/xirc2ps_cs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+index 3e337142b5161..56cef59c1c872 100644
+--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c
++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+@@ -503,6 +503,11 @@ static void
+ xirc2ps_detach(struct pcmcia_device *link)
+ {
+     struct net_device *dev = link->priv;
++    struct local_info *local = netdev_priv(dev);
++
++    netif_carrier_off(dev);
++    netif_tx_disable(dev);
++    cancel_work_sync(&local->tx_timeout_task);
+     dev_dbg(&link->dev, "detach\n");
+-- 
+2.39.2
+
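Review bot: The three calls added to xirc2ps_detach depend on their order, and the code does not say so. `netif_carrier_off()` and `netif_tx_disable()` are there so that no further TX timeout schedules `tx_timeout_task`, and only then does `cancel_work_sync()` flush it. A comment above the block would preserve that, e.g. `/* quiesce TX so the timeout path cannot re-schedule tx_timeout_task, then flush it before dev is freed */`. The unregister and free_netdev calls are outside the hunk, so whether a timeout already in flight can still queue the work after the cancel cannot be judged from here.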
diff --git a/queue-5.10/xsk-add-missing-overflow-check-in-xdp_umem_reg.patch b/queue-5.10/xsk-add-missing-overflow-check-in-xdp_umem_reg.patch
new file mode 100644 (file)
index 0000000..d16041a
--- /dev/null
@@ -0,0 +1,64 @@
+From a1d8a66285238308553f44cd713bafcec001474b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 18:40:13 +0100
+Subject: xsk: Add missing overflow check in xdp_umem_reg
+
+From: Kal Conley <kal.conley@dectris.com>
+
+[ Upstream commit c7df4813b149362248d6ef7be41a311e27bf75fe ]
+
+The number of chunks can overflow u32. Make sure to return -EINVAL on
+overflow. Also remove a redundant u32 cast assigning umem->npgs.
+
+Fixes: bbff2f321a86 ("xsk: new descriptor addressing scheme")
+Signed-off-by: Kal Conley <kal.conley@dectris.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Link: https://lore.kernel.org/bpf/20230308174013.1114745-1-kal.conley@dectris.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xdp_umem.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
+index 56a28a686988d..42b19feb2b6e5 100644
+--- a/net/xdp/xdp_umem.c
++++ b/net/xdp/xdp_umem.c
+@@ -153,10 +153,11 @@ static int xdp_umem_account_pages(struct xdp_umem *umem)
+ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+ {
+-      u32 npgs_rem, chunk_size = mr->chunk_size, headroom = mr->headroom;
+       bool unaligned_chunks = mr->flags & XDP_UMEM_UNALIGNED_CHUNK_FLAG;
+-      u64 npgs, addr = mr->addr, size = mr->len;
+-      unsigned int chunks, chunks_rem;
++      u32 chunk_size = mr->chunk_size, headroom = mr->headroom;
++      u64 addr = mr->addr, size = mr->len;
++      u32 chunks_rem, npgs_rem;
++      u64 chunks, npgs;
+       int err;
+       if (chunk_size < XDP_UMEM_MIN_CHUNK_SIZE || chunk_size > PAGE_SIZE) {
+@@ -191,8 +192,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+       if (npgs > U32_MAX)
+               return -EINVAL;
+-      chunks = (unsigned int)div_u64_rem(size, chunk_size, &chunks_rem);
+-      if (chunks == 0)
++      chunks = div_u64_rem(size, chunk_size, &chunks_rem);
++      if (!chunks || chunks > U32_MAX)
+               return -EINVAL;
+       if (!unaligned_chunks && chunks_rem)
+@@ -205,7 +206,7 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+       umem->headroom = headroom;
+       umem->chunk_size = chunk_size;
+       umem->chunks = chunks;
+-      umem->npgs = (u32)npgs;
++      umem->npgs = npgs;
+       umem->pgs = NULL;
+       umem->user = NULL;
+       umem->flags = mr->flags;
+-- 
+2.39.2
+
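Review bot: With the `(u32)` cast dropped, `umem->npgs = npgs` and `umem->chunks = chunks` in xdp_umem_reg are implicit narrowings from u64 (assuming the fields are 32-bit, as the description's "redundant u32 cast" suggests). Their safety rests entirely on the `npgs > U32_MAX` and `chunks > U32_MAX` checks earlier in the function. Both values derive from the user-supplied `mr->len` and `mr->chunk_size`, so a comment at the assignments would keep the link visible if the checks are ever moved, e.g. `/* chunks and npgs were bounded to U32_MAX above */`. The lines between the `npgs` computation and these checks are partly outside the hunks, so the `addr`/`size` wrap handling cannot be reviewed here.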