--- /dev/null
+From fad567eb3ddd29cd2cc7f3b139d9d262dd056792 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Aug 2022 14:38:41 +0200
+Subject: acl: return EOPNOTSUPP in posix_acl_fix_xattr_common()
+
+From: Christian Brauner <brauner@kernel.org>
+
+[ Upstream commit 985a6d0b3c800265a2d5312a52c549bf09254e55 ]
+
+Return EOPNOTSUPP when the POSIX ACL version doesn't match and zero if
+there are no entries. This will allow us to reuse the helper in
+posix_acl_from_xattr(). This change will have no user visible effects.
+
+Fixes: 0c5fd887d2bb ("acl: move idmapped mount fixup into vfs_{g,s}etxattr()")
+Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Reviewed-by: Seth Forshee (DigitalOcean) <sforshee@kernel.org>>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/posix_acl.c | 25 +++++++++----------------
+ 1 file changed, 9 insertions(+), 16 deletions(-)
+
+diff --git a/fs/posix_acl.c b/fs/posix_acl.c
+index 5af33800743e..abe387700ba9 100644
+--- a/fs/posix_acl.c
++++ b/fs/posix_acl.c
+@@ -710,9 +710,9 @@ EXPORT_SYMBOL(posix_acl_update_mode);
+ /*
+ * Fix up the uids and gids in posix acl extended attributes in place.
+ */
+-static int posix_acl_fix_xattr_common(void *value, size_t size)
++static int posix_acl_fix_xattr_common(const void *value, size_t size)
+ {
+- struct posix_acl_xattr_header *header = value;
++ const struct posix_acl_xattr_header *header = value;
+ int count;
+
+ if (!header)
+@@ -720,13 +720,13 @@ static int posix_acl_fix_xattr_common(void *value, size_t size)
+ if (size < sizeof(struct posix_acl_xattr_header))
+ return -EINVAL;
+ if (header->a_version != cpu_to_le32(POSIX_ACL_XATTR_VERSION))
+- return -EINVAL;
++ return -EOPNOTSUPP;
+
+ count = posix_acl_xattr_count(size);
+ if (count < 0)
+ return -EINVAL;
+ if (count == 0)
+- return -EINVAL;
++ return 0;
+
+ return count;
+ }
+@@ -748,7 +748,7 @@ void posix_acl_getxattr_idmapped_mnt(struct user_namespace *mnt_userns,
+ return;
+
+ count = posix_acl_fix_xattr_common(value, size);
+- if (count < 0)
++ if (count <= 0)
+ return;
+
+ for (end = entry + count; entry != end; entry++) {
+@@ -788,7 +788,7 @@ void posix_acl_setxattr_idmapped_mnt(struct user_namespace *mnt_userns,
+ return;
+
+ count = posix_acl_fix_xattr_common(value, size);
+- if (count < 0)
++ if (count <= 0)
+ return;
+
+ for (end = entry + count; entry != end; entry++) {
+@@ -822,7 +822,7 @@ static void posix_acl_fix_xattr_userns(
+ kgid_t gid;
+
+ count = posix_acl_fix_xattr_common(value, size);
+- if (count < 0)
++ if (count <= 0)
+ return;
+
+ for (end = entry + count; entry != end; entry++) {
+@@ -870,16 +870,9 @@ posix_acl_from_xattr(struct user_namespace *user_ns,
+ struct posix_acl *acl;
+ struct posix_acl_entry *acl_e;
+
+- if (!value)
+- return NULL;
+- if (size < sizeof(struct posix_acl_xattr_header))
+- return ERR_PTR(-EINVAL);
+- if (header->a_version != cpu_to_le32(POSIX_ACL_XATTR_VERSION))
+- return ERR_PTR(-EOPNOTSUPP);
+-
+- count = posix_acl_xattr_count(size);
++ count = posix_acl_fix_xattr_common(value, size);
+ if (count < 0)
+- return ERR_PTR(-EINVAL);
++ return ERR_PTR(count);
+ if (count == 0)
+ return NULL;
+
+--
+2.35.1
+
--- /dev/null
+From eddd4abeb1b0bd6dbf3d047ac570dc7267d77d08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Sep 2022 15:49:53 +0800
+Subject: ACPI: APEI: do not add task_work to kernel thread to avoid memory
+ leak
+
+From: Shuai Xue <xueshuai@linux.alibaba.com>
+
+[ Upstream commit 415fed694fe11395df56e05022d6e7cee1d39dd3 ]
+
+If an error is detected as a result of user-space process accessing a
+corrupt memory location, the CPU may take an abort. Then the platform
+firmware reports kernel via NMI like notifications, e.g. NOTIFY_SEA,
+NOTIFY_SOFTWARE_DELEGATED, etc.
+
+For NMI like notifications, commit 7f17b4a121d0 ("ACPI: APEI: Kick the
+memory_failure() queue for synchronous errors") keep track of whether
+memory_failure() work was queued, and make task_work pending to flush out
+the queue so that the work is processed before return to user-space.
+
+The code use init_mm to check whether the error occurs in user space:
+
+ if (current->mm != &init_mm)
+
+The condition is always true, becase _nobody_ ever has "init_mm" as a real
+VM any more.
+
+In addition to abort, errors can also be signaled as asynchronous
+exceptions, such as interrupt and SError. In such case, the interrupted
+current process could be any kind of thread. When a kernel thread is
+interrupted, the work ghes_kick_task_work deferred to task_work will never
+be processed because entry_handler returns to call ret_to_kernel() instead
+of ret_to_user(). Consequently, the estatus_node alloced from
+ghes_estatus_pool in ghes_in_nmi_queue_one_entry() will not be freed.
+After around 200 allocations in our platform, the ghes_estatus_pool will
+run of memory and ghes_in_nmi_queue_one_entry() returns ENOMEM. As a
+result, the event failed to be processed.
+
+ sdei: event 805 on CPU 113 failed with error: -2
+
+Finally, a lot of unhandled events may cause platform firmware to exceed
+some threshold and reboot.
+
+The condition should generally just do
+
+ if (current->mm)
+
+as described in active_mm.rst documentation.
+
+Then if an asynchronous error is detected when a kernel thread is running,
+(e.g. when detected by a background scrubber), do not add task_work to it
+as the original patch intends to do.
+
+Fixes: 7f17b4a121d0 ("ACPI: APEI: Kick the memory_failure() queue for synchronous errors")
+Signed-off-by: Shuai Xue <xueshuai@linux.alibaba.com>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/apei/ghes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
+index d91ad378c00d..80ad530583c9 100644
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -985,7 +985,7 @@ static void ghes_proc_in_irq(struct irq_work *irq_work)
+ ghes_estatus_cache_add(generic, estatus);
+ }
+
+- if (task_work_pending && current->mm != &init_mm) {
++ if (task_work_pending && current->mm) {
+ estatus_node->task_work.func = ghes_kick_task_work;
+ estatus_node->task_work_cpu = smp_processor_id();
+ ret = task_work_add(current, &estatus_node->task_work,
+--
+2.35.1
+
--- /dev/null
+From ea95ed3113415fc26a4bf7fbafb459398d8afced Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 17:45:00 +0800
+Subject: ACPI: PCC: Fix Tx acknowledge in the PCC address space handler
+
+From: Huisong Li <lihuisong@huawei.com>
+
+[ Upstream commit 18729106c26fb97d4c9ae63ba7aba9889a058dc4 ]
+
+Currently, mbox_client_txdone() is called from the PCC address space
+handler and that expects the user the Tx state machine to be controlled
+by the client which is not the case and the below warning is thrown:
+
+ | PCCT: Client can't run the TX ticker
+
+Let the controller run the state machine and the end of Tx can be
+acknowledge by calling mbox_chan_txdone() instead.
+
+Fixes: 77e2a04745ff ("ACPI: PCC: Implement OperationRegion handler for the PCC Type 3 subtype")
+Signed-off-by: Huisong Li <lihuisong@huawei.com>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_pcc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/acpi_pcc.c b/drivers/acpi/acpi_pcc.c
+index 16ba875e3293..ee4ce5ba1fb2 100644
+--- a/drivers/acpi/acpi_pcc.c
++++ b/drivers/acpi/acpi_pcc.c
+@@ -121,7 +121,7 @@ acpi_pcc_address_space_handler(u32 function, acpi_physical_address addr,
+ }
+ }
+
+- mbox_client_txdone(data->pcc_chan->mchan, ret);
++ mbox_chan_txdone(data->pcc_chan->mchan, ret);
+
+ memcpy_fromio(value, data->pcc_comm_addr, data->ctx.length);
+
+--
+2.35.1
+
--- /dev/null
+From 0e4a6943010969e80165bacaa9e725a507af392b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 12:33:19 -0300
+Subject: ACPI: PCC: Release resources on address space setup failure path
+
+From: Rafael Mendonca <rafaelmendsr@gmail.com>
+
+[ Upstream commit f890157e61b85ce8ae01a41ffa375e3b99853698 ]
+
+The allocated memory for the pcc_data struct doesn't get freed under an
+error path in pcc_mbox_request_channel() or acpi_os_ioremap(). Also, the
+PCC mailbox channel doesn't get freed under an error path in
+acpi_os_ioremap().
+
+Fixes: 77e2a04745ff8 ("ACPI: PCC: Implement OperationRegion handler for the PCC Type 3 subtype")
+Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_pcc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/acpi/acpi_pcc.c b/drivers/acpi/acpi_pcc.c
+index a12b55d81209..84f1ac416b57 100644
+--- a/drivers/acpi/acpi_pcc.c
++++ b/drivers/acpi/acpi_pcc.c
+@@ -63,6 +63,7 @@ acpi_pcc_address_space_setup(acpi_handle region_handle, u32 function,
+ if (IS_ERR(data->pcc_chan)) {
+ pr_err("Failed to find PCC channel for subspace %d\n",
+ ctx->subspace_id);
++ kfree(data);
+ return AE_NOT_FOUND;
+ }
+
+@@ -72,6 +73,8 @@ acpi_pcc_address_space_setup(acpi_handle region_handle, u32 function,
+ if (!data->pcc_comm_addr) {
+ pr_err("Failed to ioremap PCC comm region mem for %d\n",
+ ctx->subspace_id);
++ pcc_mbox_free_channel(data->pcc_chan);
++ kfree(data);
+ return AE_NO_MEMORY;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 07e87c80aa91e3d0e14983a7b699eacf6e62c522 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 17:44:59 +0800
+Subject: ACPI: PCC: replace wait_for_completion()
+
+From: Huisong Li <lihuisong@huawei.com>
+
+[ Upstream commit 91cefefb699120efd0a5ba345d12626b688f86ce ]
+
+Currently, the function waiting for completion of mailbox operation is
+'wait_for_completion()'. The PCC method will be permanently blocked if
+this mailbox message fails to execute. So this patch replaces it with
+'wait_for_completion_timeout()'. And set the timeout interval to an
+arbitrary retries on top of nominal to prevent the remote processor is
+slow to respond to PCC commands.
+
+Fixes: 77e2a04745ff ("ACPI: PCC: Implement OperationRegion handler for the PCC Type 3 subtype")
+Signed-off-by: Huisong Li <lihuisong@huawei.com>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_pcc.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/acpi/acpi_pcc.c b/drivers/acpi/acpi_pcc.c
+index 84f1ac416b57..16ba875e3293 100644
+--- a/drivers/acpi/acpi_pcc.c
++++ b/drivers/acpi/acpi_pcc.c
+@@ -23,6 +23,12 @@
+
+ #include <acpi/pcc.h>
+
++/*
++ * Arbitrary retries in case the remote processor is slow to respond
++ * to PCC commands
++ */
++#define PCC_CMD_WAIT_RETRIES_NUM 500
++
+ struct pcc_data {
+ struct pcc_mbox_chan *pcc_chan;
+ void __iomem *pcc_comm_addr;
+@@ -89,6 +95,7 @@ acpi_pcc_address_space_handler(u32 function, acpi_physical_address addr,
+ {
+ int ret;
+ struct pcc_data *data = region_context;
++ u64 usecs_lat;
+
+ reinit_completion(&data->done);
+
+@@ -99,8 +106,20 @@ acpi_pcc_address_space_handler(u32 function, acpi_physical_address addr,
+ if (ret < 0)
+ return AE_ERROR;
+
+- if (data->pcc_chan->mchan->mbox->txdone_irq)
+- wait_for_completion(&data->done);
++ if (data->pcc_chan->mchan->mbox->txdone_irq) {
++ /*
++ * pcc_chan->latency is just a Nominal value. In reality the remote
++ * processor could be much slower to reply. So add an arbitrary
++ * amount of wait on top of Nominal.
++ */
++ usecs_lat = PCC_CMD_WAIT_RETRIES_NUM * data->pcc_chan->latency;
++ ret = wait_for_completion_timeout(&data->done,
++ usecs_to_jiffies(usecs_lat));
++ if (ret == 0) {
++ pr_err("PCC command executed timeout!\n");
++ return AE_TIME;
++ }
++ }
+
+ mbox_client_txdone(data->pcc_chan->mchan, ret);
+
+--
+2.35.1
+
--- /dev/null
+From 907c0d7a0bda62df61abe14ffa950aad5b1c49b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Sep 2022 14:34:12 +0200
+Subject: ACPI: tables: FPDT: Don't call acpi_os_map_memory() on invalid phys
+ address
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 211391bf04b3c74e250c566eeff9cf808156c693 ]
+
+On a Packard Bell Dot SC (Intel Atom N2600 model) there is a FPDT table
+which contains invalid physical addresses, with high bits set which fall
+outside the range of the CPU-s supported physical address range.
+
+Calling acpi_os_map_memory() on such an invalid phys address leads to
+the below WARN_ON in ioremap triggering resulting in an oops/stacktrace.
+
+Add code to verify the physical address before calling acpi_os_map_memory()
+to fix / avoid the oops.
+
+[ 1.226900] ioremap: invalid physical address 3001000000000000
+[ 1.226949] ------------[ cut here ]------------
+[ 1.226962] WARNING: CPU: 1 PID: 1 at arch/x86/mm/ioremap.c:200 __ioremap_caller.cold+0x43/0x5f
+[ 1.226996] Modules linked in:
+[ 1.227016] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.0.0-rc3+ #490
+[ 1.227029] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013
+[ 1.227038] RIP: 0010:__ioremap_caller.cold+0x43/0x5f
+[ 1.227054] Code: 96 00 00 e9 f8 af 24 ff 89 c6 48 c7 c7 d8 0c 84 99 e8 6a 96 00 00 e9 76 af 24 ff 48 89 fe 48 c7 c7 a8 0c 84 99 e8 56 96 00 00 <0f> 0b e9 60 af 24 ff 48 8b 34 24 48 c7 c7 40 0d 84 99 e8 3f 96 00
+[ 1.227067] RSP: 0000:ffffb18c40033d60 EFLAGS: 00010286
+[ 1.227084] RAX: 0000000000000032 RBX: 3001000000000000 RCX: 0000000000000000
+[ 1.227095] RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00000000ffffffff
+[ 1.227105] RBP: 3001000000000000 R08: 0000000000000000 R09: ffffb18c40033c18
+[ 1.227115] R10: 0000000000000003 R11: ffffffff99d62fe8 R12: 0000000000000008
+[ 1.227124] R13: 0003001000000000 R14: 0000000000001000 R15: 3001000000000000
+[ 1.227135] FS: 0000000000000000(0000) GS:ffff913a3c080000(0000) knlGS:0000000000000000
+[ 1.227146] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1.227156] CR2: 0000000000000000 CR3: 0000000018c26000 CR4: 00000000000006e0
+[ 1.227167] Call Trace:
+[ 1.227176] <TASK>
+[ 1.227185] ? acpi_os_map_iomem+0x1c9/0x1e0
+[ 1.227215] ? kmem_cache_alloc_trace+0x187/0x370
+[ 1.227254] acpi_os_map_iomem+0x1c9/0x1e0
+[ 1.227288] acpi_init_fpdt+0xa8/0x253
+[ 1.227308] ? acpi_debugfs_init+0x1f/0x1f
+[ 1.227339] do_one_initcall+0x5a/0x300
+[ 1.227406] ? rcu_read_lock_sched_held+0x3f/0x80
+[ 1.227442] kernel_init_freeable+0x28b/0x2cc
+[ 1.227512] ? rest_init+0x170/0x170
+[ 1.227538] kernel_init+0x16/0x140
+[ 1.227552] ret_from_fork+0x1f/0x30
+[ 1.227639] </TASK>
+[ 1.227647] irq event stamp: 186819
+[ 1.227656] hardirqs last enabled at (186825): [<ffffffff98184a6e>] __up_console_sem+0x5e/0x70
+[ 1.227672] hardirqs last disabled at (186830): [<ffffffff98184a53>] __up_console_sem+0x43/0x70
+[ 1.227686] softirqs last enabled at (186576): [<ffffffff980fbc9d>] __irq_exit_rcu+0xed/0x160
+[ 1.227701] softirqs last disabled at (186569): [<ffffffff980fbc9d>] __irq_exit_rcu+0xed/0x160
+[ 1.227715] ---[ end trace 0000000000000000 ]---
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_fpdt.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/drivers/acpi/acpi_fpdt.c b/drivers/acpi/acpi_fpdt.c
+index 6922a44b3ce7..a2056c4c8cb7 100644
+--- a/drivers/acpi/acpi_fpdt.c
++++ b/drivers/acpi/acpi_fpdt.c
+@@ -143,6 +143,23 @@ static const struct attribute_group boot_attr_group = {
+
+ static struct kobject *fpdt_kobj;
+
++#if defined CONFIG_X86 && defined CONFIG_PHYS_ADDR_T_64BIT
++#include <linux/processor.h>
++static bool fpdt_address_valid(u64 address)
++{
++ /*
++ * On some systems the table contains invalid addresses
++ * with unsuppored high address bits set, check for this.
++ */
++ return !(address >> boot_cpu_data.x86_phys_bits);
++}
++#else
++static bool fpdt_address_valid(u64 address)
++{
++ return true;
++}
++#endif
++
+ static int fpdt_process_subtable(u64 address, u32 subtable_type)
+ {
+ struct fpdt_subtable_header *subtable_header;
+@@ -151,6 +168,11 @@ static int fpdt_process_subtable(u64 address, u32 subtable_type)
+ u32 length, offset;
+ int result;
+
++ if (!fpdt_address_valid(address)) {
++ pr_info(FW_BUG "invalid physical address: 0x%llx!\n", address);
++ return -EINVAL;
++ }
++
+ subtable_header = acpi_os_map_memory(address, sizeof(*subtable_header));
+ if (!subtable_header)
+ return -ENOMEM;
+--
+2.35.1
+
--- /dev/null
+From 18fae22da10237b3f2e369a43399f1ea4022ccc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Aug 2022 20:49:50 +0200
+Subject: ACPI: video: Add Toshiba Satellite/Portege Z830 quirk
+
+From: Arvid Norlander <lkml@vorpal.se>
+
+[ Upstream commit 574160b8548deff8b80b174f03201e94ab8431e2 ]
+
+Toshiba Satellite Z830 needs the quirk video_disable_backlight_sysfs_if
+for proper backlight control after suspend/resume cycles.
+
+Toshiba Portege Z830 is simply the same laptop rebranded for certain
+markets (I looked through the manual to other language sections to confirm
+this) and thus also needs this quirk.
+
+Thanks to Hans de Goede for suggesting this fix.
+
+Link: https://www.spinics.net/lists/platform-driver-x86/msg34394.html
+Suggested-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Arvid Norlander <lkml@vorpal.se>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Tested-by: Arvid Norlander <lkml@vorpal.se>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_video.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
+index 5cbe2196176d..2a4990733cf0 100644
+--- a/drivers/acpi/acpi_video.c
++++ b/drivers/acpi/acpi_video.c
+@@ -496,6 +496,22 @@ static const struct dmi_system_id video_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "SATELLITE R830"),
+ },
+ },
++ {
++ .callback = video_disable_backlight_sysfs_if,
++ .ident = "Toshiba Satellite Z830",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "SATELLITE Z830"),
++ },
++ },
++ {
++ .callback = video_disable_backlight_sysfs_if,
++ .ident = "Toshiba Portege Z830",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE Z830"),
++ },
++ },
+ /*
+ * Some machine's _DOD IDs don't have bit 31(Device ID Scheme) set
+ * but the IDs actually follow the Device ID Scheme.
+--
+2.35.1
+
--- /dev/null
+From 2f712beea2e616a8967adfbed3bbff48e4a85657 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 13:23:14 -0500
+Subject: ACPI: x86: Add a quirk for Dell Inspiron 14 2-in-1 for
+ StorageD3Enable
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 018d6711c26e4bd26e20a819fcc7f8ab902608f3 ]
+
+Dell Inspiron 14 2-in-1 has two ACPI nodes under GPP1 both with _ADR of
+0, both without _HID. It's ambiguous which the kernel should take, but
+it seems to take "DEV0". Unfortunately "DEV0" is missing the device
+property `StorageD3Enable` which is present on "NVME".
+
+To avoid this causing problems for suspend, add a quirk for this system
+to behave like `StorageD3Enable` property was found.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216440
+Reported-and-tested-by: Luya Tshimbalanga <luya@fedoraproject.org>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/x86/utils.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c
+index 664070fc8349..d7cdd8406c84 100644
+--- a/drivers/acpi/x86/utils.c
++++ b/drivers/acpi/x86/utils.c
+@@ -207,9 +207,26 @@ static const struct x86_cpu_id storage_d3_cpu_ids[] = {
+ {}
+ };
+
++static const struct dmi_system_id force_storage_d3_dmi[] = {
++ {
++ /*
++ * _ADR is ambiguous between GPP1.DEV0 and GPP1.NVME
++ * but .NVME is needed to get StorageD3Enable node
++ * https://bugzilla.kernel.org/show_bug.cgi?id=216440
++ */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 14 7425 2-in-1"),
++ }
++ },
++ {}
++};
++
+ bool force_storage_d3(void)
+ {
+- return x86_match_cpu(storage_d3_cpu_ids);
++ const struct dmi_system_id *dmi_id = dmi_first_match(force_storage_d3_dmi);
++
++ return dmi_id || x86_match_cpu(storage_d3_cpu_ids);
+ }
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From f41b8eed4fa9bce8ea1665901fcc3be75deabb81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 08:52:04 -0700
+Subject: af_unix: Fix memory leaks of the whole sk due to OOB skb.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 7a62ed61367b8fd01bae1e18e30602c25060d824 ]
+
+syzbot reported a sequence of memory leaks, and one of them indicated we
+failed to free a whole sk:
+
+ unreferenced object 0xffff8880126e0000 (size 1088):
+ comm "syz-executor419", pid 326, jiffies 4294773607 (age 12.609s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 7d 00 00 00 00 00 00 00 ........}.......
+ 01 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............
+ backtrace:
+ [<000000006fefe750>] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:1970
+ [<0000000074006db5>] sk_alloc+0x3b/0x800 net/core/sock.c:2029
+ [<00000000728cd434>] unix_create1+0xaf/0x920 net/unix/af_unix.c:928
+ [<00000000a279a139>] unix_create+0x113/0x1d0 net/unix/af_unix.c:997
+ [<0000000068259812>] __sock_create+0x2ab/0x550 net/socket.c:1516
+ [<00000000da1521e1>] sock_create net/socket.c:1566 [inline]
+ [<00000000da1521e1>] __sys_socketpair+0x1a8/0x550 net/socket.c:1698
+ [<000000007ab259e1>] __do_sys_socketpair net/socket.c:1751 [inline]
+ [<000000007ab259e1>] __se_sys_socketpair net/socket.c:1748 [inline]
+ [<000000007ab259e1>] __x64_sys_socketpair+0x97/0x100 net/socket.c:1748
+ [<000000007dedddc1>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ [<000000007dedddc1>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
+ [<000000009456679f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+We can reproduce this issue by creating two AF_UNIX SOCK_STREAM sockets,
+send()ing an OOB skb to each other, and close()ing them without consuming
+the OOB skbs.
+
+ int skpair[2];
+
+ socketpair(AF_UNIX, SOCK_STREAM, 0, skpair);
+
+ send(skpair[0], "x", 1, MSG_OOB);
+ send(skpair[1], "x", 1, MSG_OOB);
+
+ close(skpair[0]);
+ close(skpair[1]);
+
+Currently, we free an OOB skb in unix_sock_destructor() which is called via
+__sk_free(), but it's too late because the receiver's unix_sk(sk)->oob_skb
+is accounted against the sender's sk->sk_wmem_alloc and __sk_free() is
+called only when sk->sk_wmem_alloc is 0.
+
+In the repro sequences, we do not consume the OOB skb, so both two sk's
+sock_put() never reach __sk_free() due to the positive sk->sk_wmem_alloc.
+Then, no one can consume the OOB skb nor call __sk_free(), and we finally
+leak the two whole sk.
+
+Thus, we must free the unconsumed OOB skb earlier when close()ing the
+socket.
+
+Fixes: 314001f0bf92 ("af_unix: Add OOB support")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index bf338b782fc4..d686804119c9 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -569,12 +569,6 @@ static void unix_sock_destructor(struct sock *sk)
+
+ skb_queue_purge(&sk->sk_receive_queue);
+
+-#if IS_ENABLED(CONFIG_AF_UNIX_OOB)
+- if (u->oob_skb) {
+- kfree_skb(u->oob_skb);
+- u->oob_skb = NULL;
+- }
+-#endif
+ DEBUG_NET_WARN_ON_ONCE(refcount_read(&sk->sk_wmem_alloc));
+ DEBUG_NET_WARN_ON_ONCE(!sk_unhashed(sk));
+ DEBUG_NET_WARN_ON_ONCE(sk->sk_socket);
+@@ -620,6 +614,13 @@ static void unix_release_sock(struct sock *sk, int embrion)
+
+ unix_state_unlock(sk);
+
++#if IS_ENABLED(CONFIG_AF_UNIX_OOB)
++ if (u->oob_skb) {
++ kfree_skb(u->oob_skb);
++ u->oob_skb = NULL;
++ }
++#endif
++
+ wake_up_interruptible_all(&u->peer_wait);
+
+ if (skpair != NULL) {
+--
+2.35.1
+
--- /dev/null
+From b36a19d248afdf1517b4dad8e29e27e285a71199 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 18:58:13 +0200
+Subject: ALSA: dmaengine: increment buffer pointer atomically
+
+From: Andreas Pape <apape@de.adit-jv.com>
+
+[ Upstream commit d1c442019594692c64a70a86ad88eb5b6db92216 ]
+
+Setting pointer and afterwards checking for wraparound leads
+to the possibility of returning the inconsistent pointer position.
+
+This patch increments buffer pointer atomically to avoid this issue.
+
+Fixes: e7f73a1613567a ("ASoC: Add dmaengine PCM helper functions")
+Signed-off-by: Andreas Pape <apape@de.adit-jv.com>
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Link: https://lore.kernel.org/r/1664211493-11789-1-git-send-email-erosca@de.adit-jv.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/pcm_dmaengine.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/sound/core/pcm_dmaengine.c b/sound/core/pcm_dmaengine.c
+index 5b2ca028f5aa..494ec0c207fa 100644
+--- a/sound/core/pcm_dmaengine.c
++++ b/sound/core/pcm_dmaengine.c
+@@ -133,12 +133,14 @@ EXPORT_SYMBOL_GPL(snd_dmaengine_pcm_set_config_from_dai_data);
+
+ static void dmaengine_pcm_dma_complete(void *arg)
+ {
++ unsigned int new_pos;
+ struct snd_pcm_substream *substream = arg;
+ struct dmaengine_pcm_runtime_data *prtd = substream_to_prtd(substream);
+
+- prtd->pos += snd_pcm_lib_period_bytes(substream);
+- if (prtd->pos >= snd_pcm_lib_buffer_bytes(substream))
+- prtd->pos = 0;
++ new_pos = prtd->pos + snd_pcm_lib_period_bytes(substream);
++ if (new_pos >= snd_pcm_lib_buffer_bytes(substream))
++ new_pos = 0;
++ prtd->pos = new_pos;
+
+ snd_pcm_period_elapsed(substream);
+ }
+--
+2.35.1
+
--- /dev/null
+From bcce0037d12ff0995d167aabb6b829c64629882f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Sep 2022 11:23:06 +0200
+Subject: ALSA: hda: beep: Simplify keep-power-at-enable behavior
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 4c8d695cb9bc5f6fd298a586602947b2fc099a64 ]
+
+The recent fix for IDT codecs to keep the power up while the beep is
+enabled can be better integrated into the beep helper code.
+This patch cleans up the code with refactoring.
+
+Fixes: 414d38ba8710 ("ALSA: hda/sigmatel: Keep power up while beep is enabled")
+Link: https://lore.kernel.org/r/20220906092306.26183-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_beep.c | 15 +++++++++++++--
+ sound/pci/hda/hda_beep.h | 1 +
+ sound/pci/hda/patch_sigmatel.c | 25 ++-----------------------
+ 3 files changed, 16 insertions(+), 25 deletions(-)
+
+diff --git a/sound/pci/hda/hda_beep.c b/sound/pci/hda/hda_beep.c
+index 53a2b89f8983..e63621bcb214 100644
+--- a/sound/pci/hda/hda_beep.c
++++ b/sound/pci/hda/hda_beep.c
+@@ -118,6 +118,12 @@ static int snd_hda_beep_event(struct input_dev *dev, unsigned int type,
+ return 0;
+ }
+
++static void turn_on_beep(struct hda_beep *beep)
++{
++ if (beep->keep_power_at_enable)
++ snd_hda_power_up_pm(beep->codec);
++}
++
+ static void turn_off_beep(struct hda_beep *beep)
+ {
+ cancel_work_sync(&beep->beep_work);
+@@ -125,6 +131,8 @@ static void turn_off_beep(struct hda_beep *beep)
+ /* turn off beep */
+ generate_tone(beep, 0);
+ }
++ if (beep->keep_power_at_enable)
++ snd_hda_power_down_pm(beep->codec);
+ }
+
+ /**
+@@ -140,7 +148,9 @@ int snd_hda_enable_beep_device(struct hda_codec *codec, int enable)
+ enable = !!enable;
+ if (beep->enabled != enable) {
+ beep->enabled = enable;
+- if (!enable)
++ if (enable)
++ turn_on_beep(beep);
++ else
+ turn_off_beep(beep);
+ return 1;
+ }
+@@ -167,7 +177,8 @@ static int beep_dev_disconnect(struct snd_device *device)
+ input_unregister_device(beep->dev);
+ else
+ input_free_device(beep->dev);
+- turn_off_beep(beep);
++ if (beep->enabled)
++ turn_off_beep(beep);
+ return 0;
+ }
+
+diff --git a/sound/pci/hda/hda_beep.h b/sound/pci/hda/hda_beep.h
+index a25358a4807a..db76e3ddba65 100644
+--- a/sound/pci/hda/hda_beep.h
++++ b/sound/pci/hda/hda_beep.h
+@@ -25,6 +25,7 @@ struct hda_beep {
+ unsigned int enabled:1;
+ unsigned int linear_tone:1; /* linear tone for IDT/STAC codec */
+ unsigned int playing:1;
++ unsigned int keep_power_at_enable:1; /* set by driver */
+ struct work_struct beep_work; /* scheduled task for beep event */
+ struct mutex mutex;
+ void (*power_hook)(struct hda_beep *beep, bool on);
+diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c
+index 7f340f18599c..a794a01a68ca 100644
+--- a/sound/pci/hda/patch_sigmatel.c
++++ b/sound/pci/hda/patch_sigmatel.c
+@@ -4311,6 +4311,8 @@ static int stac_parse_auto_config(struct hda_codec *codec)
+ if (codec->beep) {
+ /* IDT/STAC codecs have linear beep tone parameter */
+ codec->beep->linear_tone = spec->linear_tone_beep;
++ /* keep power up while beep is enabled */
++ codec->beep->keep_power_at_enable = 1;
+ /* if no beep switch is available, make its own one */
+ caps = query_amp_caps(codec, nid, HDA_OUTPUT);
+ if (!(caps & AC_AMPCAP_MUTE)) {
+@@ -4444,28 +4446,6 @@ static int stac_suspend(struct hda_codec *codec)
+
+ return 0;
+ }
+-
+-static int stac_check_power_status(struct hda_codec *codec, hda_nid_t nid)
+-{
+-#ifdef CONFIG_SND_HDA_INPUT_BEEP
+- struct sigmatel_spec *spec = codec->spec;
+-#endif
+- int ret = snd_hda_gen_check_power_status(codec, nid);
+-
+-#ifdef CONFIG_SND_HDA_INPUT_BEEP
+- if (nid == spec->gen.beep_nid && codec->beep) {
+- if (codec->beep->enabled != spec->beep_power_on) {
+- spec->beep_power_on = codec->beep->enabled;
+- if (spec->beep_power_on)
+- snd_hda_power_up_pm(codec);
+- else
+- snd_hda_power_down_pm(codec);
+- }
+- ret |= spec->beep_power_on;
+- }
+-#endif
+- return ret;
+-}
+ #else
+ #define stac_suspend NULL
+ #endif /* CONFIG_PM */
+@@ -4478,7 +4458,6 @@ static const struct hda_codec_ops stac_patch_ops = {
+ .unsol_event = snd_hda_jack_unsol_event,
+ #ifdef CONFIG_PM
+ .suspend = stac_suspend,
+- .check_power_status = stac_check_power_status,
+ #endif
+ };
+
+--
+2.35.1
+
--- /dev/null
+From b868d4706e47b8774c88ffc6377778d08926640c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 13:17:27 +0200
+Subject: ALSA: hda: Fix page fault in snd_hda_codec_shutdown()
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit f2bd1c5ae2cb0cf9525c9bffc0038c12dd7e1338 ]
+
+If early probe of HDAudio bus driver fails e.g.: due to missing
+firmware file, snd_hda_codec_shutdown() ends in manipulating
+uninitialized codec->pcm_list_head causing page fault.
+
+Initialization of HDAudio codec in ASoC is split in two:
+- snd_hda_codec_device_init()
+- snd_hda_codec_device_new()
+
+snd_hda_codec_device_init() is called during probe_codecs() by HDAudio
+bus driver while snd_hda_codec_device_new() is called by
+codec-component's ->probe(). The second call will not happen until all
+components required by related sound card are present within the ASoC
+framework. With firmware failing to load during the PCI's deferred
+initialization i.e.: probe_work(), no platform components are ever
+registered. HDAudio codec enumeration is done at that point though, so
+the codec components became registered to ASoC framework, calling
+snd_hda_codec_device_init() in the process.
+
+Now, during platform reboot snd_hda_codec_shutdown() is called for every
+codec found on the HDAudio bus causing oops if any of them has not
+completed both of their initialization steps. Relocating field
+initialization fixes the issue.
+
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://lore.kernel.org/r/20220816111727.3218543-7-cezary.rojewski@intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_codec.c | 41 +++++++++++++++++++--------------------
+ 1 file changed, 20 insertions(+), 21 deletions(-)
+
+diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
+index 384426d7e9dd..4ae8b9574778 100644
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -931,8 +931,28 @@ snd_hda_codec_device_init(struct hda_bus *bus, unsigned int codec_addr,
+ }
+
+ codec->bus = bus;
++ codec->depop_delay = -1;
++ codec->fixup_id = HDA_FIXUP_ID_NOT_SET;
++ codec->core.dev.release = snd_hda_codec_dev_release;
++ codec->core.exec_verb = codec_exec_verb;
+ codec->core.type = HDA_DEV_LEGACY;
+
++ mutex_init(&codec->spdif_mutex);
++ mutex_init(&codec->control_mutex);
++ snd_array_init(&codec->mixers, sizeof(struct hda_nid_item), 32);
++ snd_array_init(&codec->nids, sizeof(struct hda_nid_item), 32);
++ snd_array_init(&codec->init_pins, sizeof(struct hda_pincfg), 16);
++ snd_array_init(&codec->driver_pins, sizeof(struct hda_pincfg), 16);
++ snd_array_init(&codec->cvt_setups, sizeof(struct hda_cvt_setup), 8);
++ snd_array_init(&codec->spdif_out, sizeof(struct hda_spdif_out), 16);
++ snd_array_init(&codec->jacktbl, sizeof(struct hda_jack_tbl), 16);
++ snd_array_init(&codec->verbs, sizeof(struct hda_verb *), 8);
++ INIT_LIST_HEAD(&codec->conn_list);
++ INIT_LIST_HEAD(&codec->pcm_list_head);
++ INIT_DELAYED_WORK(&codec->jackpoll_work, hda_jackpoll_work);
++ refcount_set(&codec->pcm_ref, 1);
++ init_waitqueue_head(&codec->remove_sleep);
++
+ return codec;
+ }
+ EXPORT_SYMBOL_GPL(snd_hda_codec_device_init);
+@@ -985,29 +1005,8 @@ int snd_hda_codec_device_new(struct hda_bus *bus, struct snd_card *card,
+ if (snd_BUG_ON(codec_addr > HDA_MAX_CODEC_ADDRESS))
+ return -EINVAL;
+
+- codec->core.dev.release = snd_hda_codec_dev_release;
+- codec->core.exec_verb = codec_exec_verb;
+-
+ codec->card = card;
+ codec->addr = codec_addr;
+- mutex_init(&codec->spdif_mutex);
+- mutex_init(&codec->control_mutex);
+- snd_array_init(&codec->mixers, sizeof(struct hda_nid_item), 32);
+- snd_array_init(&codec->nids, sizeof(struct hda_nid_item), 32);
+- snd_array_init(&codec->init_pins, sizeof(struct hda_pincfg), 16);
+- snd_array_init(&codec->driver_pins, sizeof(struct hda_pincfg), 16);
+- snd_array_init(&codec->cvt_setups, sizeof(struct hda_cvt_setup), 8);
+- snd_array_init(&codec->spdif_out, sizeof(struct hda_spdif_out), 16);
+- snd_array_init(&codec->jacktbl, sizeof(struct hda_jack_tbl), 16);
+- snd_array_init(&codec->verbs, sizeof(struct hda_verb *), 8);
+- INIT_LIST_HEAD(&codec->conn_list);
+- INIT_LIST_HEAD(&codec->pcm_list_head);
+- refcount_set(&codec->pcm_ref, 1);
+- init_waitqueue_head(&codec->remove_sleep);
+-
+- INIT_DELAYED_WORK(&codec->jackpoll_work, hda_jackpoll_work);
+- codec->depop_delay = -1;
+- codec->fixup_id = HDA_FIXUP_ID_NOT_SET;
+
+ #ifdef CONFIG_PM
+ codec->power_jiffies = jiffies;
+--
+2.35.1
+
--- /dev/null
+From 7e9366c5bf62aad91473edd289639192c6835375 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 09:03:07 +0200
+Subject: ALSA: hda/hdmi: change type for the 'assigned' variable
+
+From: Jaroslav Kysela <perex@perex.cz>
+
+[ Upstream commit 4053a41282f8aae290d3fe7b8daef4c8c53a4ab8 ]
+
+This change converts the assigned value from int type to
+the bool type to retain consistency with other structure
+members like 'setup', 'non_pcm' etc.
+
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+Link: https://lore.kernel.org/r/20220913070307.3234038-1-perex@perex.cz
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Stable-dep-of: fc6f923ecfa2 ("ALSA: hda/hdmi: Fix the converter allocation for the silent stream")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_hdmi.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
+index c239d9dbbaef..69afea67bf3e 100644
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -53,7 +53,7 @@ MODULE_PARM_DESC(enable_all_pins, "Forcibly enable all pins");
+
+ struct hdmi_spec_per_cvt {
+ hda_nid_t cvt_nid;
+- int assigned;
++ bool assigned; /* the stream has been assigned */
+ unsigned int channels_min;
+ unsigned int channels_max;
+ u32 rates;
+@@ -1204,7 +1204,7 @@ static int hdmi_pcm_open_no_pin(struct hda_pcm_stream *hinfo,
+ return err;
+
+ per_cvt = get_cvt(spec, cvt_idx);
+- per_cvt->assigned = 1;
++ per_cvt->assigned = true;
+ hinfo->nid = per_cvt->cvt_nid;
+
+ pin_cvt_fixup(codec, NULL, per_cvt->cvt_nid);
+@@ -1273,7 +1273,7 @@ static int hdmi_pcm_open(struct hda_pcm_stream *hinfo,
+
+ per_cvt = get_cvt(spec, cvt_idx);
+ /* Claim converter */
+- per_cvt->assigned = 1;
++ per_cvt->assigned = true;
+
+ set_bit(pcm_idx, &spec->pcm_in_use);
+ per_pin = get_pin(spec, pin_idx);
+@@ -1308,7 +1308,7 @@ static int hdmi_pcm_open(struct hda_pcm_stream *hinfo,
+ snd_hdmi_eld_update_pcm_info(&eld->info, hinfo);
+ if (hinfo->channels_min > hinfo->channels_max ||
+ !hinfo->rates || !hinfo->formats) {
+- per_cvt->assigned = 0;
++ per_cvt->assigned = false;
+ hinfo->nid = 0;
+ snd_hda_spdif_ctls_unassign(codec, pcm_idx);
+ err = -ENODEV;
+@@ -1767,7 +1767,7 @@ static void silent_stream_enable(struct hda_codec *codec,
+ }
+
+ per_cvt = get_cvt(spec, cvt_idx);
+- per_cvt->assigned = 1;
++ per_cvt->assigned = true;
+ per_pin->cvt_nid = per_cvt->cvt_nid;
+ per_pin->silent_stream = true;
+
+@@ -1827,7 +1827,7 @@ static void silent_stream_disable(struct hda_codec *codec,
+ cvt_idx = cvt_nid_to_cvt_index(codec, per_pin->cvt_nid);
+ if (cvt_idx >= 0 && cvt_idx < spec->num_cvts) {
+ per_cvt = get_cvt(spec, cvt_idx);
+- per_cvt->assigned = 0;
++ per_cvt->assigned = false;
+ }
+
+ if (spec->silent_stream_type == SILENT_STREAM_I915) {
+@@ -2223,7 +2223,7 @@ static int hdmi_pcm_close(struct hda_pcm_stream *hinfo,
+ goto unlock;
+ }
+ per_cvt = get_cvt(spec, cvt_idx);
+- per_cvt->assigned = 0;
++ per_cvt->assigned = false;
+ hinfo->nid = 0;
+
+ azx_stream(get_azx_dev(substream))->stripe = 0;
+--
+2.35.1
+
--- /dev/null
+From 1825c901731b0d56469b1513d4e57c10fbaf0020 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Oct 2022 09:48:10 +0200
+Subject: ALSA: hda/hdmi: Don't skip notification handling during PM operation
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 5226c7b9784eee215e3914f440b3c2e1764f67a8 ]
+
+The HDMI driver skips the notification handling from the graphics
+driver when the codec driver is being in the PM operation. This
+behavior was introduced by the commit eb399d3c99d8 ("ALSA: hda - Skip
+ELD notification during PM process"). This skip may cause a problem,
+as we may miss the ELD update when the connection/disconnection
+happens right at the runtime-PM operation of the audio codec.
+
+Although this workaround was valid at that time, it's no longer true;
+the fix was required just because the ELD update procedure needed to
+wake up the audio codec, which had lead to a runtime-resume during a
+runtime-suspend. Meanwhile, the ELD update procedure doesn't need a
+codec wake up any longer since the commit 788d441a164c ("ALSA: hda -
+Use component ops for i915 HDMI/DP audio jack handling"); i.e. there
+is no much reason for skipping the notification.
+
+Let's drop those checks for addressing the missing notification.
+
+Fixes: 788d441a164c ("ALSA: hda - Use component ops for i915 HDMI/DP audio jack handling")
+Reported-by: Brent Lu <brent.lu@intel.com>
+Link: https://lore.kernel.org/r/20220927135807.4097052-1-brent.lu@intel.com
+Link: https://lore.kernel.org/r/20221001074809.7461-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_hdmi.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
+index d463c968b3a4..287f4f78e7b1 100644
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -2751,9 +2751,6 @@ static void generic_acomp_pin_eld_notify(void *audio_ptr, int port, int dev_id)
+ */
+ if (codec->core.dev.power.power_state.event == PM_EVENT_SUSPEND)
+ return;
+- /* ditto during suspend/resume process itself */
+- if (snd_hdac_is_in_pm(&codec->core))
+- return;
+
+ check_presence_and_report(codec, pin_nid, dev_id);
+ }
+@@ -2937,9 +2934,6 @@ static void intel_pin_eld_notify(void *audio_ptr, int port, int pipe)
+ */
+ if (codec->core.dev.power.power_state.event == PM_EVENT_SUSPEND)
+ return;
+- /* ditto during suspend/resume process itself */
+- if (snd_hdac_is_in_pm(&codec->core))
+- return;
+
+ snd_hdac_i915_set_bclk(&codec->bus->core);
+ check_presence_and_report(codec, pin_nid, dev_id);
+--
+2.35.1
+
--- /dev/null
+From b3f582c8b14551f27218e4bc15d0d809019ed5b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 15:54:44 +0200
+Subject: ALSA: hda/hdmi: Fix the converter allocation for the silent stream
+
+From: Jaroslav Kysela <perex@perex.cz>
+
+[ Upstream commit fc6f923ecfa2fafd0600f1b7e2de09baf29865e2 ]
+
+Track the converters handling the silent stream using a new
+variable to avoid mixing of the open/close and silent stream
+use. This change ensures the proper allocation of the converters.
+
+Fixes: 5f80d6bd2b01 ("ALSA: hda/hdmi: Fix the converter reuse for the silent stream")
+
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Link: https://lore.kernel.org/r/20220919135444.3554982-1-perex@perex.cz
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_hdmi.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
+index 69afea67bf3e..d463c968b3a4 100644
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -54,6 +54,7 @@ MODULE_PARM_DESC(enable_all_pins, "Forcibly enable all pins");
+ struct hdmi_spec_per_cvt {
+ hda_nid_t cvt_nid;
+ bool assigned; /* the stream has been assigned */
++ bool silent_stream; /* silent stream activated */
+ unsigned int channels_min;
+ unsigned int channels_max;
+ u32 rates;
+@@ -988,7 +989,8 @@ static int hdmi_setup_stream(struct hda_codec *codec, hda_nid_t cvt_nid,
+ * of the pin.
+ */
+ static int hdmi_choose_cvt(struct hda_codec *codec,
+- int pin_idx, int *cvt_id)
++ int pin_idx, int *cvt_id,
++ bool silent)
+ {
+ struct hdmi_spec *spec = codec->spec;
+ struct hdmi_spec_per_pin *per_pin;
+@@ -1003,6 +1005,9 @@ static int hdmi_choose_cvt(struct hda_codec *codec,
+
+ if (per_pin && per_pin->silent_stream) {
+ cvt_idx = cvt_nid_to_cvt_index(codec, per_pin->cvt_nid);
++ per_cvt = get_cvt(spec, cvt_idx);
++ if (per_cvt->assigned && !silent)
++ return -EBUSY;
+ if (cvt_id)
+ *cvt_id = cvt_idx;
+ return 0;
+@@ -1013,7 +1018,7 @@ static int hdmi_choose_cvt(struct hda_codec *codec,
+ per_cvt = get_cvt(spec, cvt_idx);
+
+ /* Must not already be assigned */
+- if (per_cvt->assigned)
++ if (per_cvt->assigned || per_cvt->silent_stream)
+ continue;
+ if (per_pin == NULL)
+ break;
+@@ -1199,7 +1204,7 @@ static int hdmi_pcm_open_no_pin(struct hda_pcm_stream *hinfo,
+ if (pcm_idx < 0)
+ return -EINVAL;
+
+- err = hdmi_choose_cvt(codec, -1, &cvt_idx);
++ err = hdmi_choose_cvt(codec, -1, &cvt_idx, false);
+ if (err)
+ return err;
+
+@@ -1267,7 +1272,7 @@ static int hdmi_pcm_open(struct hda_pcm_stream *hinfo,
+ }
+ }
+
+- err = hdmi_choose_cvt(codec, pin_idx, &cvt_idx);
++ err = hdmi_choose_cvt(codec, pin_idx, &cvt_idx, false);
+ if (err < 0)
+ goto unlock;
+
+@@ -1278,7 +1283,6 @@ static int hdmi_pcm_open(struct hda_pcm_stream *hinfo,
+ set_bit(pcm_idx, &spec->pcm_in_use);
+ per_pin = get_pin(spec, pin_idx);
+ per_pin->cvt_nid = per_cvt->cvt_nid;
+- per_pin->silent_stream = false;
+ hinfo->nid = per_cvt->cvt_nid;
+
+ /* flip stripe flag for the assigned stream if supported */
+@@ -1760,14 +1764,14 @@ static void silent_stream_enable(struct hda_codec *codec,
+ }
+
+ pin_idx = pin_id_to_pin_index(codec, per_pin->pin_nid, per_pin->dev_id);
+- err = hdmi_choose_cvt(codec, pin_idx, &cvt_idx);
++ err = hdmi_choose_cvt(codec, pin_idx, &cvt_idx, true);
+ if (err) {
+ codec_err(codec, "hdmi: no free converter to enable silent mode\n");
+ goto unlock_out;
+ }
+
+ per_cvt = get_cvt(spec, cvt_idx);
+- per_cvt->assigned = true;
++ per_cvt->silent_stream = true;
+ per_pin->cvt_nid = per_cvt->cvt_nid;
+ per_pin->silent_stream = true;
+
+@@ -1827,7 +1831,7 @@ static void silent_stream_disable(struct hda_codec *codec,
+ cvt_idx = cvt_nid_to_cvt_index(codec, per_pin->cvt_nid);
+ if (cvt_idx >= 0 && cvt_idx < spec->num_cvts) {
+ per_cvt = get_cvt(spec, cvt_idx);
+- per_cvt->assigned = false;
++ per_cvt->silent_stream = false;
+ }
+
+ if (spec->silent_stream_type == SILENT_STREAM_I915) {
+--
+2.35.1
+
--- /dev/null
+From 3eb68616ce5d21cc1569b9573b03b11064893f59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 13:45:48 +0200
+Subject: ALSA: intel-dspconfig: add ES8336 support for AlderLake-PS
+
+From: Muralidhar Reddy <muralidhar.reddy@intel.com>
+
+[ Upstream commit 9db1c9fa214ef41d098633ff40a87284ca6e1870 ]
+
+added quirks for ESS8336 for AlderLake-PS
+
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Signed-off-by: Muralidhar Reddy <muralidhar.reddy@intel.com>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20220919114548.42769-1-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/intel-dsp-config.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/sound/hda/intel-dsp-config.c b/sound/hda/intel-dsp-config.c
+index 5a478649f338..b9eb3208f288 100644
+--- a/sound/hda/intel-dsp-config.c
++++ b/sound/hda/intel-dsp-config.c
+@@ -427,6 +427,11 @@ static const struct config_entry config_table[] = {
+ .device = 0x51cd,
+ },
+ /* Alderlake-PS */
++ {
++ .flags = FLAG_SOF,
++ .device = 0x51c9,
++ .codec_hid = &essx_83x6,
++ },
+ {
+ .flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC_OR_SOUNDWIRE,
+ .device = 0x51c9,
+--
+2.35.1
+
--- /dev/null
+From ada0c96ac91d345c7174d97efcd4c7dc768d7605 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 17:14:33 -0300
+Subject: ALSA: usb-audio: Add quirk to enable Avid Mbox 3 support
+
+From: Conner Knox <connerknoxpublic@gmail.com>
+
+[ Upstream commit b01104fc62b6194c852124f6c6df1c0a5c031fc1 ]
+
+Add support for Avid Mbox3 USB audio interface at 48kHz
+
+Signed-off-by: Conner Knox <connerknoxpublic@gmail.com>
+Link: https://lore.kernel.org/r/20220818201433.16360-1-mbarriolinares@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/quirks-table.h | 76 ++++++++++
+ sound/usb/quirks.c | 302 +++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 378 insertions(+)
+
+diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
+index f93201a830b5..06dfdd45cff8 100644
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -2985,6 +2985,82 @@ YAMAHA_DEVICE(0x7010, "UB99"),
+ }
+ }
+ },
++/* DIGIDESIGN MBOX 3 */
++{
++ USB_DEVICE(0x0dba, 0x5000),
++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
++ .vendor_name = "Digidesign",
++ .product_name = "Mbox 3",
++ .ifnum = QUIRK_ANY_INTERFACE,
++ .type = QUIRK_COMPOSITE,
++ .data = (const struct snd_usb_audio_quirk[]) {
++ {
++ .ifnum = 0,
++ .type = QUIRK_IGNORE_INTERFACE
++ },
++ {
++ .ifnum = 1,
++ .type = QUIRK_IGNORE_INTERFACE
++ },
++ {
++ .ifnum = 2,
++ .type = QUIRK_AUDIO_FIXED_ENDPOINT,
++ .data = &(const struct audioformat) {
++ .formats = SNDRV_PCM_FMTBIT_S24_3LE,
++ .channels = 4,
++ .iface = 2,
++ .altsetting = 1,
++ .altset_idx = 1,
++ .attributes = 0x00,
++ .endpoint = 0x01,
++ .ep_attr = USB_ENDPOINT_XFER_ISOC |
++ USB_ENDPOINT_SYNC_ASYNC,
++ .rates = SNDRV_PCM_RATE_48000,
++ .rate_min = 48000,
++ .rate_max = 48000,
++ .nr_rates = 1,
++ .rate_table = (unsigned int[]) {
++ 48000
++ }
++ }
++ },
++ {
++ .ifnum = 3,
++ .type = QUIRK_AUDIO_FIXED_ENDPOINT,
++ .data = &(const struct audioformat) {
++ .formats = SNDRV_PCM_FMTBIT_S24_3LE,
++ .channels = 4,
++ .iface = 3,
++ .altsetting = 1,
++ .altset_idx = 1,
++ .endpoint = 0x81,
++ .attributes = 0x00,
++ .ep_attr = USB_ENDPOINT_XFER_ISOC |
++ USB_ENDPOINT_SYNC_ASYNC,
++ .maxpacksize = 0x009c,
++ .rates = SNDRV_PCM_RATE_48000,
++ .rate_min = 48000,
++ .rate_max = 48000,
++ .nr_rates = 1,
++ .rate_table = (unsigned int[]) {
++ 48000
++ }
++ }
++ },
++ {
++ .ifnum = 4,
++ .type = QUIRK_MIDI_FIXED_ENDPOINT,
++ .data = &(const struct snd_usb_midi_endpoint_info) {
++ .out_cables = 0x0001,
++ .in_cables = 0x0001
++ }
++ },
++ {
++ .ifnum = -1
++ }
++ }
++ }
++},
+ {
+ /* Tascam US122 MKII - playback-only support */
+ USB_DEVICE_VENDOR_SPEC(0x0644, 0x8021),
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 5b4d8f5eade2..194c75c45628 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1020,6 +1020,304 @@ static int snd_usb_axefx3_boot_quirk(struct usb_device *dev)
+ return 0;
+ }
+
++static void mbox3_setup_48_24_magic(struct usb_device *dev)
++{
++ /* The Mbox 3 is "little endian" */
++ /* max volume is: 0x0000. */
++ /* min volume is: 0x0080 (shown in little endian form) */
++
++
++ /* Load 48000Hz rate into buffer */
++ u8 com_buff[4] = {0x80, 0xbb, 0x00, 0x00};
++
++ /* Set 48000Hz sample rate */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 0x01, 0x21, 0x0100, 0x0001, &com_buff, 4); //Is this really needed?
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 0x01, 0x21, 0x0100, 0x8101, &com_buff, 4);
++
++ /* Deactivate Tuner */
++ /* on = 0x01*/
++ /* off = 0x00*/
++ com_buff[0] = 0x00;
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 0x01, 0x21, 0x0003, 0x2001, &com_buff, 1);
++
++ /* Set clock source to Internal (as opposed to S/PDIF) */
++ com_buff[0] = 0x01;
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0100, 0x8001, &com_buff, 1);
++
++ /* Mute the hardware loopbacks to start the device in a known state. */
++ com_buff[0] = 0x00;
++ com_buff[1] = 0x80;
++ /* Analogue input 1 left channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0110, 0x4001, &com_buff, 2);
++ /* Analogue input 1 right channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0111, 0x4001, &com_buff, 2);
++ /* Analogue input 2 left channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0114, 0x4001, &com_buff, 2);
++ /* Analogue input 2 right channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0115, 0x4001, &com_buff, 2);
++ /* Analogue input 3 left channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0118, 0x4001, &com_buff, 2);
++ /* Analogue input 3 right channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0119, 0x4001, &com_buff, 2);
++ /* Analogue input 4 left channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x011c, 0x4001, &com_buff, 2);
++ /* Analogue input 4 right channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x011d, 0x4001, &com_buff, 2);
++
++ /* Set software sends to output */
++ com_buff[0] = 0x00;
++ com_buff[1] = 0x00;
++ /* Analogue software return 1 left channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0100, 0x4001, &com_buff, 2);
++ com_buff[0] = 0x00;
++ com_buff[1] = 0x80;
++ /* Analogue software return 1 right channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0101, 0x4001, &com_buff, 2);
++ com_buff[0] = 0x00;
++ com_buff[1] = 0x80;
++ /* Analogue software return 2 left channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0104, 0x4001, &com_buff, 2);
++ com_buff[0] = 0x00;
++ com_buff[1] = 0x00;
++ /* Analogue software return 2 right channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0105, 0x4001, &com_buff, 2);
++
++ com_buff[0] = 0x00;
++ com_buff[1] = 0x80;
++ /* Analogue software return 3 left channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0108, 0x4001, &com_buff, 2);
++ /* Analogue software return 3 right channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0109, 0x4001, &com_buff, 2);
++ /* Analogue software return 4 left channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x010c, 0x4001, &com_buff, 2);
++ /* Analogue software return 4 right channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x010d, 0x4001, &com_buff, 2);
++
++ /* Return to muting sends */
++ com_buff[0] = 0x00;
++ com_buff[1] = 0x80;
++ /* Analogue fx return left channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0120, 0x4001, &com_buff, 2);
++ /* Analogue fx return right channel: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0121, 0x4001, &com_buff, 2);
++
++ /* Analogue software input 1 fx send: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0100, 0x4201, &com_buff, 2);
++ /* Analogue software input 2 fx send: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0101, 0x4201, &com_buff, 2);
++ /* Analogue software input 3 fx send: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0102, 0x4201, &com_buff, 2);
++ /* Analogue software input 4 fx send: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0103, 0x4201, &com_buff, 2);
++ /* Analogue input 1 fx send: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0104, 0x4201, &com_buff, 2);
++ /* Analogue input 2 fx send: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0105, 0x4201, &com_buff, 2);
++ /* Analogue input 3 fx send: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0106, 0x4201, &com_buff, 2);
++ /* Analogue input 4 fx send: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0107, 0x4201, &com_buff, 2);
++
++ /* Toggle allowing host control */
++ com_buff[0] = 0x02;
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 3, 0x21, 0x0000, 0x2001, &com_buff, 1);
++
++ /* Do not dim fx returns */
++ com_buff[0] = 0x00;
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 3, 0x21, 0x0002, 0x2001, &com_buff, 1);
++
++ /* Do not set fx returns to mono */
++ com_buff[0] = 0x00;
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 3, 0x21, 0x0001, 0x2001, &com_buff, 1);
++
++ /* Mute the S/PDIF hardware loopback
++ * same odd volume logic here as above
++ */
++ com_buff[0] = 0x00;
++ com_buff[1] = 0x80;
++ /* S/PDIF hardware input 1 left channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0112, 0x4001, &com_buff, 2);
++ /* S/PDIF hardware input 1 right channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0113, 0x4001, &com_buff, 2);
++ /* S/PDIF hardware input 2 left channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0116, 0x4001, &com_buff, 2);
++ /* S/PDIF hardware input 2 right channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0117, 0x4001, &com_buff, 2);
++ /* S/PDIF hardware input 3 left channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x011a, 0x4001, &com_buff, 2);
++ /* S/PDIF hardware input 3 right channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x011b, 0x4001, &com_buff, 2);
++ /* S/PDIF hardware input 4 left channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x011e, 0x4001, &com_buff, 2);
++ /* S/PDIF hardware input 4 right channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x011f, 0x4001, &com_buff, 2);
++ /* S/PDIF software return 1 left channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0102, 0x4001, &com_buff, 2);
++ /* S/PDIF software return 1 right channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0103, 0x4001, &com_buff, 2);
++ /* S/PDIF software return 2 left channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0106, 0x4001, &com_buff, 2);
++ /* S/PDIF software return 2 right channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0107, 0x4001, &com_buff, 2);
++
++ com_buff[0] = 0x00;
++ com_buff[1] = 0x00;
++ /* S/PDIF software return 3 left channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x010a, 0x4001, &com_buff, 2);
++
++ com_buff[0] = 0x00;
++ com_buff[1] = 0x80;
++ /* S/PDIF software return 3 right channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x010b, 0x4001, &com_buff, 2);
++ /* S/PDIF software return 4 left channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x010e, 0x4001, &com_buff, 2);
++
++ com_buff[0] = 0x00;
++ com_buff[1] = 0x00;
++ /* S/PDIF software return 4 right channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x010f, 0x4001, &com_buff, 2);
++
++ com_buff[0] = 0x00;
++ com_buff[1] = 0x80;
++ /* S/PDIF fx returns left channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0122, 0x4001, &com_buff, 2);
++ /* S/PDIF fx returns right channel */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0123, 0x4001, &com_buff, 2);
++
++ /* Set the dropdown "Effect" to the first option */
++ /* Room1 = 0x00 */
++ /* Room2 = 0x01 */
++ /* Room3 = 0x02 */
++ /* Hall 1 = 0x03 */
++ /* Hall 2 = 0x04 */
++ /* Plate = 0x05 */
++ /* Delay = 0x06 */
++ /* Echo = 0x07 */
++ com_buff[0] = 0x00;
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0200, 0x4301, &com_buff, 1); /* max is 0xff */
++ /* min is 0x00 */
++
++
++ /* Set the effect duration to 0 */
++ /* max is 0xffff */
++ /* min is 0x0000 */
++ com_buff[0] = 0x00;
++ com_buff[1] = 0x00;
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0400, 0x4301, &com_buff, 2);
++
++ /* Set the effect volume and feedback to 0 */
++ /* max is 0xff */
++ /* min is 0x00 */
++ com_buff[0] = 0x00;
++ /* feedback: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0500, 0x4301, &com_buff, 1);
++ /* volume: */
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 1, 0x21, 0x0300, 0x4301, &com_buff, 1);
++
++ /* Set soft button hold duration */
++ /* 0x03 = 250ms */
++ /* 0x05 = 500ms DEFAULT */
++ /* 0x08 = 750ms */
++ /* 0x0a = 1sec */
++ com_buff[0] = 0x05;
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 3, 0x21, 0x0005, 0x2001, &com_buff, 1);
++
++ /* Use dim LEDs for button of state */
++ com_buff[0] = 0x00;
++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0),
++ 3, 0x21, 0x0004, 0x2001, &com_buff, 1);
++}
++
++#define MBOX3_DESCRIPTOR_SIZE 464
++
++static int snd_usb_mbox3_boot_quirk(struct usb_device *dev)
++{
++ struct usb_host_config *config = dev->actconfig;
++ int err;
++ int descriptor_size;
++
++ descriptor_size = le16_to_cpu(get_cfg_desc(config)->wTotalLength);
++
++ if (descriptor_size != MBOX3_DESCRIPTOR_SIZE) {
++ dev_err(&dev->dev, "Invalid descriptor size=%d.\n", descriptor_size);
++ return -ENODEV;
++ }
++
++ dev_dbg(&dev->dev, "device initialised!\n");
++
++ err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
++ &dev->descriptor, sizeof(dev->descriptor));
++ config = dev->actconfig;
++ if (err < 0)
++ dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
++
++ err = usb_reset_configuration(dev);
++ if (err < 0)
++ dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err);
++ dev_dbg(&dev->dev, "mbox3_boot: new boot length = %d\n",
++ le16_to_cpu(get_cfg_desc(config)->wTotalLength));
++
++ mbox3_setup_48_24_magic(dev);
++ dev_info(&dev->dev, "Digidesign Mbox 3: 24bit 48kHz");
++
++ return 0; /* Successful boot */
++}
+
+ #define MICROBOOK_BUF_SIZE 128
+
+@@ -1324,6 +1622,10 @@ int snd_usb_apply_boot_quirk(struct usb_device *dev,
+ case USB_ID(0x0dba, 0x3000):
+ /* Digidesign Mbox 2 */
+ return snd_usb_mbox2_boot_quirk(dev);
++ case USB_ID(0x0dba, 0x5000):
++ /* Digidesign Mbox 3 */
++ return snd_usb_mbox3_boot_quirk(dev);
++
+
+ case USB_ID(0x1235, 0x0010): /* Focusrite Novation Saffire 6 USB */
+ case USB_ID(0x1235, 0x0018): /* Focusrite Novation Twitch */
+--
+2.35.1
+
--- /dev/null
+From 7d68abce80a2dfaa7d00b6283cc80459b668a106 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 20:11:26 +0200
+Subject: ALSA: usb-audio: Properly refcounting clock rate
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 9a737e7f8b371e97eb649904276407cee2c9cf30 ]
+
+We fixed the bug introduced by the patch for managing the shared
+clocks at the commit 809f44a0cc5a ("ALSA: usb-audio: Clear fixed clock
+rate at closing EP"), but it was merely a workaround. By this change,
+the clock reference rate is cleared at each EP close, hence the still
+remaining EP may need a re-setup of rate unnecessarily.
+
+This patch introduces the proper refcounting for the clock reference
+object so that the clock setup is done only when needed.
+
+Fixes: 809f44a0cc5a ("ALSA: usb-audio: Clear fixed clock rate at closing EP")
+Fixes: c11117b634f4 ("ALSA: usb-audio: Refcount multiple accesses on the single clock")
+Link: https://lore.kernel.org/r/20220920181126.4912-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/endpoint.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
+index f8a5329fb131..48a3843a08f1 100644
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -39,6 +39,7 @@ struct snd_usb_iface_ref {
+ struct snd_usb_clock_ref {
+ unsigned char clock;
+ atomic_t locked;
++ int opened;
+ int rate;
+ bool need_setup;
+ struct list_head list;
+@@ -804,6 +805,7 @@ snd_usb_endpoint_open(struct snd_usb_audio *chip,
+ ep = NULL;
+ goto unlock;
+ }
++ ep->clock_ref->opened++;
+ }
+
+ ep->cur_audiofmt = fp;
+@@ -927,8 +929,10 @@ void snd_usb_endpoint_close(struct snd_usb_audio *chip,
+ endpoint_set_interface(chip, ep, false);
+
+ if (!--ep->opened) {
+- if (ep->clock_ref && !atomic_read(&ep->clock_ref->locked))
+- ep->clock_ref->rate = 0;
++ if (ep->clock_ref) {
++ if (!--ep->clock_ref->opened)
++ ep->clock_ref->rate = 0;
++ }
+ ep->iface = 0;
+ ep->altsetting = 0;
+ ep->cur_audiofmt = NULL;
+@@ -1649,8 +1653,7 @@ void snd_usb_endpoint_stop(struct snd_usb_endpoint *ep, bool keep_pending)
+ WRITE_ONCE(ep->sync_source->sync_sink, NULL);
+ stop_urbs(ep, false, keep_pending);
+ if (ep->clock_ref)
+- if (!atomic_dec_return(&ep->clock_ref->locked))
+- ep->clock_ref->rate = 0;
++ atomic_dec(&ep->clock_ref->locked);
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From d2813634190e1817b641e4f5c077e893dda53026 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Sep 2022 18:12:47 +0200
+Subject: ALSA: usb-audio: Register card at the last interface
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 6392dcd1d0c7034ccf630ec55fc9e5810ecadf3b ]
+
+The USB-audio driver matches per interface, and as default, it
+registers the card instance at the very first instance. This can be a
+problem for the devices that have multiple interfaces to be probed, as
+the udev rule isn't applied properly for the later appearing
+interfaces. Although we introduced the delayed_register option and
+the quirks for covering those shortcomings, it's nothing but a
+workaround for specific devices.
+
+This patch is an another attempt to fix the problem in a more generic
+way. Now the driver checks the whole USB device descriptor at the
+very first time when an interface is attached to a sound card. It
+looks at each matching interface in the descriptor and remembers the
+last matching one. The snd_card_register() is invoked only when this
+last interface is probed.
+
+After this change, the quirks for the delayed registration become
+superfluous, hence they are removed along with the patch. OTOH, the
+delayed_register option is still kept, as it might be useful for some
+corner cases (e.g. a special driver overtakes the interface probe from
+the standard driver, and the last interface probe may miss).
+
+Link: https://lore.kernel.org/r/20220904161247.16461-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/card.c | 32 +++++++++++++++++++++++++-------
+ sound/usb/quirks.c | 42 ------------------------------------------
+ sound/usb/quirks.h | 2 --
+ sound/usb/usbaudio.h | 1 +
+ 4 files changed, 26 insertions(+), 51 deletions(-)
+
+diff --git a/sound/usb/card.c b/sound/usb/card.c
+index 706d249a9ad6..3aea241435fb 100644
+--- a/sound/usb/card.c
++++ b/sound/usb/card.c
+@@ -690,7 +690,7 @@ static bool get_alias_id(struct usb_device *dev, unsigned int *id)
+ return false;
+ }
+
+-static bool check_delayed_register_option(struct snd_usb_audio *chip, int iface)
++static int check_delayed_register_option(struct snd_usb_audio *chip)
+ {
+ int i;
+ unsigned int id, inum;
+@@ -699,14 +699,31 @@ static bool check_delayed_register_option(struct snd_usb_audio *chip, int iface)
+ if (delayed_register[i] &&
+ sscanf(delayed_register[i], "%x:%x", &id, &inum) == 2 &&
+ id == chip->usb_id)
+- return iface < inum;
++ return inum;
+ }
+
+- return false;
++ return -1;
+ }
+
+ static const struct usb_device_id usb_audio_ids[]; /* defined below */
+
++/* look for the last interface that matches with our ids and remember it */
++static void find_last_interface(struct snd_usb_audio *chip)
++{
++ struct usb_host_config *config = chip->dev->actconfig;
++ struct usb_interface *intf;
++ int i;
++
++ if (!config)
++ return;
++ for (i = 0; i < config->desc.bNumInterfaces; i++) {
++ intf = config->interface[i];
++ if (usb_match_id(intf, usb_audio_ids))
++ chip->last_iface = intf->altsetting[0].desc.bInterfaceNumber;
++ }
++ usb_audio_dbg(chip, "Found last interface = %d\n", chip->last_iface);
++}
++
+ /* look for the corresponding quirk */
+ static const struct snd_usb_audio_quirk *
+ get_alias_quirk(struct usb_device *dev, unsigned int id)
+@@ -813,6 +830,7 @@ static int usb_audio_probe(struct usb_interface *intf,
+ err = -ENODEV;
+ goto __error;
+ }
++ find_last_interface(chip);
+ }
+
+ if (chip->num_interfaces >= MAX_CARD_INTERFACES) {
+@@ -862,11 +880,11 @@ static int usb_audio_probe(struct usb_interface *intf,
+ chip->need_delayed_register = false; /* clear again */
+ }
+
+- /* we are allowed to call snd_card_register() many times, but first
+- * check to see if a device needs to skip it or do anything special
++ /* register card if we reach to the last interface or to the specified
++ * one given via option
+ */
+- if (!snd_usb_registration_quirk(chip, ifnum) &&
+- !check_delayed_register_option(chip, ifnum)) {
++ if (check_delayed_register_option(chip) == ifnum ||
++ chip->last_iface == ifnum) {
+ err = snd_card_register(chip->card);
+ if (err < 0)
+ goto __error;
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 194c75c45628..eadac586bcc8 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -2030,48 +2030,6 @@ void snd_usb_audioformat_attributes_quirk(struct snd_usb_audio *chip,
+ }
+ }
+
+-/*
+- * registration quirk:
+- * the registration is skipped if a device matches with the given ID,
+- * unless the interface reaches to the defined one. This is for delaying
+- * the registration until the last known interface, so that the card and
+- * devices appear at the same time.
+- */
+-
+-struct registration_quirk {
+- unsigned int usb_id; /* composed via USB_ID() */
+- unsigned int interface; /* the interface to trigger register */
+-};
+-
+-#define REG_QUIRK_ENTRY(vendor, product, iface) \
+- { .usb_id = USB_ID(vendor, product), .interface = (iface) }
+-
+-static const struct registration_quirk registration_quirks[] = {
+- REG_QUIRK_ENTRY(0x0951, 0x16d8, 2), /* Kingston HyperX AMP */
+- REG_QUIRK_ENTRY(0x0951, 0x16ed, 2), /* Kingston HyperX Cloud Alpha S */
+- REG_QUIRK_ENTRY(0x0951, 0x16ea, 2), /* Kingston HyperX Cloud Flight S */
+- REG_QUIRK_ENTRY(0x0ecb, 0x1f46, 2), /* JBL Quantum 600 */
+- REG_QUIRK_ENTRY(0x0ecb, 0x1f47, 2), /* JBL Quantum 800 */
+- REG_QUIRK_ENTRY(0x0ecb, 0x1f4c, 2), /* JBL Quantum 400 */
+- REG_QUIRK_ENTRY(0x0ecb, 0x2039, 2), /* JBL Quantum 400 */
+- REG_QUIRK_ENTRY(0x0ecb, 0x203c, 2), /* JBL Quantum 600 */
+- REG_QUIRK_ENTRY(0x0ecb, 0x203e, 2), /* JBL Quantum 800 */
+- { 0 } /* terminator */
+-};
+-
+-/* return true if skipping registration */
+-bool snd_usb_registration_quirk(struct snd_usb_audio *chip, int iface)
+-{
+- const struct registration_quirk *q;
+-
+- for (q = registration_quirks; q->usb_id; q++)
+- if (chip->usb_id == q->usb_id)
+- return iface < q->interface;
+-
+- /* Register as normal */
+- return false;
+-}
+-
+ /*
+ * driver behavior quirk flags
+ */
+diff --git a/sound/usb/quirks.h b/sound/usb/quirks.h
+index 31abb7cb01a5..f9bfd5ac7bab 100644
+--- a/sound/usb/quirks.h
++++ b/sound/usb/quirks.h
+@@ -48,8 +48,6 @@ void snd_usb_audioformat_attributes_quirk(struct snd_usb_audio *chip,
+ struct audioformat *fp,
+ int stream);
+
+-bool snd_usb_registration_quirk(struct snd_usb_audio *chip, int iface);
+-
+ void snd_usb_init_quirk_flags(struct snd_usb_audio *chip);
+
+ #endif /* __USBAUDIO_QUIRKS_H */
+diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h
+index ffbb4b0d09a0..2c6575029b1c 100644
+--- a/sound/usb/usbaudio.h
++++ b/sound/usb/usbaudio.h
+@@ -37,6 +37,7 @@ struct snd_usb_audio {
+ unsigned int quirk_flags;
+ unsigned int need_delayed_register:1; /* warn for delayed registration */
+ int num_interfaces;
++ int last_iface;
+ int num_suspended_intf;
+ int sample_rate_read_error;
+
+--
+2.35.1
+
--- /dev/null
+From e9c127906f179a83ac7127486144883d68e22e17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 20:11:06 +0200
+Subject: ALSA: usb-audio: Split endpoint setups for hw_params and prepare
+ (take#2)
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 2be79d58645465351af5320eb14c70a94724c5ef ]
+
+This is a second attempt to fix the bug appearing on Android with the
+recent kernel; the first try was ff878b408a03 and reverted at commit
+79764ec772bc.
+
+The details taken from the v1 patch:
+
+One of the former changes for the endpoint management was the more
+consistent setup of endpoints at hw_params.
+snd_usb_endpoint_configure() is a single function that does the full
+setup, and it's called from both PCM hw_params and prepare callbacks.
+Although the EP setup at the prepare phase is usually skipped (by
+checking need_setup flag), it may be still effective in some cases
+like suspend/resume that requires the interface setup again.
+
+As it's a full and single setup, the invocation of
+snd_usb_endpoint_configure() includes not only the USB interface setup
+but also the buffer release and allocation. OTOH, doing the buffer
+release and re-allocation at PCM prepare phase is rather superfluous,
+and better to be done only in the hw_params phase.
+
+For those optimizations, this patch splits the endpoint setup to two
+phases: snd_usb_endpoint_set_params() and snd_usb_endpoint_prepare(),
+to be called from hw_params and from prepare, respectively.
+
+Note that this patch changes the driver operation slightly,
+effectively moving the USB interface setup again to PCM prepare stage
+instead of hw_params stage, while the buffer allocation and such
+initializations are still done at hw_params stage.
+
+And, the change of the USB interface setup timing (moving to prepare)
+gave an interesting "fix", too: it was reported that the recent
+kernels caused silent output at the beginning on playbacks on some
+devices on Android, and this change casually fixed the regression.
+It seems that those devices are picky about the sample rate change (or
+the interface change?), and don't follow the too immediate rate
+changes.
+
+Meanwhile, Android operates the PCM in the following order:
+- open, then hw_params with the possibly highest sample rate
+- close without prepare
+- re-open, hw_params with the normal sample rate
+- prepare, and start streaming
+This procedure ended up the hw_params twice with different rates, and
+because the recent kernel did set up the sample rate twice one and
+after, it screwed up the device. OTOH, the earlier kernels didn't set
+up the USB interface at hw_params, hence this problem didn't appear.
+
+Now, with this patch, the USB interface setup is again back to the
+prepare phase, and it works around the problem automagically.
+Although we should address the sample rate problem in a more solid
+way in future, let's keep things working as before for now.
+
+***
+
+What's new in the take#2 patch:
+- The regression caused by the v1 patch (bko#216500) was due to the
+ missing check of need_setup flag at hw_params. Now the check is
+ added, and the snd_usb_endpoint_set_params() call is skipped when
+ the running EP is re-opened.
+
+- There was another bug in v1 where the clock reference rate wasn't
+ updated at hw_params phase, which may lead to a lack of the proper
+ hw constraints when an application doesn't issue the prepare but
+ only the hw_params call. This patch fixes it as well by tracking
+ the clock rate change in the prepare callback with a new flag
+ "need_update" for the clock reference object, just like others.
+
+- The configure_endpoints() are simplified and folded back into
+ snd_usb_pcm_prepare().
+
+Fixes: bf6313a0ff76 ("ALSA: usb-audio: Refactor endpoint management")
+Fixes: ff878b408a03 ("ALSA: usb-audio: Split endpoint setups for hw_params and prepare")
+Reported-by: chihhao chen <chihhao.chen@mediatek.com>
+Link: https://lore.kernel.org/r/87e6d6ae69d68dc588ac9acc8c0f24d6188375c3.camel@mediatek.com
+Link: https://lore.kernel.org/r/20220901124136.4984-1-tiwai@suse.de
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216500
+Link: https://lore.kernel.org/r/20220920181106.4894-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/endpoint.c | 76 +++++++++++++++++++++++++++-----------------
+ sound/usb/endpoint.h | 6 ++--
+ sound/usb/pcm.c | 51 ++++++++++++-----------------
+ 3 files changed, 70 insertions(+), 63 deletions(-)
+
+diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
+index 6d8989482ade..f8a5329fb131 100644
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -40,6 +40,7 @@ struct snd_usb_clock_ref {
+ unsigned char clock;
+ atomic_t locked;
+ int rate;
++ bool need_setup;
+ struct list_head list;
+ };
+
+@@ -759,7 +760,8 @@ bool snd_usb_endpoint_compatible(struct snd_usb_audio *chip,
+ * The endpoint needs to be closed via snd_usb_endpoint_close() later.
+ *
+ * Note that this function doesn't configure the endpoint. The substream
+- * needs to set it up later via snd_usb_endpoint_configure().
++ * needs to set it up later via snd_usb_endpoint_set_params() and
++ * snd_usb_endpoint_prepare().
+ */
+ struct snd_usb_endpoint *
+ snd_usb_endpoint_open(struct snd_usb_audio *chip,
+@@ -1289,15 +1291,39 @@ static int sync_ep_set_params(struct snd_usb_endpoint *ep)
+ return -ENOMEM;
+ }
+
++/* update the rate of the referred clock; return the actual rate */
++static int update_clock_ref_rate(struct snd_usb_audio *chip,
++ struct snd_usb_endpoint *ep)
++{
++ struct snd_usb_clock_ref *clock = ep->clock_ref;
++ int rate = ep->cur_rate;
++
++ if (!clock || clock->rate == rate)
++ return rate;
++ if (clock->rate) {
++ if (atomic_read(&clock->locked))
++ return clock->rate;
++ if (clock->rate != rate) {
++ usb_audio_err(chip, "Mismatched sample rate %d vs %d for EP 0x%x\n",
++ clock->rate, rate, ep->ep_num);
++ return clock->rate;
++ }
++ }
++ clock->rate = rate;
++ clock->need_setup = true;
++ return rate;
++}
++
+ /*
+ * snd_usb_endpoint_set_params: configure an snd_usb_endpoint
+ *
++ * It's called either from hw_params callback.
+ * Determine the number of URBs to be used on this endpoint.
+ * An endpoint must be configured before it can be started.
+ * An endpoint that is already running can not be reconfigured.
+ */
+-static int snd_usb_endpoint_set_params(struct snd_usb_audio *chip,
+- struct snd_usb_endpoint *ep)
++int snd_usb_endpoint_set_params(struct snd_usb_audio *chip,
++ struct snd_usb_endpoint *ep)
+ {
+ const struct audioformat *fmt = ep->cur_audiofmt;
+ int err;
+@@ -1349,49 +1375,46 @@ static int snd_usb_endpoint_set_params(struct snd_usb_audio *chip,
+ ep->maxframesize = ep->maxpacksize / ep->cur_frame_bytes;
+ ep->curframesize = ep->curpacksize / ep->cur_frame_bytes;
+
+- return 0;
++ return update_clock_ref_rate(chip, ep);
+ }
+
+ static int init_sample_rate(struct snd_usb_audio *chip,
+ struct snd_usb_endpoint *ep)
+ {
+ struct snd_usb_clock_ref *clock = ep->clock_ref;
+- int err;
++ int rate, err;
+
+- if (clock) {
+- if (atomic_read(&clock->locked))
+- return 0;
+- if (clock->rate == ep->cur_rate)
+- return 0;
+- if (clock->rate && clock->rate != ep->cur_rate) {
+- usb_audio_dbg(chip, "Mismatched sample rate %d vs %d for EP 0x%x\n",
+- clock->rate, ep->cur_rate, ep->ep_num);
+- return -EINVAL;
+- }
+- }
++ rate = update_clock_ref_rate(chip, ep);
++ if (rate < 0)
++ return rate;
++ if (clock && !clock->need_setup)
++ return 0;
+
+- err = snd_usb_init_sample_rate(chip, ep->cur_audiofmt, ep->cur_rate);
+- if (err < 0)
++ err = snd_usb_init_sample_rate(chip, ep->cur_audiofmt, rate);
++ if (err < 0) {
++ if (clock)
++ clock->rate = 0; /* reset rate */
+ return err;
++ }
+
+ if (clock)
+- clock->rate = ep->cur_rate;
++ clock->need_setup = false;
+ return 0;
+ }
+
+ /*
+- * snd_usb_endpoint_configure: Configure the endpoint
++ * snd_usb_endpoint_prepare: Prepare the endpoint
+ *
+ * This function sets up the EP to be fully usable state.
+- * It's called either from hw_params or prepare callback.
++ * It's called either from prepare callback.
+ * The function checks need_setup flag, and performs nothing unless needed,
+ * so it's safe to call this multiple times.
+ *
+ * This returns zero if unchanged, 1 if the configuration has changed,
+ * or a negative error code.
+ */
+-int snd_usb_endpoint_configure(struct snd_usb_audio *chip,
+- struct snd_usb_endpoint *ep)
++int snd_usb_endpoint_prepare(struct snd_usb_audio *chip,
++ struct snd_usb_endpoint *ep)
+ {
+ bool iface_first;
+ int err = 0;
+@@ -1412,9 +1435,6 @@ int snd_usb_endpoint_configure(struct snd_usb_audio *chip,
+ if (err < 0)
+ goto unlock;
+ }
+- err = snd_usb_endpoint_set_params(chip, ep);
+- if (err < 0)
+- goto unlock;
+ goto done;
+ }
+
+@@ -1442,10 +1462,6 @@ int snd_usb_endpoint_configure(struct snd_usb_audio *chip,
+ if (err < 0)
+ goto unlock;
+
+- err = snd_usb_endpoint_set_params(chip, ep);
+- if (err < 0)
+- goto unlock;
+-
+ err = snd_usb_select_mode_quirk(chip, ep->cur_audiofmt);
+ if (err < 0)
+ goto unlock;
+diff --git a/sound/usb/endpoint.h b/sound/usb/endpoint.h
+index 6a9af04cf175..e67ea28faa54 100644
+--- a/sound/usb/endpoint.h
++++ b/sound/usb/endpoint.h
+@@ -17,8 +17,10 @@ snd_usb_endpoint_open(struct snd_usb_audio *chip,
+ bool is_sync_ep);
+ void snd_usb_endpoint_close(struct snd_usb_audio *chip,
+ struct snd_usb_endpoint *ep);
+-int snd_usb_endpoint_configure(struct snd_usb_audio *chip,
+- struct snd_usb_endpoint *ep);
++int snd_usb_endpoint_set_params(struct snd_usb_audio *chip,
++ struct snd_usb_endpoint *ep);
++int snd_usb_endpoint_prepare(struct snd_usb_audio *chip,
++ struct snd_usb_endpoint *ep);
+ int snd_usb_endpoint_get_clock_rate(struct snd_usb_audio *chip, int clock);
+
+ bool snd_usb_endpoint_compatible(struct snd_usb_audio *chip,
+diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
+index d45d1d7e6664..e721fc12acde 100644
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -433,35 +433,6 @@ static void close_endpoints(struct snd_usb_audio *chip,
+ }
+ }
+
+-static int configure_endpoints(struct snd_usb_audio *chip,
+- struct snd_usb_substream *subs)
+-{
+- int err;
+-
+- if (subs->data_endpoint->need_setup) {
+- /* stop any running stream beforehand */
+- if (stop_endpoints(subs, false))
+- sync_pending_stops(subs);
+- if (subs->sync_endpoint) {
+- err = snd_usb_endpoint_configure(chip, subs->sync_endpoint);
+- if (err < 0)
+- return err;
+- }
+- err = snd_usb_endpoint_configure(chip, subs->data_endpoint);
+- if (err < 0)
+- return err;
+- snd_usb_set_format_quirk(subs, subs->cur_audiofmt);
+- } else {
+- if (subs->sync_endpoint) {
+- err = snd_usb_endpoint_configure(chip, subs->sync_endpoint);
+- if (err < 0)
+- return err;
+- }
+- }
+-
+- return 0;
+-}
+-
+ /*
+ * hw_params callback
+ *
+@@ -551,7 +522,16 @@ static int snd_usb_hw_params(struct snd_pcm_substream *substream,
+ subs->cur_audiofmt = fmt;
+ mutex_unlock(&chip->mutex);
+
+- ret = configure_endpoints(chip, subs);
++ if (!subs->data_endpoint->need_setup)
++ goto unlock;
++
++ if (subs->sync_endpoint) {
++ ret = snd_usb_endpoint_set_params(chip, subs->sync_endpoint);
++ if (ret < 0)
++ goto unlock;
++ }
++
++ ret = snd_usb_endpoint_set_params(chip, subs->data_endpoint);
+
+ unlock:
+ if (ret < 0)
+@@ -634,9 +614,18 @@ static int snd_usb_pcm_prepare(struct snd_pcm_substream *substream)
+ goto unlock;
+ }
+
+- ret = configure_endpoints(chip, subs);
++ if (subs->sync_endpoint) {
++ ret = snd_usb_endpoint_prepare(chip, subs->sync_endpoint);
++ if (ret < 0)
++ goto unlock;
++ }
++
++ ret = snd_usb_endpoint_prepare(chip, subs->data_endpoint);
+ if (ret < 0)
+ goto unlock;
++ else if (ret > 0)
++ snd_usb_set_format_quirk(subs, subs->cur_audiofmt);
++ ret = 0;
+
+ /* reset the pointer */
+ subs->buffer_bytes = frames_to_bytes(runtime, runtime->buffer_size);
+--
+2.35.1
+
--- /dev/null
+From 76287c94137a118cb4747192019a75991a2a3ec0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 09:06:22 +0100
+Subject: ARM: 9233/1: stacktrace: Skip frame pointer boundary check for
+ call_with_stack()
+
+From: Li Huafei <lihuafei1@huawei.com>
+
+[ Upstream commit 5854e4d8530e6ed4c2532a71a6b0474e199d44dd ]
+
+When using the frame pointer unwinder, it was found that the stack trace
+output of stack_trace_save() is incomplete if the stack contains
+call_with_stack():
+
+ [0x7f00002c] dump_stack_task+0x2c/0x90 [hrtimer]
+ [0x7f0000a0] hrtimer_hander+0x10/0x18 [hrtimer]
+ [0x801a67f0] __hrtimer_run_queues+0x1b0/0x3b4
+ [0x801a7350] hrtimer_run_queues+0xc4/0xd8
+ [0x801a597c] update_process_times+0x3c/0x88
+ [0x801b5a98] tick_periodic+0x50/0xd8
+ [0x801b5bf4] tick_handle_periodic+0x24/0x84
+ [0x8010ffc4] twd_handler+0x38/0x48
+ [0x8017d220] handle_percpu_devid_irq+0xa8/0x244
+ [0x80176e9c] generic_handle_domain_irq+0x2c/0x3c
+ [0x8052e3a8] gic_handle_irq+0x7c/0x90
+ [0x808ab15c] generic_handle_arch_irq+0x60/0x80
+ [0x8051191c] call_with_stack+0x1c/0x20
+
+For the frame pointer unwinder, unwind_frame() checks stackframe::fp by
+stackframe::sp. Since call_with_stack() switches the SP from one stack
+to another, stackframe::fp and stackframe: :sp will point to different
+stacks, so we can no longer check stackframe::fp by stackframe::sp. Skip
+checking stackframe::fp at this point to avoid this problem.
+
+Signed-off-by: Li Huafei <lihuafei1@huawei.com>
+Reviewed-by: Linus Waleij <linus.walleij@linaro.org>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/stacktrace.c | 40 ++++++++++++++++++++++++++++------
+ arch/arm/lib/call_with_stack.S | 2 ++
+ 2 files changed, 35 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c
+index d0fa2037460a..af87040b0353 100644
+--- a/arch/arm/kernel/stacktrace.c
++++ b/arch/arm/kernel/stacktrace.c
+@@ -9,6 +9,8 @@
+ #include <asm/stacktrace.h>
+ #include <asm/traps.h>
+
++#include "reboot.h"
++
+ #if defined(CONFIG_FRAME_POINTER) && !defined(CONFIG_ARM_UNWIND)
+ /*
+ * Unwind the current stack frame and store the new register values in the
+@@ -39,29 +41,53 @@
+ * Note that with framepointer enabled, even the leaf functions have the same
+ * prologue and epilogue, therefore we can ignore the LR value in this case.
+ */
+-int notrace unwind_frame(struct stackframe *frame)
++
++extern unsigned long call_with_stack_end;
++
++static int frame_pointer_check(struct stackframe *frame)
+ {
+ unsigned long high, low;
+ unsigned long fp = frame->fp;
++ unsigned long pc = frame->pc;
++
++ /*
++ * call_with_stack() is the only place we allow SP to jump from one
++ * stack to another, with FP and SP pointing to different stacks,
++ * skipping the FP boundary check at this point.
++ */
++ if (pc >= (unsigned long)&call_with_stack &&
++ pc < (unsigned long)&call_with_stack_end)
++ return 0;
+
+ /* only go to a higher address on the stack */
+ low = frame->sp;
+ high = ALIGN(low, THREAD_SIZE);
+
+-#ifdef CONFIG_CC_IS_CLANG
+ /* check current frame pointer is within bounds */
++#ifdef CONFIG_CC_IS_CLANG
+ if (fp < low + 4 || fp > high - 4)
+ return -EINVAL;
+-
+- frame->sp = frame->fp;
+- frame->fp = READ_ONCE_NOCHECK(*(unsigned long *)(fp));
+- frame->pc = READ_ONCE_NOCHECK(*(unsigned long *)(fp + 4));
+ #else
+- /* check current frame pointer is within bounds */
+ if (fp < low + 12 || fp > high - 4)
+ return -EINVAL;
++#endif
++
++ return 0;
++}
++
++int notrace unwind_frame(struct stackframe *frame)
++{
++ unsigned long fp = frame->fp;
++
++ if (frame_pointer_check(frame))
++ return -EINVAL;
+
+ /* restore the registers from the stack frame */
++#ifdef CONFIG_CC_IS_CLANG
++ frame->sp = frame->fp;
++ frame->fp = READ_ONCE_NOCHECK(*(unsigned long *)(fp));
++ frame->pc = READ_ONCE_NOCHECK(*(unsigned long *)(fp + 4));
++#else
+ frame->fp = READ_ONCE_NOCHECK(*(unsigned long *)(fp - 12));
+ frame->sp = READ_ONCE_NOCHECK(*(unsigned long *)(fp - 8));
+ frame->pc = READ_ONCE_NOCHECK(*(unsigned long *)(fp - 4));
+diff --git a/arch/arm/lib/call_with_stack.S b/arch/arm/lib/call_with_stack.S
+index 0a268a6c513c..5030d4e8d126 100644
+--- a/arch/arm/lib/call_with_stack.S
++++ b/arch/arm/lib/call_with_stack.S
+@@ -46,4 +46,6 @@ UNWIND( .setfp fpreg, sp )
+ pop {fpreg, pc}
+ UNWIND( .fnend )
+ #endif
++ .globl call_with_stack_end
++call_with_stack_end:
+ ENDPROC(call_with_stack)
+--
+2.35.1
+
--- /dev/null
+From 470a131720c8f3115c7da56ad633195d8da89da1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 09:08:46 +0100
+Subject: ARM: 9234/1: stacktrace: Avoid duplicate saving of exception PC value
+
+From: Li Huafei <lihuafei1@huawei.com>
+
+[ Upstream commit 752ec621ef5c30777958cc5eb5f1cf394f7733f4 ]
+
+Because an exception stack frame is not created in the exception entry,
+save_trace() does special handling for the exception PC, but this is
+only needed when CONFIG_FRAME_POINTER_UNWIND=y. When
+CONFIG_ARM_UNWIND=y, unwind annotations have been added to the exception
+entry and save_trace() will repeatedly save the exception PC:
+
+ [0x7f000090] hrtimer_hander+0x8/0x10 [hrtimer]
+ [0x8019ec50] __hrtimer_run_queues+0x18c/0x394
+ [0x8019f760] hrtimer_run_queues+0xbc/0xd0
+ [0x8019def0] update_process_times+0x34/0x80
+ [0x801ad2a4] tick_periodic+0x48/0xd0
+ [0x801ad3dc] tick_handle_periodic+0x1c/0x7c
+ [0x8010f2e0] twd_handler+0x30/0x40
+ [0x80177620] handle_percpu_devid_irq+0xa0/0x23c
+ [0x801718d0] generic_handle_domain_irq+0x24/0x34
+ [0x80502d28] gic_handle_irq+0x74/0x88
+ [0x8085817c] generic_handle_arch_irq+0x58/0x78
+ [0x80100ba8] __irq_svc+0x88/0xc8
+ [0x80108114] arch_cpu_idle+0x38/0x3c
+ [0x80108114] arch_cpu_idle+0x38/0x3c <==== duplicate saved exception PC
+ [0x80861bf8] default_idle_call+0x38/0x130
+ [0x8015d5cc] do_idle+0x150/0x214
+ [0x8015d978] cpu_startup_entry+0x18/0x1c
+ [0x808589c0] rest_init+0xd8/0xdc
+ [0x80c00a44] arch_post_acpi_subsys_init+0x0/0x8
+
+We can move the special handling of the exception PC in save_trace() to
+the unwind_frame() of the frame pointer unwinder.
+
+Signed-off-by: Li Huafei <lihuafei1@huawei.com>
+Reviewed-by: Linus Waleij <linus.walleij@linaro.org>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/include/asm/stacktrace.h | 6 +++++
+ arch/arm/kernel/return_address.c | 1 +
+ arch/arm/kernel/stacktrace.c | 44 +++++++++++++++++++++----------
+ 3 files changed, 37 insertions(+), 14 deletions(-)
+
+diff --git a/arch/arm/include/asm/stacktrace.h b/arch/arm/include/asm/stacktrace.h
+index 3e78f921b8b2..39be2d1aa27b 100644
+--- a/arch/arm/include/asm/stacktrace.h
++++ b/arch/arm/include/asm/stacktrace.h
+@@ -21,6 +21,9 @@ struct stackframe {
+ struct llist_node *kr_cur;
+ struct task_struct *tsk;
+ #endif
++#ifdef CONFIG_UNWINDER_FRAME_POINTER
++ bool ex_frame;
++#endif
+ };
+
+ static __always_inline
+@@ -34,6 +37,9 @@ void arm_get_current_stackframe(struct pt_regs *regs, struct stackframe *frame)
+ frame->kr_cur = NULL;
+ frame->tsk = current;
+ #endif
++#ifdef CONFIG_UNWINDER_FRAME_POINTER
++ frame->ex_frame = in_entry_text(frame->pc);
++#endif
+ }
+
+ extern int unwind_frame(struct stackframe *frame);
+diff --git a/arch/arm/kernel/return_address.c b/arch/arm/kernel/return_address.c
+index 8aac1e10b117..38f1ea9c724d 100644
+--- a/arch/arm/kernel/return_address.c
++++ b/arch/arm/kernel/return_address.c
+@@ -47,6 +47,7 @@ void *return_address(unsigned int level)
+ frame.kr_cur = NULL;
+ frame.tsk = current;
+ #endif
++ frame.ex_frame = false;
+
+ walk_stackframe(&frame, save_return_addr, &data);
+
+diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c
+index af87040b0353..85443b5d1922 100644
+--- a/arch/arm/kernel/stacktrace.c
++++ b/arch/arm/kernel/stacktrace.c
+@@ -82,6 +82,27 @@ int notrace unwind_frame(struct stackframe *frame)
+ if (frame_pointer_check(frame))
+ return -EINVAL;
+
++ /*
++ * When we unwind through an exception stack, include the saved PC
++ * value into the stack trace.
++ */
++ if (frame->ex_frame) {
++ struct pt_regs *regs = (struct pt_regs *)frame->sp;
++
++ /*
++ * We check that 'regs + sizeof(struct pt_regs)' (that is,
++ * ®s[1]) does not exceed the bottom of the stack to avoid
++ * accessing data outside the task's stack. This may happen
++ * when frame->ex_frame is a false positive.
++ */
++ if ((unsigned long)®s[1] > ALIGN(frame->sp, THREAD_SIZE))
++ return -EINVAL;
++
++ frame->pc = regs->ARM_pc;
++ frame->ex_frame = false;
++ return 0;
++ }
++
+ /* restore the registers from the stack frame */
+ #ifdef CONFIG_CC_IS_CLANG
+ frame->sp = frame->fp;
+@@ -98,6 +119,9 @@ int notrace unwind_frame(struct stackframe *frame)
+ (void *)frame->fp, &frame->kr_cur);
+ #endif
+
++ if (in_entry_text(frame->pc))
++ frame->ex_frame = true;
++
+ return 0;
+ }
+ #endif
+@@ -128,7 +152,6 @@ static int save_trace(struct stackframe *frame, void *d)
+ {
+ struct stack_trace_data *data = d;
+ struct stack_trace *trace = data->trace;
+- struct pt_regs *regs;
+ unsigned long addr = frame->pc;
+
+ if (data->no_sched_functions && in_sched_functions(addr))
+@@ -139,19 +162,6 @@ static int save_trace(struct stackframe *frame, void *d)
+ }
+
+ trace->entries[trace->nr_entries++] = addr;
+-
+- if (trace->nr_entries >= trace->max_entries)
+- return 1;
+-
+- if (!in_entry_text(frame->pc))
+- return 0;
+-
+- regs = (struct pt_regs *)frame->sp;
+- if ((unsigned long)®s[1] > ALIGN(frame->sp, THREAD_SIZE))
+- return 0;
+-
+- trace->entries[trace->nr_entries++] = regs->ARM_pc;
+-
+ return trace->nr_entries >= trace->max_entries;
+ }
+
+@@ -193,6 +203,9 @@ static noinline void __save_stack_trace(struct task_struct *tsk,
+ frame.kr_cur = NULL;
+ frame.tsk = tsk;
+ #endif
++#ifdef CONFIG_UNWINDER_FRAME_POINTER
++ frame.ex_frame = false;
++#endif
+
+ walk_stackframe(&frame, save_trace, &data);
+ }
+@@ -214,6 +227,9 @@ void save_stack_trace_regs(struct pt_regs *regs, struct stack_trace *trace)
+ frame.kr_cur = NULL;
+ frame.tsk = current;
+ #endif
++#ifdef CONFIG_UNWINDER_FRAME_POINTER
++ frame.ex_frame = in_entry_text(frame.pc);
++#endif
+
+ walk_stackframe(&frame, save_trace, &data);
+ }
+--
+2.35.1
+
--- /dev/null
+From 32023abf27c148d884da9c99d729badef18c2364 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Sep 2022 16:26:59 +0100
+Subject: ARM: 9242/1: kasan: Only map modules if CONFIG_KASAN_VMALLOC=n
+
+From: Alex Sverdlin <alexander.sverdlin@nokia.com>
+
+[ Upstream commit 823f606ab6b4759a1faf0388abcf4fb0776710d2 ]
+
+In case CONFIG_KASAN_VMALLOC=y kasan_populate_vmalloc() allocates the
+shadow pages dynamically. But even worse is that kasan_release_vmalloc()
+releases them, which is not compatible with create_mapping() of
+MODULES_VADDR..MODULES_END range:
+
+BUG: Bad page state in process kworker/9:1 pfn:2068b
+page:e5e06160 refcount:0 mapcount:0 mapping:00000000 index:0x0
+flags: 0x1000(reserved)
+raw: 00001000 e5e06164 e5e06164 00000000 00000000 00000000 ffffffff 00000000
+page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
+bad because of flags: 0x1000(reserved)
+Modules linked in: ip_tables
+CPU: 9 PID: 154 Comm: kworker/9:1 Not tainted 5.4.188-... #1
+Hardware name: LSI Axxia AXM55XX
+Workqueue: events do_free_init
+unwind_backtrace
+show_stack
+dump_stack
+bad_page
+free_pcp_prepare
+free_unref_page
+kasan_depopulate_vmalloc_pte
+__apply_to_page_range
+apply_to_existing_page_range
+kasan_release_vmalloc
+__purge_vmap_area_lazy
+_vm_unmap_aliases.part.0
+__vunmap
+do_free_init
+process_one_work
+worker_thread
+kthread
+
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/kasan_init.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/mm/kasan_init.c b/arch/arm/mm/kasan_init.c
+index 29caee9c79ce..46d9f4a622cb 100644
+--- a/arch/arm/mm/kasan_init.c
++++ b/arch/arm/mm/kasan_init.c
+@@ -268,12 +268,17 @@ void __init kasan_init(void)
+
+ /*
+ * 1. The module global variables are in MODULES_VADDR ~ MODULES_END,
+- * so we need to map this area.
++ * so we need to map this area if CONFIG_KASAN_VMALLOC=n. With
++ * VMALLOC support KASAN will manage this region dynamically,
++ * refer to kasan_populate_vmalloc() and ARM's implementation of
++ * module_alloc().
+ * 2. PKMAP_BASE ~ PKMAP_BASE+PMD_SIZE's shadow and MODULES_VADDR
+ * ~ MODULES_END's shadow is in the same PMD_SIZE, so we can't
+ * use kasan_populate_zero_shadow.
+ */
+- create_mapping((void *)MODULES_VADDR, (void *)(PKMAP_BASE + PMD_SIZE));
++ if (!IS_ENABLED(CONFIG_KASAN_VMALLOC) && IS_ENABLED(CONFIG_MODULES))
++ create_mapping((void *)MODULES_VADDR, (void *)(MODULES_END));
++ create_mapping((void *)PKMAP_BASE, (void *)(PKMAP_BASE + PMD_SIZE));
+
+ /*
+ * KAsan may reuse the contents of kasan_early_shadow_pte directly, so
+--
+2.35.1
+
--- /dev/null
+From f8e79cbfa9608d069a9d8332d4f833ee254ab89c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 23:13:53 +0100
+Subject: ARM: 9243/1: riscpc: Unbreak the build
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 32844a8eecaa4a3e65841c53e43e04a9087d1ef6 ]
+
+This patch fixes the following build error:
+
+In file included from ./include/linux/io.h:13,
+ from ./arch/arm/mach-rpc/include/mach/uncompress.h:9,
+ from arch/arm/boot/compressed/misc.c:31:
+./arch/arm/include/asm/io.h:85:22: error: conflicting types for ‘__raw_writeb’
+ 85 | #define __raw_writeb __raw_writeb
+ | ^~~~~~~~~~~~
+./arch/arm/include/asm/io.h:86:20: note: in expansion of macro ‘__raw_writeb’
+ 86 | static inline void __raw_writeb(u8 val, volatile void __iomem *addr)
+ | ^~~~~~~~~~~~
+In file included from arch/arm/boot/compressed/misc.c:26:
+arch/arm/boot/compressed/misc-ep93xx.h:13:20: note: previous definition of ‘__raw_writeb’ was here
+ 13 | static inline void __raw_writeb(unsigned char value, unsigned int ptr)
+ | ^~~~~~~~~~~~
+
+To: Russell King <linux@armlinux.org.uk>
+
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: linux-arm-kernel@lists.infradead.org
+Fixes: 0361c7e504b1 ("ARM: ep93xx: multiplatform support")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/compressed/misc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm/boot/compressed/misc.c b/arch/arm/boot/compressed/misc.c
+index cb2e069dc73f..abfed1aa2baa 100644
+--- a/arch/arm/boot/compressed/misc.c
++++ b/arch/arm/boot/compressed/misc.c
+@@ -23,7 +23,9 @@ unsigned int __machine_arch_type;
+ #include <linux/types.h>
+ #include <linux/linkage.h>
+ #include "misc.h"
++#ifdef CONFIG_ARCH_EP93XX
+ #include "misc-ep93xx.h"
++#endif
+
+ static void putstr(const char *ptr);
+
+--
+2.35.1
+
--- /dev/null
+From b88dd105097228a52f736ff1a91a50ccc6195484 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 05:25:51 +0100
+Subject: ARM: 9244/1: dump: Fix wrong pg_level in walk_pmd()
+
+From: Wang Kefeng <wangkefeng.wang@huawei.com>
+
+[ Upstream commit 2ccd19b3ffac07cc7e75a2bd1ed779728bb67197 ]
+
+After ARM supports p4d page tables, the pg_level for note_page()
+in walk_pmd() should be 4, not 3, fix it.
+
+Fixes: 84e6ffb2c49c ("arm: add support for folded p4d page tables")
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/dump.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mm/dump.c b/arch/arm/mm/dump.c
+index fb688003d156..712da6a81b23 100644
+--- a/arch/arm/mm/dump.c
++++ b/arch/arm/mm/dump.c
+@@ -346,7 +346,7 @@ static void walk_pmd(struct pg_state *st, pud_t *pud, unsigned long start)
+ addr = start + i * PMD_SIZE;
+ domain = get_domain_name(pmd);
+ if (pmd_none(*pmd) || pmd_large(*pmd) || !pmd_present(*pmd))
+- note_page(st, addr, 3, pmd_val(*pmd), domain);
++ note_page(st, addr, 4, pmd_val(*pmd), domain);
+ else
+ walk_pte(st, pmd, addr, domain);
+
+--
+2.35.1
+
--- /dev/null
+From 77a9cb07e3f6b3c0dc42d22bb0e4d6ca2e3ba039 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 12:10:49 +0100
+Subject: ARM: 9247/1: mm: set readonly for MT_MEMORY_RO with ARM_LPAE
+
+From: Wang Kefeng <wangkefeng.wang@huawei.com>
+
+[ Upstream commit 14ca1a4690750bb54e1049e49f3140ef48958a6e ]
+
+MT_MEMORY_RO is introduced by commit 598f0a99fa8a ("ARM: 9210/1:
+Mark the FDT_FIXED sections as shareable"), which is a readonly
+memory type for FDT area, but there are some different between
+ARM_LPAE and non-ARM_LPAE, we need to setup PMD_SECT_AP2 and
+L_PMD_SECT_RDONLY for MT_MEMORY_RO when ARM_LAPE enabled.
+
+non-ARM_LPAE 0xff800000-0xffa00000 2M PGD KERNEL ro NX SHD
+ARM_LPAE 0xff800000-0xffc00000 4M PMD RW NX SHD
+ARM_LPAE+fix 0xff800000-0xffc00000 4M PMD ro NX SHD
+
+Fixes: 598f0a99fa8a ("ARM: 9210/1: Mark the FDT_FIXED sections as shareable")
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/mmu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
+index a49f0b9c0f75..463fc2a8448f 100644
+--- a/arch/arm/mm/mmu.c
++++ b/arch/arm/mm/mmu.c
+@@ -300,7 +300,11 @@ static struct mem_type mem_types[] __ro_after_init = {
+ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
+ L_PTE_XN | L_PTE_RDONLY,
+ .prot_l1 = PMD_TYPE_TABLE,
++#ifdef CONFIG_ARM_LPAE
++ .prot_sect = PMD_TYPE_SECT | L_PMD_SECT_RDONLY | PMD_SECT_AP2,
++#else
+ .prot_sect = PMD_TYPE_SECT,
++#endif
+ .domain = DOMAIN_KERNEL,
+ },
+ [MT_ROM] = {
+--
+2.35.1
+
--- /dev/null
+From 6208456b75d340e4eefc86e5f714f97c6e7fcfce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 15:41:03 -0700
+Subject: ARM: decompressor: Include .data.rel.ro.local
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 1b64daf413acd86c2c13f5443f6b4ef3690c8061 ]
+
+The .data.rel.ro.local section has the same semantics as .data.rel.ro
+here, so include it in the .rodata section of the decompressor.
+Additionally since the .printk_index section isn't usable outside of
+the core kernel, discard it in the decompressor. Avoids these warnings:
+
+arm-linux-gnueabi-ld: warning: orphan section `.data.rel.ro.local' from `arch/arm/boot/compressed/fdt_rw.o' being placed in section `.data.rel.ro.local'
+arm-linux-gnueabi-ld: warning: orphan section `.printk_index' from `arch/arm/boot/compressed/fdt_rw.o' being placed in section `.printk_index'
+
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/linux-mm/202209080545.qMIVj7YM-lkp@intel.com
+Cc: Russell King <linux@armlinux.org.uk>
+Cc: linux-arm-kernel@lists.infradead.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/compressed/vmlinux.lds.S | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm/boot/compressed/vmlinux.lds.S b/arch/arm/boot/compressed/vmlinux.lds.S
+index 1bcb68ac4b01..3fcb3e62dc56 100644
+--- a/arch/arm/boot/compressed/vmlinux.lds.S
++++ b/arch/arm/boot/compressed/vmlinux.lds.S
+@@ -23,6 +23,7 @@ SECTIONS
+ *(.ARM.extab*)
+ *(.note.*)
+ *(.rel.*)
++ *(.printk_index)
+ /*
+ * Discard any r/w data - this produces a link error if we have any,
+ * which is required for PIC decompression. Local data generates
+@@ -57,6 +58,7 @@ SECTIONS
+ *(.rodata)
+ *(.rodata.*)
+ *(.data.rel.ro)
++ *(.data.rel.ro.*)
+ }
+ .piggydata : {
+ *(.piggydata)
+--
+2.35.1
+
--- /dev/null
+From b4ca3b0eaa3466f8f75368b2d9b01aa8f30db3bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Oct 2022 09:10:19 +0200
+Subject: =?UTF-8?q?ARM/dma-mapp=D1=96ng:=20don't=20override=20->dma=5Fcohe?=
+ =?UTF-8?q?rent=20when=20set=20from=20a=20bus=20notifier?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 49bc8bebae79c8516cb12f91818f3a7907e3ebce ]
+
+Commit ae626eb97376 ("ARM/dma-mapping: use dma-direct unconditionally")
+caused a regression on the mvebu platform, wherein devices that are
+dma-coherent are marked as dma-noncoherent, because although
+mvebu_hwcc_notifier() after that commit still marks then as coherent,
+the arm_coherent_dma_ops() function, which is called later, overwrites
+this setting, since it is being called from drivers/of/device.c with
+coherency parameter determined by of_dma_is_coherent(), and the
+device-trees do not declare the 'dma-coherent' property.
+
+Fix this by defaulting never clearing the dma_coherent flag in
+arm_coherent_dma_ops().
+
+Fixes: ae626eb97376 ("ARM/dma-mapping: use dma-direct unconditionally")
+Reported-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Tested-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/dma-mapping.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c
+index 089c9c644cce..bfc7476f1411 100644
+--- a/arch/arm/mm/dma-mapping.c
++++ b/arch/arm/mm/dma-mapping.c
+@@ -1769,8 +1769,16 @@ static void arm_teardown_iommu_dma_ops(struct device *dev) { }
+ void arch_setup_dma_ops(struct device *dev, u64 dma_base, u64 size,
+ const struct iommu_ops *iommu, bool coherent)
+ {
+- dev->archdata.dma_coherent = coherent;
+- dev->dma_coherent = coherent;
++ /*
++ * Due to legacy code that sets the ->dma_coherent flag from a bus
++ * notifier we can't just assign coherent to the ->dma_coherent flag
++ * here, but instead have to make sure we only set but never clear it
++ * for now.
++ */
++ if (coherent) {
++ dev->archdata.dma_coherent = true;
++ dev->dma_coherent = true;
++ }
+
+ /*
+ * Don't override the dma_ops if they have already been set. Ideally
+--
+2.35.1
+
--- /dev/null
+From a0542bf6bde10de583a531b572c8a2d5116c1950 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 15:28:26 +0200
+Subject: ARM: Drop CMDLINE_* dependency on ATAGS
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 136f4b1ec7c962ee37a787e095fd37b058d72bd3 ]
+
+On arm32, the configuration options to specify the kernel command line
+type depend on ATAGS. However, the actual CMDLINE cofiguration option
+does not depend on ATAGS, and the code that handles this is not specific
+to ATAGS (see drivers/of/fdt.c:early_init_dt_scan_chosen()).
+
+Hence users who desire to override the kernel command line on arm32 must
+enable support for ATAGS, even on a pure-DT system. Other architectures
+(arm64, loongarch, microblaze, nios2, powerpc, and riscv) do not impose
+such a restriction.
+
+Hence drop the dependency on ATAGS.
+
+Fixes: bd51e2f595580fb6 ("ARM: 7506/1: allow for ATAGS to be configured out when DT support is selected")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index 87badeae3181..11ecf09aadc8 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1671,7 +1671,6 @@ config CMDLINE
+ choice
+ prompt "Kernel command line type" if CMDLINE != ""
+ default CMDLINE_FROM_BOOTLOADER
+- depends on ATAGS
+
+ config CMDLINE_FROM_BOOTLOADER
+ bool "Use bootloader kernel arguments if available"
+--
+2.35.1
+
--- /dev/null
+From 92b3520f34ae624ac208a6e93a06dba6d15b3f2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 12:43:53 +0200
+Subject: ARM: dts: exynos: correct s5k6a3 reset polarity on Midas family
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit 3ba2d4bb9592bf7a6a3fe3dbe711ecfc3d004bab ]
+
+According to s5k6a3 driver code, the reset line for the chip appears to
+be active low. This also matches the typical polarity of reset lines in
+general. Let's fix it up as having correct polarity in DTS is important
+when the driver will be switched over to gpiod API.
+
+Fixes: b4fec64758ab ("ARM: dts: Add camera device nodes for Exynos4412 TRATS2 board")
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20220913164104.203957-1-dmitry.torokhov@gmail.com
+Link: https://lore.kernel.org/r/20220926104354.118578-2-krzysztof.kozlowski@linaro.org'
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/exynos4412-midas.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos4412-midas.dtsi b/arch/arm/boot/dts/exynos4412-midas.dtsi
+index b967397a46c5..8e1c19a8ad06 100644
+--- a/arch/arm/boot/dts/exynos4412-midas.dtsi
++++ b/arch/arm/boot/dts/exynos4412-midas.dtsi
+@@ -586,7 +586,7 @@
+ clocks = <&camera 1>;
+ clock-names = "extclk";
+ samsung,camclk-out = <1>;
+- gpios = <&gpm1 6 GPIO_ACTIVE_HIGH>;
++ gpios = <&gpm1 6 GPIO_ACTIVE_LOW>;
+
+ port {
+ is_s5k6a3_ep: endpoint {
+--
+2.35.1
+
--- /dev/null
+From a0b09d937473a5f79e717836f400f47e423848b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 15:05:03 -0700
+Subject: ARM: dts: exynos: fix polarity of VBUS GPIO of Origen
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit a08137bd1e0a7ce951dce9ce4a83e39d379b6e1b ]
+
+EHCI Oxynos (drivers/usb/host/ehci-exynos.c) drives VBUS GPIO high when
+trying to power up the bus, therefore the GPIO in DTS must be marked as
+"active high". This will be important when EHCI driver is converted to
+gpiod API that respects declared polarities.
+
+Fixes: 4e8991def565 ("ARM: dts: exynos: Enable AX88760 USB hub on Origen board")
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Link: https://lore.kernel.org/r/20220927220504.3744878-1-dmitry.torokhov@gmail.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/exynos4412-origen.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos4412-origen.dts b/arch/arm/boot/dts/exynos4412-origen.dts
+index 6db09dba07ff..a3905e27b9cd 100644
+--- a/arch/arm/boot/dts/exynos4412-origen.dts
++++ b/arch/arm/boot/dts/exynos4412-origen.dts
+@@ -95,7 +95,7 @@
+ };
+
+ &ehci {
+- samsung,vbus-gpio = <&gpx3 5 1>;
++ samsung,vbus-gpio = <&gpx3 5 GPIO_ACTIVE_HIGH>;
+ status = "okay";
+ phys = <&exynos_usbphy 2>, <&exynos_usbphy 3>;
+ phy-names = "hsic0", "hsic1";
+--
+2.35.1
+
--- /dev/null
+From 64483a633ac3c51f39fe3a3e55535d2eef75bbea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jul 2022 08:41:58 +0200
+Subject: ARM: dts: imx6: delete interrupts property if interrupts-extended is
+ set
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit c9d38ff7080b2c4fa6786b82210fa13115895aae ]
+
+In most cases this is related to fsl,err006687-workaround-present, which
+requires a GPIO interrupt next a GIC interrupt.
+
+This fixes the dtbs_check warning:
+imx6dl-mba6a.dtb: ethernet@2188000: More than one condition true in oneOf schema:
+ {'$filename': 'Documentation/devicetree/bindings/net/fsl,fec.yaml',
+[...]
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6dl-riotboard.dts | 1 +
+ arch/arm/boot/dts/imx6q-arm2.dts | 1 +
+ arch/arm/boot/dts/imx6q-evi.dts | 1 +
+ arch/arm/boot/dts/imx6q-mccmon6.dts | 1 +
+ arch/arm/boot/dts/imx6qdl-nit6xlite.dtsi | 1 +
+ arch/arm/boot/dts/imx6qdl-nitrogen6_max.dtsi | 1 +
+ arch/arm/boot/dts/imx6qdl-nitrogen6_som2.dtsi | 1 +
+ arch/arm/boot/dts/imx6qdl-nitrogen6x.dtsi | 1 +
+ arch/arm/boot/dts/imx6qdl-sabreauto.dtsi | 1 +
+ arch/arm/boot/dts/imx6qdl-tqma6a.dtsi | 1 +
+ arch/arm/boot/dts/imx6qdl-ts7970.dtsi | 1 +
+ 11 files changed, 11 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6dl-riotboard.dts b/arch/arm/boot/dts/imx6dl-riotboard.dts
+index e7d9bfbfd0e4..e7be05f205d3 100644
+--- a/arch/arm/boot/dts/imx6dl-riotboard.dts
++++ b/arch/arm/boot/dts/imx6dl-riotboard.dts
+@@ -90,6 +90,7 @@
+ pinctrl-0 = <&pinctrl_enet>;
+ phy-mode = "rgmii-id";
+ phy-handle = <&rgmii_phy>;
++ /delete-property/ interrupts;
+ interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>,
+ <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>;
+ fsl,err006687-workaround-present;
+diff --git a/arch/arm/boot/dts/imx6q-arm2.dts b/arch/arm/boot/dts/imx6q-arm2.dts
+index 0b40f52268b3..75586299d9ca 100644
+--- a/arch/arm/boot/dts/imx6q-arm2.dts
++++ b/arch/arm/boot/dts/imx6q-arm2.dts
+@@ -178,6 +178,7 @@
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_enet>;
+ phy-mode = "rgmii";
++ /delete-property/ interrupts;
+ interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>,
+ <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>;
+ fsl,err006687-workaround-present;
+diff --git a/arch/arm/boot/dts/imx6q-evi.dts b/arch/arm/boot/dts/imx6q-evi.dts
+index c63f371ede8b..78d941fef5df 100644
+--- a/arch/arm/boot/dts/imx6q-evi.dts
++++ b/arch/arm/boot/dts/imx6q-evi.dts
+@@ -146,6 +146,7 @@
+ pinctrl-0 = <&pinctrl_enet>;
+ phy-mode = "rgmii";
+ phy-reset-gpios = <&gpio1 25 GPIO_ACTIVE_LOW>;
++ /delete-property/ interrupts;
+ interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>,
+ <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>;
+ fsl,err006687-workaround-present;
+diff --git a/arch/arm/boot/dts/imx6q-mccmon6.dts b/arch/arm/boot/dts/imx6q-mccmon6.dts
+index 55692c73943d..64ab01018b71 100644
+--- a/arch/arm/boot/dts/imx6q-mccmon6.dts
++++ b/arch/arm/boot/dts/imx6q-mccmon6.dts
+@@ -100,6 +100,7 @@
+ pinctrl-0 = <&pinctrl_enet>;
+ phy-mode = "rgmii";
+ phy-reset-gpios = <&gpio1 27 GPIO_ACTIVE_LOW>;
++ /delete-property/ interrupts;
+ interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>,
+ <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>;
+ status = "okay";
+diff --git a/arch/arm/boot/dts/imx6qdl-nit6xlite.dtsi b/arch/arm/boot/dts/imx6qdl-nit6xlite.dtsi
+index 0ad4cb4f1e82..a53a5d0766a5 100644
+--- a/arch/arm/boot/dts/imx6qdl-nit6xlite.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-nit6xlite.dtsi
+@@ -192,6 +192,7 @@
+ phy-mode = "rgmii";
+ phy-handle = <ðphy>;
+ phy-reset-gpios = <&gpio1 27 GPIO_ACTIVE_LOW>;
++ /delete-property/ interrupts;
+ interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>,
+ <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>;
+ fsl,err006687-workaround-present;
+diff --git a/arch/arm/boot/dts/imx6qdl-nitrogen6_max.dtsi b/arch/arm/boot/dts/imx6qdl-nitrogen6_max.dtsi
+index beaa2dcd436c..57c21a01f126 100644
+--- a/arch/arm/boot/dts/imx6qdl-nitrogen6_max.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-nitrogen6_max.dtsi
+@@ -334,6 +334,7 @@
+ phy-mode = "rgmii";
+ phy-handle = <ðphy>;
+ phy-reset-gpios = <&gpio1 27 GPIO_ACTIVE_LOW>;
++ /delete-property/ interrupts;
+ interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>,
+ <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>;
+ fsl,err006687-workaround-present;
+diff --git a/arch/arm/boot/dts/imx6qdl-nitrogen6_som2.dtsi b/arch/arm/boot/dts/imx6qdl-nitrogen6_som2.dtsi
+index ee7e2371f94b..000e9dc97b1a 100644
+--- a/arch/arm/boot/dts/imx6qdl-nitrogen6_som2.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-nitrogen6_som2.dtsi
+@@ -263,6 +263,7 @@
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_enet>;
+ phy-mode = "rgmii";
++ /delete-property/ interrupts;
+ interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>,
+ <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>;
+ fsl,err006687-workaround-present;
+diff --git a/arch/arm/boot/dts/imx6qdl-nitrogen6x.dtsi b/arch/arm/boot/dts/imx6qdl-nitrogen6x.dtsi
+index 904d5d051d63..731759bdd7f5 100644
+--- a/arch/arm/boot/dts/imx6qdl-nitrogen6x.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-nitrogen6x.dtsi
+@@ -267,6 +267,7 @@
+ phy-mode = "rgmii";
+ phy-handle = <ðphy>;
+ phy-reset-gpios = <&gpio1 27 GPIO_ACTIVE_LOW>;
++ /delete-property/ interrupts;
+ interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>,
+ <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>;
+ fsl,err006687-workaround-present;
+diff --git a/arch/arm/boot/dts/imx6qdl-sabreauto.dtsi b/arch/arm/boot/dts/imx6qdl-sabreauto.dtsi
+index 1368a4762037..3dbb460ef102 100644
+--- a/arch/arm/boot/dts/imx6qdl-sabreauto.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-sabreauto.dtsi
+@@ -295,6 +295,7 @@
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_enet>;
+ phy-mode = "rgmii-id";
++ /delete-property/ interrupts;
+ interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>,
+ <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>;
+ fsl,err006687-workaround-present;
+diff --git a/arch/arm/boot/dts/imx6qdl-tqma6a.dtsi b/arch/arm/boot/dts/imx6qdl-tqma6a.dtsi
+index 7dc3f0005b0f..0a36e1bce375 100644
+--- a/arch/arm/boot/dts/imx6qdl-tqma6a.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-tqma6a.dtsi
+@@ -7,6 +7,7 @@
+ #include <dt-bindings/gpio/gpio.h>
+
+ &fec {
++ /delete-property/ interrupts;
+ interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>,
+ <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>;
+ fsl,err006687-workaround-present;
+diff --git a/arch/arm/boot/dts/imx6qdl-ts7970.dtsi b/arch/arm/boot/dts/imx6qdl-ts7970.dtsi
+index d6ba4b2a60f6..c096d25a6f5b 100644
+--- a/arch/arm/boot/dts/imx6qdl-ts7970.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-ts7970.dtsi
+@@ -192,6 +192,7 @@
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_enet>;
+ phy-mode = "rgmii";
++ /delete-property/ interrupts;
+ interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>,
+ <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>;
+ fsl,err006687-workaround-present;
+--
+2.35.1
+
--- /dev/null
+From 84c533255616a50cd05efd5180a38a0f9300d16b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 07:53:32 +0200
+Subject: ARM: dts: imx6dl: add missing properties for sram
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit f5848b95633d598bacf0500e0108dc5961af88c0 ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6dl.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6dl.dtsi b/arch/arm/boot/dts/imx6dl.dtsi
+index 8e0ed209ede0..dc919e09a505 100644
+--- a/arch/arm/boot/dts/imx6dl.dtsi
++++ b/arch/arm/boot/dts/imx6dl.dtsi
+@@ -84,6 +84,9 @@
+ ocram: sram@900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x20000>;
++ ranges = <0 0x00900000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6QDL_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 12e62bf9291b4e7216019a542a32526fb6e882ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Jul 2022 18:25:15 +0200
+Subject: ARM: dts: imx6dl-yapp4: Bind the backlight controller to the LCD
+ panel
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Vokáč <michal.vokac@ysoft.com>
+
+[ Upstream commit 8b212526a957e012e88d68d7f33bb11b312c2ea6 ]
+
+Add connection between the backlight controller and LCD panel.
+With that the backlight is automatically switched on when the panel
+is on or switched off when the panel is blanked.
+
+Signed-off-by: Michal Vokáč <michal.vokac@ysoft.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Stable-dep-of: afd8f77957e3 ("ARM: dts: imx6qdl-kontron-samx6i: hook up DDC i2c bus")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6dl-yapp4-common.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi
+index 674af39c884a..52162e8c7274 100644
+--- a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi
++++ b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi
+@@ -55,6 +55,7 @@
+ panel: panel {
+ compatible = "dataimage,scf0700c48ggu18";
+ power-supply = <&sw2_reg>;
++ backlight = <&backlight>;
+ status = "disabled";
+
+ port {
+--
+2.35.1
+
--- /dev/null
+From b502b60291989b7b97a611d9080b3eb50681f720 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 07:53:31 +0200
+Subject: ARM: dts: imx6q: add missing properties for sram
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit b11d083c5dcec7c42fe982c854706d404ddd3a5f ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6q.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6q.dtsi b/arch/arm/boot/dts/imx6q.dtsi
+index 3b77eae40e39..df86049a695b 100644
+--- a/arch/arm/boot/dts/imx6q.dtsi
++++ b/arch/arm/boot/dts/imx6q.dtsi
+@@ -163,6 +163,9 @@
+ ocram: sram@900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x40000>;
++ ranges = <0 0x00900000 0x40000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6QDL_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
--- /dev/null
+From dd3471c8185f608a98623ebe373e025936167541 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Jul 2022 15:05:23 +0200
+Subject: ARM: dts: imx6qdl-kontron-samx6i: hook up DDC i2c bus
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+[ Upstream commit afd8f77957e3e83adf21d9229c61ff37f44a177a ]
+
+i2c2 is routed to the pins dedicated as DDC in the module standard.
+Reduce clock rate to 100kHz to be in line with VESA standard and hook
+this bus up to the HDMI node.
+
+Fixes: 708ed2649ad8 ("ARM: dts: imx6qdl-kontron-samx6i: increase i2c-frequency")
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+[m.felsch@pengutronix.de: add fixes line]
+Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6qdl-kontron-samx6i.dtsi | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/imx6qdl-kontron-samx6i.dtsi b/arch/arm/boot/dts/imx6qdl-kontron-samx6i.dtsi
+index 6b791d515e29..683f6e58ab23 100644
+--- a/arch/arm/boot/dts/imx6qdl-kontron-samx6i.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-kontron-samx6i.dtsi
+@@ -263,6 +263,10 @@
+ phy-reset-gpios = <&gpio1 25 GPIO_ACTIVE_LOW>;
+ };
+
++&hdmi {
++ ddc-i2c-bus = <&i2c2>;
++};
++
+ &i2c_intern {
+ pmic@8 {
+ compatible = "fsl,pfuze100";
+@@ -387,7 +391,7 @@
+
+ /* HDMI_CTRL */
+ &i2c2 {
+- clock-frequency = <375000>;
++ clock-frequency = <100000>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_i2c2>;
+ };
+--
+2.35.1
+
--- /dev/null
+From c23d5091cac28db27c98c3b6d48a276d5f7907fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 07:53:33 +0200
+Subject: ARM: dts: imx6qp: add missing properties for sram
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit 088fe5237435ee2f7ed4450519b2ef58b94c832f ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@940000: '#address-cells' is a required property
+sram@940000: '#size-cells' is a required property
+sram@940000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6qp.dtsi | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6qp.dtsi b/arch/arm/boot/dts/imx6qp.dtsi
+index 050365513836..fc164991d2ae 100644
+--- a/arch/arm/boot/dts/imx6qp.dtsi
++++ b/arch/arm/boot/dts/imx6qp.dtsi
+@@ -9,12 +9,18 @@
+ ocram2: sram@940000 {
+ compatible = "mmio-sram";
+ reg = <0x00940000 0x20000>;
++ ranges = <0 0x00940000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6QDL_CLK_OCRAM>;
+ };
+
+ ocram3: sram@960000 {
+ compatible = "mmio-sram";
+ reg = <0x00960000 0x20000>;
++ ranges = <0 0x00960000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6QDL_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 14e9205f48c5709bcac0330604bfc4aece83c4c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 07:53:34 +0200
+Subject: ARM: dts: imx6sl: add missing properties for sram
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit 60c9213a1d9941a8b33db570796c3f9be8984974 ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6sl.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6sl.dtsi b/arch/arm/boot/dts/imx6sl.dtsi
+index 06a515121dfc..cfd6b4972ae7 100644
+--- a/arch/arm/boot/dts/imx6sl.dtsi
++++ b/arch/arm/boot/dts/imx6sl.dtsi
+@@ -115,6 +115,9 @@
+ ocram: sram@900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x20000>;
++ ranges = <0 0x00900000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6SL_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 9e908abd003192c1e43aa99c3627cd60b3f873d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 21:22:48 +0200
+Subject: ARM: dts: imx6sl: use tabs for code indent
+
+From: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+
+[ Upstream commit 218db824a7519856d0eaaeb5c41ca504ed550210 ]
+
+This fixes the following error:
+
+arch/arm/boot/dts/imx6sl.dtsi:714: error: code indent should use tabs
+where possible
+
+Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6sl.dtsi | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx6sl.dtsi b/arch/arm/boot/dts/imx6sl.dtsi
+index cfd6b4972ae7..01122ddfdc0d 100644
+--- a/arch/arm/boot/dts/imx6sl.dtsi
++++ b/arch/arm/boot/dts/imx6sl.dtsi
+@@ -61,10 +61,10 @@
+ <792000 1175000>,
+ <396000 975000>;
+ fsl,soc-operating-points =
+- /* ARM kHz SOC-PU uV */
+- <996000 1225000>,
+- <792000 1175000>,
+- <396000 1175000>;
++ /* ARM kHz SOC-PU uV */
++ <996000 1225000>,
++ <792000 1175000>,
++ <396000 1175000>;
+ clock-latency = <61036>; /* two CLK32 periods */
+ #cooling-cells = <2>;
+ clocks = <&clks IMX6SL_CLK_ARM>, <&clks IMX6SL_CLK_PLL2_PFD2>,
+@@ -225,7 +225,7 @@
+
+ uart5: serial@2018000 {
+ compatible = "fsl,imx6sl-uart",
+- "fsl,imx6q-uart", "fsl,imx21-uart";
++ "fsl,imx6q-uart", "fsl,imx21-uart";
+ reg = <0x02018000 0x4000>;
+ interrupts = <0 30 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&clks IMX6SL_CLK_UART>,
+@@ -238,7 +238,7 @@
+
+ uart1: serial@2020000 {
+ compatible = "fsl,imx6sl-uart",
+- "fsl,imx6q-uart", "fsl,imx21-uart";
++ "fsl,imx6q-uart", "fsl,imx21-uart";
+ reg = <0x02020000 0x4000>;
+ interrupts = <0 26 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&clks IMX6SL_CLK_UART>,
+@@ -251,7 +251,7 @@
+
+ uart2: serial@2024000 {
+ compatible = "fsl,imx6sl-uart",
+- "fsl,imx6q-uart", "fsl,imx21-uart";
++ "fsl,imx6q-uart", "fsl,imx21-uart";
+ reg = <0x02024000 0x4000>;
+ interrupts = <0 27 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&clks IMX6SL_CLK_UART>,
+@@ -312,7 +312,7 @@
+
+ uart3: serial@2034000 {
+ compatible = "fsl,imx6sl-uart",
+- "fsl,imx6q-uart", "fsl,imx21-uart";
++ "fsl,imx6q-uart", "fsl,imx21-uart";
+ reg = <0x02034000 0x4000>;
+ interrupts = <0 28 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&clks IMX6SL_CLK_UART>,
+@@ -325,7 +325,7 @@
+
+ uart4: serial@2038000 {
+ compatible = "fsl,imx6sl-uart",
+- "fsl,imx6q-uart", "fsl,imx21-uart";
++ "fsl,imx6q-uart", "fsl,imx21-uart";
+ reg = <0x02038000 0x4000>;
+ interrupts = <0 29 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&clks IMX6SL_CLK_UART>,
+@@ -714,7 +714,7 @@
+ #power-domain-cells = <0>;
+ power-supply = <®_pu>;
+ clocks = <&clks IMX6SL_CLK_GPU2D_OVG>,
+- <&clks IMX6SL_CLK_GPU2D_PODF>;
++ <&clks IMX6SL_CLK_GPU2D_PODF>;
+ };
+
+ pd_disp: power-domain@2 {
+--
+2.35.1
+
--- /dev/null
+From 1a4e16eadbeedf9d069099899b256f746ceab120 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 07:53:35 +0200
+Subject: ARM: dts: imx6sll: add missing properties for sram
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit 7492a83ed9b7a151e2dd11d64b06da7a7f0fa7f9 ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6sll.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6sll.dtsi b/arch/arm/boot/dts/imx6sll.dtsi
+index d4a000c3dde7..2873369a57c0 100644
+--- a/arch/arm/boot/dts/imx6sll.dtsi
++++ b/arch/arm/boot/dts/imx6sll.dtsi
+@@ -115,6 +115,9 @@
+ ocram: sram@900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x20000>;
++ ranges = <0 0x00900000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ };
+
+ intc: interrupt-controller@a01000 {
+--
+2.35.1
+
--- /dev/null
+From 8a12d386956f04b87b4740d6d0c6d16668c8283f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 07:53:36 +0200
+Subject: ARM: dts: imx6sx: add missing properties for sram
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit 415432c008b2bce8138841356ba444631cabaa50 ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6sx.dtsi | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6sx.dtsi b/arch/arm/boot/dts/imx6sx.dtsi
+index 4d075e2bf749..2611eef3b2a2 100644
+--- a/arch/arm/boot/dts/imx6sx.dtsi
++++ b/arch/arm/boot/dts/imx6sx.dtsi
+@@ -164,12 +164,18 @@
+ ocram_s: sram@8f8000 {
+ compatible = "mmio-sram";
+ reg = <0x008f8000 0x4000>;
++ ranges = <0 0x008f8000 0x4000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6SX_CLK_OCRAM_S>;
+ };
+
+ ocram: sram@900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x20000>;
++ ranges = <0 0x00900000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6SX_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 912dab307e9169935b4886b9b8bfde05fe9724e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 21:22:49 +0200
+Subject: ARM: dts: imx6sx-udoo-neo: don't use multiple blank lines
+
+From: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+
+[ Upstream commit fd2dd7077c7498765e7326c1b7f34bde85f1a975 ]
+
+This fixes the following warning:
+
+arch/arm/boot/dts/imx6sx-udoo-neo.dtsi:309: check: Please don't use multiple
+blank lines
+
+While at it, use tabs indent for some pinctrl entries.
+
+Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6sx-udoo-neo.dtsi | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx6sx-udoo-neo.dtsi b/arch/arm/boot/dts/imx6sx-udoo-neo.dtsi
+index 35861bbea94e..c84ea1fac5e9 100644
+--- a/arch/arm/boot/dts/imx6sx-udoo-neo.dtsi
++++ b/arch/arm/boot/dts/imx6sx-udoo-neo.dtsi
+@@ -226,7 +226,7 @@
+ &iomuxc {
+ pinctrl_bt_reg: btreggrp {
+ fsl,pins =
+- <MX6SX_PAD_KEY_ROW2__GPIO2_IO_17 0x15059>;
++ <MX6SX_PAD_KEY_ROW2__GPIO2_IO_17 0x15059>;
+ };
+
+ pinctrl_enet1: enet1grp {
+@@ -306,7 +306,6 @@
+ >;
+ };
+
+-
+ pinctrl_uart1: uart1grp {
+ fsl,pins =
+ <MX6SX_PAD_GPIO1_IO04__UART1_DCE_TX 0x1b0b1>,
+@@ -347,24 +346,23 @@
+
+ pinctrl_otg1_reg: otg1grp {
+ fsl,pins =
+- <MX6SX_PAD_GPIO1_IO09__GPIO1_IO_9 0x10b0>;
++ <MX6SX_PAD_GPIO1_IO09__GPIO1_IO_9 0x10b0>;
+ };
+
+-
+ pinctrl_otg2_reg: otg2grp {
+ fsl,pins =
+- <MX6SX_PAD_NAND_RE_B__GPIO4_IO_12 0x10b0>;
++ <MX6SX_PAD_NAND_RE_B__GPIO4_IO_12 0x10b0>;
+ };
+
+ pinctrl_usb_otg1: usbotg1grp {
+ fsl,pins =
+- <MX6SX_PAD_GPIO1_IO10__ANATOP_OTG1_ID 0x17059>,
+- <MX6SX_PAD_GPIO1_IO08__USB_OTG1_OC 0x10b0>;
++ <MX6SX_PAD_GPIO1_IO10__ANATOP_OTG1_ID 0x17059>,
++ <MX6SX_PAD_GPIO1_IO08__USB_OTG1_OC 0x10b0>;
+ };
+
+ pinctrl_usb_otg2: usbot2ggrp {
+ fsl,pins =
+- <MX6SX_PAD_QSPI1A_DATA0__USB_OTG2_OC 0x10b0>;
++ <MX6SX_PAD_QSPI1A_DATA0__USB_OTG2_OC 0x10b0>;
+ };
+
+ pinctrl_usdhc2: usdhc2grp {
+--
+2.35.1
+
--- /dev/null
+From b2baee3c5789128a7bf36f15908f02a67158e8ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jul 2022 18:16:22 +0800
+Subject: ARM: dts: imx7d-sdb: config the max pressure for tsc2046
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+[ Upstream commit e7c4ebe2f9cd68588eb24ba4ed122e696e2d5272 ]
+
+Use the general touchscreen method to config the max pressure for
+touch tsc2046(data sheet suggest 8 bit pressure), otherwise, for
+ABS_PRESSURE, when config the same max and min value, weston will
+meet the following issue,
+
+[17:19:39.183] event1 - ADS7846 Touchscreen: is tagged by udev as: Touchscreen
+[17:19:39.183] event1 - ADS7846 Touchscreen: kernel bug: device has min == max on ABS_PRESSURE
+[17:19:39.183] event1 - ADS7846 Touchscreen: was rejected
+[17:19:39.183] event1 - not using input device '/dev/input/event1'
+
+This will then cause the APP weston-touch-calibrator can't list touch devices.
+
+root@imx6ul7d:~# weston-touch-calibrator
+could not load cursor 'dnd-move'
+could not load cursor 'dnd-copy'
+could not load cursor 'dnd-none'
+No devices listed.
+
+And accroding to binding Doc, "ti,x-max", "ti,y-max", "ti,pressure-max"
+belong to the deprecated properties, so remove them. Also for "ti,x-min",
+"ti,y-min", "ti,x-plate-ohms", the value set in dts equal to the default
+value in driver, so are redundant, also remove here.
+
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx7d-sdb.dts | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx7d-sdb.dts b/arch/arm/boot/dts/imx7d-sdb.dts
+index 78f4224a9bf4..e93b9cd9c27b 100644
+--- a/arch/arm/boot/dts/imx7d-sdb.dts
++++ b/arch/arm/boot/dts/imx7d-sdb.dts
+@@ -206,12 +206,7 @@
+ interrupt-parent = <&gpio2>;
+ interrupts = <29 0>;
+ pendown-gpio = <&gpio2 29 GPIO_ACTIVE_HIGH>;
+- ti,x-min = /bits/ 16 <0>;
+- ti,x-max = /bits/ 16 <0>;
+- ti,y-min = /bits/ 16 <0>;
+- ti,y-max = /bits/ 16 <0>;
+- ti,pressure-max = /bits/ 16 <0>;
+- ti,x-plate-ohms = /bits/ 16 <400>;
++ touchscreen-max-pressure = <255>;
+ wakeup-source;
+ };
+ };
+--
+2.35.1
+
--- /dev/null
+From e14528fdb0833c9f5a206dfbfd0a9628022701ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 02:10:24 +0200
+Subject: ARM: dts: kirkwood: lsxl: fix serial line
+
+From: Michael Walle <michael@walle.cc>
+
+[ Upstream commit 04eabc6ac10fda9424606d9a7ab6ab9a5d95350a ]
+
+Commit 327e15428977 ("ARM: dts: kirkwood: consolidate common pinctrl
+settings") unknowingly broke the serial output on this board. Before
+this commit, the pinmux was still configured by the bootloader and the
+kernel didn't reconfigured it again. This was an oversight by the
+initial board support where the pinmux for the serial line was never
+configured by the kernel. But with this commit, the serial line will be
+reconfigured to the wrong pins. This is especially confusing, because
+the output still works, but the input doesn't. Presumingly, the input is
+reconfigured to MPP10, but the output is connected to both MPP11 and
+MPP5.
+
+Override the pinmux in the board device tree.
+
+Fixes: 327e15428977 ("ARM: dts: kirkwood: consolidate common pinctrl settings")
+Signed-off-by: Michael Walle <michael@walle.cc>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/kirkwood-lsxl.dtsi | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/arm/boot/dts/kirkwood-lsxl.dtsi b/arch/arm/boot/dts/kirkwood-lsxl.dtsi
+index 7b151acb9984..321a40a98ed2 100644
+--- a/arch/arm/boot/dts/kirkwood-lsxl.dtsi
++++ b/arch/arm/boot/dts/kirkwood-lsxl.dtsi
+@@ -10,6 +10,11 @@
+
+ ocp@f1000000 {
+ pinctrl: pin-controller@10000 {
++ /* Non-default UART pins */
++ pmx_uart0: pmx-uart0 {
++ marvell,pins = "mpp4", "mpp5";
++ };
++
+ pmx_power_hdd: pmx-power-hdd {
+ marvell,pins = "mpp10";
+ marvell,function = "gpo";
+--
+2.35.1
+
--- /dev/null
+From 9781e0b2b67d1bf0ee064c47d5594e99b4884efe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 02:10:25 +0200
+Subject: ARM: dts: kirkwood: lsxl: remove first ethernet port
+
+From: Michael Walle <michael@walle.cc>
+
+[ Upstream commit 2d528eda7c96ce5c70f895854ecd5684bd5d80b9 ]
+
+Both the Linkstation LS-CHLv2 and the LS-XHL have only one ethernet
+port. This has always been wrong, i.e. the board code used to set up
+both ports, but the driver will play nice and return -ENODEV if the
+assiciated PHY is not found. Nevertheless, it is wrong. Remove it.
+
+Fixes: 876e23333511 ("ARM: kirkwood: add gigabit ethernet and mvmdio device tree nodes")
+Signed-off-by: Michael Walle <michael@walle.cc>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/kirkwood-lsxl.dtsi | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+diff --git a/arch/arm/boot/dts/kirkwood-lsxl.dtsi b/arch/arm/boot/dts/kirkwood-lsxl.dtsi
+index 321a40a98ed2..88b70ba1c8fe 100644
+--- a/arch/arm/boot/dts/kirkwood-lsxl.dtsi
++++ b/arch/arm/boot/dts/kirkwood-lsxl.dtsi
+@@ -218,22 +218,11 @@
+ &mdio {
+ status = "okay";
+
+- ethphy0: ethernet-phy@0 {
+- reg = <0>;
+- };
+-
+ ethphy1: ethernet-phy@8 {
+ reg = <8>;
+ };
+ };
+
+-ð0 {
+- status = "okay";
+- ethernet0-port@0 {
+- phy-handle = <ðphy0>;
+- };
+-};
+-
+ ð1 {
+ status = "okay";
+ ethernet1-port@0 {
+--
+2.35.1
+
--- /dev/null
+From f0e40a30f288662c9c3042d71174dc2cc50d38f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 14:56:10 +0200
+Subject: ARM: dts: turris-omnia: Fix mpp26 pin name and comment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <kabel@kernel.org>
+
+[ Upstream commit 49e93898f0dc177e645c22d0664813567fd9ec00 ]
+
+There is a bug in Turris Omnia's schematics, whereupon the MPP[26] pin,
+which is routed to CN11 pin header, is documented as SPI CS1, but
+MPP[26] pin does not support this function. Instead it controls chip
+select 2 if in "spi0" mode.
+
+Fix the name of the pin node in pinctrl node and fix the comment in SPI
+node.
+
+Fixes: 26ca8b52d6e1 ("ARM: dts: add support for Turris Omnia")
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/armada-385-turris-omnia.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/armada-385-turris-omnia.dts b/arch/arm/boot/dts/armada-385-turris-omnia.dts
+index d1e0db6e5730..a41902e3815c 100644
+--- a/arch/arm/boot/dts/armada-385-turris-omnia.dts
++++ b/arch/arm/boot/dts/armada-385-turris-omnia.dts
+@@ -476,7 +476,7 @@
+ marvell,function = "spi0";
+ };
+
+- spi0cs1_pins: spi0cs1-pins {
++ spi0cs2_pins: spi0cs2-pins {
+ marvell,pins = "mpp26";
+ marvell,function = "spi0";
+ };
+@@ -511,7 +511,7 @@
+ };
+ };
+
+- /* MISO, MOSI, SCLK and CS1 are routed to pin header CN11 */
++ /* MISO, MOSI, SCLK and CS2 are routed to pin header CN11 */
+ };
+
+ &uart0 {
+--
+2.35.1
+
--- /dev/null
+From 11e94b28bed67be359ebda343e7ef77c6054f266 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Sep 2022 21:55:50 +0200
+Subject: ARM: orion: fix include path
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 63872304bdb3decd5454f4dd210c25395278ed13 ]
+
+Now that CONFIG_ARCH_MULTIPLATFORM can be disabled anywhere,
+there is a build failure for plat-orion:
+
+arch/arm/plat-orion/irq.c:19:10: fatal error: plat/irq.h: No such file or directory
+
+Make the include path unconditional.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/plat-orion/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/plat-orion/Makefile b/arch/arm/plat-orion/Makefile
+index 4e3f25de13c1..830b0be038c6 100644
+--- a/arch/arm/plat-orion/Makefile
++++ b/arch/arm/plat-orion/Makefile
+@@ -2,7 +2,7 @@
+ #
+ # Makefile for the linux kernel.
+ #
+-ccflags-$(CONFIG_ARCH_MULTIPLATFORM) := -I$(srctree)/$(src)/include
++ccflags-y := -I$(srctree)/$(src)/include
+
+ orion-gpio-$(CONFIG_GPIOLIB) += gpio.o
+ obj-$(CONFIG_PLAT_ORION_LEGACY) += irq.o pcie.o time.o common.o mpp.o
+--
+2.35.1
+
--- /dev/null
+From 843d764dbb26173a59f14db9c3cd12ed3751638e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Sep 2022 18:15:55 -0700
+Subject: arm64: dts: exynos: fix polarity of "enable" line of NFC chip in TM2
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit bd1a665a01b4d65fd8dc6fece4b376fa5c8c55bb ]
+
+According to s3fwrn5 driver code the "enable" GPIO line is driven "high"
+when chip is not in use (mode is S3FWRN5_MODE_COLD), and is driven "low"
+when chip is in use.
+
+s3fwrn5_phy_power_ctrl():
+
+ ...
+ gpio_set_value(phy->gpio_en, 1);
+ ...
+ if (mode != S3FWRN5_MODE_COLD) {
+ msleep(S3FWRN5_EN_WAIT_TIME);
+ gpio_set_value(phy->gpio_en, 0);
+ msleep(S3FWRN5_EN_WAIT_TIME);
+ }
+
+Therefore the line described by "en-gpios" property should be annotated
+as "active low".
+
+The wakeup gpio appears to have correct polarity (active high).
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Link: https://lore.kernel.org/r/20220929011557.4165216-1-dmitry.torokhov@gmail.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Stable-dep-of: a08137bd1e0a ("ARM: dts: exynos: fix polarity of VBUS GPIO of Origen")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/exynos/exynos5433-tm2-common.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/exynos/exynos5433-tm2-common.dtsi b/arch/arm64/boot/dts/exynos/exynos5433-tm2-common.dtsi
+index 91c9bd1b47dd..bde6a6bb8dfc 100644
+--- a/arch/arm64/boot/dts/exynos/exynos5433-tm2-common.dtsi
++++ b/arch/arm64/boot/dts/exynos/exynos5433-tm2-common.dtsi
+@@ -795,7 +795,7 @@
+ reg = <0x27>;
+ interrupt-parent = <&gpa1>;
+ interrupts = <3 IRQ_TYPE_EDGE_RISING>;
+- en-gpios = <&gpf1 4 GPIO_ACTIVE_HIGH>;
++ en-gpios = <&gpf1 4 GPIO_ACTIVE_LOW>;
+ wake-gpios = <&gpj0 2 GPIO_ACTIVE_HIGH>;
+ };
+ };
+--
+2.35.1
+
--- /dev/null
+From 4336d29e76f02eed74df5c60c27e3e4201e79481 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Aug 2022 10:03:50 +0200
+Subject: arm64: dts: imx8mm-kontron: Use the VSELECT signal to switch SD card
+ IO voltage
+
+From: Frieder Schrempf <frieder.schrempf@kontron.de>
+
+[ Upstream commit eef2c0217e02b6c7ed5b10b82ea944127145e113 ]
+
+It turns out that it is not necessary to declare the VSELECT signal as
+GPIO and let the PMIC driver set it to a fixed high level. This switches
+the voltage between 3.3V and 1.8V by setting the PMIC register for LDO5
+accordingly.
+
+Instead we can do it like other boards already do and simply mux the
+VSELECT signal of the USDHC interface to the pin. This makes sure that
+the correct voltage is selected by setting the PMIC's SD_VSEL input
+to high or low accordingly.
+
+Reported-by: Heiko Thiery <heiko.thiery@gmail.com>
+Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Reviewed-by: Heiko Thiery <heiko.thiery@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts | 3 +++
+ arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-som.dtsi | 2 --
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts b/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts
+index 23be1ec538ba..c54536c0a2ba 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts
++++ b/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts
+@@ -321,6 +321,7 @@
+ MX8MM_IOMUXC_SD2_DATA2_USDHC2_DATA2 0x1d0
+ MX8MM_IOMUXC_SD2_DATA3_USDHC2_DATA3 0x1d0
+ MX8MM_IOMUXC_SD2_CD_B_GPIO2_IO12 0x019
++ MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x1d0
+ >;
+ };
+
+@@ -333,6 +334,7 @@
+ MX8MM_IOMUXC_SD2_DATA2_USDHC2_DATA2 0x1d4
+ MX8MM_IOMUXC_SD2_DATA3_USDHC2_DATA3 0x1d4
+ MX8MM_IOMUXC_SD2_CD_B_GPIO2_IO12 0x019
++ MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x1d0
+ >;
+ };
+
+@@ -345,6 +347,7 @@
+ MX8MM_IOMUXC_SD2_DATA2_USDHC2_DATA2 0x1d6
+ MX8MM_IOMUXC_SD2_DATA3_USDHC2_DATA3 0x1d6
+ MX8MM_IOMUXC_SD2_CD_B_GPIO2_IO12 0x019
++ MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x1d0
+ >;
+ };
+ };
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-som.dtsi
+index 8f90eb02550d..6307af803429 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-som.dtsi
+@@ -86,7 +86,6 @@
+ pinctrl-0 = <&pinctrl_pmic>;
+ interrupt-parent = <&gpio1>;
+ interrupts = <0 IRQ_TYPE_LEVEL_LOW>;
+- sd-vsel-gpios = <&gpio1 4 GPIO_ACTIVE_HIGH>;
+
+ regulators {
+ reg_vdd_soc: BUCK1 {
+@@ -229,7 +228,6 @@
+ pinctrl_pmic: pmicgrp {
+ fsl,pins = <
+ MX8MM_IOMUXC_GPIO1_IO00_GPIO1_IO0 0x141
+- MX8MM_IOMUXC_GPIO1_IO04_GPIO1_IO4 0x141
+ >;
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 8b4ee8a4b70d732a22b8e0e9d45311590377456b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 08:28:54 +0200
+Subject: arm64: dts: imx8mp: Add snps,gfladj-refclk-lpm-sel quirk to USB nodes
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit 5c3d5ecf48ab06c709c012bf1e8f0c91e1fcd7ad ]
+
+With this set the SOF/ITP counter is based on ref_clk when 2.0 ports are
+suspended.
+snps,dis-u2-freeclk-exists-quirk can be removed as
+snps,gfladj-refclk-lpm-sel also clears the free running clock configuration
+bit.
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Link: https://lore.kernel.org/r/20220915062855.751881-4-alexander.stein@ew.tq-group.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mp.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mp.dtsi b/arch/arm64/boot/dts/freescale/imx8mp.dtsi
+index fe178b7d063c..522ab47426c3 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mp.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mp.dtsi
+@@ -1189,7 +1189,7 @@
+ interrupts = <GIC_SPI 40 IRQ_TYPE_LEVEL_HIGH>;
+ phys = <&usb3_phy0>, <&usb3_phy0>;
+ phy-names = "usb2-phy", "usb3-phy";
+- snps,dis-u2-freeclk-exists-quirk;
++ snps,gfladj-refclk-lpm-sel-quirk;
+ };
+
+ };
+@@ -1231,7 +1231,7 @@
+ interrupts = <GIC_SPI 41 IRQ_TYPE_LEVEL_HIGH>;
+ phys = <&usb3_phy1>, <&usb3_phy1>;
+ phy-names = "usb2-phy", "usb3-phy";
+- snps,dis-u2-freeclk-exists-quirk;
++ snps,gfladj-refclk-lpm-sel-quirk;
+ };
+ };
+
+--
+2.35.1
+
--- /dev/null
+From bf1bfb90e7f2b5e5c939fccb60df0b47a01f2ef9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 10:42:13 +0200
+Subject: arm64: dts: imx8mq-librem5: Add bq25895 as max17055's power supply
+
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+
+[ Upstream commit 6effe295e1a87408033c29dbcea9d5a5c8b937d5 ]
+
+This allows the userspace to notice that there's not enough
+current provided to charge the battery, and also fixes issues
+with 0% SOC values being considered invalid.
+
+Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Signed-off-by: Martin Kepplinger <martin.kepplinger@puri.sm>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
+index 9eec8a7eecfc..127fc7f904c8 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi
+@@ -1077,6 +1077,7 @@
+ interrupts = <20 IRQ_TYPE_LEVEL_LOW>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_gauge>;
++ power-supplies = <&bq25895>;
+ maxim,over-heat-temp = <700>;
+ maxim,over-volt = <4500>;
+ maxim,rsns-microohm = <5000>;
+--
+2.35.1
+
--- /dev/null
+From cc6e5762e39c9ada0d70c58d93eb7f890df14c37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 21:22:50 +0200
+Subject: arm64: dts: imx8ulp: no executable source file permission
+
+From: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+
+[ Upstream commit 7db9905d48e1b9a97a28224c5a201262ebce7489 ]
+
+This fixes the following error:
+
+arch/arm64/boot/dts/freescale/imx8ulp-pinfunc.h: error: do not set
+ execute permissions for source files
+
+Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Acked-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8ulp-pinfunc.h | 0
+ 1 file changed, 0 insertions(+), 0 deletions(-)
+ mode change 100755 => 100644 arch/arm64/boot/dts/freescale/imx8ulp-pinfunc.h
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8ulp-pinfunc.h b/arch/arm64/boot/dts/freescale/imx8ulp-pinfunc.h
+old mode 100755
+new mode 100644
+--
+2.35.1
+
--- /dev/null
+From 5e0159fea3fca6f59377c13697b165ea83bc09c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 14:28:08 +1200
+Subject: arm64: dts: marvell: 98dx25xx: use correct property for i2c gpios
+
+From: Chris Packham <chris.packham@alliedtelesis.co.nz>
+
+[ Upstream commit 2b14d382ec97ca5b420239ee6e16da390fab476c ]
+
+Use the correct names for scl-gpios and sda-gpios so that the generic
+i2c recovery code will find them. While we're here set the
+GPIO_OPEN_DRAIN flag on the gpios.
+
+Fixes: b795fadfc46b ("arm64: dts: marvell: Add Armada 98DX2530 SoC and RD-AC5X board")
+Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi b/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi
+index 80b44c7df56a..881bf948d1df 100644
+--- a/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi
++++ b/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi
+@@ -117,8 +117,8 @@
+ pinctrl-names = "default", "gpio";
+ pinctrl-0 = <&i2c0_pins>;
+ pinctrl-1 = <&i2c0_gpio>;
+- scl_gpio = <&gpio0 26 GPIO_ACTIVE_HIGH>;
+- sda_gpio = <&gpio0 27 GPIO_ACTIVE_HIGH>;
++ scl-gpios = <&gpio0 26 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
++ sda-gpios = <&gpio0 27 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
+ status = "disabled";
+ };
+
+@@ -136,8 +136,8 @@
+ pinctrl-names = "default", "gpio";
+ pinctrl-0 = <&i2c1_pins>;
+ pinctrl-1 = <&i2c1_gpio>;
+- scl_gpio = <&gpio0 20 GPIO_ACTIVE_HIGH>;
+- sda_gpio = <&gpio0 21 GPIO_ACTIVE_HIGH>;
++ scl-gpios = <&gpio0 20 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
++ sda-gpios = <&gpio0 21 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
+ status = "disabled";
+ };
+
+--
+2.35.1
+
--- /dev/null
+From be500bcf91d2007aec55b6bb51791f6d1e3fb53c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 16:34:30 +0200
+Subject: arm64: dts: qcom: ipq8074: fix PCIe PHY serdes size
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit ed22cc93abae68f9d3fc4957c20a1d902cf28882 ]
+
+The size of the PCIe PHY serdes register region is 0x1c4 and the
+corresponding 'reg' property should specifically not include the
+adjacent regions that are defined in the child node (e.g. tx and rx).
+
+Fixes: 33057e1672fe ("ARM: dts: ipq8074: Add pcie nodes")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220915143431.19842-1-johan+linaro@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/ipq8074.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/ipq8074.dtsi b/arch/arm64/boot/dts/qcom/ipq8074.dtsi
+index d53675fc1595..b9bf43215ada 100644
+--- a/arch/arm64/boot/dts/qcom/ipq8074.dtsi
++++ b/arch/arm64/boot/dts/qcom/ipq8074.dtsi
+@@ -199,7 +199,7 @@
+
+ pcie_qmp0: phy@86000 {
+ compatible = "qcom,ipq8074-qmp-pcie-phy";
+- reg = <0x00086000 0x1000>;
++ reg = <0x00086000 0x1c4>;
+ #address-cells = <1>;
+ #size-cells = <1>;
+ ranges;
+@@ -227,7 +227,7 @@
+
+ pcie_qmp1: phy@8e000 {
+ compatible = "qcom,ipq8074-qmp-pcie-phy";
+- reg = <0x0008e000 0x1000>;
++ reg = <0x0008e000 0x1c4>;
+ #address-cells = <1>;
+ #size-cells = <1>;
+ ranges;
+--
+2.35.1
+
--- /dev/null
+From 25b770aa702a3b0482456d854a0033ecee6b4f7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Aug 2022 14:26:48 +0100
+Subject: arm64: dts: qcom: pm8350c: Drop PWM reg declaration
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+[ Upstream commit eeca7d46217ccfe9289530e959c0fb29190af0d6 ]
+
+The PWM is a part of the SPMI PMIC block and maps several different
+addresses within the SPMI block. It is not accurate to describe as pwm@reg
+as a result.
+
+Fixes: 5be66d2dc887 ("arm64: dts: qcom: pm8350c: Add pwm support")
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220828132648.3624126-3-bryan.odonoghue@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/pm8350c.dtsi | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/pm8350c.dtsi b/arch/arm64/boot/dts/qcom/pm8350c.dtsi
+index e0bbb67717fe..f28e71487d5c 100644
+--- a/arch/arm64/boot/dts/qcom/pm8350c.dtsi
++++ b/arch/arm64/boot/dts/qcom/pm8350c.dtsi
+@@ -30,9 +30,8 @@
+ #interrupt-cells = <2>;
+ };
+
+- pm8350c_pwm: pwm@e800 {
++ pm8350c_pwm: pwm {
+ compatible = "qcom,pm8350c-pwm";
+- reg = <0xe800>;
+ #pwm-cells = <2>;
+ status = "disabled";
+ };
+--
+2.35.1
+
--- /dev/null
+From 539ce76c939c00dd22cde3998c2ea12932fc2d96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Aug 2022 14:19:42 +0200
+Subject: arm64: dts: qcom: sa8295p-adp: disallow regulator mode switches
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 2a6164cef63cae77edbd9deef844b1774886fcb7 ]
+
+Do not allow the RPMh regulators to switch to low-power mode with an
+exception for the UFS regulators (l3c, l6c, l10c and l17c) as UFS
+supports an idle mode.
+
+This specifically avoids having regulators be but in low-power mode when
+only some consumers specify loads while the actual total load really
+warrants high-power mode.
+
+Fixes: 519183af39b2 ("arm64: dts: qcom: add SA8540P and ADP")
+Link: https://lore.kernel.org/all/YtkrDcjTGhpaU1e0@hovoldconsulting.com
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220803121942.30236-4-johan+linaro@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sa8295p-adp.dts | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sa8295p-adp.dts b/arch/arm64/boot/dts/qcom/sa8295p-adp.dts
+index 9398f0349944..ca5f5ad32ce5 100644
+--- a/arch/arm64/boot/dts/qcom/sa8295p-adp.dts
++++ b/arch/arm64/boot/dts/qcom/sa8295p-adp.dts
+@@ -35,7 +35,6 @@
+ regulator-min-microvolt = <1200000>;
+ regulator-max-microvolt = <1208000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l5a: ldo5 {
+@@ -43,7 +42,6 @@
+ regulator-min-microvolt = <912000>;
+ regulator-max-microvolt = <912000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l7a: ldo7 {
+@@ -51,7 +49,6 @@
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <1800000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l13a: ldo13 {
+@@ -59,7 +56,6 @@
+ regulator-min-microvolt = <3072000>;
+ regulator-max-microvolt = <3072000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+ };
+
+@@ -72,7 +68,6 @@
+ regulator-min-microvolt = <912000>;
+ regulator-max-microvolt = <912000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l2c: ldo2 {
+@@ -80,7 +75,6 @@
+ regulator-min-microvolt = <3072000>;
+ regulator-max-microvolt = <3072000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l3c: ldo3 {
+@@ -96,7 +90,6 @@
+ regulator-min-microvolt = <1200000>;
+ regulator-max-microvolt = <1208000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l6c: ldo6 {
+@@ -112,7 +105,6 @@
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <1800000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l10c: ldo10 {
+@@ -141,7 +133,6 @@
+ regulator-min-microvolt = <1200000>;
+ regulator-max-microvolt = <1200000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l7g: ldo7 {
+@@ -149,7 +140,6 @@
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <1800000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l8g: ldo8 {
+@@ -157,7 +147,6 @@
+ regulator-min-microvolt = <880000>;
+ regulator-max-microvolt = <880000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+ };
+ };
+--
+2.35.1
+
--- /dev/null
+From d8830a1624453a1dd258f57656b52336eca96c2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 17:49:00 -0700
+Subject: arm64: dts: qcom: sc7180-trogdor: Keep pm6150_adc enabled for TZ
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit 144fbd028fdec2deeb3b99d5e60dbf3167950ebe ]
+
+There's still a thermal zone using pm6150_adc in the pm6150.dtsi file,
+pm6150_thermal. It's not super obvious because it indirectly uses the
+adc through an iio channel in pm6150_temp. Let's keep this enabled on
+lazor and coachz so that reading the temperature of the pm6150_thermal
+zone continues to work. Otherwise we get -EINVAL when reading the zone,
+and I suspect the PMIC temperature trip doesn't work properly so we
+don't shutdown when the PMIC overheats.
+
+Cc: Matthias Kaehlcke <mka@chromium.org>
+Fixes: b8d1e3d33487 ("arm64: dts: qcom: sc7180-trogdor: Delete ADC config for unused thermistors")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Matthias Kaehlcke <mka@chromium.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220827004901.511543-1-swboyd@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sc7180-trogdor-coachz-r1.dts | 2 --
+ arch/arm64/boot/dts/qcom/sc7180-trogdor-lazor.dtsi | 2 --
+ 2 files changed, 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sc7180-trogdor-coachz-r1.dts b/arch/arm64/boot/dts/qcom/sc7180-trogdor-coachz-r1.dts
+index 8290d036044a..edfcd47e1a00 100644
+--- a/arch/arm64/boot/dts/qcom/sc7180-trogdor-coachz-r1.dts
++++ b/arch/arm64/boot/dts/qcom/sc7180-trogdor-coachz-r1.dts
+@@ -24,8 +24,6 @@
+ };
+
+ &pm6150_adc {
+- status = "disabled";
+-
+ /delete-node/ skin-temp-thermistor@4e;
+ /delete-node/ charger-thermistor@4f;
+ };
+diff --git a/arch/arm64/boot/dts/qcom/sc7180-trogdor-lazor.dtsi b/arch/arm64/boot/dts/qcom/sc7180-trogdor-lazor.dtsi
+index 2cf7d5212c61..002663d752da 100644
+--- a/arch/arm64/boot/dts/qcom/sc7180-trogdor-lazor.dtsi
++++ b/arch/arm64/boot/dts/qcom/sc7180-trogdor-lazor.dtsi
+@@ -55,8 +55,6 @@ ap_ts_pen_1v8: &i2c4 {
+ };
+
+ &pm6150_adc {
+- status = "disabled";
+-
+ /delete-node/ charger-thermistor@4f;
+ };
+
+--
+2.35.1
+
--- /dev/null
+From a4d72ef1aeb1a0edcacc14e85ccf37fb9034f490 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Aug 2022 10:35:07 +0530
+Subject: arm64: dts: qcom: sc7280: Cleanup the lpasscc node
+
+From: Satya Priya <quic_c_skakit@quicinc.com>
+
+[ Upstream commit 8c7ebabd2e3f33ef24378d3cac00d3e59886cecb ]
+
+Remove "cc" regmap from lpasscc node which is overlapping
+with the lpass_aon regmap.
+
+Fixes: 422a295221bb ("arm64: dts: qcom: sc7280: Add clock controller nodes")
+Signed-off-by: Satya Priya <quic_c_skakit@quicinc.com>
+Signed-off-by: Taniya Das <quic_tdas@quicinc.com>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/1660107909-27947-2-git-send-email-quic_c_skakit@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sc7280.dtsi | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sc7280.dtsi b/arch/arm64/boot/dts/qcom/sc7280.dtsi
+index dac3b69e314f..1d48f92a2982 100644
+--- a/arch/arm64/boot/dts/qcom/sc7280.dtsi
++++ b/arch/arm64/boot/dts/qcom/sc7280.dtsi
+@@ -2168,9 +2168,8 @@
+ lpasscc: lpasscc@3000000 {
+ compatible = "qcom,sc7280-lpasscc";
+ reg = <0 0x03000000 0 0x40>,
+- <0 0x03c04000 0 0x4>,
+- <0 0x03389000 0 0x24>;
+- reg-names = "qdsp6ss", "top_cc", "cc";
++ <0 0x03c04000 0 0x4>;
++ reg-names = "qdsp6ss", "top_cc";
+ clocks = <&gcc GCC_CFG_NOC_LPASS_CLK>;
+ clock-names = "iface";
+ #clock-cells = <1>;
+--
+2.35.1
+
--- /dev/null
+From 84ba3a6c4dc0c6f5ca9eb1226a0da0462525275b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Aug 2022 11:43:38 +0300
+Subject: arm64: dts: qcom: sc7280-idp: correct ADC channel node name and unit
+ address
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 5589ffb2da2a66988ab3a68334dad3e68b42e3a9 ]
+
+Correct SPMI PMIC VADC channel node name:
+1. Use hyphens instead of underscores,
+2. Add missing unit address.
+
+This fixes `make dtbs_check` warnings like:
+
+ qcom/sc7280-idp.dtb: pmic@0: adc@3100: 'pmk8350_die_temp', 'pmr735a_die_temp' do not match any of the regexes: '^.*@[0-9a-f]+$', 'pinctrl-[0-9]+'
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Stephen Boyd <sboyd@kernel.org>
+Reviewed-by: Vinod Koul <vkoul@kernel.org>
+Reviewed-by: David Heidelberg <david@ixit.cz>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220828084341.112146-12-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sc7280-idp.dts | 2 +-
+ arch/arm64/boot/dts/qcom/sc7280-idp.dtsi | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sc7280-idp.dts b/arch/arm64/boot/dts/qcom/sc7280-idp.dts
+index 6d3ff80582ae..e2e37a0292ad 100644
+--- a/arch/arm64/boot/dts/qcom/sc7280-idp.dts
++++ b/arch/arm64/boot/dts/qcom/sc7280-idp.dts
+@@ -78,7 +78,7 @@
+ };
+
+ &pmk8350_vadc {
+- pmr735a_die_temp {
++ pmr735a-die-temp@403 {
+ reg = <PMR735A_ADC7_DIE_TEMP>;
+ label = "pmr735a_die_temp";
+ qcom,pre-scaling = <1 1>;
+diff --git a/arch/arm64/boot/dts/qcom/sc7280-idp.dtsi b/arch/arm64/boot/dts/qcom/sc7280-idp.dtsi
+index a74e0b730db6..27c47ddbdf02 100644
+--- a/arch/arm64/boot/dts/qcom/sc7280-idp.dtsi
++++ b/arch/arm64/boot/dts/qcom/sc7280-idp.dtsi
+@@ -264,7 +264,7 @@
+ };
+
+ &pmk8350_vadc {
+- pmk8350_die_temp {
++ pmk8350-die-temp@3 {
+ reg = <PMK8350_ADC7_DIE_TEMP>;
+ label = "pmk8350_die_temp";
+ qcom,pre-scaling = <1 1>;
+--
+2.35.1
+
--- /dev/null
+From a2ed6445a64059aa590a76f6312e9ead9ee5ca69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Aug 2022 10:35:09 +0530
+Subject: arm64: dts: qcom: sc7280: Update lpasscore node
+
+From: Satya Priya <quic_c_skakit@quicinc.com>
+
+[ Upstream commit d9a1e922730389afc425f2250de361b7f07acdbc ]
+
+To maintain consistency with other lpass nodes(lpass_audiocc,
+lpass_aon and lpass_hm), update lpasscore to lpass_core.
+
+Fixes: 9499240d15f2 ("arm64: dts: qcom: sc7280: Add lpasscore & lpassaudio clock controllers")
+Signed-off-by: Taniya Das <quic_tdas@quicinc.com>
+Signed-off-by: Satya Priya <quic_c_skakit@quicinc.com>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/1660107909-27947-4-git-send-email-quic_c_skakit@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sc7280.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sc7280.dtsi b/arch/arm64/boot/dts/qcom/sc7280.dtsi
+index 1d48f92a2982..51ed691075ad 100644
+--- a/arch/arm64/boot/dts/qcom/sc7280.dtsi
++++ b/arch/arm64/boot/dts/qcom/sc7280.dtsi
+@@ -2191,13 +2191,13 @@
+ reg = <0 0x03380000 0 0x30000>;
+ clocks = <&rpmhcc RPMH_CXO_CLK>,
+ <&rpmhcc RPMH_CXO_CLK_A>,
+- <&lpasscore LPASS_CORE_CC_CORE_CLK>;
++ <&lpass_core LPASS_CORE_CC_CORE_CLK>;
+ clock-names = "bi_tcxo", "bi_tcxo_ao", "iface";
+ #clock-cells = <1>;
+ #power-domain-cells = <1>;
+ };
+
+- lpasscore: clock-controller@3900000 {
++ lpass_core: clock-controller@3900000 {
+ compatible = "qcom,sc7280-lpasscorecc";
+ reg = <0 0x03900000 0 0x50000>;
+ clocks = <&rpmhcc RPMH_CXO_CLK>;
+--
+2.35.1
+
--- /dev/null
+From cd034c6494f8497255799bb85a78a7826c89c822 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Aug 2022 14:19:40 +0200
+Subject: arm64: dts: qcom: sc8280xp-crd: disallow regulator mode switches
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 412737a60c846a6adb7f7571905c200da036815e ]
+
+Do not allow the RPMh regulators to switch to low-power mode with an
+exception for the UFS regulators (l7c and l3d) as UFS supports an idle
+mode.
+
+This specifically avoids having regulators be but in low-power mode when
+only some consumers specify loads while the actual total load really
+warrants high-power mode.
+
+Fixes: ccd3517faf18 ("arm64: dts: qcom: sc8280xp: Add reference device")
+Link: https://lore.kernel.org/all/YtkrDcjTGhpaU1e0@hovoldconsulting.com
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220803121942.30236-2-johan+linaro@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sc8280xp-crd.dts | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sc8280xp-crd.dts b/arch/arm64/boot/dts/qcom/sc8280xp-crd.dts
+index 45058ad0a1c8..6792e88b2c6c 100644
+--- a/arch/arm64/boot/dts/qcom/sc8280xp-crd.dts
++++ b/arch/arm64/boot/dts/qcom/sc8280xp-crd.dts
+@@ -87,7 +87,6 @@
+ regulator-min-microvolt = <1200000>;
+ regulator-max-microvolt = <1200000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ regulator-boot-on;
+ regulator-always-on;
+ };
+@@ -97,7 +96,6 @@
+ regulator-min-microvolt = <912000>;
+ regulator-max-microvolt = <912000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l6b: ldo6 {
+@@ -105,7 +103,6 @@
+ regulator-min-microvolt = <880000>;
+ regulator-max-microvolt = <880000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ regulator-boot-on;
+ };
+ };
+@@ -119,7 +116,6 @@
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <1800000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l7c: ldo7 {
+@@ -135,7 +131,6 @@
+ regulator-min-microvolt = <3072000>;
+ regulator-max-microvolt = <3072000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+ };
+
+@@ -158,7 +153,6 @@
+ regulator-min-microvolt = <1200000>;
+ regulator-max-microvolt = <1200000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l6d: ldo6 {
+@@ -166,7 +160,6 @@
+ regulator-min-microvolt = <880000>;
+ regulator-max-microvolt = <880000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l7d: ldo7 {
+@@ -174,7 +167,6 @@
+ regulator-min-microvolt = <3072000>;
+ regulator-max-microvolt = <3072000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l9d: ldo9 {
+@@ -182,7 +174,6 @@
+ regulator-min-microvolt = <912000>;
+ regulator-max-microvolt = <912000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+ };
+ };
+--
+2.35.1
+
--- /dev/null
+From b5a42110a3ec065a077976af892b7a338b9e6f41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Aug 2022 14:19:41 +0200
+Subject: arm64: dts: qcom: sc8280xp-lenovo-thinkpad-x13s: disallow regulator
+ mode switches
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 648ec2f2ddc05346287e308fbc31a6b8117a1edd ]
+
+Do not allow the RPMh regulators to switch to low-power mode.
+
+This specifically avoids having regulators be but in low-power mode when
+only some consumers specify loads while the actual total load really
+warrants high-power mode.
+
+Fixes: 32c231385ed4 ("arm64: dts: qcom: sc8280xp: add Lenovo Thinkpad X13s devicetree")
+Link: https://lore.kernel.org/all/YtkrDcjTGhpaU1e0@hovoldconsulting.com
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220803121942.30236-3-johan+linaro@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts b/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts
+index 4c404e2eafba..f0ab207cc8e9 100644
+--- a/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts
++++ b/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts
+@@ -79,7 +79,6 @@
+ regulator-min-microvolt = <1200000>;
+ regulator-max-microvolt = <1200000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ regulator-boot-on;
+ };
+
+@@ -88,7 +87,6 @@
+ regulator-min-microvolt = <912000>;
+ regulator-max-microvolt = <912000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l6b: ldo6 {
+@@ -96,7 +94,6 @@
+ regulator-min-microvolt = <880000>;
+ regulator-max-microvolt = <880000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ regulator-boot-on;
+ regulator-always-on; // FIXME: VDD_A_EDP_0_0P9
+ };
+@@ -111,7 +108,6 @@
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <1800000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l12c: ldo12 {
+@@ -119,7 +115,6 @@
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <1800000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l13c: ldo13 {
+@@ -127,7 +122,6 @@
+ regulator-min-microvolt = <3072000>;
+ regulator-max-microvolt = <3072000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+ };
+
+@@ -142,7 +136,6 @@
+ regulator-min-microvolt = <1200000>;
+ regulator-max-microvolt = <1200000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l4d: ldo4 {
+@@ -150,7 +143,6 @@
+ regulator-min-microvolt = <1200000>;
+ regulator-max-microvolt = <1200000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l7d: ldo7 {
+@@ -158,7 +150,6 @@
+ regulator-min-microvolt = <3072000>;
+ regulator-max-microvolt = <3072000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+
+ vreg_l9d: ldo9 {
+@@ -166,7 +157,6 @@
+ regulator-min-microvolt = <912000>;
+ regulator-max-microvolt = <912000>;
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+- regulator-allow-set-load;
+ };
+ };
+ };
+--
+2.35.1
+
--- /dev/null
+From fd5adcd1f69bb9a5f9d6cb39485cd327f45760c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Sep 2022 12:32:40 +0530
+Subject: arm64: dts: qcom: sc8280xp-pmics: Remove reg entry & use correct node
+ name for pmc8280c_lpg node
+
+From: Bhupesh Sharma <bhupesh.sharma@linaro.org>
+
+[ Upstream commit 7dac7991408f77b0b33ee5e6b729baa683889277 ]
+
+Commit eeca7d46217c ("arm64: dts: qcom: pm8350c: Drop PWM reg declaration")
+dropped PWM reg declaration for pm8350c pwm(s), but there is a leftover
+'reg' entry inside the lpg/pwm node in sc8280xp dts file. Remove the same.
+
+While at it, also remove the unused unit address in the node
+label.
+
+Also, since dt-bindings expect LPG/PWM node name to be "pwm",
+use correct node name as well, to fix the following
+error reported by 'make dtbs_check':
+
+ 'lpg' does not match any of the regexes
+
+Fixes: eeca7d46217c ("arm64: dts: qcom: pm8350c: Drop PWM reg declaration")
+Cc: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Cc: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Cc: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Bhupesh Sharma <bhupesh.sharma@linaro.org>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220905070240.1634997-1-bhupesh.sharma@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sc8280xp-pmics.dtsi | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sc8280xp-pmics.dtsi b/arch/arm64/boot/dts/qcom/sc8280xp-pmics.dtsi
+index ae90b97aecb8..24836b6b9bbc 100644
+--- a/arch/arm64/boot/dts/qcom/sc8280xp-pmics.dtsi
++++ b/arch/arm64/boot/dts/qcom/sc8280xp-pmics.dtsi
+@@ -60,9 +60,8 @@
+ #interrupt-cells = <2>;
+ };
+
+- pmc8280c_lpg: lpg@e800 {
++ pmc8280c_lpg: pwm {
+ compatible = "qcom,pm8350c-pwm";
+- reg = <0xe800>;
+
+ #address-cells = <1>;
+ #size-cells = <0>;
+--
+2.35.1
+
--- /dev/null
+From b2c83d7350882592f9c9be9a163fc5a60704ab00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Jul 2022 13:37:47 +0200
+Subject: arm64: dts: qcom: sdm845: narrow LLCC address space
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 300b5f661eebefb8571841b78091343eb87eca54 ]
+
+The Last Level Cache Controller (LLCC) device does not need to access
+entire LLCC address space. Currently driver uses only hardware info and
+status registers which both reside in LLCC0_COMMON range (offset
+0x30000, size 0x1000). Narrow the address space to allow binding other
+drivers to rest of LLCC address space.
+
+Cc: Rajendra Nayak <quic_rjendra@quicinc.com>
+Cc: Sibi Sankar <quic_sibis@quicinc.com>
+Reported-by: Steev Klimaszewski <steev@kali.org>
+Suggested-by: Sibi Sankar <quic_sibis@quicinc.com>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Tested-by: Steev Klimaszewski <steev@kali.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20220728113748.170548-11-krzysztof.kozlowski@linaro.org
+Stable-dep-of: 5a0504945878 ("arm64: dts: qcom: sdm845-xiaomi-polaris: Fix sde_dsi_active pinctrl")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sdm845.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm845.dtsi b/arch/arm64/boot/dts/qcom/sdm845.dtsi
+index f0e286715d1b..4d5ae5897d1d 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi
++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi
+@@ -2138,7 +2138,7 @@
+
+ llcc: system-cache-controller@1100000 {
+ compatible = "qcom,sdm845-llcc";
+- reg = <0 0x01100000 0 0x200000>, <0 0x01300000 0 0x50000>;
++ reg = <0 0x01100000 0 0x31000>, <0 0x01300000 0 0x50000>;
+ reg-names = "llcc_base", "llcc_broadcast_base";
+ interrupts = <GIC_SPI 582 IRQ_TYPE_LEVEL_HIGH>;
+ };
+--
+2.35.1
+
--- /dev/null
+From 173e33c4ffee1aa4d2224d5ea4dbe0f56b6aa6df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Aug 2022 12:14:23 +0200
+Subject: arm64: dts: qcom: sdm845-xiaomi-polaris: Fix sde_dsi_active pinctrl
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 5a0504945878b4af7534c1ce668a5678dc0201cf ]
+
+"make dtbs_check" says:
+
+ bias-disable: boolean property with value b'\x00\x00\x00\x00'
+
+Fix this by dropping the offending value.
+
+Fixes: be497abe19bf08fb ("arm64: dts: qcom: Add support for Xiaomi Mi Mix2s")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Caleb Connolly <caleb@connolly.tech>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/629afd26008c2b1ba5822799ea7ea5b5271895e8.1660903997.git.geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts
+index 7747081b9887..dba7c2693ff5 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts
++++ b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts
+@@ -617,7 +617,7 @@
+ pins = "gpio6", "gpio10";
+ function = "gpio";
+ drive-strength = <8>;
+- bias-disable = <0>;
++ bias-disable;
+ };
+
+ sde_dsi_suspend: sde-dsi-suspend {
+--
+2.35.1
+
--- /dev/null
+From e0768cb6308c31481e9c414ed7d83e2b65cb28af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 08:17:42 +0200
+Subject: arm64: dts: qcom: sm8350-sagami: correct TS pin property
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit c9c53d1f4329564f98ed0decfe3c377c6639ec5d ]
+
+The pin configuration is selected with "pins", not "pin" property.
+
+Fixes: 1209e9246632 ("arm64: dts: qcom: sm8350-sagami: Enable and populate I2C/SPI nodes")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220912061746.6311-37-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm8350-sony-xperia-sagami.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm8350-sony-xperia-sagami.dtsi b/arch/arm64/boot/dts/qcom/sm8350-sony-xperia-sagami.dtsi
+index cb9bbd234b7b..b702ab1605bb 100644
+--- a/arch/arm64/boot/dts/qcom/sm8350-sony-xperia-sagami.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm8350-sony-xperia-sagami.dtsi
+@@ -223,7 +223,7 @@
+ gpio-reserved-ranges = <44 4>;
+
+ ts_int_default: ts-int-default {
+- pin = "gpio23";
++ pins = "gpio23";
+ function = "gpio";
+ drive-strength = <2>;
+ bias-disable;
+--
+2.35.1
+
--- /dev/null
+From ae0a99046410da9a419462b10a5b89b5402e99e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 16:34:31 +0200
+Subject: arm64: dts: qcom: sm8450: fix UFS PHY serdes size
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 677920072e9d757ae158d66b8fdb695992bb3f1a ]
+
+The size of the UFS PHY serdes register region is 0x1c4 and the
+corresponding 'reg' property should specifically not include the
+adjacent regions that are defined in the child node (e.g. tx and rx).
+
+Fixes: 07fa917a335e ("arm64: dts: qcom: sm8450: add ufs nodes")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220915143431.19842-2-johan+linaro@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm8450.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm8450.dtsi b/arch/arm64/boot/dts/qcom/sm8450.dtsi
+index 4978c5ba5dd0..8a6c0f3e7bb7 100644
+--- a/arch/arm64/boot/dts/qcom/sm8450.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm8450.dtsi
+@@ -3117,7 +3117,7 @@
+
+ ufs_mem_phy: phy@1d87000 {
+ compatible = "qcom,sm8450-qmp-ufs-phy";
+- reg = <0 0x01d87000 0 0xe10>;
++ reg = <0 0x01d87000 0 0x1c4>;
+ #address-cells = <2>;
+ #size-cells = <2>;
+ ranges;
+--
+2.35.1
+
--- /dev/null
+From 72b4fc9cc9fd42e21d8fc8353fafaa20630ec68d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Aug 2022 11:15:34 +0100
+Subject: arm64: dts: renesas: r9a07g043: Fix SCI{Rx,Tx} interrupt types
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+[ Upstream commit 72a482dbaec4b9e4d54b81be6bdb8c016fd2f4bd ]
+
+As per the RZ/G2UL Hardware User's Manual (Rev.1.00 Apr, 2022),
+the interrupt type of SCI{Rx,Tx} is edge triggered.
+
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Fixes: cf40c9689e5109bf ("arm64: dts: renesas: Add initial DTSI for RZ/G2UL SoC")
+Link: https://lore.kernel.org/r/20220802101534.1401342-3-biju.das.jz@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a07g043.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a07g043.dtsi b/arch/arm64/boot/dts/renesas/r9a07g043.dtsi
+index 40201a16d653..af84d4797972 100644
+--- a/arch/arm64/boot/dts/renesas/r9a07g043.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a07g043.dtsi
+@@ -334,8 +334,8 @@
+ compatible = "renesas,r9a07g043-sci", "renesas,sci";
+ reg = <0 0x1004d000 0 0x400>;
+ interrupts = <GIC_SPI 405 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 406 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 407 IRQ_TYPE_LEVEL_HIGH>,
++ <GIC_SPI 406 IRQ_TYPE_EDGE_RISING>,
++ <GIC_SPI 407 IRQ_TYPE_EDGE_RISING>,
+ <GIC_SPI 408 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "eri", "rxi", "txi", "tei";
+ clocks = <&cpg CPG_MOD R9A07G043_SCI0_CLKP>;
+@@ -349,8 +349,8 @@
+ compatible = "renesas,r9a07g043-sci", "renesas,sci";
+ reg = <0 0x1004d400 0 0x400>;
+ interrupts = <GIC_SPI 409 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 410 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 411 IRQ_TYPE_LEVEL_HIGH>,
++ <GIC_SPI 410 IRQ_TYPE_EDGE_RISING>,
++ <GIC_SPI 411 IRQ_TYPE_EDGE_RISING>,
+ <GIC_SPI 412 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "eri", "rxi", "txi", "tei";
+ clocks = <&cpg CPG_MOD R9A07G043_SCI1_CLKP>;
+--
+2.35.1
+
--- /dev/null
+From 3bc686a80be1d34953a549e43cc0a24492b6a736 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Aug 2022 11:15:32 +0100
+Subject: arm64: dts: renesas: r9a07g044: Fix SCI{Rx,Tx} interrupt types
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+[ Upstream commit f3b7bc89c97b98aa6f157d5f296695af8940a5ac ]
+
+As per the latest RZ/G2L Hardware User's Manual (Rev.1.10 Apr, 2022),
+the interrupt type of SCI{Rx,Tx} is edge triggered.
+
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Fixes: f9a2adcc9e908907 ("arm64: dts: renesas: r9a07g044: Add SCI[0-1] nodes")
+Link: https://lore.kernel.org/r/20220802101534.1401342-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a07g044.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a07g044.dtsi b/arch/arm64/boot/dts/renesas/r9a07g044.dtsi
+index 3652e511160f..265140b20dad 100644
+--- a/arch/arm64/boot/dts/renesas/r9a07g044.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a07g044.dtsi
+@@ -394,8 +394,8 @@
+ compatible = "renesas,r9a07g044-sci", "renesas,sci";
+ reg = <0 0x1004d000 0 0x400>;
+ interrupts = <GIC_SPI 405 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 406 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 407 IRQ_TYPE_LEVEL_HIGH>,
++ <GIC_SPI 406 IRQ_TYPE_EDGE_RISING>,
++ <GIC_SPI 407 IRQ_TYPE_EDGE_RISING>,
+ <GIC_SPI 408 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "eri", "rxi", "txi", "tei";
+ clocks = <&cpg CPG_MOD R9A07G044_SCI0_CLKP>;
+@@ -409,8 +409,8 @@
+ compatible = "renesas,r9a07g044-sci", "renesas,sci";
+ reg = <0 0x1004d400 0 0x400>;
+ interrupts = <GIC_SPI 409 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 410 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 411 IRQ_TYPE_LEVEL_HIGH>,
++ <GIC_SPI 410 IRQ_TYPE_EDGE_RISING>,
++ <GIC_SPI 411 IRQ_TYPE_EDGE_RISING>,
+ <GIC_SPI 412 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "eri", "rxi", "txi", "tei";
+ clocks = <&cpg CPG_MOD R9A07G044_SCI1_CLKP>;
+--
+2.35.1
+
--- /dev/null
+From 1fe39f4c2272a95be85ba8a4bde4e678292d4bcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Aug 2022 11:15:33 +0100
+Subject: arm64: dts: renesas: r9a07g054: Fix SCI{Rx,Tx} interrupt types
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+[ Upstream commit 13dec051c7f139eef345c55a60941843e72128f1 ]
+
+As per the RZ/V2L Hardware User's Manual (Rev.1.00 Nov, 2021),
+the interrupt type of SCI{Rx,Tx} is edge triggered.
+
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Fixes: 7c2b8198f4f321df ("arm64: dts: renesas: Add initial DTSI for RZ/V2L SoC")
+Link: https://lore.kernel.org/r/20220802101534.1401342-2-biju.das.jz@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/renesas/r9a07g054.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r9a07g054.dtsi b/arch/arm64/boot/dts/renesas/r9a07g054.dtsi
+index 4d6b9d7684c9..d0eeca4f6aa1 100644
+--- a/arch/arm64/boot/dts/renesas/r9a07g054.dtsi
++++ b/arch/arm64/boot/dts/renesas/r9a07g054.dtsi
+@@ -399,8 +399,8 @@
+ compatible = "renesas,r9a07g054-sci", "renesas,sci";
+ reg = <0 0x1004d000 0 0x400>;
+ interrupts = <GIC_SPI 405 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 406 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 407 IRQ_TYPE_LEVEL_HIGH>,
++ <GIC_SPI 406 IRQ_TYPE_EDGE_RISING>,
++ <GIC_SPI 407 IRQ_TYPE_EDGE_RISING>,
+ <GIC_SPI 408 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "eri", "rxi", "txi", "tei";
+ clocks = <&cpg CPG_MOD R9A07G054_SCI0_CLKP>;
+@@ -414,8 +414,8 @@
+ compatible = "renesas,r9a07g054-sci", "renesas,sci";
+ reg = <0 0x1004d400 0 0x400>;
+ interrupts = <GIC_SPI 409 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 410 IRQ_TYPE_LEVEL_HIGH>,
+- <GIC_SPI 411 IRQ_TYPE_LEVEL_HIGH>,
++ <GIC_SPI 410 IRQ_TYPE_EDGE_RISING>,
++ <GIC_SPI 411 IRQ_TYPE_EDGE_RISING>,
+ <GIC_SPI 412 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "eri", "rxi", "txi", "tei";
+ clocks = <&cpg CPG_MOD R9A07G054_SCI1_CLKP>;
+--
+2.35.1
+
--- /dev/null
+From 468b12935668d03adcfebe86663caf1e03fe1751 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 13:57:23 -0700
+Subject: arm64: dts: ti: k3-j7200: fix main pinmux range
+
+From: Matt Ranostay <mranostay@ti.com>
+
+[ Upstream commit 0d0a0b4413460383331088b2203ba09a6971bc3a ]
+
+Range size of 0x2b4 was incorrect since there isn't 173 configurable
+pins for muxing. Additionally there is a non-addressable region in the
+mapping which requires splitting into two ranges.
+
+main_pmx0 -> 67 pins
+main_pmx1 -> 3 pins
+
+Fixes: d361ed88455f ("arm64: dts: ti: Add support for J7200 SoC")
+Signed-off-by: Matt Ranostay <mranostay@ti.com>
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Tested-by: Vaishnav Achath <vaishnav.a@ti.com>
+Link: https://lore.kernel.org/r/20220919205723.8342-1-mranostay@ti.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-j7200-common-proc-board.dts | 10 ++++++----
+ arch/arm64/boot/dts/ti/k3-j7200-main.dtsi | 11 ++++++++++-
+ 2 files changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-j7200-common-proc-board.dts b/arch/arm64/boot/dts/ti/k3-j7200-common-proc-board.dts
+index 121975dc8239..7e8552fd2b6a 100644
+--- a/arch/arm64/boot/dts/ti/k3-j7200-common-proc-board.dts
++++ b/arch/arm64/boot/dts/ti/k3-j7200-common-proc-board.dts
+@@ -134,15 +134,17 @@
+ >;
+ };
+
+- main_usbss0_pins_default: main-usbss0-pins-default {
++ vdd_sd_dv_pins_default: vdd-sd-dv-pins-default {
+ pinctrl-single,pins = <
+- J721E_IOPAD(0x120, PIN_OUTPUT, 0) /* (T4) USB0_DRVVBUS */
++ J721E_IOPAD(0xd0, PIN_OUTPUT, 7) /* (T5) SPI0_D1.GPIO0_55 */
+ >;
+ };
++};
+
+- vdd_sd_dv_pins_default: vdd-sd-dv-pins-default {
++&main_pmx1 {
++ main_usbss0_pins_default: main-usbss0-pins-default {
+ pinctrl-single,pins = <
+- J721E_IOPAD(0xd0, PIN_OUTPUT, 7) /* (T5) SPI0_D1.GPIO0_55 */
++ J721E_IOPAD(0x04, PIN_OUTPUT, 0) /* (T4) USB0_DRVVBUS */
+ >;
+ };
+ };
+diff --git a/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi b/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi
+index 16684a2f054d..e12a53f1857f 100644
+--- a/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi
+@@ -295,7 +295,16 @@
+ main_pmx0: pinctrl@11c000 {
+ compatible = "pinctrl-single";
+ /* Proxy 0 addressing */
+- reg = <0x00 0x11c000 0x00 0x2b4>;
++ reg = <0x00 0x11c000 0x00 0x10c>;
++ #pinctrl-cells = <1>;
++ pinctrl-single,register-width = <32>;
++ pinctrl-single,function-mask = <0xffffffff>;
++ };
++
++ main_pmx1: pinctrl@11c11c {
++ compatible = "pinctrl-single";
++ /* Proxy 0 addressing */
++ reg = <0x00 0x11c11c 0x00 0xc>;
+ #pinctrl-cells = <1>;
+ pinctrl-single,register-width = <32>;
+ pinctrl-single,function-mask = <0xffffffff>;
+--
+2.35.1
+
--- /dev/null
+From b6dbe3bd3da7ae3cc28ab6b79c440d73a0abce8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 13:23:18 +0900
+Subject: arm64: dts: uniphier: Add USB-device support for PXs3 reference board
+
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+
+[ Upstream commit 19fee1a1096d21ab1f1e712148b5417bda2939a2 ]
+
+PXs3 reference board can change each USB port 0 and 1 to device mode
+with jumpers. Prepare devicetree sources for USB port 0 and 1.
+
+This specifies dr_mode, pinctrl, and some quirks and removes nodes for
+unused phys and vbus-supply properties.
+
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Link: https://lore.kernel.org/r/20220913042321.4817-8-hayashi.kunihiko@socionext.com'
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/uniphier-pinctrl.dtsi | 10 +++++
+ arch/arm64/boot/dts/socionext/Makefile | 4 +-
+ .../socionext/uniphier-pxs3-ref-gadget0.dts | 41 +++++++++++++++++++
+ .../socionext/uniphier-pxs3-ref-gadget1.dts | 40 ++++++++++++++++++
+ 4 files changed, 94 insertions(+), 1 deletion(-)
+ create mode 100644 arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget0.dts
+ create mode 100644 arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget1.dts
+
+diff --git a/arch/arm/boot/dts/uniphier-pinctrl.dtsi b/arch/arm/boot/dts/uniphier-pinctrl.dtsi
+index c0fd029b37e5..f909ec2e5333 100644
+--- a/arch/arm/boot/dts/uniphier-pinctrl.dtsi
++++ b/arch/arm/boot/dts/uniphier-pinctrl.dtsi
+@@ -196,11 +196,21 @@
+ function = "usb0";
+ };
+
++ pinctrl_usb0_device: usb0-device {
++ groups = "usb0_device";
++ function = "usb0";
++ };
++
+ pinctrl_usb1: usb1 {
+ groups = "usb1";
+ function = "usb1";
+ };
+
++ pinctrl_usb1_device: usb1-device {
++ groups = "usb1_device";
++ function = "usb1";
++ };
++
+ pinctrl_usb2: usb2 {
+ groups = "usb2";
+ function = "usb2";
+diff --git a/arch/arm64/boot/dts/socionext/Makefile b/arch/arm64/boot/dts/socionext/Makefile
+index dda3da33614b..33989a9643ac 100644
+--- a/arch/arm64/boot/dts/socionext/Makefile
++++ b/arch/arm64/boot/dts/socionext/Makefile
+@@ -5,4 +5,6 @@ dtb-$(CONFIG_ARCH_UNIPHIER) += \
+ uniphier-ld20-akebi96.dtb \
+ uniphier-ld20-global.dtb \
+ uniphier-ld20-ref.dtb \
+- uniphier-pxs3-ref.dtb
++ uniphier-pxs3-ref.dtb \
++ uniphier-pxs3-ref-gadget0.dtb \
++ uniphier-pxs3-ref-gadget1.dtb
+diff --git a/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget0.dts b/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget0.dts
+new file mode 100644
+index 000000000000..7069f51bc120
+--- /dev/null
++++ b/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget0.dts
+@@ -0,0 +1,41 @@
++// SPDX-License-Identifier: GPL-2.0-or-later OR MIT
++//
++// Device Tree Source for UniPhier PXs3 Reference Board (for USB-Device #0)
++//
++// Copyright (C) 2021 Socionext Inc.
++// Author: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
++
++/dts-v1/;
++#include "uniphier-pxs3-ref.dts"
++
++/ {
++ model = "UniPhier PXs3 Reference Board (USB-Device #0)";
++};
++
++/* I2C3 pinctrl is shared with USB*VBUSIN */
++&i2c3 {
++ status = "disabled";
++};
++
++&usb0 {
++ status = "okay";
++ dr_mode = "peripheral";
++ pinctrl-0 = <&pinctrl_usb0_device>;
++ snps,dis_enblslpm_quirk;
++ snps,dis_u2_susphy_quirk;
++ snps,dis_u3_susphy_quirk;
++ snps,usb2_gadget_lpm_disable;
++ phy-names = "usb2-phy", "usb3-phy";
++ phys = <&usb0_hsphy0>, <&usb0_ssphy0>;
++};
++
++&usb0_hsphy0 {
++ /delete-property/ vbus-supply;
++};
++
++&usb0_ssphy0 {
++ /delete-property/ vbus-supply;
++};
++
++/delete-node/ &usb0_hsphy1;
++/delete-node/ &usb0_ssphy1;
+diff --git a/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget1.dts b/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget1.dts
+new file mode 100644
+index 000000000000..a3cfa8113ffb
+--- /dev/null
++++ b/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget1.dts
+@@ -0,0 +1,40 @@
++// SPDX-License-Identifier: GPL-2.0-or-later OR MIT
++//
++// Device Tree Source for UniPhier PXs3 Reference Board (for USB-Device #1)
++//
++// Copyright (C) 2021 Socionext Inc.
++// Author: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
++
++/dts-v1/;
++#include "uniphier-pxs3-ref.dts"
++
++/ {
++ model = "UniPhier PXs3 Reference Board (USB-Device #1)";
++};
++
++/* I2C3 pinctrl is shared with USB*VBUSIN */
++&i2c3 {
++ status = "disabled";
++};
++
++&usb1 {
++ status = "okay";
++ dr_mode = "peripheral";
++ pinctrl-0 = <&pinctrl_usb1_device>;
++ snps,dis_enblslpm_quirk;
++ snps,dis_u2_susphy_quirk;
++ snps,dis_u3_susphy_quirk;
++ snps,usb2_gadget_lpm_disable;
++ phy-names = "usb2-phy", "usb3-phy";
++ phys = <&usb1_hsphy0>, <&usb1_ssphy0>;
++};
++
++&usb1_hsphy0 {
++ /delete-property/ vbus-supply;
++};
++
++&usb1_ssphy0 {
++ /delete-property/ vbus-supply;
++};
++
++/delete-node/ &usb1_hsphy1;
+--
+2.35.1
+
--- /dev/null
+From 7c16a74e10b28b5aaa5c405a496cb195046835b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 14:45:25 +0100
+Subject: arm64: ftrace: fix module PLTs with mcount
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 8cfb08575c6d4585f1ce0deeb189e5c824776b04 ]
+
+Li Huafei reports that mcount-based ftrace with module PLTs was broken
+by commit:
+
+ a6253579977e4c6f ("arm64: ftrace: consistently handle PLTs.")
+
+When a module PLTs are used and a module is loaded sufficiently far away
+from the kernel, we'll create PLTs for any branches which are
+out-of-range. These are separate from the special ftrace trampoline
+PLTs, which the module PLT code doesn't directly manipulate.
+
+When mcount is in use this is a problem, as each mcount callsite in a
+module will be initialized to point to a module PLT, but since commit
+a6253579977e4c6f ftrace_make_nop() will assume that the callsite has
+been initialized to point to the special ftrace trampoline PLT, and
+ftrace_find_callable_addr() rejects other cases.
+
+This means that when ftrace tries to initialize a callsite via
+ftrace_make_nop(), the call to ftrace_find_callable_addr() will find
+that the `_mcount` stub is out-of-range and is not handled by the ftrace
+PLT, resulting in a splat:
+
+| ftrace_test: loading out-of-tree module taints kernel.
+| ftrace: no module PLT for _mcount
+| ------------[ ftrace bug ]------------
+| ftrace failed to modify
+| [<ffff800029180014>] 0xffff800029180014
+| actual: 44:00:00:94
+| Initializing ftrace call sites
+| ftrace record flags: 2000000
+| (0)
+| expected tramp: ffff80000802eb3c
+| ------------[ cut here ]------------
+| WARNING: CPU: 3 PID: 157 at kernel/trace/ftrace.c:2120 ftrace_bug+0x94/0x270
+| Modules linked in:
+| CPU: 3 PID: 157 Comm: insmod Tainted: G O 6.0.0-rc6-00151-gcd722513a189-dirty #22
+| Hardware name: linux,dummy-virt (DT)
+| pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+| pc : ftrace_bug+0x94/0x270
+| lr : ftrace_bug+0x21c/0x270
+| sp : ffff80000b2bbaf0
+| x29: ffff80000b2bbaf0 x28: 0000000000000000 x27: ffff0000c4d38000
+| x26: 0000000000000001 x25: ffff800009d7e000 x24: ffff0000c4d86e00
+| x23: 0000000002000000 x22: ffff80000a62b000 x21: ffff8000098ebea8
+| x20: ffff0000c4d38000 x19: ffff80000aa24158 x18: ffffffffffffffff
+| x17: 0000000000000000 x16: 0a0d2d2d2d2d2d2d x15: ffff800009aa9118
+| x14: 0000000000000000 x13: 6333626532303830 x12: 3030303866666666
+| x11: 203a706d61727420 x10: 6465746365707865 x9 : 3362653230383030
+| x8 : c0000000ffffefff x7 : 0000000000017fe8 x6 : 000000000000bff4
+| x5 : 0000000000057fa8 x4 : 0000000000000000 x3 : 0000000000000001
+| x2 : ad2cb14bb5438900 x1 : 0000000000000000 x0 : 0000000000000022
+| Call trace:
+| ftrace_bug+0x94/0x270
+| ftrace_process_locs+0x308/0x430
+| ftrace_module_init+0x44/0x60
+| load_module+0x15b4/0x1ce8
+| __do_sys_init_module+0x1ec/0x238
+| __arm64_sys_init_module+0x24/0x30
+| invoke_syscall+0x54/0x118
+| el0_svc_common.constprop.4+0x84/0x100
+| do_el0_svc+0x3c/0xd0
+| el0_svc+0x1c/0x50
+| el0t_64_sync_handler+0x90/0xb8
+| el0t_64_sync+0x15c/0x160
+| ---[ end trace 0000000000000000 ]---
+| ---------test_init-----------
+
+Fix this by reverting to the old behaviour of ignoring the old
+instruction when initialising an mcount callsite in a module, which was
+the behaviour prior to commit a6253579977e4c6f.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Fixes: a6253579977e ("arm64: ftrace: consistently handle PLTs.")
+Reported-by: Li Huafei <lihuafei1@huawei.com>
+Link: https://lore.kernel.org/linux-arm-kernel/20220929094134.99512-1-lihuafei1@huawei.com
+Cc: Ard Biesheuvel <ardb@kernel.org>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20220929134525.798593-1-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/ftrace.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/ftrace.c b/arch/arm64/kernel/ftrace.c
+index ea5dc7c90f46..b49ba9a24bcc 100644
+--- a/arch/arm64/kernel/ftrace.c
++++ b/arch/arm64/kernel/ftrace.c
+@@ -217,11 +217,26 @@ int ftrace_make_nop(struct module *mod, struct dyn_ftrace *rec,
+ unsigned long pc = rec->ip;
+ u32 old = 0, new;
+
++ new = aarch64_insn_gen_nop();
++
++ /*
++ * When using mcount, callsites in modules may have been initalized to
++ * call an arbitrary module PLT (which redirects to the _mcount stub)
++ * rather than the ftrace PLT we'll use at runtime (which redirects to
++ * the ftrace trampoline). We can ignore the old PLT when initializing
++ * the callsite.
++ *
++ * Note: 'mod' is only set at module load time.
++ */
++ if (!IS_ENABLED(CONFIG_DYNAMIC_FTRACE_WITH_REGS) &&
++ IS_ENABLED(CONFIG_ARM64_MODULE_PLTS) && mod) {
++ return aarch64_insn_patch_text_nosync((void *)pc, new);
++ }
++
+ if (!ftrace_find_callable_addr(rec, mod, &addr))
+ return -EINVAL;
+
+ old = aarch64_insn_gen_branch_imm(pc, addr, AARCH64_INSN_BRANCH_LINK);
+- new = aarch64_insn_gen_nop();
+
+ return ftrace_modify_code(pc, old, new, true);
+ }
+--
+2.35.1
+
--- /dev/null
+From 8b72cc663801f6e97e2b8b4ce7d035ad41a7854d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Aug 2022 20:47:39 +0800
+Subject: arm64: run softirqs on the per-CPU IRQ stack
+
+From: Qi Zheng <zhengqi.arch@bytedance.com>
+
+[ Upstream commit 8eb858c44b98e0326bb32fca34ae671995cd73bb ]
+
+Currently arm64 supports per-CPU IRQ stack, but softirqs
+are still handled in the task context.
+
+Since any call to local_bh_enable() at any level in the task's
+call stack may trigger a softirq processing run, which could
+potentially cause a task stack overflow if the combined stack
+footprints exceed the stack's size, let's run these softirqs
+on the IRQ stack as well.
+
+Signed-off-by: Qi Zheng <zhengqi.arch@bytedance.com>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20220815124739.15948-1-zhengqi.arch@bytedance.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Kconfig | 1 +
+ arch/arm64/kernel/irq.c | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index 3795eb5ba1cd..6bd34a77d4f5 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -230,6 +230,7 @@ config ARM64
+ select HAVE_ARCH_USERFAULTFD_MINOR if USERFAULTFD
+ select TRACE_IRQFLAGS_SUPPORT
+ select TRACE_IRQFLAGS_NMI_SUPPORT
++ select HAVE_SOFTIRQ_ON_OWN_STACK
+ help
+ ARM 64-bit (AArch64) Linux support.
+
+diff --git a/arch/arm64/kernel/irq.c b/arch/arm64/kernel/irq.c
+index bda49430c9ea..38dbd3828f13 100644
+--- a/arch/arm64/kernel/irq.c
++++ b/arch/arm64/kernel/irq.c
+@@ -21,7 +21,9 @@
+ #include <linux/seq_file.h>
+ #include <linux/vmalloc.h>
+ #include <asm/daifflags.h>
++#include <asm/exception.h>
+ #include <asm/vmap_stack.h>
++#include <asm/softirq_stack.h>
+
+ /* Only access this in an NMI enter/exit */
+ DEFINE_PER_CPU(struct nmi_ctx, nmi_contexts);
+@@ -71,6 +73,18 @@ static void init_irq_stacks(void)
+ }
+ #endif
+
++#ifndef CONFIG_PREEMPT_RT
++static void ____do_softirq(struct pt_regs *regs)
++{
++ __do_softirq();
++}
++
++void do_softirq_own_stack(void)
++{
++ call_on_irq_stack(NULL, ____do_softirq);
++}
++#endif
++
+ static void default_handle_irq(struct pt_regs *regs)
+ {
+ panic("IRQ taken without a root IRQ handler\n");
+--
+2.35.1
+
--- /dev/null
+From f08e7e5312f1656fe916ae2d5523da4a0c0eec75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Aug 2022 15:37:56 +0800
+Subject: ASoC: amd: acp: add missing platform_device_unregister() in
+ acp_pci_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 6a4ce20fd776d2fd19ffaf85cf34a53761e2c888 ]
+
+Add missing platform_device_unregister() in error path in acp_pci_probe().
+
+Fixes: c49f5e74a11e ("ASoC: amd: acp: Add error handling cases")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20220819073758.1273160-1-yangyingliang@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/acp/acp-pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/amd/acp/acp-pci.c b/sound/soc/amd/acp/acp-pci.c
+index 2c8e960cc9a6..5bb23ebe1216 100644
+--- a/sound/soc/amd/acp/acp-pci.c
++++ b/sound/soc/amd/acp/acp-pci.c
+@@ -104,6 +104,7 @@ static int acp_pci_probe(struct pci_dev *pci, const struct pci_device_id *pci_id
+ addr = pci_resource_start(pci, 0);
+ chip->base = devm_ioremap(&pci->dev, addr, pci_resource_len(pci, 0));
+ if (!chip->base) {
++ platform_device_unregister(dmic_dev);
+ ret = -ENOMEM;
+ goto release_regions;
+ }
+--
+2.35.1
+
--- /dev/null
+From daeda050ff1d44ece27ded6f610f1ee3dc6445cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 15:14:34 -0500
+Subject: ASoC: amd: yc: Add ASUS UM5302TA into DMI table
+
+From: Xiaoyan Li <lxy.lixiaoyan@gmail.com>
+
+[ Upstream commit 4df5b13dec9e1b5a12db47ee92eb3f7da5c3deb5 ]
+
+ASUS Zenbook S 13 OLED (UM5302TA) needs this quirk to get the built-in
+microphone working properly.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216270
+Signed-off-by: Xiaoyan Li <lxy.lixiaoyan@gmail.com>
+Suggested-by: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://lore.kernel.org/r/20220920201436.19734-2-mario.limonciello@amd.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index e0b24e1daef3..5eab3baf3573 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -171,6 +171,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "21J6"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "UM5302TA"),
++ }
++ },
+ {}
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 16d83b2472718bdcb79ecfb6474c05033483511b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 15:14:35 -0500
+Subject: ASoC: amd: yc: Add Lenovo Yoga Slim 7 Pro X to quirks table
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 2232b2dd8cd4f1e6d554b2c3f6899ce36f791b67 ]
+
+Lenovo Yoga Slim 7 Pro X has an ACP DMIC that isn't specified in the
+ASL or existing quirk list. Add it to the quirk table to let DMIC
+work on these systems.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216299
+Tested-by: Sebastian S <iam@decentr.al>
+Reported-and-tested-by: Travis Glenn Hansen <travisghansen@yahoo.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://lore.kernel.org/r/20220920201436.19734-3-mario.limonciello@amd.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index 5eab3baf3573..2cb50d5cf1a9 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -171,6 +171,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "21J6"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "82"),
++ }
++ },
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+--
+2.35.1
+
--- /dev/null
+From 9cfef11ecd5ce14eb92732a6e0922fef5a659665 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Sep 2022 18:01:05 +0100
+Subject: ASoC: codecs: tx-macro: fix kcontrol put
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit c1057a08af438e0cf5450c1d977a3011198ed2f8 ]
+
+tx_macro_tx_mixer_put() and tx_macro_dec_mode_put() currently returns zero
+eventhough it changes the value.
+Fix this, so that change notifications are sent correctly.
+
+Fixes: d207bdea0ca9 ("ASoC: codecs: lpass-tx-macro: add dapm widgets and route")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20220906170112.1984-6-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/lpass-tx-macro.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c
+index 55503ba480bb..e162a08d9945 100644
+--- a/sound/soc/codecs/lpass-tx-macro.c
++++ b/sound/soc/codecs/lpass-tx-macro.c
+@@ -823,17 +823,23 @@ static int tx_macro_tx_mixer_put(struct snd_kcontrol *kcontrol,
+ struct tx_macro *tx = snd_soc_component_get_drvdata(component);
+
+ if (enable) {
++ if (tx->active_decimator[dai_id] == dec_id)
++ return 0;
++
+ set_bit(dec_id, &tx->active_ch_mask[dai_id]);
+ tx->active_ch_cnt[dai_id]++;
+ tx->active_decimator[dai_id] = dec_id;
+ } else {
++ if (tx->active_decimator[dai_id] == -1)
++ return 0;
++
+ tx->active_ch_cnt[dai_id]--;
+ clear_bit(dec_id, &tx->active_ch_mask[dai_id]);
+ tx->active_decimator[dai_id] = -1;
+ }
+ snd_soc_dapm_mixer_update_power(widget->dapm, kcontrol, enable, update);
+
+- return 0;
++ return 1;
+ }
+
+ static int tx_macro_enable_dec(struct snd_soc_dapm_widget *w,
+@@ -1019,9 +1025,12 @@ static int tx_macro_dec_mode_put(struct snd_kcontrol *kcontrol,
+ int path = e->shift_l;
+ struct tx_macro *tx = snd_soc_component_get_drvdata(component);
+
++ if (tx->dec_mode[path] == value)
++ return 0;
++
+ tx->dec_mode[path] = value;
+
+- return 0;
++ return 1;
+ }
+
+ static int tx_macro_get_bcs(struct snd_kcontrol *kcontrol,
+--
+2.35.1
+
--- /dev/null
+From f8956ac040315468ac5c8dacd91742bbb7ffcf76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 21:44:57 +0200
+Subject: ASoC: da7219: Fix an error handling path in
+ da7219_register_dai_clks()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit abb4e4349afe7eecdb0499582f1c777031e3a7c8 ]
+
+If clk_hw_register() fails, the corresponding clk should not be
+unregistered.
+
+To handle errors from loops, clean up partial iterations before doing the
+goto. So add a clk_hw_unregister().
+Then use a while (--i >= 0) loop in the unwind section.
+
+Fixes: 78013a1cf297 ("ASoC: da7219: Fix clock handling around codec level probe")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/e4acceab57a0d9e477a8d5890a45c5309e553e7c.1663875789.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/da7219.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/da7219.c b/sound/soc/codecs/da7219.c
+index 50ecf30e6136..4746c8700451 100644
+--- a/sound/soc/codecs/da7219.c
++++ b/sound/soc/codecs/da7219.c
+@@ -2196,6 +2196,7 @@ static int da7219_register_dai_clks(struct snd_soc_component *component)
+ dai_clk_lookup = clkdev_hw_create(dai_clk_hw, init.name,
+ "%s", dev_name(dev));
+ if (!dai_clk_lookup) {
++ clk_hw_unregister(dai_clk_hw);
+ ret = -ENOMEM;
+ goto err;
+ } else {
+@@ -2217,12 +2218,12 @@ static int da7219_register_dai_clks(struct snd_soc_component *component)
+ return 0;
+
+ err:
+- do {
++ while (--i >= 0) {
+ if (da7219->dai_clks_lookup[i])
+ clkdev_drop(da7219->dai_clks_lookup[i]);
+
+ clk_hw_unregister(&da7219->dai_clks_hw[i]);
+- } while (i-- > 0);
++ }
+
+ if (np)
+ kfree(da7219->clk_hw_data);
+--
+2.35.1
+
--- /dev/null
+From dfd7430cc91816d875b3df073652594739e6fff3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 11:59:12 +0200
+Subject: ASoC: es8316: fix register sync error in suspend/resume tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit 6de0b0292b548010b09917e8cdfc337a6dcf67ce ]
+
+The SOF CI tests report failures with the following error thrown
+
+kernel: es8316 i2c-ESSX8336:00: Unable to sync registers 0x0-0x1. -121
+
+ES8336 only supports I2C read/write one byte a time, so we do need to
+set the .use_single_read and .use_single_write flags to avoid this
+sync issue.
+
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: FRED OH <fred.oh@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Link: https://lore.kernel.org/r/20220922095912.27010-1-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: e18f6bcf8e86 ("ASoC: wcd-mbhc-v2: Revert "ASoC: wcd-mbhc-v2: use pm_runtime_resume_and_get()"")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/es8316.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/codecs/es8316.c b/sound/soc/codecs/es8316.c
+index de7185f73e1e..10a204255b6a 100644
+--- a/sound/soc/codecs/es8316.c
++++ b/sound/soc/codecs/es8316.c
+@@ -793,6 +793,8 @@ static const struct regmap_access_table es8316_volatile_table = {
+ static const struct regmap_config es8316_regmap = {
+ .reg_bits = 8,
+ .val_bits = 8,
++ .use_single_read = true,
++ .use_single_write = true,
+ .max_register = 0x53,
+ .volatile_table = &es8316_volatile_table,
+ .cache_type = REGCACHE_RBTREE,
+--
+2.35.1
+
--- /dev/null
+From b995eb969f1a31bfb0b8a69e0ebd89916017a668 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Sep 2022 21:43:54 +0800
+Subject: ASoC: eureka-tlv320: Hold reference returned from of_find_xxx API
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit bfb735a3ceff0bab6473bac275da96f9b2a06dec ]
+
+In eukrea_tlv320_probe(), we need to hold the reference returned
+from of_find_compatible_node() which has increased the refcount
+and then call of_node_put() with it when done.
+
+Fixes: 66f232908de2 ("ASoC: eukrea-tlv320: Add DT support.")
+Co-authored-by: Kelin Wang <wangkelin2023@163.com>
+Signed-off-by: Liang He <windhl@126.com>
+Link: https://lore.kernel.org/r/20220914134354.3995587-1-windhl@126.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/eukrea-tlv320.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/fsl/eukrea-tlv320.c b/sound/soc/fsl/eukrea-tlv320.c
+index 8b61582753c8..9af4c4a35eb1 100644
+--- a/sound/soc/fsl/eukrea-tlv320.c
++++ b/sound/soc/fsl/eukrea-tlv320.c
+@@ -86,7 +86,7 @@ static int eukrea_tlv320_probe(struct platform_device *pdev)
+ int ret;
+ int int_port = 0, ext_port;
+ struct device_node *np = pdev->dev.of_node;
+- struct device_node *ssi_np = NULL, *codec_np = NULL;
++ struct device_node *ssi_np = NULL, *codec_np = NULL, *tmp_np = NULL;
+
+ eukrea_tlv320.dev = &pdev->dev;
+ if (np) {
+@@ -143,7 +143,7 @@ static int eukrea_tlv320_probe(struct platform_device *pdev)
+ }
+
+ if (machine_is_eukrea_cpuimx27() ||
+- of_find_compatible_node(NULL, NULL, "fsl,imx21-audmux")) {
++ (tmp_np = of_find_compatible_node(NULL, NULL, "fsl,imx21-audmux"))) {
+ imx_audmux_v1_configure_port(MX27_AUDMUX_HPCR1_SSI0,
+ IMX_AUDMUX_V1_PCR_SYN |
+ IMX_AUDMUX_V1_PCR_TFSDIR |
+@@ -158,10 +158,11 @@ static int eukrea_tlv320_probe(struct platform_device *pdev)
+ IMX_AUDMUX_V1_PCR_SYN |
+ IMX_AUDMUX_V1_PCR_RXDSEL(MX27_AUDMUX_HPCR1_SSI0)
+ );
++ of_node_put(tmp_np);
+ } else if (machine_is_eukrea_cpuimx25sd() ||
+ machine_is_eukrea_cpuimx35sd() ||
+ machine_is_eukrea_cpuimx51sd() ||
+- of_find_compatible_node(NULL, NULL, "fsl,imx31-audmux")) {
++ (tmp_np = of_find_compatible_node(NULL, NULL, "fsl,imx31-audmux"))) {
+ if (!np)
+ ext_port = machine_is_eukrea_cpuimx25sd() ?
+ 4 : 3;
+@@ -178,6 +179,7 @@ static int eukrea_tlv320_probe(struct platform_device *pdev)
+ IMX_AUDMUX_V2_PTCR_SYN,
+ IMX_AUDMUX_V2_PDCR_RXDSEL(int_port)
+ );
++ of_node_put(tmp_np);
+ } else {
+ if (np) {
+ /* The eukrea,asoc-tlv320 driver was explicitly
+--
+2.35.1
+
--- /dev/null
+From 6d1342331321d6028f47cc1101900d1384ab591f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Sep 2022 11:27:23 +0200
+Subject: ASoC: mediatek: mt8195-mt6359: Properly register sound card for SOF
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 64ec924c781ee846bd469be8d1d6bbed78c0f439 ]
+
+Adding a probe callback on this snd_soc_card is required when
+Sound Open Firmware support is desired, as we need to appropriately
+populate the stream_name for SOF to be able to bind widgets.
+Failing to do so will produce errors when applying the SOF topology
+leading to card registration failure (so, no sound).
+While at it, also make sure to fill the topology_shortname as required.
+
+Fixes: 0caf1120c583 ("ASoC: mediatek: mt8195: extract SOF common code")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20220906092727.37324-2-angelogioacchino.delregno@collabora.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/mediatek/mt8195/mt8195-mt6359.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sound/soc/mediatek/mt8195/mt8195-mt6359.c b/sound/soc/mediatek/mt8195/mt8195-mt6359.c
+index c530e3fc27e4..961e769602d6 100644
+--- a/sound/soc/mediatek/mt8195/mt8195-mt6359.c
++++ b/sound/soc/mediatek/mt8195/mt8195-mt6359.c
+@@ -1383,7 +1383,13 @@ static int mt8195_mt6359_dev_probe(struct platform_device *pdev)
+ sof_priv->num_streams = ARRAY_SIZE(g_sof_conn_streams);
+ sof_priv->sof_dai_link_fixup = mt8195_dai_link_fixup;
+ soc_card_data->sof_priv = sof_priv;
++ card->probe = mtk_sof_card_probe;
+ card->late_probe = mtk_sof_card_late_probe;
++ if (!card->topology_shortname_created) {
++ snprintf(card->topology_shortname, 32, "sof-%s", card->name);
++ card->topology_shortname_created = true;
++ }
++ card->name = card->topology_shortname;
+ sof_on = 1;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From aa6694fb95b644d7f205c21d2254f1cb5727e375 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Aug 2022 14:01:26 +0300
+Subject: ASoC: mt6359: fix tests for platform_get_irq() failure
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 51eea3a6fb4d39c2cc71824e6eee5949d7ae4d1c ]
+
+The platform_get_irq() returns negative error codes. It can't actually
+return zero, but if it did that should be treated as success.
+
+Fixes: eef07b9e0925 ("ASoC: mediatek: mt6359: add MT6359 accdet jack driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YvThhr86N3qQM2EO@kili
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/mt6359-accdet.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/mt6359-accdet.c b/sound/soc/codecs/mt6359-accdet.c
+index c190628e2905..7f624854948c 100644
+--- a/sound/soc/codecs/mt6359-accdet.c
++++ b/sound/soc/codecs/mt6359-accdet.c
+@@ -965,7 +965,7 @@ static int mt6359_accdet_probe(struct platform_device *pdev)
+ mutex_init(&priv->res_lock);
+
+ priv->accdet_irq = platform_get_irq(pdev, 0);
+- if (priv->accdet_irq) {
++ if (priv->accdet_irq >= 0) {
+ ret = devm_request_threaded_irq(&pdev->dev, priv->accdet_irq,
+ NULL, mt6359_accdet_irq,
+ IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
+@@ -979,7 +979,7 @@ static int mt6359_accdet_probe(struct platform_device *pdev)
+
+ if (priv->caps & ACCDET_PMIC_EINT0) {
+ priv->accdet_eint0 = platform_get_irq(pdev, 1);
+- if (priv->accdet_eint0) {
++ if (priv->accdet_eint0 >= 0) {
+ ret = devm_request_threaded_irq(&pdev->dev,
+ priv->accdet_eint0,
+ NULL, mt6359_accdet_irq,
+@@ -994,7 +994,7 @@ static int mt6359_accdet_probe(struct platform_device *pdev)
+ }
+ } else if (priv->caps & ACCDET_PMIC_EINT1) {
+ priv->accdet_eint1 = platform_get_irq(pdev, 2);
+- if (priv->accdet_eint1) {
++ if (priv->accdet_eint1 >= 0) {
+ ret = devm_request_threaded_irq(&pdev->dev,
+ priv->accdet_eint1,
+ NULL, mt6359_accdet_irq,
+--
+2.35.1
+
--- /dev/null
+From 65c9db7a4398539f7ad688363c747eb9cd72978d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 00:01:16 +0800
+Subject: ASoC: mt6660: Fix PM disable depth imbalance in mt6660_i2c_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit b73f11e895e140537e7f8c7251211ccd3ce0782b ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context. We fix it by moving
+pm_runtime_enable to the endding of mt6660_i2c_probe.
+
+Fixes:f289e55c6eeb4 ("ASoC: Add MediaTek MT6660 Speaker Amp Driver")
+
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Link: https://lore.kernel.org/r/20220928160116.125020-5-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/mt6660.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/mt6660.c b/sound/soc/codecs/mt6660.c
+index ba11555796ad..45e0df13afb9 100644
+--- a/sound/soc/codecs/mt6660.c
++++ b/sound/soc/codecs/mt6660.c
+@@ -503,13 +503,17 @@ static int mt6660_i2c_probe(struct i2c_client *client)
+ dev_err(chip->dev, "read chip revision fail\n");
+ goto probe_fail;
+ }
+- pm_runtime_set_active(chip->dev);
+- pm_runtime_enable(chip->dev);
+
+ ret = devm_snd_soc_register_component(chip->dev,
+ &mt6660_component_driver,
+ &mt6660_codec_dai, 1);
++ if (!ret) {
++ pm_runtime_set_active(chip->dev);
++ pm_runtime_enable(chip->dev);
++ }
++
+ return ret;
++
+ probe_fail:
+ _mt6660_chip_power_on(chip, 0);
+ mutex_destroy(&chip->io_lock);
+--
+2.35.1
+
--- /dev/null
+From e2915bc10329ba08baf9d54b9dedbf6e2b18b618 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Sep 2022 03:12:34 +0000
+Subject: ASoC: rockchip: i2s: use regmap_read_poll_timeout to poll I2S_CLR
+
+From: Judy Hsiao <judyhsiao@chromium.org>
+
+[ Upstream commit fbb0ec656ee5ee43b4b3022fd8290707265c52df ]
+
+Use regmap_read_poll_timeout to poll I2S_CLR.
+It also fixes the 'rockchip-i2s ff070000.i2s; fail to clear' when
+the read of I2S_CLR exceeds the retry limit.
+
+Fixes: 0ff9f8b9f592 ("ASoC: rockchip: i2s: Fix error code when fail to read I2S_CLR")
+Signed-off-by: Judy Hsiao <judyhsiao@chromium.org>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Link: https://lore.kernel.org/r/20220914031234.2250298-1-judyhsiao@chromium.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/rockchip/rockchip_i2s.c | 41 ++++++++++++-------------------
+ 1 file changed, 16 insertions(+), 25 deletions(-)
+
+diff --git a/sound/soc/rockchip/rockchip_i2s.c b/sound/soc/rockchip/rockchip_i2s.c
+index f5f3540a9e18..28c86f5e435e 100644
+--- a/sound/soc/rockchip/rockchip_i2s.c
++++ b/sound/soc/rockchip/rockchip_i2s.c
+@@ -126,7 +126,6 @@ static inline struct rk_i2s_dev *to_info(struct snd_soc_dai *dai)
+ static int rockchip_snd_txctrl(struct rk_i2s_dev *i2s, int on)
+ {
+ unsigned int val = 0;
+- int retry = 10;
+ int ret = 0;
+
+ spin_lock(&i2s->lock);
+@@ -163,18 +162,14 @@ static int rockchip_snd_txctrl(struct rk_i2s_dev *i2s, int on)
+ I2S_CLR_TXC | I2S_CLR_RXC);
+ if (ret < 0)
+ goto end;
+- regmap_read(i2s->regmap, I2S_CLR, &val);
+-
+- /* Should wait for clear operation to finish */
+- while (val) {
+- regmap_read(i2s->regmap, I2S_CLR, &val);
+- retry--;
+- if (!retry) {
+- dev_warn(i2s->dev, "fail to clear\n");
+- ret = -EBUSY;
+- break;
+- }
+- }
++ ret = regmap_read_poll_timeout(i2s->regmap,
++ I2S_CLR,
++ val,
++ val != 0,
++ 20,
++ 200);
++ if (ret < 0)
++ dev_warn(i2s->dev, "fail to clear: %d\n", ret);
+ }
+ }
+ end:
+@@ -188,7 +183,6 @@ static int rockchip_snd_txctrl(struct rk_i2s_dev *i2s, int on)
+ static int rockchip_snd_rxctrl(struct rk_i2s_dev *i2s, int on)
+ {
+ unsigned int val = 0;
+- int retry = 10;
+ int ret = 0;
+
+ spin_lock(&i2s->lock);
+@@ -226,17 +220,14 @@ static int rockchip_snd_rxctrl(struct rk_i2s_dev *i2s, int on)
+ I2S_CLR_TXC | I2S_CLR_RXC);
+ if (ret < 0)
+ goto end;
+- regmap_read(i2s->regmap, I2S_CLR, &val);
+- /* Should wait for clear operation to finish */
+- while (val) {
+- regmap_read(i2s->regmap, I2S_CLR, &val);
+- retry--;
+- if (!retry) {
+- dev_warn(i2s->dev, "fail to clear\n");
+- ret = -EBUSY;
+- break;
+- }
+- }
++ ret = regmap_read_poll_timeout(i2s->regmap,
++ I2S_CLR,
++ val,
++ val != 0,
++ 20,
++ 200);
++ if (ret < 0)
++ dev_warn(i2s->dev, "fail to clear: %d\n", ret);
+ }
+ }
+ end:
+--
+2.35.1
+
--- /dev/null
+From 25f431669651eba09e30bd4bdbe00d844d23d065 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 15:15:46 +0000
+Subject: ASoC: rockchip: i2s: use regmap_read_poll_timeout_atomic to poll
+ I2S_CLR
+
+From: Judy Hsiao <judyhsiao@chromium.org>
+
+[ Upstream commit f0c8d7468af0001b80b0c86802ee28063f800987 ]
+
+1. Uses regmap_read_poll_timeout_atomic to poll I2S_CLR as it is called
+ within a spin lock.
+
+2. Fixes the typo of break condition in regmap_read_poll_timeout_atomic.
+
+Fixes: fbb0ec656ee5 ("ASoC: rockchip: i2s: use regmap_read_poll_timeout to poll I2S_CLR")
+Signed-off-by: Judy Hsiao <judyhsiao@chromium.org>
+Link: https://lore.kernel.org/r/20220930151546.2017667-1-judyhsiao@chromium.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/rockchip/rockchip_i2s.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/sound/soc/rockchip/rockchip_i2s.c b/sound/soc/rockchip/rockchip_i2s.c
+index 28c86f5e435e..a8758ad68442 100644
+--- a/sound/soc/rockchip/rockchip_i2s.c
++++ b/sound/soc/rockchip/rockchip_i2s.c
+@@ -162,12 +162,12 @@ static int rockchip_snd_txctrl(struct rk_i2s_dev *i2s, int on)
+ I2S_CLR_TXC | I2S_CLR_RXC);
+ if (ret < 0)
+ goto end;
+- ret = regmap_read_poll_timeout(i2s->regmap,
+- I2S_CLR,
+- val,
+- val != 0,
+- 20,
+- 200);
++ ret = regmap_read_poll_timeout_atomic(i2s->regmap,
++ I2S_CLR,
++ val,
++ val == 0,
++ 20,
++ 200);
+ if (ret < 0)
+ dev_warn(i2s->dev, "fail to clear: %d\n", ret);
+ }
+@@ -220,12 +220,12 @@ static int rockchip_snd_rxctrl(struct rk_i2s_dev *i2s, int on)
+ I2S_CLR_TXC | I2S_CLR_RXC);
+ if (ret < 0)
+ goto end;
+- ret = regmap_read_poll_timeout(i2s->regmap,
+- I2S_CLR,
+- val,
+- val != 0,
+- 20,
+- 200);
++ ret = regmap_read_poll_timeout_atomic(i2s->regmap,
++ I2S_CLR,
++ val,
++ val == 0,
++ 20,
++ 200);
+ if (ret < 0)
+ dev_warn(i2s->dev, "fail to clear: %d\n", ret);
+ }
+--
+2.35.1
+
--- /dev/null
+From 3e26d4a2801b3e27c0176174f936409eac20b4c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 09:30:30 +0800
+Subject: ASoC: rsnd: Add check for rsnd_mod_power_on
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 376be51caf8871419bbcbb755e1e615d30dc3153 ]
+
+As rsnd_mod_power_on() can return negative numbers,
+it should be better to check the return value and
+deal with the exception.
+
+Fixes: e7d850dd10f4 ("ASoC: rsnd: use mod base common method on SSI-parent")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/20220902013030.3691266-1-jiasheng@iscas.ac.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sh/rcar/ctu.c | 6 +++++-
+ sound/soc/sh/rcar/dvc.c | 6 +++++-
+ sound/soc/sh/rcar/mix.c | 6 +++++-
+ sound/soc/sh/rcar/src.c | 5 ++++-
+ sound/soc/sh/rcar/ssi.c | 4 +++-
+ 5 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/sound/soc/sh/rcar/ctu.c b/sound/soc/sh/rcar/ctu.c
+index 6156445bcb69..e39eb2ac7e95 100644
+--- a/sound/soc/sh/rcar/ctu.c
++++ b/sound/soc/sh/rcar/ctu.c
+@@ -171,7 +171,11 @@ static int rsnd_ctu_init(struct rsnd_mod *mod,
+ struct rsnd_dai_stream *io,
+ struct rsnd_priv *priv)
+ {
+- rsnd_mod_power_on(mod);
++ int ret;
++
++ ret = rsnd_mod_power_on(mod);
++ if (ret < 0)
++ return ret;
+
+ rsnd_ctu_activation(mod);
+
+diff --git a/sound/soc/sh/rcar/dvc.c b/sound/soc/sh/rcar/dvc.c
+index 5137e03a9d7c..16befcbc312c 100644
+--- a/sound/soc/sh/rcar/dvc.c
++++ b/sound/soc/sh/rcar/dvc.c
+@@ -186,7 +186,11 @@ static int rsnd_dvc_init(struct rsnd_mod *mod,
+ struct rsnd_dai_stream *io,
+ struct rsnd_priv *priv)
+ {
+- rsnd_mod_power_on(mod);
++ int ret;
++
++ ret = rsnd_mod_power_on(mod);
++ if (ret < 0)
++ return ret;
+
+ rsnd_dvc_activation(mod);
+
+diff --git a/sound/soc/sh/rcar/mix.c b/sound/soc/sh/rcar/mix.c
+index 3572c2c5686c..1de0e085804c 100644
+--- a/sound/soc/sh/rcar/mix.c
++++ b/sound/soc/sh/rcar/mix.c
+@@ -146,7 +146,11 @@ static int rsnd_mix_init(struct rsnd_mod *mod,
+ struct rsnd_dai_stream *io,
+ struct rsnd_priv *priv)
+ {
+- rsnd_mod_power_on(mod);
++ int ret;
++
++ ret = rsnd_mod_power_on(mod);
++ if (ret < 0)
++ return ret;
+
+ rsnd_mix_activation(mod);
+
+diff --git a/sound/soc/sh/rcar/src.c b/sound/soc/sh/rcar/src.c
+index 0ea84ae57c6a..f832165e46bc 100644
+--- a/sound/soc/sh/rcar/src.c
++++ b/sound/soc/sh/rcar/src.c
+@@ -463,11 +463,14 @@ static int rsnd_src_init(struct rsnd_mod *mod,
+ struct rsnd_priv *priv)
+ {
+ struct rsnd_src *src = rsnd_mod_to_src(mod);
++ int ret;
+
+ /* reset sync convert_rate */
+ src->sync.val = 0;
+
+- rsnd_mod_power_on(mod);
++ ret = rsnd_mod_power_on(mod);
++ if (ret < 0)
++ return ret;
+
+ rsnd_src_activation(mod);
+
+diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c
+index 43c5e27dc5c8..7ade6c5ed96f 100644
+--- a/sound/soc/sh/rcar/ssi.c
++++ b/sound/soc/sh/rcar/ssi.c
+@@ -480,7 +480,9 @@ static int rsnd_ssi_init(struct rsnd_mod *mod,
+
+ ssi->usrcnt++;
+
+- rsnd_mod_power_on(mod);
++ ret = rsnd_mod_power_on(mod);
++ if (ret < 0)
++ return ret;
+
+ rsnd_ssi_config_init(mod, io);
+
+--
+2.35.1
+
--- /dev/null
+From b08a080294fddd40155e56f004736ceeec1e534c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Aug 2022 02:35:32 +0000
+Subject: ASoC: soc-pcm.c: call __soc_pcm_close() in soc_pcm_close()
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit 6bbabd28805f36baf6d0f3eb082db032a638f612 ]
+
+commit b7898396f4bbe16 ("ASoC: soc-pcm: Fix and cleanup DPCM locking")
+added __soc_pcm_close() for non-lock version of soc_pcm_close().
+But soc_pcm_close() is not using it. It is no problem, but confusable.
+
+ static int __soc_pcm_close(...)
+ {
+=> return soc_pcm_clean(rtd, substream, 0);
+ }
+
+ static int soc_pcm_close(...)
+ {
+ ...
+ snd_soc_dpcm_mutex_lock(rtd);
+=> soc_pcm_clean(rtd, substream, 0);
+ snd_soc_dpcm_mutex_unlock(rtd);
+ return 0;
+ }
+
+This patch use it.
+
+Fixes: b7898396f4bbe16 ("ASoC: soc-pcm: Fix and cleanup DPCM locking")
+Cc: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/87czctgg3w.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-pcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
+index 4f60c0a83311..4d9b91e7e14f 100644
+--- a/sound/soc/soc-pcm.c
++++ b/sound/soc/soc-pcm.c
+@@ -723,7 +723,7 @@ static int soc_pcm_close(struct snd_pcm_substream *substream)
+ struct snd_soc_pcm_runtime *rtd = asoc_substream_to_rtd(substream);
+
+ snd_soc_dpcm_mutex_lock(rtd);
+- soc_pcm_clean(rtd, substream, 0);
++ __soc_pcm_close(rtd, substream);
+ snd_soc_dpcm_mutex_unlock(rtd);
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 45131003d9ae905cecc28d1e6e555257307539d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 13:53:48 +0200
+Subject: ASoC: SOF: add quirk to override topology mclk_id
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit d136949dd8e2e309dc2f186507486b71cbe9acdb ]
+
+Some Intel-based platforms rely on a topology file that hard-codes the
+use of MCLK0. This is incorrect in 10% of the cases. Rather than
+generating yet another set of topology files, this patch adds a kernel
+module parameter to override the topology value.
+
+In hindsight, we should never have allowed mclks to be specified in
+topology, this is a hardware-level information that should not have
+been visible in the topology.
+
+Future patches will try to set this value automagically, e.g. by
+parsing the NHLT content.
+
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Link: https://lore.kernel.org/r/20220919115350.43104-3-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/intel/hda.c | 11 +++++++++++
+ sound/soc/sof/ipc3-topology.c | 7 +++++++
+ sound/soc/sof/sof-priv.h | 4 ++++
+ 3 files changed, 22 insertions(+)
+
+diff --git a/sound/soc/sof/intel/hda.c b/sound/soc/sof/intel/hda.c
+index 6d4ecbe14adf..ada2e6775749 100644
+--- a/sound/soc/sof/intel/hda.c
++++ b/sound/soc/sof/intel/hda.c
+@@ -376,6 +376,10 @@ static int dmic_num_override = -1;
+ module_param_named(dmic_num, dmic_num_override, int, 0444);
+ MODULE_PARM_DESC(dmic_num, "SOF HDA DMIC number");
+
++static int mclk_id_override = -1;
++module_param_named(mclk_id, mclk_id_override, int, 0444);
++MODULE_PARM_DESC(mclk_id, "SOF SSP mclk_id");
++
+ #if IS_ENABLED(CONFIG_SND_SOC_SOF_HDA)
+ static bool hda_codec_use_common_hdmi = IS_ENABLED(CONFIG_SND_HDA_CODEC_HDMI);
+ module_param_named(use_common_hdmi, hda_codec_use_common_hdmi, bool, 0444);
+@@ -1565,6 +1569,13 @@ struct snd_soc_acpi_mach *hda_machine_select(struct snd_sof_dev *sdev)
+
+ sof_pdata->tplg_filename = tplg_filename;
+ }
++
++ /* check if mclk_id should be modified from topology defaults */
++ if (mclk_id_override >= 0) {
++ dev_info(sdev->dev, "Overriding topology with MCLK %d from kernel_parameter\n", mclk_id_override);
++ sdev->mclk_id_override = true;
++ sdev->mclk_id_quirk = mclk_id_override;
++ }
+ }
+
+ /*
+diff --git a/sound/soc/sof/ipc3-topology.c b/sound/soc/sof/ipc3-topology.c
+index 65923e7a5976..a39b43850f0e 100644
+--- a/sound/soc/sof/ipc3-topology.c
++++ b/sound/soc/sof/ipc3-topology.c
+@@ -1249,6 +1249,7 @@ static int sof_link_afe_load(struct snd_soc_component *scomp, struct snd_sof_dai
+ static int sof_link_ssp_load(struct snd_soc_component *scomp, struct snd_sof_dai_link *slink,
+ struct sof_ipc_dai_config *config, struct snd_sof_dai *dai)
+ {
++ struct snd_sof_dev *sdev = snd_soc_component_get_drvdata(scomp);
+ struct snd_soc_tplg_hw_config *hw_config = slink->hw_configs;
+ struct sof_dai_private_data *private = dai->private;
+ u32 size = sizeof(*config);
+@@ -1273,6 +1274,12 @@ static int sof_link_ssp_load(struct snd_soc_component *scomp, struct snd_sof_dai
+
+ config[i].hdr.size = size;
+
++ if (sdev->mclk_id_override) {
++ dev_dbg(scomp->dev, "tplg: overriding topology mclk_id %d by quirk %d\n",
++ config[i].ssp.mclk_id, sdev->mclk_id_quirk);
++ config[i].ssp.mclk_id = sdev->mclk_id_quirk;
++ }
++
+ /* copy differentiating hw configs to ipc structs */
+ config[i].ssp.mclk_rate = le32_to_cpu(hw_config[i].mclk_rate);
+ config[i].ssp.bclk_rate = le32_to_cpu(hw_config[i].bclk_rate);
+diff --git a/sound/soc/sof/sof-priv.h b/sound/soc/sof/sof-priv.h
+index 823583086279..828c74bb75f8 100644
+--- a/sound/soc/sof/sof-priv.h
++++ b/sound/soc/sof/sof-priv.h
+@@ -594,6 +594,10 @@ struct snd_sof_dev {
+ /* to protect the ipc_rx_handler_list and dsp_state_handler_list list */
+ struct mutex client_event_handler_mutex;
+
++ /* quirks to override topology values */
++ bool mclk_id_override;
++ u16 mclk_id_quirk; /* same size as in IPC3 definitions */
++
+ void *private; /* core does not touch this */
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 3fe692642d2609b8bab064bc229368ec0535e0b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 14:27:51 +0300
+Subject: ASoC: SOF: ipc4-topology: Free the ida when IPC fails in
+ sof_ipc4_widget_setup()
+
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+
+[ Upstream commit 61eb0add28023119773d6aab8f402e149473920c ]
+
+The allocated ida needs to be freed up if the IPC message fails since
+next time when we try again to set up the widget we are going to try to
+allocate another ID and given enough tries, we are going to run out of
+unique IDs.
+
+Fixes: 711d0427c713 ("ASoC: SOF: ipc4-topology: move ida allocate/free to widget_setup/free")
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20220921112751.9253-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/ipc4-topology.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c
+index 64929dc9af39..340d92452d7c 100644
+--- a/sound/soc/sof/ipc4-topology.c
++++ b/sound/soc/sof/ipc4-topology.c
+@@ -1544,9 +1544,16 @@ static int sof_ipc4_widget_setup(struct snd_sof_dev *sdev, struct snd_sof_widget
+ msg->data_ptr = ipc_data;
+
+ ret = sof_ipc_tx_message(sdev->ipc, msg, ipc_size, NULL, 0);
+- if (ret < 0)
++ if (ret < 0) {
+ dev_err(sdev->dev, "failed to create module %s\n", swidget->widget->name);
+
++ if (swidget->id != snd_soc_dapm_scheduler) {
++ struct sof_ipc4_fw_module *fw_module = swidget->module_info;
++
++ ida_free(&fw_module->m_ida, swidget->instance_id);
++ }
++ }
++
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 0b29bea6d5e2556c12f6748a7bcaa5ffa6d4b2b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Sep 2022 11:27:24 +0200
+Subject: ASoC: SOF: mediatek: mt8195: Import namespace SND_SOC_SOF_MTK_COMMON
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 404bec4c8f6c38ae5fa208344f1086d38026e93d ]
+
+Here we're using function mtk_adsp_dump() from mtk-adsp-common:
+explicitly import its namespace.
+
+Fixes: 3a054f90e955 ("ASoC: SOF: mediatek: Add mt8195 debug dump")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20220906092727.37324-3-angelogioacchino.delregno@collabora.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/mediatek/mt8195/mt8195.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/sof/mediatek/mt8195/mt8195.c b/sound/soc/sof/mediatek/mt8195/mt8195.c
+index 9c146015cd1b..ff575de7e46a 100644
+--- a/sound/soc/sof/mediatek/mt8195/mt8195.c
++++ b/sound/soc/sof/mediatek/mt8195/mt8195.c
+@@ -652,4 +652,5 @@ static struct platform_driver snd_sof_of_mt8195_driver = {
+ module_platform_driver(snd_sof_of_mt8195_driver);
+
+ MODULE_IMPORT_NS(SND_SOC_SOF_XTENSA);
++MODULE_IMPORT_NS(SND_SOC_SOF_MTK_COMMON);
+ MODULE_LICENSE("Dual BSD/GPL");
+--
+2.35.1
+
--- /dev/null
+From ad23f7c269df791f4a2c4d8c9c1acc632b79aafe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 13:44:29 +0200
+Subject: ASoC: SOF: pci: Change DMI match info to support all Chrome platforms
+
+From: Jairaj Arava <jairaj.arava@intel.com>
+
+[ Upstream commit c1c1fc8103f794a10c5c15e3c17879caf4f42c8f ]
+
+In some Chrome platforms if OEM's use their own string as SYS_VENDOR than
+"Google", it leads to firmware load failure from intel/sof/community path.
+
+Hence, changing SYS_VENDOR to PRODUCT_FAMILY in which "Google" is used
+as common prefix and is supported in all Chrome platforms.
+
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Chao Song <chao.song@intel.com>
+Reviewed-by: Curtis Malainey <curtis@malainey.com>
+Signed-off-by: Jairaj Arava <jairaj.arava@intel.com>
+Signed-off-by: Curtis Malainey <cujomalainey@chromium.org>
+Signed-off-by: Sathyanarayana Nujella <sathyanarayana.nujella@intel.com>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20220919114429.42700-1-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/sof-pci-dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/sof-pci-dev.c b/sound/soc/sof/sof-pci-dev.c
+index d627092b399d..643fd1036d60 100644
+--- a/sound/soc/sof/sof-pci-dev.c
++++ b/sound/soc/sof/sof-pci-dev.c
+@@ -138,7 +138,7 @@ static const struct dmi_system_id community_key_platforms[] = {
+ .ident = "Google Chromebooks",
+ .callback = chromebook_use_community_key,
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Google"),
++ DMI_MATCH(DMI_PRODUCT_FAMILY, "Google"),
+ }
+ },
+ {},
+--
+2.35.1
+
--- /dev/null
+From 398d015df7c0fbd692e62451610a08d7c7215038 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 22:26:40 +0800
+Subject: ASoC: stm: Fix PM disable depth imbalance in stm32_i2s_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 93618e5e05a3ce4aa6750268c5025bdb4cb7dc6e ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context. We fix it by moving
+pm_runtime_enable to the endding of stm32_i2s_probe.
+
+Fixes:32a956a1fadf ("ASoC: stm32: i2s: add pm_runtime support")
+
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Reviewed-by: Olivier Moysan <olivier.moysan@foss.st.com>
+Link: https://lore.kernel.org/r/20220927142640.64647-1-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/stm/stm32_i2s.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/stm/stm32_i2s.c b/sound/soc/stm/stm32_i2s.c
+index 6aafe793eec4..ce7f6942308f 100644
+--- a/sound/soc/stm/stm32_i2s.c
++++ b/sound/soc/stm/stm32_i2s.c
+@@ -1136,8 +1136,6 @@ static int stm32_i2s_probe(struct platform_device *pdev)
+ return dev_err_probe(&pdev->dev, PTR_ERR(i2s->regmap),
+ "Regmap init error\n");
+
+- pm_runtime_enable(&pdev->dev);
+-
+ ret = snd_dmaengine_pcm_register(&pdev->dev, &stm32_i2s_pcm_config, 0);
+ if (ret)
+ return dev_err_probe(&pdev->dev, ret, "PCM DMA register error\n");
+@@ -1180,6 +1178,8 @@ static int stm32_i2s_probe(struct platform_device *pdev)
+ FIELD_GET(I2S_VERR_MIN_MASK, val));
+ }
+
++ pm_runtime_enable(&pdev->dev);
++
+ return ret;
+
+ error:
+--
+2.35.1
+
--- /dev/null
+From 899f8e4b3f3f1f7ae3174ea85976b72e52540435 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 22:26:00 +0800
+Subject: ASoC: stm32: dfsdm: Fix PM disable depth imbalance in
+ stm32_adfsdm_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit b9a0da5b2edcae2a901b85c8cc42efc5bec4bd7b ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context. We fix it by moving
+pm_runtime_enable to the endding of stm32_adfsdm_probe.
+
+Fixes:98e500a12f934 ("ASoC: stm32: dfsdm: add pm_runtime support for audio")
+
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Reviewed-by: Olivier Moysan <olivier.moysan@foss.st.com>
+Link: https://lore.kernel.org/r/20220927142601.64266-2-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/stm/stm32_adfsdm.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/stm/stm32_adfsdm.c b/sound/soc/stm/stm32_adfsdm.c
+index 04f2912e1418..643fc8a17018 100644
+--- a/sound/soc/stm/stm32_adfsdm.c
++++ b/sound/soc/stm/stm32_adfsdm.c
+@@ -335,8 +335,6 @@ static int stm32_adfsdm_probe(struct platform_device *pdev)
+
+ dev_set_drvdata(&pdev->dev, priv);
+
+- pm_runtime_enable(&pdev->dev);
+-
+ ret = devm_snd_soc_register_component(&pdev->dev,
+ &stm32_adfsdm_dai_component,
+ &priv->dai_drv, 1);
+@@ -366,9 +364,13 @@ static int stm32_adfsdm_probe(struct platform_device *pdev)
+ #endif
+
+ ret = snd_soc_add_component(component, NULL, 0);
+- if (ret < 0)
++ if (ret < 0) {
+ dev_err(&pdev->dev, "%s: Failed to register PCM platform\n",
+ __func__);
++ return ret;
++ }
++
++ pm_runtime_enable(&pdev->dev);
+
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From 23cab2a564e73f30fb9ab968ecf8ba685dd550bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 22:26:01 +0800
+Subject: ASoC: stm32: spdifrx: Fix PM disable depth imbalance in
+ stm32_spdifrx_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 0325cc0ac7980e1c7b744aab8df59afab6daeb43 ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context. We fix it by moving
+pm_runtime_enable to the endding of stm32_spdifrx_probe.
+
+Fixes:ac5e3efd55868 ("ASoC: stm32: spdifrx: add pm_runtime support")
+
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Reviewed-by: Olivier Moysan <olivier.moysan@foss.st.com>
+Link: https://lore.kernel.org/r/20220927142601.64266-3-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/stm/stm32_spdifrx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/stm/stm32_spdifrx.c b/sound/soc/stm/stm32_spdifrx.c
+index 0f7146756717..d399c906bb92 100644
+--- a/sound/soc/stm/stm32_spdifrx.c
++++ b/sound/soc/stm/stm32_spdifrx.c
+@@ -1002,8 +1002,6 @@ static int stm32_spdifrx_probe(struct platform_device *pdev)
+ udelay(2);
+ reset_control_deassert(rst);
+
+- pm_runtime_enable(&pdev->dev);
+-
+ pcm_config = &stm32_spdifrx_pcm_config;
+ ret = snd_dmaengine_pcm_register(&pdev->dev, pcm_config, 0);
+ if (ret)
+@@ -1036,6 +1034,8 @@ static int stm32_spdifrx_probe(struct platform_device *pdev)
+ FIELD_GET(SPDIFRX_VERR_MIN_MASK, ver));
+ }
+
++ pm_runtime_enable(&pdev->dev);
++
+ return ret;
+
+ error:
+--
+2.35.1
+
--- /dev/null
+From 45fec26e20948967042c9157a8a6c5ce84c78ea8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Sep 2022 00:22:55 +0300
+Subject: ASoC: sunxi: sun4i-codec: set debugfs_prefix for CPU DAI component
+
+From: Mikhail Rudenko <mike.rudenko@gmail.com>
+
+[ Upstream commit 717a8ff20f32792d6a94f2883e771482c37d844b ]
+
+At present, succesfull probing of H3 Codec results in an error
+
+ debugfs: Directory '1c22c00.codec' with parent 'H3 Audio Codec' already present!
+
+This is caused by a directory name conflict between codec
+components. Fix it by setting debugfs_prefix for the CPU DAI
+component.
+
+Signed-off-by: Mikhail Rudenko <mike.rudenko@gmail.com>
+Link: https://lore.kernel.org/r/20220913212256.151799-2-mike.rudenko@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sunxi/sun4i-codec.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/sunxi/sun4i-codec.c b/sound/soc/sunxi/sun4i-codec.c
+index 830beb38bf15..fdf3165acd70 100644
+--- a/sound/soc/sunxi/sun4i-codec.c
++++ b/sound/soc/sunxi/sun4i-codec.c
+@@ -1232,6 +1232,9 @@ static const struct snd_soc_component_driver sun8i_a23_codec_codec = {
+ static const struct snd_soc_component_driver sun4i_codec_component = {
+ .name = "sun4i-codec",
+ .legacy_dai_naming = 1,
++#ifdef CONFIG_DEBUG_FS
++ .debugfs_prefix = "cpu",
++#endif
+ };
+
+ #define SUN4I_CODEC_RATES SNDRV_PCM_RATE_CONTINUOUS
+--
+2.35.1
+
--- /dev/null
+From 8d3d3cf16d06449f9f4c8fe61bad05529e6c3ffb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 16:02:37 +0200
+Subject: ASoC: tas2764: Allow mono streams
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Povišer <povik+lin@cutebit.org>
+
+[ Upstream commit 23204d928a27146d13e11c9383632775345ecca8 ]
+
+The part is a mono speaker amp, but it can do downmix and switch between
+left and right channel, so the right channel range is 1 to 2.
+
+(This mirrors commit bf54d97a835d ("ASoC: tas2770: Allow mono streams")
+which was a fix to the tas2770 driver.)
+
+Fixes: 827ed8a0fa50 ("ASoC: tas2764: Add the driver for the TAS2764")
+Signed-off-by: Martin Povišer <povik+lin@cutebit.org>
+Link: https://lore.kernel.org/r/20220825140241.53963-2-povik+lin@cutebit.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tas2764.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/tas2764.c b/sound/soc/codecs/tas2764.c
+index 846d9d3ecc9d..0df5d975c3c9 100644
+--- a/sound/soc/codecs/tas2764.c
++++ b/sound/soc/codecs/tas2764.c
+@@ -485,7 +485,7 @@ static struct snd_soc_dai_driver tas2764_dai_driver[] = {
+ .id = 0,
+ .playback = {
+ .stream_name = "ASI1 Playback",
+- .channels_min = 2,
++ .channels_min = 1,
+ .channels_max = 2,
+ .rates = TAS2764_RATES,
+ .formats = TAS2764_FORMATS,
+--
+2.35.1
+
--- /dev/null
+From 0158913cefdbc67853b12d2bac4bfc6e8ed305a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 16:02:38 +0200
+Subject: ASoC: tas2764: Drop conflicting set_bias_level power setting
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Povišer <povik+lin@cutebit.org>
+
+[ Upstream commit 09273f38832406db19a8907a934687cc10660a6b ]
+
+The driver is setting the PWR_CTRL field in both the set_bias_level
+callback and on DAPM events of the DAC widget (and also in the
+mute_stream method). Drop the set_bias_level callback altogether as the
+power setting it does is in conflict with the other code paths.
+
+(This mirrors commit c8a6ae3fe1c8 ("ASoC: tas2770: Drop conflicting
+set_bias_level power setting") which was a fix to the tas2770 driver.)
+
+Fixes: 827ed8a0fa50 ("ASoC: tas2764: Add the driver for the TAS2764")
+Signed-off-by: Martin Povišer <povik+lin@cutebit.org>
+Link: https://lore.kernel.org/r/20220825140241.53963-3-povik+lin@cutebit.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tas2764.c | 33 ---------------------------------
+ 1 file changed, 33 deletions(-)
+
+diff --git a/sound/soc/codecs/tas2764.c b/sound/soc/codecs/tas2764.c
+index 0df5d975c3c9..f4ac6edefdc0 100644
+--- a/sound/soc/codecs/tas2764.c
++++ b/sound/soc/codecs/tas2764.c
+@@ -50,38 +50,6 @@ static void tas2764_reset(struct tas2764_priv *tas2764)
+ usleep_range(1000, 2000);
+ }
+
+-static int tas2764_set_bias_level(struct snd_soc_component *component,
+- enum snd_soc_bias_level level)
+-{
+- struct tas2764_priv *tas2764 = snd_soc_component_get_drvdata(component);
+-
+- switch (level) {
+- case SND_SOC_BIAS_ON:
+- snd_soc_component_update_bits(component, TAS2764_PWR_CTRL,
+- TAS2764_PWR_CTRL_MASK,
+- TAS2764_PWR_CTRL_ACTIVE);
+- break;
+- case SND_SOC_BIAS_STANDBY:
+- case SND_SOC_BIAS_PREPARE:
+- snd_soc_component_update_bits(component, TAS2764_PWR_CTRL,
+- TAS2764_PWR_CTRL_MASK,
+- TAS2764_PWR_CTRL_MUTE);
+- break;
+- case SND_SOC_BIAS_OFF:
+- snd_soc_component_update_bits(component, TAS2764_PWR_CTRL,
+- TAS2764_PWR_CTRL_MASK,
+- TAS2764_PWR_CTRL_SHUTDOWN);
+- break;
+-
+- default:
+- dev_err(tas2764->dev,
+- "wrong power level setting %d\n", level);
+- return -EINVAL;
+- }
+-
+- return 0;
+-}
+-
+ #ifdef CONFIG_PM
+ static int tas2764_codec_suspend(struct snd_soc_component *component)
+ {
+@@ -549,7 +517,6 @@ static const struct snd_soc_component_driver soc_component_driver_tas2764 = {
+ .probe = tas2764_codec_probe,
+ .suspend = tas2764_codec_suspend,
+ .resume = tas2764_codec_resume,
+- .set_bias_level = tas2764_set_bias_level,
+ .controls = tas2764_snd_controls,
+ .num_controls = ARRAY_SIZE(tas2764_snd_controls),
+ .dapm_widgets = tas2764_dapm_widgets,
+--
+2.35.1
+
--- /dev/null
+From f8b8fba257cc7b6485c12646eb7996cb35f70b60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 16:02:39 +0200
+Subject: ASoC: tas2764: Fix mute/unmute
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Povišer <povik+lin@cutebit.org>
+
+[ Upstream commit f5ad67f13623548e5aff847f89700c178aaf2a98 ]
+
+Because the PWR_CTRL field is modeled as the power state of the DAC
+widget, and at the same time it is used to implement mute/unmute, we
+need some additional book-keeping to have the right end result no matter
+the sequence of calls. Without this fix, one permanently mutes an
+ongoing stream by toggling the associated speaker pin control.
+
+(This mirrors commit 1e5907bcb3a3 ("ASoC: tas2770: Fix handling of
+mute/unmute") which was a fix to the tas2770 driver.)
+
+Fixes: 827ed8a0fa50 ("ASoC: tas2764: Add the driver for the TAS2764")
+Signed-off-by: Martin Povišer <povik+lin@cutebit.org>
+Link: https://lore.kernel.org/r/20220825140241.53963-4-povik+lin@cutebit.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tas2764.c | 57 +++++++++++++++++++++-----------------
+ 1 file changed, 32 insertions(+), 25 deletions(-)
+
+diff --git a/sound/soc/codecs/tas2764.c b/sound/soc/codecs/tas2764.c
+index f4ac6edefdc0..39902f77a2e0 100644
+--- a/sound/soc/codecs/tas2764.c
++++ b/sound/soc/codecs/tas2764.c
+@@ -34,6 +34,9 @@ struct tas2764_priv {
+
+ int v_sense_slot;
+ int i_sense_slot;
++
++ bool dac_powered;
++ bool unmuted;
+ };
+
+ static void tas2764_reset(struct tas2764_priv *tas2764)
+@@ -50,6 +53,26 @@ static void tas2764_reset(struct tas2764_priv *tas2764)
+ usleep_range(1000, 2000);
+ }
+
++static int tas2764_update_pwr_ctrl(struct tas2764_priv *tas2764)
++{
++ struct snd_soc_component *component = tas2764->component;
++ unsigned int val;
++ int ret;
++
++ if (tas2764->dac_powered)
++ val = tas2764->unmuted ?
++ TAS2764_PWR_CTRL_ACTIVE : TAS2764_PWR_CTRL_MUTE;
++ else
++ val = TAS2764_PWR_CTRL_SHUTDOWN;
++
++ ret = snd_soc_component_update_bits(component, TAS2764_PWR_CTRL,
++ TAS2764_PWR_CTRL_MASK, val);
++ if (ret < 0)
++ return ret;
++
++ return 0;
++}
++
+ #ifdef CONFIG_PM
+ static int tas2764_codec_suspend(struct snd_soc_component *component)
+ {
+@@ -82,9 +105,7 @@ static int tas2764_codec_resume(struct snd_soc_component *component)
+ usleep_range(1000, 2000);
+ }
+
+- ret = snd_soc_component_update_bits(component, TAS2764_PWR_CTRL,
+- TAS2764_PWR_CTRL_MASK,
+- TAS2764_PWR_CTRL_ACTIVE);
++ ret = tas2764_update_pwr_ctrl(tas2764);
+
+ if (ret < 0)
+ return ret;
+@@ -118,14 +139,12 @@ static int tas2764_dac_event(struct snd_soc_dapm_widget *w,
+
+ switch (event) {
+ case SND_SOC_DAPM_POST_PMU:
+- ret = snd_soc_component_update_bits(component, TAS2764_PWR_CTRL,
+- TAS2764_PWR_CTRL_MASK,
+- TAS2764_PWR_CTRL_MUTE);
++ tas2764->dac_powered = true;
++ ret = tas2764_update_pwr_ctrl(tas2764);
+ break;
+ case SND_SOC_DAPM_PRE_PMD:
+- ret = snd_soc_component_update_bits(component, TAS2764_PWR_CTRL,
+- TAS2764_PWR_CTRL_MASK,
+- TAS2764_PWR_CTRL_SHUTDOWN);
++ tas2764->dac_powered = false;
++ ret = tas2764_update_pwr_ctrl(tas2764);
+ break;
+ default:
+ dev_err(tas2764->dev, "Unsupported event\n");
+@@ -170,17 +189,11 @@ static const struct snd_soc_dapm_route tas2764_audio_map[] = {
+
+ static int tas2764_mute(struct snd_soc_dai *dai, int mute, int direction)
+ {
+- struct snd_soc_component *component = dai->component;
+- int ret;
+-
+- ret = snd_soc_component_update_bits(component, TAS2764_PWR_CTRL,
+- TAS2764_PWR_CTRL_MASK,
+- mute ? TAS2764_PWR_CTRL_MUTE : 0);
++ struct tas2764_priv *tas2764 =
++ snd_soc_component_get_drvdata(dai->component);
+
+- if (ret < 0)
+- return ret;
+-
+- return 0;
++ tas2764->unmuted = !mute;
++ return tas2764_update_pwr_ctrl(tas2764);
+ }
+
+ static int tas2764_set_bitwidth(struct tas2764_priv *tas2764, int bitwidth)
+@@ -494,12 +507,6 @@ static int tas2764_codec_probe(struct snd_soc_component *component)
+ if (ret < 0)
+ return ret;
+
+- ret = snd_soc_component_update_bits(component, TAS2764_PWR_CTRL,
+- TAS2764_PWR_CTRL_MASK,
+- TAS2764_PWR_CTRL_MUTE);
+- if (ret < 0)
+- return ret;
+-
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 54e18079a6981221bb8afcee22921dc4216939e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 15:15:28 +0200
+Subject: ASoC: wcd-mbhc-v2: Revert "ASoC: wcd-mbhc-v2: use
+ pm_runtime_resume_and_get()"
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit e18f6bcf8e864ea0e9690691d0d749c662b6a2c7 ]
+
+This reverts commit ddea4bbf287b6028eaa15a185d0693856956ecf2 ("ASoC:
+wcd-mbhc-v2: use pm_runtime_resume_and_get()"), because it introduced
+double runtime PM put if pm_runtime_get_sync() returns -EACCES:
+
+ wcd934x-codec wcd934x-codec.3.auto: WCD934X Minor:0x1 Version:0x401
+ wcd934x-codec wcd934x-codec.3.auto: Runtime PM usage count underflow!
+
+The commit claimed no changes in functionality except dropping the
+reference on -EACCESS. This is exactly the change introducing bug
+because function calls unconditionally pm_runtime_put_autosuspend() at
+the end.
+
+Fixes: ddea4bbf287b ("ASoC: wcd-mbhc-v2: use pm_runtime_resume_and_get()")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20220929131528.217502-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wcd-mbhc-v2.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/codecs/wcd-mbhc-v2.c b/sound/soc/codecs/wcd-mbhc-v2.c
+index 98baef594bf3..31009283e7d4 100644
+--- a/sound/soc/codecs/wcd-mbhc-v2.c
++++ b/sound/soc/codecs/wcd-mbhc-v2.c
+@@ -714,11 +714,12 @@ static int wcd_mbhc_initialise(struct wcd_mbhc *mbhc)
+ struct snd_soc_component *component = mbhc->component;
+ int ret;
+
+- ret = pm_runtime_resume_and_get(component->dev);
++ ret = pm_runtime_get_sync(component->dev);
+ if (ret < 0 && ret != -EACCES) {
+ dev_err_ratelimited(component->dev,
+- "pm_runtime_resume_and_get failed in %s, ret %d\n",
++ "pm_runtime_get_sync failed in %s, ret %d\n",
+ __func__, ret);
++ pm_runtime_put_noidle(component->dev);
+ return ret;
+ }
+
+@@ -1096,11 +1097,12 @@ static void wcd_correct_swch_plug(struct work_struct *work)
+ mbhc = container_of(work, struct wcd_mbhc, correct_plug_swch);
+ component = mbhc->component;
+
+- ret = pm_runtime_resume_and_get(component->dev);
++ ret = pm_runtime_get_sync(component->dev);
+ if (ret < 0 && ret != -EACCES) {
+ dev_err_ratelimited(component->dev,
+- "pm_runtime_resume_and_get failed in %s, ret %d\n",
++ "pm_runtime_get_sync failed in %s, ret %d\n",
+ __func__, ret);
++ pm_runtime_put_noidle(component->dev);
+ return;
+ }
+ micbias_mv = wcd_mbhc_get_micbias(mbhc);
+--
+2.35.1
+
--- /dev/null
+From ac9d1b2c7b0a541629d1a9129576d133168de644 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 00:01:15 +0800
+Subject: ASoC: wm5102: Fix PM disable depth imbalance in wm5102_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit fcbb60820cd3008bb44334a0395e5e57ccb77329 ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context. We fix it by moving
+pm_runtime_enable to the endding of wm5102_probe.
+
+Fixes:93e8791dd34ca ("ASoC: wm5102: Initial driver")
+
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Link: https://lore.kernel.org/r/20220928160116.125020-4-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wm5102.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/wm5102.c b/sound/soc/codecs/wm5102.c
+index af7d324e3352..c09c9ac51b3e 100644
+--- a/sound/soc/codecs/wm5102.c
++++ b/sound/soc/codecs/wm5102.c
+@@ -2099,9 +2099,6 @@ static int wm5102_probe(struct platform_device *pdev)
+ regmap_update_bits(arizona->regmap, wm5102_digital_vu[i],
+ WM5102_DIG_VU, WM5102_DIG_VU);
+
+- pm_runtime_enable(&pdev->dev);
+- pm_runtime_idle(&pdev->dev);
+-
+ ret = arizona_request_irq(arizona, ARIZONA_IRQ_DSP_IRQ1,
+ "ADSP2 Compressed IRQ", wm5102_adsp2_irq,
+ wm5102);
+@@ -2134,6 +2131,9 @@ static int wm5102_probe(struct platform_device *pdev)
+ goto err_spk_irqs;
+ }
+
++ pm_runtime_enable(&pdev->dev);
++ pm_runtime_idle(&pdev->dev);
++
+ return ret;
+
+ err_spk_irqs:
+--
+2.35.1
+
--- /dev/null
+From cbc17b5e13348256391024a74ba02ad89d1c9a34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 00:01:14 +0800
+Subject: ASoC: wm5110: Fix PM disable depth imbalance in wm5110_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 86b46bf1feb83898d89a2b4a8d08d21e9ea277a7 ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context. We fix it by moving
+pm_runtime_enable to the endding of wm5110_probe.
+
+Fixes:5c6af635fd772 ("ASoC: wm5110: Add audio CODEC driver")
+
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Link: https://lore.kernel.org/r/20220928160116.125020-3-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wm5110.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/wm5110.c b/sound/soc/codecs/wm5110.c
+index f3f4a10bf0f7..fc634c995834 100644
+--- a/sound/soc/codecs/wm5110.c
++++ b/sound/soc/codecs/wm5110.c
+@@ -2457,9 +2457,6 @@ static int wm5110_probe(struct platform_device *pdev)
+ regmap_update_bits(arizona->regmap, wm5110_digital_vu[i],
+ WM5110_DIG_VU, WM5110_DIG_VU);
+
+- pm_runtime_enable(&pdev->dev);
+- pm_runtime_idle(&pdev->dev);
+-
+ ret = arizona_request_irq(arizona, ARIZONA_IRQ_DSP_IRQ1,
+ "ADSP2 Compressed IRQ", wm5110_adsp2_irq,
+ wm5110);
+@@ -2492,6 +2489,9 @@ static int wm5110_probe(struct platform_device *pdev)
+ goto err_spk_irqs;
+ }
+
++ pm_runtime_enable(&pdev->dev);
++ pm_runtime_idle(&pdev->dev);
++
+ return ret;
+
+ err_spk_irqs:
+--
+2.35.1
+
--- /dev/null
+From fd9fb0c7f58ea826c3003d0db16d78c1804fe5ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 00:01:13 +0800
+Subject: ASoC: wm8997: Fix PM disable depth imbalance in wm8997_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 41a736ac20602f64773e80f0f5b32cde1830a44a ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context. We fix it by moving
+pm_runtime_enable to the endding of wm8997_probe
+
+Fixes:40843aea5a9bd ("ASoC: wm8997: Initial CODEC driver")
+
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Link: https://lore.kernel.org/r/20220928160116.125020-2-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wm8997.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/wm8997.c b/sound/soc/codecs/wm8997.c
+index 210ad662fc26..77136a521605 100644
+--- a/sound/soc/codecs/wm8997.c
++++ b/sound/soc/codecs/wm8997.c
+@@ -1161,9 +1161,6 @@ static int wm8997_probe(struct platform_device *pdev)
+ regmap_update_bits(arizona->regmap, wm8997_digital_vu[i],
+ WM8997_DIG_VU, WM8997_DIG_VU);
+
+- pm_runtime_enable(&pdev->dev);
+- pm_runtime_idle(&pdev->dev);
+-
+ arizona_init_common(arizona);
+
+ ret = arizona_init_vol_limit(arizona);
+@@ -1182,6 +1179,9 @@ static int wm8997_probe(struct platform_device *pdev)
+ goto err_spk_irqs;
+ }
+
++ pm_runtime_enable(&pdev->dev);
++ pm_runtime_idle(&pdev->dev);
++
+ return ret;
+
+ err_spk_irqs:
+--
+2.35.1
+
--- /dev/null
+From 30274fe86e26e273d34cb4aceec882453308aeaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 01:05:30 +0300
+Subject: ASoC: wm_adsp: Handle optional legacy support
+
+From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+
+[ Upstream commit 35c8ae25c4fdeabf490e005692795a3be17ca5f6 ]
+
+The tracing capabilities for the speaker protection fw enabled via
+commit c55b3e46cb99 ("ASoC: wm_adsp: Add trace caps to speaker
+protection FW") are not be available on all platforms, such as the
+Valve's Steam Deck which is based on the Halo Core DSP.
+
+As a consequence, whenever the firmware is loaded, a rather misleading
+'Failed to parse legacy: -19' error message is written to the kernel
+ring buffer:
+
+[ 288.977412] steamdeck kernel: cs35l41 spi-VLV1776:01: DSP1: Firmware version: 3
+[ 288.978002] steamdeck kernel: cs35l41 spi-VLV1776:01: DSP1: cs35l41-dsp1-spk-prot.wmfw: Fri 02 Apr 2021 21:03:50 W. Europe Daylight Time
+[ 289.094065] steamdeck kernel: cs35l41 spi-VLV1776:01: DSP1: Firmware: 400a4 vendor: 0x2 v0.33.0, 2 algorithms
+[ 289.095073] steamdeck kernel: cs35l41 spi-VLV1776:01: DSP1: 0: ID cd v29.53.0 XM@94 YM@e
+[ 289.095665] steamdeck kernel: cs35l41 spi-VLV1776:01: DSP1: 1: ID f20b v0.0.1 XM@170 YM@0
+[ 289.096275] steamdeck kernel: cs35l41 spi-VLV1776:01: DSP1: Protection: C:\Users\ocanavan\Desktop\cirrusTune_july2021.bin
+[ 291.172383] steamdeck kernel: cs35l41 spi-VLV1776:01: DSP1: Failed to parse legacy: -19
+
+Update wm_adsp_buffer_init() to print a more descriptive info message
+when wm_adsp_buffer_parse_legacy() returns -ENODEV.
+
+Fixes: c55b3e46cb99 ("ASoC: wm_adsp: Add trace caps to speaker protection FW")
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20220825220530.1205141-1-cristian.ciocaltea@collabora.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wm_adsp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c
+index cfaa45ede916..8a2e9771bb50 100644
+--- a/sound/soc/codecs/wm_adsp.c
++++ b/sound/soc/codecs/wm_adsp.c
+@@ -1602,7 +1602,9 @@ static int wm_adsp_buffer_init(struct wm_adsp *dsp)
+ if (list_empty(&dsp->buffer_list)) {
+ /* Fall back to legacy support */
+ ret = wm_adsp_buffer_parse_legacy(dsp);
+- if (ret)
++ if (ret == -ENODEV)
++ adsp_info(dsp, "Legacy support not available\n");
++ else if (ret)
+ adsp_warn(dsp, "Failed to parse legacy: %d\n", ret);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From b69500e1df1e586c93a3b595cff07a5c57d1c0ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 14:28:33 +0200
+Subject: ata: fix ata_id_has_devslp()
+
+From: Niklas Cassel <niklas.cassel@wdc.com>
+
+[ Upstream commit 9c6e09a434e1317e09b78b3b69cd384022ec9a03 ]
+
+ACS-5 section
+7.13.6.36 Word 78: Serial ATA features supported
+states that:
+
+If word 76 is not 0000h or FFFFh, word 78 reports the features supported
+by the device. If this word is not supported, the word shall be cleared
+to zero.
+
+(This text also exists in really old ACS standards, e.g. ACS-3.)
+
+Additionally, move the macro to the other ATA_ID_FEATURE_SUPP macros
+(which already have this check), thus making it more likely that the
+next ATA_ID_FEATURE_SUPP macro that is added will include this check.
+
+Fixes: 65fe1f0f66a5 ("ahci: implement aggressive SATA device sleep support")
+Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ata.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/ata.h b/include/linux/ata.h
+index 868bfd503aee..bc136a43689f 100644
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -566,6 +566,10 @@ struct ata_bmdma_prd {
+ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
+ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
+ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 2)))
++#define ata_id_has_devslp(id) \
++ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
++ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
++ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 8)))
+ #define ata_id_iordy_disable(id) ((id)[ATA_ID_CAPABILITY] & (1 << 10))
+ #define ata_id_has_iordy(id) ((id)[ATA_ID_CAPABILITY] & (1 << 11))
+ #define ata_id_u32(id,n) \
+@@ -578,7 +582,6 @@ struct ata_bmdma_prd {
+
+ #define ata_id_cdb_intr(id) (((id)[ATA_ID_CONFIG] & 0x60) == 0x20)
+ #define ata_id_has_da(id) ((id)[ATA_ID_SATA_CAPABILITY_2] & (1 << 4))
+-#define ata_id_has_devslp(id) ((id)[ATA_ID_FEATURE_SUPP] & (1 << 8))
+ #define ata_id_has_ncq_autosense(id) \
+ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7))
+
+--
+2.35.1
+
--- /dev/null
+From 6f8bf2e6d1f47e66224331694e1743d9a7ca5670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 14:28:35 +0200
+Subject: ata: fix ata_id_has_dipm()
+
+From: Niklas Cassel <niklas.cassel@wdc.com>
+
+[ Upstream commit 630624cb1b5826d753ac8e01a0e42de43d66dedf ]
+
+ACS-5 section
+7.13.6.36 Word 78: Serial ATA features supported
+states that:
+
+If word 76 is not 0000h or FFFFh, word 78 reports the features supported
+by the device. If this word is not supported, the word shall be cleared
+to zero.
+
+(This text also exists in really old ACS standards, e.g. ACS-3.)
+
+The problem with ata_id_has_dipm() is that the while it performs a
+check against 0 and 0xffff, it performs the check against
+ATA_ID_FEATURE_SUPP (word 78), the same word where the feature bit
+is stored.
+
+Fix this by performing the check against ATA_ID_SATA_CAPABILITY
+(word 76), like required by the spec. The feature bit check itself
+is of course still performed against ATA_ID_FEATURE_SUPP (word 78).
+
+Additionally, move the macro to the other ATA_ID_FEATURE_SUPP macros
+(which already have this check), thus making it more likely that the
+next ATA_ID_FEATURE_SUPP macro that is added will include this check.
+
+Fixes: ca77329fb713 ("[libata] Link power management infrastructure")
+Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ata.h | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/include/linux/ata.h b/include/linux/ata.h
+index 4845443e0f08..e3050e153a71 100644
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -574,6 +574,10 @@ struct ata_bmdma_prd {
+ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
+ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
+ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7)))
++#define ata_id_has_dipm(id) \
++ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
++ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
++ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 3)))
+ #define ata_id_iordy_disable(id) ((id)[ATA_ID_CAPABILITY] & (1 << 10))
+ #define ata_id_has_iordy(id) ((id)[ATA_ID_CAPABILITY] & (1 << 11))
+ #define ata_id_u32(id,n) \
+@@ -597,17 +601,6 @@ static inline bool ata_id_has_hipm(const u16 *id)
+ return val & (1 << 9);
+ }
+
+-static inline bool ata_id_has_dipm(const u16 *id)
+-{
+- u16 val = id[ATA_ID_FEATURE_SUPP];
+-
+- if (val == 0 || val == 0xffff)
+- return false;
+-
+- return val & (1 << 3);
+-}
+-
+-
+ static inline bool ata_id_has_fua(const u16 *id)
+ {
+ if ((id[ATA_ID_CFSSE] & 0xC000) != 0x4000)
+--
+2.35.1
+
--- /dev/null
+From 7b5aba60b27a089e79a602b0761d7ffe3ff28788 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 14:28:34 +0200
+Subject: ata: fix ata_id_has_ncq_autosense()
+
+From: Niklas Cassel <niklas.cassel@wdc.com>
+
+[ Upstream commit a5fb6bf853148974dbde092ec1bde553bea5e49f ]
+
+ACS-5 section
+7.13.6.36 Word 78: Serial ATA features supported
+states that:
+
+If word 76 is not 0000h or FFFFh, word 78 reports the features supported
+by the device. If this word is not supported, the word shall be cleared
+to zero.
+
+(This text also exists in really old ACS standards, e.g. ACS-3.)
+
+Additionally, move the macro to the other ATA_ID_FEATURE_SUPP macros
+(which already have this check), thus making it more likely that the
+next ATA_ID_FEATURE_SUPP macro that is added will include this check.
+
+Fixes: 5b01e4b9efa0 ("libata: Implement NCQ autosense")
+Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ata.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/ata.h b/include/linux/ata.h
+index bc136a43689f..4845443e0f08 100644
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -570,6 +570,10 @@ struct ata_bmdma_prd {
+ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
+ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
+ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 8)))
++#define ata_id_has_ncq_autosense(id) \
++ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
++ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
++ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7)))
+ #define ata_id_iordy_disable(id) ((id)[ATA_ID_CAPABILITY] & (1 << 10))
+ #define ata_id_has_iordy(id) ((id)[ATA_ID_CAPABILITY] & (1 << 11))
+ #define ata_id_u32(id,n) \
+@@ -582,8 +586,6 @@ struct ata_bmdma_prd {
+
+ #define ata_id_cdb_intr(id) (((id)[ATA_ID_CONFIG] & 0x60) == 0x20)
+ #define ata_id_has_da(id) ((id)[ATA_ID_SATA_CAPABILITY_2] & (1 << 4))
+-#define ata_id_has_ncq_autosense(id) \
+- ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7))
+
+ static inline bool ata_id_has_hipm(const u16 *id)
+ {
+--
+2.35.1
+
--- /dev/null
+From 8f5da874606456de9e554402f75bee369575b1e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 14:28:32 +0200
+Subject: ata: fix ata_id_sense_reporting_enabled() and
+ ata_id_has_sense_reporting()
+
+From: Niklas Cassel <niklas.cassel@wdc.com>
+
+[ Upstream commit 690aa8c3ae308bc696ec8b1b357b995193927083 ]
+
+ACS-5 section
+7.13.6.41 Words 85..87, 120: Commands and feature sets supported or enabled
+states that:
+
+If bit 15 of word 86 is set to one, bit 14 of word 119 is set to one,
+and bit 15 of word 119 is cleared to zero, then word 119 is valid.
+
+If bit 15 of word 86 is set to one, bit 14 of word 120 is set to one,
+and bit 15 of word 120 is cleared to zero, then word 120 is valid.
+
+(This text also exists in really old ACS standards, e.g. ACS-3.)
+
+Currently, ata_id_sense_reporting_enabled() and
+ata_id_has_sense_reporting() both check bit 15 of word 86,
+but neither of them check that bit 14 of word 119 is set to one,
+or that bit 15 of word 119 is cleared to zero.
+
+Additionally, make ata_id_sense_reporting_enabled() return false
+if !ata_id_has_sense_reporting(), similar to how e.g.
+ata_id_flush_ext_enabled() returns false if !ata_id_has_flush_ext().
+
+Fixes: e87fd28cf9a2 ("libata: Implement support for sense data reporting")
+Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ata.h | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/ata.h b/include/linux/ata.h
+index 21292b5bbb55..868bfd503aee 100644
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -771,16 +771,21 @@ static inline bool ata_id_has_read_log_dma_ext(const u16 *id)
+
+ static inline bool ata_id_has_sense_reporting(const u16 *id)
+ {
+- if (!(id[ATA_ID_CFS_ENABLE_2] & (1 << 15)))
++ if (!(id[ATA_ID_CFS_ENABLE_2] & BIT(15)))
++ return false;
++ if ((id[ATA_ID_COMMAND_SET_3] & (BIT(15) | BIT(14))) != BIT(14))
+ return false;
+- return id[ATA_ID_COMMAND_SET_3] & (1 << 6);
++ return id[ATA_ID_COMMAND_SET_3] & BIT(6);
+ }
+
+ static inline bool ata_id_sense_reporting_enabled(const u16 *id)
+ {
+- if (!(id[ATA_ID_CFS_ENABLE_2] & (1 << 15)))
++ if (!ata_id_has_sense_reporting(id))
++ return false;
++ /* ata_id_has_sense_reporting() == true, word 86 must have bit 15 set */
++ if ((id[ATA_ID_COMMAND_SET_4] & (BIT(15) | BIT(14))) != BIT(14))
+ return false;
+- return id[ATA_ID_COMMAND_SET_4] & (1 << 6);
++ return id[ATA_ID_COMMAND_SET_4] & BIT(6);
+ }
+
+ /**
+--
+2.35.1
+
--- /dev/null
+From b891d28b58e63aeb1afb92119ee963d3ab9906ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 22:36:06 +0300
+Subject: ata: libahci_platform: Sanity check the DT child nodes number
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit 3c132ea6508b34956e5ed88d04936983ec230601 ]
+
+Having greater than AHCI_MAX_PORTS (32) ports detected isn't that critical
+from the further AHCI-platform initialization point of view since
+exceeding the ports upper limit will cause allocating more resources than
+will be used afterwards. But detecting too many child DT-nodes doesn't
+seem right since it's very unlikely to have it on an ordinary platform. In
+accordance with the AHCI specification there can't be more than 32 ports
+implemented at least due to having the CAP.NP field of 5 bits wide and the
+PI register of dword size. Thus if such situation is found the DTB must
+have been corrupted and the data read from it shouldn't be reliable. Let's
+consider that as an erroneous situation and halt further resources
+allocation.
+
+Note it's logically more correct to have the nports set only after the
+initialization value is checked for being sane. So while at it let's make
+sure nports is assigned with a correct value.
+
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libahci_platform.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c
+index 32495ae96567..986f1923a76d 100644
+--- a/drivers/ata/libahci_platform.c
++++ b/drivers/ata/libahci_platform.c
+@@ -451,14 +451,24 @@ struct ahci_host_priv *ahci_platform_get_resources(struct platform_device *pdev,
+ }
+ }
+
+- hpriv->nports = child_nodes = of_get_child_count(dev->of_node);
++ /*
++ * Too many sub-nodes most likely means having something wrong with
++ * the firmware.
++ */
++ child_nodes = of_get_child_count(dev->of_node);
++ if (child_nodes > AHCI_MAX_PORTS) {
++ rc = -EINVAL;
++ goto err_out;
++ }
+
+ /*
+ * If no sub-node was found, we still need to set nports to
+ * one in order to be able to use the
+ * ahci_platform_[en|dis]able_[phys|regulators] functions.
+ */
+- if (!child_nodes)
++ if (child_nodes)
++ hpriv->nports = child_nodes;
++ else
+ hpriv->nports = 1;
+
+ hpriv->phys = devm_kcalloc(dev, hpriv->nports, sizeof(*hpriv->phys), GFP_KERNEL);
+--
+2.35.1
+
--- /dev/null
+From ad0960563cae29102cb1b89ea882207a950a4113 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 15:32:38 -0400
+Subject: audit: explicitly check audit_context->context enum value
+
+From: Richard Guy Briggs <rgb@redhat.com>
+
+[ Upstream commit 3ed66951f952ed8f1a5d03e171722bf2631e8d58 ]
+
+Be explicit in checking the struct audit_context "context" member enum
+value rather than assuming the order of context enum values.
+
+Fixes: 12c5e81d3fd0 ("audit: prepare audit_context for use in calling contexts beyond syscalls")
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/auditsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/auditsc.c b/kernel/auditsc.c
+index 79a5da1bc5bb..0ee09447ad04 100644
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -2069,7 +2069,7 @@ void __audit_syscall_exit(int success, long return_code)
+ /* run through both filters to ensure we set the filterkey properly */
+ audit_filter_syscall(current, context);
+ audit_filter_inodes(current, context);
+- if (context->current_state < AUDIT_STATE_RECORD)
++ if (context->current_state != AUDIT_STATE_RECORD)
+ goto out;
+
+ audit_log_exit();
+--
+2.35.1
+
--- /dev/null
+From 418a4fb1b4e176073669f8f508a456939a692254 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 15:32:39 -0400
+Subject: audit: free audit_proctitle only on task exit
+
+From: Richard Guy Briggs <rgb@redhat.com>
+
+[ Upstream commit c3f3ea8af44d0c5fba79fe8b198087342d0c7e04 ]
+
+Since audit_proctitle is generated at syscall exit time, its value is
+used immediately and cached for the next syscall. Since this is the
+case, then only clear it at task exit time. Otherwise, there is no
+point in caching the value OR bearing the overhead of regenerating it.
+
+Fixes: 12c5e81d3fd0 ("audit: prepare audit_context for use in calling contexts beyond syscalls")
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/auditsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/auditsc.c b/kernel/auditsc.c
+index 0ee09447ad04..63a6fe99aa3a 100644
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -1016,7 +1016,6 @@ static void audit_reset_context(struct audit_context *ctx)
+ WARN_ON(!list_empty(&ctx->killed_trees));
+ audit_free_module(ctx);
+ ctx->fds[0] = -1;
+- audit_proctitle_free(ctx);
+ ctx->type = 0; /* reset last for audit_free_*() */
+ }
+
+@@ -1077,6 +1076,7 @@ static inline void audit_free_context(struct audit_context *context)
+ {
+ /* resetting is extra work, but it is likely just noise */
+ audit_reset_context(context);
++ audit_proctitle_free(context);
+ free_tree_refs(context);
+ kfree(context->filterkey);
+ kfree(context);
+--
+2.35.1
+
--- /dev/null
+From a0b901a3ad3d16f2f0bd9bf62d58d38ee3ffca43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 00:16:47 +0800
+Subject: bcache: fix set_at_max_writeback_rate() for multiple attached devices
+
+From: Coly Li <colyli@suse.de>
+
+[ Upstream commit d2d05b88035d2d51a5bb6c5afec88a0880c73df4 ]
+
+Inside set_at_max_writeback_rate() the calculation in following if()
+check is wrong,
+ if (atomic_inc_return(&c->idle_counter) <
+ atomic_read(&c->attached_dev_nr) * 6)
+
+Because each attached backing device has its own writeback thread
+running and increasing c->idle_counter, the counter increates much
+faster than expected. The correct calculation should be,
+ (counter / dev_nr) < dev_nr * 6
+which equals to,
+ counter < dev_nr * dev_nr * 6
+
+This patch fixes the above mistake with correct calculation, and helper
+routine idle_counter_exceeded() is added to make code be more clear.
+
+Reported-by: Mingzhe Zou <mingzhe.zou@easystack.cn>
+Signed-off-by: Coly Li <colyli@suse.de>
+Acked-by: Mingzhe Zou <mingzhe.zou@easystack.cn>
+Link: https://lore.kernel.org/r/20220919161647.81238-6-colyli@suse.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/writeback.c | 73 +++++++++++++++++++++++++----------
+ 1 file changed, 52 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c
+index 3f0ff3aab6f2..9c227e4a8465 100644
+--- a/drivers/md/bcache/writeback.c
++++ b/drivers/md/bcache/writeback.c
+@@ -157,6 +157,53 @@ static void __update_writeback_rate(struct cached_dev *dc)
+ dc->writeback_rate_target = target;
+ }
+
++static bool idle_counter_exceeded(struct cache_set *c)
++{
++ int counter, dev_nr;
++
++ /*
++ * If c->idle_counter is overflow (idel for really long time),
++ * reset as 0 and not set maximum rate this time for code
++ * simplicity.
++ */
++ counter = atomic_inc_return(&c->idle_counter);
++ if (counter <= 0) {
++ atomic_set(&c->idle_counter, 0);
++ return false;
++ }
++
++ dev_nr = atomic_read(&c->attached_dev_nr);
++ if (dev_nr == 0)
++ return false;
++
++ /*
++ * c->idle_counter is increased by writeback thread of all
++ * attached backing devices, in order to represent a rough
++ * time period, counter should be divided by dev_nr.
++ * Otherwise the idle time cannot be larger with more backing
++ * device attached.
++ * The following calculation equals to checking
++ * (counter / dev_nr) < (dev_nr * 6)
++ */
++ if (counter < (dev_nr * dev_nr * 6))
++ return false;
++
++ return true;
++}
++
++/*
++ * Idle_counter is increased every time when update_writeback_rate() is
++ * called. If all backing devices attached to the same cache set have
++ * identical dc->writeback_rate_update_seconds values, it is about 6
++ * rounds of update_writeback_rate() on each backing device before
++ * c->at_max_writeback_rate is set to 1, and then max wrteback rate set
++ * to each dc->writeback_rate.rate.
++ * In order to avoid extra locking cost for counting exact dirty cached
++ * devices number, c->attached_dev_nr is used to calculate the idle
++ * throushold. It might be bigger if not all cached device are in write-
++ * back mode, but it still works well with limited extra rounds of
++ * update_writeback_rate().
++ */
+ static bool set_at_max_writeback_rate(struct cache_set *c,
+ struct cached_dev *dc)
+ {
+@@ -167,21 +214,8 @@ static bool set_at_max_writeback_rate(struct cache_set *c,
+ /* Don't set max writeback rate if gc is running */
+ if (!c->gc_mark_valid)
+ return false;
+- /*
+- * Idle_counter is increased everytime when update_writeback_rate() is
+- * called. If all backing devices attached to the same cache set have
+- * identical dc->writeback_rate_update_seconds values, it is about 6
+- * rounds of update_writeback_rate() on each backing device before
+- * c->at_max_writeback_rate is set to 1, and then max wrteback rate set
+- * to each dc->writeback_rate.rate.
+- * In order to avoid extra locking cost for counting exact dirty cached
+- * devices number, c->attached_dev_nr is used to calculate the idle
+- * throushold. It might be bigger if not all cached device are in write-
+- * back mode, but it still works well with limited extra rounds of
+- * update_writeback_rate().
+- */
+- if (atomic_inc_return(&c->idle_counter) <
+- atomic_read(&c->attached_dev_nr) * 6)
++
++ if (!idle_counter_exceeded(c))
+ return false;
+
+ if (atomic_read(&c->at_max_writeback_rate) != 1)
+@@ -195,13 +229,10 @@ static bool set_at_max_writeback_rate(struct cache_set *c,
+ dc->writeback_rate_change = 0;
+
+ /*
+- * Check c->idle_counter and c->at_max_writeback_rate agagain in case
+- * new I/O arrives during before set_at_max_writeback_rate() returns.
+- * Then the writeback rate is set to 1, and its new value should be
+- * decided via __update_writeback_rate().
++ * In case new I/O arrives during before
++ * set_at_max_writeback_rate() returns.
+ */
+- if ((atomic_read(&c->idle_counter) <
+- atomic_read(&c->attached_dev_nr) * 6) ||
++ if (!idle_counter_exceeded(c) ||
+ !atomic_read(&c->at_max_writeback_rate))
+ return false;
+
+--
+2.35.1
+
--- /dev/null
+From d473e27343ecca8daf7a24f792949a8988f5974a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 08:56:52 -0700
+Subject: blk-mq: use quiesced elevator switch when reinitializing queues
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit 8237c01f1696bc53c470493bf1fe092a107648a6 ]
+
+The hctx's run_work may be racing with the elevator switch when
+reinitializing hardware queues. The queue is merely frozen in this
+context, but that only prevents requests from allocating and doesn't
+stop the hctx work from running. The work may get an elevator pointer
+that's being torn down, and can result in use-after-free errors and
+kernel panics (example below). Use the quiesced elevator switch instead,
+and make the previous one static since it is now only used locally.
+
+ nvme nvme0: resetting controller
+ nvme nvme0: 32/0/0 default/read/poll queues
+ BUG: kernel NULL pointer dereference, address: 0000000000000008
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 80000020c8861067 P4D 80000020c8861067 PUD 250f8c8067 PMD 0
+ Oops: 0000 [#1] SMP PTI
+ Workqueue: kblockd blk_mq_run_work_fn
+ RIP: 0010:kyber_has_work+0x29/0x70
+
+...
+
+ Call Trace:
+ __blk_mq_do_dispatch_sched+0x83/0x2b0
+ __blk_mq_sched_dispatch_requests+0x12e/0x170
+ blk_mq_sched_dispatch_requests+0x30/0x60
+ __blk_mq_run_hw_queue+0x2b/0x50
+ process_one_work+0x1ef/0x380
+ worker_thread+0x2d/0x3e0
+
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20220927155652.3260724-1-kbusch@fb.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c | 6 +++---
+ block/blk.h | 3 +--
+ block/elevator.c | 4 ++--
+ 3 files changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index c96c8c4f751b..887b8682eb69 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -4473,14 +4473,14 @@ static bool blk_mq_elv_switch_none(struct list_head *head,
+ list_add(&qe->node, head);
+
+ /*
+- * After elevator_switch_mq, the previous elevator_queue will be
++ * After elevator_switch, the previous elevator_queue will be
+ * released by elevator_release. The reference of the io scheduler
+ * module get by elevator_get will also be put. So we need to get
+ * a reference of the io scheduler module here to prevent it to be
+ * removed.
+ */
+ __module_get(qe->type->elevator_owner);
+- elevator_switch_mq(q, NULL);
++ elevator_switch(q, NULL);
+ mutex_unlock(&q->sysfs_lock);
+
+ return true;
+@@ -4512,7 +4512,7 @@ static void blk_mq_elv_switch_back(struct list_head *head,
+ kfree(qe);
+
+ mutex_lock(&q->sysfs_lock);
+- elevator_switch_mq(q, t);
++ elevator_switch(q, t);
+ mutex_unlock(&q->sysfs_lock);
+ }
+
+diff --git a/block/blk.h b/block/blk.h
+index d7142c4d2fef..52432eab621e 100644
+--- a/block/blk.h
++++ b/block/blk.h
+@@ -270,8 +270,7 @@ bool blk_bio_list_merge(struct request_queue *q, struct list_head *list,
+
+ void blk_insert_flush(struct request *rq);
+
+-int elevator_switch_mq(struct request_queue *q,
+- struct elevator_type *new_e);
++int elevator_switch(struct request_queue *q, struct elevator_type *new_e);
+ void elevator_exit(struct request_queue *q);
+ int elv_register_queue(struct request_queue *q, bool uevent);
+ void elv_unregister_queue(struct request_queue *q);
+diff --git a/block/elevator.c b/block/elevator.c
+index c319765892bb..bd71f0fc4e4b 100644
+--- a/block/elevator.c
++++ b/block/elevator.c
+@@ -588,7 +588,7 @@ void elv_unregister(struct elevator_type *e)
+ }
+ EXPORT_SYMBOL_GPL(elv_unregister);
+
+-int elevator_switch_mq(struct request_queue *q,
++static int elevator_switch_mq(struct request_queue *q,
+ struct elevator_type *new_e)
+ {
+ int ret;
+@@ -723,7 +723,7 @@ void elevator_init_mq(struct request_queue *q)
+ * need for the new one. this way we have a chance of going back to the old
+ * one, if the new one fails init for some reason.
+ */
+-static int elevator_switch(struct request_queue *q, struct elevator_type *new_e)
++int elevator_switch(struct request_queue *q, struct elevator_type *new_e)
+ {
+ int err;
+
+--
+2.35.1
+
--- /dev/null
+From 014dd2dc003758a7d1a3d9295f829f495ff2f1ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Aug 2022 10:22:38 +0800
+Subject: blk-throttle: prevent overflow while calculating wait time
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 8d6bbaada2e0a65f9012ac4c2506460160e7237a ]
+
+There is a problem found by code review in tg_with_in_bps_limit() that
+'bps_limit * jiffy_elapsed_rnd' might overflow. Fix the problem by
+calling mul_u64_u64_div_u64() instead.
+
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Link: https://lore.kernel.org/r/20220829022240.3348319-3-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-throttle.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/block/blk-throttle.c b/block/blk-throttle.c
+index 3c02a9b3275a..35cf744ea9d1 100644
+--- a/block/blk-throttle.c
++++ b/block/blk-throttle.c
+@@ -806,7 +806,7 @@ static bool tg_with_in_bps_limit(struct throtl_grp *tg, struct bio *bio,
+ u64 bps_limit, unsigned long *wait)
+ {
+ bool rw = bio_data_dir(bio);
+- u64 bytes_allowed, extra_bytes, tmp;
++ u64 bytes_allowed, extra_bytes;
+ unsigned long jiffy_elapsed, jiffy_wait, jiffy_elapsed_rnd;
+ unsigned int bio_size = throtl_bio_data_size(bio);
+
+@@ -824,10 +824,8 @@ static bool tg_with_in_bps_limit(struct throtl_grp *tg, struct bio *bio,
+ jiffy_elapsed_rnd = tg->td->throtl_slice;
+
+ jiffy_elapsed_rnd = roundup(jiffy_elapsed_rnd, tg->td->throtl_slice);
+-
+- tmp = bps_limit * jiffy_elapsed_rnd;
+- do_div(tmp, HZ);
+- bytes_allowed = tmp;
++ bytes_allowed = mul_u64_u64_div_u64(bps_limit, (u64)jiffy_elapsed_rnd,
++ (u64)HZ);
+
+ if (tg->bytes_disp[rw] + bio_size <= bytes_allowed) {
+ if (wait)
+--
+2.35.1
+
--- /dev/null
+From 5295b35a207e040b6ff3814f8f26f85cb2db2e63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 13:06:26 -0700
+Subject: block: Fix the enum blk_eh_timer_return documentation
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit b2bed51a5261f4266ecb857bba680a7f668d3ddf ]
+
+The documentation of the blk_eh_timer_return enumeration values does not
+reflect correctly how e.g. the SCSI core uses these values. Fix the
+documentation.
+
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: Damien Le Moal <damien.lemoal@wdc.com>
+Cc: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Fixes: 88b0cfad2888 ("block: document the blk_eh_timer_return values")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Link: https://lore.kernel.org/r/20220920200626.3422296-1-bvanassche@acm.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/blk-mq.h | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/blk-mq.h b/include/linux/blk-mq.h
+index 92294a5fb083..1532cd07a597 100644
+--- a/include/linux/blk-mq.h
++++ b/include/linux/blk-mq.h
+@@ -268,9 +268,16 @@ static inline void rq_list_move(struct request **src, struct request **dst,
+ rq_list_add(dst, rq);
+ }
+
++/**
++ * enum blk_eh_timer_return - How the timeout handler should proceed
++ * @BLK_EH_DONE: The block driver completed the command or will complete it at
++ * a later time.
++ * @BLK_EH_RESET_TIMER: Reset the request timer and continue waiting for the
++ * request to complete.
++ */
+ enum blk_eh_timer_return {
+- BLK_EH_DONE, /* drivers has completed the command */
+- BLK_EH_RESET_TIMER, /* reset timer and try again */
++ BLK_EH_DONE,
++ BLK_EH_RESET_TIMER,
+ };
+
+ #define BLK_TAG_ALLOC_FIFO 0 /* allocate starting from 0 */
+--
+2.35.1
+
--- /dev/null
+From ad5478c1cf85137aee014156879d3fcf8342dc5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 09:58:15 +0200
+Subject: block: replace blk_queue_nowait with bdev_nowait
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 568ec936bf1384fc15873908c96a9aeb62536edb ]
+
+Replace blk_queue_nowait with a bdev_nowait helpers that takes the
+block_device given that the I/O submission path should not have to
+look into the request_queue.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Pankaj Raghav <p.raghav@samsung.com>
+Link: https://lore.kernel.org/r/20220927075815.269694-1-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-core.c | 2 +-
+ drivers/md/dm-table.c | 4 +---
+ drivers/md/md.c | 4 ++--
+ include/linux/blkdev.h | 6 +++++-
+ io_uring/io_uring.c | 2 +-
+ 5 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/block/blk-core.c b/block/blk-core.c
+index 651057c4146b..4ec669b0eadc 100644
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -717,7 +717,7 @@ void submit_bio_noacct(struct bio *bio)
+ * For a REQ_NOWAIT based request, return -EOPNOTSUPP
+ * if queue does not support NOWAIT.
+ */
+- if ((bio->bi_opf & REQ_NOWAIT) && !blk_queue_nowait(q))
++ if ((bio->bi_opf & REQ_NOWAIT) && !bdev_nowait(bdev))
+ goto not_supported;
+
+ if (should_fail_bio(bio))
+diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
+index 332f96b58252..d8034ff0cb24 100644
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -1856,9 +1856,7 @@ static bool dm_table_supports_write_zeroes(struct dm_table *t)
+ static int device_not_nowait_capable(struct dm_target *ti, struct dm_dev *dev,
+ sector_t start, sector_t len, void *data)
+ {
+- struct request_queue *q = bdev_get_queue(dev->bdev);
+-
+- return !blk_queue_nowait(q);
++ return !bdev_nowait(dev->bdev);
+ }
+
+ static bool dm_table_supports_nowait(struct dm_table *t)
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 470a975e4be9..a467b492d4ad 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5845,7 +5845,7 @@ int md_run(struct mddev *mddev)
+ }
+ }
+ sysfs_notify_dirent_safe(rdev->sysfs_state);
+- nowait = nowait && blk_queue_nowait(bdev_get_queue(rdev->bdev));
++ nowait = nowait && bdev_nowait(rdev->bdev);
+ }
+
+ if (!bioset_initialized(&mddev->bio_set)) {
+@@ -6982,7 +6982,7 @@ static int hot_add_disk(struct mddev *mddev, dev_t dev)
+ * If the new disk does not support REQ_NOWAIT,
+ * disable on the whole MD.
+ */
+- if (!blk_queue_nowait(bdev_get_queue(rdev->bdev))) {
++ if (!bdev_nowait(rdev->bdev)) {
+ pr_info("%s: Disabling nowait because %pg does not support nowait\n",
+ mdname(mddev), rdev->bdev);
+ blk_queue_flag_clear(QUEUE_FLAG_NOWAIT, mddev->queue);
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index 84b13fdd34a7..4750772ef228 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -618,7 +618,6 @@ bool blk_queue_flag_test_and_set(unsigned int flag, struct request_queue *q);
+ #define blk_queue_quiesced(q) test_bit(QUEUE_FLAG_QUIESCED, &(q)->queue_flags)
+ #define blk_queue_pm_only(q) atomic_read(&(q)->pm_only)
+ #define blk_queue_registered(q) test_bit(QUEUE_FLAG_REGISTERED, &(q)->queue_flags)
+-#define blk_queue_nowait(q) test_bit(QUEUE_FLAG_NOWAIT, &(q)->queue_flags)
+ #define blk_queue_sq_sched(q) test_bit(QUEUE_FLAG_SQ_SCHED, &(q)->queue_flags)
+
+ extern void blk_set_pm_only(struct request_queue *q);
+@@ -1280,6 +1279,11 @@ static inline bool bdev_fua(struct block_device *bdev)
+ return test_bit(QUEUE_FLAG_FUA, &bdev_get_queue(bdev)->queue_flags);
+ }
+
++static inline bool bdev_nowait(struct block_device *bdev)
++{
++ return test_bit(QUEUE_FLAG_NOWAIT, &bdev_get_queue(bdev)->queue_flags);
++}
++
+ static inline enum blk_zoned_model bdev_zoned_model(struct block_device *bdev)
+ {
+ struct request_queue *q = bdev_get_queue(bdev);
+diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
+index c5dd483a7de2..e0e20307bd68 100644
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -1388,7 +1388,7 @@ static void io_iopoll_req_issued(struct io_kiocb *req, unsigned int issue_flags)
+
+ static bool io_bdev_nowait(struct block_device *bdev)
+ {
+- return !bdev || blk_queue_nowait(bdev_get_queue(bdev));
++ return !bdev || bdev_nowait(bdev);
+ }
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From 0541b0f427c3bd52d73e735dd29202e59804317e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 15:07:13 +0100
+Subject: block: sed-opal: Add ioctl to return device status
+
+From: dougmill@linux.vnet.ibm.com <dougmill@linux.vnet.ibm.com>
+
+[ Upstream commit c6ea70604249bc357ce09e9f8e16c29df0fb2fa2 ]
+
+Provide a mechanism to retrieve basic status information about
+the device, including the "supported" flag indicating whether
+SED-OPAL is supported. The information returned is from the various
+feature descriptors received during the discovery0 step, and so
+this ioctl does nothing more than perform the discovery0 step
+and then save the information received. See "struct opal_status"
+and OPAL_FL_* bits for the status information currently returned.
+
+This is necessary to be able to check whether a device is OPAL
+enabled, set up, locked or unlocked from userspace programs
+like systemd-cryptsetup and libcryptsetup. Right now we just
+have to assume the user 'knows' or blindly attempt setup/lock/unlock
+operations.
+
+Signed-off-by: Douglas Miller <dougmill@linux.vnet.ibm.com>
+Tested-by: Luca Boccassi <bluca@debian.org>
+Reviewed-by: Scott Bauer <sbauer@plzdonthack.me>
+Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Link: https://lore.kernel.org/r/20220816140713.84893-1-luca.boccassi@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 040b83fcecfb ("sbitmap: fix possible io hung due to lost wakeup")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/opal_proto.h | 5 ++
+ block/sed-opal.c | 89 ++++++++++++++++++++++++++++++-----
+ include/linux/sed-opal.h | 1 +
+ include/uapi/linux/sed-opal.h | 13 +++++
+ 4 files changed, 96 insertions(+), 12 deletions(-)
+
+diff --git a/block/opal_proto.h b/block/opal_proto.h
+index b486b3ec7dc4..7152aa1f1a49 100644
+--- a/block/opal_proto.h
++++ b/block/opal_proto.h
+@@ -39,7 +39,12 @@ enum opal_response_token {
+ #define FIRST_TPER_SESSION_NUM 4096
+
+ #define TPER_SYNC_SUPPORTED 0x01
++/* FC_LOCKING features */
++#define LOCKING_SUPPORTED_MASK 0x01
++#define LOCKING_ENABLED_MASK 0x02
++#define LOCKED_MASK 0x04
+ #define MBR_ENABLED_MASK 0x10
++#define MBR_DONE_MASK 0x20
+
+ #define TINY_ATOM_DATA_MASK 0x3F
+ #define TINY_ATOM_SIGNED 0x40
+diff --git a/block/sed-opal.c b/block/sed-opal.c
+index 9700197000f2..2c5327a0543a 100644
+--- a/block/sed-opal.c
++++ b/block/sed-opal.c
+@@ -74,8 +74,7 @@ struct parsed_resp {
+ };
+
+ struct opal_dev {
+- bool supported;
+- bool mbr_enabled;
++ u32 flags;
+
+ void *data;
+ sec_send_recv *send_recv;
+@@ -280,6 +279,30 @@ static bool check_tper(const void *data)
+ return true;
+ }
+
++static bool check_lcksuppt(const void *data)
++{
++ const struct d0_locking_features *lfeat = data;
++ u8 sup_feat = lfeat->supported_features;
++
++ return !!(sup_feat & LOCKING_SUPPORTED_MASK);
++}
++
++static bool check_lckenabled(const void *data)
++{
++ const struct d0_locking_features *lfeat = data;
++ u8 sup_feat = lfeat->supported_features;
++
++ return !!(sup_feat & LOCKING_ENABLED_MASK);
++}
++
++static bool check_locked(const void *data)
++{
++ const struct d0_locking_features *lfeat = data;
++ u8 sup_feat = lfeat->supported_features;
++
++ return !!(sup_feat & LOCKED_MASK);
++}
++
+ static bool check_mbrenabled(const void *data)
+ {
+ const struct d0_locking_features *lfeat = data;
+@@ -288,6 +311,14 @@ static bool check_mbrenabled(const void *data)
+ return !!(sup_feat & MBR_ENABLED_MASK);
+ }
+
++static bool check_mbrdone(const void *data)
++{
++ const struct d0_locking_features *lfeat = data;
++ u8 sup_feat = lfeat->supported_features;
++
++ return !!(sup_feat & MBR_DONE_MASK);
++}
++
+ static bool check_sum(const void *data)
+ {
+ const struct d0_single_user_mode *sum = data;
+@@ -435,7 +466,7 @@ static int opal_discovery0_end(struct opal_dev *dev)
+ u32 hlen = be32_to_cpu(hdr->length);
+
+ print_buffer(dev->resp, hlen);
+- dev->mbr_enabled = false;
++ dev->flags &= OPAL_FL_SUPPORTED;
+
+ if (hlen > IO_BUFFER_LENGTH - sizeof(*hdr)) {
+ pr_debug("Discovery length overflows buffer (%zu+%u)/%u\n",
+@@ -461,7 +492,16 @@ static int opal_discovery0_end(struct opal_dev *dev)
+ check_geometry(dev, body);
+ break;
+ case FC_LOCKING:
+- dev->mbr_enabled = check_mbrenabled(body->features);
++ if (check_lcksuppt(body->features))
++ dev->flags |= OPAL_FL_LOCKING_SUPPORTED;
++ if (check_lckenabled(body->features))
++ dev->flags |= OPAL_FL_LOCKING_ENABLED;
++ if (check_locked(body->features))
++ dev->flags |= OPAL_FL_LOCKED;
++ if (check_mbrenabled(body->features))
++ dev->flags |= OPAL_FL_MBR_ENABLED;
++ if (check_mbrdone(body->features))
++ dev->flags |= OPAL_FL_MBR_DONE;
+ break;
+ case FC_ENTERPRISE:
+ case FC_DATASTORE:
+@@ -2109,7 +2149,8 @@ static int check_opal_support(struct opal_dev *dev)
+ mutex_lock(&dev->dev_lock);
+ setup_opal_dev(dev);
+ ret = opal_discovery0_step(dev);
+- dev->supported = !ret;
++ if (!ret)
++ dev->flags |= OPAL_FL_SUPPORTED;
+ mutex_unlock(&dev->dev_lock);
+
+ return ret;
+@@ -2148,6 +2189,7 @@ struct opal_dev *init_opal_dev(void *data, sec_send_recv *send_recv)
+
+ INIT_LIST_HEAD(&dev->unlk_lst);
+ mutex_init(&dev->dev_lock);
++ dev->flags = 0;
+ dev->data = data;
+ dev->send_recv = send_recv;
+ if (check_opal_support(dev) != 0) {
+@@ -2528,7 +2570,7 @@ bool opal_unlock_from_suspend(struct opal_dev *dev)
+ if (!dev)
+ return false;
+
+- if (!dev->supported)
++ if (!(dev->flags & OPAL_FL_SUPPORTED))
+ return false;
+
+ mutex_lock(&dev->dev_lock);
+@@ -2546,7 +2588,7 @@ bool opal_unlock_from_suspend(struct opal_dev *dev)
+ was_failure = true;
+ }
+
+- if (dev->mbr_enabled) {
++ if (dev->flags & OPAL_FL_MBR_ENABLED) {
+ ret = __opal_set_mbr_done(dev, &suspend->unlk.session.opal_key);
+ if (ret)
+ pr_debug("Failed to set MBR Done in S3 resume\n");
+@@ -2620,6 +2662,23 @@ static int opal_generic_read_write_table(struct opal_dev *dev,
+ return ret;
+ }
+
++static int opal_get_status(struct opal_dev *dev, void __user *data)
++{
++ struct opal_status sts = {0};
++
++ /*
++ * check_opal_support() error is not fatal,
++ * !dev->supported is a valid condition
++ */
++ if (!check_opal_support(dev))
++ sts.flags = dev->flags;
++ if (copy_to_user(data, &sts, sizeof(sts))) {
++ pr_debug("Error copying status to userspace\n");
++ return -EFAULT;
++ }
++ return 0;
++}
++
+ int sed_ioctl(struct opal_dev *dev, unsigned int cmd, void __user *arg)
+ {
+ void *p;
+@@ -2629,12 +2688,14 @@ int sed_ioctl(struct opal_dev *dev, unsigned int cmd, void __user *arg)
+ return -EACCES;
+ if (!dev)
+ return -ENOTSUPP;
+- if (!dev->supported)
++ if (!(dev->flags & OPAL_FL_SUPPORTED))
+ return -ENOTSUPP;
+
+- p = memdup_user(arg, _IOC_SIZE(cmd));
+- if (IS_ERR(p))
+- return PTR_ERR(p);
++ if (cmd & IOC_IN) {
++ p = memdup_user(arg, _IOC_SIZE(cmd));
++ if (IS_ERR(p))
++ return PTR_ERR(p);
++ }
+
+ switch (cmd) {
+ case IOC_OPAL_SAVE:
+@@ -2685,11 +2746,15 @@ int sed_ioctl(struct opal_dev *dev, unsigned int cmd, void __user *arg)
+ case IOC_OPAL_GENERIC_TABLE_RW:
+ ret = opal_generic_read_write_table(dev, p);
+ break;
++ case IOC_OPAL_GET_STATUS:
++ ret = opal_get_status(dev, arg);
++ break;
+ default:
+ break;
+ }
+
+- kfree(p);
++ if (cmd & IOC_IN)
++ kfree(p);
+ return ret;
+ }
+ EXPORT_SYMBOL_GPL(sed_ioctl);
+diff --git a/include/linux/sed-opal.h b/include/linux/sed-opal.h
+index 1ac0d712a9c3..6f837bb6c715 100644
+--- a/include/linux/sed-opal.h
++++ b/include/linux/sed-opal.h
+@@ -43,6 +43,7 @@ static inline bool is_sed_ioctl(unsigned int cmd)
+ case IOC_OPAL_MBR_DONE:
+ case IOC_OPAL_WRITE_SHADOW_MBR:
+ case IOC_OPAL_GENERIC_TABLE_RW:
++ case IOC_OPAL_GET_STATUS:
+ return true;
+ }
+ return false;
+diff --git a/include/uapi/linux/sed-opal.h b/include/uapi/linux/sed-opal.h
+index 6f5af1a84213..2573772e2fb3 100644
+--- a/include/uapi/linux/sed-opal.h
++++ b/include/uapi/linux/sed-opal.h
+@@ -132,6 +132,18 @@ struct opal_read_write_table {
+ __u64 priv;
+ };
+
++#define OPAL_FL_SUPPORTED 0x00000001
++#define OPAL_FL_LOCKING_SUPPORTED 0x00000002
++#define OPAL_FL_LOCKING_ENABLED 0x00000004
++#define OPAL_FL_LOCKED 0x00000008
++#define OPAL_FL_MBR_ENABLED 0x00000010
++#define OPAL_FL_MBR_DONE 0x00000020
++
++struct opal_status {
++ __u32 flags;
++ __u32 reserved;
++};
++
+ #define IOC_OPAL_SAVE _IOW('p', 220, struct opal_lock_unlock)
+ #define IOC_OPAL_LOCK_UNLOCK _IOW('p', 221, struct opal_lock_unlock)
+ #define IOC_OPAL_TAKE_OWNERSHIP _IOW('p', 222, struct opal_key)
+@@ -148,5 +160,6 @@ struct opal_read_write_table {
+ #define IOC_OPAL_MBR_DONE _IOW('p', 233, struct opal_mbr_done)
+ #define IOC_OPAL_WRITE_SHADOW_MBR _IOW('p', 234, struct opal_shadow_mbr)
+ #define IOC_OPAL_GENERIC_TABLE_RW _IOW('p', 235, struct opal_read_write_table)
++#define IOC_OPAL_GET_STATUS _IOR('p', 236, struct opal_status)
+
+ #endif /* _UAPI_SED_OPAL_H */
+--
+2.35.1
+
--- /dev/null
+From 688bab541911201c90a243f371e24d67ae8b480a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 01:21:42 +0900
+Subject: Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit f74ca25d6d6629ffd4fd80a1a73037253b57d06b ]
+
+syzbot is again reporting attempt to cancel uninitialized work
+at mgmt_index_removed() [1], for setting of HCI_MGMT flag from
+mgmt_init_hdev() from hci_mgmt_cmd() from hci_sock_sendmsg() can
+race with testing of HCI_MGMT flag from mgmt_index_removed() from
+hci_sock_bind() due to lack of serialization via hci_dev_lock().
+
+Since mgmt_init_hdev() is called with mgmt_chan_list_lock held, we can
+safely split hci_dev_test_and_set_flag() into hci_dev_test_flag() and
+hci_dev_set_flag(). Thus, in order to close this race, set HCI_MGMT flag
+after INIT_DELAYED_WORK() completed.
+
+This is a local fix based on mgmt_chan_list_lock. Lack of serialization
+via hci_dev_lock() might be causing different race conditions somewhere
+else. But a global fix based on hci_dev_lock() should deserve a future
+patch.
+
+Link: https://syzkaller.appspot.com/bug?extid=844c7bf1b1aa4119c5de
+Reported-by: syzbot+844c7bf1b1aa4119c5de@syzkaller.appspotmail.com
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Fixes: 3f2893d3c142986a ("Bluetooth: don't try to cancel uninitialized works at mgmt_index_removed()")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 72e6595a71cc..3d1cd0666968 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -1050,7 +1050,7 @@ static void discov_off(struct work_struct *work)
+
+ static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
+ {
+- if (hci_dev_test_and_set_flag(hdev, HCI_MGMT))
++ if (hci_dev_test_flag(hdev, HCI_MGMT))
+ return;
+
+ BT_INFO("MGMT ver %d.%d", MGMT_VERSION, MGMT_REVISION);
+@@ -1065,6 +1065,8 @@ static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev)
+ * it
+ */
+ hci_dev_clear_flag(hdev, HCI_BONDABLE);
++
++ hci_dev_set_flag(hdev, HCI_MGMT);
+ }
+
+ static int read_controller_info(struct sock *sk, struct hci_dev *hdev,
+--
+2.35.1
+
--- /dev/null
+From 90d5816edbd96d9b25492b9774188dd032c0a2af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 12:49:45 +0530
+Subject: Bluetooth: btintel: Mark Intel controller to support LE_STATES quirk
+
+From: Kiran K <kiran.k@intel.com>
+
+[ Upstream commit dd0a1794f4334ddbf9b7c5e7d642aaffff38c69b ]
+
+HarrrisonPeak, CyclonePeak, SnowFieldPeak and SandyPeak controllers
+are marked to support HCI_QUIRK_LE_STATES.
+
+Signed-off-by: Kiran K <kiran.k@intel.com>
+Signed-off-by: Chethan T N <chethan.tumkur.narayan@intel.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btintel.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
+index 818681c89db8..d44a96667517 100644
+--- a/drivers/bluetooth/btintel.c
++++ b/drivers/bluetooth/btintel.c
+@@ -2439,15 +2439,20 @@ static int btintel_setup_combined(struct hci_dev *hdev)
+ INTEL_ROM_LEGACY_NO_WBS_SUPPORT))
+ set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
+ &hdev->quirks);
++ if (ver.hw_variant == 0x08 && ver.fw_variant == 0x22)
++ set_bit(HCI_QUIRK_VALID_LE_STATES,
++ &hdev->quirks);
+
+ err = btintel_legacy_rom_setup(hdev, &ver);
+ break;
+ case 0x0b: /* SfP */
+- case 0x0c: /* WsP */
+ case 0x11: /* JfP */
+ case 0x12: /* ThP */
+ case 0x13: /* HrP */
+ case 0x14: /* CcP */
++ set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
++ fallthrough;
++ case 0x0c: /* WsP */
+ /* Apply the device specific HCI quirks
+ *
+ * All Legacy bootloader devices support WBS
+@@ -2455,11 +2460,6 @@ static int btintel_setup_combined(struct hci_dev *hdev)
+ set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED,
+ &hdev->quirks);
+
+- /* Valid LE States quirk for JfP/ThP familiy */
+- if (ver.hw_variant == 0x11 || ver.hw_variant == 0x12)
+- set_bit(HCI_QUIRK_VALID_LE_STATES,
+- &hdev->quirks);
+-
+ /* Setup MSFT Extension support */
+ btintel_set_msft_opcode(hdev, ver.hw_variant);
+
+@@ -2530,9 +2530,8 @@ static int btintel_setup_combined(struct hci_dev *hdev)
+ */
+ set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks);
+
+- /* Valid LE States quirk for JfP/ThP familiy */
+- if (ver.hw_variant == 0x11 || ver.hw_variant == 0x12)
+- set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
++ /* Set Valid LE States quirk */
++ set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
+
+ /* Setup MSFT Extension support */
+ btintel_set_msft_opcode(hdev, ver.hw_variant);
+--
+2.35.1
+
--- /dev/null
+From a6404a1bca426dbb740979738b18befbefb7b22a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Aug 2022 08:49:07 +0800
+Subject: Bluetooth: btusb: mediatek: fix WMT failure during runtime suspend
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit fd3f106677bac70437dc12e76c827294ed495a44 ]
+
+WMT cmd/event doesn't follow up the generic HCI cmd/event handling, it
+needs constantly polling control pipe until the host received the WMT
+event, thus, we should require to specifically acquire PM counter on the
+USB to prevent the interface from entering auto suspended while WMT
+cmd/event in progress.
+
+Fixes: a1c49c434e15 ("Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices")
+Co-developed-by: Jing Cai <jing.cai@mediatek.com>
+Signed-off-by: Jing Cai <jing.cai@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 15caa6469538..1bb46cbff0fa 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -2477,15 +2477,29 @@ static int btusb_mtk_hci_wmt_sync(struct hci_dev *hdev,
+
+ set_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags);
+
++ /* WMT cmd/event doesn't follow up the generic HCI cmd/event handling,
++ * it needs constantly polling control pipe until the host received the
++ * WMT event, thus, we should require to specifically acquire PM counter
++ * on the USB to prevent the interface from entering auto suspended
++ * while WMT cmd/event in progress.
++ */
++ err = usb_autopm_get_interface(data->intf);
++ if (err < 0)
++ goto err_free_wc;
++
+ err = __hci_cmd_send(hdev, 0xfc6f, hlen, wc);
+
+ if (err < 0) {
+ clear_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags);
++ usb_autopm_put_interface(data->intf);
+ goto err_free_wc;
+ }
+
+ /* Submit control IN URB on demand to process the WMT event */
+ err = btusb_mtk_submit_wmt_recv_urb(hdev);
++
++ usb_autopm_put_interface(data->intf);
++
+ if (err < 0)
+ goto err_free_wc;
+
+--
+2.35.1
+
--- /dev/null
+From 84fddcfd42d833dd3beff4d732df09fbb39d5638 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Aug 2022 23:58:12 +0900
+Subject: Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 3124d320c22f3f4388d9ac5c8f37eaad0cefd6b1 ]
+
+syzbot is reporting NULL pointer dereference at hci_uart_tty_close() [1],
+for rcu_sync_enter() is called without rcu_sync_init() due to
+hci_uart_tty_open() ignoring percpu_init_rwsem() failure.
+
+While we are at it, fix that hci_uart_register_device() ignores
+percpu_init_rwsem() failure and hci_uart_unregister_device() does not
+call percpu_free_rwsem().
+
+Link: https://syzkaller.appspot.com/bug?extid=576dfca25381fb6fbc5f [1]
+Reported-by: syzbot <syzbot+576dfca25381fb6fbc5f@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Fixes: 67d2f8781b9f00d1 ("Bluetooth: hci_ldisc: Allow sleeping while proto locks are held.")
+Fixes: d73e172816652772 ("Bluetooth: hci_serdev: Init hci_uart proto_lock to avoid oops")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_ldisc.c | 7 +++++--
+ drivers/bluetooth/hci_serdev.c | 10 +++++++---
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index f537673ede17..865112e96ff9 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -493,6 +493,11 @@ static int hci_uart_tty_open(struct tty_struct *tty)
+ BT_ERR("Can't allocate control structure");
+ return -ENFILE;
+ }
++ if (percpu_init_rwsem(&hu->proto_lock)) {
++ BT_ERR("Can't allocate semaphore structure");
++ kfree(hu);
++ return -ENOMEM;
++ }
+
+ tty->disc_data = hu;
+ hu->tty = tty;
+@@ -505,8 +510,6 @@ static int hci_uart_tty_open(struct tty_struct *tty)
+ INIT_WORK(&hu->init_ready, hci_uart_init_work);
+ INIT_WORK(&hu->write_work, hci_uart_write_work);
+
+- percpu_init_rwsem(&hu->proto_lock);
+-
+ /* Flush any pending characters in the driver */
+ tty_driver_flush_buffer(tty);
+
+diff --git a/drivers/bluetooth/hci_serdev.c b/drivers/bluetooth/hci_serdev.c
+index c0e5f42ec6b7..f16fd79bc02b 100644
+--- a/drivers/bluetooth/hci_serdev.c
++++ b/drivers/bluetooth/hci_serdev.c
+@@ -310,11 +310,12 @@ int hci_uart_register_device(struct hci_uart *hu,
+
+ serdev_device_set_client_ops(hu->serdev, &hci_serdev_client_ops);
+
++ if (percpu_init_rwsem(&hu->proto_lock))
++ return -ENOMEM;
++
+ err = serdev_device_open(hu->serdev);
+ if (err)
+- return err;
+-
+- percpu_init_rwsem(&hu->proto_lock);
++ goto err_rwsem;
+
+ err = p->open(hu);
+ if (err)
+@@ -389,6 +390,8 @@ int hci_uart_register_device(struct hci_uart *hu,
+ p->close(hu);
+ err_open:
+ serdev_device_close(hu->serdev);
++err_rwsem:
++ percpu_free_rwsem(&hu->proto_lock);
+ return err;
+ }
+ EXPORT_SYMBOL_GPL(hci_uart_register_device);
+@@ -410,5 +413,6 @@ void hci_uart_unregister_device(struct hci_uart *hu)
+ clear_bit(HCI_UART_PROTO_READY, &hu->flags);
+ serdev_device_close(hu->serdev);
+ }
++ percpu_free_rwsem(&hu->proto_lock);
+ }
+ EXPORT_SYMBOL_GPL(hci_uart_unregister_device);
+--
+2.35.1
+
--- /dev/null
+From 19bbc25ce02735c93d31096481aa5a8160dbea78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 15:44:42 -0700
+Subject: Bluetooth: hci_core: Fix not handling link timeouts propertly
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 116523c8fac05d1d26f748fee7919a4ec5df67ea ]
+
+Change that introduced the use of __check_timeout did not account for
+link types properly, it always assumes ACL_LINK is used thus causing
+hdev->acl_last_tx to be used even in case of LE_LINK and then again
+uses ACL_LINK with hci_link_tx_to.
+
+To fix this __check_timeout now takes the link type as parameter and
+then procedure to use the right last_tx based on the link type and pass
+it to hci_link_tx_to.
+
+Fixes: 1b1d29e51499 ("Bluetooth: Make use of __check_timeout on hci_sched_le")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Tested-by: David Beinder <david@beinder.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_core.c | 34 +++++++++++++++++++++++-----------
+ 1 file changed, 23 insertions(+), 11 deletions(-)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 9873d2e67988..e6be18eb7fe6 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -3478,15 +3478,27 @@ static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb)
+ return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len);
+ }
+
+-static void __check_timeout(struct hci_dev *hdev, unsigned int cnt)
++static void __check_timeout(struct hci_dev *hdev, unsigned int cnt, u8 type)
+ {
+- if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
+- /* ACL tx timeout must be longer than maximum
+- * link supervision timeout (40.9 seconds) */
+- if (!cnt && time_after(jiffies, hdev->acl_last_tx +
+- HCI_ACL_TX_TIMEOUT))
+- hci_link_tx_to(hdev, ACL_LINK);
++ unsigned long last_tx;
++
++ if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED))
++ return;
++
++ switch (type) {
++ case LE_LINK:
++ last_tx = hdev->le_last_tx;
++ break;
++ default:
++ last_tx = hdev->acl_last_tx;
++ break;
+ }
++
++ /* tx timeout must be longer than maximum link supervision timeout
++ * (40.9 seconds)
++ */
++ if (!cnt && time_after(jiffies, last_tx + HCI_ACL_TX_TIMEOUT))
++ hci_link_tx_to(hdev, type);
+ }
+
+ /* Schedule SCO */
+@@ -3544,7 +3556,7 @@ static void hci_sched_acl_pkt(struct hci_dev *hdev)
+ struct sk_buff *skb;
+ int quote;
+
+- __check_timeout(hdev, cnt);
++ __check_timeout(hdev, cnt, ACL_LINK);
+
+ while (hdev->acl_cnt &&
+ (chan = hci_chan_sent(hdev, ACL_LINK, "e))) {
+@@ -3587,8 +3599,6 @@ static void hci_sched_acl_blk(struct hci_dev *hdev)
+ int quote;
+ u8 type;
+
+- __check_timeout(hdev, cnt);
+-
+ BT_DBG("%s", hdev->name);
+
+ if (hdev->dev_type == HCI_AMP)
+@@ -3596,6 +3606,8 @@ static void hci_sched_acl_blk(struct hci_dev *hdev)
+ else
+ type = ACL_LINK;
+
++ __check_timeout(hdev, cnt, type);
++
+ while (hdev->block_cnt > 0 &&
+ (chan = hci_chan_sent(hdev, type, "e))) {
+ u32 priority = (skb_peek(&chan->data_q))->priority;
+@@ -3669,7 +3681,7 @@ static void hci_sched_le(struct hci_dev *hdev)
+
+ cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
+
+- __check_timeout(hdev, cnt);
++ __check_timeout(hdev, cnt, LE_LINK);
+
+ tmp = cnt;
+ while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) {
+--
+2.35.1
+
--- /dev/null
+From 7f8af1bf803f7b8ccc3bd5842b37a66332388599 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 11:10:17 -0700
+Subject: Bluetooth: hci_event: Make sure ISO events don't affect non-ISO
+ connections
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit ed680f925aea76ac666f34d9923cb40558f4e97b ]
+
+ISO events (CIS/BIS) shall only be relevant for connection with link
+type of ISO_LINK, otherwise the controller is probably buggy or it is
+the result of fuzzer tools such as syzkaller.
+
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index d6f0e6ca0e7e..ab79a978deb5 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -6778,6 +6778,13 @@ static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
+ goto unlock;
+ }
+
++ if (conn->type != ISO_LINK) {
++ bt_dev_err(hdev,
++ "Invalid connection link type handle 0x%4.4x",
++ handle);
++ goto unlock;
++ }
++
+ if (conn->role == HCI_ROLE_SLAVE) {
+ __le32 interval;
+
+@@ -6898,6 +6905,13 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
+ if (!conn)
+ goto unlock;
+
++ if (conn->type != ISO_LINK) {
++ bt_dev_err(hdev,
++ "Invalid connection link type handle 0x%2.2x",
++ ev->handle);
++ goto unlock;
++ }
++
+ if (ev->num_bis)
+ conn->handle = __le16_to_cpu(ev->bis_handle[0]);
+
+--
+2.35.1
+
--- /dev/null
+From edf3f23b2232b922de610ea43ac881873780de2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 13:12:30 -0700
+Subject: Bluetooth: hci_sync: Fix not indicating power state
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 6abf0dae8c3c927f54e62c46faf8aba580ba0d04 ]
+
+When setting power state using legacy/non-mgmt API
+(e.g hcitool hci0 up) the likes of mgmt_set_powered_complete won't be
+called causing clients of the MGMT API to not be notified of the change
+of the state.
+
+Fixes: cf75ad8b41d2 ("Bluetooth: hci_sync: Convert MGMT_SET_POWERED")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Tested-by: Tedd Ho-Jeong An <tedd.an@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index fbd5613eebfc..f70798589bf5 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -4355,6 +4355,7 @@ int hci_dev_open_sync(struct hci_dev *hdev)
+ hci_dev_test_flag(hdev, HCI_MGMT) &&
+ hdev->dev_type == HCI_PRIMARY) {
+ ret = hci_powered_update_sync(hdev);
++ mgmt_power_on(hdev, ret);
+ }
+ } else {
+ /* Init failed, cleanup */
+--
+2.35.1
+
--- /dev/null
+From ec67039babdffa42118aa383e6f8592afaaeec5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 10:56:59 -0700
+Subject: Bluetooth: hci_sysfs: Fix attempting to call device_add multiple
+ times
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 448a496f760664d3e2e79466aa1787e6abc922b5 ]
+
+device_add shall not be called multiple times as stated in its
+documentation:
+
+ 'Do not call this routine or device_register() more than once for
+ any device structure'
+
+Syzkaller reports a bug as follows [1]:
+------------[ cut here ]------------
+kernel BUG at lib/list_debug.c:33!
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+[...]
+Call Trace:
+ <TASK>
+ __list_add include/linux/list.h:69 [inline]
+ list_add_tail include/linux/list.h:102 [inline]
+ kobj_kset_join lib/kobject.c:164 [inline]
+ kobject_add_internal+0x18f/0x8f0 lib/kobject.c:214
+ kobject_add_varg lib/kobject.c:358 [inline]
+ kobject_add+0x150/0x1c0 lib/kobject.c:410
+ device_add+0x368/0x1e90 drivers/base/core.c:3452
+ hci_conn_add_sysfs+0x9b/0x1b0 net/bluetooth/hci_sysfs.c:53
+ hci_le_cis_estabilished_evt+0x57c/0xae0 net/bluetooth/hci_event.c:6799
+ hci_le_meta_evt+0x2b8/0x510 net/bluetooth/hci_event.c:7110
+ hci_event_func net/bluetooth/hci_event.c:7440 [inline]
+ hci_event_packet+0x63d/0xfd0 net/bluetooth/hci_event.c:7495
+ hci_rx_work+0xae7/0x1230 net/bluetooth/hci_core.c:4007
+ process_one_work+0x991/0x1610 kernel/workqueue.c:2289
+ worker_thread+0x665/0x1080 kernel/workqueue.c:2436
+ kthread+0x2e4/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
+ </TASK>
+
+Link: https://syzkaller.appspot.com/bug?id=da3246e2d33afdb92d66bc166a0934c5b146404a
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Tested-by: Hawkins Jiawei <yin31149@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sysfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
+index 4e3e0451b08c..08542dfc2dc5 100644
+--- a/net/bluetooth/hci_sysfs.c
++++ b/net/bluetooth/hci_sysfs.c
+@@ -48,6 +48,9 @@ void hci_conn_add_sysfs(struct hci_conn *conn)
+
+ BT_DBG("conn %p", conn);
+
++ if (device_is_registered(&conn->dev))
++ return;
++
+ dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle);
+
+ if (device_add(&conn->dev) < 0) {
+--
+2.35.1
+
--- /dev/null
+From 78722f230adea1d32f9db20b1f62f026784d9108 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 13:27:13 -0700
+Subject: Bluetooth: L2CAP: Fix user-after-free
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 35fcbc4243aad7e7d020b7c1dfb14bb888b20a4f ]
+
+This uses l2cap_chan_hold_unless_zero() after calling
+__l2cap_get_chan_blah() to prevent the following trace:
+
+Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref
+*kref)
+Bluetooth: chan 0000000023c4974d
+Bluetooth: parent 00000000ae861c08
+==================================================================
+BUG: KASAN: use-after-free in __mutex_waiter_is_first
+kernel/locking/mutex.c:191 [inline]
+BUG: KASAN: use-after-free in __mutex_lock_common
+kernel/locking/mutex.c:671 [inline]
+BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400
+kernel/locking/mutex.c:729
+Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389
+
+Link: https://lore.kernel.org/lkml/20220622082716.478486-1-lee.jones@linaro.org
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 770891f68703..1f34b82ca0ec 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4309,6 +4309,12 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+ }
+ }
+
++ chan = l2cap_chan_hold_unless_zero(chan);
++ if (!chan) {
++ err = -EBADSLT;
++ goto unlock;
++ }
++
+ err = 0;
+
+ l2cap_chan_lock(chan);
+@@ -4338,6 +4344,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+ }
+
+ l2cap_chan_unlock(chan);
++ l2cap_chan_put(chan);
+
+ unlock:
+ mutex_unlock(&conn->chan_lock);
+--
+2.35.1
+
--- /dev/null
+From cce48609c8ef8523fb790f57db7e1189f2ff8ea2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Sep 2022 00:32:56 +0900
+Subject: Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 2d2cb3066f2c90cd8ca540b36ba7a55e7f2406e0 ]
+
+syzbot is reporting cancel_delayed_work() without INIT_DELAYED_WORK() at
+l2cap_chan_del() [1], for CONF_NOT_COMPLETE flag (which meant to prevent
+l2cap_chan_del() from calling cancel_delayed_work()) is cleared by timer
+which fires before l2cap_chan_del() is called by closing file descriptor
+created by socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP).
+
+l2cap_bredr_sig_cmd(L2CAP_CONF_REQ) and l2cap_bredr_sig_cmd(L2CAP_CONF_RSP)
+are calling l2cap_ertm_init(chan), and they call l2cap_chan_ready() (which
+clears CONF_NOT_COMPLETE flag) only when l2cap_ertm_init(chan) succeeded.
+
+l2cap_sock_init() does not call l2cap_ertm_init(chan), and it instead sets
+CONF_NOT_COMPLETE flag by calling l2cap_chan_set_defaults(). However, when
+connect() is requested, "command 0x0409 tx timeout" happens after 2 seconds
+ from connect() request, and CONF_NOT_COMPLETE flag is cleared after 4
+seconds from connect() request, for l2cap_conn_start() from
+l2cap_info_timeout() callback scheduled by
+
+ schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT);
+
+in l2cap_connect() is calling l2cap_chan_ready().
+
+Fix this problem by initializing delayed works used by L2CAP_MODE_ERTM
+mode as soon as l2cap_chan_create() allocates a channel, like I did in
+commit be8597239379f0f5 ("Bluetooth: initialize skb_queue_head at
+l2cap_chan_create()").
+
+Link: https://syzkaller.appspot.com/bug?extid=83672956c7aa6af698b3 [1]
+Reported-by: syzbot <syzbot+83672956c7aa6af698b3@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 2c9de67daadc..770891f68703 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -61,6 +61,9 @@ static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
+
+ static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
+ struct sk_buff_head *skbs, u8 event);
++static void l2cap_retrans_timeout(struct work_struct *work);
++static void l2cap_monitor_timeout(struct work_struct *work);
++static void l2cap_ack_timeout(struct work_struct *work);
+
+ static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type)
+ {
+@@ -476,6 +479,9 @@ struct l2cap_chan *l2cap_chan_create(void)
+ write_unlock(&chan_list_lock);
+
+ INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout);
++ INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
++ INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
++ INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
+
+ chan->state = BT_OPEN;
+
+@@ -3320,10 +3326,6 @@ int l2cap_ertm_init(struct l2cap_chan *chan)
+ chan->rx_state = L2CAP_RX_STATE_RECV;
+ chan->tx_state = L2CAP_TX_STATE_XMIT;
+
+- INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout);
+- INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout);
+- INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout);
+-
+ skb_queue_head_init(&chan->srej_q);
+
+ err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win);
+--
+2.35.1
+
--- /dev/null
+From 11c1c1ab1a3b216441edeb40371465ec8b7ecbef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 09:58:15 -0700
+Subject: Bluetooth: Prevent double register of suspend
+
+From: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+
+[ Upstream commit 4b8af331bb4d4cc8bb91c284b11b98dd1e265185 ]
+
+Suspend notifier should only be registered and unregistered once per
+hdev. Simplify this by only registering during driver registration and
+simply exiting early when HCI_USER_CHANNEL is set.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Fixes: 359ee4f834f5 (Bluetooth: Unregister suspend with userchannel)
+Signed-off-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_core.c | 4 ++++
+ net/bluetooth/hci_sock.c | 3 ---
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index e6be18eb7fe6..6ae5aa5c0927 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -2400,6 +2400,10 @@ static int hci_suspend_notifier(struct notifier_block *nb, unsigned long action,
+ container_of(nb, struct hci_dev, suspend_notifier);
+ int ret = 0;
+
++ /* Userspace has full control of this device. Do nothing. */
++ if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
++ return NOTIFY_DONE;
++
+ if (action == PM_SUSPEND_PREPARE)
+ ret = hci_suspend_dev(hdev);
+ else if (action == PM_POST_SUSPEND)
+diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
+index 0d015d4a8e41..bd8358b44aa4 100644
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -887,7 +887,6 @@ static int hci_sock_release(struct socket *sock)
+ */
+ hci_dev_do_close(hdev);
+ hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
+- hci_register_suspend_notifier(hdev);
+ mgmt_index_added(hdev);
+ }
+
+@@ -1216,7 +1215,6 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
+ }
+
+ mgmt_index_removed(hdev);
+- hci_unregister_suspend_notifier(hdev);
+
+ err = hci_dev_open(hdev->id);
+ if (err) {
+@@ -1231,7 +1229,6 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
+ err = 0;
+ } else {
+ hci_dev_clear_flag(hdev, HCI_USER_CHANNEL);
+- hci_register_suspend_notifier(hdev);
+ mgmt_index_added(hdev);
+ hci_dev_put(hdev);
+ goto done;
+--
+2.35.1
+
--- /dev/null
+From bee023759c0fc70eefade612dba6214aaa0d10de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 16:08:13 -0700
+Subject: Bluetooth: RFCOMM: Fix possible deadlock on socket shutdown/release
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 812e92b824c1db16c9519f8624d48a9901a0d38f ]
+
+Due to change to switch to use lock_sock inside rfcomm_sk_state_change
+the socket shutdown/release procedure can cause a deadlock:
+
+ rfcomm_sock_shutdown():
+ lock_sock();
+ __rfcomm_sock_close():
+ rfcomm_dlc_close():
+ __rfcomm_dlc_close():
+ rfcomm_dlc_lock();
+ rfcomm_sk_state_change():
+ lock_sock();
+
+To fix this when the call __rfcomm_sock_close is now done without
+holding the lock_sock since rfcomm_dlc_lock exists to protect
+the dlc data there is no need to use lock_sock in that code path.
+
+Link: https://lore.kernel.org/all/CAD+dNTsbuU4w+Y_P7o+VEN7BYCAbZuwZx2+tH+OTzCdcZF82YA@mail.gmail.com/
+Fixes: b7ce436a5d79 ("Bluetooth: switch to lock_sock in RFCOMM")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/rfcomm/sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
+index 4bf4ea6cbb5e..21e24da4847f 100644
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -902,7 +902,10 @@ static int rfcomm_sock_shutdown(struct socket *sock, int how)
+ lock_sock(sk);
+ if (!sk->sk_shutdown) {
+ sk->sk_shutdown = SHUTDOWN_MASK;
++
++ release_sock(sk);
+ __rfcomm_sock_close(sk);
++ lock_sock(sk);
+
+ if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime &&
+ !(current->flags & PF_EXITING))
+--
+2.35.1
+
--- /dev/null
+From b52b7af93fac5f4b00a41c49955b4d84b9a6f558 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 14:28:43 +0800
+Subject: bnx2x: fix potential memory leak in bnx2x_tpa_stop()
+
+From: Jianglei Nie <niejianglei2021@163.com>
+
+[ Upstream commit b43f9acbb8942b05252be83ac25a81cec70cc192 ]
+
+bnx2x_tpa_stop() allocates a memory chunk from new_data with
+bnx2x_frag_alloc(). The new_data should be freed when gets some error.
+But when "pad + len > fp->rx_buf_size" is true, bnx2x_tpa_stop() returns
+without releasing the new_data, which will lead to a memory leak.
+
+We should free the new_data with bnx2x_frag_free() when "pad + len >
+fp->rx_buf_size" is true.
+
+Fixes: 07b0f00964def8af9321cfd6c4a7e84f6362f728 ("bnx2x: fix possible panic under memory stress")
+Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+index 712b5595bc39..24bfc65e28e1 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -789,6 +789,7 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp,
+ BNX2X_ERR("skb_put is about to fail... pad %d len %d rx_buf_size %d\n",
+ pad, len, fp->rx_buf_size);
+ bnx2x_panic();
++ bnx2x_frag_free(fp, new_data);
+ return;
+ }
+ #endif
+--
+2.35.1
+
--- /dev/null
+From 8b8914ee2bff7ebd41fb722f34dd0a9b241a61d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 22:10:38 +0300
+Subject: bnxt_en: replace reset with config timestamps
+
+From: Vadim Fedorenko <vfedorenko@novek.ru>
+
+[ Upstream commit 8db3d514e96715c897fe793c4d5fc0fd86aca517 ]
+
+Any change to the hardware timestamps configuration triggers nic restart,
+which breaks transmition and reception of network packets for a while.
+But there is no need to fully restart the device because while configuring
+hardware timestamps. The code for changing configuration runs after all
+of the initialisation, when the NIC is actually up and running. This patch
+changes the code that ioctl will only update configuration registers and
+will not trigger carrier status change, but in case of timestamps for
+all rx packetes it fallbacks to close()/open() sequnce because of
+synchronization issues in the hardware. Tested on BCM57504.
+
+Cc: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru>
+Reviewed-by: Michael Chan <michael.chan@broadcom.com>
+Link: https://lore.kernel.org/r/20220922191038.29921-1-vfedorenko@novek.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c
+index 8e316367f6ce..2132ce63193c 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c
+@@ -505,9 +505,13 @@ static int bnxt_hwrm_ptp_cfg(struct bnxt *bp)
+ ptp->tstamp_filters = flags;
+
+ if (netif_running(bp->dev)) {
+- rc = bnxt_close_nic(bp, false, false);
+- if (!rc)
+- rc = bnxt_open_nic(bp, false, false);
++ if (ptp->rx_filter == HWTSTAMP_FILTER_ALL) {
++ rc = bnxt_close_nic(bp, false, false);
++ if (!rc)
++ rc = bnxt_open_nic(bp, false, false);
++ } else {
++ bnxt_ptp_cfg_tstamp_filters(bp);
++ }
+ if (!rc && !ptp->tstamp_filters)
+ rc = -EIO;
+ }
+--
+2.35.1
+
--- /dev/null
+From bf15e28c9c6eec82799002b09c64af70019746aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 17:33:38 +0200
+Subject: bpf: Adjust kprobe_multi entry_ip for CONFIG_X86_KERNEL_IBT
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit c09eb2e578eb1668bbc84dc07e8d8bd6f04b9a02 ]
+
+Martynas reported bpf_get_func_ip returning +4 address when
+CONFIG_X86_KERNEL_IBT option is enabled.
+
+When CONFIG_X86_KERNEL_IBT is enabled we'll have endbr instruction
+at the function entry, which screws return value of bpf_get_func_ip()
+helper that should return the function address.
+
+There's short term workaround for kprobe_multi bpf program made by
+Alexei [1], but we need this fixup also for bpf_get_attach_cookie,
+that returns cookie based on the entry_ip value.
+
+Moving the fixup in the fprobe handler, so both bpf_get_func_ip
+and bpf_get_attach_cookie get expected function address when
+CONFIG_X86_KERNEL_IBT option is enabled.
+
+Also renaming kprobe_multi_link_handler entry_ip argument to fentry_ip
+so it's clearer this is an ftrace __fentry__ ip.
+
+[1] commit 7f0059b58f02 ("selftests/bpf: Fix kprobe_multi test.")
+
+Cc: Peter Zijlstra <peterz@infradead.org>
+Reported-by: Martynas Pumputis <m@lambda.lt>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Link: https://lore.kernel.org/r/20220926153340.1621984-5-jolsa@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/bpf_trace.c | 20 +++++++++++++++++--
+ .../selftests/bpf/progs/kprobe_multi.c | 4 +---
+ 2 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index 68e5cdd24cef..b1daf7c9b895 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -1026,6 +1026,22 @@ static const struct bpf_func_proto bpf_get_func_ip_proto_tracing = {
+ .arg1_type = ARG_PTR_TO_CTX,
+ };
+
++#ifdef CONFIG_X86_KERNEL_IBT
++static unsigned long get_entry_ip(unsigned long fentry_ip)
++{
++ u32 instr;
++
++ /* Being extra safe in here in case entry ip is on the page-edge. */
++ if (get_kernel_nofault(instr, (u32 *) fentry_ip - 1))
++ return fentry_ip;
++ if (is_endbr(instr))
++ fentry_ip -= ENDBR_INSN_SIZE;
++ return fentry_ip;
++}
++#else
++#define get_entry_ip(fentry_ip) fentry_ip
++#endif
++
+ BPF_CALL_1(bpf_get_func_ip_kprobe, struct pt_regs *, regs)
+ {
+ struct kprobe *kp = kprobe_running();
+@@ -2414,13 +2430,13 @@ kprobe_multi_link_prog_run(struct bpf_kprobe_multi_link *link,
+ }
+
+ static void
+-kprobe_multi_link_handler(struct fprobe *fp, unsigned long entry_ip,
++kprobe_multi_link_handler(struct fprobe *fp, unsigned long fentry_ip,
+ struct pt_regs *regs)
+ {
+ struct bpf_kprobe_multi_link *link;
+
+ link = container_of(fp, struct bpf_kprobe_multi_link, fp);
+- kprobe_multi_link_prog_run(link, entry_ip, regs);
++ kprobe_multi_link_prog_run(link, get_entry_ip(fentry_ip), regs);
+ }
+
+ static int symbols_cmp_r(const void *a, const void *b, const void *priv)
+diff --git a/tools/testing/selftests/bpf/progs/kprobe_multi.c b/tools/testing/selftests/bpf/progs/kprobe_multi.c
+index 08f95a8155d1..98c3399e15c0 100644
+--- a/tools/testing/selftests/bpf/progs/kprobe_multi.c
++++ b/tools/testing/selftests/bpf/progs/kprobe_multi.c
+@@ -36,15 +36,13 @@ __u64 kretprobe_test6_result = 0;
+ __u64 kretprobe_test7_result = 0;
+ __u64 kretprobe_test8_result = 0;
+
+-extern bool CONFIG_X86_KERNEL_IBT __kconfig __weak;
+-
+ static void kprobe_multi_check(void *ctx, bool is_return)
+ {
+ if (bpf_get_current_pid_tgid() >> 32 != pid)
+ return;
+
+ __u64 cookie = test_cookie ? bpf_get_attach_cookie(ctx) : 0;
+- __u64 addr = bpf_get_func_ip(ctx) - (CONFIG_X86_KERNEL_IBT ? 4 : 0);
++ __u64 addr = bpf_get_func_ip(ctx);
+
+ #define SET(__var, __addr, __cookie) ({ \
+ if (((const void *) addr == __addr) && \
+--
+2.35.1
+
--- /dev/null
+From 6bdd1482ad84d4001ce9b652d8f4a3c14de5c2b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Sep 2022 11:01:20 +0000
+Subject: bpf: btf: fix truncated last_member_type_id in btf_struct_resolve
+
+From: Lorenz Bauer <oss@lmb.io>
+
+[ Upstream commit a37a32583e282d8d815e22add29bc1e91e19951a ]
+
+When trying to finish resolving a struct member, btf_struct_resolve
+saves the member type id in a u16 temporary variable. This truncates
+the 32 bit type id value if it exceeds UINT16_MAX.
+
+As a result, structs that have members with type ids > UINT16_MAX and
+which need resolution will fail with a message like this:
+
+ [67414] STRUCT ff_device size=120 vlen=12
+ effect_owners type_id=67434 bits_offset=960 Member exceeds struct_size
+
+Fix this by changing the type of last_member_type_id to u32.
+
+Fixes: a0791f0df7d2 ("bpf: fix BTF limits")
+Reviewed-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: Lorenz Bauer <oss@lmb.io>
+Link: https://lore.kernel.org/r/20220910110120.339242-1-oss@lmb.io
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/btf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index 7e64447659f3..36fd4b509294 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -3128,7 +3128,7 @@ static int btf_struct_resolve(struct btf_verifier_env *env,
+ if (v->next_member) {
+ const struct btf_type *last_member_type;
+ const struct btf_member *last_member;
+- u16 last_member_type_id;
++ u32 last_member_type_id;
+
+ last_member = btf_type_member(v->t) + v->next_member - 1;
+ last_member_type_id = last_member->type;
+--
+2.35.1
+
--- /dev/null
+From c860ebe44f2873f1dbdc4221877e1660b3512bc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 10:46:02 +0000
+Subject: bpf, cgroup: Reject prog_attach_flags array when effective query
+
+From: Pu Lehui <pulehui@huawei.com>
+
+[ Upstream commit 0e426a3ae030a9e891899370229e117158b35de6 ]
+
+Attach flags is only valid for attached progs of this layer cgroup,
+but not for effective progs. For querying with EFFECTIVE flags,
+exporting attach flags does not make sense. So when effective query,
+we reject prog_attach_flags array and don't need to populate it.
+Also we limit attach_flags to output 0 during effective query.
+
+Fixes: b79c9fc9551b ("bpf: implement BPF_PROG_QUERY for BPF_LSM_CGROUP")
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Link: https://lore.kernel.org/r/20220921104604.2340580-2-pulehui@huaweicloud.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/bpf.h | 7 +++++--
+ kernel/bpf/cgroup.c | 28 ++++++++++++++++++----------
+ tools/include/uapi/linux/bpf.h | 7 +++++--
+ 3 files changed, 28 insertions(+), 14 deletions(-)
+
+diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
+index 59a217ca2dfd..4eff7fc7ae58 100644
+--- a/include/uapi/linux/bpf.h
++++ b/include/uapi/linux/bpf.h
+@@ -1233,7 +1233,7 @@ enum {
+
+ /* Query effective (directly attached + inherited from ancestor cgroups)
+ * programs that will be executed for events within a cgroup.
+- * attach_flags with this flag are returned only for directly attached programs.
++ * attach_flags with this flag are always returned 0.
+ */
+ #define BPF_F_QUERY_EFFECTIVE (1U << 0)
+
+@@ -1432,7 +1432,10 @@ union bpf_attr {
+ __u32 attach_flags;
+ __aligned_u64 prog_ids;
+ __u32 prog_cnt;
+- __aligned_u64 prog_attach_flags; /* output: per-program attach_flags */
++ /* output: per-program attach_flags.
++ * not allowed to be set during effective query.
++ */
++ __aligned_u64 prog_attach_flags;
+ } query;
+
+ struct { /* anonymous struct used by BPF_RAW_TRACEPOINT_OPEN command */
+diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
+index 4a400cd63731..22888aaa68b6 100644
+--- a/kernel/bpf/cgroup.c
++++ b/kernel/bpf/cgroup.c
+@@ -1020,6 +1020,7 @@ static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr,
+ union bpf_attr __user *uattr)
+ {
+ __u32 __user *prog_attach_flags = u64_to_user_ptr(attr->query.prog_attach_flags);
++ bool effective_query = attr->query.query_flags & BPF_F_QUERY_EFFECTIVE;
+ __u32 __user *prog_ids = u64_to_user_ptr(attr->query.prog_ids);
+ enum bpf_attach_type type = attr->query.attach_type;
+ enum cgroup_bpf_attach_type from_atype, to_atype;
+@@ -1029,8 +1030,12 @@ static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr,
+ int total_cnt = 0;
+ u32 flags;
+
++ if (effective_query && prog_attach_flags)
++ return -EINVAL;
++
+ if (type == BPF_LSM_CGROUP) {
+- if (attr->query.prog_cnt && prog_ids && !prog_attach_flags)
++ if (!effective_query && attr->query.prog_cnt &&
++ prog_ids && !prog_attach_flags)
+ return -EINVAL;
+
+ from_atype = CGROUP_LSM_START;
+@@ -1045,7 +1050,7 @@ static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr,
+ }
+
+ for (atype = from_atype; atype <= to_atype; atype++) {
+- if (attr->query.query_flags & BPF_F_QUERY_EFFECTIVE) {
++ if (effective_query) {
+ effective = rcu_dereference_protected(cgrp->bpf.effective[atype],
+ lockdep_is_held(&cgroup_mutex));
+ total_cnt += bpf_prog_array_length(effective);
+@@ -1054,6 +1059,8 @@ static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr,
+ }
+ }
+
++ /* always output uattr->query.attach_flags as 0 during effective query */
++ flags = effective_query ? 0 : flags;
+ if (copy_to_user(&uattr->query.attach_flags, &flags, sizeof(flags)))
+ return -EFAULT;
+ if (copy_to_user(&uattr->query.prog_cnt, &total_cnt, sizeof(total_cnt)))
+@@ -1068,7 +1075,7 @@ static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr,
+ }
+
+ for (atype = from_atype; atype <= to_atype && total_cnt; atype++) {
+- if (attr->query.query_flags & BPF_F_QUERY_EFFECTIVE) {
++ if (effective_query) {
+ effective = rcu_dereference_protected(cgrp->bpf.effective[atype],
+ lockdep_is_held(&cgroup_mutex));
+ cnt = min_t(int, bpf_prog_array_length(effective), total_cnt);
+@@ -1090,15 +1097,16 @@ static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr,
+ if (++i == cnt)
+ break;
+ }
+- }
+
+- if (prog_attach_flags) {
+- flags = cgrp->bpf.flags[atype];
++ if (prog_attach_flags) {
++ flags = cgrp->bpf.flags[atype];
+
+- for (i = 0; i < cnt; i++)
+- if (copy_to_user(prog_attach_flags + i, &flags, sizeof(flags)))
+- return -EFAULT;
+- prog_attach_flags += cnt;
++ for (i = 0; i < cnt; i++)
++ if (copy_to_user(prog_attach_flags + i,
++ &flags, sizeof(flags)))
++ return -EFAULT;
++ prog_attach_flags += cnt;
++ }
+ }
+
+ prog_ids += cnt;
+diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
+index 59a217ca2dfd..4eff7fc7ae58 100644
+--- a/tools/include/uapi/linux/bpf.h
++++ b/tools/include/uapi/linux/bpf.h
+@@ -1233,7 +1233,7 @@ enum {
+
+ /* Query effective (directly attached + inherited from ancestor cgroups)
+ * programs that will be executed for events within a cgroup.
+- * attach_flags with this flag are returned only for directly attached programs.
++ * attach_flags with this flag are always returned 0.
+ */
+ #define BPF_F_QUERY_EFFECTIVE (1U << 0)
+
+@@ -1432,7 +1432,10 @@ union bpf_attr {
+ __u32 attach_flags;
+ __aligned_u64 prog_ids;
+ __u32 prog_cnt;
+- __aligned_u64 prog_attach_flags; /* output: per-program attach_flags */
++ /* output: per-program attach_flags.
++ * not allowed to be set during effective query.
++ */
++ __aligned_u64 prog_attach_flags;
+ } query;
+
+ struct { /* anonymous struct used by BPF_RAW_TRACEPOINT_OPEN command */
+--
+2.35.1
+
--- /dev/null
+From 0a983e5a6bc67e1bbe7fe1015434b59acbb470b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Aug 2022 10:15:59 -0700
+Subject: bpf: Cleanup check_refcount_ok
+
+From: Dave Marchevsky <davemarchevsky@fb.com>
+
+[ Upstream commit b2d8ef19c6e7ed71ba5092feb0710063a751834f ]
+
+Discussion around a recently-submitted patch provided historical
+context for check_refcount_ok [0]. Specifically, the function and its
+helpers - may_be_acquire_function and arg_type_may_be_refcounted -
+predate the OBJ_RELEASE type flag and the addition of many more helpers
+with acquire/release semantics.
+
+The purpose of check_refcount_ok is to ensure:
+ 1) Helper doesn't have multiple uses of return reg's ref_obj_id
+ 2) Helper with release semantics only has one arg needing to be
+ released, since that's tracked using meta->ref_obj_id
+
+With current verifier, it's safe to remove check_refcount_ok and its
+helpers. Since addition of OBJ_RELEASE type flag, case 2) has been
+handled by the arg_type_is_release check in check_func_arg. To ensure
+case 1) won't result in verifier silently prioritizing one use of
+ref_obj_id, this patch adds a helper_multiple_ref_obj_use check which
+fails loudly if a helper passes > 1 test for use of ref_obj_id.
+
+ [0]: lore.kernel.org/bpf/20220713234529.4154673-1-davemarchevsky@fb.com
+
+Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Acked-by: Joanne Koong <joannelkoong@gmail.com>
+Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Link: https://lore.kernel.org/r/20220808171559.3251090-1-davemarchevsky@fb.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: 883743422ced ("bpf: Fix ref_obj_id for dynptr data slices in verifier")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 74 +++++++++++++++++--------------------------
+ 1 file changed, 29 insertions(+), 45 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 3eadb14e090b..1141a35216a7 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -467,25 +467,11 @@ static bool type_is_rdonly_mem(u32 type)
+ return type & MEM_RDONLY;
+ }
+
+-static bool arg_type_may_be_refcounted(enum bpf_arg_type type)
+-{
+- return type == ARG_PTR_TO_SOCK_COMMON;
+-}
+-
+ static bool type_may_be_null(u32 type)
+ {
+ return type & PTR_MAYBE_NULL;
+ }
+
+-static bool may_be_acquire_function(enum bpf_func_id func_id)
+-{
+- return func_id == BPF_FUNC_sk_lookup_tcp ||
+- func_id == BPF_FUNC_sk_lookup_udp ||
+- func_id == BPF_FUNC_skc_lookup_tcp ||
+- func_id == BPF_FUNC_map_lookup_elem ||
+- func_id == BPF_FUNC_ringbuf_reserve;
+-}
+-
+ static bool is_acquire_function(enum bpf_func_id func_id,
+ const struct bpf_map *map)
+ {
+@@ -518,6 +504,26 @@ static bool is_ptr_cast_function(enum bpf_func_id func_id)
+ func_id == BPF_FUNC_skc_to_tcp_request_sock;
+ }
+
++static bool is_dynptr_acquire_function(enum bpf_func_id func_id)
++{
++ return func_id == BPF_FUNC_dynptr_data;
++}
++
++static bool helper_multiple_ref_obj_use(enum bpf_func_id func_id,
++ const struct bpf_map *map)
++{
++ int ref_obj_uses = 0;
++
++ if (is_ptr_cast_function(func_id))
++ ref_obj_uses++;
++ if (is_acquire_function(func_id, map))
++ ref_obj_uses++;
++ if (is_dynptr_acquire_function(func_id))
++ ref_obj_uses++;
++
++ return ref_obj_uses > 1;
++}
++
+ static bool is_cmpxchg_insn(const struct bpf_insn *insn)
+ {
+ return BPF_CLASS(insn->code) == BPF_STX &&
+@@ -6456,33 +6462,6 @@ static bool check_arg_pair_ok(const struct bpf_func_proto *fn)
+ return true;
+ }
+
+-static bool check_refcount_ok(const struct bpf_func_proto *fn, int func_id)
+-{
+- int count = 0;
+-
+- if (arg_type_may_be_refcounted(fn->arg1_type))
+- count++;
+- if (arg_type_may_be_refcounted(fn->arg2_type))
+- count++;
+- if (arg_type_may_be_refcounted(fn->arg3_type))
+- count++;
+- if (arg_type_may_be_refcounted(fn->arg4_type))
+- count++;
+- if (arg_type_may_be_refcounted(fn->arg5_type))
+- count++;
+-
+- /* A reference acquiring function cannot acquire
+- * another refcounted ptr.
+- */
+- if (may_be_acquire_function(func_id) && count)
+- return false;
+-
+- /* We only support one arg being unreferenced at the moment,
+- * which is sufficient for the helper functions we have right now.
+- */
+- return count <= 1;
+-}
+-
+ static bool check_btf_id_ok(const struct bpf_func_proto *fn)
+ {
+ int i;
+@@ -6506,8 +6485,7 @@ static int check_func_proto(const struct bpf_func_proto *fn, int func_id,
+ {
+ return check_raw_mode_ok(fn) &&
+ check_arg_pair_ok(fn) &&
+- check_btf_id_ok(fn) &&
+- check_refcount_ok(fn, func_id) ? 0 : -EINVAL;
++ check_btf_id_ok(fn) ? 0 : -EINVAL;
+ }
+
+ /* Packet data might have moved, any old PTR_TO_PACKET[_META,_END]
+@@ -7460,6 +7438,12 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
+ if (type_may_be_null(regs[BPF_REG_0].type))
+ regs[BPF_REG_0].id = ++env->id_gen;
+
++ if (helper_multiple_ref_obj_use(func_id, meta.map_ptr)) {
++ verbose(env, "verifier internal error: func %s#%d sets ref_obj_id more than once\n",
++ func_id_name(func_id), func_id);
++ return -EFAULT;
++ }
++
+ if (is_ptr_cast_function(func_id)) {
+ /* For release_reference() */
+ regs[BPF_REG_0].ref_obj_id = meta.ref_obj_id;
+@@ -7472,10 +7456,10 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
+ regs[BPF_REG_0].id = id;
+ /* For release_reference() */
+ regs[BPF_REG_0].ref_obj_id = id;
+- } else if (func_id == BPF_FUNC_dynptr_data) {
++ } else if (is_dynptr_acquire_function(func_id)) {
+ int dynptr_id = 0, i;
+
+- /* Find the id of the dynptr we're acquiring a reference to */
++ /* Find the id of the dynptr we're tracking the reference of */
+ for (i = 0; i < MAX_BPF_FUNC_REG_ARGS; i++) {
+ if (arg_type_is_dynptr(fn->arg_type[i])) {
+ if (dynptr_id) {
+--
+2.35.1
+
--- /dev/null
+From 6bfab3bfec3c315cf1aa2520d8efa9cddcb4dfca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Aug 2022 12:26:27 +0800
+Subject: bpf: Disable preemption when increasing per-cpu map_locked
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit 2775da21628738ce073a3a6a806adcbaada0f091 ]
+
+Per-cpu htab->map_locked is used to prohibit the concurrent accesses
+from both NMI and non-NMI contexts. But since commit 74d862b682f5
+("sched: Make migrate_disable/enable() independent of RT"),
+migrate_disable() is also preemptible under CONFIG_PREEMPT case, so now
+map_locked also disallows concurrent updates from normal contexts
+(e.g. userspace processes) unexpectedly as shown below:
+
+process A process B
+
+htab_map_update_elem()
+ htab_lock_bucket()
+ migrate_disable()
+ /* return 1 */
+ __this_cpu_inc_return()
+ /* preempted by B */
+
+ htab_map_update_elem()
+ /* the same bucket as A */
+ htab_lock_bucket()
+ migrate_disable()
+ /* return 2, so lock fails */
+ __this_cpu_inc_return()
+ return -EBUSY
+
+A fix that seems feasible is using in_nmi() in htab_lock_bucket() and
+only checking the value of map_locked for nmi context. But it will
+re-introduce dead-lock on bucket lock if htab_lock_bucket() is re-entered
+through non-tracing program (e.g. fentry program).
+
+One cannot use preempt_disable() to fix this issue as htab_use_raw_lock
+being false causes the bucket lock to be a spin lock which can sleep and
+does not work with preempt_disable().
+
+Therefore, use migrate_disable() when using the spinlock instead of
+preempt_disable() and defer fixing concurrent updates to when the kernel
+has its own BPF memory allocator.
+
+Fixes: 74d862b682f5 ("sched: Make migrate_disable/enable() independent of RT")
+Reviewed-by: Hao Luo <haoluo@google.com>
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Link: https://lore.kernel.org/r/20220831042629.130006-2-houtao@huaweicloud.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/hashtab.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
+index 6c530a5e560a..ad09da139589 100644
+--- a/kernel/bpf/hashtab.c
++++ b/kernel/bpf/hashtab.c
+@@ -162,17 +162,25 @@ static inline int htab_lock_bucket(const struct bpf_htab *htab,
+ unsigned long *pflags)
+ {
+ unsigned long flags;
++ bool use_raw_lock;
+
+ hash = hash & HASHTAB_MAP_LOCK_MASK;
+
+- migrate_disable();
++ use_raw_lock = htab_use_raw_lock(htab);
++ if (use_raw_lock)
++ preempt_disable();
++ else
++ migrate_disable();
+ if (unlikely(__this_cpu_inc_return(*(htab->map_locked[hash])) != 1)) {
+ __this_cpu_dec(*(htab->map_locked[hash]));
+- migrate_enable();
++ if (use_raw_lock)
++ preempt_enable();
++ else
++ migrate_enable();
+ return -EBUSY;
+ }
+
+- if (htab_use_raw_lock(htab))
++ if (use_raw_lock)
+ raw_spin_lock_irqsave(&b->raw_lock, flags);
+ else
+ spin_lock_irqsave(&b->lock, flags);
+@@ -185,13 +193,18 @@ static inline void htab_unlock_bucket(const struct bpf_htab *htab,
+ struct bucket *b, u32 hash,
+ unsigned long flags)
+ {
++ bool use_raw_lock = htab_use_raw_lock(htab);
++
+ hash = hash & HASHTAB_MAP_LOCK_MASK;
+- if (htab_use_raw_lock(htab))
++ if (use_raw_lock)
+ raw_spin_unlock_irqrestore(&b->raw_lock, flags);
+ else
+ spin_unlock_irqrestore(&b->lock, flags);
+ __this_cpu_dec(*(htab->map_locked[hash]));
+- migrate_enable();
++ if (use_raw_lock)
++ preempt_enable();
++ else
++ migrate_enable();
+ }
+
+ static bool htab_lru_map_delete_node(void *arg, struct bpf_lru_node *node);
+--
+2.35.1
+
--- /dev/null
+From af5c2d8d48dad29af2b033fa9749012fddab4faa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 14:38:55 +0100
+Subject: bpf: Ensure correct locking around vulnerable function find_vpid()
+
+From: Lee Jones <lee@kernel.org>
+
+[ Upstream commit 83c10cc362d91c0d8d25e60779ee52fdbbf3894d ]
+
+The documentation for find_vpid() clearly states:
+
+ "Must be called with the tasklist_lock or rcu_read_lock() held."
+
+Presently we do neither for find_vpid() instance in bpf_task_fd_query().
+Add proper rcu_read_lock/unlock() to fix the issue.
+
+Fixes: 41bdc4b40ed6f ("bpf: introduce bpf subcommand BPF_TASK_FD_QUERY")
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20220912133855.1218900-1-lee@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/syscall.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index f798acd43a28..22e7a805c672 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -4395,7 +4395,9 @@ static int bpf_task_fd_query(const union bpf_attr *attr,
+ if (attr->task_fd_query.flags != 0)
+ return -EINVAL;
+
++ rcu_read_lock();
+ task = get_pid_task(find_vpid(pid), PIDTYPE_PID);
++ rcu_read_unlock();
+ if (!task)
+ return -ENOENT;
+
+--
+2.35.1
+
--- /dev/null
+From 013ce3fd2e6d3344c1cac5cf64584741629233cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Aug 2022 14:40:54 -0700
+Subject: bpf: Fix ref_obj_id for dynptr data slices in verifier
+
+From: Joanne Koong <joannelkoong@gmail.com>
+
+[ Upstream commit 883743422ced8c961ab05dc63ec81b75a4e56052 ]
+
+When a data slice is obtained from a dynptr (through the bpf_dynptr_data API),
+the ref obj id of the dynptr must be found and then associated with the data
+slice.
+
+The ref obj id of the dynptr must be found *before* the caller saved regs are
+reset. Without this fix, the ref obj id tracking is not correct for
+dynptrs that are at an offset from the frame pointer.
+
+Please also note that the data slice's ref obj id must be assigned after the
+ret types are parsed, since RET_PTR_TO_ALLOC_MEM-type return regs get
+zero-marked.
+
+Fixes: 34d4ef5775f7 ("bpf: Add dynptr data slices")
+Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
+Acked-by: David Vernet <void@manifault.com>
+Link: https://lore.kernel.org/r/20220809214055.4050604-1-joannelkoong@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 38 ++++++++++++++++++++------------------
+ 1 file changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 1141a35216a7..c127585ad429 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -504,7 +504,7 @@ static bool is_ptr_cast_function(enum bpf_func_id func_id)
+ func_id == BPF_FUNC_skc_to_tcp_request_sock;
+ }
+
+-static bool is_dynptr_acquire_function(enum bpf_func_id func_id)
++static bool is_dynptr_ref_function(enum bpf_func_id func_id)
+ {
+ return func_id == BPF_FUNC_dynptr_data;
+ }
+@@ -518,7 +518,7 @@ static bool helper_multiple_ref_obj_use(enum bpf_func_id func_id,
+ ref_obj_uses++;
+ if (is_acquire_function(func_id, map))
+ ref_obj_uses++;
+- if (is_dynptr_acquire_function(func_id))
++ if (is_dynptr_ref_function(func_id))
+ ref_obj_uses++;
+
+ return ref_obj_uses > 1;
+@@ -7322,6 +7322,23 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
+ }
+ }
+ break;
++ case BPF_FUNC_dynptr_data:
++ for (i = 0; i < MAX_BPF_FUNC_REG_ARGS; i++) {
++ if (arg_type_is_dynptr(fn->arg_type[i])) {
++ if (meta.ref_obj_id) {
++ verbose(env, "verifier internal error: meta.ref_obj_id already set\n");
++ return -EFAULT;
++ }
++ /* Find the id of the dynptr we're tracking the reference of */
++ meta.ref_obj_id = stack_slot_get_id(env, ®s[BPF_REG_1 + i]);
++ break;
++ }
++ }
++ if (i == MAX_BPF_FUNC_REG_ARGS) {
++ verbose(env, "verifier internal error: no dynptr in bpf_dynptr_data()\n");
++ return -EFAULT;
++ }
++ break;
+ }
+
+ if (err)
+@@ -7444,7 +7461,7 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
+ return -EFAULT;
+ }
+
+- if (is_ptr_cast_function(func_id)) {
++ if (is_ptr_cast_function(func_id) || is_dynptr_ref_function(func_id)) {
+ /* For release_reference() */
+ regs[BPF_REG_0].ref_obj_id = meta.ref_obj_id;
+ } else if (is_acquire_function(func_id, meta.map_ptr)) {
+@@ -7456,21 +7473,6 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
+ regs[BPF_REG_0].id = id;
+ /* For release_reference() */
+ regs[BPF_REG_0].ref_obj_id = id;
+- } else if (is_dynptr_acquire_function(func_id)) {
+- int dynptr_id = 0, i;
+-
+- /* Find the id of the dynptr we're tracking the reference of */
+- for (i = 0; i < MAX_BPF_FUNC_REG_ARGS; i++) {
+- if (arg_type_is_dynptr(fn->arg_type[i])) {
+- if (dynptr_id) {
+- verbose(env, "verifier internal error: multiple dynptr args in func\n");
+- return -EFAULT;
+- }
+- dynptr_id = stack_slot_get_id(env, ®s[BPF_REG_1 + i]);
+- }
+- }
+- /* For release_reference() */
+- regs[BPF_REG_0].ref_obj_id = dynptr_id;
+ }
+
+ do_refine_retval_range(regs, fn->ret_type, func_id, &meta);
+--
+2.35.1
+
--- /dev/null
+From 84ad2ecdf75728fe7de1a8864cf0e35ecff430e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 03:31:25 +0200
+Subject: bpf: Fix reference state management for synchronous callbacks
+
+From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+
+[ Upstream commit 9d9d00ac29d0ef7ce426964de46fa6b380357d0a ]
+
+Currently, verifier verifies callback functions (sync and async) as if
+they will be executed once, (i.e. it explores execution state as if the
+function was being called once). The next insn to explore is set to
+start of subprog and the exit from nested frame is handled using
+curframe > 0 and prepare_func_exit. In case of async callback it uses a
+customized variant of push_stack simulating a kind of branch to set up
+custom state and execution context for the async callback.
+
+While this approach is simple and works when callback really will be
+executed only once, it is unsafe for all of our current helpers which
+are for_each style, i.e. they execute the callback multiple times.
+
+A callback releasing acquired references of the caller may do so
+multiple times, but currently verifier sees it as one call inside the
+frame, which then returns to caller. Hence, it thinks it released some
+reference that the cb e.g. got access through callback_ctx (register
+filled inside cb from spilled typed register on stack).
+
+Similarly, it may see that an acquire call is unpaired inside the
+callback, so the caller will copy the reference state of callback and
+then will have to release the register with new ref_obj_ids. But again,
+the callback may execute multiple times, but the verifier will only
+account for acquired references for a single symbolic execution of the
+callback, which will cause leaks.
+
+Note that for async callback case, things are different. While currently
+we have bpf_timer_set_callback which only executes it once, even for
+multiple executions it would be safe, as reference state is NULL and
+check_reference_leak would force program to release state before
+BPF_EXIT. The state is also unaffected by analysis for the caller frame.
+Hence async callback is safe.
+
+Since we want the reference state to be accessible, e.g. for pointers
+loaded from stack through callback_ctx's PTR_TO_STACK, we still have to
+copy caller's reference_state to callback's bpf_func_state, but we
+enforce that whatever references it adds to that reference_state has
+been released before it hits BPF_EXIT. This requires introducing a new
+callback_ref member in the reference state to distinguish between caller
+vs callee references. Hence, check_reference_leak now errors out if it
+sees we are in callback_fn and we have not released callback_ref refs.
+Since there can be multiple nested callbacks, like frame 0 -> cb1 -> cb2
+etc. we need to also distinguish between whether this particular ref
+belongs to this callback frame or parent, and only error for our own, so
+we store state->frameno (which is always non-zero for callbacks).
+
+In short, callbacks can read parent reference_state, but cannot mutate
+it, to be able to use pointers acquired by the caller. They must only
+undo their changes (by releasing their own acquired_refs before
+BPF_EXIT) on top of caller reference_state before returning (at which
+point the caller and callback state will match anyway, so no need to
+copy it back to caller).
+
+Fixes: 69c087ba6225 ("bpf: Add bpf_for_each_map_elem() helper")
+Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Link: https://lore.kernel.org/r/20220823013125.24938-1-memxor@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf_verifier.h | 11 ++++++++++
+ kernel/bpf/verifier.c | 42 ++++++++++++++++++++++++++++--------
+ 2 files changed, 44 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
+index 2e3bad8640dc..1fdddbf3546b 100644
+--- a/include/linux/bpf_verifier.h
++++ b/include/linux/bpf_verifier.h
+@@ -212,6 +212,17 @@ struct bpf_reference_state {
+ * is used purely to inform the user of a reference leak.
+ */
+ int insn_idx;
++ /* There can be a case like:
++ * main (frame 0)
++ * cb (frame 1)
++ * func (frame 3)
++ * cb (frame 4)
++ * Hence for frame 4, if callback_ref just stored boolean, it would be
++ * impossible to distinguish nested callback refs. Hence store the
++ * frameno and compare that to callback_ref in check_reference_leak when
++ * exiting a callback function.
++ */
++ int callback_ref;
+ };
+
+ /* state of the program:
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index c127585ad429..8b5ea7f6b536 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -1092,6 +1092,7 @@ static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx)
+ id = ++env->id_gen;
+ state->refs[new_ofs].id = id;
+ state->refs[new_ofs].insn_idx = insn_idx;
++ state->refs[new_ofs].callback_ref = state->in_callback_fn ? state->frameno : 0;
+
+ return id;
+ }
+@@ -1104,6 +1105,9 @@ static int release_reference_state(struct bpf_func_state *state, int ptr_id)
+ last_idx = state->acquired_refs - 1;
+ for (i = 0; i < state->acquired_refs; i++) {
+ if (state->refs[i].id == ptr_id) {
++ /* Cannot release caller references in callbacks */
++ if (state->in_callback_fn && state->refs[i].callback_ref != state->frameno)
++ return -EINVAL;
+ if (last_idx && i != last_idx)
+ memcpy(&state->refs[i], &state->refs[last_idx],
+ sizeof(*state->refs));
+@@ -6919,10 +6923,17 @@ static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx)
+ caller->regs[BPF_REG_0] = *r0;
+ }
+
+- /* Transfer references to the caller */
+- err = copy_reference_state(caller, callee);
+- if (err)
+- return err;
++ /* callback_fn frame should have released its own additions to parent's
++ * reference state at this point, or check_reference_leak would
++ * complain, hence it must be the same as the caller. There is no need
++ * to copy it back.
++ */
++ if (!callee->in_callback_fn) {
++ /* Transfer references to the caller */
++ err = copy_reference_state(caller, callee);
++ if (err)
++ return err;
++ }
+
+ *insn_idx = callee->callsite + 1;
+ if (env->log.level & BPF_LOG_LEVEL) {
+@@ -7044,13 +7055,20 @@ record_func_key(struct bpf_verifier_env *env, struct bpf_call_arg_meta *meta,
+ static int check_reference_leak(struct bpf_verifier_env *env)
+ {
+ struct bpf_func_state *state = cur_func(env);
++ bool refs_lingering = false;
+ int i;
+
++ if (state->frameno && !state->in_callback_fn)
++ return 0;
++
+ for (i = 0; i < state->acquired_refs; i++) {
++ if (state->in_callback_fn && state->refs[i].callback_ref != state->frameno)
++ continue;
+ verbose(env, "Unreleased reference id=%d alloc_insn=%d\n",
+ state->refs[i].id, state->refs[i].insn_idx);
++ refs_lingering = true;
+ }
+- return state->acquired_refs ? -EINVAL : 0;
++ return refs_lingering ? -EINVAL : 0;
+ }
+
+ static int check_bpf_snprintf_call(struct bpf_verifier_env *env,
+@@ -12319,6 +12337,16 @@ static int do_check(struct bpf_verifier_env *env)
+ return -EINVAL;
+ }
+
++ /* We must do check_reference_leak here before
++ * prepare_func_exit to handle the case when
++ * state->curframe > 0, it may be a callback
++ * function, for which reference_state must
++ * match caller reference state when it exits.
++ */
++ err = check_reference_leak(env);
++ if (err)
++ return err;
++
+ if (state->curframe) {
+ /* exit from nested function */
+ err = prepare_func_exit(env, &env->insn_idx);
+@@ -12328,10 +12356,6 @@ static int do_check(struct bpf_verifier_env *env)
+ continue;
+ }
+
+- err = check_reference_leak(env);
+- if (err)
+- return err;
+-
+ err = check_return_code(env);
+ if (err)
+ return err;
+--
+2.35.1
+
--- /dev/null
+From a1759e22e6619a41c2fb5633ab029f208fa23b20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 14:51:26 +0800
+Subject: bpf: Only add BTF IDs for socket security hooks when
+ CONFIG_SECURITY_NETWORK is on
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit ef331a8d4c0061ea4d353cd0db1c9b33fd45f0f2 ]
+
+When CONFIG_SECURITY_NETWORK is disabled, there will be build warnings
+from resolve_btfids:
+
+ WARN: resolve_btfids: unresolved symbol bpf_lsm_socket_socketpair
+ ......
+ WARN: resolve_btfids: unresolved symbol bpf_lsm_inet_conn_established
+
+Fixing it by wrapping these BTF ID definitions by CONFIG_SECURITY_NETWORK.
+
+Fixes: 69fd337a975c ("bpf: per-cgroup lsm flavor")
+Fixes: 9113d7e48e91 ("bpf: expose bpf_{g,s}etsockopt to lsm cgroup")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Link: https://lore.kernel.org/r/20220901065126.3856297-1-houtao@huaweicloud.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/bpf_lsm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
+index fa71d58b7ded..832a0e48a2a1 100644
+--- a/kernel/bpf/bpf_lsm.c
++++ b/kernel/bpf/bpf_lsm.c
+@@ -41,17 +41,21 @@ BTF_SET_END(bpf_lsm_hooks)
+ */
+ BTF_SET_START(bpf_lsm_current_hooks)
+ /* operate on freshly allocated sk without any cgroup association */
++#ifdef CONFIG_SECURITY_NETWORK
+ BTF_ID(func, bpf_lsm_sk_alloc_security)
+ BTF_ID(func, bpf_lsm_sk_free_security)
++#endif
+ BTF_SET_END(bpf_lsm_current_hooks)
+
+ /* List of LSM hooks that trigger while the socket is properly locked.
+ */
+ BTF_SET_START(bpf_lsm_locked_sockopt_hooks)
++#ifdef CONFIG_SECURITY_NETWORK
+ BTF_ID(func, bpf_lsm_socket_sock_rcv_skb)
+ BTF_ID(func, bpf_lsm_sock_graft)
+ BTF_ID(func, bpf_lsm_inet_csk_clone)
+ BTF_ID(func, bpf_lsm_inet_conn_established)
++#endif
+ BTF_SET_END(bpf_lsm_locked_sockopt_hooks)
+
+ /* List of LSM hooks that trigger while the socket is _not_ locked,
+@@ -59,8 +63,10 @@ BTF_SET_END(bpf_lsm_locked_sockopt_hooks)
+ * in the early init phase.
+ */
+ BTF_SET_START(bpf_lsm_unlocked_sockopt_hooks)
++#ifdef CONFIG_SECURITY_NETWORK
+ BTF_ID(func, bpf_lsm_socket_post_create)
+ BTF_ID(func, bpf_lsm_socket_socketpair)
++#endif
+ BTF_SET_END(bpf_lsm_unlocked_sockopt_hooks)
+
+ #ifdef CONFIG_CGROUP_BPF
+--
+2.35.1
+
--- /dev/null
+From 09c8286c845367e43a26a1b54fec7d07bb4054a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Aug 2022 12:26:28 +0800
+Subject: bpf: Propagate error from htab_lock_bucket() to userspace
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit 66a7a92e4d0d091e79148a4c6ec15d1da65f4280 ]
+
+In __htab_map_lookup_and_delete_batch() if htab_lock_bucket() returns
+-EBUSY, it will go to next bucket. Going to next bucket may not only
+skip the elements in current bucket silently, but also incur
+out-of-bound memory access or expose kernel memory to userspace if
+current bucket_cnt is greater than bucket_size or zero.
+
+Fixing it by stopping batch operation and returning -EBUSY when
+htab_lock_bucket() fails, and the application can retry or skip the busy
+batch as needed.
+
+Fixes: 20b6cc34ea74 ("bpf: Avoid hashtab deadlock with map_locked")
+Reported-by: Hao Sun <sunhao.th@gmail.com>
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Link: https://lore.kernel.org/r/20220831042629.130006-3-houtao@huaweicloud.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/hashtab.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
+index ad09da139589..75f77df910dc 100644
+--- a/kernel/bpf/hashtab.c
++++ b/kernel/bpf/hashtab.c
+@@ -1704,8 +1704,11 @@ __htab_map_lookup_and_delete_batch(struct bpf_map *map,
+ /* do not grab the lock unless need it (bucket_cnt > 0). */
+ if (locked) {
+ ret = htab_lock_bucket(htab, b, batch, &flags);
+- if (ret)
+- goto next_batch;
++ if (ret) {
++ rcu_read_unlock();
++ bpf_enable_instrumentation();
++ goto after_loop;
++ }
+ }
+
+ bucket_cnt = 0;
+--
+2.35.1
+
--- /dev/null
+From 31dfaa0450cb1ca003aa18c13d7f124fc90c27ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 11:47:38 -0700
+Subject: bpf: use bpf_prog_pack for bpf_dispatcher
+
+From: Song Liu <song@kernel.org>
+
+[ Upstream commit 19c02415da2345d0dda2b5c4495bc17cc14b18b5 ]
+
+Allocate bpf_dispatcher with bpf_prog_pack_alloc so that bpf_dispatcher
+can share pages with bpf programs.
+
+arch_prepare_bpf_dispatcher() is updated to provide a RW buffer as working
+area for arch code to write to.
+
+This also fixes CPA W^X warnning like:
+
+CPA refuse W^X violation: 8000000000000163 -> 0000000000000163 range: ...
+
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20220926184739.3512547-2-song@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/net/bpf_jit_comp.c | 16 ++++++++--------
+ include/linux/bpf.h | 3 ++-
+ include/linux/filter.h | 5 +++++
+ kernel/bpf/core.c | 9 +++++++--
+ kernel/bpf/dispatcher.c | 27 +++++++++++++++++++++------
+ 5 files changed, 43 insertions(+), 17 deletions(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index c1f6c1c51d99..362562c832e6 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -2209,7 +2209,7 @@ int arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *image, void *i
+ return ret;
+ }
+
+-static int emit_bpf_dispatcher(u8 **pprog, int a, int b, s64 *progs)
++static int emit_bpf_dispatcher(u8 **pprog, int a, int b, s64 *progs, u8 *image, u8 *buf)
+ {
+ u8 *jg_reloc, *prog = *pprog;
+ int pivot, err, jg_bytes = 1;
+@@ -2225,12 +2225,12 @@ static int emit_bpf_dispatcher(u8 **pprog, int a, int b, s64 *progs)
+ EMIT2_off32(0x81, add_1reg(0xF8, BPF_REG_3),
+ progs[a]);
+ err = emit_cond_near_jump(&prog, /* je func */
+- (void *)progs[a], prog,
++ (void *)progs[a], image + (prog - buf),
+ X86_JE);
+ if (err)
+ return err;
+
+- emit_indirect_jump(&prog, 2 /* rdx */, prog);
++ emit_indirect_jump(&prog, 2 /* rdx */, image + (prog - buf));
+
+ *pprog = prog;
+ return 0;
+@@ -2255,7 +2255,7 @@ static int emit_bpf_dispatcher(u8 **pprog, int a, int b, s64 *progs)
+ jg_reloc = prog;
+
+ err = emit_bpf_dispatcher(&prog, a, a + pivot, /* emit lower_part */
+- progs);
++ progs, image, buf);
+ if (err)
+ return err;
+
+@@ -2269,7 +2269,7 @@ static int emit_bpf_dispatcher(u8 **pprog, int a, int b, s64 *progs)
+ emit_code(jg_reloc - jg_bytes, jg_offset, jg_bytes);
+
+ err = emit_bpf_dispatcher(&prog, a + pivot + 1, /* emit upper_part */
+- b, progs);
++ b, progs, image, buf);
+ if (err)
+ return err;
+
+@@ -2289,12 +2289,12 @@ static int cmp_ips(const void *a, const void *b)
+ return 0;
+ }
+
+-int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs)
++int arch_prepare_bpf_dispatcher(void *image, void *buf, s64 *funcs, int num_funcs)
+ {
+- u8 *prog = image;
++ u8 *prog = buf;
+
+ sort(funcs, num_funcs, sizeof(funcs[0]), cmp_ips, NULL);
+- return emit_bpf_dispatcher(&prog, 0, num_funcs - 1, funcs);
++ return emit_bpf_dispatcher(&prog, 0, num_funcs - 1, funcs, image, buf);
+ }
+
+ struct x64_jit_data {
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index 20c26aed7896..80fc8a88c610 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -891,6 +891,7 @@ struct bpf_dispatcher {
+ struct bpf_dispatcher_prog progs[BPF_DISPATCHER_MAX];
+ int num_progs;
+ void *image;
++ void *rw_image;
+ u32 image_off;
+ struct bpf_ksym ksym;
+ };
+@@ -909,7 +910,7 @@ int bpf_trampoline_unlink_prog(struct bpf_tramp_link *link, struct bpf_trampolin
+ struct bpf_trampoline *bpf_trampoline_get(u64 key,
+ struct bpf_attach_target_info *tgt_info);
+ void bpf_trampoline_put(struct bpf_trampoline *tr);
+-int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs);
++int arch_prepare_bpf_dispatcher(void *image, void *buf, s64 *funcs, int num_funcs);
+ #define BPF_DISPATCHER_INIT(_name) { \
+ .mutex = __MUTEX_INITIALIZER(_name.mutex), \
+ .func = &_name##_func, \
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index a5f21dc3c432..f2c47df5ad2a 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -1018,6 +1018,8 @@ extern long bpf_jit_limit_max;
+
+ typedef void (*bpf_jit_fill_hole_t)(void *area, unsigned int size);
+
++void bpf_jit_fill_hole_with_zero(void *area, unsigned int size);
++
+ struct bpf_binary_header *
+ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr,
+ unsigned int alignment,
+@@ -1030,6 +1032,9 @@ void bpf_jit_free(struct bpf_prog *fp);
+ struct bpf_binary_header *
+ bpf_jit_binary_pack_hdr(const struct bpf_prog *fp);
+
++void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns);
++void bpf_prog_pack_free(struct bpf_binary_header *hdr);
++
+ static inline bool bpf_prog_kallsyms_verify_off(const struct bpf_prog *fp)
+ {
+ return list_empty(&fp->aux->ksym.lnode) ||
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 3d9eb3ae334c..c4600a5781de 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -825,6 +825,11 @@ struct bpf_prog_pack {
+ unsigned long bitmap[];
+ };
+
++void bpf_jit_fill_hole_with_zero(void *area, unsigned int size)
++{
++ memset(area, 0, size);
++}
++
+ #define BPF_PROG_SIZE_TO_NBITS(size) (round_up(size, BPF_PROG_CHUNK_SIZE) / BPF_PROG_CHUNK_SIZE)
+
+ static DEFINE_MUTEX(pack_mutex);
+@@ -864,7 +869,7 @@ static struct bpf_prog_pack *alloc_new_pack(bpf_jit_fill_hole_t bpf_fill_ill_ins
+ return pack;
+ }
+
+-static void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns)
++void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns)
+ {
+ unsigned int nbits = BPF_PROG_SIZE_TO_NBITS(size);
+ struct bpf_prog_pack *pack;
+@@ -905,7 +910,7 @@ static void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insn
+ return ptr;
+ }
+
+-static void bpf_prog_pack_free(struct bpf_binary_header *hdr)
++void bpf_prog_pack_free(struct bpf_binary_header *hdr)
+ {
+ struct bpf_prog_pack *pack = NULL, *tmp;
+ unsigned int nbits;
+diff --git a/kernel/bpf/dispatcher.c b/kernel/bpf/dispatcher.c
+index 2444bd15cc2d..fa64b80b8bca 100644
+--- a/kernel/bpf/dispatcher.c
++++ b/kernel/bpf/dispatcher.c
+@@ -85,12 +85,12 @@ static bool bpf_dispatcher_remove_prog(struct bpf_dispatcher *d,
+ return false;
+ }
+
+-int __weak arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs)
++int __weak arch_prepare_bpf_dispatcher(void *image, void *buf, s64 *funcs, int num_funcs)
+ {
+ return -ENOTSUPP;
+ }
+
+-static int bpf_dispatcher_prepare(struct bpf_dispatcher *d, void *image)
++static int bpf_dispatcher_prepare(struct bpf_dispatcher *d, void *image, void *buf)
+ {
+ s64 ips[BPF_DISPATCHER_MAX] = {}, *ipsp = &ips[0];
+ int i;
+@@ -99,12 +99,12 @@ static int bpf_dispatcher_prepare(struct bpf_dispatcher *d, void *image)
+ if (d->progs[i].prog)
+ *ipsp++ = (s64)(uintptr_t)d->progs[i].prog->bpf_func;
+ }
+- return arch_prepare_bpf_dispatcher(image, &ips[0], d->num_progs);
++ return arch_prepare_bpf_dispatcher(image, buf, &ips[0], d->num_progs);
+ }
+
+ static void bpf_dispatcher_update(struct bpf_dispatcher *d, int prev_num_progs)
+ {
+- void *old, *new;
++ void *old, *new, *tmp;
+ u32 noff;
+ int err;
+
+@@ -117,8 +117,14 @@ static void bpf_dispatcher_update(struct bpf_dispatcher *d, int prev_num_progs)
+ }
+
+ new = d->num_progs ? d->image + noff : NULL;
++ tmp = d->num_progs ? d->rw_image + noff : NULL;
+ if (new) {
+- if (bpf_dispatcher_prepare(d, new))
++ /* Prepare the dispatcher in d->rw_image. Then use
++ * bpf_arch_text_copy to update d->image, which is RO+X.
++ */
++ if (bpf_dispatcher_prepare(d, new, tmp))
++ return;
++ if (IS_ERR(bpf_arch_text_copy(new, tmp, PAGE_SIZE / 2)))
+ return;
+ }
+
+@@ -140,9 +146,18 @@ void bpf_dispatcher_change_prog(struct bpf_dispatcher *d, struct bpf_prog *from,
+
+ mutex_lock(&d->mutex);
+ if (!d->image) {
+- d->image = bpf_jit_alloc_exec_page();
++ d->image = bpf_prog_pack_alloc(PAGE_SIZE, bpf_jit_fill_hole_with_zero);
+ if (!d->image)
+ goto out;
++ d->rw_image = bpf_jit_alloc_exec(PAGE_SIZE);
++ if (!d->rw_image) {
++ u32 size = PAGE_SIZE;
++
++ bpf_arch_text_copy(d->image, &size, sizeof(size));
++ bpf_prog_pack_free((struct bpf_binary_header *)d->image);
++ d->image = NULL;
++ goto out;
++ }
+ bpf_image_ksym_add(d->image, &d->ksym);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 035d9e3789948241710c528cc074f8fa0380ccbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 14:19:35 +0800
+Subject: bpf: Use this_cpu_{inc|dec|inc_return} for bpf_task_storage_busy
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit 197827a05e13808c60f52632e9887eede63f1c16 ]
+
+Now migrate_disable() does not disable preemption and under some
+architectures (e.g. arm64) __this_cpu_{inc|dec|inc_return} are neither
+preemption-safe nor IRQ-safe, so for fully preemptible kernel concurrent
+lookups or updates on the same task local storage and on the same CPU
+may make bpf_task_storage_busy be imbalanced, and
+bpf_task_storage_trylock() on the specific cpu will always fail.
+
+Fixing it by using this_cpu_{inc|dec|inc_return} when manipulating
+bpf_task_storage_busy.
+
+Fixes: bc235cdb423a ("bpf: Prevent deadlock from recursive bpf_task_storage_[get|delete]")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/r/20220901061938.3789460-2-houtao@huaweicloud.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/bpf_local_storage.c | 4 ++--
+ kernel/bpf/bpf_task_storage.c | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/bpf/bpf_local_storage.c b/kernel/bpf/bpf_local_storage.c
+index 8ce40fd869f6..d13ffb00e981 100644
+--- a/kernel/bpf/bpf_local_storage.c
++++ b/kernel/bpf/bpf_local_storage.c
+@@ -555,11 +555,11 @@ void bpf_local_storage_map_free(struct bpf_local_storage_map *smap,
+ struct bpf_local_storage_elem, map_node))) {
+ if (busy_counter) {
+ migrate_disable();
+- __this_cpu_inc(*busy_counter);
++ this_cpu_inc(*busy_counter);
+ }
+ bpf_selem_unlink(selem, false);
+ if (busy_counter) {
+- __this_cpu_dec(*busy_counter);
++ this_cpu_dec(*busy_counter);
+ migrate_enable();
+ }
+ cond_resched_rcu();
+diff --git a/kernel/bpf/bpf_task_storage.c b/kernel/bpf/bpf_task_storage.c
+index e9014dc62682..6f290623347e 100644
+--- a/kernel/bpf/bpf_task_storage.c
++++ b/kernel/bpf/bpf_task_storage.c
+@@ -26,20 +26,20 @@ static DEFINE_PER_CPU(int, bpf_task_storage_busy);
+ static void bpf_task_storage_lock(void)
+ {
+ migrate_disable();
+- __this_cpu_inc(bpf_task_storage_busy);
++ this_cpu_inc(bpf_task_storage_busy);
+ }
+
+ static void bpf_task_storage_unlock(void)
+ {
+- __this_cpu_dec(bpf_task_storage_busy);
++ this_cpu_dec(bpf_task_storage_busy);
+ migrate_enable();
+ }
+
+ static bool bpf_task_storage_trylock(void)
+ {
+ migrate_disable();
+- if (unlikely(__this_cpu_inc_return(bpf_task_storage_busy) != 1)) {
+- __this_cpu_dec(bpf_task_storage_busy);
++ if (unlikely(this_cpu_inc_return(bpf_task_storage_busy) != 1)) {
++ this_cpu_dec(bpf_task_storage_busy);
+ migrate_enable();
+ return false;
+ }
+--
+2.35.1
+
--- /dev/null
+From cf872db648af62b52d089e90cfaa9be5d7c308e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 14:19:36 +0800
+Subject: bpf: Use this_cpu_{inc_return|dec} for prog->active
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit c89e843a11f1075d27684f6b42256213e4592383 ]
+
+Both __this_cpu_inc_return() and __this_cpu_dec() are not preemption
+safe and now migrate_disable() doesn't disable preemption, so the update
+of prog-active is not atomic and in theory under fully preemptible kernel
+recurisve prevention may do not work.
+
+Fixing by using the preemption-safe and IRQ-safe variants.
+
+Fixes: ca06f55b9002 ("bpf: Add per-program recursion prevention mechanism")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/r/20220901061938.3789460-3-houtao@huaweicloud.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/trampoline.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
+index ff87e38af8a7..ad76940b02cc 100644
+--- a/kernel/bpf/trampoline.c
++++ b/kernel/bpf/trampoline.c
+@@ -895,7 +895,7 @@ u64 notrace __bpf_prog_enter(struct bpf_prog *prog, struct bpf_tramp_run_ctx *ru
+
+ run_ctx->saved_run_ctx = bpf_set_run_ctx(&run_ctx->run_ctx);
+
+- if (unlikely(__this_cpu_inc_return(*(prog->active)) != 1)) {
++ if (unlikely(this_cpu_inc_return(*(prog->active)) != 1)) {
+ inc_misses_counter(prog);
+ return 0;
+ }
+@@ -930,7 +930,7 @@ void notrace __bpf_prog_exit(struct bpf_prog *prog, u64 start, struct bpf_tramp_
+ bpf_reset_run_ctx(run_ctx->saved_run_ctx);
+
+ update_prog_stats(prog, start);
+- __this_cpu_dec(*(prog->active));
++ this_cpu_dec(*(prog->active));
+ migrate_enable();
+ rcu_read_unlock();
+ }
+@@ -966,7 +966,7 @@ u64 notrace __bpf_prog_enter_sleepable(struct bpf_prog *prog, struct bpf_tramp_r
+ migrate_disable();
+ might_fault();
+
+- if (unlikely(__this_cpu_inc_return(*(prog->active)) != 1)) {
++ if (unlikely(this_cpu_inc_return(*(prog->active)) != 1)) {
+ inc_misses_counter(prog);
+ return 0;
+ }
+@@ -982,7 +982,7 @@ void notrace __bpf_prog_exit_sleepable(struct bpf_prog *prog, u64 start,
+ bpf_reset_run_ctx(run_ctx->saved_run_ctx);
+
+ update_prog_stats(prog, start);
+- __this_cpu_dec(*(prog->active));
++ this_cpu_dec(*(prog->active));
+ migrate_enable();
+ rcu_read_unlock_trace();
+ }
+--
+2.35.1
+
--- /dev/null
+From 8f1ca494b2820789d8209750ac06e6e47ea071f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Aug 2022 17:22:05 +0100
+Subject: bpftool: Clear errno after libcap's checks
+
+From: Quentin Monnet <quentin@isovalent.com>
+
+[ Upstream commit cea558855c39b7f1f02ff50dcf701ca6596bc964 ]
+
+When bpftool is linked against libcap, the library runs a "constructor"
+function to compute the number of capabilities of the running kernel
+[0], at the beginning of the execution of the program. As part of this,
+it performs multiple calls to prctl(). Some of these may fail, and set
+errno to a non-zero value:
+
+ # strace -e prctl ./bpftool version
+ prctl(PR_CAPBSET_READ, CAP_MAC_OVERRIDE) = 1
+ prctl(PR_CAPBSET_READ, 0x30 /* CAP_??? */) = -1 EINVAL (Invalid argument)
+ prctl(PR_CAPBSET_READ, CAP_CHECKPOINT_RESTORE) = 1
+ prctl(PR_CAPBSET_READ, 0x2c /* CAP_??? */) = -1 EINVAL (Invalid argument)
+ prctl(PR_CAPBSET_READ, 0x2a /* CAP_??? */) = -1 EINVAL (Invalid argument)
+ prctl(PR_CAPBSET_READ, 0x29 /* CAP_??? */) = -1 EINVAL (Invalid argument)
+ ** fprintf added at the top of main(): we have errno == 1
+ ./bpftool v7.0.0
+ using libbpf v1.0
+ features: libbfd, libbpf_strict, skeletons
+ +++ exited with 0 +++
+
+This has been addressed in libcap 2.63 [1], but until this version is
+available everywhere, we can fix it on bpftool side.
+
+Let's clean errno at the beginning of the main() function, to make sure
+that these checks do not interfere with the batch mode, where we error
+out if errno is set after a bpftool command.
+
+ [0] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/tree/libcap/cap_alloc.c?h=libcap-2.65#n20
+ [1] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=f25a1b7e69f7b33e6afb58b3e38f3450b7d2d9a0
+
+Signed-off-by: Quentin Monnet <quentin@isovalent.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20220815162205.45043-1-quentin@isovalent.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/tools/bpf/bpftool/main.c b/tools/bpf/bpftool/main.c
+index 451cefc2d0da..ccd7457f92bf 100644
+--- a/tools/bpf/bpftool/main.c
++++ b/tools/bpf/bpftool/main.c
+@@ -435,6 +435,16 @@ int main(int argc, char **argv)
+
+ setlinebuf(stdout);
+
++#ifdef USE_LIBCAP
++ /* Libcap < 2.63 hooks before main() to compute the number of
++ * capabilities of the running kernel, and doing so it calls prctl()
++ * which may fail and set errno to non-zero.
++ * Let's reset errno to make sure this does not interfere with the
++ * batch mode.
++ */
++ errno = 0;
++#endif
++
+ last_do_help = do_help;
+ pretty_output = false;
+ json_output = false;
+--
+2.35.1
+
--- /dev/null
+From 63148473cd74cb94edf7dd6e8c7fd42f3f911bed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Aug 2022 15:59:00 -0700
+Subject: bpftool: Fix a wrong type cast in btf_dumper_int
+
+From: Lam Thai <lamthai@arista.com>
+
+[ Upstream commit 7184aef9c0f7a81db8fd18d183ee42481d89bf35 ]
+
+When `data` points to a boolean value, casting it to `int *` is problematic
+and could lead to a wrong value being passed to `jsonw_bool`. Change the
+cast to `bool *` instead.
+
+Fixes: b12d6ec09730 ("bpf: btf: add btf print functionality")
+Signed-off-by: Lam Thai <lamthai@arista.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Quentin Monnet <quentin@isovalent.com>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20220824225859.9038-1-lamthai@arista.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/btf_dumper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/bpf/bpftool/btf_dumper.c b/tools/bpf/bpftool/btf_dumper.c
+index 125798b0bc5d..19924b6ce796 100644
+--- a/tools/bpf/bpftool/btf_dumper.c
++++ b/tools/bpf/bpftool/btf_dumper.c
+@@ -452,7 +452,7 @@ static int btf_dumper_int(const struct btf_type *t, __u8 bit_offset,
+ *(char *)data);
+ break;
+ case BTF_INT_BOOL:
+- jsonw_bool(jw, *(int *)data);
++ jsonw_bool(jw, *(bool *)data);
+ break;
+ default:
+ /* shouldn't happen */
+--
+2.35.1
+
--- /dev/null
+From 79117e1487587553c159b0e2629da8c50066ebc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 10:46:03 +0000
+Subject: bpftool: Fix wrong cgroup attach flags being assigned to effective
+ progs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pu Lehui <pulehui@huawei.com>
+
+[ Upstream commit bdcee1b0b0834d031c76a12209840afe949b048a ]
+
+When root-cgroup attach multi progs and sub-cgroup attach a override prog,
+bpftool will display incorrectly for the attach flags of the sub-cgroup’s
+effective progs:
+
+$ bpftool cgroup tree /sys/fs/cgroup effective
+CgroupPath
+ID AttachType AttachFlags Name
+/sys/fs/cgroup
+6 cgroup_sysctl multi sysctl_tcp_mem
+13 cgroup_sysctl multi sysctl_tcp_mem
+/sys/fs/cgroup/cg1
+20 cgroup_sysctl override sysctl_tcp_mem
+6 cgroup_sysctl override sysctl_tcp_mem <- wrong
+13 cgroup_sysctl override sysctl_tcp_mem <- wrong
+/sys/fs/cgroup/cg1/cg2
+20 cgroup_sysctl sysctl_tcp_mem
+6 cgroup_sysctl sysctl_tcp_mem
+13 cgroup_sysctl sysctl_tcp_mem
+
+Attach flags is only valid for attached progs of this layer cgroup,
+but not for effective progs. For querying with EFFECTIVE flags,
+exporting attach flags does not make sense. So let's remove the
+AttachFlags field and the associated logic. After this patch, the
+above effective cgroup tree will show as bellow:
+
+$ bpftool cgroup tree /sys/fs/cgroup effective
+CgroupPath
+ID AttachType Name
+/sys/fs/cgroup
+6 cgroup_sysctl sysctl_tcp_mem
+13 cgroup_sysctl sysctl_tcp_mem
+/sys/fs/cgroup/cg1
+20 cgroup_sysctl sysctl_tcp_mem
+6 cgroup_sysctl sysctl_tcp_mem
+13 cgroup_sysctl sysctl_tcp_mem
+/sys/fs/cgroup/cg1/cg2
+20 cgroup_sysctl sysctl_tcp_mem
+6 cgroup_sysctl sysctl_tcp_mem
+13 cgroup_sysctl sysctl_tcp_mem
+
+Fixes: b79c9fc9551b ("bpf: implement BPF_PROG_QUERY for BPF_LSM_CGROUP")
+Fixes: a98bf57391a2 ("tools: bpftool: add support for reporting the effective cgroup progs")
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Link: https://lore.kernel.org/r/20220921104604.2340580-3-pulehui@huaweicloud.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/cgroup.c | 54 ++++++++++++++++++++++++++++++++++----
+ 1 file changed, 49 insertions(+), 5 deletions(-)
+
+diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
+index cced668fb2a3..b46a998d8f8d 100644
+--- a/tools/bpf/bpftool/cgroup.c
++++ b/tools/bpf/bpftool/cgroup.c
+@@ -136,8 +136,8 @@ static int show_bpf_prog(int id, enum bpf_attach_type attach_type,
+ jsonw_string_field(json_wtr, "attach_type", attach_type_str);
+ else
+ jsonw_uint_field(json_wtr, "attach_type", attach_type);
+- jsonw_string_field(json_wtr, "attach_flags",
+- attach_flags_str);
++ if (!(query_flags & BPF_F_QUERY_EFFECTIVE))
++ jsonw_string_field(json_wtr, "attach_flags", attach_flags_str);
+ jsonw_string_field(json_wtr, "name", prog_name);
+ if (attach_btf_name)
+ jsonw_string_field(json_wtr, "attach_btf_name", attach_btf_name);
+@@ -150,7 +150,10 @@ static int show_bpf_prog(int id, enum bpf_attach_type attach_type,
+ printf("%-15s", attach_type_str);
+ else
+ printf("type %-10u", attach_type);
+- printf(" %-15s %-15s", attach_flags_str, prog_name);
++ if (query_flags & BPF_F_QUERY_EFFECTIVE)
++ printf(" %-15s", prog_name);
++ else
++ printf(" %-15s %-15s", attach_flags_str, prog_name);
+ if (attach_btf_name)
+ printf(" %-15s", attach_btf_name);
+ else if (info.attach_btf_id)
+@@ -195,6 +198,32 @@ static int cgroup_has_attached_progs(int cgroup_fd)
+
+ return no_prog ? 0 : 1;
+ }
++
++static int show_effective_bpf_progs(int cgroup_fd, enum bpf_attach_type type,
++ int level)
++{
++ LIBBPF_OPTS(bpf_prog_query_opts, p);
++ __u32 prog_ids[1024] = {0};
++ __u32 iter;
++ int ret;
++
++ p.query_flags = query_flags;
++ p.prog_cnt = ARRAY_SIZE(prog_ids);
++ p.prog_ids = prog_ids;
++
++ ret = bpf_prog_query_opts(cgroup_fd, type, &p);
++ if (ret)
++ return ret;
++
++ if (p.prog_cnt == 0)
++ return 0;
++
++ for (iter = 0; iter < p.prog_cnt; iter++)
++ show_bpf_prog(prog_ids[iter], type, NULL, level);
++
++ return 0;
++}
++
+ static int show_attached_bpf_progs(int cgroup_fd, enum bpf_attach_type type,
+ int level)
+ {
+@@ -245,6 +274,14 @@ static int show_attached_bpf_progs(int cgroup_fd, enum bpf_attach_type type,
+ return 0;
+ }
+
++static int show_bpf_progs(int cgroup_fd, enum bpf_attach_type type,
++ int level)
++{
++ return query_flags & BPF_F_QUERY_EFFECTIVE ?
++ show_effective_bpf_progs(cgroup_fd, type, level) :
++ show_attached_bpf_progs(cgroup_fd, type, level);
++}
++
+ static int do_show(int argc, char **argv)
+ {
+ enum bpf_attach_type type;
+@@ -292,6 +329,8 @@ static int do_show(int argc, char **argv)
+
+ if (json_output)
+ jsonw_start_array(json_wtr);
++ else if (query_flags & BPF_F_QUERY_EFFECTIVE)
++ printf("%-8s %-15s %-15s\n", "ID", "AttachType", "Name");
+ else
+ printf("%-8s %-15s %-15s %-15s\n", "ID", "AttachType",
+ "AttachFlags", "Name");
+@@ -304,7 +343,7 @@ static int do_show(int argc, char **argv)
+ * If we were able to get the show for at least one
+ * attach type, let's return 0.
+ */
+- if (show_attached_bpf_progs(cgroup_fd, type, 0) == 0)
++ if (show_bpf_progs(cgroup_fd, type, 0) == 0)
+ ret = 0;
+ }
+
+@@ -362,7 +401,7 @@ static int do_show_tree_fn(const char *fpath, const struct stat *sb,
+
+ btf_vmlinux = libbpf_find_kernel_btf();
+ for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++)
+- show_attached_bpf_progs(cgroup_fd, type, ftw->level);
++ show_bpf_progs(cgroup_fd, type, ftw->level);
+
+ if (errno == EINVAL)
+ /* Last attach type does not support query.
+@@ -436,6 +475,11 @@ static int do_show_tree(int argc, char **argv)
+
+ if (json_output)
+ jsonw_start_array(json_wtr);
++ else if (query_flags & BPF_F_QUERY_EFFECTIVE)
++ printf("%s\n"
++ "%-8s %-15s %-15s\n",
++ "CgroupPath",
++ "ID", "AttachType", "Name");
+ else
+ printf("%s\n"
+ "%-8s %-15s %-15s %-15s\n",
+--
+2.35.1
+
--- /dev/null
+From 1d1a3f9298043318b9ce0d9ef5bba16c97e97c8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Sep 2022 18:32:23 +0200
+Subject: btrfs: add KCSAN annotations for unlocked access to block_rsv->full
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 748f553c3c4c4f175c6c834358632aff802d72cf ]
+
+KCSAN reports that there's unlocked access mixed with locked access,
+which is technically correct but is not a bug. To avoid false alerts at
+least from KCSAN, add annotation and use a wrapper whenever ->full is
+accessed for read outside of lock.
+
+It is used as a fast check and only advisory. In the worst case the
+block reserve is found !full and becomes full in the meantime, but
+properly handled.
+
+Depending on the value of ->full, btrfs_block_rsv_release decides
+where to return the reservation, and block_rsv_release_bytes handles a
+NULL pointer for block_rsv and if it's not NULL then it double checks
+the full status under a lock.
+
+Link: https://lore.kernel.org/linux-btrfs/CAAwBoOJDjei5Hnem155N_cJwiEkVwJYvgN-tQrwWbZQGhFU=cA@mail.gmail.com/
+Link: https://lore.kernel.org/linux-btrfs/YvHU/vsXd7uz5V6j@hungrycats.org
+Reported-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/block-rsv.c | 2 +-
+ fs/btrfs/block-rsv.h | 9 +++++++++
+ fs/btrfs/transaction.c | 4 ++--
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/block-rsv.c b/fs/btrfs/block-rsv.c
+index 06be0644dd37..046caf14a4bb 100644
+--- a/fs/btrfs/block-rsv.c
++++ b/fs/btrfs/block-rsv.c
+@@ -286,7 +286,7 @@ u64 btrfs_block_rsv_release(struct btrfs_fs_info *fs_info,
+ */
+ if (block_rsv == delayed_rsv)
+ target = global_rsv;
+- else if (block_rsv != global_rsv && !delayed_rsv->full)
++ else if (block_rsv != global_rsv && !btrfs_block_rsv_full(delayed_rsv))
+ target = delayed_rsv;
+
+ if (target && block_rsv->space_info != target->space_info)
+diff --git a/fs/btrfs/block-rsv.h b/fs/btrfs/block-rsv.h
+index 0c183709be00..578c3497a455 100644
+--- a/fs/btrfs/block-rsv.h
++++ b/fs/btrfs/block-rsv.h
+@@ -92,4 +92,13 @@ static inline void btrfs_unuse_block_rsv(struct btrfs_fs_info *fs_info,
+ btrfs_block_rsv_release(fs_info, block_rsv, 0, NULL);
+ }
+
++/*
++ * Fast path to check if the reserve is full, may be carefully used outside of
++ * locks.
++ */
++static inline bool btrfs_block_rsv_full(const struct btrfs_block_rsv *rsv)
++{
++ return data_race(rsv->full);
++}
++
+ #endif /* BTRFS_BLOCK_RSV_H */
+diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
+index 6e3b2cb6a04a..255b0c0e1674 100644
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -635,7 +635,7 @@ start_transaction(struct btrfs_root *root, unsigned int num_items,
+ */
+ num_bytes = btrfs_calc_insert_metadata_size(fs_info, num_items);
+ if (flush == BTRFS_RESERVE_FLUSH_ALL &&
+- delayed_refs_rsv->full == 0) {
++ btrfs_block_rsv_full(delayed_refs_rsv) == 0) {
+ delayed_refs_bytes = num_bytes;
+ num_bytes <<= 1;
+ }
+@@ -660,7 +660,7 @@ start_transaction(struct btrfs_root *root, unsigned int num_items,
+ if (rsv->space_info->force_alloc)
+ do_chunk_alloc = true;
+ } else if (num_items == 0 && flush == BTRFS_RESERVE_FLUSH_ALL &&
+- !delayed_refs_rsv->full) {
++ !btrfs_block_rsv_full(delayed_refs_rsv)) {
+ /*
+ * Some people call with btrfs_start_transaction(root, 0)
+ * because they can be throttled, but have some other mechanism
+--
+2.35.1
+
--- /dev/null
+From cfca5f04b3bb29b3a74ff00154aacebe440602ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jul 2022 15:11:50 -0700
+Subject: btrfs: add lockdep annotations for num_extwriters wait event
+
+From: Ioannis Angelakopoulos <iangelak@fb.com>
+
+[ Upstream commit 5a9ba6709f13313984900d635b4c73c9eb7d644e ]
+
+Similarly to the num_writers wait event in fs/btrfs/transaction.c add a
+lockdep annotation for the num_extwriters wait event.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Ioannis Angelakopoulos <iangelak@fb.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.h | 1 +
+ fs/btrfs/disk-io.c | 1 +
+ fs/btrfs/transaction.c | 13 +++++++++++++
+ 3 files changed, 15 insertions(+)
+
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index 707e644bab92..e886cf639c0f 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -1097,6 +1097,7 @@ struct btrfs_fs_info {
+ * compiled without lockdep).
+ */
+ struct lockdep_map btrfs_trans_num_writers_map;
++ struct lockdep_map btrfs_trans_num_extwriters_map;
+
+ #ifdef CONFIG_BTRFS_FS_REF_VERIFY
+ spinlock_t ref_verify_lock;
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index a04b32f7df9d..811d743e26e6 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -2991,6 +2991,7 @@ void btrfs_init_fs_info(struct btrfs_fs_info *fs_info)
+ seqlock_init(&fs_info->profiles_lock);
+
+ btrfs_lockdep_init_map(fs_info, btrfs_trans_num_writers);
++ btrfs_lockdep_init_map(fs_info, btrfs_trans_num_extwriters);
+
+ INIT_LIST_HEAD(&fs_info->dirty_cowonly_roots);
+ INIT_LIST_HEAD(&fs_info->space_info);
+diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
+index b3cb54d852f8..44e47db4c8e8 100644
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -314,6 +314,7 @@ static noinline int join_transaction(struct btrfs_fs_info *fs_info,
+ extwriter_counter_inc(cur_trans, type);
+ spin_unlock(&fs_info->trans_lock);
+ btrfs_lockdep_acquire(fs_info, btrfs_trans_num_writers);
++ btrfs_lockdep_acquire(fs_info, btrfs_trans_num_extwriters);
+ return 0;
+ }
+ spin_unlock(&fs_info->trans_lock);
+@@ -336,6 +337,7 @@ static noinline int join_transaction(struct btrfs_fs_info *fs_info,
+ return -ENOMEM;
+
+ btrfs_lockdep_acquire(fs_info, btrfs_trans_num_writers);
++ btrfs_lockdep_acquire(fs_info, btrfs_trans_num_extwriters);
+
+ spin_lock(&fs_info->trans_lock);
+ if (fs_info->running_transaction) {
+@@ -343,11 +345,13 @@ static noinline int join_transaction(struct btrfs_fs_info *fs_info,
+ * someone started a transaction after we unlocked. Make sure
+ * to redo the checks above
+ */
++ btrfs_lockdep_release(fs_info, btrfs_trans_num_extwriters);
+ btrfs_lockdep_release(fs_info, btrfs_trans_num_writers);
+ kfree(cur_trans);
+ goto loop;
+ } else if (BTRFS_FS_ERROR(fs_info)) {
+ spin_unlock(&fs_info->trans_lock);
++ btrfs_lockdep_release(fs_info, btrfs_trans_num_extwriters);
+ btrfs_lockdep_release(fs_info, btrfs_trans_num_writers);
+ kfree(cur_trans);
+ return -EROFS;
+@@ -1028,6 +1032,7 @@ static int __btrfs_end_transaction(struct btrfs_trans_handle *trans,
+
+ cond_wake_up(&cur_trans->writer_wait);
+
++ btrfs_lockdep_release(info, btrfs_trans_num_extwriters);
+ btrfs_lockdep_release(info, btrfs_trans_num_writers);
+
+ btrfs_put_transaction(cur_trans);
+@@ -2270,6 +2275,13 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+ if (ret)
+ goto lockdep_release;
+
++ /*
++ * The thread has started/joined the transaction thus it holds the
++ * lockdep map as a reader. It has to release it before acquiring the
++ * lockdep map as a writer.
++ */
++ btrfs_lockdep_release(fs_info, btrfs_trans_num_extwriters);
++ btrfs_might_wait_for_event(fs_info, btrfs_trans_num_extwriters);
+ wait_event(cur_trans->writer_wait,
+ extwriter_counter_read(cur_trans) == 0);
+
+@@ -2541,6 +2553,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+ return ret;
+
+ lockdep_release:
++ btrfs_lockdep_release(fs_info, btrfs_trans_num_extwriters);
+ btrfs_lockdep_release(fs_info, btrfs_trans_num_writers);
+ goto cleanup_transaction;
+ }
+--
+2.35.1
+
--- /dev/null
+From 4c3eac5e35f1d4118988475c65fddc92b7dced27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jul 2022 15:11:48 -0700
+Subject: btrfs: add lockdep annotations for num_writers wait event
+
+From: Ioannis Angelakopoulos <iangelak@fb.com>
+
+[ Upstream commit e1489b4fe6045a79a5e9c658eed65311977e230a ]
+
+Annotate the num_writers wait event in fs/btrfs/transaction.c with
+lockdep in order to catch deadlocks involving this wait event.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Ioannis Angelakopoulos <iangelak@fb.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.h | 6 ++++++
+ fs/btrfs/disk-io.c | 2 ++
+ fs/btrfs/transaction.c | 38 +++++++++++++++++++++++++++++++++-----
+ 3 files changed, 41 insertions(+), 5 deletions(-)
+
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index dfeb7174219e..707e644bab92 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -1092,6 +1092,12 @@ struct btrfs_fs_info {
+ /* Updates are not protected by any lock */
+ struct btrfs_commit_stats commit_stats;
+
++ /*
++ * Annotations for transaction events (structures are empty when
++ * compiled without lockdep).
++ */
++ struct lockdep_map btrfs_trans_num_writers_map;
++
+ #ifdef CONFIG_BTRFS_FS_REF_VERIFY
+ spinlock_t ref_verify_lock;
+ struct rb_root block_tree;
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index 2633137c3e9f..a04b32f7df9d 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -2990,6 +2990,8 @@ void btrfs_init_fs_info(struct btrfs_fs_info *fs_info)
+ mutex_init(&fs_info->zoned_data_reloc_io_lock);
+ seqlock_init(&fs_info->profiles_lock);
+
++ btrfs_lockdep_init_map(fs_info, btrfs_trans_num_writers);
++
+ INIT_LIST_HEAD(&fs_info->dirty_cowonly_roots);
+ INIT_LIST_HEAD(&fs_info->space_info);
+ INIT_LIST_HEAD(&fs_info->tree_mod_seq_list);
+diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
+index 0bec10740ad3..b3cb54d852f8 100644
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -313,6 +313,7 @@ static noinline int join_transaction(struct btrfs_fs_info *fs_info,
+ atomic_inc(&cur_trans->num_writers);
+ extwriter_counter_inc(cur_trans, type);
+ spin_unlock(&fs_info->trans_lock);
++ btrfs_lockdep_acquire(fs_info, btrfs_trans_num_writers);
+ return 0;
+ }
+ spin_unlock(&fs_info->trans_lock);
+@@ -334,16 +335,20 @@ static noinline int join_transaction(struct btrfs_fs_info *fs_info,
+ if (!cur_trans)
+ return -ENOMEM;
+
++ btrfs_lockdep_acquire(fs_info, btrfs_trans_num_writers);
++
+ spin_lock(&fs_info->trans_lock);
+ if (fs_info->running_transaction) {
+ /*
+ * someone started a transaction after we unlocked. Make sure
+ * to redo the checks above
+ */
++ btrfs_lockdep_release(fs_info, btrfs_trans_num_writers);
+ kfree(cur_trans);
+ goto loop;
+ } else if (BTRFS_FS_ERROR(fs_info)) {
+ spin_unlock(&fs_info->trans_lock);
++ btrfs_lockdep_release(fs_info, btrfs_trans_num_writers);
+ kfree(cur_trans);
+ return -EROFS;
+ }
+@@ -1022,6 +1027,9 @@ static int __btrfs_end_transaction(struct btrfs_trans_handle *trans,
+ extwriter_counter_dec(cur_trans, trans->type);
+
+ cond_wake_up(&cur_trans->writer_wait);
++
++ btrfs_lockdep_release(info, btrfs_trans_num_writers);
++
+ btrfs_put_transaction(cur_trans);
+
+ if (current->journal_info == trans)
+@@ -1994,6 +2002,12 @@ static void cleanup_transaction(struct btrfs_trans_handle *trans, int err)
+ if (cur_trans == fs_info->running_transaction) {
+ cur_trans->state = TRANS_STATE_COMMIT_DOING;
+ spin_unlock(&fs_info->trans_lock);
++
++ /*
++ * The thread has already released the lockdep map as reader
++ * already in btrfs_commit_transaction().
++ */
++ btrfs_might_wait_for_event(fs_info, btrfs_trans_num_writers);
+ wait_event(cur_trans->writer_wait,
+ atomic_read(&cur_trans->num_writers) == 1);
+
+@@ -2222,7 +2236,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+
+ btrfs_put_transaction(prev_trans);
+ if (ret)
+- goto cleanup_transaction;
++ goto lockdep_release;
+ } else {
+ spin_unlock(&fs_info->trans_lock);
+ }
+@@ -2236,7 +2250,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+ */
+ if (BTRFS_FS_ERROR(fs_info)) {
+ ret = -EROFS;
+- goto cleanup_transaction;
++ goto lockdep_release;
+ }
+ }
+
+@@ -2250,19 +2264,21 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+
+ ret = btrfs_start_delalloc_flush(fs_info);
+ if (ret)
+- goto cleanup_transaction;
++ goto lockdep_release;
+
+ ret = btrfs_run_delayed_items(trans);
+ if (ret)
+- goto cleanup_transaction;
++ goto lockdep_release;
+
+ wait_event(cur_trans->writer_wait,
+ extwriter_counter_read(cur_trans) == 0);
+
+ /* some pending stuffs might be added after the previous flush. */
+ ret = btrfs_run_delayed_items(trans);
+- if (ret)
++ if (ret) {
++ btrfs_lockdep_release(fs_info, btrfs_trans_num_writers);
+ goto cleanup_transaction;
++ }
+
+ btrfs_wait_delalloc_flush(fs_info);
+
+@@ -2284,6 +2300,14 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+ add_pending_snapshot(trans);
+ cur_trans->state = TRANS_STATE_COMMIT_DOING;
+ spin_unlock(&fs_info->trans_lock);
++
++ /*
++ * The thread has started/joined the transaction thus it holds the
++ * lockdep map as a reader. It has to release it before acquiring the
++ * lockdep map as a writer.
++ */
++ btrfs_lockdep_release(fs_info, btrfs_trans_num_writers);
++ btrfs_might_wait_for_event(fs_info, btrfs_trans_num_writers);
+ wait_event(cur_trans->writer_wait,
+ atomic_read(&cur_trans->num_writers) == 1);
+
+@@ -2515,6 +2539,10 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+ cleanup_transaction(trans, ret);
+
+ return ret;
++
++lockdep_release:
++ btrfs_lockdep_release(fs_info, btrfs_trans_num_writers);
++ goto cleanup_transaction;
+ }
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From 5898b5a0ae847ba581045a1ebfa11348731daa5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jul 2022 15:11:54 -0700
+Subject: btrfs: add lockdep annotations for pending_ordered wait event
+
+From: Ioannis Angelakopoulos <iangelak@fb.com>
+
+[ Upstream commit 8b53779eaa98b55f4cccadd4d12b3233e9633140 ]
+
+In contrast to the num_writers and num_extwriters wait events, the
+condition for the pending ordered wait event is signaled in a different
+context from the wait event itself. The condition signaling occurs in
+btrfs_remove_ordered_extent() in fs/btrfs/ordered-data.c while the wait
+event is implemented in btrfs_commit_transaction() in
+fs/btrfs/transaction.c
+
+Thus the thread signaling the condition has to acquire the lockdep map
+as a reader at the start of btrfs_remove_ordered_extent() and release it
+after it has signaled the condition. In this case some dependencies
+might be left out due to the placement of the annotation, but it is
+better than no annotation at all.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Ioannis Angelakopoulos <iangelak@fb.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.h | 1 +
+ fs/btrfs/disk-io.c | 1 +
+ fs/btrfs/ordered-data.c | 3 +++
+ fs/btrfs/transaction.c | 1 +
+ 4 files changed, 6 insertions(+)
+
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index f8172e269f03..8bd9a6d5ade6 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -1099,6 +1099,7 @@ struct btrfs_fs_info {
+ struct lockdep_map btrfs_trans_num_writers_map;
+ struct lockdep_map btrfs_trans_num_extwriters_map;
+ struct lockdep_map btrfs_state_change_map[4];
++ struct lockdep_map btrfs_trans_pending_ordered_map;
+
+ #ifdef CONFIG_BTRFS_FS_REF_VERIFY
+ spinlock_t ref_verify_lock;
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index 68c6cb4e9283..393553fdfed6 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -2992,6 +2992,7 @@ void btrfs_init_fs_info(struct btrfs_fs_info *fs_info)
+
+ btrfs_lockdep_init_map(fs_info, btrfs_trans_num_writers);
+ btrfs_lockdep_init_map(fs_info, btrfs_trans_num_extwriters);
++ btrfs_lockdep_init_map(fs_info, btrfs_trans_pending_ordered);
+ btrfs_state_lockdep_init_map(fs_info, btrfs_trans_commit_start,
+ BTRFS_LOCKDEP_TRANS_COMMIT_START);
+ btrfs_state_lockdep_init_map(fs_info, btrfs_trans_unblocked,
+diff --git a/fs/btrfs/ordered-data.c b/fs/btrfs/ordered-data.c
+index 1952ac85222c..2a4cb6db42d1 100644
+--- a/fs/btrfs/ordered-data.c
++++ b/fs/btrfs/ordered-data.c
+@@ -525,6 +525,7 @@ void btrfs_remove_ordered_extent(struct btrfs_inode *btrfs_inode,
+ struct rb_node *node;
+ bool pending;
+
++ btrfs_lockdep_acquire(fs_info, btrfs_trans_pending_ordered);
+ /* This is paired with btrfs_add_ordered_extent. */
+ spin_lock(&btrfs_inode->lock);
+ btrfs_mod_outstanding_extents(btrfs_inode, -1);
+@@ -580,6 +581,8 @@ void btrfs_remove_ordered_extent(struct btrfs_inode *btrfs_inode,
+ }
+ }
+
++ btrfs_lockdep_release(fs_info, btrfs_trans_pending_ordered);
++
+ spin_lock(&root->ordered_extent_lock);
+ list_del_init(&entry->root_extent_list);
+ root->nr_ordered_extents--;
+diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
+index d3576f84020d..6e3b2cb6a04a 100644
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -2310,6 +2310,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+ * transaction. Otherwise if this transaction commits before the ordered
+ * extents complete we lose logged data after a power failure.
+ */
++ btrfs_might_wait_for_event(fs_info, btrfs_trans_pending_ordered);
+ wait_event(cur_trans->pending_wait,
+ atomic_read(&cur_trans->pending_ordered) == 0);
+
+--
+2.35.1
+
--- /dev/null
+From dbaab36298dc01beea6a2d8ffe12e7d7180f2b30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jul 2022 15:11:59 -0700
+Subject: btrfs: add lockdep annotations for the ordered extents wait event
+
+From: Ioannis Angelakopoulos <iangelak@fb.com>
+
+[ Upstream commit 5f4403e10f9b75b081bcc763b98d73e29de8c248 ]
+
+This wait event is very similar to the pending ordered wait event in the
+sense that it occurs in a different context than the condition signaling
+for the event. The signaling occurs in btrfs_remove_ordered_extent()
+while the wait event is implemented in btrfs_start_ordered_extent() in
+fs/btrfs/ordered-data.c
+
+However, in this case a thread must not acquire the lockdep map for the
+ordered extents wait event when the ordered extent is related to a free
+space inode. That is because lockdep creates dependencies between locks
+acquired both in execution paths related to normal inodes and paths
+related to free space inodes, thus leading to false positives.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Ioannis Angelakopoulos <iangelak@fb.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.h | 1 +
+ fs/btrfs/disk-io.c | 1 +
+ fs/btrfs/inode.c | 13 +++++++++++++
+ fs/btrfs/ordered-data.c | 18 ++++++++++++++++++
+ 4 files changed, 33 insertions(+)
+
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index 8bd9a6d5ade6..804962f97452 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -1100,6 +1100,7 @@ struct btrfs_fs_info {
+ struct lockdep_map btrfs_trans_num_extwriters_map;
+ struct lockdep_map btrfs_state_change_map[4];
+ struct lockdep_map btrfs_trans_pending_ordered_map;
++ struct lockdep_map btrfs_ordered_extent_map;
+
+ #ifdef CONFIG_BTRFS_FS_REF_VERIFY
+ spinlock_t ref_verify_lock;
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index 393553fdfed6..e0e1730e67d7 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -2993,6 +2993,7 @@ void btrfs_init_fs_info(struct btrfs_fs_info *fs_info)
+ btrfs_lockdep_init_map(fs_info, btrfs_trans_num_writers);
+ btrfs_lockdep_init_map(fs_info, btrfs_trans_num_extwriters);
+ btrfs_lockdep_init_map(fs_info, btrfs_trans_pending_ordered);
++ btrfs_lockdep_init_map(fs_info, btrfs_ordered_extent);
+ btrfs_state_lockdep_init_map(fs_info, btrfs_trans_commit_start,
+ BTRFS_LOCKDEP_TRANS_COMMIT_START);
+ btrfs_state_lockdep_init_map(fs_info, btrfs_trans_unblocked,
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 1372210869b1..b06955727055 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -3225,6 +3225,8 @@ int btrfs_finish_ordered_io(struct btrfs_ordered_extent *ordered_extent)
+ clear_bits |= EXTENT_DELALLOC_NEW;
+
+ freespace_inode = btrfs_is_free_space_inode(inode);
++ if (!freespace_inode)
++ btrfs_lockdep_acquire(fs_info, btrfs_ordered_extent);
+
+ if (test_bit(BTRFS_ORDERED_IOERR, &ordered_extent->flags)) {
+ ret = -EIO;
+@@ -8959,6 +8961,7 @@ void btrfs_destroy_inode(struct inode *vfs_inode)
+ struct btrfs_ordered_extent *ordered;
+ struct btrfs_inode *inode = BTRFS_I(vfs_inode);
+ struct btrfs_root *root = inode->root;
++ bool freespace_inode;
+
+ WARN_ON(!hlist_empty(&vfs_inode->i_dentry));
+ WARN_ON(vfs_inode->i_data.nrpages);
+@@ -8980,6 +8983,12 @@ void btrfs_destroy_inode(struct inode *vfs_inode)
+ if (!root)
+ return;
+
++ /*
++ * If this is a free space inode do not take the ordered extents lockdep
++ * map.
++ */
++ freespace_inode = btrfs_is_free_space_inode(inode);
++
+ while (1) {
+ ordered = btrfs_lookup_first_ordered_extent(inode, (u64)-1);
+ if (!ordered)
+@@ -8988,6 +8997,10 @@ void btrfs_destroy_inode(struct inode *vfs_inode)
+ btrfs_err(root->fs_info,
+ "found ordered extent %llu %llu on inode cleanup",
+ ordered->file_offset, ordered->num_bytes);
++
++ if (!freespace_inode)
++ btrfs_lockdep_acquire(root->fs_info, btrfs_ordered_extent);
++
+ btrfs_remove_ordered_extent(inode, ordered);
+ btrfs_put_ordered_extent(ordered);
+ btrfs_put_ordered_extent(ordered);
+diff --git a/fs/btrfs/ordered-data.c b/fs/btrfs/ordered-data.c
+index 2a4cb6db42d1..eb24a6d20ff8 100644
+--- a/fs/btrfs/ordered-data.c
++++ b/fs/btrfs/ordered-data.c
+@@ -524,6 +524,13 @@ void btrfs_remove_ordered_extent(struct btrfs_inode *btrfs_inode,
+ struct btrfs_fs_info *fs_info = root->fs_info;
+ struct rb_node *node;
+ bool pending;
++ bool freespace_inode;
++
++ /*
++ * If this is a free space inode the thread has not acquired the ordered
++ * extents lockdep map.
++ */
++ freespace_inode = btrfs_is_free_space_inode(btrfs_inode);
+
+ btrfs_lockdep_acquire(fs_info, btrfs_trans_pending_ordered);
+ /* This is paired with btrfs_add_ordered_extent. */
+@@ -597,6 +604,8 @@ void btrfs_remove_ordered_extent(struct btrfs_inode *btrfs_inode,
+ }
+ spin_unlock(&root->ordered_extent_lock);
+ wake_up(&entry->wait);
++ if (!freespace_inode)
++ btrfs_lockdep_release(fs_info, btrfs_ordered_extent);
+ }
+
+ static void btrfs_run_ordered_extent_work(struct btrfs_work *work)
+@@ -715,9 +724,16 @@ void btrfs_start_ordered_extent(struct btrfs_ordered_extent *entry, int wait)
+ u64 start = entry->file_offset;
+ u64 end = start + entry->num_bytes - 1;
+ struct btrfs_inode *inode = BTRFS_I(entry->inode);
++ bool freespace_inode;
+
+ trace_btrfs_ordered_extent_start(inode, entry);
+
++ /*
++ * If this is a free space inode do not take the ordered extents lockdep
++ * map.
++ */
++ freespace_inode = btrfs_is_free_space_inode(inode);
++
+ /*
+ * pages in the range can be dirty, clean or writeback. We
+ * start IO on any dirty ones so the wait doesn't stall waiting
+@@ -726,6 +742,8 @@ void btrfs_start_ordered_extent(struct btrfs_ordered_extent *entry, int wait)
+ if (!test_bit(BTRFS_ORDERED_DIRECT, &entry->flags))
+ filemap_fdatawrite_range(inode->vfs_inode.i_mapping, start, end);
+ if (wait) {
++ if (!freespace_inode)
++ btrfs_might_wait_for_event(inode->root->fs_info, btrfs_ordered_extent);
+ wait_event(entry->wait, test_bit(BTRFS_ORDERED_COMPLETE,
+ &entry->flags));
+ }
+--
+2.35.1
+
--- /dev/null
+From 3c196fc7745196ba3f6358ce334e0512366c86f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jul 2022 15:11:52 -0700
+Subject: btrfs: add lockdep annotations for transaction states wait events
+
+From: Ioannis Angelakopoulos <iangelak@fb.com>
+
+[ Upstream commit 3e738c531aad8caa7f3d20ab878a8a0d3574e730 ]
+
+Add lockdep annotations for the transaction states that have wait
+events;
+
+ 1) TRANS_STATE_COMMIT_START
+ 2) TRANS_STATE_UNBLOCKED
+ 3) TRANS_STATE_SUPER_COMMITTED
+ 4) TRANS_STATE_COMPLETED
+
+The new macros introduced here to annotate the transaction states wait
+events have the same effect as the generic lockdep annotation macros.
+
+With the exception of the lockdep annotation for TRANS_STATE_COMMIT_START
+the transaction thread has to acquire the lockdep maps for the
+transaction states as reader after the lockdep map for num_writers is
+released so that lockdep does not complain.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Ioannis Angelakopoulos <iangelak@fb.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.h | 32 +++++++++++++++++++++++++
+ fs/btrfs/disk-io.c | 8 +++++++
+ fs/btrfs/transaction.c | 53 ++++++++++++++++++++++++++++++++++--------
+ 3 files changed, 83 insertions(+), 10 deletions(-)
+
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index e886cf639c0f..f8172e269f03 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -1098,6 +1098,7 @@ struct btrfs_fs_info {
+ */
+ struct lockdep_map btrfs_trans_num_writers_map;
+ struct lockdep_map btrfs_trans_num_extwriters_map;
++ struct lockdep_map btrfs_state_change_map[4];
+
+ #ifdef CONFIG_BTRFS_FS_REF_VERIFY
+ spinlock_t ref_verify_lock;
+@@ -1181,6 +1182,13 @@ enum {
+ BTRFS_ROOT_RESET_LOCKDEP_CLASS,
+ };
+
++enum btrfs_lockdep_trans_states {
++ BTRFS_LOCKDEP_TRANS_COMMIT_START,
++ BTRFS_LOCKDEP_TRANS_UNBLOCKED,
++ BTRFS_LOCKDEP_TRANS_SUPER_COMMITTED,
++ BTRFS_LOCKDEP_TRANS_COMPLETED,
++};
++
+ /*
+ * Lockdep annotation for wait events.
+ *
+@@ -1219,6 +1227,22 @@ enum {
+ #define btrfs_lockdep_release(owner, lock) \
+ rwsem_release(&owner->lock##_map, _THIS_IP_)
+
++/*
++ * Macros for the transaction states wait events, similar to the generic wait
++ * event macros.
++ */
++#define btrfs_might_wait_for_state(owner, i) \
++ do { \
++ rwsem_acquire(&owner->btrfs_state_change_map[i], 0, 0, _THIS_IP_); \
++ rwsem_release(&owner->btrfs_state_change_map[i], _THIS_IP_); \
++ } while (0)
++
++#define btrfs_trans_state_lockdep_acquire(owner, i) \
++ rwsem_acquire_read(&owner->btrfs_state_change_map[i], 0, 0, _THIS_IP_)
++
++#define btrfs_trans_state_lockdep_release(owner, i) \
++ rwsem_release(&owner->btrfs_state_change_map[i], _THIS_IP_)
++
+ /* Initialization of the lockdep map */
+ #define btrfs_lockdep_init_map(owner, lock) \
+ do { \
+@@ -1226,6 +1250,14 @@ enum {
+ lockdep_init_map(&owner->lock##_map, #lock, &lock##_key, 0); \
+ } while (0)
+
++/* Initialization of the transaction states lockdep maps. */
++#define btrfs_state_lockdep_init_map(owner, lock, state) \
++ do { \
++ static struct lock_class_key lock##_key; \
++ lockdep_init_map(&owner->btrfs_state_change_map[state], #lock, \
++ &lock##_key, 0); \
++ } while (0)
++
+ static inline void btrfs_wake_unfinished_drop(struct btrfs_fs_info *fs_info)
+ {
+ clear_and_wake_up_bit(BTRFS_FS_UNFINISHED_DROPS, &fs_info->flags);
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index 811d743e26e6..68c6cb4e9283 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -2992,6 +2992,14 @@ void btrfs_init_fs_info(struct btrfs_fs_info *fs_info)
+
+ btrfs_lockdep_init_map(fs_info, btrfs_trans_num_writers);
+ btrfs_lockdep_init_map(fs_info, btrfs_trans_num_extwriters);
++ btrfs_state_lockdep_init_map(fs_info, btrfs_trans_commit_start,
++ BTRFS_LOCKDEP_TRANS_COMMIT_START);
++ btrfs_state_lockdep_init_map(fs_info, btrfs_trans_unblocked,
++ BTRFS_LOCKDEP_TRANS_UNBLOCKED);
++ btrfs_state_lockdep_init_map(fs_info, btrfs_trans_super_committed,
++ BTRFS_LOCKDEP_TRANS_SUPER_COMMITTED);
++ btrfs_state_lockdep_init_map(fs_info, btrfs_trans_completed,
++ BTRFS_LOCKDEP_TRANS_COMPLETED);
+
+ INIT_LIST_HEAD(&fs_info->dirty_cowonly_roots);
+ INIT_LIST_HEAD(&fs_info->space_info);
+diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
+index 44e47db4c8e8..d3576f84020d 100644
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -550,6 +550,7 @@ static void wait_current_trans(struct btrfs_fs_info *fs_info)
+ refcount_inc(&cur_trans->use_count);
+ spin_unlock(&fs_info->trans_lock);
+
++ btrfs_might_wait_for_state(fs_info, BTRFS_LOCKDEP_TRANS_UNBLOCKED);
+ wait_event(fs_info->transaction_wait,
+ cur_trans->state >= TRANS_STATE_UNBLOCKED ||
+ TRANS_ABORTED(cur_trans));
+@@ -868,6 +869,15 @@ static noinline void wait_for_commit(struct btrfs_transaction *commit,
+ u64 transid = commit->transid;
+ bool put = false;
+
++ /*
++ * At the moment this function is called with min_state either being
++ * TRANS_STATE_COMPLETED or TRANS_STATE_SUPER_COMMITTED.
++ */
++ if (min_state == TRANS_STATE_COMPLETED)
++ btrfs_might_wait_for_state(fs_info, BTRFS_LOCKDEP_TRANS_COMPLETED);
++ else
++ btrfs_might_wait_for_state(fs_info, BTRFS_LOCKDEP_TRANS_SUPER_COMMITTED);
++
+ while (1) {
+ wait_event(commit->commit_wait, commit->state >= min_state);
+ if (put)
+@@ -1980,6 +1990,7 @@ void btrfs_commit_transaction_async(struct btrfs_trans_handle *trans)
+ * Wait for the current transaction commit to start and block
+ * subsequent transaction joins
+ */
++ btrfs_might_wait_for_state(fs_info, BTRFS_LOCKDEP_TRANS_COMMIT_START);
+ wait_event(fs_info->transaction_blocked_wait,
+ cur_trans->state >= TRANS_STATE_COMMIT_START ||
+ TRANS_ABORTED(cur_trans));
+@@ -2137,12 +2148,12 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+ ktime_t interval;
+
+ ASSERT(refcount_read(&trans->use_count) == 1);
++ btrfs_trans_state_lockdep_acquire(fs_info, BTRFS_LOCKDEP_TRANS_COMMIT_START);
+
+ /* Stop the commit early if ->aborted is set */
+ if (TRANS_ABORTED(cur_trans)) {
+ ret = cur_trans->aborted;
+- btrfs_end_transaction(trans);
+- return ret;
++ goto lockdep_trans_commit_start_release;
+ }
+
+ btrfs_trans_release_metadata(trans);
+@@ -2159,10 +2170,8 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+ * Any running threads may add more while we are here.
+ */
+ ret = btrfs_run_delayed_refs(trans, 0);
+- if (ret) {
+- btrfs_end_transaction(trans);
+- return ret;
+- }
++ if (ret)
++ goto lockdep_trans_commit_start_release;
+ }
+
+ btrfs_create_pending_block_groups(trans);
+@@ -2191,10 +2200,8 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+
+ if (run_it) {
+ ret = btrfs_start_dirty_block_groups(trans);
+- if (ret) {
+- btrfs_end_transaction(trans);
+- return ret;
+- }
++ if (ret)
++ goto lockdep_trans_commit_start_release;
+ }
+ }
+
+@@ -2209,6 +2216,9 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+
+ if (trans->in_fsync)
+ want_state = TRANS_STATE_SUPER_COMMITTED;
++
++ btrfs_trans_state_lockdep_release(fs_info,
++ BTRFS_LOCKDEP_TRANS_COMMIT_START);
+ ret = btrfs_end_transaction(trans);
+ wait_for_commit(cur_trans, want_state);
+
+@@ -2222,6 +2232,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+
+ cur_trans->state = TRANS_STATE_COMMIT_START;
+ wake_up(&fs_info->transaction_blocked_wait);
++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_COMMIT_START);
+
+ if (cur_trans->list.prev != &fs_info->trans_list) {
+ enum btrfs_trans_state want_state = TRANS_STATE_COMPLETED;
+@@ -2323,6 +2334,16 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+ wait_event(cur_trans->writer_wait,
+ atomic_read(&cur_trans->num_writers) == 1);
+
++ /*
++ * Make lockdep happy by acquiring the state locks after
++ * btrfs_trans_num_writers is released. If we acquired the state locks
++ * before releasing the btrfs_trans_num_writers lock then lockdep would
++ * complain because we did not follow the reverse order unlocking rule.
++ */
++ btrfs_trans_state_lockdep_acquire(fs_info, BTRFS_LOCKDEP_TRANS_COMPLETED);
++ btrfs_trans_state_lockdep_acquire(fs_info, BTRFS_LOCKDEP_TRANS_SUPER_COMMITTED);
++ btrfs_trans_state_lockdep_acquire(fs_info, BTRFS_LOCKDEP_TRANS_UNBLOCKED);
++
+ /*
+ * We've started the commit, clear the flag in case we were triggered to
+ * do an async commit but somebody else started before the transaction
+@@ -2332,6 +2353,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+
+ if (TRANS_ABORTED(cur_trans)) {
+ ret = cur_trans->aborted;
++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_UNBLOCKED);
+ goto scrub_continue;
+ }
+ /*
+@@ -2466,6 +2488,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+ mutex_unlock(&fs_info->reloc_mutex);
+
+ wake_up(&fs_info->transaction_wait);
++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_UNBLOCKED);
+
+ ret = btrfs_write_and_wait_transaction(trans);
+ if (ret) {
+@@ -2497,6 +2520,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+ */
+ cur_trans->state = TRANS_STATE_SUPER_COMMITTED;
+ wake_up(&cur_trans->commit_wait);
++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_SUPER_COMMITTED);
+
+ btrfs_finish_extent_commit(trans);
+
+@@ -2510,6 +2534,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+ */
+ cur_trans->state = TRANS_STATE_COMPLETED;
+ wake_up(&cur_trans->commit_wait);
++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_COMPLETED);
+
+ spin_lock(&fs_info->trans_lock);
+ list_del_init(&cur_trans->list);
+@@ -2538,7 +2563,10 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+
+ unlock_reloc:
+ mutex_unlock(&fs_info->reloc_mutex);
++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_UNBLOCKED);
+ scrub_continue:
++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_SUPER_COMMITTED);
++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_COMPLETED);
+ btrfs_scrub_continue(fs_info);
+ cleanup_transaction:
+ btrfs_trans_release_metadata(trans);
+@@ -2556,6 +2584,11 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans)
+ btrfs_lockdep_release(fs_info, btrfs_trans_num_extwriters);
+ btrfs_lockdep_release(fs_info, btrfs_trans_num_writers);
+ goto cleanup_transaction;
++
++lockdep_trans_commit_start_release:
++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_COMMIT_START);
++ btrfs_end_transaction(trans);
++ return ret;
+ }
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From 9b390e7dfd1a0faeff4012513dc4864e9df58bab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jul 2022 15:11:46 -0700
+Subject: btrfs: add macros for annotating wait events with lockdep
+
+From: Ioannis Angelakopoulos <iangelak@fb.com>
+
+[ Upstream commit ab9a323f9ab576000795285dd7ac6afeedf29e32 ]
+
+Introduce four macros that are used to annotate wait events in btrfs code
+with lockdep;
+
+ 1) the btrfs_lockdep_init_map
+ 2) the btrfs_lockdep_acquire,
+ 3) the btrfs_lockdep_release
+ 4) the btrfs_might_wait_for_event macros.
+
+The btrfs_lockdep_init_map macro is used to initialize a lockdep map.
+
+The btrfs_lockdep_<acquire,release> macros are used by threads to take
+the lockdep map as readers (shared lock) and release it, respectively.
+
+The btrfs_might_wait_for_event macro is used by threads to take the
+lockdep map as writers (exclusive lock) and release it.
+
+In general, the lockdep annotation for wait events work as follows:
+
+The condition for a wait event can be modified and signaled at the same
+time by multiple threads. These threads hold the lockdep map as readers
+when they enter a context in which blocking would prevent signaling the
+condition. Frequently, this occurs when a thread violates a condition
+(lockdep map acquire), before restoring it and signaling it at a later
+point (lockdep map release).
+
+The threads that block on the wait event take the lockdep map as writers
+(exclusive lock). These threads have to block until all the threads that
+hold the lockdep map as readers signal the condition for the wait event
+and release the lockdep map.
+
+The lockdep annotation is used to warn about potential deadlock scenarios
+that involve the threads that modify and signal the wait event condition
+and threads that block on the wait event. A simple example is illustrated
+below:
+
+Without lockdep:
+
+TA TB
+cond = false
+ lock(A)
+ wait_event(w, cond)
+ unlock(A)
+lock(A)
+cond = true
+signal(w)
+unlock(A)
+
+With lockdep:
+
+TA TB
+rwsem_acquire_read(lockdep_map)
+cond = false
+ lock(A)
+ rwsem_acquire(lockdep_map)
+ rwsem_release(lockdep_map)
+ wait_event(w, cond)
+ unlock(A)
+lock(A)
+cond = true
+signal(w)
+unlock(A)
+rwsem_release(lockdep_map)
+
+In the second case, with the lockdep annotation, lockdep would warn about
+an ABBA deadlock, while the first case would just deadlock at some point.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Ioannis Angelakopoulos <iangelak@fb.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.h | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index df8c99c99df9..dfeb7174219e 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -1174,6 +1174,51 @@ enum {
+ BTRFS_ROOT_RESET_LOCKDEP_CLASS,
+ };
+
++/*
++ * Lockdep annotation for wait events.
++ *
++ * @owner: The struct where the lockdep map is defined
++ * @lock: The lockdep map corresponding to a wait event
++ *
++ * This macro is used to annotate a wait event. In this case a thread acquires
++ * the lockdep map as writer (exclusive lock) because it has to block until all
++ * the threads that hold the lock as readers signal the condition for the wait
++ * event and release their locks.
++ */
++#define btrfs_might_wait_for_event(owner, lock) \
++ do { \
++ rwsem_acquire(&owner->lock##_map, 0, 0, _THIS_IP_); \
++ rwsem_release(&owner->lock##_map, _THIS_IP_); \
++ } while (0)
++
++/*
++ * Protection for the resource/condition of a wait event.
++ *
++ * @owner: The struct where the lockdep map is defined
++ * @lock: The lockdep map corresponding to a wait event
++ *
++ * Many threads can modify the condition for the wait event at the same time
++ * and signal the threads that block on the wait event. The threads that modify
++ * the condition and do the signaling acquire the lock as readers (shared
++ * lock).
++ */
++#define btrfs_lockdep_acquire(owner, lock) \
++ rwsem_acquire_read(&owner->lock##_map, 0, 0, _THIS_IP_)
++
++/*
++ * Used after signaling the condition for a wait event to release the lockdep
++ * map held by a reader thread.
++ */
++#define btrfs_lockdep_release(owner, lock) \
++ rwsem_release(&owner->lock##_map, _THIS_IP_)
++
++/* Initialization of the lockdep map */
++#define btrfs_lockdep_init_map(owner, lock) \
++ do { \
++ static struct lock_class_key lock##_key; \
++ lockdep_init_map(&owner->lock##_map, #lock, &lock##_key, 0); \
++ } while (0)
++
+ static inline void btrfs_wake_unfinished_drop(struct btrfs_fs_info *fs_info)
+ {
+ clear_and_wake_up_bit(BTRFS_FS_UNFINISHED_DROPS, &fs_info->flags);
+--
+2.35.1
+
--- /dev/null
+From f405bb590036e32502c7d4698281340aab21f78d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Aug 2022 16:10:26 -0400
+Subject: btrfs: call __btrfs_remove_free_space_cache_locked on cache load
+ failure
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 8a1ae2781dee9fc21ca82db682d37bea4bd074ad ]
+
+Now that lockdep is staying enabled through our entire CI runs I started
+seeing the following stack in generic/475
+
+------------[ cut here ]------------
+WARNING: CPU: 1 PID: 2171864 at fs/btrfs/discard.c:604 btrfs_discard_update_discardable+0x98/0xb0
+CPU: 1 PID: 2171864 Comm: kworker/u4:0 Not tainted 5.19.0-rc8+ #789
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
+Workqueue: btrfs-cache btrfs_work_helper
+RIP: 0010:btrfs_discard_update_discardable+0x98/0xb0
+RSP: 0018:ffffb857c2f7bad0 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff8c85c605c200 RCX: 0000000000000001
+RDX: 0000000000000000 RSI: ffffffff86807c5b RDI: ffffffff868a831e
+RBP: ffff8c85c4c54000 R08: 0000000000000000 R09: 0000000000000000
+R10: ffff8c85c66932f0 R11: 0000000000000001 R12: ffff8c85c3899010
+R13: ffff8c85d5be4f40 R14: ffff8c85c4c54000 R15: ffff8c86114bfa80
+FS: 0000000000000000(0000) GS:ffff8c863bd00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f2e7f168160 CR3: 000000010289a004 CR4: 0000000000370ee0
+Call Trace:
+
+ __btrfs_remove_free_space_cache+0x27/0x30
+ load_free_space_cache+0xad2/0xaf0
+ caching_thread+0x40b/0x650
+ ? lock_release+0x137/0x2d0
+ btrfs_work_helper+0xf2/0x3e0
+ ? lock_is_held_type+0xe2/0x140
+ process_one_work+0x271/0x590
+ ? process_one_work+0x590/0x590
+ worker_thread+0x52/0x3b0
+ ? process_one_work+0x590/0x590
+ kthread+0xf0/0x120
+ ? kthread_complete_and_exit+0x20/0x20
+ ret_from_fork+0x1f/0x30
+
+This is the code
+
+ ctl = block_group->free_space_ctl;
+ discard_ctl = &block_group->fs_info->discard_ctl;
+
+ lockdep_assert_held(&ctl->tree_lock);
+
+We have a temporary free space ctl for loading the free space cache in
+order to avoid having allocations happening while we're loading the
+cache. When we hit an error we free it all up, however this also calls
+btrfs_discard_update_discardable, which requires
+block_group->free_space_ctl->tree_lock to be held. However this is our
+temporary ctl so this lock isn't held. Fix this by calling
+__btrfs_remove_free_space_cache_locked instead so that we only clean up
+the entries and do not mess with the discardable stats.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/free-space-cache.c | 53 +++++++++++++++++++++++--------------
+ 1 file changed, 33 insertions(+), 20 deletions(-)
+
+diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c
+index 835071fa39a9..2f88053cfc5e 100644
+--- a/fs/btrfs/free-space-cache.c
++++ b/fs/btrfs/free-space-cache.c
+@@ -48,6 +48,25 @@ static void bitmap_clear_bits(struct btrfs_free_space_ctl *ctl,
+ struct btrfs_free_space *info, u64 offset,
+ u64 bytes, bool update_stats);
+
++static void __btrfs_remove_free_space_cache_locked(
++ struct btrfs_free_space_ctl *ctl)
++{
++ struct btrfs_free_space *info;
++ struct rb_node *node;
++
++ while ((node = rb_last(&ctl->free_space_offset)) != NULL) {
++ info = rb_entry(node, struct btrfs_free_space, offset_index);
++ if (!info->bitmap) {
++ unlink_free_space(ctl, info, true);
++ kmem_cache_free(btrfs_free_space_cachep, info);
++ } else {
++ free_bitmap(ctl, info);
++ }
++
++ cond_resched_lock(&ctl->tree_lock);
++ }
++}
++
+ static struct inode *__lookup_free_space_inode(struct btrfs_root *root,
+ struct btrfs_path *path,
+ u64 offset)
+@@ -881,7 +900,14 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode,
+ return ret;
+ free_cache:
+ io_ctl_drop_pages(&io_ctl);
+- __btrfs_remove_free_space_cache(ctl);
++
++ /*
++ * We need to call the _locked variant so we don't try to update the
++ * discard counters.
++ */
++ spin_lock(&ctl->tree_lock);
++ __btrfs_remove_free_space_cache_locked(ctl);
++ spin_unlock(&ctl->tree_lock);
+ goto out;
+ }
+
+@@ -1017,7 +1043,13 @@ int load_free_space_cache(struct btrfs_block_group *block_group)
+ if (ret == 0)
+ ret = 1;
+ } else {
++ /*
++ * We need to call the _locked variant so we don't try to update
++ * the discard counters.
++ */
++ spin_lock(&tmp_ctl.tree_lock);
+ __btrfs_remove_free_space_cache(&tmp_ctl);
++ spin_unlock(&tmp_ctl.tree_lock);
+ btrfs_warn(fs_info,
+ "block group %llu has wrong amount of free space",
+ block_group->start);
+@@ -2980,25 +3012,6 @@ static void __btrfs_return_cluster_to_free_space(
+ btrfs_put_block_group(block_group);
+ }
+
+-static void __btrfs_remove_free_space_cache_locked(
+- struct btrfs_free_space_ctl *ctl)
+-{
+- struct btrfs_free_space *info;
+- struct rb_node *node;
+-
+- while ((node = rb_last(&ctl->free_space_offset)) != NULL) {
+- info = rb_entry(node, struct btrfs_free_space, offset_index);
+- if (!info->bitmap) {
+- unlink_free_space(ctl, info, true);
+- kmem_cache_free(btrfs_free_space_cachep, info);
+- } else {
+- free_bitmap(ctl, info);
+- }
+-
+- cond_resched_lock(&ctl->tree_lock);
+- }
+-}
+-
+ void __btrfs_remove_free_space_cache(struct btrfs_free_space_ctl *ctl)
+ {
+ spin_lock(&ctl->tree_lock);
+--
+2.35.1
+
--- /dev/null
+From a029bfa12be1da1c419fa9f774fbb645899d2832 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jul 2022 15:11:57 -0700
+Subject: btrfs: change the lockdep class of free space inode's invalidate_lock
+
+From: Ioannis Angelakopoulos <iangelak@fb.com>
+
+[ Upstream commit 9d7464c87b159bbf763c24faeb7a2dcaac96e4a1 ]
+
+Reinitialize the class of the lockdep map for struct inode's
+mapping->invalidate_lock in load_free_space_cache() function in
+fs/btrfs/free-space-cache.c. This will prevent lockdep from producing
+false positives related to execution paths that make use of free space
+inodes and paths that make use of normal inodes.
+
+Specifically, with this change lockdep will create separate lock
+dependencies that include the invalidate_lock, in the case that free
+space inodes are used and in the case that normal inodes are used.
+
+The lockdep class for this lock was first initialized in
+inode_init_always() in fs/inode.c.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Ioannis Angelakopoulos <iangelak@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/free-space-cache.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c
+index 85404c62a1c2..835071fa39a9 100644
+--- a/fs/btrfs/free-space-cache.c
++++ b/fs/btrfs/free-space-cache.c
+@@ -920,6 +920,8 @@ static int copy_free_space_cache(struct btrfs_block_group *block_group,
+ return ret;
+ }
+
++static struct lock_class_key btrfs_free_space_inode_key;
++
+ int load_free_space_cache(struct btrfs_block_group *block_group)
+ {
+ struct btrfs_fs_info *fs_info = block_group->fs_info;
+@@ -989,6 +991,14 @@ int load_free_space_cache(struct btrfs_block_group *block_group)
+ }
+ spin_unlock(&block_group->lock);
+
++ /*
++ * Reinitialize the class of struct inode's mapping->invalidate_lock for
++ * free space inodes to prevent false positives related to locks for normal
++ * inodes.
++ */
++ lockdep_set_class(&(&inode->i_data)->invalidate_lock,
++ &btrfs_free_space_inode_key);
++
+ ret = __load_free_space_cache(fs_info->tree_root, inode, &tmp_ctl,
+ path, block_group->start);
+ btrfs_free_path(path);
+--
+2.35.1
+
--- /dev/null
+From e0be5b40aa9590bb5a5e2e1cda7141ab157304ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Aug 2022 20:16:22 +0800
+Subject: btrfs: check superblock to ensure the fs was not modified at thaw
+ time
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit a05d3c9153145283ce9c58a1d7a9056fbb85f6a1 ]
+
+[BACKGROUND]
+There is an incident report that, one user hibernated the system, with
+one btrfs on removable device still mounted.
+
+Then by some incident, the btrfs got mounted and modified by another
+system/OS, then back to the hibernated system.
+
+After resuming from the hibernation, new write happened into the victim btrfs.
+
+Now the fs is completely broken, since the underlying btrfs is no longer
+the same one before the hibernation, and the user lost their data due to
+various transid mismatch.
+
+[REPRODUCER]
+We can emulate the situation using the following small script:
+
+ truncate -s 1G $dev
+ mkfs.btrfs -f $dev
+ mount $dev $mnt
+ fsstress -w -d $mnt -n 500
+ sync
+ xfs_freeze -f $mnt
+ cp $dev $dev.backup
+
+ # There is no way to mount the same cloned fs on the same system,
+ # as the conflicting fsid will be rejected by btrfs.
+ # Thus here we have to wipe the fs using a different btrfs.
+ mkfs.btrfs -f $dev.backup
+
+ dd if=$dev.backup of=$dev bs=1M
+ xfs_freeze -u $mnt
+ fsstress -w -d $mnt -n 20
+ umount $mnt
+ btrfs check $dev
+
+The final fsck will fail due to some tree blocks has incorrect fsid.
+
+This is enough to emulate the problem hit by the unfortunate user.
+
+[ENHANCEMENT]
+Although such case should not be that common, it can still happen from
+time to time.
+
+From the view of btrfs, we can detect any unexpected super block change,
+and if there is any unexpected change, we just mark the fs read-only,
+and thaw the fs.
+
+By this we can limit the damage to minimal, and I hope no one would lose
+their data by this anymore.
+
+Suggested-by: Goffredo Baroncelli <kreijack@libero.it>
+Link: https://lore.kernel.org/linux-btrfs/83bf3b4b-7f4c-387a-b286-9251e3991e34@bluemole.com/
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/disk-io.c | 25 ++++++++++++++-----
+ fs/btrfs/disk-io.h | 4 +++-
+ fs/btrfs/super.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++
+ fs/btrfs/volumes.c | 2 +-
+ 4 files changed, 83 insertions(+), 8 deletions(-)
+
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index e0e1730e67d7..d9881b54efd1 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -2600,8 +2600,8 @@ static int btrfs_read_roots(struct btrfs_fs_info *fs_info)
+ * 1, 2 2nd and 3rd backup copy
+ * -1 skip bytenr check
+ */
+-static int validate_super(struct btrfs_fs_info *fs_info,
+- struct btrfs_super_block *sb, int mirror_num)
++int btrfs_validate_super(struct btrfs_fs_info *fs_info,
++ struct btrfs_super_block *sb, int mirror_num)
+ {
+ u64 nodesize = btrfs_super_nodesize(sb);
+ u64 sectorsize = btrfs_super_sectorsize(sb);
+@@ -2785,7 +2785,7 @@ static int validate_super(struct btrfs_fs_info *fs_info,
+ */
+ static int btrfs_validate_mount_super(struct btrfs_fs_info *fs_info)
+ {
+- return validate_super(fs_info, fs_info->super_copy, 0);
++ return btrfs_validate_super(fs_info, fs_info->super_copy, 0);
+ }
+
+ /*
+@@ -2799,7 +2799,7 @@ static int btrfs_validate_write_super(struct btrfs_fs_info *fs_info,
+ {
+ int ret;
+
+- ret = validate_super(fs_info, sb, -1);
++ ret = btrfs_validate_super(fs_info, sb, -1);
+ if (ret < 0)
+ goto out;
+ if (!btrfs_supported_super_csum(btrfs_super_csum_type(sb))) {
+@@ -3846,7 +3846,7 @@ static void btrfs_end_super_write(struct bio *bio)
+ }
+
+ struct btrfs_super_block *btrfs_read_dev_one_super(struct block_device *bdev,
+- int copy_num)
++ int copy_num, bool drop_cache)
+ {
+ struct btrfs_super_block *super;
+ struct page *page;
+@@ -3864,6 +3864,19 @@ struct btrfs_super_block *btrfs_read_dev_one_super(struct block_device *bdev,
+ if (bytenr + BTRFS_SUPER_INFO_SIZE >= bdev_nr_bytes(bdev))
+ return ERR_PTR(-EINVAL);
+
++ if (drop_cache) {
++ /* This should only be called with the primary sb. */
++ ASSERT(copy_num == 0);
++
++ /*
++ * Drop the page of the primary superblock, so later read will
++ * always read from the device.
++ */
++ invalidate_inode_pages2_range(mapping,
++ bytenr >> PAGE_SHIFT,
++ (bytenr + BTRFS_SUPER_INFO_SIZE) >> PAGE_SHIFT);
++ }
++
+ page = read_cache_page_gfp(mapping, bytenr >> PAGE_SHIFT, GFP_NOFS);
+ if (IS_ERR(page))
+ return ERR_CAST(page);
+@@ -3895,7 +3908,7 @@ struct btrfs_super_block *btrfs_read_dev_super(struct block_device *bdev)
+ * later supers, using BTRFS_SUPER_MIRROR_MAX instead
+ */
+ for (i = 0; i < 1; i++) {
+- super = btrfs_read_dev_one_super(bdev, i);
++ super = btrfs_read_dev_one_super(bdev, i, false);
+ if (IS_ERR(super))
+ continue;
+
+diff --git a/fs/btrfs/disk-io.h b/fs/btrfs/disk-io.h
+index 47ad8e0a2d33..aef981de672c 100644
+--- a/fs/btrfs/disk-io.h
++++ b/fs/btrfs/disk-io.h
+@@ -46,10 +46,12 @@ int __cold open_ctree(struct super_block *sb,
+ struct btrfs_fs_devices *fs_devices,
+ char *options);
+ void __cold close_ctree(struct btrfs_fs_info *fs_info);
++int btrfs_validate_super(struct btrfs_fs_info *fs_info,
++ struct btrfs_super_block *sb, int mirror_num);
+ int write_all_supers(struct btrfs_fs_info *fs_info, int max_mirrors);
+ struct btrfs_super_block *btrfs_read_dev_super(struct block_device *bdev);
+ struct btrfs_super_block *btrfs_read_dev_one_super(struct block_device *bdev,
+- int copy_num);
++ int copy_num, bool drop_cache);
+ int btrfs_commit_super(struct btrfs_fs_info *fs_info);
+ struct btrfs_root *btrfs_read_tree_root(struct btrfs_root *tree_root,
+ struct btrfs_key *key);
+diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
+index ad3ce9700eaf..079855e9c881 100644
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -2562,11 +2562,71 @@ static int btrfs_freeze(struct super_block *sb)
+ return btrfs_commit_transaction(trans);
+ }
+
++static int check_dev_super(struct btrfs_device *dev)
++{
++ struct btrfs_fs_info *fs_info = dev->fs_info;
++ struct btrfs_super_block *sb;
++ int ret = 0;
++
++ /* This should be called with fs still frozen. */
++ ASSERT(test_bit(BTRFS_FS_FROZEN, &fs_info->flags));
++
++ /* Missing dev, no need to check. */
++ if (!dev->bdev)
++ return 0;
++
++ /* Only need to check the primary super block. */
++ sb = btrfs_read_dev_one_super(dev->bdev, 0, true);
++ if (IS_ERR(sb))
++ return PTR_ERR(sb);
++
++ /* Btrfs_validate_super() includes fsid check against super->fsid. */
++ ret = btrfs_validate_super(fs_info, sb, 0);
++ if (ret < 0)
++ goto out;
++
++ if (btrfs_super_generation(sb) != fs_info->last_trans_committed) {
++ btrfs_err(fs_info, "transid mismatch, has %llu expect %llu",
++ btrfs_super_generation(sb),
++ fs_info->last_trans_committed);
++ ret = -EUCLEAN;
++ goto out;
++ }
++out:
++ btrfs_release_disk_super(sb);
++ return ret;
++}
++
+ static int btrfs_unfreeze(struct super_block *sb)
+ {
+ struct btrfs_fs_info *fs_info = btrfs_sb(sb);
++ struct btrfs_device *device;
++ int ret = 0;
+
++ /*
++ * Make sure the fs is not changed by accident (like hibernation then
++ * modified by other OS).
++ * If we found anything wrong, we mark the fs error immediately.
++ *
++ * And since the fs is frozen, no one can modify the fs yet, thus
++ * we don't need to hold device_list_mutex.
++ */
++ list_for_each_entry(device, &fs_info->fs_devices->devices, dev_list) {
++ ret = check_dev_super(device);
++ if (ret < 0) {
++ btrfs_handle_fs_error(fs_info, ret,
++ "super block on devid %llu got modified unexpectedly",
++ device->devid);
++ break;
++ }
++ }
+ clear_bit(BTRFS_FS_FROZEN, &fs_info->flags);
++
++ /*
++ * We still return 0, to allow VFS layer to unfreeze the fs even the
++ * above checks failed. Since the fs is either fine or read-only, we're
++ * safe to continue, without causing further damage.
++ */
+ return 0;
+ }
+
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index f63ff91e2883..b4df6f74855c 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -2017,7 +2017,7 @@ void btrfs_scratch_superblocks(struct btrfs_fs_info *fs_info,
+ struct page *page;
+ int ret;
+
+- disk_super = btrfs_read_dev_one_super(bdev, copy_num);
++ disk_super = btrfs_read_dev_one_super(bdev, copy_num, false);
+ if (IS_ERR(disk_super))
+ continue;
+
+--
+2.35.1
+
--- /dev/null
+From fba5d505b1dd649164b27c1b902cf6af2d91a029 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 17:28:20 +0200
+Subject: btrfs: don't print information about space cache or tree every
+ remount
+
+From: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
+
+[ Upstream commit dbecac26630014d336a8e5ea67096ff18210fb9c ]
+
+btrfs currently prints information about space cache or free space tree
+being in use on every remount, regardless whether such remount actually
+enabled or disabled one of these features.
+
+This is actually unnecessary since providing remount options changing the
+state of these features will explicitly print the appropriate notice.
+
+Let's instead print such unconditional information just on an initial mount
+to avoid filling the kernel log when, for example, laptop-mode-tools
+remount the fs on some events.
+
+Signed-off-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/super.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
+index 6eeb3402b4a2..ad3ce9700eaf 100644
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -626,6 +626,7 @@ int btrfs_parse_options(struct btrfs_fs_info *info, char *options,
+ int saved_compress_level;
+ bool saved_compress_force;
+ int no_compress = 0;
++ const bool remounting = test_bit(BTRFS_FS_STATE_REMOUNTING, &info->fs_state);
+
+ if (btrfs_fs_compat_ro(info, FREE_SPACE_TREE))
+ btrfs_set_opt(info->mount_opt, FREE_SPACE_TREE);
+@@ -1137,10 +1138,12 @@ int btrfs_parse_options(struct btrfs_fs_info *info, char *options,
+ }
+ if (!ret)
+ ret = btrfs_check_mountopts_zoned(info);
+- if (!ret && btrfs_test_opt(info, SPACE_CACHE))
+- btrfs_info(info, "disk space caching is enabled");
+- if (!ret && btrfs_test_opt(info, FREE_SPACE_TREE))
+- btrfs_info(info, "using free space tree");
++ if (!ret && !remounting) {
++ if (btrfs_test_opt(info, SPACE_CACHE))
++ btrfs_info(info, "disk space caching is enabled");
++ if (btrfs_test_opt(info, FREE_SPACE_TREE))
++ btrfs_info(info, "using free space tree");
++ }
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 455062e2a519128c2e1d88cefa3c9e8db1f4a6d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Aug 2022 09:35:57 +0800
+Subject: btrfs: dump extra info if one free space cache has more bitmaps than
+ it should
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 62cd9d4474282a1eb84f945955c56cbfc42e1ffe ]
+
+There is an internal report on hitting the following ASSERT() in
+recalculate_thresholds():
+
+ ASSERT(ctl->total_bitmaps <= max_bitmaps);
+
+Above @max_bitmaps is calculated using the following variables:
+
+- bytes_per_bg
+ 8 * 4096 * 4096 (128M) for x86_64/x86.
+
+- block_group->length
+ The length of the block group.
+
+@max_bitmaps is the rounded up value of block_group->length / 128M.
+
+Normally one free space cache should not have more bitmaps than above
+value, but when it happens the ASSERT() can be triggered if
+CONFIG_BTRFS_ASSERT is also enabled.
+
+But the ASSERT() itself won't provide enough info to know which is going
+wrong.
+Is the bg too small thus it only allows one bitmap?
+Or is there something else wrong?
+
+So although I haven't found extra reports or crash dump to do further
+investigation, add the extra info to make it more helpful to debug.
+
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/free-space-cache.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c
+index 996da650ecdc..85404c62a1c2 100644
+--- a/fs/btrfs/free-space-cache.c
++++ b/fs/btrfs/free-space-cache.c
+@@ -693,6 +693,12 @@ static void recalculate_thresholds(struct btrfs_free_space_ctl *ctl)
+
+ max_bitmaps = max_t(u64, max_bitmaps, 1);
+
++ if (ctl->total_bitmaps > max_bitmaps)
++ btrfs_err(block_group->fs_info,
++"invalid free space control: bg start=%llu len=%llu total_bitmaps=%u unit=%u max_bitmaps=%llu bytes_per_bg=%llu",
++ block_group->start, block_group->length,
++ ctl->total_bitmaps, ctl->unit, max_bitmaps,
++ bytes_per_bg);
+ ASSERT(ctl->total_bitmaps <= max_bitmaps);
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From 1895aea733da6440417c727ac11c86be54f1405c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Aug 2022 14:53:02 +0800
+Subject: btrfs: scrub: properly report super block errors in system log
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit e69bf81c9a339f1b2c041b112a6fbb9f60fc9340 ]
+
+[PROBLEM]
+
+Unlike data/metadata corruption, if scrub detected some error in the
+super block, the only error message is from the updated device status:
+
+ BTRFS info (device dm-1): scrub: started on devid 2
+ BTRFS error (device dm-1): bdev /dev/mapper/test-scratch2 errs: wr 0, rd 0, flush 0, corrupt 1, gen 0
+ BTRFS info (device dm-1): scrub: finished on devid 2 with status: 0
+
+This is not helpful at all.
+
+[CAUSE]
+Unlike data/metadata error reporting, there is no visible report in
+kernel dmesg to report supper block errors.
+
+In fact, return value of scrub_checksum_super() is intentionally
+skipped, thus scrub_handle_errored_block() will never be called for
+super blocks.
+
+[FIX]
+Make super block errors to output an error message, now the full
+dmesg would looks like this:
+
+ BTRFS info (device dm-1): scrub: started on devid 2
+ BTRFS warning (device dm-1): super block error on device /dev/mapper/test-scratch2, physical 67108864
+ BTRFS error (device dm-1): bdev /dev/mapper/test-scratch2 errs: wr 0, rd 0, flush 0, corrupt 1, gen 0
+ BTRFS info (device dm-1): scrub: finished on devid 2 with status: 0
+ BTRFS info (device dm-1): scrub: started on devid 2
+
+This fix involves:
+
+- Move the super_errors reporting to scrub_handle_errored_block()
+ This allows the device status message to show after the super block
+ error message.
+ But now we no longer distinguish super block corruption and generation
+ mismatch, now all counted as corruption.
+
+- Properly check the return value from scrub_checksum_super()
+- Add extra super block error reporting for scrub_print_warning().
+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/scrub.c | 33 ++++++++++++---------------------
+ 1 file changed, 12 insertions(+), 21 deletions(-)
+
+diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
+index 3afe5fa50a63..0fe7c4882e1f 100644
+--- a/fs/btrfs/scrub.c
++++ b/fs/btrfs/scrub.c
+@@ -729,6 +729,13 @@ static void scrub_print_warning(const char *errstr, struct scrub_block *sblock)
+ dev = sblock->sectors[0]->dev;
+ fs_info = sblock->sctx->fs_info;
+
++ /* Super block error, no need to search extent tree. */
++ if (sblock->sectors[0]->flags & BTRFS_EXTENT_FLAG_SUPER) {
++ btrfs_warn_in_rcu(fs_info, "%s on device %s, physical %llu",
++ errstr, rcu_str_deref(dev->name),
++ sblock->sectors[0]->physical);
++ return;
++ }
+ path = btrfs_alloc_path();
+ if (!path)
+ return;
+@@ -804,7 +811,7 @@ static inline void scrub_put_recover(struct btrfs_fs_info *fs_info,
+ static int scrub_handle_errored_block(struct scrub_block *sblock_to_check)
+ {
+ struct scrub_ctx *sctx = sblock_to_check->sctx;
+- struct btrfs_device *dev;
++ struct btrfs_device *dev = sblock_to_check->sectors[0]->dev;
+ struct btrfs_fs_info *fs_info;
+ u64 logical;
+ unsigned int failed_mirror_index;
+@@ -825,13 +832,15 @@ static int scrub_handle_errored_block(struct scrub_block *sblock_to_check)
+ fs_info = sctx->fs_info;
+ if (sblock_to_check->sectors[0]->flags & BTRFS_EXTENT_FLAG_SUPER) {
+ /*
+- * if we find an error in a super block, we just report it.
++ * If we find an error in a super block, we just report it.
+ * They will get written with the next transaction commit
+ * anyway
+ */
++ scrub_print_warning("super block error", sblock_to_check);
+ spin_lock(&sctx->stat_lock);
+ ++sctx->stat.super_errors;
+ spin_unlock(&sctx->stat_lock);
++ btrfs_dev_stat_inc_and_print(dev, BTRFS_DEV_STAT_CORRUPTION_ERRS);
+ return 0;
+ }
+ logical = sblock_to_check->sectors[0]->logical;
+@@ -840,7 +849,6 @@ static int scrub_handle_errored_block(struct scrub_block *sblock_to_check)
+ is_metadata = !(sblock_to_check->sectors[0]->flags &
+ BTRFS_EXTENT_FLAG_DATA);
+ have_csum = sblock_to_check->sectors[0]->have_csum;
+- dev = sblock_to_check->sectors[0]->dev;
+
+ if (!sctx->is_dev_replace && btrfs_repair_one_zone(fs_info, logical))
+ return 0;
+@@ -1762,7 +1770,7 @@ static int scrub_checksum(struct scrub_block *sblock)
+ else if (flags & BTRFS_EXTENT_FLAG_TREE_BLOCK)
+ ret = scrub_checksum_tree_block(sblock);
+ else if (flags & BTRFS_EXTENT_FLAG_SUPER)
+- (void)scrub_checksum_super(sblock);
++ ret = scrub_checksum_super(sblock);
+ else
+ WARN_ON(1);
+ if (ret)
+@@ -1901,23 +1909,6 @@ static int scrub_checksum_super(struct scrub_block *sblock)
+ if (memcmp(calculated_csum, s->csum, sctx->fs_info->csum_size))
+ ++fail_cor;
+
+- if (fail_cor + fail_gen) {
+- /*
+- * if we find an error in a super block, we just report it.
+- * They will get written with the next transaction commit
+- * anyway
+- */
+- spin_lock(&sctx->stat_lock);
+- ++sctx->stat.super_errors;
+- spin_unlock(&sctx->stat_lock);
+- if (fail_cor)
+- btrfs_dev_stat_inc_and_print(sector->dev,
+- BTRFS_DEV_STAT_CORRUPTION_ERRS);
+- else
+- btrfs_dev_stat_inc_and_print(sector->dev,
+- BTRFS_DEV_STAT_GENERATION_ERRS);
+- }
+-
+ return fail_cor + fail_gen;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 28896fc5bb084876a978d85940a8ccb737d05f3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Aug 2022 14:53:03 +0800
+Subject: btrfs: scrub: try to fix super block errors
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit f9eab5f0bba76742af654f33d517bf62a0db8f12 ]
+
+[BUG]
+The following script shows that, although scrub can detect super block
+errors, it never tries to fix it:
+
+ mkfs.btrfs -f -d raid1 -m raid1 $dev1 $dev2
+ xfs_io -c "pwrite 67108864 4k" $dev2
+
+ mount $dev1 $mnt
+ btrfs scrub start -B $dev2
+ btrfs scrub start -Br $dev2
+ umount $mnt
+
+The first scrub reports the super error correctly:
+
+ scrub done for f3289218-abd3-41ac-a630-202f766c0859
+ Scrub started: Tue Aug 2 14:44:11 2022
+ Status: finished
+ Duration: 0:00:00
+ Total to scrub: 1.26GiB
+ Rate: 0.00B/s
+ Error summary: super=1
+ Corrected: 0
+ Uncorrectable: 0
+ Unverified: 0
+
+But the second read-only scrub still reports the same super error:
+
+ Scrub started: Tue Aug 2 14:44:11 2022
+ Status: finished
+ Duration: 0:00:00
+ Total to scrub: 1.26GiB
+ Rate: 0.00B/s
+ Error summary: super=1
+ Corrected: 0
+ Uncorrectable: 0
+ Unverified: 0
+
+[CAUSE]
+The comments already shows that super block can be easily fixed by
+committing a transaction:
+
+ /*
+ * If we find an error in a super block, we just report it.
+ * They will get written with the next transaction commit
+ * anyway
+ */
+
+But the truth is, such assumption is not always true, and since scrub
+should try to repair every error it found (except for read-only scrub),
+we should really actively commit a transaction to fix this.
+
+[FIX]
+Just commit a transaction if we found any super block errors, after
+everything else is done.
+
+We cannot do this just after scrub_supers(), as
+btrfs_commit_transaction() will try to pause and wait for the running
+scrub, thus we can not call it with scrub_lock hold.
+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/scrub.c | 36 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
+index 0fe7c4882e1f..7d9b09e3ca70 100644
+--- a/fs/btrfs/scrub.c
++++ b/fs/btrfs/scrub.c
+@@ -4093,6 +4093,7 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
+ int ret;
+ struct btrfs_device *dev;
+ unsigned int nofs_flag;
++ bool need_commit = false;
+
+ if (btrfs_fs_closing(fs_info))
+ return -EAGAIN;
+@@ -4196,6 +4197,12 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
+ */
+ nofs_flag = memalloc_nofs_save();
+ if (!is_dev_replace) {
++ u64 old_super_errors;
++
++ spin_lock(&sctx->stat_lock);
++ old_super_errors = sctx->stat.super_errors;
++ spin_unlock(&sctx->stat_lock);
++
+ btrfs_info(fs_info, "scrub: started on devid %llu", devid);
+ /*
+ * by holding device list mutex, we can
+@@ -4204,6 +4211,16 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
+ mutex_lock(&fs_info->fs_devices->device_list_mutex);
+ ret = scrub_supers(sctx, dev);
+ mutex_unlock(&fs_info->fs_devices->device_list_mutex);
++
++ spin_lock(&sctx->stat_lock);
++ /*
++ * Super block errors found, but we can not commit transaction
++ * at current context, since btrfs_commit_transaction() needs
++ * to pause the current running scrub (hold by ourselves).
++ */
++ if (sctx->stat.super_errors > old_super_errors && !sctx->readonly)
++ need_commit = true;
++ spin_unlock(&sctx->stat_lock);
+ }
+
+ if (!ret)
+@@ -4230,6 +4247,25 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
+ scrub_workers_put(fs_info);
+ scrub_put_ctx(sctx);
+
++ /*
++ * We found some super block errors before, now try to force a
++ * transaction commit, as scrub has finished.
++ */
++ if (need_commit) {
++ struct btrfs_trans_handle *trans;
++
++ trans = btrfs_start_transaction(fs_info->tree_root, 0);
++ if (IS_ERR(trans)) {
++ ret = PTR_ERR(trans);
++ btrfs_err(fs_info,
++ "scrub: failed to start transaction to fix super block errors: %d", ret);
++ return ret;
++ }
++ ret = btrfs_commit_transaction(trans);
++ if (ret < 0)
++ btrfs_err(fs_info,
++ "scrub: failed to commit transaction to fix super block errors: %d", ret);
++ }
+ return ret;
+ out:
+ scrub_workers_put(fs_info);
+--
+2.35.1
+
--- /dev/null
+From 72845648c29a262b9cfbbe0e1ac678db0bc6166d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 17:53:19 -0400
+Subject: btrfs: separate out the eb and extent state leak helpers
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit a40246e8afc0af3ffdee21854fb755c9364b8346 ]
+
+Currently we have the add/del functions generic so that we can use them
+for both extent buffers and extent states. We want to separate this
+code however, so separate these helpers into per-object helpers in
+anticipation of the split.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent_io.c | 58 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 38 insertions(+), 20 deletions(-)
+
+diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
+index cf4f19e80e2f..d9d254b59bd1 100644
+--- a/fs/btrfs/extent_io.c
++++ b/fs/btrfs/extent_io.c
+@@ -44,25 +44,42 @@ static inline bool extent_state_in_tree(const struct extent_state *state)
+ static LIST_HEAD(states);
+ static DEFINE_SPINLOCK(leak_lock);
+
+-static inline void btrfs_leak_debug_add(spinlock_t *lock,
+- struct list_head *new,
+- struct list_head *head)
++static inline void btrfs_leak_debug_add_eb(struct extent_buffer *eb)
++{
++ struct btrfs_fs_info *fs_info = eb->fs_info;
++ unsigned long flags;
++
++ spin_lock_irqsave(&fs_info->eb_leak_lock, flags);
++ list_add(&eb->leak_list, &fs_info->allocated_ebs);
++ spin_unlock_irqrestore(&fs_info->eb_leak_lock, flags);
++}
++
++static inline void btrfs_leak_debug_add_state(struct extent_state *state)
+ {
+ unsigned long flags;
+
+- spin_lock_irqsave(lock, flags);
+- list_add(new, head);
+- spin_unlock_irqrestore(lock, flags);
++ spin_lock_irqsave(&leak_lock, flags);
++ list_add(&state->leak_list, &states);
++ spin_unlock_irqrestore(&leak_lock, flags);
++}
++
++static inline void btrfs_leak_debug_del_eb(struct extent_buffer *eb)
++{
++ struct btrfs_fs_info *fs_info = eb->fs_info;
++ unsigned long flags;
++
++ spin_lock_irqsave(&fs_info->eb_leak_lock, flags);
++ list_del(&eb->leak_list);
++ spin_unlock_irqrestore(&fs_info->eb_leak_lock, flags);
+ }
+
+-static inline void btrfs_leak_debug_del(spinlock_t *lock,
+- struct list_head *entry)
++static inline void btrfs_leak_debug_del_state(struct extent_state *state)
+ {
+ unsigned long flags;
+
+- spin_lock_irqsave(lock, flags);
+- list_del(entry);
+- spin_unlock_irqrestore(lock, flags);
++ spin_lock_irqsave(&leak_lock, flags);
++ list_del(&state->leak_list);
++ spin_unlock_irqrestore(&leak_lock, flags);
+ }
+
+ void btrfs_extent_buffer_leak_debug_check(struct btrfs_fs_info *fs_info)
+@@ -126,9 +143,11 @@ static inline void __btrfs_debug_check_extent_io_range(const char *caller,
+ }
+ }
+ #else
+-#define btrfs_leak_debug_add(lock, new, head) do {} while (0)
+-#define btrfs_leak_debug_del(lock, entry) do {} while (0)
+-#define btrfs_extent_state_leak_debug_check() do {} while (0)
++#define btrfs_leak_debug_add_eb(eb) do {} while (0)
++#define btrfs_leak_debug_add_state(state) do {} while (0)
++#define btrfs_leak_debug_del_eb(eb) do {} while (0)
++#define btrfs_leak_debug_del_state(state) do {} while (0)
++#define btrfs_extent_state_leak_debug_check() do {} while (0)
+ #define btrfs_debug_check_extent_io_range(c, s, e) do {} while (0)
+ #endif
+
+@@ -353,7 +372,7 @@ static struct extent_state *alloc_extent_state(gfp_t mask)
+ state->state = 0;
+ state->failrec = NULL;
+ RB_CLEAR_NODE(&state->rb_node);
+- btrfs_leak_debug_add(&leak_lock, &state->leak_list, &states);
++ btrfs_leak_debug_add_state(state);
+ refcount_set(&state->refs, 1);
+ init_waitqueue_head(&state->wq);
+ trace_alloc_extent_state(state, mask, _RET_IP_);
+@@ -366,7 +385,7 @@ void free_extent_state(struct extent_state *state)
+ return;
+ if (refcount_dec_and_test(&state->refs)) {
+ WARN_ON(extent_state_in_tree(state));
+- btrfs_leak_debug_del(&leak_lock, &state->leak_list);
++ btrfs_leak_debug_del_state(state);
+ trace_free_extent_state(state, _RET_IP_);
+ kmem_cache_free(extent_state_cache, state);
+ }
+@@ -5856,7 +5875,7 @@ static void btrfs_release_extent_buffer_pages(struct extent_buffer *eb)
+ static inline void btrfs_release_extent_buffer(struct extent_buffer *eb)
+ {
+ btrfs_release_extent_buffer_pages(eb);
+- btrfs_leak_debug_del(&eb->fs_info->eb_leak_lock, &eb->leak_list);
++ btrfs_leak_debug_del_eb(eb);
+ __free_extent_buffer(eb);
+ }
+
+@@ -5873,8 +5892,7 @@ __alloc_extent_buffer(struct btrfs_fs_info *fs_info, u64 start,
+ eb->bflags = 0;
+ init_rwsem(&eb->lock);
+
+- btrfs_leak_debug_add(&fs_info->eb_leak_lock, &eb->leak_list,
+- &fs_info->allocated_ebs);
++ btrfs_leak_debug_add_eb(eb);
+ INIT_LIST_HEAD(&eb->release_list);
+
+ spin_lock_init(&eb->refs_lock);
+@@ -6342,7 +6360,7 @@ static int release_extent_buffer(struct extent_buffer *eb)
+ spin_unlock(&eb->refs_lock);
+ }
+
+- btrfs_leak_debug_del(&eb->fs_info->eb_leak_lock, &eb->leak_list);
++ btrfs_leak_debug_del_eb(eb);
+ /* Should be safe to release our pages at this point */
+ btrfs_release_extent_buffer_pages(eb);
+ #ifdef CONFIG_BTRFS_FS_RUN_SANITY_TESTS
+--
+2.35.1
+
--- /dev/null
+From 5ad0f74461f6f4a6c941a0214ea50824075c8a48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 09:55:56 +0800
+Subject: can: bcm: check the result of can_send() in bcm_can_tx()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 3fd7bfd28cfd68ae80a2fe92ea1615722cc2ee6e ]
+
+If can_send() fail, it should not update frames_abs counter
+in bcm_can_tx(). Add the result check for can_send() in bcm_can_tx().
+
+Suggested-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Suggested-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Link: https://lore.kernel.org/all/9851878e74d6d37aee2f1ee76d68361a46f89458.1663206163.git.william.xuanziyang@huawei.com
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/bcm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index e60161bec850..f16271a7ae2e 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -274,6 +274,7 @@ static void bcm_can_tx(struct bcm_op *op)
+ struct sk_buff *skb;
+ struct net_device *dev;
+ struct canfd_frame *cf = op->frames + op->cfsiz * op->currframe;
++ int err;
+
+ /* no target device? => exit */
+ if (!op->ifindex)
+@@ -298,11 +299,11 @@ static void bcm_can_tx(struct bcm_op *op)
+ /* send with loopback */
+ skb->dev = dev;
+ can_skb_set_owner(skb, op->sk);
+- can_send(skb, 1);
++ err = can_send(skb, 1);
++ if (!err)
++ op->frames_abs++;
+
+- /* update statistics */
+ op->currframe++;
+- op->frames_abs++;
+
+ /* reached last frame? */
+ if (op->currframe >= op->nframes)
+--
+2.35.1
+
--- /dev/null
+From 8b891242bff602c5046eed9d740e3164ed349362 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Aug 2022 21:38:00 +0200
+Subject: can: rx-offload: can_rx_offload_init_queue(): fix typo
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 766108d91246530d31b42765046f7ec2d1e42581 ]
+
+Fix typo "rounted" -> "rounded".
+
+Link: https://lore.kernel.org/all/20220811093617.1861938-2-mkl@pengutronix.de
+Fixes: d254586c3453 ("can: rx-offload: Add support for HW fifo based irq offloading")
+Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/dev/rx-offload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/dev/rx-offload.c b/drivers/net/can/dev/rx-offload.c
+index a32a01c172d4..ad8eb243fe78 100644
+--- a/drivers/net/can/dev/rx-offload.c
++++ b/drivers/net/can/dev/rx-offload.c
+@@ -329,7 +329,7 @@ static int can_rx_offload_init_queue(struct net_device *dev,
+ {
+ offload->dev = dev;
+
+- /* Limit queue len to 4x the weight (rounted to next power of two) */
++ /* Limit queue len to 4x the weight (rounded to next power of two) */
+ offload->skb_queue_len_max = 2 << fls(weight);
+ offload->skb_queue_len_max *= 4;
+ skb_queue_head_init(&offload->skb_queue);
+--
+2.35.1
+
--- /dev/null
+From 782b31a48ac9ff0e3f4e4ac6a13777621d74977c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 16:57:36 -0400
+Subject: cgroup/cpuset: Enable update_tasks_cpumask() on top_cpuset
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit ec5fbdfb99d18482619ac42605cb80fbb56068ee ]
+
+Previously, update_tasks_cpumask() is not supposed to be called with
+top cpuset. With cpuset partition that takes CPUs away from the top
+cpuset, adjusting the cpus_mask of the tasks in the top cpuset is
+necessary. Percpu kthreads, however, are ignored.
+
+Fixes: ee8dde0cd2ce ("cpuset: Add new v2 cpuset.sched.partition flag")
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/cpuset.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
+index 1f3a55297f39..50bf837571ac 100644
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -33,6 +33,7 @@
+ #include <linux/interrupt.h>
+ #include <linux/kernel.h>
+ #include <linux/kmod.h>
++#include <linux/kthread.h>
+ #include <linux/list.h>
+ #include <linux/mempolicy.h>
+ #include <linux/mm.h>
+@@ -1127,10 +1128,18 @@ static void update_tasks_cpumask(struct cpuset *cs)
+ {
+ struct css_task_iter it;
+ struct task_struct *task;
++ bool top_cs = cs == &top_cpuset;
+
+ css_task_iter_start(&cs->css, 0, &it);
+- while ((task = css_task_iter_next(&it)))
++ while ((task = css_task_iter_next(&it))) {
++ /*
++ * Percpu kthreads in top_cpuset are ignored
++ */
++ if (top_cs && (task->flags & PF_KTHREAD) &&
++ kthread_is_per_cpu(task))
++ continue;
+ set_cpus_allowed_ptr(task, cs->effective_cpus);
++ }
+ css_task_iter_end(&it);
+ }
+
+@@ -2092,12 +2101,7 @@ static int update_prstate(struct cpuset *cs, int new_prs)
+ update_flag(CS_CPU_EXCLUSIVE, cs, 0);
+ }
+
+- /*
+- * Update cpumask of parent's tasks except when it is the top
+- * cpuset as some system daemons cannot be mapped to other CPUs.
+- */
+- if (parent != &top_cpuset)
+- update_tasks_cpumask(parent);
++ update_tasks_cpumask(parent);
+
+ if (parent->child_ecpus_count)
+ update_sibling_cpumasks(parent, cs, &tmpmask);
+--
+2.35.1
+
--- /dev/null
+From da21919d14e66271230c4da5bd61c43353c07b8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 18:52:35 +0200
+Subject: cgroup: Honor caller's cgroup NS when resolving path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Koutný <mkoutny@suse.com>
+
+[ Upstream commit 74e4b956eb1cac0e4c10c240339b1bbfbc9a4c48 ]
+
+cgroup_get_from_path() is not widely used function. Its callers presume
+the path is resolved under cgroup namespace. (There is one caller
+currently and resolving in init NS won't make harm (netfilter). However,
+future users may be subject to different effects when resolving
+globally.)
+Since, there's currently no use for the global resolution, modify the
+existing function to take cgroup NS into account.
+
+Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces")
+Signed-off-by: Michal Koutný <mkoutny@suse.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/cgroup.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index 5f2090d051ac..29296a6374ef 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -6638,8 +6638,12 @@ struct cgroup *cgroup_get_from_path(const char *path)
+ {
+ struct kernfs_node *kn;
+ struct cgroup *cgrp = ERR_PTR(-ENOENT);
++ struct cgroup *root_cgrp;
+
+- kn = kernfs_walk_and_get(cgrp_dfl_root.cgrp.kn, path);
++ spin_lock_irq(&css_set_lock);
++ root_cgrp = current_cgns_cgroup_from_root(&cgrp_dfl_root);
++ kn = kernfs_walk_and_get(root_cgrp->kn, path);
++ spin_unlock_irq(&css_set_lock);
+ if (!kn)
+ goto out;
+
+--
+2.35.1
+
--- /dev/null
+From e946e793ba9337f012505e8c1a0833dd55090053 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 20:57:05 -0300
+Subject: cifs: return correct error in ->calc_signature()
+
+From: Enzo Matsumiya <ematsumiya@suse.de>
+
+[ Upstream commit 09a1f9a168ae1f69f701689429871793174417d2 ]
+
+If an error happens while getting the key or session in the
+->calc_signature implementations, 0 (success) is returned. Fix it by
+returning a proper error code.
+
+Since it seems to be highly unlikely to happen wrap the rc check in
+unlikely() too.
+
+Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Fixes: 32811d242ff6 ("cifs: Start using per session key for smb2/3 for signature generation")
+Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2transport.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/cifs/smb2transport.c b/fs/cifs/smb2transport.c
+index 1a5fc3314dbf..4640fc4a8b13 100644
+--- a/fs/cifs/smb2transport.c
++++ b/fs/cifs/smb2transport.c
+@@ -225,9 +225,9 @@ smb2_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server,
+ struct smb_rqst drqst;
+
+ ses = smb2_find_smb_ses(server, le64_to_cpu(shdr->SessionId));
+- if (!ses) {
++ if (unlikely(!ses)) {
+ cifs_server_dbg(VFS, "%s: Could not find session\n", __func__);
+- return 0;
++ return -ENOENT;
+ }
+
+ memset(smb2_signature, 0x0, SMB2_HMACSHA256_SIZE);
+@@ -557,8 +557,10 @@ smb3_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server,
+ u8 key[SMB3_SIGN_KEY_SIZE];
+
+ rc = smb2_get_sign_key(le64_to_cpu(shdr->SessionId), server, key);
+- if (rc)
+- return 0;
++ if (unlikely(rc)) {
++ cifs_server_dbg(VFS, "%s: Could not get signing key\n", __func__);
++ return rc;
++ }
+
+ if (allocate_crypto) {
+ rc = cifs_alloc_hash("cmac(aes)", &hash, &sdesc);
+--
+2.35.1
+
--- /dev/null
+From cf273fdb632637d71b29c60dc5a48df5b548325c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Apr 2022 13:34:26 +0930
+Subject: clk: ast2600: BCLK comes from EPLL
+
+From: Joel Stanley <joel@jms.id.au>
+
+[ Upstream commit b8c1dc9c00b252b3be853720a71b05ed451ddd9f ]
+
+This correction was made in the u-boot SDK recently. There are no
+in-tree users of this clock so the impact is minimal.
+
+Fixes: d3d04f6c330a ("clk: Add support for AST2600 SoC")
+Link: https://github.com/AspeedTech-BMC/u-boot/commit/8ad54a5ae15f27fea5e894cc2539a20d90019717
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Link: https://lore.kernel.org/r/20220421040426.171256-1-joel@jms.id.au
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-ast2600.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/clk-ast2600.c b/drivers/clk/clk-ast2600.c
+index 24dab2312bc6..9c3305bcb27a 100644
+--- a/drivers/clk/clk-ast2600.c
++++ b/drivers/clk/clk-ast2600.c
+@@ -622,7 +622,7 @@ static int aspeed_g6_clk_probe(struct platform_device *pdev)
+ regmap_write(map, 0x308, 0x12000); /* 3x3 = 9 */
+
+ /* P-Bus (BCLK) clock divider */
+- hw = clk_hw_register_divider_table(dev, "bclk", "hpll", 0,
++ hw = clk_hw_register_divider_table(dev, "bclk", "epll", 0,
+ scu_g6_base + ASPEED_G6_CLK_SELECTION1, 20, 3, 0,
+ ast2600_div_table,
+ &aspeed_g6_clk_lock);
+--
+2.35.1
+
--- /dev/null
+From 6dbdd1c028b9ad1fe802a7b4d19bcfa25a26cc91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 01:53:58 +0300
+Subject: clk: baikal-t1: Add SATA internal ref clock buffer
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit 081a9b7c74eae4e12b2cb1b86720f836a8f29247 ]
+
+It turns out the internal SATA reference clock signal will stay
+unavailable for the SATA interface consumer until the buffer on it's way
+is ungated. So aside with having the actual clock divider enabled we need
+to ungate a buffer placed on the signal way to the SATA controller (most
+likely some rudiment from the initial SoC release). Seeing the switch flag
+is placed in the same register as the SATA-ref clock divider at a
+non-standard ffset, let's implement it as a separate clock controller with
+the set-rate propagation to the parental clock divider wrapper. As such
+we'll be able to disable/enable and still change the original clock source
+rate.
+
+Fixes: 353afa3a8d2e ("clk: Add Baikal-T1 CCU Dividers driver")
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Link: https://lore.kernel.org/r/20220929225402.9696-5-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/baikal-t1/ccu-div.c | 64 +++++++++++++++++++++++++++++
+ drivers/clk/baikal-t1/ccu-div.h | 4 ++
+ drivers/clk/baikal-t1/clk-ccu-div.c | 18 +++++++-
+ 3 files changed, 85 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/baikal-t1/ccu-div.c b/drivers/clk/baikal-t1/ccu-div.c
+index bbfa3526ee10..a6642f3d33d4 100644
+--- a/drivers/clk/baikal-t1/ccu-div.c
++++ b/drivers/clk/baikal-t1/ccu-div.c
+@@ -34,6 +34,7 @@
+ #define CCU_DIV_CTL_CLKDIV_MASK(_width) \
+ GENMASK((_width) + CCU_DIV_CTL_CLKDIV_FLD - 1, CCU_DIV_CTL_CLKDIV_FLD)
+ #define CCU_DIV_CTL_LOCK_SHIFTED BIT(27)
++#define CCU_DIV_CTL_GATE_REF_BUF BIT(28)
+ #define CCU_DIV_CTL_LOCK_NORMAL BIT(31)
+
+ #define CCU_DIV_RST_DELAY_US 1
+@@ -170,6 +171,40 @@ static int ccu_div_gate_is_enabled(struct clk_hw *hw)
+ return !!(val & CCU_DIV_CTL_EN);
+ }
+
++static int ccu_div_buf_enable(struct clk_hw *hw)
++{
++ struct ccu_div *div = to_ccu_div(hw);
++ unsigned long flags;
++
++ spin_lock_irqsave(&div->lock, flags);
++ regmap_update_bits(div->sys_regs, div->reg_ctl,
++ CCU_DIV_CTL_GATE_REF_BUF, 0);
++ spin_unlock_irqrestore(&div->lock, flags);
++
++ return 0;
++}
++
++static void ccu_div_buf_disable(struct clk_hw *hw)
++{
++ struct ccu_div *div = to_ccu_div(hw);
++ unsigned long flags;
++
++ spin_lock_irqsave(&div->lock, flags);
++ regmap_update_bits(div->sys_regs, div->reg_ctl,
++ CCU_DIV_CTL_GATE_REF_BUF, CCU_DIV_CTL_GATE_REF_BUF);
++ spin_unlock_irqrestore(&div->lock, flags);
++}
++
++static int ccu_div_buf_is_enabled(struct clk_hw *hw)
++{
++ struct ccu_div *div = to_ccu_div(hw);
++ u32 val = 0;
++
++ regmap_read(div->sys_regs, div->reg_ctl, &val);
++
++ return !(val & CCU_DIV_CTL_GATE_REF_BUF);
++}
++
+ static unsigned long ccu_div_var_recalc_rate(struct clk_hw *hw,
+ unsigned long parent_rate)
+ {
+@@ -323,6 +358,7 @@ static const struct ccu_div_dbgfs_bit ccu_div_bits[] = {
+ CCU_DIV_DBGFS_BIT_ATTR("div_en", CCU_DIV_CTL_EN),
+ CCU_DIV_DBGFS_BIT_ATTR("div_rst", CCU_DIV_CTL_RST),
+ CCU_DIV_DBGFS_BIT_ATTR("div_bypass", CCU_DIV_CTL_SET_CLKDIV),
++ CCU_DIV_DBGFS_BIT_ATTR("div_buf", CCU_DIV_CTL_GATE_REF_BUF),
+ CCU_DIV_DBGFS_BIT_ATTR("div_lock", CCU_DIV_CTL_LOCK_NORMAL)
+ };
+
+@@ -441,6 +477,9 @@ static void ccu_div_var_debug_init(struct clk_hw *hw, struct dentry *dentry)
+ continue;
+ }
+
++ if (!strcmp("div_buf", name))
++ continue;
++
+ bits[didx] = ccu_div_bits[bidx];
+ bits[didx].div = div;
+
+@@ -477,6 +516,21 @@ static void ccu_div_gate_debug_init(struct clk_hw *hw, struct dentry *dentry)
+ &ccu_div_dbgfs_fixed_clkdiv_fops);
+ }
+
++static void ccu_div_buf_debug_init(struct clk_hw *hw, struct dentry *dentry)
++{
++ struct ccu_div *div = to_ccu_div(hw);
++ struct ccu_div_dbgfs_bit *bit;
++
++ bit = kmalloc(sizeof(*bit), GFP_KERNEL);
++ if (!bit)
++ return;
++
++ *bit = ccu_div_bits[3];
++ bit->div = div;
++ debugfs_create_file_unsafe(bit->name, ccu_div_dbgfs_mode, dentry, bit,
++ &ccu_div_dbgfs_bit_fops);
++}
++
+ static void ccu_div_fixed_debug_init(struct clk_hw *hw, struct dentry *dentry)
+ {
+ struct ccu_div *div = to_ccu_div(hw);
+@@ -489,6 +543,7 @@ static void ccu_div_fixed_debug_init(struct clk_hw *hw, struct dentry *dentry)
+
+ #define ccu_div_var_debug_init NULL
+ #define ccu_div_gate_debug_init NULL
++#define ccu_div_buf_debug_init NULL
+ #define ccu_div_fixed_debug_init NULL
+
+ #endif /* !CONFIG_DEBUG_FS */
+@@ -520,6 +575,13 @@ static const struct clk_ops ccu_div_gate_ops = {
+ .debug_init = ccu_div_gate_debug_init
+ };
+
++static const struct clk_ops ccu_div_buf_ops = {
++ .enable = ccu_div_buf_enable,
++ .disable = ccu_div_buf_disable,
++ .is_enabled = ccu_div_buf_is_enabled,
++ .debug_init = ccu_div_buf_debug_init
++};
++
+ static const struct clk_ops ccu_div_fixed_ops = {
+ .recalc_rate = ccu_div_fixed_recalc_rate,
+ .round_rate = ccu_div_fixed_round_rate,
+@@ -566,6 +628,8 @@ struct ccu_div *ccu_div_hw_register(const struct ccu_div_init_data *div_init)
+ } else if (div_init->type == CCU_DIV_GATE) {
+ hw_init.ops = &ccu_div_gate_ops;
+ div->divider = div_init->divider;
++ } else if (div_init->type == CCU_DIV_BUF) {
++ hw_init.ops = &ccu_div_buf_ops;
+ } else if (div_init->type == CCU_DIV_FIXED) {
+ hw_init.ops = &ccu_div_fixed_ops;
+ div->divider = div_init->divider;
+diff --git a/drivers/clk/baikal-t1/ccu-div.h b/drivers/clk/baikal-t1/ccu-div.h
+index b6a9c8e45318..4eb49ff4803c 100644
+--- a/drivers/clk/baikal-t1/ccu-div.h
++++ b/drivers/clk/baikal-t1/ccu-div.h
+@@ -15,8 +15,10 @@
+
+ /*
+ * CCU Divider private clock IDs
++ * @CCU_SYS_SATA_CLK: CCU SATA internal clock
+ * @CCU_SYS_XGMAC_CLK: CCU XGMAC internal clock
+ */
++#define CCU_SYS_SATA_CLK -1
+ #define CCU_SYS_XGMAC_CLK -2
+
+ /*
+@@ -37,11 +39,13 @@
+ * enum ccu_div_type - CCU Divider types
+ * @CCU_DIV_VAR: Clocks gate with variable divider.
+ * @CCU_DIV_GATE: Clocks gate with fixed divider.
++ * @CCU_DIV_BUF: Clock gate with no divider.
+ * @CCU_DIV_FIXED: Ungateable clock with fixed divider.
+ */
+ enum ccu_div_type {
+ CCU_DIV_VAR,
+ CCU_DIV_GATE,
++ CCU_DIV_BUF,
+ CCU_DIV_FIXED
+ };
+
+diff --git a/drivers/clk/baikal-t1/clk-ccu-div.c b/drivers/clk/baikal-t1/clk-ccu-div.c
+index 3953ae5664be..90f4fda406ee 100644
+--- a/drivers/clk/baikal-t1/clk-ccu-div.c
++++ b/drivers/clk/baikal-t1/clk-ccu-div.c
+@@ -76,6 +76,16 @@
+ .divider = _divider \
+ }
+
++#define CCU_DIV_BUF_INFO(_id, _name, _pname, _base, _flags) \
++ { \
++ .id = _id, \
++ .name = _name, \
++ .parent_name = _pname, \
++ .base = _base, \
++ .type = CCU_DIV_BUF, \
++ .flags = _flags \
++ }
++
+ #define CCU_DIV_FIXED_INFO(_id, _name, _pname, _divider) \
+ { \
+ .id = _id, \
+@@ -188,11 +198,14 @@ static const struct ccu_div_rst_map axi_rst_map[] = {
+ * for the SoC devices registers IO-operations.
+ */
+ static const struct ccu_div_info sys_info[] = {
+- CCU_DIV_VAR_INFO(CCU_SYS_SATA_REF_CLK, "sys_sata_ref_clk",
++ CCU_DIV_VAR_INFO(CCU_SYS_SATA_CLK, "sys_sata_clk",
+ "sata_clk", CCU_SYS_SATA_REF_BASE, 4,
+ CLK_SET_RATE_GATE,
+ CCU_DIV_SKIP_ONE | CCU_DIV_LOCK_SHIFTED |
+ CCU_DIV_RESET_DOMAIN),
++ CCU_DIV_BUF_INFO(CCU_SYS_SATA_REF_CLK, "sys_sata_ref_clk",
++ "sys_sata_clk", CCU_SYS_SATA_REF_BASE,
++ CLK_SET_RATE_PARENT),
+ CCU_DIV_VAR_INFO(CCU_SYS_APB_CLK, "sys_apb_clk",
+ "pcie_clk", CCU_SYS_APB_BASE, 5,
+ CLK_IS_CRITICAL, CCU_DIV_RESET_DOMAIN),
+@@ -398,6 +411,9 @@ static int ccu_div_clk_register(struct ccu_div_data *data)
+ init.base = info->base;
+ init.sys_regs = data->sys_regs;
+ init.divider = info->divider;
++ } else if (init.type == CCU_DIV_BUF) {
++ init.base = info->base;
++ init.sys_regs = data->sys_regs;
+ } else {
+ init.divider = info->divider;
+ }
+--
+2.35.1
+
--- /dev/null
+From 476c68e2512c917715aeefa47cab8fd7ff8765bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 01:53:57 +0300
+Subject: clk: baikal-t1: Add shared xGMAC ref/ptp clocks internal parent
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit e2eef312762e0b5a5a70d29fe59a245c0a3cffa0 ]
+
+Baikal-T1 CCU reference manual says that both xGMAC reference and xGMAC
+PTP clocks are generated by two different wrappers with the same constant
+divider thus each producing a 156.25 MHz signal. But for some reason both
+of these clock sources are gated by a single switch-flag in the CCU
+registers space - CCU_SYS_XGMAC_BASE.BIT(0). In order to make the clocks
+handled independently we need to define a shared parental gate so the base
+clock signal would be switched off only if both of the child-clocks are
+disabled.
+
+Note the ID is intentionally set to -2 since we are going to add a one
+more internal clock identifier in the next commit.
+
+Fixes: 353afa3a8d2e ("clk: Add Baikal-T1 CCU Dividers driver")
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Link: https://lore.kernel.org/r/20220929225402.9696-4-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/baikal-t1/ccu-div.c | 1 +
+ drivers/clk/baikal-t1/ccu-div.h | 6 ++++++
+ drivers/clk/baikal-t1/clk-ccu-div.c | 8 +++++---
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/baikal-t1/ccu-div.c b/drivers/clk/baikal-t1/ccu-div.c
+index 4062092d67f9..bbfa3526ee10 100644
+--- a/drivers/clk/baikal-t1/ccu-div.c
++++ b/drivers/clk/baikal-t1/ccu-div.c
+@@ -579,6 +579,7 @@ struct ccu_div *ccu_div_hw_register(const struct ccu_div_init_data *div_init)
+ goto err_free_div;
+ }
+ parent_data.fw_name = div_init->parent_name;
++ parent_data.name = div_init->parent_name;
+ hw_init.parent_data = &parent_data;
+ hw_init.num_parents = 1;
+
+diff --git a/drivers/clk/baikal-t1/ccu-div.h b/drivers/clk/baikal-t1/ccu-div.h
+index 795665caefbd..b6a9c8e45318 100644
+--- a/drivers/clk/baikal-t1/ccu-div.h
++++ b/drivers/clk/baikal-t1/ccu-div.h
+@@ -13,6 +13,12 @@
+ #include <linux/bits.h>
+ #include <linux/of.h>
+
++/*
++ * CCU Divider private clock IDs
++ * @CCU_SYS_XGMAC_CLK: CCU XGMAC internal clock
++ */
++#define CCU_SYS_XGMAC_CLK -2
++
+ /*
+ * CCU Divider private flags
+ * @CCU_DIV_SKIP_ONE: Due to some reason divider can't be set to 1.
+diff --git a/drivers/clk/baikal-t1/clk-ccu-div.c b/drivers/clk/baikal-t1/clk-ccu-div.c
+index ea77eec40ddd..3953ae5664be 100644
+--- a/drivers/clk/baikal-t1/clk-ccu-div.c
++++ b/drivers/clk/baikal-t1/clk-ccu-div.c
+@@ -204,10 +204,12 @@ static const struct ccu_div_info sys_info[] = {
+ "eth_clk", CCU_SYS_GMAC1_BASE, 5),
+ CCU_DIV_FIXED_INFO(CCU_SYS_GMAC1_PTP_CLK, "sys_gmac1_ptp_clk",
+ "eth_clk", 10),
+- CCU_DIV_GATE_INFO(CCU_SYS_XGMAC_REF_CLK, "sys_xgmac_ref_clk",
+- "eth_clk", CCU_SYS_XGMAC_BASE, 8),
++ CCU_DIV_GATE_INFO(CCU_SYS_XGMAC_CLK, "sys_xgmac_clk",
++ "eth_clk", CCU_SYS_XGMAC_BASE, 1),
++ CCU_DIV_FIXED_INFO(CCU_SYS_XGMAC_REF_CLK, "sys_xgmac_ref_clk",
++ "sys_xgmac_clk", 8),
+ CCU_DIV_FIXED_INFO(CCU_SYS_XGMAC_PTP_CLK, "sys_xgmac_ptp_clk",
+- "eth_clk", 8),
++ "sys_xgmac_clk", 8),
+ CCU_DIV_GATE_INFO(CCU_SYS_USB_CLK, "sys_usb_clk",
+ "eth_clk", CCU_SYS_USB_BASE, 10),
+ CCU_DIV_VAR_INFO(CCU_SYS_PVT_CLK, "sys_pvt_clk",
+--
+2.35.1
+
--- /dev/null
+From e404e0f4e18fa9b30560b52a8166de464ae8b5f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 01:53:56 +0300
+Subject: clk: baikal-t1: Fix invalid xGMAC PTP clock divider
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit 3c742088686ce922704aec5b11d09bcc5a396589 ]
+
+Most likely due to copy-paste mistake the divider has been set to 10 while
+according to the SoC reference manual it's supposed to be 8 thus having
+PTP clock frequency of 156.25 MHz.
+
+Fixes: 353afa3a8d2e ("clk: Add Baikal-T1 CCU Dividers driver")
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Link: https://lore.kernel.org/r/20220929225402.9696-3-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/baikal-t1/clk-ccu-div.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/baikal-t1/clk-ccu-div.c b/drivers/clk/baikal-t1/clk-ccu-div.c
+index f141fda12b09..ea77eec40ddd 100644
+--- a/drivers/clk/baikal-t1/clk-ccu-div.c
++++ b/drivers/clk/baikal-t1/clk-ccu-div.c
+@@ -207,7 +207,7 @@ static const struct ccu_div_info sys_info[] = {
+ CCU_DIV_GATE_INFO(CCU_SYS_XGMAC_REF_CLK, "sys_xgmac_ref_clk",
+ "eth_clk", CCU_SYS_XGMAC_BASE, 8),
+ CCU_DIV_FIXED_INFO(CCU_SYS_XGMAC_PTP_CLK, "sys_xgmac_ptp_clk",
+- "eth_clk", 10),
++ "eth_clk", 8),
+ CCU_DIV_GATE_INFO(CCU_SYS_USB_CLK, "sys_usb_clk",
+ "eth_clk", CCU_SYS_USB_BASE, 10),
+ CCU_DIV_VAR_INFO(CCU_SYS_PVT_CLK, "sys_pvt_clk",
+--
+2.35.1
+
--- /dev/null
+From de296f658b9076d91fd6655335ffd5d7b9218eeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Sep 2022 16:10:37 +0200
+Subject: clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit 0b919a3728691c172312dee99ba654055ccd8c84 ]
+
+The return value of bcm2835_clock_rate_from_divisor is always unsigned
+and also all caller expect this. So fix the declaration accordingly.
+
+Fixes: 41691b8862e2 ("clk: bcm2835: Add support for programming the audio domain clocks")
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Link: https://lore.kernel.org/r/20220904141037.38816-1-stefan.wahren@i2se.com
+Reviewed-by: Ivan T. Ivanov <iivanov@suse.de>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/bcm/clk-bcm2835.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c
+index 19de0e83b65d..f1102b4c7e88 100644
+--- a/drivers/clk/bcm/clk-bcm2835.c
++++ b/drivers/clk/bcm/clk-bcm2835.c
+@@ -966,9 +966,9 @@ static u32 bcm2835_clock_choose_div(struct clk_hw *hw,
+ return div;
+ }
+
+-static long bcm2835_clock_rate_from_divisor(struct bcm2835_clock *clock,
+- unsigned long parent_rate,
+- u32 div)
++static unsigned long bcm2835_clock_rate_from_divisor(struct bcm2835_clock *clock,
++ unsigned long parent_rate,
++ u32 div)
+ {
+ const struct bcm2835_clock_data *data = clock->data;
+ u64 temp;
+--
+2.35.1
+
--- /dev/null
+From b46a1e053268e5d2f65a7f0f84c68f9be452f8c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 10:45:09 +0200
+Subject: clk: bcm2835: Make peripheral PLLC critical
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 6c5422851d8be8c7451e968fd2e6da41b6109e17 ]
+
+When testing for a series affecting the VEC, it was discovered that
+turning off and on the VEC clock is crashing the system.
+
+It turns out that, when disabling the VEC clock, it's the only child of
+the PLLC-per clock which will also get disabled. The source of the crash
+is PLLC-per being disabled.
+
+It's likely that some other device might not take a clock reference that
+it actually needs, but it's unclear which at this point. Let's make
+PLLC-per critical so that we don't have that crash.
+
+Reported-by: Noralf Trønnes <noralf@tronnes.org>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://lore.kernel.org/r/20220926084509.12233-1-maxime@cerno.tech
+Reviewed-by: Stefan Wahren <stefan.wahren@i2se.com>
+Acked-by: Noralf Trønnes <noralf@tronnes.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Stable-dep-of: 0b919a372869 ("clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/bcm/clk-bcm2835.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c
+index 48a1eb9f2d55..19de0e83b65d 100644
+--- a/drivers/clk/bcm/clk-bcm2835.c
++++ b/drivers/clk/bcm/clk-bcm2835.c
+@@ -1784,7 +1784,7 @@ static const struct bcm2835_clk_desc clk_desc_array[] = {
+ .load_mask = CM_PLLC_LOADPER,
+ .hold_mask = CM_PLLC_HOLDPER,
+ .fixed_divider = 1,
+- .flags = CLK_SET_RATE_PARENT),
++ .flags = CLK_IS_CRITICAL | CLK_SET_RATE_PARENT),
+
+ /*
+ * PLLD is the display PLL, used to drive DSI display panels.
+--
+2.35.1
+
--- /dev/null
+From 232206a3097c08c00f9567cb86c39f415b269b62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 11:13:04 +0300
+Subject: clk: bcm2835: Round UART input clock up
+
+From: Ivan T. Ivanov <iivanov@suse.de>
+
+[ Upstream commit f690a4d7a8f66430662975511c86819dc9965bcc ]
+
+It was reported that RPi3[1] and RPi Zero 2W boards have issues with
+the Bluetooth. It turns out that when switching from initial to
+operation speed host and device no longer can talk each other because
+host uses incorrect UART baud rate.
+
+The UART driver used in this case is amba-pl011. Original fix, see
+below Github link[2], was inside pl011 module, but somehow it didn't
+look as the right place to fix. Beside that this original rounding
+function is not exactly perfect for all possible clock values. So I
+deiced to move the hack to the platform which actually need it.
+
+The UART clock is initialised to be as close to the requested
+frequency as possible without exceeding it. Now that there is a
+clock manager that returns the actual frequencies, an expected
+48MHz clock is reported as 47999625. If the requested baud rate
+== requested clock/16, there is no headroom and the slight
+reduction in actual clock rate results in failure.
+
+If increasing a clock by less than 0.1% changes it from ..999..
+to ..000.., round it up.
+
+[1] https://bugzilla.suse.com/show_bug.cgi?id=1188238
+[2] https://github.com/raspberrypi/linux/commit/ab3f1b39537f6d3825b8873006fbe2fc5ff057b7
+
+Cc: Phil Elwell <phil@raspberrypi.com>
+Signed-off-by: Ivan T. Ivanov <iivanov@suse.de>
+Reviewed-by: Stefan Wahren <stefan.wahren@i2se.com>
+Link: https://lore.kernel.org/r/20220912081306.24662-1-iivanov@suse.de
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/bcm/clk-bcm2835.c | 35 +++++++++++++++++++++++++++++++++--
+ 1 file changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c
+index f1102b4c7e88..e74fe6219d14 100644
+--- a/drivers/clk/bcm/clk-bcm2835.c
++++ b/drivers/clk/bcm/clk-bcm2835.c
+@@ -30,6 +30,7 @@
+ #include <linux/debugfs.h>
+ #include <linux/delay.h>
+ #include <linux/io.h>
++#include <linux/math.h>
+ #include <linux/module.h>
+ #include <linux/of_device.h>
+ #include <linux/platform_device.h>
+@@ -502,6 +503,8 @@ struct bcm2835_clock_data {
+ bool low_jitter;
+
+ u32 tcnt_mux;
++
++ bool round_up;
+ };
+
+ struct bcm2835_gate_data {
+@@ -993,12 +996,34 @@ static unsigned long bcm2835_clock_rate_from_divisor(struct bcm2835_clock *clock
+ return temp;
+ }
+
++static unsigned long bcm2835_round_rate(unsigned long rate)
++{
++ unsigned long scaler;
++ unsigned long limit;
++
++ limit = rate / 100000;
++
++ scaler = 1;
++ while (scaler < limit)
++ scaler *= 10;
++
++ /*
++ * If increasing a clock by less than 0.1% changes it
++ * from ..999.. to ..000.., round up.
++ */
++ if ((rate + scaler - 1) / scaler % 1000 == 0)
++ rate = roundup(rate, scaler);
++
++ return rate;
++}
++
+ static unsigned long bcm2835_clock_get_rate(struct clk_hw *hw,
+ unsigned long parent_rate)
+ {
+ struct bcm2835_clock *clock = bcm2835_clock_from_hw(hw);
+ struct bcm2835_cprman *cprman = clock->cprman;
+ const struct bcm2835_clock_data *data = clock->data;
++ unsigned long rate;
+ u32 div;
+
+ if (data->int_bits == 0 && data->frac_bits == 0)
+@@ -1006,7 +1031,12 @@ static unsigned long bcm2835_clock_get_rate(struct clk_hw *hw,
+
+ div = cprman_read(cprman, data->div_reg);
+
+- return bcm2835_clock_rate_from_divisor(clock, parent_rate, div);
++ rate = bcm2835_clock_rate_from_divisor(clock, parent_rate, div);
++
++ if (data->round_up)
++ rate = bcm2835_round_rate(rate);
++
++ return rate;
+ }
+
+ static void bcm2835_clock_wait_busy(struct bcm2835_clock *clock)
+@@ -2143,7 +2173,8 @@ static const struct bcm2835_clk_desc clk_desc_array[] = {
+ .div_reg = CM_UARTDIV,
+ .int_bits = 10,
+ .frac_bits = 12,
+- .tcnt_mux = 28),
++ .tcnt_mux = 28,
++ .round_up = true),
+
+ /* TV encoder clock. Only operating frequency is 108Mhz. */
+ [BCM2835_CLOCK_VEC] = REGISTER_PER_CLK(
+--
+2.35.1
+
--- /dev/null
+From 1ddcbf5f41cbeaabe5280ad1dd010a804c07a2dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Jul 2022 16:49:00 +0800
+Subject: clk: berlin: Add of_node_put() for of_get_parent()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 37c381b812dcbfde9c3f1f3d3e75fdfc1b40d5bc ]
+
+In berlin2_clock_setup() and berlin2q_clock_setup(), we need to
+call of_node_put() for the reference returned by of_get_parent()
+which has increased the refcount. We should call *_put() in fail
+path or when it is not used anymore.
+
+Fixes: 26b3b6b959b2 ("clk: berlin: prepare simple-mfd conversion")
+Signed-off-by: Liang He <windhl@126.com>
+Link: https://lore.kernel.org/r/20220708084900.311684-1-windhl@126.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/berlin/bg2.c | 5 ++++-
+ drivers/clk/berlin/bg2q.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/berlin/bg2.c b/drivers/clk/berlin/bg2.c
+index bccdfa00fd37..67a9edbba29c 100644
+--- a/drivers/clk/berlin/bg2.c
++++ b/drivers/clk/berlin/bg2.c
+@@ -500,12 +500,15 @@ static void __init berlin2_clock_setup(struct device_node *np)
+ int n, ret;
+
+ clk_data = kzalloc(struct_size(clk_data, hws, MAX_CLKS), GFP_KERNEL);
+- if (!clk_data)
++ if (!clk_data) {
++ of_node_put(parent_np);
+ return;
++ }
+ clk_data->num = MAX_CLKS;
+ hws = clk_data->hws;
+
+ gbase = of_iomap(parent_np, 0);
++ of_node_put(parent_np);
+ if (!gbase)
+ return;
+
+diff --git a/drivers/clk/berlin/bg2q.c b/drivers/clk/berlin/bg2q.c
+index e9518d35f262..dd2784bb75b6 100644
+--- a/drivers/clk/berlin/bg2q.c
++++ b/drivers/clk/berlin/bg2q.c
+@@ -286,19 +286,23 @@ static void __init berlin2q_clock_setup(struct device_node *np)
+ int n, ret;
+
+ clk_data = kzalloc(struct_size(clk_data, hws, MAX_CLKS), GFP_KERNEL);
+- if (!clk_data)
++ if (!clk_data) {
++ of_node_put(parent_np);
+ return;
++ }
+ clk_data->num = MAX_CLKS;
+ hws = clk_data->hws;
+
+ gbase = of_iomap(parent_np, 0);
+ if (!gbase) {
++ of_node_put(parent_np);
+ pr_err("%pOF: Unable to map global base\n", np);
+ return;
+ }
+
+ /* BG2Q CPU PLL is not part of global registers */
+ cpupll_base = of_iomap(parent_np, 1);
++ of_node_put(parent_np);
+ if (!cpupll_base) {
+ pr_err("%pOF: Unable to map cpupll base\n", np);
+ iounmap(gbase);
+--
+2.35.1
+
--- /dev/null
+From fb1f3ada91a657538c12abc69e16b5ee1bc663e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Aug 2022 14:12:49 +0200
+Subject: clk: gcc-sc8280xp: keep PCIe power-domains always-on
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 12d2a4769380f0dc9ba6f827839869db2b81ef00 ]
+
+The Qualcomm PCIe driver does not yet implement suspend so to keep the
+PCIe power domains always-on for now to avoid crashing during resume.
+
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20220805121250.10347-2-johan+linaro@kernel.org
+Stable-dep-of: 5a6d30675d17 ("clk: qcom: gcc-msm8916: use ARRAY_SIZE instead of specifying num_parents")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-sc8280xp.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/clk/qcom/gcc-sc8280xp.c b/drivers/clk/qcom/gcc-sc8280xp.c
+index a2f3ffcc5849..eaeada42e13a 100644
+--- a/drivers/clk/qcom/gcc-sc8280xp.c
++++ b/drivers/clk/qcom/gcc-sc8280xp.c
+@@ -6768,6 +6768,10 @@ static struct gdsc pcie_1_tunnel_gdsc = {
+ .flags = VOTABLE,
+ };
+
++/*
++ * The Qualcomm PCIe driver does not yet implement suspend so to keep the
++ * PCIe power domains always-on for now.
++ */
+ static struct gdsc pcie_2a_gdsc = {
+ .gdscr = 0x9d004,
+ .collapse_ctrl = 0x52128,
+@@ -6776,7 +6780,7 @@ static struct gdsc pcie_2a_gdsc = {
+ .name = "pcie_2a_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+- .flags = VOTABLE,
++ .flags = VOTABLE | ALWAYS_ON,
+ };
+
+ static struct gdsc pcie_2b_gdsc = {
+@@ -6787,7 +6791,7 @@ static struct gdsc pcie_2b_gdsc = {
+ .name = "pcie_2b_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+- .flags = VOTABLE,
++ .flags = VOTABLE | ALWAYS_ON,
+ };
+
+ static struct gdsc pcie_3a_gdsc = {
+@@ -6798,7 +6802,7 @@ static struct gdsc pcie_3a_gdsc = {
+ .name = "pcie_3a_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+- .flags = VOTABLE,
++ .flags = VOTABLE | ALWAYS_ON,
+ };
+
+ static struct gdsc pcie_3b_gdsc = {
+@@ -6809,7 +6813,7 @@ static struct gdsc pcie_3b_gdsc = {
+ .name = "pcie_3b_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+- .flags = VOTABLE,
++ .flags = VOTABLE | ALWAYS_ON,
+ };
+
+ static struct gdsc pcie_4_gdsc = {
+@@ -6820,7 +6824,7 @@ static struct gdsc pcie_4_gdsc = {
+ .name = "pcie_4_gdsc",
+ },
+ .pwrsts = PWRSTS_OFF_ON,
+- .flags = VOTABLE,
++ .flags = VOTABLE | ALWAYS_ON,
+ };
+
+ static struct gdsc ufs_card_gdsc = {
+--
+2.35.1
+
--- /dev/null
+From 3b60e927dd1447d9ab0e1a1e5bb749410255c7de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Sep 2022 11:32:06 +0800
+Subject: clk: imx: scu: fix memleak on platform_device_add() fails
+
+From: Lin Yujun <linyujun809@huawei.com>
+
+[ Upstream commit 855ae87a2073ebf1b395e020de54fdf9ce7d166f ]
+
+No error handling is performed when platform_device_add()
+fails. Add error processing before return, and modified
+the return value.
+
+Fixes: 77d8f3068c63 ("clk: imx: scu: add two cells binding support")
+Signed-off-by: Lin Yujun <linyujun809@huawei.com>
+Link: https://lore.kernel.org/r/20220914033206.98046-1-linyujun809@huawei.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-scu.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/imx/clk-scu.c b/drivers/clk/imx/clk-scu.c
+index c56e406138db..1e6870f3671f 100644
+--- a/drivers/clk/imx/clk-scu.c
++++ b/drivers/clk/imx/clk-scu.c
+@@ -695,7 +695,11 @@ struct clk_hw *imx_clk_scu_alloc_dev(const char *name,
+ pr_warn("%s: failed to attached the power domain %d\n",
+ name, ret);
+
+- platform_device_add(pdev);
++ ret = platform_device_add(pdev);
++ if (ret) {
++ platform_device_put(pdev);
++ return ERR_PTR(ret);
++ }
+
+ /* For API backwards compatiblilty, simply return NULL for success */
+ return NULL;
+--
+2.35.1
+
--- /dev/null
+From 43a948b4edd5355f88c5be9dd39a7474e4205f92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Aug 2022 09:34:28 +0800
+Subject: clk: imx8mp: tune the order of enet_qos_root_clk
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit c68cd258a67730c24566b9688d7c134e67459ac6 ]
+
+The enet_qos_root_clk takes sim_enet_root_clk as parent. When
+registering enet_qos_root_clk, it will be put into clk orphan list,
+because sim_enet_root_clk is not ready.
+
+When sim_enet_root_clk is ready, clk_core_reparent_orphans_nolock will
+set enet_qos_root_clk parent to sim_enet_root_clk.
+
+Because CLK_OPS_PARENT_ENABLE is set, sim_enet_root_clk will be
+enabled and disabled during the enet_qos_root_clk reparent phase.
+
+All the above are correct. But with M7 booted early and using
+enet, M7 enet feature will be broken, because clk driver probe phase
+disable the needed clks, in case M7 firmware not configure
+sim_enet_root_clk.
+
+And tune the order would also save cpu cycles.
+
+Reviewed-by: Ye Li <ye.li@nxp.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Link: https://lore.kernel.org/r/20220815013428.476015-1-peng.fan@oss.nxp.com
+Stable-dep-of: 855ae87a2073 ("clk: imx: scu: fix memleak on platform_device_add() fails")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx8mp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/imx/clk-imx8mp.c b/drivers/clk/imx/clk-imx8mp.c
+index e89db568f5a8..652ae58c2735 100644
+--- a/drivers/clk/imx/clk-imx8mp.c
++++ b/drivers/clk/imx/clk-imx8mp.c
+@@ -665,8 +665,8 @@ static int imx8mp_clocks_probe(struct platform_device *pdev)
+ hws[IMX8MP_CLK_CAN1_ROOT] = imx_clk_hw_gate2("can1_root_clk", "can1", ccm_base + 0x4350, 0);
+ hws[IMX8MP_CLK_CAN2_ROOT] = imx_clk_hw_gate2("can2_root_clk", "can2", ccm_base + 0x4360, 0);
+ hws[IMX8MP_CLK_SDMA1_ROOT] = imx_clk_hw_gate4("sdma1_root_clk", "ipg_root", ccm_base + 0x43a0, 0);
+- hws[IMX8MP_CLK_ENET_QOS_ROOT] = imx_clk_hw_gate4("enet_qos_root_clk", "sim_enet_root_clk", ccm_base + 0x43b0, 0);
+ hws[IMX8MP_CLK_SIM_ENET_ROOT] = imx_clk_hw_gate4("sim_enet_root_clk", "enet_axi", ccm_base + 0x4400, 0);
++ hws[IMX8MP_CLK_ENET_QOS_ROOT] = imx_clk_hw_gate4("enet_qos_root_clk", "sim_enet_root_clk", ccm_base + 0x43b0, 0);
+ hws[IMX8MP_CLK_GPU2D_ROOT] = imx_clk_hw_gate4("gpu2d_root_clk", "gpu2d_core", ccm_base + 0x4450, 0);
+ hws[IMX8MP_CLK_GPU3D_ROOT] = imx_clk_hw_gate4("gpu3d_root_clk", "gpu3d_core", ccm_base + 0x4460, 0);
+ hws[IMX8MP_CLK_UART1_ROOT] = imx_clk_hw_gate4("uart1_root_clk", "uart1", ccm_base + 0x4490, 0);
+--
+2.35.1
+
--- /dev/null
+From 4c249b26fc9529bb39f905aac0e6c2c25761fab6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 12:11:23 +0200
+Subject: clk: mediatek: clk-mt8195-mfg: Reparent mfg_bg3d and propagate rate
+ changes
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit a5f7bf5458c2cf6730106e16a6373638a0e5ed1e ]
+
+The MFG_BG3D is a gate to enable/disable clock output to the GPU,
+but the actual output is decided by multiple muxes; in particular:
+mfg_ck_fast_ref muxes between "slow" (top_mfg_core_tmp) and
+"fast" (MFGPLL) clock, while top_mfg_core_tmp muxes between the
+26MHz clock and various system PLLs.
+
+The clock gate comes after all the muxes, so its parent is
+mfg_ck_fast_reg, not top_mfg_core_tmp.
+Reparent MFG_BG3D to the latter to match the hardware and add the
+CLK_SET_RATE_PARENT flag to it: this way we ensure propagating
+rate changes that are requested on MFG_BG3D along its entire clock
+tree.
+
+Fixes: 35016f10c0e5 ("clk: mediatek: Add MT8195 mfgcfg clock support")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Link: https://lore.kernel.org/r/20220927101128.44758-6-angelogioacchino.delregno@collabora.com
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/mediatek/clk-mt8195-mfg.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/mediatek/clk-mt8195-mfg.c b/drivers/clk/mediatek/clk-mt8195-mfg.c
+index 9411c556a5a9..c94cb71bd9b9 100644
+--- a/drivers/clk/mediatek/clk-mt8195-mfg.c
++++ b/drivers/clk/mediatek/clk-mt8195-mfg.c
+@@ -17,10 +17,12 @@ static const struct mtk_gate_regs mfg_cg_regs = {
+ };
+
+ #define GATE_MFG(_id, _name, _parent, _shift) \
+- GATE_MTK(_id, _name, _parent, &mfg_cg_regs, _shift, &mtk_clk_gate_ops_setclr)
++ GATE_MTK_FLAGS(_id, _name, _parent, &mfg_cg_regs, \
++ _shift, &mtk_clk_gate_ops_setclr, \
++ CLK_SET_RATE_PARENT)
+
+ static const struct mtk_gate mfg_clks[] = {
+- GATE_MFG(CLK_MFG_BG3D, "mfg_bg3d", "top_mfg_core_tmp", 0),
++ GATE_MFG(CLK_MFG_BG3D, "mfg_bg3d", "mfg_ck_fast_ref", 0),
+ };
+
+ static const struct mtk_clk_desc mfg_desc = {
+--
+2.35.1
+
--- /dev/null
+From b92aa1cf7dc0f19b4f84d33e866fadade008a6d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 15:32:55 -0400
+Subject: clk: mediatek: clk-mt8195-vdo0: Set rate on vdo0_dp_intf0_dp_intf's
+ parent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 3f0dadd230cc2630202a977fe52cd1dd7a7579a7 ]
+
+Add the CLK_SET_RATE_PARENT flag to the CLK_VDO0_DP_INTF0_DP_INTF
+clock: this is required to trigger clock source selection on
+CLK_TOP_EDP, while avoiding to manage the enablement of the former
+separately from the latter in the displayport driver.
+
+Fixes: 70282c90d4a2 ("clk: mediatek: Add MT8195 vdosys0 clock support")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Tested-by: Bo-Chen Chen <rex-bc.chen@mediatek.com>
+Reviewed-by: Bo-Chen Chen <rex-bc.chen@mediatek.com>
+Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+
+Link: https://lore.kernel.org/r/20220816193257.658487-2-nfraprado@collabora.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/mediatek/clk-mt8195-vdo0.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/mediatek/clk-mt8195-vdo0.c b/drivers/clk/mediatek/clk-mt8195-vdo0.c
+index 261a7f76dd3c..07b46bfd5040 100644
+--- a/drivers/clk/mediatek/clk-mt8195-vdo0.c
++++ b/drivers/clk/mediatek/clk-mt8195-vdo0.c
+@@ -37,6 +37,10 @@ static const struct mtk_gate_regs vdo0_2_cg_regs = {
+ #define GATE_VDO0_2(_id, _name, _parent, _shift) \
+ GATE_MTK(_id, _name, _parent, &vdo0_2_cg_regs, _shift, &mtk_clk_gate_ops_setclr)
+
++#define GATE_VDO0_2_FLAGS(_id, _name, _parent, _shift, _flags) \
++ GATE_MTK_FLAGS(_id, _name, _parent, &vdo0_2_cg_regs, _shift, \
++ &mtk_clk_gate_ops_setclr, _flags)
++
+ static const struct mtk_gate vdo0_clks[] = {
+ /* VDO0_0 */
+ GATE_VDO0_0(CLK_VDO0_DISP_OVL0, "vdo0_disp_ovl0", "top_vpp", 0),
+@@ -85,7 +89,8 @@ static const struct mtk_gate vdo0_clks[] = {
+ /* VDO0_2 */
+ GATE_VDO0_2(CLK_VDO0_DSI0_DSI, "vdo0_dsi0_dsi", "top_dsi_occ", 0),
+ GATE_VDO0_2(CLK_VDO0_DSI1_DSI, "vdo0_dsi1_dsi", "top_dsi_occ", 8),
+- GATE_VDO0_2(CLK_VDO0_DP_INTF0_DP_INTF, "vdo0_dp_intf0_dp_intf", "top_edp", 16),
++ GATE_VDO0_2_FLAGS(CLK_VDO0_DP_INTF0_DP_INTF, "vdo0_dp_intf0_dp_intf",
++ "top_edp", 16, CLK_SET_RATE_PARENT),
+ };
+
+ static int clk_mt8195_vdo0_probe(struct platform_device *pdev)
+--
+2.35.1
+
--- /dev/null
+From ad661699998f4ba6f3283ee486b3d43dca6270ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 15:32:56 -0400
+Subject: clk: mediatek: clk-mt8195-vdo1: Reparent and set rate on
+ vdo1_dpintf's parent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit f24d71feb206631116ff9adaa6d43650c5dd8849 ]
+
+Like it was done for the vdo0_dp_intf0_dp_intf clock (used for eDP),
+add the CLK_SET_RATE_PARENT flag to CLK_VDO1_DPINTF (used for DP)
+and also fix its parent clock name as it has to be "top_dp" for two
+reasons:
+ - This is its real parent!
+ - Likewise to eDP/VDO0 counterpart, we need clock source
+ selection on CLK_TOP_DP.
+
+Fixes: 269987505ba9 ("clk: mediatek: Add MT8195 vdosys1 clock support")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Tested-by: Bo-Chen Chen <rex-bc.chen@mediatek.com>
+Reviewed-by: Bo-Chen Chen <rex-bc.chen@mediatek.com>
+Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Link: https://lore.kernel.org/r/20220816193257.658487-3-nfraprado@collabora.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/mediatek/clk-mt8195-vdo1.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/mediatek/clk-mt8195-vdo1.c b/drivers/clk/mediatek/clk-mt8195-vdo1.c
+index 3378487d2c90..d54d7726d186 100644
+--- a/drivers/clk/mediatek/clk-mt8195-vdo1.c
++++ b/drivers/clk/mediatek/clk-mt8195-vdo1.c
+@@ -43,6 +43,10 @@ static const struct mtk_gate_regs vdo1_3_cg_regs = {
+ #define GATE_VDO1_2(_id, _name, _parent, _shift) \
+ GATE_MTK(_id, _name, _parent, &vdo1_2_cg_regs, _shift, &mtk_clk_gate_ops_setclr)
+
++#define GATE_VDO1_2_FLAGS(_id, _name, _parent, _shift, _flags) \
++ GATE_MTK_FLAGS(_id, _name, _parent, &vdo1_2_cg_regs, _shift, \
++ &mtk_clk_gate_ops_setclr, _flags)
++
+ #define GATE_VDO1_3(_id, _name, _parent, _shift) \
+ GATE_MTK(_id, _name, _parent, &vdo1_3_cg_regs, _shift, &mtk_clk_gate_ops_setclr)
+
+@@ -99,7 +103,7 @@ static const struct mtk_gate vdo1_clks[] = {
+ GATE_VDO1_2(CLK_VDO1_DISP_MONITOR_DPI0, "vdo1_disp_monitor_dpi0", "top_vpp", 1),
+ GATE_VDO1_2(CLK_VDO1_DPI1, "vdo1_dpi1", "top_vpp", 8),
+ GATE_VDO1_2(CLK_VDO1_DISP_MONITOR_DPI1, "vdo1_disp_monitor_dpi1", "top_vpp", 9),
+- GATE_VDO1_2(CLK_VDO1_DPINTF, "vdo1_dpintf", "top_vpp", 16),
++ GATE_VDO1_2_FLAGS(CLK_VDO1_DPINTF, "vdo1_dpintf", "top_dp", 16, CLK_SET_RATE_PARENT),
+ GATE_VDO1_2(CLK_VDO1_DISP_MONITOR_DPINTF, "vdo1_disp_monitor_dpintf", "top_vpp", 17),
+ /* VDO1_3 */
+ GATE_VDO1_3(CLK_VDO1_26M_SLOW, "vdo1_26m_slow", "clk26m", 8),
+--
+2.35.1
+
--- /dev/null
+From b56c6018ce6eb8c4ba60f12f29ddf1c65714bbec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 18:25:18 +0800
+Subject: clk: mediatek: fix unregister function in mtk_clk_register_dividers
+ cleanup
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 20f7a0dba9075fb0e3d645495bc24d7025b58de1 ]
+
+When the cleanup paths for the various clk register APIs in the MediaTek
+clk library were added, the one in the dividers type used the wrong type
+of unregister function. This would result in incorrect dereferencing of
+the clk pointer and freeing of invalid pointers.
+
+Fix this by switching to the correct type of clk unregistration call.
+
+Fixes: 3c3ba2ab0226 ("clk: mediatek: mtk: Implement error handling in register APIs")
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20220926102523.2367530-2-wenst@chromium.org
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/mediatek/clk-mtk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/mediatek/clk-mtk.c b/drivers/clk/mediatek/clk-mtk.c
+index 05a188c62119..9b82956260d3 100644
+--- a/drivers/clk/mediatek/clk-mtk.c
++++ b/drivers/clk/mediatek/clk-mtk.c
+@@ -393,7 +393,7 @@ int mtk_clk_register_dividers(const struct mtk_clk_divider *mcds, int num,
+ if (IS_ERR_OR_NULL(clk_data->hws[mcd->id]))
+ continue;
+
+- mtk_clk_unregister_composite(clk_data->hws[mcd->id]);
++ clk_hw_unregister_divider(clk_data->hws[mcd->id]);
+ clk_data->hws[mcd->id] = ERR_PTR(-ENOENT);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From a2f704ac99c7b49be6019841beb04cce7b5d0647 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 18:25:19 +0800
+Subject: clk: mediatek: Migrate remaining clk_unregister_*() to
+ clk_hw_unregister_*()
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit fef14676fc4be40b8441745a3c96b7e7d7d8592d ]
+
+During the previous |struct clk| to |struct clk_hw| clk provider API
+migration in commit 6f691a586296 ("clk: mediatek: Switch to clk_hw
+provider APIs"), a few clk_unregister_*() calls were missed.
+
+Migrate the remaining ones to the |struct clk_hw| provider API, i.e.
+change clk_unregister_*() to clk_hw_unregister_*().
+
+Fixes: 6f691a586296 ("clk: mediatek: Switch to clk_hw provider APIs")
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20220926102523.2367530-3-wenst@chromium.org
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/mediatek/clk-mtk.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/clk/mediatek/clk-mtk.c b/drivers/clk/mediatek/clk-mtk.c
+index 9b82956260d3..e1b445f2c5c5 100644
+--- a/drivers/clk/mediatek/clk-mtk.c
++++ b/drivers/clk/mediatek/clk-mtk.c
+@@ -80,7 +80,7 @@ int mtk_clk_register_fixed_clks(const struct mtk_fixed_clk *clks, int num,
+ if (IS_ERR_OR_NULL(clk_data->hws[rc->id]))
+ continue;
+
+- clk_unregister_fixed_rate(clk_data->hws[rc->id]->clk);
++ clk_hw_unregister_fixed_rate(clk_data->hws[rc->id]);
+ clk_data->hws[rc->id] = ERR_PTR(-ENOENT);
+ }
+
+@@ -102,7 +102,7 @@ void mtk_clk_unregister_fixed_clks(const struct mtk_fixed_clk *clks, int num,
+ if (IS_ERR_OR_NULL(clk_data->hws[rc->id]))
+ continue;
+
+- clk_unregister_fixed_rate(clk_data->hws[rc->id]->clk);
++ clk_hw_unregister_fixed_rate(clk_data->hws[rc->id]);
+ clk_data->hws[rc->id] = ERR_PTR(-ENOENT);
+ }
+ }
+@@ -146,7 +146,7 @@ int mtk_clk_register_factors(const struct mtk_fixed_factor *clks, int num,
+ if (IS_ERR_OR_NULL(clk_data->hws[ff->id]))
+ continue;
+
+- clk_unregister_fixed_factor(clk_data->hws[ff->id]->clk);
++ clk_hw_unregister_fixed_factor(clk_data->hws[ff->id]);
+ clk_data->hws[ff->id] = ERR_PTR(-ENOENT);
+ }
+
+@@ -168,7 +168,7 @@ void mtk_clk_unregister_factors(const struct mtk_fixed_factor *clks, int num,
+ if (IS_ERR_OR_NULL(clk_data->hws[ff->id]))
+ continue;
+
+- clk_unregister_fixed_factor(clk_data->hws[ff->id]->clk);
++ clk_hw_unregister_fixed_factor(clk_data->hws[ff->id]);
+ clk_data->hws[ff->id] = ERR_PTR(-ENOENT);
+ }
+ }
+@@ -414,7 +414,7 @@ void mtk_clk_unregister_dividers(const struct mtk_clk_divider *mcds, int num,
+ if (IS_ERR_OR_NULL(clk_data->hws[mcd->id]))
+ continue;
+
+- clk_unregister_divider(clk_data->hws[mcd->id]->clk);
++ clk_hw_unregister_divider(clk_data->hws[mcd->id]);
+ clk_data->hws[mcd->id] = ERR_PTR(-ENOENT);
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From 3e1009c2c83e0936b94941c25ca9b93af577b743 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 12:11:20 +0200
+Subject: clk: mediatek: mt8183: mfgcfg: Propagate rate changes to parent
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 9f94f545f258b15bfa6357eb62e1e307b712851e ]
+
+The only clock in the MT8183 MFGCFG block feeds the GPU. Propagate its
+rate change requests to its parent, so that DVFS for the GPU can work
+properly.
+
+Fixes: acddfc2c261b ("clk: mediatek: Add MT8183 clock support")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20220927101128.44758-3-angelogioacchino.delregno@collabora.com
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/mediatek/clk-mt8183-mfgcfg.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/mediatek/clk-mt8183-mfgcfg.c b/drivers/clk/mediatek/clk-mt8183-mfgcfg.c
+index d774edaf760b..230299728859 100644
+--- a/drivers/clk/mediatek/clk-mt8183-mfgcfg.c
++++ b/drivers/clk/mediatek/clk-mt8183-mfgcfg.c
+@@ -18,9 +18,9 @@ static const struct mtk_gate_regs mfg_cg_regs = {
+ .sta_ofs = 0x0,
+ };
+
+-#define GATE_MFG(_id, _name, _parent, _shift) \
+- GATE_MTK(_id, _name, _parent, &mfg_cg_regs, _shift, \
+- &mtk_clk_gate_ops_setclr)
++#define GATE_MFG(_id, _name, _parent, _shift) \
++ GATE_MTK_FLAGS(_id, _name, _parent, &mfg_cg_regs, _shift, \
++ &mtk_clk_gate_ops_setclr, CLK_SET_RATE_PARENT)
+
+ static const struct mtk_gate mfg_clks[] = {
+ GATE_MFG(CLK_MFG_BG3D, "mfg_bg3d", "mfg_sel", 0)
+--
+2.35.1
+
--- /dev/null
+From 8dd76d2d5be589d32c64deaa82824b5d9254c957 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Jul 2022 11:33:16 +0200
+Subject: clk: mediatek: mt8195-infra_ao: Set pwrmcu clocks as critical
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 3f10f49cd9f8ab6471639d4ca2c6db9451121779 ]
+
+The pwrmcu is responsible for power management and idle states in SSPM:
+on older SoCs this was managed in Linux drivers like sspm/mcupm/eemgpu
+but, at least on MT8195, this functionality was transferred to the ATF
+firmware.
+For this reason, turning off the pwrmcu related clocks from the kernel
+will lead to unability to resume the platform after suspend and other
+currently unknown PM related side-effects.
+
+Set the PWRMCU and PWRMCU_BUS_H clocks as critical to prevent the
+kernel from turning them off, fixing the aforementioned issue.
+
+Fixes: e2edf59dec0b ("clk: mediatek: Add MT8195 infrastructure clock support")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20220719093316.37253-1-angelogioacchino.delregno@collabora.com
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/mediatek/clk-mt8195-infra_ao.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/mediatek/clk-mt8195-infra_ao.c b/drivers/clk/mediatek/clk-mt8195-infra_ao.c
+index 97657f255618..832160c92996 100644
+--- a/drivers/clk/mediatek/clk-mt8195-infra_ao.c
++++ b/drivers/clk/mediatek/clk-mt8195-infra_ao.c
+@@ -55,8 +55,12 @@ static const struct mtk_gate_regs infra_ao4_cg_regs = {
+ #define GATE_INFRA_AO1(_id, _name, _parent, _shift) \
+ GATE_INFRA_AO1_FLAGS(_id, _name, _parent, _shift, 0)
+
++#define GATE_INFRA_AO2_FLAGS(_id, _name, _parent, _shift, _flag) \
++ GATE_MTK_FLAGS(_id, _name, _parent, &infra_ao2_cg_regs, _shift, \
++ &mtk_clk_gate_ops_setclr, _flag)
++
+ #define GATE_INFRA_AO2(_id, _name, _parent, _shift) \
+- GATE_MTK(_id, _name, _parent, &infra_ao2_cg_regs, _shift, &mtk_clk_gate_ops_setclr)
++ GATE_INFRA_AO2_FLAGS(_id, _name, _parent, _shift, 0)
+
+ #define GATE_INFRA_AO3_FLAGS(_id, _name, _parent, _shift, _flag) \
+ GATE_MTK_FLAGS(_id, _name, _parent, &infra_ao3_cg_regs, _shift, \
+@@ -136,8 +140,11 @@ static const struct mtk_gate infra_ao_clks[] = {
+ GATE_INFRA_AO2(CLK_INFRA_AO_UNIPRO_SYS, "infra_ao_unipro_sys", "top_ufs", 11),
+ GATE_INFRA_AO2(CLK_INFRA_AO_UNIPRO_TICK, "infra_ao_unipro_tick", "top_ufs_tick1us", 12),
+ GATE_INFRA_AO2(CLK_INFRA_AO_UFS_MP_SAP_B, "infra_ao_ufs_mp_sap_b", "top_ufs_mp_sap_cfg", 13),
+- GATE_INFRA_AO2(CLK_INFRA_AO_PWRMCU, "infra_ao_pwrmcu", "top_pwrmcu", 15),
+- GATE_INFRA_AO2(CLK_INFRA_AO_PWRMCU_BUS_H, "infra_ao_pwrmcu_bus_h", "top_axi", 17),
++ /* pwrmcu is used by ATF for platform PM: clocks must never be disabled by the kernel */
++ GATE_INFRA_AO2_FLAGS(CLK_INFRA_AO_PWRMCU, "infra_ao_pwrmcu", "top_pwrmcu", 15,
++ CLK_IS_CRITICAL),
++ GATE_INFRA_AO2_FLAGS(CLK_INFRA_AO_PWRMCU_BUS_H, "infra_ao_pwrmcu_bus_h", "top_axi", 17,
++ CLK_IS_CRITICAL),
+ GATE_INFRA_AO2(CLK_INFRA_AO_APDMA_B, "infra_ao_apdma_b", "top_axi", 18),
+ GATE_INFRA_AO2(CLK_INFRA_AO_SPI4, "infra_ao_spi4", "top_spi", 25),
+ GATE_INFRA_AO2(CLK_INFRA_AO_SPI5, "infra_ao_spi5", "top_spi", 26),
+--
+2.35.1
+
--- /dev/null
+From 4fb14431924b25e21e69851c2520a03bc690fa07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jun 2022 22:10:38 +0800
+Subject: clk: meson: Hold reference returned by of_get_parent()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 89ab396d712f7c91fe94f55cff23460426f5fc81 ]
+
+We should hold the reference returned by of_get_parent() and use it
+to call of_node_put() for refcount balance.
+
+Fixes: 88e2da81241e ("clk: meson: aoclk: refactor common code into dedicated file")
+Fixes: 6682bd4d443f ("clk: meson: factorise meson64 peripheral clock controller drivers")
+Fixes: bb6eddd1d28c ("clk: meson: meson8b: use the HHI syscon if available")
+
+Signed-off-by: Liang He <windhl@126.com>
+Link: https://lore.kernel.org/r/20220628141038.168383-1-windhl@126.com
+Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/meson/meson-aoclk.c | 5 ++++-
+ drivers/clk/meson/meson-eeclk.c | 5 ++++-
+ drivers/clk/meson/meson8b.c | 5 ++++-
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/meson/meson-aoclk.c b/drivers/clk/meson/meson-aoclk.c
+index 27cd2c1f3f61..434cd8f9de82 100644
+--- a/drivers/clk/meson/meson-aoclk.c
++++ b/drivers/clk/meson/meson-aoclk.c
+@@ -38,6 +38,7 @@ int meson_aoclkc_probe(struct platform_device *pdev)
+ struct meson_aoclk_reset_controller *rstc;
+ struct meson_aoclk_data *data;
+ struct device *dev = &pdev->dev;
++ struct device_node *np;
+ struct regmap *regmap;
+ int ret, clkid;
+
+@@ -49,7 +50,9 @@ int meson_aoclkc_probe(struct platform_device *pdev)
+ if (!rstc)
+ return -ENOMEM;
+
+- regmap = syscon_node_to_regmap(of_get_parent(dev->of_node));
++ np = of_get_parent(dev->of_node);
++ regmap = syscon_node_to_regmap(np);
++ of_node_put(np);
+ if (IS_ERR(regmap)) {
+ dev_err(dev, "failed to get regmap\n");
+ return PTR_ERR(regmap);
+diff --git a/drivers/clk/meson/meson-eeclk.c b/drivers/clk/meson/meson-eeclk.c
+index 8d5a5dab955a..0e5e6b57eb20 100644
+--- a/drivers/clk/meson/meson-eeclk.c
++++ b/drivers/clk/meson/meson-eeclk.c
+@@ -18,6 +18,7 @@ int meson_eeclkc_probe(struct platform_device *pdev)
+ {
+ const struct meson_eeclkc_data *data;
+ struct device *dev = &pdev->dev;
++ struct device_node *np;
+ struct regmap *map;
+ int ret, i;
+
+@@ -26,7 +27,9 @@ int meson_eeclkc_probe(struct platform_device *pdev)
+ return -EINVAL;
+
+ /* Get the hhi system controller node */
+- map = syscon_node_to_regmap(of_get_parent(dev->of_node));
++ np = of_get_parent(dev->of_node);
++ map = syscon_node_to_regmap(np);
++ of_node_put(np);
+ if (IS_ERR(map)) {
+ dev_err(dev,
+ "failed to get HHI regmap\n");
+diff --git a/drivers/clk/meson/meson8b.c b/drivers/clk/meson/meson8b.c
+index 8f3b7a94a667..827e78fb16a8 100644
+--- a/drivers/clk/meson/meson8b.c
++++ b/drivers/clk/meson/meson8b.c
+@@ -3792,12 +3792,15 @@ static void __init meson8b_clkc_init_common(struct device_node *np,
+ struct clk_hw_onecell_data *clk_hw_onecell_data)
+ {
+ struct meson8b_clk_reset *rstc;
++ struct device_node *parent_np;
+ const char *notifier_clk_name;
+ struct clk *notifier_clk;
+ struct regmap *map;
+ int i, ret;
+
+- map = syscon_node_to_regmap(of_get_parent(np));
++ parent_np = of_get_parent(np);
++ map = syscon_node_to_regmap(parent_np);
++ of_node_put(parent_np);
+ if (IS_ERR(map)) {
+ pr_err("failed to get HHI regmap - Trying obsolete regs\n");
+ return;
+--
+2.35.1
+
--- /dev/null
+From 6cc1efb08cfc43014d598fd8dfcd7952dd0b2fce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 23:00:00 +0200
+Subject: clk: move from strlcpy with unused retval to strscpy
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit c19edff61210eb846bf8ec44c9f87d1ca9efdfd2 ]
+
+Follow the advice of the below link and prefer 'strscpy' in this
+subsystem. Conversion is 1:1 because the return value is not used.
+Generated by a coccinelle script.
+
+Link: https://lore.kernel.org/r/CAHk-=wgfRnXz0W3D37d01q3JFkr_i_uTL=V6A6G1oUZcprmknw@mail.gmail.com/
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/20220818210000.6600-1-wsa+renesas@sang-engineering.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Stable-dep-of: 9c59a01caba2 ("clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clkdev.c | 2 +-
+ drivers/clk/mvebu/dove-divider.c | 2 +-
+ drivers/clk/tegra/clk-bpmp.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/clkdev.c b/drivers/clk/clkdev.c
+index 67f601a41023..a4d4bd3f5be5 100644
+--- a/drivers/clk/clkdev.c
++++ b/drivers/clk/clkdev.c
+@@ -165,7 +165,7 @@ vclkdev_alloc(struct clk_hw *hw, const char *con_id, const char *dev_fmt,
+
+ cla->cl.clk_hw = hw;
+ if (con_id) {
+- strlcpy(cla->con_id, con_id, sizeof(cla->con_id));
++ strscpy(cla->con_id, con_id, sizeof(cla->con_id));
+ cla->cl.con_id = cla->con_id;
+ }
+
+diff --git a/drivers/clk/mvebu/dove-divider.c b/drivers/clk/mvebu/dove-divider.c
+index 7e35c891e168..0a90452ee808 100644
+--- a/drivers/clk/mvebu/dove-divider.c
++++ b/drivers/clk/mvebu/dove-divider.c
+@@ -170,7 +170,7 @@ static struct clk *clk_register_dove_divider(struct device *dev,
+ .num_parents = num_parents,
+ };
+
+- strlcpy(name, dc->name, sizeof(name));
++ strscpy(name, dc->name, sizeof(name));
+
+ dc->hw.init = &init;
+ dc->base = base;
+diff --git a/drivers/clk/tegra/clk-bpmp.c b/drivers/clk/tegra/clk-bpmp.c
+index 3748a39dae7c..d82a71f10c2c 100644
+--- a/drivers/clk/tegra/clk-bpmp.c
++++ b/drivers/clk/tegra/clk-bpmp.c
+@@ -349,7 +349,7 @@ static int tegra_bpmp_clk_get_info(struct tegra_bpmp *bpmp, unsigned int id,
+ if (err < 0)
+ return err;
+
+- strlcpy(info->name, response.name, MRQ_CLK_NAME_MAXLEN);
++ strscpy(info->name, response.name, MRQ_CLK_NAME_MAXLEN);
+ info->num_parents = response.num_parents;
+
+ for (i = 0; i < info->num_parents; i++)
+--
+2.35.1
+
--- /dev/null
+From 2a7d1a4282444c9b3d89dee5de053d92e5f3fc40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jun 2022 09:43:08 +0800
+Subject: clk: nomadik: Add missing of_node_put()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 28a0b0984e76df8fd64b6850fa56cf5201e6e638 ]
+
+In nomadik_src_init(), of_find_matching_node() will return a node
+pointer with refcount incremented. We should use of_node_put() in
+fail path or when it is not used anymore.
+
+Signed-off-by: Liang He <windhl@126.com>
+Link: https://lore.kernel.org/r/20220617014308.4001511-1-windhl@126.com
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Stable-dep-of: 89ab396d712f ("clk: meson: Hold reference returned by of_get_parent()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-nomadik.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clk/clk-nomadik.c b/drivers/clk/clk-nomadik.c
+index bad2677e11ae..71fbe687fa7b 100644
+--- a/drivers/clk/clk-nomadik.c
++++ b/drivers/clk/clk-nomadik.c
+@@ -99,7 +99,7 @@ static void __init nomadik_src_init(void)
+ if (!src_base) {
+ pr_err("%s: must have src parent node with REGS (%pOFn)\n",
+ __func__, np);
+- return;
++ goto out_put;
+ }
+
+ /* Set all timers to use the 2.4 MHz TIMCLK */
+@@ -132,6 +132,9 @@ static void __init nomadik_src_init(void)
+ }
+ writel(val, src_base + SRC_XTALCR);
+ register_reboot_notifier(&nomadik_clk_reboot_notifier);
++
++out_put:
++ of_node_put(np);
+ }
+
+ /**
+--
+2.35.1
+
--- /dev/null
+From 5319ac1a79fdb0aa534b7427947853f201544247 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jun 2022 22:31:55 +0800
+Subject: clk: oxnas: Hold reference returned by of_get_parent()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 1d6aa08c54cd0e005210ab8e3b1e92ede70f8a4f ]
+
+In oxnas_stdclk_probe(), we need to hold the reference returned by
+of_get_parent() and use it to call of_node_put() for refcount
+balance.
+
+Fixes: 0bbd72b4c64f ("clk: Add Oxford Semiconductor OXNAS Standard Clocks")
+Signed-off-by: Liang He <windhl@126.com>
+Link: https://lore.kernel.org/r/20220628143155.170550-1-windhl@126.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-oxnas.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/clk-oxnas.c b/drivers/clk/clk-oxnas.c
+index cda5e258355b..584e293156ad 100644
+--- a/drivers/clk/clk-oxnas.c
++++ b/drivers/clk/clk-oxnas.c
+@@ -207,7 +207,7 @@ static const struct of_device_id oxnas_stdclk_dt_ids[] = {
+
+ static int oxnas_stdclk_probe(struct platform_device *pdev)
+ {
+- struct device_node *np = pdev->dev.of_node;
++ struct device_node *np = pdev->dev.of_node, *parent_np;
+ const struct oxnas_stdclk_data *data;
+ struct regmap *regmap;
+ int ret;
+@@ -215,7 +215,9 @@ static int oxnas_stdclk_probe(struct platform_device *pdev)
+
+ data = of_device_get_match_data(&pdev->dev);
+
+- regmap = syscon_node_to_regmap(of_get_parent(np));
++ parent_np = of_get_parent(np);
++ regmap = syscon_node_to_regmap(parent_np);
++ of_node_put(parent_np);
+ if (IS_ERR(regmap)) {
+ dev_err(&pdev->dev, "failed to have parent regmap\n");
+ return PTR_ERR(regmap);
+--
+2.35.1
+
--- /dev/null
+From 597c8d95bbdea21b3b4a70470e65aa1c34d6d412 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Aug 2022 00:06:22 +0200
+Subject: clk: qcom: apss-ipq6018: mark apcs_alias0_core_clk as critical
+
+From: Robert Marko <robimarko@gmail.com>
+
+[ Upstream commit 86e78995c93ee182433f965babfccd48417d4dcf ]
+
+While fixing up the driver I noticed that my IPQ8074 board was hanging
+after CPUFreq switched the frequency during boot, WDT would eventually
+reset it.
+
+So mark apcs_alias0_core_clk as critical since its the clock feeding the
+CPU cluster and must never be disabled.
+
+Fixes: 5e77b4ef1b19 ("clk: qcom: Add ipq6018 apss clock controller")
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220818220628.339366-3-robimarko@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/apss-ipq6018.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/qcom/apss-ipq6018.c b/drivers/clk/qcom/apss-ipq6018.c
+index d78ff2f310bf..b5d93657e1ee 100644
+--- a/drivers/clk/qcom/apss-ipq6018.c
++++ b/drivers/clk/qcom/apss-ipq6018.c
+@@ -57,7 +57,7 @@ static struct clk_branch apcs_alias0_core_clk = {
+ .parent_hws = (const struct clk_hw *[]){
+ &apcs_alias0_clk_src.clkr.hw },
+ .num_parents = 1,
+- .flags = CLK_SET_RATE_PARENT,
++ .flags = CLK_SET_RATE_PARENT | CLK_IS_CRITICAL,
+ .ops = &clk_branch2_ops,
+ },
+ },
+--
+2.35.1
+
--- /dev/null
+From 18f7fc8354f8397f79487fc8fbfcd7f27122ea48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Jul 2022 22:38:22 +0200
+Subject: clk: qcom: gcc-sdm660: Use floor ops for SDCC1 clock
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 6956c18f4ad9200aa945f7ea37d65a05afc49d51 ]
+
+In commit 3f905469c8ce ("clk: qcom: gcc: Use floor ops for SDCC clocks")
+floor ops were applied to SDCC2 only, but flooring is also required on
+the SDCC1 apps clock which is used by the eMMC card on Sony's Nile
+platform, and otherwise result in the typicial "Card appears
+overclocked" warnings observed on many other platforms before:
+
+ mmc0: Card appears overclocked; req 52000000 Hz, actual 100000000 Hz
+ mmc0: Card appears overclocked; req 52000000 Hz, actual 100000000 Hz
+ mmc0: Card appears overclocked; req 104000000 Hz, actual 192000000 Hz
+
+Fixes: f2a76a2955c0 ("clk: qcom: Add Global Clock controller (GCC) driver for SDM660")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Tested-by: Alexey Minnekhanov <alexeymin@postmarketos.org>
+Reviewed-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220714203822.186448-1-marijn.suijten@somainline.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-sdm660.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/qcom/gcc-sdm660.c b/drivers/clk/qcom/gcc-sdm660.c
+index 9b97425008ce..db918c92a522 100644
+--- a/drivers/clk/qcom/gcc-sdm660.c
++++ b/drivers/clk/qcom/gcc-sdm660.c
+@@ -757,7 +757,7 @@ static struct clk_rcg2 sdcc1_apps_clk_src = {
+ .name = "sdcc1_apps_clk_src",
+ .parent_data = gcc_parent_data_xo_gpll0_gpll4_gpll0_early_div,
+ .num_parents = ARRAY_SIZE(gcc_parent_data_xo_gpll0_gpll4_gpll0_early_div),
+- .ops = &clk_rcg2_ops,
++ .ops = &clk_rcg2_floor_ops,
+ },
+ };
+
+--
+2.35.1
+
--- /dev/null
+From cfab03d9c6c85bd19a8119ca89b9f599967fd1a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 10:56:18 +0300
+Subject: clk: qcom: gcc-sm6115: Override default Alpha PLL regs
+
+From: Adam Skladowski <a_skl39@protonmail.com>
+
+[ Upstream commit 068a0605ef5a6b430e7278c169bfcd25b680b28f ]
+
+The DEFAULT and BRAMMO PLL offsets are non-standard in downstream, but
+currently only BRAMMO ones are overridden. Override DEFAULT ones too.
+
+A very similar thing is happening in gcc-qcm2290 driver.
+
+Fixes: cbe63bfdc54f ("clk: qcom: Add Global Clock controller (GCC) driver for SM6115")
+Signed-off-by: Adam Skladowski <a_skl39@protonmail.com>
+Signed-off-by: Iskren Chernev <iskren.chernev@gmail.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220830075620.974009-2-iskren.chernev@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-sm6115.c | 46 +++++++++++++++++++++++------------
+ 1 file changed, 30 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/clk/qcom/gcc-sm6115.c b/drivers/clk/qcom/gcc-sm6115.c
+index 68fe9f6f0d2f..e24a977c2580 100644
+--- a/drivers/clk/qcom/gcc-sm6115.c
++++ b/drivers/clk/qcom/gcc-sm6115.c
+@@ -53,11 +53,25 @@ static struct pll_vco gpll10_vco[] = {
+ { 750000000, 1500000000, 1 },
+ };
+
++static const u8 clk_alpha_pll_regs_offset[][PLL_OFF_MAX_REGS] = {
++ [CLK_ALPHA_PLL_TYPE_DEFAULT] = {
++ [PLL_OFF_L_VAL] = 0x04,
++ [PLL_OFF_ALPHA_VAL] = 0x08,
++ [PLL_OFF_ALPHA_VAL_U] = 0x0c,
++ [PLL_OFF_TEST_CTL] = 0x10,
++ [PLL_OFF_TEST_CTL_U] = 0x14,
++ [PLL_OFF_USER_CTL] = 0x18,
++ [PLL_OFF_USER_CTL_U] = 0x1c,
++ [PLL_OFF_CONFIG_CTL] = 0x20,
++ [PLL_OFF_STATUS] = 0x24,
++ },
++};
++
+ static struct clk_alpha_pll gpll0 = {
+ .offset = 0x0,
+ .vco_table = default_vco,
+ .num_vco = ARRAY_SIZE(default_vco),
+- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT],
++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT],
+ .clkr = {
+ .enable_reg = 0x79000,
+ .enable_mask = BIT(0),
+@@ -83,7 +97,7 @@ static struct clk_alpha_pll_postdiv gpll0_out_aux2 = {
+ .post_div_table = post_div_table_gpll0_out_aux2,
+ .num_post_div = ARRAY_SIZE(post_div_table_gpll0_out_aux2),
+ .width = 4,
+- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT],
++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT],
+ .clkr.hw.init = &(struct clk_init_data){
+ .name = "gpll0_out_aux2",
+ .parent_hws = (const struct clk_hw *[]){ &gpll0.clkr.hw },
+@@ -115,7 +129,7 @@ static struct clk_alpha_pll_postdiv gpll0_out_main = {
+ .post_div_table = post_div_table_gpll0_out_main,
+ .num_post_div = ARRAY_SIZE(post_div_table_gpll0_out_main),
+ .width = 4,
+- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT],
++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT],
+ .clkr.hw.init = &(struct clk_init_data){
+ .name = "gpll0_out_main",
+ .parent_hws = (const struct clk_hw *[]){ &gpll0.clkr.hw },
+@@ -137,7 +151,7 @@ static struct clk_alpha_pll gpll10 = {
+ .offset = 0xa000,
+ .vco_table = gpll10_vco,
+ .num_vco = ARRAY_SIZE(gpll10_vco),
+- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT],
++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT],
+ .clkr = {
+ .enable_reg = 0x79000,
+ .enable_mask = BIT(10),
+@@ -163,7 +177,7 @@ static struct clk_alpha_pll_postdiv gpll10_out_main = {
+ .post_div_table = post_div_table_gpll10_out_main,
+ .num_post_div = ARRAY_SIZE(post_div_table_gpll10_out_main),
+ .width = 4,
+- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT],
++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT],
+ .clkr.hw.init = &(struct clk_init_data){
+ .name = "gpll10_out_main",
+ .parent_hws = (const struct clk_hw *[]){ &gpll10.clkr.hw },
+@@ -189,7 +203,7 @@ static struct clk_alpha_pll gpll11 = {
+ .vco_table = default_vco,
+ .num_vco = ARRAY_SIZE(default_vco),
+ .flags = SUPPORTS_DYNAMIC_UPDATE,
+- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT],
++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT],
+ .clkr = {
+ .enable_reg = 0x79000,
+ .enable_mask = BIT(11),
+@@ -215,7 +229,7 @@ static struct clk_alpha_pll_postdiv gpll11_out_main = {
+ .post_div_table = post_div_table_gpll11_out_main,
+ .num_post_div = ARRAY_SIZE(post_div_table_gpll11_out_main),
+ .width = 4,
+- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT],
++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT],
+ .clkr.hw.init = &(struct clk_init_data){
+ .name = "gpll11_out_main",
+ .parent_hws = (const struct clk_hw *[]){ &gpll11.clkr.hw },
+@@ -229,7 +243,7 @@ static struct clk_alpha_pll gpll3 = {
+ .offset = 0x3000,
+ .vco_table = default_vco,
+ .num_vco = ARRAY_SIZE(default_vco),
+- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT],
++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT],
+ .clkr = {
+ .enable_reg = 0x79000,
+ .enable_mask = BIT(3),
+@@ -248,7 +262,7 @@ static struct clk_alpha_pll gpll4 = {
+ .offset = 0x4000,
+ .vco_table = default_vco,
+ .num_vco = ARRAY_SIZE(default_vco),
+- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT],
++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT],
+ .clkr = {
+ .enable_reg = 0x79000,
+ .enable_mask = BIT(4),
+@@ -274,7 +288,7 @@ static struct clk_alpha_pll_postdiv gpll4_out_main = {
+ .post_div_table = post_div_table_gpll4_out_main,
+ .num_post_div = ARRAY_SIZE(post_div_table_gpll4_out_main),
+ .width = 4,
+- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT],
++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT],
+ .clkr.hw.init = &(struct clk_init_data){
+ .name = "gpll4_out_main",
+ .parent_hws = (const struct clk_hw *[]){ &gpll4.clkr.hw },
+@@ -287,7 +301,7 @@ static struct clk_alpha_pll gpll6 = {
+ .offset = 0x6000,
+ .vco_table = default_vco,
+ .num_vco = ARRAY_SIZE(default_vco),
+- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT],
++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT],
+ .clkr = {
+ .enable_reg = 0x79000,
+ .enable_mask = BIT(6),
+@@ -313,7 +327,7 @@ static struct clk_alpha_pll_postdiv gpll6_out_main = {
+ .post_div_table = post_div_table_gpll6_out_main,
+ .num_post_div = ARRAY_SIZE(post_div_table_gpll6_out_main),
+ .width = 4,
+- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT],
++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT],
+ .clkr.hw.init = &(struct clk_init_data){
+ .name = "gpll6_out_main",
+ .parent_hws = (const struct clk_hw *[]){ &gpll6.clkr.hw },
+@@ -326,7 +340,7 @@ static struct clk_alpha_pll gpll7 = {
+ .offset = 0x7000,
+ .vco_table = default_vco,
+ .num_vco = ARRAY_SIZE(default_vco),
+- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT],
++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT],
+ .clkr = {
+ .enable_reg = 0x79000,
+ .enable_mask = BIT(7),
+@@ -352,7 +366,7 @@ static struct clk_alpha_pll_postdiv gpll7_out_main = {
+ .post_div_table = post_div_table_gpll7_out_main,
+ .num_post_div = ARRAY_SIZE(post_div_table_gpll7_out_main),
+ .width = 4,
+- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT],
++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT],
+ .clkr.hw.init = &(struct clk_init_data){
+ .name = "gpll7_out_main",
+ .parent_hws = (const struct clk_hw *[]){ &gpll7.clkr.hw },
+@@ -380,7 +394,7 @@ static struct clk_alpha_pll gpll8 = {
+ .offset = 0x8000,
+ .vco_table = default_vco,
+ .num_vco = ARRAY_SIZE(default_vco),
+- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT],
++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT],
+ .flags = SUPPORTS_DYNAMIC_UPDATE,
+ .clkr = {
+ .enable_reg = 0x79000,
+@@ -407,7 +421,7 @@ static struct clk_alpha_pll_postdiv gpll8_out_main = {
+ .post_div_table = post_div_table_gpll8_out_main,
+ .num_post_div = ARRAY_SIZE(post_div_table_gpll8_out_main),
+ .width = 4,
+- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT],
++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT],
+ .clkr.hw.init = &(struct clk_init_data){
+ .name = "gpll8_out_main",
+ .parent_hws = (const struct clk_hw *[]){ &gpll8.clkr.hw },
+--
+2.35.1
+
--- /dev/null
+From f74969d69d2d8401a3775d5682fa85fcc0b0e552 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Sep 2022 00:02:07 +0700
+Subject: clk: qcom: sm6115: Select QCOM_GDSC
+
+From: Dang Huynh <danct12@riseup.net>
+
+[ Upstream commit 50ee65dc512b9b5c4de354cf3b4dded34f46c571 ]
+
+While working on the Fxtec Pro1X device, this error shows up with
+my own minimal configuration:
+
+gcc-sm6115: probe of 1400000.clock-controller failed with error -38
+
+The clock driver depends on CONFIG_QCOM_GDSC and after enabling
+that, the driver probes successfully.
+
+Signed-off-by: Dang Huynh <danct12@riseup.net>
+Fixes: cbe63bfdc54f ("clk: qcom: Add Global Clock controller (GCC)
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220910170207.1592220-1-danct12@riseup.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/qcom/Kconfig b/drivers/clk/qcom/Kconfig
+index 1cf1ef70e347..d566fbdebdf9 100644
+--- a/drivers/clk/qcom/Kconfig
++++ b/drivers/clk/qcom/Kconfig
+@@ -645,6 +645,7 @@ config SM_DISPCC_6350
+
+ config SM_GCC_6115
+ tristate "SM6115 and SM4250 Global Clock Controller"
++ select QCOM_GDSC
+ help
+ Support for the global clock controller on SM6115 and SM4250 devices.
+ Say Y if you want to use peripheral devices such as UART, SPI,
+--
+2.35.1
+
--- /dev/null
+From 45510612ed9066d4160c19308c37436b72ab2461 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jun 2022 22:38:51 +0800
+Subject: clk: qoriq: Hold reference returned by of_get_parent()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit a8ea4273bc26256ce3cce83164f0f51c5bf6e127 ]
+
+In legacy_init_clockgen(), we need to hold the reference returned
+by of_get_parent() and use it to call of_node_put() for refcount
+balance.
+
+Beside, in create_sysclk(), we need to call of_node_put() on 'sysclk'
+also for refcount balance.
+
+Fixes: 0dfc86b3173f ("clk: qoriq: Move chip-specific knowledge into driver")
+Signed-off-by: Liang He <windhl@126.com>
+Link: https://lore.kernel.org/r/20220628143851.171299-1-windhl@126.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-qoriq.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/clk-qoriq.c b/drivers/clk/clk-qoriq.c
+index 88898b97a443..5eddb9f0d6bd 100644
+--- a/drivers/clk/clk-qoriq.c
++++ b/drivers/clk/clk-qoriq.c
+@@ -1063,8 +1063,13 @@ static void __init _clockgen_init(struct device_node *np, bool legacy);
+ */
+ static void __init legacy_init_clockgen(struct device_node *np)
+ {
+- if (!clockgen.node)
+- _clockgen_init(of_get_parent(np), true);
++ if (!clockgen.node) {
++ struct device_node *parent_np;
++
++ parent_np = of_get_parent(np);
++ _clockgen_init(parent_np, true);
++ of_node_put(parent_np);
++ }
+ }
+
+ /* Legacy node */
+@@ -1159,6 +1164,7 @@ static struct clk * __init create_sysclk(const char *name)
+ sysclk = of_get_child_by_name(clockgen.node, "sysclk");
+ if (sysclk) {
+ clk = sysclk_from_fixed(sysclk, name);
++ of_node_put(sysclk);
+ if (!IS_ERR(clk))
+ return clk;
+ }
+--
+2.35.1
+
--- /dev/null
+From 7785a71d37e4872ed135f3adddb475fe70792b1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 11:13:57 +0900
+Subject: clk: samsung: exynosautov9: correct register offsets of peric0/c1
+
+From: Chanho Park <chanho61.park@samsung.com>
+
+[ Upstream commit 67d98943408bce835185688cb75ebbb45b91e572 ]
+
+Some register offsets of peric0 and peric1 cmu blocks need to be
+corrected and re-ordered by numerical order.
+
+Fixes: f2dd366992d0 ("clk: samsung: exynosautov9: add cmu_peric0 clock support")
+Fixes: b35f27fe73d8 ("clk: samsung: exynosautov9: add cmu_peric1 clock support")
+Signed-off-by: Chanho Park <chanho61.park@samsung.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20220727021357.152421-4-chanho61.park@samsung.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/samsung/clk-exynosautov9.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/clk/samsung/clk-exynosautov9.c b/drivers/clk/samsung/clk-exynosautov9.c
+index d9e1f8e4a7b4..487a71b32a00 100644
+--- a/drivers/clk/samsung/clk-exynosautov9.c
++++ b/drivers/clk/samsung/clk-exynosautov9.c
+@@ -1170,9 +1170,9 @@ static const struct samsung_cmu_info fsys2_cmu_info __initconst = {
+ #define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_2 0x2058
+ #define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_3 0x205c
+ #define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_4 0x2060
+-#define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_7 0x206c
+ #define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_5 0x2064
+ #define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_6 0x2068
++#define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_7 0x206c
+ #define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_8 0x2070
+ #define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_9 0x2074
+ #define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_10 0x204c
+@@ -1418,14 +1418,14 @@ static const struct samsung_cmu_info peric0_cmu_info __initconst = {
+ #define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_IPCLK_11 0x2020
+ #define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_0 0x2044
+ #define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_1 0x2048
+-#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_2 0x2058
+-#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_3 0x205c
+-#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_4 0x2060
+-#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_7 0x206c
+-#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_5 0x2064
+-#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_6 0x2068
+-#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_8 0x2070
+-#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_9 0x2074
++#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_2 0x2054
++#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_3 0x2058
++#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_4 0x205c
++#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_5 0x2060
++#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_6 0x2064
++#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_7 0x2068
++#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_8 0x206c
++#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_9 0x2070
+ #define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_10 0x204c
+ #define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_11 0x2050
+
+@@ -1463,9 +1463,9 @@ static const unsigned long peric1_clk_regs[] __initconst = {
+ CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_2,
+ CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_3,
+ CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_4,
+- CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_7,
+ CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_5,
+ CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_6,
++ CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_7,
+ CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_8,
+ CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_9,
+ CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_10,
+--
+2.35.1
+
--- /dev/null
+From f451a8ce5830c250384547efdc040dd09b9f9249 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Jul 2022 08:47:29 +0800
+Subject: clk: sprd: Hold reference returned by of_get_parent()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 91e6455bf715fb1558a0bf8f645ec1c131254a3c ]
+
+We should hold the reference returned by of_get_parent() and use it
+to call of_node_put() for refcount balance.
+
+Fixes: f95e8c7923d1 ("clk: sprd: support to get regmap from parent node")
+Signed-off-by: Liang He <windhl@126.com>
+Link: https://lore.kernel.org/r/20220704004729.272481-1-windhl@126.com
+Reviewed-by: Orson Zhai <orsonzhai@gmail.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sprd/common.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/clk/sprd/common.c b/drivers/clk/sprd/common.c
+index d620bbbcdfc8..ce81e4087a8f 100644
+--- a/drivers/clk/sprd/common.c
++++ b/drivers/clk/sprd/common.c
+@@ -41,7 +41,7 @@ int sprd_clk_regmap_init(struct platform_device *pdev,
+ {
+ void __iomem *base;
+ struct device *dev = &pdev->dev;
+- struct device_node *node = dev->of_node;
++ struct device_node *node = dev->of_node, *np;
+ struct regmap *regmap;
+
+ if (of_find_property(node, "sprd,syscon", NULL)) {
+@@ -50,9 +50,10 @@ int sprd_clk_regmap_init(struct platform_device *pdev,
+ pr_err("%s: failed to get syscon regmap\n", __func__);
+ return PTR_ERR(regmap);
+ }
+- } else if (of_device_is_compatible(of_get_parent(dev->of_node),
+- "syscon")) {
+- regmap = device_node_to_regmap(of_get_parent(dev->of_node));
++ } else if (of_device_is_compatible(np = of_get_parent(node), "syscon") ||
++ (of_node_put(np), 0)) {
++ regmap = device_node_to_regmap(np);
++ of_node_put(np);
+ if (IS_ERR(regmap)) {
+ dev_err(dev, "failed to get regmap from its parent.\n");
+ return PTR_ERR(regmap);
+--
+2.35.1
+
--- /dev/null
+From 2cc16f8c18499c7cda01049e535c3abf8e1467b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jun 2022 22:24:15 +0800
+Subject: clk: st: Hold reference returned by of_get_parent()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 429973306f860470cbbb8402c8c53143b450faba ]
+
+We should hold the reference returned by of_get_parent() and use it
+to call of_node_put() for refcount balance.
+
+Fixes: 3efe64ef5186 ("clk: st: clkgen-fsyn: search reg within node or parent")
+Fixes: 810251b0d36a ("clk: st: clkgen-mux: search reg within node or parent")
+
+Signed-off-by: Liang He <windhl@126.com>
+Link: https://lore.kernel.org/r/20220628142416.169808-1-windhl@126.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/st/clkgen-fsyn.c | 5 ++++-
+ drivers/clk/st/clkgen-mux.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/st/clkgen-fsyn.c b/drivers/clk/st/clkgen-fsyn.c
+index 582a22c04919..d820292a381d 100644
+--- a/drivers/clk/st/clkgen-fsyn.c
++++ b/drivers/clk/st/clkgen-fsyn.c
+@@ -987,6 +987,7 @@ static void __init st_of_quadfs_setup(struct device_node *np,
+ const char *pll_name, *clk_parent_name;
+ void __iomem *reg;
+ spinlock_t *lock;
++ struct device_node *parent_np;
+
+ /*
+ * First check for reg property within the node to keep backward
+@@ -994,7 +995,9 @@ static void __init st_of_quadfs_setup(struct device_node *np,
+ */
+ reg = of_iomap(np, 0);
+ if (!reg) {
+- reg = of_iomap(of_get_parent(np), 0);
++ parent_np = of_get_parent(np);
++ reg = of_iomap(parent_np, 0);
++ of_node_put(parent_np);
+ if (!reg) {
+ pr_err("%s: Failed to get base address\n", __func__);
+ return;
+diff --git a/drivers/clk/st/clkgen-mux.c b/drivers/clk/st/clkgen-mux.c
+index ee39af7a0b72..596e939ad905 100644
+--- a/drivers/clk/st/clkgen-mux.c
++++ b/drivers/clk/st/clkgen-mux.c
+@@ -56,6 +56,7 @@ static void __init st_of_clkgen_mux_setup(struct device_node *np,
+ void __iomem *reg;
+ const char **parents;
+ int num_parents = 0;
++ struct device_node *parent_np;
+
+ /*
+ * First check for reg property within the node to keep backward
+@@ -63,7 +64,9 @@ static void __init st_of_clkgen_mux_setup(struct device_node *np,
+ */
+ reg = of_iomap(np, 0);
+ if (!reg) {
+- reg = of_iomap(of_get_parent(np), 0);
++ parent_np = of_get_parent(np);
++ reg = of_iomap(parent_np, 0);
++ of_node_put(parent_np);
+ if (!reg) {
+ pr_err("%s: Failed to get base address\n", __func__);
+ return;
+--
+2.35.1
+
--- /dev/null
+From 680b29e147bc1ad7a09c20cb88a02b897d191b09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 May 2022 18:38:34 +0400
+Subject: clk: tegra: Fix refcount leak in tegra114_clock_init
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit db16a80c76ea395766913082b1e3f939dde29b2c ]
+
+of_find_matching_node() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 2cb5efefd6f7 ("clk: tegra: Implement clocks for Tegra114")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220523143834.7587-1-linmq006@gmail.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/tegra/clk-tegra114.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/tegra/clk-tegra114.c b/drivers/clk/tegra/clk-tegra114.c
+index ef718c4b3826..f7405a58877e 100644
+--- a/drivers/clk/tegra/clk-tegra114.c
++++ b/drivers/clk/tegra/clk-tegra114.c
+@@ -1317,6 +1317,7 @@ static void __init tegra114_clock_init(struct device_node *np)
+ }
+
+ pmc_base = of_iomap(node, 0);
++ of_node_put(node);
+ if (!pmc_base) {
+ pr_err("Can't map pmc registers\n");
+ WARN_ON(1);
+--
+2.35.1
+
--- /dev/null
+From 3052d186ee562ae5dd03e714438139fdb3eabb48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 May 2022 18:26:08 +0400
+Subject: clk: tegra: Fix refcount leak in tegra210_clock_init
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 56c78cb1f00a9dde8cd762131ce8f4c5eb046fbb ]
+
+of_find_matching_node() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 6b301a059eb2 ("clk: tegra: Add support for Tegra210 clocks")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220523142608.65074-1-linmq006@gmail.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/tegra/clk-tegra210.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/tegra/clk-tegra210.c b/drivers/clk/tegra/clk-tegra210.c
+index b9099012dc7b..499f999e91e1 100644
+--- a/drivers/clk/tegra/clk-tegra210.c
++++ b/drivers/clk/tegra/clk-tegra210.c
+@@ -3748,6 +3748,7 @@ static void __init tegra210_clock_init(struct device_node *np)
+ }
+
+ pmc_base = of_iomap(node, 0);
++ of_node_put(node);
+ if (!pmc_base) {
+ pr_err("Can't map pmc registers\n");
+ WARN_ON(1);
+--
+2.35.1
+
--- /dev/null
+From 81aeb3492c8400c26d9974faf8a6a976b3fcbefc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 May 2022 19:28:11 +0400
+Subject: clk: tegra20: Fix refcount leak in tegra20_clock_init
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 4e343bafe03ff68a62f48f8235cf98f2c685468b ]
+
+of_find_matching_node() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 37c26a906527 ("clk: tegra: add clock support for Tegra20")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220523152811.19692-1-linmq006@gmail.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/tegra/clk-tegra20.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/tegra/clk-tegra20.c b/drivers/clk/tegra/clk-tegra20.c
+index be3c33441cfc..8a4514f6d503 100644
+--- a/drivers/clk/tegra/clk-tegra20.c
++++ b/drivers/clk/tegra/clk-tegra20.c
+@@ -1131,6 +1131,7 @@ static void __init tegra20_clock_init(struct device_node *np)
+ }
+
+ pmc_base = of_iomap(node, 0);
++ of_node_put(node);
+ if (!pmc_base) {
+ pr_err("Can't map pmc registers\n");
+ BUG();
+--
+2.35.1
+
--- /dev/null
+From e8fd4671ec76a6413c5844d36af977cb51be9b2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 11:11:21 +0800
+Subject: clk: ti: Balance of_node_get() calls for of_find_node_by_name()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 058a3996b888ab60eb1857fb4fd28f1b89a9a95a ]
+
+In ti_find_clock_provider(), of_find_node_by_name() will call
+of_node_put() for the 'from' argument, possibly putting the node one too
+many times. Let's maintain the of_node_get() from the previous search
+and only put when we're exiting the function early. This should avoid a
+misbalanced reference count on the node.
+
+Fixes: 51f661ef9a10 ("clk: ti: Add ti_find_clock_provider() to use clock-output-names")
+Signed-off-by: Liang He <windhl@126.com>
+Link: https://lore.kernel.org/r/20220915031121.4003589-1-windhl@126.com
+[sboyd@kernel.org: Rewrite commit text, maintain reference instead of
+get again]
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/ti/clk.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/ti/clk.c b/drivers/clk/ti/clk.c
+index 373e9438b57a..1dc2f15fb75b 100644
+--- a/drivers/clk/ti/clk.c
++++ b/drivers/clk/ti/clk.c
+@@ -140,11 +140,12 @@ static struct device_node *ti_find_clock_provider(struct device_node *from,
+ break;
+ }
+ }
+- of_node_put(from);
+ kfree(tmp);
+
+- if (found)
++ if (found) {
++ of_node_put(from);
+ return np;
++ }
+
+ /* Fall back to using old node name base provider name */
+ return of_find_node_by_name(from, name);
+--
+2.35.1
+
--- /dev/null
+From 75c70986b1d322ec6054b247337c71442940c4ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jun 2022 07:08:36 +0400
+Subject: clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 9c59a01caba26ec06fefd6ca1f22d5fd1de57d63 ]
+
+pm_runtime_get_sync() will increment pm usage counter.
+Forgetting to putting operation will result in reference leak.
+Add missing pm_runtime_put_sync in some error paths.
+
+Fixes: 9ac33b0ce81f ("CLK: TI: Driver for DRA7 ATL (Audio Tracking Logic)")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220602030838.52057-1-linmq006@gmail.com
+Reviewed-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/ti/clk-dra7-atl.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/ti/clk-dra7-atl.c b/drivers/clk/ti/clk-dra7-atl.c
+index f0f5bf68b6d2..ff4d6a951681 100644
+--- a/drivers/clk/ti/clk-dra7-atl.c
++++ b/drivers/clk/ti/clk-dra7-atl.c
+@@ -245,14 +245,16 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_err("%s: failed to lookup atl clock %d\n", __func__,
+ i);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto pm_put;
+ }
+
+ clk = of_clk_get_from_provider(&clkspec);
+ if (IS_ERR(clk)) {
+ pr_err("%s: failed to get atl clock %d from provider\n",
+ __func__, i);
+- return PTR_ERR(clk);
++ ret = PTR_ERR(clk);
++ goto pm_put;
+ }
+
+ cdesc = to_atl_desc(__clk_get_hw(clk));
+@@ -285,8 +287,9 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev)
+ if (cdesc->enabled)
+ atl_clk_enable(__clk_get_hw(clk));
+ }
+- pm_runtime_put_sync(cinfo->dev);
+
++pm_put:
++ pm_runtime_put_sync(cinfo->dev);
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 6c59af31209c37db31722a85bf9d6bee5d4485e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 01:53:55 +0300
+Subject: clk: vc5: Fix 5P49V6901 outputs disabling when enabling FOD
+
+From: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+
+[ Upstream commit c388cc804016cf0f65afdc2362b120aa594ff3e6 ]
+
+We have discovered random glitches during the system boot up procedure.
+The problem investigation led us to the weird outcomes: when none of the
+Renesas 5P49V6901 ports are explicitly enabled by the kernel driver, the
+glitches disappeared. It was a mystery since the SoC external clock
+domains were fed with different 5P49V6901 outputs. The driver code didn't
+seem like bogus either. We almost despaired to find out a root cause when
+the solution has been found for a more modern revision of the chip. It
+turned out the 5P49V6901 clock generator stopped its output for a short
+period of time during the VC5_OUT_DIV_CONTROL register writing. The same
+problem was found for the 5P49V6965 revision of the chip and was
+successfully fixed in commit fc336ae622df ("clk: vc5: fix output disabling
+when enabling a FOD") by enabling the "bypass_sync" flag hidden inside
+"Unused Factory Reserved Register". Even though the 5P49V6901 registers
+description and programming guide doesn't provide any intel regarding that
+flag, setting it up anyway in the officially unused register completely
+eliminated the denoted glitches. Thus let's activate the functionality
+submitted in commit fc336ae622df ("clk: vc5: fix output disabling when
+enabling a FOD") for the Renesas 5P49V6901 chip too in order to remove the
+ports implicit inter-dependency.
+
+Fixes: dbf6b16f5683 ("clk: vc5: Add support for IDT VersaClock 5P49V6901")
+Signed-off-by: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Reviewed-by: Luca Ceresoli <luca@lucaceresoli.net>
+Link: https://lore.kernel.org/r/20220929225402.9696-2-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-versaclock5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/clk-versaclock5.c b/drivers/clk/clk-versaclock5.c
+index e7be3e54b9be..03cfef494b49 100644
+--- a/drivers/clk/clk-versaclock5.c
++++ b/drivers/clk/clk-versaclock5.c
+@@ -1204,7 +1204,7 @@ static const struct vc5_chip_info idt_5p49v6901_info = {
+ .model = IDT_VC6_5P49V6901,
+ .clk_fod_cnt = 4,
+ .clk_out_cnt = 5,
+- .flags = VC5_HAS_PFD_FREQ_DBL,
++ .flags = VC5_HAS_PFD_FREQ_DBL | VC5_HAS_BYPASS_SYNC_BIT,
+ };
+
+ static const struct vc5_chip_info idt_5p49v6965_info = {
+--
+2.35.1
+
--- /dev/null
+From 458b16c8aaa9753424bec956401dc1f9170ad2cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 May 2022 12:31:54 +0530
+Subject: clk: zynqmp: Fix stack-out-of-bounds in strncpy`
+
+From: Ian Nam <young.kwan.nam@xilinx.com>
+
+[ Upstream commit dd80fb2dbf1cd8751efbe4e53e54056f56a9b115 ]
+
+"BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68"
+
+Linux-ATF interface is using 16 bytes of SMC payload. In case clock name is
+longer than 15 bytes, string terminated NULL character will not be received
+by Linux. Add explicit NULL character at last byte to fix issues when clock
+name is longer.
+
+This fixes below bug reported by KASAN:
+
+ ==================================================================
+ BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68
+ Read of size 1 at addr ffff0008c89a7410 by task swapper/0/1
+
+ CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.4.0-00396-g81ef9e7-dirty #3
+ Hardware name: Xilinx Versal vck190 Eval board revA (QSPI) (DT)
+ Call trace:
+ dump_backtrace+0x0/0x1e8
+ show_stack+0x14/0x20
+ dump_stack+0xd4/0x108
+ print_address_description.isra.0+0xbc/0x37c
+ __kasan_report+0x144/0x198
+ kasan_report+0xc/0x18
+ __asan_load1+0x5c/0x68
+ strncpy+0x30/0x68
+ zynqmp_clock_probe+0x238/0x7b8
+ platform_drv_probe+0x6c/0xc8
+ really_probe+0x14c/0x418
+ driver_probe_device+0x74/0x130
+ __device_attach_driver+0xc4/0xe8
+ bus_for_each_drv+0xec/0x150
+ __device_attach+0x160/0x1d8
+ device_initial_probe+0x10/0x18
+ bus_probe_device+0xe0/0xf0
+ device_add+0x528/0x950
+ of_device_add+0x5c/0x80
+ of_platform_device_create_pdata+0x120/0x168
+ of_platform_bus_create+0x244/0x4e0
+ of_platform_populate+0x50/0xe8
+ zynqmp_firmware_probe+0x370/0x3a8
+ platform_drv_probe+0x6c/0xc8
+ really_probe+0x14c/0x418
+ driver_probe_device+0x74/0x130
+ device_driver_attach+0x94/0xa0
+ __driver_attach+0x70/0x108
+ bus_for_each_dev+0xe4/0x158
+ driver_attach+0x30/0x40
+ bus_add_driver+0x21c/0x2b8
+ driver_register+0xbc/0x1d0
+ __platform_driver_register+0x7c/0x88
+ zynqmp_firmware_driver_init+0x1c/0x24
+ do_one_initcall+0xa4/0x234
+ kernel_init_freeable+0x1b0/0x24c
+ kernel_init+0x10/0x110
+ ret_from_fork+0x10/0x18
+
+ The buggy address belongs to the page:
+ page:ffff0008f9be1c88 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
+ raw: 0008d00000000000 ffff0008f9be1c90 ffff0008f9be1c90 0000000000000000
+ raw: 0000000000000000 0000000000000000 00000000ffffffff
+ page dumped because: kasan: bad access detected
+
+ addr ffff0008c89a7410 is located in stack of task swapper/0/1 at offset 112 in frame:
+ zynqmp_clock_probe+0x0/0x7b8
+
+ this frame has 3 objects:
+ [32, 44) 'response'
+ [64, 80) 'ret_payload'
+ [96, 112) 'name'
+
+ Memory state around the buggy address:
+ ffff0008c89a7300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff0008c89a7380: 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2 00 00 f2 f2
+ >ffff0008c89a7400: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
+ ^
+ ffff0008c89a7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff0008c89a7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ==================================================================
+
+Signed-off-by: Ian Nam <young.kwan.nam@xilinx.com>
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Link: https://lore.kernel.org/r/20220510070154.29528-3-shubhrajyoti.datta@xilinx.com
+Acked-by: Michal Simek <michal.simek@amd.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/zynqmp/clkc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/clk/zynqmp/clkc.c b/drivers/clk/zynqmp/clkc.c
+index eb25303eefed..2c9da6623b84 100644
+--- a/drivers/clk/zynqmp/clkc.c
++++ b/drivers/clk/zynqmp/clkc.c
+@@ -710,6 +710,13 @@ static void zynqmp_get_clock_info(void)
+ FIELD_PREP(CLK_ATTR_NODE_INDEX, i);
+
+ zynqmp_pm_clock_get_name(clock[i].clk_id, &name);
++
++ /*
++ * Terminate with NULL character in case name provided by firmware
++ * is longer and truncated due to size limit.
++ */
++ name.name[sizeof(name.name) - 1] = '\0';
++
+ if (!strcmp(name.name, RESERVED_CLK_NAME))
+ continue;
+ strncpy(clock[i].clk_name, name.name, MAX_NAME_LEN);
+--
+2.35.1
+
--- /dev/null
+From d1776d109ec6ffc33576b5f9cb4c296b2c528a63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 22:20:30 +0800
+Subject: clk: zynqmp: pll: rectify rate rounding in zynqmp_pll_round_rate
+
+From: Quanyang Wang <quanyang.wang@windriver.com>
+
+[ Upstream commit 30eaf02149ecc3c5815e45d27187bf09e925071d ]
+
+The function zynqmp_pll_round_rate is used to find a most appropriate
+PLL frequency which the hardware can generate according to the desired
+frequency. For example, if the desired frequency is 297MHz, considering
+the limited range from PS_PLL_VCO_MIN (1.5GHz) to PS_PLL_VCO_MAX (3.0GHz)
+of PLL, zynqmp_pll_round_rate should return 1.872GHz (297MHz * 5).
+
+There are two problems with the current code of zynqmp_pll_round_rate:
+
+1) When the rate is below PS_PLL_VCO_MIN, it can't find a correct rate
+when the parameter "rate" is an integer multiple of *prate, in other words,
+if "f" is zero, zynqmp_pll_round_rate won't return a valid frequency which
+is from PS_PLL_VCO_MIN to PS_PLL_VCO_MAX. For example, *prate is 33MHz
+and the rate is 660MHz, zynqmp_pll_round_rate will not boost up rate and
+just return 660MHz, and this will cause clk_calc_new_rates failure since
+zynqmp_pll_round_rate returns an invalid rate out of its boundaries.
+
+2) Even if the rate is higher than PS_PLL_VCO_MIN, there is still a risk
+that zynqmp_pll_round_rate returns an invalid rate because the function
+DIV_ROUND_CLOSEST makes some loss in the fractional part. If the parent
+clock *prate is 33333333Hz and we want to set the PLL rate to 1.5GHz,
+this function will return 1499999985Hz by using the formula below:
+ value = *prate * DIV_ROUND_CLOSEST(rate, *prate)).
+This value is also invalid since it's slightly smaller than PS_PLL_VCO_MIN.
+because DIV_ROUND_CLOSEST makes some loss in the fractional part.
+
+Signed-off-by: Quanyang Wang <quanyang.wang@windriver.com>
+Link: https://lore.kernel.org/r/20220826142030.213805-1-quanyang.wang@windriver.com
+Reviewed-by: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/zynqmp/pll.c | 31 +++++++++++++++----------------
+ 1 file changed, 15 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/clk/zynqmp/pll.c b/drivers/clk/zynqmp/pll.c
+index 91a6b4cc910e..0d3e1377b092 100644
+--- a/drivers/clk/zynqmp/pll.c
++++ b/drivers/clk/zynqmp/pll.c
+@@ -102,26 +102,25 @@ static long zynqmp_pll_round_rate(struct clk_hw *hw, unsigned long rate,
+ unsigned long *prate)
+ {
+ u32 fbdiv;
+- long rate_div, f;
++ u32 mult, div;
+
+- /* Enable the fractional mode if needed */
+- rate_div = (rate * FRAC_DIV) / *prate;
+- f = rate_div % FRAC_DIV;
+- if (f) {
+- if (rate > PS_PLL_VCO_MAX) {
+- fbdiv = rate / PS_PLL_VCO_MAX;
+- rate = rate / (fbdiv + 1);
+- }
+- if (rate < PS_PLL_VCO_MIN) {
+- fbdiv = DIV_ROUND_UP(PS_PLL_VCO_MIN, rate);
+- rate = rate * fbdiv;
+- }
+- return rate;
++ /* Let rate fall inside the range PS_PLL_VCO_MIN ~ PS_PLL_VCO_MAX */
++ if (rate > PS_PLL_VCO_MAX) {
++ div = DIV_ROUND_UP(rate, PS_PLL_VCO_MAX);
++ rate = rate / div;
++ }
++ if (rate < PS_PLL_VCO_MIN) {
++ mult = DIV_ROUND_UP(PS_PLL_VCO_MIN, rate);
++ rate = rate * mult;
+ }
+
+ fbdiv = DIV_ROUND_CLOSEST(rate, *prate);
+- fbdiv = clamp_t(u32, fbdiv, PLL_FBDIV_MIN, PLL_FBDIV_MAX);
+- return *prate * fbdiv;
++ if (fbdiv < PLL_FBDIV_MIN || fbdiv > PLL_FBDIV_MAX) {
++ fbdiv = clamp_t(u32, fbdiv, PLL_FBDIV_MIN, PLL_FBDIV_MAX);
++ rate = *prate * fbdiv;
++ }
++
++ return rate;
+ }
+
+ /**
+--
+2.35.1
+
--- /dev/null
+From aa35da596b448f6d4fb9d11ae03265fd6628f0c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Sep 2022 14:14:24 +0800
+Subject: clocksource/drivers/arm_arch_timer: Fix handling of ARM erratum
+ 858921
+
+From: Kunkun Jiang <jiangkunkun@huawei.com>
+
+[ Upstream commit 6c3b62d93e195f78c1437c8fa7581e9b2f00886e ]
+
+The commit a38b71b0833e ("clocksource/drivers/arm_arch_timer:
+Move system register timer programming over to CVAL") moves the
+programming of the timers from the countdown timer (TVAL) over
+to the comparator (CVAL). This makes it necessary to read the
+counter when programming next event. However, the workaround of
+Cortex-A73 erratum 858921 does not set the corresponding
+set_next_event_phys and set_next_event_virt.
+
+Add the appropriate hooks to apply the erratum mitigation when
+programming the next timer event.
+
+Fixes: a38b71b0833e ("clocksource/drivers/arm_arch_timer: Move system register timer programming over to CVAL")
+Signed-off-by: Kunkun Jiang <jiangkunkun@huawei.com>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
+Link: https://lore.kernel.org/r/20220914061424.1260-1-jiangkunkun@huawei.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/arm_arch_timer.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clocksource/arm_arch_timer.c b/drivers/clocksource/arm_arch_timer.c
+index 8122a1646925..a7ff77550e17 100644
+--- a/drivers/clocksource/arm_arch_timer.c
++++ b/drivers/clocksource/arm_arch_timer.c
+@@ -473,6 +473,8 @@ static const struct arch_timer_erratum_workaround ool_workarounds[] = {
+ .desc = "ARM erratum 858921",
+ .read_cntpct_el0 = arm64_858921_read_cntpct_el0,
+ .read_cntvct_el0 = arm64_858921_read_cntvct_el0,
++ .set_next_event_phys = erratum_set_next_event_phys,
++ .set_next_event_virt = erratum_set_next_event_virt,
+ },
+ #endif
+ #ifdef CONFIG_SUN50I_ERRATUM_UNKNOWN1
+--
+2.35.1
+
--- /dev/null
+From fa28dbe36d36001f3fc47181cdd5dd4c4e66647c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Sep 2022 11:30:18 +0800
+Subject: clocksource/drivers/timer-gxp: Add missing error handling in
+ gxp_timer_probe
+
+From: Lin Yujun <linyujun809@huawei.com>
+
+[ Upstream commit 0e2c8e6d769bcdc4f6634a02c545356282275e68 ]
+
+Add platform_device_put() to make sure to free the platform
+device in the event platform_device_add() fails.
+
+Fixes: 5184f4bf151b ("clocksource/drivers/timer-gxp: Add HPE GXP Timer")
+Signed-off-by: Lin Yujun <linyujun809@huawei.com>
+Link: https://lore.kernel.org/r/20220914033018.97484-1-linyujun809@huawei.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-gxp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clocksource/timer-gxp.c b/drivers/clocksource/timer-gxp.c
+index 8b38b3212388..fe4fa8d7b3f1 100644
+--- a/drivers/clocksource/timer-gxp.c
++++ b/drivers/clocksource/timer-gxp.c
+@@ -171,6 +171,7 @@ static int gxp_timer_probe(struct platform_device *pdev)
+ {
+ struct platform_device *gxp_watchdog_device;
+ struct device *dev = &pdev->dev;
++ int ret;
+
+ if (!gxp_timer) {
+ pr_err("Gxp Timer not initialized, cannot create watchdog");
+@@ -187,7 +188,11 @@ static int gxp_timer_probe(struct platform_device *pdev)
+ gxp_watchdog_device->dev.platform_data = gxp_timer->counter;
+ gxp_watchdog_device->dev.parent = dev;
+
+- return platform_device_add(gxp_watchdog_device);
++ ret = platform_device_add(gxp_watchdog_device);
++ if (ret)
++ platform_device_put(gxp_watchdog_device);
++
++ return ret;
+ }
+
+ static const struct of_device_id gxp_timer_of_match[] = {
+--
+2.35.1
+
--- /dev/null
+From d25068b9669700293c08becb7fcdd86694868809 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Jul 2022 09:06:48 +0200
+Subject: coresight: docs: Fix a broken reference
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit b99ee26a1a98a8ac0d8241224c40e6c047091d4d ]
+
+Since the commit in Fixes: tag, "coresight-cpu-debug.txt" has been turned
+into "arm,coresight-cpu-debug.yaml".
+
+Update the doc accordingly to avoid a 'make htmldocs' warning
+
+Fixes: 66d052047ca8 ("dt-bindings: arm: Convert CoreSight CPU debug to DT schema")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: James Clark <james.clark@arm.com>
+Link: https://lore.kernel.org/r/c7f864854e9e03916017712017ff59132c51c338.1659251193.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/trace/coresight/coresight-cpu-debug.rst | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/trace/coresight/coresight-cpu-debug.rst b/Documentation/trace/coresight/coresight-cpu-debug.rst
+index 993dd294b81b..836b35532667 100644
+--- a/Documentation/trace/coresight/coresight-cpu-debug.rst
++++ b/Documentation/trace/coresight/coresight-cpu-debug.rst
+@@ -117,7 +117,8 @@ divide into below cases:
+ Device Tree Bindings
+ --------------------
+
+-See Documentation/devicetree/bindings/arm/coresight-cpu-debug.txt for details.
++See Documentation/devicetree/bindings/arm/arm,coresight-cpu-debug.yaml for
++details.
+
+
+ How to use the module
+--
+2.35.1
+
--- /dev/null
+From 85c37cb7cbe5ccb30663f4f827c120c68acfcc90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Jul 2022 18:59:25 -0700
+Subject: coresight: trbe: fix Kconfig "its" grammar
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 8c6989e5463a2d9415b743a20e3b843a2354beec ]
+
+Use the possessive "its" instead of the contraction "it's"
+where appropriate.
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Anshuman Khandual <anshuman.khandual@arm.com>
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: coresight@lists.linaro.org
+Cc: linux-arm-kernel@lists.infradead.org
+Link: https://lore.kernel.org/r/20220715015925.12569-1-rdunlap@infradead.org
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Stable-dep-of: b99ee26a1a98 ("coresight: docs: Fix a broken reference")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwtracing/coresight/Kconfig b/drivers/hwtracing/coresight/Kconfig
+index 514a9b8086e3..45c1eb5dfcb7 100644
+--- a/drivers/hwtracing/coresight/Kconfig
++++ b/drivers/hwtracing/coresight/Kconfig
+@@ -193,10 +193,10 @@ config CORESIGHT_TRBE
+ depends on ARM64 && CORESIGHT_SOURCE_ETM4X
+ help
+ This driver provides support for percpu Trace Buffer Extension (TRBE).
+- TRBE always needs to be used along with it's corresponding percpu ETE
++ TRBE always needs to be used along with its corresponding percpu ETE
+ component. ETE generates trace data which is then captured with TRBE.
+ Unlike traditional sink devices, TRBE is a CPU feature accessible via
+- system registers. But it's explicit dependency with trace unit (ETE)
++ system registers. But its explicit dependency with trace unit (ETE)
+ requires it to be plugged in as a coresight sink device.
+
+ To compile this driver as a module, choose M here: the module will be
+--
+2.35.1
+
--- /dev/null
+From 3e76fdfd0fda435ad5e0a1eed28143634ea9111f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 09:56:00 +0800
+Subject: cpufreq: amd-pstate: Fix initial highest_perf value
+
+From: Perry Yuan <Perry.Yuan@amd.com>
+
+[ Upstream commit bedadcfb011fef55273bd686e8893fdd8911dcdb ]
+
+To avoid some new AMD processors use wrong highest perf when amd pstate
+driver loaded, this fix will query the highest perf from MSR register
+MSR_AMD_CPPC_CAP1 and cppc_acpi interface firstly, then compare with the
+highest perf value got by calling amd_get_highest_perf() function.
+
+The lower value will be the correct highest perf we need to use.
+Otherwise the CPU max MHz will be incorrect if the
+amd_get_highest_perf() did not cover the new process family and model ID.
+
+Like this lscpu info, the max frequency is incorrect.
+
+Vendor ID: AuthenticAMD
+ Socket(s): 1
+ Stepping: 2
+ CPU max MHz: 5410.0000
+ CPU min MHz: 400.0000
+ BogoMIPS: 5600.54
+
+Fixes: 3743d55b289c2 (x86, sched: Fix the AMD CPPC maximum performance value on certain AMD Ryzen generations)
+Acked-by: Huang Rui <ray.huang@amd.com>
+Signed-off-by: Perry Yuan <Perry.Yuan@amd.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/amd-pstate.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cpufreq/amd-pstate.c b/drivers/cpufreq/amd-pstate.c
+index 9ac75c1cde9c..365f3ad166a7 100644
+--- a/drivers/cpufreq/amd-pstate.c
++++ b/drivers/cpufreq/amd-pstate.c
+@@ -152,6 +152,7 @@ static inline int amd_pstate_enable(bool enable)
+ static int pstate_init_perf(struct amd_cpudata *cpudata)
+ {
+ u64 cap1;
++ u32 highest_perf;
+
+ int ret = rdmsrl_safe_on_cpu(cpudata->cpu, MSR_AMD_CPPC_CAP1,
+ &cap1);
+@@ -163,7 +164,11 @@ static int pstate_init_perf(struct amd_cpudata *cpudata)
+ *
+ * CPPC entry doesn't indicate the highest performance in some ASICs.
+ */
+- WRITE_ONCE(cpudata->highest_perf, amd_get_highest_perf());
++ highest_perf = amd_get_highest_perf();
++ if (highest_perf > AMD_CPPC_HIGHEST_PERF(cap1))
++ highest_perf = AMD_CPPC_HIGHEST_PERF(cap1);
++
++ WRITE_ONCE(cpudata->highest_perf, highest_perf);
+
+ WRITE_ONCE(cpudata->nominal_perf, AMD_CPPC_NOMINAL_PERF(cap1));
+ WRITE_ONCE(cpudata->lowest_nonlinear_perf, AMD_CPPC_LOWNONLIN_PERF(cap1));
+@@ -175,12 +180,17 @@ static int pstate_init_perf(struct amd_cpudata *cpudata)
+ static int cppc_init_perf(struct amd_cpudata *cpudata)
+ {
+ struct cppc_perf_caps cppc_perf;
++ u32 highest_perf;
+
+ int ret = cppc_get_perf_caps(cpudata->cpu, &cppc_perf);
+ if (ret)
+ return ret;
+
+- WRITE_ONCE(cpudata->highest_perf, amd_get_highest_perf());
++ highest_perf = amd_get_highest_perf();
++ if (highest_perf > cppc_perf.highest_perf)
++ highest_perf = cppc_perf.highest_perf;
++
++ WRITE_ONCE(cpudata->highest_perf, highest_perf);
+
+ WRITE_ONCE(cpudata->nominal_perf, cppc_perf.nominal_perf);
+ WRITE_ONCE(cpudata->lowest_nonlinear_perf,
+--
+2.35.1
+
--- /dev/null
+From d6187669e61fb32ccc9e516ce5fff0c186cfffa6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Aug 2022 00:35:45 +0800
+Subject: cpufreq: amd_pstate: fix wrong lowest perf fetch
+
+From: Perry Yuan <Perry.Yuan@amd.com>
+
+[ Upstream commit b185c5053c65b7704ead4537e4d4d9b33dc398dc ]
+
+Fix the wrong lowest perf value reading which is used for new
+des_perf calculation by governor requested, the incorrect min_perf will
+get incorrect des_perf to be set , that will cause the system frequency
+changing unexpectedly.
+
+Reviewed-by: Huang Rui <ray.huang@amd.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Perry Yuan <Perry.Yuan@amd.com>
+Signed-off-by: Su Jinzhou <jinzhou.su@amd.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/amd-pstate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/amd-pstate.c b/drivers/cpufreq/amd-pstate.c
+index 365f3ad166a7..d63a28c5f95a 100644
+--- a/drivers/cpufreq/amd-pstate.c
++++ b/drivers/cpufreq/amd-pstate.c
+@@ -322,7 +322,7 @@ static int amd_pstate_target(struct cpufreq_policy *policy,
+ return -ENODEV;
+
+ cap_perf = READ_ONCE(cpudata->highest_perf);
+- min_perf = READ_ONCE(cpudata->lowest_nonlinear_perf);
++ min_perf = READ_ONCE(cpudata->lowest_perf);
+ max_perf = cap_perf;
+
+ freqs.old = policy->cur;
+--
+2.35.1
+
--- /dev/null
+From c2e989bec5ce541cd7d4ad84dbfe55865b99380f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Sep 2022 13:28:57 -0700
+Subject: cpufreq: intel_pstate: Add Tigerlake support in no-HWP mode
+
+From: Doug Smythies <dsmythies@telus.net>
+
+[ Upstream commit 71bb5c82aaaea007167f3ba68d3a669c74d7d55d ]
+
+Users may disable HWP in firmware, in which case intel_pstate wouldn't load
+unless the CPU model is explicitly supported.
+
+Add TIGERLAKE to the list of CPUs that can register intel_pstate while not
+advertising the HWP capability. Without this change, an TIGERLAKE in no-HWP
+mode could only use the acpi_cpufreq frequency scaling driver.
+
+See also commits:
+d8de7a44e11f: cpufreq: intel_pstate: Add Skylake servers support
+fbdc21e9b038: cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode
+706c5328851d: cpufreq: intel_pstate: Add Cometlake support in no-HWP mode
+
+Reported by: M. Cargi Ari <cagriari@pm.me>
+Signed-off-by: Doug Smythies <dsmythies@telus.net>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/intel_pstate.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
+index 57cdb3679885..fc3ebeb0bbe5 100644
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -2416,6 +2416,7 @@ static const struct x86_cpu_id intel_pstate_cpu_ids[] = {
+ X86_MATCH(SKYLAKE_X, core_funcs),
+ X86_MATCH(COMETLAKE, core_funcs),
+ X86_MATCH(ICELAKE_X, core_funcs),
++ X86_MATCH(TIGERLAKE, core_funcs),
+ {}
+ };
+ MODULE_DEVICE_TABLE(x86cpu, intel_pstate_cpu_ids);
+--
+2.35.1
+
--- /dev/null
+From c9edb433f1aae3016b59e5cff9c4eab1b297c081 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Jul 2022 14:15:53 +0530
+Subject: cpuidle: riscv-sbi: Fix CPU_PM_CPU_IDLE_ENTER_xyz() macro usage
+
+From: Anup Patel <apatel@ventanamicro.com>
+
+[ Upstream commit cfadbb9df8c4dc917787da4458327e5ec14743d4 ]
+
+Currently, we are using CPU_PM_CPU_IDLE_ENTER_PARAM() for all SBI HSM
+suspend types so retentive suspend types are also treated non-retentive
+and kernel will do redundant additional work for these states.
+
+The BIT[31] of SBI HSM suspend types allows us to differentiate between
+retentive and non-retentive suspend types so we should use this BIT
+to call appropriate CPU_PM_CPU_IDLE_ENTER_xyz() macro.
+
+Fixes: 6abf32f1d9c5 ("cpuidle: Add RISC-V SBI CPU idle driver")
+Signed-off-by: Anup Patel <apatel@ventanamicro.com>
+Link: https://lore.kernel.org/r/20220718084553.2056169-1-apatel@ventanamicro.com/
+Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpuidle/cpuidle-riscv-sbi.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/cpuidle/cpuidle-riscv-sbi.c b/drivers/cpuidle/cpuidle-riscv-sbi.c
+index 862a2876f1c9..05fe2902df9a 100644
+--- a/drivers/cpuidle/cpuidle-riscv-sbi.c
++++ b/drivers/cpuidle/cpuidle-riscv-sbi.c
+@@ -97,8 +97,13 @@ static int sbi_cpuidle_enter_state(struct cpuidle_device *dev,
+ struct cpuidle_driver *drv, int idx)
+ {
+ u32 *states = __this_cpu_read(sbi_cpuidle_data.states);
++ u32 state = states[idx];
+
+- return CPU_PM_CPU_IDLE_ENTER_PARAM(sbi_suspend, idx, states[idx]);
++ if (state & SBI_HSM_SUSP_NON_RET_BIT)
++ return CPU_PM_CPU_IDLE_ENTER_PARAM(sbi_suspend, idx, state);
++ else
++ return CPU_PM_CPU_IDLE_ENTER_RETENTION_PARAM(sbi_suspend,
++ idx, state);
+ }
+
+ static int __sbi_enter_domain_idle_state(struct cpuidle_device *dev,
+--
+2.35.1
+
--- /dev/null
+From 09fd9e789436b513e000c4c3a59b7cb906b53d09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Aug 2022 19:37:06 +0100
+Subject: crypto: akcipher - default implementation for setting a private key
+
+From: Ignat Korchagin <ignat@cloudflare.com>
+
+[ Upstream commit bc155c6c188c2f0c5749993b1405673d25a80389 ]
+
+Changes from v1:
+ * removed the default implementation from set_pub_key: it is assumed that
+ an implementation must always have this callback defined as there are
+ no use case for an algorithm, which doesn't need a public key
+
+Many akcipher implementations (like ECDSA) support only signature
+verifications, so they don't have all callbacks defined.
+
+Commit 78a0324f4a53 ("crypto: akcipher - default implementations for
+request callbacks") introduced default callbacks for sign/verify
+operations, which just return an error code.
+
+However, these are not enough, because before calling sign the caller would
+likely call set_priv_key first on the instantiated transform (as the
+in-kernel testmgr does). This function does not have a default stub, so the
+kernel crashes, when trying to set a private key on an akcipher, which
+doesn't support signature generation.
+
+I've noticed this, when trying to add a KAT vector for ECDSA signature to
+the testmgr.
+
+With this patch the testmgr returns an error in dmesg (as it should)
+instead of crashing the kernel NULL ptr dereference.
+
+Fixes: 78a0324f4a53 ("crypto: akcipher - default implementations for request callbacks")
+Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/akcipher.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/crypto/akcipher.c b/crypto/akcipher.c
+index f866085c8a4a..ab975a420e1e 100644
+--- a/crypto/akcipher.c
++++ b/crypto/akcipher.c
+@@ -120,6 +120,12 @@ static int akcipher_default_op(struct akcipher_request *req)
+ return -ENOSYS;
+ }
+
++static int akcipher_default_set_key(struct crypto_akcipher *tfm,
++ const void *key, unsigned int keylen)
++{
++ return -ENOSYS;
++}
++
+ int crypto_register_akcipher(struct akcipher_alg *alg)
+ {
+ struct crypto_alg *base = &alg->base;
+@@ -132,6 +138,8 @@ int crypto_register_akcipher(struct akcipher_alg *alg)
+ alg->encrypt = akcipher_default_op;
+ if (!alg->decrypt)
+ alg->decrypt = akcipher_default_op;
++ if (!alg->set_priv_key)
++ alg->set_priv_key = akcipher_default_set_key;
+
+ akcipher_prepare_alg(alg);
+ return crypto_register_alg(base);
+--
+2.35.1
+
--- /dev/null
+From d1a8ad3a71b749a9d5d73bad6333585bed5bef8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 09:43:27 +0300
+Subject: crypto: cavium - prevent integer overflow loading firmware
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 2526d6bf27d15054bb0778b2f7bc6625fd934905 ]
+
+The "code_length" value comes from the firmware file. If your firmware
+is untrusted realistically there is probably very little you can do to
+protect yourself. Still we try to limit the damage as much as possible.
+Also Smatch marks any data read from the filesystem as untrusted and
+prints warnings if it not capped correctly.
+
+The "ntohl(ucode->code_length) * 2" multiplication can have an
+integer overflow.
+
+Fixes: 9e2c7d99941d ("crypto: cavium - Add Support for Octeon-tx CPT Engine")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/cavium/cpt/cptpf_main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/cavium/cpt/cptpf_main.c b/drivers/crypto/cavium/cpt/cptpf_main.c
+index 8c32d0eb8fcf..6872ac344001 100644
+--- a/drivers/crypto/cavium/cpt/cptpf_main.c
++++ b/drivers/crypto/cavium/cpt/cptpf_main.c
+@@ -253,6 +253,7 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae)
+ const struct firmware *fw_entry;
+ struct device *dev = &cpt->pdev->dev;
+ struct ucode_header *ucode;
++ unsigned int code_length;
+ struct microcode *mcode;
+ int j, ret = 0;
+
+@@ -263,11 +264,12 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae)
+ ucode = (struct ucode_header *)fw_entry->data;
+ mcode = &cpt->mcode[cpt->next_mc_idx];
+ memcpy(mcode->version, (u8 *)fw_entry->data, CPT_UCODE_VERSION_SZ);
+- mcode->code_size = ntohl(ucode->code_length) * 2;
+- if (!mcode->code_size) {
++ code_length = ntohl(ucode->code_length);
++ if (code_length == 0 || code_length >= INT_MAX / 2) {
+ ret = -EINVAL;
+ goto fw_release;
+ }
++ mcode->code_size = code_length * 2;
+
+ mcode->is_ae = is_ae;
+ mcode->core_mask = 0ULL;
+--
+2.35.1
+
--- /dev/null
+From 787887b29c40fae5189d4d85469e7b1c7aa60d4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 19:32:09 +0000
+Subject: crypto: ccp - Fail the PSP initialization when writing psp data file
+ failed
+
+From: Jacky Li <jackyli@google.com>
+
+[ Upstream commit efb4b01c1c993d245e6608076684ff2162cf9dc6 ]
+
+Currently the OS continues the PSP initialization when there is a write
+failure to the init_ex_file. Therefore, the userspace would be told that
+SEV is properly INIT'd even though the psp data file is not updated.
+This is problematic because later when asked for the SEV data, the OS
+won't be able to provide it.
+
+Fixes: 3d725965f836 ("crypto: ccp - Add SEV_INIT_EX support")
+Reported-by: Peter Gonda <pgonda@google.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Jacky Li <jackyli@google.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/sev-dev.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c
+index 9f588c9728f8..6c49e6d06114 100644
+--- a/drivers/crypto/ccp/sev-dev.c
++++ b/drivers/crypto/ccp/sev-dev.c
+@@ -231,7 +231,7 @@ static int sev_read_init_ex_file(void)
+ return 0;
+ }
+
+-static void sev_write_init_ex_file(void)
++static int sev_write_init_ex_file(void)
+ {
+ struct sev_device *sev = psp_master->sev_data;
+ struct file *fp;
+@@ -241,14 +241,16 @@ static void sev_write_init_ex_file(void)
+ lockdep_assert_held(&sev_cmd_mutex);
+
+ if (!sev_init_ex_buffer)
+- return;
++ return 0;
+
+ fp = open_file_as_root(init_ex_path, O_CREAT | O_WRONLY, 0600);
+ if (IS_ERR(fp)) {
++ int ret = PTR_ERR(fp);
++
+ dev_err(sev->dev,
+- "SEV: could not open file for write, error %ld\n",
+- PTR_ERR(fp));
+- return;
++ "SEV: could not open file for write, error %d\n",
++ ret);
++ return ret;
+ }
+
+ nwrite = kernel_write(fp, sev_init_ex_buffer, NV_LENGTH, &offset);
+@@ -259,18 +261,20 @@ static void sev_write_init_ex_file(void)
+ dev_err(sev->dev,
+ "SEV: failed to write %u bytes to non volatile memory area, ret %ld\n",
+ NV_LENGTH, nwrite);
+- return;
++ return -EIO;
+ }
+
+ dev_dbg(sev->dev, "SEV: write successful to NV file\n");
++
++ return 0;
+ }
+
+-static void sev_write_init_ex_file_if_required(int cmd_id)
++static int sev_write_init_ex_file_if_required(int cmd_id)
+ {
+ lockdep_assert_held(&sev_cmd_mutex);
+
+ if (!sev_init_ex_buffer)
+- return;
++ return 0;
+
+ /*
+ * Only a few platform commands modify the SPI/NV area, but none of the
+@@ -285,10 +289,10 @@ static void sev_write_init_ex_file_if_required(int cmd_id)
+ case SEV_CMD_PEK_GEN:
+ break;
+ default:
+- return;
++ return 0;
+ }
+
+- sev_write_init_ex_file();
++ return sev_write_init_ex_file();
+ }
+
+ static int __sev_do_cmd_locked(int cmd, void *data, int *psp_ret)
+@@ -361,7 +365,7 @@ static int __sev_do_cmd_locked(int cmd, void *data, int *psp_ret)
+ cmd, reg & PSP_CMDRESP_ERR_MASK);
+ ret = -EIO;
+ } else {
+- sev_write_init_ex_file_if_required(cmd);
++ ret = sev_write_init_ex_file_if_required(cmd);
+ }
+
+ print_hex_dump_debug("(out): ", DUMP_PREFIX_OFFSET, 16, 2, data,
+--
+2.35.1
+
--- /dev/null
+From d63b9f663d3d607de0ffb91aa642361af05a8503 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 22:47:12 +0800
+Subject: crypto: ccp - Release dma channels before dmaengine unrgister
+
+From: Koba Ko <koba.ko@canonical.com>
+
+[ Upstream commit 68dbe80f5b510c66c800b9e8055235c5b07e37d1 ]
+
+A warning is shown during shutdown,
+
+__dma_async_device_channel_unregister called while 2 clients hold a reference
+WARNING: CPU: 15 PID: 1 at drivers/dma/dmaengine.c:1110 __dma_async_device_channel_unregister+0xb7/0xc0
+
+Call dma_release_channel for occupied channles before dma_async_device_unregister.
+
+Fixes: 54cce8ecb925 ("crypto: ccp - ccp_dmaengine_unregister release dma channels")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Koba Ko <koba.ko@canonical.com>
+Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/ccp-dmaengine.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/ccp/ccp-dmaengine.c b/drivers/crypto/ccp/ccp-dmaengine.c
+index 7d4b4ad1db1f..9f753cb4f5f1 100644
+--- a/drivers/crypto/ccp/ccp-dmaengine.c
++++ b/drivers/crypto/ccp/ccp-dmaengine.c
+@@ -641,6 +641,10 @@ static void ccp_dma_release(struct ccp_device *ccp)
+ for (i = 0; i < ccp->cmd_q_count; i++) {
+ chan = ccp->ccp_dma_chan + i;
+ dma_chan = &chan->dma_chan;
++
++ if (dma_chan->client_count)
++ dma_release_channel(dma_chan);
++
+ tasklet_kill(&chan->cleanup_tasklet);
+ list_del_rcu(&dma_chan->device_node);
+ }
+@@ -766,8 +770,8 @@ void ccp_dmaengine_unregister(struct ccp_device *ccp)
+ if (!dmaengine)
+ return;
+
+- dma_async_device_unregister(dma_dev);
+ ccp_dma_release(ccp);
++ dma_async_device_unregister(dma_dev);
+
+ kmem_cache_destroy(ccp->dma_desc_cache);
+ kmem_cache_destroy(ccp->dma_cmd_cache);
+--
+2.35.1
+
--- /dev/null
+From 275e62c7a374401754a60e6f9e57b54ed1412dcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Aug 2022 18:27:37 +0800
+Subject: crypto: hisilicon/qm - fix missing put dfx access
+
+From: Weili Qian <qianweili@huawei.com>
+
+[ Upstream commit 5afc904f443de2afd31c4e0686ba178beede86fe ]
+
+In function qm_cmd_write(), if function returns from
+branch 'atomic_read(&qm->status.flags) == QM_STOP',
+the got dfx access is forgotten to put.
+
+Fixes: 607c191b371d ("crypto: hisilicon - support runtime PM for accelerator device")
+Signed-off-by: Weili Qian <qianweili@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/qm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
+index ad83c194d664..9fa2efe60153 100644
+--- a/drivers/crypto/hisilicon/qm.c
++++ b/drivers/crypto/hisilicon/qm.c
+@@ -2245,8 +2245,10 @@ static ssize_t qm_cmd_write(struct file *filp, const char __user *buffer,
+ return ret;
+
+ /* Judge if the instance is being reset. */
+- if (unlikely(atomic_read(&qm->status.flags) == QM_STOP))
+- return 0;
++ if (unlikely(atomic_read(&qm->status.flags) == QM_STOP)) {
++ ret = 0;
++ goto put_dfx_access;
++ }
+
+ if (count > QM_DBG_WRITE_LEN) {
+ ret = -ENOSPC;
+--
+2.35.1
+
--- /dev/null
+From dfe95f0ee22c5080d24ea17e496b8e9538c86f17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Jul 2022 10:07:58 +0800
+Subject: crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr
+
+From: Ye Weihua <yeweihua4@huawei.com>
+
+[ Upstream commit d74f9340097a881869c4c22ca376654cc2516ecc ]
+
+KASAN reported this Bug:
+
+ [17619.659757] BUG: KASAN: global-out-of-bounds in param_get_int+0x34/0x60
+ [17619.673193] Read of size 4 at addr fffff01332d7ed00 by task read_all/1507958
+ ...
+ [17619.698934] The buggy address belongs to the variable:
+ [17619.708371] sgl_sge_nr+0x0/0xffffffffffffa300 [hisi_zip]
+
+There is a mismatch in hisi_zip when get/set the variable sgl_sge_nr.
+The type of sgl_sge_nr is u16, and get/set sgl_sge_nr by
+param_get/set_int.
+
+Replacing param_get/set_int to param_get/set_ushort can fix this bug.
+
+Fixes: f081fda293ffb ("crypto: hisilicon - add sgl_sge_nr module param for zip")
+Signed-off-by: Ye Weihua <yeweihua4@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/zip/zip_crypto.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/zip/zip_crypto.c b/drivers/crypto/hisilicon/zip/zip_crypto.c
+index ad35434a3fdb..06a2d6e81ae9 100644
+--- a/drivers/crypto/hisilicon/zip/zip_crypto.c
++++ b/drivers/crypto/hisilicon/zip/zip_crypto.c
+@@ -123,12 +123,12 @@ static int sgl_sge_nr_set(const char *val, const struct kernel_param *kp)
+ if (ret || n == 0 || n > HISI_ACC_SGL_SGE_NR_MAX)
+ return -EINVAL;
+
+- return param_set_int(val, kp);
++ return param_set_ushort(val, kp);
+ }
+
+ static const struct kernel_param_ops sgl_sge_nr_ops = {
+ .set = sgl_sge_nr_set,
+- .get = param_get_int,
++ .get = param_get_ushort,
+ };
+
+ static u16 sgl_sge_nr = HZIP_SGL_SGE_NR;
+--
+2.35.1
+
--- /dev/null
+From f05b58aee57d4595686d3da831e89b0e950a6fda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Sep 2022 10:51:28 +0800
+Subject: crypto: inside-secure - Change swab to swab32
+
+From: Peter Harliman Liem <pliem@maxlinear.com>
+
+[ Upstream commit 664593407e936b6438fbfaaf98876910fd31cf9a ]
+
+The use of swab() is causing failures in 64-bit arch, as it
+translates to __swab64() instead of the intended __swab32().
+It eventually causes wrong results in xcbcmac & cmac algo.
+
+Fixes: 78cf1c8bfcb8 ("crypto: inside-secure - Move ipad/opad into safexcel_context")
+Signed-off-by: Peter Harliman Liem <pliem@maxlinear.com>
+Acked-by: Antoine Tenart <atenart@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/inside-secure/safexcel_hash.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/crypto/inside-secure/safexcel_hash.c b/drivers/crypto/inside-secure/safexcel_hash.c
+index bc60b5802256..2124416742f8 100644
+--- a/drivers/crypto/inside-secure/safexcel_hash.c
++++ b/drivers/crypto/inside-secure/safexcel_hash.c
+@@ -383,7 +383,7 @@ static int safexcel_ahash_send_req(struct crypto_async_request *async, int ring,
+ u32 x;
+
+ x = ipad[i] ^ ipad[i + 4];
+- cache[i] ^= swab(x);
++ cache[i] ^= swab32(x);
+ }
+ }
+ cache_len = AES_BLOCK_SIZE;
+@@ -821,7 +821,7 @@ static int safexcel_ahash_final(struct ahash_request *areq)
+ u32 *result = (void *)areq->result;
+
+ /* K3 */
+- result[i] = swab(ctx->base.ipad.word[i + 4]);
++ result[i] = swab32(ctx->base.ipad.word[i + 4]);
+ }
+ areq->result[0] ^= 0x80; // 10- padding
+ crypto_cipher_encrypt_one(ctx->kaes, areq->result, areq->result);
+@@ -2106,7 +2106,7 @@ static int safexcel_xcbcmac_setkey(struct crypto_ahash *tfm, const u8 *key,
+ crypto_cipher_encrypt_one(ctx->kaes, (u8 *)key_tmp + AES_BLOCK_SIZE,
+ "\x3\x3\x3\x3\x3\x3\x3\x3\x3\x3\x3\x3\x3\x3\x3\x3");
+ for (i = 0; i < 3 * AES_BLOCK_SIZE / sizeof(u32); i++)
+- ctx->base.ipad.word[i] = swab(key_tmp[i]);
++ ctx->base.ipad.word[i] = swab32(key_tmp[i]);
+
+ crypto_cipher_clear_flags(ctx->kaes, CRYPTO_TFM_REQ_MASK);
+ crypto_cipher_set_flags(ctx->kaes, crypto_ahash_get_flags(tfm) &
+@@ -2189,7 +2189,7 @@ static int safexcel_cmac_setkey(struct crypto_ahash *tfm, const u8 *key,
+ return ret;
+
+ for (i = 0; i < len / sizeof(u32); i++)
+- ctx->base.ipad.word[i + 8] = swab(aes.key_enc[i]);
++ ctx->base.ipad.word[i + 8] = swab32(aes.key_enc[i]);
+
+ /* precompute the CMAC key material */
+ crypto_cipher_clear_flags(ctx->kaes, CRYPTO_TFM_REQ_MASK);
+--
+2.35.1
+
--- /dev/null
+From ec25206905b17c3df733ef993ee4c5c82ac912a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 09:43:19 +0300
+Subject: crypto: marvell/octeontx - prevent integer overflows
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit caca37cf6c749ff0303f68418cfe7b757a4e0697 ]
+
+The "code_length" value comes from the firmware file. If your firmware
+is untrusted realistically there is probably very little you can do to
+protect yourself. Still we try to limit the damage as much as possible.
+Also Smatch marks any data read from the filesystem as untrusted and
+prints warnings if it not capped correctly.
+
+The "code_length * 2" can overflow. The round_up(ucode_size, 16) +
+sizeof() expression can overflow too. Prevent these overflows.
+
+Fixes: d9110b0b01ff ("crypto: marvell - add support for OCTEON TX CPT engine")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../crypto/marvell/octeontx/otx_cptpf_ucode.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c b/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c
+index 40b482198ebc..a765eefb18c2 100644
+--- a/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c
++++ b/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c
+@@ -286,6 +286,7 @@ static int process_tar_file(struct device *dev,
+ struct tar_ucode_info_t *tar_info;
+ struct otx_cpt_ucode_hdr *ucode_hdr;
+ int ucode_type, ucode_size;
++ unsigned int code_length;
+
+ /*
+ * If size is less than microcode header size then don't report
+@@ -303,7 +304,13 @@ static int process_tar_file(struct device *dev,
+ if (get_ucode_type(ucode_hdr, &ucode_type))
+ return 0;
+
+- ucode_size = ntohl(ucode_hdr->code_length) * 2;
++ code_length = ntohl(ucode_hdr->code_length);
++ if (code_length >= INT_MAX / 2) {
++ dev_err(dev, "Invalid code_length %u\n", code_length);
++ return -EINVAL;
++ }
++
++ ucode_size = code_length * 2;
+ if (!ucode_size || (size < round_up(ucode_size, 16) +
+ sizeof(struct otx_cpt_ucode_hdr) + OTX_CPT_UCODE_SIGN_LEN)) {
+ dev_err(dev, "Ucode %s invalid size\n", filename);
+@@ -886,6 +893,7 @@ static int ucode_load(struct device *dev, struct otx_cpt_ucode *ucode,
+ {
+ struct otx_cpt_ucode_hdr *ucode_hdr;
+ const struct firmware *fw;
++ unsigned int code_length;
+ int ret;
+
+ set_ucode_filename(ucode, ucode_filename);
+@@ -896,7 +904,13 @@ static int ucode_load(struct device *dev, struct otx_cpt_ucode *ucode,
+ ucode_hdr = (struct otx_cpt_ucode_hdr *) fw->data;
+ memcpy(ucode->ver_str, ucode_hdr->ver_str, OTX_CPT_UCODE_VER_STR_SZ);
+ ucode->ver_num = ucode_hdr->ver_num;
+- ucode->size = ntohl(ucode_hdr->code_length) * 2;
++ code_length = ntohl(ucode_hdr->code_length);
++ if (code_length >= INT_MAX / 2) {
++ dev_err(dev, "Ucode invalid code_length %u\n", code_length);
++ ret = -EINVAL;
++ goto release_fw;
++ }
++ ucode->size = code_length * 2;
+ if (!ucode->size || (fw->size < round_up(ucode->size, 16)
+ + sizeof(struct otx_cpt_ucode_hdr) + OTX_CPT_UCODE_SIGN_LEN)) {
+ dev_err(dev, "Ucode %s invalid size\n", ucode_filename);
+--
+2.35.1
+
--- /dev/null
+From fb63facafc8d7079ea277e928287e2398b1a94fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 12:32:16 +0200
+Subject: crypto: qat - fix default value of WDT timer
+
+From: Lucas Segarra Fernandez <lucas.segarra.fernandez@intel.com>
+
+[ Upstream commit cc40b04c08400d86d2d6ea0159e0617e717f729c ]
+
+The QAT HW supports an hardware mechanism to detect an accelerator hang.
+The reporting of a hang occurs after a watchdog timer (WDT) expires.
+
+The value of the WDT set previously was too small and was causing false
+positives.
+Change the default value of the WDT to 0x7000000ULL to avoid this.
+
+Fixes: 1c4d9d5bbb5a ("crypto: qat - enable detection of accelerators hang")
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Lucas Segarra Fernandez <lucas.segarra.fernandez@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_gen4_hw_data.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h b/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h
+index 43b8f864806b..4fb4b3df5a18 100644
+--- a/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h
++++ b/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h
+@@ -107,7 +107,7 @@ do { \
+ * Timeout is in cycles. Clock speed may vary across products but this
+ * value should be a few milli-seconds.
+ */
+-#define ADF_SSM_WDT_DEFAULT_VALUE 0x200000
++#define ADF_SSM_WDT_DEFAULT_VALUE 0x7000000ULL
+ #define ADF_SSM_WDT_PKE_DEFAULT_VALUE 0x8000000
+ #define ADF_SSMWDTL_OFFSET 0x54
+ #define ADF_SSMWDTH_OFFSET 0x5C
+--
+2.35.1
+
--- /dev/null
+From a2dad91c8fc6fb002bce75dd681477fa24397132 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 11:49:12 +0100
+Subject: crypto: qat - fix DMA transfer direction
+
+From: Damian Muszynski <damian.muszynski@intel.com>
+
+[ Upstream commit cf5bb835b7c8a5fee7f26455099cca7feb57f5e9 ]
+
+When CONFIG_DMA_API_DEBUG is selected, while running the crypto self
+test on the QAT crypto algorithms, the function add_dma_entry() reports
+a warning similar to the one below, saying that overlapping mappings
+are not supported. This occurs in tests where the input and the output
+scatter list point to the same buffers (i.e. two different scatter lists
+which point to the same chunks of memory).
+
+The logic that implements the mapping uses the flag DMA_BIDIRECTIONAL
+for both the input and the output scatter lists which leads to
+overlapped write mappings. These are not supported by the DMA layer.
+
+Fix by specifying the correct DMA transfer directions when mapping
+buffers. For in-place operations where the input scatter list
+matches the output scatter list, buffers are mapped once with
+DMA_BIDIRECTIONAL, otherwise input buffers are mapped using the flag
+DMA_TO_DEVICE and output buffers are mapped with DMA_FROM_DEVICE.
+Overlapping a read mapping with a write mapping is a valid case in
+dma-coherent devices like QAT.
+The function that frees and unmaps the buffers, qat_alg_free_bufl()
+has been changed accordingly to the changes to the mapping function.
+
+ DMA-API: 4xxx 0000:06:00.0: cacheline tracking EEXIST, overlapping mappings aren't supported
+ WARNING: CPU: 53 PID: 4362 at kernel/dma/debug.c:570 add_dma_entry+0x1e9/0x270
+ ...
+ Call Trace:
+ dma_map_page_attrs+0x82/0x2d0
+ ? preempt_count_add+0x6a/0xa0
+ qat_alg_sgl_to_bufl+0x45b/0x990 [intel_qat]
+ qat_alg_aead_dec+0x71/0x250 [intel_qat]
+ crypto_aead_decrypt+0x3d/0x70
+ test_aead_vec_cfg+0x649/0x810
+ ? number+0x310/0x3a0
+ ? vsnprintf+0x2a3/0x550
+ ? scnprintf+0x42/0x70
+ ? valid_sg_divisions.constprop.0+0x86/0xa0
+ ? test_aead_vec+0xdf/0x120
+ test_aead_vec+0xdf/0x120
+ alg_test_aead+0x185/0x400
+ alg_test+0x3d8/0x500
+ ? crypto_acomp_scomp_free_ctx+0x30/0x30
+ ? __schedule+0x32a/0x12a0
+ ? ttwu_queue_wakelist+0xbf/0x110
+ ? _raw_spin_unlock_irqrestore+0x23/0x40
+ ? try_to_wake_up+0x83/0x570
+ ? _raw_spin_unlock_irqrestore+0x23/0x40
+ ? __set_cpus_allowed_ptr_locked+0xea/0x1b0
+ ? crypto_acomp_scomp_free_ctx+0x30/0x30
+ cryptomgr_test+0x27/0x50
+ kthread+0xe6/0x110
+ ? kthread_complete_and_exit+0x20/0x20
+ ret_from_fork+0x1f/0x30
+
+Fixes: d370cec ("crypto: qat - Intel(R) QAT crypto interface")
+Link: https://lore.kernel.org/linux-crypto/20220223080400.139367-1-gilad@benyossef.com/
+Signed-off-by: Damian Muszynski <damian.muszynski@intel.com>
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/qat_algs.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_common/qat_algs.c b/drivers/crypto/qat/qat_common/qat_algs.c
+index fb45fa83841c..cad9c58caab1 100644
+--- a/drivers/crypto/qat/qat_common/qat_algs.c
++++ b/drivers/crypto/qat/qat_common/qat_algs.c
+@@ -673,11 +673,14 @@ static void qat_alg_free_bufl(struct qat_crypto_instance *inst,
+ dma_addr_t blpout = qat_req->buf.bloutp;
+ size_t sz = qat_req->buf.sz;
+ size_t sz_out = qat_req->buf.sz_out;
++ int bl_dma_dir;
+ int i;
+
++ bl_dma_dir = blp != blpout ? DMA_TO_DEVICE : DMA_BIDIRECTIONAL;
++
+ for (i = 0; i < bl->num_bufs; i++)
+ dma_unmap_single(dev, bl->bufers[i].addr,
+- bl->bufers[i].len, DMA_BIDIRECTIONAL);
++ bl->bufers[i].len, bl_dma_dir);
+
+ dma_unmap_single(dev, blp, sz, DMA_TO_DEVICE);
+
+@@ -691,7 +694,7 @@ static void qat_alg_free_bufl(struct qat_crypto_instance *inst,
+ for (i = bufless; i < blout->num_bufs; i++) {
+ dma_unmap_single(dev, blout->bufers[i].addr,
+ blout->bufers[i].len,
+- DMA_BIDIRECTIONAL);
++ DMA_FROM_DEVICE);
+ }
+ dma_unmap_single(dev, blpout, sz_out, DMA_TO_DEVICE);
+
+@@ -716,6 +719,7 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst,
+ struct scatterlist *sg;
+ size_t sz_out, sz = struct_size(bufl, bufers, n);
+ int node = dev_to_node(&GET_DEV(inst->accel_dev));
++ int bufl_dma_dir;
+
+ if (unlikely(!n))
+ return -EINVAL;
+@@ -733,6 +737,8 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst,
+ qat_req->buf.sgl_src_valid = true;
+ }
+
++ bufl_dma_dir = sgl != sglout ? DMA_TO_DEVICE : DMA_BIDIRECTIONAL;
++
+ for_each_sg(sgl, sg, n, i)
+ bufl->bufers[i].addr = DMA_MAPPING_ERROR;
+
+@@ -744,7 +750,7 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst,
+
+ bufl->bufers[y].addr = dma_map_single(dev, sg_virt(sg),
+ sg->length,
+- DMA_BIDIRECTIONAL);
++ bufl_dma_dir);
+ bufl->bufers[y].len = sg->length;
+ if (unlikely(dma_mapping_error(dev, bufl->bufers[y].addr)))
+ goto err_in;
+@@ -787,7 +793,7 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst,
+
+ bufers[y].addr = dma_map_single(dev, sg_virt(sg),
+ sg->length,
+- DMA_BIDIRECTIONAL);
++ DMA_FROM_DEVICE);
+ if (unlikely(dma_mapping_error(dev, bufers[y].addr)))
+ goto err_out;
+ bufers[y].len = sg->length;
+@@ -817,7 +823,7 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst,
+ if (!dma_mapping_error(dev, buflout->bufers[i].addr))
+ dma_unmap_single(dev, buflout->bufers[i].addr,
+ buflout->bufers[i].len,
+- DMA_BIDIRECTIONAL);
++ DMA_FROM_DEVICE);
+
+ if (!qat_req->buf.sgl_dst_valid)
+ kfree(buflout);
+@@ -831,7 +837,7 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst,
+ if (!dma_mapping_error(dev, bufl->bufers[i].addr))
+ dma_unmap_single(dev, bufl->bufers[i].addr,
+ bufl->bufers[i].len,
+- DMA_BIDIRECTIONAL);
++ bufl_dma_dir);
+
+ if (!qat_req->buf.sgl_src_valid)
+ kfree(bufl);
+--
+2.35.1
+
--- /dev/null
+From 7fa931835d2e5b70481f5b4e349f50fed7b90def Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jul 2022 12:09:28 +0800
+Subject: crypto: sahara - don't sleep when in softirq
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 108586eba094b318e6a831f977f4ddcc403a15da ]
+
+Function of sahara_aes_crypt maybe could be called by function
+of crypto_skcipher_encrypt during the rx softirq, so it is not
+allowed to use mutex lock.
+
+Fixes: c0c3c89ae347 ("crypto: sahara - replace tasklets with...")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/sahara.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c
+index 457084b344c1..b07ae4ba165e 100644
+--- a/drivers/crypto/sahara.c
++++ b/drivers/crypto/sahara.c
+@@ -26,10 +26,10 @@
+ #include <linux/kernel.h>
+ #include <linux/kthread.h>
+ #include <linux/module.h>
+-#include <linux/mutex.h>
+ #include <linux/of.h>
+ #include <linux/of_device.h>
+ #include <linux/platform_device.h>
++#include <linux/spinlock.h>
+
+ #define SHA_BUFFER_LEN PAGE_SIZE
+ #define SAHARA_MAX_SHA_BLOCK_SIZE SHA256_BLOCK_SIZE
+@@ -196,7 +196,7 @@ struct sahara_dev {
+ void __iomem *regs_base;
+ struct clk *clk_ipg;
+ struct clk *clk_ahb;
+- struct mutex queue_mutex;
++ spinlock_t queue_spinlock;
+ struct task_struct *kthread;
+ struct completion dma_completion;
+
+@@ -642,9 +642,9 @@ static int sahara_aes_crypt(struct skcipher_request *req, unsigned long mode)
+
+ rctx->mode = mode;
+
+- mutex_lock(&dev->queue_mutex);
++ spin_lock_bh(&dev->queue_spinlock);
+ err = crypto_enqueue_request(&dev->queue, &req->base);
+- mutex_unlock(&dev->queue_mutex);
++ spin_unlock_bh(&dev->queue_spinlock);
+
+ wake_up_process(dev->kthread);
+
+@@ -1043,10 +1043,10 @@ static int sahara_queue_manage(void *data)
+ do {
+ __set_current_state(TASK_INTERRUPTIBLE);
+
+- mutex_lock(&dev->queue_mutex);
++ spin_lock_bh(&dev->queue_spinlock);
+ backlog = crypto_get_backlog(&dev->queue);
+ async_req = crypto_dequeue_request(&dev->queue);
+- mutex_unlock(&dev->queue_mutex);
++ spin_unlock_bh(&dev->queue_spinlock);
+
+ if (backlog)
+ backlog->complete(backlog, -EINPROGRESS);
+@@ -1092,9 +1092,9 @@ static int sahara_sha_enqueue(struct ahash_request *req, int last)
+ rctx->first = 1;
+ }
+
+- mutex_lock(&dev->queue_mutex);
++ spin_lock_bh(&dev->queue_spinlock);
+ ret = crypto_enqueue_request(&dev->queue, &req->base);
+- mutex_unlock(&dev->queue_mutex);
++ spin_unlock_bh(&dev->queue_spinlock);
+
+ wake_up_process(dev->kthread);
+
+@@ -1449,7 +1449,7 @@ static int sahara_probe(struct platform_device *pdev)
+
+ crypto_init_queue(&dev->queue, SAHARA_QUEUE_LENGTH);
+
+- mutex_init(&dev->queue_mutex);
++ spin_lock_init(&dev->queue_spinlock);
+
+ dev_ptr = dev;
+
+--
+2.35.1
+
--- /dev/null
+From 627316298aa7d05fb37c7e1bc83b3db556f5ba67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Apr 2022 17:17:23 +0800
+Subject: cw1200: fix incorrect check to determine if no element is found in
+ list
+
+From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+
+[ Upstream commit 86df5de5c632d3bd940f59bbb14ae912aa9cc363 ]
+
+The bug is here: "} else if (item) {".
+
+The list iterator value will *always* be set and non-NULL by
+list_for_each_entry(), so it is incorrect to assume that the iterator
+value will be NULL if the list is empty or no element is found in list.
+
+Use a new value 'iter' as the list iterator, while use the old value
+'item' as a dedicated pointer to point to the found element, which
+1. can fix this bug, due to now 'item' is NULL only if it's not found.
+2. do not need to change all the uses of 'item' after the loop.
+3. can also limit the scope of the list iterator 'iter' *only inside*
+ the traversal loop by simply declaring 'iter' inside the loop in the
+ future, as usage of the iterator outside of the list_for_each_entry
+ is considered harmful. https://lkml.org/lkml/2022/2/17/1032
+
+Fixes: a910e4a94f692 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
+Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220413091723.17596-1-xiam0nd.tong@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/st/cw1200/queue.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/st/cw1200/queue.c b/drivers/net/wireless/st/cw1200/queue.c
+index e06da4b3b0d4..805a3c1bf8fe 100644
+--- a/drivers/net/wireless/st/cw1200/queue.c
++++ b/drivers/net/wireless/st/cw1200/queue.c
+@@ -91,23 +91,25 @@ static void __cw1200_queue_gc(struct cw1200_queue *queue,
+ bool unlock)
+ {
+ struct cw1200_queue_stats *stats = queue->stats;
+- struct cw1200_queue_item *item = NULL, *tmp;
++ struct cw1200_queue_item *item = NULL, *iter, *tmp;
+ bool wakeup_stats = false;
+
+- list_for_each_entry_safe(item, tmp, &queue->queue, head) {
+- if (time_is_after_jiffies(item->queue_timestamp + queue->ttl))
++ list_for_each_entry_safe(iter, tmp, &queue->queue, head) {
++ if (time_is_after_jiffies(iter->queue_timestamp + queue->ttl)) {
++ item = iter;
+ break;
++ }
+ --queue->num_queued;
+- --queue->link_map_cache[item->txpriv.link_id];
++ --queue->link_map_cache[iter->txpriv.link_id];
+ spin_lock_bh(&stats->lock);
+ --stats->num_queued;
+- if (!--stats->link_map_cache[item->txpriv.link_id])
++ if (!--stats->link_map_cache[iter->txpriv.link_id])
+ wakeup_stats = true;
+ spin_unlock_bh(&stats->lock);
+ cw1200_debug_tx_ttl(stats->priv);
+- cw1200_queue_register_post_gc(head, item);
+- item->skb = NULL;
+- list_move_tail(&item->head, &queue->free_pool);
++ cw1200_queue_register_post_gc(head, iter);
++ iter->skb = NULL;
++ list_move_tail(&iter->head, &queue->free_pool);
+ }
+
+ if (wakeup_stats)
+--
+2.35.1
+
--- /dev/null
+From 9e9ef8ef75372445466f2b0a378ea53c71b61fea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Sep 2022 11:17:00 +0530
+Subject: dmaengine: dw-edma: Remove runtime PM support
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+[ Upstream commit a0188eb6e71c93ab7dd9bfa4305fac43c70db309 ]
+
+Currently, the dw-edma driver enables the runtime_pm for parent device
+(chip->dev) and increments/decrements the refcount during alloc/free
+chan resources callbacks.
+
+This leads to a problem when the eDMA driver has been probed, but the
+channels were not used. This scenario can happen when the DW PCIe driver
+probes eDMA driver successfully, but the PCI EPF driver decides not to
+use eDMA channels and use iATU instead for PCI transfers.
+
+In this case, the underlying device would be runtime suspended due to
+pm_runtime_enable() in dw_edma_probe() and the PCI EPF driver would have
+no knowledge of it.
+
+Ideally, the eDMA driver should not be the one doing the runtime PM of
+the parent device. The responsibility should instead belong to the client
+drivers like PCI EPF.
+
+So let's remove the runtime PM support from eDMA driver.
+
+Cc: Serge Semin <fancer.lancer@gmail.com>
+Cc: Frank Li <Frank.Li@nxp.com>
+Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20220910054700.12205-1-manivannan.sadhasivam@linaro.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/dw-edma/dw-edma-core.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+diff --git a/drivers/dma/dw-edma/dw-edma-core.c b/drivers/dma/dw-edma/dw-edma-core.c
+index 07f756479663..c54b24ff5206 100644
+--- a/drivers/dma/dw-edma/dw-edma-core.c
++++ b/drivers/dma/dw-edma/dw-edma-core.c
+@@ -9,7 +9,6 @@
+ #include <linux/module.h>
+ #include <linux/device.h>
+ #include <linux/kernel.h>
+-#include <linux/pm_runtime.h>
+ #include <linux/dmaengine.h>
+ #include <linux/err.h>
+ #include <linux/interrupt.h>
+@@ -682,15 +681,12 @@ static int dw_edma_alloc_chan_resources(struct dma_chan *dchan)
+ if (chan->status != EDMA_ST_IDLE)
+ return -EBUSY;
+
+- pm_runtime_get(chan->dw->chip->dev);
+-
+ return 0;
+ }
+
+ static void dw_edma_free_chan_resources(struct dma_chan *dchan)
+ {
+ unsigned long timeout = jiffies + msecs_to_jiffies(5000);
+- struct dw_edma_chan *chan = dchan2dw_edma_chan(dchan);
+ int ret;
+
+ while (time_before(jiffies, timeout)) {
+@@ -703,8 +699,6 @@ static void dw_edma_free_chan_resources(struct dma_chan *dchan)
+
+ cpu_relax();
+ }
+-
+- pm_runtime_put(chan->dw->chip->dev);
+ }
+
+ static int dw_edma_channel_setup(struct dw_edma *dw, bool write,
+@@ -977,9 +971,6 @@ int dw_edma_probe(struct dw_edma_chip *chip)
+ if (err)
+ goto err_irq_free;
+
+- /* Power management */
+- pm_runtime_enable(dev);
+-
+ /* Turn debugfs on */
+ dw_edma_v0_core_debugfs_on(dw);
+
+@@ -1009,9 +1000,6 @@ int dw_edma_remove(struct dw_edma_chip *chip)
+ for (i = (dw->nr_irqs - 1); i >= 0; i--)
+ free_irq(chip->ops->irq_vector(dev, i), &dw->irq[i]);
+
+- /* Power management */
+- pm_runtime_disable(dev);
+-
+ /* Deregister eDMA device */
+ dma_async_device_unregister(&dw->wr_edma);
+ list_for_each_entry_safe(chan, _chan, &dw->wr_edma.channels,
+--
+2.35.1
+
--- /dev/null
+From 104cc6834bc52c37eecee491784cc06fa15f959c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 14:22:47 +0800
+Subject: dmaengine: hisilicon: Add multi-thread support for a DMA channel
+
+From: Jie Hai <haijie1@huawei.com>
+
+[ Upstream commit 2cbb95883c990d0002a77e13d3278913ab26ad79 ]
+
+When we get a DMA channel and try to use it in multiple threads it
+will cause oops and hanging the system.
+
+% echo 100 > /sys/module/dmatest/parameters/threads_per_chan
+% echo 100 > /sys/module/dmatest/parameters/iterations
+% echo 1 > /sys/module/dmatest/parameters/run
+[383493.327077] Unable to handle kernel paging request at virtual
+ address dead000000000108
+[383493.335103] Mem abort info:
+[383493.335103] ESR = 0x96000044
+[383493.335105] EC = 0x25: DABT (current EL), IL = 32 bits
+[383493.335107] SET = 0, FnV = 0
+[383493.335108] EA = 0, S1PTW = 0
+[383493.335109] FSC = 0x04: level 0 translation fault
+[383493.335110] Data abort info:
+[383493.335111] ISV = 0, ISS = 0x00000044
+[383493.364739] CM = 0, WnR = 1
+[383493.367793] [dead000000000108] address between user and kernel
+ address ranges
+[383493.375021] Internal error: Oops: 96000044 [#1] PREEMPT SMP
+[383493.437574] CPU: 63 PID: 27895 Comm: dma0chan0-copy2 Kdump:
+ loaded Tainted: GO 5.17.0-rc4+ #2
+[383493.457851] pstate: 204000c9 (nzCv daIF +PAN -UAO -TCO -DIT
+ -SSBS BTYPE=--)
+[383493.465331] pc : vchan_tx_submit+0x64/0xa0
+[383493.469957] lr : vchan_tx_submit+0x34/0xa0
+
+This occurs because the transmission timed out, and that's due
+to data race. Each thread rewrite channels's descriptor as soon as
+device_issue_pending is called. It leads to the situation that
+the driver thinks that it uses the right descriptor in interrupt
+handler while channels's descriptor has been changed by other
+thread. The descriptor which in fact reported interrupt will not
+be handled any more, as well as its tx->callback.
+That's why timeout reports.
+
+With current fixes channels' descriptor changes it's value only
+when it has been used. A new descriptor is acquired from
+vc->desc_issued queue that is already filled with descriptors
+that are ready to be sent. Threads have no direct access to DMA
+channel descriptor. In case of channel's descriptor is busy, try
+to submit to HW again when a descriptor is completed. In this case,
+vc->desc_issued may be empty when hisi_dma_start_transfer is called,
+so delete error reporting on this. Now it is just possible to queue
+a descriptor for further processing.
+
+Fixes: e9f08b65250d ("dmaengine: hisilicon: Add Kunpeng DMA engine support")
+Signed-off-by: Jie Hai <haijie1@huawei.com>
+Acked-by: Zhou Wang <wangzhou1@hisilicon.com>
+Link: https://lore.kernel.org/r/20220830062251.52993-4-haijie1@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/hisi_dma.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/dma/hisi_dma.c b/drivers/dma/hisi_dma.c
+index 837f7e4adfa6..0233b42143c7 100644
+--- a/drivers/dma/hisi_dma.c
++++ b/drivers/dma/hisi_dma.c
+@@ -271,7 +271,6 @@ static void hisi_dma_start_transfer(struct hisi_dma_chan *chan)
+
+ vd = vchan_next_desc(&chan->vc);
+ if (!vd) {
+- dev_err(&hdma_dev->pdev->dev, "no issued task!\n");
+ chan->desc = NULL;
+ return;
+ }
+@@ -303,7 +302,7 @@ static void hisi_dma_issue_pending(struct dma_chan *c)
+
+ spin_lock_irqsave(&chan->vc.lock, flags);
+
+- if (vchan_issue_pending(&chan->vc))
++ if (vchan_issue_pending(&chan->vc) && !chan->desc)
+ hisi_dma_start_transfer(chan);
+
+ spin_unlock_irqrestore(&chan->vc.lock, flags);
+@@ -441,11 +440,10 @@ static irqreturn_t hisi_dma_irq(int irq, void *data)
+ chan->qp_num, chan->cq_head);
+ if (FIELD_GET(STATUS_MASK, cqe->w0) == STATUS_SUCC) {
+ vchan_cookie_complete(&desc->vd);
++ hisi_dma_start_transfer(chan);
+ } else {
+ dev_err(&hdma_dev->pdev->dev, "task error!\n");
+ }
+-
+- chan->desc = NULL;
+ }
+
+ spin_unlock(&chan->vc.lock);
+--
+2.35.1
+
--- /dev/null
+From e104078c8bcb2a4eb6666f90e2f8d21e17b93301 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 14:22:45 +0800
+Subject: dmaengine: hisilicon: Disable channels when unregister hisi_dma
+
+From: Jie Hai <haijie1@huawei.com>
+
+[ Upstream commit e3bdaa04ada31f46d0586df83a2789b8913053c5 ]
+
+When hisi_dma is unloaded or unbinded, all of channels should be
+disabled. This patch disables DMA channels when driver is unloaded
+or unbinded.
+
+Fixes: e9f08b65250d ("dmaengine: hisilicon: Add Kunpeng DMA engine support")
+Signed-off-by: Jie Hai <haijie1@huawei.com>
+Acked-by: Zhou Wang <wangzhou1@hisilicon.com>
+Link: https://lore.kernel.org/r/20220830062251.52993-2-haijie1@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/hisi_dma.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/dma/hisi_dma.c b/drivers/dma/hisi_dma.c
+index 43817ced3a3e..98bc488893cc 100644
+--- a/drivers/dma/hisi_dma.c
++++ b/drivers/dma/hisi_dma.c
+@@ -180,7 +180,8 @@ static void hisi_dma_reset_qp_point(struct hisi_dma_dev *hdma_dev, u32 index)
+ hisi_dma_chan_write(hdma_dev->base, HISI_DMA_CQ_HEAD_PTR, index, 0);
+ }
+
+-static void hisi_dma_reset_hw_chan(struct hisi_dma_chan *chan)
++static void hisi_dma_reset_or_disable_hw_chan(struct hisi_dma_chan *chan,
++ bool disable)
+ {
+ struct hisi_dma_dev *hdma_dev = chan->hdma_dev;
+ u32 index = chan->qp_num, tmp;
+@@ -201,8 +202,11 @@ static void hisi_dma_reset_hw_chan(struct hisi_dma_chan *chan)
+ hisi_dma_do_reset(hdma_dev, index);
+ hisi_dma_reset_qp_point(hdma_dev, index);
+ hisi_dma_pause_dma(hdma_dev, index, false);
+- hisi_dma_enable_dma(hdma_dev, index, true);
+- hisi_dma_unmask_irq(hdma_dev, index);
++
++ if (!disable) {
++ hisi_dma_enable_dma(hdma_dev, index, true);
++ hisi_dma_unmask_irq(hdma_dev, index);
++ }
+
+ ret = readl_relaxed_poll_timeout(hdma_dev->base +
+ HISI_DMA_Q_FSM_STS + index * HISI_DMA_OFFSET, tmp,
+@@ -218,7 +222,7 @@ static void hisi_dma_free_chan_resources(struct dma_chan *c)
+ struct hisi_dma_chan *chan = to_hisi_dma_chan(c);
+ struct hisi_dma_dev *hdma_dev = chan->hdma_dev;
+
+- hisi_dma_reset_hw_chan(chan);
++ hisi_dma_reset_or_disable_hw_chan(chan, false);
+ vchan_free_chan_resources(&chan->vc);
+
+ memset(chan->sq, 0, sizeof(struct hisi_dma_sqe) * hdma_dev->chan_depth);
+@@ -394,7 +398,7 @@ static void hisi_dma_enable_qp(struct hisi_dma_dev *hdma_dev, u32 qp_index)
+
+ static void hisi_dma_disable_qp(struct hisi_dma_dev *hdma_dev, u32 qp_index)
+ {
+- hisi_dma_reset_hw_chan(&hdma_dev->chan[qp_index]);
++ hisi_dma_reset_or_disable_hw_chan(&hdma_dev->chan[qp_index], true);
+ }
+
+ static void hisi_dma_enable_qps(struct hisi_dma_dev *hdma_dev)
+--
+2.35.1
+
--- /dev/null
+From ba951ed2bdfde8e5fe757effd3e7c5e8f07dcaad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 14:22:46 +0800
+Subject: dmaengine: hisilicon: Fix CQ head update
+
+From: Jie Hai <haijie1@huawei.com>
+
+[ Upstream commit 94477a79cf80e8ab55b68f14bc579a12ddea1e0b ]
+
+After completion of data transfer of one or multiple descriptors,
+the completion status and the current head pointer to submission
+queue are written into the CQ and interrupt can be generated to
+inform the software. In interrupt process CQ is read and cq_head
+is updated.
+
+hisi_dma_irq updates cq_head only when the completion status is
+success. When an abnormal interrupt reports, cq_head will not update
+which will cause subsequent interrupt processes read the error CQ
+and never report the correct status.
+
+This patch updates cq_head whenever CQ is accessed.
+
+Fixes: e9f08b65250d ("dmaengine: hisilicon: Add Kunpeng DMA engine support")
+Signed-off-by: Jie Hai <haijie1@huawei.com>
+Acked-by: Zhou Wang <wangzhou1@hisilicon.com>
+Link: https://lore.kernel.org/r/20220830062251.52993-3-haijie1@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/hisi_dma.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/dma/hisi_dma.c b/drivers/dma/hisi_dma.c
+index 98bc488893cc..837f7e4adfa6 100644
+--- a/drivers/dma/hisi_dma.c
++++ b/drivers/dma/hisi_dma.c
+@@ -436,12 +436,10 @@ static irqreturn_t hisi_dma_irq(int irq, void *data)
+ desc = chan->desc;
+ cqe = chan->cq + chan->cq_head;
+ if (desc) {
++ chan->cq_head = (chan->cq_head + 1) % hdma_dev->chan_depth;
++ hisi_dma_chan_write(hdma_dev->base, HISI_DMA_CQ_HEAD_PTR,
++ chan->qp_num, chan->cq_head);
+ if (FIELD_GET(STATUS_MASK, cqe->w0) == STATUS_SUCC) {
+- chan->cq_head = (chan->cq_head + 1) %
+- hdma_dev->chan_depth;
+- hisi_dma_chan_write(hdma_dev->base,
+- HISI_DMA_CQ_HEAD_PTR, chan->qp_num,
+- chan->cq_head);
+ vchan_cookie_complete(&desc->vd);
+ } else {
+ dev_err(&hdma_dev->pdev->dev, "task error!\n");
+--
+2.35.1
+
--- /dev/null
+From 70a8d0c72e8e22212cd11f21dd641441cfc1226b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 09:37:09 -0700
+Subject: dmaengine: idxd: avoid deadlock in process_misc_interrupts()
+
+From: Jerry Snitselaar <jsnitsel@redhat.com>
+
+[ Upstream commit 407171717a4f4d2d80825584643374a2dfdb0540 ]
+
+idxd_device_clear_state() now grabs the idxd->dev_lock
+itself, so don't grab the lock prior to calling it.
+
+This was seen in testing after dmar fault occurred on system,
+resulting in lockup stack traces.
+
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Dave Jiang <dave.jiang@intel.com>
+Cc: Vinod Koul <vkoul@kernel.org>
+Cc: dmaengine@vger.kernel.org
+Fixes: cf4ac3fef338 ("dmaengine: idxd: fix lockdep warning on device driver removal")
+Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Link: https://lore.kernel.org/r/20220823163709.2102468-1-jsnitsel@redhat.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/idxd/irq.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/dma/idxd/irq.c b/drivers/dma/idxd/irq.c
+index 743ead5ebc57..5b9921475be6 100644
+--- a/drivers/dma/idxd/irq.c
++++ b/drivers/dma/idxd/irq.c
+@@ -324,13 +324,11 @@ static int process_misc_interrupts(struct idxd_device *idxd, u32 cause)
+ idxd->state = IDXD_DEV_HALTED;
+ idxd_wqs_quiesce(idxd);
+ idxd_wqs_unmap_portal(idxd);
+- spin_lock(&idxd->dev_lock);
+ idxd_device_clear_state(idxd);
+ dev_err(&idxd->pdev->dev,
+ "idxd halted, need %s.\n",
+ gensts.reset_type == IDXD_DEVICE_RESET_FLR ?
+ "FLR" : "system reset");
+- spin_unlock(&idxd->dev_lock);
+ return -ENXIO;
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From aca04f28dfaf63985603b860dffd5d8e487e0d73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 09:58:42 -0700
+Subject: dmaengine: ioat: stop mod_timer from resurrecting deleted timer in
+ __cleanup()
+
+From: Dave Jiang <dave.jiang@intel.com>
+
+[ Upstream commit 898ec89dbb55b8294695ad71694a0684e62b2a73 ]
+
+User reports observing timer event report channel halted but no error
+observed in CHANERR register. The driver finished self-test and released
+channel resources. Debug shows that __cleanup() can call
+mod_timer() after the timer has been deleted and thus resurrect the
+timer. While harmless, it causes suprious error message to be emitted.
+Use mod_timer_pending() call to prevent deleted timer from being
+resurrected.
+
+Fixes: 3372de5813e4 ("dmaengine: ioatdma: removal of dma_v3.c and relevant ioat3 references")
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Link: https://lore.kernel.org/r/166360672197.3851724.17040290563764838369.stgit@djiang5-desk3.ch.intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/ioat/dma.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/dma/ioat/dma.c b/drivers/dma/ioat/dma.c
+index 37ff4ec7db76..e2070df6cad2 100644
+--- a/drivers/dma/ioat/dma.c
++++ b/drivers/dma/ioat/dma.c
+@@ -656,7 +656,7 @@ static void __cleanup(struct ioatdma_chan *ioat_chan, dma_addr_t phys_complete)
+ if (active - i == 0) {
+ dev_dbg(to_dev(ioat_chan), "%s: cancel completion timeout\n",
+ __func__);
+- mod_timer(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
++ mod_timer_pending(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
+ }
+
+ /* microsecond delay by sysfs variable per pending descriptor */
+@@ -682,7 +682,7 @@ static void ioat_cleanup(struct ioatdma_chan *ioat_chan)
+
+ if (chanerr &
+ (IOAT_CHANERR_HANDLE_MASK | IOAT_CHANERR_RECOVER_MASK)) {
+- mod_timer(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
++ mod_timer_pending(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
+ ioat_eh(ioat_chan);
+ }
+ }
+@@ -879,7 +879,7 @@ static void check_active(struct ioatdma_chan *ioat_chan)
+ }
+
+ if (test_and_clear_bit(IOAT_CHAN_ACTIVE, &ioat_chan->state))
+- mod_timer(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
++ mod_timer_pending(&ioat_chan->timer, jiffies + IDLE_TIMEOUT);
+ }
+
+ static void ioat_reboot_chan(struct ioatdma_chan *ioat_chan)
+--
+2.35.1
+
--- /dev/null
+From 2f9c4412a5bfcf61fb69dcbed844614011d7f86e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Aug 2022 11:18:35 +0530
+Subject: dmaengine: ti: k3-udma: Reset UDMA_CHAN_RT byte counters to prevent
+ overflow
+
+From: Vaishnav Achath <vaishnav.a@ti.com>
+
+[ Upstream commit 7c94dcfa8fcff2dba53915f1dabfee49a3df8b88 ]
+
+UDMA_CHAN_RT_*BCNT_REG stores the real-time channel bytecount statistics.
+These registers are 32-bit hardware counters and the driver uses these
+counters to monitor the operational progress status for a channel, when
+transferring more than 4GB of data it was observed that these counters
+overflow and completion calculation of a operation gets affected and the
+transfer hangs indefinitely.
+
+This commit adds changes to decrease the byte count for every complete
+transaction so that these registers never overflow and the proper byte
+count statistics is maintained for ongoing transaction by the RT counters.
+
+Earlier uc->bcnt used to maintain a count of the completed bytes at driver
+side, since the RT counters maintain the statistics of current transaction
+now, the maintenance of uc->bcnt is not necessary.
+
+Signed-off-by: Vaishnav Achath <vaishnav.a@ti.com>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@gmail.com>
+Link: https://lore.kernel.org/r/20220802054835.19482-1-vaishnav.a@ti.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/ti/k3-udma.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/dma/ti/k3-udma.c b/drivers/dma/ti/k3-udma.c
+index 2f0d2c68c93c..fcfcde947b30 100644
+--- a/drivers/dma/ti/k3-udma.c
++++ b/drivers/dma/ti/k3-udma.c
+@@ -300,8 +300,6 @@ struct udma_chan {
+
+ struct udma_tx_drain tx_drain;
+
+- u32 bcnt; /* number of bytes completed since the start of the channel */
+-
+ /* Channel configuration parameters */
+ struct udma_chan_config config;
+
+@@ -757,6 +755,20 @@ static void udma_reset_rings(struct udma_chan *uc)
+ }
+ }
+
++static void udma_decrement_byte_counters(struct udma_chan *uc, u32 val)
++{
++ if (uc->desc->dir == DMA_DEV_TO_MEM) {
++ udma_rchanrt_write(uc, UDMA_CHAN_RT_BCNT_REG, val);
++ udma_rchanrt_write(uc, UDMA_CHAN_RT_SBCNT_REG, val);
++ udma_rchanrt_write(uc, UDMA_CHAN_RT_PEER_BCNT_REG, val);
++ } else {
++ udma_tchanrt_write(uc, UDMA_CHAN_RT_BCNT_REG, val);
++ udma_tchanrt_write(uc, UDMA_CHAN_RT_SBCNT_REG, val);
++ if (!uc->bchan)
++ udma_tchanrt_write(uc, UDMA_CHAN_RT_PEER_BCNT_REG, val);
++ }
++}
++
+ static void udma_reset_counters(struct udma_chan *uc)
+ {
+ u32 val;
+@@ -790,8 +802,6 @@ static void udma_reset_counters(struct udma_chan *uc)
+ val = udma_rchanrt_read(uc, UDMA_CHAN_RT_PEER_BCNT_REG);
+ udma_rchanrt_write(uc, UDMA_CHAN_RT_PEER_BCNT_REG, val);
+ }
+-
+- uc->bcnt = 0;
+ }
+
+ static int udma_reset_chan(struct udma_chan *uc, bool hard)
+@@ -1115,7 +1125,7 @@ static void udma_check_tx_completion(struct work_struct *work)
+ if (uc->desc) {
+ struct udma_desc *d = uc->desc;
+
+- uc->bcnt += d->residue;
++ udma_decrement_byte_counters(uc, d->residue);
+ udma_start(uc);
+ vchan_cookie_complete(&d->vd);
+ break;
+@@ -1168,7 +1178,7 @@ static irqreturn_t udma_ring_irq_handler(int irq, void *data)
+ vchan_cyclic_callback(&d->vd);
+ } else {
+ if (udma_is_desc_really_done(uc, d)) {
+- uc->bcnt += d->residue;
++ udma_decrement_byte_counters(uc, d->residue);
+ udma_start(uc);
+ vchan_cookie_complete(&d->vd);
+ } else {
+@@ -1204,7 +1214,7 @@ static irqreturn_t udma_udma_irq_handler(int irq, void *data)
+ vchan_cyclic_callback(&d->vd);
+ } else {
+ /* TODO: figure out the real amount of data */
+- uc->bcnt += d->residue;
++ udma_decrement_byte_counters(uc, d->residue);
+ udma_start(uc);
+ vchan_cookie_complete(&d->vd);
+ }
+@@ -3809,7 +3819,6 @@ static enum dma_status udma_tx_status(struct dma_chan *chan,
+ bcnt = udma_tchanrt_read(uc, UDMA_CHAN_RT_BCNT_REG);
+ }
+
+- bcnt -= uc->bcnt;
+ if (bcnt && !(bcnt % uc->desc->residue))
+ residue = 0;
+ else
+--
+2.35.1
+
--- /dev/null
+From bfe97b3c82c4550cdff6971e0aebd1756bf0fac2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 14:22:47 +0300
+Subject: drivers: serial: jsm: fix some leaks in probe
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 1d5859ef229e381f4db38dce8ed58e4bf862006b ]
+
+This error path needs to unwind instead of just returning directly.
+
+Fixes: 03a8482c17dd ("drivers: serial: jsm: Enable support for Digi Classic adapters")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YyxFh1+lOeZ9WfKO@kili
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/jsm/jsm_driver.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/jsm/jsm_driver.c b/drivers/tty/serial/jsm/jsm_driver.c
+index 0ea799bf8dbb..417a5b6bffc3 100644
+--- a/drivers/tty/serial/jsm/jsm_driver.c
++++ b/drivers/tty/serial/jsm/jsm_driver.c
+@@ -211,7 +211,8 @@ static int jsm_probe_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ break;
+ default:
+- return -ENXIO;
++ rc = -ENXIO;
++ goto out_kfree_brd;
+ }
+
+ rc = request_irq(brd->irq, brd->bd_ops->intr, IRQF_SHARED, "JSM", brd);
+--
+2.35.1
+
--- /dev/null
+From c47f2cb89da2d1773407b1bee6e0d311f6fe7489 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Aug 2022 11:02:19 +0800
+Subject: drm/admgpu: Skip CG/PG on SOC21 under SRIOV VF
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yifan Zha <Yifan.Zha@amd.com>
+
+[ Upstream commit 828418259254863e0af5805bd712284e2bd88e3b ]
+
+[Why]
+There is no CG(Clock Gating)/PG(Power Gating) requirement on SRIOV VF.
+For multi VF, VF should not enable any CG/PG features.
+For one VF, PF will program CG/PG related registers.
+
+[How]
+Do not set any cg/pg flag bit at early init under sriov.
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Yifan Zha <Yifan.Zha@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/soc21.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/soc21.c b/drivers/gpu/drm/amd/amdgpu/soc21.c
+index 276ff6709881..9c3463b48139 100644
+--- a/drivers/gpu/drm/amd/amdgpu/soc21.c
++++ b/drivers/gpu/drm/amd/amdgpu/soc21.c
+@@ -583,6 +583,10 @@ static int soc21_common_early_init(void *handle)
+ AMD_PG_SUPPORT_JPEG |
+ AMD_PG_SUPPORT_ATHUB |
+ AMD_PG_SUPPORT_MMHUB;
++ if (amdgpu_sriov_vf(adev)) {
++ adev->cg_flags = 0;
++ adev->pg_flags = 0;
++ }
+ adev->external_rev_id = adev->rev_id + 0x1; // TODO: need update
+ break;
+ case IP_VERSION(11, 0, 2):
+--
+2.35.1
+
--- /dev/null
+From 82551a45b1977127a9d4e0e7ba1eecdb95b6933f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 00:12:44 +0800
+Subject: drm/amd/display: correct hostvm flag
+
+From: Sherry Wang <Yao.Wang1@amd.com>
+
+[ Upstream commit 796d6a37ff5ffaf9f2dc0f3f4bf9f4a1034c00de ]
+
+[Why]
+Hostvm should be enabled/disabled accordding to
+the status of riommu_active, but hostvm always
+be disabled on DCN31 which causes underflow
+
+[How]
+Set correct hostvm flag on DCN31
+
+Reviewed-by: Charlene Liu <Charlene.Liu@amd.com>
+Acked-by: Wayne Lin <wayne.lin@amd.com>
+Signed-off-by: Sherry Wang <Yao.Wang1@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
+index aedff18aff56..2e5a21856eee 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
+@@ -891,7 +891,7 @@ static const struct dc_debug_options debug_defaults_drv = {
+ .optimize_edp_link_rate = true,
+ .enable_sw_cntl_psr = true,
+ .enable_z9_disable_interface = true, /* Allow support for the PMFW interface for disable Z9*/
+- .dml_hostvm_override = DML_HOSTVM_OVERRIDE_FALSE,
++ .dml_hostvm_override = DML_HOSTVM_NO_OVERRIDE,
+ };
+
+ static const struct dc_debug_options debug_defaults_diags = {
+--
+2.35.1
+
--- /dev/null
+From 276170299bcd3f6cbea11dcb0bd6a576a1ac7a83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 15:01:46 -0400
+Subject: drm/amd/display: fix array-bounds error in
+ dc_stream_remove_writeback()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hamza Mahfooz <hamza.mahfooz@amd.com>
+
+[ Upstream commit 5d8c3e836fc224dfe633e41f7f2856753b39a905 ]
+
+Address the following error:
+drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c: In function ‘dc_stream_remove_writeback’:
+drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:527:55: error: array subscript [0, 0] is outside array bounds of ‘struct dc_writeback_info[1]’ [-Werror=array-bounds]
+ 527 | stream->writeback_info[j] = stream->writeback_info[i];
+ | ~~~~~~~~~~~~~~~~~~~~~~^~~
+In file included from ./drivers/gpu/drm/amd/amdgpu/../display/dc/dc.h:1269,
+ from ./drivers/gpu/drm/amd/amdgpu/../display/dc/inc/core_types.h:29,
+ from ./drivers/gpu/drm/amd/amdgpu/../display/dc/basics/dc_common.h:29,
+ from drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:27:
+./drivers/gpu/drm/amd/amdgpu/../display/dc/dc_stream.h:241:34: note: while referencing ‘writeback_info’
+ 241 | struct dc_writeback_info writeback_info[MAX_DWB_PIPES];
+ |
+
+Currently, we aren't checking to see if j remains within
+writeback_info[]'s bounds. So, add a check to make sure that we aren't
+overflowing the buffer.
+
+Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Signed-off-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
+index 0c85ab5933b4..f0a8bd924f43 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
+@@ -519,7 +519,7 @@ bool dc_stream_remove_writeback(struct dc *dc,
+ }
+
+ /* remove writeback info for disabled writeback pipes from stream */
+- for (i = 0, j = 0; i < stream->num_wb_info; i++) {
++ for (i = 0, j = 0; i < stream->num_wb_info && j < MAX_DWB_PIPES; i++) {
+ if (stream->writeback_info[i].wb_enabled) {
+ if (i != j)
+ /* trim the array */
+--
+2.35.1
+
--- /dev/null
+From 77ef1f27ce6143fc6e4c353cd3f857a3030be1bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Aug 2022 17:43:26 -0300
+Subject: drm/amd/display: fix overflow on MIN_I64 definition
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Gow <davidgow@google.com>
+
+[ Upstream commit 6ae0632d17759852c07e2d1e0a31c728eb6ba246 ]
+
+The definition of MIN_I64 in bw_fixed.c can cause gcc to whinge about
+integer overflow, because it is treated as a positive value, which is
+then negated. The temporary positive value is not necessarily
+representable.
+
+This causes the following warning:
+../drivers/gpu/drm/amd/amdgpu/../display/dc/dml/calcs/bw_fixed.c:30:19:
+warning: integer overflow in expression ‘-9223372036854775808’ of type
+‘long long int’ results in ‘-9223372036854775808’ [-Woverflow]
+ 30 | (int64_t)(-(1LL << 63))
+ | ^
+
+Writing out (-MAX_I64 - 1) works instead.
+
+Signed-off-by: David Gow <davidgow@google.com>
+Signed-off-by: Tales Aparecida <tales.aparecida@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dml/calcs/bw_fixed.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dml/calcs/bw_fixed.c b/drivers/gpu/drm/amd/display/dc/dml/calcs/bw_fixed.c
+index 6ca288fb5fb9..2d46bc527b21 100644
+--- a/drivers/gpu/drm/amd/display/dc/dml/calcs/bw_fixed.c
++++ b/drivers/gpu/drm/amd/display/dc/dml/calcs/bw_fixed.c
+@@ -26,12 +26,12 @@
+ #include "bw_fixed.h"
+
+
+-#define MIN_I64 \
+- (int64_t)(-(1LL << 63))
+-
+ #define MAX_I64 \
+ (int64_t)((1ULL << 63) - 1)
+
++#define MIN_I64 \
++ (-MAX_I64 - 1)
++
+ #define FRACTIONAL_PART_MASK \
+ ((1ULL << BW_FIXED_BITS_PER_FRACTIONAL_PART) - 1)
+
+--
+2.35.1
+
--- /dev/null
+From 04d6aa979704b0eda467618cde9c961f9c37937c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 15:03:50 -0400
+Subject: drm/amd/display: Fix urgent latency override for DCN32/DCN321
+
+From: George Shen <george.shen@amd.com>
+
+[ Upstream commit e7f2f4cd67443ce308480ca461806fcc3456e0ba ]
+
+[Why]
+The urgent latency override is useful when debugging issues
+relating to underflow.
+
+Current overridden variable is not correct and has no effect
+on DCN3.2 and DCN3.21 DML calculations.
+
+[How]
+For DCN3.2 and DCN3.21, override the correct urgent latency
+variable when bounding box override is present.
+
+Reviewed-by: Alvin Lee <alvin.lee2@amd.com>
+Reviewed-by: Nevenko Stupar <Nevenko.Stupar@amd.com>
+Acked-by: Wayne Lin <wayne.lin@amd.com>
+Signed-off-by: George Shen <george.shen@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c | 1 +
+ drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c b/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c
+index e573e706430d..b9d3a4000c3d 100644
+--- a/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c
++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c
+@@ -2199,6 +2199,7 @@ void dcn32_update_bw_bounding_box_fpu(struct dc *dc, struct clk_bw_params *bw_pa
+ if ((int)(dcn3_2_soc.urgent_latency_us * 1000) != dc->bb_overrides.urgent_latency_ns
+ && dc->bb_overrides.urgent_latency_ns) {
+ dcn3_2_soc.urgent_latency_us = dc->bb_overrides.urgent_latency_ns / 1000.0;
++ dcn3_2_soc.urgent_latency_pixel_data_only_us = dc->bb_overrides.urgent_latency_ns / 1000.0;
+ }
+
+ if ((int)(dcn3_2_soc.dram_clock_change_latency_us * 1000)
+diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c b/drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c
+index c87091683b5d..b6369758b491 100644
+--- a/drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c
++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c
+@@ -489,6 +489,7 @@ void dcn321_update_bw_bounding_box_fpu(struct dc *dc, struct clk_bw_params *bw_p
+ if ((int)(dcn3_21_soc.urgent_latency_us * 1000) != dc->bb_overrides.urgent_latency_ns
+ && dc->bb_overrides.urgent_latency_ns) {
+ dcn3_21_soc.urgent_latency_us = dc->bb_overrides.urgent_latency_ns / 1000.0;
++ dcn3_21_soc.urgent_latency_pixel_data_only_us = dc->bb_overrides.urgent_latency_ns / 1000.0;
+ }
+
+ if ((int)(dcn3_21_soc.dram_clock_change_latency_us * 1000)
+--
+2.35.1
+
--- /dev/null
+From 33dbc9775d493aab5b5cb0dd07c57b6b1bdac4ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 16:41:21 +0800
+Subject: drm/amd/display: Fix variable dereferenced before check
+
+From: sunliming <sunliming@kylinos.cn>
+
+[ Upstream commit 45a92f45f4578ff89da7dc5ef50bab4ef870f3b7 ]
+
+Fixes the following smatch warning:
+
+drivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:311 dc_dmub_srv_p_state_delegate()
+warn: variable dereferenced before check 'dc' (see line 309)
+
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: sunliming <sunliming@kylinos.cn>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c b/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c
+index 76c05ff12e95..755c4f9de6da 100644
+--- a/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c
++++ b/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c
+@@ -323,11 +323,13 @@ bool dc_dmub_srv_p_state_delegate(struct dc *dc, bool should_manage_pstate, stru
+ struct dmub_cmd_fw_assisted_mclk_switch_config *config_data = &cmd.fw_assisted_mclk_switch.config_data;
+ int i = 0;
+ int ramp_up_num_steps = 1; // TODO: Ramp is currently disabled. Reenable it.
+- uint8_t visual_confirm_enabled = dc->debug.visual_confirm == VISUAL_CONFIRM_FAMS;
++ uint8_t visual_confirm_enabled;
+
+ if (dc == NULL)
+ return false;
+
++ visual_confirm_enabled = dc->debug.visual_confirm == VISUAL_CONFIRM_FAMS;
++
+ // Format command.
+ cmd.fw_assisted_mclk_switch.header.type = DMUB_CMD__FW_ASSISTED_MCLK_SWITCH;
+ cmd.fw_assisted_mclk_switch.header.sub_type = DMUB_CMD__FAMS_SETUP_FW_CTRL;
+--
+2.35.1
+
--- /dev/null
+From d34aeb44fef901d6b41c1c1b1621f3e867253ac2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 15:23:38 -0400
+Subject: drm/amd/display: polling vid stream status in hpo dp blank
+
+From: Wenjing Liu <wenjing.liu@amd.com>
+
+[ Upstream commit e32df0c7ecead95d70ca89f39b1b2b02a59ff691 ]
+
+[why]
+vid stream control is double bufferred, if we don't wait for video
+stream enable set to 0, we may get temporary image corruption
+showing on the stream when setting PIXEL_TO_SYMBOL_FIFO_ENABLE to 0.
+
+Reviewed-by: Ariel Bernstein <Eric.Bernstein@amd.com>
+Acked-by: Jasdeep Dhillon <jdhillon@amd.com>
+Signed-off-by: Wenjing Liu <wenjing.liu@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/amd/display/dc/dcn31/dcn31_hpo_dp_stream_encoder.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hpo_dp_stream_encoder.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hpo_dp_stream_encoder.c
+index 23621ff08c90..52fb2bf3d578 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hpo_dp_stream_encoder.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hpo_dp_stream_encoder.c
+@@ -150,9 +150,9 @@ static void dcn31_hpo_dp_stream_enc_dp_blank(
+ * 10us*5000=50ms. This covers 41.7ms of minimum 24 Hz mode +
+ * a little more because we may not trust delay accuracy.
+ */
+- //REG_WAIT(DP_SYM32_ENC_VID_STREAM_CONTROL,
+- // VID_STREAM_STATUS, 0,
+- // 10, 5000);
++ REG_WAIT(DP_SYM32_ENC_VID_STREAM_CONTROL,
++ VID_STREAM_STATUS, 0,
++ 10, 5000);
+
+ /* Disable SDP tranmission */
+ REG_UPDATE(DP_SYM32_ENC_SDP_CONTROL,
+--
+2.35.1
+
--- /dev/null
+From 8d930fb7c5fdf22b349da54e55035c8daf533e6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 18:07:59 -0400
+Subject: drm/amd/display: Remove interface for periodic interrupt 1
+
+From: Aric Cyr <aric.cyr@amd.com>
+
+[ Upstream commit 97d8d6f075bd8f988589be02b91f6fa644d0b0b8 ]
+
+[why]
+Only a single VLINE interrupt is available so interface should not
+expose the second one which is used by DMU firmware.
+
+[how]
+Remove references to periodic_interrupt1 and VLINE1 from DC interfaces.
+
+Reviewed-by: Jaehyun Chung <jaehyun.chung@amd.com>
+Acked-by: Jasdeep Dhillon <jdhillon@amd.com>
+Signed-off-by: Aric Cyr <aric.cyr@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc.c | 16 +++------
+ drivers/gpu/drm/amd/display/dc/dc_stream.h | 6 ++--
+ .../amd/display/dc/dcn10/dcn10_hw_sequencer.c | 35 ++++++-------------
+ .../amd/display/dc/dcn10/dcn10_hw_sequencer.h | 3 +-
+ .../gpu/drm/amd/display/dc/inc/hw_sequencer.h | 8 +----
+ 5 files changed, 18 insertions(+), 50 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
+index fb22c3d70528..18d6ee666297 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
+@@ -2753,11 +2753,8 @@ static void copy_stream_update_to_stream(struct dc *dc,
+ if (update->abm_level)
+ stream->abm_level = *update->abm_level;
+
+- if (update->periodic_interrupt0)
+- stream->periodic_interrupt0 = *update->periodic_interrupt0;
+-
+- if (update->periodic_interrupt1)
+- stream->periodic_interrupt1 = *update->periodic_interrupt1;
++ if (update->periodic_interrupt)
++ stream->periodic_interrupt = *update->periodic_interrupt;
+
+ if (update->gamut_remap)
+ stream->gamut_remap_matrix = *update->gamut_remap;
+@@ -2987,13 +2984,8 @@ static void commit_planes_do_stream_update(struct dc *dc,
+
+ if (!pipe_ctx->top_pipe && !pipe_ctx->prev_odm_pipe && pipe_ctx->stream == stream) {
+
+- if (stream_update->periodic_interrupt0 &&
+- dc->hwss.setup_periodic_interrupt)
+- dc->hwss.setup_periodic_interrupt(dc, pipe_ctx, VLINE0);
+-
+- if (stream_update->periodic_interrupt1 &&
+- dc->hwss.setup_periodic_interrupt)
+- dc->hwss.setup_periodic_interrupt(dc, pipe_ctx, VLINE1);
++ if (stream_update->periodic_interrupt && dc->hwss.setup_periodic_interrupt)
++ dc->hwss.setup_periodic_interrupt(dc, pipe_ctx);
+
+ if ((stream_update->hdr_static_metadata && !stream->use_dynamic_meta) ||
+ stream_update->vrr_infopacket ||
+diff --git a/drivers/gpu/drm/amd/display/dc/dc_stream.h b/drivers/gpu/drm/amd/display/dc/dc_stream.h
+index f87f852d4829..ae0922e98ef7 100644
+--- a/drivers/gpu/drm/amd/display/dc/dc_stream.h
++++ b/drivers/gpu/drm/amd/display/dc/dc_stream.h
+@@ -212,8 +212,7 @@ struct dc_stream_state {
+ /* DMCU info */
+ unsigned int abm_level;
+
+- struct periodic_interrupt_config periodic_interrupt0;
+- struct periodic_interrupt_config periodic_interrupt1;
++ struct periodic_interrupt_config periodic_interrupt;
+
+ /* from core_stream struct */
+ struct dc_context *ctx;
+@@ -283,8 +282,7 @@ struct dc_stream_update {
+ struct dc_info_packet *hdr_static_metadata;
+ unsigned int *abm_level;
+
+- struct periodic_interrupt_config *periodic_interrupt0;
+- struct periodic_interrupt_config *periodic_interrupt1;
++ struct periodic_interrupt_config *periodic_interrupt;
+
+ struct dc_info_packet *vrr_infopacket;
+ struct dc_info_packet *vsc_infopacket;
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
+index 5b5d952b2b8c..bc9b92838ea9 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c
+@@ -3768,7 +3768,7 @@ void dcn10_calc_vupdate_position(
+ {
+ const struct dc_crtc_timing *dc_crtc_timing = &pipe_ctx->stream->timing;
+ int vline_int_offset_from_vupdate =
+- pipe_ctx->stream->periodic_interrupt0.lines_offset;
++ pipe_ctx->stream->periodic_interrupt.lines_offset;
+ int vupdate_offset_from_vsync = dc->hwss.get_vupdate_offset_from_vsync(pipe_ctx);
+ int start_position;
+
+@@ -3793,18 +3793,10 @@ void dcn10_calc_vupdate_position(
+ static void dcn10_cal_vline_position(
+ struct dc *dc,
+ struct pipe_ctx *pipe_ctx,
+- enum vline_select vline,
+ uint32_t *start_line,
+ uint32_t *end_line)
+ {
+- enum vertical_interrupt_ref_point ref_point = INVALID_POINT;
+-
+- if (vline == VLINE0)
+- ref_point = pipe_ctx->stream->periodic_interrupt0.ref_point;
+- else if (vline == VLINE1)
+- ref_point = pipe_ctx->stream->periodic_interrupt1.ref_point;
+-
+- switch (ref_point) {
++ switch (pipe_ctx->stream->periodic_interrupt.ref_point) {
+ case START_V_UPDATE:
+ dcn10_calc_vupdate_position(
+ dc,
+@@ -3813,7 +3805,9 @@ static void dcn10_cal_vline_position(
+ end_line);
+ break;
+ case START_V_SYNC:
+- // Suppose to do nothing because vsync is 0;
++ // vsync is line 0 so start_line is just the requested line offset
++ *start_line = pipe_ctx->stream->periodic_interrupt.lines_offset;
++ *end_line = *start_line + 2;
+ break;
+ default:
+ ASSERT(0);
+@@ -3823,24 +3817,15 @@ static void dcn10_cal_vline_position(
+
+ void dcn10_setup_periodic_interrupt(
+ struct dc *dc,
+- struct pipe_ctx *pipe_ctx,
+- enum vline_select vline)
++ struct pipe_ctx *pipe_ctx)
+ {
+ struct timing_generator *tg = pipe_ctx->stream_res.tg;
++ uint32_t start_line = 0;
++ uint32_t end_line = 0;
+
+- if (vline == VLINE0) {
+- uint32_t start_line = 0;
+- uint32_t end_line = 0;
++ dcn10_cal_vline_position(dc, pipe_ctx, &start_line, &end_line);
+
+- dcn10_cal_vline_position(dc, pipe_ctx, vline, &start_line, &end_line);
+-
+- tg->funcs->setup_vertical_interrupt0(tg, start_line, end_line);
+-
+- } else if (vline == VLINE1) {
+- pipe_ctx->stream_res.tg->funcs->setup_vertical_interrupt1(
+- tg,
+- pipe_ctx->stream->periodic_interrupt1.lines_offset);
+- }
++ tg->funcs->setup_vertical_interrupt0(tg, start_line, end_line);
+ }
+
+ void dcn10_setup_vupdate_interrupt(struct dc *dc, struct pipe_ctx *pipe_ctx)
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.h b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.h
+index 9ae07c77fdc0..0ef7bf7ddb75 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.h
++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.h
+@@ -175,8 +175,7 @@ void dcn10_set_cursor_attribute(struct pipe_ctx *pipe_ctx);
+ void dcn10_set_cursor_sdr_white_level(struct pipe_ctx *pipe_ctx);
+ void dcn10_setup_periodic_interrupt(
+ struct dc *dc,
+- struct pipe_ctx *pipe_ctx,
+- enum vline_select vline);
++ struct pipe_ctx *pipe_ctx);
+ enum dc_status dcn10_set_clock(struct dc *dc,
+ enum dc_clock_type clock_type,
+ uint32_t clk_khz,
+diff --git a/drivers/gpu/drm/amd/display/dc/inc/hw_sequencer.h b/drivers/gpu/drm/amd/display/dc/inc/hw_sequencer.h
+index ccb3c719fc4d..ac94dba72c18 100644
+--- a/drivers/gpu/drm/amd/display/dc/inc/hw_sequencer.h
++++ b/drivers/gpu/drm/amd/display/dc/inc/hw_sequencer.h
+@@ -32,11 +32,6 @@
+ #include "inc/hw/link_encoder.h"
+ #include "core_status.h"
+
+-enum vline_select {
+- VLINE0,
+- VLINE1
+-};
+-
+ struct pipe_ctx;
+ struct dc_state;
+ struct dc_stream_status;
+@@ -116,8 +111,7 @@ struct hw_sequencer_funcs {
+ int group_index, int group_size,
+ struct pipe_ctx *grouped_pipes[]);
+ void (*setup_periodic_interrupt)(struct dc *dc,
+- struct pipe_ctx *pipe_ctx,
+- enum vline_select vline);
++ struct pipe_ctx *pipe_ctx);
+ void (*set_drr)(struct pipe_ctx **pipe_ctx, int num_pipes,
+ struct dc_crtc_timing_adjust adjust);
+ void (*set_static_screen_control)(struct pipe_ctx **pipe_ctx,
+--
+2.35.1
+
--- /dev/null
+From 22a93ccb4747bfed617a65522136de892eb68821 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Aug 2022 23:49:56 -0700
+Subject: drm/amd: fix potential memory leak
+
+From: Bernard Zhao <bernard@vivo.com>
+
+[ Upstream commit 6160216fd2c97107e8a9ab39863b056d677fcd85 ]
+
+This patch fix potential memory leak (clk_src) when function run
+into last return NULL.
+
+s/free/kfree/ - Alex
+
+Signed-off-by: Bernard Zhao <bernard@vivo.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c
+index 3cd7c91655c5..6d721fadcbee 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c
+@@ -1720,6 +1720,7 @@ static struct clock_source *dcn30_clock_source_create(
+ }
+
+ BREAK_TO_DEBUGGER();
++ kfree(clk_src);
+ return NULL;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 35eb294aca34fba56f76a12dbe8a0bb7cfbb6eb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 16:57:54 +0800
+Subject: drm/amdgpu: add missing pci_disable_device() in
+ amdgpu_pmops_runtime_resume()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 6b11af6d1c8f5d4135332bb932baaa06e511173d ]
+
+Add missing pci_disable_device() if amdgpu_device_resume() fails.
+
+Fixes: 8e4d5d43cc6c ("drm/amdgpu: Handling of amdgpu_device_resume return value for graceful teardown")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+index 429fcdf28836..de7144b06e93 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -2563,8 +2563,11 @@ static int amdgpu_pmops_runtime_resume(struct device *dev)
+ amdgpu_device_baco_exit(drm_dev);
+ }
+ ret = amdgpu_device_resume(drm_dev, false);
+- if (ret)
++ if (ret) {
++ if (amdgpu_device_supports_px(drm_dev))
++ pci_disable_device(pdev);
+ return ret;
++ }
+
+ if (amdgpu_device_supports_px(drm_dev))
+ drm_dev->switch_power_state = DRM_SWITCH_POWER_ON;
+--
+2.35.1
+
--- /dev/null
+From 4112b3560f36c91e4291f159d56e7eed4ecd3d43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 17:24:53 +0800
+Subject: drm/amdgpu: fix initial connector audio value
+
+From: hongao <hongao@uniontech.com>
+
+[ Upstream commit 4bb71fce58f30df3f251118291d6b0187ce531e6 ]
+
+This got lost somewhere along the way, This fixes
+audio not working until set_property was called.
+
+Signed-off-by: hongao <hongao@uniontech.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+index b7933c2ce765..491d4846fc02 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+@@ -1674,10 +1674,12 @@ amdgpu_connector_add(struct amdgpu_device *adev,
+ adev->mode_info.dither_property,
+ AMDGPU_FMT_DITHER_DISABLE);
+
+- if (amdgpu_audio != 0)
++ if (amdgpu_audio != 0) {
+ drm_object_attach_property(&amdgpu_connector->base.base,
+ adev->mode_info.audio_property,
+ AMDGPU_AUDIO_AUTO);
++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO;
++ }
+
+ subpixel_order = SubPixelHorizontalRGB;
+ connector->interlace_allowed = true;
+@@ -1799,6 +1801,7 @@ amdgpu_connector_add(struct amdgpu_device *adev,
+ drm_object_attach_property(&amdgpu_connector->base.base,
+ adev->mode_info.audio_property,
+ AMDGPU_AUDIO_AUTO);
++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO;
+ }
+ drm_object_attach_property(&amdgpu_connector->base.base,
+ adev->mode_info.dither_property,
+@@ -1852,6 +1855,7 @@ amdgpu_connector_add(struct amdgpu_device *adev,
+ drm_object_attach_property(&amdgpu_connector->base.base,
+ adev->mode_info.audio_property,
+ AMDGPU_AUDIO_AUTO);
++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO;
+ }
+ drm_object_attach_property(&amdgpu_connector->base.base,
+ adev->mode_info.dither_property,
+@@ -1902,6 +1906,7 @@ amdgpu_connector_add(struct amdgpu_device *adev,
+ drm_object_attach_property(&amdgpu_connector->base.base,
+ adev->mode_info.audio_property,
+ AMDGPU_AUDIO_AUTO);
++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO;
+ }
+ drm_object_attach_property(&amdgpu_connector->base.base,
+ adev->mode_info.dither_property,
+--
+2.35.1
+
--- /dev/null
+From 977fc6f2a8188050ab856d5bfbf8fd017527c2d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 19:34:32 -0300
+Subject: drm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue()
+
+From: Rafael Mendonca <rafaelmendsr@gmail.com>
+
+[ Upstream commit 7136f956c73c4ba50bfeb61653dfd6a9669ea915 ]
+
+If construction of the array of work queues to handle hpd_rx_irq offload
+work fails, we need to unwind. Destroy all the created workqueues and
+the allocated memory for the hpd_rx_irq_offload_work_queue struct array.
+
+Fixes: 8e794421bc98 ("drm/amd/display: Fork thread to offload work of hpd_rx_irq")
+Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 6e36427aab46..194142c581c8 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -1296,13 +1296,21 @@ static struct hpd_rx_irq_offload_work_queue *hpd_rx_irq_create_workqueue(struct
+
+ if (hpd_rx_offload_wq[i].wq == NULL) {
+ DRM_ERROR("create amdgpu_dm_hpd_rx_offload_wq fail!");
+- return NULL;
++ goto out_err;
+ }
+
+ spin_lock_init(&hpd_rx_offload_wq[i].offload_lock);
+ }
+
+ return hpd_rx_offload_wq;
++
++out_err:
++ for (i = 0; i < max_caps; i++) {
++ if (hpd_rx_offload_wq[i].wq)
++ destroy_workqueue(hpd_rx_offload_wq[i].wq);
++ }
++ kfree(hpd_rx_offload_wq);
++ return NULL;
+ }
+
+ struct amdgpu_stutter_quirk {
+--
+2.35.1
+
--- /dev/null
+From 9b70c754cd9f43a24a25f5edf9c5f64307b8f890 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 15:46:30 -0400
+Subject: drm/amdgpu: SDMA update use unlocked iterator
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Philip Yang <Philip.Yang@amd.com>
+
+[ Upstream commit 3913f0179ba366f7d7d160c506ce00de1602bbc4 ]
+
+SDMA update page table may be called from unlocked context, this
+generate below warning. Use unlocked iterator to handle this case.
+
+WARNING: CPU: 0 PID: 1475 at
+drivers/dma-buf/dma-resv.c:483 dma_resv_iter_next
+Call Trace:
+ dma_resv_iter_first+0x43/0xa0
+ amdgpu_vm_sdma_update+0x69/0x2d0 [amdgpu]
+ amdgpu_vm_ptes_update+0x29c/0x870 [amdgpu]
+ amdgpu_vm_update_range+0x2f6/0x6c0 [amdgpu]
+ svm_range_unmap_from_gpus+0x115/0x300 [amdgpu]
+ svm_range_cpu_invalidate_pagetables+0x510/0x5e0 [amdgpu]
+ __mmu_notifier_invalidate_range_start+0x1d3/0x230
+ unmap_vmas+0x140/0x150
+ unmap_region+0xa8/0x110
+
+Signed-off-by: Philip Yang <Philip.Yang@amd.com>
+Suggested-by: Felix Kuehling <felix.kuehling@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vm_sdma.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_sdma.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_sdma.c
+index 1fd3cbca20a2..718db7d98e5a 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_sdma.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_sdma.c
+@@ -211,12 +211,15 @@ static int amdgpu_vm_sdma_update(struct amdgpu_vm_update_params *p,
+ int r;
+
+ /* Wait for PD/PT moves to be completed */
+- dma_resv_for_each_fence(&cursor, bo->tbo.base.resv,
+- DMA_RESV_USAGE_KERNEL, fence) {
++ dma_resv_iter_begin(&cursor, bo->tbo.base.resv, DMA_RESV_USAGE_KERNEL);
++ dma_resv_for_each_fence_unlocked(&cursor, fence) {
+ r = amdgpu_sync_fence(&p->job->sync, fence);
+- if (r)
++ if (r) {
++ dma_resv_iter_end(&cursor);
+ return r;
++ }
+ }
++ dma_resv_iter_end(&cursor);
+
+ do {
+ ndw = p->num_dw_left;
+--
+2.35.1
+
--- /dev/null
+From 1c40ad5e1a5ab2fd8002f7b2cb55551caa8a0795 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 13:43:50 +0800
+Subject: drm/amdgpu: Skip the program of MMMC_VM_AGP_* in SRIOV on MMHUB
+ v3_0_0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yifan Zha <Yifan.Zha@amd.com>
+
+[ Upstream commit c1026c6f319724dc88fc08d9d9d35bcbdf492b42 ]
+
+[Why]
+VF should not program these registers, the value were defined in the host.
+
+[How]
+Skip writing them in SRIOV environment and program them on host side.
+
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Yifan Zha <Yifan.Zha@amd.com>
+Signed-off-by: Horace Chen <horace.chen@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c b/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c
+index bc11b2de37ae..a1d26c4d80b8 100644
+--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c
+@@ -169,17 +169,17 @@ static void mmhub_v3_0_init_system_aperture_regs(struct amdgpu_device *adev)
+ uint64_t value;
+ uint32_t tmp;
+
+- /* Disable AGP. */
+- WREG32_SOC15(MMHUB, 0, regMMMC_VM_AGP_BASE, 0);
+- WREG32_SOC15(MMHUB, 0, regMMMC_VM_AGP_TOP, 0);
+- WREG32_SOC15(MMHUB, 0, regMMMC_VM_AGP_BOT, 0x00FFFFFF);
+-
+ if (!amdgpu_sriov_vf(adev)) {
+ /*
+ * the new L1 policy will block SRIOV guest from writing
+ * these regs, and they will be programed at host.
+ * so skip programing these regs.
+ */
++ /* Disable AGP. */
++ WREG32_SOC15(MMHUB, 0, regMMMC_VM_AGP_BASE, 0);
++ WREG32_SOC15(MMHUB, 0, regMMMC_VM_AGP_TOP, 0);
++ WREG32_SOC15(MMHUB, 0, regMMMC_VM_AGP_BOT, 0x00FFFFFF);
++
+ /* Program the system aperture low logical page number. */
+ WREG32_SOC15(MMHUB, 0, regMMMC_VM_SYSTEM_APERTURE_LOW_ADDR,
+ adev->gmc.vram_start >> 18);
+--
+2.35.1
+
--- /dev/null
+From e4458383e9bdd3d5a614a8766e65b42451b56645 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 17:45:59 -0400
+Subject: drm/amdkfd: Fix UBSAN shift-out-of-bounds warning
+
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+
+[ Upstream commit b292cafe2dd02d96a07147e4b160927e8399d5cc ]
+
+This was fixed in initialize_cpsch before, but not in initialize_nocpsch.
+Factor sdma bitmap initialization into a helper function to apply the
+correct implementation in both cases without duplicating it.
+
+v2: Added a range check
+
+Reported-by: Ellis Michael <ellis@ellismichael.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Graham Sider <Graham.Sider@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/amd/amdkfd/kfd_device_queue_manager.c | 45 +++++++++----------
+ 1 file changed, 21 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+index 007a3db69df1..ecb4c3abc629 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+@@ -1242,6 +1242,24 @@ static void init_interrupts(struct device_queue_manager *dqm)
+ dqm->dev->kfd2kgd->init_interrupts(dqm->dev->adev, i);
+ }
+
++static void init_sdma_bitmaps(struct device_queue_manager *dqm)
++{
++ unsigned int num_sdma_queues =
++ min_t(unsigned int, sizeof(dqm->sdma_bitmap)*8,
++ get_num_sdma_queues(dqm));
++ unsigned int num_xgmi_sdma_queues =
++ min_t(unsigned int, sizeof(dqm->xgmi_sdma_bitmap)*8,
++ get_num_xgmi_sdma_queues(dqm));
++
++ if (num_sdma_queues)
++ dqm->sdma_bitmap = GENMASK_ULL(num_sdma_queues-1, 0);
++ if (num_xgmi_sdma_queues)
++ dqm->xgmi_sdma_bitmap = GENMASK_ULL(num_xgmi_sdma_queues-1, 0);
++
++ dqm->sdma_bitmap &= ~get_reserved_sdma_queues_bitmap(dqm);
++ pr_info("sdma_bitmap: %llx\n", dqm->sdma_bitmap);
++}
++
+ static int initialize_nocpsch(struct device_queue_manager *dqm)
+ {
+ int pipe, queue;
+@@ -1270,11 +1288,7 @@ static int initialize_nocpsch(struct device_queue_manager *dqm)
+
+ memset(dqm->vmid_pasid, 0, sizeof(dqm->vmid_pasid));
+
+- dqm->sdma_bitmap = ~0ULL >> (64 - get_num_sdma_queues(dqm));
+- dqm->sdma_bitmap &= ~(get_reserved_sdma_queues_bitmap(dqm));
+- pr_info("sdma_bitmap: %llx\n", dqm->sdma_bitmap);
+-
+- dqm->xgmi_sdma_bitmap = ~0ULL >> (64 - get_num_xgmi_sdma_queues(dqm));
++ init_sdma_bitmaps(dqm);
+
+ return 0;
+ }
+@@ -1452,9 +1466,6 @@ static int set_sched_resources(struct device_queue_manager *dqm)
+
+ static int initialize_cpsch(struct device_queue_manager *dqm)
+ {
+- uint64_t num_sdma_queues;
+- uint64_t num_xgmi_sdma_queues;
+-
+ pr_debug("num of pipes: %d\n", get_pipes_per_mec(dqm));
+
+ mutex_init(&dqm->lock_hidden);
+@@ -1463,24 +1474,10 @@ static int initialize_cpsch(struct device_queue_manager *dqm)
+ dqm->active_cp_queue_count = 0;
+ dqm->gws_queue_count = 0;
+ dqm->active_runlist = false;
+-
+- num_sdma_queues = get_num_sdma_queues(dqm);
+- if (num_sdma_queues >= BITS_PER_TYPE(dqm->sdma_bitmap))
+- dqm->sdma_bitmap = ULLONG_MAX;
+- else
+- dqm->sdma_bitmap = (BIT_ULL(num_sdma_queues) - 1);
+-
+- dqm->sdma_bitmap &= ~(get_reserved_sdma_queues_bitmap(dqm));
+- pr_info("sdma_bitmap: %llx\n", dqm->sdma_bitmap);
+-
+- num_xgmi_sdma_queues = get_num_xgmi_sdma_queues(dqm);
+- if (num_xgmi_sdma_queues >= BITS_PER_TYPE(dqm->xgmi_sdma_bitmap))
+- dqm->xgmi_sdma_bitmap = ULLONG_MAX;
+- else
+- dqm->xgmi_sdma_bitmap = (BIT_ULL(num_xgmi_sdma_queues) - 1);
+-
+ INIT_WORK(&dqm->hw_exception_work, kfd_process_hw_exception);
+
++ init_sdma_bitmaps(dqm);
++
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 6785fc02a6140005c6fa7054faaf83dc87b6f73c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Sep 2022 16:29:57 +0200
+Subject: drm/bochs: fix blanking
+
+From: Gerd Hoffmann <kraxel@redhat.com>
+
+[ Upstream commit e740ceb53e4579a7a4063712cebecac3c343b189 ]
+
+VGA_IS1_RC is the color mode register (VGA_IS1_RM the one for monochrome
+mode, note C vs. M at the end). So when using VGA_IS1_RC make sure the
+vga device is actually in color mode and set the corresponding bit in the
+misc register.
+
+Reproducible when booting VMs in UEFI mode with some edk2 versions (edk2
+fix is on the way too). Doesn't happen in BIOS mode because in that
+case the vgabios already flips the bit.
+
+Fixes: 250e743915d4 ("drm/bochs: Add screen blanking support")
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: http://patchwork.freedesktop.org/patch/msgid/20220906142957.2763577-1-kraxel@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tiny/bochs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/tiny/bochs.c b/drivers/gpu/drm/tiny/bochs.c
+index 82364a0a7b18..490fa92a4dce 100644
+--- a/drivers/gpu/drm/tiny/bochs.c
++++ b/drivers/gpu/drm/tiny/bochs.c
+@@ -309,6 +309,8 @@ static void bochs_hw_fini(struct drm_device *dev)
+ static void bochs_hw_blank(struct bochs_device *bochs, bool blank)
+ {
+ DRM_DEBUG_DRIVER("hw_blank %d\n", blank);
++ /* enable color bit (so VGA_IS1_RC access works) */
++ bochs_vga_writeb(bochs, VGA_MIS_W, VGA_MIS_COLOR);
+ /* discard ar_flip_flop */
+ (void)bochs_vga_readb(bochs, VGA_IS1_RC);
+ /* blank or unblank; we need only update index and set 0x20 */
+--
+2.35.1
+
--- /dev/null
+From 88b32ad3576f0ac3cdf8aed0b7738109f4af7529 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Jun 2022 16:48:53 +0200
+Subject: drm: bridge: adv7511: fix CEC power down control register offset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alvin Šipraga <alsi@bang-olufsen.dk>
+
+[ Upstream commit 1d22b6033ea113a4c3850dfa2c0770885c81aec8 ]
+
+The ADV7511_REG_CEC_CTRL = 0xE2 register is part of the main register
+map - not the CEC register map. As such, we shouldn't apply an offset to
+the register address. Doing so will cause us to address a bogus register
+for chips with a CEC register map offset (e.g. ADV7533).
+
+Fixes: 3b1b975003e4 ("drm: adv7511/33: add HDMI CEC support")
+Signed-off-by: Alvin Šipraga <alsi@bang-olufsen.dk>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220612144854.2223873-2-alvin@pqrs.dk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/adv7511/adv7511.h | 5 +----
+ drivers/gpu/drm/bridge/adv7511/adv7511_cec.c | 4 ++--
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511.h b/drivers/gpu/drm/bridge/adv7511/adv7511.h
+index a031a0cd1f18..94de73cbeb2d 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511.h
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511.h
+@@ -394,10 +394,7 @@ void adv7511_cec_irq_process(struct adv7511 *adv7511, unsigned int irq1);
+ #else
+ static inline int adv7511_cec_init(struct device *dev, struct adv7511 *adv7511)
+ {
+- unsigned int offset = adv7511->type == ADV7533 ?
+- ADV7533_REG_CEC_OFFSET : 0;
+-
+- regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL + offset,
++ regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL,
+ ADV7511_CEC_CTRL_POWER_DOWN);
+ return 0;
+ }
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_cec.c b/drivers/gpu/drm/bridge/adv7511/adv7511_cec.c
+index 0b266f28f150..99964f5a5457 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511_cec.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_cec.c
+@@ -359,7 +359,7 @@ int adv7511_cec_init(struct device *dev, struct adv7511 *adv7511)
+ goto err_cec_alloc;
+ }
+
+- regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL + offset, 0);
++ regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL, 0);
+ /* cec soft reset */
+ regmap_write(adv7511->regmap_cec,
+ ADV7511_REG_CEC_SOFT_RESET + offset, 0x01);
+@@ -386,7 +386,7 @@ int adv7511_cec_init(struct device *dev, struct adv7511 *adv7511)
+ dev_info(dev, "Initializing CEC failed with error %d, disabling CEC\n",
+ ret);
+ err_cec_parse_dt:
+- regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL + offset,
++ regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL,
+ ADV7511_CEC_CTRL_POWER_DOWN);
+ return ret == -EPROBE_DEFER ? ret : 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From e10c1640a17169acbfb342521067c3dbf9c563bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Jun 2022 16:48:54 +0200
+Subject: drm: bridge: adv7511: unregister cec i2c device after cec adapter
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alvin Šipraga <alsi@bang-olufsen.dk>
+
+[ Upstream commit 40cdb02cb9f965732eb543d47f15bef8d10f0f5f ]
+
+cec_unregister_adapter() assumes that the underlying adapter ops are
+callable. For example, if the CEC adapter currently has a valid physical
+address, then the unregistration procedure will invalidate the physical
+address by setting it to f.f.f.f. Whence the following kernel oops
+observed after removing the adv7511 module:
+
+ Unable to handle kernel execution of user memory at virtual address 0000000000000000
+ Internal error: Oops: 86000004 [#1] PREEMPT_RT SMP
+ Call trace:
+ 0x0
+ adv7511_cec_adap_log_addr+0x1ac/0x1c8 [adv7511]
+ cec_adap_unconfigure+0x44/0x90 [cec]
+ __cec_s_phys_addr.part.0+0x68/0x230 [cec]
+ __cec_s_phys_addr+0x40/0x50 [cec]
+ cec_unregister_adapter+0xb4/0x118 [cec]
+ adv7511_remove+0x60/0x90 [adv7511]
+ i2c_device_remove+0x34/0xe0
+ device_release_driver_internal+0x114/0x1f0
+ driver_detach+0x54/0xe0
+ bus_remove_driver+0x60/0xd8
+ driver_unregister+0x34/0x60
+ i2c_del_driver+0x2c/0x68
+ adv7511_exit+0x1c/0x67c [adv7511]
+ __arm64_sys_delete_module+0x154/0x288
+ invoke_syscall+0x48/0x100
+ el0_svc_common.constprop.0+0x48/0xe8
+ do_el0_svc+0x28/0x88
+ el0_svc+0x1c/0x50
+ el0t_64_sync_handler+0xa8/0xb0
+ el0t_64_sync+0x15c/0x160
+ Code: bad PC value
+ ---[ end trace 0000000000000000 ]---
+
+Protect against this scenario by unregistering i2c_cec after
+unregistering the CEC adapter. Duly disable the CEC clock afterwards
+too.
+
+Fixes: 3b1b975003e4 ("drm: adv7511/33: add HDMI CEC support")
+Signed-off-by: Alvin Šipraga <alsi@bang-olufsen.dk>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220612144854.2223873-3-alvin@pqrs.dk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+index 38bf28720f3a..6031bdd92342 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+@@ -1340,9 +1340,6 @@ static int adv7511_remove(struct i2c_client *i2c)
+ {
+ struct adv7511 *adv7511 = i2c_get_clientdata(i2c);
+
+- i2c_unregister_device(adv7511->i2c_cec);
+- clk_disable_unprepare(adv7511->cec_clk);
+-
+ adv7511_uninit_regulators(adv7511);
+
+ drm_bridge_remove(&adv7511->bridge);
+@@ -1350,6 +1347,8 @@ static int adv7511_remove(struct i2c_client *i2c)
+ adv7511_audio_exit(adv7511);
+
+ cec_unregister_adapter(adv7511->cec_adap);
++ i2c_unregister_device(adv7511->i2c_cec);
++ clk_disable_unprepare(adv7511->cec_clk);
+
+ i2c_unregister_device(adv7511->i2c_packet);
+ i2c_unregister_device(adv7511->i2c_edid);
+--
+2.35.1
+
--- /dev/null
+From 33fcd927619208ab4ca4adb76adfddd50e1d1195 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Jul 2022 14:54:46 +0800
+Subject: drm/bridge: anx7625: Fix refcount bug in anx7625_parse_dt()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 1d43a5120ab49f22ba6c5901ad3994e254510303 ]
+
+In anx7625_parse_dt(), 'pdata->mipi_host_node' will be assigned a
+new reference with of_graph_get_remote_node() which will increase
+the refcount of the object, correspondingly, we should call
+of_node_put() for the old reference stored in the 'pdata->mipi_host_node'.
+
+Fixes: 8bdfc5dae4e3 ("drm/bridge: anx7625: Add anx7625 MIPI DSI/DPI to DP")
+Signed-off-by: Liang He <windhl@126.com>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220719065447.1080817-1-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/analogix/anx7625.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/bridge/analogix/anx7625.c b/drivers/gpu/drm/bridge/analogix/anx7625.c
+index d1f1d525aeb6..79fc7a50b497 100644
+--- a/drivers/gpu/drm/bridge/analogix/anx7625.c
++++ b/drivers/gpu/drm/bridge/analogix/anx7625.c
+@@ -1642,6 +1642,7 @@ static int anx7625_parse_dt(struct device *dev,
+ anx7625_get_swing_setting(dev, pdata);
+
+ pdata->is_dpi = 0; /* default dsi mode */
++ of_node_put(pdata->mipi_host_node);
+ pdata->mipi_host_node = of_graph_get_remote_node(np, 0, 0);
+ if (!pdata->mipi_host_node) {
+ DRM_DEV_ERROR(dev, "fail to get internal panel.\n");
+--
+2.35.1
+
--- /dev/null
+From 6986cdaa875b595d68b2c1f1c1f6f0d7a422513d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Jul 2022 13:55:40 +0300
+Subject: drm/bridge: Avoid uninitialized variable warning
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 7d1202738efda60155d98b370b3c70d336be0eea ]
+
+This code works, but technically it uses "num_in_bus_fmts" before it
+has been initialized so it leads to static checker warnings and probably
+KMEMsan warnings at run time. Initialize the variable to zero to
+silence the warning.
+
+Fixes: f32df58acc68 ("drm/bridge: Add the necessary bits to support bus format negotiation")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/YrrIs3hoGcPVmXc5@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_bridge.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_bridge.c b/drivers/gpu/drm/drm_bridge.c
+index 6abf7a2407e9..1545c50fd1c8 100644
+--- a/drivers/gpu/drm/drm_bridge.c
++++ b/drivers/gpu/drm/drm_bridge.c
+@@ -847,8 +847,8 @@ static int select_bus_fmt_recursive(struct drm_bridge *first_bridge,
+ struct drm_connector_state *conn_state,
+ u32 out_bus_fmt)
+ {
++ unsigned int i, num_in_bus_fmts = 0;
+ struct drm_bridge_state *cur_state;
+- unsigned int num_in_bus_fmts, i;
+ struct drm_bridge *prev_bridge;
+ u32 *in_bus_fmts;
+ int ret;
+@@ -969,7 +969,7 @@ drm_atomic_bridge_chain_select_bus_fmts(struct drm_bridge *bridge,
+ struct drm_connector *conn = conn_state->connector;
+ struct drm_encoder *encoder = bridge->encoder;
+ struct drm_bridge_state *last_bridge_state;
+- unsigned int i, num_out_bus_fmts;
++ unsigned int i, num_out_bus_fmts = 0;
+ struct drm_bridge *last_bridge;
+ u32 *out_bus_fmts;
+ int ret = 0;
+--
+2.35.1
+
--- /dev/null
+From c0e40d1c07f5051f461454ff8d19bc2a7f224bc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 20:57:33 +0200
+Subject: drm: bridge: dw_hdmi: only trigger hotplug event on link change
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+[ Upstream commit da09daf881082266e4075657fac53c7966de8e4d ]
+
+There are two events that signal a real change of the link state: HPD going
+high means the sink is newly connected or wants the source to re-read the
+EDID, RX sense going low is a indication that the link has been disconnected.
+
+Ignore the other two events that also trigger interrupts, but don't need
+immediate attention: HPD going low does not necessarily mean the link has
+been lost and should not trigger a immediate read of the status. RX sense
+going high also does not require a detect cycle, as HPD going high is the
+right point in time to read the EDID.
+
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Neil Armstrong <narmstrong@baylibre.com> (v1)
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220826185733.3213248-1-l.stach@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/synopsys/dw-hdmi.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
+index 25a60eb4d67c..40d8ca37f5bc 100644
+--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c
+@@ -3096,6 +3096,7 @@ static irqreturn_t dw_hdmi_irq(int irq, void *dev_id)
+ {
+ struct dw_hdmi *hdmi = dev_id;
+ u8 intr_stat, phy_int_pol, phy_pol_mask, phy_stat;
++ enum drm_connector_status status = connector_status_unknown;
+
+ intr_stat = hdmi_readb(hdmi, HDMI_IH_PHY_STAT0);
+ phy_int_pol = hdmi_readb(hdmi, HDMI_PHY_POL0);
+@@ -3134,13 +3135,15 @@ static irqreturn_t dw_hdmi_irq(int irq, void *dev_id)
+ cec_notifier_phys_addr_invalidate(hdmi->cec_notifier);
+ mutex_unlock(&hdmi->cec_notifier_mutex);
+ }
+- }
+
+- if (intr_stat & HDMI_IH_PHY_STAT0_HPD) {
+- enum drm_connector_status status = phy_int_pol & HDMI_PHY_HPD
+- ? connector_status_connected
+- : connector_status_disconnected;
++ if (phy_stat & HDMI_PHY_HPD)
++ status = connector_status_connected;
++
++ if (!(phy_stat & (HDMI_PHY_HPD | HDMI_PHY_RX_SENSE)))
++ status = connector_status_disconnected;
++ }
+
++ if (status != connector_status_unknown) {
+ dev_dbg(hdmi->dev, "EVENT=%s\n",
+ status == connector_status_connected ?
+ "plugin" : "plugout");
+--
+2.35.1
+
--- /dev/null
+From b0f0d760d06f1c005e1a6a7690fabf806bd3cdaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 12:57:56 +0800
+Subject: drm/bridge: it6505: Fix the order of DP_SET_POWER commands
+
+From: Pin-yen Lin <treapking@chromium.org>
+
+[ Upstream commit 7c1dceaffd99247bf443606730515b54d6285969 ]
+
+Send DP_SET_POWER_D3 command to the downstream before stopping DP, so the
+suspend process will not be interrupted by the HPD interrupt. Also modify
+the order in .atomic_enable callback to make the callbacks symmetric.
+
+Fixes: 46ca7da7f1e8 ("drm/bridge: it6505: Send DPCD SET_POWER to downstream")
+Signed-off-by: Pin-yen Lin <treapking@chromium.org>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220830045756.1655954-1-treapking@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/ite-it6505.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/ite-it6505.c b/drivers/gpu/drm/bridge/ite-it6505.c
+index e5626035f311..a09d1a39ab0a 100644
+--- a/drivers/gpu/drm/bridge/ite-it6505.c
++++ b/drivers/gpu/drm/bridge/ite-it6505.c
+@@ -2945,9 +2945,6 @@ static void it6505_bridge_atomic_enable(struct drm_bridge *bridge,
+ if (ret)
+ dev_err(dev, "Failed to setup AVI infoframe: %d", ret);
+
+- it6505_drm_dp_link_set_power(&it6505->aux, &it6505->link,
+- DP_SET_POWER_D0);
+-
+ it6505_update_video_parameter(it6505, mode);
+
+ ret = it6505_send_video_infoframe(it6505, &frame);
+@@ -2957,6 +2954,9 @@ static void it6505_bridge_atomic_enable(struct drm_bridge *bridge,
+
+ it6505_int_mask_enable(it6505);
+ it6505_video_reset(it6505);
++
++ it6505_drm_dp_link_set_power(&it6505->aux, &it6505->link,
++ DP_SET_POWER_D0);
+ }
+
+ static void it6505_bridge_atomic_disable(struct drm_bridge *bridge,
+@@ -2968,9 +2968,9 @@ static void it6505_bridge_atomic_disable(struct drm_bridge *bridge,
+ DRM_DEV_DEBUG_DRIVER(dev, "start");
+
+ if (it6505->powered) {
+- it6505_video_disable(it6505);
+ it6505_drm_dp_link_set_power(&it6505->aux, &it6505->link,
+ DP_SET_POWER_D3);
++ it6505_video_disable(it6505);
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From f15b6ec686a0c0dc00e9eb5477f252d20dc14657 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Jul 2022 17:39:20 +0800
+Subject: drm/bridge: it6505: Power on downstream device in .atomic_enable
+
+From: Pin-Yen Lin <treapking@chromium.org>
+
+[ Upstream commit fbc1fdaa8338ec4ebd862d918a0ce3e12033e8a3 ]
+
+Send DPCD DP_SET_POWER_D0 command to the monitor in .atomic_enable
+callback. Without this command, some monitors won't show up again after
+changing the resolution.
+
+Fixes: 46ca7da7f1e8 ("drm/bridge: it6505: Send DPCD SET_POWER to downstream")
+
+Signed-off-by: Pin-Yen Lin <treapking@chromium.org>
+Reviewed-by: Allen Chen <allen.chen@ite.com.tw>
+Fixes: 46ca7da7f1e8 ("drm/bridge: it6505: Send DPCD SET_POWER to downstream")
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220714173715.v2.1.I85af54e9ceda74ec69f661852825845f983fc343@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/ite-it6505.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/bridge/ite-it6505.c b/drivers/gpu/drm/bridge/ite-it6505.c
+index 4b673c4792d7..e5626035f311 100644
+--- a/drivers/gpu/drm/bridge/ite-it6505.c
++++ b/drivers/gpu/drm/bridge/ite-it6505.c
+@@ -2945,6 +2945,9 @@ static void it6505_bridge_atomic_enable(struct drm_bridge *bridge,
+ if (ret)
+ dev_err(dev, "Failed to setup AVI infoframe: %d", ret);
+
++ it6505_drm_dp_link_set_power(&it6505->aux, &it6505->link,
++ DP_SET_POWER_D0);
++
+ it6505_update_video_parameter(it6505, mode);
+
+ ret = it6505_send_video_infoframe(it6505, &frame);
+--
+2.35.1
+
--- /dev/null
+From ac87f6418c541f1cb1e362cf18c18052b3a9e27e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 15:34:50 +0800
+Subject: drm/bridge: megachips: Fix a null pointer dereference bug
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 1ff673333d46d2c1b053ebd0c1c7c7c79e36943e ]
+
+When removing the module we will get the following warning:
+
+[ 31.911505] i2c-core: driver [stdp2690-ge-b850v3-fw] unregistered
+[ 31.912484] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
+[ 31.913338] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+[ 31.915280] RIP: 0010:drm_bridge_remove+0x97/0x130
+[ 31.921825] Call Trace:
+[ 31.922533] stdp4028_ge_b850v3_fw_remove+0x34/0x60 [megachips_stdpxxxx_ge_b850v3_fw]
+[ 31.923139] i2c_device_remove+0x181/0x1f0
+
+The two bridges (stdp2690, stdp4028) do not probe at the same time, so
+the driver does not call ge_b850v3_resgiter() when probing, causing the
+driver to try to remove the object that has not been initialized.
+
+Fix this by checking whether both the bridges are probed.
+
+Fixes: 11632d4aa2b3 ("drm/bridge: megachips: Ensure both bridges are probed before registration")
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220830073450.1897020-1-zheyuma97@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
+index cce98bf2a4e7..72248a565579 100644
+--- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
++++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c
+@@ -296,7 +296,9 @@ static void ge_b850v3_lvds_remove(void)
+ * This check is to avoid both the drivers
+ * removing the bridge in their remove() function
+ */
+- if (!ge_b850v3_lvds_ptr)
++ if (!ge_b850v3_lvds_ptr ||
++ !ge_b850v3_lvds_ptr->stdp2690_i2c ||
++ !ge_b850v3_lvds_ptr->stdp4028_i2c)
+ goto out;
+
+ drm_bridge_remove(&ge_b850v3_lvds_ptr->bridge);
+--
+2.35.1
+
--- /dev/null
+From 86abd686c7d91ba8894fe834dece03f7ee2f87b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jul 2022 17:22:58 +0800
+Subject: drm/bridge: parade-ps8640: Fix regulator supply order
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit fc94224c2e0ae8d83ac511a3ef4962178505469d ]
+
+The datasheet says that VDD12 must be enabled and at full voltage before
+VDD33 is enabled.
+
+Reorder the bulk regulator supply names so that VDD12 is enabled before
+VDD33. Any enable ramp delays should be handled by setting proper
+constraints on the regulators.
+
+Fixes: bc1aee7fc8f0 ("drm/bridge: Add I2C based driver for ps8640 bridge")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220721092258.3397461-1-wenst@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/parade-ps8640.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/parade-ps8640.c b/drivers/gpu/drm/bridge/parade-ps8640.c
+index 31e88cb39f8a..49107a6cdac1 100644
+--- a/drivers/gpu/drm/bridge/parade-ps8640.c
++++ b/drivers/gpu/drm/bridge/parade-ps8640.c
+@@ -631,8 +631,8 @@ static int ps8640_probe(struct i2c_client *client)
+ if (!ps_bridge)
+ return -ENOMEM;
+
+- ps_bridge->supplies[0].supply = "vdd33";
+- ps_bridge->supplies[1].supply = "vdd12";
++ ps_bridge->supplies[0].supply = "vdd12";
++ ps_bridge->supplies[1].supply = "vdd33";
+ ret = devm_regulator_bulk_get(dev, ARRAY_SIZE(ps_bridge->supplies),
+ ps_bridge->supplies);
+ if (ret)
+--
+2.35.1
+
--- /dev/null
+From 4e8fd93fc8efb08de35e28a166ee0f032d5b5066 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Jul 2022 14:54:47 +0800
+Subject: drm/bridge: tc358767: Add of_node_put() when breaking out of loop
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 14e7157afb055248ed34901fcd6fbf54201cfea1 ]
+
+In tc_probe_bridge_endpoint(), we should call of_node_put() when
+breaking out of the for_each_endpoint_of_node() which will automatically
+increase and decrease the refcount.
+
+Fixes: 71f7d9c03118 ("drm/bridge: tc358767: Detect bridge mode from connected endpoints in DT")
+Signed-off-by: Liang He <windhl@126.com>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220719065447.1080817-2-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/tc358767.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/tc358767.c b/drivers/gpu/drm/bridge/tc358767.c
+index 02bd757a8987..1dc107f13645 100644
+--- a/drivers/gpu/drm/bridge/tc358767.c
++++ b/drivers/gpu/drm/bridge/tc358767.c
+@@ -2010,9 +2010,10 @@ static int tc_probe_bridge_endpoint(struct tc_data *tc)
+
+ for_each_endpoint_of_node(dev->of_node, node) {
+ of_graph_parse_endpoint(node, &endpoint);
+- if (endpoint.port > 2)
++ if (endpoint.port > 2) {
++ of_node_put(node);
+ return -EINVAL;
+-
++ }
+ mode |= BIT(endpoint.port);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From eb47ca5144c3dc96b84be556e9701f1c204ee8d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 22:49:00 -0700
+Subject: drm/dp: Don't rewrite link config when setting phy test pattern
+
+From: Khaled Almahallawy <khaled.almahallawy@intel.com>
+
+[ Upstream commit 7b4d8db657192066bc6f1f6635d348413dac1e18 ]
+
+The sequence for Source DP PHY CTS automation is [2][1]:
+1- Emulate successful Link Training(LT)
+2- Short HPD and change link rates and number of lanes by LT.
+(This is same flow for Link Layer CTS)
+3- Short HPD and change PHY test pattern and swing/pre-emphasis
+levels (This step should not trigger LT)
+
+The problem is with DP PHY compliance setup as follow:
+
+ [DPTX + on board LTTPR]------Main Link--->[Scope]
+ ^ |
+ | |
+ | |
+ ----------Aux Ch------>[Aux Emulator]
+
+At step 3, before writing TRAINING_LANEx_SET/LINK_QUAL_PATTERN_SET
+to declare the pattern/swing requested by scope, we write link
+config in LINK_BW_SET/LANE_COUNT_SET on a port that has LTTPR.
+As LTTPR snoops aux transaction, LINK_BW_SET/LANE_COUNT_SET writes
+indicate a LT will start [Check DP 2.0 E11 -Sec 3.6.8.2 & 3.6.8.6.3],
+and LTTPR will reset the link and stop sending DP signals to
+DPTX/Scope causing the measurements to fail. Note that step 3 will
+not trigger LT and DP link will never recovered by the
+Aux Emulator/Scope.
+
+The reset of link can be tested with a monitor connected to LTTPR
+port simply by writing to LINK_BW_SET or LANE_COUNT_SET as follow
+
+ igt/tools/dpcd_reg write --offset=0x100 --value 0x14 --device=2
+
+OR
+
+ printf '\x14' | sudo dd of=/dev/drm_dp_aux2 bs=1 count=1 conv=notrunc
+ seek=$((0x100))
+
+This single aux write causes the screen to blank, sending short HPD to
+DPTX, setting LINK_STATUS_UPDATE = 1 in DPCD 0x204, and triggering LT.
+
+As stated in [1]:
+"Before any TX electrical testing can be performed, the link between a
+DPTX and DPRX (in this case, a piece of test equipment), including all
+LTTPRs within the path, shall be trained as defined in this Standard."
+
+In addition, changing Phy pattern/Swing/Pre-emphasis (Step 3) uses the
+same link rate and lane count applied on step 2, so no need to redo LT.
+
+The fix is to not rewrite link config in step 3, and just writes
+TRAINING_LANEx_SET and LINK_QUAL_PATTERN_SET
+
+[1]: DP 2.0 E11 - 3.6.11.1 LTTPR DPTX_PHY Electrical Compliance
+
+[2]: Configuring UnigrafDPTC Controller - Automation Test Sequence
+https://www.keysight.com/us/en/assets/9922-01244/help-files/
+D9040DPPC-DisplayPort-Test-Software-Online-Help-latest.chm
+
+Cc: Imre Deak <imre.deak@intel.com>
+Cc: Jani Nikula <jani.nikula@intel.com>
+Cc: Or Cochvi <or.cochvi@intel.com>
+Signed-off-by: Khaled Almahallawy <khaled.almahallawy@intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220916054900.415804-1-khaled.almahallawy@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/display/drm_dp_helper.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/drivers/gpu/drm/display/drm_dp_helper.c b/drivers/gpu/drm/display/drm_dp_helper.c
+index e5bab236b3ae..4c0c4e3d1e20 100644
+--- a/drivers/gpu/drm/display/drm_dp_helper.c
++++ b/drivers/gpu/drm/display/drm_dp_helper.c
+@@ -2638,17 +2638,8 @@ int drm_dp_set_phy_test_pattern(struct drm_dp_aux *aux,
+ struct drm_dp_phy_test_params *data, u8 dp_rev)
+ {
+ int err, i;
+- u8 link_config[2];
+ u8 test_pattern;
+
+- link_config[0] = drm_dp_link_rate_to_bw_code(data->link_rate);
+- link_config[1] = data->num_lanes;
+- if (data->enhanced_frame_cap)
+- link_config[1] |= DP_LANE_COUNT_ENHANCED_FRAME_EN;
+- err = drm_dp_dpcd_write(aux, DP_LINK_BW_SET, link_config, 2);
+- if (err < 0)
+- return err;
+-
+ test_pattern = data->phy_pattern;
+ if (dp_rev < 0x12) {
+ test_pattern = (test_pattern << 2) &
+--
+2.35.1
+
--- /dev/null
+From 2079d8c04f211f332d9d94d8fbc3a5dc2a211ed9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Feb 2022 15:40:25 +0000
+Subject: drm/dp_mst: fix drm_dp_dpcd_read return value checks
+
+From: Simon Ser <contact@emersion.fr>
+
+[ Upstream commit 2ac6cdd581f48c8f68747156fde5868486a44985 ]
+
+drm_dp_dpcd_read returns the number of bytes read. The previous code
+would print garbage on DPCD error, and would exit with on error on
+success.
+
+Signed-off-by: Simon Ser <contact@emersion.fr>
+Fixes: cb897542c6d2 ("drm/dp_mst: Fix W=1 warnings")
+Cc: Lyude Paul <lyude@redhat.com>
+Cc: Benjamin Gaignard <benjamin.gaignard@st.com>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/473500/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/display/drm_dp_mst_topology.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/drm/display/drm_dp_mst_topology.c
+index 57e65423e50d..7a94a5288e8d 100644
+--- a/drivers/gpu/drm/display/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c
+@@ -4907,14 +4907,14 @@ void drm_dp_mst_dump_topology(struct seq_file *m,
+ seq_printf(m, "dpcd: %*ph\n", DP_RECEIVER_CAP_SIZE, buf);
+
+ ret = drm_dp_dpcd_read(mgr->aux, DP_FAUX_CAP, buf, 2);
+- if (ret) {
++ if (ret != 2) {
+ seq_printf(m, "faux/mst read failed\n");
+ goto out;
+ }
+ seq_printf(m, "faux/mst: %*ph\n", 2, buf);
+
+ ret = drm_dp_dpcd_read(mgr->aux, DP_MSTM_CTRL, buf, 1);
+- if (ret) {
++ if (ret != 1) {
+ seq_printf(m, "mst ctrl read failed\n");
+ goto out;
+ }
+@@ -4922,7 +4922,7 @@ void drm_dp_mst_dump_topology(struct seq_file *m,
+
+ /* dump the standard OUI branch header */
+ ret = drm_dp_dpcd_read(mgr->aux, DP_BRANCH_OUI, buf, DP_BRANCH_OUI_HEADER_SIZE);
+- if (ret) {
++ if (ret != DP_BRANCH_OUI_HEADER_SIZE) {
+ seq_printf(m, "branch oui read failed\n");
+ goto out;
+ }
+--
+2.35.1
+
--- /dev/null
+From 8bf2b90038f49a6a81e60d49118000b00a271056 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 09:31:00 +0900
+Subject: drm/exynos: Fix return type for mixer_mode_valid and hdmi_mode_valid
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+[ Upstream commit 1261255531088208daeca818e2b486030b5339e5 ]
+
+The field mode_valid in exynos_drm_crtc_ops is expected to be of type enum
+drm_mode_status (*mode_valid)(struct exynos_drm_crtc *crtc,
+ const struct drm_display_mode *mode);
+
+Likewise for mode_valid in drm_connector_helper_funcs.
+
+The mismatched return type breaks forward edge kCFI since the underlying
+function definition does not match the function hook definition.
+
+The return type of mixer_mode_valid and hdmi_mode_valid should be changed
+from int to enum drm_mode_status.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://protect2.fireeye.com/v1/url?k=3e644738-5fef521d-3e65cc77-
+74fe485cbff6-36ad29bf912d3c9f&q=1&e=5cc06174-77dd-4abd-ab50-
+155da5711aa3&u=https%3A%2F%2Fgithub.com%2FClangBuiltLinux%2Flinux%2Fissues%2F
+1703
+Cc: llvm@lists.linux.dev
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_hdmi.c | 4 ++--
+ drivers/gpu/drm/exynos/exynos_mixer.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_hdmi.c b/drivers/gpu/drm/exynos/exynos_hdmi.c
+index 10b0036f8a2e..8453359c92e8 100644
+--- a/drivers/gpu/drm/exynos/exynos_hdmi.c
++++ b/drivers/gpu/drm/exynos/exynos_hdmi.c
+@@ -922,8 +922,8 @@ static int hdmi_find_phy_conf(struct hdmi_context *hdata, u32 pixel_clock)
+ return -EINVAL;
+ }
+
+-static int hdmi_mode_valid(struct drm_connector *connector,
+- struct drm_display_mode *mode)
++static enum drm_mode_status hdmi_mode_valid(struct drm_connector *connector,
++ struct drm_display_mode *mode)
+ {
+ struct hdmi_context *hdata = connector_to_hdmi(connector);
+ int ret;
+diff --git a/drivers/gpu/drm/exynos/exynos_mixer.c b/drivers/gpu/drm/exynos/exynos_mixer.c
+index 65260a658684..8d333db813b7 100644
+--- a/drivers/gpu/drm/exynos/exynos_mixer.c
++++ b/drivers/gpu/drm/exynos/exynos_mixer.c
+@@ -1045,7 +1045,7 @@ static void mixer_atomic_disable(struct exynos_drm_crtc *crtc)
+ clear_bit(MXR_BIT_POWERED, &ctx->flags);
+ }
+
+-static int mixer_mode_valid(struct exynos_drm_crtc *crtc,
++static enum drm_mode_status mixer_mode_valid(struct exynos_drm_crtc *crtc,
+ const struct drm_display_mode *mode)
+ {
+ struct mixer_context *ctx = crtc->ctx;
+--
+2.35.1
+
--- /dev/null
+From a01499f4d326b30e5f1b9e78caa7ff217498ed6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Aug 2022 17:42:43 -0700
+Subject: drm: fix drm_mipi_dbi build errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit eb7de496451bd969e203f02f66585131228ba4ae ]
+
+drm_mipi_dbi needs lots of DRM_KMS_HELPER support, so select
+that Kconfig symbol like it is done is most other uses, and
+the way that it was before MIPS_DBI was moved from tinydrm
+to its core location.
+
+Fixes these build errors:
+
+ld: drivers/gpu/drm/drm_mipi_dbi.o: in function `mipi_dbi_buf_copy':
+drivers/gpu/drm/drm_mipi_dbi.c:205: undefined reference to `drm_gem_fb_get_obj'
+ld: drivers/gpu/drm/drm_mipi_dbi.c:211: undefined reference to `drm_gem_fb_begin_cpu_access'
+ld: drivers/gpu/drm/drm_mipi_dbi.c:215: undefined reference to `drm_gem_fb_vmap'
+ld: drivers/gpu/drm/drm_mipi_dbi.c:222: undefined reference to `drm_fb_swab'
+ld: drivers/gpu/drm/drm_mipi_dbi.c:224: undefined reference to `drm_fb_memcpy'
+ld: drivers/gpu/drm/drm_mipi_dbi.c:227: undefined reference to `drm_fb_xrgb8888_to_rgb565'
+ld: drivers/gpu/drm/drm_mipi_dbi.c:235: undefined reference to `drm_gem_fb_vunmap'
+ld: drivers/gpu/drm/drm_mipi_dbi.c:237: undefined reference to `drm_gem_fb_end_cpu_access'
+ld: drivers/gpu/drm/drm_mipi_dbi.o: in function `mipi_dbi_dev_init_with_formats':
+ld: drivers/gpu/drm/drm_mipi_dbi.o:/X64/../drivers/gpu/drm/drm_mipi_dbi.c:469: undefined reference to `drm_gem_fb_create_with_dirty'
+
+Fixes: 174102f4de23 ("drm/tinydrm: Move mipi-dbi")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: Dillon Min <dillon.minfei@gmail.com>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Cc: Noralf Trønnes <noralf@tronnes.org>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Thierry Reding <thierry.reding@gmail.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: David Airlie <airlied@linux.ie>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220823004243.11596-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/Kconfig b/drivers/gpu/drm/Kconfig
+index 6c2256e8474b..679ad054ea4b 100644
+--- a/drivers/gpu/drm/Kconfig
++++ b/drivers/gpu/drm/Kconfig
+@@ -31,6 +31,7 @@ menuconfig DRM
+ config DRM_MIPI_DBI
+ tristate
+ depends on DRM
++ select DRM_KMS_HELPER
+
+ config DRM_MIPI_DSI
+ bool
+--
+2.35.1
+
--- /dev/null
+From 7187781d0039c9ef7cabfe54aed40e8c285af5bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 01:09:13 +0200
+Subject: drm/format-helper: Fix test on big endian architectures
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+[ Upstream commit 18c8485236a5e3f491b670c018ae391c9cb84dfa ]
+
+The tests fail on big endian architectures, like PowerPC:
+
+ $ ./tools/testing/kunit/kunit.py run \
+ --kunitconfig=drivers/gpu/drm/tests \
+ --arch=powerpc --cross_compile=powerpc64-linux-gnu-
+
+Transform the XRGB8888 buffer from little endian to the CPU endian
+before calling the conversion function to avoid this error.
+
+Fixes: 8f456104915f ("drm/format-helper: Add KUnit tests for drm_fb_xrgb8888_to_rgb332()")
+Reported-by: David Gow <davidgow@google.com>
+Reviewed-by: David Gow <davidgow@google.com>
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220726230916.390575-2-jose.exposito89@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/tests/drm_format_helper_test.c | 23 +++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/tests/drm_format_helper_test.c b/drivers/gpu/drm/tests/drm_format_helper_test.c
+index 98583bf56044..eefaba3aaea2 100644
+--- a/drivers/gpu/drm/tests/drm_format_helper_test.c
++++ b/drivers/gpu/drm/tests/drm_format_helper_test.c
+@@ -111,6 +111,21 @@ static size_t conversion_buf_size(u32 dst_format, unsigned int dst_pitch,
+ return dst_pitch * drm_rect_height(clip);
+ }
+
++static u32 *le32buf_to_cpu(struct kunit *test, const u32 *buf, size_t buf_size)
++{
++ u32 *dst = NULL;
++ int n;
++
++ dst = kunit_kzalloc(test, sizeof(*dst) * buf_size, GFP_KERNEL);
++ if (!dst)
++ return NULL;
++
++ for (n = 0; n < buf_size; n++)
++ dst[n] = le32_to_cpu((__force __le32)buf[n]);
++
++ return dst;
++}
++
+ static void xrgb8888_to_rgb332_case_desc(struct xrgb8888_to_rgb332_case *t,
+ char *desc)
+ {
+@@ -125,6 +140,7 @@ static void xrgb8888_to_rgb332_test(struct kunit *test)
+ const struct xrgb8888_to_rgb332_case *params = test->param_value;
+ size_t dst_size;
+ __u8 *dst = NULL;
++ __u32 *src = NULL;
+
+ struct drm_framebuffer fb = {
+ .format = drm_format_info(DRM_FORMAT_XRGB8888),
+@@ -138,8 +154,11 @@ static void xrgb8888_to_rgb332_test(struct kunit *test)
+ dst = kunit_kzalloc(test, dst_size, GFP_KERNEL);
+ KUNIT_ASSERT_NOT_ERR_OR_NULL(test, dst);
+
+- drm_fb_xrgb8888_to_rgb332(dst, params->dst_pitch, params->xrgb8888,
+- &fb, ¶ms->clip);
++ src = le32buf_to_cpu(test, params->xrgb8888, TEST_BUF_SIZE);
++ KUNIT_ASSERT_NOT_ERR_OR_NULL(test, src);
++
++ drm_fb_xrgb8888_to_rgb332(dst, params->dst_pitch, src, &fb,
++ ¶ms->clip);
+ KUNIT_EXPECT_EQ(test, memcmp(dst, params->expected, dst_size), 0);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From a6b1881d3ba0226de2c0c32d47876f27bcf01180 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jun 2022 15:30:49 +0300
+Subject: drm/i915/dg2: Bump up CDCLK for DG2
+
+From: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
+
+[ Upstream commit 859161b952a453b86362f168fadef72a8ba31a05 ]
+
+We seem to need this W/A same way as for TGL, in order
+to fix some of the underruns, which we currently have and
+those not related to PSR.
+
+Signed-off-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
+Reviewed-by: Uma Shankar <uma.shankar@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220614123049.16183-2-stanislav.lisovskiy@intel.com
+Stable-dep-of: 4234ea300512 ("drm/i915/display: avoid warnings when registering dual panel backlight")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_cdclk.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_cdclk.c b/drivers/gpu/drm/i915/display/intel_cdclk.c
+index 6e80162632dd..86a22c3766e5 100644
+--- a/drivers/gpu/drm/i915/display/intel_cdclk.c
++++ b/drivers/gpu/drm/i915/display/intel_cdclk.c
+@@ -2300,7 +2300,7 @@ int intel_crtc_compute_min_cdclk(const struct intel_crtc_state *crtc_state)
+ min_cdclk = max(min_cdclk, (int)crtc_state->pixel_rate);
+
+ /*
+- * HACK. Currently for TGL platforms we calculate
++ * HACK. Currently for TGL/DG2 platforms we calculate
+ * min_cdclk initially based on pixel_rate divided
+ * by 2, accounting for also plane requirements,
+ * however in some cases the lowest possible CDCLK
+@@ -2308,7 +2308,7 @@ int intel_crtc_compute_min_cdclk(const struct intel_crtc_state *crtc_state)
+ * Explicitly stating here that this seems to be currently
+ * rather a Hack, than final solution.
+ */
+- if (IS_TIGERLAKE(dev_priv)) {
++ if (IS_TIGERLAKE(dev_priv) || IS_DG2(dev_priv)) {
+ /*
+ * Clamp to max_cdclk_freq in case pixel rate is higher,
+ * in order not to break an 8K, but still leave W/A at place.
+--
+2.35.1
+
--- /dev/null
+From 299c5a8bbfa2562ba358249b922baa2bcb0e96f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jun 2022 21:39:59 -0700
+Subject: drm/i915/reset: Handle reset timeouts under unrelated kernel hangs
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+[ Upstream commit 1dab4561a341afdbaafe0ce6091106d0c63c79e0 ]
+
+When resuming after hibernate sometimes we see hangs in unrelated kernel
+subsystems. These hangs often result in the following i915 trace:
+
+i915 0000:00:02.0: [drm] *ERROR* \
+ intel_gt_reset_global timed out, cancelling all in-flight rendering
+
+implying our reset task has been starved by the hanging kernel subsystem,
+causing us to inappropiately declare the system as wedged beyond recovery.
+
+The trace would be caused by our synchronize_srcu_expedited() taking more
+than the allowed 5s due to the unrelated kernel hang. But we neither need
+to perform that synchronisation inside the reset watchdog, nor do we need
+such a short timeout before declaring the device as unrecoverable.
+
+v2: Restore watchdog timeout to the previous 5 seconds (Ashutosh)
+
+Bug: https://gitlab.freedesktop.org/drm/intel/-/issues/3575
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
+Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220630043959.5708-1-ashutosh.dixit@intel.com
+Stable-dep-of: 774ce1510e6c ("drm/i915/guc: support v69 in parallel to v70")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_reset.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_reset.c b/drivers/gpu/drm/i915/gt/intel_reset.c
+index c68d36fb5bbd..1211774e1d91 100644
+--- a/drivers/gpu/drm/i915/gt/intel_reset.c
++++ b/drivers/gpu/drm/i915/gt/intel_reset.c
+@@ -1281,9 +1281,6 @@ static void intel_gt_reset_global(struct intel_gt *gt,
+ intel_wedge_on_timeout(&w, gt, 5 * HZ) {
+ intel_display_prepare_reset(gt->i915);
+
+- /* Flush everyone using a resource about to be clobbered */
+- synchronize_srcu_expedited(>->reset.backoff_srcu);
+-
+ intel_gt_reset(gt, engine_mask, reason);
+
+ intel_display_finish_reset(gt->i915);
+@@ -1392,6 +1389,9 @@ void intel_gt_handle_error(struct intel_gt *gt,
+ }
+ }
+
++ /* Flush everyone using a resource about to be clobbered */
++ synchronize_srcu_expedited(>->reset.backoff_srcu);
++
+ intel_gt_reset_global(gt, engine_mask, msg);
+
+ if (!intel_uc_uses_guc_submission(>->uc)) {
+--
+2.35.1
+
--- /dev/null
+From f4ee6bdf7aea8e0ad21c7f936f4d3ce61b59adf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Jul 2022 16:39:21 +0100
+Subject: drm/komeda: Fix handling of atomic commits in the atomic_commit_tail
+ hook
+
+From: Liviu Dudau <liviu.dudau@arm.com>
+
+[ Upstream commit eaa225b6b52233d45457fd33730e1528c604d92d ]
+
+Komeda driver relies on the generic DRM atomic helper functions to handle
+commits. It only implements an atomic_commit_tail hook for the
+mode_config_helper_funcs and even that one is pretty close to the generic
+implementation with the exception of additional dma_fence signalling.
+
+What the generic helper framework doesn't do is waiting for the actual
+hardware to signal that the commit parameters have been written into the
+appropriate registers. As we signal CRTC events only on the irq handlers,
+we need to flush the configuration and wait for the hardware to respond.
+
+Add the Komeda specific implementation for atomic_commit_hw_done() that
+flushes and waits for flip done before calling drm_atomic_helper_commit_hw_done().
+
+The fix was prompted by a patch from Carsten Haitzler where he was trying to
+solve the same issue but in a different way that I think can lead to wrong
+event signaling to userspace.
+
+Reported-by: Carsten Haitzler <carsten.haitzler@arm.com>
+Tested-by: Carsten Haitzler <carsten.haitzler@arm.com>
+Reviewed-by: Carsten Haitzler <carsten.haitzler@arm.com>
+Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220722122139.288486-1-liviu.dudau@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/arm/display/komeda/komeda_crtc.c | 4 ++--
+ .../gpu/drm/arm/display/komeda/komeda_kms.c | 21 ++++++++++++++++++-
+ .../gpu/drm/arm/display/komeda/komeda_kms.h | 2 ++
+ 3 files changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c b/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c
+index 59172acb9738..292f533d8cf0 100644
+--- a/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c
++++ b/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c
+@@ -235,7 +235,7 @@ void komeda_crtc_handle_event(struct komeda_crtc *kcrtc,
+ crtc->state->event = NULL;
+ drm_crtc_send_vblank_event(crtc, event);
+ } else {
+- DRM_WARN("CRTC[%d]: FLIP happen but no pending commit.\n",
++ DRM_WARN("CRTC[%d]: FLIP happened but no pending commit.\n",
+ drm_crtc_index(&kcrtc->base));
+ }
+ spin_unlock_irqrestore(&crtc->dev->event_lock, flags);
+@@ -286,7 +286,7 @@ komeda_crtc_atomic_enable(struct drm_crtc *crtc,
+ komeda_crtc_do_flush(crtc, old);
+ }
+
+-static void
++void
+ komeda_crtc_flush_and_wait_for_flip_done(struct komeda_crtc *kcrtc,
+ struct completion *input_flip_done)
+ {
+diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_kms.c b/drivers/gpu/drm/arm/display/komeda/komeda_kms.c
+index 93b7f09b96ca..327051bba5b6 100644
+--- a/drivers/gpu/drm/arm/display/komeda/komeda_kms.c
++++ b/drivers/gpu/drm/arm/display/komeda/komeda_kms.c
+@@ -69,6 +69,25 @@ static const struct drm_driver komeda_kms_driver = {
+ .minor = 1,
+ };
+
++static void komeda_kms_atomic_commit_hw_done(struct drm_atomic_state *state)
++{
++ struct drm_device *dev = state->dev;
++ struct komeda_kms_dev *kms = to_kdev(dev);
++ int i;
++
++ for (i = 0; i < kms->n_crtcs; i++) {
++ struct komeda_crtc *kcrtc = &kms->crtcs[i];
++
++ if (kcrtc->base.state->active) {
++ struct completion *flip_done = NULL;
++ if (kcrtc->base.state->event)
++ flip_done = kcrtc->base.state->event->base.completion;
++ komeda_crtc_flush_and_wait_for_flip_done(kcrtc, flip_done);
++ }
++ }
++ drm_atomic_helper_commit_hw_done(state);
++}
++
+ static void komeda_kms_commit_tail(struct drm_atomic_state *old_state)
+ {
+ struct drm_device *dev = old_state->dev;
+@@ -81,7 +100,7 @@ static void komeda_kms_commit_tail(struct drm_atomic_state *old_state)
+
+ drm_atomic_helper_commit_modeset_enables(dev, old_state);
+
+- drm_atomic_helper_commit_hw_done(old_state);
++ komeda_kms_atomic_commit_hw_done(old_state);
+
+ drm_atomic_helper_wait_for_flip_done(dev, old_state);
+
+diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_kms.h b/drivers/gpu/drm/arm/display/komeda/komeda_kms.h
+index 7889e380ab23..7339339ef6b8 100644
+--- a/drivers/gpu/drm/arm/display/komeda/komeda_kms.h
++++ b/drivers/gpu/drm/arm/display/komeda/komeda_kms.h
+@@ -183,6 +183,8 @@ void komeda_kms_cleanup_private_objs(struct komeda_kms_dev *kms);
+
+ void komeda_crtc_handle_event(struct komeda_crtc *kcrtc,
+ struct komeda_events *evts);
++void komeda_crtc_flush_and_wait_for_flip_done(struct komeda_crtc *kcrtc,
++ struct completion *input_flip_done);
+
+ struct komeda_kms_dev *komeda_kms_attach(struct komeda_dev *mdev);
+ void komeda_kms_detach(struct komeda_kms_dev *kms);
+--
+2.35.1
+
--- /dev/null
+From 3340f2a267c63305369f1c7e9cde23d84e3fe49e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 02:09:39 +0100
+Subject: drm/meson: explicitly remove aggregate driver at module unload time
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Adrián Larumbe <adrian.larumbe@collabora.com>
+
+[ Upstream commit 8616f2a0589a80e08434212324250eb22f6a66ce ]
+
+Because component_master_del wasn't being called when unloading the
+meson_drm module, the aggregate device would linger forever in the global
+aggregate_devices list. That means when unloading and reloading the
+meson_dw_hdmi module, component_add would call into
+try_to_bring_up_aggregate_device and find the unbound meson_drm aggregate
+device.
+
+This would in turn dereference some of the aggregate_device's struct
+entries which point to memory automatically freed by the devres API when
+unbinding the aggregate device from meson_drv_unbind, and trigger an
+use-after-free bug:
+
+[ +0.000014] =============================================================
+[ +0.000007] BUG: KASAN: use-after-free in find_components+0x468/0x500
+[ +0.000017] Read of size 8 at addr ffff000006731688 by task modprobe/2536
+[ +0.000018] CPU: 4 PID: 2536 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1
+[ +0.000010] Hardware name: Hardkernel ODROID-N2Plus (DT)
+[ +0.000008] Call trace:
+[ +0.000005] dump_backtrace+0x1ec/0x280
+[ +0.000011] show_stack+0x24/0x80
+[ +0.000007] dump_stack_lvl+0x98/0xd4
+[ +0.000010] print_address_description.constprop.0+0x80/0x520
+[ +0.000011] print_report+0x128/0x260
+[ +0.000007] kasan_report+0xb8/0xfc
+[ +0.000007] __asan_report_load8_noabort+0x3c/0x50
+[ +0.000009] find_components+0x468/0x500
+[ +0.000008] try_to_bring_up_aggregate_device+0x64/0x390
+[ +0.000009] __component_add+0x1dc/0x49c
+[ +0.000009] component_add+0x20/0x30
+[ +0.000008] meson_dw_hdmi_probe+0x28/0x34 [meson_dw_hdmi]
+[ +0.000013] platform_probe+0xd0/0x220
+[ +0.000008] really_probe+0x3ac/0xa80
+[ +0.000008] __driver_probe_device+0x1f8/0x400
+[ +0.000008] driver_probe_device+0x68/0x1b0
+[ +0.000008] __driver_attach+0x20c/0x480
+[ +0.000009] bus_for_each_dev+0x114/0x1b0
+[ +0.000007] driver_attach+0x48/0x64
+[ +0.000009] bus_add_driver+0x390/0x564
+[ +0.000007] driver_register+0x1a8/0x3e4
+[ +0.000009] __platform_driver_register+0x6c/0x94
+[ +0.000007] meson_dw_hdmi_platform_driver_init+0x30/0x1000 [meson_dw_hdmi]
+[ +0.000014] do_one_initcall+0xc4/0x2b0
+[ +0.000008] do_init_module+0x154/0x570
+[ +0.000010] load_module+0x1a78/0x1ea4
+[ +0.000008] __do_sys_init_module+0x184/0x1cc
+[ +0.000008] __arm64_sys_init_module+0x78/0xb0
+[ +0.000008] invoke_syscall+0x74/0x260
+[ +0.000008] el0_svc_common.constprop.0+0xcc/0x260
+[ +0.000009] do_el0_svc+0x50/0x70
+[ +0.000008] el0_svc+0x68/0x1a0
+[ +0.000009] el0t_64_sync_handler+0x11c/0x150
+[ +0.000009] el0t_64_sync+0x18c/0x190
+
+[ +0.000014] Allocated by task 902:
+[ +0.000007] kasan_save_stack+0x2c/0x5c
+[ +0.000009] __kasan_kmalloc+0x90/0xd0
+[ +0.000007] __kmalloc_node+0x240/0x580
+[ +0.000010] memcg_alloc_slab_cgroups+0xa4/0x1ac
+[ +0.000010] memcg_slab_post_alloc_hook+0xbc/0x4c0
+[ +0.000008] kmem_cache_alloc_node+0x1d0/0x490
+[ +0.000009] __alloc_skb+0x1d4/0x310
+[ +0.000010] alloc_skb_with_frags+0x8c/0x620
+[ +0.000008] sock_alloc_send_pskb+0x5ac/0x6d0
+[ +0.000010] unix_dgram_sendmsg+0x2e0/0x12f0
+[ +0.000010] sock_sendmsg+0xcc/0x110
+[ +0.000007] sock_write_iter+0x1d0/0x304
+[ +0.000008] new_sync_write+0x364/0x460
+[ +0.000007] vfs_write+0x420/0x5ac
+[ +0.000008] ksys_write+0x19c/0x1f0
+[ +0.000008] __arm64_sys_write+0x78/0xb0
+[ +0.000007] invoke_syscall+0x74/0x260
+[ +0.000008] el0_svc_common.constprop.0+0x1a8/0x260
+[ +0.000009] do_el0_svc+0x50/0x70
+[ +0.000007] el0_svc+0x68/0x1a0
+[ +0.000008] el0t_64_sync_handler+0x11c/0x150
+[ +0.000008] el0t_64_sync+0x18c/0x190
+
+[ +0.000013] Freed by task 2509:
+[ +0.000008] kasan_save_stack+0x2c/0x5c
+[ +0.000007] kasan_set_track+0x2c/0x40
+[ +0.000008] kasan_set_free_info+0x28/0x50
+[ +0.000008] ____kasan_slab_free+0x128/0x1d4
+[ +0.000008] __kasan_slab_free+0x18/0x24
+[ +0.000007] slab_free_freelist_hook+0x108/0x230
+[ +0.000010] kfree+0x110/0x35c
+[ +0.000008] release_nodes+0xf0/0x16c
+[ +0.000008] devres_release_all+0xfc/0x180
+[ +0.000008] device_unbind_cleanup+0x24/0x164
+[ +0.000008] device_release_driver_internal+0x3e8/0x5b0
+[ +0.000010] driver_detach+0xac/0x1b0
+[ +0.000008] bus_remove_driver+0x158/0x29c
+[ +0.000008] driver_unregister+0x70/0xb0
+[ +0.000009] platform_driver_unregister+0x20/0x2c
+[ +0.000007] 0xffff800003722d98
+[ +0.000012] __do_sys_delete_module+0x288/0x400
+[ +0.000009] __arm64_sys_delete_module+0x5c/0x80
+[ +0.000008] invoke_syscall+0x74/0x260
+[ +0.000008] el0_svc_common.constprop.0+0xcc/0x260
+[ +0.000008] do_el0_svc+0x50/0x70
+[ +0.000007] el0_svc+0x68/0x1a0
+[ +0.000008] el0t_64_sync_handler+0x11c/0x150
+[ +0.000009] el0t_64_sync+0x18c/0x190
+
+[ +0.000013] Last potentially related work creation:
+[ +0.000007] kasan_save_stack+0x2c/0x5c
+[ +0.000007] __kasan_record_aux_stack+0xb8/0xf0
+[ +0.000009] kasan_record_aux_stack_noalloc+0x14/0x20
+[ +0.000008] insert_work+0x54/0x290
+[ +0.000009] __queue_work+0x48c/0xd24
+[ +0.000008] queue_work_on+0x90/0x11c
+[ +0.000008] call_usermodehelper_exec+0x188/0x404
+[ +0.000010] kobject_uevent_env+0x5a8/0x794
+[ +0.000010] kobject_uevent+0x14/0x20
+[ +0.000008] driver_register+0x230/0x3e4
+[ +0.000009] __platform_driver_register+0x6c/0x94
+[ +0.000007] gxbb_driver_init+0x28/0x34
+[ +0.000010] do_one_initcall+0xc4/0x2b0
+[ +0.000008] do_initcalls+0x20c/0x24c
+[ +0.000010] kernel_init_freeable+0x22c/0x278
+[ +0.000009] kernel_init+0x3c/0x170
+[ +0.000008] ret_from_fork+0x10/0x20
+
+[ +0.000013] The buggy address belongs to the object at ffff000006731600
+ which belongs to the cache kmalloc-256 of size 256
+[ +0.000009] The buggy address is located 136 bytes inside of
+ 256-byte region [ffff000006731600, ffff000006731700)
+
+[ +0.000015] The buggy address belongs to the physical page:
+[ +0.000008] page:fffffc000019cc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff000006730a00 pfn:0x6730
+[ +0.000011] head:fffffc000019cc00 order:2 compound_mapcount:0 compound_pincount:0
+[ +0.000008] flags: 0xffff00000010200(slab|head|node=0|zone=0|lastcpupid=0xffff)
+[ +0.000016] raw: 0ffff00000010200 fffffc00000c3d08 fffffc0000ef2b08 ffff000000002680
+[ +0.000009] raw: ffff000006730a00 0000000000150014 00000001ffffffff 0000000000000000
+[ +0.000006] page dumped because: kasan: bad access detected
+
+[ +0.000011] Memory state around the buggy address:
+[ +0.000007] ffff000006731580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ +0.000007] ffff000006731600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000007] >ffff000006731680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000007] ^
+[ +0.000006] ffff000006731700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ +0.000007] ffff000006731780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ +0.000006] ==================================================================
+
+Fix by adding 'remove' driver callback for meson-drm, and explicitly deleting the
+aggregate device.
+
+Signed-off-by: Adrián Larumbe <adrian.larumbe@collabora.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220919010940.419893-3-adrian.larumbe@collabora.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_drv.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c
+index 7df149d42728..8444d90165fb 100644
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -493,6 +493,13 @@ static int meson_drv_probe(struct platform_device *pdev)
+ return 0;
+ };
+
++static int meson_drv_remove(struct platform_device *pdev)
++{
++ component_master_del(&pdev->dev, &meson_drv_master_ops);
++
++ return 0;
++}
++
+ static struct meson_drm_match_data meson_drm_gxbb_data = {
+ .compat = VPU_COMPATIBLE_GXBB,
+ };
+@@ -530,6 +537,7 @@ static const struct dev_pm_ops meson_drv_pm_ops = {
+
+ static struct platform_driver meson_drm_platform_driver = {
+ .probe = meson_drv_probe,
++ .remove = meson_drv_remove,
+ .shutdown = meson_drv_shutdown,
+ .driver = {
+ .name = "meson-drm",
+--
+2.35.1
+
--- /dev/null
+From e015d3e3f260c25f279c470c7d14d428b9dd2f8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 23:28:42 +0100
+Subject: drm/meson: remove drm bridges at aggregate driver unbind time
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Adrián Larumbe <adrian.larumbe@collabora.com>
+
+[ Upstream commit 09847723c12fc2753749cec3939a02ee92dac468 ]
+
+drm bridges added by meson_encoder_hdmi_init and meson_encoder_cvbs_init
+were not manually removed at module unload time, which caused dangling
+references to freed memory to remain linked in the global bridge_list.
+
+When loading the driver modules back in, the same functions would again
+call drm_bridge_add, and when traversing the global bridge_list, would
+end up peeking into freed memory.
+
+Once again KASAN revealed the problem:
+
+[ +0.000095] =============================================================
+[ +0.000008] BUG: KASAN: use-after-free in __list_add_valid+0x9c/0x120
+[ +0.000018] Read of size 8 at addr ffff00003da291f0 by task modprobe/2483
+
+[ +0.000018] CPU: 3 PID: 2483 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1
+[ +0.000011] Hardware name: Hardkernel ODROID-N2Plus (DT)
+[ +0.000008] Call trace:
+[ +0.000006] dump_backtrace+0x1ec/0x280
+[ +0.000012] show_stack+0x24/0x80
+[ +0.000008] dump_stack_lvl+0x98/0xd4
+[ +0.000011] print_address_description.constprop.0+0x80/0x520
+[ +0.000011] print_report+0x128/0x260
+[ +0.000008] kasan_report+0xb8/0xfc
+[ +0.000008] __asan_report_load8_noabort+0x3c/0x50
+[ +0.000009] __list_add_valid+0x9c/0x120
+[ +0.000009] drm_bridge_add+0x6c/0x104 [drm]
+[ +0.000165] dw_hdmi_probe+0x1900/0x2360 [dw_hdmi]
+[ +0.000022] meson_dw_hdmi_bind+0x520/0x814 [meson_dw_hdmi]
+[ +0.000014] component_bind+0x174/0x520
+[ +0.000012] component_bind_all+0x1a8/0x38c
+[ +0.000010] meson_drv_bind_master+0x5e8/0xb74 [meson_drm]
+[ +0.000032] meson_drv_bind+0x20/0x2c [meson_drm]
+[ +0.000027] try_to_bring_up_aggregate_device+0x19c/0x390
+[ +0.000010] component_master_add_with_match+0x1c8/0x284
+[ +0.000009] meson_drv_probe+0x274/0x280 [meson_drm]
+[ +0.000026] platform_probe+0xd0/0x220
+[ +0.000009] really_probe+0x3ac/0xa80
+[ +0.000009] __driver_probe_device+0x1f8/0x400
+[ +0.000009] driver_probe_device+0x68/0x1b0
+[ +0.000009] __driver_attach+0x20c/0x480
+[ +0.000008] bus_for_each_dev+0x114/0x1b0
+[ +0.000009] driver_attach+0x48/0x64
+[ +0.000008] bus_add_driver+0x390/0x564
+[ +0.000009] driver_register+0x1a8/0x3e4
+[ +0.000009] __platform_driver_register+0x6c/0x94
+[ +0.000008] meson_drm_platform_driver_init+0x3c/0x1000 [meson_drm]
+[ +0.000027] do_one_initcall+0xc4/0x2b0
+[ +0.000011] do_init_module+0x154/0x570
+[ +0.000011] load_module+0x1a78/0x1ea4
+[ +0.000008] __do_sys_init_module+0x184/0x1cc
+[ +0.000009] __arm64_sys_init_module+0x78/0xb0
+[ +0.000009] invoke_syscall+0x74/0x260
+[ +0.000009] el0_svc_common.constprop.0+0xcc/0x260
+[ +0.000008] do_el0_svc+0x50/0x70
+[ +0.000007] el0_svc+0x68/0x1a0
+[ +0.000012] el0t_64_sync_handler+0x11c/0x150
+[ +0.000008] el0t_64_sync+0x18c/0x190
+
+[ +0.000016] Allocated by task 879:
+[ +0.000008] kasan_save_stack+0x2c/0x5c
+[ +0.000011] __kasan_kmalloc+0x90/0xd0
+[ +0.000007] __kmalloc+0x278/0x4a0
+[ +0.000011] mpi_resize+0x13c/0x1d0
+[ +0.000011] mpi_powm+0xd24/0x1570
+[ +0.000009] rsa_enc+0x1a4/0x30c
+[ +0.000009] pkcs1pad_verify+0x3f0/0x580
+[ +0.000009] public_key_verify_signature+0x7a8/0xba4
+[ +0.000010] public_key_verify_signature_2+0x40/0x60
+[ +0.000008] verify_signature+0xb4/0x114
+[ +0.000008] pkcs7_validate_trust_one.constprop.0+0x3b8/0x574
+[ +0.000009] pkcs7_validate_trust+0xb8/0x15c
+[ +0.000008] verify_pkcs7_message_sig+0xec/0x1b0
+[ +0.000012] verify_pkcs7_signature+0x78/0xac
+[ +0.000007] mod_verify_sig+0x110/0x190
+[ +0.000009] module_sig_check+0x114/0x1e0
+[ +0.000009] load_module+0xa0/0x1ea4
+[ +0.000008] __do_sys_init_module+0x184/0x1cc
+[ +0.000008] __arm64_sys_init_module+0x78/0xb0
+[ +0.000008] invoke_syscall+0x74/0x260
+[ +0.000009] el0_svc_common.constprop.0+0x1a8/0x260
+[ +0.000008] do_el0_svc+0x50/0x70
+[ +0.000007] el0_svc+0x68/0x1a0
+[ +0.000009] el0t_64_sync_handler+0x11c/0x150
+[ +0.000009] el0t_64_sync+0x18c/0x190
+
+[ +0.000013] Freed by task 2422:
+[ +0.000008] kasan_save_stack+0x2c/0x5c
+[ +0.000009] kasan_set_track+0x2c/0x40
+[ +0.000007] kasan_set_free_info+0x28/0x50
+[ +0.000009] ____kasan_slab_free+0x128/0x1d4
+[ +0.000008] __kasan_slab_free+0x18/0x24
+[ +0.000007] slab_free_freelist_hook+0x108/0x230
+[ +0.000010] kfree+0x110/0x35c
+[ +0.000008] release_nodes+0xf0/0x16c
+[ +0.000009] devres_release_group+0x180/0x270
+[ +0.000008] take_down_aggregate_device+0xcc/0x160
+[ +0.000010] component_del+0x18c/0x360
+[ +0.000009] meson_dw_hdmi_remove+0x28/0x40 [meson_dw_hdmi]
+[ +0.000013] platform_remove+0x64/0xb0
+[ +0.000008] device_remove+0xb8/0x154
+[ +0.000009] device_release_driver_internal+0x398/0x5b0
+[ +0.000009] driver_detach+0xac/0x1b0
+[ +0.000009] bus_remove_driver+0x158/0x29c
+[ +0.000008] driver_unregister+0x70/0xb0
+[ +0.000009] platform_driver_unregister+0x20/0x2c
+[ +0.000007] meson_dw_hdmi_platform_driver_exit+0x1c/0x30 [meson_dw_hdmi]
+[ +0.000012] __do_sys_delete_module+0x288/0x400
+[ +0.000009] __arm64_sys_delete_module+0x5c/0x80
+[ +0.000009] invoke_syscall+0x74/0x260
+[ +0.000008] el0_svc_common.constprop.0+0xcc/0x260
+[ +0.000008] do_el0_svc+0x50/0x70
+[ +0.000007] el0_svc+0x68/0x1a0
+[ +0.000008] el0t_64_sync_handler+0x11c/0x150
+[ +0.000009] el0t_64_sync+0x18c/0x190
+
+[ +0.000013] The buggy address belongs to the object at ffff00003da29000
+ which belongs to the cache kmalloc-1k of size 1024
+[ +0.000008] The buggy address is located 496 bytes inside of
+ 1024-byte region [ffff00003da29000, ffff00003da29400)
+
+[ +0.000015] The buggy address belongs to the physical page:
+[ +0.000009] page:fffffc0000f68a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3da28
+[ +0.000012] head:fffffc0000f68a00 order:3 compound_mapcount:0 compound_pincount:0
+[ +0.000009] flags: 0xffff00000010200(slab|head|node=0|zone=0|lastcpupid=0xffff)
+[ +0.000019] raw: 0ffff00000010200 fffffc0000eb5c08 fffffc0000d96608 ffff000000002a80
+[ +0.000008] raw: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000
+[ +0.000008] page dumped because: kasan: bad access detected
+
+[ +0.000011] Memory state around the buggy address:
+[ +0.000009] ffff00003da29080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000007] ffff00003da29100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000007] >ffff00003da29180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000007] ^
+[ +0.000008] ffff00003da29200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000006] ffff00003da29280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000007] ==================================================================
+
+Fix by keeping track of which encoders were initialised in the meson_drm
+structure and manually removing their bridges at aggregate driver's unbind
+time.
+
+Signed-off-by: Adrián Larumbe <adrian.larumbe@collabora.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220920222842.1053234-1-adrian.larumbe@collabora.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_drv.c | 4 ++++
+ drivers/gpu/drm/meson/meson_drv.h | 7 +++++++
+ drivers/gpu/drm/meson/meson_encoder_cvbs.c | 13 +++++++++++++
+ drivers/gpu/drm/meson/meson_encoder_cvbs.h | 1 +
+ drivers/gpu/drm/meson/meson_encoder_hdmi.c | 13 +++++++++++++
+ drivers/gpu/drm/meson/meson_encoder_hdmi.h | 1 +
+ 6 files changed, 39 insertions(+)
+
+diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c
+index 8444d90165fb..86b90d0f5780 100644
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -390,6 +390,10 @@ static void meson_drv_unbind(struct device *dev)
+ drm_atomic_helper_shutdown(drm);
+ free_irq(priv->vsync_irq, drm);
+ drm_dev_put(drm);
++
++ meson_encoder_hdmi_remove(priv);
++ meson_encoder_cvbs_remove(priv);
++
+ component_unbind_all(dev, drm);
+
+ if (priv->afbcd.ops)
+diff --git a/drivers/gpu/drm/meson/meson_drv.h b/drivers/gpu/drm/meson/meson_drv.h
+index 177dac3ca3be..c62ee358456f 100644
+--- a/drivers/gpu/drm/meson/meson_drv.h
++++ b/drivers/gpu/drm/meson/meson_drv.h
+@@ -25,6 +25,12 @@ enum vpu_compatible {
+ VPU_COMPATIBLE_G12A = 3,
+ };
+
++enum {
++ MESON_ENC_CVBS = 0,
++ MESON_ENC_HDMI,
++ MESON_ENC_LAST,
++};
++
+ struct meson_drm_match_data {
+ enum vpu_compatible compat;
+ struct meson_afbcd_ops *afbcd_ops;
+@@ -51,6 +57,7 @@ struct meson_drm {
+ struct drm_crtc *crtc;
+ struct drm_plane *primary_plane;
+ struct drm_plane *overlay_plane;
++ void *encoders[MESON_ENC_LAST];
+
+ const struct meson_drm_soc_limits *limits;
+
+diff --git a/drivers/gpu/drm/meson/meson_encoder_cvbs.c b/drivers/gpu/drm/meson/meson_encoder_cvbs.c
+index 8110a6e39320..5675bc2a92cf 100644
+--- a/drivers/gpu/drm/meson/meson_encoder_cvbs.c
++++ b/drivers/gpu/drm/meson/meson_encoder_cvbs.c
+@@ -281,5 +281,18 @@ int meson_encoder_cvbs_init(struct meson_drm *priv)
+ }
+ drm_connector_attach_encoder(connector, &meson_encoder_cvbs->encoder);
+
++ priv->encoders[MESON_ENC_CVBS] = meson_encoder_cvbs;
++
+ return 0;
+ }
++
++void meson_encoder_cvbs_remove(struct meson_drm *priv)
++{
++ struct meson_encoder_cvbs *meson_encoder_cvbs;
++
++ if (priv->encoders[MESON_ENC_CVBS]) {
++ meson_encoder_cvbs = priv->encoders[MESON_ENC_CVBS];
++ drm_bridge_remove(&meson_encoder_cvbs->bridge);
++ drm_bridge_remove(meson_encoder_cvbs->next_bridge);
++ }
++}
+diff --git a/drivers/gpu/drm/meson/meson_encoder_cvbs.h b/drivers/gpu/drm/meson/meson_encoder_cvbs.h
+index 61d9d183ce7f..09710fec3c66 100644
+--- a/drivers/gpu/drm/meson/meson_encoder_cvbs.h
++++ b/drivers/gpu/drm/meson/meson_encoder_cvbs.h
+@@ -25,5 +25,6 @@ struct meson_cvbs_mode {
+ extern struct meson_cvbs_mode meson_cvbs_modes[MESON_CVBS_MODES_COUNT];
+
+ int meson_encoder_cvbs_init(struct meson_drm *priv);
++void meson_encoder_cvbs_remove(struct meson_drm *priv);
+
+ #endif /* __MESON_VENC_CVBS_H */
+diff --git a/drivers/gpu/drm/meson/meson_encoder_hdmi.c b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
+index 2f616c55c271..53231bfdf7e2 100644
+--- a/drivers/gpu/drm/meson/meson_encoder_hdmi.c
++++ b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
+@@ -452,6 +452,8 @@ int meson_encoder_hdmi_init(struct meson_drm *priv)
+ meson_encoder_hdmi->cec_notifier = notifier;
+ }
+
++ priv->encoders[MESON_ENC_HDMI] = meson_encoder_hdmi;
++
+ dev_dbg(priv->dev, "HDMI encoder initialized\n");
+
+ return 0;
+@@ -460,3 +462,14 @@ int meson_encoder_hdmi_init(struct meson_drm *priv)
+ of_node_put(remote);
+ return ret;
+ }
++
++void meson_encoder_hdmi_remove(struct meson_drm *priv)
++{
++ struct meson_encoder_hdmi *meson_encoder_hdmi;
++
++ if (priv->encoders[MESON_ENC_HDMI]) {
++ meson_encoder_hdmi = priv->encoders[MESON_ENC_HDMI];
++ drm_bridge_remove(&meson_encoder_hdmi->bridge);
++ drm_bridge_remove(meson_encoder_hdmi->next_bridge);
++ }
++}
+diff --git a/drivers/gpu/drm/meson/meson_encoder_hdmi.h b/drivers/gpu/drm/meson/meson_encoder_hdmi.h
+index ed19494f0956..a6cd38eb5f71 100644
+--- a/drivers/gpu/drm/meson/meson_encoder_hdmi.h
++++ b/drivers/gpu/drm/meson/meson_encoder_hdmi.h
+@@ -8,5 +8,6 @@
+ #define __MESON_ENCODER_HDMI_H
+
+ int meson_encoder_hdmi_init(struct meson_drm *priv);
++void meson_encoder_hdmi_remove(struct meson_drm *priv);
+
+ #endif /* __MESON_ENCODER_HDMI_H */
+--
+2.35.1
+
--- /dev/null
+From 6938499455a4ead01952db94cb3ced27c6b9f674 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 02:09:38 +0100
+Subject: drm/meson: reorder driver deinit sequence to fix use-after-free bug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Adrián Larumbe <adrian.larumbe@collabora.com>
+
+[ Upstream commit 31c519981eb141c7ec39bfd5be25d35f02edb868 ]
+
+Unloading the driver triggers the following KASAN warning:
+
+[ +0.006275] =============================================================
+[ +0.000029] BUG: KASAN: use-after-free in __list_del_entry_valid+0xe0/0x1a0
+[ +0.000026] Read of size 8 at addr ffff000020c395e0 by task rmmod/2695
+
+[ +0.000019] CPU: 5 PID: 2695 Comm: rmmod Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1
+[ +0.000013] Hardware name: Hardkernel ODROID-N2Plus (DT)
+[ +0.000008] Call trace:
+[ +0.000007] dump_backtrace+0x1ec/0x280
+[ +0.000013] show_stack+0x24/0x80
+[ +0.000008] dump_stack_lvl+0x98/0xd4
+[ +0.000011] print_address_description.constprop.0+0x80/0x520
+[ +0.000011] print_report+0x128/0x260
+[ +0.000007] kasan_report+0xb8/0xfc
+[ +0.000008] __asan_report_load8_noabort+0x3c/0x50
+[ +0.000010] __list_del_entry_valid+0xe0/0x1a0
+[ +0.000009] drm_atomic_private_obj_fini+0x30/0x200 [drm]
+[ +0.000172] drm_bridge_detach+0x94/0x260 [drm]
+[ +0.000145] drm_encoder_cleanup+0xa4/0x290 [drm]
+[ +0.000144] drm_mode_config_cleanup+0x118/0x740 [drm]
+[ +0.000143] drm_mode_config_init_release+0x1c/0x2c [drm]
+[ +0.000144] drm_managed_release+0x170/0x414 [drm]
+[ +0.000142] drm_dev_put.part.0+0xc0/0x124 [drm]
+[ +0.000143] drm_dev_put+0x20/0x30 [drm]
+[ +0.000142] meson_drv_unbind+0x1d8/0x2ac [meson_drm]
+[ +0.000028] take_down_aggregate_device+0xb0/0x160
+[ +0.000016] component_del+0x18c/0x360
+[ +0.000009] meson_dw_hdmi_remove+0x28/0x40 [meson_dw_hdmi]
+[ +0.000015] platform_remove+0x64/0xb0
+[ +0.000009] device_remove+0xb8/0x154
+[ +0.000009] device_release_driver_internal+0x398/0x5b0
+[ +0.000009] driver_detach+0xac/0x1b0
+[ +0.000009] bus_remove_driver+0x158/0x29c
+[ +0.000009] driver_unregister+0x70/0xb0
+[ +0.000008] platform_driver_unregister+0x20/0x2c
+[ +0.000008] meson_dw_hdmi_platform_driver_exit+0x1c/0x30 [meson_dw_hdmi]
+[ +0.000012] __do_sys_delete_module+0x288/0x400
+[ +0.000011] __arm64_sys_delete_module+0x5c/0x80
+[ +0.000009] invoke_syscall+0x74/0x260
+[ +0.000009] el0_svc_common.constprop.0+0xcc/0x260
+[ +0.000009] do_el0_svc+0x50/0x70
+[ +0.000007] el0_svc+0x68/0x1a0
+[ +0.000012] el0t_64_sync_handler+0x11c/0x150
+[ +0.000008] el0t_64_sync+0x18c/0x190
+
+[ +0.000018] Allocated by task 0:
+[ +0.000007] (stack is not available)
+
+[ +0.000011] Freed by task 2695:
+[ +0.000008] kasan_save_stack+0x2c/0x5c
+[ +0.000011] kasan_set_track+0x2c/0x40
+[ +0.000008] kasan_set_free_info+0x28/0x50
+[ +0.000009] ____kasan_slab_free+0x128/0x1d4
+[ +0.000008] __kasan_slab_free+0x18/0x24
+[ +0.000007] slab_free_freelist_hook+0x108/0x230
+[ +0.000011] kfree+0x110/0x35c
+[ +0.000008] release_nodes+0xf0/0x16c
+[ +0.000009] devres_release_group+0x180/0x270
+[ +0.000008] component_unbind+0x128/0x1e0
+[ +0.000010] component_unbind_all+0x1b8/0x264
+[ +0.000009] meson_drv_unbind+0x1a0/0x2ac [meson_drm]
+[ +0.000025] take_down_aggregate_device+0xb0/0x160
+[ +0.000009] component_del+0x18c/0x360
+[ +0.000009] meson_dw_hdmi_remove+0x28/0x40 [meson_dw_hdmi]
+[ +0.000012] platform_remove+0x64/0xb0
+[ +0.000008] device_remove+0xb8/0x154
+[ +0.000009] device_release_driver_internal+0x398/0x5b0
+[ +0.000009] driver_detach+0xac/0x1b0
+[ +0.000009] bus_remove_driver+0x158/0x29c
+[ +0.000008] driver_unregister+0x70/0xb0
+[ +0.000008] platform_driver_unregister+0x20/0x2c
+[ +0.000008] meson_dw_hdmi_platform_driver_exit+0x1c/0x30 [meson_dw_hdmi]
+[ +0.000011] __do_sys_delete_module+0x288/0x400
+[ +0.000010] __arm64_sys_delete_module+0x5c/0x80
+[ +0.000008] invoke_syscall+0x74/0x260
+[ +0.000008] el0_svc_common.constprop.0+0xcc/0x260
+[ +0.000008] do_el0_svc+0x50/0x70
+[ +0.000007] el0_svc+0x68/0x1a0
+[ +0.000009] el0t_64_sync_handler+0x11c/0x150
+[ +0.000009] el0t_64_sync+0x18c/0x190
+
+[ +0.000014] The buggy address belongs to the object at ffff000020c39000
+ which belongs to the cache kmalloc-4k of size 4096
+[ +0.000008] The buggy address is located 1504 bytes inside of
+ 4096-byte region [ffff000020c39000, ffff000020c3a000)
+
+[ +0.000016] The buggy address belongs to the physical page:
+[ +0.000009] page:fffffc0000830e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20c38
+[ +0.000013] head:fffffc0000830e00 order:3 compound_mapcount:0 compound_pincount:0
+[ +0.000008] flags: 0xffff00000010200(slab|head|node=0|zone=0|lastcpupid=0xffff)
+[ +0.000019] raw: 0ffff00000010200 fffffc0000fd4808 fffffc0000126208 ffff000000002e80
+[ +0.000009] raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000
+[ +0.000008] page dumped because: kasan: bad access detected
+
+[ +0.000011] Memory state around the buggy address:
+[ +0.000008] ffff000020c39480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000007] ffff000020c39500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000007] >ffff000020c39580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000007] ^
+[ +0.000007] ffff000020c39600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000007] ffff000020c39680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ +0.000006] ==================================================================
+
+The reason this is happening is unloading meson-dw-hdmi will cause the
+component API to take down the aggregate device, which in turn will cause
+all devres-managed memory to be freed, including the struct dw_hdmi
+allocated in dw_hdmi_probe. This struct embeds a struct drm_bridge that is
+added at the end of the function, and which is later on picked up in
+meson_encoder_hdmi_init.
+
+However, when attaching the bridge to the encoder created in
+meson_encoder_hdmi_init, it's linked to the encoder's bridge chain, from
+where it never leaves, even after devres_release_group is called when the
+driver's components are unbound and the embedding structure freed.
+
+Then, when calling drm_dev_put in the aggregate driver's unbind function,
+drm_bridge_detach is called for every single bridge linked to the encoder,
+including the one whose memory had already been deallocated.
+
+Fix by calling component_unbind_all after drm_dev_put.
+
+Signed-off-by: Adrián Larumbe <adrian.larumbe@collabora.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220919010940.419893-2-adrian.larumbe@collabora.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c
+index bd4ca11d3ff5..7df149d42728 100644
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -388,9 +388,9 @@ static void meson_drv_unbind(struct device *dev)
+ drm_dev_unregister(drm);
+ drm_kms_helper_poll_fini(drm);
+ drm_atomic_helper_shutdown(drm);
+- component_unbind_all(dev, drm);
+ free_irq(priv->vsync_irq, drm);
+ drm_dev_put(drm);
++ component_unbind_all(dev, drm);
+
+ if (priv->afbcd.ops)
+ priv->afbcd.ops->exit(priv);
+--
+2.35.1
+
--- /dev/null
+From 119c5afc9ce12d6e444ed8a3d3ea57a745e502e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jul 2022 19:38:31 +0200
+Subject: drm/mipi-dsi: Detach devices when removing the host
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 668a8f17b5290d04ef7343636a5588a0692731a1 ]
+
+Whenever the MIPI-DSI host is unregistered, the code of
+mipi_dsi_host_unregister() loops over every device currently found on that
+bus and will unregister it.
+
+However, it doesn't detach it from the bus first, which leads to all kind
+of resource leaks if the host wants to perform some clean up whenever a
+device is detached.
+
+Fixes: 068a00233969 ("drm: Add MIPI DSI bus support")
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://lore.kernel.org/r/20220711173939.1132294-2-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_mipi_dsi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c
+index c40bde96cfdf..c317ee9fa445 100644
+--- a/drivers/gpu/drm/drm_mipi_dsi.c
++++ b/drivers/gpu/drm/drm_mipi_dsi.c
+@@ -346,6 +346,7 @@ static int mipi_dsi_remove_device_fn(struct device *dev, void *priv)
+ {
+ struct mipi_dsi_device *dsi = to_mipi_dsi_device(dev);
+
++ mipi_dsi_detach(dsi);
+ mipi_dsi_device_unregister(dsi);
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From acecbd0649bb04af72c6df2fdbc89b38c25883b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Aug 2022 13:15:50 -0700
+Subject: drm/msm/dp: correct 1.62G link rate at dp_catalog_ctrl_config_msa()
+
+From: Kuogee Hsieh <quic_khsieh@quicinc.com>
+
+[ Upstream commit aa0bff10af1c4b92e6b56e3e1b7f81c660d3ba78 ]
+
+At current implementation there is an extra 0 at 1.62G link rate which
+cause no correct pixel_div selected for 1.62G link rate to calculate
+mvid and nvid. This patch delete the extra 0 to have mvid and nvid be
+calculated correctly.
+
+Changes in v2:
+-- fix Fixes tag's text
+
+Changes in v3:
+-- fix misspelling of "Reviewed-by"
+
+Fixes: 937f941ca06f ("drm/msm/dp: Use qmp phy for DP PLL and PHY")
+Signed-off-by: Kuogee Hsieh <quic_khsieh@quicinc.com>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/499328/
+Link: https://lore.kernel.org/r/1661372150-3764-1-git-send-email-quic_khsieh@quicinc.com
+[DB: rewrapped commit message]
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dp/dp_catalog.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dp/dp_catalog.c b/drivers/gpu/drm/msm/dp/dp_catalog.c
+index 7257515871a9..676279d0ca8d 100644
+--- a/drivers/gpu/drm/msm/dp/dp_catalog.c
++++ b/drivers/gpu/drm/msm/dp/dp_catalog.c
+@@ -431,7 +431,7 @@ void dp_catalog_ctrl_config_msa(struct dp_catalog *dp_catalog,
+
+ if (rate == link_rate_hbr3)
+ pixel_div = 6;
+- else if (rate == 1620000 || rate == 270000)
++ else if (rate == 162000 || rate == 270000)
+ pixel_div = 2;
+ else if (rate == link_rate_hbr2)
+ pixel_div = 4;
+--
+2.35.1
+
--- /dev/null
+From 08ea5e28186601f9a739dd5927eeecd7174a2d39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jun 2022 15:57:01 +0300
+Subject: drm/msm/dpu: index dpu_kms->hw_vbif using vbif_idx
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 7538f80ae0d98bf51eb89eee5344aec219902d42 ]
+
+Remove loops over hw_vbif. Instead always VBIF's idx as an index in the
+array. This fixes an error in dpu_kms_hw_init(), where we fill
+dpu_kms->hw_vbif[i], but check for an error pointer at
+dpu_kms->hw_vbif[vbif_idx].
+
+Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/489569/
+Link: https://lore.kernel.org/r/20220615125703.24647-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 12 ++++------
+ drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c | 29 +++++++++++-------------
+ 2 files changed, 18 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+index 8646fd0603cb..c99c7a218ddb 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+@@ -823,12 +823,10 @@ static void _dpu_kms_hw_destroy(struct dpu_kms *dpu_kms)
+ _dpu_kms_mmu_destroy(dpu_kms);
+
+ if (dpu_kms->catalog) {
+- for (i = 0; i < dpu_kms->catalog->vbif_count; i++) {
+- u32 vbif_idx = dpu_kms->catalog->vbif[i].id;
+-
+- if ((vbif_idx < VBIF_MAX) && dpu_kms->hw_vbif[vbif_idx]) {
+- dpu_hw_vbif_destroy(dpu_kms->hw_vbif[vbif_idx]);
+- dpu_kms->hw_vbif[vbif_idx] = NULL;
++ for (i = 0; i < ARRAY_SIZE(dpu_kms->hw_vbif); i++) {
++ if (dpu_kms->hw_vbif[i]) {
++ dpu_hw_vbif_destroy(dpu_kms->hw_vbif[i]);
++ dpu_kms->hw_vbif[i] = NULL;
+ }
+ }
+ }
+@@ -1110,7 +1108,7 @@ static int dpu_kms_hw_init(struct msm_kms *kms)
+ for (i = 0; i < dpu_kms->catalog->vbif_count; i++) {
+ u32 vbif_idx = dpu_kms->catalog->vbif[i].id;
+
+- dpu_kms->hw_vbif[i] = dpu_hw_vbif_init(vbif_idx,
++ dpu_kms->hw_vbif[vbif_idx] = dpu_hw_vbif_init(vbif_idx,
+ dpu_kms->vbif[vbif_idx], dpu_kms->catalog);
+ if (IS_ERR_OR_NULL(dpu_kms->hw_vbif[vbif_idx])) {
+ rc = PTR_ERR(dpu_kms->hw_vbif[vbif_idx]);
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c
+index 21d20373eb8b..a18fb649301c 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c
+@@ -11,6 +11,14 @@
+ #include "dpu_hw_vbif.h"
+ #include "dpu_trace.h"
+
++static struct dpu_hw_vbif *dpu_get_vbif(struct dpu_kms *dpu_kms, enum dpu_vbif vbif_idx)
++{
++ if (vbif_idx < ARRAY_SIZE(dpu_kms->hw_vbif))
++ return dpu_kms->hw_vbif[vbif_idx];
++
++ return NULL;
++}
++
+ /**
+ * _dpu_vbif_wait_for_xin_halt - wait for the xin to halt
+ * @vbif: Pointer to hardware vbif driver
+@@ -148,20 +156,15 @@ static u32 _dpu_vbif_get_ot_limit(struct dpu_hw_vbif *vbif,
+ void dpu_vbif_set_ot_limit(struct dpu_kms *dpu_kms,
+ struct dpu_vbif_set_ot_params *params)
+ {
+- struct dpu_hw_vbif *vbif = NULL;
++ struct dpu_hw_vbif *vbif;
+ struct dpu_hw_mdp *mdp;
+ bool forced_on = false;
+ u32 ot_lim;
+- int ret, i;
++ int ret;
+
+ mdp = dpu_kms->hw_mdp;
+
+- for (i = 0; i < ARRAY_SIZE(dpu_kms->hw_vbif); i++) {
+- if (dpu_kms->hw_vbif[i] &&
+- dpu_kms->hw_vbif[i]->idx == params->vbif_idx)
+- vbif = dpu_kms->hw_vbif[i];
+- }
+-
++ vbif = dpu_get_vbif(dpu_kms, params->vbif_idx);
+ if (!vbif || !mdp) {
+ DRM_DEBUG_ATOMIC("invalid arguments vbif %d mdp %d\n",
+ vbif != NULL, mdp != NULL);
+@@ -204,7 +207,7 @@ void dpu_vbif_set_ot_limit(struct dpu_kms *dpu_kms,
+ void dpu_vbif_set_qos_remap(struct dpu_kms *dpu_kms,
+ struct dpu_vbif_set_qos_params *params)
+ {
+- struct dpu_hw_vbif *vbif = NULL;
++ struct dpu_hw_vbif *vbif;
+ struct dpu_hw_mdp *mdp;
+ bool forced_on = false;
+ const struct dpu_vbif_qos_tbl *qos_tbl;
+@@ -216,13 +219,7 @@ void dpu_vbif_set_qos_remap(struct dpu_kms *dpu_kms,
+ }
+ mdp = dpu_kms->hw_mdp;
+
+- for (i = 0; i < ARRAY_SIZE(dpu_kms->hw_vbif); i++) {
+- if (dpu_kms->hw_vbif[i] &&
+- dpu_kms->hw_vbif[i]->idx == params->vbif_idx) {
+- vbif = dpu_kms->hw_vbif[i];
+- break;
+- }
+- }
++ vbif = dpu_get_vbif(dpu_kms, params->vbif_idx);
+
+ if (!vbif || !vbif->cap) {
+ DPU_ERROR("invalid vbif %d\n", params->vbif_idx);
+--
+2.35.1
+
--- /dev/null
+From 3ea8208d49a0865f551e4eae0c25e6901de6e354 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Aug 2022 14:56:30 +0300
+Subject: drm/msm: lookup the ICC paths in both mdp5/dpu and mdss devices
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 5ccdcecaf8f732f593e359ebfb65de96b11bae66 ]
+
+The commit 6874f48bb8b0 ("drm/msm: make mdp5/dpu devices master
+components") changed the MDP5 driver to look for the interconnect paths
+in the MDSS device rather than in the MDP5 device itself. This was left
+unnoticed since on my testing devices the interconnects probably didn't
+reach the sync state.
+
+Rather than just using the MDP5 device for ICC path lookups for the MDP5
+devices, introduce an additional helper to check both MDP5/DPU and MDSS
+nodes. This will be helpful for the MDP5->DPU conversion, since the
+driver will have to check both nodes.
+
+Fixes: 6874f48bb8b0 ("drm/msm: make mdp5/dpu devices master components")
+Reported-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reported-by: Yassine Oudjana <y.oudjana@protonmail.com>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Tested-by: Marijn Suijten <marijn.suijten@somainline.org> # On sdm630
+Tested-by: Yassine Oudjana <y.oudjana@protonmail.com> # msm8996
+Patchwork: https://patchwork.freedesktop.org/patch/496488/
+Link: https://lore.kernel.org/r/20220805115630.506391-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 7 ++-----
+ drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c | 9 +++------
+ drivers/gpu/drm/msm/msm_drv.h | 2 ++
+ drivers/gpu/drm/msm/msm_io_utils.c | 22 ++++++++++++++++++++++
+ 4 files changed, 29 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+index 008e1420e6e5..8646fd0603cb 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+@@ -384,12 +384,9 @@ static int dpu_kms_parse_data_bus_icc_path(struct dpu_kms *dpu_kms)
+ struct icc_path *path1;
+ struct drm_device *dev = dpu_kms->dev;
+ struct device *dpu_dev = dev->dev;
+- struct device *mdss_dev = dpu_dev->parent;
+
+- /* Interconnects are a part of MDSS device tree binding, not the
+- * MDP/DPU device. */
+- path0 = of_icc_get(mdss_dev, "mdp0-mem");
+- path1 = of_icc_get(mdss_dev, "mdp1-mem");
++ path0 = msm_icc_get(dpu_dev, "mdp0-mem");
++ path1 = msm_icc_get(dpu_dev, "mdp1-mem");
+
+ if (IS_ERR_OR_NULL(path0))
+ return PTR_ERR_OR_ZERO(path0);
+diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c
+index d2a48caf9d27..b0d21838a134 100644
+--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c
++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c
+@@ -902,12 +902,9 @@ static int mdp5_init(struct platform_device *pdev, struct drm_device *dev)
+
+ static int mdp5_setup_interconnect(struct platform_device *pdev)
+ {
+- /* Interconnects are a part of MDSS device tree binding, not the
+- * MDP5 device. */
+- struct device *mdss_dev = pdev->dev.parent;
+- struct icc_path *path0 = of_icc_get(mdss_dev, "mdp0-mem");
+- struct icc_path *path1 = of_icc_get(mdss_dev, "mdp1-mem");
+- struct icc_path *path_rot = of_icc_get(mdss_dev, "rotator-mem");
++ struct icc_path *path0 = msm_icc_get(&pdev->dev, "mdp0-mem");
++ struct icc_path *path1 = msm_icc_get(&pdev->dev, "mdp1-mem");
++ struct icc_path *path_rot = msm_icc_get(&pdev->dev, "rotator-mem");
+
+ if (IS_ERR(path0))
+ return PTR_ERR(path0);
+diff --git a/drivers/gpu/drm/msm/msm_drv.h b/drivers/gpu/drm/msm/msm_drv.h
+index b3689a2d27d7..80da0d3cfdc1 100644
+--- a/drivers/gpu/drm/msm/msm_drv.h
++++ b/drivers/gpu/drm/msm/msm_drv.h
+@@ -433,6 +433,8 @@ void __iomem *msm_ioremap_size(struct platform_device *pdev, const char *name,
+ phys_addr_t *size);
+ void __iomem *msm_ioremap_quiet(struct platform_device *pdev, const char *name);
+
++struct icc_path *msm_icc_get(struct device *dev, const char *name);
++
+ #define msm_writel(data, addr) writel((data), (addr))
+ #define msm_readl(addr) readl((addr))
+
+diff --git a/drivers/gpu/drm/msm/msm_io_utils.c b/drivers/gpu/drm/msm/msm_io_utils.c
+index 7b504617833a..d02cd29ce829 100644
+--- a/drivers/gpu/drm/msm/msm_io_utils.c
++++ b/drivers/gpu/drm/msm/msm_io_utils.c
+@@ -5,6 +5,8 @@
+ * Author: Rob Clark <robdclark@gmail.com>
+ */
+
++#include <linux/interconnect.h>
++
+ #include "msm_drv.h"
+
+ /*
+@@ -124,3 +126,23 @@ void msm_hrtimer_work_init(struct msm_hrtimer_work *work,
+ work->worker = worker;
+ kthread_init_work(&work->work, fn);
+ }
++
++struct icc_path *msm_icc_get(struct device *dev, const char *name)
++{
++ struct device *mdss_dev = dev->parent;
++ struct icc_path *path;
++
++ path = of_icc_get(dev, name);
++ if (path)
++ return path;
++
++ /*
++ * If there are no interconnects attached to the corresponding device
++ * node, of_icc_get() will return NULL.
++ *
++ * If the MDP5/DPU device node doesn't have interconnects, lookup the
++ * path in the parent (MDSS) device.
++ */
++ return of_icc_get(mdss_dev, name);
++
++}
+--
+2.35.1
+
--- /dev/null
+From 4dab53beae7aa74ee48b2d188b01c8c2cc4bedee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 15:46:12 +0200
+Subject: drm/msm: Make .remove and .shutdown HW shutdown consistent
+
+From: Javier Martinez Canillas <javierm@redhat.com>
+
+[ Upstream commit 0a58d2ae572adaec8d046f8d35b40c2c32ac7468 ]
+
+Drivers' .remove and .shutdown callbacks are executed on different code
+paths. The former is called when a device is removed from the bus, while
+the latter is called at system shutdown time to quiesce the device.
+
+This means that some overlap exists between the two, because both have to
+take care of properly shutting down the hardware. But currently the logic
+used in these two callbacks isn't consistent in msm drivers, which could
+lead to kernel panic.
+
+For example, on .remove the component is deleted and its .unbind callback
+leads to the hardware being shutdown but only if the DRM device has been
+marked as registered.
+
+That check doesn't exist in the .shutdown logic and this can lead to the
+driver calling drm_atomic_helper_shutdown() for a DRM device that hasn't
+been properly initialized.
+
+A situation like this can happen if drivers for expected sub-devices fail
+to probe, since the .bind callback will never be executed. If that is the
+case, drm_atomic_helper_shutdown() will attempt to take mutexes that are
+only initialized if drm_mode_config_init() is called during a device bind.
+
+This bug was attempted to be fixed in commit 623f279c7781 ("drm/msm: fix
+shutdown hook in case GPU components failed to bind"), but unfortunately
+it still happens in some cases as the one mentioned above, i.e:
+
+ systemd-shutdown[1]: Powering off.
+ kvm: exiting hardware virtualization
+ platform wifi-firmware.0: Removing from iommu group 12
+ platform video-firmware.0: Removing from iommu group 10
+ ------------[ cut here ]------------
+ WARNING: CPU: 6 PID: 1 at drivers/gpu/drm/drm_modeset_lock.c:317 drm_modeset_lock_all_ctx+0x3c4/0x3d0
+ ...
+ Hardware name: Google CoachZ (rev3+) (DT)
+ pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : drm_modeset_lock_all_ctx+0x3c4/0x3d0
+ lr : drm_modeset_lock_all_ctx+0x48/0x3d0
+ sp : ffff80000805bb80
+ x29: ffff80000805bb80 x28: ffff327c00128000 x27: 0000000000000000
+ x26: 0000000000000000 x25: 0000000000000001 x24: ffffc95d820ec030
+ x23: ffff327c00bbd090 x22: ffffc95d8215eca0 x21: ffff327c039c5800
+ x20: ffff327c039c5988 x19: ffff80000805bbe8 x18: 0000000000000034
+ x17: 000000040044ffff x16: ffffc95d80cac920 x15: 0000000000000000
+ x14: 0000000000000315 x13: 0000000000000315 x12: 0000000000000000
+ x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
+ x8 : ffff80000805bc28 x7 : 0000000000000000 x6 : 0000000000000000
+ x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
+ x2 : ffff327c00128000 x1 : 0000000000000000 x0 : ffff327c039c59b0
+ Call trace:
+ drm_modeset_lock_all_ctx+0x3c4/0x3d0
+ drm_atomic_helper_shutdown+0x70/0x134
+ msm_drv_shutdown+0x30/0x40
+ platform_shutdown+0x28/0x40
+ device_shutdown+0x148/0x350
+ kernel_power_off+0x38/0x80
+ __do_sys_reboot+0x288/0x2c0
+ __arm64_sys_reboot+0x28/0x34
+ invoke_syscall+0x48/0x114
+ el0_svc_common.constprop.0+0x44/0xec
+ do_el0_svc+0x2c/0xc0
+ el0_svc+0x2c/0x84
+ el0t_64_sync_handler+0x11c/0x150
+ el0t_64_sync+0x18c/0x190
+ ---[ end trace 0000000000000000 ]---
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
+ Mem abort info:
+ ESR = 0x0000000096000004
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x04: level 0 translation fault
+ Data abort info:
+ ISV = 0, ISS = 0x00000004
+ CM = 0, WnR = 0
+ user pgtable: 4k pages, 48-bit VAs, pgdp=000000010eab1000
+ [0000000000000018] pgd=0000000000000000, p4d=0000000000000000
+ Internal error: Oops: 96000004 [#1] PREEMPT SMP
+ ...
+ Hardware name: Google CoachZ (rev3+) (DT)
+ pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : ww_mutex_lock+0x28/0x32c
+ lr : drm_modeset_lock_all_ctx+0x1b0/0x3d0
+ sp : ffff80000805bb50
+ x29: ffff80000805bb50 x28: ffff327c00128000 x27: 0000000000000000
+ x26: 0000000000000000 x25: 0000000000000001 x24: 0000000000000018
+ x23: ffff80000805bc10 x22: ffff327c039c5ad8 x21: ffff327c039c5800
+ x20: ffff80000805bbe8 x19: 0000000000000018 x18: 0000000000000034
+ x17: 000000040044ffff x16: ffffc95d80cac920 x15: 0000000000000000
+ x14: 0000000000000315 x13: 0000000000000315 x12: 0000000000000000
+ x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
+ x8 : ffff80000805bc28 x7 : 0000000000000000 x6 : 0000000000000000
+ x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
+ x2 : ffff327c00128000 x1 : 0000000000000000 x0 : 0000000000000018
+ Call trace:
+ ww_mutex_lock+0x28/0x32c
+ drm_modeset_lock_all_ctx+0x1b0/0x3d0
+ drm_atomic_helper_shutdown+0x70/0x134
+ msm_drv_shutdown+0x30/0x40
+ platform_shutdown+0x28/0x40
+ device_shutdown+0x148/0x350
+ kernel_power_off+0x38/0x80
+ __do_sys_reboot+0x288/0x2c0
+ __arm64_sys_reboot+0x28/0x34
+ invoke_syscall+0x48/0x114
+ el0_svc_common.constprop.0+0x44/0xec
+ do_el0_svc+0x2c/0xc0
+ el0_svc+0x2c/0x84
+ el0t_64_sync_handler+0x11c/0x150
+ el0t_64_sync+0x18c/0x190
+ Code: aa0103f4 d503201f d2800001 aa0103e3 (c8e37c02)
+ ---[ end trace 0000000000000000 ]---
+ Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
+ Kernel Offset: 0x495d77c00000 from 0xffff800008000000
+ PHYS_OFFSET: 0xffffcd8500000000
+ CPU features: 0x800,00c2a015,19801c82
+ Memory Limit: none
+ ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]---
+
+Fixes: 9d5cbf5fe46e ("drm/msm: add shutdown support for display platform_driver")
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220816134612.916527-1-javierm@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_drv.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
+index 16884db272de..0759e2d99f59 100644
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -1244,10 +1244,15 @@ void msm_drv_shutdown(struct platform_device *pdev)
+ struct msm_drm_private *priv = platform_get_drvdata(pdev);
+ struct drm_device *drm = priv ? priv->dev : NULL;
+
+- if (!priv || !priv->kms)
+- return;
+-
+- drm_atomic_helper_shutdown(drm);
++ /*
++ * Shutdown the hw if we're far enough along where things might be on.
++ * If we run this too early, we'll end up panicking in any variety of
++ * places. Since we don't register the drm device until late in
++ * msm_drm_init, drm_dev->registered is used as an indicator that the
++ * shutdown will be successful.
++ */
++ if (drm && drm->registered)
++ drm_atomic_helper_shutdown(drm);
+ }
+
+ static struct platform_driver msm_platform_driver = {
+--
+2.35.1
+
--- /dev/null
+From cb3940d53ef05030063d94e6d33378da31bb9d81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Jul 2022 17:43:06 +0800
+Subject: drm/nouveau/nouveau_bo: fix potential memory leak in
+ nouveau_bo_alloc()
+
+From: Jianglei Nie <niejianglei2021@163.com>
+
+[ Upstream commit 6dc548745d5b5102e3c53dc5097296ac270b6c69 ]
+
+nouveau_bo_alloc() allocates a memory chunk for "nvbo" with kzalloc().
+When some error occurs, "nvbo" should be released. But when
+WARN_ON(pi < 0)) equals true, the function return ERR_PTR without
+releasing the "nvbo", which will lead to a memory leak.
+
+We should release the "nvbo" with kfree() if WARN_ON(pi < 0)) equals true.
+
+Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220705094306.2244103-1-niejianglei2021@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_bo.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_bo.c b/drivers/gpu/drm/nouveau/nouveau_bo.c
+index e29175e4b44c..07a327ad5e2a 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_bo.c
++++ b/drivers/gpu/drm/nouveau/nouveau_bo.c
+@@ -281,8 +281,10 @@ nouveau_bo_alloc(struct nouveau_cli *cli, u64 *size, int *align, u32 domain,
+ break;
+ }
+
+- if (WARN_ON(pi < 0))
++ if (WARN_ON(pi < 0)) {
++ kfree(nvbo);
+ return ERR_PTR(-EINVAL);
++ }
+
+ /* Disable compression if suitable settings couldn't be found. */
+ if (nvbo->comp && !vmm->page[pi].comp) {
+--
+2.35.1
+
--- /dev/null
+From 25c3cc48a1ffeae32ac21c3fcc721f4e3526fb95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Jul 2022 22:43:48 +0800
+Subject: drm/omap: dss: Fix refcount leak bugs
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 8b42057e62120813ebe9274f508fa785b7cab33a ]
+
+In dss_init_ports() and __dss_uninit_ports(), we should call
+of_node_put() for the reference returned by of_graph_get_port_by_id()
+in fail path or when it is not used anymore.
+
+Fixes: 09bffa6e5192 ("drm: omap: use common OF graph helpers")
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220722144348.1306569-1-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/omapdrm/dss/dss.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/omapdrm/dss/dss.c b/drivers/gpu/drm/omapdrm/dss/dss.c
+index 0399f3390a0a..c4febb861910 100644
+--- a/drivers/gpu/drm/omapdrm/dss/dss.c
++++ b/drivers/gpu/drm/omapdrm/dss/dss.c
+@@ -1176,6 +1176,7 @@ static void __dss_uninit_ports(struct dss_device *dss, unsigned int num_ports)
+ default:
+ break;
+ }
++ of_node_put(port);
+ }
+ }
+
+@@ -1208,11 +1209,13 @@ static int dss_init_ports(struct dss_device *dss)
+ default:
+ break;
+ }
++ of_node_put(port);
+ }
+
+ return 0;
+
+ error:
++ of_node_put(port);
+ __dss_uninit_ports(dss, i);
+ return r;
+ }
+--
+2.35.1
+
--- /dev/null
+From e519901f5d820dc5daee9c8b0b8ce2620ced0e26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Aug 2022 20:24:03 +0200
+Subject: drm: panel-orientation-quirks: Add quirk for Anbernic Win600
+
+From: Maya Matuszczyk <maccraft123mc@gmail.com>
+
+[ Upstream commit 770e19076065e079a32f33eb11be2057c87f1cde ]
+
+This device is another x86 gaming handheld, and as (hopefully) there is
+only one set of DMI IDs it's using DMI_EXACT_MATCH
+
+Signed-off-by: Maya Matuszczyk <maccraft123mc@gmail.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220803182402.1217293-1-maccraft123mc@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index fc1728d46ac2..64b194af003c 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -128,6 +128,12 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "One S1003"),
+ },
+ .driver_data = (void *)&lcd800x1280_rightside_up,
++ }, { /* Anbernic Win600 */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "Anbernic"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Win600"),
++ },
++ .driver_data = (void *)&lcd720x1280_rightside_up,
+ }, { /* Asus T100HA */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+--
+2.35.1
+
--- /dev/null
+From f850b74a22166d977391ea278c009af8559139bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 21:19:47 +0200
+Subject: drm: panel-orientation-quirks: Add quirk for Aya Neo Air
+
+From: Maya Matuszczyk <maccraft123mc@gmail.com>
+
+[ Upstream commit e10ea7b9b90219da305a16b3c1252169715a807b ]
+
+Yet another x86 gaming handheld.
+
+This one has many SKUs with quite a few of DMI strings,
+so let's just use a catchall, just as with Aya Neo Next.
+
+Signed-off-by: Maya Matuszczyk <maccraft123mc@gmail.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220825191946.1678798-1-maccraft123mc@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index 64b194af003c..8a0c0e0bb5bd 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -103,6 +103,12 @@ static const struct drm_dmi_panel_orientation_data lcd800x1280_rightside_up = {
+ .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
+ };
+
++static const struct drm_dmi_panel_orientation_data lcd1080x1920_leftside_up = {
++ .width = 1080,
++ .height = 1920,
++ .orientation = DRM_MODE_PANEL_ORIENTATION_LEFT_UP,
++};
++
+ static const struct drm_dmi_panel_orientation_data lcd1200x1920_rightside_up = {
+ .width = 1200,
+ .height = 1920,
+@@ -158,6 +164,12 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "AYA NEO 2021"),
+ },
+ .driver_data = (void *)&lcd800x1280_rightside_up,
++ }, { /* AYA NEO AIR */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYANEO"),
++ DMI_MATCH(DMI_BOARD_NAME, "AIR"),
++ },
++ .driver_data = (void *)&lcd1080x1920_leftside_up,
+ }, { /* AYA NEO NEXT */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "AYANEO"),
+--
+2.35.1
+
--- /dev/null
+From 3bbcba2eef85f228da06054e1cd4e544159d407d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Aug 2022 17:42:27 -0700
+Subject: drm/panel: use 'select' for Ili9341 panel driver helpers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 84dfc46594b0167e5d3736273b0e0e05365da641 ]
+
+Use 'select' instead of 'depends on' for DRM helpers for the
+Ilitek ILI9341 panel driver.
+This is what is done in the vast majority of other cases and
+this makes it possible to fix a build error with drm_mipi_dbi.
+
+Fixes: 5a04227326b0 ("drm/panel: Add ilitek ili9341 panel driver")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Dillon Min <dillon.minfei@gmail.com>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Cc: Noralf Trønnes <noralf@tronnes.org>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Thierry Reding <thierry.reding@gmail.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: David Airlie <airlied@linux.ie>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220823004227.10820-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/panel/Kconfig b/drivers/gpu/drm/panel/Kconfig
+index a9043eacce97..a582ddd583c2 100644
+--- a/drivers/gpu/drm/panel/Kconfig
++++ b/drivers/gpu/drm/panel/Kconfig
+@@ -165,8 +165,8 @@ config DRM_PANEL_ILITEK_IL9322
+ config DRM_PANEL_ILITEK_ILI9341
+ tristate "Ilitek ILI9341 240x320 QVGA panels"
+ depends on OF && SPI
+- depends on DRM_KMS_HELPER
+- depends on DRM_GEM_CMA_HELPER
++ select DRM_KMS_HELPER
++ select DRM_GEM_DMA_HELPER
+ depends on BACKLIGHT_CLASS_DEVICE
+ select DRM_MIPI_DBI
+ help
+--
+2.35.1
+
--- /dev/null
+From 15ed5e266c14227359ce2eb34d320998c2d99f20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jul 2022 21:15:50 +0800
+Subject: drm:pl111: Add of_node_put() when breaking out of
+ for_each_available_child_of_node()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit e0686dc6f2252e009c455fe99e2ce9d62a60eb47 ]
+
+The reference 'child' in the iteration of for_each_available_child_of_node()
+is only escaped out into a local variable which is only used to check
+its value. So we still need to the of_node_put() when breaking of the
+for_each_available_child_of_node() which will automatically increase
+and decrease the refcount.
+
+Fixes: ca454bd42dc2 ("drm/pl111: Support the Versatile Express")
+Signed-off-by: Liang He <windhl@126.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220711131550.361350-1-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/pl111/pl111_versatile.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/pl111/pl111_versatile.c b/drivers/gpu/drm/pl111/pl111_versatile.c
+index efb01a554574..1b436b75fd39 100644
+--- a/drivers/gpu/drm/pl111/pl111_versatile.c
++++ b/drivers/gpu/drm/pl111/pl111_versatile.c
+@@ -404,6 +404,7 @@ static int pl111_vexpress_clcd_init(struct device *dev, struct device_node *np,
+ if (of_device_is_compatible(child, "arm,pl111")) {
+ has_coretile_clcd = true;
+ ct_clcd = child;
++ of_node_put(child);
+ break;
+ }
+ if (of_device_is_compatible(child, "arm,hdlcd")) {
+--
+2.35.1
+
--- /dev/null
+From a8e68457e36276e93ed5b912ada727130800e720 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Jul 2022 12:02:14 +0200
+Subject: drm: Prevent drm_copy_field() to attempt copying a NULL pointer
+
+From: Javier Martinez Canillas <javierm@redhat.com>
+
+[ Upstream commit f6ee30407e883042482ad4ad30da5eaba47872ee ]
+
+There are some struct drm_driver fields that are required by drivers since
+drm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION.
+
+But it can be possible that a driver has a bug and did not set some of the
+fields, which leads to drm_copy_field() attempting to copy a NULL pointer:
+
+[ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
+[ +0.010955] Mem abort info:
+[ +0.002835] ESR = 0x0000000096000004
+[ +0.003872] EC = 0x25: DABT (current EL), IL = 32 bits
+[ +0.005395] SET = 0, FnV = 0
+[ +0.003113] EA = 0, S1PTW = 0
+[ +0.003182] FSC = 0x04: level 0 translation fault
+[ +0.004964] Data abort info:
+[ +0.002919] ISV = 0, ISS = 0x00000004
+[ +0.003886] CM = 0, WnR = 0
+[ +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000
+[ +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
+[ +0.006925] Internal error: Oops: 96000004 [#1] SMP
+...
+[ +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ +0.007061] pc : __pi_strlen+0x14/0x150
+[ +0.003895] lr : drm_copy_field+0x30/0x1a4
+[ +0.004156] sp : ffff8000094b3a50
+[ +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040
+[ +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040
+[ +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000
+[ +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000
+[ +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40
+[ +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
+[ +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8
+[ +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141
+[ +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
+[ +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000
+[ +0.007240] Call trace:
+[ +0.002475] __pi_strlen+0x14/0x150
+[ +0.003537] drm_version+0x84/0xac
+[ +0.003448] drm_ioctl_kernel+0xa8/0x16c
+[ +0.003975] drm_ioctl+0x270/0x580
+[ +0.003448] __arm64_sys_ioctl+0xb8/0xfc
+[ +0.003978] invoke_syscall+0x78/0x100
+[ +0.003799] el0_svc_common.constprop.0+0x4c/0xf4
+[ +0.004767] do_el0_svc+0x38/0x4c
+[ +0.003357] el0_svc+0x34/0x100
+[ +0.003185] el0t_64_sync_handler+0x11c/0x150
+[ +0.004418] el0t_64_sync+0x190/0x194
+[ +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02)
+[ +0.006180] ---[ end trace 0000000000000000 ]---
+
+Reported-by: Peter Robinson <pbrobinson@gmail.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220705100215.572498-3-javierm@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_ioctl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
+index e1b9a03e619c..ca2a6e6101dc 100644
+--- a/drivers/gpu/drm/drm_ioctl.c
++++ b/drivers/gpu/drm/drm_ioctl.c
+@@ -474,6 +474,12 @@ static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value)
+ {
+ size_t len;
+
++ /* don't attempt to copy a NULL pointer */
++ if (WARN_ONCE(!value, "BUG: the value to copy was not set!")) {
++ *buf_len = 0;
++ return 0;
++ }
++
+ /* don't overflow userbuf */
+ len = strlen(value);
+ if (len > *buf_len)
+--
+2.35.1
+
--- /dev/null
+From 256123fd0dd631be31870e0ac94f38637ae9d5d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Jul 2022 12:02:13 +0200
+Subject: drm: Use size_t type for len variable in drm_copy_field()
+
+From: Javier Martinez Canillas <javierm@redhat.com>
+
+[ Upstream commit 94dc3471d1b2b58b3728558d0e3f264e9ce6ff59 ]
+
+The strlen() function returns a size_t which is an unsigned int on 32-bit
+arches and an unsigned long on 64-bit arches. But in the drm_copy_field()
+function, the strlen() return value is assigned to an 'int len' variable.
+
+Later, the len variable is passed as copy_from_user() third argument that
+is an unsigned long parameter as well.
+
+In theory, this can lead to an integer overflow via type conversion. Since
+the assignment happens to a signed int lvalue instead of a size_t lvalue.
+
+In practice though, that's unlikely since the values copied are set by DRM
+drivers and not controlled by userspace. But using a size_t for len is the
+correct thing to do anyways.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Tested-by: Peter Robinson <pbrobinson@gmail.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220705100215.572498-2-javierm@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
+index 8faad23dc1d8..e1b9a03e619c 100644
+--- a/drivers/gpu/drm/drm_ioctl.c
++++ b/drivers/gpu/drm/drm_ioctl.c
+@@ -472,7 +472,7 @@ EXPORT_SYMBOL(drm_invalid_op);
+ */
+ static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value)
+ {
+- int len;
++ size_t len;
+
+ /* don't overflow userbuf */
+ len = strlen(value);
+--
+2.35.1
+
--- /dev/null
+From 851c5d9accd06c1405a4346e783deed0eac1406c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jul 2022 19:38:42 +0200
+Subject: drm/vc4: drv: Call component_unbind_all()
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 6cf61bf49c9bdb9ba2d33be812d90dd406326c6c ]
+
+While we were using the component framework to deal with all the DRM
+subdevices, we were not calling component_unbind_all().
+
+This leads to none of the subdevices freeing up their resources as part of
+their unbind() or device managed hooks.
+
+Fixes: c8b75bca92cb ("drm/vc4: Add KMS support for Raspberry Pi.")
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://lore.kernel.org/r/20220711173939.1132294-13-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_drv.c | 14 ++++++++++++--
+ drivers/gpu/drm/vc4/vc4_drv.h | 1 +
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_drv.c b/drivers/gpu/drm/vc4/vc4_drv.c
+index 292d1b6a01b6..6b8dfa1e7650 100644
+--- a/drivers/gpu/drm/vc4/vc4_drv.c
++++ b/drivers/gpu/drm/vc4/vc4_drv.c
+@@ -267,6 +267,13 @@ static void vc4_match_add_drivers(struct device *dev,
+ }
+ }
+
++static void vc4_component_unbind_all(void *ptr)
++{
++ struct vc4_dev *vc4 = ptr;
++
++ component_unbind_all(vc4->dev, &vc4->base);
++}
++
+ static const struct of_device_id vc4_dma_range_matches[] = {
+ { .compatible = "brcm,bcm2711-hvs" },
+ { .compatible = "brcm,bcm2835-hvs" },
+@@ -310,6 +317,7 @@ static int vc4_drm_bind(struct device *dev)
+ if (IS_ERR(vc4))
+ return PTR_ERR(vc4);
+ vc4->is_vc5 = is_vc5;
++ vc4->dev = dev;
+
+ drm = &vc4->base;
+ platform_set_drvdata(pdev, drm);
+@@ -360,6 +368,10 @@ static int vc4_drm_bind(struct device *dev)
+ if (ret)
+ return ret;
+
++ ret = devm_add_action_or_reset(dev, vc4_component_unbind_all, vc4);
++ if (ret)
++ return ret;
++
+ ret = vc4_plane_create_additional_planes(drm);
+ if (ret)
+ goto unbind_all;
+@@ -380,8 +392,6 @@ static int vc4_drm_bind(struct device *dev)
+ return 0;
+
+ unbind_all:
+- component_unbind_all(dev, drm);
+-
+ return ret;
+ }
+
+diff --git a/drivers/gpu/drm/vc4/vc4_drv.h b/drivers/gpu/drm/vc4/vc4_drv.h
+index 1beb96b77b8c..950056b83843 100644
+--- a/drivers/gpu/drm/vc4/vc4_drv.h
++++ b/drivers/gpu/drm/vc4/vc4_drv.h
+@@ -76,6 +76,7 @@ struct vc4_perfmon {
+
+ struct vc4_dev {
+ struct drm_device base;
++ struct device *dev;
+
+ bool is_vc5;
+
+--
+2.35.1
+
--- /dev/null
+From 89ec9d5fb2c26c5d5cfa6f6e908aade485cec799 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jul 2022 19:39:23 +0200
+Subject: drm/vc4: txp: Protect device resources
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit b7345c9799da578c150fde3072446e4049c39c41 ]
+
+Our current code now mixes some resources whose lifetime are tied to the
+device (clocks, IO mappings, etc.) and some that are tied to the DRM device
+(encoder, bridge).
+
+The device one will be freed at unbind time, but the DRM one will only be
+freed when the last user of the DRM device closes its file handle.
+
+So we end up with a time window during which we can call the encoder hooks,
+but we don't have access to the underlying resources and device.
+
+Let's protect all those sections with drm_dev_enter() and drm_dev_exit() so
+that we bail out if we are during that window.
+
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://lore.kernel.org/r/20220711173939.1132294-54-maxime@cerno.tech
+Stable-dep-of: fcfd3e5fb2f0 ("drm/lcdif: Clean up headers")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_txp.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_txp.c b/drivers/gpu/drm/vc4/vc4_txp.c
+index d20b0bc51a18..a6724f15b107 100644
+--- a/drivers/gpu/drm/vc4/vc4_txp.c
++++ b/drivers/gpu/drm/vc4/vc4_txp.c
+@@ -15,6 +15,7 @@
+
+ #include <drm/drm_atomic.h>
+ #include <drm/drm_atomic_helper.h>
++#include <drm/drm_drv.h>
+ #include <drm/drm_edid.h>
+ #include <drm/drm_fb_cma_helper.h>
+ #include <drm/drm_fourcc.h>
+@@ -276,6 +277,7 @@ static int vc4_txp_connector_atomic_check(struct drm_connector *conn,
+ static void vc4_txp_connector_atomic_commit(struct drm_connector *conn,
+ struct drm_atomic_state *state)
+ {
++ struct drm_device *drm = conn->dev;
+ struct drm_connector_state *conn_state = drm_atomic_get_new_connector_state(state,
+ conn);
+ struct vc4_txp *txp = connector_to_vc4_txp(conn);
+@@ -283,6 +285,7 @@ static void vc4_txp_connector_atomic_commit(struct drm_connector *conn,
+ struct drm_display_mode *mode;
+ struct drm_framebuffer *fb;
+ u32 ctrl;
++ int idx;
+ int i;
+
+ if (WARN_ON(!conn_state->writeback_job))
+@@ -312,6 +315,9 @@ static void vc4_txp_connector_atomic_commit(struct drm_connector *conn,
+ */
+ ctrl |= TXP_ALPHA_INVERT;
+
++ if (!drm_dev_enter(drm, &idx))
++ return;
++
+ gem = drm_fb_cma_get_gem_obj(fb, 0);
+ TXP_WRITE(TXP_DST_PTR, gem->paddr + fb->offsets[0]);
+ TXP_WRITE(TXP_DST_PITCH, fb->pitches[0]);
+@@ -322,6 +328,8 @@ static void vc4_txp_connector_atomic_commit(struct drm_connector *conn,
+ TXP_WRITE(TXP_DST_CTRL, ctrl);
+
+ drm_writeback_queue_job(&txp->connector, conn_state);
++
++ drm_dev_exit(idx);
+ }
+
+ static const struct drm_connector_helper_funcs vc4_txp_connector_helper_funcs = {
+@@ -354,7 +362,12 @@ static const struct drm_connector_funcs vc4_txp_connector_funcs = {
+
+ static void vc4_txp_encoder_disable(struct drm_encoder *encoder)
+ {
++ struct drm_device *drm = encoder->dev;
+ struct vc4_txp *txp = encoder_to_vc4_txp(encoder);
++ int idx;
++
++ if (!drm_dev_enter(drm, &idx))
++ return;
+
+ if (TXP_READ(TXP_DST_CTRL) & TXP_BUSY) {
+ unsigned long timeout = jiffies + msecs_to_jiffies(1000);
+@@ -369,6 +382,8 @@ static void vc4_txp_encoder_disable(struct drm_encoder *encoder)
+ }
+
+ TXP_WRITE(TXP_DST_CTRL, TXP_POWERDOWN);
++
++ drm_dev_exit(idx);
+ }
+
+ static const struct drm_encoder_helper_funcs vc4_txp_encoder_helper_funcs = {
+@@ -453,6 +468,16 @@ static irqreturn_t vc4_txp_interrupt(int irq, void *data)
+ struct vc4_txp *txp = data;
+ struct vc4_crtc *vc4_crtc = &txp->base;
+
++ /*
++ * We don't need to protect the register access using
++ * drm_dev_enter() there because the interrupt handler lifetime
++ * is tied to the device itself, and not to the DRM device.
++ *
++ * So when the device will be gone, one of the first thing we
++ * will be doing will be to unregister the interrupt handler,
++ * and then unregister the DRM device. drm_dev_enter() would
++ * thus always succeed if we are here.
++ */
+ TXP_WRITE(TXP_DST_CTRL, TXP_READ(TXP_DST_CTRL) & ~TXP_EI);
+ vc4_crtc_handle_vblank(vc4_crtc);
+ drm_writeback_signal_completion(&txp->connector, 0);
+--
+2.35.1
+
--- /dev/null
+From db8511102c7fd0545c93a13a261c78e08e532d78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Aug 2022 15:11:42 +0200
+Subject: drm/vc4: vec: Fix timings for VEC modes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mateusz Kwiatkowski <kfyatek+publicgit@gmail.com>
+
+[ Upstream commit 30d7565be96b3946c18a1ce3fd538f7946839092 ]
+
+This commit fixes vertical timings of the VEC (composite output) modes
+to accurately represent the 525-line ("NTSC") and 625-line ("PAL") ITU-R
+standards.
+
+Previous timings were actually defined as 502 and 601 lines, resulting
+in non-standard 62.69 Hz and 52 Hz signals being generated,
+respectively.
+
+Signed-off-by: Mateusz Kwiatkowski <kfyatek+publicgit@gmail.com>
+Acked-by: Noralf Trønnes <noralf@tronnes.org>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220728-rpi-analog-tv-properties-v2-28-459522d653a7@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_vec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_vec.c b/drivers/gpu/drm/vc4/vc4_vec.c
+index 11fc3d6f66b1..4e2250b8fa23 100644
+--- a/drivers/gpu/drm/vc4/vc4_vec.c
++++ b/drivers/gpu/drm/vc4/vc4_vec.c
+@@ -256,7 +256,7 @@ static void vc4_vec_ntsc_j_mode_set(struct vc4_vec *vec)
+ static const struct drm_display_mode ntsc_mode = {
+ DRM_MODE("720x480", DRM_MODE_TYPE_DRIVER, 13500,
+ 720, 720 + 14, 720 + 14 + 64, 720 + 14 + 64 + 60, 0,
+- 480, 480 + 3, 480 + 3 + 3, 480 + 3 + 3 + 16, 0,
++ 480, 480 + 7, 480 + 7 + 6, 525, 0,
+ DRM_MODE_FLAG_INTERLACE)
+ };
+
+@@ -278,7 +278,7 @@ static void vc4_vec_pal_m_mode_set(struct vc4_vec *vec)
+ static const struct drm_display_mode pal_mode = {
+ DRM_MODE("720x576", DRM_MODE_TYPE_DRIVER, 13500,
+ 720, 720 + 20, 720 + 20 + 64, 720 + 20 + 64 + 60, 0,
+- 576, 576 + 2, 576 + 2 + 3, 576 + 2 + 3 + 20, 0,
++ 576, 576 + 4, 576 + 4 + 6, 625, 0,
+ DRM_MODE_FLAG_INTERLACE)
+ };
+
+--
+2.35.1
+
--- /dev/null
+From c9facf04f10517b55f86dd5e5008904407c721d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jun 2022 23:07:18 +0300
+Subject: drm/virtio: Correct drm_gem_shmem_get_sg_table() error handling
+
+From: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+
+[ Upstream commit 64b88afbd92fbf434759d1896a7cf705e1c00e79 ]
+
+Previous commit fixed checking of the ERR_PTR value returned by
+drm_gem_shmem_get_sg_table(), but it missed to zero out the shmem->pages,
+which will crash virtio_gpu_cleanup_object(). Add the missing zeroing of
+the shmem->pages.
+
+Fixes: c24968734abf ("drm/virtio: Fix NULL vs IS_ERR checking in virtio_gpu_object_shmem_init")
+Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
+Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20220630200726.1884320-2-dmitry.osipenko@collabora.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_object.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_object.c b/drivers/gpu/drm/virtio/virtgpu_object.c
+index b38c338211aa..75a159df0af6 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_object.c
++++ b/drivers/gpu/drm/virtio/virtgpu_object.c
+@@ -170,6 +170,7 @@ static int virtio_gpu_object_shmem_init(struct virtio_gpu_device *vgdev,
+ shmem->pages = drm_gem_shmem_get_sg_table(&bo->base);
+ if (IS_ERR(shmem->pages)) {
+ drm_gem_shmem_unpin(&bo->base);
++ shmem->pages = NULL;
+ return PTR_ERR(shmem->pages);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From d6bdb7e5a8095a013642f94db89ea243f96e669f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Aug 2022 15:40:00 -0700
+Subject: drm/virtio: Fix same-context optimization
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit 3007dc2af6e86ac00b4daf7414142637fdf50bfa ]
+
+When VIRTGPU_EXECBUF_RING_IDX is used, we should be considering the
+timeline that the EB if running on rather than the global driver fence
+context.
+
+Fixes: 85c83ea915ed ("drm/virtio: implement context init: allocate an array of fence contexts")
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Link: http://patchwork.freedesktop.org/patch/msgid/20220812224001.2806463-1-robdclark@gmail.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_ioctl.c b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+index 9b2702116f93..3b1701607aae 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c
++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+@@ -168,7 +168,7 @@ static int virtio_gpu_execbuffer_ioctl(struct drm_device *dev, void *data,
+ * array contains any fence from a foreign context.
+ */
+ ret = 0;
+- if (!dma_fence_match_context(in_fence, vgdev->fence_drv.context))
++ if (!dma_fence_match_context(in_fence, fence_ctx + ring_idx))
+ ret = dma_fence_wait(in_fence, true);
+
+ dma_fence_put(in_fence);
+--
+2.35.1
+
--- /dev/null
+From a2730912fddf4a69dd12904d24d7c72e6094f125 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Aug 2022 12:06:01 -0700
+Subject: drm/virtio: set fb_modifiers_not_supported
+
+From: Chia-I Wu <olvaffe@gmail.com>
+
+[ Upstream commit 85faca8ca0f659263b5fb2385e4c231cc075bd84 ]
+
+Without this, the drm core advertises LINEAR modifier which is
+incorrect.
+
+Also userspace virgl does not support modifiers. For example, it causes
+chrome on ozone/drm to fail with "Failed to create scanout buffer".
+
+Fixes: 2af104290da5 ("drm: introduce fb_modifiers_not_supported flag in mode_config")
+Suggested-by: Shao-Chuan Lee <shaochuan@chromium.org>
+Signed-off-by: Chia-I Wu <olvaffe@gmail.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20220831190601.1295129-1-olvaffe@gmail.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_display.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_display.c b/drivers/gpu/drm/virtio/virtgpu_display.c
+index 5c7f198c0712..9ea7611a9e0f 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_display.c
++++ b/drivers/gpu/drm/virtio/virtgpu_display.c
+@@ -349,6 +349,8 @@ int virtio_gpu_modeset_init(struct virtio_gpu_device *vgdev)
+ vgdev->ddev->mode_config.max_width = XRES_MAX;
+ vgdev->ddev->mode_config.max_height = YRES_MAX;
+
++ vgdev->ddev->mode_config.fb_modifiers_not_supported = true;
++
+ for (i = 0 ; i < vgdev->num_scanouts; ++i)
+ vgdev_output_init(vgdev, i);
+
+--
+2.35.1
+
--- /dev/null
+From a9e265e8e0cb222a40c36918da88477fd843701e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 17:47:51 -0300
+Subject: drm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl()
+
+From: Rafael Mendonca <rafaelmendsr@gmail.com>
+
+[ Upstream commit a40c7f61d12fbd1e785e59140b9efd57127c0c33 ]
+
+If the copy of the description string from userspace fails, then the page
+for the instance descriptor doesn't get freed before returning -EFAULT,
+which leads to a memleak.
+
+Fixes: 7a7a933edd6c ("drm/vmwgfx: Introduce VMware mks-guest-stats")
+Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
+Reviewed-by: Martin Krastev <krastevm@vmware.com>
+Signed-off-by: Zack Rusin <zackr@vmware.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220916204751.720716-1-rafaelmendsr@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_msg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
+index 2aceac7856e2..089046fa21be 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
+@@ -1076,6 +1076,7 @@ int vmw_mksstat_add_ioctl(struct drm_device *dev, void *data,
+
+ if (desc_len < 0) {
+ atomic_set(&dev_priv->mksstat_user_pids[slot], 0);
++ __free_page(page);
+ return -EFAULT;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From d60faea58303f87d3fb72023ea7c797b8b1b1a7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 11:05:06 -0500
+Subject: dt-bindings: arm: ti: k3: Sort the am654 board enums
+
+From: Nishanth Menon <nm@ti.com>
+
+[ Upstream commit 5f120a4dc7a71187fdae0a11f6c65b7e2cf7a2d7 ]
+
+Use alphabetical sort to organize the am654 board names.
+
+Suggested-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20220830160507.7726-2-nm@ti.com
+Stable-dep-of: 0d0a0b441346 ("arm64: dts: ti: k3-j7200: fix main pinmux range")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/arm/ti/k3.yaml | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/devicetree/bindings/arm/ti/k3.yaml b/Documentation/devicetree/bindings/arm/ti/k3.yaml
+index 61c6ab4f52e2..7e93e87dcdf4 100644
+--- a/Documentation/devicetree/bindings/arm/ti/k3.yaml
++++ b/Documentation/devicetree/bindings/arm/ti/k3.yaml
+@@ -22,11 +22,11 @@ properties:
+ - description: K3 AM654 SoC
+ items:
+ - enum:
+- - ti,am654-evm
+- - siemens,iot2050-basic
+- - siemens,iot2050-basic-pg2
+ - siemens,iot2050-advanced
+ - siemens,iot2050-advanced-pg2
++ - siemens,iot2050-basic
++ - siemens,iot2050-basic-pg2
++ - ti,am654-evm
+ - const: ti,am654
+
+ - description: K3 J721E SoC
+--
+2.35.1
+
--- /dev/null
+From c08000f765db0f59135071785a8ba5999d7ce03b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 11:13:55 +0900
+Subject: dt-bindings: clock: exynosautov9: correct clock numbering of
+ peric0/c1
+
+From: Chanho Park <chanho61.park@samsung.com>
+
+[ Upstream commit b6740089b740b842d5e6ff55b4b2c3bf5961c69a ]
+
+There are duplicated definitions of peric0 and peric1 cmu blocks. Thus,
+they should be defined correctly as numerical order.
+
+Fixes: 680e1c8370a2 ("dt-bindings: clock: add clock binding definitions for Exynos Auto v9")
+Signed-off-by: Chanho Park <chanho61.park@samsung.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20220727021357.152421-2-chanho61.park@samsung.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../dt-bindings/clock/samsung,exynosautov9.h | 56 +++++++++----------
+ 1 file changed, 28 insertions(+), 28 deletions(-)
+
+diff --git a/include/dt-bindings/clock/samsung,exynosautov9.h b/include/dt-bindings/clock/samsung,exynosautov9.h
+index ea9f91b4eb1a..a7db6516593f 100644
+--- a/include/dt-bindings/clock/samsung,exynosautov9.h
++++ b/include/dt-bindings/clock/samsung,exynosautov9.h
+@@ -226,21 +226,21 @@
+ #define CLK_GOUT_PERIC0_IPCLK_8 28
+ #define CLK_GOUT_PERIC0_IPCLK_9 29
+ #define CLK_GOUT_PERIC0_IPCLK_10 30
+-#define CLK_GOUT_PERIC0_IPCLK_11 30
+-#define CLK_GOUT_PERIC0_PCLK_0 31
+-#define CLK_GOUT_PERIC0_PCLK_1 32
+-#define CLK_GOUT_PERIC0_PCLK_2 33
+-#define CLK_GOUT_PERIC0_PCLK_3 34
+-#define CLK_GOUT_PERIC0_PCLK_4 35
+-#define CLK_GOUT_PERIC0_PCLK_5 36
+-#define CLK_GOUT_PERIC0_PCLK_6 37
+-#define CLK_GOUT_PERIC0_PCLK_7 38
+-#define CLK_GOUT_PERIC0_PCLK_8 39
+-#define CLK_GOUT_PERIC0_PCLK_9 40
+-#define CLK_GOUT_PERIC0_PCLK_10 41
+-#define CLK_GOUT_PERIC0_PCLK_11 42
++#define CLK_GOUT_PERIC0_IPCLK_11 31
++#define CLK_GOUT_PERIC0_PCLK_0 32
++#define CLK_GOUT_PERIC0_PCLK_1 33
++#define CLK_GOUT_PERIC0_PCLK_2 34
++#define CLK_GOUT_PERIC0_PCLK_3 35
++#define CLK_GOUT_PERIC0_PCLK_4 36
++#define CLK_GOUT_PERIC0_PCLK_5 37
++#define CLK_GOUT_PERIC0_PCLK_6 38
++#define CLK_GOUT_PERIC0_PCLK_7 39
++#define CLK_GOUT_PERIC0_PCLK_8 40
++#define CLK_GOUT_PERIC0_PCLK_9 41
++#define CLK_GOUT_PERIC0_PCLK_10 42
++#define CLK_GOUT_PERIC0_PCLK_11 43
+
+-#define PERIC0_NR_CLK 43
++#define PERIC0_NR_CLK 44
+
+ /* CMU_PERIC1 */
+ #define CLK_MOUT_PERIC1_BUS_USER 1
+@@ -272,21 +272,21 @@
+ #define CLK_GOUT_PERIC1_IPCLK_8 28
+ #define CLK_GOUT_PERIC1_IPCLK_9 29
+ #define CLK_GOUT_PERIC1_IPCLK_10 30
+-#define CLK_GOUT_PERIC1_IPCLK_11 30
+-#define CLK_GOUT_PERIC1_PCLK_0 31
+-#define CLK_GOUT_PERIC1_PCLK_1 32
+-#define CLK_GOUT_PERIC1_PCLK_2 33
+-#define CLK_GOUT_PERIC1_PCLK_3 34
+-#define CLK_GOUT_PERIC1_PCLK_4 35
+-#define CLK_GOUT_PERIC1_PCLK_5 36
+-#define CLK_GOUT_PERIC1_PCLK_6 37
+-#define CLK_GOUT_PERIC1_PCLK_7 38
+-#define CLK_GOUT_PERIC1_PCLK_8 39
+-#define CLK_GOUT_PERIC1_PCLK_9 40
+-#define CLK_GOUT_PERIC1_PCLK_10 41
+-#define CLK_GOUT_PERIC1_PCLK_11 42
++#define CLK_GOUT_PERIC1_IPCLK_11 31
++#define CLK_GOUT_PERIC1_PCLK_0 32
++#define CLK_GOUT_PERIC1_PCLK_1 33
++#define CLK_GOUT_PERIC1_PCLK_2 34
++#define CLK_GOUT_PERIC1_PCLK_3 35
++#define CLK_GOUT_PERIC1_PCLK_4 36
++#define CLK_GOUT_PERIC1_PCLK_5 37
++#define CLK_GOUT_PERIC1_PCLK_6 38
++#define CLK_GOUT_PERIC1_PCLK_7 39
++#define CLK_GOUT_PERIC1_PCLK_8 40
++#define CLK_GOUT_PERIC1_PCLK_9 41
++#define CLK_GOUT_PERIC1_PCLK_10 42
++#define CLK_GOUT_PERIC1_PCLK_11 43
+
+-#define PERIC1_NR_CLK 43
++#define PERIC1_NR_CLK 44
+
+ /* CMU_PERIS */
+ #define CLK_MOUT_PERIS_BUS_USER 1
+--
+2.35.1
+
--- /dev/null
+From f7a4b50ca04ba53165dba35a919cdede8ade1949 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Sep 2022 15:40:46 -0600
+Subject: dyndbg: drop EXPORTed dynamic_debug_exec_queries
+
+From: Jim Cromie <jim.cromie@gmail.com>
+
+[ Upstream commit e26ef3af964acfea311403126acee8c56c89e26b ]
+
+This exported fn is unused, and will not be needed. Lets dump it.
+
+The export was added to let drm control pr_debugs, as part of using
+them to avoid drm_debug_enabled overheads. But its better to just
+implement the drm.debug bitmap interface, then its available for
+everyone.
+
+Fixes: a2d375eda771 ("dyndbg: refine export, rename to dynamic_debug_exec_queries()")
+Fixes: 4c0d77828d4f ("dyndbg: export ddebug_exec_queries")
+Acked-by: Jason Baron <jbaron@akamai.com>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Jim Cromie <jim.cromie@gmail.com>
+Link: https://lore.kernel.org/r/20220904214134.408619-10-jim.cromie@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/dynamic_debug.h | 9 ---------
+ lib/dynamic_debug.c | 29 -----------------------------
+ 2 files changed, 38 deletions(-)
+
+diff --git a/include/linux/dynamic_debug.h b/include/linux/dynamic_debug.h
+index f30b01aa9fa4..8d9eec5f6d8b 100644
+--- a/include/linux/dynamic_debug.h
++++ b/include/linux/dynamic_debug.h
+@@ -55,9 +55,6 @@ struct _ddebug {
+
+ #if defined(CONFIG_DYNAMIC_DEBUG_CORE)
+
+-/* exported for module authors to exercise >control */
+-int dynamic_debug_exec_queries(const char *query, const char *modname);
+-
+ int ddebug_add_module(struct _ddebug *tab, unsigned int n,
+ const char *modname);
+ extern int ddebug_remove_module(const char *mod_name);
+@@ -221,12 +218,6 @@ static inline int ddebug_dyndbg_module_param_cb(char *param, char *val,
+ rowsize, groupsize, buf, len, ascii); \
+ } while (0)
+
+-static inline int dynamic_debug_exec_queries(const char *query, const char *modname)
+-{
+- pr_warn("kernel not built with CONFIG_DYNAMIC_DEBUG_CORE\n");
+- return 0;
+-}
+-
+ #endif /* !CONFIG_DYNAMIC_DEBUG_CORE */
+
+ #endif
+diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c
+index 4d168efcf779..c9b3d9e5d470 100644
+--- a/lib/dynamic_debug.c
++++ b/lib/dynamic_debug.c
+@@ -557,35 +557,6 @@ static int ddebug_exec_queries(char *query, const char *modname)
+ return nfound;
+ }
+
+-/**
+- * dynamic_debug_exec_queries - select and change dynamic-debug prints
+- * @query: query-string described in admin-guide/dynamic-debug-howto
+- * @modname: string containing module name, usually &module.mod_name
+- *
+- * This uses the >/proc/dynamic_debug/control reader, allowing module
+- * authors to modify their dynamic-debug callsites. The modname is
+- * canonically struct module.mod_name, but can also be null or a
+- * module-wildcard, for example: "drm*".
+- */
+-int dynamic_debug_exec_queries(const char *query, const char *modname)
+-{
+- int rc;
+- char *qry; /* writable copy of query */
+-
+- if (!query) {
+- pr_err("non-null query/command string expected\n");
+- return -EINVAL;
+- }
+- qry = kstrndup(query, PAGE_SIZE, GFP_KERNEL);
+- if (!qry)
+- return -ENOMEM;
+-
+- rc = ddebug_exec_queries(qry, modname);
+- kfree(qry);
+- return rc;
+-}
+-EXPORT_SYMBOL_GPL(dynamic_debug_exec_queries);
+-
+ #define PREFIX_SIZE 64
+
+ static int remaining(int wrote)
+--
+2.35.1
+
--- /dev/null
+From 9c27914b55c2beacdfe3b0107117802fff8a8ffd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Sep 2022 15:40:39 -0600
+Subject: dyndbg: fix module.dyndbg handling
+
+From: Jim Cromie <jim.cromie@gmail.com>
+
+[ Upstream commit 85d6b66d31c35158364058ee98fb69ab5bb6a6b1 ]
+
+For CONFIG_DYNAMIC_DEBUG=N, the ddebug_dyndbg_module_param_cb()
+stub-fn is too permissive:
+
+bash-5.1# modprobe drm JUNKdyndbg
+bash-5.1# modprobe drm dyndbgJUNK
+[ 42.933220] dyndbg param is supported only in CONFIG_DYNAMIC_DEBUG builds
+[ 42.937484] ACPI: bus type drm_connector registered
+
+This caused no ill effects, because unknown parameters are either
+ignored by default with an "unknown parameter" warning, or ignored
+because dyndbg allows its no-effect use on non-dyndbg builds.
+
+But since the code has an explicit feedback message, it should be
+issued accurately. Fix with strcmp for exact param-name match.
+
+Fixes: b48420c1d301 dynamic_debug: make dynamic-debug work for module initialization
+Reported-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Acked-by: Jason Baron <jbaron@akamai.com>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Jim Cromie <jim.cromie@gmail.com>
+Link: https://lore.kernel.org/r/20220904214134.408619-3-jim.cromie@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/dynamic_debug.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/dynamic_debug.h b/include/linux/dynamic_debug.h
+index dce631e678dd..f30b01aa9fa4 100644
+--- a/include/linux/dynamic_debug.h
++++ b/include/linux/dynamic_debug.h
+@@ -201,7 +201,7 @@ static inline int ddebug_remove_module(const char *mod)
+ static inline int ddebug_dyndbg_module_param_cb(char *param, char *val,
+ const char *modname)
+ {
+- if (strstr(param, "dyndbg")) {
++ if (!strcmp(param, "dyndbg")) {
+ /* avoid pr_warn(), which wants pr_fmt() fully defined */
+ printk(KERN_WARNING "dyndbg param is supported only in "
+ "CONFIG_DYNAMIC_DEBUG builds\n");
+--
+2.35.1
+
--- /dev/null
+From 55c4ad1622dc360f6618898acd350562ae12ae0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Sep 2022 15:40:38 -0600
+Subject: dyndbg: fix static_branch manipulation
+
+From: Jim Cromie <jim.cromie@gmail.com>
+
+[ Upstream commit ee879be38bc87f8cedc79ae2742958db6533ca59 ]
+
+In https://lore.kernel.org/lkml/20211209150910.GA23668@axis.com/
+
+Vincent's patch commented on, and worked around, a bug toggling
+static_branch's, when a 2nd PRINTK-ish flag was added. The bug
+results in a premature static_branch_disable when the 1st of 2 flags
+was disabled.
+
+The cited commit computed newflags, but then in the JUMP_LABEL block,
+failed to use that result, instead using just one of the terms in it.
+Using newflags instead made the code work properly.
+
+This is Vincents test-case, reduced. It needs the 2nd flag to
+demonstrate the bug, but it's explanatory here.
+
+pt_test() {
+ echo 5 > /sys/module/dynamic_debug/verbose
+
+ site="module tcp" # just one callsite
+ echo " $site =_ " > /proc/dynamic_debug/control # clear it
+
+ # A B ~A ~B
+ for flg in +T +p "-T #broke here" -p; do
+ echo " $site $flg " > /proc/dynamic_debug/control
+ done;
+
+ # A B ~B ~A
+ for flg in +T +p "-p #broke here" -T; do
+ echo " $site $flg " > /proc/dynamic_debug/control
+ done
+}
+pt_test
+
+Fixes: 84da83a6ffc0 dyndbg: combine flags & mask into a struct, simplify with it
+CC: vincent.whitchurch@axis.com
+Acked-by: Jason Baron <jbaron@akamai.com>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Jim Cromie <jim.cromie@gmail.com>
+Link: https://lore.kernel.org/r/20220904214134.408619-2-jim.cromie@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/dynamic_debug.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c
+index dd7f56af9aed..a56c1286ffa4 100644
+--- a/lib/dynamic_debug.c
++++ b/lib/dynamic_debug.c
+@@ -211,10 +211,11 @@ static int ddebug_change(const struct ddebug_query *query,
+ continue;
+ #ifdef CONFIG_JUMP_LABEL
+ if (dp->flags & _DPRINTK_FLAGS_PRINT) {
+- if (!(modifiers->flags & _DPRINTK_FLAGS_PRINT))
++ if (!(newflags & _DPRINTK_FLAGS_PRINT))
+ static_branch_disable(&dp->key.dd_key_true);
+- } else if (modifiers->flags & _DPRINTK_FLAGS_PRINT)
++ } else if (newflags & _DPRINTK_FLAGS_PRINT) {
+ static_branch_enable(&dp->key.dd_key_true);
++ }
+ #endif
+ dp->flags = newflags;
+ v4pr_info("changed %s:%d [%s]%s =%s\n",
+--
+2.35.1
+
--- /dev/null
+From 6a6285f398cb881dae90662a88cc7426ce8ba109 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Sep 2022 15:40:44 -0600
+Subject: dyndbg: let query-modname override actual module name
+
+From: Jim Cromie <jim.cromie@gmail.com>
+
+[ Upstream commit e75ef56f74965f426dd819a41336b640ffdd8fbc ]
+
+dyndbg's control-parser: ddebug_parse_query(), requires that search
+terms: module, func, file, lineno, are used only once in a query; a
+thing cannot be named both foo and bar.
+
+The cited commit added an overriding module modname, taken from the
+module loader, which is authoritative. So it set query.module 1st,
+which disallowed its use in the query-string.
+
+But now, its useful to allow a module-load to enable classes across a
+whole (or part of) a subsystem at once.
+
+ # enable (dynamic-debug in) drm only
+ modprobe drm dyndbg="class DRM_UT_CORE +p"
+
+ # get drm_helper too
+ modprobe drm dyndbg="class DRM_UT_CORE module drm* +p"
+
+ # get everything that knows DRM_UT_CORE
+ modprobe drm dyndbg="class DRM_UT_CORE module * +p"
+
+ # also for boot-args:
+ drm.dyndbg="class DRM_UT_CORE module * +p"
+
+So convert the override into a default, by filling it only when/after
+the query-string omitted the module.
+
+NB: the query class FOO handling is forthcoming.
+
+Fixes: 8e59b5cfb9a6 dynamic_debug: add modname arg to exec_query callchain
+Acked-by: Jason Baron <jbaron@akamai.com>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Jim Cromie <jim.cromie@gmail.com>
+Link: https://lore.kernel.org/r/20220904214134.408619-8-jim.cromie@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/dynamic_debug.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c
+index a56c1286ffa4..4d168efcf779 100644
+--- a/lib/dynamic_debug.c
++++ b/lib/dynamic_debug.c
+@@ -384,10 +384,6 @@ static int ddebug_parse_query(char *words[], int nwords,
+ return -EINVAL;
+ }
+
+- if (modname)
+- /* support $modname.dyndbg=<multiple queries> */
+- query->module = modname;
+-
+ for (i = 0; i < nwords; i += 2) {
+ char *keyword = words[i];
+ char *arg = words[i+1];
+@@ -428,6 +424,13 @@ static int ddebug_parse_query(char *words[], int nwords,
+ if (rc)
+ return rc;
+ }
++ if (!query->module && modname)
++ /*
++ * support $modname.dyndbg=<multiple queries>, when
++ * not given in the query itself
++ */
++ query->module = modname;
++
+ vpr_info_dq(query, "parsed");
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 5aa096949b65c9aa7fe543eae6a3fc8749a99827 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 10:39:48 +0800
+Subject: erofs: fix order >= MAX_ORDER warning due to crafted negative i_size
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit 1dd73601a1cba37a0ed5f89a8662c90191df5873 ]
+
+As syzbot reported [1], the root cause is that i_size field is a
+signed type, and negative i_size is also less than EROFS_BLKSIZ.
+As a consequence, it's handled as fast symlink unexpectedly.
+
+Let's fall back to the generic path to deal with such unusual i_size.
+
+[1] https://lore.kernel.org/r/000000000000ac8efa05e7feaa1f@google.com
+
+Reported-by: syzbot+f966c13b1b4fc0403b19@syzkaller.appspotmail.com
+Fixes: 431339ba9042 ("staging: erofs: add inode operations")
+Reviewed-by: Yue Hu <huyue2@coolpad.com>
+Link: https://lore.kernel.org/r/20220909023948.28925-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c
+index 95a403720e8c..16cf9a283557 100644
+--- a/fs/erofs/inode.c
++++ b/fs/erofs/inode.c
+@@ -214,7 +214,7 @@ static int erofs_fill_symlink(struct inode *inode, void *kaddr,
+
+ /* if it cannot be handled with fast symlink scheme */
+ if (vi->datalayout != EROFS_INODE_FLAT_INLINE ||
+- inode->i_size >= EROFS_BLKSIZ) {
++ inode->i_size >= EROFS_BLKSIZ || inode->i_size < 0) {
+ inode->i_op = &erofs_symlink_iops;
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 647af68a2d99027b942180394409855dd061c16a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Sep 2022 12:34:51 +0800
+Subject: erofs: use kill_anon_super() to kill super in fscache mode
+
+From: Jia Zhu <zhujia.zj@bytedance.com>
+
+[ Upstream commit 1015c1016c231b26d4e2c9b3da65b6c043eb97a3 ]
+
+Use kill_anon_super() instead of generic_shutdown_super() since the
+mount() in erofs fscache mode uses get_tree_nodev() and associated
+anon bdev needs to be freed.
+
+Fixes: 9c0cc9c729657 ("erofs: add 'fsid' mount option")
+Suggested-by: Jingbo Xu <jefflexu@linux.alibaba.com>
+Signed-off-by: Jia Zhu <zhujia.zj@bytedance.com>
+Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20220918043456.147-2-zhujia.zj@bytedance.com
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/erofs/super.c b/fs/erofs/super.c
+index 3173debeaa5a..9716d355a63e 100644
+--- a/fs/erofs/super.c
++++ b/fs/erofs/super.c
+@@ -879,7 +879,7 @@ static void erofs_kill_sb(struct super_block *sb)
+ WARN_ON(sb->s_magic != EROFS_SUPER_MAGIC);
+
+ if (erofs_is_fscache_mode(sb))
+- generic_shutdown_super(sb);
++ kill_anon_super(sb);
+ else
+ kill_block_super(sb);
+
+--
+2.35.1
+
--- /dev/null
+From a6d14d91cef1d139e88900c837f70bfef6d1b9d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 17:16:51 +0200
+Subject: esp: choose the correct inner protocol for GSO on inter address
+ family tunnels
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 26dbd66eab8080be51759e48280da04015221e22 ]
+
+Commit 23c7f8d7989e ("net: Fix esp GSO on inter address family
+tunnels.") is incomplete. It passes to skb_eth_gso_segment the
+protocol for the outer IP version, instead of the inner IP version, so
+we end up calling inet_gso_segment on an inner IPv6 packet and
+ipv6_gso_segment on an inner IPv4 packet and the packets are dropped.
+
+This patch completes the fix by selecting the correct protocol based
+on the inner mode's family.
+
+Fixes: c35fe4106b92 ("xfrm: Add mode handlers for IPsec on layer 2")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/esp4_offload.c | 5 ++++-
+ net/ipv6/esp6_offload.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
+index 935026f4c807..170152772d33 100644
+--- a/net/ipv4/esp4_offload.c
++++ b/net/ipv4/esp4_offload.c
+@@ -110,7 +110,10 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- return skb_eth_gso_segment(skb, features, htons(ETH_P_IP));
++ __be16 type = x->inner_mode.family == AF_INET6 ? htons(ETH_P_IPV6)
++ : htons(ETH_P_IP);
++
++ return skb_eth_gso_segment(skb, features, type);
+ }
+
+ static struct sk_buff *xfrm4_transport_gso_segment(struct xfrm_state *x,
+diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
+index 3a293838a91d..79d43548279c 100644
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -145,7 +145,10 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x,
+ struct sk_buff *skb,
+ netdev_features_t features)
+ {
+- return skb_eth_gso_segment(skb, features, htons(ETH_P_IPV6));
++ __be16 type = x->inner_mode.family == AF_INET ? htons(ETH_P_IP)
++ : htons(ETH_P_IPV6);
++
++ return skb_eth_gso_segment(skb, features, type);
+ }
+
+ static struct sk_buff *xfrm6_transport_gso_segment(struct xfrm_state *x,
+--
+2.35.1
+
--- /dev/null
+From 71a3fe8df68971451946dd1c12b7e5a22abd2ea2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Sep 2022 11:12:36 -0700
+Subject: eth: alx: take rtnl_lock on resume
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 6ad1c94e1e7e374d88f0cfd77936dddb8339aaba ]
+
+Zbynek reports that alx trips an rtnl assertion on resume:
+
+ RTNL: assertion failed at net/core/dev.c (2891)
+ RIP: 0010:netif_set_real_num_tx_queues+0x1ac/0x1c0
+ Call Trace:
+ <TASK>
+ __alx_open+0x230/0x570 [alx]
+ alx_resume+0x54/0x80 [alx]
+ ? pci_legacy_resume+0x80/0x80
+ dpm_run_callback+0x4a/0x150
+ device_resume+0x8b/0x190
+ async_resume+0x19/0x30
+ async_run_entry_fn+0x30/0x130
+ process_one_work+0x1e5/0x3b0
+
+indeed the driver does not hold rtnl_lock during its internal close
+and re-open functions during suspend/resume. Note that this is not
+a huge bug as the driver implements its own locking, and does not
+implement changing the number of queues, but we need to silence
+the splat.
+
+Fixes: 4a5fe57e7751 ("alx: use fine-grained locking instead of RTNL")
+Reported-and-tested-by: Zbynek Michl <zbynek.michl@gmail.com>
+Reviewed-by: Niels Dossche <dossche.niels@gmail.com>
+Link: https://lore.kernel.org/r/20220928181236.1053043-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/alx/main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c
+index a89b93cb4e26..d5939586c82e 100644
+--- a/drivers/net/ethernet/atheros/alx/main.c
++++ b/drivers/net/ethernet/atheros/alx/main.c
+@@ -1912,11 +1912,14 @@ static int alx_suspend(struct device *dev)
+
+ if (!netif_running(alx->dev))
+ return 0;
++
++ rtnl_lock();
+ netif_device_detach(alx->dev);
+
+ mutex_lock(&alx->mtx);
+ __alx_stop(alx);
+ mutex_unlock(&alx->mtx);
++ rtnl_unlock();
+
+ return 0;
+ }
+@@ -1927,6 +1930,7 @@ static int alx_resume(struct device *dev)
+ struct alx_hw *hw = &alx->hw;
+ int err;
+
++ rtnl_lock();
+ mutex_lock(&alx->mtx);
+ alx_reset_phy(hw);
+
+@@ -1943,6 +1947,7 @@ static int alx_resume(struct device *dev)
+
+ unlock:
+ mutex_unlock(&alx->mtx);
++ rtnl_unlock();
+ return err;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From ed8a503900ae3feb07a09844cc4131af36caef61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 14:57:40 +0530
+Subject: eth: lan743x: reject extts for non-pci11x1x devices
+
+From: Raju Lakkaraju <Raju.Lakkaraju@microchip.com>
+
+[ Upstream commit cb4b12071a4b68df323c339f60805834246b3e9e ]
+
+Remove PTP_PF_EXTTS support for non-PCI11x1x devices since they do not support
+the PTP-IO Input event triggered timestamping mechanisms added
+
+Fixes: 60942c397af6 ("net: lan743x: Add support for PTP-IO Event Input External Timestamp (extts)")
+Signed-off-by: Raju Lakkaraju <Raju.Lakkaraju@microchip.com>
+Reviewed-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/lan743x_ptp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/ethernet/microchip/lan743x_ptp.c b/drivers/net/ethernet/microchip/lan743x_ptp.c
+index 6a11e2ceb013..da3ea905adbb 100644
+--- a/drivers/net/ethernet/microchip/lan743x_ptp.c
++++ b/drivers/net/ethernet/microchip/lan743x_ptp.c
+@@ -1049,6 +1049,10 @@ static int lan743x_ptpci_verify_pin_config(struct ptp_clock_info *ptp,
+ enum ptp_pin_function func,
+ unsigned int chan)
+ {
++ struct lan743x_ptp *lan_ptp =
++ container_of(ptp, struct lan743x_ptp, ptp_clock_info);
++ struct lan743x_adapter *adapter =
++ container_of(lan_ptp, struct lan743x_adapter, ptp);
+ int result = 0;
+
+ /* Confirm the requested function is supported. Parameter
+@@ -1057,7 +1061,10 @@ static int lan743x_ptpci_verify_pin_config(struct ptp_clock_info *ptp,
+ switch (func) {
+ case PTP_PF_NONE:
+ case PTP_PF_PEROUT:
++ break;
+ case PTP_PF_EXTTS:
++ if (!adapter->is_pci11x1x)
++ result = -1;
+ break;
+ case PTP_PF_PHYSYNC:
+ default:
+--
+2.35.1
+
--- /dev/null
+From bf98249d4efb223de87381b2486d79c4021681c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Oct 2022 01:57:25 +0800
+Subject: eth: sp7021: fix use after free bug in spl2sw_nvmem_get_mac_address
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit 12aece8b01507a2d357a1861f470e83621fbb6f2 ]
+
+This frees "mac" and tries to display its address as part of the error
+message on the next line. Swap the order.
+
+Fixes: fd3040b9394c ("net: ethernet: Add driver for Sunplus SP7021")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sunplus/spl2sw_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sunplus/spl2sw_driver.c b/drivers/net/ethernet/sunplus/spl2sw_driver.c
+index 546206640492..61d1d07dc070 100644
+--- a/drivers/net/ethernet/sunplus/spl2sw_driver.c
++++ b/drivers/net/ethernet/sunplus/spl2sw_driver.c
+@@ -248,8 +248,8 @@ static int spl2sw_nvmem_get_mac_address(struct device *dev, struct device_node *
+
+ /* Check if mac address is valid */
+ if (!is_valid_ether_addr(mac)) {
+- kfree(mac);
+ dev_info(dev, "Invalid mac address in nvmem (%pM)!\n", mac);
++ kfree(mac);
+ return -EINVAL;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 58f101ef2a8891f0efc852fdd09657b681add687 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 06:59:59 -0700
+Subject: eventfd: guard wake_up in eventfd fs calls as well
+
+From: Dylan Yudaken <dylany@fb.com>
+
+[ Upstream commit 9f0deaa12d832f488500a5afe9b912e9b3cfc432 ]
+
+Guard wakeups that the user can trigger, and that may end up triggering a
+call back into eventfd_signal. This is in addition to the current approach
+that only guards in eventfd_signal.
+
+Rename in_eventfd_signal -> in_eventfd at the same time to reflect this.
+
+Without this there would be a deadlock in the following code using libaio:
+
+int main()
+{
+ struct io_context *ctx = NULL;
+ struct iocb iocb;
+ struct iocb *iocbs[] = { &iocb };
+ int evfd;
+ uint64_t val = 1;
+
+ evfd = eventfd(0, EFD_CLOEXEC);
+ assert(!io_setup(2, &ctx));
+ io_prep_poll(&iocb, evfd, POLLIN);
+ io_set_eventfd(&iocb, evfd);
+ assert(1 == io_submit(ctx, 1, iocbs));
+ write(evfd, &val, 8);
+}
+
+Signed-off-by: Dylan Yudaken <dylany@fb.com>
+Reviewed-by: Jens Axboe <axboe@kernel.dk>
+Link: https://lore.kernel.org/r/20220816135959.1490641-1-dylany@fb.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 3b8fdd1dc35e ("io_uring/fdinfo: fix sqe dumping for IORING_SETUP_SQE128")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/eventfd.c | 10 +++++++---
+ include/linux/eventfd.h | 2 +-
+ include/linux/sched.h | 2 +-
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/fs/eventfd.c b/fs/eventfd.c
+index 3627dd7d25db..c0ffee99ad23 100644
+--- a/fs/eventfd.c
++++ b/fs/eventfd.c
+@@ -69,17 +69,17 @@ __u64 eventfd_signal(struct eventfd_ctx *ctx, __u64 n)
+ * it returns false, the eventfd_signal() call should be deferred to a
+ * safe context.
+ */
+- if (WARN_ON_ONCE(current->in_eventfd_signal))
++ if (WARN_ON_ONCE(current->in_eventfd))
+ return 0;
+
+ spin_lock_irqsave(&ctx->wqh.lock, flags);
+- current->in_eventfd_signal = 1;
++ current->in_eventfd = 1;
+ if (ULLONG_MAX - ctx->count < n)
+ n = ULLONG_MAX - ctx->count;
+ ctx->count += n;
+ if (waitqueue_active(&ctx->wqh))
+ wake_up_locked_poll(&ctx->wqh, EPOLLIN);
+- current->in_eventfd_signal = 0;
++ current->in_eventfd = 0;
+ spin_unlock_irqrestore(&ctx->wqh.lock, flags);
+
+ return n;
+@@ -253,8 +253,10 @@ static ssize_t eventfd_read(struct kiocb *iocb, struct iov_iter *to)
+ __set_current_state(TASK_RUNNING);
+ }
+ eventfd_ctx_do_read(ctx, &ucnt);
++ current->in_eventfd = 1;
+ if (waitqueue_active(&ctx->wqh))
+ wake_up_locked_poll(&ctx->wqh, EPOLLOUT);
++ current->in_eventfd = 0;
+ spin_unlock_irq(&ctx->wqh.lock);
+ if (unlikely(copy_to_iter(&ucnt, sizeof(ucnt), to) != sizeof(ucnt)))
+ return -EFAULT;
+@@ -301,8 +303,10 @@ static ssize_t eventfd_write(struct file *file, const char __user *buf, size_t c
+ }
+ if (likely(res > 0)) {
+ ctx->count += ucnt;
++ current->in_eventfd = 1;
+ if (waitqueue_active(&ctx->wqh))
+ wake_up_locked_poll(&ctx->wqh, EPOLLIN);
++ current->in_eventfd = 0;
+ }
+ spin_unlock_irq(&ctx->wqh.lock);
+
+diff --git a/include/linux/eventfd.h b/include/linux/eventfd.h
+index 305d5f19093b..30eb30d6909b 100644
+--- a/include/linux/eventfd.h
++++ b/include/linux/eventfd.h
+@@ -46,7 +46,7 @@ void eventfd_ctx_do_read(struct eventfd_ctx *ctx, __u64 *cnt);
+
+ static inline bool eventfd_signal_allowed(void)
+ {
+- return !current->in_eventfd_signal;
++ return !current->in_eventfd;
+ }
+
+ #else /* CONFIG_EVENTFD */
+diff --git a/include/linux/sched.h b/include/linux/sched.h
+index e7b2f8a5c711..8d82d6d32670 100644
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -936,7 +936,7 @@ struct task_struct {
+ #endif
+ #ifdef CONFIG_EVENTFD
+ /* Recursion prevention for eventfd_signal() */
+- unsigned in_eventfd_signal:1;
++ unsigned in_eventfd:1;
+ #endif
+ #ifdef CONFIG_IOMMU_SVA
+ unsigned pasid_activated:1;
+--
+2.35.1
+
--- /dev/null
+From c69ecca73fec9524c5750e3929d466909dce2041 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Sep 2022 17:29:33 +0200
+Subject: ext2: Use kvmalloc() for group descriptor array
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit e7c7fbb9a8574ebd89cc05db49d806c7476863ad ]
+
+Array of group descriptor block buffers can get rather large. In theory
+in can reach 1MB for perfectly valid filesystem and even more for
+maliciously crafted ones. Use kvmalloc() to allocate the array to avoid
+straining memory allocator with large order allocations unnecessarily.
+
+Reported-by: syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext2/super.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext2/super.c b/fs/ext2/super.c
+index afb31af9302d..03f2af98b1b4 100644
+--- a/fs/ext2/super.c
++++ b/fs/ext2/super.c
+@@ -163,7 +163,7 @@ static void ext2_put_super (struct super_block * sb)
+ db_count = sbi->s_gdb_count;
+ for (i = 0; i < db_count; i++)
+ brelse(sbi->s_group_desc[i]);
+- kfree(sbi->s_group_desc);
++ kvfree(sbi->s_group_desc);
+ kfree(sbi->s_debts);
+ percpu_counter_destroy(&sbi->s_freeblocks_counter);
+ percpu_counter_destroy(&sbi->s_freeinodes_counter);
+@@ -1092,7 +1092,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent)
+ }
+ db_count = (sbi->s_groups_count + EXT2_DESC_PER_BLOCK(sb) - 1) /
+ EXT2_DESC_PER_BLOCK(sb);
+- sbi->s_group_desc = kmalloc_array(db_count,
++ sbi->s_group_desc = kvmalloc_array(db_count,
+ sizeof(struct buffer_head *),
+ GFP_KERNEL);
+ if (sbi->s_group_desc == NULL) {
+@@ -1218,7 +1218,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent)
+ for (i = 0; i < db_count; i++)
+ brelse(sbi->s_group_desc[i]);
+ failed_mount_group_desc:
+- kfree(sbi->s_group_desc);
++ kvfree(sbi->s_group_desc);
+ kfree(sbi->s_debts);
+ failed_mount:
+ brelse(bh);
+--
+2.35.1
+
--- /dev/null
+From d92c21f858fefb7cb5b94b96a40cabd48d984fc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Jul 2022 10:25:19 +0000
+Subject: ext4: continue to expand file system when the target size doesn't
+ reach
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jerry Lee 李修賢 <jerrylee@qnap.com>
+
+[ Upstream commit df3cb754d13d2cd5490db9b8d536311f8413a92e ]
+
+When expanding a file system from (16TiB-2MiB) to 18TiB, the operation
+exits early which leads to result inconsistency between resize2fs and
+Ext4 kernel driver.
+
+=== before ===
+○ → resize2fs /dev/mapper/thin
+resize2fs 1.45.5 (07-Jan-2020)
+Filesystem at /dev/mapper/thin is mounted on /mnt/test; on-line resizing required
+old_desc_blocks = 2048, new_desc_blocks = 2304
+The filesystem on /dev/mapper/thin is now 4831837696 (4k) blocks long.
+
+[ 865.186308] EXT4-fs (dm-5): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none.
+[ 912.091502] dm-4: detected capacity change from 34359738368 to 38654705664
+[ 970.030550] dm-5: detected capacity change from 34359734272 to 38654701568
+[ 1000.012751] EXT4-fs (dm-5): resizing filesystem from 4294966784 to 4831837696 blocks
+[ 1000.012878] EXT4-fs (dm-5): resized filesystem to 4294967296
+
+=== after ===
+[ 129.104898] EXT4-fs (dm-5): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none.
+[ 143.773630] dm-4: detected capacity change from 34359738368 to 38654705664
+[ 198.203246] dm-5: detected capacity change from 34359734272 to 38654701568
+[ 207.918603] EXT4-fs (dm-5): resizing filesystem from 4294966784 to 4831837696 blocks
+[ 207.918754] EXT4-fs (dm-5): resizing filesystem from 4294967296 to 4831837696 blocks
+[ 207.918758] EXT4-fs (dm-5): Converting file system to meta_bg
+[ 207.918790] EXT4-fs (dm-5): resizing filesystem from 4294967296 to 4831837696 blocks
+[ 221.454050] EXT4-fs (dm-5): resized to 4658298880 blocks
+[ 227.634613] EXT4-fs (dm-5): resized filesystem to 4831837696
+
+Signed-off-by: Jerry Lee <jerrylee@qnap.com>
+Link: https://lore.kernel.org/r/PU1PR04MB22635E739BD21150DC182AC6A18C9@PU1PR04MB2263.apcprd04.prod.outlook.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 426d15ad1141 ("ext4: don't run ext4lazyinit for read-only filesystems")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/resize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index fea2a68d067b..6dfe9ccae0c5 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -2122,7 +2122,7 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count)
+ goto out;
+ }
+
+- if (ext4_blocks_count(es) == n_blocks_count)
++ if (ext4_blocks_count(es) == n_blocks_count && n_blocks_count_retry == 0)
+ goto out;
+
+ err = ext4_alloc_flex_bg_array(sb, n_group + 1);
+--
+2.35.1
+
--- /dev/null
+From 4d73901a7589cf662b6a771fd2746713c4cef252 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Jul 2022 20:24:53 -0700
+Subject: ext4: don't run ext4lazyinit for read-only filesystems
+
+From: Josh Triplett <josh@joshtriplett.org>
+
+[ Upstream commit 426d15ad11419066f7042ffa8fbf1b5c21a1ecbe ]
+
+On a read-only filesystem, we won't invoke the block allocator, so we
+don't need to prefetch the block bitmaps.
+
+This avoids starting and running the ext4lazyinit thread at all on a
+system with no read-write ext4 filesystems (for instance, a container VM
+with read-only filesystems underneath an overlayfs).
+
+Fixes: 21175ca434c5 ("ext4: make prefetch_block_bitmaps default")
+Signed-off-by: Josh Triplett <josh@joshtriplett.org>
+Reviewed-by: Lukas Czerner <lczerner@redhat.com>
+Link: https://lore.kernel.org/r/48b41da1498fcac3287e2e06b660680646c1c050.1659323972.git.josh@joshtriplett.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/super.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 323dbcfd285c..091db733834e 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3962,9 +3962,9 @@ int ext4_register_li_request(struct super_block *sb,
+ goto out;
+ }
+
+- if (test_opt(sb, NO_PREFETCH_BLOCK_BITMAPS) &&
+- (first_not_zeroed == ngroups || sb_rdonly(sb) ||
+- !test_opt(sb, INIT_INODE_TABLE)))
++ if (sb_rdonly(sb) ||
++ (test_opt(sb, NO_PREFETCH_BLOCK_BITMAPS) &&
++ (first_not_zeroed == ngroups || !test_opt(sb, INIT_INODE_TABLE))))
+ goto out;
+
+ elr = ext4_li_request_new(sb, first_not_zeroed);
+--
+2.35.1
+
--- /dev/null
+From 4e24983b3bb9ac86917a91eab9add1f54fdb8061 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Sep 2022 12:59:17 +0800
+Subject: f2fs: fix race condition on setting FI_NO_EXTENT flag
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 07725adc55c0a414c10acb5c8c86cea34b95ddef ]
+
+The following scenarios exist.
+process A: process B:
+->f2fs_drop_extent_tree ->f2fs_update_extent_cache_range
+ ->f2fs_update_extent_tree_range
+ ->write_lock
+ ->set_inode_flag
+ ->is_inode_flag_set
+ ->__free_extent_tree // Shouldn't
+ // have been
+ // cleaned up
+ // here
+ ->write_lock
+
+In this case, the "FI_NO_EXTENT" flag is set between
+f2fs_update_extent_tree_range and is_inode_flag_set
+by other process. it leads to clearing the whole exten
+tree which should not have happened. And we fix it by
+move the setting it to the range of write_lock.
+
+Fixes:5f281fab9b9a3 ("f2fs: disable extent_cache for fcollapse/finsert inodes")
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/extent_cache.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c
+index 866e72b29bd5..761fd42c93f2 100644
+--- a/fs/f2fs/extent_cache.c
++++ b/fs/f2fs/extent_cache.c
+@@ -804,9 +804,8 @@ void f2fs_drop_extent_tree(struct inode *inode)
+ if (!f2fs_may_extent_tree(inode))
+ return;
+
+- set_inode_flag(inode, FI_NO_EXTENT);
+-
+ write_lock(&et->lock);
++ set_inode_flag(inode, FI_NO_EXTENT);
+ __free_extent_tree(sbi, et);
+ if (et->largest.len) {
+ et->largest.len = 0;
+--
+2.35.1
+
--- /dev/null
+From 28101df3d381150b3f0e541bea4c23e6f902c7db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Sep 2022 21:28:46 +0800
+Subject: f2fs: fix to account FS_CP_DATA_IO correctly
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit d80afefb17e01aa0c46a8eebc01882e0ebd8b0f6 ]
+
+f2fs_inode_info.cp_task was introduced for FS_CP_DATA_IO accounting
+since commit b0af6d491a6b ("f2fs: add app/fs io stat").
+
+However, cp_task usage coverage has been increased due to below
+commits:
+commit 040d2bb318d1 ("f2fs: fix to avoid deadloop if data_flush is on")
+commit 186857c5a14a ("f2fs: fix potential recursive call when enabling data_flush")
+
+So that, if data_flush mountoption is on, when data flush was
+triggered from background, the IO from data flush will be accounted
+as checkpoint IO type incorrectly.
+
+In order to fix this issue, this patch splits cp_task into two:
+a) cp_task: used for IO accounting
+b) wb_task: used to avoid deadlock
+
+Fixes: 040d2bb318d1 ("f2fs: fix to avoid deadloop if data_flush is on")
+Fixes: 186857c5a14a ("f2fs: fix potential recursive call when enabling data_flush")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/checkpoint.c | 13 +++++++++----
+ fs/f2fs/data.c | 4 ++--
+ fs/f2fs/f2fs.h | 4 +++-
+ fs/f2fs/segment.c | 2 +-
+ 4 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c
+index f051a73e464a..e04ed60cc9e2 100644
+--- a/fs/f2fs/checkpoint.c
++++ b/fs/f2fs/checkpoint.c
+@@ -1061,7 +1061,8 @@ void f2fs_remove_dirty_inode(struct inode *inode)
+ spin_unlock(&sbi->inode_lock[type]);
+ }
+
+-int f2fs_sync_dirty_inodes(struct f2fs_sb_info *sbi, enum inode_type type)
++int f2fs_sync_dirty_inodes(struct f2fs_sb_info *sbi, enum inode_type type,
++ bool from_cp)
+ {
+ struct list_head *head;
+ struct inode *inode;
+@@ -1096,11 +1097,15 @@ int f2fs_sync_dirty_inodes(struct f2fs_sb_info *sbi, enum inode_type type)
+ if (inode) {
+ unsigned long cur_ino = inode->i_ino;
+
+- F2FS_I(inode)->cp_task = current;
++ if (from_cp)
++ F2FS_I(inode)->cp_task = current;
++ F2FS_I(inode)->wb_task = current;
+
+ filemap_fdatawrite(inode->i_mapping);
+
+- F2FS_I(inode)->cp_task = NULL;
++ F2FS_I(inode)->wb_task = NULL;
++ if (from_cp)
++ F2FS_I(inode)->cp_task = NULL;
+
+ iput(inode);
+ /* We need to give cpu to another writers. */
+@@ -1229,7 +1234,7 @@ static int block_operations(struct f2fs_sb_info *sbi)
+ /* write all the dirty dentry pages */
+ if (get_pages(sbi, F2FS_DIRTY_DENTS)) {
+ f2fs_unlock_all(sbi);
+- err = f2fs_sync_dirty_inodes(sbi, DIR_INODE);
++ err = f2fs_sync_dirty_inodes(sbi, DIR_INODE, true);
+ if (err)
+ return err;
+ cond_resched();
+diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
+index aa3ccddfa037..5e88272d94e4 100644
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -2856,7 +2856,7 @@ int f2fs_write_single_data_page(struct page *page, int *submitted,
+ }
+ unlock_page(page);
+ if (!S_ISDIR(inode->i_mode) && !IS_NOQUOTA(inode) &&
+- !F2FS_I(inode)->cp_task && allow_balance)
++ !F2FS_I(inode)->wb_task && allow_balance)
+ f2fs_balance_fs(sbi, need_balance_fs);
+
+ if (unlikely(f2fs_cp_error(sbi))) {
+@@ -3156,7 +3156,7 @@ static inline bool __should_serialize_io(struct inode *inode,
+ struct writeback_control *wbc)
+ {
+ /* to avoid deadlock in path of data flush */
+- if (F2FS_I(inode)->cp_task)
++ if (F2FS_I(inode)->wb_task)
+ return false;
+
+ if (!S_ISREG(inode->i_mode))
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 30fdda714e95..1e57b11ffe2a 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -786,6 +786,7 @@ struct f2fs_inode_info {
+ unsigned int clevel; /* maximum level of given file name */
+ struct task_struct *task; /* lookup and create consistency */
+ struct task_struct *cp_task; /* separate cp/wb IO stats*/
++ struct task_struct *wb_task; /* indicate inode is in context of writeback */
+ nid_t i_xattr_nid; /* node id that contains xattrs */
+ loff_t last_disk_size; /* lastly written file size */
+ spinlock_t i_size_lock; /* protect last_disk_size */
+@@ -3741,7 +3742,8 @@ int f2fs_recover_orphan_inodes(struct f2fs_sb_info *sbi);
+ int f2fs_get_valid_checkpoint(struct f2fs_sb_info *sbi);
+ void f2fs_update_dirty_folio(struct inode *inode, struct folio *folio);
+ void f2fs_remove_dirty_inode(struct inode *inode);
+-int f2fs_sync_dirty_inodes(struct f2fs_sb_info *sbi, enum inode_type type);
++int f2fs_sync_dirty_inodes(struct f2fs_sb_info *sbi, enum inode_type type,
++ bool from_cp);
+ void f2fs_wait_on_all_pages(struct f2fs_sb_info *sbi, int type);
+ u64 f2fs_get_sectors_written(struct f2fs_sb_info *sbi);
+ int f2fs_write_checkpoint(struct f2fs_sb_info *sbi, struct cp_control *cpc);
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 0de21f82d7bc..84bad18ce13d 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -476,7 +476,7 @@ void f2fs_balance_fs_bg(struct f2fs_sb_info *sbi, bool from_bg)
+ mutex_lock(&sbi->flush_lock);
+
+ blk_start_plug(&plug);
+- f2fs_sync_dirty_inodes(sbi, FILE_INODE);
++ f2fs_sync_dirty_inodes(sbi, FILE_INODE, false);
+ blk_finish_plug(&plug);
+
+ mutex_unlock(&sbi->flush_lock);
+--
+2.35.1
+
--- /dev/null
+From 3aad170adafdf3ce4aac4e0c9300efa1a98164ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 17:07:55 -0300
+Subject: firmware: google: Test spinlock on panic path to avoid lockups
+
+From: Guilherme G. Piccoli <gpiccoli@igalia.com>
+
+[ Upstream commit 3e081438b8e639cc76ef1a5ce0c1bd8a154082c7 ]
+
+Currently the gsmi driver registers a panic notifier as well as
+reboot and die notifiers. The callbacks registered are called in
+atomic and very limited context - for instance, panic disables
+preemption and local IRQs, also all secondary CPUs (not executing
+the panic path) are shutdown.
+
+With that said, taking a spinlock in this scenario is a dangerous
+invitation for lockup scenarios. So, fix that by checking if the
+spinlock is free to acquire in the panic notifier callback - if not,
+bail-out and avoid a potential hang.
+
+Fixes: 74c5b31c6618 ("driver: Google EFI SMI")
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Ard Biesheuvel <ardb@kernel.org>
+Cc: David Gow <davidgow@google.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Julius Werner <jwerner@chromium.org>
+Cc: Petr Mladek <pmladek@suse.com>
+Reviewed-by: Evan Green <evgreen@chromium.org>
+Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
+Link: https://lore.kernel.org/r/20220909200755.189679-1-gpiccoli@igalia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/google/gsmi.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/firmware/google/gsmi.c b/drivers/firmware/google/gsmi.c
+index adaa492c3d2d..4e2575dfeb90 100644
+--- a/drivers/firmware/google/gsmi.c
++++ b/drivers/firmware/google/gsmi.c
+@@ -681,6 +681,15 @@ static struct notifier_block gsmi_die_notifier = {
+ static int gsmi_panic_callback(struct notifier_block *nb,
+ unsigned long reason, void *arg)
+ {
++
++ /*
++ * Panic callbacks are executed with all other CPUs stopped,
++ * so we must not attempt to spin waiting for gsmi_dev.lock
++ * to be released.
++ */
++ if (spin_is_locked(&gsmi_dev.lock))
++ return NOTIFY_DONE;
++
+ gsmi_shutdown_reason(GSMI_SHUTDOWN_PANIC);
+ return NOTIFY_DONE;
+ }
+--
+2.35.1
+
--- /dev/null
+From a61433c38717635fde462b286e5e00db6b6b7b8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 15:48:08 +0800
+Subject: flow_dissector: Do not count vlan tags inside tunnel payload
+
+From: Qingqing Yang <qingqing.yang@broadcom.com>
+
+[ Upstream commit 9f87eb4246994e32a4e4ea88476b20ab3b412840 ]
+
+We've met the problem that when there is a vlan tag inside
+GRE encapsulation, the match of num_of_vlans fails.
+It is caused by the vlan tag inside GRE payload has been
+counted into num_of_vlans, which is not expected.
+
+One example packet is like this:
+Ethernet II, Src: Broadcom_68:56:07 (00:10:18:68:56:07)
+ Dst: Broadcom_68:56:08 (00:10:18:68:56:08)
+802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 100
+Internet Protocol Version 4, Src: 192.168.1.4, Dst: 192.168.1.200
+Generic Routing Encapsulation (Transparent Ethernet bridging)
+Ethernet II, Src: Broadcom_68:58:07 (00:10:18:68:58:07)
+ Dst: Broadcom_68:58:08 (00:10:18:68:58:08)
+802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 200
+...
+It should match the (num_of_vlans 1) rule, but it matches
+the (num_of_vlans 2) rule.
+
+The vlan tags inside the GRE or other tunnel encapsulated payload
+should not be taken into num_of_vlans.
+The fix is to stop counting the vlan number when the encapsulation
+bit is set.
+
+Fixes: 34951fcf26c5 ("flow_dissector: Add number of vlan tags dissector")
+Signed-off-by: Qingqing Yang <qingqing.yang@broadcom.com>
+Reviewed-by: Boris Sukholitko <boris.sukholitko@broadcom.com>
+Link: https://lore.kernel.org/r/20220919074808.136640-1-qingqing.yang@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/flow_dissector.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
+index 5dc3860e9fc7..7105529abb0f 100644
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -1173,8 +1173,8 @@ bool __skb_flow_dissect(const struct net *net,
+ nhoff += sizeof(*vlan);
+ }
+
+- if (dissector_uses_key(flow_dissector,
+- FLOW_DISSECTOR_KEY_NUM_OF_VLANS)) {
++ if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_NUM_OF_VLANS) &&
++ !(key_control->flags & FLOW_DIS_ENCAPSULATION)) {
+ struct flow_dissector_key_num_of_vlans *key_nvs;
+
+ key_nvs = skb_flow_dissector_target(flow_dissector,
+--
+2.35.1
+
--- /dev/null
+From fd78585902fa2ec8bbb9237154f862083d308048 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 13:02:26 -0700
+Subject: fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit d07c0acb4f41cc42a0d97530946965b3e4fa68c1 ]
+
+With CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we observe
+a runtime panic while running Android's Compatibility Test Suite's (CTS)
+android.hardware.input.cts.tests. This is stemming from a strlen()
+call in hidinput_allocate().
+
+__compiletime_strlen() is implemented in terms of __builtin_object_size(),
+then does an array access to check for NUL-termination. A quirk of
+__builtin_object_size() is that for strings whose values are runtime
+dependent, __builtin_object_size(str, 1 or 0) returns the maximum size
+of possible values when those sizes are determinable at compile time.
+Example:
+
+ static const char *v = "FOO BAR";
+ static const char *y = "FOO BA";
+ unsigned long x (int z) {
+ // Returns 8, which is:
+ // max(__builtin_object_size(v, 1), __builtin_object_size(y, 1))
+ return __builtin_object_size(z ? v : y, 1);
+ }
+
+So when FORTIFY_SOURCE is enabled, the current implementation of
+__compiletime_strlen() will try to access beyond the end of y at runtime
+using the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault.
+
+hidinput_allocate() has a local C string whose value is control flow
+dependent on a switch statement, so __builtin_object_size(str, 1)
+evaluates to the maximum string length, making all other cases fault on
+the last character check. hidinput_allocate() could be cleaned up to
+avoid runtime calls to strlen() since the local variable can only have
+literal values, so there's no benefit to trying to fortify the strlen
+call site there.
+
+Perform a __builtin_constant_p() check against index 0 earlier in the
+macro to filter out the control-flow-dependant case. Add a KUnit test
+for checking the expected behavioral characteristics of FORTIFY_SOURCE
+internals.
+
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Tom Rix <trix@redhat.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: "Steven Rostedt (Google)" <rostedt@goodmis.org>
+Cc: David Gow <davidgow@google.com>
+Cc: Yury Norov <yury.norov@gmail.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Sander Vanheule <sander@svanheule.net>
+Cc: linux-hardening@vger.kernel.org
+Cc: llvm@lists.linux.dev
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Tested-by: Android Treehugger Robot
+Link: https://android-review.googlesource.com/c/kernel/common/+/2206839
+Co-developed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/fortify-string.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
+index 3b401fa0f374..fce2fb2fc962 100644
+--- a/include/linux/fortify-string.h
++++ b/include/linux/fortify-string.h
+@@ -19,7 +19,8 @@ void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning("
+ unsigned char *__p = (unsigned char *)(p); \
+ size_t __ret = (size_t)-1; \
+ size_t __p_size = __builtin_object_size(p, 1); \
+- if (__p_size != (size_t)-1) { \
++ if (__p_size != (size_t)-1 && \
++ __builtin_constant_p(*__p)) { \
+ size_t __p_len = __p_size - 1; \
+ if (__builtin_constant_p(__p[__p_len]) && \
+ __p[__p_len] == '\0') \
+--
+2.35.1
+
--- /dev/null
+From a5aec5d372f898a6c261c9c84aee553fc1fc8b64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Jul 2022 07:56:44 -0700
+Subject: fpga: dfl-pci: Add IDs for Intel N6000, N6001 and C6100 cards
+
+From: Matthew Gerlach <matthew.gerlach@linux.intel.com>
+
+[ Upstream commit 65f5c01033ab85f8d385d65c4b51fe31459da603 ]
+
+Add pci_dev_table entries supporting the Intel N6000, N6001
+and C6100 cards to the dfl-pci driver.
+
+Signed-off-by: Matthew Gerlach <matthew.gerlach@linux.intel.com>
+Signed-off-by: Tianfei Zhang <tianfei.zhang@intel.com>
+Tested-by: Marco Pagani <marpagan@redhat.com>
+Reviewed-by: Tom Rix <trix@redhat.com>
+Acked-by: Wu Hao <hao.wu@intel.com>
+Acked-by: Xu Yilun <yilun.xu@intel.com>
+Link: https://lore.kernel.org/r/20220719145644.242481-1-matthew.gerlach@linux.intel.com
+Signed-off-by: Xu Yilun <yilun.xu@intel.com>
+Stable-dep-of: 939bc5453b8c ("fpga: prevent integer overflow in dfl_feature_ioctl_set_irq()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fpga/dfl-pci.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/drivers/fpga/dfl-pci.c b/drivers/fpga/dfl-pci.c
+index fd1fa55c9113..0914e7328b1a 100644
+--- a/drivers/fpga/dfl-pci.c
++++ b/drivers/fpga/dfl-pci.c
+@@ -77,12 +77,18 @@ static void cci_pci_free_irq(struct pci_dev *pcidev)
+ #define PCIE_DEVICE_ID_INTEL_PAC_D5005 0x0B2B
+ #define PCIE_DEVICE_ID_SILICOM_PAC_N5010 0x1000
+ #define PCIE_DEVICE_ID_SILICOM_PAC_N5011 0x1001
++#define PCIE_DEVICE_ID_INTEL_DFL 0xbcce
++/* PCI Subdevice ID for PCIE_DEVICE_ID_INTEL_DFL */
++#define PCIE_SUBDEVICE_ID_INTEL_N6000 0x1770
++#define PCIE_SUBDEVICE_ID_INTEL_N6001 0x1771
++#define PCIE_SUBDEVICE_ID_INTEL_C6100 0x17d4
+
+ /* VF Device */
+ #define PCIE_DEVICE_ID_VF_INT_5_X 0xBCBF
+ #define PCIE_DEVICE_ID_VF_INT_6_X 0xBCC1
+ #define PCIE_DEVICE_ID_VF_DSC_1_X 0x09C5
+ #define PCIE_DEVICE_ID_INTEL_PAC_D5005_VF 0x0B2C
++#define PCIE_DEVICE_ID_INTEL_DFL_VF 0xbccf
+
+ static struct pci_device_id cci_pcie_id_tbl[] = {
+ {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_PF_INT_5_X),},
+@@ -96,6 +102,18 @@ static struct pci_device_id cci_pcie_id_tbl[] = {
+ {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_PAC_D5005_VF),},
+ {PCI_DEVICE(PCI_VENDOR_ID_SILICOM_DENMARK, PCIE_DEVICE_ID_SILICOM_PAC_N5010),},
+ {PCI_DEVICE(PCI_VENDOR_ID_SILICOM_DENMARK, PCIE_DEVICE_ID_SILICOM_PAC_N5011),},
++ {PCI_DEVICE_SUB(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_DFL,
++ PCI_VENDOR_ID_INTEL, PCIE_SUBDEVICE_ID_INTEL_N6000),},
++ {PCI_DEVICE_SUB(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_DFL_VF,
++ PCI_VENDOR_ID_INTEL, PCIE_SUBDEVICE_ID_INTEL_N6000),},
++ {PCI_DEVICE_SUB(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_DFL,
++ PCI_VENDOR_ID_INTEL, PCIE_SUBDEVICE_ID_INTEL_N6001),},
++ {PCI_DEVICE_SUB(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_DFL_VF,
++ PCI_VENDOR_ID_INTEL, PCIE_SUBDEVICE_ID_INTEL_N6001),},
++ {PCI_DEVICE_SUB(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_DFL,
++ PCI_VENDOR_ID_INTEL, PCIE_SUBDEVICE_ID_INTEL_C6100),},
++ {PCI_DEVICE_SUB(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_DFL_VF,
++ PCI_VENDOR_ID_INTEL, PCIE_SUBDEVICE_ID_INTEL_C6100),},
+ {0,}
+ };
+ MODULE_DEVICE_TABLE(pci, cci_pcie_id_tbl);
+--
+2.35.1
+
--- /dev/null
+From 72018435d7553c2a39ede2b92b5c21b0ddc5f65d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 08:18:45 +0300
+Subject: fpga: prevent integer overflow in dfl_feature_ioctl_set_irq()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 939bc5453b8cbdde9f1e5110ce8309aedb1b501a ]
+
+The "hdr.count * sizeof(s32)" multiplication can overflow on 32 bit
+systems leading to memory corruption. Use array_size() to fix that.
+
+Fixes: 322b598be4d9 ("fpga: dfl: introduce interrupt trigger setting API")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Xu Yilun <yilun.xu@intel.com>
+Link: https://lore.kernel.org/r/YxBAtYCM38dM7yzI@kili
+Signed-off-by: Xu Yilun <yilun.xu@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fpga/dfl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/fpga/dfl.c b/drivers/fpga/dfl.c
+index 5498bc337f8b..b9aae85ba930 100644
+--- a/drivers/fpga/dfl.c
++++ b/drivers/fpga/dfl.c
+@@ -1866,7 +1866,7 @@ long dfl_feature_ioctl_set_irq(struct platform_device *pdev,
+ return -EINVAL;
+
+ fds = memdup_user((void __user *)(arg + sizeof(hdr)),
+- hdr.count * sizeof(s32));
++ array_size(hdr.count, sizeof(s32)));
+ if (IS_ERR(fds))
+ return PTR_ERR(fds);
+
+--
+2.35.1
+
--- /dev/null
+From 250f1da0a9bfccfa97640a2da9996adac6d24815 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Aug 2022 15:43:13 -0400
+Subject: fs: dlm: fix race in lowcomms
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 30ea3257e8766027c4d8d609dcbd256ff9a76073 ]
+
+This patch fixes a race between queue_work() in
+_dlm_lowcomms_commit_msg() and srcu_read_unlock(). The queue_work() can
+take the final reference of a dlm_msg and so msg->idx can contain
+garbage which is signaled by the following warning:
+
+[ 676.237050] ------------[ cut here ]------------
+[ 676.237052] WARNING: CPU: 0 PID: 1060 at include/linux/srcu.h:189 dlm_lowcomms_commit_msg+0x41/0x50
+[ 676.238945] Modules linked in: dlm_locktorture torture rpcsec_gss_krb5 intel_rapl_msr intel_rapl_common iTCO_wdt iTCO_vendor_support qxl kvm_intel drm_ttm_helper vmw_vsock_virtio_transport kvm vmw_vsock_virtio_transport_common ttm irqbypass crc32_pclmul joydev crc32c_intel serio_raw drm_kms_helper vsock virtio_scsi virtio_console virtio_balloon snd_pcm drm syscopyarea sysfillrect sysimgblt snd_timer fb_sys_fops i2c_i801 lpc_ich snd i2c_smbus soundcore pcspkr
+[ 676.244227] CPU: 0 PID: 1060 Comm: lock_torture_wr Not tainted 5.19.0-rc3+ #1546
+[ 676.245216] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-2.module+el8.7.0+15506+033991b0 04/01/2014
+[ 676.246460] RIP: 0010:dlm_lowcomms_commit_msg+0x41/0x50
+[ 676.247132] Code: fe ff ff ff 75 24 48 c7 c6 bd 0f 49 bb 48 c7 c7 38 7c 01 bd e8 00 e7 ca ff 89 de 48 c7 c7 60 78 01 bd e8 42 3d cd ff 5b 5d c3 <0f> 0b eb d8 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48
+[ 676.249253] RSP: 0018:ffffa401c18ffc68 EFLAGS: 00010282
+[ 676.249855] RAX: 0000000000000001 RBX: 00000000ffff8b76 RCX: 0000000000000006
+[ 676.250713] RDX: 0000000000000000 RSI: ffffffffbccf3a10 RDI: ffffffffbcc7b62e
+[ 676.251610] RBP: ffffa401c18ffc70 R08: 0000000000000001 R09: 0000000000000001
+[ 676.252481] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000005
+[ 676.253421] R13: ffff8b76786ec370 R14: ffff8b76786ec370 R15: ffff8b76786ec480
+[ 676.254257] FS: 0000000000000000(0000) GS:ffff8b7777800000(0000) knlGS:0000000000000000
+[ 676.255239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 676.255897] CR2: 00005590205d88b8 CR3: 000000017656c003 CR4: 0000000000770ee0
+[ 676.256734] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 676.257567] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 676.258397] PKRU: 55555554
+[ 676.258729] Call Trace:
+[ 676.259063] <TASK>
+[ 676.259354] dlm_midcomms_commit_mhandle+0xcc/0x110
+[ 676.259964] queue_bast+0x8b/0xb0
+[ 676.260423] grant_pending_locks+0x166/0x1b0
+[ 676.261007] _unlock_lock+0x75/0x90
+[ 676.261469] unlock_lock.isra.57+0x62/0xa0
+[ 676.262009] dlm_unlock+0x21e/0x330
+[ 676.262457] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]
+[ 676.263183] torture_unlock+0x5a/0x90 [dlm_locktorture]
+[ 676.263815] ? preempt_count_sub+0xba/0x100
+[ 676.264361] ? complete+0x1d/0x60
+[ 676.264777] lock_torture_writer+0xb8/0x150 [dlm_locktorture]
+[ 676.265555] kthread+0x10a/0x130
+[ 676.266007] ? kthread_complete_and_exit+0x20/0x20
+[ 676.266616] ret_from_fork+0x22/0x30
+[ 676.267097] </TASK>
+[ 676.267381] irq event stamp: 9579855
+[ 676.267824] hardirqs last enabled at (9579863): [<ffffffffbb14e6f8>] __up_console_sem+0x58/0x60
+[ 676.268896] hardirqs last disabled at (9579872): [<ffffffffbb14e6dd>] __up_console_sem+0x3d/0x60
+[ 676.270008] softirqs last enabled at (9579798): [<ffffffffbc200349>] __do_softirq+0x349/0x4c7
+[ 676.271438] softirqs last disabled at (9579897): [<ffffffffbb0d54c0>] irq_exit_rcu+0xb0/0xf0
+[ 676.272796] ---[ end trace 0000000000000000 ]---
+
+I reproduced this warning with dlm_locktorture test which is currently
+not upstream. However this patch fix the issue by make a additional
+refcount between dlm_lowcomms_new_msg() and dlm_lowcomms_commit_msg().
+In case of the race the kref_put() in dlm_lowcomms_commit_msg() will be
+the final put.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lowcomms.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c
+index a4e84e8d94c8..59f64c596233 100644
+--- a/fs/dlm/lowcomms.c
++++ b/fs/dlm/lowcomms.c
+@@ -1336,6 +1336,8 @@ struct dlm_msg *dlm_lowcomms_new_msg(int nodeid, int len, gfp_t allocation,
+ return NULL;
+ }
+
++ /* for dlm_lowcomms_commit_msg() */
++ kref_get(&msg->ref);
+ /* we assume if successful commit must called */
+ msg->idx = idx;
+ return msg;
+@@ -1375,6 +1377,8 @@ void dlm_lowcomms_commit_msg(struct dlm_msg *msg)
+ {
+ _dlm_lowcomms_commit_msg(msg);
+ srcu_read_unlock(&connections_srcu, msg->idx);
++ /* because dlm_lowcomms_new_msg() */
++ kref_put(&msg->ref, dlm_msg_release);
+ }
+ #endif
+
+--
+2.35.1
+
--- /dev/null
+From b85bdbcda08d53cc7429a2592980f006f3d7c4ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 12:32:06 -0700
+Subject: fscrypt: stop using keyrings subsystem for fscrypt_master_key
+
+From: Eric Biggers <ebiggers@google.com>
+
+[ Upstream commit d7e7b9af104c7b389a0c21eb26532511bce4b510 ]
+
+The approach of fs/crypto/ internally managing the fscrypt_master_key
+structs as the payloads of "struct key" objects contained in a
+"struct key" keyring has outlived its usefulness. The original idea was
+to simplify the code by reusing code from the keyrings subsystem.
+However, several issues have arisen that can't easily be resolved:
+
+- When a master key struct is destroyed, blk_crypto_evict_key() must be
+ called on any per-mode keys embedded in it. (This started being the
+ case when inline encryption support was added.) Yet, the keyrings
+ subsystem can arbitrarily delay the destruction of keys, even past the
+ time the filesystem was unmounted. Therefore, currently there is no
+ easy way to call blk_crypto_evict_key() when a master key is
+ destroyed. Currently, this is worked around by holding an extra
+ reference to the filesystem's request_queue(s). But it was overlooked
+ that the request_queue reference is *not* guaranteed to pin the
+ corresponding blk_crypto_profile too; for device-mapper devices that
+ support inline crypto, it doesn't. This can cause a use-after-free.
+
+- When the last inode that was using an incompletely-removed master key
+ is evicted, the master key removal is completed by removing the key
+ struct from the keyring. Currently this is done via key_invalidate().
+ Yet, key_invalidate() takes the key semaphore. This can deadlock when
+ called from the shrinker, since in fscrypt_ioctl_add_key(), memory is
+ allocated with GFP_KERNEL under the same semaphore.
+
+- More generally, the fact that the keyrings subsystem can arbitrarily
+ delay the destruction of keys (via garbage collection delay, or via
+ random processes getting temporary key references) is undesirable, as
+ it means we can't strictly guarantee that all secrets are ever wiped.
+
+- Doing the master key lookups via the keyrings subsystem results in the
+ key_permission LSM hook being called. fscrypt doesn't want this, as
+ all access control for encrypted files is designed to happen via the
+ files themselves, like any other files. The workaround which SELinux
+ users are using is to change their SELinux policy to grant key search
+ access to all domains. This works, but it is an odd extra step that
+ shouldn't really have to be done.
+
+The fix for all these issues is to change the implementation to what I
+should have done originally: don't use the keyrings subsystem to keep
+track of the filesystem's fscrypt_master_key structs. Instead, just
+store them in a regular kernel data structure, and rework the reference
+counting, locking, and lifetime accordingly. Retain support for
+RCU-mode key lookups by using a hash table. Replace fscrypt_sb_free()
+with fscrypt_sb_delete(), which releases the keys synchronously and runs
+a bit earlier during unmount, so that block devices are still available.
+
+A side effect of this patch is that neither the master keys themselves
+nor the filesystem keyrings will be listed in /proc/keys anymore.
+("Master key users" and the master key users keyrings will still be
+listed.) However, this was mostly an implementation detail, and it was
+intended just for debugging purposes. I don't know of anyone using it.
+
+This patch does *not* change how "master key users" (->mk_users) works;
+that still uses the keyrings subsystem. That is still needed for key
+quotas, and changing that isn't necessary to solve the issues listed
+above. If we decide to change that too, it would be a separate patch.
+
+I've marked this as fixing the original commit that added the fscrypt
+keyring, but as noted above the most important issue that this patch
+fixes wasn't introduced until the addition of inline encryption support.
+
+Fixes: 22d94f493bfb ("fscrypt: add FS_IOC_ADD_ENCRYPTION_KEY ioctl")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Link: https://lore.kernel.org/r/20220901193208.138056-2-ebiggers@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/crypto/fscrypt_private.h | 71 ++++--
+ fs/crypto/hooks.c | 10 +-
+ fs/crypto/keyring.c | 486 +++++++++++++++++++-----------------
+ fs/crypto/keysetup.c | 81 +++---
+ fs/crypto/policy.c | 8 +-
+ fs/super.c | 2 +-
+ include/linux/fs.h | 2 +-
+ include/linux/fscrypt.h | 4 +-
+ 8 files changed, 353 insertions(+), 311 deletions(-)
+
+diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h
+index 3afdaa084773..577cae7facb0 100644
+--- a/fs/crypto/fscrypt_private.h
++++ b/fs/crypto/fscrypt_private.h
+@@ -225,7 +225,7 @@ struct fscrypt_info {
+ * will be NULL if the master key was found in a process-subscribed
+ * keyring rather than in the filesystem-level keyring.
+ */
+- struct key *ci_master_key;
++ struct fscrypt_master_key *ci_master_key;
+
+ /*
+ * Link in list of inodes that were unlocked with the master key.
+@@ -436,6 +436,40 @@ struct fscrypt_master_key_secret {
+ */
+ struct fscrypt_master_key {
+
++ /*
++ * Back-pointer to the super_block of the filesystem to which this
++ * master key has been added. Only valid if ->mk_active_refs > 0.
++ */
++ struct super_block *mk_sb;
++
++ /*
++ * Link in ->mk_sb->s_master_keys->key_hashtable.
++ * Only valid if ->mk_active_refs > 0.
++ */
++ struct hlist_node mk_node;
++
++ /* Semaphore that protects ->mk_secret and ->mk_users */
++ struct rw_semaphore mk_sem;
++
++ /*
++ * Active and structural reference counts. An active ref guarantees
++ * that the struct continues to exist, continues to be in the keyring
++ * ->mk_sb->s_master_keys, and that any embedded subkeys (e.g.
++ * ->mk_direct_keys) that have been prepared continue to exist.
++ * A structural ref only guarantees that the struct continues to exist.
++ *
++ * There is one active ref associated with ->mk_secret being present,
++ * and one active ref for each inode in ->mk_decrypted_inodes.
++ *
++ * There is one structural ref associated with the active refcount being
++ * nonzero. Finding a key in the keyring also takes a structural ref,
++ * which is then held temporarily while the key is operated on.
++ */
++ refcount_t mk_active_refs;
++ refcount_t mk_struct_refs;
++
++ struct rcu_head mk_rcu_head;
++
+ /*
+ * The secret key material. After FS_IOC_REMOVE_ENCRYPTION_KEY is
+ * executed, this is wiped and no new inodes can be unlocked with this
+@@ -444,7 +478,10 @@ struct fscrypt_master_key {
+ * FS_IOC_REMOVE_ENCRYPTION_KEY can be retried, or
+ * FS_IOC_ADD_ENCRYPTION_KEY can add the secret again.
+ *
+- * Locking: protected by this master key's key->sem.
++ * While ->mk_secret is present, one ref in ->mk_active_refs is held.
++ *
++ * Locking: protected by ->mk_sem. The manipulation of ->mk_active_refs
++ * associated with this field is protected by ->mk_sem as well.
+ */
+ struct fscrypt_master_key_secret mk_secret;
+
+@@ -465,22 +502,12 @@ struct fscrypt_master_key {
+ *
+ * This is NULL for v1 policy keys; those can only be added by root.
+ *
+- * Locking: in addition to this keyring's own semaphore, this is
+- * protected by this master key's key->sem, so we can do atomic
+- * search+insert. It can also be searched without taking any locks, but
+- * in that case the returned key may have already been removed.
++ * Locking: protected by ->mk_sem. (We don't just rely on the keyrings
++ * subsystem semaphore ->mk_users->sem, as we need support for atomic
++ * search+insert along with proper synchronization with ->mk_secret.)
+ */
+ struct key *mk_users;
+
+- /*
+- * Length of ->mk_decrypted_inodes, plus one if mk_secret is present.
+- * Once this goes to 0, the master key is removed from ->s_master_keys.
+- * The 'struct fscrypt_master_key' will continue to live as long as the
+- * 'struct key' whose payload it is, but we won't let this reference
+- * count rise again.
+- */
+- refcount_t mk_refcount;
+-
+ /*
+ * List of inodes that were unlocked using this key. This allows the
+ * inodes to be evicted efficiently if the key is removed.
+@@ -506,10 +533,10 @@ static inline bool
+ is_master_key_secret_present(const struct fscrypt_master_key_secret *secret)
+ {
+ /*
+- * The READ_ONCE() is only necessary for fscrypt_drop_inode() and
+- * fscrypt_key_describe(). These run in atomic context, so they can't
+- * take the key semaphore and thus 'secret' can change concurrently
+- * which would be a data race. But they only need to know whether the
++ * The READ_ONCE() is only necessary for fscrypt_drop_inode().
++ * fscrypt_drop_inode() runs in atomic context, so it can't take the key
++ * semaphore and thus 'secret' can change concurrently which would be a
++ * data race. But fscrypt_drop_inode() only need to know whether the
+ * secret *was* present at the time of check, so READ_ONCE() suffices.
+ */
+ return READ_ONCE(secret->size) != 0;
+@@ -538,7 +565,11 @@ static inline int master_key_spec_len(const struct fscrypt_key_specifier *spec)
+ return 0;
+ }
+
+-struct key *
++void fscrypt_put_master_key(struct fscrypt_master_key *mk);
++
++void fscrypt_put_master_key_activeref(struct fscrypt_master_key *mk);
++
++struct fscrypt_master_key *
+ fscrypt_find_master_key(struct super_block *sb,
+ const struct fscrypt_key_specifier *mk_spec);
+
+diff --git a/fs/crypto/hooks.c b/fs/crypto/hooks.c
+index 7c01025879b3..7b8c5a1104b5 100644
+--- a/fs/crypto/hooks.c
++++ b/fs/crypto/hooks.c
+@@ -5,8 +5,6 @@
+ * Encryption hooks for higher-level filesystem operations.
+ */
+
+-#include <linux/key.h>
+-
+ #include "fscrypt_private.h"
+
+ /**
+@@ -142,7 +140,6 @@ int fscrypt_prepare_setflags(struct inode *inode,
+ unsigned int oldflags, unsigned int flags)
+ {
+ struct fscrypt_info *ci;
+- struct key *key;
+ struct fscrypt_master_key *mk;
+ int err;
+
+@@ -158,14 +155,13 @@ int fscrypt_prepare_setflags(struct inode *inode,
+ ci = inode->i_crypt_info;
+ if (ci->ci_policy.version != FSCRYPT_POLICY_V2)
+ return -EINVAL;
+- key = ci->ci_master_key;
+- mk = key->payload.data[0];
+- down_read(&key->sem);
++ mk = ci->ci_master_key;
++ down_read(&mk->mk_sem);
+ if (is_master_key_secret_present(&mk->mk_secret))
+ err = fscrypt_derive_dirhash_key(ci, mk);
+ else
+ err = -ENOKEY;
+- up_read(&key->sem);
++ up_read(&mk->mk_sem);
+ return err;
+ }
+ return 0;
+diff --git a/fs/crypto/keyring.c b/fs/crypto/keyring.c
+index caee9f8620dd..9b98d6a576e6 100644
+--- a/fs/crypto/keyring.c
++++ b/fs/crypto/keyring.c
+@@ -18,6 +18,7 @@
+ * information about these ioctls.
+ */
+
++#include <asm/unaligned.h>
+ #include <crypto/skcipher.h>
+ #include <linux/key-type.h>
+ #include <linux/random.h>
+@@ -25,6 +26,18 @@
+
+ #include "fscrypt_private.h"
+
++/* The master encryption keys for a filesystem (->s_master_keys) */
++struct fscrypt_keyring {
++ /*
++ * Lock that protects ->key_hashtable. It does *not* protect the
++ * fscrypt_master_key structs themselves.
++ */
++ spinlock_t lock;
++
++ /* Hash table that maps fscrypt_key_specifier to fscrypt_master_key */
++ struct hlist_head key_hashtable[128];
++};
++
+ static void wipe_master_key_secret(struct fscrypt_master_key_secret *secret)
+ {
+ fscrypt_destroy_hkdf(&secret->hkdf);
+@@ -38,20 +51,70 @@ static void move_master_key_secret(struct fscrypt_master_key_secret *dst,
+ memzero_explicit(src, sizeof(*src));
+ }
+
+-static void free_master_key(struct fscrypt_master_key *mk)
++static void fscrypt_free_master_key(struct rcu_head *head)
++{
++ struct fscrypt_master_key *mk =
++ container_of(head, struct fscrypt_master_key, mk_rcu_head);
++ /*
++ * The master key secret and any embedded subkeys should have already
++ * been wiped when the last active reference to the fscrypt_master_key
++ * struct was dropped; doing it here would be unnecessarily late.
++ * Nevertheless, use kfree_sensitive() in case anything was missed.
++ */
++ kfree_sensitive(mk);
++}
++
++void fscrypt_put_master_key(struct fscrypt_master_key *mk)
++{
++ if (!refcount_dec_and_test(&mk->mk_struct_refs))
++ return;
++ /*
++ * No structural references left, so free ->mk_users, and also free the
++ * fscrypt_master_key struct itself after an RCU grace period ensures
++ * that concurrent keyring lookups can no longer find it.
++ */
++ WARN_ON(refcount_read(&mk->mk_active_refs) != 0);
++ key_put(mk->mk_users);
++ mk->mk_users = NULL;
++ call_rcu(&mk->mk_rcu_head, fscrypt_free_master_key);
++}
++
++void fscrypt_put_master_key_activeref(struct fscrypt_master_key *mk)
+ {
++ struct super_block *sb = mk->mk_sb;
++ struct fscrypt_keyring *keyring = sb->s_master_keys;
+ size_t i;
+
+- wipe_master_key_secret(&mk->mk_secret);
++ if (!refcount_dec_and_test(&mk->mk_active_refs))
++ return;
++ /*
++ * No active references left, so complete the full removal of this
++ * fscrypt_master_key struct by removing it from the keyring and
++ * destroying any subkeys embedded in it.
++ */
++
++ spin_lock(&keyring->lock);
++ hlist_del_rcu(&mk->mk_node);
++ spin_unlock(&keyring->lock);
++
++ /*
++ * ->mk_active_refs == 0 implies that ->mk_secret is not present and
++ * that ->mk_decrypted_inodes is empty.
++ */
++ WARN_ON(is_master_key_secret_present(&mk->mk_secret));
++ WARN_ON(!list_empty(&mk->mk_decrypted_inodes));
+
+ for (i = 0; i <= FSCRYPT_MODE_MAX; i++) {
+ fscrypt_destroy_prepared_key(&mk->mk_direct_keys[i]);
+ fscrypt_destroy_prepared_key(&mk->mk_iv_ino_lblk_64_keys[i]);
+ fscrypt_destroy_prepared_key(&mk->mk_iv_ino_lblk_32_keys[i]);
+ }
++ memzero_explicit(&mk->mk_ino_hash_key,
++ sizeof(mk->mk_ino_hash_key));
++ mk->mk_ino_hash_key_initialized = false;
+
+- key_put(mk->mk_users);
+- kfree_sensitive(mk);
++ /* Drop the structural ref associated with the active refs. */
++ fscrypt_put_master_key(mk);
+ }
+
+ static inline bool valid_key_spec(const struct fscrypt_key_specifier *spec)
+@@ -61,44 +124,6 @@ static inline bool valid_key_spec(const struct fscrypt_key_specifier *spec)
+ return master_key_spec_len(spec) != 0;
+ }
+
+-static int fscrypt_key_instantiate(struct key *key,
+- struct key_preparsed_payload *prep)
+-{
+- key->payload.data[0] = (struct fscrypt_master_key *)prep->data;
+- return 0;
+-}
+-
+-static void fscrypt_key_destroy(struct key *key)
+-{
+- free_master_key(key->payload.data[0]);
+-}
+-
+-static void fscrypt_key_describe(const struct key *key, struct seq_file *m)
+-{
+- seq_puts(m, key->description);
+-
+- if (key_is_positive(key)) {
+- const struct fscrypt_master_key *mk = key->payload.data[0];
+-
+- if (!is_master_key_secret_present(&mk->mk_secret))
+- seq_puts(m, ": secret removed");
+- }
+-}
+-
+-/*
+- * Type of key in ->s_master_keys. Each key of this type represents a master
+- * key which has been added to the filesystem. Its payload is a
+- * 'struct fscrypt_master_key'. The "." prefix in the key type name prevents
+- * users from adding keys of this type via the keyrings syscalls rather than via
+- * the intended method of FS_IOC_ADD_ENCRYPTION_KEY.
+- */
+-static struct key_type key_type_fscrypt = {
+- .name = "._fscrypt",
+- .instantiate = fscrypt_key_instantiate,
+- .destroy = fscrypt_key_destroy,
+- .describe = fscrypt_key_describe,
+-};
+-
+ static int fscrypt_user_key_instantiate(struct key *key,
+ struct key_preparsed_payload *prep)
+ {
+@@ -131,32 +156,6 @@ static struct key_type key_type_fscrypt_user = {
+ .describe = fscrypt_user_key_describe,
+ };
+
+-/* Search ->s_master_keys or ->mk_users */
+-static struct key *search_fscrypt_keyring(struct key *keyring,
+- struct key_type *type,
+- const char *description)
+-{
+- /*
+- * We need to mark the keyring reference as "possessed" so that we
+- * acquire permission to search it, via the KEY_POS_SEARCH permission.
+- */
+- key_ref_t keyref = make_key_ref(keyring, true /* possessed */);
+-
+- keyref = keyring_search(keyref, type, description, false);
+- if (IS_ERR(keyref)) {
+- if (PTR_ERR(keyref) == -EAGAIN || /* not found */
+- PTR_ERR(keyref) == -EKEYREVOKED) /* recently invalidated */
+- keyref = ERR_PTR(-ENOKEY);
+- return ERR_CAST(keyref);
+- }
+- return key_ref_to_ptr(keyref);
+-}
+-
+-#define FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE \
+- (CONST_STRLEN("fscrypt-") + sizeof_field(struct super_block, s_id))
+-
+-#define FSCRYPT_MK_DESCRIPTION_SIZE (2 * FSCRYPT_KEY_IDENTIFIER_SIZE + 1)
+-
+ #define FSCRYPT_MK_USERS_DESCRIPTION_SIZE \
+ (CONST_STRLEN("fscrypt-") + 2 * FSCRYPT_KEY_IDENTIFIER_SIZE + \
+ CONST_STRLEN("-users") + 1)
+@@ -164,21 +163,6 @@ static struct key *search_fscrypt_keyring(struct key *keyring,
+ #define FSCRYPT_MK_USER_DESCRIPTION_SIZE \
+ (2 * FSCRYPT_KEY_IDENTIFIER_SIZE + CONST_STRLEN(".uid.") + 10 + 1)
+
+-static void format_fs_keyring_description(
+- char description[FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE],
+- const struct super_block *sb)
+-{
+- sprintf(description, "fscrypt-%s", sb->s_id);
+-}
+-
+-static void format_mk_description(
+- char description[FSCRYPT_MK_DESCRIPTION_SIZE],
+- const struct fscrypt_key_specifier *mk_spec)
+-{
+- sprintf(description, "%*phN",
+- master_key_spec_len(mk_spec), (u8 *)&mk_spec->u);
+-}
+-
+ static void format_mk_users_keyring_description(
+ char description[FSCRYPT_MK_USERS_DESCRIPTION_SIZE],
+ const u8 mk_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE])
+@@ -199,20 +183,15 @@ static void format_mk_user_description(
+ /* Create ->s_master_keys if needed. Synchronized by fscrypt_add_key_mutex. */
+ static int allocate_filesystem_keyring(struct super_block *sb)
+ {
+- char description[FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE];
+- struct key *keyring;
++ struct fscrypt_keyring *keyring;
+
+ if (sb->s_master_keys)
+ return 0;
+
+- format_fs_keyring_description(description, sb);
+- keyring = keyring_alloc(description, GLOBAL_ROOT_UID, GLOBAL_ROOT_GID,
+- current_cred(), KEY_POS_SEARCH |
+- KEY_USR_SEARCH | KEY_USR_READ | KEY_USR_VIEW,
+- KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
+- if (IS_ERR(keyring))
+- return PTR_ERR(keyring);
+-
++ keyring = kzalloc(sizeof(*keyring), GFP_KERNEL);
++ if (!keyring)
++ return -ENOMEM;
++ spin_lock_init(&keyring->lock);
+ /*
+ * Pairs with the smp_load_acquire() in fscrypt_find_master_key().
+ * I.e., here we publish ->s_master_keys with a RELEASE barrier so that
+@@ -222,21 +201,75 @@ static int allocate_filesystem_keyring(struct super_block *sb)
+ return 0;
+ }
+
+-void fscrypt_sb_free(struct super_block *sb)
++/*
++ * This is called at unmount time to release all encryption keys that have been
++ * added to the filesystem, along with the keyring that contains them.
++ *
++ * Note that besides clearing and freeing memory, this might need to evict keys
++ * from the keyslots of an inline crypto engine. Therefore, this must be called
++ * while the filesystem's underlying block device(s) are still available.
++ */
++void fscrypt_sb_delete(struct super_block *sb)
+ {
+- key_put(sb->s_master_keys);
++ struct fscrypt_keyring *keyring = sb->s_master_keys;
++ size_t i;
++
++ if (!keyring)
++ return;
++
++ for (i = 0; i < ARRAY_SIZE(keyring->key_hashtable); i++) {
++ struct hlist_head *bucket = &keyring->key_hashtable[i];
++ struct fscrypt_master_key *mk;
++ struct hlist_node *tmp;
++
++ hlist_for_each_entry_safe(mk, tmp, bucket, mk_node) {
++ /*
++ * Since all inodes were already evicted, every key
++ * remaining in the keyring should have an empty inode
++ * list, and should only still be in the keyring due to
++ * the single active ref associated with ->mk_secret.
++ * There should be no structural refs beyond the one
++ * associated with the active ref.
++ */
++ WARN_ON(refcount_read(&mk->mk_active_refs) != 1);
++ WARN_ON(refcount_read(&mk->mk_struct_refs) != 1);
++ WARN_ON(!is_master_key_secret_present(&mk->mk_secret));
++ wipe_master_key_secret(&mk->mk_secret);
++ fscrypt_put_master_key_activeref(mk);
++ }
++ }
++ kfree_sensitive(keyring);
+ sb->s_master_keys = NULL;
+ }
+
++static struct hlist_head *
++fscrypt_mk_hash_bucket(struct fscrypt_keyring *keyring,
++ const struct fscrypt_key_specifier *mk_spec)
++{
++ /*
++ * Since key specifiers should be "random" values, it is sufficient to
++ * use a trivial hash function that just takes the first several bits of
++ * the key specifier.
++ */
++ unsigned long i = get_unaligned((unsigned long *)&mk_spec->u);
++
++ return &keyring->key_hashtable[i % ARRAY_SIZE(keyring->key_hashtable)];
++}
++
+ /*
+- * Find the specified master key in ->s_master_keys.
+- * Returns ERR_PTR(-ENOKEY) if not found.
++ * Find the specified master key struct in ->s_master_keys and take a structural
++ * ref to it. The structural ref guarantees that the key struct continues to
++ * exist, but it does *not* guarantee that ->s_master_keys continues to contain
++ * the key struct. The structural ref needs to be dropped by
++ * fscrypt_put_master_key(). Returns NULL if the key struct is not found.
+ */
+-struct key *fscrypt_find_master_key(struct super_block *sb,
+- const struct fscrypt_key_specifier *mk_spec)
++struct fscrypt_master_key *
++fscrypt_find_master_key(struct super_block *sb,
++ const struct fscrypt_key_specifier *mk_spec)
+ {
+- struct key *keyring;
+- char description[FSCRYPT_MK_DESCRIPTION_SIZE];
++ struct fscrypt_keyring *keyring;
++ struct hlist_head *bucket;
++ struct fscrypt_master_key *mk;
+
+ /*
+ * Pairs with the smp_store_release() in allocate_filesystem_keyring().
+@@ -246,10 +279,38 @@ struct key *fscrypt_find_master_key(struct super_block *sb,
+ */
+ keyring = smp_load_acquire(&sb->s_master_keys);
+ if (keyring == NULL)
+- return ERR_PTR(-ENOKEY); /* No keyring yet, so no keys yet. */
+-
+- format_mk_description(description, mk_spec);
+- return search_fscrypt_keyring(keyring, &key_type_fscrypt, description);
++ return NULL; /* No keyring yet, so no keys yet. */
++
++ bucket = fscrypt_mk_hash_bucket(keyring, mk_spec);
++ rcu_read_lock();
++ switch (mk_spec->type) {
++ case FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR:
++ hlist_for_each_entry_rcu(mk, bucket, mk_node) {
++ if (mk->mk_spec.type ==
++ FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR &&
++ memcmp(mk->mk_spec.u.descriptor,
++ mk_spec->u.descriptor,
++ FSCRYPT_KEY_DESCRIPTOR_SIZE) == 0 &&
++ refcount_inc_not_zero(&mk->mk_struct_refs))
++ goto out;
++ }
++ break;
++ case FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER:
++ hlist_for_each_entry_rcu(mk, bucket, mk_node) {
++ if (mk->mk_spec.type ==
++ FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER &&
++ memcmp(mk->mk_spec.u.identifier,
++ mk_spec->u.identifier,
++ FSCRYPT_KEY_IDENTIFIER_SIZE) == 0 &&
++ refcount_inc_not_zero(&mk->mk_struct_refs))
++ goto out;
++ }
++ break;
++ }
++ mk = NULL;
++out:
++ rcu_read_unlock();
++ return mk;
+ }
+
+ static int allocate_master_key_users_keyring(struct fscrypt_master_key *mk)
+@@ -277,17 +338,30 @@ static int allocate_master_key_users_keyring(struct fscrypt_master_key *mk)
+ static struct key *find_master_key_user(struct fscrypt_master_key *mk)
+ {
+ char description[FSCRYPT_MK_USER_DESCRIPTION_SIZE];
++ key_ref_t keyref;
+
+ format_mk_user_description(description, mk->mk_spec.u.identifier);
+- return search_fscrypt_keyring(mk->mk_users, &key_type_fscrypt_user,
+- description);
++
++ /*
++ * We need to mark the keyring reference as "possessed" so that we
++ * acquire permission to search it, via the KEY_POS_SEARCH permission.
++ */
++ keyref = keyring_search(make_key_ref(mk->mk_users, true /*possessed*/),
++ &key_type_fscrypt_user, description, false);
++ if (IS_ERR(keyref)) {
++ if (PTR_ERR(keyref) == -EAGAIN || /* not found */
++ PTR_ERR(keyref) == -EKEYREVOKED) /* recently invalidated */
++ keyref = ERR_PTR(-ENOKEY);
++ return ERR_CAST(keyref);
++ }
++ return key_ref_to_ptr(keyref);
+ }
+
+ /*
+ * Give the current user a "key" in ->mk_users. This charges the user's quota
+ * and marks the master key as added by the current user, so that it cannot be
+- * removed by another user with the key. Either the master key's key->sem must
+- * be held for write, or the master key must be still undergoing initialization.
++ * removed by another user with the key. Either ->mk_sem must be held for
++ * write, or the master key must be still undergoing initialization.
+ */
+ static int add_master_key_user(struct fscrypt_master_key *mk)
+ {
+@@ -309,7 +383,7 @@ static int add_master_key_user(struct fscrypt_master_key *mk)
+
+ /*
+ * Remove the current user's "key" from ->mk_users.
+- * The master key's key->sem must be held for write.
++ * ->mk_sem must be held for write.
+ *
+ * Returns 0 if removed, -ENOKEY if not found, or another -errno code.
+ */
+@@ -327,63 +401,49 @@ static int remove_master_key_user(struct fscrypt_master_key *mk)
+ }
+
+ /*
+- * Allocate a new fscrypt_master_key which contains the given secret, set it as
+- * the payload of a new 'struct key' of type fscrypt, and link the 'struct key'
+- * into the given keyring. Synchronized by fscrypt_add_key_mutex.
++ * Allocate a new fscrypt_master_key, transfer the given secret over to it, and
++ * insert it into sb->s_master_keys.
+ */
+-static int add_new_master_key(struct fscrypt_master_key_secret *secret,
+- const struct fscrypt_key_specifier *mk_spec,
+- struct key *keyring)
++static int add_new_master_key(struct super_block *sb,
++ struct fscrypt_master_key_secret *secret,
++ const struct fscrypt_key_specifier *mk_spec)
+ {
++ struct fscrypt_keyring *keyring = sb->s_master_keys;
+ struct fscrypt_master_key *mk;
+- char description[FSCRYPT_MK_DESCRIPTION_SIZE];
+- struct key *key;
+ int err;
+
+ mk = kzalloc(sizeof(*mk), GFP_KERNEL);
+ if (!mk)
+ return -ENOMEM;
+
++ mk->mk_sb = sb;
++ init_rwsem(&mk->mk_sem);
++ refcount_set(&mk->mk_struct_refs, 1);
+ mk->mk_spec = *mk_spec;
+
+- move_master_key_secret(&mk->mk_secret, secret);
+-
+- refcount_set(&mk->mk_refcount, 1); /* secret is present */
+ INIT_LIST_HEAD(&mk->mk_decrypted_inodes);
+ spin_lock_init(&mk->mk_decrypted_inodes_lock);
+
+ if (mk_spec->type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) {
+ err = allocate_master_key_users_keyring(mk);
+ if (err)
+- goto out_free_mk;
++ goto out_put;
+ err = add_master_key_user(mk);
+ if (err)
+- goto out_free_mk;
++ goto out_put;
+ }
+
+- /*
+- * Note that we don't charge this key to anyone's quota, since when
+- * ->mk_users is in use those keys are charged instead, and otherwise
+- * (when ->mk_users isn't in use) only root can add these keys.
+- */
+- format_mk_description(description, mk_spec);
+- key = key_alloc(&key_type_fscrypt, description,
+- GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
+- KEY_POS_SEARCH | KEY_USR_SEARCH | KEY_USR_VIEW,
+- KEY_ALLOC_NOT_IN_QUOTA, NULL);
+- if (IS_ERR(key)) {
+- err = PTR_ERR(key);
+- goto out_free_mk;
+- }
+- err = key_instantiate_and_link(key, mk, sizeof(*mk), keyring, NULL);
+- key_put(key);
+- if (err)
+- goto out_free_mk;
++ move_master_key_secret(&mk->mk_secret, secret);
++ refcount_set(&mk->mk_active_refs, 1); /* ->mk_secret is present */
+
++ spin_lock(&keyring->lock);
++ hlist_add_head_rcu(&mk->mk_node,
++ fscrypt_mk_hash_bucket(keyring, mk_spec));
++ spin_unlock(&keyring->lock);
+ return 0;
+
+-out_free_mk:
+- free_master_key(mk);
++out_put:
++ fscrypt_put_master_key(mk);
+ return err;
+ }
+
+@@ -392,42 +452,34 @@ static int add_new_master_key(struct fscrypt_master_key_secret *secret,
+ static int add_existing_master_key(struct fscrypt_master_key *mk,
+ struct fscrypt_master_key_secret *secret)
+ {
+- struct key *mk_user;
+- bool rekey;
+ int err;
+
+ /*
+ * If the current user is already in ->mk_users, then there's nothing to
+- * do. (Not applicable for v1 policy keys, which have NULL ->mk_users.)
++ * do. Otherwise, we need to add the user to ->mk_users. (Neither is
++ * applicable for v1 policy keys, which have NULL ->mk_users.)
+ */
+ if (mk->mk_users) {
+- mk_user = find_master_key_user(mk);
++ struct key *mk_user = find_master_key_user(mk);
++
+ if (mk_user != ERR_PTR(-ENOKEY)) {
+ if (IS_ERR(mk_user))
+ return PTR_ERR(mk_user);
+ key_put(mk_user);
+ return 0;
+ }
+- }
+-
+- /* If we'll be re-adding ->mk_secret, try to take the reference. */
+- rekey = !is_master_key_secret_present(&mk->mk_secret);
+- if (rekey && !refcount_inc_not_zero(&mk->mk_refcount))
+- return KEY_DEAD;
+-
+- /* Add the current user to ->mk_users, if applicable. */
+- if (mk->mk_users) {
+ err = add_master_key_user(mk);
+- if (err) {
+- if (rekey && refcount_dec_and_test(&mk->mk_refcount))
+- return KEY_DEAD;
++ if (err)
+ return err;
+- }
+ }
+
+ /* Re-add the secret if needed. */
+- if (rekey)
++ if (!is_master_key_secret_present(&mk->mk_secret)) {
++ if (!refcount_inc_not_zero(&mk->mk_active_refs))
++ return KEY_DEAD;
+ move_master_key_secret(&mk->mk_secret, secret);
++ }
++
+ return 0;
+ }
+
+@@ -436,38 +488,36 @@ static int do_add_master_key(struct super_block *sb,
+ const struct fscrypt_key_specifier *mk_spec)
+ {
+ static DEFINE_MUTEX(fscrypt_add_key_mutex);
+- struct key *key;
++ struct fscrypt_master_key *mk;
+ int err;
+
+ mutex_lock(&fscrypt_add_key_mutex); /* serialize find + link */
+-retry:
+- key = fscrypt_find_master_key(sb, mk_spec);
+- if (IS_ERR(key)) {
+- err = PTR_ERR(key);
+- if (err != -ENOKEY)
+- goto out_unlock;
++
++ mk = fscrypt_find_master_key(sb, mk_spec);
++ if (!mk) {
+ /* Didn't find the key in ->s_master_keys. Add it. */
+ err = allocate_filesystem_keyring(sb);
+- if (err)
+- goto out_unlock;
+- err = add_new_master_key(secret, mk_spec, sb->s_master_keys);
++ if (!err)
++ err = add_new_master_key(sb, secret, mk_spec);
+ } else {
+ /*
+ * Found the key in ->s_master_keys. Re-add the secret if
+ * needed, and add the user to ->mk_users if needed.
+ */
+- down_write(&key->sem);
+- err = add_existing_master_key(key->payload.data[0], secret);
+- up_write(&key->sem);
++ down_write(&mk->mk_sem);
++ err = add_existing_master_key(mk, secret);
++ up_write(&mk->mk_sem);
+ if (err == KEY_DEAD) {
+- /* Key being removed or needs to be removed */
+- key_invalidate(key);
+- key_put(key);
+- goto retry;
++ /*
++ * We found a key struct, but it's already been fully
++ * removed. Ignore the old struct and add a new one.
++ * fscrypt_add_key_mutex means we don't need to worry
++ * about concurrent adds.
++ */
++ err = add_new_master_key(sb, secret, mk_spec);
+ }
+- key_put(key);
++ fscrypt_put_master_key(mk);
+ }
+-out_unlock:
+ mutex_unlock(&fscrypt_add_key_mutex);
+ return err;
+ }
+@@ -771,19 +821,19 @@ int fscrypt_verify_key_added(struct super_block *sb,
+ const u8 identifier[FSCRYPT_KEY_IDENTIFIER_SIZE])
+ {
+ struct fscrypt_key_specifier mk_spec;
+- struct key *key, *mk_user;
+ struct fscrypt_master_key *mk;
++ struct key *mk_user;
+ int err;
+
+ mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER;
+ memcpy(mk_spec.u.identifier, identifier, FSCRYPT_KEY_IDENTIFIER_SIZE);
+
+- key = fscrypt_find_master_key(sb, &mk_spec);
+- if (IS_ERR(key)) {
+- err = PTR_ERR(key);
++ mk = fscrypt_find_master_key(sb, &mk_spec);
++ if (!mk) {
++ err = -ENOKEY;
+ goto out;
+ }
+- mk = key->payload.data[0];
++ down_read(&mk->mk_sem);
+ mk_user = find_master_key_user(mk);
+ if (IS_ERR(mk_user)) {
+ err = PTR_ERR(mk_user);
+@@ -791,7 +841,8 @@ int fscrypt_verify_key_added(struct super_block *sb,
+ key_put(mk_user);
+ err = 0;
+ }
+- key_put(key);
++ up_read(&mk->mk_sem);
++ fscrypt_put_master_key(mk);
+ out:
+ if (err == -ENOKEY && capable(CAP_FOWNER))
+ err = 0;
+@@ -953,11 +1004,10 @@ static int do_remove_key(struct file *filp, void __user *_uarg, bool all_users)
+ struct super_block *sb = file_inode(filp)->i_sb;
+ struct fscrypt_remove_key_arg __user *uarg = _uarg;
+ struct fscrypt_remove_key_arg arg;
+- struct key *key;
+ struct fscrypt_master_key *mk;
+ u32 status_flags = 0;
+ int err;
+- bool dead;
++ bool inodes_remain;
+
+ if (copy_from_user(&arg, uarg, sizeof(arg)))
+ return -EFAULT;
+@@ -977,12 +1027,10 @@ static int do_remove_key(struct file *filp, void __user *_uarg, bool all_users)
+ return -EACCES;
+
+ /* Find the key being removed. */
+- key = fscrypt_find_master_key(sb, &arg.key_spec);
+- if (IS_ERR(key))
+- return PTR_ERR(key);
+- mk = key->payload.data[0];
+-
+- down_write(&key->sem);
++ mk = fscrypt_find_master_key(sb, &arg.key_spec);
++ if (!mk)
++ return -ENOKEY;
++ down_write(&mk->mk_sem);
+
+ /* If relevant, remove current user's (or all users) claim to the key */
+ if (mk->mk_users && mk->mk_users->keys.nr_leaves_on_tree != 0) {
+@@ -991,7 +1039,7 @@ static int do_remove_key(struct file *filp, void __user *_uarg, bool all_users)
+ else
+ err = remove_master_key_user(mk);
+ if (err) {
+- up_write(&key->sem);
++ up_write(&mk->mk_sem);
+ goto out_put_key;
+ }
+ if (mk->mk_users->keys.nr_leaves_on_tree != 0) {
+@@ -1003,26 +1051,22 @@ static int do_remove_key(struct file *filp, void __user *_uarg, bool all_users)
+ status_flags |=
+ FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS;
+ err = 0;
+- up_write(&key->sem);
++ up_write(&mk->mk_sem);
+ goto out_put_key;
+ }
+ }
+
+ /* No user claims remaining. Go ahead and wipe the secret. */
+- dead = false;
++ err = -ENOKEY;
+ if (is_master_key_secret_present(&mk->mk_secret)) {
+ wipe_master_key_secret(&mk->mk_secret);
+- dead = refcount_dec_and_test(&mk->mk_refcount);
+- }
+- up_write(&key->sem);
+- if (dead) {
+- /*
+- * No inodes reference the key, and we wiped the secret, so the
+- * key object is free to be removed from the keyring.
+- */
+- key_invalidate(key);
++ fscrypt_put_master_key_activeref(mk);
+ err = 0;
+- } else {
++ }
++ inodes_remain = refcount_read(&mk->mk_active_refs) > 0;
++ up_write(&mk->mk_sem);
++
++ if (inodes_remain) {
+ /* Some inodes still reference this key; try to evict them. */
+ err = try_to_lock_encrypted_files(sb, mk);
+ if (err == -EBUSY) {
+@@ -1038,7 +1082,7 @@ static int do_remove_key(struct file *filp, void __user *_uarg, bool all_users)
+ * has been fully removed including all files locked.
+ */
+ out_put_key:
+- key_put(key);
++ fscrypt_put_master_key(mk);
+ if (err == 0)
+ err = put_user(status_flags, &uarg->removal_status_flags);
+ return err;
+@@ -1085,7 +1129,6 @@ int fscrypt_ioctl_get_key_status(struct file *filp, void __user *uarg)
+ {
+ struct super_block *sb = file_inode(filp)->i_sb;
+ struct fscrypt_get_key_status_arg arg;
+- struct key *key;
+ struct fscrypt_master_key *mk;
+ int err;
+
+@@ -1102,19 +1145,18 @@ int fscrypt_ioctl_get_key_status(struct file *filp, void __user *uarg)
+ arg.user_count = 0;
+ memset(arg.__out_reserved, 0, sizeof(arg.__out_reserved));
+
+- key = fscrypt_find_master_key(sb, &arg.key_spec);
+- if (IS_ERR(key)) {
+- if (key != ERR_PTR(-ENOKEY))
+- return PTR_ERR(key);
++ mk = fscrypt_find_master_key(sb, &arg.key_spec);
++ if (!mk) {
+ arg.status = FSCRYPT_KEY_STATUS_ABSENT;
+ err = 0;
+ goto out;
+ }
+- mk = key->payload.data[0];
+- down_read(&key->sem);
++ down_read(&mk->mk_sem);
+
+ if (!is_master_key_secret_present(&mk->mk_secret)) {
+- arg.status = FSCRYPT_KEY_STATUS_INCOMPLETELY_REMOVED;
++ arg.status = refcount_read(&mk->mk_active_refs) > 0 ?
++ FSCRYPT_KEY_STATUS_INCOMPLETELY_REMOVED :
++ FSCRYPT_KEY_STATUS_ABSENT /* raced with full removal */;
+ err = 0;
+ goto out_release_key;
+ }
+@@ -1136,8 +1178,8 @@ int fscrypt_ioctl_get_key_status(struct file *filp, void __user *uarg)
+ }
+ err = 0;
+ out_release_key:
+- up_read(&key->sem);
+- key_put(key);
++ up_read(&mk->mk_sem);
++ fscrypt_put_master_key(mk);
+ out:
+ if (!err && copy_to_user(uarg, &arg, sizeof(arg)))
+ err = -EFAULT;
+@@ -1149,13 +1191,9 @@ int __init fscrypt_init_keyring(void)
+ {
+ int err;
+
+- err = register_key_type(&key_type_fscrypt);
+- if (err)
+- return err;
+-
+ err = register_key_type(&key_type_fscrypt_user);
+ if (err)
+- goto err_unregister_fscrypt;
++ return err;
+
+ err = register_key_type(&key_type_fscrypt_provisioning);
+ if (err)
+@@ -1165,7 +1203,5 @@ int __init fscrypt_init_keyring(void)
+
+ err_unregister_fscrypt_user:
+ unregister_key_type(&key_type_fscrypt_user);
+-err_unregister_fscrypt:
+- unregister_key_type(&key_type_fscrypt);
+ return err;
+ }
+diff --git a/fs/crypto/keysetup.c b/fs/crypto/keysetup.c
+index fbc71abdabe3..e037a7b8e9e4 100644
+--- a/fs/crypto/keysetup.c
++++ b/fs/crypto/keysetup.c
+@@ -9,7 +9,6 @@
+ */
+
+ #include <crypto/skcipher.h>
+-#include <linux/key.h>
+ #include <linux/random.h>
+
+ #include "fscrypt_private.h"
+@@ -159,6 +158,7 @@ void fscrypt_destroy_prepared_key(struct fscrypt_prepared_key *prep_key)
+ {
+ crypto_free_skcipher(prep_key->tfm);
+ fscrypt_destroy_inline_crypt_key(prep_key);
++ memzero_explicit(prep_key, sizeof(*prep_key));
+ }
+
+ /* Given a per-file encryption key, set up the file's crypto transform object */
+@@ -412,20 +412,18 @@ static bool fscrypt_valid_master_key_size(const struct fscrypt_master_key *mk,
+ /*
+ * Find the master key, then set up the inode's actual encryption key.
+ *
+- * If the master key is found in the filesystem-level keyring, then the
+- * corresponding 'struct key' is returned in *master_key_ret with its semaphore
+- * read-locked. This is needed to ensure that only one task links the
+- * fscrypt_info into ->mk_decrypted_inodes (as multiple tasks may race to create
+- * an fscrypt_info for the same inode), and to synchronize the master key being
+- * removed with a new inode starting to use it.
++ * If the master key is found in the filesystem-level keyring, then it is
++ * returned in *mk_ret with its semaphore read-locked. This is needed to ensure
++ * that only one task links the fscrypt_info into ->mk_decrypted_inodes (as
++ * multiple tasks may race to create an fscrypt_info for the same inode), and to
++ * synchronize the master key being removed with a new inode starting to use it.
+ */
+ static int setup_file_encryption_key(struct fscrypt_info *ci,
+ bool need_dirhash_key,
+- struct key **master_key_ret)
++ struct fscrypt_master_key **mk_ret)
+ {
+- struct key *key;
+- struct fscrypt_master_key *mk = NULL;
+ struct fscrypt_key_specifier mk_spec;
++ struct fscrypt_master_key *mk;
+ int err;
+
+ err = fscrypt_select_encryption_impl(ci);
+@@ -436,11 +434,10 @@ static int setup_file_encryption_key(struct fscrypt_info *ci,
+ if (err)
+ return err;
+
+- key = fscrypt_find_master_key(ci->ci_inode->i_sb, &mk_spec);
+- if (IS_ERR(key)) {
+- if (key != ERR_PTR(-ENOKEY) ||
+- ci->ci_policy.version != FSCRYPT_POLICY_V1)
+- return PTR_ERR(key);
++ mk = fscrypt_find_master_key(ci->ci_inode->i_sb, &mk_spec);
++ if (!mk) {
++ if (ci->ci_policy.version != FSCRYPT_POLICY_V1)
++ return -ENOKEY;
+
+ /*
+ * As a legacy fallback for v1 policies, search for the key in
+@@ -450,9 +447,7 @@ static int setup_file_encryption_key(struct fscrypt_info *ci,
+ */
+ return fscrypt_setup_v1_file_key_via_subscribed_keyrings(ci);
+ }
+-
+- mk = key->payload.data[0];
+- down_read(&key->sem);
++ down_read(&mk->mk_sem);
+
+ /* Has the secret been removed (via FS_IOC_REMOVE_ENCRYPTION_KEY)? */
+ if (!is_master_key_secret_present(&mk->mk_secret)) {
+@@ -480,18 +475,18 @@ static int setup_file_encryption_key(struct fscrypt_info *ci,
+ if (err)
+ goto out_release_key;
+
+- *master_key_ret = key;
++ *mk_ret = mk;
+ return 0;
+
+ out_release_key:
+- up_read(&key->sem);
+- key_put(key);
++ up_read(&mk->mk_sem);
++ fscrypt_put_master_key(mk);
+ return err;
+ }
+
+ static void put_crypt_info(struct fscrypt_info *ci)
+ {
+- struct key *key;
++ struct fscrypt_master_key *mk;
+
+ if (!ci)
+ return;
+@@ -501,24 +496,18 @@ static void put_crypt_info(struct fscrypt_info *ci)
+ else if (ci->ci_owns_key)
+ fscrypt_destroy_prepared_key(&ci->ci_enc_key);
+
+- key = ci->ci_master_key;
+- if (key) {
+- struct fscrypt_master_key *mk = key->payload.data[0];
+-
++ mk = ci->ci_master_key;
++ if (mk) {
+ /*
+ * Remove this inode from the list of inodes that were unlocked
+- * with the master key.
+- *
+- * In addition, if we're removing the last inode from a key that
+- * already had its secret removed, invalidate the key so that it
+- * gets removed from ->s_master_keys.
++ * with the master key. In addition, if we're removing the last
++ * inode from a master key struct that already had its secret
++ * removed, then complete the full removal of the struct.
+ */
+ spin_lock(&mk->mk_decrypted_inodes_lock);
+ list_del(&ci->ci_master_key_link);
+ spin_unlock(&mk->mk_decrypted_inodes_lock);
+- if (refcount_dec_and_test(&mk->mk_refcount))
+- key_invalidate(key);
+- key_put(key);
++ fscrypt_put_master_key_activeref(mk);
+ }
+ memzero_explicit(ci, sizeof(*ci));
+ kmem_cache_free(fscrypt_info_cachep, ci);
+@@ -532,7 +521,7 @@ fscrypt_setup_encryption_info(struct inode *inode,
+ {
+ struct fscrypt_info *crypt_info;
+ struct fscrypt_mode *mode;
+- struct key *master_key = NULL;
++ struct fscrypt_master_key *mk = NULL;
+ int res;
+
+ res = fscrypt_initialize(inode->i_sb->s_cop->flags);
+@@ -555,8 +544,7 @@ fscrypt_setup_encryption_info(struct inode *inode,
+ WARN_ON(mode->ivsize > FSCRYPT_MAX_IV_SIZE);
+ crypt_info->ci_mode = mode;
+
+- res = setup_file_encryption_key(crypt_info, need_dirhash_key,
+- &master_key);
++ res = setup_file_encryption_key(crypt_info, need_dirhash_key, &mk);
+ if (res)
+ goto out;
+
+@@ -571,12 +559,9 @@ fscrypt_setup_encryption_info(struct inode *inode,
+ * We won the race and set ->i_crypt_info to our crypt_info.
+ * Now link it into the master key's inode list.
+ */
+- if (master_key) {
+- struct fscrypt_master_key *mk =
+- master_key->payload.data[0];
+-
+- refcount_inc(&mk->mk_refcount);
+- crypt_info->ci_master_key = key_get(master_key);
++ if (mk) {
++ crypt_info->ci_master_key = mk;
++ refcount_inc(&mk->mk_active_refs);
+ spin_lock(&mk->mk_decrypted_inodes_lock);
+ list_add(&crypt_info->ci_master_key_link,
+ &mk->mk_decrypted_inodes);
+@@ -586,9 +571,9 @@ fscrypt_setup_encryption_info(struct inode *inode,
+ }
+ res = 0;
+ out:
+- if (master_key) {
+- up_read(&master_key->sem);
+- key_put(master_key);
++ if (mk) {
++ up_read(&mk->mk_sem);
++ fscrypt_put_master_key(mk);
+ }
+ put_crypt_info(crypt_info);
+ return res;
+@@ -753,7 +738,6 @@ EXPORT_SYMBOL(fscrypt_free_inode);
+ int fscrypt_drop_inode(struct inode *inode)
+ {
+ const struct fscrypt_info *ci = fscrypt_get_info(inode);
+- const struct fscrypt_master_key *mk;
+
+ /*
+ * If ci is NULL, then the inode doesn't have an encryption key set up
+@@ -763,7 +747,6 @@ int fscrypt_drop_inode(struct inode *inode)
+ */
+ if (!ci || !ci->ci_master_key)
+ return 0;
+- mk = ci->ci_master_key->payload.data[0];
+
+ /*
+ * With proper, non-racy use of FS_IOC_REMOVE_ENCRYPTION_KEY, all inodes
+@@ -782,6 +765,6 @@ int fscrypt_drop_inode(struct inode *inode)
+ * then the thread removing the key will either evict the inode itself
+ * or will correctly detect that it wasn't evicted due to the race.
+ */
+- return !is_master_key_secret_present(&mk->mk_secret);
++ return !is_master_key_secret_present(&ci->ci_master_key->mk_secret);
+ }
+ EXPORT_SYMBOL_GPL(fscrypt_drop_inode);
+diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c
+index 80b8ca0f340b..8485e7eaee2b 100644
+--- a/fs/crypto/policy.c
++++ b/fs/crypto/policy.c
+@@ -744,12 +744,8 @@ int fscrypt_set_context(struct inode *inode, void *fs_data)
+ * delayed key setup that requires the inode number.
+ */
+ if (ci->ci_policy.version == FSCRYPT_POLICY_V2 &&
+- (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) {
+- const struct fscrypt_master_key *mk =
+- ci->ci_master_key->payload.data[0];
+-
+- fscrypt_hash_inode_number(ci, mk);
+- }
++ (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32))
++ fscrypt_hash_inode_number(ci, ci->ci_master_key);
+
+ return inode->i_sb->s_cop->set_context(inode, &ctx, ctxsize, fs_data);
+ }
+diff --git a/fs/super.c b/fs/super.c
+index 734ed584a946..6a82660e1adb 100644
+--- a/fs/super.c
++++ b/fs/super.c
+@@ -291,7 +291,6 @@ static void __put_super(struct super_block *s)
+ WARN_ON(s->s_inode_lru.node);
+ WARN_ON(!list_empty(&s->s_mounts));
+ security_sb_free(s);
+- fscrypt_sb_free(s);
+ put_user_ns(s->s_user_ns);
+ kfree(s->s_subtype);
+ call_rcu(&s->rcu, destroy_super_rcu);
+@@ -480,6 +479,7 @@ void generic_shutdown_super(struct super_block *sb)
+ evict_inodes(sb);
+ /* only nonzero refcount inodes can have marks */
+ fsnotify_sb_delete(sb);
++ fscrypt_sb_delete(sb);
+ security_sb_delete(sb);
+
+ if (sb->s_dio_done_wq) {
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 56a4b4b02477..7203f5582fd4 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -1472,7 +1472,7 @@ struct super_block {
+ const struct xattr_handler **s_xattr;
+ #ifdef CONFIG_FS_ENCRYPTION
+ const struct fscrypt_operations *s_cop;
+- struct key *s_master_keys; /* master crypto keys in use */
++ struct fscrypt_keyring *s_master_keys; /* master crypto keys in use */
+ #endif
+ #ifdef CONFIG_FS_VERITY
+ const struct fsverity_operations *s_vop;
+diff --git a/include/linux/fscrypt.h b/include/linux/fscrypt.h
+index 7d2f1e0f23b1..d86f43bd9550 100644
+--- a/include/linux/fscrypt.h
++++ b/include/linux/fscrypt.h
+@@ -312,7 +312,7 @@ fscrypt_free_dummy_policy(struct fscrypt_dummy_policy *dummy_policy)
+ }
+
+ /* keyring.c */
+-void fscrypt_sb_free(struct super_block *sb);
++void fscrypt_sb_delete(struct super_block *sb);
+ int fscrypt_ioctl_add_key(struct file *filp, void __user *arg);
+ int fscrypt_add_test_dummy_key(struct super_block *sb,
+ const struct fscrypt_dummy_policy *dummy_policy);
+@@ -526,7 +526,7 @@ fscrypt_free_dummy_policy(struct fscrypt_dummy_policy *dummy_policy)
+ }
+
+ /* keyring.c */
+-static inline void fscrypt_sb_free(struct super_block *sb)
++static inline void fscrypt_sb_delete(struct super_block *sb)
+ {
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 9b88d0d2e3e07889b90f8cd007c2a68f7da52233 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jan 2022 15:34:11 +0800
+Subject: fsi: core: Check error number after calling ida_simple_get
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 35af9fb49bc5c6d61ef70b501c3a56fe161cce3e ]
+
+If allocation fails, the ida_simple_get() will return error number.
+So master->idx could be error number and be used in dev_set_name().
+Therefore, it should be better to check it and return error if fails,
+like the ida_simple_get() in __fsi_get_new_minor().
+
+Fixes: 09aecfab93b8 ("drivers/fsi: Add fsi master definition")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Reviewed-by: Eddie James <eajames@linux.ibm.com>
+Link: https://lore.kernel.org/r/20220111073411.614138-1-jiasheng@iscas.ac.cn
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fsi/fsi-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c
+index 3a7b78e36701..5858e6339a10 100644
+--- a/drivers/fsi/fsi-core.c
++++ b/drivers/fsi/fsi-core.c
+@@ -1314,6 +1314,9 @@ int fsi_master_register(struct fsi_master *master)
+
+ mutex_init(&master->scan_lock);
+ master->idx = ida_simple_get(&master_ida, 0, INT_MAX, GFP_KERNEL);
++ if (master->idx < 0)
++ return master->idx;
++
+ dev_set_name(&master->dev, "fsi%d", master->idx);
+ master->dev.class = &fsi_master_class;
+
+--
+2.35.1
+
--- /dev/null
+From 0e2d0ea45d17e526358fe2d168129f8922c2e68b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Apr 2022 08:59:11 +0000
+Subject: fsi: master-ast-cf: Fix missing of_node_put in fsi_master_acf_probe
+
+From: Lv Ruyi <lv.ruyi@zte.com.cn>
+
+[ Upstream commit 182d98e00e4745fe253cb0c24c63bbac253464a2 ]
+
+of_parse_phandle returns node pointer with refcount incremented, use
+of_node_put() on it when done.
+
+Reported-by: Zeal Robot <zealci@zte.com.cn>
+Signed-off-by: Lv Ruyi <lv.ruyi@zte.com.cn>
+Link: https://lore.kernel.org/r/20220407085911.2491719-1-lv.ruyi@zte.com.cn
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fsi/fsi-master-ast-cf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/fsi/fsi-master-ast-cf.c b/drivers/fsi/fsi-master-ast-cf.c
+index 24292acdbaf8..5f608ef8b53c 100644
+--- a/drivers/fsi/fsi-master-ast-cf.c
++++ b/drivers/fsi/fsi-master-ast-cf.c
+@@ -1324,12 +1324,14 @@ static int fsi_master_acf_probe(struct platform_device *pdev)
+ }
+ master->cvic = devm_of_iomap(&pdev->dev, np, 0, NULL);
+ if (IS_ERR(master->cvic)) {
++ of_node_put(np);
+ rc = PTR_ERR(master->cvic);
+ dev_err(&pdev->dev, "Error %d mapping CVIC\n", rc);
+ goto err_free;
+ }
+ rc = of_property_read_u32(np, "copro-sw-interrupts",
+ &master->cvic_sw_irq);
++ of_node_put(np);
+ if (rc) {
+ dev_err(&pdev->dev, "Can't find coprocessor SW interrupt\n");
+ goto err_free;
+--
+2.35.1
+
--- /dev/null
+From 38dd4dbcec2bc5c17635735dc807dfef21ddf22b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 May 2022 14:44:24 -0500
+Subject: fsi: occ: Prevent use after free
+
+From: Eddie James <eajames@linux.ibm.com>
+
+[ Upstream commit d3e1e24604031b0d83b6c2d38f54eeea265cfcc0 ]
+
+Use get_device and put_device in the open and close functions to
+make sure the device doesn't get freed while a file descriptor is
+open.
+Also, lock around the freeing of the device buffer and check the
+buffer before using it in the submit function.
+
+Signed-off-by: Eddie James <eajames@linux.ibm.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20220513194424.53468-1-eajames@linux.ibm.com
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fsi/fsi-occ.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/fsi/fsi-occ.c b/drivers/fsi/fsi-occ.c
+index c9cc75fbdfb9..28c176d038a2 100644
+--- a/drivers/fsi/fsi-occ.c
++++ b/drivers/fsi/fsi-occ.c
+@@ -94,6 +94,7 @@ static int occ_open(struct inode *inode, struct file *file)
+ client->occ = occ;
+ mutex_init(&client->lock);
+ file->private_data = client;
++ get_device(occ->dev);
+
+ /* We allocate a 1-page buffer, make sure it all fits */
+ BUILD_BUG_ON((OCC_CMD_DATA_BYTES + 3) > PAGE_SIZE);
+@@ -197,6 +198,7 @@ static int occ_release(struct inode *inode, struct file *file)
+ {
+ struct occ_client *client = file->private_data;
+
++ put_device(client->occ->dev);
+ free_page((unsigned long)client->buffer);
+ kfree(client);
+
+@@ -493,12 +495,19 @@ int fsi_occ_submit(struct device *dev, const void *request, size_t req_len,
+ for (i = 1; i < req_len - 2; ++i)
+ checksum += byte_request[i];
+
+- mutex_lock(&occ->occ_lock);
++ rc = mutex_lock_interruptible(&occ->occ_lock);
++ if (rc)
++ return rc;
+
+ occ->client_buffer = response;
+ occ->client_buffer_size = user_resp_len;
+ occ->client_response_size = 0;
+
++ if (!occ->buffer) {
++ rc = -ENOENT;
++ goto done;
++ }
++
+ /*
+ * Get a sequence number and update the counter. Avoid a sequence
+ * number of 0 which would pass the response check below even if the
+@@ -671,10 +680,13 @@ static int occ_remove(struct platform_device *pdev)
+ {
+ struct occ *occ = platform_get_drvdata(pdev);
+
+- kvfree(occ->buffer);
+-
+ misc_deregister(&occ->mdev);
+
++ mutex_lock(&occ->occ_lock);
++ kvfree(occ->buffer);
++ occ->buffer = NULL;
++ mutex_unlock(&occ->occ_lock);
++
+ device_for_each_child(&pdev->dev, NULL, occ_unregister_child);
+
+ ida_simple_remove(&occ_ida, occ->idx);
+--
+2.35.1
+
--- /dev/null
+From a88fe03cfa1c0412a5840ef0e70e445a1d4514d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 17:41:46 -0700
+Subject: ftrace: Fix recursive locking direct_mutex in
+ ftrace_modify_direct_caller
+
+From: Song Liu <song@kernel.org>
+
+[ Upstream commit 9d2ce78ddcee159eb6a97449e9c68b6d60b9cec4 ]
+
+Naveen reported recursive locking of direct_mutex with sample
+ftrace-direct-modify.ko:
+
+[ 74.762406] WARNING: possible recursive locking detected
+[ 74.762887] 6.0.0-rc6+ #33 Not tainted
+[ 74.763216] --------------------------------------------
+[ 74.763672] event-sample-fn/1084 is trying to acquire lock:
+[ 74.764152] ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \
+ register_ftrace_function+0x1f/0x180
+[ 74.764922]
+[ 74.764922] but task is already holding lock:
+[ 74.765421] ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \
+ modify_ftrace_direct+0x34/0x1f0
+[ 74.766142]
+[ 74.766142] other info that might help us debug this:
+[ 74.766701] Possible unsafe locking scenario:
+[ 74.766701]
+[ 74.767216] CPU0
+[ 74.767437] ----
+[ 74.767656] lock(direct_mutex);
+[ 74.767952] lock(direct_mutex);
+[ 74.768245]
+[ 74.768245] *** DEADLOCK ***
+[ 74.768245]
+[ 74.768750] May be due to missing lock nesting notation
+[ 74.768750]
+[ 74.769332] 1 lock held by event-sample-fn/1084:
+[ 74.769731] #0: ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \
+ modify_ftrace_direct+0x34/0x1f0
+[ 74.770496]
+[ 74.770496] stack backtrace:
+[ 74.770884] CPU: 4 PID: 1084 Comm: event-sample-fn Not tainted ...
+[ 74.771498] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), ...
+[ 74.772474] Call Trace:
+[ 74.772696] <TASK>
+[ 74.772896] dump_stack_lvl+0x44/0x5b
+[ 74.773223] __lock_acquire.cold.74+0xac/0x2b7
+[ 74.773616] lock_acquire+0xd2/0x310
+[ 74.773936] ? register_ftrace_function+0x1f/0x180
+[ 74.774357] ? lock_is_held_type+0xd8/0x130
+[ 74.774744] ? my_tramp2+0x11/0x11 [ftrace_direct_modify]
+[ 74.775213] __mutex_lock+0x99/0x1010
+[ 74.775536] ? register_ftrace_function+0x1f/0x180
+[ 74.775954] ? slab_free_freelist_hook.isra.43+0x115/0x160
+[ 74.776424] ? ftrace_set_hash+0x195/0x220
+[ 74.776779] ? register_ftrace_function+0x1f/0x180
+[ 74.777194] ? kfree+0x3e1/0x440
+[ 74.777482] ? my_tramp2+0x11/0x11 [ftrace_direct_modify]
+[ 74.777941] ? __schedule+0xb40/0xb40
+[ 74.778258] ? register_ftrace_function+0x1f/0x180
+[ 74.778672] ? my_tramp1+0xf/0xf [ftrace_direct_modify]
+[ 74.779128] register_ftrace_function+0x1f/0x180
+[ 74.779527] ? ftrace_set_filter_ip+0x33/0x70
+[ 74.779910] ? __schedule+0xb40/0xb40
+[ 74.780231] ? my_tramp1+0xf/0xf [ftrace_direct_modify]
+[ 74.780678] ? my_tramp2+0x11/0x11 [ftrace_direct_modify]
+[ 74.781147] ftrace_modify_direct_caller+0x5b/0x90
+[ 74.781563] ? 0xffffffffa0201000
+[ 74.781859] ? my_tramp1+0xf/0xf [ftrace_direct_modify]
+[ 74.782309] modify_ftrace_direct+0x1b2/0x1f0
+[ 74.782690] ? __schedule+0xb40/0xb40
+[ 74.783014] ? simple_thread+0x2a/0xb0 [ftrace_direct_modify]
+[ 74.783508] ? __schedule+0xb40/0xb40
+[ 74.783832] ? my_tramp2+0x11/0x11 [ftrace_direct_modify]
+[ 74.784294] simple_thread+0x76/0xb0 [ftrace_direct_modify]
+[ 74.784766] kthread+0xf5/0x120
+[ 74.785052] ? kthread_complete_and_exit+0x20/0x20
+[ 74.785464] ret_from_fork+0x22/0x30
+[ 74.785781] </TASK>
+
+Fix this by using register_ftrace_function_nolock in
+ftrace_modify_direct_caller.
+
+Link: https://lkml.kernel.org/r/20220927004146.1215303-1-song@kernel.org
+
+Fixes: 53cd885bc5c3 ("ftrace: Allow IPMODIFY and DIRECT ops on the same function")
+Reported-and-tested-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/ftrace.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 2edda4962367..83362a155791 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -5439,6 +5439,8 @@ static struct ftrace_ops stub_ops = {
+ * it is safe to modify the ftrace record, where it should be
+ * currently calling @old_addr directly, to call @new_addr.
+ *
++ * This is called with direct_mutex locked.
++ *
+ * Safety checks should be made to make sure that the code at
+ * @rec->ip is currently calling @old_addr. And this must
+ * also update entry->direct to @new_addr.
+@@ -5451,6 +5453,8 @@ int __weak ftrace_modify_direct_caller(struct ftrace_func_entry *entry,
+ unsigned long ip = rec->ip;
+ int ret;
+
++ lockdep_assert_held(&direct_mutex);
++
+ /*
+ * The ftrace_lock was used to determine if the record
+ * had more than one registered user to it. If it did,
+@@ -5473,7 +5477,7 @@ int __weak ftrace_modify_direct_caller(struct ftrace_func_entry *entry,
+ if (ret)
+ goto out_lock;
+
+- ret = register_ftrace_function(&stub_ops);
++ ret = register_ftrace_function_nolock(&stub_ops);
+ if (ret) {
+ ftrace_set_filter_ip(&stub_ops, ip, 1, 0);
+ goto out_lock;
+--
+2.35.1
+
--- /dev/null
+From 1e6acc9484262499cdc1df7b7051273c3341a80a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 15:31:19 +0800
+Subject: gpu: lontium-lt9611: Fix NULL pointer dereference in
+ lt9611_connector_init()
+
+From: Zeng Jingxiang <linuszeng@tencent.com>
+
+[ Upstream commit ef8886f321c5dab8124b9153d25afa2a71d05323 ]
+
+A NULL check for bridge->encoder shows that it may be NULL, but it
+already been dereferenced on all paths leading to the check.
+812 if (!bridge->encoder) {
+
+Dereference the pointer bridge->encoder.
+810 drm_connector_attach_encoder(<9611->connector, bridge->encoder);
+
+Signed-off-by: Zeng Jingxiang <linuszeng@tencent.com>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220727073119.1578972-1-zengjx95@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/lontium-lt9611.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/lontium-lt9611.c b/drivers/gpu/drm/bridge/lontium-lt9611.c
+index 8a60e83482a0..5fccacc159f0 100644
+--- a/drivers/gpu/drm/bridge/lontium-lt9611.c
++++ b/drivers/gpu/drm/bridge/lontium-lt9611.c
+@@ -813,13 +813,14 @@ static int lt9611_connector_init(struct drm_bridge *bridge, struct lt9611 *lt961
+
+ drm_connector_helper_add(<9611->connector,
+ <9611_bridge_connector_helper_funcs);
+- drm_connector_attach_encoder(<9611->connector, bridge->encoder);
+
+ if (!bridge->encoder) {
+ DRM_ERROR("Parent encoder object not found");
+ return -ENODEV;
+ }
+
++ drm_connector_attach_encoder(<9611->connector, bridge->encoder);
++
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From e067f3eae04f2cd15f85ad1aa5ec1126ed273d06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 16:23:56 +0300
+Subject: habanalabs: ignore EEPROM errors during boot
+
+From: Ofir Bitton <obitton@habana.ai>
+
+[ Upstream commit d155df4f628a5312a485235aa8cc5ba78e11ea65 ]
+
+EEPROM errors reported by firmware are basically warnings and
+should not fail the boot process.
+
+Signed-off-by: Ofir Bitton <obitton@habana.ai>
+Reviewed-by: Oded Gabbay <ogabbay@kernel.org>
+Signed-off-by: Oded Gabbay <ogabbay@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/habanalabs/common/firmware_if.c | 9 +++++++++
+ drivers/misc/habanalabs/include/common/hl_boot_if.h | 5 +++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/drivers/misc/habanalabs/common/firmware_if.c b/drivers/misc/habanalabs/common/firmware_if.c
+index 608ca67527a5..4a3350ee87d3 100644
+--- a/drivers/misc/habanalabs/common/firmware_if.c
++++ b/drivers/misc/habanalabs/common/firmware_if.c
+@@ -581,6 +581,15 @@ static bool fw_report_boot_dev0(struct hl_device *hdev, u32 err_val,
+ dev_dbg(hdev->dev, "Device status0 %#x\n", sts_val);
+
+ /* All warnings should go here in order not to reach the unknown error validation */
++ if (err_val & CPU_BOOT_ERR0_EEPROM_FAIL) {
++ dev_warn(hdev->dev,
++ "Device boot warning - EEPROM failure detected, default settings applied\n");
++ /* This is a warning so we don't want it to disable the
++ * device
++ */
++ err_val &= ~CPU_BOOT_ERR0_EEPROM_FAIL;
++ }
++
+ if (err_val & CPU_BOOT_ERR0_DRAM_SKIPPED) {
+ dev_warn(hdev->dev,
+ "Device boot warning - Skipped DRAM initialization\n");
+diff --git a/drivers/misc/habanalabs/include/common/hl_boot_if.h b/drivers/misc/habanalabs/include/common/hl_boot_if.h
+index a3594119bc51..3e705355c9cc 100644
+--- a/drivers/misc/habanalabs/include/common/hl_boot_if.h
++++ b/drivers/misc/habanalabs/include/common/hl_boot_if.h
+@@ -34,6 +34,7 @@ enum cpu_boot_err {
+ CPU_BOOT_ERR_BINNING_FAIL = 19,
+ CPU_BOOT_ERR_TPM_FAIL = 20,
+ CPU_BOOT_ERR_TMP_THRESH_INIT_FAIL = 21,
++ CPU_BOOT_ERR_EEPROM_FAIL = 22,
+ CPU_BOOT_ERR_ENABLED = 31,
+ CPU_BOOT_ERR_SCND_EN = 63,
+ CPU_BOOT_ERR_LAST = 64 /* we have 2 registers of 32 bits */
+@@ -115,6 +116,9 @@ enum cpu_boot_err {
+ * CPU_BOOT_ERR0_TMP_THRESH_INIT_FAIL Failed to set threshold for tmperature
+ * sensor.
+ *
++ * CPU_BOOT_ERR_EEPROM_FAIL Failed reading EEPROM data. Defaults
++ * are used.
++ *
+ * CPU_BOOT_ERR0_ENABLED Error registers enabled.
+ * This is a main indication that the
+ * running FW populates the error
+@@ -139,6 +143,7 @@ enum cpu_boot_err {
+ #define CPU_BOOT_ERR0_BINNING_FAIL (1 << CPU_BOOT_ERR_BINNING_FAIL)
+ #define CPU_BOOT_ERR0_TPM_FAIL (1 << CPU_BOOT_ERR_TPM_FAIL)
+ #define CPU_BOOT_ERR0_TMP_THRESH_INIT_FAIL (1 << CPU_BOOT_ERR_TMP_THRESH_INIT_FAIL)
++#define CPU_BOOT_ERR0_EEPROM_FAIL (1 << CPU_BOOT_ERR_EEPROM_FAIL)
+ #define CPU_BOOT_ERR0_ENABLED (1 << CPU_BOOT_ERR_ENABLED)
+ #define CPU_BOOT_ERR1_ENABLED (1 << CPU_BOOT_ERR_ENABLED)
+
+--
+2.35.1
+
--- /dev/null
+From a928eb142a44c95f2afeca52d15c285ff4d4bce8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 13:01:03 +0300
+Subject: habanalabs: remove some f/w descriptor validations
+
+From: farah kassabri <fkassabri@habana.ai>
+
+[ Upstream commit 6b9b9e244fdd0d6c5ee21b7b9d74282d9e43733a ]
+
+To be forward-backward compatible with the firmware in the initial
+communication during preboot, we need to remove the validation of the
+header size. This will allow us to add more fields to the
+lkd_fw_comms_desc structure.
+
+Instead of the validation of the header size, we just print warning
+when some mismatch in descriptor has been revealed, and we calculate
+the CRC base on descriptor size reported by the firmware instead of
+calculating it ourselves.
+
+Signed-off-by: farah kassabri <fkassabri@habana.ai>
+Reviewed-by: Oded Gabbay <ogabbay@kernel.org>
+Signed-off-by: Oded Gabbay <ogabbay@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/habanalabs/common/firmware_if.c | 43 +++++++-------------
+ 1 file changed, 14 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/misc/habanalabs/common/firmware_if.c b/drivers/misc/habanalabs/common/firmware_if.c
+index 4a3350ee87d3..b89a1e2c19d4 100644
+--- a/drivers/misc/habanalabs/common/firmware_if.c
++++ b/drivers/misc/habanalabs/common/firmware_if.c
+@@ -1863,50 +1863,36 @@ static int hl_fw_dynamic_validate_descriptor(struct hl_device *hdev,
+ u64 addr;
+ int rc;
+
+- if (le32_to_cpu(fw_desc->header.magic) != HL_COMMS_DESC_MAGIC) {
+- dev_err(hdev->dev, "Invalid magic for dynamic FW descriptor (%x)\n",
++ if (le32_to_cpu(fw_desc->header.magic) != HL_COMMS_DESC_MAGIC)
++ dev_warn(hdev->dev, "Invalid magic for dynamic FW descriptor (%x)\n",
+ fw_desc->header.magic);
+- return -EIO;
+- }
+
+- if (fw_desc->header.version != HL_COMMS_DESC_VER) {
+- dev_err(hdev->dev, "Invalid version for dynamic FW descriptor (%x)\n",
++ if (fw_desc->header.version != HL_COMMS_DESC_VER)
++ dev_warn(hdev->dev, "Invalid version for dynamic FW descriptor (%x)\n",
+ fw_desc->header.version);
+- return -EIO;
+- }
+
+ /*
+- * calc CRC32 of data without header.
++ * Calc CRC32 of data without header. use the size of the descriptor
++ * reported by firmware, without calculating it ourself, to allow adding
++ * more fields to the lkd_fw_comms_desc structure.
+ * note that no alignment/stride address issues here as all structures
+- * are 64 bit padded
++ * are 64 bit padded.
+ */
+- data_size = sizeof(struct lkd_fw_comms_desc) -
+- sizeof(struct comms_desc_header);
+ data_ptr = (u8 *)fw_desc + sizeof(struct comms_desc_header);
+-
+- if (le16_to_cpu(fw_desc->header.size) != data_size) {
+- dev_err(hdev->dev,
+- "Invalid descriptor size 0x%x, expected size 0x%zx\n",
+- le16_to_cpu(fw_desc->header.size), data_size);
+- return -EIO;
+- }
++ data_size = le16_to_cpu(fw_desc->header.size);
+
+ data_crc32 = hl_fw_compat_crc32(data_ptr, data_size);
+-
+ if (data_crc32 != le32_to_cpu(fw_desc->header.crc32)) {
+- dev_err(hdev->dev,
+- "CRC32 mismatch for dynamic FW descriptor (%x:%x)\n",
+- data_crc32, fw_desc->header.crc32);
++ dev_err(hdev->dev, "CRC32 mismatch for dynamic FW descriptor (%x:%x)\n",
++ data_crc32, fw_desc->header.crc32);
+ return -EIO;
+ }
+
+ /* find memory region to which to copy the image */
+ addr = le64_to_cpu(fw_desc->img_addr);
+ region_id = hl_get_pci_memory_region(hdev, addr);
+- if ((region_id != PCI_REGION_SRAM) &&
+- ((region_id != PCI_REGION_DRAM))) {
+- dev_err(hdev->dev,
+- "Invalid region to copy FW image address=%llx\n", addr);
++ if ((region_id != PCI_REGION_SRAM) && ((region_id != PCI_REGION_DRAM))) {
++ dev_err(hdev->dev, "Invalid region to copy FW image address=%llx\n", addr);
+ return -EIO;
+ }
+
+@@ -1923,8 +1909,7 @@ static int hl_fw_dynamic_validate_descriptor(struct hl_device *hdev,
+ fw_loader->dynamic_loader.fw_image_size,
+ region);
+ if (rc) {
+- dev_err(hdev->dev,
+- "invalid mem transfer request for FW image\n");
++ dev_err(hdev->dev, "invalid mem transfer request for FW image\n");
+ return rc;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 21ee5161576d2235be7c72cb1b1d65f38a4e7f1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 15:57:25 +0530
+Subject: HID: amd_sfh: Change dev_err to dev_dbg for additional debug info
+
+From: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+
+[ Upstream commit beb18bb22cd4fb88648bb2925d56f36131c1ac21 ]
+
+Users should only be notified at most one time on systems doesn't have
+any sensors connected or non-supported systems.
+
+Check the return code and don't display error messages in those
+conditions.
+
+Signed-off-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Stable-dep-of: 68266bdcceec ("HID: amd_sfh: Handle condition of "no sensors" for SFH1.1")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
+index 70436f9fad2f..d840efb4a2e2 100644
+--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
++++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
+@@ -286,13 +286,13 @@ int amd_sfh1_1_init(struct amd_mp2_dev *mp2)
+
+ phy_base <<= 21;
+ if (!devm_request_mem_region(dev, phy_base, 128 * 1024, "amd_sfh")) {
+- dev_err(dev, "can't reserve mmio registers\n");
++ dev_dbg(dev, "can't reserve mmio registers\n");
+ return -ENOMEM;
+ }
+
+ mp2->vsbase = devm_ioremap(dev, phy_base, 128 * 1024);
+ if (!mp2->vsbase) {
+- dev_err(dev, "failed to remap vsbase\n");
++ dev_dbg(dev, "failed to remap vsbase\n");
+ return -ENOMEM;
+ }
+
+@@ -301,7 +301,7 @@ int amd_sfh1_1_init(struct amd_mp2_dev *mp2)
+
+ memcpy_fromio(&binfo, mp2->vsbase, sizeof(struct sfh_base_info));
+ if (binfo.sbase.fw_info.fw_ver == 0 || binfo.sbase.s_list.sl.sensors == 0) {
+- dev_err(dev, "failed to get sensors\n");
++ dev_dbg(dev, "failed to get sensors\n");
+ return -EOPNOTSUPP;
+ }
+ dev_dbg(dev, "firmware version 0x%x\n", binfo.sbase.fw_info.fw_ver);
+--
+2.35.1
+
--- /dev/null
+From 545a737ffad47598f89345494d50b40dd0cfa611 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 15:57:26 +0530
+Subject: HID: amd_sfh: Handle condition of "no sensors" for SFH1.1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+
+[ Upstream commit 68266bdcceec10ea364e62c63732cd6fe5a256a8 ]
+
+Based on num_hid_devices, each sensor device registers to HID. If
+"no sensors" then amd_sfh work initialization and scheduling
+doesn’t make sense and return ENODEV to stop driver probe.
+Hence add a check for num_hid_devices to handle special
+case in the situation of "no sensors" for SFH1.1.
+
+Fixes: 93ce5e0231d7 ("HID: amd_sfh: Implement SFH1.1 functionality")
+Signed-off-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
+index d840efb4a2e2..4da2f9f62aba 100644
+--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
++++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
+@@ -110,6 +110,8 @@ static int amd_sfh1_1_hid_client_init(struct amd_mp2_dev *privdata)
+ amd_sfh1_1_set_desc_ops(mp2_ops);
+
+ cl_data->num_hid_devices = amd_sfh_get_sensor_num(privdata, &cl_data->sensor_idx[0]);
++ if (cl_data->num_hid_devices == 0)
++ return -ENODEV;
+
+ INIT_DELAYED_WORK(&cl_data->work, amd_sfh_work);
+ INIT_DELAYED_WORK(&cl_data->work_buffer, amd_sfh_work_buffer);
+--
+2.35.1
+
--- /dev/null
+From bdc0c73db8ce523e726c171da05b07c375823bde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 10:55:57 +0000
+Subject: HID: nintendo: check analog user calibration for plausibility
+
+From: Johnothan King <johnothanking@protonmail.com>
+
+[ Upstream commit 50503e360eeb968a3d00234c9cc4057d774c3e9a ]
+
+Arne Wendt writes:
+ Cheap clone controllers may (falsely) report as having a user
+ calibration for the analog sticks in place, but return
+ wrong/impossible values for the actual calibration data.
+ In the present case at mine, the controller reports having a
+ user calibration in place and successfully executes the read
+ commands. The reported user calibration however is
+ min = center = max = 0.
+
+ This pull request addresses problems of this kind by checking the
+ provided user calibration-data for plausibility (min < center < max)
+ and falling back to the default values if implausible.
+
+I'll note that I was experiencing a crash because of this bug when using
+the GuliKit KingKong 2 controller. The crash manifests as a divide by
+zero error in the kernel logs:
+kernel: divide error: 0000 [#1] PREEMPT SMP NOPTI
+
+Link: https://github.com/nicman23/dkms-hid-nintendo/pull/25
+Link: https://github.com/DanielOgorchock/linux/issues/36
+Co-authored-by: Arne Wendt <arne.wendt@tuhh.de>
+Signed-off-by: Johnothan King <johnothanking@protonmail.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Link: https://lore.kernel.org/r/gvpL2G6VwXGJPvxX5KRiu9pVjvTivgayug_jdKDY6zfuAaAqncP9BkKLosjwUXNlgVVTMfJSKfwPF1K79cKAkwGComyC21vCV3q9B3EXNkE=@protonmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-nintendo.c | 55 +++++++++++++++++++++-----------------
+ 1 file changed, 30 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/hid/hid-nintendo.c b/drivers/hid/hid-nintendo.c
+index 6028af3c3aae..c3774a468b22 100644
+--- a/drivers/hid/hid-nintendo.c
++++ b/drivers/hid/hid-nintendo.c
+@@ -760,12 +760,31 @@ static int joycon_read_stick_calibration(struct joycon_ctlr *ctlr, u16 cal_addr,
+ cal_y->max = cal_y->center + y_max_above;
+ cal_y->min = cal_y->center - y_min_below;
+
+- return 0;
++ /* check if calibration values are plausible */
++ if (cal_x->min >= cal_x->center || cal_x->center >= cal_x->max ||
++ cal_y->min >= cal_y->center || cal_y->center >= cal_y->max)
++ ret = -EINVAL;
++
++ return ret;
+ }
+
+ static const u16 DFLT_STICK_CAL_CEN = 2000;
+ static const u16 DFLT_STICK_CAL_MAX = 3500;
+ static const u16 DFLT_STICK_CAL_MIN = 500;
++static void joycon_use_default_calibration(struct hid_device *hdev,
++ struct joycon_stick_cal *cal_x,
++ struct joycon_stick_cal *cal_y,
++ const char *stick, int ret)
++{
++ hid_warn(hdev,
++ "Failed to read %s stick cal, using defaults; e=%d\n",
++ stick, ret);
++
++ cal_x->center = cal_y->center = DFLT_STICK_CAL_CEN;
++ cal_x->max = cal_y->max = DFLT_STICK_CAL_MAX;
++ cal_x->min = cal_y->min = DFLT_STICK_CAL_MIN;
++}
++
+ static int joycon_request_calibration(struct joycon_ctlr *ctlr)
+ {
+ u16 left_stick_addr = JC_CAL_FCT_DATA_LEFT_ADDR;
+@@ -793,38 +812,24 @@ static int joycon_request_calibration(struct joycon_ctlr *ctlr)
+ &ctlr->left_stick_cal_x,
+ &ctlr->left_stick_cal_y,
+ true);
+- if (ret) {
+- hid_warn(ctlr->hdev,
+- "Failed to read left stick cal, using dflts; e=%d\n",
+- ret);
+-
+- ctlr->left_stick_cal_x.center = DFLT_STICK_CAL_CEN;
+- ctlr->left_stick_cal_x.max = DFLT_STICK_CAL_MAX;
+- ctlr->left_stick_cal_x.min = DFLT_STICK_CAL_MIN;
+
+- ctlr->left_stick_cal_y.center = DFLT_STICK_CAL_CEN;
+- ctlr->left_stick_cal_y.max = DFLT_STICK_CAL_MAX;
+- ctlr->left_stick_cal_y.min = DFLT_STICK_CAL_MIN;
+- }
++ if (ret)
++ joycon_use_default_calibration(ctlr->hdev,
++ &ctlr->left_stick_cal_x,
++ &ctlr->left_stick_cal_y,
++ "left", ret);
+
+ /* read the right stick calibration data */
+ ret = joycon_read_stick_calibration(ctlr, right_stick_addr,
+ &ctlr->right_stick_cal_x,
+ &ctlr->right_stick_cal_y,
+ false);
+- if (ret) {
+- hid_warn(ctlr->hdev,
+- "Failed to read right stick cal, using dflts; e=%d\n",
+- ret);
+-
+- ctlr->right_stick_cal_x.center = DFLT_STICK_CAL_CEN;
+- ctlr->right_stick_cal_x.max = DFLT_STICK_CAL_MAX;
+- ctlr->right_stick_cal_x.min = DFLT_STICK_CAL_MIN;
+
+- ctlr->right_stick_cal_y.center = DFLT_STICK_CAL_CEN;
+- ctlr->right_stick_cal_y.max = DFLT_STICK_CAL_MAX;
+- ctlr->right_stick_cal_y.min = DFLT_STICK_CAL_MIN;
+- }
++ if (ret)
++ joycon_use_default_calibration(ctlr->hdev,
++ &ctlr->right_stick_cal_x,
++ &ctlr->right_stick_cal_y,
++ "right", ret);
+
+ hid_dbg(ctlr->hdev, "calibration:\n"
+ "l_x_c=%d l_x_max=%d l_x_min=%d\n"
+--
+2.35.1
+
--- /dev/null
+From 02c765f62c44f1eae17a0ad0a4428206099af84c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Sep 2022 12:31:15 -0700
+Subject: HID: roccat: Fix use-after-free in roccat_read()
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit cacdb14b1c8d3804a3a7d31773bc7569837b71a4 ]
+
+roccat_report_event() is responsible for registering
+roccat-related reports in struct roccat_device.
+
+int roccat_report_event(int minor, u8 const *data)
+{
+ struct roccat_device *device;
+ struct roccat_reader *reader;
+ struct roccat_report *report;
+ uint8_t *new_value;
+
+ device = devices[minor];
+
+ new_value = kmemdup(data, device->report_size, GFP_ATOMIC);
+ if (!new_value)
+ return -ENOMEM;
+
+ report = &device->cbuf[device->cbuf_end];
+
+ /* passing NULL is safe */
+ kfree(report->value);
+ ...
+
+The registered report is stored in the struct roccat_device member
+"struct roccat_report cbuf[ROCCAT_CBUF_SIZE];".
+If more reports are received than the "ROCCAT_CBUF_SIZE" value,
+kfree() the saved report from cbuf[0] and allocates a new reprot.
+Since there is no lock when this kfree() is performed,
+kfree() can be performed even while reading the saved report.
+
+static ssize_t roccat_read(struct file *file, char __user *buffer,
+ size_t count, loff_t *ppos)
+{
+ struct roccat_reader *reader = file->private_data;
+ struct roccat_device *device = reader->device;
+ struct roccat_report *report;
+ ssize_t retval = 0, len;
+ DECLARE_WAITQUEUE(wait, current);
+
+ mutex_lock(&device->cbuf_lock);
+
+ ...
+
+ report = &device->cbuf[reader->cbuf_start];
+ /*
+ * If report is larger than requested amount of data, rest of report
+ * is lost!
+ */
+ len = device->report_size > count ? count : device->report_size;
+
+ if (copy_to_user(buffer, report->value, len)) {
+ retval = -EFAULT;
+ goto exit_unlock;
+ }
+ ...
+
+The roccat_read() function receives the device->cbuf report and
+delivers it to the user through copy_to_user().
+If the N+ROCCAT_CBUF_SIZE th report is received while copying of
+the Nth report->value is in progress, the pointer that copy_to_user()
+is working on is kfree()ed and UAF read may occur. (race condition)
+
+Since the device node of this driver does not set separate permissions,
+this is not a security vulnerability, but because it is used for
+requesting screen display of profile or dpi settings,
+a user using the roccat device can apply udev to this device node or
+There is a possibility to use it by giving.
+
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-roccat.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c
+index 26373b82fe81..6da80e442fdd 100644
+--- a/drivers/hid/hid-roccat.c
++++ b/drivers/hid/hid-roccat.c
+@@ -257,6 +257,8 @@ int roccat_report_event(int minor, u8 const *data)
+ if (!new_value)
+ return -ENOMEM;
+
++ mutex_lock(&device->cbuf_lock);
++
+ report = &device->cbuf[device->cbuf_end];
+
+ /* passing NULL is safe */
+@@ -276,6 +278,8 @@ int roccat_report_event(int minor, u8 const *data)
+ reader->cbuf_start = (reader->cbuf_start + 1) % ROCCAT_CBUF_SIZE;
+ }
+
++ mutex_unlock(&device->cbuf_lock);
++
+ wake_up_interruptible(&device->wait);
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From ac2d2e8d1e07410c57864cfe6c65a561fde9ecca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Sep 2022 20:36:13 -0400
+Subject: hid: topre: Add driver fixing report descriptor
+
+From: Harry Stern <harry@harrystern.net>
+
+[ Upstream commit a109d5c45b3d6728b9430716b915afbe16eef27c ]
+
+The Topre REALFORCE R2 firmware incorrectly reports that interface
+descriptor number 1, input report descriptor 2's events are array events
+rather than variable events. That particular report descriptor is used
+to report keypresses when there are more than 6 keys held at a time.
+This bug prevents events from this interface from being registered
+properly, so only 6 keypresses (from a different interface) can be
+registered at once, rather than full n-key rollover.
+
+This commit fixes the bug by setting the correct value in a report_fixup
+function.
+
+The original bug report can be found here:
+Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/804
+
+Thanks to Benjamin Tissoires for diagnosing the issue with the report
+descriptor.
+
+Signed-off-by: Harry Stern <harry@harrystern.net>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Link: https://lore.kernel.org/r/20220911003614.297613-1-harry@harrystern.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/Kconfig | 6 +++++
+ drivers/hid/Makefile | 1 +
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/hid/hid-topre.c | 49 +++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 59 insertions(+)
+ create mode 100644 drivers/hid/hid-topre.c
+
+diff --git a/drivers/hid/Kconfig b/drivers/hid/Kconfig
+index 6ce92830b5d1..c4308d4988dc 100644
+--- a/drivers/hid/Kconfig
++++ b/drivers/hid/Kconfig
+@@ -1141,6 +1141,12 @@ config HID_TOPSEED
+ Say Y if you have a TopSeed Cyberlink or BTC Emprex or Conceptronic
+ CLLRCMCE remote control.
+
++config HID_TOPRE
++ tristate "Topre REALFORCE keyboards"
++ depends on HID
++ help
++ Say Y for N-key rollover support on Topre REALFORCE R2 108 key keyboards.
++
+ config HID_THINGM
+ tristate "ThingM blink(1) USB RGB LED"
+ depends on HID
+diff --git a/drivers/hid/Makefile b/drivers/hid/Makefile
+index b0bef8098139..bccaec0d77d3 100644
+--- a/drivers/hid/Makefile
++++ b/drivers/hid/Makefile
+@@ -123,6 +123,7 @@ obj-$(CONFIG_HID_GREENASIA) += hid-gaff.o
+ obj-$(CONFIG_HID_THRUSTMASTER) += hid-tmff.o hid-thrustmaster.o
+ obj-$(CONFIG_HID_TIVO) += hid-tivo.o
+ obj-$(CONFIG_HID_TOPSEED) += hid-topseed.o
++obj-$(CONFIG_HID_TOPRE) += hid-topre.o
+ obj-$(CONFIG_HID_TWINHAN) += hid-twinhan.o
+ obj-$(CONFIG_HID_U2FZERO) += hid-u2fzero.o
+ hid-uclogic-objs := hid-uclogic-core.o \
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index f80d6193fca6..50bab12d9476 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1231,6 +1231,9 @@
+ #define USB_DEVICE_ID_TIVO_SLIDE 0x1201
+ #define USB_DEVICE_ID_TIVO_SLIDE_PRO 0x1203
+
++#define USB_VENDOR_ID_TOPRE 0x0853
++#define USB_DEVICE_ID_TOPRE_REALFORCE_R2_108 0x0148
++
+ #define USB_VENDOR_ID_TOPSEED 0x0766
+ #define USB_DEVICE_ID_TOPSEED_CYBERLINK 0x0204
+
+diff --git a/drivers/hid/hid-topre.c b/drivers/hid/hid-topre.c
+new file mode 100644
+index 000000000000..88a91cdad5f8
+--- /dev/null
++++ b/drivers/hid/hid-topre.c
+@@ -0,0 +1,49 @@
++// SPDX-License-Identifier: GPL-2.0+
++/*
++ * HID driver for Topre REALFORCE Keyboards
++ *
++ * Copyright (c) 2022 Harry Stern <harry@harrystern.net>
++ *
++ * Based on the hid-macally driver
++ */
++
++#include <linux/hid.h>
++#include <linux/module.h>
++
++#include "hid-ids.h"
++
++MODULE_AUTHOR("Harry Stern <harry@harrystern.net>");
++MODULE_DESCRIPTION("REALFORCE R2 Keyboard driver");
++MODULE_LICENSE("GPL");
++
++/*
++ * Fix the REALFORCE R2's non-boot interface's report descriptor to match the
++ * events it's actually sending. It claims to send array events but is instead
++ * sending variable events.
++ */
++static __u8 *topre_report_fixup(struct hid_device *hdev, __u8 *rdesc,
++ unsigned int *rsize)
++{
++ if (*rsize >= 119 && rdesc[69] == 0x29 && rdesc[70] == 0xe7 &&
++ rdesc[71] == 0x81 && rdesc[72] == 0x00) {
++ hid_info(hdev,
++ "fixing up Topre REALFORCE keyboard report descriptor\n");
++ rdesc[72] = 0x02;
++ }
++ return rdesc;
++}
++
++static const struct hid_device_id topre_id_table[] = {
++ { HID_USB_DEVICE(USB_VENDOR_ID_TOPRE,
++ USB_DEVICE_ID_TOPRE_REALFORCE_R2_108) },
++ { }
++};
++MODULE_DEVICE_TABLE(hid, topre_id_table);
++
++static struct hid_driver topre_driver = {
++ .name = "topre",
++ .id_table = topre_id_table,
++ .report_fixup = topre_report_fixup,
++};
++
++module_hid_driver(topre_driver);
+--
+2.35.1
+
--- /dev/null
+From 9247c978b0ba75d0b93089148db8f9136568aca4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Aug 2022 16:26:15 +0200
+Subject: HID: uclogic: Add missing suffix for digitalizers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+[ Upstream commit 0977fda0587cbc5403651ba169e264aa01e8a026 ]
+
+The Pen (0x02) application usage was changed to Digitalizer (0x01) in
+commit f7d8e387d9ae ("HID: uclogic: Switch to Digitizer usage for
+styluses"). However, a suffix was not selected for the new usage.
+
+Handle the digitalizer application usage in uclogic_input_configured()
+and add the required suffix.
+
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Stable-dep-of: 609174edeb75 ("HID: uclogic: Fix warning in uclogic_rdesc_template_apply")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-uclogic-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hid/hid-uclogic-core.c b/drivers/hid/hid-uclogic-core.c
+index 47a17375c7fc..ff46604ef1d8 100644
+--- a/drivers/hid/hid-uclogic-core.c
++++ b/drivers/hid/hid-uclogic-core.c
+@@ -153,6 +153,7 @@ static int uclogic_input_configured(struct hid_device *hdev,
+ suffix = "Pad";
+ break;
+ case HID_DG_PEN:
++ case HID_DG_DIGITIZER:
+ suffix = "Pen";
+ break;
+ case HID_CP_CONSUMER_CONTROL:
+--
+2.35.1
+
--- /dev/null
+From b6bc2cb4470651e2ac93080336dc181d543bf967 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Aug 2022 16:27:06 +0200
+Subject: HID: uclogic: Fix warning in uclogic_rdesc_template_apply
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+[ Upstream commit 609174edeb758d1e2d713e7ab4e09ea8d45aa4f7 ]
+
+Building with Sparse enabled prints this warning:
+
+ warning: incorrect type in assignment (different base types)
+ expected signed int x
+ got restricted __le32 [usertype]
+
+Cast the return value of cpu_to_le32() to fix the warning.
+
+Fixes: 08177f4 ("HID: uclogic: merge hid-huion driver in hid-uclogic")
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-uclogic-rdesc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-uclogic-rdesc.c b/drivers/hid/hid-uclogic-rdesc.c
+index 3d68e8b0784d..81ca22398ed5 100644
+--- a/drivers/hid/hid-uclogic-rdesc.c
++++ b/drivers/hid/hid-uclogic-rdesc.c
+@@ -1113,7 +1113,7 @@ __u8 *uclogic_rdesc_template_apply(const __u8 *template_ptr,
+ memcmp(p, pen_head, sizeof(pen_head)) == 0 &&
+ p[sizeof(pen_head)] < param_num) {
+ v = param_list[p[sizeof(pen_head)]];
+- put_unaligned(cpu_to_le32(v), (s32 *)p);
++ put_unaligned((__force u32)cpu_to_le32(v), (s32 *)p);
+ p += sizeof(pen_head) + 1;
+ } else if (memcmp(p, btn_head, sizeof(btn_head)) == 0 &&
+ p[sizeof(btn_head)] < param_num) {
+--
+2.35.1
+
--- /dev/null
+From 096c20b6592a2e541b7402cc6ed47dc0d48f5700 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Apr 2022 08:52:32 +0000
+Subject: HSI: omap_ssi: Fix refcount leak in ssi_probe
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 9a2ea132df860177b33c9fd421b26c4e9a0a9396 ]
+
+When returning or breaking early from a
+for_each_available_child_of_node() loop, we need to explicitly call
+of_node_put() on the child node to possibly release the node.
+
+Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hsi/controllers/omap_ssi_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c
+index 44a3f5660c10..eb9820158318 100644
+--- a/drivers/hsi/controllers/omap_ssi_core.c
++++ b/drivers/hsi/controllers/omap_ssi_core.c
+@@ -524,6 +524,7 @@ static int ssi_probe(struct platform_device *pd)
+ if (!childpdev) {
+ err = -ENODEV;
+ dev_err(&pd->dev, "failed to create ssi controller port\n");
++ of_node_put(child);
+ goto out3;
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From 37d3acdd5c7489708717a3f3d0d6461473c93f43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 12:12:27 +0200
+Subject: HSI: omap_ssi_port: Fix dma_map_sg error check
+
+From: Jack Wang <jinpu.wang@ionos.com>
+
+[ Upstream commit 551e325bbd3fb8b5a686ac1e6cf76e5641461cf2 ]
+
+dma_map_sg return 0 on error, in case of error return -EIO
+to caller.
+
+Cc: Sebastian Reichel <sre@kernel.org>
+Cc: linux-kernel@vger.kernel.org (open list)
+Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver")
+Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hsi/controllers/omap_ssi_port.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hsi/controllers/omap_ssi_port.c b/drivers/hsi/controllers/omap_ssi_port.c
+index a0cb5be246e1..b9495b720f1b 100644
+--- a/drivers/hsi/controllers/omap_ssi_port.c
++++ b/drivers/hsi/controllers/omap_ssi_port.c
+@@ -230,10 +230,10 @@ static int ssi_start_dma(struct hsi_msg *msg, int lch)
+ if (msg->ttype == HSI_MSG_READ) {
+ err = dma_map_sg(&ssi->device, msg->sgt.sgl, msg->sgt.nents,
+ DMA_FROM_DEVICE);
+- if (err < 0) {
++ if (!err) {
+ dev_dbg(&ssi->device, "DMA map SG failed !\n");
+ pm_runtime_put_autosuspend(omap_port->pdev);
+- return err;
++ return -EIO;
+ }
+ csdp = SSI_DST_BURST_4x32_BIT | SSI_DST_MEMORY_PORT |
+ SSI_SRC_SINGLE_ACCESS0 | SSI_SRC_PERIPHERAL_PORT |
+@@ -247,10 +247,10 @@ static int ssi_start_dma(struct hsi_msg *msg, int lch)
+ } else {
+ err = dma_map_sg(&ssi->device, msg->sgt.sgl, msg->sgt.nents,
+ DMA_TO_DEVICE);
+- if (err < 0) {
++ if (!err) {
+ dev_dbg(&ssi->device, "DMA map SG failed !\n");
+ pm_runtime_put_autosuspend(omap_port->pdev);
+- return err;
++ return -EIO;
+ }
+ csdp = SSI_SRC_BURST_4x32_BIT | SSI_SRC_MEMORY_PORT |
+ SSI_DST_SINGLE_ACCESS0 | SSI_DST_PERIPHERAL_PORT |
+--
+2.35.1
+
--- /dev/null
+From 7aac7a783bbf17adcbea2c42803466e9482cb63b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Sep 2022 15:48:01 +0800
+Subject: HSI: ssi_protocol: fix potential resource leak in ssip_pn_open()
+
+From: Jianglei Nie <niejianglei2021@163.com>
+
+[ Upstream commit b28dbcb379e6a7f80262c2732a57681b1ee548ca ]
+
+ssip_pn_open() claims the HSI client's port with hsi_claim_port(). When
+hsi_register_port_event() gets some error and returns a negetive value,
+the HSI client's port should be released with hsi_release_port().
+
+Fix it by calling hsi_release_port() when hsi_register_port_event() fails.
+
+Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hsi/clients/ssi_protocol.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hsi/clients/ssi_protocol.c b/drivers/hsi/clients/ssi_protocol.c
+index 21f11a5b965b..49ffd808d17f 100644
+--- a/drivers/hsi/clients/ssi_protocol.c
++++ b/drivers/hsi/clients/ssi_protocol.c
+@@ -931,6 +931,7 @@ static int ssip_pn_open(struct net_device *dev)
+ if (err < 0) {
+ dev_err(&cl->device, "Register HSI port event failed (%d)\n",
+ err);
++ hsi_release_port(cl);
+ return err;
+ }
+ dev_dbg(&cl->device, "Configuring SSI port\n");
+--
+2.35.1
+
--- /dev/null
+From d515d9bff1ef1c51d9609c80f3cd56820d6147b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Apr 2022 10:49:56 -0500
+Subject: hwmon (occ): Retry for checksum failure
+
+From: Eddie James <eajames@linux.ibm.com>
+
+[ Upstream commit dbed963ed62c4c2b8870a02c8b7dcb0c2af3ee0b ]
+
+Due to the OCC communication design with a shared SRAM area,
+checkum errors are expected due to corrupted buffer from OCC
+communications with other system components. Therefore, retry
+the command twice in the event of a checksum failure.
+
+Signed-off-by: Eddie James <eajames@linux.ibm.com>
+Acked-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20220426154956.27205-3-eajames@linux.ibm.com
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/occ/p9_sbe.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/hwmon/occ/p9_sbe.c b/drivers/hwmon/occ/p9_sbe.c
+index c1e0a1d96cd4..f3791a589b01 100644
+--- a/drivers/hwmon/occ/p9_sbe.c
++++ b/drivers/hwmon/occ/p9_sbe.c
+@@ -14,6 +14,8 @@
+
+ #include "common.h"
+
++#define OCC_CHECKSUM_RETRIES 3
++
+ struct p9_sbe_occ {
+ struct occ occ;
+ bool sbe_error;
+@@ -80,18 +82,23 @@ static bool p9_sbe_occ_save_ffdc(struct p9_sbe_occ *ctx, const void *resp,
+ static int p9_sbe_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len,
+ void *resp, size_t resp_len)
+ {
++ size_t original_resp_len = resp_len;
+ struct p9_sbe_occ *ctx = to_p9_sbe_occ(occ);
+- int rc;
++ int rc, i;
+
+- rc = fsi_occ_submit(ctx->sbe, cmd, len, resp, &resp_len);
+- if (rc < 0) {
++ for (i = 0; i < OCC_CHECKSUM_RETRIES; ++i) {
++ rc = fsi_occ_submit(ctx->sbe, cmd, len, resp, &resp_len);
++ if (rc >= 0)
++ break;
+ if (resp_len) {
+ if (p9_sbe_occ_save_ffdc(ctx, resp, resp_len))
+ sysfs_notify(&occ->bus_dev->kobj, NULL,
+ bin_attr_ffdc.attr.name);
++ return rc;
+ }
+-
+- return rc;
++ if (rc != -EBADE)
++ return rc;
++ resp_len = original_resp_len;
+ }
+
+ switch (((struct occ_response *)resp)->return_status) {
+--
+2.35.1
+
--- /dev/null
+From cd3f8926f9e8a763ff1d7972a5df2db6ba4723c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 15:16:42 +0300
+Subject: hwmon: (pmbus/mp2888) Fix sensors readouts for MPS Multi-phase mp2888
+ controller
+
+From: Oleksandr Shamray <oleksandrs@nvidia.com>
+
+[ Upstream commit 525dd5aed67a2f4f7278116fb92a24e6a53e2622 ]
+
+Fix scale factors for reading MPS Multi-phase mp2888 controller.
+Fixed sensors:
+ - PIN/POUT: based on vendor documentation, set bscale factor 0.5W/LSB
+ - IOUT: based on vendor documentation, set scale factor 0.25 A/LSB
+
+Fixes: e4db7719d037 ("hwmon: (pmbus) Add support for MPS Multi-phase mp2888 controller")
+Signed-off-by: Oleksandr Shamray <oleksandrs@nvidia.com>
+Reviewed-by: Vadim Pasternak <vadimp@nvidia.com>
+Link: https://lore.kernel.org/r/20220929121642.63051-1-oleksandrs@nvidia.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/pmbus/mp2888.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/hwmon/pmbus/mp2888.c b/drivers/hwmon/pmbus/mp2888.c
+index 8ecd4adfef40..24e5194706cf 100644
+--- a/drivers/hwmon/pmbus/mp2888.c
++++ b/drivers/hwmon/pmbus/mp2888.c
+@@ -34,7 +34,7 @@ struct mp2888_data {
+ int curr_sense_gain;
+ };
+
+-#define to_mp2888_data(x) container_of(x, struct mp2888_data, info)
++#define to_mp2888_data(x) container_of(x, struct mp2888_data, info)
+
+ static int mp2888_read_byte_data(struct i2c_client *client, int page, int reg)
+ {
+@@ -109,7 +109,7 @@ mp2888_read_phase(struct i2c_client *client, struct mp2888_data *data, int page,
+ * - Kcs is the DrMOS current sense gain of power stage, which is obtained from the
+ * register MP2888_MFR_VR_CONFIG1, bits 13-12 with the following selection of DrMOS
+ * (data->curr_sense_gain):
+- * 00b - 5µA/A, 01b - 8.5µA/A, 10b - 9.7µA/A, 11b - 10µA/A.
++ * 00b - 8.5µA/A, 01b - 9.7µA/A, 1b - 10µA/A, 11b - 5µA/A.
+ * - Rcs is the internal phase current sense resistor. This parameter depends on hardware
+ * assembly. By default it is set to 1kΩ. In case of different assembly, user should
+ * scale this parameter by dividing it by Rcs.
+@@ -118,10 +118,9 @@ mp2888_read_phase(struct i2c_client *client, struct mp2888_data *data, int page,
+ * because sampling of current occurrence of bit weight has a big deviation, especially for
+ * light load.
+ */
+- ret = DIV_ROUND_CLOSEST(ret * 100 - 9800, data->curr_sense_gain);
+- ret = (data->phase_curr_resolution) ? ret * 2 : ret;
++ ret = DIV_ROUND_CLOSEST(ret * 200 - 19600, data->curr_sense_gain);
+ /* Scale according to total current resolution. */
+- ret = (data->total_curr_resolution) ? ret * 8 : ret * 4;
++ ret = (data->total_curr_resolution) ? ret * 2 : ret;
+ return ret;
+ }
+
+@@ -212,7 +211,7 @@ static int mp2888_read_word_data(struct i2c_client *client, int page, int phase,
+ ret = pmbus_read_word_data(client, page, phase, reg);
+ if (ret < 0)
+ return ret;
+- ret = data->total_curr_resolution ? ret * 2 : ret;
++ ret = data->total_curr_resolution ? ret : DIV_ROUND_CLOSEST(ret, 2);
+ break;
+ case PMBUS_POUT_OP_WARN_LIMIT:
+ ret = pmbus_read_word_data(client, page, phase, reg);
+@@ -223,7 +222,7 @@ static int mp2888_read_word_data(struct i2c_client *client, int page, int phase,
+ * set 1. Actual power is reported with 0.5W or 1W respectively resolution. Scaling
+ * is needed to match both.
+ */
+- ret = data->total_curr_resolution ? ret * 4 : ret * 2;
++ ret = data->total_curr_resolution ? ret * 2 : ret;
+ break;
+ /*
+ * The below registers are not implemented by device or implemented not according to the
+--
+2.35.1
+
--- /dev/null
+From 77cabc0788ee73c6911cda0dca43bb74255ef897 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Sep 2022 12:11:51 +0200
+Subject: hwmon: (sht4x) do not overflow clamping operation on 32-bit platforms
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+[ Upstream commit f9c0cf8f26de367c58e48b02b1cdb9c377626e6f ]
+
+On 32-bit platforms, long is 32 bits, so (long)UINT_MAX is less than
+(long)SHT4X_MIN_POLL_INTERVAL, which means the clamping operation is
+bogus. Fix this by clamping at INT_MAX, so that the upperbound is the
+same on all platforms.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Link: https://lore.kernel.org/r/20220924101151.4168414-1-Jason@zx2c4.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/sht4x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/sht4x.c b/drivers/hwmon/sht4x.c
+index c19df3ade48e..13ac2d8f22c7 100644
+--- a/drivers/hwmon/sht4x.c
++++ b/drivers/hwmon/sht4x.c
+@@ -129,7 +129,7 @@ static int sht4x_read_values(struct sht4x_data *data)
+
+ static ssize_t sht4x_interval_write(struct sht4x_data *data, long val)
+ {
+- data->update_interval = clamp_val(val, SHT4X_MIN_POLL_INTERVAL, UINT_MAX);
++ data->update_interval = clamp_val(val, SHT4X_MIN_POLL_INTERVAL, INT_MAX);
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 9c52effa02ba06cb6246e0f09614e1e726804243 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Aug 2022 20:04:18 +0000
+Subject: hwrng: arm-smccc-trng - fix NO_ENTROPY handling
+
+From: James Cowgill <james.cowgill@blaize.com>
+
+[ Upstream commit 042b4b169c6fb9d4df268d66282d7302dd73d37b ]
+
+The SMCCC_RET_TRNG_NO_ENTROPY switch arm is never used because the
+NO_ENTROPY return value is negative and negative values are handled
+above the switch by immediately returning.
+
+Fix by handling errors using a default arm in the switch.
+
+Fixes: 0888d04b47a1 ("hwrng: Add Arm SMCCC TRNG based driver")
+Signed-off-by: James Cowgill <james.cowgill@blaize.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/arm_smccc_trng.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/hw_random/arm_smccc_trng.c b/drivers/char/hw_random/arm_smccc_trng.c
+index b24ac39a903b..e34c3ea692b6 100644
+--- a/drivers/char/hw_random/arm_smccc_trng.c
++++ b/drivers/char/hw_random/arm_smccc_trng.c
+@@ -71,8 +71,6 @@ static int smccc_trng_read(struct hwrng *rng, void *data, size_t max, bool wait)
+ MAX_BITS_PER_CALL);
+
+ arm_smccc_1_1_invoke(ARM_SMCCC_TRNG_RND, bits, &res);
+- if ((int)res.a0 < 0)
+- return (int)res.a0;
+
+ switch ((int)res.a0) {
+ case SMCCC_RET_SUCCESS:
+@@ -88,6 +86,8 @@ static int smccc_trng_read(struct hwrng *rng, void *data, size_t max, bool wait)
+ return copied;
+ cond_resched();
+ break;
++ default:
++ return -EIO;
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 7fb7f9362cb0f15ec030adaaac0351167046201a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Aug 2022 13:19:03 +0200
+Subject: hwrng: imx-rngc - Moving IRQ handler registering after
+ imx_rngc_irq_mask_clear()
+
+From: Kshitiz Varshney <kshitiz.varshney@nxp.com>
+
+[ Upstream commit 10a2199caf437e893d9027d97700b3c6010048b7 ]
+
+Issue:
+While servicing interrupt, if the IRQ happens to be because of a SEED_DONE
+due to a previous boot stage, you end up completing the completion
+prematurely, hence causing kernel to crash while booting.
+
+Fix:
+Moving IRQ handler registering after imx_rngc_irq_mask_clear()
+
+Fixes: 1d5449445bd0 (hwrng: mx-rngc - add a driver for Freescale RNGC)
+Signed-off-by: Kshitiz Varshney <kshitiz.varshney@nxp.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/imx-rngc.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/char/hw_random/imx-rngc.c b/drivers/char/hw_random/imx-rngc.c
+index e32c52c10d4d..1d7ce7443586 100644
+--- a/drivers/char/hw_random/imx-rngc.c
++++ b/drivers/char/hw_random/imx-rngc.c
+@@ -264,13 +264,6 @@ static int imx_rngc_probe(struct platform_device *pdev)
+ if (rng_type != RNGC_TYPE_RNGC && rng_type != RNGC_TYPE_RNGB)
+ return -ENODEV;
+
+- ret = devm_request_irq(&pdev->dev,
+- irq, imx_rngc_irq, 0, pdev->name, (void *)rngc);
+- if (ret) {
+- dev_err(rngc->dev, "Can't get interrupt working.\n");
+- return ret;
+- }
+-
+ init_completion(&rngc->rng_op_done);
+
+ rngc->rng.name = pdev->name;
+@@ -284,6 +277,13 @@ static int imx_rngc_probe(struct platform_device *pdev)
+
+ imx_rngc_irq_mask_clear(rngc);
+
++ ret = devm_request_irq(&pdev->dev,
++ irq, imx_rngc_irq, 0, pdev->name, (void *)rngc);
++ if (ret) {
++ dev_err(rngc->dev, "Can't get interrupt working.\n");
++ return ret;
++ }
++
+ if (self_test) {
+ ret = imx_rngc_self_test(rngc);
+ if (ret) {
+--
+2.35.1
+
--- /dev/null
+From 6bf7202da3cc61cc0cffc4683f26c628c2ef1337 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Aug 2022 21:37:42 +0200
+Subject: hwrng: imx-rngc - use devm_clk_get_enabled
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+[ Upstream commit 6a2bc448423cea44e7dba0f72d7c82ae04ab201e ]
+
+Use the new devm_clk_get_enabled function to get our clock.
+
+We don't have to disable and unprepare the clock ourselves any more in
+error paths and in the remove function.
+
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Stable-dep-of: 10a2199caf43 ("hwrng: imx-rngc - Moving IRQ handler registering after imx_rngc_irq_mask_clear()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/hw_random/imx-rngc.c | 25 ++++++-------------------
+ 1 file changed, 6 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/char/hw_random/imx-rngc.c b/drivers/char/hw_random/imx-rngc.c
+index b05d676ca814..e32c52c10d4d 100644
+--- a/drivers/char/hw_random/imx-rngc.c
++++ b/drivers/char/hw_random/imx-rngc.c
+@@ -245,7 +245,7 @@ static int imx_rngc_probe(struct platform_device *pdev)
+ if (IS_ERR(rngc->base))
+ return PTR_ERR(rngc->base);
+
+- rngc->clk = devm_clk_get(&pdev->dev, NULL);
++ rngc->clk = devm_clk_get_enabled(&pdev->dev, NULL);
+ if (IS_ERR(rngc->clk)) {
+ dev_err(&pdev->dev, "Can not get rng_clk\n");
+ return PTR_ERR(rngc->clk);
+@@ -255,26 +255,20 @@ static int imx_rngc_probe(struct platform_device *pdev)
+ if (irq < 0)
+ return irq;
+
+- ret = clk_prepare_enable(rngc->clk);
+- if (ret)
+- return ret;
+-
+ ver_id = readl(rngc->base + RNGC_VER_ID);
+ rng_type = ver_id >> RNGC_TYPE_SHIFT;
+ /*
+ * This driver supports only RNGC and RNGB. (There's a different
+ * driver for RNGA.)
+ */
+- if (rng_type != RNGC_TYPE_RNGC && rng_type != RNGC_TYPE_RNGB) {
+- ret = -ENODEV;
+- goto err;
+- }
++ if (rng_type != RNGC_TYPE_RNGC && rng_type != RNGC_TYPE_RNGB)
++ return -ENODEV;
+
+ ret = devm_request_irq(&pdev->dev,
+ irq, imx_rngc_irq, 0, pdev->name, (void *)rngc);
+ if (ret) {
+ dev_err(rngc->dev, "Can't get interrupt working.\n");
+- goto err;
++ return ret;
+ }
+
+ init_completion(&rngc->rng_op_done);
+@@ -294,14 +288,14 @@ static int imx_rngc_probe(struct platform_device *pdev)
+ ret = imx_rngc_self_test(rngc);
+ if (ret) {
+ dev_err(rngc->dev, "self test failed\n");
+- goto err;
++ return ret;
+ }
+ }
+
+ ret = hwrng_register(&rngc->rng);
+ if (ret) {
+ dev_err(&pdev->dev, "hwrng registration failed\n");
+- goto err;
++ return ret;
+ }
+
+ dev_info(&pdev->dev,
+@@ -309,11 +303,6 @@ static int imx_rngc_probe(struct platform_device *pdev)
+ rng_type == RNGC_TYPE_RNGB ? 'B' : 'C',
+ (ver_id >> RNGC_VER_MAJ_SHIFT) & 0xff, ver_id & 0xff);
+ return 0;
+-
+-err:
+- clk_disable_unprepare(rngc->clk);
+-
+- return ret;
+ }
+
+ static int __exit imx_rngc_remove(struct platform_device *pdev)
+@@ -322,8 +311,6 @@ static int __exit imx_rngc_remove(struct platform_device *pdev)
+
+ hwrng_unregister(&rngc->rng);
+
+- clk_disable_unprepare(rngc->clk);
+-
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From cf3fc2a30f6ac5cb40d8c265af3bb46dbe136868 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 12:42:14 +0300
+Subject: i2c: designware-pci: Group AMD NAVI quirk parts together
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 65769162ae4b7f2d82e54998be446226b05fcd8f ]
+
+The code is ogranized in a way that all related parts
+to the certain platform quirk go together. This is not
+the case for AMD NAVI. Shuffle code to make it happen.
+
+While at it, drop the frequency definition and use
+hard coded value as it's done for other platforms and
+add a comment to the PCI ID list.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-designware-pcidrv.c | 30 +++++++++++-----------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-designware-pcidrv.c b/drivers/i2c/busses/i2c-designware-pcidrv.c
+index 608e61209455..ca368482b246 100644
+--- a/drivers/i2c/busses/i2c-designware-pcidrv.c
++++ b/drivers/i2c/busses/i2c-designware-pcidrv.c
+@@ -27,7 +27,6 @@
+ #include "i2c-ccgx-ucsi.h"
+
+ #define DRIVER_NAME "i2c-designware-pci"
+-#define AMD_CLK_RATE_HZ 100000
+
+ enum dw_pci_ctl_id_t {
+ medfield,
+@@ -100,11 +99,6 @@ static u32 mfld_get_clk_rate_khz(struct dw_i2c_dev *dev)
+ return 25000;
+ }
+
+-static u32 navi_amd_get_clk_rate_khz(struct dw_i2c_dev *dev)
+-{
+- return AMD_CLK_RATE_HZ;
+-}
+-
+ static int mfld_setup(struct pci_dev *pdev, struct dw_pci_controller *c)
+ {
+ struct dw_i2c_dev *dev = dev_get_drvdata(&pdev->dev);
+@@ -126,15 +120,6 @@ static int mfld_setup(struct pci_dev *pdev, struct dw_pci_controller *c)
+ return -ENODEV;
+ }
+
+-static int navi_amd_setup(struct pci_dev *pdev, struct dw_pci_controller *c)
+-{
+- struct dw_i2c_dev *dev = dev_get_drvdata(&pdev->dev);
+-
+- dev->flags |= MODEL_AMD_NAVI_GPU;
+- dev->timings.bus_freq_hz = I2C_MAX_STANDARD_MODE_FREQ;
+- return 0;
+-}
+-
+ static int mrfld_setup(struct pci_dev *pdev, struct dw_pci_controller *c)
+ {
+ /*
+@@ -159,6 +144,20 @@ static u32 ehl_get_clk_rate_khz(struct dw_i2c_dev *dev)
+ return 100000;
+ }
+
++static u32 navi_amd_get_clk_rate_khz(struct dw_i2c_dev *dev)
++{
++ return 100000;
++}
++
++static int navi_amd_setup(struct pci_dev *pdev, struct dw_pci_controller *c)
++{
++ struct dw_i2c_dev *dev = dev_get_drvdata(&pdev->dev);
++
++ dev->flags |= MODEL_AMD_NAVI_GPU;
++ dev->timings.bus_freq_hz = I2C_MAX_STANDARD_MODE_FREQ;
++ return 0;
++}
++
+ static struct dw_pci_controller dw_pci_controllers[] = {
+ [medfield] = {
+ .bus_num = -1,
+@@ -389,6 +388,7 @@ static const struct pci_device_id i2_designware_pci_ids[] = {
+ { PCI_VDEVICE(INTEL, 0x4bbe), elkhartlake },
+ { PCI_VDEVICE(INTEL, 0x4bbf), elkhartlake },
+ { PCI_VDEVICE(INTEL, 0x4bc0), elkhartlake },
++ /* AMD NAVI */
+ { PCI_VDEVICE(ATI, 0x7314), navi_amd },
+ { PCI_VDEVICE(ATI, 0x73a4), navi_amd },
+ { PCI_VDEVICE(ATI, 0x73e4), navi_amd },
+--
+2.35.1
+
--- /dev/null
+From f7b69cfe17591f48a81873243efc339f9d187ea3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 15:45:04 -0400
+Subject: i2c: mlxbf: support lock mechanism
+
+From: Asmaa Mnebhi <asmaa@nvidia.com>
+
+[ Upstream commit 86067ccfa1424a26491542d6f6d7546d40b61a10 ]
+
+Linux is not the only entity using the BlueField I2C busses so
+support a lock mechanism provided by hardware to avoid issues
+when multiple entities are trying to access the same bus.
+
+The lock is acquired whenever written explicitely or the lock
+register is read. So make sure it is always released at the end
+of a successful or failed transaction.
+
+Fixes: b5b5b32081cd206b (i2c: mlxbf: I2C SMBus driver for Mellanox BlueField SoC)
+Reviewed-by: Khalil Blaiech <kblaiech@nvidia.com>
+Signed-off-by: Asmaa Mnebhi <asmaa@nvidia.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-mlxbf.c | 44 ++++++++++++++++++++++++++++++----
+ 1 file changed, 39 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-mlxbf.c b/drivers/i2c/busses/i2c-mlxbf.c
+index ad5efd7497d1..0e840eba4fd6 100644
+--- a/drivers/i2c/busses/i2c-mlxbf.c
++++ b/drivers/i2c/busses/i2c-mlxbf.c
+@@ -306,6 +306,7 @@ static u64 mlxbf_i2c_corepll_frequency;
+ * exact.
+ */
+ #define MLXBF_I2C_SMBUS_TIMEOUT (300 * 1000) /* 300ms */
++#define MLXBF_I2C_SMBUS_LOCK_POLL_TIMEOUT (300 * 1000) /* 300ms */
+
+ /* Encapsulates timing parameters. */
+ struct mlxbf_i2c_timings {
+@@ -514,6 +515,25 @@ static bool mlxbf_smbus_master_wait_for_idle(struct mlxbf_i2c_priv *priv)
+ return false;
+ }
+
++/*
++ * wait for the lock to be released before acquiring it.
++ */
++static bool mlxbf_i2c_smbus_master_lock(struct mlxbf_i2c_priv *priv)
++{
++ if (mlxbf_smbus_poll(priv->smbus->io, MLXBF_I2C_SMBUS_MASTER_GW,
++ MLXBF_I2C_MASTER_LOCK_BIT, true,
++ MLXBF_I2C_SMBUS_LOCK_POLL_TIMEOUT))
++ return true;
++
++ return false;
++}
++
++static void mlxbf_i2c_smbus_master_unlock(struct mlxbf_i2c_priv *priv)
++{
++ /* Clear the gw to clear the lock */
++ writel(0, priv->smbus->io + MLXBF_I2C_SMBUS_MASTER_GW);
++}
++
+ static bool mlxbf_i2c_smbus_transaction_success(u32 master_status,
+ u32 cause_status)
+ {
+@@ -705,10 +725,19 @@ mlxbf_i2c_smbus_start_transaction(struct mlxbf_i2c_priv *priv,
+ slave = request->slave & GENMASK(6, 0);
+ addr = slave << 1;
+
+- /* First of all, check whether the HW is idle. */
+- if (WARN_ON(!mlxbf_smbus_master_wait_for_idle(priv)))
++ /*
++ * Try to acquire the smbus gw lock before any reads of the GW register since
++ * a read sets the lock.
++ */
++ if (WARN_ON(!mlxbf_i2c_smbus_master_lock(priv)))
+ return -EBUSY;
+
++ /* Check whether the HW is idle */
++ if (WARN_ON(!mlxbf_smbus_master_wait_for_idle(priv))) {
++ ret = -EBUSY;
++ goto out_unlock;
++ }
++
+ /* Set first byte. */
+ data_desc[data_idx++] = addr;
+
+@@ -732,8 +761,10 @@ mlxbf_i2c_smbus_start_transaction(struct mlxbf_i2c_priv *priv,
+ write_en = 1;
+ write_len += operation->length;
+ if (data_idx + operation->length >
+- MLXBF_I2C_MASTER_DATA_DESC_SIZE)
+- return -ENOBUFS;
++ MLXBF_I2C_MASTER_DATA_DESC_SIZE) {
++ ret = -ENOBUFS;
++ goto out_unlock;
++ }
+ memcpy(data_desc + data_idx,
+ operation->buffer, operation->length);
+ data_idx += operation->length;
+@@ -765,7 +796,7 @@ mlxbf_i2c_smbus_start_transaction(struct mlxbf_i2c_priv *priv,
+ ret = mlxbf_i2c_smbus_enable(priv, slave, write_len, block_en,
+ pec_en, 0);
+ if (ret)
+- return ret;
++ goto out_unlock;
+ }
+
+ if (read_en) {
+@@ -792,6 +823,9 @@ mlxbf_i2c_smbus_start_transaction(struct mlxbf_i2c_priv *priv,
+ priv->smbus->io + MLXBF_I2C_SMBUS_MASTER_FSM);
+ }
+
++out_unlock:
++ mlxbf_i2c_smbus_master_unlock(priv);
++
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 1ac62806a9689502211624b4e1c9edef9554e421 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Sep 2022 18:26:16 -0700
+Subject: ia64: export memory_add_physaddr_to_nid to fix cxl build error
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 97c318bfbe84efded246e80428054f300042f110 ]
+
+cxl_pmem.ko uses memory_add_physaddr_to_nid() but ia64 does not export it,
+so this causes a build error:
+
+ERROR: modpost: "memory_add_physaddr_to_nid" [drivers/cxl/cxl_pmem.ko] undefined!
+
+Fix this by exporting that function.
+
+Fixes: 8c2676a5870a ("hot-add-mem x86_64: memory_add_physaddr_to_nid node fixup")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Ben Widawsky <bwidawsk@kernel.org>
+Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: linux-ia64@vger.kernel.org
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Keith Mannthey <kmannth@us.ibm.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/ia64/mm/numa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/ia64/mm/numa.c b/arch/ia64/mm/numa.c
+index d6579ec3ea32..4c7b1f50e3b7 100644
+--- a/arch/ia64/mm/numa.c
++++ b/arch/ia64/mm/numa.c
+@@ -75,5 +75,6 @@ int memory_add_physaddr_to_nid(u64 addr)
+ return 0;
+ return nid;
+ }
++EXPORT_SYMBOL(memory_add_physaddr_to_nid);
+ #endif
+ #endif
+--
+2.35.1
+
--- /dev/null
+From aac6a4e7456ec430eb41701cffb68c66fc8fc1c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 13:32:33 +0200
+Subject: iavf: Fix race between iavf_close and iavf_reset_task
+
+From: Michal Jaron <michalx.jaron@intel.com>
+
+[ Upstream commit 11c12adcbc1598d91e73ab6ddfa41d25a01478ed ]
+
+During stress tests with adding VF to namespace and changing vf's
+trust there was a race between iavf_reset_task and iavf_close.
+Sometimes when IAVF_FLAG_AQ_DISABLE_QUEUES from iavf_close was sent
+to PF after reset and before IAVF_AQ_GET_CONFIG was sent then PF
+returns error IAVF_NOT_SUPPORTED to disable queues request and
+following requests. There is need to get_config before other
+aq_required will be send but iavf_close clears all flags, if
+get_config was not sent before iavf_close, then it will not be send
+at all.
+
+In case when IAVF_FLAG_AQ_GET_OFFLOAD_VLAN_V2_CAPS was sent before
+IAVF_FLAG_AQ_DISABLE_QUEUES then there was rtnl_lock deadlock
+between iavf_close and iavf_adminq_task until iavf_close timeouts
+and disable queues was sent after iavf_close ends.
+
+There was also a problem with sending delete/add filters.
+Sometimes when filters was not yet added to PF and in
+iavf_close all filters was set to remove there might be a try
+to remove nonexistent filters on PF.
+
+Add aq_required_tmp to save aq_required flags and send them after
+disable_queues will be handled. Clear flags given to iavf_down
+different than IAVF_FLAG_AQ_GET_CONFIG as this flag is necessary
+to sent other aq_required. Remove some flags that we don't
+want to send as we are in iavf_close and we want to disable
+interface. Remove filters which was not yet sent and send del
+filters flags only when there are filters to remove.
+
+Signed-off-by: Michal Jaron <michalx.jaron@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 177 ++++++++++++++++----
+ 1 file changed, 141 insertions(+), 36 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 0c89f16bf1e2..79fef8c59d65 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1267,66 +1267,138 @@ static void iavf_up_complete(struct iavf_adapter *adapter)
+ }
+
+ /**
+- * iavf_down - Shutdown the connection processing
++ * iavf_clear_mac_vlan_filters - Remove mac and vlan filters not sent to PF
++ * yet and mark other to be removed.
+ * @adapter: board private structure
+- *
+- * Expects to be called while holding the __IAVF_IN_CRITICAL_TASK bit lock.
+ **/
+-void iavf_down(struct iavf_adapter *adapter)
++static void iavf_clear_mac_vlan_filters(struct iavf_adapter *adapter)
+ {
+- struct net_device *netdev = adapter->netdev;
+- struct iavf_vlan_filter *vlf;
+- struct iavf_cloud_filter *cf;
+- struct iavf_fdir_fltr *fdir;
+- struct iavf_mac_filter *f;
+- struct iavf_adv_rss *rss;
+-
+- if (adapter->state <= __IAVF_DOWN_PENDING)
+- return;
+-
+- netif_carrier_off(netdev);
+- netif_tx_disable(netdev);
+- adapter->link_up = false;
+- iavf_napi_disable_all(adapter);
+- iavf_irq_disable(adapter);
++ struct iavf_vlan_filter *vlf, *vlftmp;
++ struct iavf_mac_filter *f, *ftmp;
+
+ spin_lock_bh(&adapter->mac_vlan_list_lock);
+-
+ /* clear the sync flag on all filters */
+ __dev_uc_unsync(adapter->netdev, NULL);
+ __dev_mc_unsync(adapter->netdev, NULL);
+
+ /* remove all MAC filters */
+- list_for_each_entry(f, &adapter->mac_filter_list, list) {
+- f->remove = true;
++ list_for_each_entry_safe(f, ftmp, &adapter->mac_filter_list,
++ list) {
++ if (f->add) {
++ list_del(&f->list);
++ kfree(f);
++ } else {
++ f->remove = true;
++ }
+ }
+
+ /* remove all VLAN filters */
+- list_for_each_entry(vlf, &adapter->vlan_filter_list, list) {
+- vlf->remove = true;
++ list_for_each_entry_safe(vlf, vlftmp, &adapter->vlan_filter_list,
++ list) {
++ if (vlf->add) {
++ list_del(&vlf->list);
++ kfree(vlf);
++ } else {
++ vlf->remove = true;
++ }
+ }
+-
+ spin_unlock_bh(&adapter->mac_vlan_list_lock);
++}
++
++/**
++ * iavf_clear_cloud_filters - Remove cloud filters not sent to PF yet and
++ * mark other to be removed.
++ * @adapter: board private structure
++ **/
++static void iavf_clear_cloud_filters(struct iavf_adapter *adapter)
++{
++ struct iavf_cloud_filter *cf, *cftmp;
+
+ /* remove all cloud filters */
+ spin_lock_bh(&adapter->cloud_filter_list_lock);
+- list_for_each_entry(cf, &adapter->cloud_filter_list, list) {
+- cf->del = true;
++ list_for_each_entry_safe(cf, cftmp, &adapter->cloud_filter_list,
++ list) {
++ if (cf->add) {
++ list_del(&cf->list);
++ kfree(cf);
++ adapter->num_cloud_filters--;
++ } else {
++ cf->del = true;
++ }
+ }
+ spin_unlock_bh(&adapter->cloud_filter_list_lock);
++}
++
++/**
++ * iavf_clear_fdir_filters - Remove fdir filters not sent to PF yet and mark
++ * other to be removed.
++ * @adapter: board private structure
++ **/
++static void iavf_clear_fdir_filters(struct iavf_adapter *adapter)
++{
++ struct iavf_fdir_fltr *fdir, *fdirtmp;
+
+ /* remove all Flow Director filters */
+ spin_lock_bh(&adapter->fdir_fltr_lock);
+- list_for_each_entry(fdir, &adapter->fdir_list_head, list) {
+- fdir->state = IAVF_FDIR_FLTR_DEL_REQUEST;
++ list_for_each_entry_safe(fdir, fdirtmp, &adapter->fdir_list_head,
++ list) {
++ if (fdir->state == IAVF_FDIR_FLTR_ADD_REQUEST) {
++ list_del(&fdir->list);
++ kfree(fdir);
++ adapter->fdir_active_fltr--;
++ } else {
++ fdir->state = IAVF_FDIR_FLTR_DEL_REQUEST;
++ }
+ }
+ spin_unlock_bh(&adapter->fdir_fltr_lock);
++}
++
++/**
++ * iavf_clear_adv_rss_conf - Remove adv rss conf not sent to PF yet and mark
++ * other to be removed.
++ * @adapter: board private structure
++ **/
++static void iavf_clear_adv_rss_conf(struct iavf_adapter *adapter)
++{
++ struct iavf_adv_rss *rss, *rsstmp;
+
+ /* remove all advance RSS configuration */
+ spin_lock_bh(&adapter->adv_rss_lock);
+- list_for_each_entry(rss, &adapter->adv_rss_list_head, list)
+- rss->state = IAVF_ADV_RSS_DEL_REQUEST;
++ list_for_each_entry_safe(rss, rsstmp, &adapter->adv_rss_list_head,
++ list) {
++ if (rss->state == IAVF_ADV_RSS_ADD_REQUEST) {
++ list_del(&rss->list);
++ kfree(rss);
++ } else {
++ rss->state = IAVF_ADV_RSS_DEL_REQUEST;
++ }
++ }
+ spin_unlock_bh(&adapter->adv_rss_lock);
++}
++
++/**
++ * iavf_down - Shutdown the connection processing
++ * @adapter: board private structure
++ *
++ * Expects to be called while holding the __IAVF_IN_CRITICAL_TASK bit lock.
++ **/
++void iavf_down(struct iavf_adapter *adapter)
++{
++ struct net_device *netdev = adapter->netdev;
++
++ if (adapter->state <= __IAVF_DOWN_PENDING)
++ return;
++
++ netif_carrier_off(netdev);
++ netif_tx_disable(netdev);
++ adapter->link_up = false;
++ iavf_napi_disable_all(adapter);
++ iavf_irq_disable(adapter);
++
++ iavf_clear_mac_vlan_filters(adapter);
++ iavf_clear_cloud_filters(adapter);
++ iavf_clear_fdir_filters(adapter);
++ iavf_clear_adv_rss_conf(adapter);
+
+ if (!(adapter->flags & IAVF_FLAG_PF_COMMS_FAILED)) {
+ /* cancel any current operation */
+@@ -1335,11 +1407,16 @@ void iavf_down(struct iavf_adapter *adapter)
+ * here for this to complete. The watchdog is still running
+ * and it will take care of this.
+ */
+- adapter->aq_required = IAVF_FLAG_AQ_DEL_MAC_FILTER;
+- adapter->aq_required |= IAVF_FLAG_AQ_DEL_VLAN_FILTER;
+- adapter->aq_required |= IAVF_FLAG_AQ_DEL_CLOUD_FILTER;
+- adapter->aq_required |= IAVF_FLAG_AQ_DEL_FDIR_FILTER;
+- adapter->aq_required |= IAVF_FLAG_AQ_DEL_ADV_RSS_CFG;
++ if (!list_empty(&adapter->mac_filter_list))
++ adapter->aq_required |= IAVF_FLAG_AQ_DEL_MAC_FILTER;
++ if (!list_empty(&adapter->vlan_filter_list))
++ adapter->aq_required |= IAVF_FLAG_AQ_DEL_VLAN_FILTER;
++ if (!list_empty(&adapter->cloud_filter_list))
++ adapter->aq_required |= IAVF_FLAG_AQ_DEL_CLOUD_FILTER;
++ if (!list_empty(&adapter->fdir_list_head))
++ adapter->aq_required |= IAVF_FLAG_AQ_DEL_FDIR_FILTER;
++ if (!list_empty(&adapter->adv_rss_list_head))
++ adapter->aq_required |= IAVF_FLAG_AQ_DEL_ADV_RSS_CFG;
+ adapter->aq_required |= IAVF_FLAG_AQ_DISABLE_QUEUES;
+ }
+
+@@ -4178,6 +4255,7 @@ static int iavf_open(struct net_device *netdev)
+ static int iavf_close(struct net_device *netdev)
+ {
+ struct iavf_adapter *adapter = netdev_priv(netdev);
++ u64 aq_to_restore;
+ int status;
+
+ mutex_lock(&adapter->crit_lock);
+@@ -4190,6 +4268,29 @@ static int iavf_close(struct net_device *netdev)
+ set_bit(__IAVF_VSI_DOWN, adapter->vsi.state);
+ if (CLIENT_ENABLED(adapter))
+ adapter->flags |= IAVF_FLAG_CLIENT_NEEDS_CLOSE;
++ /* We cannot send IAVF_FLAG_AQ_GET_OFFLOAD_VLAN_V2_CAPS before
++ * IAVF_FLAG_AQ_DISABLE_QUEUES because in such case there is rtnl
++ * deadlock with adminq_task() until iavf_close timeouts. We must send
++ * IAVF_FLAG_AQ_GET_CONFIG before IAVF_FLAG_AQ_DISABLE_QUEUES to make
++ * disable queues possible for vf. Give only necessary flags to
++ * iavf_down and save other to set them right before iavf_close()
++ * returns, when IAVF_FLAG_AQ_DISABLE_QUEUES will be already sent and
++ * iavf will be in DOWN state.
++ */
++ aq_to_restore = adapter->aq_required;
++ adapter->aq_required &= IAVF_FLAG_AQ_GET_CONFIG;
++
++ /* Remove flags which we do not want to send after close or we want to
++ * send before disable queues.
++ */
++ aq_to_restore &= ~(IAVF_FLAG_AQ_GET_CONFIG |
++ IAVF_FLAG_AQ_ENABLE_QUEUES |
++ IAVF_FLAG_AQ_CONFIGURE_QUEUES |
++ IAVF_FLAG_AQ_ADD_VLAN_FILTER |
++ IAVF_FLAG_AQ_ADD_MAC_FILTER |
++ IAVF_FLAG_AQ_ADD_CLOUD_FILTER |
++ IAVF_FLAG_AQ_ADD_FDIR_FILTER |
++ IAVF_FLAG_AQ_ADD_ADV_RSS_CFG);
+
+ iavf_down(adapter);
+ iavf_change_state(adapter, __IAVF_DOWN_PENDING);
+@@ -4213,6 +4314,10 @@ static int iavf_close(struct net_device *netdev)
+ msecs_to_jiffies(500));
+ if (!status)
+ netdev_warn(netdev, "Device resources not yet released\n");
++
++ mutex_lock(&adapter->crit_lock);
++ adapter->aq_required |= aq_to_restore;
++ mutex_unlock(&adapter->crit_lock);
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From da1aef13acaf3b266a51ff20baf2699f7caf334b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Jul 2022 13:33:38 -0300
+Subject: IB/mlx5: Call io_stop_wc() after writing to WC MMIO
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 19d6214ad6dfffda1a5bdc2b34ea75ba45a1a60a ]
+
+This new function is defined only on ARM and serves to guarantee a barrier
+in the WC operation. The barrier means that another run of this loop will
+not combine with the stores this loop created.
+
+On x86 this is happening implicitly because of the spin_unlock().
+
+Link: https://lore.kernel.org/r/0-v1-c5dade92f363+11-mlx5_io_stop_wc_jgg@nvidia.com
+Suggested-by: Pavel Shamis <Pavel.Shamis@arm.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Stable-dep-of: 13ad1125b941 ("RDMA/mlx5: Don't compare mkey tags in DEVX indirect mkey")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/mem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/mlx5/mem.c b/drivers/infiniband/hw/mlx5/mem.c
+index 6191aa833ac2..6b29e9ca323e 100644
+--- a/drivers/infiniband/hw/mlx5/mem.c
++++ b/drivers/infiniband/hw/mlx5/mem.c
+@@ -152,6 +152,7 @@ static int post_send_nop(struct mlx5_ib_dev *dev, struct ib_qp *ibqp, u64 wr_id,
+ for (i = 0; i < 8; i++)
+ mlx5_write64(&mmio_wqe[i * 2],
+ bf->bfreg->map + bf->offset + i * 8);
++ io_stop_wc();
+
+ bf->offset ^= bf->buf_size;
+
+--
+2.35.1
+
--- /dev/null
+From 07026237915f2a67e8a5a22b2430dc22905484e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Sep 2022 17:14:57 +0800
+Subject: IB/rdmavt: Add __init/__exit annotations to module init/exit funcs
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit 78657a445ca7603024348781c921f8ecaee10a49 ]
+
+Add missing __init/__exit annotations to module init/exit funcs.
+
+Fixes: 0194621b2253 ("IB/rdmavt: Create module framework and handle driver registration")
+Link: https://lore.kernel.org/r/20220924091457.52446-1-xiujianfeng@huawei.com
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rdmavt/vt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rdmavt/vt.c b/drivers/infiniband/sw/rdmavt/vt.c
+index 59481ae39505..d61f8de7f21c 100644
+--- a/drivers/infiniband/sw/rdmavt/vt.c
++++ b/drivers/infiniband/sw/rdmavt/vt.c
+@@ -15,7 +15,7 @@
+ MODULE_LICENSE("Dual BSD/GPL");
+ MODULE_DESCRIPTION("RDMA Verbs Transport Library");
+
+-static int rvt_init(void)
++static int __init rvt_init(void)
+ {
+ int ret = rvt_driver_cq_init();
+
+@@ -26,7 +26,7 @@ static int rvt_init(void)
+ }
+ module_init(rvt_init);
+
+-static void rvt_cleanup(void)
++static void __exit rvt_cleanup(void)
+ {
+ rvt_cq_exit();
+ }
+--
+2.35.1
+
--- /dev/null
+From 3e1ef5b52cf2c3bbdf55fa5b711fa438f640a988 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 17:08:43 +0900
+Subject: IB: Set IOVA/LENGTH on IB_MR in core/uverbs layers
+
+From: Daisuke Matsuda <matsuda-daisuke@fujitsu.com>
+
+[ Upstream commit 241f9a27e0fc0eaf23e3d52c8450f10648cd11f1 ]
+
+Set 'iova' and 'length' on ib_mr in ib_uverbs and ib_core layers to let all
+drivers have the members filled. Also, this commit removes redundancy in
+the respective drivers.
+
+Previously, commit 04c0a5fcfcf65 ("IB/uverbs: Set IOVA on IB MR in uverbs
+layer") changed to set 'iova', but seems to have missed 'length' and the
+ib_core layer at that time.
+
+Fixes: 04c0a5fcfcf65 ("IB/uverbs: Set IOVA on IB MR in uverbs layer")
+Signed-off-by: Daisuke Matsuda <matsuda-daisuke@fujitsu.com>
+Link: https://lore.kernel.org/r/20220921080844.1616883-1-matsuda-daisuke@fujitsu.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/uverbs_cmd.c | 5 ++++-
+ drivers/infiniband/core/verbs.c | 2 ++
+ drivers/infiniband/hw/hns/hns_roce_mr.c | 1 -
+ drivers/infiniband/hw/mlx4/mr.c | 1 -
+ 4 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
+index 046376bd68e2..4796f6a8828c 100644
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -739,6 +739,7 @@ static int ib_uverbs_reg_mr(struct uverbs_attr_bundle *attrs)
+ mr->uobject = uobj;
+ atomic_inc(&pd->usecnt);
+ mr->iova = cmd.hca_va;
++ mr->length = cmd.length;
+
+ rdma_restrack_new(&mr->res, RDMA_RESTRACK_MR);
+ rdma_restrack_set_name(&mr->res, NULL);
+@@ -861,8 +862,10 @@ static int ib_uverbs_rereg_mr(struct uverbs_attr_bundle *attrs)
+ mr->pd = new_pd;
+ atomic_inc(&new_pd->usecnt);
+ }
+- if (cmd.flags & IB_MR_REREG_TRANS)
++ if (cmd.flags & IB_MR_REREG_TRANS) {
+ mr->iova = cmd.hca_va;
++ mr->length = cmd.length;
++ }
+ }
+
+ memset(&resp, 0, sizeof(resp));
+diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
+index e54b3f1b730e..f8964c8cf0ad 100644
+--- a/drivers/infiniband/core/verbs.c
++++ b/drivers/infiniband/core/verbs.c
+@@ -2149,6 +2149,8 @@ struct ib_mr *ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length,
+ mr->pd = pd;
+ mr->dm = NULL;
+ atomic_inc(&pd->usecnt);
++ mr->iova = virt_addr;
++ mr->length = length;
+
+ rdma_restrack_new(&mr->res, RDMA_RESTRACK_MR);
+ rdma_restrack_parent_name(&mr->res, &pd->res);
+diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c
+index 867972c2a894..dedfa56f5773 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_mr.c
++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c
+@@ -249,7 +249,6 @@ struct ib_mr *hns_roce_reg_user_mr(struct ib_pd *pd, u64 start, u64 length,
+ goto err_alloc_pbl;
+
+ mr->ibmr.rkey = mr->ibmr.lkey = mr->key;
+- mr->ibmr.length = length;
+
+ return &mr->ibmr;
+
+diff --git a/drivers/infiniband/hw/mlx4/mr.c b/drivers/infiniband/hw/mlx4/mr.c
+index 04a67b481608..a40bf58bcdd3 100644
+--- a/drivers/infiniband/hw/mlx4/mr.c
++++ b/drivers/infiniband/hw/mlx4/mr.c
+@@ -439,7 +439,6 @@ struct ib_mr *mlx4_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length,
+ goto err_mr;
+
+ mr->ibmr.rkey = mr->ibmr.lkey = mr->mmr.key;
+- mr->ibmr.length = length;
+ mr->ibmr.page_size = 1U << shift;
+
+ return &mr->ibmr;
+--
+2.35.1
+
--- /dev/null
+From bf0389418811046e22c4d81561f33ffca444e28d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 16:15:57 -0700
+Subject: ice: set tx_tstamps when creating new Tx rings via ethtool
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit b3b173745c8cab1e24d6821488b60abed3acb24d ]
+
+When the user changes the number of queues via ethtool, the driver
+allocates new rings. This allocation did not initialize tx_tstamps. This
+results in the tx_tstamps field being zero (due to kcalloc allocation), and
+would result in a NULL pointer dereference when attempting a transmit
+timestamp on the new ring.
+
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Stable-dep-of: fc5ae5b44eb2 ("Bluetooth: L2CAP: Fix build errors in some archs")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ethtool.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+index a6fff8ebaf9d..bbf6a300078e 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+@@ -2826,6 +2826,7 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring,
+ tx_rings[i].count = new_tx_cnt;
+ tx_rings[i].desc = NULL;
+ tx_rings[i].tx_buf = NULL;
++ tx_rings[i].tx_tstamps = &pf->ptp.port.tx;
+ err = ice_setup_tx_ring(&tx_rings[i]);
+ if (err) {
+ while (i--)
+--
+2.35.1
+
--- /dev/null
+From 21e39a94481018bb3394e11b54847c15528c6886 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Jun 2022 13:29:23 +0100
+Subject: iio: ABI: Fix wrong format of differential capacitance channel ABI.
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 1efc41035f1841acf0af2bab153158e27ce94f10 ]
+
+in_ only occurs once in these attributes.
+
+Fixes: 0baf29d658c7 ("staging:iio:documentation Add abi docs for capacitance adcs.")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20220626122938.582107-3-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/ABI/testing/sysfs-bus-iio | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-bus-iio b/Documentation/ABI/testing/sysfs-bus-iio
+index e81ba6f5e1c8..6e1b925f30bf 100644
+--- a/Documentation/ABI/testing/sysfs-bus-iio
++++ b/Documentation/ABI/testing/sysfs-bus-iio
+@@ -196,7 +196,7 @@ Description:
+ Raw capacitance measurement from channel Y. Units after
+ application of scale and offset are nanofarads.
+
+-What: /sys/.../iio:deviceX/in_capacitanceY-in_capacitanceZ_raw
++What: /sys/.../iio:deviceX/in_capacitanceY-capacitanceZ_raw
+ KernelVersion: 3.2
+ Contact: linux-iio@vger.kernel.org
+ Description:
+--
+2.35.1
+
--- /dev/null
+From 9ce84831860835842e7a1118c99363db814789f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Aug 2022 13:28:38 +0300
+Subject: iio: adc: at91-sama5d2_adc: check return status for pressure and
+ touch
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit d84ace944a3b24529798dbae1340dea098473155 ]
+
+Check return status of at91_adc_read_position() and
+at91_adc_read_pressure() in at91_adc_read_info_raw().
+
+Fixes: 6794e23fa3fe ("iio: adc: at91-sama5d2_adc: add support for oversampling resolution")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20220803102855.2191070-3-claudiu.beznea@microchip.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/at91-sama5d2_adc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c
+index ac9ef89fba17..08d1f806c839 100644
+--- a/drivers/iio/adc/at91-sama5d2_adc.c
++++ b/drivers/iio/adc/at91-sama5d2_adc.c
+@@ -1544,8 +1544,10 @@ static int at91_adc_read_info_raw(struct iio_dev *indio_dev,
+ *val = tmp_val;
+ mutex_unlock(&st->lock);
+ iio_device_release_direct_mode(indio_dev);
++ if (ret > 0)
++ ret = at91_adc_adjust_val_osr(st, val);
+
+- return at91_adc_adjust_val_osr(st, val);
++ return ret;
+ }
+ if (chan->type == IIO_PRESSURE) {
+ ret = iio_device_claim_direct_mode(indio_dev);
+@@ -1558,8 +1560,10 @@ static int at91_adc_read_info_raw(struct iio_dev *indio_dev,
+ *val = tmp_val;
+ mutex_unlock(&st->lock);
+ iio_device_release_direct_mode(indio_dev);
++ if (ret > 0)
++ ret = at91_adc_adjust_val_osr(st, val);
+
+- return at91_adc_adjust_val_osr(st, val);
++ return ret;
+ }
+
+ /* in this case we have a voltage channel */
+--
+2.35.1
+
--- /dev/null
+From 4361b2a09799fd30f9b8bf98c8b0ac358fd715df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Aug 2022 13:28:40 +0300
+Subject: iio: adc: at91-sama5d2_adc: disable/prepare buffer on suspend/resume
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit 808175e21d9b7f866eda742e8970f27b78afe5db ]
+
+In case triggered buffers are enabled while system is suspended they will
+not work anymore after resume. For this call at91_adc_buffer_postdisable()
+on suspend and at91_adc_buffer_prepare() on resume. On tests it has been
+seen that at91_adc_buffer_postdisable() call is not necessary but it has
+been kept because it also does the book keeping for DMA. On resume path
+there is no need to call at91_adc_configure_touch() as it is embedded in
+at91_adc_buffer_prepare().
+
+Fixes: 073c662017f2f ("iio: adc: at91-sama5d2_adc: add support for DMA")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20220803102855.2191070-5-claudiu.beznea@microchip.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/at91-sama5d2_adc.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c
+index 3734ddc82952..e2c82c5a2fac 100644
+--- a/drivers/iio/adc/at91-sama5d2_adc.c
++++ b/drivers/iio/adc/at91-sama5d2_adc.c
+@@ -2116,6 +2116,9 @@ static int at91_adc_suspend(struct device *dev)
+ struct iio_dev *indio_dev = dev_get_drvdata(dev);
+ struct at91_adc_state *st = iio_priv(indio_dev);
+
++ if (iio_buffer_enabled(indio_dev))
++ at91_adc_buffer_postdisable(indio_dev);
++
+ /*
+ * Do a sofware reset of the ADC before we go to suspend.
+ * this will ensure that all pins are free from being muxed by the ADC
+@@ -2159,14 +2162,11 @@ static int at91_adc_resume(struct device *dev)
+ if (!iio_buffer_enabled(indio_dev))
+ return 0;
+
+- /* check if we are enabling triggered buffer or the touchscreen */
+- if (at91_adc_current_chan_is_touch(indio_dev))
+- return at91_adc_configure_touch(st, true);
+- else
+- return at91_adc_configure_trigger(st->trig, true);
++ ret = at91_adc_buffer_prepare(indio_dev);
++ if (ret)
++ goto vref_disable_resume;
+
+- /* not needed but more explicit */
+- return 0;
++ return at91_adc_configure_trigger(st->trig, true);
+
+ vref_disable_resume:
+ regulator_disable(st->vref);
+--
+2.35.1
+
--- /dev/null
+From 2f19037e7b7a2a466d28ff97e9e745d49a1fb739 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Aug 2022 13:28:37 +0300
+Subject: iio: adc: at91-sama5d2_adc: fix AT91_SAMA5D2_MR_TRACKTIM_MAX
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit bb73d5d9164c57c4bb916739a98e5cd8e0a5ed8c ]
+
+All ADC HW versions handled by this driver (SAMA5D2, SAM9X60, SAMA7G5)
+have MR.TRACKTIM on 4 bits. Fix AT91_SAMA5D2_MR_TRACKTIM_MAX to reflect
+this.
+
+Fixes: 27e177190891 ("iio:adc:at91_adc8xx: introduce new atmel adc driver")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20220803102855.2191070-2-claudiu.beznea@microchip.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/at91-sama5d2_adc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c
+index 279430c1d88c..ac9ef89fba17 100644
+--- a/drivers/iio/adc/at91-sama5d2_adc.c
++++ b/drivers/iio/adc/at91-sama5d2_adc.c
+@@ -77,7 +77,7 @@ struct at91_adc_reg_layout {
+ #define AT91_SAMA5D2_MR_ANACH BIT(23)
+ /* Tracking Time */
+ #define AT91_SAMA5D2_MR_TRACKTIM(v) ((v) << 24)
+-#define AT91_SAMA5D2_MR_TRACKTIM_MAX 0xff
++#define AT91_SAMA5D2_MR_TRACKTIM_MAX 0xf
+ /* Transfer Time */
+ #define AT91_SAMA5D2_MR_TRANSFER(v) ((v) << 28)
+ #define AT91_SAMA5D2_MR_TRANSFER_MAX 0x3
+--
+2.35.1
+
--- /dev/null
+From 9af51aa4738b2b47ff3d0ee32505018d75ea17a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Aug 2022 13:28:39 +0300
+Subject: iio: adc: at91-sama5d2_adc: lock around oversampling and sample freq
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit 9780a23ed5a0a0a63683e078f576719a98d4fb70 ]
+
+.read_raw()/.write_raw() could be called asynchronously from user space
+or other in kernel drivers. Without locking on st->lock these could be
+called asynchronously while there is a conversion in progress. Read will
+be harmless but changing registers while conversion is in progress may
+lead to inconsistent results. Thus, to avoid this lock st->lock.
+
+Fixes: 27e177190891 ("iio:adc:at91_adc8xx: introduce new atmel adc driver")
+Fixes: 6794e23fa3fe ("iio: adc: at91-sama5d2_adc: add support for oversampling resolution")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20220803102855.2191070-4-claudiu.beznea@microchip.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/at91-sama5d2_adc.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c
+index 08d1f806c839..3734ddc82952 100644
+--- a/drivers/iio/adc/at91-sama5d2_adc.c
++++ b/drivers/iio/adc/at91-sama5d2_adc.c
+@@ -1542,10 +1542,10 @@ static int at91_adc_read_info_raw(struct iio_dev *indio_dev,
+ ret = at91_adc_read_position(st, chan->channel,
+ &tmp_val);
+ *val = tmp_val;
+- mutex_unlock(&st->lock);
+- iio_device_release_direct_mode(indio_dev);
+ if (ret > 0)
+ ret = at91_adc_adjust_val_osr(st, val);
++ mutex_unlock(&st->lock);
++ iio_device_release_direct_mode(indio_dev);
+
+ return ret;
+ }
+@@ -1558,10 +1558,10 @@ static int at91_adc_read_info_raw(struct iio_dev *indio_dev,
+ ret = at91_adc_read_pressure(st, chan->channel,
+ &tmp_val);
+ *val = tmp_val;
+- mutex_unlock(&st->lock);
+- iio_device_release_direct_mode(indio_dev);
+ if (ret > 0)
+ ret = at91_adc_adjust_val_osr(st, val);
++ mutex_unlock(&st->lock);
++ iio_device_release_direct_mode(indio_dev);
+
+ return ret;
+ }
+@@ -1650,16 +1650,20 @@ static int at91_adc_write_raw(struct iio_dev *indio_dev,
+ /* if no change, optimize out */
+ if (val == st->oversampling_ratio)
+ return 0;
++ mutex_lock(&st->lock);
+ st->oversampling_ratio = val;
+ /* update ratio */
+ at91_adc_config_emr(st);
++ mutex_unlock(&st->lock);
+ return 0;
+ case IIO_CHAN_INFO_SAMP_FREQ:
+ if (val < st->soc_info.min_sample_rate ||
+ val > st->soc_info.max_sample_rate)
+ return -EINVAL;
+
++ mutex_lock(&st->lock);
+ at91_adc_setup_samp_freq(indio_dev, val);
++ mutex_unlock(&st->lock);
+ return 0;
+ default:
+ return -EINVAL;
+--
+2.35.1
+
--- /dev/null
+From c0d9294f9a2f4a4db3b52b1040bf686742b6a46d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Jul 2022 14:28:50 +0200
+Subject: iio: inkern: fix return value in devm_of_iio_channel_get_by_name()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá <nuno.sa@analog.com>
+
+[ Upstream commit 9e878dbc0e8322f8b2f5ab0093c1e89926362dbe ]
+
+of_iio_channel_get_by_name() can either return NULL or an error pointer
+so that only doing IS_ERR() is not enough. Fix it by checking the NULL
+pointer case and return -ENODEV in that case. Note this is done like this
+so that users of the function (which only check for error pointers) do
+not need to be changed. This is not ideal since we are losing error codes
+and as such, in a follow up change, things will be unified so that
+of_iio_channel_get_by_name() only returns error codes.
+
+Fixes: 6e39b145cef7 ("iio: provide of_iio_channel_get_by_name() and devm_ version it")
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20220715122903.332535-3-nuno.sa@analog.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/inkern.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c
+index 9d87057794fc..87fd2a0d44f2 100644
+--- a/drivers/iio/inkern.c
++++ b/drivers/iio/inkern.c
+@@ -412,6 +412,8 @@ struct iio_channel *devm_of_iio_channel_get_by_name(struct device *dev,
+ channel = of_iio_channel_get_by_name(np, channel_name);
+ if (IS_ERR(channel))
+ return channel;
++ if (!channel)
++ return ERR_PTR(-ENODEV);
+
+ ret = devm_add_action_or_reset(dev, devm_iio_channel_free, channel);
+ if (ret)
+--
+2.35.1
+
--- /dev/null
+From 8339554b725c988f0e806ab5830bf304b3d7d5da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Jul 2022 14:28:49 +0200
+Subject: iio: inkern: only release the device node when done with it
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá <nuno.sa@analog.com>
+
+[ Upstream commit 79c3e84874c7d14f04ad58313b64955a0d2e9437 ]
+
+'of_node_put()' can potentially release the memory pointed to by
+'iiospec.np' which would leave us with an invalid pointer (and we would
+still pass it in 'of_xlate()'). Note that it is not guaranteed for the
+of_node lifespan to be attached to the device (to which is attached)
+lifespan so that there is (even though very unlikely) the possibility
+for the node to be freed while the device is still around. Thus, as there
+are indeed some of_xlate users which do access the node, a race is indeed
+possible.
+
+As such, we can only release the node after we are done with it.
+
+Fixes: 17d82b47a215d ("iio: Add OF support")
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20220715122903.332535-2-nuno.sa@analog.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/inkern.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c
+index df74765d33dc..9d87057794fc 100644
+--- a/drivers/iio/inkern.c
++++ b/drivers/iio/inkern.c
+@@ -165,9 +165,10 @@ static int __of_iio_channel_get(struct iio_channel *channel,
+
+ idev = bus_find_device(&iio_bus_type, NULL, iiospec.np,
+ iio_dev_node_match);
+- of_node_put(iiospec.np);
+- if (idev == NULL)
++ if (idev == NULL) {
++ of_node_put(iiospec.np);
+ return -EPROBE_DEFER;
++ }
+
+ indio_dev = dev_to_iio_dev(idev);
+ channel->indio_dev = indio_dev;
+@@ -175,6 +176,7 @@ static int __of_iio_channel_get(struct iio_channel *channel,
+ index = indio_dev->info->of_xlate(indio_dev, &iiospec);
+ else
+ index = __of_iio_simple_xlate(indio_dev, &iiospec);
++ of_node_put(iiospec.np);
+ if (index < 0)
+ goto err_put;
+ channel->channel = &indio_dev->channels[index];
+--
+2.35.1
+
--- /dev/null
+From 93c189dda5a8d240380686014a6ab81f90f00ff8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Aug 2022 23:54:06 +0200
+Subject: iio: magnetometer: yas530: Change data type of hard_offsets to signed
+
+From: Jakob Hauser <jahau@rocketmail.com>
+
+[ Upstream commit e137fafc8985cf152a4bb6f18ae83ebb06816df1 ]
+
+The "hard_offsets" are currently unsigned u8 but they should be signed as they
+can get negative. They are signed in function yas5xx_meaure_offsets() and in the
+Yamaha drivers [1][2].
+
+[1] https://github.com/NovaFusion/android_kernel_samsung_golden/blob/cm-12.1/drivers/sensor/compass/yas.h#L156
+[2] https://github.com/msm8916-mainline/android_kernel_qcom_msm8916/blob/GT-I9195I/drivers/iio/magnetometer/yas_mag_drv-yas532.c#L91
+
+Fixes: de8860b1ed47 ("iio: magnetometer: Add driver for Yamaha YAS530")
+Signed-off-by: Jakob Hauser <jahau@rocketmail.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/40f052bf6491457d0c5c0ed4c3534dc6fa251c3c.1660337264.git.jahau@rocketmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/magnetometer/yamaha-yas530.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/magnetometer/yamaha-yas530.c b/drivers/iio/magnetometer/yamaha-yas530.c
+index aeaa4da6923b..d1f16729c60e 100644
+--- a/drivers/iio/magnetometer/yamaha-yas530.c
++++ b/drivers/iio/magnetometer/yamaha-yas530.c
+@@ -132,7 +132,7 @@ struct yas5xx {
+ unsigned int version;
+ char name[16];
+ struct yas5xx_calibration calibration;
+- u8 hard_offsets[3];
++ s8 hard_offsets[3];
+ struct iio_mount_matrix orientation;
+ struct regmap *map;
+ struct regulator_bulk_data regs[2];
+--
+2.35.1
+
--- /dev/null
+From 21c1e34351ccc36a1b781c01e0f165f86ca9c282 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Aug 2022 11:18:40 +0200
+Subject: iio: Use per-device lockdep class for mlock
+
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+
+[ Upstream commit 2bc9cd66eb25d0fefbb081421d6586495e25840e ]
+
+If an IIO driver uses callbacks from another IIO driver and calls
+iio_channel_start_all_cb() from one of its buffer setup ops, then
+lockdep complains due to the lock nesting, as in the below example with
+lmp91000.
+
+Since the locks are being taken on different IIO devices, there is no
+actual deadlock. Fix the warning by telling lockdep to use a different
+class for each iio_device.
+
+ ============================================
+ WARNING: possible recursive locking detected
+ --------------------------------------------
+ python3/23 is trying to acquire lock:
+ (&indio_dev->mlock){+.+.}-{3:3}, at: iio_update_buffers
+
+ but task is already holding lock:
+ (&indio_dev->mlock){+.+.}-{3:3}, at: enable_store
+
+ other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&indio_dev->mlock);
+ lock(&indio_dev->mlock);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+ 5 locks held by python3/23:
+ #0: (sb_writers#5){.+.+}-{0:0}, at: ksys_write
+ #1: (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter
+ #2: (kn->active#14){.+.+}-{0:0}, at: kernfs_fop_write_iter
+ #3: (&indio_dev->mlock){+.+.}-{3:3}, at: enable_store
+ #4: (&iio_dev_opaque->info_exist_lock){+.+.}-{3:3}, at: iio_update_buffers
+
+ Call Trace:
+ __mutex_lock
+ iio_update_buffers
+ iio_channel_start_all_cb
+ lmp91000_buffer_postenable
+ __iio_update_buffers
+ enable_store
+
+Fixes: 67e17300dc1d76 ("iio: potentiostat: add LMP91000 support")
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20220829091840.2791846-1-vincent.whitchurch@axis.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/industrialio-core.c | 5 +++++
+ include/linux/iio/iio-opaque.h | 2 ++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
+index 0f4dbda3b9d3..921d8e8643a2 100644
+--- a/drivers/iio/industrialio-core.c
++++ b/drivers/iio/industrialio-core.c
+@@ -1621,6 +1621,8 @@ static void iio_dev_release(struct device *device)
+
+ iio_device_detach_buffers(indio_dev);
+
++ lockdep_unregister_key(&iio_dev_opaque->mlock_key);
++
+ ida_free(&iio_ida, iio_dev_opaque->id);
+ kfree(iio_dev_opaque);
+ }
+@@ -1680,6 +1682,9 @@ struct iio_dev *iio_device_alloc(struct device *parent, int sizeof_priv)
+ INIT_LIST_HEAD(&iio_dev_opaque->buffer_list);
+ INIT_LIST_HEAD(&iio_dev_opaque->ioctl_handlers);
+
++ lockdep_register_key(&iio_dev_opaque->mlock_key);
++ lockdep_set_class(&indio_dev->mlock, &iio_dev_opaque->mlock_key);
++
+ return indio_dev;
+ }
+ EXPORT_SYMBOL(iio_device_alloc);
+diff --git a/include/linux/iio/iio-opaque.h b/include/linux/iio/iio-opaque.h
+index 6b3586b3f952..d1f8b30a7c8b 100644
+--- a/include/linux/iio/iio-opaque.h
++++ b/include/linux/iio/iio-opaque.h
+@@ -11,6 +11,7 @@
+ * checked by device drivers but should be considered
+ * read-only as this is a core internal bit
+ * @driver_module: used to make it harder to undercut users
++ * @mlock_key: lockdep class for iio_dev lock
+ * @info_exist_lock: lock to prevent use during removal
+ * @trig_readonly: mark the current trigger immutable
+ * @event_interface: event chrdevs associated with interrupt lines
+@@ -42,6 +43,7 @@ struct iio_dev_opaque {
+ int currentmode;
+ int id;
+ struct module *driver_module;
++ struct lock_class_key mlock_key;
+ struct mutex info_exist_lock;
+ bool trig_readonly;
+ struct iio_event_interface *event_interface;
+--
+2.35.1
+
--- /dev/null
+From 58cf095bc7cc3642d0c21d5cc90cd06bdb89751b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Aug 2022 17:18:42 -0400
+Subject: ima: fix blocking of security.ima xattrs of unsupported algorithms
+
+From: Mimi Zohar <zohar@linux.ibm.com>
+
+[ Upstream commit 5926586f291b53cb8a0c9631fc19489be1186e2d ]
+
+Limit validating the hash algorithm to just security.ima xattr, not
+the security.evm xattr or any of the protected EVM security xattrs,
+nor posix acls.
+
+Fixes: 50f742dd9147 ("IMA: block writes of the security.ima xattr with unsupported algorithms")
+Reported-by: Christian Brauner <brauner@kernel.org>
+Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/ima/ima_appraise.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
+index bde74fcecee3..3e0fbbd99534 100644
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -750,22 +750,26 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name,
+ const struct evm_ima_xattr_data *xvalue = xattr_value;
+ int digsig = 0;
+ int result;
++ int err;
+
+ result = ima_protect_xattr(dentry, xattr_name, xattr_value,
+ xattr_value_len);
+ if (result == 1) {
+ if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST))
+ return -EINVAL;
++
++ err = validate_hash_algo(dentry, xvalue, xattr_value_len);
++ if (err)
++ return err;
++
+ digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG);
+ } else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) {
+ digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG);
+ }
+ if (result == 1 || evm_revalidate_status(xattr_name)) {
+- result = validate_hash_algo(dentry, xvalue, xattr_value_len);
+- if (result)
+- return result;
+-
+ ima_reset_appraise_flags(d_backing_inode(dentry), digsig);
++ if (result == 1)
++ result = 0;
+ }
+ return result;
+ }
+--
+2.35.1
+
--- /dev/null
+From e65be5ddabf3a6411b76762667ee91a896b849ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Sep 2022 06:40:37 -0600
+Subject: io_uring/fdinfo: fix sqe dumping for IORING_SETUP_SQE128
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 3b8fdd1dc35e395d19efbc8391a809a5b954ecf4 ]
+
+If we have doubly sized SQEs, then we need to shift the sq index by 1
+to account for using two entries for a single request. The CQE dumping
+gets this right, but the SQE one does not.
+
+Improve the SQE dumping in general, the information dumped is pretty
+sparse and doesn't even cover the whole basic part of the SQE. Include
+information on the extended part of the SQE, if doubly sized SQEs are
+in use. A typical dump now looks like the following:
+
+[...]
+SQEs: 32
+ 32: opcode:URING_CMD, fd:0, flags:1, off:3225964160, addr:0x0, rw_flags:0x0, buf_index:0 user_data:2721, e0:0x0, e1:0xffffb8041000, e2:0x100000000000, e3:0x5500, e4:0x7, e5:0x0, e6:0x0, e7:0x0
+ 33: opcode:URING_CMD, fd:0, flags:1, off:3225964160, addr:0x0, rw_flags:0x0, buf_index:0 user_data:2722, e0:0x0, e1:0xffffb8043000, e2:0x100000000000, e3:0x5508, e4:0x7, e5:0x0, e6:0x0, e7:0x0
+ 34: opcode:URING_CMD, fd:0, flags:1, off:3225964160, addr:0x0, rw_flags:0x0, buf_index:0 user_data:2723, e0:0x0, e1:0xffffb8045000, e2:0x100000000000, e3:0x5510, e4:0x7, e5:0x0, e6:0x0, e7:0x0
+[...]
+
+Fixes: ebdeb7c01d02 ("io_uring: add support for 128-byte SQEs")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/fdinfo.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c
+index b29e2d02216f..6d4cc7a92724 100644
+--- a/io_uring/fdinfo.c
++++ b/io_uring/fdinfo.c
+@@ -60,6 +60,7 @@ static __cold void __io_uring_show_fdinfo(struct io_ring_ctx *ctx,
+ unsigned int cq_head = READ_ONCE(r->cq.head);
+ unsigned int cq_tail = READ_ONCE(r->cq.tail);
+ unsigned int cq_shift = 0;
++ unsigned int sq_shift = 0;
+ unsigned int sq_entries, cq_entries;
+ bool has_lock;
+ bool is_cqe32 = (ctx->flags & IORING_SETUP_CQE32);
+@@ -67,6 +68,8 @@ static __cold void __io_uring_show_fdinfo(struct io_ring_ctx *ctx,
+
+ if (is_cqe32)
+ cq_shift = 1;
++ if (ctx->flags & IORING_SETUP_SQE128)
++ sq_shift = 1;
+
+ /*
+ * we may get imprecise sqe and cqe info if uring is actively running
+@@ -82,19 +85,36 @@ static __cold void __io_uring_show_fdinfo(struct io_ring_ctx *ctx,
+ seq_printf(m, "CqHead:\t%u\n", cq_head);
+ seq_printf(m, "CqTail:\t%u\n", cq_tail);
+ seq_printf(m, "CachedCqTail:\t%u\n", ctx->cached_cq_tail);
+- seq_printf(m, "SQEs:\t%u\n", sq_tail - ctx->cached_sq_head);
++ seq_printf(m, "SQEs:\t%u\n", sq_tail - sq_head);
+ sq_entries = min(sq_tail - sq_head, ctx->sq_entries);
+ for (i = 0; i < sq_entries; i++) {
+ unsigned int entry = i + sq_head;
+- unsigned int sq_idx = READ_ONCE(ctx->sq_array[entry & sq_mask]);
+ struct io_uring_sqe *sqe;
++ unsigned int sq_idx;
+
++ sq_idx = READ_ONCE(ctx->sq_array[entry & sq_mask]);
+ if (sq_idx > sq_mask)
+ continue;
+- sqe = &ctx->sq_sqes[sq_idx];
+- seq_printf(m, "%5u: opcode:%d, fd:%d, flags:%x, user_data:%llu\n",
+- sq_idx, sqe->opcode, sqe->fd, sqe->flags,
+- sqe->user_data);
++ sqe = &ctx->sq_sqes[sq_idx << 1];
++ seq_printf(m, "%5u: opcode:%s, fd:%d, flags:%x, off:%llu, "
++ "addr:0x%llx, rw_flags:0x%x, buf_index:%d "
++ "user_data:%llu",
++ sq_idx, io_uring_get_opcode(sqe->opcode), sqe->fd,
++ sqe->flags, (unsigned long long) sqe->off,
++ (unsigned long long) sqe->addr, sqe->rw_flags,
++ sqe->buf_index, sqe->user_data);
++ if (sq_shift) {
++ u64 *sqeb = (void *) (sqe + 1);
++ int size = sizeof(struct io_uring_sqe) / sizeof(u64);
++ int j;
++
++ for (j = 0; j < size; j++) {
++ seq_printf(m, ", e%d:0x%llx", j,
++ (unsigned long long) *sqeb);
++ sqeb++;
++ }
++ }
++ seq_printf(m, "\n");
+ }
+ seq_printf(m, "CQEs:\t%u\n", cq_tail - cq_head);
+ cq_entries = min(cq_tail - cq_head, ctx->cq_entries);
+--
+2.35.1
+
--- /dev/null
+From 6643c46bbbe7a3476a150cb54de74a13592da1c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Sep 2022 14:53:25 +0100
+Subject: io_uring: fix CQE reordering
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+[ Upstream commit aa1df3a360a0c50e0f0086a785d75c2785c29967 ]
+
+Overflowing CQEs may result in reordering, which is buggy in case of
+links, F_MORE and so on. If we guarantee that we don't reorder for
+the unlikely event of a CQ ring overflow, then we can further extend
+this to not have to terminate multishot requests if it happens. For
+other operations, like zerocopy sends, we have no choice but to honor
+CQE ordering.
+
+Reported-by: Dylan Yudaken <dylany@fb.com>
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/ec3bc55687b0768bbe20fb62d7d06cfced7d7e70.1663892031.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/io_uring.c | 12 ++++++++++--
+ io_uring/io_uring.h | 12 +++++++++---
+ 2 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
+index a22a32acf590..c5dd483a7de2 100644
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -567,7 +567,7 @@ static bool __io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
+
+ io_cq_lock(ctx);
+ while (!list_empty(&ctx->cq_overflow_list)) {
+- struct io_uring_cqe *cqe = io_get_cqe(ctx);
++ struct io_uring_cqe *cqe = io_get_cqe_overflow(ctx, true);
+ struct io_overflow_cqe *ocqe;
+
+ if (!cqe && !force)
+@@ -694,12 +694,19 @@ bool io_req_cqe_overflow(struct io_kiocb *req)
+ * control dependency is enough as we're using WRITE_ONCE to
+ * fill the cq entry
+ */
+-struct io_uring_cqe *__io_get_cqe(struct io_ring_ctx *ctx)
++struct io_uring_cqe *__io_get_cqe(struct io_ring_ctx *ctx, bool overflow)
+ {
+ struct io_rings *rings = ctx->rings;
+ unsigned int off = ctx->cached_cq_tail & (ctx->cq_entries - 1);
+ unsigned int free, queued, len;
+
++ /*
++ * Posting into the CQ when there are pending overflowed CQEs may break
++ * ordering guarantees, which will affect links, F_MORE users and more.
++ * Force overflow the completion.
++ */
++ if (!overflow && (ctx->check_cq & BIT(IO_CHECK_CQ_OVERFLOW_BIT)))
++ return NULL;
+
+ /* userspace may cheat modifying the tail, be safe and do min */
+ queued = min(__io_cqring_events(ctx), ctx->cq_entries);
+@@ -2232,6 +2239,7 @@ static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
+
+ do {
+ io_cqring_overflow_flush(ctx);
++
+ if (io_cqring_events(ctx) >= min_events)
+ return 0;
+ if (!io_run_task_work())
+diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h
+index 2f73f83af960..45809ae6f64e 100644
+--- a/io_uring/io_uring.h
++++ b/io_uring/io_uring.h
+@@ -24,7 +24,7 @@ enum {
+ IOU_STOP_MULTISHOT = -ECANCELED,
+ };
+
+-struct io_uring_cqe *__io_get_cqe(struct io_ring_ctx *ctx);
++struct io_uring_cqe *__io_get_cqe(struct io_ring_ctx *ctx, bool overflow);
+ bool io_req_cqe_overflow(struct io_kiocb *req);
+ int io_run_task_work_sig(void);
+ void io_req_complete_failed(struct io_kiocb *req, s32 res);
+@@ -91,7 +91,8 @@ static inline void io_cq_lock(struct io_ring_ctx *ctx)
+
+ void io_cq_unlock_post(struct io_ring_ctx *ctx);
+
+-static inline struct io_uring_cqe *io_get_cqe(struct io_ring_ctx *ctx)
++static inline struct io_uring_cqe *io_get_cqe_overflow(struct io_ring_ctx *ctx,
++ bool overflow)
+ {
+ if (likely(ctx->cqe_cached < ctx->cqe_sentinel)) {
+ struct io_uring_cqe *cqe = ctx->cqe_cached;
+@@ -103,7 +104,12 @@ static inline struct io_uring_cqe *io_get_cqe(struct io_ring_ctx *ctx)
+ return cqe;
+ }
+
+- return __io_get_cqe(ctx);
++ return __io_get_cqe(ctx, overflow);
++}
++
++static inline struct io_uring_cqe *io_get_cqe(struct io_ring_ctx *ctx)
++{
++ return io_get_cqe_overflow(ctx, false);
+ }
+
+ static inline bool __io_fill_cqe_req(struct io_ring_ctx *ctx,
+--
+2.35.1
+
--- /dev/null
+From 3cc946a1cb24a546b6bb91b08424e91e5b0b1c36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 10:57:05 -0600
+Subject: io_uring/rw: defer fsnotify calls to task context
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit b000145e9907809406d8164c3b2b8861d95aecd1 ]
+
+We can't call these off the kiocb completion as that might be off
+soft/hard irq context. Defer the calls to when we process the
+task_work for this request. That avoids valid complaints like:
+
+stack backtrace:
+CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.0.0-rc6-syzkaller-00321-g105a36f3694e #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ print_usage_bug kernel/locking/lockdep.c:3961 [inline]
+ valid_state kernel/locking/lockdep.c:3973 [inline]
+ mark_lock_irq kernel/locking/lockdep.c:4176 [inline]
+ mark_lock.part.0.cold+0x18/0xd8 kernel/locking/lockdep.c:4632
+ mark_lock kernel/locking/lockdep.c:4596 [inline]
+ mark_usage kernel/locking/lockdep.c:4527 [inline]
+ __lock_acquire+0x11d9/0x56d0 kernel/locking/lockdep.c:5007
+ lock_acquire kernel/locking/lockdep.c:5666 [inline]
+ lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631
+ __fs_reclaim_acquire mm/page_alloc.c:4674 [inline]
+ fs_reclaim_acquire+0x115/0x160 mm/page_alloc.c:4688
+ might_alloc include/linux/sched/mm.h:271 [inline]
+ slab_pre_alloc_hook mm/slab.h:700 [inline]
+ slab_alloc mm/slab.c:3278 [inline]
+ __kmem_cache_alloc_lru mm/slab.c:3471 [inline]
+ kmem_cache_alloc+0x39/0x520 mm/slab.c:3491
+ fanotify_alloc_fid_event fs/notify/fanotify/fanotify.c:580 [inline]
+ fanotify_alloc_event fs/notify/fanotify/fanotify.c:813 [inline]
+ fanotify_handle_event+0x1130/0x3f40 fs/notify/fanotify/fanotify.c:948
+ send_to_group fs/notify/fsnotify.c:360 [inline]
+ fsnotify+0xafb/0x1680 fs/notify/fsnotify.c:570
+ __fsnotify_parent+0x62f/0xa60 fs/notify/fsnotify.c:230
+ fsnotify_parent include/linux/fsnotify.h:77 [inline]
+ fsnotify_file include/linux/fsnotify.h:99 [inline]
+ fsnotify_access include/linux/fsnotify.h:309 [inline]
+ __io_complete_rw_common+0x485/0x720 io_uring/rw.c:195
+ io_complete_rw+0x1a/0x1f0 io_uring/rw.c:228
+ iomap_dio_complete_work fs/iomap/direct-io.c:144 [inline]
+ iomap_dio_bio_end_io+0x438/0x5e0 fs/iomap/direct-io.c:178
+ bio_endio+0x5f9/0x780 block/bio.c:1564
+ req_bio_endio block/blk-mq.c:695 [inline]
+ blk_update_request+0x3fc/0x1300 block/blk-mq.c:825
+ scsi_end_request+0x7a/0x9a0 drivers/scsi/scsi_lib.c:541
+ scsi_io_completion+0x173/0x1f70 drivers/scsi/scsi_lib.c:971
+ scsi_complete+0x122/0x3b0 drivers/scsi/scsi_lib.c:1438
+ blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1022
+ __do_softirq+0x1d3/0x9c6 kernel/softirq.c:571
+ invoke_softirq kernel/softirq.c:445 [inline]
+ __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
+ irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
+ common_interrupt+0xa9/0xc0 arch/x86/kernel/irq.c:240
+
+Fixes: f63cf5192fe3 ("io_uring: ensure that fsnotify is always called")
+Link: https://lore.kernel.org/all/20220929135627.ykivmdks2w5vzrwg@quack3/
+Reported-by: syzbot+dfcc5f4da15868df7d4d@syzkaller.appspotmail.com
+Reported-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/rw.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/io_uring/rw.c b/io_uring/rw.c
+index 295e3456d68e..eda14e8ec009 100644
+--- a/io_uring/rw.c
++++ b/io_uring/rw.c
+@@ -186,14 +186,6 @@ static void kiocb_end_write(struct io_kiocb *req)
+
+ static bool __io_complete_rw_common(struct io_kiocb *req, long res)
+ {
+- struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
+-
+- if (rw->kiocb.ki_flags & IOCB_WRITE) {
+- kiocb_end_write(req);
+- fsnotify_modify(req->file);
+- } else {
+- fsnotify_access(req->file);
+- }
+ if (unlikely(res != req->cqe.res)) {
+ if ((res == -EAGAIN || res == -EOPNOTSUPP) &&
+ io_rw_should_reissue(req)) {
+@@ -220,6 +212,20 @@ static inline int io_fixup_rw_res(struct io_kiocb *req, long res)
+ return res;
+ }
+
++static void io_req_rw_complete(struct io_kiocb *req, bool *locked)
++{
++ struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw);
++
++ if (rw->kiocb.ki_flags & IOCB_WRITE) {
++ kiocb_end_write(req);
++ fsnotify_modify(req->file);
++ } else {
++ fsnotify_access(req->file);
++ }
++
++ io_req_task_complete(req, locked);
++}
++
+ static void io_complete_rw(struct kiocb *kiocb, long res)
+ {
+ struct io_rw *rw = container_of(kiocb, struct io_rw, kiocb);
+@@ -228,7 +234,7 @@ static void io_complete_rw(struct kiocb *kiocb, long res)
+ if (__io_complete_rw_common(req, res))
+ return;
+ io_req_set_res(req, io_fixup_rw_res(req, res), 0);
+- req->io_task_work.func = io_req_task_complete;
++ req->io_task_work.func = io_req_rw_complete;
+ io_req_task_work_add(req);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 83c385995f38d1fa70b8759e6c6a11cfb6bb3e55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 17:02:32 -0700
+Subject: iomap: iomap: fix memory corruption when recording errors during
+ writeback
+
+From: Darrick J. Wong <djwong@kernel.org>
+
+[ Upstream commit 3d5f3ba1ac28059bdf7000cae2403e4e984308d2 ]
+
+Every now and then I see this crash on arm64:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8
+Buffer I/O error on dev dm-0, logical block 8733687, async page read
+Mem abort info:
+ ESR = 0x0000000096000006
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x06: level 2 translation fault
+Data abort info:
+ ISV = 0, ISS = 0x00000006
+ CM = 0, WnR = 0
+user pgtable: 64k pages, 42-bit VAs, pgdp=0000000139750000
+[00000000000000f8] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000, pmd=0000000000000000
+Internal error: Oops: 96000006 [#1] PREEMPT SMP
+Buffer I/O error on dev dm-0, logical block 8733688, async page read
+Dumping ftrace buffer:
+Buffer I/O error on dev dm-0, logical block 8733689, async page read
+ (ftrace buffer empty)
+XFS (dm-0): log I/O error -5
+Modules linked in: dm_thin_pool dm_persistent_data
+XFS (dm-0): Metadata I/O Error (0x1) detected at xfs_trans_read_buf_map+0x1ec/0x590 [xfs] (fs/xfs/xfs_trans_buf.c:296).
+ dm_bio_prison
+XFS (dm-0): Please unmount the filesystem and rectify the problem(s)
+XFS (dm-0): xfs_imap_lookup: xfs_ialloc_read_agi() returned error -5, agno 0
+ dm_bufio dm_log_writes xfs nft_chain_nat xt_REDIRECT nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_REJECT
+potentially unexpected fatal signal 6.
+ nf_reject_ipv6
+potentially unexpected fatal signal 6.
+ ipt_REJECT nf_reject_ipv4
+CPU: 1 PID: 122166 Comm: fsstress Tainted: G W 6.0.0-rc5-djwa #rc5 3004c9f1de887ebae86015f2677638ce51ee7
+ rpcsec_gss_krb5 auth_rpcgss xt_tcpudp ip_set_hash_ip ip_set_hash_net xt_set nft_compat ip_set_hash_mac ip_set nf_tables
+Hardware name: QEMU KVM Virtual Machine, BIOS 1.5.1 06/16/2021
+pstate: 60001000 (nZCv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)
+ ip_tables
+pc : 000003fd6d7df200
+ x_tables
+lr : 000003fd6d7df1ec
+ overlay nfsv4
+CPU: 0 PID: 54031 Comm: u4:3 Tainted: G W 6.0.0-rc5-djwa #rc5 3004c9f1de887ebae86015f2677638ce51ee7405
+Hardware name: QEMU KVM Virtual Machine, BIOS 1.5.1 06/16/2021
+Workqueue: writeback wb_workfn
+sp : 000003ffd9522fd0
+ (flush-253:0)
+pstate: 60401005 (nZCv daif +PAN -UAO -TCO -DIT +SSBS BTYPE=--)
+pc : errseq_set+0x1c/0x100
+x29: 000003ffd9522fd0 x28: 0000000000000023 x27: 000002acefeb6780
+x26: 0000000000000005 x25: 0000000000000001 x24: 0000000000000000
+x23: 00000000ffffffff x22: 0000000000000005
+lr : __filemap_set_wb_err+0x24/0xe0
+ x21: 0000000000000006
+sp : fffffe000f80f760
+x29: fffffe000f80f760 x28: 0000000000000003 x27: fffffe000f80f9f8
+x26: 0000000002523000 x25: 00000000fffffffb x24: fffffe000f80f868
+x23: fffffe000f80fbb0 x22: fffffc0180c26a78 x21: 0000000002530000
+x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000000
+
+x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
+x14: 0000000000000001 x13: 0000000000470af3 x12: fffffc0058f70000
+x11: 0000000000000040 x10: 0000000000001b20 x9 : fffffe000836b288
+x8 : fffffc00eb9fd480 x7 : 0000000000f83659 x6 : 0000000000000000
+x5 : 0000000000000869 x4 : 0000000000000005 x3 : 00000000000000f8
+x20: 000003fd6d740020 x19: 000000000001dd36 x18: 0000000000000001
+x17: 000003fd6d78704c x16: 0000000000000001 x15: 000002acfac87668
+x2 : 0000000000000ffa x1 : 00000000fffffffb x0 : 00000000000000f8
+Call trace:
+ errseq_set+0x1c/0x100
+ __filemap_set_wb_err+0x24/0xe0
+ iomap_do_writepage+0x5e4/0xd5c
+ write_cache_pages+0x208/0x674
+ iomap_writepages+0x34/0x60
+ xfs_vm_writepages+0x8c/0xcc [xfs 7a861f39c43631f15d3a5884246ba5035d4ca78b]
+x14: 0000000000000000 x13: 2064656e72757465 x12: 0000000000002180
+x11: 000003fd6d8a82d0 x10: 0000000000000000 x9 : 000003fd6d8ae288
+x8 : 0000000000000083 x7 : 00000000ffffffff x6 : 00000000ffffffee
+x5 : 00000000fbad2887 x4 : 000003fd6d9abb58 x3 : 000003fd6d740020
+x2 : 0000000000000006 x1 : 000000000001dd36 x0 : 0000000000000000
+CPU: 1 PID: 122167 Comm: fsstress Tainted: G W 6.0.0-rc5-djwa #rc5 3004c9f1de887ebae86015f2677638ce51ee7
+ do_writepages+0x90/0x1c4
+ __writeback_single_inode+0x4c/0x4ac
+Hardware name: QEMU KVM Virtual Machine, BIOS 1.5.1 06/16/2021
+ writeback_sb_inodes+0x214/0x4ac
+ wb_writeback+0xf4/0x3b0
+pstate: 60001000 (nZCv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)
+ wb_workfn+0xfc/0x580
+ process_one_work+0x1e8/0x480
+pc : 000003fd6d7df200
+ worker_thread+0x78/0x430
+
+This crash is a result of iomap_writepage_map encountering some sort of
+error during writeback and wanting to set that error code in the file
+mapping so that fsync will report it. Unfortunately, the code
+dereferences folio->mapping after unlocking the folio, which means that
+another thread could have removed the page from the page cache
+(writeback doesn't hold the invalidation lock) and give it to somebody
+else.
+
+At best we crash the system like above; at worst, we corrupt memory or
+set an error on some other unsuspecting file while failing to record the
+problems with *this* file. Regardless, fix the problem by reporting the
+error to the inode mapping.
+
+NOTE: Commit 598ecfbaa742 lifted the XFS writeback code to iomap, so
+this fix should be backported to XFS in the 4.6-5.4 kernels in addition
+to iomap in the 5.5-5.19 kernels.
+
+Fixes: e735c0079465 ("iomap: Convert iomap_add_to_ioend() to take a folio") # 5.17 onward
+Fixes: 598ecfbaa742 ("iomap: lift the xfs writeback code to iomap") # 5.5-5.16, needs backporting
+Fixes: 150d5be09ce4 ("xfs: remove xfs_cancel_ioend") # 4.6-5.4, needs backporting
+Signed-off-by: Darrick J. Wong <djwong@kernel.org>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/iomap/buffered-io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
+index ca5c62901541..77d59c159248 100644
+--- a/fs/iomap/buffered-io.c
++++ b/fs/iomap/buffered-io.c
+@@ -1421,7 +1421,7 @@ iomap_writepage_map(struct iomap_writepage_ctx *wpc,
+ if (!count)
+ folio_end_writeback(folio);
+ done:
+- mapping_set_error(folio->mapping, error);
++ mapping_set_error(inode->i_mapping, error);
+ return error;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 04d1cca840b4aeb369f7ccdca87889575f8000c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 19:44:10 +0800
+Subject: iommu/arm-smmu-v3: Make default domain type of HiSilicon PTT device
+ to identity
+
+From: Yicong Yang <yangyicong@hisilicon.com>
+
+[ Upstream commit 24b6c7798a0122012ca848ea0d25e973334266b0 ]
+
+The DMA operations of HiSilicon PTT device can only work properly with
+identical mappings. So add a quirk for the device to force the domain
+as passthrough.
+
+Acked-by: Will Deacon <will@kernel.org>
+Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Link: https://lore.kernel.org/r/20220816114414.4092-2-yangyicong@huawei.com
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
+index d32b02336411..71f7edded9cf 100644
+--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
++++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
+@@ -2817,6 +2817,26 @@ static int arm_smmu_dev_disable_feature(struct device *dev,
+ }
+ }
+
++/*
++ * HiSilicon PCIe tune and trace device can be used to trace TLP headers on the
++ * PCIe link and save the data to memory by DMA. The hardware is restricted to
++ * use identity mapping only.
++ */
++#define IS_HISI_PTT_DEVICE(pdev) ((pdev)->vendor == PCI_VENDOR_ID_HUAWEI && \
++ (pdev)->device == 0xa12e)
++
++static int arm_smmu_def_domain_type(struct device *dev)
++{
++ if (dev_is_pci(dev)) {
++ struct pci_dev *pdev = to_pci_dev(dev);
++
++ if (IS_HISI_PTT_DEVICE(pdev))
++ return IOMMU_DOMAIN_IDENTITY;
++ }
++
++ return 0;
++}
++
+ static struct iommu_ops arm_smmu_ops = {
+ .capable = arm_smmu_capable,
+ .domain_alloc = arm_smmu_domain_alloc,
+@@ -2831,6 +2851,7 @@ static struct iommu_ops arm_smmu_ops = {
+ .sva_unbind = arm_smmu_sva_unbind,
+ .sva_get_pasid = arm_smmu_sva_get_pasid,
+ .page_response = arm_smmu_page_response,
++ .def_domain_type = arm_smmu_def_domain_type,
+ .pgsize_bitmap = -1UL, /* Restricted during device attach */
+ .owner = THIS_MODULE,
+ .default_domain_ops = &(const struct iommu_domain_ops) {
+--
+2.35.1
+
--- /dev/null
+From cd25ba8f6185ac57756be4f6abb38ae8c006597c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 12:47:20 +0100
+Subject: iommu/iova: Fix module config properly
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit 4f58330fcc8482aa90674e1f40f601e82f18ed4a ]
+
+IOMMU_IOVA is intended to be an optional library for users to select as
+and when they desire. Since it can be a module now, this means that
+built-in code which has chosen not to select it should not fail to link
+if it happens to have selected as a module by someone else. Replace
+IS_ENABLED() with IS_REACHABLE() to do the right thing.
+
+CC: Thierry Reding <thierry.reding@gmail.com>
+Reported-by: John Garry <john.garry@huawei.com>
+Fixes: 15bbdec3931e ("iommu: Make the iova library a module")
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Reviewed-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/548c2f683ca379aface59639a8f0cccc3a1ac050.1663069227.git.robin.murphy@arm.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/iova.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/iova.h b/include/linux/iova.h
+index c6ba6d95d79c..83c00fac2acb 100644
+--- a/include/linux/iova.h
++++ b/include/linux/iova.h
+@@ -75,7 +75,7 @@ static inline unsigned long iova_pfn(struct iova_domain *iovad, dma_addr_t iova)
+ return iova >> iova_shift(iovad);
+ }
+
+-#if IS_ENABLED(CONFIG_IOMMU_IOVA)
++#if IS_REACHABLE(CONFIG_IOMMU_IOVA)
+ int iova_cache_get(void);
+ void iova_cache_put(void);
+
+--
+2.35.1
+
--- /dev/null
+From 1b33868833d3b86abac214efcd94b73968189af9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 17:32:39 +0300
+Subject: iommu/omap: Fix buffer overflow in debugfs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 184233a5202786b20220acd2d04ddf909ef18f29 ]
+
+There are two issues here:
+
+1) The "len" variable needs to be checked before the very first write.
+ Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
+ buffer overflow.
+2) The snprintf() function returns the number of bytes that *would* have
+ been copied if there were enough space. But we want to know the
+ number of bytes which were *actually* copied so use scnprintf()
+ instead.
+
+Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Link: https://lore.kernel.org/r/YuvYh1JbE3v+abd5@kili
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/omap-iommu-debug.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
+index a99afb5d9011..259f65291d90 100644
+--- a/drivers/iommu/omap-iommu-debug.c
++++ b/drivers/iommu/omap-iommu-debug.c
+@@ -32,12 +32,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj)
+ ssize_t bytes; \
+ const char *str = "%20s: %08x\n"; \
+ const int maxcol = 32; \
+- bytes = snprintf(p, maxcol, str, __stringify(name), \
++ if (len < maxcol) \
++ goto out; \
++ bytes = scnprintf(p, maxcol, str, __stringify(name), \
+ iommu_read_reg(obj, MMU_##name)); \
+ p += bytes; \
+ len -= bytes; \
+- if (len < maxcol) \
+- goto out; \
+ } while (0)
+
+ static ssize_t
+--
+2.35.1
+
--- /dev/null
+From 5cf2dd55d8c41d39e029a825eb232f4f50834a3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Jul 2022 14:23:01 +0800
+Subject: ipc: mqueue: fix possible memory leak in init_mqueue_fs()
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+[ Upstream commit c579d60f0d0cd87552f64fdebe68b5d941d20309 ]
+
+commit db7cfc380900 ("ipc: Free mq_sysctls if ipc namespace creation
+failed")
+
+Here's a similar memory leak to the one fixed by the patch above.
+retire_mq_sysctls need to be called when init_mqueue_fs fails after
+setup_mq_sysctls.
+
+Fixes: dc55e35f9e81 ("ipc: Store mqueue sysctls in the ipc namespace")
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Link: https://lkml.kernel.org/r/20220715062301.19311-1-hbh25y@gmail.com
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ ipc/mqueue.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ipc/mqueue.c b/ipc/mqueue.c
+index f98de32aeea1..9cf314b3f079 100644
+--- a/ipc/mqueue.c
++++ b/ipc/mqueue.c
+@@ -1746,6 +1746,7 @@ static int __init init_mqueue_fs(void)
+ unregister_filesystem(&mqueue_fs_type);
+ out_sysctl:
+ kmem_cache_destroy(mqueue_inode_cachep);
++ retire_mq_sysctls(&init_ipc_ns);
+ return error;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From b65721e30e7753791f44c94c72095bfd7b055999 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Aug 2022 09:48:09 +0900
+Subject: kbuild: remove the target in signal traps when interrupted
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit a7f3257da8a86b96fb9bf1bba40ae0bbd7f1885a ]
+
+When receiving some signal, GNU Make automatically deletes the target if
+it has already been changed by the interrupted recipe.
+
+If the target is possibly incomplete due to interruption, it must be
+deleted so that it will be remade from scratch on the next run of make.
+Otherwise, the target would remain corrupted permanently because its
+timestamp had already been updated.
+
+Thanks to this behavior of Make, you can stop the build any time by
+pressing Ctrl-C, and just run 'make' to resume it.
+
+Kbuild also relies on this feature, but it is equivalently important
+for any build systems that make decisions based on timestamps (if you
+want to support Ctrl-C reliably).
+
+However, this does not always work as claimed; Make immediately dies
+with Ctrl-C if its stderr goes into a pipe.
+
+ [Test Makefile]
+
+ foo:
+ echo hello > $@
+ sleep 3
+ echo world >> $@
+
+ [Test Result]
+
+ $ make # hit Ctrl-C
+ echo hello > foo
+ sleep 3
+ ^Cmake: *** Deleting file 'foo'
+ make: *** [Makefile:3: foo] Interrupt
+
+ $ make 2>&1 | cat # hit Ctrl-C
+ echo hello > foo
+ sleep 3
+ ^C$ # 'foo' is often left-over
+
+The reason is because SIGINT is sent to the entire process group.
+In this example, SIGINT kills 'cat', and 'make' writes the message to
+the closed pipe, then dies with SIGPIPE before cleaning the target.
+
+A typical bad scenario (as reported by [1], [2]) is to save build log
+by using the 'tee' command:
+
+ $ make 2>&1 | tee log
+
+This can be problematic for any build systems based on Make, so I hope
+it will be fixed in GNU Make. The maintainer of GNU Make stated this is
+a long-standing issue and difficult to fix [3]. It has not been fixed
+yet as of writing.
+
+So, we cannot rely on Make cleaning the target. We can do it by
+ourselves, in signal traps.
+
+As far as I understand, Make takes care of SIGHUP, SIGINT, SIGQUIT, and
+SITERM for the target removal. I added the traps for them, and also for
+SIGPIPE just in case cmd_* rule prints something to stdout or stderr
+(but I did not observe an actual case where SIGPIPE was triggered).
+
+[Note 1]
+
+The trap handler might be worth explaining.
+
+ rm -f $@; trap - $(sig); kill -s $(sig) $$
+
+This lets the shell kill itself by the signal it caught, so the parent
+process can tell the child has exited on the signal. Generally, this is
+a proper manner for handling signals, in case the calling program (like
+Bash) may monitor WIFSIGNALED() and WTERMSIG() for WCE although this may
+not be a big deal here because GNU Make handles SIGHUP, SIGINT, SIGQUIT
+in WUE and SIGTERM in IUE.
+
+ IUE - Immediate Unconditional Exit
+ WUE - Wait and Unconditional Exit
+ WCE - Wait and Cooperative Exit
+
+For details, see "Proper handling of SIGINT/SIGQUIT" [4].
+
+[Note 2]
+
+Reverting 392885ee82d3 ("kbuild: let fixdep directly write to .*.cmd
+files") would directly address [1], but it only saves if_changed_dep.
+As reported in [2], all commands that use redirection can potentially
+leave an empty (i.e. broken) target.
+
+[Note 3]
+
+Another (even safer) approach might be to always write to a temporary
+file, and rename it to $@ at the end of the recipe.
+
+ <command> > $(tmp-target)
+ mv $(tmp-target) $@
+
+It would require a lot of Makefile changes, and result in ugly code,
+so I did not take it.
+
+[Note 4]
+
+A little more thoughts about a pattern rule with multiple targets (or
+a grouped target).
+
+ %.x %.y: %.z
+ <recipe>
+
+When interrupted, GNU Make deletes both %.x and %.y, while this solution
+only deletes $@. Probably, this is not a big deal. The next run of make
+will execute the rule again to create $@ along with the other files.
+
+[1]: https://lore.kernel.org/all/YLeot94yAaM4xbMY@gmail.com/
+[2]: https://lore.kernel.org/all/20220510221333.2770571-1-robh@kernel.org/
+[3]: https://lists.gnu.org/archive/html/help-make/2021-06/msg00001.html
+[4]: https://www.cons.org/cracauer/sigint.html
+
+Fixes: 392885ee82d3 ("kbuild: let fixdep directly write to .*.cmd files")
+Reported-by: Ingo Molnar <mingo@kernel.org>
+Reported-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Tested-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Nicolas Schier <nicolas@fjasle.eu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/Kbuild.include | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include
+index ece44b735061..2bc08ace38a3 100644
+--- a/scripts/Kbuild.include
++++ b/scripts/Kbuild.include
+@@ -100,8 +100,29 @@ echo-cmd = $(if $($(quiet)cmd_$(1)),\
+ quiet_redirect :=
+ silent_redirect := exec >/dev/null;
+
++# Delete the target on interruption
++#
++# GNU Make automatically deletes the target if it has already been changed by
++# the interrupted recipe. So, you can safely stop the build by Ctrl-C (Make
++# will delete incomplete targets), and resume it later.
++#
++# However, this does not work when the stderr is piped to another program, like
++# $ make >&2 | tee log
++# Make dies with SIGPIPE before cleaning the targets.
++#
++# To address it, we clean the target in signal traps.
++#
++# Make deletes the target when it catches SIGHUP, SIGINT, SIGQUIT, SIGTERM.
++# So, we cover them, and also SIGPIPE just in case.
++#
++# Of course, this is unneeded for phony targets.
++delete-on-interrupt = \
++ $(if $(filter-out $(PHONY), $@), \
++ $(foreach sig, HUP INT QUIT TERM PIPE, \
++ trap 'rm -f $@; trap - $(sig); kill -s $(sig) $$$$' $(sig);))
++
+ # printing commands
+-cmd = @set -e; $(echo-cmd) $($(quiet)redirect) $(cmd_$(1))
++cmd = @set -e; $(echo-cmd) $($(quiet)redirect) $(delete-on-interrupt) $(cmd_$(1))
+
+ ###
+ # if_changed - execute command if any prerequisite is newer than
+--
+2.35.1
+
--- /dev/null
+From b06e1bc54b575c3556c082e606e896081d469158 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 14:41:12 +0200
+Subject: kbuild: rpm-pkg: fix breakage when V=1 is used
+
+From: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
+
+[ Upstream commit 2e07005f4813a9ff6e895787e0c2d1fea859b033 ]
+
+Doing make V=1 binrpm-pkg results in:
+
+ Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.EgV6qJ
+ + umask 022
+ + cd .
+ + /bin/rm -rf /home/scgl/rpmbuild/BUILDROOT/kernel-6.0.0_rc5+-1.s390x
+ + /bin/mkdir -p /home/scgl/rpmbuild/BUILDROOT
+ + /bin/mkdir /home/scgl/rpmbuild/BUILDROOT/kernel-6.0.0_rc5+-1.s390x
+ + mkdir -p /home/scgl/rpmbuild/BUILDROOT/kernel-6.0.0_rc5+-1.s390x/boot
+ + make -f ./Makefile image_name
+ + cp test -e include/generated/autoconf.h -a -e include/config/auto.conf || ( \ echo >&2; \ echo >&2 " ERROR: Kernel configuration is invalid."; \ echo >&2 " include/generated/autoconf.h or include/config/auto.conf are missing.";\ echo >&2 " Run 'make oldconfig && make prepare' on kernel src to fix it."; \ echo >&2 ; \ /bin/false) arch/s390/boot/bzImage /home/scgl/rpmbuild/BUILDROOT/kernel-6.0.0_rc5+-1.s390x/boot/vmlinuz-6.0.0-rc5+
+ cp: invalid option -- 'e'
+ Try 'cp --help' for more information.
+ error: Bad exit status from /var/tmp/rpm-tmp.EgV6qJ (%install)
+
+Because the make call to get the image name is verbose and prints
+additional information.
+
+Fixes: 993bdde94547 ("kbuild: add image_name to no-sync-config-targets")
+Signed-off-by: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/package/mkspec | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/package/mkspec b/scripts/package/mkspec
+index 8fa7c5b8a1a1..c920c1b18e7a 100755
+--- a/scripts/package/mkspec
++++ b/scripts/package/mkspec
+@@ -88,10 +88,10 @@ $S
+ mkdir -p %{buildroot}/boot
+ %ifarch ia64
+ mkdir -p %{buildroot}/boot/efi
+- cp \$($MAKE image_name) %{buildroot}/boot/efi/vmlinuz-$KERNELRELEASE
++ cp \$($MAKE -s image_name) %{buildroot}/boot/efi/vmlinuz-$KERNELRELEASE
+ ln -s efi/vmlinuz-$KERNELRELEASE %{buildroot}/boot/
+ %else
+- cp \$($MAKE image_name) %{buildroot}/boot/vmlinuz-$KERNELRELEASE
++ cp \$($MAKE -s image_name) %{buildroot}/boot/vmlinuz-$KERNELRELEASE
+ %endif
+ $M $MAKE %{?_smp_mflags} INSTALL_MOD_PATH=%{buildroot} modules_install
+ $MAKE %{?_smp_mflags} INSTALL_HDR_PATH=%{buildroot}/usr headers_install
+--
+2.35.1
+
--- /dev/null
+From e99b742f17dbde7a4ec125d0ff86b7485a3209d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Aug 2022 17:06:56 +0100
+Subject: kselftest/arm64: Fix validatation termination record after
+ EXTRA_CONTEXT
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit 5c152c2f66f9368394b89ac90dc7483476ef7b88 ]
+
+When arm64 signal context data overflows the base struct sigcontext it gets
+placed in an extra buffer pointed to by a record of type EXTRA_CONTEXT in
+the base struct sigcontext which is required to be the last record in the
+base struct sigframe. The current validation code attempts to check this
+by using GET_RESV_NEXT_HEAD() to step forward from the current record to
+the next but that is a macro which assumes it is being provided with a
+struct _aarch64_ctx and uses the size there to skip forward to the next
+record. Instead validate_extra_context() passes it a struct extra_context
+which has a separate size field. This compiles but results in us trying
+to validate a termination record in completely the wrong place, at best
+failing validation and at worst just segfaulting. Fix this by passing
+the struct _aarch64_ctx we meant to into the macro.
+
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20220829160703.874492-4-broonie@kernel.org
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/arm64/signal/testcases/testcases.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/arm64/signal/testcases/testcases.c b/tools/testing/selftests/arm64/signal/testcases/testcases.c
+index 84c36bee4d82..d98828cb542b 100644
+--- a/tools/testing/selftests/arm64/signal/testcases/testcases.c
++++ b/tools/testing/selftests/arm64/signal/testcases/testcases.c
+@@ -33,7 +33,7 @@ bool validate_extra_context(struct extra_context *extra, char **err)
+ return false;
+
+ fprintf(stderr, "Validating EXTRA...\n");
+- term = GET_RESV_NEXT_HEAD(extra);
++ term = GET_RESV_NEXT_HEAD(&extra->head);
+ if (!term || term->magic || term->size) {
+ *err = "Missing terminator after EXTRA context";
+ return false;
+--
+2.35.1
+
--- /dev/null
+From 6df6ee6aa80c0ffb1f45001da2e5e20f45440c03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 14:34:14 +0800
+Subject: KVM: fix memoryleak in kvm_init()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit 5a2a961be2ad6a16eb388a80442443b353c11d16 ]
+
+When alloc_cpumask_var_node() fails for a certain cpu, there might be some
+allocated cpumasks for percpu cpu_kick_mask. We should free these cpumasks
+or memoryleak will occur.
+
+Fixes: baff59ccdc65 ("KVM: Pre-allocate cpumasks for kvm_make_all_cpus_request_except()")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Link: https://lore.kernel.org/r/20220823063414.59778-1-linmiaohe@huawei.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ virt/kvm/kvm_main.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 584a5bab3af3..dcf47da44844 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -5881,7 +5881,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+
+ r = kvm_async_pf_init();
+ if (r)
+- goto out_free_5;
++ goto out_free_4;
+
+ kvm_chardev_ops.owner = module;
+
+@@ -5905,10 +5905,9 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
+
+ out_unreg:
+ kvm_async_pf_deinit();
+-out_free_5:
++out_free_4:
+ for_each_possible_cpu(cpu)
+ free_cpumask_var(per_cpu(cpu_kick_mask, cpu));
+-out_free_4:
+ kmem_cache_destroy(kvm_vcpu_cache);
+ out_free_3:
+ unregister_reboot_notifier(&kvm_reboot_notifier);
+--
+2.35.1
+
--- /dev/null
+From a5026653be6ccf7dff187ec87d628ef4ba5d89c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 23:16:06 +0000
+Subject: KVM: nVMX: Add a helper to identify low-priority #DB traps
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 2b384165f4d15540f94998b751f50058642ad110 ]
+
+Add a helper to identify "low"-priority #DB traps, i.e. trap-like #DBs
+that aren't TSS T flag #DBs, and tweak the related code to operate on any
+queued exception. A future commit will separate exceptions that are
+intercepted by L1, i.e. cause nested VM-Exit, from those that do NOT
+trigger nested VM-Exit. I.e. there will be multiple exception structs
+and multiple invocations of the helpers.
+
+No functional change intended.
+
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Link: https://lore.kernel.org/r/20220830231614.3580124-20-seanjc@google.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Stable-dep-of: 7709aba8f716 ("KVM: x86: Morph pending exceptions to pending VM-Exits at queue time")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx/nested.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
+index 7655b5acbbcd..dfd5e13e5202 100644
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -3871,14 +3871,24 @@ static void nested_vmx_inject_exception_vmexit(struct kvm_vcpu *vcpu,
+ * from the emulator (because such #DBs are fault-like and thus don't trigger
+ * actions that fire on instruction retire).
+ */
+-static inline unsigned long vmx_get_pending_dbg_trap(struct kvm_vcpu *vcpu)
++static unsigned long vmx_get_pending_dbg_trap(struct kvm_queued_exception *ex)
+ {
+- if (!vcpu->arch.exception.pending ||
+- vcpu->arch.exception.vector != DB_VECTOR)
++ if (!ex->pending || ex->vector != DB_VECTOR)
+ return 0;
+
+ /* General Detect #DBs are always fault-like. */
+- return vcpu->arch.exception.payload & ~DR6_BD;
++ return ex->payload & ~DR6_BD;
++}
++
++/*
++ * Returns true if there's a pending #DB exception that is lower priority than
++ * a pending Monitor Trap Flag VM-Exit. TSS T-flag #DBs are not emulated by
++ * KVM, but could theoretically be injected by userspace. Note, this code is
++ * imperfect, see above.
++ */
++static bool vmx_is_low_priority_db_trap(struct kvm_queued_exception *ex)
++{
++ return vmx_get_pending_dbg_trap(ex) & ~DR6_BT;
+ }
+
+ /*
+@@ -3890,8 +3900,9 @@ static inline unsigned long vmx_get_pending_dbg_trap(struct kvm_vcpu *vcpu)
+ */
+ static void nested_vmx_update_pending_dbg(struct kvm_vcpu *vcpu)
+ {
+- unsigned long pending_dbg = vmx_get_pending_dbg_trap(vcpu);
++ unsigned long pending_dbg;
+
++ pending_dbg = vmx_get_pending_dbg_trap(&vcpu->arch.exception);
+ if (pending_dbg)
+ vmcs_writel(GUEST_PENDING_DBG_EXCEPTIONS, pending_dbg);
+ }
+@@ -3961,7 +3972,7 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
+ * prioritize SMI over MTF and trap-like #DBs.
+ */
+ if (vcpu->arch.exception.pending &&
+- !(vmx_get_pending_dbg_trap(vcpu) & ~DR6_BT)) {
++ !vmx_is_low_priority_db_trap(&vcpu->arch.exception)) {
+ if (block_nested_exceptions)
+ return -EBUSY;
+ if (!nested_vmx_check_exception(vcpu, &exit_qual))
+--
+2.35.1
+
--- /dev/null
+From 48c98fb5bd6fccc2492ce5f3b5e0e24ddd705383 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 23:15:57 +0000
+Subject: KVM: nVMX: Ignore SIPI that arrives in L2 when vCPU is not in WFS
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit c2086eca86585bfd8132dd91e802497a202185c8 ]
+
+Fall through to handling other pending exception/events for L2 if SIPI
+is pending while the CPU is not in Wait-for-SIPI. KVM correctly ignores
+the event, but incorrectly returns immediately, e.g. a SIPI coincident
+with another event could lead to KVM incorrectly routing the event to L1
+instead of L2.
+
+Fixes: bf0cd88ce363 ("KVM: x86: emulate wait-for-SIPI and SIPI-VMExit")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Link: https://lore.kernel.org/r/20220830231614.3580124-11-seanjc@google.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx/nested.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
+index 93c34841e51e..c06c25fb9cbe 100644
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -3937,10 +3937,12 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
+ return -EBUSY;
+
+ clear_bit(KVM_APIC_SIPI, &apic->pending_events);
+- if (vcpu->arch.mp_state == KVM_MP_STATE_INIT_RECEIVED)
++ if (vcpu->arch.mp_state == KVM_MP_STATE_INIT_RECEIVED) {
+ nested_vmx_vmexit(vcpu, EXIT_REASON_SIPI_SIGNAL, 0,
+ apic->sipi_vector & 0xFFUL);
+- return 0;
++ return 0;
++ }
++ /* Fallthrough, the SIPI is completely ignored. */
+ }
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From ce3c7cd86f3efdea63bb63bad636972751fe18fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 23:15:54 +0000
+Subject: KVM: nVMX: Prioritize TSS T-flag #DBs over Monitor Trap Flag
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit b9d44f9091ac6c325fc2f7b7671b462fb36abbed ]
+
+Service TSS T-flag #DBs prior to pending MTFs, as such #DBs are higher
+priority than MTF. KVM itself doesn't emulate TSS #DBs, and any such
+exceptions injected from L1 will be handled by hardware (or morphed to
+a fault-like exception if injection fails), but theoretically userspace
+could pend a TSS T-flag #DB in conjunction with a pending MTF.
+
+Note, there's no known use case this fixes, it's purely to be technically
+correct with respect to Intel's SDM.
+
+Cc: Oliver Upton <oupton@google.com>
+Cc: Peter Shier <pshier@google.com>
+Fixes: 5ef8acbdd687 ("KVM: nVMX: Emulate MTF when performing instruction emulation")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Link: https://lore.kernel.org/r/20220830231614.3580124-8-seanjc@google.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx/nested.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
+index 4b96b5a25ba5..93c34841e51e 100644
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -3944,15 +3944,17 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
+ }
+
+ /*
+- * Process any exceptions that are not debug traps before MTF.
++ * Process exceptions that are higher priority than Monitor Trap Flag:
++ * fault-like exceptions, TSS T flag #DB (not emulated by KVM, but
++ * could theoretically come in from userspace), and ICEBP (INT1).
+ *
+ * Note that only a pending nested run can block a pending exception.
+ * Otherwise an injected NMI/interrupt should either be
+ * lost or delivered to the nested hypervisor in the IDT_VECTORING_INFO,
+ * while delivering the pending exception.
+ */
+-
+- if (vcpu->arch.exception.pending && !vmx_get_pending_dbg_trap(vcpu)) {
++ if (vcpu->arch.exception.pending &&
++ !(vmx_get_pending_dbg_trap(vcpu) & ~DR6_BT)) {
+ if (vmx->nested.nested_run_pending)
+ return -EBUSY;
+ if (!nested_vmx_check_exception(vcpu, &exit_qual))
+--
+2.35.1
+
--- /dev/null
+From 74aca2738bdc8deee250f0cdc6dd4959c9dfac3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 23:15:53 +0000
+Subject: KVM: nVMX: Treat General Detect #DB (DR7.GD=1) as fault-like
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 8d178f460772ecdee8e6d72389b43a8d35a14ff5 ]
+
+Exclude General Detect #DBs, which have fault-like behavior but also have
+a non-zero payload (DR6.BD=1), from nVMX's handling of pending debug
+traps. Opportunistically rewrite the comment to better document what is
+being checked, i.e. "has a non-zero payload" vs. "has a payload", and to
+call out the many caveats surrounding #DBs that KVM dodges one way or
+another.
+
+Cc: Oliver Upton <oupton@google.com>
+Cc: Peter Shier <pshier@google.com>
+Fixes: 684c0422da71 ("KVM: nVMX: Handle pending #DB when injecting INIT VM-exit")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Link: https://lore.kernel.org/r/20220830231614.3580124-7-seanjc@google.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx/nested.c | 36 +++++++++++++++++++++++++-----------
+ 1 file changed, 25 insertions(+), 11 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
+index 03d348fa6485..4b96b5a25ba5 100644
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -3858,16 +3858,29 @@ static void nested_vmx_inject_exception_vmexit(struct kvm_vcpu *vcpu,
+ }
+
+ /*
+- * Returns true if a debug trap is pending delivery.
++ * Returns true if a debug trap is (likely) pending delivery. Infer the class
++ * of a #DB (trap-like vs. fault-like) from the exception payload (to-be-DR6).
++ * Using the payload is flawed because code breakpoints (fault-like) and data
++ * breakpoints (trap-like) set the same bits in DR6 (breakpoint detected), i.e.
++ * this will return false positives if a to-be-injected code breakpoint #DB is
++ * pending (from KVM's perspective, but not "pending" across an instruction
++ * boundary). ICEBP, a.k.a. INT1, is also not reflected here even though it
++ * too is trap-like.
+ *
+- * In KVM, debug traps bear an exception payload. As such, the class of a #DB
+- * exception may be inferred from the presence of an exception payload.
++ * KVM "works" despite these flaws as ICEBP isn't currently supported by the
++ * emulator, Monitor Trap Flag is not marked pending on intercepted #DBs (the
++ * #DB has already happened), and MTF isn't marked pending on code breakpoints
++ * from the emulator (because such #DBs are fault-like and thus don't trigger
++ * actions that fire on instruction retire).
+ */
+-static inline bool vmx_pending_dbg_trap(struct kvm_vcpu *vcpu)
++static inline unsigned long vmx_get_pending_dbg_trap(struct kvm_vcpu *vcpu)
+ {
+- return vcpu->arch.exception.pending &&
+- vcpu->arch.exception.nr == DB_VECTOR &&
+- vcpu->arch.exception.payload;
++ if (!vcpu->arch.exception.pending ||
++ vcpu->arch.exception.nr != DB_VECTOR)
++ return 0;
++
++ /* General Detect #DBs are always fault-like. */
++ return vcpu->arch.exception.payload & ~DR6_BD;
+ }
+
+ /*
+@@ -3879,9 +3892,10 @@ static inline bool vmx_pending_dbg_trap(struct kvm_vcpu *vcpu)
+ */
+ static void nested_vmx_update_pending_dbg(struct kvm_vcpu *vcpu)
+ {
+- if (vmx_pending_dbg_trap(vcpu))
+- vmcs_writel(GUEST_PENDING_DBG_EXCEPTIONS,
+- vcpu->arch.exception.payload);
++ unsigned long pending_dbg = vmx_get_pending_dbg_trap(vcpu);
++
++ if (pending_dbg)
++ vmcs_writel(GUEST_PENDING_DBG_EXCEPTIONS, pending_dbg);
+ }
+
+ static bool nested_vmx_preemption_timer_pending(struct kvm_vcpu *vcpu)
+@@ -3938,7 +3952,7 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
+ * while delivering the pending exception.
+ */
+
+- if (vcpu->arch.exception.pending && !vmx_pending_dbg_trap(vcpu)) {
++ if (vcpu->arch.exception.pending && !vmx_get_pending_dbg_trap(vcpu)) {
+ if (vmx->nested.nested_run_pending)
+ return -EBUSY;
+ if (!nested_vmx_check_exception(vcpu, &exit_qual))
+--
+2.35.1
+
--- /dev/null
+From 9960eda0640025a4b547fa5ca741bbb2ac8dc0c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 23:15:58 +0000
+Subject: KVM: nVMX: Unconditionally clear mtf_pending on nested VM-Exit
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 593a5c2e3c12a2f65967739267093255c47e9fe0 ]
+
+Clear mtf_pending on nested VM-Exit instead of handling the clear on a
+case-by-case basis in vmx_check_nested_events(). The pending MTF should
+never survive nested VM-Exit, as it is a property of KVM's run of the
+current L2, i.e. should never affect the next L2 run by L1. In practice,
+this is likely a nop as getting to L1 with nested_run_pending is
+impossible, and KVM doesn't correctly handle morphing a pending exception
+that occurs on a prior injected exception (need for re-injected exception
+being the other case where MTF isn't cleared). However, KVM will
+hopefully soon correctly deal with a pending exception on top of an
+injected exception.
+
+Add a TODO to document that KVM has an inversion priority bug between
+SMIs and MTF (and trap-like #DBS), and that KVM also doesn't properly
+save/restore MTF across SMI/RSM.
+
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Link: https://lore.kernel.org/r/20220830231614.3580124-12-seanjc@google.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Stable-dep-of: 7709aba8f716 ("KVM: x86: Morph pending exceptions to pending VM-Exits at queue time")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx/nested.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
+index c06c25fb9cbe..0aa40ea496a8 100644
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -3910,16 +3910,8 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
+ unsigned long exit_qual;
+ bool block_nested_events =
+ vmx->nested.nested_run_pending || kvm_event_needs_reinjection(vcpu);
+- bool mtf_pending = vmx->nested.mtf_pending;
+ struct kvm_lapic *apic = vcpu->arch.apic;
+
+- /*
+- * Clear the MTF state. If a higher priority VM-exit is delivered first,
+- * this state is discarded.
+- */
+- if (!block_nested_events)
+- vmx->nested.mtf_pending = false;
+-
+ if (lapic_in_kernel(vcpu) &&
+ test_bit(KVM_APIC_INIT, &apic->pending_events)) {
+ if (block_nested_events)
+@@ -3928,6 +3920,9 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
+ clear_bit(KVM_APIC_INIT, &apic->pending_events);
+ if (vcpu->arch.mp_state != KVM_MP_STATE_INIT_RECEIVED)
+ nested_vmx_vmexit(vcpu, EXIT_REASON_INIT_SIGNAL, 0, 0);
++
++ /* MTF is discarded if the vCPU is in WFS. */
++ vmx->nested.mtf_pending = false;
+ return 0;
+ }
+
+@@ -3950,6 +3945,11 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
+ * fault-like exceptions, TSS T flag #DB (not emulated by KVM, but
+ * could theoretically come in from userspace), and ICEBP (INT1).
+ *
++ * TODO: SMIs have higher priority than MTF and trap-like #DBs (except
++ * for TSS T flag #DBs). KVM also doesn't save/restore pending MTF
++ * across SMI/RSM as it should; that needs to be addressed in order to
++ * prioritize SMI over MTF and trap-like #DBs.
++ *
+ * Note that only a pending nested run can block a pending exception.
+ * Otherwise an injected NMI/interrupt should either be
+ * lost or delivered to the nested hypervisor in the IDT_VECTORING_INFO,
+@@ -3965,7 +3965,7 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
+ return 0;
+ }
+
+- if (mtf_pending) {
++ if (vmx->nested.mtf_pending) {
+ if (block_nested_events)
+ return -EBUSY;
+ nested_vmx_update_pending_dbg(vcpu);
+@@ -4562,6 +4562,9 @@ void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 vm_exit_reason,
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+ struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
+
++ /* Pending MTF traps are discarded on VM-Exit. */
++ vmx->nested.mtf_pending = false;
++
+ /* trying to cancel vmlaunch/vmresume is a bug */
+ WARN_ON_ONCE(vmx->nested.nested_run_pending);
+
+--
+2.35.1
+
--- /dev/null
+From 890cdfadae6607769ae9504dec90df8e4cb95943 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 19:25:17 -0300
+Subject: KVM: PPC: Book3S HV: Fix decrementer migration
+
+From: Fabiano Rosas <farosas@linux.ibm.com>
+
+[ Upstream commit 0a5bfb824a6ea35e54b7e5ac6f881beea5e309d2 ]
+
+We used to have a workaround[1] for a hang during migration that was
+made ineffective when we converted the decrementer expiry to be
+relative to guest timebase.
+
+The point of the workaround was that in the absence of an explicit
+decrementer expiry value provided by userspace during migration, KVM
+needs to initialize dec_expires to a value that will result in an
+expired decrementer after subtracting the current guest timebase. That
+stops the vcpu from hanging after migration due to a decrementer
+that's too large.
+
+If the dec_expires is now relative to guest timebase, its
+initialization needs to be guest timebase-relative as well, otherwise
+we end up with a decrementer expiry that is still larger than the
+guest timebase.
+
+1- https://git.kernel.org/torvalds/c/5855564c8ab2
+
+Fixes: 3c1a4322bba7 ("KVM: PPC: Book3S HV: Change dec_expires to be relative to guest timebase")
+Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220816222517.1916391-1-farosas@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/book3s_hv.c | 18 ++++++++++++++++--
+ arch/powerpc/kvm/powerpc.c | 1 -
+ 2 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
+index 57d0835e56fd..917abda9e5ce 100644
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -2517,10 +2517,24 @@ static int kvmppc_set_one_reg_hv(struct kvm_vcpu *vcpu, u64 id,
+ r = set_vpa(vcpu, &vcpu->arch.dtl, addr, len);
+ break;
+ case KVM_REG_PPC_TB_OFFSET:
++ {
+ /* round up to multiple of 2^24 */
+- vcpu->arch.vcore->tb_offset =
+- ALIGN(set_reg_val(id, *val), 1UL << 24);
++ u64 tb_offset = ALIGN(set_reg_val(id, *val), 1UL << 24);
++
++ /*
++ * Now that we know the timebase offset, update the
++ * decrementer expiry with a guest timebase value. If
++ * the userspace does not set DEC_EXPIRY, this ensures
++ * a migrated vcpu at least starts with an expired
++ * decrementer, which is better than a large one that
++ * causes a hang.
++ */
++ if (!vcpu->arch.dec_expires && tb_offset)
++ vcpu->arch.dec_expires = get_tb() + tb_offset;
++
++ vcpu->arch.vcore->tb_offset = tb_offset;
+ break;
++ }
+ case KVM_REG_PPC_LPCR:
+ kvmppc_set_lpcr(vcpu, set_reg_val(id, *val), true);
+ break;
+diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
+index fb1490761c87..757491dd6b7b 100644
+--- a/arch/powerpc/kvm/powerpc.c
++++ b/arch/powerpc/kvm/powerpc.c
+@@ -786,7 +786,6 @@ int kvm_arch_vcpu_create(struct kvm_vcpu *vcpu)
+
+ hrtimer_init(&vcpu->arch.dec_timer, CLOCK_REALTIME, HRTIMER_MODE_ABS);
+ vcpu->arch.dec_timer.function = kvmppc_decrementer_wakeup;
+- vcpu->arch.dec_expires = get_tb();
+
+ #ifdef CONFIG_KVM_EXIT_TIMING
+ mutex_init(&vcpu->arch.exit_timing_lock);
+--
+2.35.1
+
--- /dev/null
+From 3f7b9afa2b8e5b655f45b72f75eadd94a2ece613 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Sep 2022 23:25:41 +1000
+Subject: KVM: PPC: Book3S HV P9: Clear vcpu cpu fields before enabling host
+ irqs
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit bc91c04bfff7cdf676011b97bb21b2861d7b21c9 ]
+
+On guest entry, vcpu->cpu and vcpu->arch.thread_cpu are set after
+disabling host irqs. On guest exit there is a window whre tick time
+accounting briefly enables irqs before these fields are cleared.
+
+Move them up to ensure they are cleared before host irqs are run.
+This is possibly not a problem, but is more symmetric and makes the
+fields less surprising.
+
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220908132545.4085849-1-npiggin@gmail.com
+Stable-dep-of: 1a5486b3c351 ("KVM: PPC: Book3S HV P9: Restore stolen time logging in dtl")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/book3s_hv.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
+index d72df696837d..0f8dee657336 100644
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -4629,6 +4629,9 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit,
+
+ set_irq_happened(trap);
+
++ vcpu->cpu = -1;
++ vcpu->arch.thread_cpu = -1;
++
+ context_tracking_guest_exit();
+ if (!vtime_accounting_enabled_this_cpu()) {
+ powerpc_local_irq_pmu_restore(flags);
+@@ -4644,9 +4647,6 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit,
+ }
+ vtime_account_guest_exit();
+
+- vcpu->cpu = -1;
+- vcpu->arch.thread_cpu = -1;
+-
+ powerpc_local_irq_pmu_restore(flags);
+
+ preempt_enable();
+--
+2.35.1
+
--- /dev/null
+From 5d52e92c4206869cc55d9336d147dc0ed9e6b857 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Sep 2022 23:25:42 +1000
+Subject: KVM: PPC: Book3S HV P9: Fix irq disabling in tick accounting
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit c953f7500b65f2b157d1eb468ca8b86328834cce ]
+
+kvmhv_run_single_vcpu() disables PMIs as well as Linux irqs,
+however the tick time accounting code enables and disables irqs and
+not PMIs within this region. By chance this might not actually cause
+a bug, but it is clearly an incorrect use of the APIs.
+
+Fixes: 2251fbe76395e ("KVM: PPC: Book3S HV P9: Improve mtmsrd scheduling by delaying MSR[EE] disable")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220908132545.4085849-2-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/book3s_hv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
+index 917abda9e5ce..d72df696837d 100644
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -4631,7 +4631,7 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit,
+
+ context_tracking_guest_exit();
+ if (!vtime_accounting_enabled_this_cpu()) {
+- local_irq_enable();
++ powerpc_local_irq_pmu_restore(flags);
+ /*
+ * Service IRQs here before vtime_account_guest_exit() so any
+ * ticks that occurred while running the guest are accounted to
+@@ -4640,7 +4640,7 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit,
+ * interrupts here, which has the problem that it accounts
+ * interrupt processing overhead to the host.
+ */
+- local_irq_disable();
++ powerpc_local_irq_pmu_save(flags);
+ }
+ vtime_account_guest_exit();
+
+--
+2.35.1
+
--- /dev/null
+From afe3395a6c00b7cb77f86640479cda6046f95a6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Sep 2022 23:25:44 +1000
+Subject: KVM: PPC: Book3S HV P9: Restore stolen time logging in dtl
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit 1a5486b3c3517aa1f608a10003ade4da122cb175 ]
+
+Stolen time logging in dtl was removed from the P9 path, so guests had
+no stolen time accounting. Add it back in a simpler way that still
+avoids locks and per-core accounting code.
+
+Fixes: ecb6a7207f92 ("KVM: PPC: Book3S HV P9: Remove most of the vcore logic")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220908132545.4085849-4-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/book3s_hv.c | 49 +++++++++++++++++++++++++++++++++---
+ 1 file changed, 45 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
+index 0f8dee657336..2feacb1ee9d9 100644
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -249,6 +249,7 @@ static void kvmppc_fast_vcpu_kick_hv(struct kvm_vcpu *vcpu)
+
+ /*
+ * We use the vcpu_load/put functions to measure stolen time.
++ *
+ * Stolen time is counted as time when either the vcpu is able to
+ * run as part of a virtual core, but the task running the vcore
+ * is preempted or sleeping, or when the vcpu needs something done
+@@ -278,6 +279,12 @@ static void kvmppc_fast_vcpu_kick_hv(struct kvm_vcpu *vcpu)
+ * lock. The stolen times are measured in units of timebase ticks.
+ * (Note that the != TB_NIL checks below are purely defensive;
+ * they should never fail.)
++ *
++ * The POWER9 path is simpler, one vcpu per virtual core so the
++ * former case does not exist. If a vcpu is preempted when it is
++ * BUSY_IN_HOST and not ceded or otherwise blocked, then accumulate
++ * the stolen cycles in busy_stolen. RUNNING is not a preemptible
++ * state in the P9 path.
+ */
+
+ static void kvmppc_core_start_stolen(struct kvmppc_vcore *vc, u64 tb)
+@@ -311,8 +318,14 @@ static void kvmppc_core_vcpu_load_hv(struct kvm_vcpu *vcpu, int cpu)
+ unsigned long flags;
+ u64 now;
+
+- if (cpu_has_feature(CPU_FTR_ARCH_300))
++ if (cpu_has_feature(CPU_FTR_ARCH_300)) {
++ if (vcpu->arch.busy_preempt != TB_NIL) {
++ WARN_ON_ONCE(vcpu->arch.state != KVMPPC_VCPU_BUSY_IN_HOST);
++ vc->stolen_tb += mftb() - vcpu->arch.busy_preempt;
++ vcpu->arch.busy_preempt = TB_NIL;
++ }
+ return;
++ }
+
+ now = mftb();
+
+@@ -340,8 +353,21 @@ static void kvmppc_core_vcpu_put_hv(struct kvm_vcpu *vcpu)
+ unsigned long flags;
+ u64 now;
+
+- if (cpu_has_feature(CPU_FTR_ARCH_300))
++ if (cpu_has_feature(CPU_FTR_ARCH_300)) {
++ /*
++ * In the P9 path, RUNNABLE is not preemptible
++ * (nor takes host interrupts)
++ */
++ WARN_ON_ONCE(vcpu->arch.state == KVMPPC_VCPU_RUNNABLE);
++ /*
++ * Account stolen time when preempted while the vcpu task is
++ * running in the kernel (but not in qemu, which is INACTIVE).
++ */
++ if (task_is_running(current) &&
++ vcpu->arch.state == KVMPPC_VCPU_BUSY_IN_HOST)
++ vcpu->arch.busy_preempt = mftb();
+ return;
++ }
+
+ now = mftb();
+
+@@ -740,6 +766,18 @@ static void __kvmppc_create_dtl_entry(struct kvm_vcpu *vcpu,
+ vcpu->arch.dtl.dirty = true;
+ }
+
++static void kvmppc_create_dtl_entry_p9(struct kvm_vcpu *vcpu,
++ struct kvmppc_vcore *vc,
++ u64 now)
++{
++ unsigned long stolen;
++
++ stolen = vc->stolen_tb - vcpu->arch.stolen_logged;
++ vcpu->arch.stolen_logged = vc->stolen_tb;
++
++ __kvmppc_create_dtl_entry(vcpu, vc->pcpu, now, stolen);
++}
++
+ static void kvmppc_create_dtl_entry(struct kvm_vcpu *vcpu,
+ struct kvmppc_vcore *vc)
+ {
+@@ -4534,7 +4572,6 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit,
+ vc = vcpu->arch.vcore;
+ vcpu->arch.ceded = 0;
+ vcpu->arch.run_task = current;
+- vcpu->arch.state = KVMPPC_VCPU_RUNNABLE;
+ vcpu->arch.last_inst = KVM_INST_FETCH_FAILED;
+
+ /* See if the MMU is ready to go */
+@@ -4561,6 +4598,8 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit,
+ /* flags save not required, but irq_pmu has no disable/enable API */
+ powerpc_local_irq_pmu_save(flags);
+
++ vcpu->arch.state = KVMPPC_VCPU_RUNNABLE;
++
+ if (signal_pending(current))
+ goto sigpend;
+ if (need_resched() || !kvm->arch.mmu_ready)
+@@ -4605,7 +4644,7 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit,
+
+ tb = mftb();
+
+- __kvmppc_create_dtl_entry(vcpu, pcpu, tb + vc->tb_offset, 0);
++ kvmppc_create_dtl_entry_p9(vcpu, vc, tb + vc->tb_offset);
+
+ trace_kvm_guest_enter(vcpu);
+
+@@ -4631,6 +4670,7 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit,
+
+ vcpu->cpu = -1;
+ vcpu->arch.thread_cpu = -1;
++ vcpu->arch.state = KVMPPC_VCPU_BUSY_IN_HOST;
+
+ context_tracking_guest_exit();
+ if (!vtime_accounting_enabled_this_cpu()) {
+@@ -4708,6 +4748,7 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit,
+ out:
+ vcpu->cpu = -1;
+ vcpu->arch.thread_cpu = -1;
++ vcpu->arch.state = KVMPPC_VCPU_BUSY_IN_HOST;
+ powerpc_local_irq_pmu_restore(flags);
+ preempt_enable();
+ goto done;
+--
+2.35.1
+
--- /dev/null
+From 60973cdaf3fd26815a9f305379f542e6f93b166a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 23:15:59 +0000
+Subject: KVM: VMX: Inject #PF on ENCLS as "emulated" #PF
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit bfcb08a0b9e99b959814a329fabace22c3df046d ]
+
+Treat #PFs that occur during emulation of ENCLS as, wait for it, emulated
+page faults. Practically speaking, this is a glorified nop as the
+exception is never of the nested flavor, and it's extremely unlikely the
+guest is relying on the side effect of an implicit INVLPG on the faulting
+address.
+
+Fixes: 70210c044b4e ("KVM: VMX: Add SGX ENCLS[ECREATE] handler to enforce CPUID restrictions")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Link: https://lore.kernel.org/r/20220830231614.3580124-13-seanjc@google.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx/sgx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/vmx/sgx.c b/arch/x86/kvm/vmx/sgx.c
+index aba8cebdc587..8f95c7c01433 100644
+--- a/arch/x86/kvm/vmx/sgx.c
++++ b/arch/x86/kvm/vmx/sgx.c
+@@ -129,7 +129,7 @@ static int sgx_inject_fault(struct kvm_vcpu *vcpu, gva_t gva, int trapnr)
+ ex.address = gva;
+ ex.error_code_valid = true;
+ ex.nested_page_fault = false;
+- kvm_inject_page_fault(vcpu, &ex);
++ kvm_inject_emulated_page_fault(vcpu, &ex);
+ } else {
+ kvm_inject_gp(vcpu, 0);
+ }
+--
+2.35.1
+
--- /dev/null
+From 2af948a8e9becc744b8a2f1d0718d6e255df8b46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 15:37:08 +0200
+Subject: KVM: x86: Check for existing Hyper-V vCPU in kvm_hv_vcpu_init()
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 1cac8d9f6bd25df3713103e44e2d9ca0c2e03c33 ]
+
+When potentially allocating/initializing the Hyper-V vCPU struct, check
+for an existing instance in kvm_hv_vcpu_init() instead of requiring
+callers to perform the check. Relying on callers to do the check is
+risky as it's all too easy for KVM to overwrite vcpu->arch.hyperv and
+leak memory, and it adds additional burden on callers without much
+benefit.
+
+No functional change intended.
+
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Wei Liu <wei.liu@kernel.org>
+Link: https://lore.kernel.org/r/20220830133737.1539624-5-vkuznets@redhat.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Stable-dep-of: 3be29eb7b525 ("KVM: x86: Report error when setting CPUID if Hyper-V allocation fails")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/hyperv.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
+index 611c349a08bf..8aadd31ed058 100644
+--- a/arch/x86/kvm/hyperv.c
++++ b/arch/x86/kvm/hyperv.c
+@@ -936,9 +936,12 @@ static void stimer_init(struct kvm_vcpu_hv_stimer *stimer, int timer_index)
+
+ static int kvm_hv_vcpu_init(struct kvm_vcpu *vcpu)
+ {
+- struct kvm_vcpu_hv *hv_vcpu;
++ struct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu);
+ int i;
+
++ if (hv_vcpu)
++ return 0;
++
+ hv_vcpu = kzalloc(sizeof(struct kvm_vcpu_hv), GFP_KERNEL_ACCOUNT);
+ if (!hv_vcpu)
+ return -ENOMEM;
+@@ -962,11 +965,9 @@ int kvm_hv_activate_synic(struct kvm_vcpu *vcpu, bool dont_zero_synic_pages)
+ struct kvm_vcpu_hv_synic *synic;
+ int r;
+
+- if (!to_hv_vcpu(vcpu)) {
+- r = kvm_hv_vcpu_init(vcpu);
+- if (r)
+- return r;
+- }
++ r = kvm_hv_vcpu_init(vcpu);
++ if (r)
++ return r;
+
+ synic = to_hv_synic(vcpu);
+
+@@ -1660,10 +1661,8 @@ int kvm_hv_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data, bool host)
+ if (!host && !vcpu->arch.hyperv_enabled)
+ return 1;
+
+- if (!to_hv_vcpu(vcpu)) {
+- if (kvm_hv_vcpu_init(vcpu))
+- return 1;
+- }
++ if (kvm_hv_vcpu_init(vcpu))
++ return 1;
+
+ if (kvm_hv_msr_partition_wide(msr)) {
+ int r;
+@@ -1683,10 +1682,8 @@ int kvm_hv_get_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata, bool host)
+ if (!host && !vcpu->arch.hyperv_enabled)
+ return 1;
+
+- if (!to_hv_vcpu(vcpu)) {
+- if (kvm_hv_vcpu_init(vcpu))
+- return 1;
+- }
++ if (kvm_hv_vcpu_init(vcpu))
++ return 1;
+
+ if (kvm_hv_msr_partition_wide(msr)) {
+ int r;
+@@ -2000,7 +1997,7 @@ void kvm_hv_set_cpuid(struct kvm_vcpu *vcpu)
+ return;
+ }
+
+- if (!to_hv_vcpu(vcpu) && kvm_hv_vcpu_init(vcpu))
++ if (kvm_hv_vcpu_init(vcpu))
+ return;
+
+ hv_vcpu = to_hv_vcpu(vcpu);
+--
+2.35.1
+
--- /dev/null
+From e1f7f2457b1342553570bfcaeadae1496f75eec1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Jul 2022 15:43:29 -0700
+Subject: kvm: x86: Do proper cleanup if kvm_x86_ops->vm_init() fails
+
+From: Junaid Shahid <junaids@google.com>
+
+[ Upstream commit b24ede22538b4d984cbe20532bbcb303692e7f52 ]
+
+If vm_init() fails [which can happen, for instance, if a memory
+allocation fails during avic_vm_init()], we need to cleanup some
+state in order to avoid resource leaks.
+
+Signed-off-by: Junaid Shahid <junaids@google.com>
+Link: https://lore.kernel.org/r/20220729224329.323378-1-junaids@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Stable-dep-of: 5a2a961be2ad ("KVM: fix memoryleak in kvm_init()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/x86.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index e2435090f225..14cb589683a1 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -12103,6 +12103,10 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
+ if (ret)
+ goto out_page_track;
+
++ ret = static_call(kvm_x86_vm_init)(kvm);
++ if (ret)
++ goto out_uninit_mmu;
++
+ INIT_HLIST_HEAD(&kvm->arch.mask_notifier_list);
+ INIT_LIST_HEAD(&kvm->arch.assigned_dev_head);
+ atomic_set(&kvm->arch.noncoherent_dma_count, 0);
+@@ -12138,8 +12142,10 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
+ kvm_hv_init_vm(kvm);
+ kvm_xen_init_vm(kvm);
+
+- return static_call(kvm_x86_vm_init)(kvm);
++ return 0;
+
++out_uninit_mmu:
++ kvm_mmu_uninit_vm(kvm);
+ out_page_track:
+ kvm_page_track_cleanup(kvm);
+ out:
+--
+2.35.1
+
--- /dev/null
+From 37892c242b5293bddc508ec7fa3c598104fc29c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 23:16:05 +0000
+Subject: KVM: x86: Evaluate ability to inject SMI/NMI/IRQ after potential
+ VM-Exit
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 28360f88706837fc3f1ac8944b45b4a630a71c75 ]
+
+Determine whether or not new events can be injected after checking nested
+events. If a VM-Exit occurred during nested event handling, any previous
+event that needed re-injection is gone from's KVM perspective; the event
+is captured in the vmc*12 VM-Exit information, but doesn't exist in terms
+of what needs to be done for entry to L1.
+
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Link: https://lore.kernel.org/r/20220830231614.3580124-19-seanjc@google.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Stable-dep-of: 7709aba8f716 ("KVM: x86: Morph pending exceptions to pending VM-Exits at queue time")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/x86.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 15229a5ad9ff..01d59f93d93e 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -9683,7 +9683,7 @@ static void kvm_inject_exception(struct kvm_vcpu *vcpu)
+
+ static int inject_pending_event(struct kvm_vcpu *vcpu, bool *req_immediate_exit)
+ {
+- bool can_inject = !kvm_event_needs_reinjection(vcpu);
++ bool can_inject;
+ int r;
+
+ /*
+@@ -9748,7 +9748,13 @@ static int inject_pending_event(struct kvm_vcpu *vcpu, bool *req_immediate_exit)
+ if (r < 0)
+ goto out;
+
+- /* try to inject new event if pending */
++ /*
++ * New events, other than exceptions, cannot be injected if KVM needs
++ * to re-inject a previous event. See above comments on re-injecting
++ * for why pending exceptions get priority.
++ */
++ can_inject = !kvm_event_needs_reinjection(vcpu);
++
+ if (vcpu->arch.exception.pending) {
+ /*
+ * Fault-class exceptions, except #DBs, set RF=1 in the RFLAGS
+--
+2.35.1
+
--- /dev/null
+From 3b49b279b88de56dc9d042feb7b8bf101a21ea30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 23:16:02 +0000
+Subject: KVM: x86: Formalize blocking of nested pending exceptions
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 72c14e00bdc445e96045c28d04bba45cbe69cf95 ]
+
+Capture nested_run_pending as block_pending_exceptions so that the logic
+of why exceptions are blocked only needs to be documented once instead of
+at every place that employs the logic.
+
+No functional change intended.
+
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Link: https://lore.kernel.org/r/20220830231614.3580124-16-seanjc@google.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Stable-dep-of: 7709aba8f716 ("KVM: x86: Morph pending exceptions to pending VM-Exits at queue time")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/svm/nested.c | 26 ++++++++++++++++----------
+ arch/x86/kvm/vmx/nested.c | 27 +++++++++++++++++----------
+ 2 files changed, 33 insertions(+), 20 deletions(-)
+
+diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
+index 8f991592d277..a6111392985c 100644
+--- a/arch/x86/kvm/svm/nested.c
++++ b/arch/x86/kvm/svm/nested.c
+@@ -1356,10 +1356,22 @@ static inline bool nested_exit_on_init(struct vcpu_svm *svm)
+
+ static int svm_check_nested_events(struct kvm_vcpu *vcpu)
+ {
+- struct vcpu_svm *svm = to_svm(vcpu);
+- bool block_nested_events =
+- kvm_event_needs_reinjection(vcpu) || svm->nested.nested_run_pending;
+ struct kvm_lapic *apic = vcpu->arch.apic;
++ struct vcpu_svm *svm = to_svm(vcpu);
++ /*
++ * Only a pending nested run blocks a pending exception. If there is a
++ * previously injected event, the pending exception occurred while said
++ * event was being delivered and thus needs to be handled.
++ */
++ bool block_nested_exceptions = svm->nested.nested_run_pending;
++ /*
++ * New events (not exceptions) are only recognized at instruction
++ * boundaries. If an event needs reinjection, then KVM is handling a
++ * VM-Exit that occurred _during_ instruction execution; new events are
++ * blocked until the instruction completes.
++ */
++ bool block_nested_events = block_nested_exceptions ||
++ kvm_event_needs_reinjection(vcpu);
+
+ if (lapic_in_kernel(vcpu) &&
+ test_bit(KVM_APIC_INIT, &apic->pending_events)) {
+@@ -1372,13 +1384,7 @@ static int svm_check_nested_events(struct kvm_vcpu *vcpu)
+ }
+
+ if (vcpu->arch.exception.pending) {
+- /*
+- * Only a pending nested run can block a pending exception.
+- * Otherwise an injected NMI/interrupt should either be
+- * lost or delivered to the nested hypervisor in the EXITINTINFO
+- * vmcb field, while delivering the pending exception.
+- */
+- if (svm->nested.nested_run_pending)
++ if (block_nested_exceptions)
+ return -EBUSY;
+ if (!nested_exit_on_exception(svm))
+ return 0;
+diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
+index 83239d47fc0f..7655b5acbbcd 100644
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -3904,11 +3904,23 @@ static bool nested_vmx_preemption_timer_pending(struct kvm_vcpu *vcpu)
+
+ static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
+ {
++ struct kvm_lapic *apic = vcpu->arch.apic;
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+ unsigned long exit_qual;
+- bool block_nested_events =
+- vmx->nested.nested_run_pending || kvm_event_needs_reinjection(vcpu);
+- struct kvm_lapic *apic = vcpu->arch.apic;
++ /*
++ * Only a pending nested run blocks a pending exception. If there is a
++ * previously injected event, the pending exception occurred while said
++ * event was being delivered and thus needs to be handled.
++ */
++ bool block_nested_exceptions = vmx->nested.nested_run_pending;
++ /*
++ * New events (not exceptions) are only recognized at instruction
++ * boundaries. If an event needs reinjection, then KVM is handling a
++ * VM-Exit that occurred _during_ instruction execution; new events are
++ * blocked until the instruction completes.
++ */
++ bool block_nested_events = block_nested_exceptions ||
++ kvm_event_needs_reinjection(vcpu);
+
+ if (lapic_in_kernel(vcpu) &&
+ test_bit(KVM_APIC_INIT, &apic->pending_events)) {
+@@ -3947,15 +3959,10 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
+ * for TSS T flag #DBs). KVM also doesn't save/restore pending MTF
+ * across SMI/RSM as it should; that needs to be addressed in order to
+ * prioritize SMI over MTF and trap-like #DBs.
+- *
+- * Note that only a pending nested run can block a pending exception.
+- * Otherwise an injected NMI/interrupt should either be
+- * lost or delivered to the nested hypervisor in the IDT_VECTORING_INFO,
+- * while delivering the pending exception.
+ */
+ if (vcpu->arch.exception.pending &&
+ !(vmx_get_pending_dbg_trap(vcpu) & ~DR6_BT)) {
+- if (vmx->nested.nested_run_pending)
++ if (block_nested_exceptions)
+ return -EBUSY;
+ if (!nested_vmx_check_exception(vcpu, &exit_qual))
+ goto no_vmexit;
+@@ -3972,7 +3979,7 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
+ }
+
+ if (vcpu->arch.exception.pending) {
+- if (vmx->nested.nested_run_pending)
++ if (block_nested_exceptions)
+ return -EBUSY;
+ if (!nested_vmx_check_exception(vcpu, &exit_qual))
+ goto no_vmexit;
+--
+2.35.1
+
--- /dev/null
+From 7a5eb73b397d1336923a66280c1a818b1479792e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 23:16:04 +0000
+Subject: KVM: x86: Hoist nested event checks above event injection logic
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 6c593b5276e6ce411dcdf03e2f7d4b93c2e7138e ]
+
+Perform nested event checks before re-injecting exceptions/events into
+L2. If a pending exception causes VM-Exit to L1, re-injecting events
+into vmcs02 is premature and wasted effort. Take care to ensure events
+that need to be re-injected are still re-injected if checking for nested
+events "fails", i.e. if KVM needs to force an immediate entry+exit to
+complete the to-be-re-injecteed event.
+
+Keep the "can_inject" logic the same for now; it too can be pushed below
+the nested checks, but is a slightly riskier change (see past bugs about
+events not being properly purged on nested VM-Exit).
+
+Add and/or modify comments to better document the various interactions.
+Of note is the comment regarding "blocking" previously injected NMIs and
+IRQs if an exception is pending. The old comment isn't wrong strictly
+speaking, but it failed to capture the reason why the logic even exists.
+
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Link: https://lore.kernel.org/r/20220830231614.3580124-18-seanjc@google.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Stable-dep-of: 7709aba8f716 ("KVM: x86: Morph pending exceptions to pending VM-Exits at queue time")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/x86.c | 89 +++++++++++++++++++++++++++-------------------
+ 1 file changed, 53 insertions(+), 36 deletions(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 14182b5b2c93..15229a5ad9ff 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -9683,53 +9683,70 @@ static void kvm_inject_exception(struct kvm_vcpu *vcpu)
+
+ static int inject_pending_event(struct kvm_vcpu *vcpu, bool *req_immediate_exit)
+ {
++ bool can_inject = !kvm_event_needs_reinjection(vcpu);
+ int r;
+- bool can_inject = true;
+
+- /* try to reinject previous events if any */
++ /*
++ * Process nested events first, as nested VM-Exit supercedes event
++ * re-injection. If there's an event queued for re-injection, it will
++ * be saved into the appropriate vmc{b,s}12 fields on nested VM-Exit.
++ */
++ if (is_guest_mode(vcpu))
++ r = kvm_check_nested_events(vcpu);
++ else
++ r = 0;
+
+- if (vcpu->arch.exception.injected) {
+- kvm_inject_exception(vcpu);
+- can_inject = false;
+- }
+ /*
+- * Do not inject an NMI or interrupt if there is a pending
+- * exception. Exceptions and interrupts are recognized at
+- * instruction boundaries, i.e. the start of an instruction.
+- * Trap-like exceptions, e.g. #DB, have higher priority than
+- * NMIs and interrupts, i.e. traps are recognized before an
+- * NMI/interrupt that's pending on the same instruction.
+- * Fault-like exceptions, e.g. #GP and #PF, are the lowest
+- * priority, but are only generated (pended) during instruction
+- * execution, i.e. a pending fault-like exception means the
+- * fault occurred on the *previous* instruction and must be
+- * serviced prior to recognizing any new events in order to
+- * fully complete the previous instruction.
++ * Re-inject exceptions and events *especially* if immediate entry+exit
++ * to/from L2 is needed, as any event that has already been injected
++ * into L2 needs to complete its lifecycle before injecting a new event.
++ *
++ * Don't re-inject an NMI or interrupt if there is a pending exception.
++ * This collision arises if an exception occurred while vectoring the
++ * injected event, KVM intercepted said exception, and KVM ultimately
++ * determined the fault belongs to the guest and queues the exception
++ * for injection back into the guest.
++ *
++ * "Injected" interrupts can also collide with pending exceptions if
++ * userspace ignores the "ready for injection" flag and blindly queues
++ * an interrupt. In that case, prioritizing the exception is correct,
++ * as the exception "occurred" before the exit to userspace. Trap-like
++ * exceptions, e.g. most #DBs, have higher priority than interrupts.
++ * And while fault-like exceptions, e.g. #GP and #PF, are the lowest
++ * priority, they're only generated (pended) during instruction
++ * execution, and interrupts are recognized at instruction boundaries.
++ * Thus a pending fault-like exception means the fault occurred on the
++ * *previous* instruction and must be serviced prior to recognizing any
++ * new events in order to fully complete the previous instruction.
+ */
+- else if (!vcpu->arch.exception.pending) {
+- if (vcpu->arch.nmi_injected) {
+- static_call(kvm_x86_inject_nmi)(vcpu);
+- can_inject = false;
+- } else if (vcpu->arch.interrupt.injected) {
+- static_call(kvm_x86_inject_irq)(vcpu, true);
+- can_inject = false;
+- }
+- }
++ if (vcpu->arch.exception.injected)
++ kvm_inject_exception(vcpu);
++ else if (vcpu->arch.exception.pending)
++ ; /* see above */
++ else if (vcpu->arch.nmi_injected)
++ static_call(kvm_x86_inject_nmi)(vcpu);
++ else if (vcpu->arch.interrupt.injected)
++ static_call(kvm_x86_inject_irq)(vcpu, true);
+
++ /*
++ * Exceptions that morph to VM-Exits are handled above, and pending
++ * exceptions on top of injected exceptions that do not VM-Exit should
++ * either morph to #DF or, sadly, override the injected exception.
++ */
+ WARN_ON_ONCE(vcpu->arch.exception.injected &&
+ vcpu->arch.exception.pending);
+
+ /*
+- * Call check_nested_events() even if we reinjected a previous event
+- * in order for caller to determine if it should require immediate-exit
+- * from L2 to L1 due to pending L1 events which require exit
+- * from L2 to L1.
++ * Bail if immediate entry+exit to/from the guest is needed to complete
++ * nested VM-Enter or event re-injection so that a different pending
++ * event can be serviced (or if KVM needs to exit to userspace).
++ *
++ * Otherwise, continue processing events even if VM-Exit occurred. The
++ * VM-Exit will have cleared exceptions that were meant for L2, but
++ * there may now be events that can be injected into L1.
+ */
+- if (is_guest_mode(vcpu)) {
+- r = kvm_check_nested_events(vcpu);
+- if (r < 0)
+- goto out;
+- }
++ if (r < 0)
++ goto out;
+
+ /* try to inject new event if pending */
+ if (vcpu->arch.exception.pending) {
+--
+2.35.1
+
--- /dev/null
+From 35646ab067697782bc4fe48ae07c7b0515e6446d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 23:16:01 +0000
+Subject: KVM: x86: Make kvm_queued_exception a properly named, visible struct
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit d4963e319f1f7851a098df6610a27f9f4cf6d42a ]
+
+Move the definition of "struct kvm_queued_exception" out of kvm_vcpu_arch
+in anticipation of adding a second instance in kvm_vcpu_arch to handle
+exceptions that occur when vectoring an injected exception and are
+morphed to VM-Exit instead of leading to #DF.
+
+Opportunistically take advantage of the churn to rename "nr" to "vector".
+
+No functional change intended.
+
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Link: https://lore.kernel.org/r/20220830231614.3580124-15-seanjc@google.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Stable-dep-of: 7709aba8f716 ("KVM: x86: Morph pending exceptions to pending VM-Exits at queue time")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/kvm_host.h | 23 +++++-----
+ arch/x86/kvm/svm/nested.c | 47 ++++++++++---------
+ arch/x86/kvm/svm/svm.c | 14 +++---
+ arch/x86/kvm/vmx/nested.c | 42 +++++++++--------
+ arch/x86/kvm/vmx/vmx.c | 20 ++++-----
+ arch/x86/kvm/x86.c | 80 ++++++++++++++++-----------------
+ arch/x86/kvm/x86.h | 3 +-
+ 7 files changed, 113 insertions(+), 116 deletions(-)
+
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index aa381ab69a19..36e4fde359a7 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -639,6 +639,17 @@ struct kvm_vcpu_xen {
+ struct timer_list poll_timer;
+ };
+
++struct kvm_queued_exception {
++ bool pending;
++ bool injected;
++ bool has_error_code;
++ u8 vector;
++ u32 error_code;
++ unsigned long payload;
++ bool has_payload;
++ u8 nested_apf;
++};
++
+ struct kvm_vcpu_arch {
+ /*
+ * rip and regs accesses must go through
+@@ -738,16 +749,8 @@ struct kvm_vcpu_arch {
+
+ u8 event_exit_inst_len;
+
+- struct kvm_queued_exception {
+- bool pending;
+- bool injected;
+- bool has_error_code;
+- u8 nr;
+- u32 error_code;
+- unsigned long payload;
+- bool has_payload;
+- u8 nested_apf;
+- } exception;
++ /* Exceptions to be injected to the guest. */
++ struct kvm_queued_exception exception;
+
+ struct kvm_queued_interrupt {
+ bool injected;
+diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
+index 76dcc8a3e849..8f991592d277 100644
+--- a/arch/x86/kvm/svm/nested.c
++++ b/arch/x86/kvm/svm/nested.c
+@@ -468,7 +468,7 @@ static void nested_save_pending_event_to_vmcb12(struct vcpu_svm *svm,
+ unsigned int nr;
+
+ if (vcpu->arch.exception.injected) {
+- nr = vcpu->arch.exception.nr;
++ nr = vcpu->arch.exception.vector;
+ exit_int_info = nr | SVM_EVTINJ_VALID | SVM_EVTINJ_TYPE_EXEPT;
+
+ if (vcpu->arch.exception.has_error_code) {
+@@ -1306,42 +1306,45 @@ int nested_svm_check_permissions(struct kvm_vcpu *vcpu)
+
+ static bool nested_exit_on_exception(struct vcpu_svm *svm)
+ {
+- unsigned int nr = svm->vcpu.arch.exception.nr;
++ unsigned int vector = svm->vcpu.arch.exception.vector;
+
+- return (svm->nested.ctl.intercepts[INTERCEPT_EXCEPTION] & BIT(nr));
++ return (svm->nested.ctl.intercepts[INTERCEPT_EXCEPTION] & BIT(vector));
+ }
+
+-static void nested_svm_inject_exception_vmexit(struct vcpu_svm *svm)
++static void nested_svm_inject_exception_vmexit(struct kvm_vcpu *vcpu)
+ {
+- unsigned int nr = svm->vcpu.arch.exception.nr;
++ struct kvm_queued_exception *ex = &vcpu->arch.exception;
++ struct vcpu_svm *svm = to_svm(vcpu);
+ struct vmcb *vmcb = svm->vmcb;
+
+- vmcb->control.exit_code = SVM_EXIT_EXCP_BASE + nr;
++ vmcb->control.exit_code = SVM_EXIT_EXCP_BASE + ex->vector;
+ vmcb->control.exit_code_hi = 0;
+
+- if (svm->vcpu.arch.exception.has_error_code)
+- vmcb->control.exit_info_1 = svm->vcpu.arch.exception.error_code;
++ if (ex->has_error_code)
++ vmcb->control.exit_info_1 = ex->error_code;
+
+ /*
+ * EXITINFO2 is undefined for all exception intercepts other
+ * than #PF.
+ */
+- if (nr == PF_VECTOR) {
+- if (svm->vcpu.arch.exception.nested_apf)
+- vmcb->control.exit_info_2 = svm->vcpu.arch.apf.nested_apf_token;
+- else if (svm->vcpu.arch.exception.has_payload)
+- vmcb->control.exit_info_2 = svm->vcpu.arch.exception.payload;
++ if (ex->vector == PF_VECTOR) {
++ if (ex->nested_apf)
++ vmcb->control.exit_info_2 = vcpu->arch.apf.nested_apf_token;
++ else if (ex->has_payload)
++ vmcb->control.exit_info_2 = ex->payload;
+ else
+- vmcb->control.exit_info_2 = svm->vcpu.arch.cr2;
+- } else if (nr == DB_VECTOR) {
++ vmcb->control.exit_info_2 = vcpu->arch.cr2;
++ } else if (ex->vector == DB_VECTOR) {
+ /* See inject_pending_event. */
+- kvm_deliver_exception_payload(&svm->vcpu);
+- if (svm->vcpu.arch.dr7 & DR7_GD) {
+- svm->vcpu.arch.dr7 &= ~DR7_GD;
+- kvm_update_dr7(&svm->vcpu);
++ kvm_deliver_exception_payload(vcpu, ex);
++
++ if (vcpu->arch.dr7 & DR7_GD) {
++ vcpu->arch.dr7 &= ~DR7_GD;
++ kvm_update_dr7(vcpu);
+ }
+- } else
+- WARN_ON(svm->vcpu.arch.exception.has_payload);
++ } else {
++ WARN_ON(ex->has_payload);
++ }
+
+ nested_svm_vmexit(svm);
+ }
+@@ -1379,7 +1382,7 @@ static int svm_check_nested_events(struct kvm_vcpu *vcpu)
+ return -EBUSY;
+ if (!nested_exit_on_exception(svm))
+ return 0;
+- nested_svm_inject_exception_vmexit(svm);
++ nested_svm_inject_exception_vmexit(vcpu);
+ return 0;
+ }
+
+diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
+index f3813dbacb9f..b96c091f6c3d 100644
+--- a/arch/x86/kvm/svm/svm.c
++++ b/arch/x86/kvm/svm/svm.c
+@@ -463,22 +463,20 @@ static int svm_update_soft_interrupt_rip(struct kvm_vcpu *vcpu)
+
+ static void svm_queue_exception(struct kvm_vcpu *vcpu)
+ {
++ struct kvm_queued_exception *ex = &vcpu->arch.exception;
+ struct vcpu_svm *svm = to_svm(vcpu);
+- unsigned nr = vcpu->arch.exception.nr;
+- bool has_error_code = vcpu->arch.exception.has_error_code;
+- u32 error_code = vcpu->arch.exception.error_code;
+
+- kvm_deliver_exception_payload(vcpu);
++ kvm_deliver_exception_payload(vcpu, ex);
+
+- if (kvm_exception_is_soft(nr) &&
++ if (kvm_exception_is_soft(ex->vector) &&
+ svm_update_soft_interrupt_rip(vcpu))
+ return;
+
+- svm->vmcb->control.event_inj = nr
++ svm->vmcb->control.event_inj = ex->vector
+ | SVM_EVTINJ_VALID
+- | (has_error_code ? SVM_EVTINJ_VALID_ERR : 0)
++ | (ex->has_error_code ? SVM_EVTINJ_VALID_ERR : 0)
+ | SVM_EVTINJ_TYPE_EXEPT;
+- svm->vmcb->control.event_inj_err = error_code;
++ svm->vmcb->control.event_inj_err = ex->error_code;
+ }
+
+ static void svm_init_erratum_383(void)
+diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
+index 0aa40ea496a8..83239d47fc0f 100644
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -446,29 +446,27 @@ static bool nested_vmx_is_page_fault_vmexit(struct vmcs12 *vmcs12,
+ */
+ static int nested_vmx_check_exception(struct kvm_vcpu *vcpu, unsigned long *exit_qual)
+ {
++ struct kvm_queued_exception *ex = &vcpu->arch.exception;
+ struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
+- unsigned int nr = vcpu->arch.exception.nr;
+- bool has_payload = vcpu->arch.exception.has_payload;
+- unsigned long payload = vcpu->arch.exception.payload;
+
+- if (nr == PF_VECTOR) {
+- if (vcpu->arch.exception.nested_apf) {
++ if (ex->vector == PF_VECTOR) {
++ if (ex->nested_apf) {
+ *exit_qual = vcpu->arch.apf.nested_apf_token;
+ return 1;
+ }
+- if (nested_vmx_is_page_fault_vmexit(vmcs12,
+- vcpu->arch.exception.error_code)) {
+- *exit_qual = has_payload ? payload : vcpu->arch.cr2;
++ if (nested_vmx_is_page_fault_vmexit(vmcs12, ex->error_code)) {
++ *exit_qual = ex->has_payload ? ex->payload : vcpu->arch.cr2;
+ return 1;
+ }
+- } else if (vmcs12->exception_bitmap & (1u << nr)) {
+- if (nr == DB_VECTOR) {
+- if (!has_payload) {
+- payload = vcpu->arch.dr6;
+- payload &= ~DR6_BT;
+- payload ^= DR6_ACTIVE_LOW;
++ } else if (vmcs12->exception_bitmap & (1u << ex->vector)) {
++ if (ex->vector == DB_VECTOR) {
++ if (ex->has_payload) {
++ *exit_qual = ex->payload;
++ } else {
++ *exit_qual = vcpu->arch.dr6;
++ *exit_qual &= ~DR6_BT;
++ *exit_qual ^= DR6_ACTIVE_LOW;
+ }
+- *exit_qual = payload;
+ } else
+ *exit_qual = 0;
+ return 1;
+@@ -3723,7 +3721,7 @@ static void vmcs12_save_pending_event(struct kvm_vcpu *vcpu,
+ is_double_fault(exit_intr_info))) {
+ vmcs12->idt_vectoring_info_field = 0;
+ } else if (vcpu->arch.exception.injected) {
+- nr = vcpu->arch.exception.nr;
++ nr = vcpu->arch.exception.vector;
+ idt_vectoring = nr | VECTORING_INFO_VALID_MASK;
+
+ if (kvm_exception_is_soft(nr)) {
+@@ -3827,11 +3825,11 @@ static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
+ static void nested_vmx_inject_exception_vmexit(struct kvm_vcpu *vcpu,
+ unsigned long exit_qual)
+ {
++ struct kvm_queued_exception *ex = &vcpu->arch.exception;
++ u32 intr_info = ex->vector | INTR_INFO_VALID_MASK;
+ struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
+- unsigned int nr = vcpu->arch.exception.nr;
+- u32 intr_info = nr | INTR_INFO_VALID_MASK;
+
+- if (vcpu->arch.exception.has_error_code) {
++ if (ex->has_error_code) {
+ /*
+ * Intel CPUs do not generate error codes with bits 31:16 set,
+ * and more importantly VMX disallows setting bits 31:16 in the
+@@ -3841,11 +3839,11 @@ static void nested_vmx_inject_exception_vmexit(struct kvm_vcpu *vcpu,
+ * generate "full" 32-bit error codes, so KVM allows userspace
+ * to inject exception error codes with bits 31:16 set.
+ */
+- vmcs12->vm_exit_intr_error_code = (u16)vcpu->arch.exception.error_code;
++ vmcs12->vm_exit_intr_error_code = (u16)ex->error_code;
+ intr_info |= INTR_INFO_DELIVER_CODE_MASK;
+ }
+
+- if (kvm_exception_is_soft(nr))
++ if (kvm_exception_is_soft(ex->vector))
+ intr_info |= INTR_TYPE_SOFT_EXCEPTION;
+ else
+ intr_info |= INTR_TYPE_HARD_EXCEPTION;
+@@ -3876,7 +3874,7 @@ static void nested_vmx_inject_exception_vmexit(struct kvm_vcpu *vcpu,
+ static inline unsigned long vmx_get_pending_dbg_trap(struct kvm_vcpu *vcpu)
+ {
+ if (!vcpu->arch.exception.pending ||
+- vcpu->arch.exception.nr != DB_VECTOR)
++ vcpu->arch.exception.vector != DB_VECTOR)
+ return 0;
+
+ /* General Detect #DBs are always fault-like. */
+diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
+index 7f3581960eb5..0f68ed966944 100644
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -1659,7 +1659,7 @@ static void vmx_update_emulated_instruction(struct kvm_vcpu *vcpu)
+ */
+ if (nested_cpu_has_mtf(vmcs12) &&
+ (!vcpu->arch.exception.pending ||
+- vcpu->arch.exception.nr == DB_VECTOR))
++ vcpu->arch.exception.vector == DB_VECTOR))
+ vmx->nested.mtf_pending = true;
+ else
+ vmx->nested.mtf_pending = false;
+@@ -1686,15 +1686,13 @@ static void vmx_clear_hlt(struct kvm_vcpu *vcpu)
+
+ static void vmx_queue_exception(struct kvm_vcpu *vcpu)
+ {
++ struct kvm_queued_exception *ex = &vcpu->arch.exception;
++ u32 intr_info = ex->vector | INTR_INFO_VALID_MASK;
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+- unsigned nr = vcpu->arch.exception.nr;
+- bool has_error_code = vcpu->arch.exception.has_error_code;
+- u32 error_code = vcpu->arch.exception.error_code;
+- u32 intr_info = nr | INTR_INFO_VALID_MASK;
+
+- kvm_deliver_exception_payload(vcpu);
++ kvm_deliver_exception_payload(vcpu, ex);
+
+- if (has_error_code) {
++ if (ex->has_error_code) {
+ /*
+ * Despite the error code being architecturally defined as 32
+ * bits, and the VMCS field being 32 bits, Intel CPUs and thus
+@@ -1705,21 +1703,21 @@ static void vmx_queue_exception(struct kvm_vcpu *vcpu)
+ * the upper bits to avoid VM-Fail, losing information that
+ * does't really exist is preferable to killing the VM.
+ */
+- vmcs_write32(VM_ENTRY_EXCEPTION_ERROR_CODE, (u16)error_code);
++ vmcs_write32(VM_ENTRY_EXCEPTION_ERROR_CODE, (u16)ex->error_code);
+ intr_info |= INTR_INFO_DELIVER_CODE_MASK;
+ }
+
+ if (vmx->rmode.vm86_active) {
+ int inc_eip = 0;
+- if (kvm_exception_is_soft(nr))
++ if (kvm_exception_is_soft(ex->vector))
+ inc_eip = vcpu->arch.event_exit_inst_len;
+- kvm_inject_realmode_interrupt(vcpu, nr, inc_eip);
++ kvm_inject_realmode_interrupt(vcpu, ex->vector, inc_eip);
+ return;
+ }
+
+ WARN_ON_ONCE(vmx->emulation_required);
+
+- if (kvm_exception_is_soft(nr)) {
++ if (kvm_exception_is_soft(ex->vector)) {
+ vmcs_write32(VM_ENTRY_INSTRUCTION_LEN,
+ vmx->vcpu.arch.event_exit_inst_len);
+ intr_info |= INTR_TYPE_SOFT_EXCEPTION;
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 14cb589683a1..14182b5b2c93 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -556,16 +556,13 @@ static int exception_type(int vector)
+ return EXCPT_FAULT;
+ }
+
+-void kvm_deliver_exception_payload(struct kvm_vcpu *vcpu)
++void kvm_deliver_exception_payload(struct kvm_vcpu *vcpu,
++ struct kvm_queued_exception *ex)
+ {
+- unsigned nr = vcpu->arch.exception.nr;
+- bool has_payload = vcpu->arch.exception.has_payload;
+- unsigned long payload = vcpu->arch.exception.payload;
+-
+- if (!has_payload)
++ if (!ex->has_payload)
+ return;
+
+- switch (nr) {
++ switch (ex->vector) {
+ case DB_VECTOR:
+ /*
+ * "Certain debug exceptions may clear bit 0-3. The
+@@ -590,8 +587,8 @@ void kvm_deliver_exception_payload(struct kvm_vcpu *vcpu)
+ * So they need to be flipped for DR6.
+ */
+ vcpu->arch.dr6 |= DR6_ACTIVE_LOW;
+- vcpu->arch.dr6 |= payload;
+- vcpu->arch.dr6 ^= payload & DR6_ACTIVE_LOW;
++ vcpu->arch.dr6 |= ex->payload;
++ vcpu->arch.dr6 ^= ex->payload & DR6_ACTIVE_LOW;
+
+ /*
+ * The #DB payload is defined as compatible with the 'pending
+@@ -602,12 +599,12 @@ void kvm_deliver_exception_payload(struct kvm_vcpu *vcpu)
+ vcpu->arch.dr6 &= ~BIT(12);
+ break;
+ case PF_VECTOR:
+- vcpu->arch.cr2 = payload;
++ vcpu->arch.cr2 = ex->payload;
+ break;
+ }
+
+- vcpu->arch.exception.has_payload = false;
+- vcpu->arch.exception.payload = 0;
++ ex->has_payload = false;
++ ex->payload = 0;
+ }
+ EXPORT_SYMBOL_GPL(kvm_deliver_exception_payload);
+
+@@ -646,17 +643,18 @@ static void kvm_multiple_exception(struct kvm_vcpu *vcpu,
+ vcpu->arch.exception.injected = false;
+ }
+ vcpu->arch.exception.has_error_code = has_error;
+- vcpu->arch.exception.nr = nr;
++ vcpu->arch.exception.vector = nr;
+ vcpu->arch.exception.error_code = error_code;
+ vcpu->arch.exception.has_payload = has_payload;
+ vcpu->arch.exception.payload = payload;
+ if (!is_guest_mode(vcpu))
+- kvm_deliver_exception_payload(vcpu);
++ kvm_deliver_exception_payload(vcpu,
++ &vcpu->arch.exception);
+ return;
+ }
+
+ /* to check exception */
+- prev_nr = vcpu->arch.exception.nr;
++ prev_nr = vcpu->arch.exception.vector;
+ if (prev_nr == DF_VECTOR) {
+ /* triple fault -> shutdown */
+ kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu);
+@@ -674,7 +672,7 @@ static void kvm_multiple_exception(struct kvm_vcpu *vcpu,
+ vcpu->arch.exception.pending = true;
+ vcpu->arch.exception.injected = false;
+ vcpu->arch.exception.has_error_code = true;
+- vcpu->arch.exception.nr = DF_VECTOR;
++ vcpu->arch.exception.vector = DF_VECTOR;
+ vcpu->arch.exception.error_code = 0;
+ vcpu->arch.exception.has_payload = false;
+ vcpu->arch.exception.payload = 0;
+@@ -5023,25 +5021,24 @@ static int kvm_vcpu_ioctl_x86_set_mce(struct kvm_vcpu *vcpu,
+ static void kvm_vcpu_ioctl_x86_get_vcpu_events(struct kvm_vcpu *vcpu,
+ struct kvm_vcpu_events *events)
+ {
++ struct kvm_queued_exception *ex = &vcpu->arch.exception;
++
+ process_nmi(vcpu);
+
+ if (kvm_check_request(KVM_REQ_SMI, vcpu))
+ process_smi(vcpu);
+
+ /*
+- * In guest mode, payload delivery should be deferred,
+- * so that the L1 hypervisor can intercept #PF before
+- * CR2 is modified (or intercept #DB before DR6 is
+- * modified under nVMX). Unless the per-VM capability,
+- * KVM_CAP_EXCEPTION_PAYLOAD, is set, we may not defer the delivery of
+- * an exception payload and handle after a KVM_GET_VCPU_EVENTS. Since we
+- * opportunistically defer the exception payload, deliver it if the
+- * capability hasn't been requested before processing a
+- * KVM_GET_VCPU_EVENTS.
++ * In guest mode, payload delivery should be deferred if the exception
++ * will be intercepted by L1, e.g. KVM should not modifying CR2 if L1
++ * intercepts #PF, ditto for DR6 and #DBs. If the per-VM capability,
++ * KVM_CAP_EXCEPTION_PAYLOAD, is not set, userspace may or may not
++ * propagate the payload and so it cannot be safely deferred. Deliver
++ * the payload if the capability hasn't been requested.
+ */
+ if (!vcpu->kvm->arch.exception_payload_enabled &&
+- vcpu->arch.exception.pending && vcpu->arch.exception.has_payload)
+- kvm_deliver_exception_payload(vcpu);
++ ex->pending && ex->has_payload)
++ kvm_deliver_exception_payload(vcpu, ex);
+
+ /*
+ * The API doesn't provide the instruction length for software
+@@ -5049,26 +5046,25 @@ static void kvm_vcpu_ioctl_x86_get_vcpu_events(struct kvm_vcpu *vcpu,
+ * isn't advanced, we should expect to encounter the exception
+ * again.
+ */
+- if (kvm_exception_is_soft(vcpu->arch.exception.nr)) {
++ if (kvm_exception_is_soft(ex->vector)) {
+ events->exception.injected = 0;
+ events->exception.pending = 0;
+ } else {
+- events->exception.injected = vcpu->arch.exception.injected;
+- events->exception.pending = vcpu->arch.exception.pending;
++ events->exception.injected = ex->injected;
++ events->exception.pending = ex->pending;
+ /*
+ * For ABI compatibility, deliberately conflate
+ * pending and injected exceptions when
+ * KVM_CAP_EXCEPTION_PAYLOAD isn't enabled.
+ */
+ if (!vcpu->kvm->arch.exception_payload_enabled)
+- events->exception.injected |=
+- vcpu->arch.exception.pending;
++ events->exception.injected |= ex->pending;
+ }
+- events->exception.nr = vcpu->arch.exception.nr;
+- events->exception.has_error_code = vcpu->arch.exception.has_error_code;
+- events->exception.error_code = vcpu->arch.exception.error_code;
+- events->exception_has_payload = vcpu->arch.exception.has_payload;
+- events->exception_payload = vcpu->arch.exception.payload;
++ events->exception.nr = ex->vector;
++ events->exception.has_error_code = ex->has_error_code;
++ events->exception.error_code = ex->error_code;
++ events->exception_has_payload = ex->has_payload;
++ events->exception_payload = ex->payload;
+
+ events->interrupt.injected =
+ vcpu->arch.interrupt.injected && !vcpu->arch.interrupt.soft;
+@@ -5140,7 +5136,7 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu,
+ process_nmi(vcpu);
+ vcpu->arch.exception.injected = events->exception.injected;
+ vcpu->arch.exception.pending = events->exception.pending;
+- vcpu->arch.exception.nr = events->exception.nr;
++ vcpu->arch.exception.vector = events->exception.nr;
+ vcpu->arch.exception.has_error_code = events->exception.has_error_code;
+ vcpu->arch.exception.error_code = events->exception.error_code;
+ vcpu->arch.exception.has_payload = events->exception_has_payload;
+@@ -9675,7 +9671,7 @@ int kvm_check_nested_events(struct kvm_vcpu *vcpu)
+
+ static void kvm_inject_exception(struct kvm_vcpu *vcpu)
+ {
+- trace_kvm_inj_exception(vcpu->arch.exception.nr,
++ trace_kvm_inj_exception(vcpu->arch.exception.vector,
+ vcpu->arch.exception.has_error_code,
+ vcpu->arch.exception.error_code,
+ vcpu->arch.exception.injected);
+@@ -9747,12 +9743,12 @@ static int inject_pending_event(struct kvm_vcpu *vcpu, bool *req_immediate_exit)
+ * describe the behavior of General Detect #DBs, which are
+ * fault-like. They do _not_ set RF, a la code breakpoints.
+ */
+- if (exception_type(vcpu->arch.exception.nr) == EXCPT_FAULT)
++ if (exception_type(vcpu->arch.exception.vector) == EXCPT_FAULT)
+ __kvm_set_rflags(vcpu, kvm_get_rflags(vcpu) |
+ X86_EFLAGS_RF);
+
+- if (vcpu->arch.exception.nr == DB_VECTOR) {
+- kvm_deliver_exception_payload(vcpu);
++ if (vcpu->arch.exception.vector == DB_VECTOR) {
++ kvm_deliver_exception_payload(vcpu, &vcpu->arch.exception);
+ if (vcpu->arch.dr7 & DR7_GD) {
+ vcpu->arch.dr7 &= ~DR7_GD;
+ kvm_update_dr7(vcpu);
+diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
+index 1926d2cb8e79..4147d27f9fbc 100644
+--- a/arch/x86/kvm/x86.h
++++ b/arch/x86/kvm/x86.h
+@@ -286,7 +286,8 @@ int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu,
+
+ int handle_ud(struct kvm_vcpu *vcpu);
+
+-void kvm_deliver_exception_payload(struct kvm_vcpu *vcpu);
++void kvm_deliver_exception_payload(struct kvm_vcpu *vcpu,
++ struct kvm_queued_exception *ex);
+
+ void kvm_vcpu_mtrr_init(struct kvm_vcpu *vcpu);
+ u8 kvm_mtrr_get_guest_memory_type(struct kvm_vcpu *vcpu, gfn_t gfn);
+--
+2.35.1
+
--- /dev/null
+From 80c076cb1e7ff649cd729910c9f9058780e124cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 14:32:37 +0800
+Subject: KVM: x86/mmu: fix memoryleak in kvm_mmu_vendor_module_init()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit d7c9bfb9caaffd496ae44b258ec7c793677d3eeb ]
+
+When register_shrinker() fails, KVM doesn't release the percpu counter
+kvm_total_used_mmu_pages leading to memoryleak. Fix this issue by calling
+percpu_counter_destroy() when register_shrinker() fails.
+
+Fixes: ab271bd4dfd5 ("x86: kvm: propagate register_shrinker return code")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Link: https://lore.kernel.org/r/20220823063237.47299-1-linmiaohe@huawei.com
+[sean: tweak shortlog and changelog]
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/mmu/mmu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
+index 3552e6af3684..858bc53cfab4 100644
+--- a/arch/x86/kvm/mmu/mmu.c
++++ b/arch/x86/kvm/mmu/mmu.c
+@@ -6704,10 +6704,12 @@ int kvm_mmu_vendor_module_init(void)
+
+ ret = register_shrinker(&mmu_shrinker, "x86-mmu");
+ if (ret)
+- goto out;
++ goto out_shrinker;
+
+ return 0;
+
++out_shrinker:
++ percpu_counter_destroy(&kvm_total_used_mmu_pages);
+ out:
+ mmu_destroy_caches();
+ return ret;
+--
+2.35.1
+
--- /dev/null
+From 2c2075dbd009341c0223762348ffd9d61e289200 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 23:16:08 +0000
+Subject: KVM: x86: Morph pending exceptions to pending VM-Exits at queue time
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 7709aba8f71613ae5d18d8c00adb54948e6bedb3 ]
+
+Morph pending exceptions to pending VM-Exits (due to interception) when
+the exception is queued instead of waiting until nested events are
+checked at VM-Entry. This fixes a longstanding bug where KVM fails to
+handle an exception that occurs during delivery of a previous exception,
+KVM (L0) and L1 both want to intercept the exception (e.g. #PF for shadow
+paging), and KVM determines that the exception is in the guest's domain,
+i.e. queues the new exception for L2. Deferring the interception check
+causes KVM to esclate various combinations of injected+pending exceptions
+to double fault (#DF) without consulting L1's interception desires, and
+ends up injecting a spurious #DF into L2.
+
+KVM has fudged around the issue for #PF by special casing emulated #PF
+injection for shadow paging, but the underlying issue is not unique to
+shadow paging in L0, e.g. if KVM is intercepting #PF because the guest
+has a smaller maxphyaddr and L1 (but not L0) is using shadow paging.
+Other exceptions are affected as well, e.g. if KVM is intercepting #GP
+for one of SVM's workaround or for the VMware backdoor emulation stuff.
+The other cases have gone unnoticed because the #DF is spurious if and
+only if L1 resolves the exception, e.g. KVM's goofs go unnoticed if L1
+would have injected #DF anyways.
+
+The hack-a-fix has also led to ugly code, e.g. bailing from the emulator
+if #PF injection forced a nested VM-Exit and the emulator finds itself
+back in L1. Allowing for direct-to-VM-Exit queueing also neatly solves
+the async #PF in L2 mess; no need to set a magic flag and token, simply
+queue a #PF nested VM-Exit.
+
+Deal with event migration by flagging that a pending exception was queued
+by userspace and check for interception at the next KVM_RUN, e.g. so that
+KVM does the right thing regardless of the order in which userspace
+restores nested state vs. event state.
+
+When "getting" events from userspace, simply drop any pending excpetion
+that is destined to be intercepted if there is also an injected exception
+to be migrated. Ideally, KVM would migrate both events, but that would
+require new ABI, and practically speaking losing the event is unlikely to
+be noticed, let alone fatal. The injected exception is captured, RIP
+still points at the original faulting instruction, etc... So either the
+injection on the target will trigger the same intercepted exception, or
+the source of the intercepted exception was transient and/or
+non-deterministic, thus dropping it is ok-ish.
+
+Fixes: a04aead144fd ("KVM: nSVM: fix running nested guests when npt=0")
+Fixes: feaf0c7dc473 ("KVM: nVMX: Do not generate #DF if #PF happens during exception delivery into L2")
+Cc: Jim Mattson <jmattson@google.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Link: https://lore.kernel.org/r/20220830231614.3580124-22-seanjc@google.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/kvm_host.h | 12 ++-
+ arch/x86/kvm/svm/nested.c | 45 +++------
+ arch/x86/kvm/vmx/nested.c | 109 ++++++++++------------
+ arch/x86/kvm/vmx/vmx.c | 6 +-
+ arch/x86/kvm/x86.c | 159 ++++++++++++++++++++++----------
+ arch/x86/kvm/x86.h | 7 ++
+ 6 files changed, 188 insertions(+), 150 deletions(-)
+
+diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
+index 36e4fde359a7..bad74c8fbc65 100644
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -647,7 +647,6 @@ struct kvm_queued_exception {
+ u32 error_code;
+ unsigned long payload;
+ bool has_payload;
+- u8 nested_apf;
+ };
+
+ struct kvm_vcpu_arch {
+@@ -749,8 +748,12 @@ struct kvm_vcpu_arch {
+
+ u8 event_exit_inst_len;
+
++ bool exception_from_userspace;
++
+ /* Exceptions to be injected to the guest. */
+ struct kvm_queued_exception exception;
++ /* Exception VM-Exits to be synthesized to L1. */
++ struct kvm_queued_exception exception_vmexit;
+
+ struct kvm_queued_interrupt {
+ bool injected;
+@@ -861,7 +864,6 @@ struct kvm_vcpu_arch {
+ u32 id;
+ bool send_user_only;
+ u32 host_apf_flags;
+- unsigned long nested_apf_token;
+ bool delivery_as_pf_vmexit;
+ bool pageready_pending;
+ } apf;
+@@ -1637,9 +1639,9 @@ struct kvm_x86_ops {
+
+ struct kvm_x86_nested_ops {
+ void (*leave_nested)(struct kvm_vcpu *vcpu);
++ bool (*is_exception_vmexit)(struct kvm_vcpu *vcpu, u8 vector,
++ u32 error_code);
+ int (*check_events)(struct kvm_vcpu *vcpu);
+- bool (*handle_page_fault_workaround)(struct kvm_vcpu *vcpu,
+- struct x86_exception *fault);
+ bool (*hv_timer_pending)(struct kvm_vcpu *vcpu);
+ void (*triple_fault)(struct kvm_vcpu *vcpu);
+ int (*get_state)(struct kvm_vcpu *vcpu,
+@@ -1866,7 +1868,7 @@ void kvm_queue_exception_p(struct kvm_vcpu *vcpu, unsigned nr, unsigned long pay
+ void kvm_requeue_exception(struct kvm_vcpu *vcpu, unsigned nr);
+ void kvm_requeue_exception_e(struct kvm_vcpu *vcpu, unsigned nr, u32 error_code);
+ void kvm_inject_page_fault(struct kvm_vcpu *vcpu, struct x86_exception *fault);
+-bool kvm_inject_emulated_page_fault(struct kvm_vcpu *vcpu,
++void kvm_inject_emulated_page_fault(struct kvm_vcpu *vcpu,
+ struct x86_exception *fault);
+ bool kvm_require_cpl(struct kvm_vcpu *vcpu, int required_cpl);
+ bool kvm_require_dr(struct kvm_vcpu *vcpu, int dr);
+diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
+index a6111392985c..405075286965 100644
+--- a/arch/x86/kvm/svm/nested.c
++++ b/arch/x86/kvm/svm/nested.c
+@@ -55,28 +55,6 @@ static void nested_svm_inject_npf_exit(struct kvm_vcpu *vcpu,
+ nested_svm_vmexit(svm);
+ }
+
+-static bool nested_svm_handle_page_fault_workaround(struct kvm_vcpu *vcpu,
+- struct x86_exception *fault)
+-{
+- struct vcpu_svm *svm = to_svm(vcpu);
+- struct vmcb *vmcb = svm->vmcb;
+-
+- WARN_ON(!is_guest_mode(vcpu));
+-
+- if (vmcb12_is_intercept(&svm->nested.ctl,
+- INTERCEPT_EXCEPTION_OFFSET + PF_VECTOR) &&
+- !WARN_ON_ONCE(svm->nested.nested_run_pending)) {
+- vmcb->control.exit_code = SVM_EXIT_EXCP_BASE + PF_VECTOR;
+- vmcb->control.exit_code_hi = 0;
+- vmcb->control.exit_info_1 = fault->error_code;
+- vmcb->control.exit_info_2 = fault->address;
+- nested_svm_vmexit(svm);
+- return true;
+- }
+-
+- return false;
+-}
+-
+ static u64 nested_svm_get_tdp_pdptr(struct kvm_vcpu *vcpu, int index)
+ {
+ struct vcpu_svm *svm = to_svm(vcpu);
+@@ -1304,16 +1282,17 @@ int nested_svm_check_permissions(struct kvm_vcpu *vcpu)
+ return 0;
+ }
+
+-static bool nested_exit_on_exception(struct vcpu_svm *svm)
++static bool nested_svm_is_exception_vmexit(struct kvm_vcpu *vcpu, u8 vector,
++ u32 error_code)
+ {
+- unsigned int vector = svm->vcpu.arch.exception.vector;
++ struct vcpu_svm *svm = to_svm(vcpu);
+
+ return (svm->nested.ctl.intercepts[INTERCEPT_EXCEPTION] & BIT(vector));
+ }
+
+ static void nested_svm_inject_exception_vmexit(struct kvm_vcpu *vcpu)
+ {
+- struct kvm_queued_exception *ex = &vcpu->arch.exception;
++ struct kvm_queued_exception *ex = &vcpu->arch.exception_vmexit;
+ struct vcpu_svm *svm = to_svm(vcpu);
+ struct vmcb *vmcb = svm->vmcb;
+
+@@ -1328,9 +1307,7 @@ static void nested_svm_inject_exception_vmexit(struct kvm_vcpu *vcpu)
+ * than #PF.
+ */
+ if (ex->vector == PF_VECTOR) {
+- if (ex->nested_apf)
+- vmcb->control.exit_info_2 = vcpu->arch.apf.nested_apf_token;
+- else if (ex->has_payload)
++ if (ex->has_payload)
+ vmcb->control.exit_info_2 = ex->payload;
+ else
+ vmcb->control.exit_info_2 = vcpu->arch.cr2;
+@@ -1383,15 +1360,19 @@ static int svm_check_nested_events(struct kvm_vcpu *vcpu)
+ return 0;
+ }
+
+- if (vcpu->arch.exception.pending) {
++ if (vcpu->arch.exception_vmexit.pending) {
+ if (block_nested_exceptions)
+ return -EBUSY;
+- if (!nested_exit_on_exception(svm))
+- return 0;
+ nested_svm_inject_exception_vmexit(vcpu);
+ return 0;
+ }
+
++ if (vcpu->arch.exception.pending) {
++ if (block_nested_exceptions)
++ return -EBUSY;
++ return 0;
++ }
++
+ if (vcpu->arch.smi_pending && !svm_smi_blocked(vcpu)) {
+ if (block_nested_events)
+ return -EBUSY;
+@@ -1729,8 +1710,8 @@ static bool svm_get_nested_state_pages(struct kvm_vcpu *vcpu)
+
+ struct kvm_x86_nested_ops svm_nested_ops = {
+ .leave_nested = svm_leave_nested,
++ .is_exception_vmexit = nested_svm_is_exception_vmexit,
+ .check_events = svm_check_nested_events,
+- .handle_page_fault_workaround = nested_svm_handle_page_fault_workaround,
+ .triple_fault = nested_svm_triple_fault,
+ .get_nested_state_pages = svm_get_nested_state_pages,
+ .get_state = svm_get_nested_state,
+diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
+index dfd5e13e5202..4bb3ccf82d63 100644
+--- a/arch/x86/kvm/vmx/nested.c
++++ b/arch/x86/kvm/vmx/nested.c
+@@ -439,59 +439,22 @@ static bool nested_vmx_is_page_fault_vmexit(struct vmcs12 *vmcs12,
+ return inequality ^ bit;
+ }
+
+-
+-/*
+- * KVM wants to inject page-faults which it got to the guest. This function
+- * checks whether in a nested guest, we need to inject them to L1 or L2.
+- */
+-static int nested_vmx_check_exception(struct kvm_vcpu *vcpu, unsigned long *exit_qual)
+-{
+- struct kvm_queued_exception *ex = &vcpu->arch.exception;
+- struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
+-
+- if (ex->vector == PF_VECTOR) {
+- if (ex->nested_apf) {
+- *exit_qual = vcpu->arch.apf.nested_apf_token;
+- return 1;
+- }
+- if (nested_vmx_is_page_fault_vmexit(vmcs12, ex->error_code)) {
+- *exit_qual = ex->has_payload ? ex->payload : vcpu->arch.cr2;
+- return 1;
+- }
+- } else if (vmcs12->exception_bitmap & (1u << ex->vector)) {
+- if (ex->vector == DB_VECTOR) {
+- if (ex->has_payload) {
+- *exit_qual = ex->payload;
+- } else {
+- *exit_qual = vcpu->arch.dr6;
+- *exit_qual &= ~DR6_BT;
+- *exit_qual ^= DR6_ACTIVE_LOW;
+- }
+- } else
+- *exit_qual = 0;
+- return 1;
+- }
+-
+- return 0;
+-}
+-
+-static bool nested_vmx_handle_page_fault_workaround(struct kvm_vcpu *vcpu,
+- struct x86_exception *fault)
++static bool nested_vmx_is_exception_vmexit(struct kvm_vcpu *vcpu, u8 vector,
++ u32 error_code)
+ {
+ struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
+
+- WARN_ON(!is_guest_mode(vcpu));
++ /*
++ * Drop bits 31:16 of the error code when performing the #PF mask+match
++ * check. All VMCS fields involved are 32 bits, but Intel CPUs never
++ * set bits 31:16 and VMX disallows setting bits 31:16 in the injected
++ * error code. Including the to-be-dropped bits in the check might
++ * result in an "impossible" or missed exit from L1's perspective.
++ */
++ if (vector == PF_VECTOR)
++ return nested_vmx_is_page_fault_vmexit(vmcs12, (u16)error_code);
+
+- if (nested_vmx_is_page_fault_vmexit(vmcs12, fault->error_code) &&
+- !WARN_ON_ONCE(to_vmx(vcpu)->nested.nested_run_pending)) {
+- vmcs12->vm_exit_intr_error_code = fault->error_code;
+- nested_vmx_vmexit(vcpu, EXIT_REASON_EXCEPTION_NMI,
+- PF_VECTOR | INTR_TYPE_HARD_EXCEPTION |
+- INTR_INFO_DELIVER_CODE_MASK | INTR_INFO_VALID_MASK,
+- fault->address);
+- return true;
+- }
+- return false;
++ return (vmcs12->exception_bitmap & (1u << vector));
+ }
+
+ static int nested_vmx_check_io_bitmap_controls(struct kvm_vcpu *vcpu,
+@@ -3822,12 +3785,24 @@ static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu)
+ return -ENXIO;
+ }
+
+-static void nested_vmx_inject_exception_vmexit(struct kvm_vcpu *vcpu,
+- unsigned long exit_qual)
++static void nested_vmx_inject_exception_vmexit(struct kvm_vcpu *vcpu)
+ {
+- struct kvm_queued_exception *ex = &vcpu->arch.exception;
++ struct kvm_queued_exception *ex = &vcpu->arch.exception_vmexit;
+ u32 intr_info = ex->vector | INTR_INFO_VALID_MASK;
+ struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
++ unsigned long exit_qual;
++
++ if (ex->has_payload) {
++ exit_qual = ex->payload;
++ } else if (ex->vector == PF_VECTOR) {
++ exit_qual = vcpu->arch.cr2;
++ } else if (ex->vector == DB_VECTOR) {
++ exit_qual = vcpu->arch.dr6;
++ exit_qual &= ~DR6_BT;
++ exit_qual ^= DR6_ACTIVE_LOW;
++ } else {
++ exit_qual = 0;
++ }
+
+ if (ex->has_error_code) {
+ /*
+@@ -3917,7 +3892,6 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
+ {
+ struct kvm_lapic *apic = vcpu->arch.apic;
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+- unsigned long exit_qual;
+ /*
+ * Only a pending nested run blocks a pending exception. If there is a
+ * previously injected event, the pending exception occurred while said
+@@ -3971,14 +3945,20 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
+ * across SMI/RSM as it should; that needs to be addressed in order to
+ * prioritize SMI over MTF and trap-like #DBs.
+ */
++ if (vcpu->arch.exception_vmexit.pending &&
++ !vmx_is_low_priority_db_trap(&vcpu->arch.exception_vmexit)) {
++ if (block_nested_exceptions)
++ return -EBUSY;
++
++ nested_vmx_inject_exception_vmexit(vcpu);
++ return 0;
++ }
++
+ if (vcpu->arch.exception.pending &&
+ !vmx_is_low_priority_db_trap(&vcpu->arch.exception)) {
+ if (block_nested_exceptions)
+ return -EBUSY;
+- if (!nested_vmx_check_exception(vcpu, &exit_qual))
+- goto no_vmexit;
+- nested_vmx_inject_exception_vmexit(vcpu, exit_qual);
+- return 0;
++ goto no_vmexit;
+ }
+
+ if (vmx->nested.mtf_pending) {
+@@ -3989,15 +3969,20 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu)
+ return 0;
+ }
+
+- if (vcpu->arch.exception.pending) {
++ if (vcpu->arch.exception_vmexit.pending) {
+ if (block_nested_exceptions)
+ return -EBUSY;
+- if (!nested_vmx_check_exception(vcpu, &exit_qual))
+- goto no_vmexit;
+- nested_vmx_inject_exception_vmexit(vcpu, exit_qual);
++
++ nested_vmx_inject_exception_vmexit(vcpu);
+ return 0;
+ }
+
++ if (vcpu->arch.exception.pending) {
++ if (block_nested_exceptions)
++ return -EBUSY;
++ goto no_vmexit;
++ }
++
+ if (nested_vmx_preemption_timer_pending(vcpu)) {
+ if (block_nested_events)
+ return -EBUSY;
+@@ -6868,8 +6853,8 @@ __init int nested_vmx_hardware_setup(int (*exit_handlers[])(struct kvm_vcpu *))
+
+ struct kvm_x86_nested_ops vmx_nested_ops = {
+ .leave_nested = vmx_leave_nested,
++ .is_exception_vmexit = nested_vmx_is_exception_vmexit,
+ .check_events = vmx_check_nested_events,
+- .handle_page_fault_workaround = nested_vmx_handle_page_fault_workaround,
+ .hv_timer_pending = nested_vmx_preemption_timer_pending,
+ .triple_fault = nested_vmx_triple_fault,
+ .get_state = vmx_get_nested_state,
+diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
+index 0f68ed966944..9c2b8e2b2a28 100644
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -1659,7 +1659,9 @@ static void vmx_update_emulated_instruction(struct kvm_vcpu *vcpu)
+ */
+ if (nested_cpu_has_mtf(vmcs12) &&
+ (!vcpu->arch.exception.pending ||
+- vcpu->arch.exception.vector == DB_VECTOR))
++ vcpu->arch.exception.vector == DB_VECTOR) &&
++ (!vcpu->arch.exception_vmexit.pending ||
++ vcpu->arch.exception_vmexit.vector == DB_VECTOR))
+ vmx->nested.mtf_pending = true;
+ else
+ vmx->nested.mtf_pending = false;
+@@ -5718,7 +5720,7 @@ static bool vmx_emulation_required_with_pending_exception(struct kvm_vcpu *vcpu)
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+
+ return vmx->emulation_required && !vmx->rmode.vm86_active &&
+- (vcpu->arch.exception.pending || vcpu->arch.exception.injected);
++ (kvm_is_exception_pending(vcpu) || vcpu->arch.exception.injected);
+ }
+
+ static int handle_invalid_guest_state(struct kvm_vcpu *vcpu)
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 01d59f93d93e..8264e41b4fea 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -608,6 +608,21 @@ void kvm_deliver_exception_payload(struct kvm_vcpu *vcpu,
+ }
+ EXPORT_SYMBOL_GPL(kvm_deliver_exception_payload);
+
++static void kvm_queue_exception_vmexit(struct kvm_vcpu *vcpu, unsigned int vector,
++ bool has_error_code, u32 error_code,
++ bool has_payload, unsigned long payload)
++{
++ struct kvm_queued_exception *ex = &vcpu->arch.exception_vmexit;
++
++ ex->vector = vector;
++ ex->injected = false;
++ ex->pending = true;
++ ex->has_error_code = has_error_code;
++ ex->error_code = error_code;
++ ex->has_payload = has_payload;
++ ex->payload = payload;
++}
++
+ static void kvm_multiple_exception(struct kvm_vcpu *vcpu,
+ unsigned nr, bool has_error, u32 error_code,
+ bool has_payload, unsigned long payload, bool reinject)
+@@ -617,18 +632,31 @@ static void kvm_multiple_exception(struct kvm_vcpu *vcpu,
+
+ kvm_make_request(KVM_REQ_EVENT, vcpu);
+
++ /*
++ * If the exception is destined for L2 and isn't being reinjected,
++ * morph it to a VM-Exit if L1 wants to intercept the exception. A
++ * previously injected exception is not checked because it was checked
++ * when it was original queued, and re-checking is incorrect if _L1_
++ * injected the exception, in which case it's exempt from interception.
++ */
++ if (!reinject && is_guest_mode(vcpu) &&
++ kvm_x86_ops.nested_ops->is_exception_vmexit(vcpu, nr, error_code)) {
++ kvm_queue_exception_vmexit(vcpu, nr, has_error, error_code,
++ has_payload, payload);
++ return;
++ }
++
+ if (!vcpu->arch.exception.pending && !vcpu->arch.exception.injected) {
+ queue:
+ if (reinject) {
+ /*
+- * On vmentry, vcpu->arch.exception.pending is only
+- * true if an event injection was blocked by
+- * nested_run_pending. In that case, however,
+- * vcpu_enter_guest requests an immediate exit,
+- * and the guest shouldn't proceed far enough to
+- * need reinjection.
++ * On VM-Entry, an exception can be pending if and only
++ * if event injection was blocked by nested_run_pending.
++ * In that case, however, vcpu_enter_guest() requests an
++ * immediate exit, and the guest shouldn't proceed far
++ * enough to need reinjection.
+ */
+- WARN_ON_ONCE(vcpu->arch.exception.pending);
++ WARN_ON_ONCE(kvm_is_exception_pending(vcpu));
+ vcpu->arch.exception.injected = true;
+ if (WARN_ON_ONCE(has_payload)) {
+ /*
+@@ -734,20 +762,22 @@ static int complete_emulated_insn_gp(struct kvm_vcpu *vcpu, int err)
+ void kvm_inject_page_fault(struct kvm_vcpu *vcpu, struct x86_exception *fault)
+ {
+ ++vcpu->stat.pf_guest;
+- vcpu->arch.exception.nested_apf =
+- is_guest_mode(vcpu) && fault->async_page_fault;
+- if (vcpu->arch.exception.nested_apf) {
+- vcpu->arch.apf.nested_apf_token = fault->address;
+- kvm_queue_exception_e(vcpu, PF_VECTOR, fault->error_code);
+- } else {
++
++ /*
++ * Async #PF in L2 is always forwarded to L1 as a VM-Exit regardless of
++ * whether or not L1 wants to intercept "regular" #PF.
++ */
++ if (is_guest_mode(vcpu) && fault->async_page_fault)
++ kvm_queue_exception_vmexit(vcpu, PF_VECTOR,
++ true, fault->error_code,
++ true, fault->address);
++ else
+ kvm_queue_exception_e_p(vcpu, PF_VECTOR, fault->error_code,
+ fault->address);
+- }
+ }
+ EXPORT_SYMBOL_GPL(kvm_inject_page_fault);
+
+-/* Returns true if the page fault was immediately morphed into a VM-Exit. */
+-bool kvm_inject_emulated_page_fault(struct kvm_vcpu *vcpu,
++void kvm_inject_emulated_page_fault(struct kvm_vcpu *vcpu,
+ struct x86_exception *fault)
+ {
+ struct kvm_mmu *fault_mmu;
+@@ -765,26 +795,7 @@ bool kvm_inject_emulated_page_fault(struct kvm_vcpu *vcpu,
+ kvm_mmu_invalidate_gva(vcpu, fault_mmu, fault->address,
+ fault_mmu->root.hpa);
+
+- /*
+- * A workaround for KVM's bad exception handling. If KVM injected an
+- * exception into L2, and L2 encountered a #PF while vectoring the
+- * injected exception, manually check to see if L1 wants to intercept
+- * #PF, otherwise queuing the #PF will lead to #DF or a lost exception.
+- * In all other cases, defer the check to nested_ops->check_events(),
+- * which will correctly handle priority (this does not). Note, other
+- * exceptions, e.g. #GP, are theoretically affected, #PF is simply the
+- * most problematic, e.g. when L0 and L1 are both intercepting #PF for
+- * shadow paging.
+- *
+- * TODO: Rewrite exception handling to track injected and pending
+- * (VM-Exit) exceptions separately.
+- */
+- if (unlikely(vcpu->arch.exception.injected && is_guest_mode(vcpu)) &&
+- kvm_x86_ops.nested_ops->handle_page_fault_workaround(vcpu, fault))
+- return true;
+-
+ fault_mmu->inject_page_fault(vcpu, fault);
+- return false;
+ }
+ EXPORT_SYMBOL_GPL(kvm_inject_emulated_page_fault);
+
+@@ -4846,7 +4857,7 @@ static int kvm_vcpu_ready_for_interrupt_injection(struct kvm_vcpu *vcpu)
+ return (kvm_arch_interrupt_allowed(vcpu) &&
+ kvm_cpu_accept_dm_intr(vcpu) &&
+ !kvm_event_needs_reinjection(vcpu) &&
+- !vcpu->arch.exception.pending);
++ !kvm_is_exception_pending(vcpu));
+ }
+
+ static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
+@@ -5021,13 +5032,27 @@ static int kvm_vcpu_ioctl_x86_set_mce(struct kvm_vcpu *vcpu,
+ static void kvm_vcpu_ioctl_x86_get_vcpu_events(struct kvm_vcpu *vcpu,
+ struct kvm_vcpu_events *events)
+ {
+- struct kvm_queued_exception *ex = &vcpu->arch.exception;
++ struct kvm_queued_exception *ex;
+
+ process_nmi(vcpu);
+
+ if (kvm_check_request(KVM_REQ_SMI, vcpu))
+ process_smi(vcpu);
+
++ /*
++ * KVM's ABI only allows for one exception to be migrated. Luckily,
++ * the only time there can be two queued exceptions is if there's a
++ * non-exiting _injected_ exception, and a pending exiting exception.
++ * In that case, ignore the VM-Exiting exception as it's an extension
++ * of the injected exception.
++ */
++ if (vcpu->arch.exception_vmexit.pending &&
++ !vcpu->arch.exception.pending &&
++ !vcpu->arch.exception.injected)
++ ex = &vcpu->arch.exception_vmexit;
++ else
++ ex = &vcpu->arch.exception;
++
+ /*
+ * In guest mode, payload delivery should be deferred if the exception
+ * will be intercepted by L1, e.g. KVM should not modifying CR2 if L1
+@@ -5134,6 +5159,19 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu,
+ return -EINVAL;
+
+ process_nmi(vcpu);
++
++ /*
++ * Flag that userspace is stuffing an exception, the next KVM_RUN will
++ * morph the exception to a VM-Exit if appropriate. Do this only for
++ * pending exceptions, already-injected exceptions are not subject to
++ * intercpetion. Note, userspace that conflates pending and injected
++ * is hosed, and will incorrectly convert an injected exception into a
++ * pending exception, which in turn may cause a spurious VM-Exit.
++ */
++ vcpu->arch.exception_from_userspace = events->exception.pending;
++
++ vcpu->arch.exception_vmexit.pending = false;
++
+ vcpu->arch.exception.injected = events->exception.injected;
+ vcpu->arch.exception.pending = events->exception.pending;
+ vcpu->arch.exception.vector = events->exception.nr;
+@@ -8164,18 +8202,17 @@ static void toggle_interruptibility(struct kvm_vcpu *vcpu, u32 mask)
+ }
+ }
+
+-static bool inject_emulated_exception(struct kvm_vcpu *vcpu)
++static void inject_emulated_exception(struct kvm_vcpu *vcpu)
+ {
+ struct x86_emulate_ctxt *ctxt = vcpu->arch.emulate_ctxt;
+- if (ctxt->exception.vector == PF_VECTOR)
+- return kvm_inject_emulated_page_fault(vcpu, &ctxt->exception);
+
+- if (ctxt->exception.error_code_valid)
++ if (ctxt->exception.vector == PF_VECTOR)
++ kvm_inject_emulated_page_fault(vcpu, &ctxt->exception);
++ else if (ctxt->exception.error_code_valid)
+ kvm_queue_exception_e(vcpu, ctxt->exception.vector,
+ ctxt->exception.error_code);
+ else
+ kvm_queue_exception(vcpu, ctxt->exception.vector);
+- return false;
+ }
+
+ static struct x86_emulate_ctxt *alloc_emulate_ctxt(struct kvm_vcpu *vcpu)
+@@ -8773,8 +8810,7 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa,
+
+ if (ctxt->have_exception) {
+ r = 1;
+- if (inject_emulated_exception(vcpu))
+- return r;
++ inject_emulated_exception(vcpu);
+ } else if (vcpu->arch.pio.count) {
+ if (!vcpu->arch.pio.in) {
+ /* FIXME: return into emulator if single-stepping. */
+@@ -9721,7 +9757,7 @@ static int inject_pending_event(struct kvm_vcpu *vcpu, bool *req_immediate_exit)
+ */
+ if (vcpu->arch.exception.injected)
+ kvm_inject_exception(vcpu);
+- else if (vcpu->arch.exception.pending)
++ else if (kvm_is_exception_pending(vcpu))
+ ; /* see above */
+ else if (vcpu->arch.nmi_injected)
+ static_call(kvm_x86_inject_nmi)(vcpu);
+@@ -9748,6 +9784,14 @@ static int inject_pending_event(struct kvm_vcpu *vcpu, bool *req_immediate_exit)
+ if (r < 0)
+ goto out;
+
++ /*
++ * A pending exception VM-Exit should either result in nested VM-Exit
++ * or force an immediate re-entry and exit to/from L2, and exception
++ * VM-Exits cannot be injected (flag should _never_ be set).
++ */
++ WARN_ON_ONCE(vcpu->arch.exception_vmexit.injected ||
++ vcpu->arch.exception_vmexit.pending);
++
+ /*
+ * New events, other than exceptions, cannot be injected if KVM needs
+ * to re-inject a previous event. See above comments on re-injecting
+@@ -9847,7 +9891,7 @@ static int inject_pending_event(struct kvm_vcpu *vcpu, bool *req_immediate_exit)
+ kvm_x86_ops.nested_ops->hv_timer_pending(vcpu))
+ *req_immediate_exit = true;
+
+- WARN_ON(vcpu->arch.exception.pending);
++ WARN_ON(kvm_is_exception_pending(vcpu));
+ return 0;
+
+ out:
+@@ -10866,6 +10910,7 @@ static void kvm_put_guest_fpu(struct kvm_vcpu *vcpu)
+
+ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu)
+ {
++ struct kvm_queued_exception *ex = &vcpu->arch.exception;
+ struct kvm_run *kvm_run = vcpu->run;
+ int r;
+
+@@ -10924,6 +10969,21 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu)
+ }
+ }
+
++ /*
++ * If userspace set a pending exception and L2 is active, convert it to
++ * a pending VM-Exit if L1 wants to intercept the exception.
++ */
++ if (vcpu->arch.exception_from_userspace && is_guest_mode(vcpu) &&
++ kvm_x86_ops.nested_ops->is_exception_vmexit(vcpu, ex->vector,
++ ex->error_code)) {
++ kvm_queue_exception_vmexit(vcpu, ex->vector,
++ ex->has_error_code, ex->error_code,
++ ex->has_payload, ex->payload);
++ ex->injected = false;
++ ex->pending = false;
++ }
++ vcpu->arch.exception_from_userspace = false;
++
+ if (unlikely(vcpu->arch.complete_userspace_io)) {
+ int (*cui)(struct kvm_vcpu *) = vcpu->arch.complete_userspace_io;
+ vcpu->arch.complete_userspace_io = NULL;
+@@ -11030,6 +11090,7 @@ static void __set_regs(struct kvm_vcpu *vcpu, struct kvm_regs *regs)
+ kvm_set_rflags(vcpu, regs->rflags | X86_EFLAGS_FIXED);
+
+ vcpu->arch.exception.pending = false;
++ vcpu->arch.exception_vmexit.pending = false;
+
+ kvm_make_request(KVM_REQ_EVENT, vcpu);
+ }
+@@ -11410,7 +11471,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(struct kvm_vcpu *vcpu,
+
+ if (dbg->control & (KVM_GUESTDBG_INJECT_DB | KVM_GUESTDBG_INJECT_BP)) {
+ r = -EBUSY;
+- if (vcpu->arch.exception.pending)
++ if (kvm_is_exception_pending(vcpu))
+ goto out;
+ if (dbg->control & KVM_GUESTDBG_INJECT_DB)
+ kvm_queue_exception(vcpu, DB_VECTOR);
+@@ -12643,7 +12704,7 @@ static inline bool kvm_vcpu_has_events(struct kvm_vcpu *vcpu)
+ if (vcpu->arch.pv.pv_unhalted)
+ return true;
+
+- if (vcpu->arch.exception.pending)
++ if (kvm_is_exception_pending(vcpu))
+ return true;
+
+ if (kvm_test_request(KVM_REQ_NMI, vcpu) ||
+@@ -12898,7 +12959,7 @@ bool kvm_can_do_async_pf(struct kvm_vcpu *vcpu)
+ {
+ if (unlikely(!lapic_in_kernel(vcpu) ||
+ kvm_event_needs_reinjection(vcpu) ||
+- vcpu->arch.exception.pending))
++ kvm_is_exception_pending(vcpu)))
+ return false;
+
+ if (kvm_hlt_in_guest(vcpu->kvm) && !kvm_can_deliver_async_pf(vcpu))
+diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
+index 4147d27f9fbc..256745d1a2c3 100644
+--- a/arch/x86/kvm/x86.h
++++ b/arch/x86/kvm/x86.h
+@@ -82,10 +82,17 @@ static inline unsigned int __shrink_ple_window(unsigned int val,
+ void kvm_service_local_tlb_flush_requests(struct kvm_vcpu *vcpu);
+ int kvm_check_nested_events(struct kvm_vcpu *vcpu);
+
++static inline bool kvm_is_exception_pending(struct kvm_vcpu *vcpu)
++{
++ return vcpu->arch.exception.pending ||
++ vcpu->arch.exception_vmexit.pending;
++}
++
+ static inline void kvm_clear_exception_queue(struct kvm_vcpu *vcpu)
+ {
+ vcpu->arch.exception.pending = false;
+ vcpu->arch.exception.injected = false;
++ vcpu->arch.exception_vmexit.pending = false;
+ }
+
+ static inline void kvm_queue_interrupt(struct kvm_vcpu *vcpu, u8 vector,
+--
+2.35.1
+
--- /dev/null
+From 1abbad519136449cb6a4dd537e30dbf56cb3ff9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 15:37:09 +0200
+Subject: KVM: x86: Report error when setting CPUID if Hyper-V allocation fails
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 3be29eb7b5251a772e2033761a9b67981fdfb0f7 ]
+
+Return -ENOMEM back to userspace if allocating the Hyper-V vCPU struct
+fails when enabling Hyper-V in guest CPUID. Silently ignoring failure
+means that KVM will not have an up-to-date CPUID cache if allocating the
+struct succeeds later on, e.g. when activating SynIC.
+
+Rejecting the CPUID operation also guarantess that vcpu->arch.hyperv is
+non-NULL if hyperv_enabled is true, which will allow for additional
+cleanup, e.g. in the eVMCS code.
+
+Note, the initialization needs to be done before CPUID is set, and more
+subtly before kvm_check_cpuid(), which potentially enables dynamic
+XFEATURES. Sadly, there's no easy way to avoid exposing Hyper-V details
+to CPUID or vice versa. Expose kvm_hv_vcpu_init() and the Hyper-V CPUID
+signature to CPUID instead of exposing cpuid_entry2_find() outside of
+CPUID code. It's hard to envision kvm_hv_vcpu_init() being misused,
+whereas cpuid_entry2_find() absolutely shouldn't be used outside of core
+CPUID code.
+
+Fixes: 10d7bf1e46dc ("KVM: x86: hyper-v: Cache guest CPUID leaves determining features availability")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Link: https://lore.kernel.org/r/20220830133737.1539624-6-vkuznets@redhat.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/cpuid.c | 18 +++++++++++++++++-
+ arch/x86/kvm/hyperv.c | 30 ++++++++++++++----------------
+ arch/x86/kvm/hyperv.h | 6 +++++-
+ 3 files changed, 36 insertions(+), 18 deletions(-)
+
+diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
+index 2796dde06302..7065462378e2 100644
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -311,6 +311,15 @@ void kvm_update_cpuid_runtime(struct kvm_vcpu *vcpu)
+ }
+ EXPORT_SYMBOL_GPL(kvm_update_cpuid_runtime);
+
++static bool kvm_cpuid_has_hyperv(struct kvm_cpuid_entry2 *entries, int nent)
++{
++ struct kvm_cpuid_entry2 *entry;
++
++ entry = cpuid_entry2_find(entries, nent, HYPERV_CPUID_INTERFACE,
++ KVM_CPUID_INDEX_NOT_SIGNIFICANT);
++ return entry && entry->eax == HYPERV_CPUID_SIGNATURE_EAX;
++}
++
+ static void kvm_vcpu_after_set_cpuid(struct kvm_vcpu *vcpu)
+ {
+ struct kvm_lapic *apic = vcpu->arch.apic;
+@@ -346,7 +355,8 @@ static void kvm_vcpu_after_set_cpuid(struct kvm_vcpu *vcpu)
+ vcpu->arch.cr4_guest_rsvd_bits =
+ __cr4_reserved_bits(guest_cpuid_has, vcpu);
+
+- kvm_hv_set_cpuid(vcpu);
++ kvm_hv_set_cpuid(vcpu, kvm_cpuid_has_hyperv(vcpu->arch.cpuid_entries,
++ vcpu->arch.cpuid_nent));
+
+ /* Invoke the vendor callback only after the above state is updated. */
+ static_call(kvm_x86_vcpu_after_set_cpuid)(vcpu);
+@@ -409,6 +419,12 @@ static int kvm_set_cpuid(struct kvm_vcpu *vcpu, struct kvm_cpuid_entry2 *e2,
+ return 0;
+ }
+
++ if (kvm_cpuid_has_hyperv(e2, nent)) {
++ r = kvm_hv_vcpu_init(vcpu);
++ if (r)
++ return r;
++ }
++
+ r = kvm_check_cpuid(vcpu, e2, nent);
+ if (r)
+ return r;
+diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
+index 8aadd31ed058..bf4729e8cc80 100644
+--- a/arch/x86/kvm/hyperv.c
++++ b/arch/x86/kvm/hyperv.c
+@@ -38,9 +38,6 @@
+ #include "irq.h"
+ #include "fpu.h"
+
+-/* "Hv#1" signature */
+-#define HYPERV_CPUID_SIGNATURE_EAX 0x31237648
+-
+ #define KVM_HV_MAX_SPARSE_VCPU_SET_BITS DIV_ROUND_UP(KVM_MAX_VCPUS, 64)
+
+ static void stimer_mark_pending(struct kvm_vcpu_hv_stimer *stimer,
+@@ -934,7 +931,7 @@ static void stimer_init(struct kvm_vcpu_hv_stimer *stimer, int timer_index)
+ stimer_prepare_msg(stimer);
+ }
+
+-static int kvm_hv_vcpu_init(struct kvm_vcpu *vcpu)
++int kvm_hv_vcpu_init(struct kvm_vcpu *vcpu)
+ {
+ struct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu);
+ int i;
+@@ -1984,26 +1981,27 @@ static u64 kvm_hv_send_ipi(struct kvm_vcpu *vcpu, struct kvm_hv_hcall *hc)
+ return HV_STATUS_SUCCESS;
+ }
+
+-void kvm_hv_set_cpuid(struct kvm_vcpu *vcpu)
++void kvm_hv_set_cpuid(struct kvm_vcpu *vcpu, bool hyperv_enabled)
+ {
++ struct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu);
+ struct kvm_cpuid_entry2 *entry;
+- struct kvm_vcpu_hv *hv_vcpu;
+
+- entry = kvm_find_cpuid_entry(vcpu, HYPERV_CPUID_INTERFACE);
+- if (entry && entry->eax == HYPERV_CPUID_SIGNATURE_EAX) {
+- vcpu->arch.hyperv_enabled = true;
+- } else {
+- vcpu->arch.hyperv_enabled = false;
+- return;
+- }
++ vcpu->arch.hyperv_enabled = hyperv_enabled;
+
+- if (kvm_hv_vcpu_init(vcpu))
++ if (!hv_vcpu) {
++ /*
++ * KVM should have already allocated kvm_vcpu_hv if Hyper-V is
++ * enabled in CPUID.
++ */
++ WARN_ON_ONCE(vcpu->arch.hyperv_enabled);
+ return;
+-
+- hv_vcpu = to_hv_vcpu(vcpu);
++ }
+
+ memset(&hv_vcpu->cpuid_cache, 0, sizeof(hv_vcpu->cpuid_cache));
+
++ if (!vcpu->arch.hyperv_enabled)
++ return;
++
+ entry = kvm_find_cpuid_entry(vcpu, HYPERV_CPUID_FEATURES);
+ if (entry) {
+ hv_vcpu->cpuid_cache.features_eax = entry->eax;
+diff --git a/arch/x86/kvm/hyperv.h b/arch/x86/kvm/hyperv.h
+index da2737f2a956..1030b1b50552 100644
+--- a/arch/x86/kvm/hyperv.h
++++ b/arch/x86/kvm/hyperv.h
+@@ -23,6 +23,9 @@
+
+ #include <linux/kvm_host.h>
+
++/* "Hv#1" signature */
++#define HYPERV_CPUID_SIGNATURE_EAX 0x31237648
++
+ /*
+ * The #defines related to the synthetic debugger are required by KDNet, but
+ * they are not documented in the Hyper-V TLFS because the synthetic debugger
+@@ -141,7 +144,8 @@ void kvm_hv_request_tsc_page_update(struct kvm *kvm);
+
+ void kvm_hv_init_vm(struct kvm *kvm);
+ void kvm_hv_destroy_vm(struct kvm *kvm);
+-void kvm_hv_set_cpuid(struct kvm_vcpu *vcpu);
++int kvm_hv_vcpu_init(struct kvm_vcpu *vcpu);
++void kvm_hv_set_cpuid(struct kvm_vcpu *vcpu, bool hyperv_enabled);
+ int kvm_hv_set_enforce_cpuid(struct kvm_vcpu *vcpu, bool enforce);
+ int kvm_vm_ioctl_hv_eventfd(struct kvm *kvm, struct kvm_hyperv_eventfd *args);
+ int kvm_get_hv_cpuid(struct kvm_vcpu *vcpu, struct kvm_cpuid2 *cpuid,
+--
+2.35.1
+
--- /dev/null
+From 062c933fa4de64d23cc794af74f175ad605bc167 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 15:37:07 +0200
+Subject: KVM: x86: Zero out entire Hyper-V CPUID cache before processing
+ entries
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+[ Upstream commit ce2196b831b1e9f8982b2904fc3e8658cc0e6573 ]
+
+Wipe the whole 'hv_vcpu->cpuid_cache' with memset() instead of having to
+zero each particular member when the corresponding CPUID entry was not
+found.
+
+No functional change intended.
+
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+[sean: split to separate patch]
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Wei Liu <wei.liu@kernel.org>
+Link: https://lore.kernel.org/r/20220830133737.1539624-4-vkuznets@redhat.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Stable-dep-of: 3be29eb7b525 ("KVM: x86: Report error when setting CPUID if Hyper-V allocation fails")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/hyperv.c | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
+index ed804447589c..611c349a08bf 100644
+--- a/arch/x86/kvm/hyperv.c
++++ b/arch/x86/kvm/hyperv.c
+@@ -2005,31 +2005,24 @@ void kvm_hv_set_cpuid(struct kvm_vcpu *vcpu)
+
+ hv_vcpu = to_hv_vcpu(vcpu);
+
++ memset(&hv_vcpu->cpuid_cache, 0, sizeof(hv_vcpu->cpuid_cache));
++
+ entry = kvm_find_cpuid_entry(vcpu, HYPERV_CPUID_FEATURES);
+ if (entry) {
+ hv_vcpu->cpuid_cache.features_eax = entry->eax;
+ hv_vcpu->cpuid_cache.features_ebx = entry->ebx;
+ hv_vcpu->cpuid_cache.features_edx = entry->edx;
+- } else {
+- hv_vcpu->cpuid_cache.features_eax = 0;
+- hv_vcpu->cpuid_cache.features_ebx = 0;
+- hv_vcpu->cpuid_cache.features_edx = 0;
+ }
+
+ entry = kvm_find_cpuid_entry(vcpu, HYPERV_CPUID_ENLIGHTMENT_INFO);
+ if (entry) {
+ hv_vcpu->cpuid_cache.enlightenments_eax = entry->eax;
+ hv_vcpu->cpuid_cache.enlightenments_ebx = entry->ebx;
+- } else {
+- hv_vcpu->cpuid_cache.enlightenments_eax = 0;
+- hv_vcpu->cpuid_cache.enlightenments_ebx = 0;
+ }
+
+ entry = kvm_find_cpuid_entry(vcpu, HYPERV_CPUID_SYNDBG_PLATFORM_CAPABILITIES);
+ if (entry)
+ hv_vcpu->cpuid_cache.syndbg_cap_eax = entry->eax;
+- else
+- hv_vcpu->cpuid_cache.syndbg_cap_eax = 0;
+ }
+
+ int kvm_hv_set_enforce_cpuid(struct kvm_vcpu *vcpu, bool enforce)
+--
+2.35.1
+
--- /dev/null
+From 000363787c80459b639749067d7c3bdfef20c0af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Aug 2022 10:02:27 +0200
+Subject: leds: lm3601x: Don't use mutex after it was destroyed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 32f7eed0c763a9b89f6b357ec54b48398fc7b99e ]
+
+The mutex might still be in use until the devm cleanup callback
+devm_led_classdev_flash_release() is called. This only happens some time
+after lm3601x_remove() completed.
+
+Fixes: e63a744871a3 ("leds: lm3601x: Convert class registration to device managed")
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/flash/leds-lm3601x.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/leds/flash/leds-lm3601x.c b/drivers/leds/flash/leds-lm3601x.c
+index d0e1d4814042..3d1272748201 100644
+--- a/drivers/leds/flash/leds-lm3601x.c
++++ b/drivers/leds/flash/leds-lm3601x.c
+@@ -444,8 +444,6 @@ static int lm3601x_remove(struct i2c_client *client)
+ {
+ struct lm3601x_led *led = i2c_get_clientdata(client);
+
+- mutex_destroy(&led->lock);
+-
+ return regmap_update_bits(led->regmap, LM3601X_ENABLE_REG,
+ LM3601X_ENABLE_MASK,
+ LM3601X_MODE_STANDBY);
+--
+2.35.1
+
--- /dev/null
+From f7db7d32eefc03d065d5a59ccfab999c65c1fee5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Aug 2022 18:20:21 +0800
+Subject: libbpf: Do not require executable permission for shared libraries
+
+From: Hengqi Chen <hengqi.chen@gmail.com>
+
+[ Upstream commit 9e32084ef1c33a87a736d6ce3fcb95b60dac9aa1 ]
+
+Currently, resolve_full_path() requires executable permission for both
+programs and shared libraries. This causes failures on distos like Debian
+since the shared libraries are not installed executable and Linux is not
+requiring shared libraries to have executable permissions. Let's remove
+executable permission check for shared libraries.
+
+Reported-by: Goro Fuji <goro@fastly.com>
+Signed-off-by: Hengqi Chen <hengqi.chen@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20220806102021.3867130-1-hengqi.chen@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index c0af210f1acd..6b40c8672ff9 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -10671,15 +10671,17 @@ static const char *arch_specific_lib_paths(void)
+ static int resolve_full_path(const char *file, char *result, size_t result_sz)
+ {
+ const char *search_paths[3] = {};
+- int i;
++ int i, perm;
+
+ if (str_has_sfx(file, ".so") || strstr(file, ".so.")) {
+ search_paths[0] = getenv("LD_LIBRARY_PATH");
+ search_paths[1] = "/usr/lib64:/usr/lib";
+ search_paths[2] = arch_specific_lib_paths();
++ perm = R_OK;
+ } else {
+ search_paths[0] = getenv("PATH");
+ search_paths[1] = "/usr/bin:/usr/sbin";
++ perm = R_OK | X_OK;
+ }
+
+ for (i = 0; i < ARRAY_SIZE(search_paths); i++) {
+@@ -10698,8 +10700,8 @@ static int resolve_full_path(const char *file, char *result, size_t result_sz)
+ if (!seg_len)
+ continue;
+ snprintf(result, result_sz, "%.*s/%s", seg_len, s, file);
+- /* ensure it is an executable file/link */
+- if (access(result, R_OK | X_OK) < 0)
++ /* ensure it has required permissions */
++ if (access(result, perm) < 0)
+ continue;
+ pr_debug("resolved '%s' to '%s'\n", file, result);
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 60556600d27124f6e1fdd7ef5b9425be0e9d935e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 21:29:39 -0700
+Subject: libbpf: Don't require full struct enum64 in UAPI headers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 87dbdc230d162bf9ee1ac77c8ade178b6b1e199e ]
+
+Drop the requirement for system-wide kernel UAPI headers to provide full
+struct btf_enum64 definition. This is an unexpected requirement that
+slipped in libbpf 1.0 and put unnecessary pressure ([0]) on users to have
+a bleeding-edge kernel UAPI header from unreleased Linux 6.0.
+
+To achieve this, we forward declare struct btf_enum64. But that's not
+enough as there is btf_enum64_value() helper that expects to know the
+layout of struct btf_enum64. So we get a bit creative with
+reinterpreting memory layout as array of __u32 and accesing lo32/hi32
+fields as array elements. Alternative way would be to have a local
+pointer variable for anonymous struct with exactly the same layout as
+struct btf_enum64, but that gets us into C++ compiler errors complaining
+about invalid type casts. So play it safe, if ugly.
+
+ [0] Closes: https://github.com/libbpf/libbpf/issues/562
+
+Fixes: d90ec262b35b ("libbpf: Add enum64 support for btf_dump")
+Reported-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Link: https://lore.kernel.org/bpf/20220927042940.147185-1-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf.h | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/btf.h b/tools/lib/bpf/btf.h
+index 583760df83b4..d421d656a076 100644
+--- a/tools/lib/bpf/btf.h
++++ b/tools/lib/bpf/btf.h
+@@ -487,6 +487,8 @@ static inline struct btf_enum *btf_enum(const struct btf_type *t)
+ return (struct btf_enum *)(t + 1);
+ }
+
++struct btf_enum64;
++
+ static inline struct btf_enum64 *btf_enum64(const struct btf_type *t)
+ {
+ return (struct btf_enum64 *)(t + 1);
+@@ -494,7 +496,28 @@ static inline struct btf_enum64 *btf_enum64(const struct btf_type *t)
+
+ static inline __u64 btf_enum64_value(const struct btf_enum64 *e)
+ {
+- return ((__u64)e->val_hi32 << 32) | e->val_lo32;
++ /* struct btf_enum64 is introduced in Linux 6.0, which is very
++ * bleeding-edge. Here we are avoiding relying on struct btf_enum64
++ * definition coming from kernel UAPI headers to support wider range
++ * of system-wide kernel headers.
++ *
++ * Given this header can be also included from C++ applications, that
++ * further restricts C tricks we can use (like using compatible
++ * anonymous struct). So just treat struct btf_enum64 as
++ * a three-element array of u32 and access second (lo32) and third
++ * (hi32) elements directly.
++ *
++ * For reference, here is a struct btf_enum64 definition:
++ *
++ * const struct btf_enum64 {
++ * __u32 name_off;
++ * __u32 val_lo32;
++ * __u32 val_hi32;
++ * };
++ */
++ const __u32 *e64 = (const __u32 *)e;
++
++ return ((__u64)e64[2] << 32) | e64[1];
+ }
+
+ static inline struct btf_member *btf_members(const struct btf_type *t)
+--
+2.35.1
+
--- /dev/null
+From 84abc32390c2c7f95082274e2f99a4190311646c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Aug 2022 09:14:03 -0600
+Subject: libbpf: Ensure functions with always_inline attribute are inline
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: James Hilliard <james.hilliard1@gmail.com>
+
+[ Upstream commit d25f40ff68aa61c838947bb9adee6c6b36e77453 ]
+
+GCC expects the always_inline attribute to only be set on inline
+functions, as such we should make all functions with this attribute
+use the __always_inline macro which makes the function inline and
+sets the attribute.
+
+Fixes errors like:
+/home/buildroot/bpf-next/tools/testing/selftests/bpf/tools/include/bpf/bpf_tracing.h:439:1: error: ‘always_inline’ function might not be inlinable [-Werror=attributes]
+ 439 | ____##name(unsigned long long *ctx, ##args)
+ | ^~~~
+
+Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Link: https://lore.kernel.org/bpf/20220803151403.793024-1-james.hilliard1@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf_tracing.h | 14 +++++++-------
+ tools/lib/bpf/usdt.bpf.h | 4 ++--
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/tools/lib/bpf/bpf_tracing.h b/tools/lib/bpf/bpf_tracing.h
+index 43ca3aff2292..5fdb93da423b 100644
+--- a/tools/lib/bpf/bpf_tracing.h
++++ b/tools/lib/bpf/bpf_tracing.h
+@@ -426,7 +426,7 @@ struct pt_regs;
+ */
+ #define BPF_PROG(name, args...) \
+ name(unsigned long long *ctx); \
+-static __attribute__((always_inline)) typeof(name(0)) \
++static __always_inline typeof(name(0)) \
+ ____##name(unsigned long long *ctx, ##args); \
+ typeof(name(0)) name(unsigned long long *ctx) \
+ { \
+@@ -435,7 +435,7 @@ typeof(name(0)) name(unsigned long long *ctx) \
+ return ____##name(___bpf_ctx_cast(args)); \
+ _Pragma("GCC diagnostic pop") \
+ } \
+-static __attribute__((always_inline)) typeof(name(0)) \
++static __always_inline typeof(name(0)) \
+ ____##name(unsigned long long *ctx, ##args)
+
+ struct pt_regs;
+@@ -460,7 +460,7 @@ struct pt_regs;
+ */
+ #define BPF_KPROBE(name, args...) \
+ name(struct pt_regs *ctx); \
+-static __attribute__((always_inline)) typeof(name(0)) \
++static __always_inline typeof(name(0)) \
+ ____##name(struct pt_regs *ctx, ##args); \
+ typeof(name(0)) name(struct pt_regs *ctx) \
+ { \
+@@ -469,7 +469,7 @@ typeof(name(0)) name(struct pt_regs *ctx) \
+ return ____##name(___bpf_kprobe_args(args)); \
+ _Pragma("GCC diagnostic pop") \
+ } \
+-static __attribute__((always_inline)) typeof(name(0)) \
++static __always_inline typeof(name(0)) \
+ ____##name(struct pt_regs *ctx, ##args)
+
+ #define ___bpf_kretprobe_args0() ctx
+@@ -484,7 +484,7 @@ ____##name(struct pt_regs *ctx, ##args)
+ */
+ #define BPF_KRETPROBE(name, args...) \
+ name(struct pt_regs *ctx); \
+-static __attribute__((always_inline)) typeof(name(0)) \
++static __always_inline typeof(name(0)) \
+ ____##name(struct pt_regs *ctx, ##args); \
+ typeof(name(0)) name(struct pt_regs *ctx) \
+ { \
+@@ -540,7 +540,7 @@ static __always_inline typeof(name(0)) ____##name(struct pt_regs *ctx, ##args)
+ #define BPF_KSYSCALL(name, args...) \
+ name(struct pt_regs *ctx); \
+ extern _Bool LINUX_HAS_SYSCALL_WRAPPER __kconfig; \
+-static __attribute__((always_inline)) typeof(name(0)) \
++static __always_inline typeof(name(0)) \
+ ____##name(struct pt_regs *ctx, ##args); \
+ typeof(name(0)) name(struct pt_regs *ctx) \
+ { \
+@@ -555,7 +555,7 @@ typeof(name(0)) name(struct pt_regs *ctx) \
+ return ____##name(___bpf_syscall_args(args)); \
+ _Pragma("GCC diagnostic pop") \
+ } \
+-static __attribute__((always_inline)) typeof(name(0)) \
++static __always_inline typeof(name(0)) \
+ ____##name(struct pt_regs *ctx, ##args)
+
+ #define BPF_KPROBE_SYSCALL BPF_KSYSCALL
+diff --git a/tools/lib/bpf/usdt.bpf.h b/tools/lib/bpf/usdt.bpf.h
+index 4f2adc0bd6ca..fdfd235e52c4 100644
+--- a/tools/lib/bpf/usdt.bpf.h
++++ b/tools/lib/bpf/usdt.bpf.h
+@@ -232,7 +232,7 @@ long bpf_usdt_cookie(struct pt_regs *ctx)
+ */
+ #define BPF_USDT(name, args...) \
+ name(struct pt_regs *ctx); \
+-static __attribute__((always_inline)) typeof(name(0)) \
++static __always_inline typeof(name(0)) \
+ ____##name(struct pt_regs *ctx, ##args); \
+ typeof(name(0)) name(struct pt_regs *ctx) \
+ { \
+@@ -241,7 +241,7 @@ typeof(name(0)) name(struct pt_regs *ctx) \
+ return ____##name(___bpf_usdt_args(args)); \
+ _Pragma("GCC diagnostic pop") \
+ } \
+-static __attribute__((always_inline)) typeof(name(0)) \
++static __always_inline typeof(name(0)) \
+ ____##name(struct pt_regs *ctx, ##args)
+
+ #endif /* __USDT_BPF_H__ */
+--
+2.35.1
+
--- /dev/null
+From c50cfb75f3513d6e2ab5464306abb395f085b482 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 12:30:52 -0700
+Subject: libbpf: Fix crash if SEC("freplace") programs don't have
+ attach_prog_fd set
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 749c202cb6ea40f4d7ac95c4a1217a7b506f43a8 ]
+
+Fix SIGSEGV caused by libbpf trying to find attach type in vmlinux BTF
+for freplace programs. It's wrong to search in vmlinux BTF and libbpf
+doesn't even mark vmlinux BTF as required for freplace programs. So
+trying to search anything in obj->vmlinux_btf might cause NULL
+dereference if nothing else in BPF object requires vmlinux BTF.
+
+Instead, error out if freplace (EXT) program doesn't specify
+attach_prog_fd during at the load time.
+
+Fixes: 91abb4a6d79d ("libbpf: Support attachment of BPF tracing programs to kernel modules")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20220909193053.577111-3-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 159f60a245c0..c0af210f1acd 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -9060,11 +9060,15 @@ static int libbpf_find_attach_btf_id(struct bpf_program *prog, const char *attac
+ int err = 0;
+
+ /* BPF program's BTF ID */
+- if (attach_prog_fd) {
++ if (prog->type == BPF_PROG_TYPE_EXT || attach_prog_fd) {
++ if (!attach_prog_fd) {
++ pr_warn("prog '%s': attach program FD is not set\n", prog->name);
++ return -EINVAL;
++ }
+ err = libbpf_find_prog_btf_id(attach_name, attach_prog_fd);
+ if (err < 0) {
+- pr_warn("failed to find BPF program (FD %d) BTF ID for '%s': %d\n",
+- attach_prog_fd, attach_name, err);
++ pr_warn("prog '%s': failed to find BPF program (FD %d) BTF ID for '%s': %d\n",
++ prog->name, attach_prog_fd, attach_name, err);
+ return err;
+ }
+ *btf_obj_fd = 0;
+@@ -9081,7 +9085,8 @@ static int libbpf_find_attach_btf_id(struct bpf_program *prog, const char *attac
+ err = find_kernel_btf_id(prog->obj, attach_name, attach_type, btf_obj_fd, btf_type_id);
+ }
+ if (err) {
+- pr_warn("failed to find kernel BTF type ID of '%s': %d\n", attach_name, err);
++ pr_warn("prog '%s': failed to find kernel BTF type ID of '%s': %d\n",
++ prog->name, attach_name, err);
+ return err;
+ }
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From e14f6a13eb6ed84a7ae7b1ce4fd1e8580dd26f93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Sep 2022 16:48:09 +0800
+Subject: libbpf: Fix NULL pointer exception in API btf_dump__dump_type_data
+
+From: Xin Liu <liuxin350@huawei.com>
+
+[ Upstream commit 7620bffbf72cd66a5d18e444a143b5b5989efa87 ]
+
+We found that function btf_dump__dump_type_data can be called by the
+user as an API, but in this function, the `opts` parameter may be used
+as a null pointer.This causes `opts->indent_str` to trigger a NULL
+pointer exception.
+
+Fixes: 2ce8450ef5a3 ("libbpf: add bpf_object__open_{file, mem} w/ extensible opts")
+Signed-off-by: Xin Liu <liuxin350@huawei.com>
+Signed-off-by: Weibin Kong <kongweibin2@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20220917084809.30770-1-liuxin350@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf_dump.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c
+index 627edb5bb6de..4221f73a74d0 100644
+--- a/tools/lib/bpf/btf_dump.c
++++ b/tools/lib/bpf/btf_dump.c
+@@ -2385,7 +2385,7 @@ int btf_dump__dump_type_data(struct btf_dump *d, __u32 id,
+ d->typed_dump->indent_lvl = OPTS_GET(opts, indent_level, 0);
+
+ /* default indent string is a tab */
+- if (!opts->indent_str)
++ if (!OPTS_GET(opts, indent_str, NULL))
+ d->typed_dump->indent_str[0] = '\t';
+ else
+ libbpf_strlcpy(d->typed_dump->indent_str, opts->indent_str,
+--
+2.35.1
+
--- /dev/null
+From fc507139c99490c30a4fdf361558432b6583cf97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 17:07:08 +0800
+Subject: libbpf: Fix overrun in netlink attribute iteration
+
+From: Xin Liu <liuxin350@huawei.com>
+
+[ Upstream commit 51e05a8cf8eb34da7473823b7f236a77adfef0b4 ]
+
+I accidentally found that a change in commit 1045b03e07d8 ("netlink: fix
+overrun in attribute iteration") was not synchronized to the function
+`nla_ok` in tools/lib/bpf/nlattr.c, I think it is necessary to modify,
+this patch will do it.
+
+Signed-off-by: Xin Liu <liuxin350@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20220930090708.62394-1-liuxin350@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/nlattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/nlattr.c b/tools/lib/bpf/nlattr.c
+index f57e77a6e40f..3900d052ed19 100644
+--- a/tools/lib/bpf/nlattr.c
++++ b/tools/lib/bpf/nlattr.c
+@@ -32,7 +32,7 @@ static struct nlattr *nla_next(const struct nlattr *nla, int *remaining)
+
+ static int nla_ok(const struct nlattr *nla, int remaining)
+ {
+- return remaining >= sizeof(*nla) &&
++ return remaining >= (int)sizeof(*nla) &&
+ nla->nla_len >= sizeof(*nla) &&
+ nla->nla_len <= remaining;
+ }
+--
+2.35.1
+
--- /dev/null
+From 840907e2c3ddba191cce6d1dd2ba876e60d44cdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Aug 2022 17:19:26 -0700
+Subject: libbpf: Fix potential NULL dereference when parsing ELF
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit d4e6d684f3bea46a2fc195765c77a3b26bcb080e ]
+
+Fix if condition filtering empty ELF sections to prevent NULL
+dereference.
+
+Fixes: 47ea7417b074 ("libbpf: Skip empty sections in bpf_object__init_global_data_maps")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Hao Luo <haoluo@google.com>
+Link: https://lore.kernel.org/bpf/20220816001929.369487-2-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 77e3797cf75a..159f60a245c0 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -1643,7 +1643,7 @@ static int bpf_object__init_global_data_maps(struct bpf_object *obj)
+ sec_desc = &obj->efile.secs[sec_idx];
+
+ /* Skip recognized sections with size 0. */
+- if (sec_desc->data && sec_desc->data->d_size == 0)
++ if (!sec_desc->data || sec_desc->data->d_size == 0)
+ continue;
+
+ switch (sec_desc->sec_type) {
+--
+2.35.1
+
--- /dev/null
+From b6158655e7cab61ffe665009fcb576e2add7bf26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Jul 2022 19:51:09 -0700
+Subject: libbpf: Initialize err in probe_map_create
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 3045f42a64324d339125a8a1a1763bb9e1e08300 ]
+
+GCC-11 warns about the possibly unitialized err variable in
+probe_map_create:
+
+libbpf_probes.c: In function 'probe_map_create':
+libbpf_probes.c:361:38: error: 'err' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+ 361 | return fd < 0 && err == exp_err ? 1 : 0;
+ | ~~~~^~~~~~~~~~
+
+Fixes: 878d8def0603 ("libbpf: Rework feature-probing APIs")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Link: https://lore.kernel.org/bpf/20220801025109.1206633-1-f.fainelli@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf_probes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf_probes.c b/tools/lib/bpf/libbpf_probes.c
+index 0b5398786bf3..6d495656f554 100644
+--- a/tools/lib/bpf/libbpf_probes.c
++++ b/tools/lib/bpf/libbpf_probes.c
+@@ -193,7 +193,7 @@ static int probe_map_create(enum bpf_map_type map_type)
+ LIBBPF_OPTS(bpf_map_create_opts, opts);
+ int key_size, value_size, max_entries;
+ __u32 btf_key_type_id = 0, btf_value_type_id = 0;
+- int fd = -1, btf_fd = -1, fd_inner = -1, exp_err = 0, err;
++ int fd = -1, btf_fd = -1, fd_inner = -1, exp_err = 0, err = 0;
+
+ key_size = sizeof(__u32);
+ value_size = sizeof(__u32);
+--
+2.35.1
+
--- /dev/null
+From 70ae7d459f840af450fc44645c14af71204894b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Sep 2022 16:05:59 -0700
+Subject: libbpf: restore memory layout of bpf_object_open_opts
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit dbdea9b36fb61da3b9a1be0dd63542e2bfd3e5d7 ]
+
+When attach_prog_fd field was removed in libbpf 1.0 and replaced with
+`long: 0` placeholder, it actually shifted all the subsequent fields by
+8 byte. This is due to `long: 0` promising to adjust next field's offset
+to long-aligned offset. But in this case we were already long-aligned
+as pin_root_path is a pointer. So `long: 0` had no effect, and thus
+didn't feel the gap created by removed attach_prog_fd.
+
+Non-zero bitfield should have been used instead. I validated using
+pahole. Originally kconfig field was at offset 40. With `long: 0` it's
+at offset 32, which is wrong. With this change it's back at offset 40.
+
+While technically libbpf 1.0 is allowed to break backwards
+compatibility and applications should have been recompiled against
+libbpf 1.0 headers, but given how trivial it is to preserve memory
+layout, let's fix this.
+
+Reported-by: Grant Seltzer Richman <grantseltzer@gmail.com>
+Fixes: 146bf811f5ac ("libbpf: remove most other deprecated high-level APIs")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/r/20220923230559.666608-1-andrii@kernel.org
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf.h b/tools/lib/bpf/libbpf.h
+index 61493c4cddac..9f956e6058ed 100644
+--- a/tools/lib/bpf/libbpf.h
++++ b/tools/lib/bpf/libbpf.h
+@@ -118,7 +118,9 @@ struct bpf_object_open_opts {
+ * auto-pinned to that path on load; defaults to "/sys/fs/bpf".
+ */
+ const char *pin_root_path;
+- long :0;
++
++ __u32 :32; /* stub out now removed attach_prog_fd */
++
+ /* Additional kernel config content that augments and overrides
+ * system Kconfig for CONFIG_xxx externs.
+ */
+--
+2.35.1
+
--- /dev/null
+From 53cf72d08dd3e8e7e86b880f4355459ce35bcfe7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Jul 2022 17:26:49 -0600
+Subject: libbpf: Skip empty sections in bpf_object__init_global_data_maps
+
+From: James Hilliard <james.hilliard1@gmail.com>
+
+[ Upstream commit 47ea7417b0744324424405fc1207e266053237a9 ]
+
+The GNU assembler generates an empty .bss section. This is a well
+established behavior in GAS that happens in all supported targets.
+
+The LLVM assembler doesn't generate an empty .bss section.
+
+bpftool chokes on the empty .bss section.
+
+Additionally in bpf_object__elf_collect the sec_desc->data is not
+initialized when a section is not recognized. In this case, this
+happens with .comment.
+
+So we must check that sec_desc->data is initialized before checking
+if the size is 0.
+
+Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Link: https://lore.kernel.org/bpf/20220731232649.4668-1-james.hilliard1@gmail.com
+Stable-dep-of: 3045f42a6432 ("libbpf: Initialize err in probe_map_create")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 50d41815f431..77e3797cf75a 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -1642,6 +1642,10 @@ static int bpf_object__init_global_data_maps(struct bpf_object *obj)
+ for (sec_idx = 1; sec_idx < obj->efile.sec_cnt; sec_idx++) {
+ sec_desc = &obj->efile.secs[sec_idx];
+
++ /* Skip recognized sections with size 0. */
++ if (sec_desc->data && sec_desc->data->d_size == 0)
++ continue;
++
+ switch (sec_desc->sec_type) {
+ case SEC_DATA:
+ sec_name = elf_sec_name(obj, elf_sec_by_idx(obj, sec_idx));
+--
+2.35.1
+
--- /dev/null
+From 76dfe5d873c9954917f856d204c65045553d6279 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 15:29:53 +0900
+Subject: linux/export: use inline assembler to populate symbol CRCs
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit f3304ecd7f060db1d4197fbdce5a503259f770d3 ]
+
+Since commit 7b4537199a4a ("kbuild: link symbol CRCs at final link,
+removing CONFIG_MODULE_REL_CRCS"), the module versioning on the
+(non-upstreamed-yet) kvx Linux port is broken due to unexpected padding
+for __crc_* symbols. The kvx GCC adds padding so u32 gets 8-byte
+alignment instead of 4.
+
+I do not know if this happens for upstream architectures in general,
+but any compiler has the freedom to insert padding for faster access.
+
+Use the inline assembler to directly specify the wanted data layout.
+This is how we previously did before the breakage.
+
+Link: https://lore.kernel.org/lkml/20220817161438.32039-1-ysionneau@kalray.eu/
+Link: https://lore.kernel.org/linux-kbuild/31ce5305-a76b-13d7-ea55-afca82c46cf2@kalray.eu/
+Fixes: 7b4537199a4a ("kbuild: link symbol CRCs at final link, removing CONFIG_MODULE_REL_CRCS")
+Reported-by: Yann Sionneau <ysionneau@kalray.eu>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Tested-by: Yann Sionneau <ysionneau@kalray.eu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/export-internal.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/export-internal.h b/include/linux/export-internal.h
+index c2b1d4fd5987..fe7e6ba918f1 100644
+--- a/include/linux/export-internal.h
++++ b/include/linux/export-internal.h
+@@ -10,8 +10,10 @@
+ #include <linux/compiler.h>
+ #include <linux/types.h>
+
+-/* __used is needed to keep __crc_* for LTO */
+ #define SYMBOL_CRC(sym, crc, sec) \
+- u32 __section("___kcrctab" sec "+" #sym) __used __crc_##sym = crc
++ asm(".section \"___kcrctab" sec "+" #sym "\",\"a\"" "\n" \
++ "__crc_" #sym ":" "\n" \
++ ".long " #crc "\n" \
++ ".previous" "\n")
+
+ #endif /* __LINUX_EXPORT_INTERNAL_H__ */
+--
+2.35.1
+
--- /dev/null
+From caf760b893541c268b44b5d52ac9ea52c7e770ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 17:53:17 +0300
+Subject: locks: fix TOCTOU race when granting write lease
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+[ Upstream commit d6da19c9cace63290ccfccb1fc35151ffefc0bec ]
+
+Thread A trying to acquire a write lease checks the value of i_readcount
+and i_writecount in check_conflicting_open() to verify that its own fd
+is the only fd referencing the file.
+
+Thread B trying to open the file for read will call break_lease() in
+do_dentry_open() before incrementing i_readcount, which leaves a small
+window where thread A can acquire the write lease and then thread B
+completes the open of the file for read without breaking the write lease
+that was acquired by thread A.
+
+Fix this race by incrementing i_readcount before checking for existing
+leases, same as the case with i_writecount.
+
+Use a helper put_file_access() to decrement i_readcount or i_writecount
+in do_dentry_open() and __fput().
+
+Fixes: 387e3746d01c ("locks: eliminate false positive conflicts for write lease")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/file_table.c | 7 +------
+ fs/internal.h | 10 ++++++++++
+ fs/open.c | 11 ++++-------
+ 3 files changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/fs/file_table.c b/fs/file_table.c
+index 99c6796c9f28..dd88701e54a9 100644
+--- a/fs/file_table.c
++++ b/fs/file_table.c
+@@ -324,12 +324,7 @@ static void __fput(struct file *file)
+ }
+ fops_put(file->f_op);
+ put_pid(file->f_owner.pid);
+- if ((mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
+- i_readcount_dec(inode);
+- if (mode & FMODE_WRITER) {
+- put_write_access(inode);
+- __mnt_drop_write(mnt);
+- }
++ put_file_access(file);
+ dput(dentry);
+ if (unlikely(mode & FMODE_NEED_UNMOUNT))
+ dissolve_on_fput(mnt);
+diff --git a/fs/internal.h b/fs/internal.h
+index 3e206d3e317c..4372d67a3753 100644
+--- a/fs/internal.h
++++ b/fs/internal.h
+@@ -102,6 +102,16 @@ extern void chroot_fs_refs(const struct path *, const struct path *);
+ extern struct file *alloc_empty_file(int, const struct cred *);
+ extern struct file *alloc_empty_file_noaccount(int, const struct cred *);
+
++static inline void put_file_access(struct file *file)
++{
++ if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) {
++ i_readcount_dec(file->f_inode);
++ } else if (file->f_mode & FMODE_WRITER) {
++ put_write_access(file->f_inode);
++ __mnt_drop_write(file->f_path.mnt);
++ }
++}
++
+ /*
+ * super.c
+ */
+diff --git a/fs/open.c b/fs/open.c
+index cf7e5c350a54..a81319b6177f 100644
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -842,7 +842,9 @@ static int do_dentry_open(struct file *f,
+ return 0;
+ }
+
+- if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) {
++ if ((f->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) {
++ i_readcount_inc(inode);
++ } else if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) {
+ error = get_write_access(inode);
+ if (unlikely(error))
+ goto cleanup_file;
+@@ -882,8 +884,6 @@ static int do_dentry_open(struct file *f,
+ goto cleanup_all;
+ }
+ f->f_mode |= FMODE_OPENED;
+- if ((f->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
+- i_readcount_inc(inode);
+ if ((f->f_mode & FMODE_READ) &&
+ likely(f->f_op->read || f->f_op->read_iter))
+ f->f_mode |= FMODE_CAN_READ;
+@@ -937,10 +937,7 @@ static int do_dentry_open(struct file *f,
+ if (WARN_ON_ONCE(error > 0))
+ error = -EINVAL;
+ fops_put(f->f_op);
+- if (f->f_mode & FMODE_WRITER) {
+- put_write_access(inode);
+- __mnt_drop_write(f->f_path.mnt);
+- }
++ put_file_access(f);
+ cleanup_file:
+ path_put(&f->f_path);
+ f->f_path.mnt = NULL;
+--
+2.35.1
+
--- /dev/null
+From 8222dae4451abc1d5b3ff74e4efc132e2390f393 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 15:08:34 +0200
+Subject: m68k: Process bootinfo records before saving them
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+[ Upstream commit 7c236d93c6764dcaca7ab66d76768a044647876d ]
+
+The RNG seed boot record is memzeroed after processing, in order to
+preserve forward secrecy. By saving the bootinfo for procfs prior to
+that, forward secrecy is violated, since it becomes possible to recover
+past states. So, save the bootinfo block only after first processing
+them.
+
+Fixes: a1ee38ab1a75 ("m68k: virt: Use RNG seed from bootinfo block")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Link: https://lore.kernel.org/r/20220927130835.1629806-1-Jason@zx2c4.com
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/kernel/setup_mm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/m68k/kernel/setup_mm.c b/arch/m68k/kernel/setup_mm.c
+index e62fa8f2149b..7e7ef67cff8b 100644
+--- a/arch/m68k/kernel/setup_mm.c
++++ b/arch/m68k/kernel/setup_mm.c
+@@ -109,10 +109,9 @@ extern void paging_init(void);
+
+ static void __init m68k_parse_bootinfo(const struct bi_record *record)
+ {
++ const struct bi_record *first_record = record;
+ uint16_t tag;
+
+- save_bootinfo(record);
+-
+ while ((tag = be16_to_cpu(record->tag)) != BI_LAST) {
+ int unknown = 0;
+ const void *data = record->data;
+@@ -182,6 +181,8 @@ static void __init m68k_parse_bootinfo(const struct bi_record *record)
+ record = (struct bi_record *)((unsigned long)record + size);
+ }
+
++ save_bootinfo(first_record);
++
+ m68k_realnum_memory = m68k_num_memory;
+ #ifdef CONFIG_SINGLE_MEMORY_CHUNK
+ if (m68k_num_memory > 1) {
+--
+2.35.1
+
--- /dev/null
+From bcf3d547da7e59c431beaad0c7009275b32b2be7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 12:13:35 +0200
+Subject: mailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sg
+
+From: Jack Wang <jinpu.wang@ionos.com>
+
+[ Upstream commit 6b207ce8a96a71e966831e3a13c38143ba9a73c1 ]
+
+dma_map_sg return 0 on error, fix the error check, and return -EIO
+to caller.
+
+Fixes: dbc049eee730 ("mailbox: Add driver for Broadcom FlexRM ring manager")
+Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/bcm-flexrm-mailbox.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mailbox/bcm-flexrm-mailbox.c b/drivers/mailbox/bcm-flexrm-mailbox.c
+index fda16f76401e..bf6e86b0ed09 100644
+--- a/drivers/mailbox/bcm-flexrm-mailbox.c
++++ b/drivers/mailbox/bcm-flexrm-mailbox.c
+@@ -622,15 +622,15 @@ static int flexrm_spu_dma_map(struct device *dev, struct brcm_message *msg)
+
+ rc = dma_map_sg(dev, msg->spu.src, sg_nents(msg->spu.src),
+ DMA_TO_DEVICE);
+- if (rc < 0)
+- return rc;
++ if (!rc)
++ return -EIO;
+
+ rc = dma_map_sg(dev, msg->spu.dst, sg_nents(msg->spu.dst),
+ DMA_FROM_DEVICE);
+- if (rc < 0) {
++ if (!rc) {
+ dma_unmap_sg(dev, msg->spu.src, sg_nents(msg->spu.src),
+ DMA_TO_DEVICE);
+- return rc;
++ return -EIO;
+ }
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 3ff61b23257ca9cc48e2440aa719e38d4e823982 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 11:01:36 +0800
+Subject: mailbox: imx: fix RST channel support
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 7e5cd064f73ccecd2ac1aadca078394bd25ea3ce ]
+
+Because IMX_MU_xCR_MAX was increased to 5, some mu cfgs were not updated
+to include the CR register. Add the missed CR register to xcr array.
+
+Fixes: 82ab513baed5 ("mailbox: imx: support RST channel")
+Reported-by: Liu Ying <victor.liu@nxp.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Tested-by: Liu Ying <victor.liu@nxp.com> # i.MX8qm/qxp MEK boards boot
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/imx-mailbox.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/mailbox/imx-mailbox.c b/drivers/mailbox/imx-mailbox.c
+index 02922073c9ef..20f2ec880ad6 100644
+--- a/drivers/mailbox/imx-mailbox.c
++++ b/drivers/mailbox/imx-mailbox.c
+@@ -904,7 +904,7 @@ static const struct imx_mu_dcfg imx_mu_cfg_imx7ulp = {
+ .xTR = 0x20,
+ .xRR = 0x40,
+ .xSR = {0x60, 0x60, 0x60, 0x60},
+- .xCR = {0x64, 0x64, 0x64, 0x64},
++ .xCR = {0x64, 0x64, 0x64, 0x64, 0x64},
+ };
+
+ static const struct imx_mu_dcfg imx_mu_cfg_imx8ulp = {
+@@ -927,7 +927,7 @@ static const struct imx_mu_dcfg imx_mu_cfg_imx8ulp_s4 = {
+ .xTR = 0x200,
+ .xRR = 0x280,
+ .xSR = {0xC, 0x118, 0x124, 0x12C},
+- .xCR = {0x110, 0x114, 0x120, 0x128},
++ .xCR = {0x8, 0x110, 0x114, 0x120, 0x128},
+ };
+
+ static const struct imx_mu_dcfg imx_mu_cfg_imx93_s4 = {
+@@ -938,7 +938,7 @@ static const struct imx_mu_dcfg imx_mu_cfg_imx93_s4 = {
+ .xTR = 0x200,
+ .xRR = 0x280,
+ .xSR = {0xC, 0x118, 0x124, 0x12C},
+- .xCR = {0x110, 0x114, 0x120, 0x128},
++ .xCR = {0x8, 0x110, 0x114, 0x120, 0x128},
+ };
+
+ static const struct imx_mu_dcfg imx_mu_cfg_imx8_scu = {
+@@ -949,7 +949,7 @@ static const struct imx_mu_dcfg imx_mu_cfg_imx8_scu = {
+ .xTR = 0x0,
+ .xRR = 0x10,
+ .xSR = {0x20, 0x20, 0x20, 0x20},
+- .xCR = {0x24, 0x24, 0x24, 0x24},
++ .xCR = {0x24, 0x24, 0x24, 0x24, 0x24},
+ };
+
+ static const struct imx_mu_dcfg imx_mu_cfg_imx8_seco = {
+@@ -960,7 +960,7 @@ static const struct imx_mu_dcfg imx_mu_cfg_imx8_seco = {
+ .xTR = 0x0,
+ .xRR = 0x10,
+ .xSR = {0x20, 0x20, 0x20, 0x20},
+- .xCR = {0x24, 0x24, 0x24, 0x24},
++ .xCR = {0x24, 0x24, 0x24, 0x24, 0x24},
+ };
+
+ static const struct of_device_id imx_mu_dt_ids[] = {
+--
+2.35.1
+
--- /dev/null
+From adddf0bead7936691fee4c19e970c429df2ee59f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Aug 2022 08:08:12 +0100
+Subject: mailbox: mpfs: account for mbox offsets while sending
+
+From: Conor Dooley <conor.dooley@microchip.com>
+
+[ Upstream commit 0d1aadfe10ba17ebdeb96abb9638eb0f623f9b55 ]
+
+The mailbox offset is not only used for receiving messages, but it is
+also used by messages sent to the system controller by Linux that have a
+payload, such as the "digital signature service". It is also overloaded
+by certain other services (reprogramming of the FPGA fabric, see Link:)
+to have a meaning other than the offset the system controller should
+read from.
+When the driver was written, no such services of the latter type were
+in use & those of the former used an offset of zero so this has gone
+un-noticed.
+
+Link: https://www.microsemi.com/document-portal/doc_download/1245815-polarfire-fpga-and-polarfire-soc-fpga-system-services-user-guide # Section 5.2
+Fixes: 83d7b1560810 ("mbox: add polarfire soc system controller mailbox")
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/mailbox-mpfs.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mailbox/mailbox-mpfs.c b/drivers/mailbox/mailbox-mpfs.c
+index e432a8f0d148..cfacb3f320a6 100644
+--- a/drivers/mailbox/mailbox-mpfs.c
++++ b/drivers/mailbox/mailbox-mpfs.c
+@@ -100,21 +100,20 @@ static int mpfs_mbox_send_data(struct mbox_chan *chan, void *data)
+
+ for (index = 0; index < (msg->cmd_data_size / 4); index++)
+ writel_relaxed(word_buf[index],
+- mbox->mbox_base + index * 0x4);
++ mbox->mbox_base + msg->mbox_offset + index * 0x4);
+ if (extra_bits) {
+ u8 i;
+ u8 byte_off = ALIGN_DOWN(msg->cmd_data_size, 4);
+ u8 *byte_buf = msg->cmd_data + byte_off;
+
+- val = readl_relaxed(mbox->mbox_base + index * 0x4);
++ val = readl_relaxed(mbox->mbox_base + msg->mbox_offset + index * 0x4);
+
+ for (i = 0u; i < extra_bits; i++) {
+ val &= ~(0xffu << (i * 8u));
+ val |= (byte_buf[i] << (i * 8u));
+ }
+
+- writel_relaxed(val,
+- mbox->mbox_base + index * 0x4);
++ writel_relaxed(val, mbox->mbox_base + msg->mbox_offset + index * 0x4);
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 7e1421a24ad12b78a6431b5796f9e1f4fc190e80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Aug 2022 08:08:11 +0100
+Subject: mailbox: mpfs: fix handling of the reg property
+
+From: Conor Dooley <conor.dooley@microchip.com>
+
+[ Upstream commit 2e10289d1f304f5082a4dda55a677b72b3bdb581 ]
+
+The "data" region of the PolarFire SoC's system controller mailbox is
+not one continuous register space - the system controller's QSPI sits
+between the control and data registers. Split the "data" reg into two
+parts: "data" & "control". Optionally get the "data" register address
+from the 3rd reg property in the devicetree & fall back to using the
+old base + MAILBOX_REG_OFFSET that the current code uses.
+
+Fixes: 83d7b1560810 ("mbox: add polarfire soc system controller mailbox")
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/mailbox-mpfs.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/mailbox/mailbox-mpfs.c b/drivers/mailbox/mailbox-mpfs.c
+index 4e34854d1238..e432a8f0d148 100644
+--- a/drivers/mailbox/mailbox-mpfs.c
++++ b/drivers/mailbox/mailbox-mpfs.c
+@@ -62,6 +62,7 @@ struct mpfs_mbox {
+ struct mbox_controller controller;
+ struct device *dev;
+ int irq;
++ void __iomem *ctrl_base;
+ void __iomem *mbox_base;
+ void __iomem *int_reg;
+ struct mbox_chan chans[1];
+@@ -73,7 +74,7 @@ static bool mpfs_mbox_busy(struct mpfs_mbox *mbox)
+ {
+ u32 status;
+
+- status = readl_relaxed(mbox->mbox_base + SERVICES_SR_OFFSET);
++ status = readl_relaxed(mbox->ctrl_base + SERVICES_SR_OFFSET);
+
+ return status & SCB_STATUS_BUSY_MASK;
+ }
+@@ -99,14 +100,13 @@ static int mpfs_mbox_send_data(struct mbox_chan *chan, void *data)
+
+ for (index = 0; index < (msg->cmd_data_size / 4); index++)
+ writel_relaxed(word_buf[index],
+- mbox->mbox_base + MAILBOX_REG_OFFSET + index * 0x4);
++ mbox->mbox_base + index * 0x4);
+ if (extra_bits) {
+ u8 i;
+ u8 byte_off = ALIGN_DOWN(msg->cmd_data_size, 4);
+ u8 *byte_buf = msg->cmd_data + byte_off;
+
+- val = readl_relaxed(mbox->mbox_base +
+- MAILBOX_REG_OFFSET + index * 0x4);
++ val = readl_relaxed(mbox->mbox_base + index * 0x4);
+
+ for (i = 0u; i < extra_bits; i++) {
+ val &= ~(0xffu << (i * 8u));
+@@ -114,14 +114,14 @@ static int mpfs_mbox_send_data(struct mbox_chan *chan, void *data)
+ }
+
+ writel_relaxed(val,
+- mbox->mbox_base + MAILBOX_REG_OFFSET + index * 0x4);
++ mbox->mbox_base + index * 0x4);
+ }
+ }
+
+ opt_sel = ((msg->mbox_offset << 7u) | (msg->cmd_opcode & 0x7fu));
+ tx_trigger = (opt_sel << SCB_CTRL_POS) & SCB_CTRL_MASK;
+ tx_trigger |= SCB_CTRL_REQ_MASK | SCB_STATUS_NOTIFY_MASK;
+- writel_relaxed(tx_trigger, mbox->mbox_base + SERVICES_CR_OFFSET);
++ writel_relaxed(tx_trigger, mbox->ctrl_base + SERVICES_CR_OFFSET);
+
+ return 0;
+ }
+@@ -141,7 +141,7 @@ static void mpfs_mbox_rx_data(struct mbox_chan *chan)
+ if (!mpfs_mbox_busy(mbox)) {
+ for (i = 0; i < num_words; i++) {
+ response->resp_msg[i] =
+- readl_relaxed(mbox->mbox_base + MAILBOX_REG_OFFSET
++ readl_relaxed(mbox->mbox_base
+ + mbox->resp_offset + i * 0x4);
+ }
+ }
+@@ -200,14 +200,18 @@ static int mpfs_mbox_probe(struct platform_device *pdev)
+ if (!mbox)
+ return -ENOMEM;
+
+- mbox->mbox_base = devm_platform_get_and_ioremap_resource(pdev, 0, ®s);
+- if (IS_ERR(mbox->mbox_base))
+- return PTR_ERR(mbox->mbox_base);
++ mbox->ctrl_base = devm_platform_get_and_ioremap_resource(pdev, 0, ®s);
++ if (IS_ERR(mbox->ctrl_base))
++ return PTR_ERR(mbox->ctrl_base);
+
+ mbox->int_reg = devm_platform_get_and_ioremap_resource(pdev, 1, ®s);
+ if (IS_ERR(mbox->int_reg))
+ return PTR_ERR(mbox->int_reg);
+
++ mbox->mbox_base = devm_platform_get_and_ioremap_resource(pdev, 2, ®s);
++ if (IS_ERR(mbox->mbox_base)) // account for the old dt-binding w/ 2 regs
++ mbox->mbox_base = mbox->ctrl_base + MAILBOX_REG_OFFSET;
++
+ mbox->irq = platform_get_irq(pdev, 0);
+ if (mbox->irq < 0)
+ return mbox->irq;
+--
+2.35.1
+
--- /dev/null
+From 5562c10eace5dd5316dd87e06f53e2d147529e99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 09:46:27 -0600
+Subject: md/raid5: Ensure stripe_fill happens on non-read IO with journal
+
+From: Logan Gunthorpe <logang@deltatee.com>
+
+[ Upstream commit e2eed85bc75138a9eeb63863d20f8904ac42a577 ]
+
+When doing degrade/recover tests using the journal a kernel BUG
+is hit at drivers/md/raid5.c:4381 in handle_parity_checks5():
+
+ BUG_ON(!test_bit(R5_UPTODATE, &dev->flags));
+
+This was found to occur because handle_stripe_fill() was skipped
+for stripes in the journal due to a condition in that function.
+Thus blocks were not fetched and R5_UPTODATE was not set when
+the code reached handle_parity_checks5().
+
+To fix this, don't skip handle_stripe_fill() unless the stripe is
+for read.
+
+Fixes: 07e83364845e ("md/r5cache: shift complex rmw from read path to write path")
+Link: https://lore.kernel.org/linux-raid/e05c4239-41a9-d2f7-3cfa-4aa9d2cea8c1@deltatee.com/
+Suggested-by: Song Liu <song@kernel.org>
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index 31a0cbf63384..4ec33fd62018 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -4047,7 +4047,7 @@ static void handle_stripe_fill(struct stripe_head *sh,
+ * back cache (prexor with orig_page, and then xor with
+ * page) in the read path
+ */
+- if (s->injournal && s->failed) {
++ if (s->to_read && s->injournal && s->failed) {
+ if (test_bit(STRIPE_R5C_CACHING, &sh->state))
+ r5c_make_stripe_write_out(sh);
+ goto out;
+--
+2.35.1
+
--- /dev/null
+From 76dd15d48183a9ad81881b8cb1f1d72d84e4cec8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Sep 2022 10:15:14 -0600
+Subject: md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk()
+
+From: David Sloan <david.sloan@eideticom.com>
+
+[ Upstream commit c66a6f41e09ad386fd2cce22b9cded837bbbc704 ]
+
+When running chunk-sized reads on disks with badblocks duplicate bio
+free/puts are observed:
+
+ =============================================================================
+ BUG bio-200 (Not tainted): Object already free
+ -----------------------------------------------------------------------------
+ Allocated in mempool_alloc_slab+0x17/0x20 age=3 cpu=2 pid=7504
+ __slab_alloc.constprop.0+0x5a/0xb0
+ kmem_cache_alloc+0x31e/0x330
+ mempool_alloc_slab+0x17/0x20
+ mempool_alloc+0x100/0x2b0
+ bio_alloc_bioset+0x181/0x460
+ do_mpage_readpage+0x776/0xd00
+ mpage_readahead+0x166/0x320
+ blkdev_readahead+0x15/0x20
+ read_pages+0x13f/0x5f0
+ page_cache_ra_unbounded+0x18d/0x220
+ force_page_cache_ra+0x181/0x1c0
+ page_cache_sync_ra+0x65/0xb0
+ filemap_get_pages+0x1df/0xaf0
+ filemap_read+0x1e1/0x700
+ blkdev_read_iter+0x1e5/0x330
+ vfs_read+0x42a/0x570
+ Freed in mempool_free_slab+0x17/0x20 age=3 cpu=2 pid=7504
+ kmem_cache_free+0x46d/0x490
+ mempool_free_slab+0x17/0x20
+ mempool_free+0x66/0x190
+ bio_free+0x78/0x90
+ bio_put+0x100/0x1a0
+ raid5_make_request+0x2259/0x2450
+ md_handle_request+0x402/0x600
+ md_submit_bio+0xd9/0x120
+ __submit_bio+0x11f/0x1b0
+ submit_bio_noacct_nocheck+0x204/0x480
+ submit_bio_noacct+0x32e/0xc70
+ submit_bio+0x98/0x1a0
+ mpage_readahead+0x250/0x320
+ blkdev_readahead+0x15/0x20
+ read_pages+0x13f/0x5f0
+ page_cache_ra_unbounded+0x18d/0x220
+ Slab 0xffffea000481b600 objects=21 used=0 fp=0xffff8881206d8940 flags=0x17ffffc0010201(locked|slab|head|node=0|zone=2|lastcpupid=0x1fffff)
+ CPU: 0 PID: 34525 Comm: kworker/u24:2 Not tainted 6.0.0-rc2-localyes-265166-gf11c5343fa3f #143
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+ Workqueue: raid5wq raid5_do_work
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x5a/0x78
+ dump_stack+0x10/0x16
+ print_trailer+0x158/0x165
+ object_err+0x35/0x50
+ free_debug_processing.cold+0xb7/0xbe
+ __slab_free+0x1ae/0x330
+ kmem_cache_free+0x46d/0x490
+ mempool_free_slab+0x17/0x20
+ mempool_free+0x66/0x190
+ bio_free+0x78/0x90
+ bio_put+0x100/0x1a0
+ mpage_end_io+0x36/0x150
+ bio_endio+0x2fd/0x360
+ md_end_io_acct+0x7e/0x90
+ bio_endio+0x2fd/0x360
+ handle_failed_stripe+0x960/0xb80
+ handle_stripe+0x1348/0x3760
+ handle_active_stripes.constprop.0+0x72a/0xaf0
+ raid5_do_work+0x177/0x330
+ process_one_work+0x616/0xb20
+ worker_thread+0x2bd/0x6f0
+ kthread+0x179/0x1b0
+ ret_from_fork+0x22/0x30
+ </TASK>
+
+The double free is caused by an unnecessary bio_put() in the
+if(is_badblock(...)) error path in raid5_read_one_chunk().
+
+The error path was moved ahead of bio_alloc_clone() in c82aa1b76787c
+("md/raid5: move checking badblock before clone bio in
+raid5_read_one_chunk"). The previous code checked and freed align_bio
+which required a bio_put. After the move that is no longer needed as
+raid_bio is returned to the control of the common io path which
+performs its own endio resulting in a double free on bad device blocks.
+
+Fixes: c82aa1b76787c ("md/raid5: move checking badblock before clone bio in raid5_read_one_chunk")
+Signed-off-by: David Sloan <david.sloan@eideticom.com>
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Guoqing Jiang <Guoqing.jiang@linux.dev>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid5.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index 4ec33fd62018..db149d28f639 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -5542,7 +5542,6 @@ static int raid5_read_one_chunk(struct mddev *mddev, struct bio *raid_bio)
+
+ if (is_badblock(rdev, sector, bio_sectors(raid_bio), &first_bad,
+ &bad_sectors)) {
+- bio_put(raid_bio);
+ rdev_dec_pending(rdev, mddev);
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From e476a382cf4653808004a39becdb7dd8fb1f42d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 10:28:37 -0600
+Subject: md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d
+
+From: Logan Gunthorpe <logang@deltatee.com>
+
+[ Upstream commit 5e2cf333b7bd5d3e62595a44d598a254c697cd74 ]
+
+A complicated deadlock exists when using the journal and an elevated
+group_thrtead_cnt. It was found with loop devices, but its not clear
+whether it can be seen with real disks. The deadlock can occur simply
+by writing data with an fio script.
+
+When the deadlock occurs, multiple threads will hang in different ways:
+
+ 1) The group threads will hang in the blk-wbt code with bios waiting to
+ be submitted to the block layer:
+
+ io_schedule+0x70/0xb0
+ rq_qos_wait+0x153/0x210
+ wbt_wait+0x115/0x1b0
+ io_schedule+0x70/0xb0
+ rq_qos_wait+0x153/0x210
+ wbt_wait+0x115/0x1b0
+ __rq_qos_throttle+0x38/0x60
+ blk_mq_submit_bio+0x589/0xcd0
+ wbt_wait+0x115/0x1b0
+ __rq_qos_throttle+0x38/0x60
+ blk_mq_submit_bio+0x589/0xcd0
+ __submit_bio+0xe6/0x100
+ submit_bio_noacct_nocheck+0x42e/0x470
+ submit_bio_noacct+0x4c2/0xbb0
+ ops_run_io+0x46b/0x1a30
+ handle_stripe+0xcd3/0x36b0
+ handle_active_stripes.constprop.0+0x6f6/0xa60
+ raid5_do_work+0x177/0x330
+
+ Or:
+ io_schedule+0x70/0xb0
+ rq_qos_wait+0x153/0x210
+ wbt_wait+0x115/0x1b0
+ __rq_qos_throttle+0x38/0x60
+ blk_mq_submit_bio+0x589/0xcd0
+ __submit_bio+0xe6/0x100
+ submit_bio_noacct_nocheck+0x42e/0x470
+ submit_bio_noacct+0x4c2/0xbb0
+ flush_deferred_bios+0x136/0x170
+ raid5_do_work+0x262/0x330
+
+ 2) The r5l_reclaim thread will hang in the same way, submitting a
+ bio to the block layer:
+
+ io_schedule+0x70/0xb0
+ rq_qos_wait+0x153/0x210
+ wbt_wait+0x115/0x1b0
+ __rq_qos_throttle+0x38/0x60
+ blk_mq_submit_bio+0x589/0xcd0
+ __submit_bio+0xe6/0x100
+ submit_bio_noacct_nocheck+0x42e/0x470
+ submit_bio_noacct+0x4c2/0xbb0
+ submit_bio+0x3f/0xf0
+ md_super_write+0x12f/0x1b0
+ md_update_sb.part.0+0x7c6/0xff0
+ md_update_sb+0x30/0x60
+ r5l_do_reclaim+0x4f9/0x5e0
+ r5l_reclaim_thread+0x69/0x30b
+
+ However, before hanging, the MD_SB_CHANGE_PENDING flag will be
+ set for sb_flags in r5l_write_super_and_discard_space(). This
+ flag will never be cleared because the submit_bio() call never
+ returns.
+
+ 3) Due to the MD_SB_CHANGE_PENDING flag being set, handle_stripe()
+ will do no processing on any pending stripes and re-set
+ STRIPE_HANDLE. This will cause the raid5d thread to enter an
+ infinite loop, constantly trying to handle the same stripes
+ stuck in the queue.
+
+ The raid5d thread has a blk_plug that holds a number of bios
+ that are also stuck waiting seeing the thread is in a loop
+ that never schedules. These bios have been accounted for by
+ blk-wbt thus preventing the other threads above from
+ continuing when they try to submit bios. --Deadlock.
+
+To fix this, add the same wait_event() that is used in raid5_do_work()
+to raid5d() such that if MD_SB_CHANGE_PENDING is set, the thread will
+schedule and wait until the flag is cleared. The schedule action will
+flush the plug which will allow the r5l_reclaim thread to continue,
+thus preventing the deadlock.
+
+However, md_check_recovery() calls can also clear MD_SB_CHANGE_PENDING
+from the same thread and can thus deadlock if the thread is put to
+sleep. So avoid waiting if md_check_recovery() is being called in the
+loop.
+
+It's not clear when the deadlock was introduced, but the similar
+wait_event() call in raid5_do_work() was added in 2017 by this
+commit:
+
+ 16d997b78b15 ("md/raid5: simplfy delaying of writes while metadata
+ is updated.")
+
+Link: https://lore.kernel.org/r/7f3b87b6-b52a-f737-51d7-a4eec5c44112@deltatee.com
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid5.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
+index db149d28f639..caaae10e33f8 100644
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -36,6 +36,7 @@
+ */
+
+ #include <linux/blkdev.h>
++#include <linux/delay.h>
+ #include <linux/kthread.h>
+ #include <linux/raid/pq.h>
+ #include <linux/async_tx.h>
+@@ -6780,7 +6781,18 @@ static void raid5d(struct md_thread *thread)
+ spin_unlock_irq(&conf->device_lock);
+ md_check_recovery(mddev);
+ spin_lock_irq(&conf->device_lock);
++
++ /*
++ * Waiting on MD_SB_CHANGE_PENDING below may deadlock
++ * seeing md_check_recovery() is needed to clear
++ * the flag when using mdmon.
++ */
++ continue;
+ }
++
++ wait_event_lock_irq(mddev->sb_wait,
++ !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags),
++ conf->device_lock);
+ }
+ pr_debug("%d stripes handled\n", handled);
+
+--
+2.35.1
+
--- /dev/null
+From 3966d808b3978d65615f8550be377cc6370a6775 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Sep 2022 10:15:15 -0600
+Subject: md: Remove extra mddev_get() in md_seq_start()
+
+From: Logan Gunthorpe <logang@deltatee.com>
+
+[ Upstream commit 3bfc3bcd787c48aa31e4fde4a6dfcef4cd7ee2c2 ]
+
+A regression is seen where mddev devices stay permanently after they
+are stopped due to an elevated reference count.
+
+This was tracked down to an extra mddev_get() in md_seq_start().
+
+It only happened rarely because most of the time the md_seq_start()
+is called with a zero offset. The path with an extra mddev_get() only
+happens when it starts with a non-zero offset.
+
+The commit noted below changed an mddev_get() to check its success
+but inadvertently left the original call in. Remove the extra call.
+
+Fixes: 12a6caf27324 ("md: only delete entries from all_mddevs when the disk is freed")
+Signed-off-by: Logan Gunthorpe <logang@deltatee.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Guoqing Jiang <Guoqing.jiang@linux.dev>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 729be2c5296c..470a975e4be9 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -8156,7 +8156,6 @@ static void *md_seq_start(struct seq_file *seq, loff_t *pos)
+ list_for_each(tmp,&all_mddevs)
+ if (!l--) {
+ mddev = list_entry(tmp, struct mddev, all_mddevs);
+- mddev_get(mddev);
+ if (!mddev_get(mddev))
+ continue;
+ spin_unlock(&all_mddevs_lock);
+--
+2.35.1
+
--- /dev/null
+From 9f62ae13ee319ab4af07d741ef2ba9100c25cd6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 11:51:04 -0700
+Subject: md: Replace snprintf with scnprintf
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Saurabh Sengar <ssengar@linux.microsoft.com>
+
+[ Upstream commit 1727fd5015d8f93474148f94e34cda5aa6ad4a43 ]
+
+Current code produces a warning as shown below when total characters
+in the constituent block device names plus the slashes exceeds 200.
+snprintf() returns the number of characters generated from the given
+input, which could cause the expression “200 – len” to wrap around
+to a large positive number. Fix this by using scnprintf() instead,
+which returns the actual number of characters written into the buffer.
+
+[ 1513.267938] ------------[ cut here ]------------
+[ 1513.267943] WARNING: CPU: 15 PID: 37247 at <snip>/lib/vsprintf.c:2509 vsnprintf+0x2c8/0x510
+[ 1513.267944] Modules linked in: <snip>
+[ 1513.267969] CPU: 15 PID: 37247 Comm: mdadm Not tainted 5.4.0-1085-azure #90~18.04.1-Ubuntu
+[ 1513.267969] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022
+[ 1513.267971] RIP: 0010:vsnprintf+0x2c8/0x510
+<-snip->
+[ 1513.267982] Call Trace:
+[ 1513.267986] snprintf+0x45/0x70
+[ 1513.267990] ? disk_name+0x71/0xa0
+[ 1513.267993] dump_zones+0x114/0x240 [raid0]
+[ 1513.267996] ? _cond_resched+0x19/0x40
+[ 1513.267998] raid0_run+0x19e/0x270 [raid0]
+[ 1513.268000] md_run+0x5e0/0xc50
+[ 1513.268003] ? security_capable+0x3f/0x60
+[ 1513.268005] do_md_run+0x19/0x110
+[ 1513.268006] md_ioctl+0x195e/0x1f90
+[ 1513.268007] blkdev_ioctl+0x91f/0x9f0
+[ 1513.268010] block_ioctl+0x3d/0x50
+[ 1513.268012] do_vfs_ioctl+0xa9/0x640
+[ 1513.268014] ? __fput+0x162/0x260
+[ 1513.268016] ksys_ioctl+0x75/0x80
+[ 1513.268017] __x64_sys_ioctl+0x1a/0x20
+[ 1513.268019] do_syscall_64+0x5e/0x200
+[ 1513.268021] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 766038846e875 ("md/raid0: replace printk() with pr_*()")
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Acked-by: Guoqing Jiang <guoqing.jiang@linux.dev>
+Signed-off-by: Saurabh Sengar <ssengar@linux.microsoft.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid0.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c
+index 78addfe4a0c9..857c49399c28 100644
+--- a/drivers/md/raid0.c
++++ b/drivers/md/raid0.c
+@@ -47,7 +47,7 @@ static void dump_zones(struct mddev *mddev)
+ int len = 0;
+
+ for (k = 0; k < conf->strip_zone[j].nb_dev; k++)
+- len += snprintf(line+len, 200-len, "%s%pg", k?"/":"",
++ len += scnprintf(line+len, 200-len, "%s%pg", k?"/":"",
+ conf->devlist[j * raid_disks + k]->bdev);
+ pr_debug("md: zone%d=[%s]\n", j, line);
+
+--
+2.35.1
+
--- /dev/null
+From a3421d2bbf87d08c0dd5157a7f887af4a20fe483 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Aug 2022 06:57:00 +0200
+Subject: media: airspy: fix memory leak in airspy probe
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 23bc5eb55f8c9607965c20d9ddcc13cb1ae59568 ]
+
+The commit ca9dc8d06ab6 ("media: airspy: respect the DMA coherency
+ rules") moves variable buf from stack to heap, however, it only frees
+buf in the error handling code, missing deallocation in the success
+path.
+
+Fix this by freeing buf in the success path since this variable does not
+have any references in other code.
+
+Fixes: ca9dc8d06ab6 ("media: airspy: respect the DMA coherency rules")
+Reported-by: syzbot+bb25f85e5aa482864dc0@syzkaller.appspotmail.com
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Reviewed-by: Tommaso Merciai <tommaso.merciai@amarulasolution.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/airspy/airspy.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c
+index 240a7cc56777..7b1c40132555 100644
+--- a/drivers/media/usb/airspy/airspy.c
++++ b/drivers/media/usb/airspy/airspy.c
+@@ -1070,6 +1070,10 @@ static int airspy_probe(struct usb_interface *intf,
+ ret);
+ goto err_free_controls;
+ }
++
++ /* Free buf if success*/
++ kfree(buf);
++
+ dev_info(s->dev, "Registered as %s\n",
+ video_device_node_name(&s->vdev));
+ dev_notice(s->dev, "SDR API is still slightly experimental and functionality changes may follow\n");
+--
+2.35.1
+
--- /dev/null
+From af2157715c99b3c54c2e6bdfc3cb61286e6cb41f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Jul 2022 09:38:00 +0200
+Subject: media: amphion: adjust the encoder's value range of gop size
+
+From: Ming Qian <ming.qian@nxp.com>
+
+[ Upstream commit 996f4e89fabe44ab9ac0aabb0697aeecbe717eca ]
+
+adjust the value range of gop size from [0, 65535] to [1, 8000].
+when the gop size is set to a too large value,
+it may affect the encoded picture quality.
+so constrain it to a reasonable range.
+
+Fixes: 0401e659c1f92 ("media: amphion: add v4l2 m2m vpu encoder stateful driver")
+Signed-off-by: Ming Qian <ming.qian@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/amphion/venc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/amphion/venc.c b/drivers/media/platform/amphion/venc.c
+index 461524dd1e44..37212f087fdd 100644
+--- a/drivers/media/platform/amphion/venc.c
++++ b/drivers/media/platform/amphion/venc.c
+@@ -644,7 +644,7 @@ static int venc_ctrl_init(struct vpu_inst *inst)
+ BITRATE_DEFAULT_PEAK);
+
+ v4l2_ctrl_new_std(&inst->ctrl_handler, &venc_ctrl_ops,
+- V4L2_CID_MPEG_VIDEO_GOP_SIZE, 0, (1 << 16) - 1, 1, 30);
++ V4L2_CID_MPEG_VIDEO_GOP_SIZE, 1, 8000, 1, 30);
+
+ v4l2_ctrl_new_std(&inst->ctrl_handler, &venc_ctrl_ops,
+ V4L2_CID_MPEG_VIDEO_B_FRAMES, 0, 4, 1, 0);
+--
+2.35.1
+
--- /dev/null
+From bb581b61f56eeb6b90f7f4af357f510b13cced60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Jul 2022 05:02:29 +0200
+Subject: media: amphion: don't change the colorspace reported by decoder.
+
+From: Ming Qian <ming.qian@nxp.com>
+
+[ Upstream commit 61c2698ee60630c6a7d2e99850fa81ff6450270a ]
+
+decoder will report the colorspace information
+which is parsed from the sequence header,
+if they are unspecified, just let application to determine it,
+don't change it in driver.
+
+Fixes: 6de8d628df6ef ("media: amphion: add v4l2 m2m vpu decoder stateful driver")
+Signed-off-by: Ming Qian <ming.qian@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/amphion/vdec.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/media/platform/amphion/vdec.c b/drivers/media/platform/amphion/vdec.c
+index 9e64041cc1c1..feb75dc204de 100644
+--- a/drivers/media/platform/amphion/vdec.c
++++ b/drivers/media/platform/amphion/vdec.c
+@@ -808,14 +808,6 @@ static void vdec_init_fmt(struct vpu_inst *inst)
+ inst->cap_format.field = V4L2_FIELD_NONE;
+ else
+ inst->cap_format.field = V4L2_FIELD_SEQ_TB;
+- if (vdec->codec_info.color_primaries == V4L2_COLORSPACE_DEFAULT)
+- vdec->codec_info.color_primaries = V4L2_COLORSPACE_REC709;
+- if (vdec->codec_info.transfer_chars == V4L2_XFER_FUNC_DEFAULT)
+- vdec->codec_info.transfer_chars = V4L2_XFER_FUNC_709;
+- if (vdec->codec_info.matrix_coeffs == V4L2_YCBCR_ENC_DEFAULT)
+- vdec->codec_info.matrix_coeffs = V4L2_YCBCR_ENC_709;
+- if (vdec->codec_info.full_range == V4L2_QUANTIZATION_DEFAULT)
+- vdec->codec_info.full_range = V4L2_QUANTIZATION_LIM_RANGE;
+ }
+
+ static void vdec_init_crop(struct vpu_inst *inst)
+@@ -1555,6 +1547,14 @@ static int vdec_get_debug_info(struct vpu_inst *inst, char *str, u32 size, u32 i
+ vdec->codec_info.frame_rate.numerator,
+ vdec->codec_info.frame_rate.denominator);
+ break;
++ case 9:
++ num = scnprintf(str, size, "colorspace: %d, %d, %d, %d (%d)\n",
++ vdec->codec_info.color_primaries,
++ vdec->codec_info.transfer_chars,
++ vdec->codec_info.matrix_coeffs,
++ vdec->codec_info.full_range,
++ vdec->codec_info.vui_present);
++ break;
+ default:
+ break;
+ }
+--
+2.35.1
+
--- /dev/null
+From f7c07775ff147e8c46fe456d3d99329c795d37d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 05:18:21 +0200
+Subject: media: amphion: fix a bug that vpu core may not resume after suspend
+
+From: Ming Qian <ming.qian@nxp.com>
+
+[ Upstream commit 0202a665bf17fbe98fed954944aabbcb4f14a4cc ]
+
+driver will enable the vpu core when request the first instance
+on the core.
+one vpu core can only support 8 streaming instances in the same
+time, the instance won't be added to core's list before streamon.
+
+so the actual instance count may be greater then the number in
+the core's list.
+
+in pm resume callback, driver will resume the core immediately if
+core's list is not empty.
+but this check is not accurate,
+if suspend during one instance is requested, but not streamon,
+then after suspend, the core won't be resume, and led to instance failure.
+
+use the request_count instead of the core's list to check
+whether is the core needed to resume immediately after suspend.
+
+And it can make the pm suspend and resume callback more clear.
+
+Fixes: 9f599f351e86 ("media: amphion: add vpu core driver")
+Signed-off-by: Ming Qian <ming.qian@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/amphion/vpu.h | 1 -
+ drivers/media/platform/amphion/vpu_core.c | 84 ++++++++++++-----------
+ drivers/media/platform/amphion/vpu_core.h | 1 +
+ drivers/media/platform/amphion/vpu_dbg.c | 9 ++-
+ 4 files changed, 51 insertions(+), 44 deletions(-)
+
+diff --git a/drivers/media/platform/amphion/vpu.h b/drivers/media/platform/amphion/vpu.h
+index f914de6ed81e..beac0309ca8d 100644
+--- a/drivers/media/platform/amphion/vpu.h
++++ b/drivers/media/platform/amphion/vpu.h
+@@ -119,7 +119,6 @@ struct vpu_mbox {
+ enum vpu_core_state {
+ VPU_CORE_DEINIT = 0,
+ VPU_CORE_ACTIVE,
+- VPU_CORE_SNAPSHOT,
+ VPU_CORE_HANG
+ };
+
+diff --git a/drivers/media/platform/amphion/vpu_core.c b/drivers/media/platform/amphion/vpu_core.c
+index 73faa50d2865..f9ec1753f7c8 100644
+--- a/drivers/media/platform/amphion/vpu_core.c
++++ b/drivers/media/platform/amphion/vpu_core.c
+@@ -89,7 +89,7 @@ static int vpu_core_boot_done(struct vpu_core *core)
+ core->supported_instance_count = min(core->supported_instance_count, count);
+ }
+ core->fw_version = fw_version;
+- core->state = VPU_CORE_ACTIVE;
++ vpu_core_set_state(core, VPU_CORE_ACTIVE);
+
+ return 0;
+ }
+@@ -172,10 +172,26 @@ int vpu_alloc_dma(struct vpu_core *core, struct vpu_buffer *buf)
+ return __vpu_alloc_dma(core->dev, buf);
+ }
+
+-static void vpu_core_check_hang(struct vpu_core *core)
++void vpu_core_set_state(struct vpu_core *core, enum vpu_core_state state)
+ {
+- if (core->hang_mask)
+- core->state = VPU_CORE_HANG;
++ if (state != core->state)
++ vpu_trace(core->dev, "vpu core state change from %d to %d\n", core->state, state);
++ core->state = state;
++ if (core->state == VPU_CORE_DEINIT)
++ core->hang_mask = 0;
++}
++
++static void vpu_core_update_state(struct vpu_core *core)
++{
++ if (!vpu_iface_get_power_state(core)) {
++ if (core->request_count)
++ vpu_core_set_state(core, VPU_CORE_HANG);
++ else
++ vpu_core_set_state(core, VPU_CORE_DEINIT);
++
++ } else if (core->state == VPU_CORE_ACTIVE && core->hang_mask) {
++ vpu_core_set_state(core, VPU_CORE_HANG);
++ }
+ }
+
+ static struct vpu_core *vpu_core_find_proper_by_type(struct vpu_dev *vpu, u32 type)
+@@ -188,11 +204,13 @@ static struct vpu_core *vpu_core_find_proper_by_type(struct vpu_dev *vpu, u32 ty
+ dev_dbg(c->dev, "instance_mask = 0x%lx, state = %d\n", c->instance_mask, c->state);
+ if (c->type != type)
+ continue;
++ mutex_lock(&c->lock);
++ vpu_core_update_state(c);
++ mutex_unlock(&c->lock);
+ if (c->state == VPU_CORE_DEINIT) {
+ core = c;
+ break;
+ }
+- vpu_core_check_hang(c);
+ if (c->state != VPU_CORE_ACTIVE)
+ continue;
+ if (c->request_count < request_count) {
+@@ -409,6 +427,12 @@ int vpu_inst_register(struct vpu_inst *inst)
+ }
+
+ mutex_lock(&core->lock);
++ if (core->state != VPU_CORE_ACTIVE) {
++ dev_err(core->dev, "vpu core is not active, state = %d\n", core->state);
++ ret = -EINVAL;
++ goto exit;
++ }
++
+ if (inst->id >= 0 && inst->id < core->supported_instance_count)
+ goto exit;
+
+@@ -450,7 +474,7 @@ int vpu_inst_unregister(struct vpu_inst *inst)
+ vpu_core_release_instance(core, inst->id);
+ inst->id = VPU_INST_NULL_ID;
+ }
+- vpu_core_check_hang(core);
++ vpu_core_update_state(core);
+ if (core->state == VPU_CORE_HANG && !core->instance_mask) {
+ int err;
+
+@@ -459,7 +483,7 @@ int vpu_inst_unregister(struct vpu_inst *inst)
+ err = vpu_core_sw_reset(core);
+ mutex_lock(&core->lock);
+ if (!err) {
+- core->state = VPU_CORE_ACTIVE;
++ vpu_core_set_state(core, VPU_CORE_ACTIVE);
+ core->hang_mask = 0;
+ }
+ }
+@@ -609,7 +633,7 @@ static int vpu_core_probe(struct platform_device *pdev)
+ mutex_init(&core->cmd_lock);
+ init_completion(&core->cmp);
+ init_waitqueue_head(&core->ack_wq);
+- core->state = VPU_CORE_DEINIT;
++ vpu_core_set_state(core, VPU_CORE_DEINIT);
+
+ core->res = of_device_get_match_data(dev);
+ if (!core->res)
+@@ -758,33 +782,18 @@ static int __maybe_unused vpu_core_resume(struct device *dev)
+ mutex_lock(&core->lock);
+ pm_runtime_resume_and_get(dev);
+ vpu_core_get_vpu(core);
+- if (core->state != VPU_CORE_SNAPSHOT)
+- goto exit;
+
+- if (!vpu_iface_get_power_state(core)) {
+- if (!list_empty(&core->instances)) {
++ if (core->request_count) {
++ if (!vpu_iface_get_power_state(core))
+ ret = vpu_core_boot(core, false);
+- if (ret) {
+- dev_err(core->dev, "%s boot fail\n", __func__);
+- core->state = VPU_CORE_DEINIT;
+- goto exit;
+- }
+- } else {
+- core->state = VPU_CORE_DEINIT;
+- }
+- } else {
+- if (!list_empty(&core->instances)) {
++ else
+ ret = vpu_core_sw_reset(core);
+- if (ret) {
+- dev_err(core->dev, "%s sw_reset fail\n", __func__);
+- core->state = VPU_CORE_HANG;
+- goto exit;
+- }
++ if (ret) {
++ dev_err(core->dev, "resume fail\n");
++ vpu_core_set_state(core, VPU_CORE_HANG);
+ }
+- core->state = VPU_CORE_ACTIVE;
+ }
+-
+-exit:
++ vpu_core_update_state(core);
+ pm_runtime_put_sync(dev);
+ mutex_unlock(&core->lock);
+
+@@ -798,18 +807,11 @@ static int __maybe_unused vpu_core_suspend(struct device *dev)
+ int ret = 0;
+
+ mutex_lock(&core->lock);
+- if (core->state == VPU_CORE_ACTIVE) {
+- if (!list_empty(&core->instances)) {
+- ret = vpu_core_snapshot(core);
+- if (ret) {
+- mutex_unlock(&core->lock);
+- return ret;
+- }
+- }
+-
+- core->state = VPU_CORE_SNAPSHOT;
+- }
++ if (core->request_count)
++ ret = vpu_core_snapshot(core);
+ mutex_unlock(&core->lock);
++ if (ret)
++ return ret;
+
+ vpu_core_cancel_work(core);
+
+diff --git a/drivers/media/platform/amphion/vpu_core.h b/drivers/media/platform/amphion/vpu_core.h
+index 00a662997da4..65b562642603 100644
+--- a/drivers/media/platform/amphion/vpu_core.h
++++ b/drivers/media/platform/amphion/vpu_core.h
+@@ -11,5 +11,6 @@ u32 csr_readl(struct vpu_core *core, u32 reg);
+ int vpu_alloc_dma(struct vpu_core *core, struct vpu_buffer *buf);
+ void vpu_free_dma(struct vpu_buffer *buf);
+ struct vpu_inst *vpu_core_find_instance(struct vpu_core *core, u32 index);
++void vpu_core_set_state(struct vpu_core *core, enum vpu_core_state state);
+
+ #endif
+diff --git a/drivers/media/platform/amphion/vpu_dbg.c b/drivers/media/platform/amphion/vpu_dbg.c
+index f72c8a506b22..260f1c4b8f8d 100644
+--- a/drivers/media/platform/amphion/vpu_dbg.c
++++ b/drivers/media/platform/amphion/vpu_dbg.c
+@@ -15,6 +15,7 @@
+ #include <linux/debugfs.h>
+ #include "vpu.h"
+ #include "vpu_defs.h"
++#include "vpu_core.h"
+ #include "vpu_helpers.h"
+ #include "vpu_cmds.h"
+ #include "vpu_rpc.h"
+@@ -233,6 +234,10 @@ static int vpu_dbg_core(struct seq_file *s, void *data)
+ if (seq_write(s, str, num))
+ return 0;
+
++ num = scnprintf(str, sizeof(str), "power %s\n",
++ vpu_iface_get_power_state(core) ? "on" : "off");
++ if (seq_write(s, str, num))
++ return 0;
+ num = scnprintf(str, sizeof(str), "state = %d\n", core->state);
+ if (seq_write(s, str, num))
+ return 0;
+@@ -346,10 +351,10 @@ static ssize_t vpu_dbg_core_write(struct file *file,
+
+ pm_runtime_resume_and_get(core->dev);
+ mutex_lock(&core->lock);
+- if (core->state != VPU_CORE_DEINIT && !core->instance_mask) {
++ if (vpu_iface_get_power_state(core) && !core->request_count) {
+ dev_info(core->dev, "reset\n");
+ if (!vpu_core_sw_reset(core)) {
+- core->state = VPU_CORE_ACTIVE;
++ vpu_core_set_state(core, VPU_CORE_ACTIVE);
+ core->hang_mask = 0;
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From 5a49814b49f90536ac8284c3a94b20c8eb86e801 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Jul 2022 09:15:49 +0200
+Subject: media: amphion: insert picture startcode after seek for vc1g format
+
+From: Ming Qian <ming.qian@nxp.com>
+
+[ Upstream commit f7fd6c318c8a5d06bf3fe611f30763d62eaaf7f0 ]
+
+For format vc1, the amphion vpu requires driver to
+help insert some custom startcode before sequence and frame.
+the startcode is different for vc1l and vc1g format.
+
+But the sequence startcode is only needed at the beginning,
+and it's not expected after seek.
+driver need to treat the codec header and the first frame after seek
+as a normal frame, and insert picture startcode for it.
+
+In previous patch, I just fix it for vc1l format,
+and should fix the similar issue for vc1g too.
+
+Fixes: e670f5d672ef (media: amphion: only insert the first sequence startcode for vc1l format)
+Signed-off-by: Ming Qian <ming.qian@nxp.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/amphion/vpu_malone.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/amphion/vpu_malone.c b/drivers/media/platform/amphion/vpu_malone.c
+index f4a488bf9880..51e0702f9ae1 100644
+--- a/drivers/media/platform/amphion/vpu_malone.c
++++ b/drivers/media/platform/amphion/vpu_malone.c
+@@ -1293,7 +1293,7 @@ static int vpu_malone_insert_scode_vc1_g_pic(struct malone_scode_t *scode)
+ vbuf = to_vb2_v4l2_buffer(scode->vb);
+ data = vb2_plane_vaddr(scode->vb, 0);
+
+- if (vbuf->sequence == 0 || vpu_vb_is_codecconfig(vbuf))
++ if (scode->inst->total_input_count == 0 || vpu_vb_is_codecconfig(vbuf))
+ return 0;
+ if (MALONE_VC1_CONTAIN_NAL(*data))
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 8e50ca2ce60e569a0d55f0fdef05a9068e7cfe5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Jul 2022 04:23:38 +0200
+Subject: media: cx88: Fix a null-ptr-deref bug in buffer_prepare()
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 2b064d91440b33fba5b452f2d1b31f13ae911d71 ]
+
+When the driver calls cx88_risc_buffer() to prepare the buffer, the
+function call may fail, resulting in a empty buffer and null-ptr-deref
+later in buffer_queue().
+
+The following log can reveal it:
+
+[ 41.822762] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
+[ 41.824488] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+[ 41.828027] RIP: 0010:buffer_queue+0xc2/0x500
+[ 41.836311] Call Trace:
+[ 41.836945] __enqueue_in_driver+0x141/0x360
+[ 41.837262] vb2_start_streaming+0x62/0x4a0
+[ 41.838216] vb2_core_streamon+0x1da/0x2c0
+[ 41.838516] __vb2_init_fileio+0x981/0xbc0
+[ 41.839141] __vb2_perform_fileio+0xbf9/0x1120
+[ 41.840072] vb2_fop_read+0x20e/0x400
+[ 41.840346] v4l2_read+0x215/0x290
+[ 41.840603] vfs_read+0x162/0x4c0
+
+Fix this by checking the return value of cx88_risc_buffer()
+
+[hverkuil: fix coding style issues]
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/cx88/cx88-vbi.c | 9 +++---
+ drivers/media/pci/cx88/cx88-video.c | 43 +++++++++++++++--------------
+ 2 files changed, 26 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/media/pci/cx88/cx88-vbi.c b/drivers/media/pci/cx88/cx88-vbi.c
+index a075788c64d4..469aeaa725ad 100644
+--- a/drivers/media/pci/cx88/cx88-vbi.c
++++ b/drivers/media/pci/cx88/cx88-vbi.c
+@@ -144,11 +144,10 @@ static int buffer_prepare(struct vb2_buffer *vb)
+ return -EINVAL;
+ vb2_set_plane_payload(vb, 0, size);
+
+- cx88_risc_buffer(dev->pci, &buf->risc, sgt->sgl,
+- 0, VBI_LINE_LENGTH * lines,
+- VBI_LINE_LENGTH, 0,
+- lines);
+- return 0;
++ return cx88_risc_buffer(dev->pci, &buf->risc, sgt->sgl,
++ 0, VBI_LINE_LENGTH * lines,
++ VBI_LINE_LENGTH, 0,
++ lines);
+ }
+
+ static void buffer_finish(struct vb2_buffer *vb)
+diff --git a/drivers/media/pci/cx88/cx88-video.c b/drivers/media/pci/cx88/cx88-video.c
+index d3729be89252..b509c2a03852 100644
+--- a/drivers/media/pci/cx88/cx88-video.c
++++ b/drivers/media/pci/cx88/cx88-video.c
+@@ -431,6 +431,7 @@ static int queue_setup(struct vb2_queue *q,
+
+ static int buffer_prepare(struct vb2_buffer *vb)
+ {
++ int ret;
+ struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb);
+ struct cx8800_dev *dev = vb->vb2_queue->drv_priv;
+ struct cx88_core *core = dev->core;
+@@ -445,35 +446,35 @@ static int buffer_prepare(struct vb2_buffer *vb)
+
+ switch (core->field) {
+ case V4L2_FIELD_TOP:
+- cx88_risc_buffer(dev->pci, &buf->risc,
+- sgt->sgl, 0, UNSET,
+- buf->bpl, 0, core->height);
++ ret = cx88_risc_buffer(dev->pci, &buf->risc,
++ sgt->sgl, 0, UNSET,
++ buf->bpl, 0, core->height);
+ break;
+ case V4L2_FIELD_BOTTOM:
+- cx88_risc_buffer(dev->pci, &buf->risc,
+- sgt->sgl, UNSET, 0,
+- buf->bpl, 0, core->height);
++ ret = cx88_risc_buffer(dev->pci, &buf->risc,
++ sgt->sgl, UNSET, 0,
++ buf->bpl, 0, core->height);
+ break;
+ case V4L2_FIELD_SEQ_TB:
+- cx88_risc_buffer(dev->pci, &buf->risc,
+- sgt->sgl,
+- 0, buf->bpl * (core->height >> 1),
+- buf->bpl, 0,
+- core->height >> 1);
++ ret = cx88_risc_buffer(dev->pci, &buf->risc,
++ sgt->sgl,
++ 0, buf->bpl * (core->height >> 1),
++ buf->bpl, 0,
++ core->height >> 1);
+ break;
+ case V4L2_FIELD_SEQ_BT:
+- cx88_risc_buffer(dev->pci, &buf->risc,
+- sgt->sgl,
+- buf->bpl * (core->height >> 1), 0,
+- buf->bpl, 0,
+- core->height >> 1);
++ ret = cx88_risc_buffer(dev->pci, &buf->risc,
++ sgt->sgl,
++ buf->bpl * (core->height >> 1), 0,
++ buf->bpl, 0,
++ core->height >> 1);
+ break;
+ case V4L2_FIELD_INTERLACED:
+ default:
+- cx88_risc_buffer(dev->pci, &buf->risc,
+- sgt->sgl, 0, buf->bpl,
+- buf->bpl, buf->bpl,
+- core->height >> 1);
++ ret = cx88_risc_buffer(dev->pci, &buf->risc,
++ sgt->sgl, 0, buf->bpl,
++ buf->bpl, buf->bpl,
++ core->height >> 1);
+ break;
+ }
+ dprintk(2,
+@@ -481,7 +482,7 @@ static int buffer_prepare(struct vb2_buffer *vb)
+ buf, buf->vb.vb2_buf.index, __func__,
+ core->width, core->height, dev->fmt->depth, dev->fmt->fourcc,
+ (unsigned long)buf->risc.dma);
+- return 0;
++ return ret;
+ }
+
+ static void buffer_finish(struct vb2_buffer *vb)
+--
+2.35.1
+
--- /dev/null
+From f62652e3d1d152a9f0ad63ee20aa06e68e1460b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jul 2022 16:30:03 +0200
+Subject: media: exynos4-is: fimc-is: Add of_node_put() when breaking out of
+ loop
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 211f8304fa21aaedc2c247f0c9d6c7f1aaa61ad7 ]
+
+In fimc_is_register_subdevs(), we need to call of_node_put() for
+the reference 'i2c_bus' when breaking out of the
+for_each_compatible_node() which has increased the refcount.
+
+Fixes: 9a761e436843 ("[media] exynos4-is: Add Exynos4x12 FIMC-IS driver")
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/samsung/exynos4-is/fimc-is.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/platform/samsung/exynos4-is/fimc-is.c b/drivers/media/platform/samsung/exynos4-is/fimc-is.c
+index e3072d69c49f..a7704ff069d6 100644
+--- a/drivers/media/platform/samsung/exynos4-is/fimc-is.c
++++ b/drivers/media/platform/samsung/exynos4-is/fimc-is.c
+@@ -213,6 +213,7 @@ static int fimc_is_register_subdevs(struct fimc_is *is)
+
+ if (ret < 0 || index >= FIMC_IS_SENSORS_NUM) {
+ of_node_put(child);
++ of_node_put(i2c_bus);
+ return ret;
+ }
+ index++;
+--
+2.35.1
+
--- /dev/null
+From e22621567980decfb468f4838104a1f3c9df2aa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Aug 2022 06:42:42 +0200
+Subject: media: mediatek: vcodec: Skip non CBR bitrate mode
+
+From: Hirokazu Honda <hiroh@chromium.org>
+
+[ Upstream commit e7bfdf0a854037e8c0597f1f44f72651869c424d ]
+
+V4L2_MPEG_VIDEO_BITRATE_MODE_CBR is the only bitrate mode supported
+by the mediatek driver. The other bitrates must be skipped in
+QUERY_MENU.
+
+Fixes: d8e8aa866ed8 ("media: mediatek: vcodec: Report supported bitrate modes")
+Signed-off-by: Hirokazu Honda <hiroh@chromium.org>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc.c
+index 25e816863597..27c5fdaabed4 100644
+--- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc.c
++++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc.c
+@@ -1403,7 +1403,8 @@ int mtk_vcodec_enc_ctrls_setup(struct mtk_vcodec_ctx *ctx)
+ V4L2_MPEG_VIDEO_VP8_PROFILE_0, 0, V4L2_MPEG_VIDEO_VP8_PROFILE_0);
+ v4l2_ctrl_new_std_menu(handler, ops, V4L2_CID_MPEG_VIDEO_BITRATE_MODE,
+ V4L2_MPEG_VIDEO_BITRATE_MODE_CBR,
+- 0, V4L2_MPEG_VIDEO_BITRATE_MODE_CBR);
++ ~(1 << V4L2_MPEG_VIDEO_BITRATE_MODE_CBR),
++ V4L2_MPEG_VIDEO_BITRATE_MODE_CBR);
+
+
+ if (handler->error) {
+--
+2.35.1
+
--- /dev/null
+From 4918b5705e47f23ed99098eb1d1d93900836bf32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 08:57:53 +0200
+Subject: media: meson: vdec: add missing clk_disable_unprepare on error in
+ vdec_hevc_start()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xu Qiang <xuqiang36@huawei.com>
+
+[ Upstream commit 4029372233e13e281f8c387f279f9f064ced3810 ]
+
+Add the missing clk_disable_unprepare() before return
+from vdec_hevc_start() in the error handling case.
+
+Fixes: 823a7300340e (“media: meson: vdec: add common HEVC decoder support”)
+Signed-off-by: Xu Qiang <xuqiang36@huawei.com>
+Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/meson/vdec/vdec_hevc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/meson/vdec/vdec_hevc.c b/drivers/staging/media/meson/vdec/vdec_hevc.c
+index 9530e580e57a..afced435c907 100644
+--- a/drivers/staging/media/meson/vdec/vdec_hevc.c
++++ b/drivers/staging/media/meson/vdec/vdec_hevc.c
+@@ -167,8 +167,12 @@ static int vdec_hevc_start(struct amvdec_session *sess)
+
+ clk_set_rate(core->vdec_hevc_clk, 666666666);
+ ret = clk_prepare_enable(core->vdec_hevc_clk);
+- if (ret)
++ if (ret) {
++ if (core->platform->revision == VDEC_REVISION_G12A ||
++ core->platform->revision == VDEC_REVISION_SM1)
++ clk_disable_unprepare(core->vdec_hevcf_clk);
+ return ret;
++ }
+
+ if (core->platform->revision == VDEC_REVISION_SM1)
+ regmap_update_bits(core->regmap_ao, AO_RTI_GEN_PWR_SLEEP0,
+--
+2.35.1
+
--- /dev/null
+From 7cd98c16ec3f587045af136adb4fe88a991b9d7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 10:58:19 +0200
+Subject: media: platform: fix some double free in meson-ge2d and mtk-jpeg and
+ s5p-mfc
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+[ Upstream commit c65c3f3a2cbf21ed429d9b9c725bdb5dc6abf4cf ]
+
+video_unregister_device will release device internally. There is no need to
+call video_device_release after video_unregister_device.
+
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/amlogic/meson-ge2d/ge2d.c | 1 -
+ drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 1 -
+ drivers/media/platform/samsung/s5p-mfc/s5p_mfc.c | 3 +--
+ 3 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/media/platform/amlogic/meson-ge2d/ge2d.c b/drivers/media/platform/amlogic/meson-ge2d/ge2d.c
+index 5e7b319f300d..142d421a8d76 100644
+--- a/drivers/media/platform/amlogic/meson-ge2d/ge2d.c
++++ b/drivers/media/platform/amlogic/meson-ge2d/ge2d.c
+@@ -1030,7 +1030,6 @@ static int ge2d_remove(struct platform_device *pdev)
+
+ video_unregister_device(ge2d->vfd);
+ v4l2_m2m_release(ge2d->m2m_dev);
+- video_device_release(ge2d->vfd);
+ v4l2_device_unregister(&ge2d->v4l2_dev);
+ clk_disable_unprepare(ge2d->clk);
+
+diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
+index 87685a62a5c2..3071b61946c3 100644
+--- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
++++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
+@@ -1414,7 +1414,6 @@ static int mtk_jpeg_remove(struct platform_device *pdev)
+
+ pm_runtime_disable(&pdev->dev);
+ video_unregister_device(jpeg->vdev);
+- video_device_release(jpeg->vdev);
+ v4l2_m2m_release(jpeg->m2m_dev);
+ v4l2_device_unregister(&jpeg->v4l2_dev);
+
+diff --git a/drivers/media/platform/samsung/s5p-mfc/s5p_mfc.c b/drivers/media/platform/samsung/s5p-mfc/s5p_mfc.c
+index 761341934925..f85d1eebafac 100644
+--- a/drivers/media/platform/samsung/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/samsung/s5p-mfc/s5p_mfc.c
+@@ -1399,6 +1399,7 @@ static int s5p_mfc_probe(struct platform_device *pdev)
+ /* Deinit MFC if probe had failed */
+ err_enc_reg:
+ video_unregister_device(dev->vfd_dec);
++ dev->vfd_dec = NULL;
+ err_dec_reg:
+ video_device_release(dev->vfd_enc);
+ err_enc_alloc:
+@@ -1444,8 +1445,6 @@ static int s5p_mfc_remove(struct platform_device *pdev)
+
+ video_unregister_device(dev->vfd_enc);
+ video_unregister_device(dev->vfd_dec);
+- video_device_release(dev->vfd_enc);
+- video_device_release(dev->vfd_dec);
+ v4l2_device_unregister(&dev->v4l2_dev);
+ s5p_mfc_unconfigure_dma_memory(dev);
+
+--
+2.35.1
+
--- /dev/null
+From 3f152ebafc7baec42fe6e5e9bfca3a88e179f098 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Jul 2022 18:12:36 +0800
+Subject: media: tm6000: Fix unused value in vidioc_try_fmt_vid_cap()
+
+From: Zeng Jingxiang <linuszeng@tencent.com>
+
+[ Upstream commit d682869daa23938b5e8919db45c4b5b227749712 ]
+
+Coverity warns of an unused value:
+
+assigned_value: Assign the value of the variable f->fmt.pix.field
+to field here, but that stored value is overwritten.
+before it can be used.
+919 field = f->fmt.pix.field;
+920
+
+value_overwrite: Overwriting previous write to field with
+the value of V4L2_FIELD_INTERLACED.
+921 field = V4L2_FIELD_INTERLACED;
+
+Fixes: ed57256f6fe8 ("[media] tm6000: fix G/TRY_FMT")
+Signed-off-by: Zeng Jingxiang <linuszeng@tencent.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/tm6000/tm6000-video.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/media/usb/tm6000/tm6000-video.c b/drivers/media/usb/tm6000/tm6000-video.c
+index d855a19551f3..e06ed21edbdd 100644
+--- a/drivers/media/usb/tm6000/tm6000-video.c
++++ b/drivers/media/usb/tm6000/tm6000-video.c
+@@ -916,8 +916,6 @@ static int vidioc_try_fmt_vid_cap(struct file *file, void *priv,
+ return -EINVAL;
+ }
+
+- field = f->fmt.pix.field;
+-
+ field = V4L2_FIELD_INTERLACED;
+
+ tm6000_get_std_res(dev);
+--
+2.35.1
+
--- /dev/null
+From 1642ee1d995e8e4b081fdecccd2480b586d9c900 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Jan 2022 18:04:39 +0100
+Subject: media: uvcvideo: Fix memory leak in uvc_gpio_parse
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+[ Upstream commit f0f078457f18f10696888f8d0e6aba9deb9cde92 ]
+
+Previously the unit buffer was allocated before checking the IRQ for
+privacy GPIO. In case of error, the unit buffer was leaked.
+
+Allocate the unit buffer after the IRQ to avoid it.
+
+Addresses-Coverity-ID: 1474639 ("Resource leak")
+
+Fixes: 2886477ff987 ("media: uvcvideo: Implement UVC_EXT_GPIO_UNIT")
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
+index d509a4a2f08e..822e9694f092 100644
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -1553,10 +1553,6 @@ static int uvc_gpio_parse(struct uvc_device *dev)
+ if (IS_ERR_OR_NULL(gpio_privacy))
+ return PTR_ERR_OR_ZERO(gpio_privacy);
+
+- unit = uvc_alloc_entity(UVC_EXT_GPIO_UNIT, UVC_EXT_GPIO_UNIT_ID, 0, 1);
+- if (!unit)
+- return -ENOMEM;
+-
+ irq = gpiod_to_irq(gpio_privacy);
+ if (irq < 0) {
+ if (irq != EPROBE_DEFER)
+@@ -1565,6 +1561,10 @@ static int uvc_gpio_parse(struct uvc_device *dev)
+ return irq;
+ }
+
++ unit = uvc_alloc_entity(UVC_EXT_GPIO_UNIT, UVC_EXT_GPIO_UNIT_ID, 0, 1);
++ if (!unit)
++ return -ENOMEM;
++
+ unit->gpio.gpio_privacy = gpio_privacy;
+ unit->gpio.irq = irq;
+ unit->gpio.bControlSize = 1;
+--
+2.35.1
+
--- /dev/null
+From 5c46d011d820ebef7edac0471769df60e847210d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Jul 2022 10:53:31 +0200
+Subject: media: uvcvideo: Use entity get_cur in uvc_ctrl_set
+
+From: Yunke Cao <yunkec@google.com>
+
+[ Upstream commit 5f36851c36b30f713f588ed2b60aa7b4512e2c76 ]
+
+Entity controls should get_cur using an entity-defined function
+instead of via a query. Fix this in uvc_ctrl_set.
+
+Fixes: 65900c581d01 ("media: uvcvideo: Allow entity-defined get_info and get_cur")
+Signed-off-by: Yunke Cao <yunkec@google.com>
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_ctrl.c | 83 ++++++++++++++++++--------------
+ 1 file changed, 46 insertions(+), 37 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
+index 8c208db9600b..53250ea75dfb 100644
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -985,36 +985,56 @@ static s32 __uvc_ctrl_get_value(struct uvc_control_mapping *mapping,
+ return value;
+ }
+
+-static int __uvc_ctrl_get(struct uvc_video_chain *chain,
+- struct uvc_control *ctrl, struct uvc_control_mapping *mapping,
+- s32 *value)
++static int __uvc_ctrl_load_cur(struct uvc_video_chain *chain,
++ struct uvc_control *ctrl)
+ {
++ u8 *data;
+ int ret;
+
+- if ((ctrl->info.flags & UVC_CTRL_FLAG_GET_CUR) == 0)
+- return -EACCES;
++ if (ctrl->loaded)
++ return 0;
+
+- if (!ctrl->loaded) {
+- if (ctrl->entity->get_cur) {
+- ret = ctrl->entity->get_cur(chain->dev,
+- ctrl->entity,
+- ctrl->info.selector,
+- uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT),
+- ctrl->info.size);
+- } else {
+- ret = uvc_query_ctrl(chain->dev, UVC_GET_CUR,
+- ctrl->entity->id,
+- chain->dev->intfnum,
+- ctrl->info.selector,
+- uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT),
+- ctrl->info.size);
+- }
+- if (ret < 0)
+- return ret;
++ data = uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT);
+
++ if ((ctrl->info.flags & UVC_CTRL_FLAG_GET_CUR) == 0) {
++ memset(data, 0, ctrl->info.size);
+ ctrl->loaded = 1;
++
++ return 0;
+ }
+
++ if (ctrl->entity->get_cur)
++ ret = ctrl->entity->get_cur(chain->dev, ctrl->entity,
++ ctrl->info.selector, data,
++ ctrl->info.size);
++ else
++ ret = uvc_query_ctrl(chain->dev, UVC_GET_CUR,
++ ctrl->entity->id, chain->dev->intfnum,
++ ctrl->info.selector, data,
++ ctrl->info.size);
++
++ if (ret < 0)
++ return ret;
++
++ ctrl->loaded = 1;
++
++ return ret;
++}
++
++static int __uvc_ctrl_get(struct uvc_video_chain *chain,
++ struct uvc_control *ctrl,
++ struct uvc_control_mapping *mapping,
++ s32 *value)
++{
++ int ret;
++
++ if ((ctrl->info.flags & UVC_CTRL_FLAG_GET_CUR) == 0)
++ return -EACCES;
++
++ ret = __uvc_ctrl_load_cur(chain, ctrl);
++ if (ret < 0)
++ return ret;
++
+ *value = __uvc_ctrl_get_value(mapping,
+ uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT));
+
+@@ -1810,21 +1830,10 @@ int uvc_ctrl_set(struct uvc_fh *handle,
+ * needs to be loaded from the device to perform the read-modify-write
+ * operation.
+ */
+- if (!ctrl->loaded && (ctrl->info.size * 8) != mapping->size) {
+- if ((ctrl->info.flags & UVC_CTRL_FLAG_GET_CUR) == 0) {
+- memset(uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT),
+- 0, ctrl->info.size);
+- } else {
+- ret = uvc_query_ctrl(chain->dev, UVC_GET_CUR,
+- ctrl->entity->id, chain->dev->intfnum,
+- ctrl->info.selector,
+- uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT),
+- ctrl->info.size);
+- if (ret < 0)
+- return ret;
+- }
+-
+- ctrl->loaded = 1;
++ if ((ctrl->info.size * 8) != mapping->size) {
++ ret = __uvc_ctrl_load_cur(chain, ctrl);
++ if (ret < 0)
++ return ret;
+ }
+
+ /* Backup the current value in case we need to rollback later. */
+--
+2.35.1
+
--- /dev/null
+From 5cc036de01c402cf40cccf04dcb95af5e18e8313 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jul 2022 12:21:07 +0200
+Subject: media: v4l2-ctrls: allocate space for arrays
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 5f2c5c69a61dc5411d436c1a422f8a1ee195a924 ]
+
+Just like dynamic arrays, also allocate space for regular arrays.
+
+This is in preparation for allowing to change the array size from
+a driver.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Stable-dep-of: 211f8304fa21 ("media: exynos4-is: fimc-is: Add of_node_put() when breaking out of loop")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-ctrls-api.c | 8 +++---
+ drivers/media/v4l2-core/v4l2-ctrls-core.c | 33 +++++++++++------------
+ include/media/v4l2-ctrls.h | 17 ++++++------
+ 3 files changed, 28 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/media/v4l2-core/v4l2-ctrls-api.c b/drivers/media/v4l2-core/v4l2-ctrls-api.c
+index 50d012ba3c02..1b90bd7c4010 100644
+--- a/drivers/media/v4l2-core/v4l2-ctrls-api.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls-api.c
+@@ -105,8 +105,8 @@ static int user_to_new(struct v4l2_ext_control *c, struct v4l2_ctrl *ctrl)
+
+ ctrl->is_new = 0;
+ if (ctrl->is_dyn_array &&
+- c->size > ctrl->p_dyn_alloc_elems * ctrl->elem_size) {
+- void *old = ctrl->p_dyn;
++ c->size > ctrl->p_array_alloc_elems * ctrl->elem_size) {
++ void *old = ctrl->p_array;
+ void *tmp = kvzalloc(2 * c->size, GFP_KERNEL);
+
+ if (!tmp)
+@@ -115,8 +115,8 @@ static int user_to_new(struct v4l2_ext_control *c, struct v4l2_ctrl *ctrl)
+ memcpy(tmp + c->size, ctrl->p_cur.p, ctrl->elems * ctrl->elem_size);
+ ctrl->p_new.p = tmp;
+ ctrl->p_cur.p = tmp + c->size;
+- ctrl->p_dyn = tmp;
+- ctrl->p_dyn_alloc_elems = c->size / ctrl->elem_size;
++ ctrl->p_array = tmp;
++ ctrl->p_array_alloc_elems = c->size / ctrl->elem_size;
+ kvfree(old);
+ }
+
+diff --git a/drivers/media/v4l2-core/v4l2-ctrls-core.c b/drivers/media/v4l2-core/v4l2-ctrls-core.c
+index 1f85828d6694..9871c77f559b 100644
+--- a/drivers/media/v4l2-core/v4l2-ctrls-core.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls-core.c
+@@ -1135,14 +1135,14 @@ int req_to_new(struct v4l2_ctrl_ref *ref)
+
+ /*
+ * Check if the number of elements in the request is more than the
+- * elements in ctrl->p_dyn. If so, attempt to realloc ctrl->p_dyn.
+- * Note that p_dyn is allocated with twice the number of elements
++ * elements in ctrl->p_array. If so, attempt to realloc ctrl->p_array.
++ * Note that p_array is allocated with twice the number of elements
+ * in the dynamic array since it has to store both the current and
+ * new value of such a control.
+ */
+- if (ref->p_req_elems > ctrl->p_dyn_alloc_elems) {
++ if (ref->p_req_elems > ctrl->p_array_alloc_elems) {
+ unsigned int sz = ref->p_req_elems * ctrl->elem_size;
+- void *old = ctrl->p_dyn;
++ void *old = ctrl->p_array;
+ void *tmp = kvzalloc(2 * sz, GFP_KERNEL);
+
+ if (!tmp)
+@@ -1151,8 +1151,8 @@ int req_to_new(struct v4l2_ctrl_ref *ref)
+ memcpy(tmp + sz, ctrl->p_cur.p, ctrl->elems * ctrl->elem_size);
+ ctrl->p_new.p = tmp;
+ ctrl->p_cur.p = tmp + sz;
+- ctrl->p_dyn = tmp;
+- ctrl->p_dyn_alloc_elems = ref->p_req_elems;
++ ctrl->p_array = tmp;
++ ctrl->p_array_alloc_elems = ref->p_req_elems;
+ kvfree(old);
+ }
+
+@@ -1252,7 +1252,7 @@ void v4l2_ctrl_handler_free(struct v4l2_ctrl_handler *hdl)
+ list_del(&ctrl->node);
+ list_for_each_entry_safe(sev, next_sev, &ctrl->ev_subs, node)
+ list_del(&sev->node);
+- kvfree(ctrl->p_dyn);
++ kvfree(ctrl->p_array);
+ kvfree(ctrl);
+ }
+ kvfree(hdl->buckets);
+@@ -1584,11 +1584,10 @@ static struct v4l2_ctrl *v4l2_ctrl_new(struct v4l2_ctrl_handler *hdl,
+ V4L2_CTRL_FLAG_EXECUTE_ON_WRITE;
+ else if (type == V4L2_CTRL_TYPE_CTRL_CLASS)
+ flags |= V4L2_CTRL_FLAG_READ_ONLY;
+- else if (!(flags & V4L2_CTRL_FLAG_DYNAMIC_ARRAY) &&
++ else if (!is_array &&
+ (type == V4L2_CTRL_TYPE_INTEGER64 ||
+ type == V4L2_CTRL_TYPE_STRING ||
+- type >= V4L2_CTRL_COMPOUND_TYPES ||
+- is_array))
++ type >= V4L2_CTRL_COMPOUND_TYPES))
+ sz_extra += 2 * tot_ctrl_size;
+
+ if (type >= V4L2_CTRL_COMPOUND_TYPES && p_def.p_const)
+@@ -1632,14 +1631,14 @@ static struct v4l2_ctrl *v4l2_ctrl_new(struct v4l2_ctrl_handler *hdl,
+ ctrl->cur.val = ctrl->val = def;
+ data = &ctrl[1];
+
+- if (ctrl->is_dyn_array) {
+- ctrl->p_dyn_alloc_elems = elems;
+- ctrl->p_dyn = kvzalloc(2 * elems * elem_size, GFP_KERNEL);
+- if (!ctrl->p_dyn) {
++ if (ctrl->is_array) {
++ ctrl->p_array_alloc_elems = elems;
++ ctrl->p_array = kvzalloc(2 * elems * elem_size, GFP_KERNEL);
++ if (!ctrl->p_array) {
+ kvfree(ctrl);
+ return NULL;
+ }
+- data = ctrl->p_dyn;
++ data = ctrl->p_array;
+ }
+
+ if (!ctrl->is_int) {
+@@ -1651,7 +1650,7 @@ static struct v4l2_ctrl *v4l2_ctrl_new(struct v4l2_ctrl_handler *hdl,
+ }
+
+ if (type >= V4L2_CTRL_COMPOUND_TYPES && p_def.p_const) {
+- if (ctrl->is_dyn_array)
++ if (ctrl->is_array)
+ ctrl->p_def.p = &ctrl[1];
+ else
+ ctrl->p_def.p = ctrl->p_cur.p + tot_ctrl_size;
+@@ -1664,7 +1663,7 @@ static struct v4l2_ctrl *v4l2_ctrl_new(struct v4l2_ctrl_handler *hdl,
+ }
+
+ if (handler_new_ref(hdl, ctrl, NULL, false, false)) {
+- kvfree(ctrl->p_dyn);
++ kvfree(ctrl->p_array);
+ kvfree(ctrl);
+ return NULL;
+ }
+diff --git a/include/media/v4l2-ctrls.h b/include/media/v4l2-ctrls.h
+index 00828a4f9404..5ddd506ae7b9 100644
+--- a/include/media/v4l2-ctrls.h
++++ b/include/media/v4l2-ctrls.h
+@@ -203,7 +203,7 @@ typedef void (*v4l2_ctrl_notify_fnc)(struct v4l2_ctrl *ctrl, void *priv);
+ * @elem_size: The size in bytes of the control.
+ * @new_elems: The number of elements in p_new. This is the same as @elems,
+ * except for dynamic arrays. In that case it is in the range of
+- * 1 to @p_dyn_alloc_elems.
++ * 1 to @p_array_alloc_elems.
+ * @dims: The size of each dimension.
+ * @nr_of_dims:The number of dimensions in @dims.
+ * @menu_skip_mask: The control's skip mask for menu controls. This makes it
+@@ -227,12 +227,11 @@ typedef void (*v4l2_ctrl_notify_fnc)(struct v4l2_ctrl *ctrl, void *priv);
+ * not freed when the control is deleted. Should this be needed
+ * then a new internal bitfield can be added to tell the framework
+ * to free this pointer.
+- * @p_dyn: Pointer to the dynamically allocated array. Only valid if
+- * @is_dyn_array is true.
+- * @p_dyn_alloc_elems: The number of elements in the dynamically allocated
+- * array for both the cur and new values. So @p_dyn is actually
+- * sized for 2 * @p_dyn_alloc_elems * @elem_size. Only valid if
+- * @is_dyn_array is true.
++ * @p_array: Pointer to the allocated array. Only valid if @is_array is true.
++ * @p_array_alloc_elems: The number of elements in the allocated
++ * array for both the cur and new values. So @p_array is actually
++ * sized for 2 * @p_array_alloc_elems * @elem_size. Only valid if
++ * @is_array is true.
+ * @cur: Structure to store the current value.
+ * @cur.val: The control's current value, if the @type is represented via
+ * a u32 integer (see &enum v4l2_ctrl_type).
+@@ -291,8 +290,8 @@ struct v4l2_ctrl {
+ };
+ unsigned long flags;
+ void *priv;
+- void *p_dyn;
+- u32 p_dyn_alloc_elems;
++ void *p_array;
++ u32 p_array_alloc_elems;
+ s32 val;
+ struct {
+ s32 val;
+--
+2.35.1
+
--- /dev/null
+From 8d2e9422c424812e64021d4cb26660e4dcb4e514 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Jun 2022 06:25:14 +0200
+Subject: media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 1c78f19c3a0ea312a8178a6bfd8934eb93e9b10a ]
+
+of_get_child_by_name() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: df3305156f98 ("[media] v4l: xilinx: Add Xilinx Video IP core")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/xilinx/xilinx-vipp.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/platform/xilinx/xilinx-vipp.c b/drivers/media/platform/xilinx/xilinx-vipp.c
+index f34f8b077e03..0a16c218a50a 100644
+--- a/drivers/media/platform/xilinx/xilinx-vipp.c
++++ b/drivers/media/platform/xilinx/xilinx-vipp.c
+@@ -471,7 +471,7 @@ static int xvip_graph_dma_init(struct xvip_composite_device *xdev)
+ {
+ struct device_node *ports;
+ struct device_node *port;
+- int ret;
++ int ret = 0;
+
+ ports = of_get_child_by_name(xdev->dev->of_node, "ports");
+ if (ports == NULL) {
+@@ -481,13 +481,14 @@ static int xvip_graph_dma_init(struct xvip_composite_device *xdev)
+
+ for_each_child_of_node(ports, port) {
+ ret = xvip_graph_dma_init_one(xdev, port);
+- if (ret < 0) {
++ if (ret) {
+ of_node_put(port);
+- return ret;
++ break;
+ }
+ }
+
+- return 0;
++ of_node_put(ports);
++ return ret;
+ }
+
+ static void xvip_graph_cleanup(struct xvip_composite_device *xdev)
+--
+2.35.1
+
--- /dev/null
+From 158598f88778bd0ff79c9428121f3c44909cda52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Jul 2022 16:56:39 +0800
+Subject: memory: of: Fix refcount leak bug in of_get_ddr_timings()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 05215fb32010d4afb68fbdbb4d237df6e2d4567b ]
+
+We should add the of_node_put() when breaking out of
+for_each_child_of_node() as it will automatically increase
+and decrease the refcount.
+
+Fixes: e6b42eb6a66c ("memory: emif: add device tree support to emif driver")
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20220719085640.1210583-1-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/of_memory.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/memory/of_memory.c b/drivers/memory/of_memory.c
+index dbdf87bc0b78..8e2ef4bf6b17 100644
+--- a/drivers/memory/of_memory.c
++++ b/drivers/memory/of_memory.c
+@@ -134,6 +134,7 @@ const struct lpddr2_timings *of_get_ddr_timings(struct device_node *np_ddr,
+ for_each_child_of_node(np_ddr, np_tim) {
+ if (of_device_is_compatible(np_tim, tim_compat)) {
+ if (of_do_get_timings(np_tim, &timings[i])) {
++ of_node_put(np_tim);
+ devm_kfree(dev, timings);
+ goto default_timings;
+ }
+--
+2.35.1
+
--- /dev/null
+From 1a2b6b0fdddc31b966d2c706ef283ba23156094e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Jul 2022 16:56:40 +0800
+Subject: memory: of: Fix refcount leak bug in of_lpddr3_get_ddr_timings()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 48af14fb0eaa63d9aa68f59fb0b205ec55a95636 ]
+
+We should add the of_node_put() when breaking out of
+for_each_child_of_node() as it will automatically increase
+and decrease the refcount.
+
+Fixes: 976897dd96db ("memory: Extend of_memory with LPDDR3 support")
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20220719085640.1210583-2-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/of_memory.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/memory/of_memory.c b/drivers/memory/of_memory.c
+index 8e2ef4bf6b17..fcd20d85d385 100644
+--- a/drivers/memory/of_memory.c
++++ b/drivers/memory/of_memory.c
+@@ -285,6 +285,7 @@ const struct lpddr3_timings
+ if (of_device_is_compatible(np_tim, tim_compat)) {
+ if (of_lpddr3_do_get_timings(np_tim, &timings[i])) {
+ devm_kfree(dev, timings);
++ of_node_put(np_tim);
+ goto default_timings;
+ }
+ i++;
+--
+2.35.1
+
--- /dev/null
+From 50654083481c4da502da34080d7bf3df87c75088 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Jul 2022 11:13:24 +0800
+Subject: memory: pl353-smc: Fix refcount leak bug in pl353_smc_probe()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 61b3c876c1cbdb1efd1f52a1f348580e6e14efb6 ]
+
+The break of for_each_available_child_of_node() needs a
+corresponding of_node_put() when the reference 'child' is not
+used anymore. Here we do not need to call of_node_put() in
+fail path as '!match' means no break.
+
+While the of_platform_device_create() will created a new
+reference by 'child' but it has considered the refcounting.
+
+Fixes: fee10bd22678 ("memory: pl353: Add driver for arm pl353 static memory controller")
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20220716031324.447680-1-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/pl353-smc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/memory/pl353-smc.c b/drivers/memory/pl353-smc.c
+index f84b98278745..d39ee7d06665 100644
+--- a/drivers/memory/pl353-smc.c
++++ b/drivers/memory/pl353-smc.c
+@@ -122,6 +122,7 @@ static int pl353_smc_probe(struct amba_device *adev, const struct amba_id *id)
+ }
+
+ of_platform_device_create(child, NULL, &adev->dev);
++ of_node_put(child);
+
+ return 0;
+
+--
+2.35.1
+
--- /dev/null
+From 250bd62ebc28602bad88da1b9b7a2695314286f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 11:20:04 +0200
+Subject: mfd: da9061: Fix Failed to set Two-Wire Bus Mode.
+
+From: Jens Hillenstedt <jens.hillenstedt@ise.de>
+
+[ Upstream commit 834382ea32865a4bdeae83ec2dcb9321dc9489f2 ]
+
+In da9062_i2c_probe() regmap_clear_bits() tries to access CONFIG_J
+register. As CONFIG_J is not present in da9061_aa_writeable_ranges[] probe
+of da9061 fails:
+
+ da9062 2-0058: Entering I2C mode!
+ da9062 2-0058: Failed to set Two-Wire Bus Mode.
+ da9062: probe of 2-0058 failed with error -5
+
+Add CONFIG_J register to da9061_aa_writeable_ranges[].
+
+Fixes: 5c6f0f456351 ("mfd: da9062: Support SMBus and I2C mode")
+Signed-off-by: Jens Hillenstedt <jens.hillenstedt@ise.de>
+Reviewed-by: Adam Ward <DLG-Adam.Ward.opensource@dm.renesas.com>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/20220915092004.168744-1-jens.hillenstedt@ise.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/da9062-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mfd/da9062-core.c b/drivers/mfd/da9062-core.c
+index 2774b2cbaea6..c2acdbcd5d6b 100644
+--- a/drivers/mfd/da9062-core.c
++++ b/drivers/mfd/da9062-core.c
+@@ -453,6 +453,7 @@ static const struct regmap_range da9061_aa_writeable_ranges[] = {
+ regmap_reg_range(DA9062AA_VBUCK1_B, DA9062AA_VBUCK4_B),
+ regmap_reg_range(DA9062AA_VBUCK3_B, DA9062AA_VBUCK3_B),
+ regmap_reg_range(DA9062AA_VLDO1_B, DA9062AA_VLDO4_B),
++ regmap_reg_range(DA9062AA_CONFIG_J, DA9062AA_CONFIG_J),
+ regmap_reg_range(DA9062AA_GP_ID_0, DA9062AA_GP_ID_19),
+ };
+
+--
+2.35.1
+
--- /dev/null
+From c64188425c96b61bb38cdce6a18c758e37472936 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Jul 2022 14:06:23 +0200
+Subject: mfd: fsl-imx25: Fix an error handling path in mx25_tsadc_setup_irq()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 3fa9e4cfb55da512ebfd57336fde468830719298 ]
+
+If devm_of_platform_populate() fails, some resources need to be
+released.
+
+Introduce a mx25_tsadc_unset_irq() function that undoes
+mx25_tsadc_setup_irq() and call it both from the new error handling path
+of the probe and in the remove function.
+
+Fixes: a55196eff6d6 ("mfd: fsl-imx25: Use devm_of_platform_populate()")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/d404e04828fc06bcfddf81f9f3e9b4babbe35415.1659269156.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/fsl-imx25-tsadc.c | 32 ++++++++++++++++++++++++--------
+ 1 file changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/mfd/fsl-imx25-tsadc.c b/drivers/mfd/fsl-imx25-tsadc.c
+index 37e5e02a1d05..85f7982d26d2 100644
+--- a/drivers/mfd/fsl-imx25-tsadc.c
++++ b/drivers/mfd/fsl-imx25-tsadc.c
+@@ -84,6 +84,19 @@ static int mx25_tsadc_setup_irq(struct platform_device *pdev,
+ return 0;
+ }
+
++static int mx25_tsadc_unset_irq(struct platform_device *pdev)
++{
++ struct mx25_tsadc *tsadc = platform_get_drvdata(pdev);
++ int irq = platform_get_irq(pdev, 0);
++
++ if (irq) {
++ irq_set_chained_handler_and_data(irq, NULL, NULL);
++ irq_domain_remove(tsadc->domain);
++ }
++
++ return 0;
++}
++
+ static void mx25_tsadc_setup_clk(struct platform_device *pdev,
+ struct mx25_tsadc *tsadc)
+ {
+@@ -171,18 +184,21 @@ static int mx25_tsadc_probe(struct platform_device *pdev)
+
+ platform_set_drvdata(pdev, tsadc);
+
+- return devm_of_platform_populate(dev);
++ ret = devm_of_platform_populate(dev);
++ if (ret)
++ goto err_irq;
++
++ return 0;
++
++err_irq:
++ mx25_tsadc_unset_irq(pdev);
++
++ return ret;
+ }
+
+ static int mx25_tsadc_remove(struct platform_device *pdev)
+ {
+- struct mx25_tsadc *tsadc = platform_get_drvdata(pdev);
+- int irq = platform_get_irq(pdev, 0);
+-
+- if (irq) {
+- irq_set_chained_handler_and_data(irq, NULL, NULL);
+- irq_domain_remove(tsadc->domain);
+- }
++ mx25_tsadc_unset_irq(pdev);
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 9127497dea076f4bc8b4a75dac544e5eb1ea3e01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Aug 2022 13:53:05 +0300
+Subject: mfd: fsl-imx25: Fix check for platform_get_irq() errors
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 75db7907355ca5e2ff606e9dd3e86b6c3a455fe2 ]
+
+The mx25_tsadc_remove() function assumes all non-zero returns are success
+but the platform_get_irq() function returns negative on error and
+positive non-zero values on success. It never returns zero, but if it
+did then treat that as a success.
+
+Fixes: 18f773937968 ("mfd: fsl-imx25: Clean up irq settings during removal")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Martin Kaiser <martin@kaiser.cx>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/YvTfkbVQWYKMKS/t@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/fsl-imx25-tsadc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mfd/fsl-imx25-tsadc.c b/drivers/mfd/fsl-imx25-tsadc.c
+index 85f7982d26d2..823595bcc9b7 100644
+--- a/drivers/mfd/fsl-imx25-tsadc.c
++++ b/drivers/mfd/fsl-imx25-tsadc.c
+@@ -69,7 +69,7 @@ static int mx25_tsadc_setup_irq(struct platform_device *pdev,
+ int irq;
+
+ irq = platform_get_irq(pdev, 0);
+- if (irq <= 0)
++ if (irq < 0)
+ return irq;
+
+ tsadc->domain = irq_domain_add_simple(np, 2, 0, &mx25_tsadc_domain_ops,
+@@ -89,7 +89,7 @@ static int mx25_tsadc_unset_irq(struct platform_device *pdev)
+ struct mx25_tsadc *tsadc = platform_get_drvdata(pdev);
+ int irq = platform_get_irq(pdev, 0);
+
+- if (irq) {
++ if (irq >= 0) {
+ irq_set_chained_handler_and_data(irq, NULL, NULL);
+ irq_domain_remove(tsadc->domain);
+ }
+--
+2.35.1
+
--- /dev/null
+From 209b7e6b824cc7a4f5dd80a856f1c9891b011142 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Aug 2022 14:42:02 +0300
+Subject: mfd: intel_soc_pmic: Fix an error handling path in
+ intel_soc_pmic_i2c_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 48749cabba109397b4e7dd556e85718ec0ec114d ]
+
+The commit in Fixes: has added a pwm_add_table() call in the probe() and
+a pwm_remove_table() call in the remove(), but forget to update the error
+handling path of the probe.
+
+Add the missing pwm_remove_table() call.
+
+Fixes: a3aa9a93df9f ("mfd: intel_soc_pmic_core: ADD PWM lookup table for CRC PMIC based PWM")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/20220801114211.36267-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/intel_soc_pmic_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mfd/intel_soc_pmic_core.c b/drivers/mfd/intel_soc_pmic_core.c
+index 5e8c94e008ed..85d070bce0e2 100644
+--- a/drivers/mfd/intel_soc_pmic_core.c
++++ b/drivers/mfd/intel_soc_pmic_core.c
+@@ -77,6 +77,7 @@ static int intel_soc_pmic_i2c_probe(struct i2c_client *i2c,
+ return 0;
+
+ err_del_irq_chip:
++ pwm_remove_table(crc_pwm_lookup, ARRAY_SIZE(crc_pwm_lookup));
+ regmap_del_irq_chip(pmic->irq, pmic->irq_chip_data);
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From ad97041bb2e4ef2188ed5e541fdb61b7246d5480 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Jul 2022 11:55:38 +0200
+Subject: mfd: lp8788: Fix an error handling path in lp8788_irq_init() and
+ lp8788_irq_init()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 557244f6284f30613f2d61f14b579303165876c3 ]
+
+In lp8788_irq_init(), if an error occurs after a successful
+irq_domain_add_linear() call, it must be undone by a corresponding
+irq_domain_remove() call.
+
+irq_domain_remove() should also be called in lp8788_irq_exit() for the same
+reason.
+
+Fixes: eea6b7cc53aa ("mfd: Add lp8788 mfd driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/bcd5a72c9c1c383dd6324680116426e32737655a.1659261275.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/lp8788-irq.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mfd/lp8788-irq.c b/drivers/mfd/lp8788-irq.c
+index 348439a3fbbd..39006297f3d2 100644
+--- a/drivers/mfd/lp8788-irq.c
++++ b/drivers/mfd/lp8788-irq.c
+@@ -175,6 +175,7 @@ int lp8788_irq_init(struct lp8788 *lp, int irq)
+ IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+ "lp8788-irq", irqd);
+ if (ret) {
++ irq_domain_remove(lp->irqdm);
+ dev_err(lp->dev, "failed to create a thread for IRQ_N\n");
+ return ret;
+ }
+@@ -188,4 +189,6 @@ void lp8788_irq_exit(struct lp8788 *lp)
+ {
+ if (lp->irq)
+ free_irq(lp->irq, lp->irqdm);
++ if (lp->irqdm)
++ irq_domain_remove(lp->irqdm);
+ }
+--
+2.35.1
+
--- /dev/null
+From c2fdb6a362335e829103e8036b285b3ae1a71593 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Jul 2022 11:55:27 +0200
+Subject: mfd: lp8788: Fix an error handling path in lp8788_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit becfdcd75126b20b8ec10066c5e85b34f8994ad5 ]
+
+Should an error occurs in mfd_add_devices(), some resources need to be
+released, as already done in the .remove() function.
+
+Add an error handling path and a lp8788_irq_exit() call to undo a previous
+lp8788_irq_init().
+
+Fixes: eea6b7cc53aa ("mfd: Add lp8788 mfd driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/18398722da9df9490722d853e4797350189ae79b.1659261275.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/lp8788.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mfd/lp8788.c b/drivers/mfd/lp8788.c
+index c223d2c6a363..998e8cc408a0 100644
+--- a/drivers/mfd/lp8788.c
++++ b/drivers/mfd/lp8788.c
+@@ -195,8 +195,16 @@ static int lp8788_probe(struct i2c_client *cl, const struct i2c_device_id *id)
+ if (ret)
+ return ret;
+
+- return mfd_add_devices(lp->dev, -1, lp8788_devs,
+- ARRAY_SIZE(lp8788_devs), NULL, 0, NULL);
++ ret = mfd_add_devices(lp->dev, -1, lp8788_devs,
++ ARRAY_SIZE(lp8788_devs), NULL, 0, NULL);
++ if (ret)
++ goto err_exit_irq;
++
++ return 0;
++
++err_exit_irq:
++ lp8788_irq_exit(lp);
++ return ret;
+ }
+
+ static int lp8788_remove(struct i2c_client *cl)
+--
+2.35.1
+
--- /dev/null
+From 63cc48c3c3418ddc312a12b79c637df8e701d9a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 17:11:12 +0800
+Subject: mfd: sm501: Add check for platform_driver_register()
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 8325a6c24ad78b8c1acc3c42b098ee24105d68e5 ]
+
+As platform_driver_register() can return error numbers,
+it should be better to check platform_driver_register()
+and deal with the exception.
+
+Fixes: b6d6454fdb66 ("[PATCH] mfd: SM501 core driver")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/20220913091112.1739138-1-jiasheng@iscas.ac.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/sm501.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c
+index bc0a2c38653e..3ac4508a6742 100644
+--- a/drivers/mfd/sm501.c
++++ b/drivers/mfd/sm501.c
+@@ -1720,7 +1720,12 @@ static struct platform_driver sm501_plat_driver = {
+
+ static int __init sm501_base_init(void)
+ {
+- platform_driver_register(&sm501_plat_driver);
++ int ret;
++
++ ret = platform_driver_register(&sm501_plat_driver);
++ if (ret < 0)
++ return ret;
++
+ return pci_register_driver(&sm501_pci_driver);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 96a488dd284292ddc68f071b4df751919cff1bea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Aug 2022 16:39:32 -0500
+Subject: micrel: ksz8851: fixes struct pointer issue
+
+From: Jerry Ray <jerry.ray@microchip.com>
+
+[ Upstream commit fef5de753ff01887cfa50990532c3890fccb9338 ]
+
+Issue found during code review. This bug has no impact as long as the
+ks8851_net structure is the first element of the ks8851_net_spi structure.
+As long as the offset to the ks8851_net struct is zero, the container_of()
+macro is subtracting 0 and therefore no damage done. But if the
+ks8851_net_spi struct is ever modified such that the ks8851_net struct
+within it is no longer the first element of the struct, then the bug would
+manifest itself and cause problems.
+
+struct ks8851_net is contained within ks8851_net_spi.
+ks is contained within kss.
+kss is the priv_data of the netdev structure.
+
+Signed-off-by: Jerry Ray <jerry.ray@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ks8851_spi.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/micrel/ks8851_spi.c b/drivers/net/ethernet/micrel/ks8851_spi.c
+index 82d55fc27edc..70bc7253454f 100644
+--- a/drivers/net/ethernet/micrel/ks8851_spi.c
++++ b/drivers/net/ethernet/micrel/ks8851_spi.c
+@@ -413,7 +413,8 @@ static int ks8851_probe_spi(struct spi_device *spi)
+
+ spi->bits_per_word = 8;
+
+- ks = netdev_priv(netdev);
++ kss = netdev_priv(netdev);
++ ks = &kss->ks8851;
+
+ ks->lock = ks8851_lock_spi;
+ ks->unlock = ks8851_unlock_spi;
+@@ -433,8 +434,6 @@ static int ks8851_probe_spi(struct spi_device *spi)
+ IRQ_RXPSI) /* RX process stop */
+ ks->rc_ier = STD_IRQ;
+
+- kss = to_ks8851_spi(ks);
+-
+ kss->spidev = spi;
+ mutex_init(&kss->lock);
+ INIT_WORK(&kss->tx_work, ks8851_tx_work);
+--
+2.35.1
+
--- /dev/null
+From 467d08e54d1cb28313222ac4e9d961b52e8ab630 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 16:05:56 -0700
+Subject: MIPS: BCM47XX: Cast memcmp() of function to (void *)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 0dedcf6e3301836eb70cfa649052e7ce4fcd13ba ]
+
+Clang is especially sensitive about argument type matching when using
+__overloaded functions (like memcmp(), etc). Help it see that function
+pointers are just "void *". Avoids this error:
+
+arch/mips/bcm47xx/prom.c:89:8: error: no matching function for call to 'memcmp'
+ if (!memcmp(prom_init, prom_init + mem, 32))
+ ^~~~~~
+include/linux/string.h:156:12: note: candidate function not viable: no known conversion from 'void (void)' to 'const void *' for 1st argument extern int memcmp(const void *,const void *,__kernel_size_t);
+
+Cc: Hauke Mehrtens <hauke@hauke-m.de>
+Cc: "Rafał Miłecki" <zajec5@gmail.com>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: linux-mips@vger.kernel.org
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: llvm@lists.linux.dev
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/lkml/202209080652.sz2d68e5-lkp@intel.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/bcm47xx/prom.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/bcm47xx/prom.c b/arch/mips/bcm47xx/prom.c
+index ab203e66ba0d..a9bea411d928 100644
+--- a/arch/mips/bcm47xx/prom.c
++++ b/arch/mips/bcm47xx/prom.c
+@@ -86,7 +86,7 @@ static __init void prom_init_mem(void)
+ pr_debug("Assume 128MB RAM\n");
+ break;
+ }
+- if (!memcmp(prom_init, prom_init + mem, 32))
++ if (!memcmp((void *)prom_init, (void *)prom_init + mem, 32))
+ break;
+ }
+ lowmem = mem;
+@@ -159,7 +159,7 @@ void __init bcm47xx_prom_highmem_init(void)
+
+ off = EXTVBASE + __pa(off);
+ for (extmem = 128 << 20; extmem < 512 << 20; extmem <<= 1) {
+- if (!memcmp(prom_init, (void *)(off + extmem), 16))
++ if (!memcmp((void *)prom_init, (void *)(off + extmem), 16))
+ break;
+ }
+ extmem -= lowmem;
+--
+2.35.1
+
--- /dev/null
+From c0257ae10205020741c3df658b693ad492d47ff9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 20:25:55 +0300
+Subject: mips: dts: ralink: mt7621: fix external phy on GB-PC2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL <arinc.unal@arinc9.com>
+
+[ Upstream commit 247825f991b34440f9b9d4fe607502435a42ac7b ]
+
+The address of the external phy on the mdio bus is 5. Update the devicetree
+for GB-PC2 accordingly.
+
+Fixes: 5bc148649cf3 ("staging: mt7621-dts: fix GB-PC2 devicetree")
+Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Reviewed-by: Sergio Paracuellos <sergio.paracuellos@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/boot/dts/ralink/mt7621-gnubee-gb-pc2.dts | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/mips/boot/dts/ralink/mt7621-gnubee-gb-pc2.dts b/arch/mips/boot/dts/ralink/mt7621-gnubee-gb-pc2.dts
+index 34006e667780..0d01e542a0a6 100644
+--- a/arch/mips/boot/dts/ralink/mt7621-gnubee-gb-pc2.dts
++++ b/arch/mips/boot/dts/ralink/mt7621-gnubee-gb-pc2.dts
+@@ -83,12 +83,12 @@
+
+ &gmac1 {
+ status = "okay";
+- phy-handle = <ðphy7>;
++ phy-handle = <ðphy5>;
+ };
+
+ &mdio {
+- ethphy7: ethernet-phy@7 {
+- reg = <7>;
++ ethphy5: ethernet-phy@5 {
++ reg = <5>;
+ phy-mode = "rgmii-rxid";
+ };
+ };
+--
+2.35.1
+
--- /dev/null
+From e4d4b8df16852bc548ec5794bc309c8208b25972 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Sep 2022 11:29:17 +0800
+Subject: MIPS: SGI-IP27: Fix platform-device leak in bridge_platform_create()
+
+From: Lin Yujun <linyujun809@huawei.com>
+
+[ Upstream commit 11bec9cba4de06b3c0e9e4041453c2caaa1cbec1 ]
+
+In error case in bridge_platform_create after calling
+platform_device_add()/platform_device_add_data()/
+platform_device_add_resources(), release the failed
+'pdev' or it will be leak, call platform_device_put()
+to fix this problem.
+
+Besides, 'pdev' is divided into 'pdev_wd' and 'pdev_bd',
+use platform_device_unregister() to release sgi_w1
+resources when xtalk-bridge registration fails.
+
+Fixes: 5dc76a96e95a ("MIPS: PCI: use information from 1-wire PROM for IOC3 detection")
+Signed-off-by: Lin Yujun <linyujun809@huawei.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/sgi-ip27/ip27-xtalk.c | 70 +++++++++++++++++++++++----------
+ 1 file changed, 50 insertions(+), 20 deletions(-)
+
+diff --git a/arch/mips/sgi-ip27/ip27-xtalk.c b/arch/mips/sgi-ip27/ip27-xtalk.c
+index e762886d1dda..5143d1cf8984 100644
+--- a/arch/mips/sgi-ip27/ip27-xtalk.c
++++ b/arch/mips/sgi-ip27/ip27-xtalk.c
+@@ -27,15 +27,18 @@ static void bridge_platform_create(nasid_t nasid, int widget, int masterwid)
+ {
+ struct xtalk_bridge_platform_data *bd;
+ struct sgi_w1_platform_data *wd;
+- struct platform_device *pdev;
++ struct platform_device *pdev_wd;
++ struct platform_device *pdev_bd;
+ struct resource w1_res;
+ unsigned long offset;
+
+ offset = NODE_OFFSET(nasid);
+
+ wd = kzalloc(sizeof(*wd), GFP_KERNEL);
+- if (!wd)
+- goto no_mem;
++ if (!wd) {
++ pr_warn("xtalk:n%d/%x bridge create out of memory\n", nasid, widget);
++ return;
++ }
+
+ snprintf(wd->dev_id, sizeof(wd->dev_id), "bridge-%012lx",
+ offset + (widget << SWIN_SIZE_BITS));
+@@ -46,24 +49,35 @@ static void bridge_platform_create(nasid_t nasid, int widget, int masterwid)
+ w1_res.end = w1_res.start + 3;
+ w1_res.flags = IORESOURCE_MEM;
+
+- pdev = platform_device_alloc("sgi_w1", PLATFORM_DEVID_AUTO);
+- if (!pdev) {
+- kfree(wd);
+- goto no_mem;
++ pdev_wd = platform_device_alloc("sgi_w1", PLATFORM_DEVID_AUTO);
++ if (!pdev_wd) {
++ pr_warn("xtalk:n%d/%x bridge create out of memory\n", nasid, widget);
++ goto err_kfree_wd;
++ }
++ if (platform_device_add_resources(pdev_wd, &w1_res, 1)) {
++ pr_warn("xtalk:n%d/%x bridge failed to add platform resources.\n", nasid, widget);
++ goto err_put_pdev_wd;
++ }
++ if (platform_device_add_data(pdev_wd, wd, sizeof(*wd))) {
++ pr_warn("xtalk:n%d/%x bridge failed to add platform data.\n", nasid, widget);
++ goto err_put_pdev_wd;
++ }
++ if (platform_device_add(pdev_wd)) {
++ pr_warn("xtalk:n%d/%x bridge failed to add platform device.\n", nasid, widget);
++ goto err_put_pdev_wd;
+ }
+- platform_device_add_resources(pdev, &w1_res, 1);
+- platform_device_add_data(pdev, wd, sizeof(*wd));
+ /* platform_device_add_data() duplicates the data */
+ kfree(wd);
+- platform_device_add(pdev);
+
+ bd = kzalloc(sizeof(*bd), GFP_KERNEL);
+- if (!bd)
+- goto no_mem;
+- pdev = platform_device_alloc("xtalk-bridge", PLATFORM_DEVID_AUTO);
+- if (!pdev) {
+- kfree(bd);
+- goto no_mem;
++ if (!bd) {
++ pr_warn("xtalk:n%d/%x bridge create out of memory\n", nasid, widget);
++ goto err_unregister_pdev_wd;
++ }
++ pdev_bd = platform_device_alloc("xtalk-bridge", PLATFORM_DEVID_AUTO);
++ if (!pdev_bd) {
++ pr_warn("xtalk:n%d/%x bridge create out of memory\n", nasid, widget);
++ goto err_kfree_bd;
+ }
+
+
+@@ -84,15 +98,31 @@ static void bridge_platform_create(nasid_t nasid, int widget, int masterwid)
+ bd->io.flags = IORESOURCE_IO;
+ bd->io_offset = offset;
+
+- platform_device_add_data(pdev, bd, sizeof(*bd));
++ if (platform_device_add_data(pdev_bd, bd, sizeof(*bd))) {
++ pr_warn("xtalk:n%d/%x bridge failed to add platform data.\n", nasid, widget);
++ goto err_put_pdev_bd;
++ }
++ if (platform_device_add(pdev_bd)) {
++ pr_warn("xtalk:n%d/%x bridge failed to add platform device.\n", nasid, widget);
++ goto err_put_pdev_bd;
++ }
+ /* platform_device_add_data() duplicates the data */
+ kfree(bd);
+- platform_device_add(pdev);
+ pr_info("xtalk:n%d/%x bridge widget\n", nasid, widget);
+ return;
+
+-no_mem:
+- pr_warn("xtalk:n%d/%x bridge create out of memory\n", nasid, widget);
++err_put_pdev_bd:
++ platform_device_put(pdev_bd);
++err_kfree_bd:
++ kfree(bd);
++err_unregister_pdev_wd:
++ platform_device_unregister(pdev_wd);
++ return;
++err_put_pdev_wd:
++ platform_device_put(pdev_wd);
++err_kfree_wd:
++ kfree(wd);
++ return;
+ }
+
+ static int probe_one_port(nasid_t nasid, int widget, int masterwid)
+--
+2.35.1
+
--- /dev/null
+From 1e3e150b1e632b5095f3f822c10d7eb16f2d747e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Sep 2022 11:28:07 +0800
+Subject: MIPS: SGI-IP30: Fix platform-device leak in bridge_platform_create()
+
+From: Lin Yujun <linyujun809@huawei.com>
+
+[ Upstream commit 1e6d11fe72e311c1989991ee318d239f650fa318 ]
+
+In error case in bridge_platform_create after calling
+platform_device_add()/platform_device_add_data()/
+platform_device_add_resources(), release the failed
+'pdev' or it will be leak, call platform_device_put()
+to fix this problem.
+
+Besides, 'pdev' is divided into 'pdev_wd' and 'pdev_bd',
+use platform_device_unregister() to release sgi_w1
+resources when xtalk-bridge registration fails.
+
+Fixes: fd27234f24ae ("MIPS: add support for SGI Octane (IP30)")
+Signed-off-by: Lin Yujun <linyujun809@huawei.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/sgi-ip30/ip30-xtalk.c | 70 +++++++++++++++++++++++----------
+ 1 file changed, 50 insertions(+), 20 deletions(-)
+
+diff --git a/arch/mips/sgi-ip30/ip30-xtalk.c b/arch/mips/sgi-ip30/ip30-xtalk.c
+index 8129524421cb..7ceb2b23ea1c 100644
+--- a/arch/mips/sgi-ip30/ip30-xtalk.c
++++ b/arch/mips/sgi-ip30/ip30-xtalk.c
+@@ -40,12 +40,15 @@ static void bridge_platform_create(int widget, int masterwid)
+ {
+ struct xtalk_bridge_platform_data *bd;
+ struct sgi_w1_platform_data *wd;
+- struct platform_device *pdev;
++ struct platform_device *pdev_wd;
++ struct platform_device *pdev_bd;
+ struct resource w1_res;
+
+ wd = kzalloc(sizeof(*wd), GFP_KERNEL);
+- if (!wd)
+- goto no_mem;
++ if (!wd) {
++ pr_warn("xtalk:%x bridge create out of memory\n", widget);
++ return;
++ }
+
+ snprintf(wd->dev_id, sizeof(wd->dev_id), "bridge-%012lx",
+ IP30_SWIN_BASE(widget));
+@@ -56,24 +59,35 @@ static void bridge_platform_create(int widget, int masterwid)
+ w1_res.end = w1_res.start + 3;
+ w1_res.flags = IORESOURCE_MEM;
+
+- pdev = platform_device_alloc("sgi_w1", PLATFORM_DEVID_AUTO);
+- if (!pdev) {
+- kfree(wd);
+- goto no_mem;
++ pdev_wd = platform_device_alloc("sgi_w1", PLATFORM_DEVID_AUTO);
++ if (!pdev_wd) {
++ pr_warn("xtalk:%x bridge create out of memory\n", widget);
++ goto err_kfree_wd;
++ }
++ if (platform_device_add_resources(pdev_wd, &w1_res, 1)) {
++ pr_warn("xtalk:%x bridge failed to add platform resources.\n", widget);
++ goto err_put_pdev_wd;
++ }
++ if (platform_device_add_data(pdev_wd, wd, sizeof(*wd))) {
++ pr_warn("xtalk:%x bridge failed to add platform data.\n", widget);
++ goto err_put_pdev_wd;
++ }
++ if (platform_device_add(pdev_wd)) {
++ pr_warn("xtalk:%x bridge failed to add platform device.\n", widget);
++ goto err_put_pdev_wd;
+ }
+- platform_device_add_resources(pdev, &w1_res, 1);
+- platform_device_add_data(pdev, wd, sizeof(*wd));
+ /* platform_device_add_data() duplicates the data */
+ kfree(wd);
+- platform_device_add(pdev);
+
+ bd = kzalloc(sizeof(*bd), GFP_KERNEL);
+- if (!bd)
+- goto no_mem;
+- pdev = platform_device_alloc("xtalk-bridge", PLATFORM_DEVID_AUTO);
+- if (!pdev) {
+- kfree(bd);
+- goto no_mem;
++ if (!bd) {
++ pr_warn("xtalk:%x bridge create out of memory\n", widget);
++ goto err_unregister_pdev_wd;
++ }
++ pdev_bd = platform_device_alloc("xtalk-bridge", PLATFORM_DEVID_AUTO);
++ if (!pdev_bd) {
++ pr_warn("xtalk:%x bridge create out of memory\n", widget);
++ goto err_kfree_bd;
+ }
+
+ bd->bridge_addr = IP30_RAW_SWIN_BASE(widget);
+@@ -93,15 +107,31 @@ static void bridge_platform_create(int widget, int masterwid)
+ bd->io.flags = IORESOURCE_IO;
+ bd->io_offset = IP30_SWIN_BASE(widget);
+
+- platform_device_add_data(pdev, bd, sizeof(*bd));
++ if (platform_device_add_data(pdev_bd, bd, sizeof(*bd))) {
++ pr_warn("xtalk:%x bridge failed to add platform data.\n", widget);
++ goto err_put_pdev_bd;
++ }
++ if (platform_device_add(pdev_bd)) {
++ pr_warn("xtalk:%x bridge failed to add platform device.\n", widget);
++ goto err_put_pdev_bd;
++ }
+ /* platform_device_add_data() duplicates the data */
+ kfree(bd);
+- platform_device_add(pdev);
+ pr_info("xtalk:%x bridge widget\n", widget);
+ return;
+
+-no_mem:
+- pr_warn("xtalk:%x bridge create out of memory\n", widget);
++err_put_pdev_bd:
++ platform_device_put(pdev_bd);
++err_kfree_bd:
++ kfree(bd);
++err_unregister_pdev_wd:
++ platform_device_unregister(pdev_wd);
++ return;
++err_put_pdev_wd:
++ platform_device_put(pdev_wd);
++err_kfree_wd:
++ kfree(wd);
++ return;
+ }
+
+ static unsigned int __init xbow_widget_active(s8 wid)
+--
+2.35.1
+
--- /dev/null
+From 19dec594dc54ffebe99cee9601ec7df645e97729 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Aug 2022 16:26:00 +0800
+Subject: misc: ocxl: fix possible refcount leak in afu_ioctl()
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+[ Upstream commit c3b69ba5114c860d730870c03ab4ee45276e5e35 ]
+
+eventfd_ctx_put need to be called to put the refcount that gotten by
+eventfd_ctx_fdget when ocxl_irq_set_handler fails.
+
+Fixes: 060146614643 ("ocxl: move event_fd handling to frontend")
+Acked-by: Frederic Barrat <fbarrat@linux.ibm.com>
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Link: https://lore.kernel.org/r/20220824082600.36159-1-hbh25y@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/ocxl/file.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/misc/ocxl/file.c b/drivers/misc/ocxl/file.c
+index 6777c419a8da..d46dba2df5a1 100644
+--- a/drivers/misc/ocxl/file.c
++++ b/drivers/misc/ocxl/file.c
+@@ -257,6 +257,8 @@ static long afu_ioctl(struct file *file, unsigned int cmd,
+ if (IS_ERR(ev_ctx))
+ return PTR_ERR(ev_ctx);
+ rc = ocxl_irq_set_handler(ctx, irq_id, irq_handler, irq_free, ev_ctx);
++ if (rc)
++ eventfd_ctx_put(ev_ctx);
+ break;
+
+ case OCXL_IOCTL_GET_METADATA:
+--
+2.35.1
+
--- /dev/null
+From 65169f2a6522325cef08da62ed9a6f907921fcda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Sep 2022 21:39:38 +0800
+Subject: mISDN: fix use-after-free bugs in l1oip timer handlers
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 2568a7e0832ee30b0a351016d03062ab4e0e0a3f ]
+
+The l1oip_cleanup() traverses the l1oip_ilist and calls
+release_card() to cleanup module and stack. However,
+release_card() calls del_timer() to delete the timers
+such as keep_tl and timeout_tl. If the timer handler is
+running, the del_timer() will not stop it and result in
+UAF bugs. One of the processes is shown below:
+
+ (cleanup routine) | (timer handler)
+release_card() | l1oip_timeout()
+ ... |
+ del_timer() | ...
+ ... |
+ kfree(hc) //FREE |
+ | hc->timeout_on = 0 //USE
+
+Fix by calling del_timer_sync() in release_card(), which
+makes sure the timer handlers have finished before the
+resources, such as l1oip and so on, have been deallocated.
+
+What's more, the hc->workq and hc->socket_thread can kick
+those timers right back in. We add a bool flag to show
+if card is released. Then, check this flag in hc->workq
+and hc->socket_thread.
+
+Fixes: 3712b42d4b1b ("Add layer1 over IP support")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/mISDN/l1oip.h | 1 +
+ drivers/isdn/mISDN/l1oip_core.c | 13 +++++++------
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/isdn/mISDN/l1oip.h b/drivers/isdn/mISDN/l1oip.h
+index 7ea10db20e3a..48133d022812 100644
+--- a/drivers/isdn/mISDN/l1oip.h
++++ b/drivers/isdn/mISDN/l1oip.h
+@@ -59,6 +59,7 @@ struct l1oip {
+ int bundle; /* bundle channels in one frm */
+ int codec; /* codec to use for transmis. */
+ int limit; /* limit number of bchannels */
++ bool shutdown; /* if card is released */
+
+ /* timer */
+ struct timer_list keep_tl;
+diff --git a/drivers/isdn/mISDN/l1oip_core.c b/drivers/isdn/mISDN/l1oip_core.c
+index 2c40412466e6..a77195e378b7 100644
+--- a/drivers/isdn/mISDN/l1oip_core.c
++++ b/drivers/isdn/mISDN/l1oip_core.c
+@@ -275,7 +275,7 @@ l1oip_socket_send(struct l1oip *hc, u8 localcodec, u8 channel, u32 chanmask,
+ p = frame;
+
+ /* restart timer */
+- if (time_before(hc->keep_tl.expires, jiffies + 5 * HZ))
++ if (time_before(hc->keep_tl.expires, jiffies + 5 * HZ) && !hc->shutdown)
+ mod_timer(&hc->keep_tl, jiffies + L1OIP_KEEPALIVE * HZ);
+ else
+ hc->keep_tl.expires = jiffies + L1OIP_KEEPALIVE * HZ;
+@@ -601,7 +601,9 @@ l1oip_socket_parse(struct l1oip *hc, struct sockaddr_in *sin, u8 *buf, int len)
+ goto multiframe;
+
+ /* restart timer */
+- if (time_before(hc->timeout_tl.expires, jiffies + 5 * HZ) || !hc->timeout_on) {
++ if ((time_before(hc->timeout_tl.expires, jiffies + 5 * HZ) ||
++ !hc->timeout_on) &&
++ !hc->shutdown) {
+ hc->timeout_on = 1;
+ mod_timer(&hc->timeout_tl, jiffies + L1OIP_TIMEOUT * HZ);
+ } else /* only adjust timer */
+@@ -1232,11 +1234,10 @@ release_card(struct l1oip *hc)
+ {
+ int ch;
+
+- if (timer_pending(&hc->keep_tl))
+- del_timer(&hc->keep_tl);
++ hc->shutdown = true;
+
+- if (timer_pending(&hc->timeout_tl))
+- del_timer(&hc->timeout_tl);
++ del_timer_sync(&hc->keep_tl);
++ del_timer_sync(&hc->timeout_tl);
+
+ cancel_work_sync(&hc->workq);
+
+--
+2.35.1
+
--- /dev/null
+From de8aa42b1490adac3a01f2156585bbabc416a199 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 09:33:57 +0200
+Subject: mmc: au1xmmc: Fix an error handling path in au1xmmc_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 5cbedf52608cc3cbc1c2a9a861fb671620427a20 ]
+
+If clk_prepare_enable() fails, there is no point in calling
+clk_disable_unprepare() in the error handling path.
+
+Move the out_clk label at the right place.
+
+Fixes: b6507596dfd6 ("MIPS: Alchemy: au1xmmc: use clk framework")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/21d99886d07fa7fcbec74992657dabad98c935c4.1661412818.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/au1xmmc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/au1xmmc.c b/drivers/mmc/host/au1xmmc.c
+index a9a0837153d8..c88b039dc9fb 100644
+--- a/drivers/mmc/host/au1xmmc.c
++++ b/drivers/mmc/host/au1xmmc.c
+@@ -1097,8 +1097,9 @@ static int au1xmmc_probe(struct platform_device *pdev)
+ if (host->platdata && host->platdata->cd_setup &&
+ !(mmc->caps & MMC_CAP_NEEDS_POLL))
+ host->platdata->cd_setup(mmc, 0);
+-out_clk:
++
+ clk_disable_unprepare(host->clk);
++out_clk:
+ clk_put(host->clk);
+ out_irq:
+ free_irq(host->irq, host);
+--
+2.35.1
+
--- /dev/null
+From 57dae2b262de0c9a125d9033819cd0faa0232d05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 21:43:22 -0400
+Subject: mmc: sdhci-msm: add compatible string check for sdm670
+
+From: Richard Acayan <mailingradian@gmail.com>
+
+[ Upstream commit 4de95950d970c71a9e82a24573bb7a44fd95baa1 ]
+
+The Snapdragon 670 has the same quirk as Snapdragon 845 (needing to
+restore the dll config). Add a compatible string check to detect the need
+for this.
+
+Signed-off-by: Richard Acayan <mailingradian@gmail.com>
+Reviewed-by: Bhupesh Sharma <bhupesh.sharma@linaro.org>
+Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20220923014322.33620-3-mailingradian@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-msm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c
+index dc2991422a87..3a091a387ecb 100644
+--- a/drivers/mmc/host/sdhci-msm.c
++++ b/drivers/mmc/host/sdhci-msm.c
+@@ -2441,6 +2441,7 @@ static const struct of_device_id sdhci_msm_dt_match[] = {
+ */
+ {.compatible = "qcom,sdhci-msm-v4", .data = &sdhci_msm_mci_var},
+ {.compatible = "qcom,sdhci-msm-v5", .data = &sdhci_msm_v5_var},
++ {.compatible = "qcom,sdm670-sdhci", .data = &sdm845_sdhci_var},
+ {.compatible = "qcom,sdm845-sdhci", .data = &sdm845_sdhci_var},
+ {.compatible = "qcom,sc7180-sdhci", .data = &sdm845_sdhci_var},
+ {},
+--
+2.35.1
+
--- /dev/null
+From 1da113ee3b8aab295338b0a89fe717ec496bef32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 21:06:40 +0200
+Subject: mmc: wmt-sdmmc: Fix an error handling path in wmt_mci_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit cb58188ad90a61784a56a64f5107faaf2ad323e7 ]
+
+A dma_free_coherent() call is missing in the error handling path of the
+probe, as already done in the remove function.
+
+Fixes: 3a96dff0f828 ("mmc: SD/MMC Host Controller for Wondermedia WM8505/WM8650")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/53fc6ffa5d1c428fefeae7d313cf4a669c3a1e98.1663873255.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/wmt-sdmmc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/wmt-sdmmc.c b/drivers/mmc/host/wmt-sdmmc.c
+index 163ac9df8cca..9b5c503e3a3f 100644
+--- a/drivers/mmc/host/wmt-sdmmc.c
++++ b/drivers/mmc/host/wmt-sdmmc.c
+@@ -846,7 +846,7 @@ static int wmt_mci_probe(struct platform_device *pdev)
+ if (IS_ERR(priv->clk_sdmmc)) {
+ dev_err(&pdev->dev, "Error getting clock\n");
+ ret = PTR_ERR(priv->clk_sdmmc);
+- goto fail5;
++ goto fail5_and_a_half;
+ }
+
+ ret = clk_prepare_enable(priv->clk_sdmmc);
+@@ -863,6 +863,9 @@ static int wmt_mci_probe(struct platform_device *pdev)
+ return 0;
+ fail6:
+ clk_put(priv->clk_sdmmc);
++fail5_and_a_half:
++ dma_free_coherent(&pdev->dev, mmc->max_blk_count * 16,
++ priv->dma_desc_buffer, priv->dma_desc_device_addr);
+ fail5:
+ free_irq(dma_irq, priv);
+ fail4:
+--
+2.35.1
+
--- /dev/null
+From cf9280ef99923f38acbd3f559c9a38c3b42d0afc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Oct 2022 14:38:12 +0100
+Subject: module: tracking: Keep a record of tainted unloaded modules only
+
+From: Aaron Tomlin <atomlin@redhat.com>
+
+[ Upstream commit 47cc75aa92837a9d3f15157d6272ff285585d75d ]
+
+This ensures that no module record/or entry is added to the
+unloaded_tainted_modules list if it does not carry a taint.
+
+Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
+Fixes: 99bd9956551b ("module: Introduce module unload taint tracking")
+Signed-off-by: Aaron Tomlin <atomlin@redhat.com>
+Acked-by: Luis Chamberlain <mcgrof@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/module/tracking.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/module/tracking.c b/kernel/module/tracking.c
+index 7f8133044d09..af52cabfe632 100644
+--- a/kernel/module/tracking.c
++++ b/kernel/module/tracking.c
+@@ -21,6 +21,9 @@ int try_add_tainted_module(struct module *mod)
+
+ module_assert_mutex_or_preempt();
+
++ if (!mod->taints)
++ goto out;
++
+ list_for_each_entry_rcu(mod_taint, &unloaded_tainted_modules, list,
+ lockdep_is_held(&module_mutex)) {
+ if (!strcmp(mod_taint->name, mod->name) &&
+--
+2.35.1
+
--- /dev/null
+From a4595c946d935305ac80e2a97ec106fe784986d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Jul 2022 17:16:44 +0800
+Subject: mtd: devices: docg3: check the return value of devm_ioremap() in the
+ probe
+
+From: William Dean <williamsukatube@gmail.com>
+
+[ Upstream commit 26e784433e6c65735cd6d93a8db52531970d9a60 ]
+
+The function devm_ioremap() in docg3_probe() can fail, so
+its return value should be checked.
+
+Fixes: 82402aeb8c81e ("mtd: docg3: Use devm_*() functions")
+Reported-by: Hacash Robot <hacashRobot@santino.com>
+Signed-off-by: William Dean <williamsukatube@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20220722091644.2937953-1-williamsukatube@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/devices/docg3.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/devices/docg3.c b/drivers/mtd/devices/docg3.c
+index 5b0ae5ddad74..27c08f22dec8 100644
+--- a/drivers/mtd/devices/docg3.c
++++ b/drivers/mtd/devices/docg3.c
+@@ -1974,9 +1974,14 @@ static int __init docg3_probe(struct platform_device *pdev)
+ dev_err(dev, "No I/O memory resource defined\n");
+ return ret;
+ }
+- base = devm_ioremap(dev, ress->start, DOC_IOSPACE_SIZE);
+
+ ret = -ENOMEM;
++ base = devm_ioremap(dev, ress->start, DOC_IOSPACE_SIZE);
++ if (!base) {
++ dev_err(dev, "devm_ioremap dev failed\n");
++ return ret;
++ }
++
+ cascade = devm_kcalloc(dev, DOC_MAX_NBFLOORS, sizeof(*cascade),
+ GFP_KERNEL);
+ if (!cascade)
+--
+2.35.1
+
--- /dev/null
+From 02fae436c06c9beed745054fbdfd606201fc2f40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Jul 2022 20:43:28 +0200
+Subject: mtd: rawnand: fsl_elbc: Fix none ECC mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 049e43b9fd8fd2966940485da163d67e96ee3fea ]
+
+Commit f6424c22aa36 ("mtd: rawnand: fsl_elbc: Make SW ECC work") added
+support for specifying ECC mode via DTS and skipping autodetection.
+
+But it broke explicit specification of HW ECC mode in DTS as correct
+settings for HW ECC mode are applied only when NONE mode or nothing was
+specified in DTS file.
+
+Also it started aliasing NONE mode to be same as when ECC mode was not
+specified and disallowed usage of ON_DIE mode.
+
+Fix all these issues. Use autodetection of ECC mode only in case when mode
+was really not specified in DTS file by checking that ecc value is invalid.
+Set HW ECC settings either when HW ECC was specified in DTS or it was
+autodetected. And do not fail when ON_DIE mode is set.
+
+Fixes: f6424c22aa36 ("mtd: rawnand: fsl_elbc: Make SW ECC work")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Reviewed-by: Marek Behún <kabel@kernel.org>
+Reviewed-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20220707184328.3845-1-pali@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/fsl_elbc_nand.c | 28 ++++++++++++++++------------
+ 1 file changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/fsl_elbc_nand.c b/drivers/mtd/nand/raw/fsl_elbc_nand.c
+index aab93b9e6052..a18d121396aa 100644
+--- a/drivers/mtd/nand/raw/fsl_elbc_nand.c
++++ b/drivers/mtd/nand/raw/fsl_elbc_nand.c
+@@ -726,36 +726,40 @@ static int fsl_elbc_attach_chip(struct nand_chip *chip)
+ struct fsl_lbc_regs __iomem *lbc = ctrl->regs;
+ unsigned int al;
+
+- switch (chip->ecc.engine_type) {
+ /*
+ * if ECC was not chosen in DT, decide whether to use HW or SW ECC from
+ * CS Base Register
+ */
+- case NAND_ECC_ENGINE_TYPE_NONE:
++ if (chip->ecc.engine_type == NAND_ECC_ENGINE_TYPE_INVALID) {
+ /* If CS Base Register selects full hardware ECC then use it */
+ if ((in_be32(&lbc->bank[priv->bank].br) & BR_DECC) ==
+ BR_DECC_CHK_GEN) {
+- chip->ecc.read_page = fsl_elbc_read_page;
+- chip->ecc.write_page = fsl_elbc_write_page;
+- chip->ecc.write_subpage = fsl_elbc_write_subpage;
+-
+ chip->ecc.engine_type = NAND_ECC_ENGINE_TYPE_ON_HOST;
+- mtd_set_ooblayout(mtd, &fsl_elbc_ooblayout_ops);
+- chip->ecc.size = 512;
+- chip->ecc.bytes = 3;
+- chip->ecc.strength = 1;
+ } else {
+ /* otherwise fall back to default software ECC */
+ chip->ecc.engine_type = NAND_ECC_ENGINE_TYPE_SOFT;
+ chip->ecc.algo = NAND_ECC_ALGO_HAMMING;
+ }
++ }
++
++ switch (chip->ecc.engine_type) {
++ /* if HW ECC was chosen, setup ecc and oob layout */
++ case NAND_ECC_ENGINE_TYPE_ON_HOST:
++ chip->ecc.read_page = fsl_elbc_read_page;
++ chip->ecc.write_page = fsl_elbc_write_page;
++ chip->ecc.write_subpage = fsl_elbc_write_subpage;
++ mtd_set_ooblayout(mtd, &fsl_elbc_ooblayout_ops);
++ chip->ecc.size = 512;
++ chip->ecc.bytes = 3;
++ chip->ecc.strength = 1;
+ break;
+
+- /* if SW ECC was chosen in DT, we do not need to set anything here */
++ /* if none or SW ECC was chosen, we do not need to set anything here */
++ case NAND_ECC_ENGINE_TYPE_NONE:
+ case NAND_ECC_ENGINE_TYPE_SOFT:
++ case NAND_ECC_ENGINE_TYPE_ON_DIE:
+ break;
+
+- /* should we also implement *_ECC_ENGINE_CONTROLLER to do as above? */
+ default:
+ return -EINVAL;
+ }
+--
+2.35.1
+
--- /dev/null
+From 13b832c23c488548eeea4be050a9f5e454a82a9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Jul 2022 01:12:24 +0200
+Subject: mtd: rawnand: intel: Don't re-define NAND_DATA_IFACE_CHECK_ONLY
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit ebe0cd60fcffd499f8020fde9b3b74acba9c22af ]
+
+NAND_DATA_IFACE_CHECK_ONLY is already defined in
+include/linux/mtd/rawnand.h which is also included by the driver. Drop
+the re-definition from the intel-nand-controller driver.
+
+Fixes: 0b1039f016e8a3 ("mtd: rawnand: Add NAND controller support on Intel LGM SoC")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20220702231227.1579176-6-martin.blumenstingl@googlemail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/intel-nand-controller.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/intel-nand-controller.c b/drivers/mtd/nand/raw/intel-nand-controller.c
+index 056835fd4562..3df16d5ecae8 100644
+--- a/drivers/mtd/nand/raw/intel-nand-controller.c
++++ b/drivers/mtd/nand/raw/intel-nand-controller.c
+@@ -100,8 +100,6 @@
+
+ #define HSNAND_ECC_OFFSET 0x008
+
+-#define NAND_DATA_IFACE_CHECK_ONLY -1
+-
+ #define MAX_CS 2
+
+ #define USEC_PER_SEC 1000000L
+--
+2.35.1
+
--- /dev/null
+From dee80ed0b8b6c845ba4bef42c89e08a76fd0fa74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Jul 2022 01:12:22 +0200
+Subject: mtd: rawnand: intel: Read the chip-select line from the correct OF
+ node
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit bfc618fcc3f167ad082053e81e9d664e724c6288 ]
+
+The chip select has to be read from the flash node which is a child node
+of the NAND controller.
+
+Fixes: 0b1039f016e8a3 ("mtd: rawnand: Add NAND controller support on Intel LGM SoC")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20220702231227.1579176-4-martin.blumenstingl@googlemail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/intel-nand-controller.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/intel-nand-controller.c b/drivers/mtd/nand/raw/intel-nand-controller.c
+index e91b879b32bd..3df3f32423f9 100644
+--- a/drivers/mtd/nand/raw/intel-nand-controller.c
++++ b/drivers/mtd/nand/raw/intel-nand-controller.c
+@@ -16,6 +16,7 @@
+ #include <linux/mtd/rawnand.h>
+ #include <linux/mtd/nand.h>
+
++#include <linux/of.h>
+ #include <linux/platform_device.h>
+ #include <linux/sched.h>
+ #include <linux/slab.h>
+@@ -580,6 +581,7 @@ static int ebu_nand_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+ struct ebu_nand_controller *ebu_host;
++ struct device_node *chip_np;
+ struct nand_chip *nand;
+ struct mtd_info *mtd;
+ struct resource *res;
+@@ -604,7 +606,12 @@ static int ebu_nand_probe(struct platform_device *pdev)
+ if (IS_ERR(ebu_host->hsnand))
+ return PTR_ERR(ebu_host->hsnand);
+
+- ret = device_property_read_u32(dev, "reg", &cs);
++ chip_np = of_get_next_child(dev->of_node, NULL);
++ if (!chip_np)
++ return dev_err_probe(dev, -EINVAL,
++ "Could not find child node for the NAND chip\n");
++
++ ret = of_property_read_u32(chip_np, "reg", &cs);
+ if (ret) {
+ dev_err(dev, "failed to get chip select: %d\n", ret);
+ return ret;
+@@ -660,7 +667,7 @@ static int ebu_nand_probe(struct platform_device *pdev)
+ writel(ebu_host->cs[cs].addr_sel | EBU_ADDR_MASK(5) | EBU_ADDR_SEL_REGEN,
+ ebu_host->ebu + EBU_ADDR_SEL(cs));
+
+- nand_set_flash_node(&ebu_host->chip, dev->of_node);
++ nand_set_flash_node(&ebu_host->chip, chip_np);
+
+ mtd = nand_to_mtd(&ebu_host->chip);
+ if (!mtd->name) {
+--
+2.35.1
+
--- /dev/null
+From 835c107b208bc2ae6962b2409599d436dbfeb0e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Jul 2022 01:12:23 +0200
+Subject: mtd: rawnand: intel: Remove undocumented compatible string
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit 68c02ebaa34d41063ccbbc789a352537ddc3cd8a ]
+
+The "intel,nand-controller" compatible string is not part of the
+dt-bindings. Remove it from the driver as it's not supposed to be used
+without any documentation for it.
+
+Fixes: 0b1039f016e8a3 ("mtd: rawnand: Add NAND controller support on Intel LGM SoC")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20220702231227.1579176-5-martin.blumenstingl@googlemail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/intel-nand-controller.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/raw/intel-nand-controller.c b/drivers/mtd/nand/raw/intel-nand-controller.c
+index 3df3f32423f9..056835fd4562 100644
+--- a/drivers/mtd/nand/raw/intel-nand-controller.c
++++ b/drivers/mtd/nand/raw/intel-nand-controller.c
+@@ -723,7 +723,6 @@ static int ebu_nand_remove(struct platform_device *pdev)
+ }
+
+ static const struct of_device_id ebu_nand_match[] = {
+- { .compatible = "intel,nand-controller" },
+ { .compatible = "intel,lgm-ebunand" },
+ {}
+ };
+--
+2.35.1
+
--- /dev/null
+From 6320ed76c9c4e4339c5c797092627b4e7e498afe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Jul 2022 10:12:12 +0300
+Subject: mtd: rawnand: meson: fix bit map use in meson_nfc_ecc_correct()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 3e4ad3212cf22687410b1e8f4e68feec50646113 ]
+
+The meson_nfc_ecc_correct() function accidentally does a right shift
+instead of a left shift so it only works for BIT(0). Also use
+BIT_ULL() because "correct_bitmap" is a u64 and we want to avoid
+shift wrapping bugs.
+
+Fixes: 8fae856c5350 ("mtd: rawnand: meson: add support for Amlogic NAND flash controller")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Liang Yang <liang.yang@amlogic.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/YuI2zF1hP65+LE7r@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/raw/meson_nand.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/nand/raw/meson_nand.c b/drivers/mtd/nand/raw/meson_nand.c
+index 829b76b303aa..ad2ffd0ca800 100644
+--- a/drivers/mtd/nand/raw/meson_nand.c
++++ b/drivers/mtd/nand/raw/meson_nand.c
+@@ -454,7 +454,7 @@ static int meson_nfc_ecc_correct(struct nand_chip *nand, u32 *bitflips,
+ if (ECC_ERR_CNT(*info) != ECC_UNCORRECTABLE) {
+ mtd->ecc_stats.corrected += ECC_ERR_CNT(*info);
+ *bitflips = max_t(u32, *bitflips, ECC_ERR_CNT(*info));
+- *correct_bitmap |= 1 >> i;
++ *correct_bitmap |= BIT_ULL(i);
+ continue;
+ }
+ if ((nand->options & NAND_NEED_SCRAMBLING) &&
+@@ -800,7 +800,7 @@ static int meson_nfc_read_page_hwecc(struct nand_chip *nand, u8 *buf,
+ u8 *data = buf + i * ecc->size;
+ u8 *oob = nand->oob_poi + i * (ecc->bytes + 2);
+
+- if (correct_bitmap & (1 << i))
++ if (correct_bitmap & BIT_ULL(i))
+ continue;
+ ret = nand_check_erased_ecc_chunk(data, ecc->size,
+ oob, ecc->bytes + 2,
+--
+2.35.1
+
--- /dev/null
+From 05f12e1eeb85a617f861fba401eaa985088f0454 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 19:21:27 +0800
+Subject: mwifiex: fix sleep in atomic context bugs caused by dev_coredumpv
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 551e4745c7f218da7070b36a06318592913676ff ]
+
+There are sleep in atomic context bugs when uploading device dump
+data in mwifiex. The root cause is that dev_coredumpv could not
+be used in atomic contexts, because it calls dev_set_name which
+include operations that may sleep. The call tree shows execution
+paths that could lead to bugs:
+
+ (Interrupt context)
+fw_dump_timer_fn
+ mwifiex_upload_device_dump
+ dev_coredumpv(..., GFP_KERNEL)
+ dev_coredumpm()
+ kzalloc(sizeof(*devcd), gfp); //may sleep
+ dev_set_name
+ kobject_set_name_vargs
+ kvasprintf_const(GFP_KERNEL, ...); //may sleep
+ kstrdup(s, GFP_KERNEL); //may sleep
+
+The corresponding fail log is shown below:
+
+[ 135.275938] usb 1-1: == mwifiex dump information to /sys/class/devcoredump start
+[ 135.281029] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:265
+...
+[ 135.293613] Call Trace:
+[ 135.293613] <IRQ>
+[ 135.293613] dump_stack_lvl+0x57/0x7d
+[ 135.293613] __might_resched.cold+0x138/0x173
+[ 135.293613] ? dev_coredumpm+0xca/0x2e0
+[ 135.293613] kmem_cache_alloc_trace+0x189/0x1f0
+[ 135.293613] ? devcd_match_failing+0x30/0x30
+[ 135.293613] dev_coredumpm+0xca/0x2e0
+[ 135.293613] ? devcd_freev+0x10/0x10
+[ 135.293613] dev_coredumpv+0x1c/0x20
+[ 135.293613] ? devcd_match_failing+0x30/0x30
+[ 135.293613] mwifiex_upload_device_dump+0x65/0xb0
+[ 135.293613] ? mwifiex_dnld_fw+0x1b0/0x1b0
+[ 135.293613] call_timer_fn+0x122/0x3d0
+[ 135.293613] ? msleep_interruptible+0xb0/0xb0
+[ 135.293613] ? lock_downgrade+0x3c0/0x3c0
+[ 135.293613] ? __next_timer_interrupt+0x13c/0x160
+[ 135.293613] ? lockdep_hardirqs_on_prepare+0xe/0x220
+[ 135.293613] ? mwifiex_dnld_fw+0x1b0/0x1b0
+[ 135.293613] __run_timers.part.0+0x3f8/0x540
+[ 135.293613] ? call_timer_fn+0x3d0/0x3d0
+[ 135.293613] ? arch_restore_msi_irqs+0x10/0x10
+[ 135.293613] ? lapic_next_event+0x31/0x40
+[ 135.293613] run_timer_softirq+0x4f/0xb0
+[ 135.293613] __do_softirq+0x1c2/0x651
+...
+[ 135.293613] RIP: 0010:default_idle+0xb/0x10
+[ 135.293613] RSP: 0018:ffff888006317e68 EFLAGS: 00000246
+[ 135.293613] RAX: ffffffff82ad8d10 RBX: ffff888006301cc0 RCX: ffffffff82ac90e1
+[ 135.293613] RDX: ffffed100d9ff1b4 RSI: ffffffff831ad140 RDI: ffffffff82ad8f20
+[ 135.293613] RBP: 0000000000000003 R08: 0000000000000000 R09: ffff88806cff8d9b
+[ 135.293613] R10: ffffed100d9ff1b3 R11: 0000000000000001 R12: ffffffff84593410
+[ 135.293613] R13: 0000000000000000 R14: 0000000000000000 R15: 1ffff11000c62fd2
+...
+[ 135.389205] usb 1-1: == mwifiex dump information to /sys/class/devcoredump end
+
+This patch uses delayed work to replace timer and moves the operations
+that may sleep into a delayed work in order to mitigate bugs, it was
+tested on Marvell 88W8801 chip whose port is usb and the firmware is
+usb8801_uapsta.bin. The following is the result after using delayed
+work to replace timer.
+
+[ 134.936453] usb 1-1: == mwifiex dump information to /sys/class/devcoredump start
+[ 135.043344] usb 1-1: == mwifiex dump information to /sys/class/devcoredump end
+
+As we can see, there is no bug now.
+
+Fixes: f5ecd02a8b20 ("mwifiex: device dump support for usb interface")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/5cfa5c473ff6d069cb67760ffa04a2f84ef450a8.1661252818.git.duoming@zju.edu.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/init.c | 9 +++++----
+ drivers/net/wireless/marvell/mwifiex/main.h | 3 ++-
+ drivers/net/wireless/marvell/mwifiex/sta_event.c | 6 +++---
+ 3 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/init.c b/drivers/net/wireless/marvell/mwifiex/init.c
+index fc77489cc511..7dddb4b5dea1 100644
+--- a/drivers/net/wireless/marvell/mwifiex/init.c
++++ b/drivers/net/wireless/marvell/mwifiex/init.c
+@@ -51,9 +51,10 @@ static void wakeup_timer_fn(struct timer_list *t)
+ adapter->if_ops.card_reset(adapter);
+ }
+
+-static void fw_dump_timer_fn(struct timer_list *t)
++static void fw_dump_work(struct work_struct *work)
+ {
+- struct mwifiex_adapter *adapter = from_timer(adapter, t, devdump_timer);
++ struct mwifiex_adapter *adapter =
++ container_of(work, struct mwifiex_adapter, devdump_work.work);
+
+ mwifiex_upload_device_dump(adapter);
+ }
+@@ -309,7 +310,7 @@ static void mwifiex_init_adapter(struct mwifiex_adapter *adapter)
+ adapter->active_scan_triggered = false;
+ timer_setup(&adapter->wakeup_timer, wakeup_timer_fn, 0);
+ adapter->devdump_len = 0;
+- timer_setup(&adapter->devdump_timer, fw_dump_timer_fn, 0);
++ INIT_DELAYED_WORK(&adapter->devdump_work, fw_dump_work);
+ }
+
+ /*
+@@ -388,7 +389,7 @@ static void
+ mwifiex_adapter_cleanup(struct mwifiex_adapter *adapter)
+ {
+ del_timer(&adapter->wakeup_timer);
+- del_timer_sync(&adapter->devdump_timer);
++ cancel_delayed_work_sync(&adapter->devdump_work);
+ mwifiex_cancel_all_pending_cmd(adapter);
+ wake_up_interruptible(&adapter->cmd_wait_q.wait);
+ wake_up_interruptible(&adapter->hs_activate_wait_q);
+diff --git a/drivers/net/wireless/marvell/mwifiex/main.h b/drivers/net/wireless/marvell/mwifiex/main.h
+index 87729d251fed..63f861e6b28a 100644
+--- a/drivers/net/wireless/marvell/mwifiex/main.h
++++ b/drivers/net/wireless/marvell/mwifiex/main.h
+@@ -37,6 +37,7 @@
+ #include <linux/pm_runtime.h>
+ #include <linux/slab.h>
+ #include <linux/of_irq.h>
++#include <linux/workqueue.h>
+
+ #include "decl.h"
+ #include "ioctl.h"
+@@ -1043,7 +1044,7 @@ struct mwifiex_adapter {
+ /* Device dump data/length */
+ void *devdump_data;
+ int devdump_len;
+- struct timer_list devdump_timer;
++ struct delayed_work devdump_work;
+
+ bool ignore_btcoex_events;
+ };
+diff --git a/drivers/net/wireless/marvell/mwifiex/sta_event.c b/drivers/net/wireless/marvell/mwifiex/sta_event.c
+index b95e90a7d124..e80e372cce8c 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sta_event.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_event.c
+@@ -611,8 +611,8 @@ mwifiex_fw_dump_info_event(struct mwifiex_private *priv,
+ * transmission event get lost, in this cornel case,
+ * user would still get partial of the dump.
+ */
+- mod_timer(&adapter->devdump_timer,
+- jiffies + msecs_to_jiffies(MWIFIEX_TIMER_10S));
++ schedule_delayed_work(&adapter->devdump_work,
++ msecs_to_jiffies(MWIFIEX_TIMER_10S));
+ }
+
+ /* Overflow check */
+@@ -631,7 +631,7 @@ mwifiex_fw_dump_info_event(struct mwifiex_private *priv,
+ return;
+
+ upload_dump:
+- del_timer_sync(&adapter->devdump_timer);
++ cancel_delayed_work_sync(&adapter->devdump_work);
+ mwifiex_upload_device_dump(adapter);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 44b09389c02e9029fe1bc7c5625923b0df97b8b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Sep 2022 01:35:02 +0900
+Subject: nbd: Fix hung when signal interrupts nbd_start_device_ioctl()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 1de7c3cf48fc41cd95adb12bd1ea9033a917798a ]
+
+syzbot reported hung task [1]. The following program is a simplified
+version of the reproducer:
+
+int main(void)
+{
+ int sv[2], fd;
+
+ if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
+ return 1;
+ if ((fd = open("/dev/nbd0", 0)) < 0)
+ return 1;
+ if (ioctl(fd, NBD_SET_SIZE_BLOCKS, 0x81) < 0)
+ return 1;
+ if (ioctl(fd, NBD_SET_SOCK, sv[0]) < 0)
+ return 1;
+ if (ioctl(fd, NBD_DO_IT) < 0)
+ return 1;
+ return 0;
+}
+
+When signal interrupt nbd_start_device_ioctl() waiting the condition
+atomic_read(&config->recv_threads) == 0, the task can hung because it
+waits the completion of the inflight IOs.
+
+This patch fixes the issue by clearing queue, not just shutdown, when
+signal interrupt nbd_start_device_ioctl().
+
+Link: https://syzkaller.appspot.com/bug?id=7d89a3ffacd2b83fdd39549bc4d8e0a89ef21239 [1]
+Reported-by: syzbot+38e6c55d4969a14c1534@syzkaller.appspotmail.com
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Link: https://lore.kernel.org/r/20220907163502.577561-1-syoshida@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 2a709daefbc4..2a2a1d996a57 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1413,10 +1413,12 @@ static int nbd_start_device_ioctl(struct nbd_device *nbd)
+ mutex_unlock(&nbd->config_lock);
+ ret = wait_event_interruptible(config->recv_wq,
+ atomic_read(&config->recv_threads) == 0);
+- if (ret)
++ if (ret) {
+ sock_shutdown(nbd);
+- flush_workqueue(nbd->recv_workq);
++ nbd_clear_que(nbd);
++ }
+
++ flush_workqueue(nbd->recv_workq);
+ mutex_lock(&nbd->config_lock);
+ nbd_bdev_reset(nbd);
+ /* user requested, ignore socket errors */
+--
+2.35.1
+
--- /dev/null
+From d56419e8549fe1ebe417cc28351ded4793000569 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 12:40:30 -0700
+Subject: net: ax88796c: Fix return type of ax88796c_start_xmit
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+[ Upstream commit fcb7c210a24209ea8f6f32593580b57f52382ec2 ]
+
+The ndo_start_xmit field in net_device_ops is expected to be of type
+netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).
+
+The mismatched return type breaks forward edge kCFI since the underlying
+function definition does not match the function hook definition.
+
+The return type of ax88796c_start_xmit should be changed from int to
+netdev_tx_t.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1703
+Cc: llvm@lists.linux.dev
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Acked-by: Lukasz Stelmach <l.stelmach@samsung.com>
+Link: https://lore.kernel.org/r/20220912194031.808425-1-nhuck@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/asix/ax88796c_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/asix/ax88796c_main.c b/drivers/net/ethernet/asix/ax88796c_main.c
+index 6ba5b024a7be..f1d610efd69e 100644
+--- a/drivers/net/ethernet/asix/ax88796c_main.c
++++ b/drivers/net/ethernet/asix/ax88796c_main.c
+@@ -381,7 +381,7 @@ static int ax88796c_hard_xmit(struct ax88796c_device *ax_local)
+ return 1;
+ }
+
+-static int
++static netdev_tx_t
+ ax88796c_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ {
+ struct ax88796c_device *ax_local = to_ax88796c_device(ndev);
+--
+2.35.1
+
--- /dev/null
+From f78032f1717f00c01413e94d527539165d15b35a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Aug 2022 17:39:01 -0600
+Subject: net: axienet: Switch to 64-bit RX/TX statistics
+
+From: Robert Hancock <robert.hancock@calian.com>
+
+[ Upstream commit cb45a8bf4693965e89d115cd2c510f12bc127c37 ]
+
+The RX and TX byte/packet statistics in this driver could be overflowed
+relatively quickly on a 32-bit platform. Switch these stats to use the
+u64_stats infrastructure to avoid this.
+
+Signed-off-by: Robert Hancock <robert.hancock@calian.com>
+Link: https://lore.kernel.org/r/20220829233901.3429419-1-robert.hancock@calian.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xilinx/xilinx_axienet.h | 12 ++++++
+ .../net/ethernet/xilinx/xilinx_axienet_main.c | 37 +++++++++++++++++--
+ 2 files changed, 45 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet.h b/drivers/net/ethernet/xilinx/xilinx_axienet.h
+index f2e2261b4b7d..8ff4333de2ad 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet.h
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet.h
+@@ -402,6 +402,9 @@ struct axidma_bd {
+ * @rx_bd_num: Size of RX buffer descriptor ring
+ * @rx_bd_ci: Stores the index of the Rx buffer descriptor in the ring being
+ * accessed currently.
++ * @rx_packets: RX packet count for statistics
++ * @rx_bytes: RX byte count for statistics
++ * @rx_stat_sync: Synchronization object for RX stats
+ * @napi_tx: NAPI TX control structure
+ * @tx_dma_cr: Nominal content of TX DMA control register
+ * @tx_bd_v: Virtual address of the TX buffer descriptor ring
+@@ -411,6 +414,9 @@ struct axidma_bd {
+ * complete. Only updated at runtime by TX NAPI poll.
+ * @tx_bd_tail: Stores the index of the next Tx buffer descriptor in the ring
+ * to be populated.
++ * @tx_packets: TX packet count for statistics
++ * @tx_bytes: TX byte count for statistics
++ * @tx_stat_sync: Synchronization object for TX stats
+ * @dma_err_task: Work structure to process Axi DMA errors
+ * @tx_irq: Axidma TX IRQ number
+ * @rx_irq: Axidma RX IRQ number
+@@ -458,6 +464,9 @@ struct axienet_local {
+ dma_addr_t rx_bd_p;
+ u32 rx_bd_num;
+ u32 rx_bd_ci;
++ u64_stats_t rx_packets;
++ u64_stats_t rx_bytes;
++ struct u64_stats_sync rx_stat_sync;
+
+ struct napi_struct napi_tx;
+ u32 tx_dma_cr;
+@@ -466,6 +475,9 @@ struct axienet_local {
+ u32 tx_bd_num;
+ u32 tx_bd_ci;
+ u32 tx_bd_tail;
++ u64_stats_t tx_packets;
++ u64_stats_t tx_bytes;
++ struct u64_stats_sync tx_stat_sync;
+
+ struct work_struct dma_err_task;
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index 1760930ec0c4..9262988d26a3 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -752,8 +752,10 @@ static int axienet_tx_poll(struct napi_struct *napi, int budget)
+ if (lp->tx_bd_ci >= lp->tx_bd_num)
+ lp->tx_bd_ci %= lp->tx_bd_num;
+
+- ndev->stats.tx_packets += packets;
+- ndev->stats.tx_bytes += size;
++ u64_stats_update_begin(&lp->tx_stat_sync);
++ u64_stats_add(&lp->tx_packets, packets);
++ u64_stats_add(&lp->tx_bytes, size);
++ u64_stats_update_end(&lp->tx_stat_sync);
+
+ /* Matches barrier in axienet_start_xmit */
+ smp_mb();
+@@ -984,8 +986,10 @@ static int axienet_rx_poll(struct napi_struct *napi, int budget)
+ cur_p = &lp->rx_bd_v[lp->rx_bd_ci];
+ }
+
+- lp->ndev->stats.rx_packets += packets;
+- lp->ndev->stats.rx_bytes += size;
++ u64_stats_update_begin(&lp->rx_stat_sync);
++ u64_stats_add(&lp->rx_packets, packets);
++ u64_stats_add(&lp->rx_bytes, size);
++ u64_stats_update_end(&lp->rx_stat_sync);
+
+ if (tail_p)
+ axienet_dma_out_addr(lp, XAXIDMA_RX_TDESC_OFFSET, tail_p);
+@@ -1292,10 +1296,32 @@ static int axienet_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
+ return phylink_mii_ioctl(lp->phylink, rq, cmd);
+ }
+
++static void
++axienet_get_stats64(struct net_device *dev, struct rtnl_link_stats64 *stats)
++{
++ struct axienet_local *lp = netdev_priv(dev);
++ unsigned int start;
++
++ netdev_stats_to_stats64(stats, &dev->stats);
++
++ do {
++ start = u64_stats_fetch_begin_irq(&lp->rx_stat_sync);
++ stats->rx_packets = u64_stats_read(&lp->rx_packets);
++ stats->rx_bytes = u64_stats_read(&lp->rx_bytes);
++ } while (u64_stats_fetch_retry_irq(&lp->rx_stat_sync, start));
++
++ do {
++ start = u64_stats_fetch_begin_irq(&lp->tx_stat_sync);
++ stats->tx_packets = u64_stats_read(&lp->tx_packets);
++ stats->tx_bytes = u64_stats_read(&lp->tx_bytes);
++ } while (u64_stats_fetch_retry_irq(&lp->tx_stat_sync, start));
++}
++
+ static const struct net_device_ops axienet_netdev_ops = {
+ .ndo_open = axienet_open,
+ .ndo_stop = axienet_stop,
+ .ndo_start_xmit = axienet_start_xmit,
++ .ndo_get_stats64 = axienet_get_stats64,
+ .ndo_change_mtu = axienet_change_mtu,
+ .ndo_set_mac_address = netdev_set_mac_address,
+ .ndo_validate_addr = eth_validate_addr,
+@@ -1850,6 +1876,9 @@ static int axienet_probe(struct platform_device *pdev)
+ lp->rx_bd_num = RX_BD_NUM_DEFAULT;
+ lp->tx_bd_num = TX_BD_NUM_DEFAULT;
+
++ u64_stats_init(&lp->rx_stat_sync);
++ u64_stats_init(&lp->tx_stat_sync);
++
+ netif_napi_add(ndev, &lp->napi_rx, axienet_rx_poll, NAPI_POLL_WEIGHT);
+ netif_napi_add(ndev, &lp->napi_tx, axienet_tx_poll, NAPI_POLL_WEIGHT);
+
+--
+2.35.1
+
--- /dev/null
+From e055ac35c332080dacca622cc7c1795cca0077b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 15:54:07 +0800
+Subject: net: broadcom: Fix return type for implementation of
+
+From: GUO Zihua <guozihua@huawei.com>
+
+[ Upstream commit 12f7bd252221d4f9e000e20530e50129241e3a67 ]
+
+Since Linux now supports CFI, it will be a good idea to fix mismatched
+return type for implementation of hooks. Otherwise this might get
+cought out by CFI and cause a panic.
+
+bcm4908_enet_start_xmit() would return either NETDEV_TX_BUSY or
+NETDEV_TX_OK, so change the return type to netdev_tx_t directly.
+
+Signed-off-by: GUO Zihua <guozihua@huawei.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20220902075407.52358-1-guozihua@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bcm4908_enet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bcm4908_enet.c b/drivers/net/ethernet/broadcom/bcm4908_enet.c
+index c131d8118489..e5e17a182f9d 100644
+--- a/drivers/net/ethernet/broadcom/bcm4908_enet.c
++++ b/drivers/net/ethernet/broadcom/bcm4908_enet.c
+@@ -507,7 +507,7 @@ static int bcm4908_enet_stop(struct net_device *netdev)
+ return 0;
+ }
+
+-static int bcm4908_enet_start_xmit(struct sk_buff *skb, struct net_device *netdev)
++static netdev_tx_t bcm4908_enet_start_xmit(struct sk_buff *skb, struct net_device *netdev)
+ {
+ struct bcm4908_enet *enet = netdev_priv(netdev);
+ struct bcm4908_enet_dma_ring *ring = &enet->tx_ring;
+--
+2.35.1
+
--- /dev/null
+From 527b15e38c9887ae3ebbe0bdc0713478bfe98631 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 12:47:19 -0700
+Subject: net: davicom: Fix return type of dm9000_start_xmit
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+[ Upstream commit 0191580b000d50089a0b351f7cdbec4866e3d0d2 ]
+
+The ndo_start_xmit field in net_device_ops is expected to be of type
+netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).
+
+The mismatched return type breaks forward edge kCFI since the underlying
+function definition does not match the function hook definition.
+
+The return type of dm9000_start_xmit should be changed from int to
+netdev_tx_t.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1703
+Cc: llvm@lists.linux.dev
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/r/20220912194722.809525-1-nhuck@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/davicom/dm9000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/davicom/dm9000.c b/drivers/net/ethernet/davicom/dm9000.c
+index 0985ab216566..186a5e0a7862 100644
+--- a/drivers/net/ethernet/davicom/dm9000.c
++++ b/drivers/net/ethernet/davicom/dm9000.c
+@@ -1012,7 +1012,7 @@ static void dm9000_send_packet(struct net_device *dev,
+ * Hardware start transmission.
+ * Send a packet to media from the upper layer.
+ */
+-static int
++static netdev_tx_t
+ dm9000_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ unsigned long flags;
+--
+2.35.1
+
--- /dev/null
+From e8cc5416570c9a10d8011c96bb8ffa157ddf585b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 12:53:07 -0700
+Subject: net: ethernet: litex: Fix return type of liteeth_start_xmit
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+[ Upstream commit 40662333dd7c64664247a6138bc33f3974e3a331 ]
+
+The ndo_start_xmit field in net_device_ops is expected to be of type
+netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).
+
+The mismatched return type breaks forward edge kCFI since the underlying
+function definition does not match the function hook definition.
+
+The return type of liteeth_start_xmit should be changed from int to
+netdev_tx_t.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1703
+Cc: llvm@lists.linux.dev
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Acked-by: Gabriel Somlo <gsomlo@gmail.com>
+Link: https://lore.kernel.org/r/20220912195307.812229-1-nhuck@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/litex/litex_liteeth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/litex/litex_liteeth.c b/drivers/net/ethernet/litex/litex_liteeth.c
+index fdd99f0de424..35f24e0f0934 100644
+--- a/drivers/net/ethernet/litex/litex_liteeth.c
++++ b/drivers/net/ethernet/litex/litex_liteeth.c
+@@ -152,7 +152,8 @@ static int liteeth_stop(struct net_device *netdev)
+ return 0;
+ }
+
+-static int liteeth_start_xmit(struct sk_buff *skb, struct net_device *netdev)
++static netdev_tx_t liteeth_start_xmit(struct sk_buff *skb,
++ struct net_device *netdev)
+ {
+ struct liteeth *priv = netdev_priv(netdev);
+ void __iomem *txbuffer;
+--
+2.35.1
+
--- /dev/null
+From 37936c71fe02e0748b89444dedda1c3cdbe3afd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 12:50:19 -0700
+Subject: net: ethernet: ti: davinci_emac: Fix return type of emac_dev_xmit
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+[ Upstream commit 5972ca946098487c5155fe13654743f9010f5ed5 ]
+
+The ndo_start_xmit field in net_device_ops is expected to be of type
+netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).
+
+The mismatched return type breaks forward edge kCFI since the underlying
+function definition does not match the function hook definition.
+
+The return type of emac_dev_xmit should be changed from int to
+netdev_tx_t.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1703
+Cc: llvm@lists.linux.dev
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/r/20220912195023.810319-1-nhuck@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/davinci_emac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c
+index 2a3e4e842fa5..e203a5984f03 100644
+--- a/drivers/net/ethernet/ti/davinci_emac.c
++++ b/drivers/net/ethernet/ti/davinci_emac.c
+@@ -949,7 +949,7 @@ static void emac_tx_handler(void *token, int len, int status)
+ *
+ * Returns success(NETDEV_TX_OK) or error code (typically out of desc's)
+ */
+-static int emac_dev_xmit(struct sk_buff *skb, struct net_device *ndev)
++static netdev_tx_t emac_dev_xmit(struct sk_buff *skb, struct net_device *ndev)
+ {
+ struct device *emac_dev = &ndev->dev;
+ int ret_code;
+--
+2.35.1
+
--- /dev/null
+From d8ecbd3673aa2e011ea6c195142c09032cf6d0e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Aug 2022 15:14:06 +0530
+Subject: net: ethernet: ti: davinci_mdio: Add workaround for errata i2329
+
+From: Ravi Gunasekaran <r-gunasekaran@ti.com>
+
+[ Upstream commit d04807b80691c6041ca8e3dcf1870d1bf1082c22 ]
+
+On the CPSW and ICSS peripherals, there is a possibility that the MDIO
+interface returns corrupt data on MDIO reads or writes incorrect data
+on MDIO writes. There is also a possibility for the MDIO interface to
+become unavailable until the next peripheral reset.
+
+The workaround is to configure the MDIO in manual mode and disable the
+MDIO state machine and emulate the MDIO protocol by reading and writing
+appropriate fields in MDIO_MANUAL_IF_REG register of the MDIO controller
+to manipulate the MDIO clock and data pins.
+
+More details about the errata i2329 and the workaround is available in:
+https://www.ti.com/lit/er/sprz487a/sprz487a.pdf
+
+Add implementation to disable MDIO state machine, configure MDIO in manual
+mode and achieve MDIO read and writes via MDIO Bitbanging
+
+Signed-off-by: Ravi Gunasekaran <r-gunasekaran@ti.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/davinci_mdio.c | 242 +++++++++++++++++++++++--
+ 1 file changed, 231 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/ti/davinci_mdio.c b/drivers/net/ethernet/ti/davinci_mdio.c
+index ea3772618043..946b9753ccfb 100644
+--- a/drivers/net/ethernet/ti/davinci_mdio.c
++++ b/drivers/net/ethernet/ti/davinci_mdio.c
+@@ -26,6 +26,8 @@
+ #include <linux/of_device.h>
+ #include <linux/of_mdio.h>
+ #include <linux/pinctrl/consumer.h>
++#include <linux/mdio-bitbang.h>
++#include <linux/sys_soc.h>
+
+ /*
+ * This timeout definition is a worst-case ultra defensive measure against
+@@ -41,6 +43,7 @@
+
+ struct davinci_mdio_of_param {
+ int autosuspend_delay_ms;
++ bool manual_mode;
+ };
+
+ struct davinci_mdio_regs {
+@@ -49,6 +52,15 @@ struct davinci_mdio_regs {
+ #define CONTROL_IDLE BIT(31)
+ #define CONTROL_ENABLE BIT(30)
+ #define CONTROL_MAX_DIV (0xffff)
++#define CONTROL_CLKDIV GENMASK(15, 0)
++
++#define MDIO_MAN_MDCLK_O BIT(2)
++#define MDIO_MAN_OE BIT(1)
++#define MDIO_MAN_PIN BIT(0)
++#define MDIO_MANUALMODE BIT(31)
++
++#define MDIO_PIN 0
++
+
+ u32 alive;
+ u32 link;
+@@ -59,7 +71,9 @@ struct davinci_mdio_regs {
+ u32 userintmasked;
+ u32 userintmaskset;
+ u32 userintmaskclr;
+- u32 __reserved_1[20];
++ u32 manualif;
++ u32 poll;
++ u32 __reserved_1[18];
+
+ struct {
+ u32 access;
+@@ -79,6 +93,7 @@ static const struct mdio_platform_data default_pdata = {
+
+ struct davinci_mdio_data {
+ struct mdio_platform_data pdata;
++ struct mdiobb_ctrl bb_ctrl;
+ struct davinci_mdio_regs __iomem *regs;
+ struct clk *clk;
+ struct device *dev;
+@@ -90,6 +105,7 @@ struct davinci_mdio_data {
+ */
+ bool skip_scan;
+ u32 clk_div;
++ bool manual_mode;
+ };
+
+ static void davinci_mdio_init_clk(struct davinci_mdio_data *data)
+@@ -128,9 +144,122 @@ static void davinci_mdio_enable(struct davinci_mdio_data *data)
+ writel(data->clk_div | CONTROL_ENABLE, &data->regs->control);
+ }
+
+-static int davinci_mdio_reset(struct mii_bus *bus)
++static void davinci_mdio_disable(struct davinci_mdio_data *data)
++{
++ u32 reg;
++
++ /* Disable MDIO state machine */
++ reg = readl(&data->regs->control);
++
++ reg &= ~CONTROL_CLKDIV;
++ reg |= data->clk_div;
++
++ reg &= ~CONTROL_ENABLE;
++ writel(reg, &data->regs->control);
++}
++
++static void davinci_mdio_enable_manual_mode(struct davinci_mdio_data *data)
++{
++ u32 reg;
++ /* set manual mode */
++ reg = readl(&data->regs->poll);
++ reg |= MDIO_MANUALMODE;
++ writel(reg, &data->regs->poll);
++}
++
++static void davinci_set_mdc(struct mdiobb_ctrl *ctrl, int level)
++{
++ struct davinci_mdio_data *data;
++ u32 reg;
++
++ data = container_of(ctrl, struct davinci_mdio_data, bb_ctrl);
++ reg = readl(&data->regs->manualif);
++
++ if (level)
++ reg |= MDIO_MAN_MDCLK_O;
++ else
++ reg &= ~MDIO_MAN_MDCLK_O;
++
++ writel(reg, &data->regs->manualif);
++}
++
++static void davinci_set_mdio_dir(struct mdiobb_ctrl *ctrl, int output)
++{
++ struct davinci_mdio_data *data;
++ u32 reg;
++
++ data = container_of(ctrl, struct davinci_mdio_data, bb_ctrl);
++ reg = readl(&data->regs->manualif);
++
++ if (output)
++ reg |= MDIO_MAN_OE;
++ else
++ reg &= ~MDIO_MAN_OE;
++
++ writel(reg, &data->regs->manualif);
++}
++
++static void davinci_set_mdio_data(struct mdiobb_ctrl *ctrl, int value)
++{
++ struct davinci_mdio_data *data;
++ u32 reg;
++
++ data = container_of(ctrl, struct davinci_mdio_data, bb_ctrl);
++ reg = readl(&data->regs->manualif);
++
++ if (value)
++ reg |= MDIO_MAN_PIN;
++ else
++ reg &= ~MDIO_MAN_PIN;
++
++ writel(reg, &data->regs->manualif);
++}
++
++static int davinci_get_mdio_data(struct mdiobb_ctrl *ctrl)
++{
++ struct davinci_mdio_data *data;
++ unsigned long reg;
++
++ data = container_of(ctrl, struct davinci_mdio_data, bb_ctrl);
++ reg = readl(&data->regs->manualif);
++ return test_bit(MDIO_PIN, ®);
++}
++
++static int davinci_mdiobb_read(struct mii_bus *bus, int phy, int reg)
++{
++ int ret;
++
++ ret = pm_runtime_resume_and_get(bus->parent);
++ if (ret < 0)
++ return ret;
++
++ ret = mdiobb_read(bus, phy, reg);
++
++ pm_runtime_mark_last_busy(bus->parent);
++ pm_runtime_put_autosuspend(bus->parent);
++
++ return ret;
++}
++
++static int davinci_mdiobb_write(struct mii_bus *bus, int phy, int reg,
++ u16 val)
++{
++ int ret;
++
++ ret = pm_runtime_resume_and_get(bus->parent);
++ if (ret < 0)
++ return ret;
++
++ ret = mdiobb_write(bus, phy, reg, val);
++
++ pm_runtime_mark_last_busy(bus->parent);
++ pm_runtime_put_autosuspend(bus->parent);
++
++ return ret;
++}
++
++static int davinci_mdio_common_reset(struct davinci_mdio_data *data)
+ {
+- struct davinci_mdio_data *data = bus->priv;
+ u32 phy_mask, ver;
+ int ret;
+
+@@ -138,6 +267,11 @@ static int davinci_mdio_reset(struct mii_bus *bus)
+ if (ret < 0)
+ return ret;
+
++ if (data->manual_mode) {
++ davinci_mdio_disable(data);
++ davinci_mdio_enable_manual_mode(data);
++ }
++
+ /* wait for scan logic to settle */
+ msleep(PHY_MAX_ADDR * data->access_time);
+
+@@ -171,6 +305,23 @@ static int davinci_mdio_reset(struct mii_bus *bus)
+ return 0;
+ }
+
++static int davinci_mdio_reset(struct mii_bus *bus)
++{
++ struct davinci_mdio_data *data = bus->priv;
++
++ return davinci_mdio_common_reset(data);
++}
++
++static int davinci_mdiobb_reset(struct mii_bus *bus)
++{
++ struct mdiobb_ctrl *ctrl = bus->priv;
++ struct davinci_mdio_data *data;
++
++ data = container_of(ctrl, struct davinci_mdio_data, bb_ctrl);
++
++ return davinci_mdio_common_reset(data);
++}
++
+ /* wait until hardware is ready for another user access */
+ static inline int wait_for_user_access(struct davinci_mdio_data *data)
+ {
+@@ -318,6 +469,28 @@ static int davinci_mdio_probe_dt(struct mdio_platform_data *data,
+ return 0;
+ }
+
++struct k3_mdio_soc_data {
++ bool manual_mode;
++};
++
++static const struct k3_mdio_soc_data am65_mdio_soc_data = {
++ .manual_mode = true,
++};
++
++static const struct soc_device_attribute k3_mdio_socinfo[] = {
++ { .family = "AM62X", .revision = "SR1.0", .data = &am65_mdio_soc_data },
++ { .family = "AM64X", .revision = "SR1.0", .data = &am65_mdio_soc_data },
++ { .family = "AM64X", .revision = "SR2.0", .data = &am65_mdio_soc_data },
++ { .family = "AM65X", .revision = "SR1.0", .data = &am65_mdio_soc_data },
++ { .family = "AM65X", .revision = "SR2.0", .data = &am65_mdio_soc_data },
++ { .family = "J7200", .revision = "SR1.0", .data = &am65_mdio_soc_data },
++ { .family = "J7200", .revision = "SR2.0", .data = &am65_mdio_soc_data },
++ { .family = "J721E", .revision = "SR1.0", .data = &am65_mdio_soc_data },
++ { .family = "J721E", .revision = "SR2.0", .data = &am65_mdio_soc_data },
++ { .family = "J721S2", .revision = "SR1.0", .data = &am65_mdio_soc_data},
++ { /* sentinel */ },
++};
++
+ #if IS_ENABLED(CONFIG_OF)
+ static const struct davinci_mdio_of_param of_cpsw_mdio_data = {
+ .autosuspend_delay_ms = 100,
+@@ -331,6 +504,14 @@ static const struct of_device_id davinci_mdio_of_mtable[] = {
+ MODULE_DEVICE_TABLE(of, davinci_mdio_of_mtable);
+ #endif
+
++static const struct mdiobb_ops davinci_mdiobb_ops = {
++ .owner = THIS_MODULE,
++ .set_mdc = davinci_set_mdc,
++ .set_mdio_dir = davinci_set_mdio_dir,
++ .set_mdio_data = davinci_set_mdio_data,
++ .get_mdio_data = davinci_get_mdio_data,
++};
++
+ static int davinci_mdio_probe(struct platform_device *pdev)
+ {
+ struct mdio_platform_data *pdata = dev_get_platdata(&pdev->dev);
+@@ -345,7 +526,26 @@ static int davinci_mdio_probe(struct platform_device *pdev)
+ if (!data)
+ return -ENOMEM;
+
+- data->bus = devm_mdiobus_alloc(dev);
++ data->manual_mode = false;
++ data->bb_ctrl.ops = &davinci_mdiobb_ops;
++
++ if (IS_ENABLED(CONFIG_OF) && dev->of_node) {
++ const struct soc_device_attribute *soc_match_data;
++
++ soc_match_data = soc_device_match(k3_mdio_socinfo);
++ if (soc_match_data && soc_match_data->data) {
++ const struct k3_mdio_soc_data *socdata =
++ soc_match_data->data;
++
++ data->manual_mode = socdata->manual_mode;
++ }
++ }
++
++ if (data->manual_mode)
++ data->bus = alloc_mdio_bitbang(&data->bb_ctrl);
++ else
++ data->bus = devm_mdiobus_alloc(dev);
++
+ if (!data->bus) {
+ dev_err(dev, "failed to alloc mii bus\n");
+ return -ENOMEM;
+@@ -371,11 +571,20 @@ static int davinci_mdio_probe(struct platform_device *pdev)
+ }
+
+ data->bus->name = dev_name(dev);
+- data->bus->read = davinci_mdio_read;
+- data->bus->write = davinci_mdio_write;
+- data->bus->reset = davinci_mdio_reset;
++
++ if (data->manual_mode) {
++ data->bus->read = davinci_mdiobb_read;
++ data->bus->write = davinci_mdiobb_write;
++ data->bus->reset = davinci_mdiobb_reset;
++
++ dev_info(dev, "Configuring MDIO in manual mode\n");
++ } else {
++ data->bus->read = davinci_mdio_read;
++ data->bus->write = davinci_mdio_write;
++ data->bus->reset = davinci_mdio_reset;
++ data->bus->priv = data;
++ }
+ data->bus->parent = dev;
+- data->bus->priv = data;
+
+ data->clk = devm_clk_get(dev, "fck");
+ if (IS_ERR(data->clk)) {
+@@ -433,9 +642,13 @@ static int davinci_mdio_remove(struct platform_device *pdev)
+ {
+ struct davinci_mdio_data *data = platform_get_drvdata(pdev);
+
+- if (data->bus)
++ if (data->bus) {
+ mdiobus_unregister(data->bus);
+
++ if (data->manual_mode)
++ free_mdio_bitbang(data->bus);
++ }
++
+ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+
+@@ -452,7 +665,9 @@ static int davinci_mdio_runtime_suspend(struct device *dev)
+ ctrl = readl(&data->regs->control);
+ ctrl &= ~CONTROL_ENABLE;
+ writel(ctrl, &data->regs->control);
+- wait_for_idle(data);
++
++ if (!data->manual_mode)
++ wait_for_idle(data);
+
+ return 0;
+ }
+@@ -461,7 +676,12 @@ static int davinci_mdio_runtime_resume(struct device *dev)
+ {
+ struct davinci_mdio_data *data = dev_get_drvdata(dev);
+
+- davinci_mdio_enable(data);
++ if (data->manual_mode) {
++ davinci_mdio_disable(data);
++ davinci_mdio_enable_manual_mode(data);
++ } else {
++ davinci_mdio_enable(data);
++ }
+ return 0;
+ }
+ #endif
+--
+2.35.1
+
--- /dev/null
+From e19c9e2df1f0c811f0683c434047d90b95ca46de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Sep 2022 13:55:13 +0000
+Subject: net: fs_enet: Fix wrong check in do_pd_setup
+
+From: Zheng Yongjun <zhengyongjun3@huawei.com>
+
+[ Upstream commit ec3f06b542a960806a81345042e4eee3f8c5dec4 ]
+
+Should check of_iomap return value 'fep->fec.fecp' instead of 'fep->fcc.fccp'
+
+Fixes: 976de6a8c304 ("fs_enet: Be an of_platform device when CONFIG_PPC_CPM_NEW_BINDING is set.")
+Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fs_enet/mac-fec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/fs_enet/mac-fec.c b/drivers/net/ethernet/freescale/fs_enet/mac-fec.c
+index 99fe2c210d0f..61f4b6e50d29 100644
+--- a/drivers/net/ethernet/freescale/fs_enet/mac-fec.c
++++ b/drivers/net/ethernet/freescale/fs_enet/mac-fec.c
+@@ -98,7 +98,7 @@ static int do_pd_setup(struct fs_enet_private *fep)
+ return -EINVAL;
+
+ fep->fec.fecp = of_iomap(ofdev->dev.of_node, 0);
+- if (!fep->fcc.fccp)
++ if (!fep->fec.fecp)
+ return -EINVAL;
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From c130eb6e82fc2e93b2b9e304d18aa1c08c6645f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 14:37:49 +0300
+Subject: net: ftmac100: fix endianness-related issues from 'sparse'
+
+From: Sergei Antonov <saproj@gmail.com>
+
+[ Upstream commit 9df696b3b3a4c96c3219eb87c7bf03fb50e490b8 ]
+
+Sparse found a number of endianness-related issues of these kinds:
+
+.../ftmac100.c:192:32: warning: restricted __le32 degrades to integer
+
+.../ftmac100.c:208:23: warning: incorrect type in assignment (different base types)
+.../ftmac100.c:208:23: expected unsigned int rxdes0
+.../ftmac100.c:208:23: got restricted __le32 [usertype]
+
+.../ftmac100.c:249:23: warning: invalid assignment: &=
+.../ftmac100.c:249:23: left side has type unsigned int
+.../ftmac100.c:249:23: right side has type restricted __le32
+
+.../ftmac100.c:527:16: warning: cast to restricted __le32
+
+Change type of some fields from 'unsigned int' to '__le32' to fix it.
+
+Signed-off-by: Sergei Antonov <saproj@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20220902113749.1408562-1-saproj@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/faraday/ftmac100.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/faraday/ftmac100.h b/drivers/net/ethernet/faraday/ftmac100.h
+index fe986f1673fc..8af32f9070f4 100644
+--- a/drivers/net/ethernet/faraday/ftmac100.h
++++ b/drivers/net/ethernet/faraday/ftmac100.h
+@@ -122,9 +122,9 @@
+ * Transmit descriptor, aligned to 16 bytes
+ */
+ struct ftmac100_txdes {
+- unsigned int txdes0;
+- unsigned int txdes1;
+- unsigned int txdes2; /* TXBUF_BADR */
++ __le32 txdes0;
++ __le32 txdes1;
++ __le32 txdes2; /* TXBUF_BADR */
+ unsigned int txdes3; /* not used by HW */
+ } __attribute__ ((aligned(16)));
+
+@@ -143,9 +143,9 @@ struct ftmac100_txdes {
+ * Receive descriptor, aligned to 16 bytes
+ */
+ struct ftmac100_rxdes {
+- unsigned int rxdes0;
+- unsigned int rxdes1;
+- unsigned int rxdes2; /* RXBUF_BADR */
++ __le32 rxdes0;
++ __le32 rxdes1;
++ __le32 rxdes2; /* RXBUF_BADR */
+ unsigned int rxdes3; /* not used by HW */
+ } __attribute__ ((aligned(16)));
+
+--
+2.35.1
+
--- /dev/null
+From 2df1fc309c650ff057f6df4ff02c08982afa253d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Oct 2022 01:43:44 +0900
+Subject: net/ieee802154: reject zero-sized raw_sendmsg()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 3a4d061c699bd3eedc80dc97a4b2a2e1af83c6f5 ]
+
+syzbot is hitting skb_assert_len() warning at raw_sendmsg() for ieee802154
+socket. What commit dc633700f00f726e ("net/af_packet: check len when
+min_header_len equals to 0") does also applies to ieee802154 socket.
+
+Link: https://syzkaller.appspot.com/bug?extid=5ea725c25d06fb9114c4
+Reported-by: syzbot <syzbot+5ea725c25d06fb9114c4@syzkaller.appspotmail.com>
+Fixes: fd1894224407c484 ("bpf: Don't redirect packets with invalid pkt_len")
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ieee802154/socket.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
+index 7889e1ef7fad..cbd0e2ac4ffe 100644
+--- a/net/ieee802154/socket.c
++++ b/net/ieee802154/socket.c
+@@ -251,6 +251,9 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
+ return -EOPNOTSUPP;
+ }
+
++ if (!size)
++ return -EINVAL;
++
+ lock_sock(sk);
+ if (!sk->sk_bound_dev_if)
+ dev = dev_getfirstbyhwtype(sock_net(sk), ARPHRD_IEEE802154);
+--
+2.35.1
+
--- /dev/null
+From e26c761cbf0c9b8751c573719f0065bfbb659f6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Aug 2022 21:37:54 +0800
+Subject: net: If sock is dead don't access sock's sk_wq in
+ sk_stream_wait_memory
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit 3f8ef65af927db247418d4e1db49164d7a158fc5 ]
+
+Fixes the below NULL pointer dereference:
+
+ [...]
+ [ 14.471200] Call Trace:
+ [ 14.471562] <TASK>
+ [ 14.471882] lock_acquire+0x245/0x2e0
+ [ 14.472416] ? remove_wait_queue+0x12/0x50
+ [ 14.473014] ? _raw_spin_lock_irqsave+0x17/0x50
+ [ 14.473681] _raw_spin_lock_irqsave+0x3d/0x50
+ [ 14.474318] ? remove_wait_queue+0x12/0x50
+ [ 14.474907] remove_wait_queue+0x12/0x50
+ [ 14.475480] sk_stream_wait_memory+0x20d/0x340
+ [ 14.476127] ? do_wait_intr_irq+0x80/0x80
+ [ 14.476704] do_tcp_sendpages+0x287/0x600
+ [ 14.477283] tcp_bpf_push+0xab/0x260
+ [ 14.477817] tcp_bpf_sendmsg_redir+0x297/0x500
+ [ 14.478461] ? __local_bh_enable_ip+0x77/0xe0
+ [ 14.479096] tcp_bpf_send_verdict+0x105/0x470
+ [ 14.479729] tcp_bpf_sendmsg+0x318/0x4f0
+ [ 14.480311] sock_sendmsg+0x2d/0x40
+ [ 14.480822] ____sys_sendmsg+0x1b4/0x1c0
+ [ 14.481390] ? copy_msghdr_from_user+0x62/0x80
+ [ 14.482048] ___sys_sendmsg+0x78/0xb0
+ [ 14.482580] ? vmf_insert_pfn_prot+0x91/0x150
+ [ 14.483215] ? __do_fault+0x2a/0x1a0
+ [ 14.483738] ? do_fault+0x15e/0x5d0
+ [ 14.484246] ? __handle_mm_fault+0x56b/0x1040
+ [ 14.484874] ? lock_is_held_type+0xdf/0x130
+ [ 14.485474] ? find_held_lock+0x2d/0x90
+ [ 14.486046] ? __sys_sendmsg+0x41/0x70
+ [ 14.486587] __sys_sendmsg+0x41/0x70
+ [ 14.487105] ? intel_pmu_drain_pebs_core+0x350/0x350
+ [ 14.487822] do_syscall_64+0x34/0x80
+ [ 14.488345] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+ [...]
+
+The test scenario has the following flow:
+
+thread1 thread2
+----------- ---------------
+ tcp_bpf_sendmsg
+ tcp_bpf_send_verdict
+ tcp_bpf_sendmsg_redir sock_close
+ tcp_bpf_push_locked __sock_release
+ tcp_bpf_push //inet_release
+ do_tcp_sendpages sock->ops->release
+ sk_stream_wait_memory // tcp_close
+ sk_wait_event sk->sk_prot->close
+ release_sock(__sk);
+ ***
+ lock_sock(sk);
+ __tcp_close
+ sock_orphan(sk)
+ sk->sk_wq = NULL
+ release_sock
+ ****
+ lock_sock(__sk);
+ remove_wait_queue(sk_sleep(sk), &wait);
+ sk_sleep(sk)
+ //NULL pointer dereference
+ &rcu_dereference_raw(sk->sk_wq)->wait
+
+While waiting for memory in thread1, the socket is released with its wait
+queue because thread2 has closed it. This caused by tcp_bpf_send_verdict
+didn't increase the f_count of psock->sk_redir->sk_socket->file in thread1.
+
+We should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory
+before accessing the wait queue.
+
+Suggested-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/bpf/20220823133755.314697-2-liujian56@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/stream.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/stream.c b/net/core/stream.c
+index ccc083cdef23..1105057ce00a 100644
+--- a/net/core/stream.c
++++ b/net/core/stream.c
+@@ -159,7 +159,8 @@ int sk_stream_wait_memory(struct sock *sk, long *timeo_p)
+ *timeo_p = current_timeo;
+ }
+ out:
+- remove_wait_queue(sk_sleep(sk), &wait);
++ if (!sock_flag(sk, SOCK_DEAD))
++ remove_wait_queue(sk_sleep(sk), &wait);
+ return err;
+
+ do_error:
+--
+2.35.1
+
--- /dev/null
+From a35eddc489c3abc2963121c4ef39508741336869 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 14:43:40 -0700
+Subject: net: korina: Fix return type of korina_send_packet
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+[ Upstream commit 106c67ce46f3c82dd276e983668a91d6ed631173 ]
+
+The ndo_start_xmit field in net_device_ops is expected to be of type
+netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).
+
+The mismatched return type breaks forward edge kCFI since the underlying
+function definition does not match the function hook definition.
+
+The return type of korina_send_packet should be changed from int to
+netdev_tx_t.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1703
+Cc: llvm@lists.linux.dev
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/r/20220912214344.928925-1-nhuck@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/korina.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c
+index df9a8eefa007..eec6a9ec528b 100644
+--- a/drivers/net/ethernet/korina.c
++++ b/drivers/net/ethernet/korina.c
+@@ -416,7 +416,8 @@ static void korina_abort_rx(struct net_device *dev)
+ }
+
+ /* transmit packet */
+-static int korina_send_packet(struct sk_buff *skb, struct net_device *dev)
++static netdev_tx_t korina_send_packet(struct sk_buff *skb,
++ struct net_device *dev)
+ {
+ struct korina_private *lp = netdev_priv(dev);
+ u32 chain_prev, chain_next;
+--
+2.35.1
+
--- /dev/null
+From 5a04b7109cf96397e17cb0f5ea7f50752ff95408 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 11:27:03 -0700
+Subject: net: lan966x: Fix return type of lan966x_port_xmit
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+[ Upstream commit 450a580fc4b5e7f7fb8d9b1a0208bf0d1efc53a8 ]
+
+The ndo_start_xmit field in net_device_ops is expected to be of type
+netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).
+
+The mismatched return type breaks forward edge kCFI since the underlying
+function definition does not match the function hook definition.
+
+The return type of lan966x_port_xmit should be changed from int to
+netdev_tx_t.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1703
+Cc: llvm@lists.linux.dev
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/r/20220929182704.64438-1-nhuck@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/lan966x/lan966x_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
+index d928b75f3780..be40c6d3ec68 100644
+--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
+@@ -344,7 +344,8 @@ static void lan966x_ifh_set_timestamp(void *ifh, u64 timestamp)
+ IFH_POS_TIMESTAMP, IFH_LEN * 4, PACK, 0);
+ }
+
+-static int lan966x_port_xmit(struct sk_buff *skb, struct net_device *dev)
++static netdev_tx_t lan966x_port_xmit(struct sk_buff *skb,
++ struct net_device *dev)
+ {
+ struct lan966x_port *port = netdev_priv(dev);
+ struct lan966x *lan966x = port->lan966x;
+--
+2.35.1
+
--- /dev/null
+From b1edf9c6c525200301847cc2db144e155d16efb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 16:15:21 +0800
+Subject: net: lantiq_etop: Fix return type for implementation of
+ ndo_start_xmit
+
+From: GUO Zihua <guozihua@huawei.com>
+
+[ Upstream commit c8ef3c94bda0e21123202d057d4a299698fa0ed9 ]
+
+Since Linux now supports CFI, it will be a good idea to fix mismatched
+return type for implementation of hooks. Otherwise this might get
+cought out by CFI and cause a panic.
+
+ltq_etop_tx() would return either NETDEV_TX_BUSY or NETDEV_TX_OK, so
+change the return type to netdev_tx_t directly.
+
+Signed-off-by: GUO Zihua <guozihua@huawei.com>
+Link: https://lore.kernel.org/r/20220902081521.59867-1-guozihua@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/lantiq_etop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c
+index 7cedbe1fdfd7..59aab4086dcc 100644
+--- a/drivers/net/ethernet/lantiq_etop.c
++++ b/drivers/net/ethernet/lantiq_etop.c
+@@ -470,7 +470,7 @@ ltq_etop_stop(struct net_device *dev)
+ return 0;
+ }
+
+-static int
++static netdev_tx_t
+ ltq_etop_tx(struct sk_buff *skb, struct net_device *dev)
+ {
+ int queue = skb_get_queue_mapping(skb);
+--
+2.35.1
+
--- /dev/null
+From 45847cf03543af3731e79c59931bf874ae225766 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Oct 2022 17:19:27 +0100
+Subject: net: mvpp2: fix mvpp2 debugfs leak
+
+From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit 0152dfee235e87660f52a117fc9f70dc55956bb4 ]
+
+When mvpp2 is unloaded, the driver specific debugfs directory is not
+removed, which technically leads to a memory leak. However, this
+directory is only created when the first device is probed, so the
+hardware is present. Removing the module is only something a developer
+would to when e.g. testing out changes, so the module would be
+reloaded. So this memory leak is minor.
+
+The original attempt in commit fe2c9c61f668 ("net: mvpp2: debugfs: fix
+memory leak when using debugfs_lookup()") that was labelled as a memory
+leak fix was not, it fixed a refcount leak, but in doing so created a
+problem when the module is reloaded - the directory already exists, but
+mvpp2_root is NULL, so we lose all debugfs entries. This fix has been
+reverted.
+
+This is the alternative fix, where we remove the offending directory
+whenever the driver is unloaded.
+
+Fixes: 21da57a23125 ("net: mvpp2: add a debugfs interface for the Header Parser")
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Marcin Wojtas <mw@semihalf.com>
+Link: https://lore.kernel.org/r/E1ofOAB-00CzkG-UO@rmk-PC.armlinux.org.uk
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 1 +
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c | 10 ++++++++--
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 13 ++++++++++++-
+ 3 files changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
+index ad73a488fc5f..11e603686a27 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
+@@ -1530,6 +1530,7 @@ u32 mvpp2_read(struct mvpp2 *priv, u32 offset);
+ void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name);
+
+ void mvpp2_dbgfs_cleanup(struct mvpp2 *priv);
++void mvpp2_dbgfs_exit(void);
+
+ void mvpp23_rx_fifo_fc_en(struct mvpp2 *priv, int port, bool en);
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c
+index 4a3baa7e0142..75e83ea2a926 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c
+@@ -691,6 +691,13 @@ static int mvpp2_dbgfs_port_init(struct dentry *parent,
+ return 0;
+ }
+
++static struct dentry *mvpp2_root;
++
++void mvpp2_dbgfs_exit(void)
++{
++ debugfs_remove(mvpp2_root);
++}
++
+ void mvpp2_dbgfs_cleanup(struct mvpp2 *priv)
+ {
+ debugfs_remove_recursive(priv->dbgfs_dir);
+@@ -700,10 +707,9 @@ void mvpp2_dbgfs_cleanup(struct mvpp2 *priv)
+
+ void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name)
+ {
+- struct dentry *mvpp2_dir, *mvpp2_root;
++ struct dentry *mvpp2_dir;
+ int ret, i;
+
+- mvpp2_root = debugfs_lookup(MVPP2_DRIVER_NAME, NULL);
+ if (!mvpp2_root)
+ mvpp2_root = debugfs_create_dir(MVPP2_DRIVER_NAME, NULL);
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index b84128b549b4..eaa51cd7456b 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -7706,7 +7706,18 @@ static struct platform_driver mvpp2_driver = {
+ },
+ };
+
+-module_platform_driver(mvpp2_driver);
++static int __init mvpp2_driver_init(void)
++{
++ return platform_driver_register(&mvpp2_driver);
++}
++module_init(mvpp2_driver_init);
++
++static void __exit mvpp2_driver_exit(void)
++{
++ platform_driver_unregister(&mvpp2_driver);
++ mvpp2_dbgfs_exit();
++}
++module_exit(mvpp2_driver_exit);
+
+ MODULE_DESCRIPTION("Marvell PPv2 Ethernet Driver - www.marvell.com");
+ MODULE_AUTHOR("Marcin Wojtas <mw@semihalf.com>");
+--
+2.35.1
+
--- /dev/null
+From 65098f0d363207274c6ca9b2608090d1f226c8a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Aug 2022 13:18:51 +0200
+Subject: net-next: Fix IP_UNICAST_IF option behavior for connected sockets
+
+From: Richard Gobert <richardbgobert@gmail.com>
+
+[ Upstream commit 0e4d354762cefd3e16b4cff8988ff276e45effc4 ]
+
+The IP_UNICAST_IF socket option is used to set the outgoing interface
+for outbound packets.
+
+The IP_UNICAST_IF socket option was added as it was needed by the
+Wine project, since no other existing option (SO_BINDTODEVICE socket
+option, IP_PKTINFO socket option or the bind function) provided the
+needed characteristics needed by the IP_UNICAST_IF socket option. [1]
+The IP_UNICAST_IF socket option works well for unconnected sockets,
+that is, the interface specified by the IP_UNICAST_IF socket option
+is taken into consideration in the route lookup process when a packet
+is being sent. However, for connected sockets, the outbound interface
+is chosen when connecting the socket, and in the route lookup process
+which is done when a packet is being sent, the interface specified by
+the IP_UNICAST_IF socket option is being ignored.
+
+This inconsistent behavior was reported and discussed in an issue
+opened on systemd's GitHub project [2]. Also, a bug report was
+submitted in the kernel's bugzilla [3].
+
+To understand the problem in more detail, we can look at what happens
+for UDP packets over IPv4 (The same analysis was done separately in
+the referenced systemd issue).
+When a UDP packet is sent the udp_sendmsg function gets called and
+the following happens:
+
+1. The oif member of the struct ipcm_cookie ipc (which stores the
+output interface of the packet) is initialized by the ipcm_init_sk
+function to inet->sk.sk_bound_dev_if (the device set by the
+SO_BINDTODEVICE socket option).
+
+2. If the IP_PKTINFO socket option was set, the oif member gets
+overridden by the call to the ip_cmsg_send function.
+
+3. If no output interface was selected yet, the interface specified
+by the IP_UNICAST_IF socket option is used.
+
+4. If the socket is connected and no destination address is
+specified in the send function, the struct ipcm_cookie ipc is not
+taken into consideration and the cached route, that was calculated in
+the connect function is being used.
+
+Thus, for a connected socket, the IP_UNICAST_IF sockopt isn't taken
+into consideration.
+
+This patch corrects the behavior of the IP_UNICAST_IF socket option
+for connect()ed sockets by taking into consideration the
+IP_UNICAST_IF sockopt when connecting the socket.
+
+In order to avoid reconnecting the socket, this option is still
+ignored when applied on an already connected socket until connect()
+is called again by the Richard Gobert.
+
+Change the __ip4_datagram_connect function, which is called during
+socket connection, to take into consideration the interface set by
+the IP_UNICAST_IF socket option, in a similar way to what is done in
+the udp_sendmsg function.
+
+[1] https://lore.kernel.org/netdev/1328685717.4736.4.camel@edumazet-laptop/T/
+[2] https://github.com/systemd/systemd/issues/11935#issuecomment-618691018
+[3] https://bugzilla.kernel.org/show_bug.cgi?id=210255
+
+Signed-off-by: Richard Gobert <richardbgobert@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20220829111554.GA1771@debian
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/datagram.c | 2 ++
+ tools/testing/selftests/net/fcnal-test.sh | 30 +++++++++++++++++++++++
+ tools/testing/selftests/net/nettest.c | 16 ++++++++++--
+ 3 files changed, 46 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c
+index ffd57523331f..405a8c2aea64 100644
+--- a/net/ipv4/datagram.c
++++ b/net/ipv4/datagram.c
+@@ -42,6 +42,8 @@ int __ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len
+ oif = inet->mc_index;
+ if (!saddr)
+ saddr = inet->mc_addr;
++ } else if (!oif) {
++ oif = inet->uc_index;
+ }
+ fl4 = &inet->cork.fl.u.ip4;
+ rt = ip_route_connect(fl4, usin->sin_addr.s_addr, saddr, oif,
+diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh
+index 03b586760164..31c3b6ebd388 100755
+--- a/tools/testing/selftests/net/fcnal-test.sh
++++ b/tools/testing/selftests/net/fcnal-test.sh
+@@ -1466,6 +1466,13 @@ ipv4_udp_novrf()
+ run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP}
+ log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF"
+
++ log_start
++ run_cmd_nsb nettest -D -s &
++ sleep 1
++ run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} -U
++ log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF, with connect()"
++
++
+ log_start
+ show_hint "Should fail 'Connection refused'"
+ run_cmd nettest -D -r ${a}
+@@ -1525,6 +1532,13 @@ ipv4_udp_novrf()
+ run_cmd nettest -D -d ${NSA_DEV} -S -r ${a}
+ log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection"
+
++ log_start
++ run_cmd nettest -s -D &
++ sleep 1
++ run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} -U
++ log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
++
++
+ # IPv4 with device bind has really weird behavior - it overrides the
+ # fib lookup, generates an rtable and tries to send the packet. This
+ # causes failures for local traffic at different places
+@@ -1550,6 +1564,15 @@ ipv4_udp_novrf()
+ sleep 1
+ run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
+ log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
++
++ log_start
++ show_hint "Should fail since addresses on loopback are out of device scope"
++ run_cmd nettest -D -s &
++ sleep 1
++ run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -U
++ log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
++
++
+ done
+
+ a=${NSA_IP}
+@@ -3157,6 +3180,13 @@ ipv6_udp_novrf()
+ sleep 1
+ run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S
+ log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
++
++ log_start
++ show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
++ run_cmd nettest -6 -D -s &
++ sleep 1
++ run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -U
++ log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
+ done
+
+ a=${NSA_IP6}
+diff --git a/tools/testing/selftests/net/nettest.c b/tools/testing/selftests/net/nettest.c
+index d9a6fd2cd9d3..7900fa98eccb 100644
+--- a/tools/testing/selftests/net/nettest.c
++++ b/tools/testing/selftests/net/nettest.c
+@@ -127,6 +127,9 @@ struct sock_args {
+
+ /* ESP in UDP encap test */
+ int use_xfrm;
++
++ /* use send() and connect() instead of sendto */
++ int datagram_connect;
+ };
+
+ static int server_mode;
+@@ -979,6 +982,11 @@ static int send_msg(int sd, void *addr, socklen_t alen, struct sock_args *args)
+ log_err_errno("write failed sending msg to peer");
+ return 1;
+ }
++ } else if (args->datagram_connect) {
++ if (send(sd, msg, msglen, 0) < 0) {
++ log_err_errno("send failed sending msg to peer");
++ return 1;
++ }
+ } else if (args->ifindex && args->use_cmsg) {
+ if (send_msg_cmsg(sd, addr, alen, args->ifindex, args->version))
+ return 1;
+@@ -1659,7 +1667,7 @@ static int connectsock(void *addr, socklen_t alen, struct sock_args *args)
+ if (args->has_local_ip && bind_socket(sd, args))
+ goto err;
+
+- if (args->type != SOCK_STREAM)
++ if (args->type != SOCK_STREAM && !args->datagram_connect)
+ goto out;
+
+ if (args->password && tcp_md5sig(sd, addr, alen, args))
+@@ -1854,7 +1862,7 @@ static int ipc_parent(int cpid, int fd, struct sock_args *args)
+ return client_status;
+ }
+
+-#define GETOPT_STR "sr:l:c:p:t:g:P:DRn:M:X:m:d:I:BN:O:SCi6xL:0:1:2:3:Fbqf"
++#define GETOPT_STR "sr:l:c:p:t:g:P:DRn:M:X:m:d:I:BN:O:SUCi6xL:0:1:2:3:Fbqf"
+ #define OPT_FORCE_BIND_KEY_IFINDEX 1001
+ #define OPT_NO_BIND_KEY_IFINDEX 1002
+
+@@ -1891,6 +1899,7 @@ static void print_usage(char *prog)
+ " -I dev bind socket to given device name - server mode\n"
+ " -S use setsockopt (IP_UNICAST_IF or IP_MULTICAST_IF)\n"
+ " to set device binding\n"
++ " -U Use connect() and send() for datagram sockets\n"
+ " -f bind socket with the IP[V6]_FREEBIND option\n"
+ " -C use cmsg and IP_PKTINFO to specify device binding\n"
+ "\n"
+@@ -2074,6 +2083,9 @@ int main(int argc, char *argv[])
+ case 'x':
+ args.use_xfrm = 1;
+ break;
++ case 'U':
++ args.datagram_connect = 1;
++ break;
+ default:
+ print_usage(argv[0]);
+ return 1;
+--
+2.35.1
+
--- /dev/null
+From 881f4b8eac0bd530be295707e9a05196d9bec952 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 12:48:43 +0800
+Subject: net: prestera: acl: Add check for kmemdup
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 9e6fd874c7bb47b6a4295abc4c81b2f41b97e970 ]
+
+As the kemdup could return NULL, it should be better to check the return
+value and return error if fails.
+Moreover, the return value of prestera_acl_ruleset_keymask_set() should
+be checked by cascade.
+
+Fixes: 604ba230902d ("net: prestera: flower template support")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Reviewed-by: Taras Chornyi<tchornyi@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/prestera/prestera_acl.c | 8 ++++++--
+ drivers/net/ethernet/marvell/prestera/prestera_acl.h | 4 ++--
+ drivers/net/ethernet/marvell/prestera/prestera_flower.c | 6 +++++-
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/prestera/prestera_acl.c b/drivers/net/ethernet/marvell/prestera/prestera_acl.c
+index 3d4b85f2d541..f6b2933859d0 100644
+--- a/drivers/net/ethernet/marvell/prestera/prestera_acl.c
++++ b/drivers/net/ethernet/marvell/prestera/prestera_acl.c
+@@ -178,10 +178,14 @@ prestera_acl_ruleset_create(struct prestera_acl *acl,
+ return ERR_PTR(err);
+ }
+
+-void prestera_acl_ruleset_keymask_set(struct prestera_acl_ruleset *ruleset,
+- void *keymask)
++int prestera_acl_ruleset_keymask_set(struct prestera_acl_ruleset *ruleset,
++ void *keymask)
+ {
+ ruleset->keymask = kmemdup(keymask, ACL_KEYMASK_SIZE, GFP_KERNEL);
++ if (!ruleset->keymask)
++ return -ENOMEM;
++
++ return 0;
+ }
+
+ int prestera_acl_ruleset_offload(struct prestera_acl_ruleset *ruleset)
+diff --git a/drivers/net/ethernet/marvell/prestera/prestera_acl.h b/drivers/net/ethernet/marvell/prestera/prestera_acl.h
+index 03fc5b9dc925..131bfbc87cd7 100644
+--- a/drivers/net/ethernet/marvell/prestera/prestera_acl.h
++++ b/drivers/net/ethernet/marvell/prestera/prestera_acl.h
+@@ -185,8 +185,8 @@ struct prestera_acl_ruleset *
+ prestera_acl_ruleset_lookup(struct prestera_acl *acl,
+ struct prestera_flow_block *block,
+ u32 chain_index);
+-void prestera_acl_ruleset_keymask_set(struct prestera_acl_ruleset *ruleset,
+- void *keymask);
++int prestera_acl_ruleset_keymask_set(struct prestera_acl_ruleset *ruleset,
++ void *keymask);
+ bool prestera_acl_ruleset_is_offload(struct prestera_acl_ruleset *ruleset);
+ int prestera_acl_ruleset_offload(struct prestera_acl_ruleset *ruleset);
+ void prestera_acl_ruleset_put(struct prestera_acl_ruleset *ruleset);
+diff --git a/drivers/net/ethernet/marvell/prestera/prestera_flower.c b/drivers/net/ethernet/marvell/prestera/prestera_flower.c
+index 19d3b55c578e..cf551a8379ac 100644
+--- a/drivers/net/ethernet/marvell/prestera/prestera_flower.c
++++ b/drivers/net/ethernet/marvell/prestera/prestera_flower.c
+@@ -452,7 +452,9 @@ int prestera_flower_tmplt_create(struct prestera_flow_block *block,
+ }
+
+ /* preserve keymask/template to this ruleset */
+- prestera_acl_ruleset_keymask_set(ruleset, rule.re_key.match.mask);
++ err = prestera_acl_ruleset_keymask_set(ruleset, rule.re_key.match.mask);
++ if (err)
++ goto err_ruleset_keymask_set;
+
+ /* skip error, as it is not possible to reject template operation,
+ * so, keep the reference to the ruleset for rules to be added
+@@ -468,6 +470,8 @@ int prestera_flower_tmplt_create(struct prestera_flow_block *block,
+ list_add_rcu(&template->list, &block->template_list);
+ return 0;
+
++err_ruleset_keymask_set:
++ prestera_acl_ruleset_put(ruleset);
+ err_ruleset_get:
+ kfree(template);
+ err_malloc:
+--
+2.35.1
+
--- /dev/null
+From 64196464d56d2147861ec90d37efd083bf3a4a08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 14:18:21 +0300
+Subject: net: prestera: cache port state for non-phylink ports too
+
+From: Maksym Glubokiy <maksym.glubokiy@plvision.eu>
+
+[ Upstream commit 704438dd4f030c1b3d28a2a9c8f182c32d9b6bc4 ]
+
+Port event data must stored to port-state cache regardless of whether
+the port uses phylink or not since this data is used by ethtool.
+
+Fixes: 52323ef75414 ("net: marvell: prestera: add phylink support")
+Signed-off-by: Oleksandr Mazur <oleksandr.mazur@plvision.eu>
+Signed-off-by: Maksym Glubokiy <maksym.glubokiy@plvision.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/marvell/prestera/prestera_main.c | 36 +++++++++----------
+ 1 file changed, 17 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/prestera/prestera_main.c b/drivers/net/ethernet/marvell/prestera/prestera_main.c
+index a895862b4821..a0ad0bcbf89f 100644
+--- a/drivers/net/ethernet/marvell/prestera/prestera_main.c
++++ b/drivers/net/ethernet/marvell/prestera/prestera_main.c
+@@ -799,32 +799,30 @@ static void prestera_port_handle_event(struct prestera_switch *sw,
+
+ caching_dw = &port->cached_hw_stats.caching_dw;
+
+- if (port->phy_link) {
+- memset(&smac, 0, sizeof(smac));
+- smac.valid = true;
+- smac.oper = pevt->data.mac.oper;
+- if (smac.oper) {
+- smac.mode = pevt->data.mac.mode;
+- smac.speed = pevt->data.mac.speed;
+- smac.duplex = pevt->data.mac.duplex;
+- smac.fc = pevt->data.mac.fc;
+- smac.fec = pevt->data.mac.fec;
+- phylink_mac_change(port->phy_link, true);
+- } else {
+- phylink_mac_change(port->phy_link, false);
+- }
+- prestera_port_mac_state_cache_write(port, &smac);
++ memset(&smac, 0, sizeof(smac));
++ smac.valid = true;
++ smac.oper = pevt->data.mac.oper;
++ if (smac.oper) {
++ smac.mode = pevt->data.mac.mode;
++ smac.speed = pevt->data.mac.speed;
++ smac.duplex = pevt->data.mac.duplex;
++ smac.fc = pevt->data.mac.fc;
++ smac.fec = pevt->data.mac.fec;
+ }
++ prestera_port_mac_state_cache_write(port, &smac);
+
+ if (port->state_mac.oper) {
+- if (!port->phy_link)
++ if (port->phy_link)
++ phylink_mac_change(port->phy_link, true);
++ else
+ netif_carrier_on(port->dev);
+
+ if (!delayed_work_pending(caching_dw))
+ queue_delayed_work(prestera_wq, caching_dw, 0);
+- } else if (netif_running(port->dev) &&
+- netif_carrier_ok(port->dev)) {
+- if (!port->phy_link)
++ } else {
++ if (port->phy_link)
++ phylink_mac_change(port->phy_link, false);
++ else if (netif_running(port->dev) && netif_carrier_ok(port->dev))
+ netif_carrier_off(port->dev);
+
+ if (delayed_work_pending(caching_dw))
+--
+2.35.1
+
--- /dev/null
+From 355af3b6949bb1f98466970e72de164537fe2712 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 00:25:37 +0900
+Subject: net: rds: don't hold sock lock when cancelling work from
+ rds_tcp_reset_callbacks()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit a91b750fd6629354460282bbf5146c01b05c4859 ]
+
+syzbot is reporting lockdep warning at rds_tcp_reset_callbacks() [1], for
+commit ac3615e7f3cffe2a ("RDS: TCP: Reduce code duplication in
+rds_tcp_reset_callbacks()") added cancel_delayed_work_sync() into a section
+protected by lock_sock() without realizing that rds_send_xmit() might call
+lock_sock().
+
+We don't need to protect cancel_delayed_work_sync() using lock_sock(), for
+even if rds_{send,recv}_worker() re-queued this work while __flush_work()
+ from cancel_delayed_work_sync() was waiting for this work to complete,
+retried rds_{send,recv}_worker() is no-op due to the absence of RDS_CONN_UP
+bit.
+
+Link: https://syzkaller.appspot.com/bug?extid=78c55c7bc6f66e53dce2 [1]
+Reported-by: syzbot <syzbot+78c55c7bc6f66e53dce2@syzkaller.appspotmail.com>
+Co-developed-by: Hillf Danton <hdanton@sina.com>
+Signed-off-by: Hillf Danton <hdanton@sina.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Tested-by: syzbot <syzbot+78c55c7bc6f66e53dce2@syzkaller.appspotmail.com>
+Fixes: ac3615e7f3cffe2a ("RDS: TCP: Reduce code duplication in rds_tcp_reset_callbacks()")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rds/tcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rds/tcp.c b/net/rds/tcp.c
+index 73ee2771093d..d0ff413f697c 100644
+--- a/net/rds/tcp.c
++++ b/net/rds/tcp.c
+@@ -166,10 +166,10 @@ void rds_tcp_reset_callbacks(struct socket *sock,
+ */
+ atomic_set(&cp->cp_state, RDS_CONN_RESETTING);
+ wait_event(cp->cp_waitq, !test_bit(RDS_IN_XMIT, &cp->cp_flags));
+- lock_sock(osock->sk);
+ /* reset receive side state for rds_tcp_data_recv() for osock */
+ cancel_delayed_work_sync(&cp->cp_send_w);
+ cancel_delayed_work_sync(&cp->cp_recv_w);
++ lock_sock(osock->sk);
+ if (tc->t_tinc) {
+ rds_inc_put(&tc->t_tinc->ti_inc);
+ tc->t_tinc = NULL;
+--
+2.35.1
+
--- /dev/null
+From 78e364994951b79cf3885138b757a073b135c9fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 08:37:01 -0700
+Subject: net: sched: cls_u32: Avoid memcpy() false-positive warning
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 7cba18332e3635aaae60e4e7d4e52849de50d91b ]
+
+To work around a misbehavior of the compiler's ability to see into
+composite flexible array structs (as detailed in the coming memcpy()
+hardening series[1]), use unsafe_memcpy(), as the sizing,
+bounds-checking, and allocation are all very tightly coupled here.
+This silences the false-positive reported by syzbot:
+
+ memcpy: detected field-spanning write (size 80) of single field "&n->sel" at net/sched/cls_u32.c:1043 (size 16)
+
+[1] https://lore.kernel.org/linux-hardening/20220901065914.1417829-2-keescook@chromium.org
+
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Reported-by: syzbot+a2c4601efc75848ba321@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/lkml/000000000000a96c0b05e97f0444@google.com/
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://lore.kernel.org/r/20220927153700.3071688-1-keescook@chromium.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/cls_u32.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
+index 4d27300c287c..5f33472aad36 100644
+--- a/net/sched/cls_u32.c
++++ b/net/sched/cls_u32.c
+@@ -1040,7 +1040,11 @@ static int u32_change(struct net *net, struct sk_buff *in_skb,
+ }
+ #endif
+
+- memcpy(&n->sel, s, sel_size);
++ unsafe_memcpy(&n->sel, s, sel_size,
++ /* A composite flex-array structure destination,
++ * which was correctly sized with struct_size(),
++ * bounds-checked against nla_len(), and allocated
++ * above. */);
+ RCU_INIT_POINTER(n->ht_up, ht);
+ n->handle = handle;
+ n->fshift = s->hmask ? ffs(ntohl(s->hmask)) - 1 : 0;
+--
+2.35.1
+
--- /dev/null
+From 7f6115df332c9df1dcdef01c14f18cb24d90cfa8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Sep 2022 08:58:15 +0200
+Subject: net: sparx5: fix function return type to match actual type
+
+From: Casper Andersson <casper.casan@gmail.com>
+
+[ Upstream commit 75554fe00f941c3c3d9344e88708093a14d2b4b8 ]
+
+Function returns error integer, not bool.
+
+Does not have any impact on functionality.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Casper Andersson <casper.casan@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20220906065815.3856323-1-casper.casan@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c | 4 ++--
+ drivers/net/ethernet/microchip/sparx5/sparx5_main.h | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c b/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
+index a5837dbe0c7e..4af285918ea2 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
+@@ -186,8 +186,8 @@ bool sparx5_mact_getnext(struct sparx5 *sparx5,
+ return ret == 0;
+ }
+
+-bool sparx5_mact_find(struct sparx5 *sparx5,
+- const unsigned char mac[ETH_ALEN], u16 vid, u32 *pcfg2)
++int sparx5_mact_find(struct sparx5 *sparx5,
++ const unsigned char mac[ETH_ALEN], u16 vid, u32 *pcfg2)
+ {
+ int ret;
+ u32 cfg2;
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_main.h b/drivers/net/ethernet/microchip/sparx5/sparx5_main.h
+index b197129044b5..d071ac3b7106 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_main.h
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_main.h
+@@ -307,8 +307,8 @@ int sparx5_mact_learn(struct sparx5 *sparx5, int port,
+ const unsigned char mac[ETH_ALEN], u16 vid);
+ bool sparx5_mact_getnext(struct sparx5 *sparx5,
+ unsigned char mac[ETH_ALEN], u16 *vid, u32 *pcfg2);
+-bool sparx5_mact_find(struct sparx5 *sparx5,
+- const unsigned char mac[ETH_ALEN], u16 vid, u32 *pcfg2);
++int sparx5_mact_find(struct sparx5 *sparx5,
++ const unsigned char mac[ETH_ALEN], u16 vid, u32 *pcfg2);
+ int sparx5_mact_forget(struct sparx5 *sparx5,
+ const unsigned char mac[ETH_ALEN], u16 vid);
+ int sparx5_add_mact_entry(struct sparx5 *sparx5,
+--
+2.35.1
+
--- /dev/null
+From 70f967af58b8c3ff7ab499f30b55dc504c10afae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 11:19:47 -0700
+Subject: net: sparx5: Fix return type of sparx5_port_xmit_impl
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+[ Upstream commit 73ea735073599430818e89b8901452287a15a718 ]
+
+The ndo_start_xmit field in net_device_ops is expected to be of type
+netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).
+
+The mismatched return type breaks forward edge kCFI since the underlying
+function definition does not match the function hook definition.
+
+The return type of sparx5_port_xmit_impl should be changed from int to
+netdev_tx_t.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1703
+Cc: llvm@lists.linux.dev
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/sparx5/sparx5_main.h | 2 +-
+ drivers/net/ethernet/microchip/sparx5/sparx5_packet.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_main.h b/drivers/net/ethernet/microchip/sparx5/sparx5_main.h
+index d071ac3b7106..705d8852078f 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_main.h
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_main.h
+@@ -291,7 +291,7 @@ struct frame_info {
+ void sparx5_xtr_flush(struct sparx5 *sparx5, u8 grp);
+ void sparx5_ifh_parse(u32 *ifh, struct frame_info *info);
+ irqreturn_t sparx5_xtr_handler(int irq, void *_priv);
+-int sparx5_port_xmit_impl(struct sk_buff *skb, struct net_device *dev);
++netdev_tx_t sparx5_port_xmit_impl(struct sk_buff *skb, struct net_device *dev);
+ int sparx5_manual_injection_mode(struct sparx5 *sparx5);
+ void sparx5_port_inj_timer_setup(struct sparx5_port *port);
+
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
+index 21844beba72d..83c16ca5b30f 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
+@@ -222,13 +222,13 @@ static int sparx5_inject(struct sparx5 *sparx5,
+ return NETDEV_TX_OK;
+ }
+
+-int sparx5_port_xmit_impl(struct sk_buff *skb, struct net_device *dev)
++netdev_tx_t sparx5_port_xmit_impl(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct net_device_stats *stats = &dev->stats;
+ struct sparx5_port *port = netdev_priv(dev);
+ struct sparx5 *sparx5 = port->sparx5;
+ u32 ifh[IFH_LEN];
+- int ret;
++ netdev_tx_t ret;
+
+ memset(ifh, 0, IFH_LEN * 4);
+ sparx5_set_port_ifh(ifh, port->portno);
+--
+2.35.1
+
--- /dev/null
+From 53b71b192729b471bd8614c887877d8166b4f504 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 16:15:50 +0800
+Subject: net: sunplus: Fix return type for implementation of ndo_start_xmit
+
+From: GUO Zihua <guozihua@huawei.com>
+
+[ Upstream commit 7b620e156097028e4c9b6481a84ec1e1e72877ca ]
+
+Since Linux now supports CFI, it will be a good idea to fix mismatched
+return type for implementation of hooks. Otherwise this might get
+cought out by CFI and cause a panic.
+
+spl2sw_ethernet_start_xmit() would return either NETDEV_TX_BUSY or
+NETDEV_TX_OK, so change the return type to netdev_tx_t directly.
+
+Signed-off-by: GUO Zihua <guozihua@huawei.com>
+Link: https://lore.kernel.org/r/20220902081550.60095-1-guozihua@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sunplus/spl2sw_driver.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sunplus/spl2sw_driver.c b/drivers/net/ethernet/sunplus/spl2sw_driver.c
+index 61d1d07dc070..c9007b7dd832 100644
+--- a/drivers/net/ethernet/sunplus/spl2sw_driver.c
++++ b/drivers/net/ethernet/sunplus/spl2sw_driver.c
+@@ -62,7 +62,8 @@ static int spl2sw_ethernet_stop(struct net_device *ndev)
+ return 0;
+ }
+
+-static int spl2sw_ethernet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
++static netdev_tx_t spl2sw_ethernet_start_xmit(struct sk_buff *skb,
++ struct net_device *ndev)
+ {
+ struct spl2sw_mac *mac = netdev_priv(ndev);
+ struct spl2sw_common *comm = mac->comm;
+--
+2.35.1
+
--- /dev/null
+From 58322d77a8b00572991f1ffdd1db142255915e34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Oct 2022 13:57:13 +0300
+Subject: net: wwan: iosm: Call mutex_init before locking it
+
+From: Maxim Mikityanskiy <maxtram95@gmail.com>
+
+[ Upstream commit ba0fbdb95da5ddd8db457ce6ba09d16dd979a294 ]
+
+wwan_register_ops calls wwan_create_default_link, which ends up in the
+ipc_wwan_newlink callback that locks ipc_wwan->if_mutex. However, this
+mutex is not yet initialized by that point. Fix it by moving mutex_init
+above the wwan_register_ops call. This also makes the order of
+operations in ipc_wwan_init symmetric to ipc_wwan_deinit.
+
+Fixes: 83068395bbfc ("net: iosm: create default link via WWAN core")
+Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>
+Reviewed-by: M Chetan Kumar <m.chetan.kumar@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/iosm/iosm_ipc_wwan.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_wwan.c b/drivers/net/wwan/iosm/iosm_ipc_wwan.c
+index 27151148c782..4712f01a7e33 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_wwan.c
++++ b/drivers/net/wwan/iosm/iosm_ipc_wwan.c
+@@ -323,15 +323,16 @@ struct iosm_wwan *ipc_wwan_init(struct iosm_imem *ipc_imem, struct device *dev)
+ ipc_wwan->dev = dev;
+ ipc_wwan->ipc_imem = ipc_imem;
+
++ mutex_init(&ipc_wwan->if_mutex);
++
+ /* WWAN core will create a netdev for the default IP MUX channel */
+ if (wwan_register_ops(ipc_wwan->dev, &iosm_wwan_ops, ipc_wwan,
+ IP_MUX_SESSION_DEFAULT)) {
++ mutex_destroy(&ipc_wwan->if_mutex);
+ kfree(ipc_wwan);
+ return NULL;
+ }
+
+- mutex_init(&ipc_wwan->if_mutex);
+-
+ return ipc_wwan;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 2a230c1f35ea04d2ec7798c191a98e758cfa695a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 14:44:55 -0700
+Subject: net: wwan: iosm: Fix return type of ipc_wwan_link_transmit
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+[ Upstream commit 0c9441c430104dcf2cd066aae74dbeefb9f9e1bf ]
+
+The ndo_start_xmit field in net_device_ops is expected to be of type
+netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).
+
+The mismatched return type breaks forward edge kCFI since the underlying
+function definition does not match the function hook definition.
+
+The return type of ipc_wwan_link_transmit should be changed from int to
+netdev_tx_t.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1703
+Cc: llvm@lists.linux.dev
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Acked-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
+Link: https://lore.kernel.org/r/20220912214455.929028-1-nhuck@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/iosm/iosm_ipc_wwan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_wwan.c b/drivers/net/wwan/iosm/iosm_ipc_wwan.c
+index 4712f01a7e33..2f1f8b5d5b59 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_wwan.c
++++ b/drivers/net/wwan/iosm/iosm_ipc_wwan.c
+@@ -103,8 +103,8 @@ static int ipc_wwan_link_stop(struct net_device *netdev)
+ }
+
+ /* Transmit a packet */
+-static int ipc_wwan_link_transmit(struct sk_buff *skb,
+- struct net_device *netdev)
++static netdev_tx_t ipc_wwan_link_transmit(struct sk_buff *skb,
++ struct net_device *netdev)
+ {
+ struct iosm_netdev_priv *priv = wwan_netdev_drvpriv(netdev);
+ struct iosm_wwan *ipc_wwan = priv->ipc_wwan;
+--
+2.35.1
+
--- /dev/null
+From c08ab8714d97020b2e528bd2b268a8474e9af9ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 14:45:10 -0700
+Subject: net: wwan: t7xx: Fix return type of t7xx_ccmni_start_xmit
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+[ Upstream commit 73c99e26036529e633a0f2d628ad7ddff6594668 ]
+
+The ndo_start_xmit field in net_device_ops is expected to be of type
+netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).
+
+The mismatched return type breaks forward edge kCFI since the underlying
+function definition does not match the function hook definition.
+
+The return type of t7xx_ccmni_start_xmit should be changed from int to
+netdev_tx_t.
+
+Reported-by: Dan Carpenter <error27@gmail.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1703
+Cc: llvm@lists.linux.dev
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Acked-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
+Link: https://lore.kernel.org/r/20220912214510.929070-1-nhuck@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/t7xx/t7xx_netdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wwan/t7xx/t7xx_netdev.c b/drivers/net/wwan/t7xx/t7xx_netdev.c
+index c6b6547f2c6f..f71d3bc3b237 100644
+--- a/drivers/net/wwan/t7xx/t7xx_netdev.c
++++ b/drivers/net/wwan/t7xx/t7xx_netdev.c
+@@ -74,7 +74,7 @@ static int t7xx_ccmni_send_packet(struct t7xx_ccmni *ccmni, struct sk_buff *skb,
+ return 0;
+ }
+
+-static int t7xx_ccmni_start_xmit(struct sk_buff *skb, struct net_device *dev)
++static netdev_tx_t t7xx_ccmni_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct t7xx_ccmni *ccmni = wwan_netdev_drvpriv(dev);
+ int skb_len = skb->len;
+--
+2.35.1
+
--- /dev/null
+From 7a6ce87e72ba0df668f59ab337670f25ec1ecd90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 16:16:12 +0800
+Subject: net: xscale: Fix return type for implementation of ndo_start_xmit
+
+From: GUO Zihua <guozihua@huawei.com>
+
+[ Upstream commit 0dbaf0fa62329d9fe452d9041a707a33f6274f1f ]
+
+Since Linux now supports CFI, it will be a good idea to fix mismatched
+return type for implementation of hooks. Otherwise this might get
+cought out by CFI and cause a panic.
+
+eth_xmit() would return either NETDEV_TX_BUSY or NETDEV_TX_OK, so
+change the return type to netdev_tx_t directly.
+
+Signed-off-by: GUO Zihua <guozihua@huawei.com>
+Link: https://lore.kernel.org/r/20220902081612.60405-1-guozihua@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xscale/ixp4xx_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/xscale/ixp4xx_eth.c b/drivers/net/ethernet/xscale/ixp4xx_eth.c
+index 3591b9edc9a1..3b05287b6889 100644
+--- a/drivers/net/ethernet/xscale/ixp4xx_eth.c
++++ b/drivers/net/ethernet/xscale/ixp4xx_eth.c
+@@ -841,7 +841,7 @@ static void eth_txdone_irq(void *unused)
+ }
+ }
+
+-static int eth_xmit(struct sk_buff *skb, struct net_device *dev)
++static netdev_tx_t eth_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct port *port = netdev_priv(dev);
+ unsigned int txreadyq = port->plat->txreadyq;
+--
+2.35.1
+
--- /dev/null
+From c6f1fba34415cf91d40f7476a793530d30ae3a48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 11:29:40 +0200
+Subject: netfilter: conntrack: fix the gc rescheduling delay
+
+From: Antoine Tenart <atenart@kernel.org>
+
+[ Upstream commit 95eabdd207024312876d0ebed90b4c977e050e85 ]
+
+Commit 2cfadb761d3d ("netfilter: conntrack: revisit gc autotuning")
+changed the eviction rescheduling to the use average expiry of scanned
+entries (within 1-60s) by doing:
+
+ for (...) {
+ expires = clamp(nf_ct_expires(tmp), ...);
+ next_run += expires;
+ next_run /= 2;
+ }
+
+The issue is the above will make the average ('next_run' here) more
+dependent on the last expiration values than the firsts (for sets > 2).
+Depending on the expiration values used to compute the average, the
+result can be quite different than what's expected. To fix this we can
+do the following:
+
+ for (...) {
+ expires = clamp(nf_ct_expires(tmp), ...);
+ next_run += (expires - next_run) / ++count;
+ }
+
+Fixes: 2cfadb761d3d ("netfilter: conntrack: revisit gc autotuning")
+Cc: Florian Westphal <fw@strlen.de>
+Signed-off-by: Antoine Tenart <atenart@kernel.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_core.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 1357a2729a4b..2e6d5f1e6d63 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -67,6 +67,7 @@ struct conntrack_gc_work {
+ struct delayed_work dwork;
+ u32 next_bucket;
+ u32 avg_timeout;
++ u32 count;
+ u32 start_time;
+ bool exiting;
+ bool early_drop;
+@@ -1466,6 +1467,7 @@ static void gc_worker(struct work_struct *work)
+ unsigned int expired_count = 0;
+ unsigned long next_run;
+ s32 delta_time;
++ long count;
+
+ gc_work = container_of(work, struct conntrack_gc_work, dwork.work);
+
+@@ -1475,10 +1477,12 @@ static void gc_worker(struct work_struct *work)
+
+ if (i == 0) {
+ gc_work->avg_timeout = GC_SCAN_INTERVAL_INIT;
++ gc_work->count = 1;
+ gc_work->start_time = start_time;
+ }
+
+ next_run = gc_work->avg_timeout;
++ count = gc_work->count;
+
+ end_time = start_time + GC_SCAN_MAX_DURATION;
+
+@@ -1498,8 +1502,8 @@ static void gc_worker(struct work_struct *work)
+
+ hlist_nulls_for_each_entry_rcu(h, n, &ct_hash[i], hnnode) {
+ struct nf_conntrack_net *cnet;
+- unsigned long expires;
+ struct net *net;
++ long expires;
+
+ tmp = nf_ct_tuplehash_to_ctrack(h);
+
+@@ -1513,6 +1517,7 @@ static void gc_worker(struct work_struct *work)
+
+ gc_work->next_bucket = i;
+ gc_work->avg_timeout = next_run;
++ gc_work->count = count;
+
+ delta_time = nfct_time_stamp - gc_work->start_time;
+
+@@ -1528,8 +1533,8 @@ static void gc_worker(struct work_struct *work)
+ }
+
+ expires = clamp(nf_ct_expires(tmp), GC_SCAN_INTERVAL_MIN, GC_SCAN_INTERVAL_CLAMP);
++ expires = (expires - (long)next_run) / ++count;
+ next_run += expires;
+- next_run /= 2u;
+
+ if (nf_conntrack_max95 == 0 || gc_worker_skip_ct(tmp))
+ continue;
+@@ -1570,6 +1575,7 @@ static void gc_worker(struct work_struct *work)
+ delta_time = nfct_time_stamp - end_time;
+ if (delta_time > 0 && i < hashsz) {
+ gc_work->avg_timeout = next_run;
++ gc_work->count = count;
+ gc_work->next_bucket = i;
+ next_run = 0;
+ goto early_exit;
+--
+2.35.1
+
--- /dev/null
+From d5eec109e4a5b713437f4875e7aecf86721e00a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 11:29:41 +0200
+Subject: netfilter: conntrack: revisit the gc initial rescheduling bias
+
+From: Antoine Tenart <atenart@kernel.org>
+
+[ Upstream commit 2aa192757005f130b2dd3547dda6e462e761199f ]
+
+The previous commit changed the way the rescheduling delay is computed
+which has a side effect: the bias is now represented as much as the
+other entries in the rescheduling delay which makes the logic to kick in
+only with very large sets, as the initial interval is very large
+(INT_MAX).
+
+Revisit the GC initial bias to allow more frequent GC for smaller sets
+while still avoiding wakeups when a machine is mostly idle. We're moving
+from a large initial value to pretending we have 100 entries expiring at
+the upper bound. This way only a few entries having a small timeout
+won't impact much the rescheduling delay and non-idle machines will have
+enough entries to lower the delay when needed. This also improves
+readability as the initial bias is now linked to what is computed
+instead of being an arbitrary large value.
+
+Fixes: 2cfadb761d3d ("netfilter: conntrack: revisit gc autotuning")
+Suggested-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Antoine Tenart <atenart@kernel.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_core.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 2e6d5f1e6d63..8f261cd5b3a5 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -86,10 +86,12 @@ static DEFINE_MUTEX(nf_conntrack_mutex);
+ /* clamp timeouts to this value (TCP unacked) */
+ #define GC_SCAN_INTERVAL_CLAMP (300ul * HZ)
+
+-/* large initial bias so that we don't scan often just because we have
+- * three entries with a 1s timeout.
++/* Initial bias pretending we have 100 entries at the upper bound so we don't
++ * wakeup often just because we have three entries with a 1s timeout while still
++ * allowing non-idle machines to wakeup more often when needed.
+ */
+-#define GC_SCAN_INTERVAL_INIT INT_MAX
++#define GC_SCAN_INITIAL_COUNT 100
++#define GC_SCAN_INTERVAL_INIT GC_SCAN_INTERVAL_MAX
+
+ #define GC_SCAN_MAX_DURATION msecs_to_jiffies(10)
+ #define GC_SCAN_EXPIRED_MAX (64000u / HZ)
+@@ -1477,7 +1479,7 @@ static void gc_worker(struct work_struct *work)
+
+ if (i == 0) {
+ gc_work->avg_timeout = GC_SCAN_INTERVAL_INIT;
+- gc_work->count = 1;
++ gc_work->count = GC_SCAN_INITIAL_COUNT;
+ gc_work->start_time = start_time;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From b48ee32271fc1cf56e5d46bd82e4bfdecd748c7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 13:07:31 +0200
+Subject: netfilter: nft_fib: Fix for rpath check with VRF devices
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 2a8a7c0eaa8747c16aa4a48d573aa920d5c00a5c ]
+
+Analogous to commit b575b24b8eee3 ("netfilter: Fix rpfilter
+dropping vrf packets by mistake") but for nftables fib expression:
+Add special treatment of VRF devices so that typical reverse path
+filtering via 'fib saddr . iif oif' expression works as expected.
+
+Fixes: f6d0cbcf09c50 ("netfilter: nf_tables: add fib expression")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/netfilter/nft_fib_ipv4.c | 3 +++
+ net/ipv6/netfilter/nft_fib_ipv6.c | 6 +++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c
+index b75cac69bd7e..7ade04ff972d 100644
+--- a/net/ipv4/netfilter/nft_fib_ipv4.c
++++ b/net/ipv4/netfilter/nft_fib_ipv4.c
+@@ -83,6 +83,9 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
+ else
+ oif = NULL;
+
++ if (priv->flags & NFTA_FIB_F_IIF)
++ fl4.flowi4_oif = l3mdev_master_ifindex_rcu(oif);
++
+ if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&
+ nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {
+ nft_fib_store_result(dest, priv, nft_in(pkt));
+diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c
+index 8970d0b4faeb..1d7e520d9966 100644
+--- a/net/ipv6/netfilter/nft_fib_ipv6.c
++++ b/net/ipv6/netfilter/nft_fib_ipv6.c
+@@ -41,6 +41,9 @@ static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv,
+ if (ipv6_addr_type(&fl6->daddr) & IPV6_ADDR_LINKLOCAL) {
+ lookup_flags |= RT6_LOOKUP_F_IFACE;
+ fl6->flowi6_oif = get_ifindex(dev ? dev : pkt->skb->dev);
++ } else if ((priv->flags & NFTA_FIB_F_IIF) &&
++ (netif_is_l3_master(dev) || netif_is_l3_slave(dev))) {
++ fl6->flowi6_oif = dev->ifindex;
+ }
+
+ if (ipv6_addr_type(&fl6->saddr) & IPV6_ADDR_UNICAST)
+@@ -197,7 +200,8 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
+ if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL))
+ goto put_rt_err;
+
+- if (oif && oif != rt->rt6i_idev->dev)
++ if (oif && oif != rt->rt6i_idev->dev &&
++ l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) != oif->ifindex)
+ goto put_rt_err;
+
+ nft_fib_store_result(dest, priv, rt->rt6i_idev->dev);
+--
+2.35.1
+
--- /dev/null
+From 6149fbd4cbf5170fd911954d98385f53cbb7453e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 21:37:49 -0700
+Subject: netlink: Bounds-check struct nlmsgerr creation
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 710d21fdff9a98d621cd4e64167f3ef8af4e2fd1 ]
+
+In preparation for FORTIFY_SOURCE doing bounds-check on memcpy(),
+switch from __nlmsg_put to nlmsg_put(), and explain the bounds check
+for dealing with the memcpy() across a composite flexible array struct.
+Avoids this future run-time warning:
+
+ memcpy: detected field-spanning write (size 32) of single field "&errmsg->msg" at net/netlink/af_netlink.c:2447 (size 16)
+
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Pablo Neira Ayuso <pablo@netfilter.org>
+Cc: Jozsef Kadlecsik <kadlec@netfilter.org>
+Cc: Florian Westphal <fw@strlen.de>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: syzbot <syzkaller@googlegroups.com>
+Cc: netfilter-devel@vger.kernel.org
+Cc: coreteam@netfilter.org
+Cc: netdev@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20220901071336.1418572-1-keescook@chromium.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_core.c | 8 +++++---
+ net/netlink/af_netlink.c | 8 +++++---
+ 2 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
+index 16ae92054baa..6b31746f9be3 100644
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -1719,11 +1719,13 @@ call_ad(struct net *net, struct sock *ctnl, struct sk_buff *skb,
+ skb2 = nlmsg_new(payload, GFP_KERNEL);
+ if (!skb2)
+ return -ENOMEM;
+- rep = __nlmsg_put(skb2, NETLINK_CB(skb).portid,
+- nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
++ rep = nlmsg_put(skb2, NETLINK_CB(skb).portid,
++ nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
+ errmsg = nlmsg_data(rep);
+ errmsg->error = ret;
+- memcpy(&errmsg->msg, nlh, nlh->nlmsg_len);
++ unsafe_memcpy(&errmsg->msg, nlh, nlh->nlmsg_len,
++ /* Bounds checked by the skb layer. */);
++
+ cmdattr = (void *)&errmsg->msg + min_len;
+
+ ret = nla_parse(cda, IPSET_ATTR_CMD_MAX, cmdattr,
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 0cd91f813a3b..d8d3ed2096a3 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2440,11 +2440,13 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
+ return;
+ }
+
+- rep = __nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
+- NLMSG_ERROR, payload, flags);
++ rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
++ NLMSG_ERROR, payload, flags);
+ errmsg = nlmsg_data(rep);
+ errmsg->error = err;
+- memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg) ? nlh->nlmsg_len : sizeof(*nlh));
++ unsafe_memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg)
++ ? nlh->nlmsg_len : sizeof(*nlh),
++ /* Bounds checked by the skb layer. */);
+
+ if (nlk_has_extack && extack) {
+ if (extack->_msg) {
+--
+2.35.1
+
--- /dev/null
+From 68c21bc5454907c80c34f916b4a8924881e94e9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 07:27:04 +0200
+Subject: nfsd: Fix a memory leak in an error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit fd1ef88049de09bc70d60b549992524cfc0e66ff ]
+
+If this memdup_user() call fails, the memory allocated in a previous call
+a few lines above should be freed. Otherwise it leaks.
+
+Fixes: 6ee95d1c8991 ("nfsd: add support for upcall version 2")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4recover.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
+index c634483d85d2..8f24485e0f04 100644
+--- a/fs/nfsd/nfs4recover.c
++++ b/fs/nfsd/nfs4recover.c
+@@ -815,8 +815,10 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
+ princhash.data = memdup_user(
+ &ci->cc_princhash.cp_data,
+ princhashlen);
+- if (IS_ERR_OR_NULL(princhash.data))
++ if (IS_ERR_OR_NULL(princhash.data)) {
++ kfree(name.data);
+ return -EFAULT;
++ }
+ princhash.len = princhashlen;
+ } else
+ princhash.len = 0;
+--
+2.35.1
+
--- /dev/null
+From c224f05fe1a686d4f0d7abdaa5935c359694ba15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Sep 2022 15:33:32 -0400
+Subject: NFSD: Fix handling of oversized NFSv4 COMPOUND requests
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 7518a3dc5ea249d4112156ce71b8b184eb786151 ]
+
+If an NFS server returns NFS4ERR_RESOURCE on the first operation in
+an NFSv4 COMPOUND, there's no way for a client to know where the
+problem is and then simplify the compound to make forward progress.
+
+So instead, make NFSD process as many operations in an oversized
+COMPOUND as it can and then return NFS4ERR_RESOURCE on the first
+operation it did not process.
+
+pynfs NFSv4.0 COMP6 exercises this case, but checks only for the
+COMPOUND status code, not whether the server has processed any
+of the operations.
+
+pynfs NFSv4.1 SEQ6 and SEQ7 exercise the NFSv4.1 case, which detects
+too many operations per COMPOUND by checking against the limits
+negotiated when the session was created.
+
+Suggested-by: Bruce Fields <bfields@fieldses.org>
+Fixes: 0078117c6d91 ("nfsd: return RESOURCE not GARBAGE_ARGS on too many ops")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4proc.c | 19 +++++++++++++------
+ fs/nfsd/nfs4xdr.c | 12 +++---------
+ fs/nfsd/xdr4.h | 3 ++-
+ 3 files changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
+index 0437210b9898..22de5e0249ea 100644
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -2633,9 +2633,6 @@ nfsd4_proc_compound(struct svc_rqst *rqstp)
+ status = nfserr_minor_vers_mismatch;
+ if (nfsd_minorversion(nn, args->minorversion, NFSD_TEST) <= 0)
+ goto out;
+- status = nfserr_resource;
+- if (args->opcnt > NFSD_MAX_OPS_PER_COMPOUND)
+- goto out;
+
+ status = nfs41_check_op_ordering(args);
+ if (status) {
+@@ -2648,10 +2645,20 @@ nfsd4_proc_compound(struct svc_rqst *rqstp)
+
+ rqstp->rq_lease_breaker = (void **)&cstate->clp;
+
+- trace_nfsd_compound(rqstp, args->opcnt);
++ trace_nfsd_compound(rqstp, args->client_opcnt);
+ while (!status && resp->opcnt < args->opcnt) {
+ op = &args->ops[resp->opcnt++];
+
++ if (unlikely(resp->opcnt == NFSD_MAX_OPS_PER_COMPOUND)) {
++ /* If there are still more operations to process,
++ * stop here and report NFS4ERR_RESOURCE. */
++ if (cstate->minorversion == 0 &&
++ args->client_opcnt > resp->opcnt) {
++ op->status = nfserr_resource;
++ goto encode_op;
++ }
++ }
++
+ /*
+ * The XDR decode routines may have pre-set op->status;
+ * for example, if there is a miscellaneous XDR error
+@@ -2727,8 +2734,8 @@ nfsd4_proc_compound(struct svc_rqst *rqstp)
+ status = op->status;
+ }
+
+- trace_nfsd_compound_status(args->opcnt, resp->opcnt, status,
+- nfsd4_op_name(op->opnum));
++ trace_nfsd_compound_status(args->client_opcnt, resp->opcnt,
++ status, nfsd4_op_name(op->opnum));
+
+ nfsd4_cstate_clear_replay(cstate);
+ nfsd4_increment_op_stats(op->opnum);
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index 1e9690a061ec..ac1b03cf05a5 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -2357,16 +2357,10 @@ nfsd4_decode_compound(struct nfsd4_compoundargs *argp)
+
+ if (xdr_stream_decode_u32(argp->xdr, &argp->minorversion) < 0)
+ return false;
+- if (xdr_stream_decode_u32(argp->xdr, &argp->opcnt) < 0)
++ if (xdr_stream_decode_u32(argp->xdr, &argp->client_opcnt) < 0)
+ return false;
+-
+- /*
+- * NFS4ERR_RESOURCE is a more helpful error than GARBAGE_ARGS
+- * here, so we return success at the xdr level so that
+- * nfsd4_proc can handle this is an NFS-level error.
+- */
+- if (argp->opcnt > NFSD_MAX_OPS_PER_COMPOUND)
+- return true;
++ argp->opcnt = min_t(u32, argp->client_opcnt,
++ NFSD_MAX_OPS_PER_COMPOUND);
+
+ if (argp->opcnt > ARRAY_SIZE(argp->iops)) {
+ argp->ops = kzalloc(argp->opcnt * sizeof(*argp->ops), GFP_KERNEL);
+diff --git a/fs/nfsd/xdr4.h b/fs/nfsd/xdr4.h
+index 96267258e629..466e2786fc97 100644
+--- a/fs/nfsd/xdr4.h
++++ b/fs/nfsd/xdr4.h
+@@ -717,9 +717,10 @@ struct nfsd4_compoundargs {
+ struct svcxdr_tmpbuf *to_free;
+ struct svc_rqst *rqstp;
+
+- u32 taglen;
+ char * tag;
++ u32 taglen;
+ u32 minorversion;
++ u32 client_opcnt;
+ u32 opcnt;
+ struct nfsd4_op *ops;
+ struct nfsd4_op iops[8];
+--
+2.35.1
+
--- /dev/null
+From a75cd659943f4f3f052c7b97bab4603bbf61c20a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 10:59:16 -0700
+Subject: NFSD: fix use-after-free on source server when doing inter-server
+ copy
+
+From: Dai Ngo <dai.ngo@oracle.com>
+
+[ Upstream commit 019805fea91599b22dfa62ffb29c022f35abeb06 ]
+
+Use-after-free occurred when the laundromat tried to free expired
+cpntf_state entry on the s2s_cp_stateids list after inter-server
+copy completed. The sc_cp_list that the expired copy state was
+inserted on was already freed.
+
+When COPY completes, the Linux client normally sends LOCKU(lock_state x),
+FREE_STATEID(lock_state x) and CLOSE(open_state y) to the source server.
+The nfs4_put_stid call from nfsd4_free_stateid cleans up the copy state
+from the s2s_cp_stateids list before freeing the lock state's stid.
+
+However, sometimes the CLOSE was sent before the FREE_STATEID request.
+When this happens, the nfsd4_close_open_stateid call from nfsd4_close
+frees all lock states on its st_locks list without cleaning up the copy
+state on the sc_cp_list list. When the time the FREE_STATEID arrives the
+server returns BAD_STATEID since the lock state was freed. This causes
+the use-after-free error to occur when the laundromat tries to free
+the expired cpntf_state.
+
+This patch adds a call to nfs4_free_cpntf_statelist in
+nfsd4_close_open_stateid to clean up the copy state before calling
+free_ol_stateid_reaplist to free the lock state's stid on the reaplist.
+
+Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4state.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index c5d199d7e6b4..0bc36472f8b7 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1049,6 +1049,7 @@ static struct nfs4_ol_stateid * nfs4_alloc_open_stateid(struct nfs4_client *clp)
+
+ static void nfs4_free_deleg(struct nfs4_stid *stid)
+ {
++ WARN_ON(!list_empty(&stid->sc_cp_list));
+ kmem_cache_free(deleg_slab, stid);
+ atomic_long_dec(&num_delegations);
+ }
+@@ -1462,6 +1463,7 @@ static void nfs4_free_ol_stateid(struct nfs4_stid *stid)
+ release_all_access(stp);
+ if (stp->st_stateowner)
+ nfs4_put_stateowner(stp->st_stateowner);
++ WARN_ON(!list_empty(&stid->sc_cp_list));
+ kmem_cache_free(stateid_slab, stid);
+ }
+
+@@ -6684,6 +6686,7 @@ static void nfsd4_close_open_stateid(struct nfs4_ol_stateid *s)
+ struct nfs4_client *clp = s->st_stid.sc_client;
+ bool unhashed;
+ LIST_HEAD(reaplist);
++ struct nfs4_ol_stateid *stp;
+
+ spin_lock(&clp->cl_lock);
+ unhashed = unhash_open_stateid(s, &reaplist);
+@@ -6692,6 +6695,8 @@ static void nfsd4_close_open_stateid(struct nfs4_ol_stateid *s)
+ if (unhashed)
+ put_ol_stateid_locked(s, &reaplist);
+ spin_unlock(&clp->cl_lock);
++ list_for_each_entry(stp, &reaplist, st_locks)
++ nfs4_free_cpntf_statelist(clp->net, &stp->st_stid);
+ free_ol_stateid_reaplist(&reaplist);
+ } else {
+ spin_unlock(&clp->cl_lock);
+--
+2.35.1
+
--- /dev/null
+From 4908d8d5ca67c5281fd01a8e89c1e4eaa7fa7109 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 23:01:14 +0200
+Subject: NFSD: move from strlcpy with unused retval to strscpy
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 72f78ae00a8e5d7abe13abac8305a300f6afd74b ]
+
+Follow the advice of the below link and prefer 'strscpy' in this
+subsystem. Conversion is 1:1 because the return value is not used.
+Generated by a coccinelle script.
+
+Link: https://lore.kernel.org/r/CAHk-=wgfRnXz0W3D37d01q3JFkr_i_uTL=V6A6G1oUZcprmknw@mail.gmail.com/
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Stable-dep-of: fd1ef88049de ("nfsd: Fix a memory leak in an error handling path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4idmap.c | 8 ++++----
+ fs/nfsd/nfs4proc.c | 2 +-
+ fs/nfsd/nfssvc.c | 2 +-
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/fs/nfsd/nfs4idmap.c b/fs/nfsd/nfs4idmap.c
+index f92161ce1f97..e70a1a2999b7 100644
+--- a/fs/nfsd/nfs4idmap.c
++++ b/fs/nfsd/nfs4idmap.c
+@@ -82,8 +82,8 @@ ent_init(struct cache_head *cnew, struct cache_head *citm)
+ new->id = itm->id;
+ new->type = itm->type;
+
+- strlcpy(new->name, itm->name, sizeof(new->name));
+- strlcpy(new->authname, itm->authname, sizeof(new->authname));
++ strscpy(new->name, itm->name, sizeof(new->name));
++ strscpy(new->authname, itm->authname, sizeof(new->authname));
+ }
+
+ static void
+@@ -548,7 +548,7 @@ idmap_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen
+ return nfserr_badowner;
+ memcpy(key.name, name, namelen);
+ key.name[namelen] = '\0';
+- strlcpy(key.authname, rqst_authname(rqstp), sizeof(key.authname));
++ strscpy(key.authname, rqst_authname(rqstp), sizeof(key.authname));
+ ret = idmap_lookup(rqstp, nametoid_lookup, &key, nn->nametoid_cache, &item);
+ if (ret == -ENOENT)
+ return nfserr_badowner;
+@@ -584,7 +584,7 @@ static __be32 idmap_id_to_name(struct xdr_stream *xdr,
+ int ret;
+ struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
+
+- strlcpy(key.authname, rqst_authname(rqstp), sizeof(key.authname));
++ strscpy(key.authname, rqst_authname(rqstp), sizeof(key.authname));
+ ret = idmap_lookup(rqstp, idtoname_lookup, &key, nn->idtoname_cache, &item);
+ if (ret == -ENOENT)
+ return encode_ascii_id(xdr, id);
+diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
+index a72ab97f77ef..0437210b9898 100644
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1343,7 +1343,7 @@ static __be32 nfsd4_ssc_setup_dul(struct nfsd_net *nn, char *ipaddr,
+ return 0;
+ }
+ if (work) {
+- strlcpy(work->nsui_ipaddr, ipaddr, sizeof(work->nsui_ipaddr) - 1);
++ strscpy(work->nsui_ipaddr, ipaddr, sizeof(work->nsui_ipaddr) - 1);
+ refcount_set(&work->nsui_refcnt, 2);
+ work->nsui_busy = true;
+ list_add_tail(&work->nsui_list, &nn->nfsd_ssc_mount_list);
+diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
+index 4bb5baa17040..bfbd9f672f59 100644
+--- a/fs/nfsd/nfssvc.c
++++ b/fs/nfsd/nfssvc.c
+@@ -799,7 +799,7 @@ nfsd_svc(int nrservs, struct net *net, const struct cred *cred)
+ if (nrservs == 0 && nn->nfsd_serv == NULL)
+ goto out;
+
+- strlcpy(nn->nfsd_name, utsname()->nodename,
++ strscpy(nn->nfsd_name, utsname()->nodename,
+ sizeof(nn->nfsd_name));
+
+ error = nfsd_create_serv(net);
+--
+2.35.1
+
--- /dev/null
+From 15c9774ccf60a6f49e62949d52db2910e714baad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 15:10:05 -0400
+Subject: NFSD: Protect against send buffer overflow in NFSv2 READDIR
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 00b4492686e0497fdb924a9d4c8f6f99377e176c ]
+
+Restore the previous limit on the @count argument to prevent a
+buffer overflow attack.
+
+Fixes: 53b1119a6e50 ("NFSD: Fix READDIR buffer overflow")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfsproc.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c
+index fcbf7e4083af..4b19cc727ea5 100644
+--- a/fs/nfsd/nfsproc.c
++++ b/fs/nfsd/nfsproc.c
+@@ -568,12 +568,11 @@ static void nfsd_init_dirlist_pages(struct svc_rqst *rqstp,
+ struct xdr_buf *buf = &resp->dirlist;
+ struct xdr_stream *xdr = &resp->xdr;
+
+- count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp));
+-
+ memset(buf, 0, sizeof(*buf));
+
+ /* Reserve room for the NULL ptr & eof flag (-2 words) */
+- buf->buflen = count - XDR_UNIT * 2;
++ buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), (u32)PAGE_SIZE);
++ buf->buflen -= XDR_UNIT * 2;
+ buf->pages = rqstp->rq_next_page;
+ rqstp->rq_next_page++;
+
+--
+2.35.1
+
--- /dev/null
+From 80ce5f6b71b64ff1d0c2292cbd84cc4200157573 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 14:01:50 -0400
+Subject: NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data
+
+From: Anna Schumaker <Anna.Schumaker@Netapp.com>
+
+[ Upstream commit 06981d560606ac48d61e5f4fff6738b925c93173 ]
+
+This was discussed with Chuck as part of this patch set. Returning
+nfserr_resource was decided to not be the best error message here, and
+he suggested changing to nfserr_serverfault instead.
+
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Link: https://lore.kernel.org/linux-nfs/20220907195259.926736-1-anna@kernel.org/T/#t
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4xdr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index ac1b03cf05a5..2960d0a8e8f9 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -3988,7 +3988,7 @@ nfsd4_encode_read(struct nfsd4_compoundres *resp, __be32 nfserr,
+ }
+ if (resp->xdr->buf->page_len && splice_ok) {
+ WARN_ON_ONCE(1);
+- return nfserr_resource;
++ return nfserr_serverfault;
+ }
+ xdr_commit_encode(xdr);
+
+--
+2.35.1
+
--- /dev/null
+From ed32e2a3a538600978b1081c0e3700cd189cf655 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Aug 2022 14:38:40 +0200
+Subject: ntfs3: rework xattr handlers and switch to POSIX ACL VFS helpers
+
+From: Christian Brauner <brauner@kernel.org>
+
+[ Upstream commit a26aa12384158116c0d80d50e0bdc7b3323551e2 ]
+
+The xattr code in ntfs3 is currently a bit confused. For example, it
+defines a POSIX ACL i_op->set_acl() method but instead of relying on the
+generic POSIX ACL VFS helpers it defines its own set of xattr helpers
+with the consequence that i_op->set_acl() is currently dead code.
+
+Switch ntfs3 to rely on the VFS POSIX ACL xattr handlers. Also remove
+i_op->{g,s}et_acl() methods from symlink inode operations. Symlinks
+don't support xattrs.
+
+This is a preliminary change for the following patches which move
+handling idmapped mounts directly in posix_acl_xattr_set().
+
+This survives POSIX ACL xfstests.
+
+Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations")
+Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Reviewed-by: Seth Forshee (DigitalOcean) <sforshee@kernel.org>>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/inode.c | 2 -
+ fs/ntfs3/xattr.c | 102 +++--------------------------------------------
+ 2 files changed, 6 insertions(+), 98 deletions(-)
+
+diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
+index 51363d4e8636..26a76ebfe58f 100644
+--- a/fs/ntfs3/inode.c
++++ b/fs/ntfs3/inode.c
+@@ -1927,8 +1927,6 @@ const struct inode_operations ntfs_link_inode_operations = {
+ .setattr = ntfs3_setattr,
+ .listxattr = ntfs_listxattr,
+ .permission = ntfs_permission,
+- .get_acl = ntfs_get_acl,
+- .set_acl = ntfs_set_acl,
+ };
+
+ const struct address_space_operations ntfs_aops = {
+diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
+index 6ae1f56b7358..7de8718c68a9 100644
+--- a/fs/ntfs3/xattr.c
++++ b/fs/ntfs3/xattr.c
+@@ -625,67 +625,6 @@ int ntfs_set_acl(struct user_namespace *mnt_userns, struct inode *inode,
+ return ntfs_set_acl_ex(mnt_userns, inode, acl, type, false);
+ }
+
+-static int ntfs_xattr_get_acl(struct user_namespace *mnt_userns,
+- struct inode *inode, int type, void *buffer,
+- size_t size)
+-{
+- struct posix_acl *acl;
+- int err;
+-
+- if (!(inode->i_sb->s_flags & SB_POSIXACL)) {
+- ntfs_inode_warn(inode, "add mount option \"acl\" to use acl");
+- return -EOPNOTSUPP;
+- }
+-
+- acl = ntfs_get_acl(inode, type, false);
+- if (IS_ERR(acl))
+- return PTR_ERR(acl);
+-
+- if (!acl)
+- return -ENODATA;
+-
+- err = posix_acl_to_xattr(&init_user_ns, acl, buffer, size);
+- posix_acl_release(acl);
+-
+- return err;
+-}
+-
+-static int ntfs_xattr_set_acl(struct user_namespace *mnt_userns,
+- struct inode *inode, int type, const void *value,
+- size_t size)
+-{
+- struct posix_acl *acl;
+- int err;
+-
+- if (!(inode->i_sb->s_flags & SB_POSIXACL)) {
+- ntfs_inode_warn(inode, "add mount option \"acl\" to use acl");
+- return -EOPNOTSUPP;
+- }
+-
+- if (!inode_owner_or_capable(mnt_userns, inode))
+- return -EPERM;
+-
+- if (!value) {
+- acl = NULL;
+- } else {
+- acl = posix_acl_from_xattr(&init_user_ns, value, size);
+- if (IS_ERR(acl))
+- return PTR_ERR(acl);
+-
+- if (acl) {
+- err = posix_acl_valid(&init_user_ns, acl);
+- if (err)
+- goto release_and_out;
+- }
+- }
+-
+- err = ntfs_set_acl(mnt_userns, inode, acl, type);
+-
+-release_and_out:
+- posix_acl_release(acl);
+- return err;
+-}
+-
+ /*
+ * ntfs_init_acl - Initialize the ACLs of a new inode.
+ *
+@@ -852,23 +791,6 @@ static int ntfs_getxattr(const struct xattr_handler *handler, struct dentry *de,
+ goto out;
+ }
+
+-#ifdef CONFIG_NTFS3_FS_POSIX_ACL
+- if ((name_len == sizeof(XATTR_NAME_POSIX_ACL_ACCESS) - 1 &&
+- !memcmp(name, XATTR_NAME_POSIX_ACL_ACCESS,
+- sizeof(XATTR_NAME_POSIX_ACL_ACCESS))) ||
+- (name_len == sizeof(XATTR_NAME_POSIX_ACL_DEFAULT) - 1 &&
+- !memcmp(name, XATTR_NAME_POSIX_ACL_DEFAULT,
+- sizeof(XATTR_NAME_POSIX_ACL_DEFAULT)))) {
+- /* TODO: init_user_ns? */
+- err = ntfs_xattr_get_acl(
+- &init_user_ns, inode,
+- name_len == sizeof(XATTR_NAME_POSIX_ACL_ACCESS) - 1
+- ? ACL_TYPE_ACCESS
+- : ACL_TYPE_DEFAULT,
+- buffer, size);
+- goto out;
+- }
+-#endif
+ /* Deal with NTFS extended attribute. */
+ err = ntfs_get_ea(inode, name, name_len, buffer, size, NULL);
+
+@@ -981,22 +903,6 @@ static noinline int ntfs_setxattr(const struct xattr_handler *handler,
+ goto out;
+ }
+
+-#ifdef CONFIG_NTFS3_FS_POSIX_ACL
+- if ((name_len == sizeof(XATTR_NAME_POSIX_ACL_ACCESS) - 1 &&
+- !memcmp(name, XATTR_NAME_POSIX_ACL_ACCESS,
+- sizeof(XATTR_NAME_POSIX_ACL_ACCESS))) ||
+- (name_len == sizeof(XATTR_NAME_POSIX_ACL_DEFAULT) - 1 &&
+- !memcmp(name, XATTR_NAME_POSIX_ACL_DEFAULT,
+- sizeof(XATTR_NAME_POSIX_ACL_DEFAULT)))) {
+- err = ntfs_xattr_set_acl(
+- mnt_userns, inode,
+- name_len == sizeof(XATTR_NAME_POSIX_ACL_ACCESS) - 1
+- ? ACL_TYPE_ACCESS
+- : ACL_TYPE_DEFAULT,
+- value, size);
+- goto out;
+- }
+-#endif
+ /* Deal with NTFS extended attribute. */
+ err = ntfs_set_ea(inode, name, name_len, value, size, flags, 0);
+
+@@ -1086,7 +992,7 @@ static bool ntfs_xattr_user_list(struct dentry *dentry)
+ }
+
+ // clang-format off
+-static const struct xattr_handler ntfs_xattr_handler = {
++static const struct xattr_handler ntfs_other_xattr_handler = {
+ .prefix = "",
+ .get = ntfs_getxattr,
+ .set = ntfs_setxattr,
+@@ -1094,7 +1000,11 @@ static const struct xattr_handler ntfs_xattr_handler = {
+ };
+
+ const struct xattr_handler *ntfs_xattr_handlers[] = {
+- &ntfs_xattr_handler,
++#ifdef CONFIG_NTFS3_FS_POSIX_ACL
++ &posix_acl_access_xattr_handler,
++ &posix_acl_default_xattr_handler,
++#endif
++ &ntfs_other_xattr_handler,
+ NULL,
+ };
+ // clang-format on
+--
+2.35.1
+
--- /dev/null
+From a8fd19bb44b6aec880a0701103f5cf84034aa75d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 12:45:08 -0700
+Subject: nvme: copy firmware_rev on each init
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit a8eb6c1ba48bddea82e8d74cbe6e119f006be97d ]
+
+The firmware revision can change on after a reset so copy the most
+recent info each time instead of just the first time, otherwise the
+sysfs firmware_rev entry may contain stale data.
+
+Reported-by: Jeff Lien <jeff.lien@wdc.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Chao Leng <lengchao@huawei.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 7991d28e6a6a..59e4b188fc71 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2889,7 +2889,6 @@ static int nvme_init_subsystem(struct nvme_ctrl *ctrl, struct nvme_id_ctrl *id)
+ nvme_init_subnqn(subsys, ctrl, id);
+ memcpy(subsys->serial, id->sn, sizeof(subsys->serial));
+ memcpy(subsys->model, id->mn, sizeof(subsys->model));
+- memcpy(subsys->firmware_rev, id->fr, sizeof(subsys->firmware_rev));
+ subsys->vendor_id = le16_to_cpu(id->vid);
+ subsys->cmic = id->cmic;
+
+@@ -3108,6 +3107,8 @@ static int nvme_init_identify(struct nvme_ctrl *ctrl)
+ ctrl->quirks |= core_quirks[i].quirks;
+ }
+ }
++ memcpy(ctrl->subsys->firmware_rev, id->fr,
++ sizeof(ctrl->subsys->firmware_rev));
+
+ if (force_apst && (ctrl->quirks & NVME_QUIRK_NO_DEEPEST_PS)) {
+ dev_warn(ctrl->device, "forcibly allowing all power states due to nvme_core.force_apst -- use at your own risk\n");
+--
+2.35.1
+
--- /dev/null
+From 929be36a5bbb0d95856b8bb9f089f9a737519b08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 12:36:46 -0700
+Subject: nvme: handle effects after freeing the request
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit bc8fb906b0ff9339b4286698cb7cd9cd5b8c53eb ]
+
+If a reset occurs after the scan work attempts to issue a command, the
+reset may quisce the admin queue, which blocks the scan work's command
+from dispatching. The scan work will not be able to complete while the
+queue is quiesced.
+
+Meanwhile, the reset work will cancel all outstanding admin tags and
+wait until all requests have transitioned to idle, which includes the
+passthrough request. But the passthrough request won't be set to idle
+until after the scan_work flushes, so we're deadlocked.
+
+Fix this by handling the end effects after the request has been freed.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216354
+Reported-by: Jonathan Derrick <Jonathan.Derrick@solidigm.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Chao Leng <lengchao@huawei.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 17 ++++++-----------
+ drivers/nvme/host/ioctl.c | 9 ++++++++-
+ drivers/nvme/host/nvme.h | 4 +++-
+ drivers/nvme/target/passthru.c | 7 ++++++-
+ 4 files changed, 23 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 8d5a7ae19844..7991d28e6a6a 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1111,8 +1111,8 @@ static u32 nvme_passthru_start(struct nvme_ctrl *ctrl, struct nvme_ns *ns,
+ return effects;
+ }
+
+-static void nvme_passthru_end(struct nvme_ctrl *ctrl, u32 effects,
+- struct nvme_command *cmd, int status)
++void nvme_passthru_end(struct nvme_ctrl *ctrl, u32 effects,
++ struct nvme_command *cmd, int status)
+ {
+ if (effects & NVME_CMD_EFFECTS_CSE_MASK) {
+ nvme_unfreeze(ctrl);
+@@ -1148,21 +1148,16 @@ static void nvme_passthru_end(struct nvme_ctrl *ctrl, u32 effects,
+ break;
+ }
+ }
++EXPORT_SYMBOL_NS_GPL(nvme_passthru_end, NVME_TARGET_PASSTHRU);
+
+-int nvme_execute_passthru_rq(struct request *rq)
++int nvme_execute_passthru_rq(struct request *rq, u32 *effects)
+ {
+ struct nvme_command *cmd = nvme_req(rq)->cmd;
+ struct nvme_ctrl *ctrl = nvme_req(rq)->ctrl;
+ struct nvme_ns *ns = rq->q->queuedata;
+- u32 effects;
+- int ret;
+
+- effects = nvme_passthru_start(ctrl, ns, cmd->common.opcode);
+- ret = nvme_execute_rq(rq, false);
+- if (effects) /* nothing to be done for zero cmd effects */
+- nvme_passthru_end(ctrl, effects, cmd, ret);
+-
+- return ret;
++ *effects = nvme_passthru_start(ctrl, ns, cmd->common.opcode);
++ return nvme_execute_rq(rq, false);
+ }
+ EXPORT_SYMBOL_NS_GPL(nvme_execute_passthru_rq, NVME_TARGET_PASSTHRU);
+
+diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
+index 27614bee7380..d3281f87cd6e 100644
+--- a/drivers/nvme/host/ioctl.c
++++ b/drivers/nvme/host/ioctl.c
+@@ -136,9 +136,11 @@ static int nvme_submit_user_cmd(struct request_queue *q,
+ unsigned bufflen, void __user *meta_buffer, unsigned meta_len,
+ u32 meta_seed, u64 *result, unsigned timeout, bool vec)
+ {
++ struct nvme_ctrl *ctrl;
+ struct request *req;
+ void *meta = NULL;
+ struct bio *bio;
++ u32 effects;
+ int ret;
+
+ req = nvme_alloc_user_request(q, cmd, ubuffer, bufflen, meta_buffer,
+@@ -147,8 +149,9 @@ static int nvme_submit_user_cmd(struct request_queue *q,
+ return PTR_ERR(req);
+
+ bio = req->bio;
++ ctrl = nvme_req(req)->ctrl;
+
+- ret = nvme_execute_passthru_rq(req);
++ ret = nvme_execute_passthru_rq(req, &effects);
+
+ if (result)
+ *result = le64_to_cpu(nvme_req(req)->result.u64);
+@@ -158,6 +161,10 @@ static int nvme_submit_user_cmd(struct request_queue *q,
+ if (bio)
+ blk_rq_unmap_user(bio);
+ blk_mq_free_request(req);
++
++ if (effects)
++ nvme_passthru_end(ctrl, effects, cmd, ret);
++
+ return ret;
+ }
+
+diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
+index 1bdf714dcd9e..a0bf9560cf67 100644
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -1023,7 +1023,9 @@ static inline void nvme_auth_free(struct nvme_ctrl *ctrl) {};
+
+ u32 nvme_command_effects(struct nvme_ctrl *ctrl, struct nvme_ns *ns,
+ u8 opcode);
+-int nvme_execute_passthru_rq(struct request *rq);
++int nvme_execute_passthru_rq(struct request *rq, u32 *effects);
++void nvme_passthru_end(struct nvme_ctrl *ctrl, u32 effects,
++ struct nvme_command *cmd, int status);
+ struct nvme_ctrl *nvme_ctrl_from_file(struct file *file);
+ struct nvme_ns *nvme_find_get_ns(struct nvme_ctrl *ctrl, unsigned nsid);
+ void nvme_put_ns(struct nvme_ns *ns);
+diff --git a/drivers/nvme/target/passthru.c b/drivers/nvme/target/passthru.c
+index 6f39a29828b1..94d3153bae54 100644
+--- a/drivers/nvme/target/passthru.c
++++ b/drivers/nvme/target/passthru.c
+@@ -215,9 +215,11 @@ static void nvmet_passthru_execute_cmd_work(struct work_struct *w)
+ {
+ struct nvmet_req *req = container_of(w, struct nvmet_req, p.work);
+ struct request *rq = req->p.rq;
++ struct nvme_ctrl *ctrl = nvme_req(rq)->ctrl;
++ u32 effects;
+ int status;
+
+- status = nvme_execute_passthru_rq(rq);
++ status = nvme_execute_passthru_rq(rq, &effects);
+
+ if (status == NVME_SC_SUCCESS &&
+ req->cmd->common.opcode == nvme_admin_identify) {
+@@ -238,6 +240,9 @@ static void nvmet_passthru_execute_cmd_work(struct work_struct *w)
+ req->cqe->result = nvme_req(rq)->result;
+ nvmet_req_complete(req, status);
+ blk_mq_free_request(rq);
++
++ if (effects)
++ nvme_passthru_end(ctrl, effects, req->cmd, status);
+ }
+
+ static void nvmet_passthru_req_done(struct request *rq,
+--
+2.35.1
+
--- /dev/null
+From eb2bf72634a2cbb8f38caca20fdfd0c49f837916 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Aug 2022 11:12:30 +0800
+Subject: nvmet-auth: clean up with done_kfree
+
+From: Jackie Liu <liuyun01@kylinos.cn>
+
+[ Upstream commit 42147981561c3344d2c6781fe7029e5900daa9fb ]
+
+Jump directly to done_kfree to release d, which is consistent with the
+code style behind.
+
+Reported-by: Genjian Zhang <zhanggenjian@kylinos.cn>
+Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/fabrics-cmd-auth.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
+index 0c078b6b1447..2c265504b87c 100644
+--- a/drivers/nvme/target/fabrics-cmd-auth.c
++++ b/drivers/nvme/target/fabrics-cmd-auth.c
+@@ -224,10 +224,8 @@ void nvmet_execute_auth_send(struct nvmet_req *req)
+ }
+
+ status = nvmet_copy_from_sgl(req, 0, d, tl);
+- if (status) {
+- kfree(d);
+- goto done;
+- }
++ if (status)
++ goto done_kfree;
+
+ data = d;
+ pr_debug("%s: ctrl %d qid %d type %d id %d step %x\n", __func__,
+--
+2.35.1
+
--- /dev/null
+From b97ac5834797ad235bd506b91f4ce9d9a2cc1080 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 15:37:18 +0200
+Subject: nvmet-auth: don't try to cancel a non-initialized work_struct
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 1befd944e05050d76950014f3dc04ed47faba2c3 ]
+
+Currently blktests nvme/002 trips up debugobjects if CONFIG_NVME_AUTH is
+enabled, but authentication is not on a queue. This is because
+nvmet_auth_sq_free cancels sq->auth_expired_work unconditionaly, while
+auth_expired_work is only ever initialized if authentication is enabled
+for a given controller.
+
+Fix this by calling most of what is nvmet_init_auth unconditionally
+when initializing the SQ, and just do the setting of the result
+field in the connect command handler.
+
+Fixes: db1312dd9548 ("nvmet: implement basic In-Band Authentication")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/core.c | 1 +
+ drivers/nvme/target/fabrics-cmd-auth.c | 13 ++++---------
+ drivers/nvme/target/fabrics-cmd.c | 6 ++++--
+ drivers/nvme/target/nvmet.h | 7 ++++---
+ 4 files changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
+index 7f4083cf953a..14677145bbba 100644
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -832,6 +832,7 @@ int nvmet_sq_init(struct nvmet_sq *sq)
+ }
+ init_completion(&sq->free_done);
+ init_completion(&sq->confirm_done);
++ nvmet_auth_sq_init(sq);
+
+ return 0;
+ }
+diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
+index ebdf9aa81041..0c078b6b1447 100644
+--- a/drivers/nvme/target/fabrics-cmd-auth.c
++++ b/drivers/nvme/target/fabrics-cmd-auth.c
+@@ -23,17 +23,12 @@ static void nvmet_auth_expired_work(struct work_struct *work)
+ sq->dhchap_tid = -1;
+ }
+
+-void nvmet_init_auth(struct nvmet_ctrl *ctrl, struct nvmet_req *req)
++void nvmet_auth_sq_init(struct nvmet_sq *sq)
+ {
+- u32 result = le32_to_cpu(req->cqe->result.u32);
+-
+ /* Initialize in-band authentication */
+- INIT_DELAYED_WORK(&req->sq->auth_expired_work,
+- nvmet_auth_expired_work);
+- req->sq->authenticated = false;
+- req->sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE;
+- result |= (u32)NVME_CONNECT_AUTHREQ_ATR << 16;
+- req->cqe->result.u32 = cpu_to_le32(result);
++ INIT_DELAYED_WORK(&sq->auth_expired_work, nvmet_auth_expired_work);
++ sq->authenticated = false;
++ sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE;
+ }
+
+ static u16 nvmet_auth_negotiate(struct nvmet_req *req, void *d)
+diff --git a/drivers/nvme/target/fabrics-cmd.c b/drivers/nvme/target/fabrics-cmd.c
+index f91a56180d3d..bd739d8b6991 100644
+--- a/drivers/nvme/target/fabrics-cmd.c
++++ b/drivers/nvme/target/fabrics-cmd.c
+@@ -272,7 +272,8 @@ static void nvmet_execute_admin_connect(struct nvmet_req *req)
+ req->cqe->result.u16 = cpu_to_le16(ctrl->cntlid);
+
+ if (nvmet_has_auth(ctrl))
+- nvmet_init_auth(ctrl, req);
++ req->cqe->result.u32 |=
++ cpu_to_le32((u32)NVME_CONNECT_AUTHREQ_ATR << 16);
+ out:
+ kfree(d);
+ complete:
+@@ -334,7 +335,8 @@ static void nvmet_execute_io_connect(struct nvmet_req *req)
+ pr_debug("adding queue %d to ctrl %d.\n", qid, ctrl->cntlid);
+ req->cqe->result.u16 = cpu_to_le16(ctrl->cntlid);
+ if (nvmet_has_auth(ctrl))
+- nvmet_init_auth(ctrl, req);
++ req->cqe->result.u32 |=
++ cpu_to_le32((u32)NVME_CONNECT_AUTHREQ_ATR << 16);
+
+ out:
+ kfree(d);
+diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h
+index 6ffeeb0a1c49..dfe3894205aa 100644
+--- a/drivers/nvme/target/nvmet.h
++++ b/drivers/nvme/target/nvmet.h
+@@ -704,7 +704,7 @@ int nvmet_auth_set_key(struct nvmet_host *host, const char *secret,
+ bool set_ctrl);
+ int nvmet_auth_set_host_hash(struct nvmet_host *host, const char *hash);
+ int nvmet_setup_auth(struct nvmet_ctrl *ctrl);
+-void nvmet_init_auth(struct nvmet_ctrl *ctrl, struct nvmet_req *req);
++void nvmet_auth_sq_init(struct nvmet_sq *sq);
+ void nvmet_destroy_auth(struct nvmet_ctrl *ctrl);
+ void nvmet_auth_sq_free(struct nvmet_sq *sq);
+ int nvmet_setup_dhgroup(struct nvmet_ctrl *ctrl, u8 dhgroup_id);
+@@ -726,8 +726,9 @@ static inline int nvmet_setup_auth(struct nvmet_ctrl *ctrl)
+ {
+ return 0;
+ }
+-static inline void nvmet_init_auth(struct nvmet_ctrl *ctrl,
+- struct nvmet_req *req) {};
++static inline void nvmet_auth_sq_init(struct nvmet_sq *sq)
++{
++}
+ static inline void nvmet_destroy_auth(struct nvmet_ctrl *ctrl) {};
+ static inline void nvmet_auth_sq_free(struct nvmet_sq *sq) {};
+ static inline bool nvmet_check_auth_status(struct nvmet_req *req)
+--
+2.35.1
+
--- /dev/null
+From a4c740795541b913fb1a6faa4544e04e5a8713b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 10:24:07 +0200
+Subject: nvmet: don't look at the request_queue in
+ nvmet_bdev_zone_mgmt_emulate_all
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 8df20252c06046ef4c68107bcaaca56c21028d8c ]
+
+nvmet is a consumer of the block layer and should not directly look at
+the request_queue. Just use the NUMA node ID from the gendisk instead of
+the request_queue.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/zns.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/target/zns.c b/drivers/nvme/target/zns.c
+index 835bfda86fcf..1254cf57e008 100644
+--- a/drivers/nvme/target/zns.c
++++ b/drivers/nvme/target/zns.c
+@@ -400,7 +400,6 @@ static u16 nvmet_bdev_zone_mgmt_emulate_all(struct nvmet_req *req)
+ {
+ struct block_device *bdev = req->ns->bdev;
+ unsigned int nr_zones = bdev_nr_zones(bdev);
+- struct request_queue *q = bdev_get_queue(bdev);
+ struct bio *bio = NULL;
+ sector_t sector = 0;
+ int ret;
+@@ -409,7 +408,7 @@ static u16 nvmet_bdev_zone_mgmt_emulate_all(struct nvmet_req *req)
+ };
+
+ d.zbitmap = kcalloc_node(BITS_TO_LONGS(nr_zones), sizeof(*(d.zbitmap)),
+- GFP_NOIO, q->node);
++ GFP_NOIO, bdev->bd_disk->node_id);
+ if (!d.zbitmap) {
+ ret = -ENOMEM;
+ goto out;
+--
+2.35.1
+
--- /dev/null
+From 80dde9422c812c4c9ec7d79131da0603b27a9a34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 10:26:26 +0200
+Subject: nvmet: don't look at the request_queue in nvmet_bdev_set_limits
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 84fe64f898913ef69f70a8d91aea613b5722b63b ]
+
+nvmet is a consumer of the block layer and should not directly look at
+the request_queue. Use the bdev_ helpers to retrieve the device limits
+instead.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/io-cmd-bdev.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c
+index 2dc1c1035626..77c20c0db9d5 100644
+--- a/drivers/nvme/target/io-cmd-bdev.c
++++ b/drivers/nvme/target/io-cmd-bdev.c
+@@ -12,11 +12,9 @@
+
+ void nvmet_bdev_set_limits(struct block_device *bdev, struct nvme_id_ns *id)
+ {
+- const struct queue_limits *ql = &bdev_get_queue(bdev)->limits;
+- /* Number of logical blocks per physical block. */
+- const u32 lpp = ql->physical_block_size / ql->logical_block_size;
+ /* Logical blocks per physical block, 0's based. */
+- const __le16 lpp0b = to0based(lpp);
++ const __le16 lpp0b = to0based(bdev_physical_block_size(bdev) /
++ bdev_logical_block_size(bdev));
+
+ /*
+ * For NVMe 1.2 and later, bit 1 indicates that the fields NAWUN,
+@@ -42,11 +40,12 @@ void nvmet_bdev_set_limits(struct block_device *bdev, struct nvme_id_ns *id)
+ /* NPWA = Namespace Preferred Write Alignment. 0's based */
+ id->npwa = id->npwg;
+ /* NPDG = Namespace Preferred Deallocate Granularity. 0's based */
+- id->npdg = to0based(ql->discard_granularity / ql->logical_block_size);
++ id->npdg = to0based(bdev_discard_granularity(bdev) /
++ bdev_logical_block_size(bdev));
+ /* NPDG = Namespace Preferred Deallocate Alignment */
+ id->npda = id->npdg;
+ /* NOWS = Namespace Optimal Write Size */
+- id->nows = to0based(ql->io_opt / ql->logical_block_size);
++ id->nows = to0based(bdev_io_opt(bdev) / bdev_logical_block_size(bdev));
+ }
+
+ void nvmet_bdev_ns_disable(struct nvmet_ns *ns)
+--
+2.35.1
+
--- /dev/null
+From cb9cdbabcede2f267ae525d0484dc98d733eb4f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 00:06:49 +0530
+Subject: nvmet-tcp: add bounds check on Transfer Tag
+
+From: Varun Prakash <varun@chelsio.com>
+
+[ Upstream commit b6a545ffa2c192b1e6da4a7924edac5ba9f4ea2b ]
+
+ttag is used as an index to get cmd in nvmet_tcp_handle_h2c_data_pdu(),
+add a bounds check to avoid out-of-bounds access.
+
+Signed-off-by: Varun Prakash <varun@chelsio.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/tcp.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index a3694a32f6d5..7dcf88cde189 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -935,10 +935,17 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
+ struct nvme_tcp_data_pdu *data = &queue->pdu.data;
+ struct nvmet_tcp_cmd *cmd;
+
+- if (likely(queue->nr_cmds))
++ if (likely(queue->nr_cmds)) {
++ if (unlikely(data->ttag >= queue->nr_cmds)) {
++ pr_err("queue %d: received out of bound ttag %u, nr_cmds %u\n",
++ queue->idx, data->ttag, queue->nr_cmds);
++ nvmet_tcp_fatal_error(queue);
++ return -EPROTO;
++ }
+ cmd = &queue->cmds[data->ttag];
+- else
++ } else {
+ cmd = &queue->connect;
++ }
+
+ if (le32_to_cpu(data->data_offset) != cmd->rbytes_done) {
+ pr_err("ttag %u unexpected data offset %u (expected %u)\n",
+--
+2.35.1
+
--- /dev/null
+From 519bb84f1861d9f7dbd1316784fd3b1eed0345a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Sep 2022 14:54:58 -0700
+Subject: objtool: Preserve special st_shndx indexes in elf_update_symbol
+
+From: Sami Tolvanen <samitolvanen@google.com>
+
+[ Upstream commit 5141d3a06b2da1731ac82091298b766a1f95d3d8 ]
+
+elf_update_symbol fails to preserve the special st_shndx values
+between [SHN_LORESERVE, SHN_HIRESERVE], which results in it
+converting SHN_ABS entries into SHN_UNDEF, for example. Explicitly
+check for the special indexes and ensure these symbols are not
+marked undefined.
+
+Fixes: ead165fa1042 ("objtool: Fix symbol creation")
+Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20220908215504.3686827-17-samitolvanen@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/elf.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c
+index c25e957c1e52..7e24b09b1163 100644
+--- a/tools/objtool/elf.c
++++ b/tools/objtool/elf.c
+@@ -619,6 +619,11 @@ static int elf_update_symbol(struct elf *elf, struct section *symtab,
+ Elf64_Xword entsize = symtab->sh.sh_entsize;
+ int max_idx, idx = sym->idx;
+ Elf_Scn *s, *t = NULL;
++ bool is_special_shndx = sym->sym.st_shndx >= SHN_LORESERVE &&
++ sym->sym.st_shndx != SHN_XINDEX;
++
++ if (is_special_shndx)
++ shndx = sym->sym.st_shndx;
+
+ s = elf_getscn(elf->elf, symtab->idx);
+ if (!s) {
+@@ -704,7 +709,7 @@ static int elf_update_symbol(struct elf *elf, struct section *symtab,
+ }
+
+ /* setup extended section index magic and write the symbol */
+- if (shndx >= SHN_UNDEF && shndx < SHN_LORESERVE) {
++ if ((shndx >= SHN_UNDEF && shndx < SHN_LORESERVE) || is_special_shndx) {
+ sym->sym.st_shndx = shndx;
+ if (!shndx_data)
+ shndx = 0;
+--
+2.35.1
+
--- /dev/null
+From 1243bd3a6d9acea2e68073df77ccf0757dc84916 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Oct 2022 13:51:02 -0700
+Subject: once: add DO_ONCE_SLOW() for sleepable contexts
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 62c07983bef9d3e78e71189441e1a470f0d1e653 ]
+
+Christophe Leroy reported a ~80ms latency spike
+happening at first TCP connect() time.
+
+This is because __inet_hash_connect() uses get_random_once()
+to populate a perturbation table which became quite big
+after commit 4c2c8f03a5ab ("tcp: increase source port perturb table to 2^16")
+
+get_random_once() uses DO_ONCE(), which block hard irqs for the duration
+of the operation.
+
+This patch adds DO_ONCE_SLOW() which uses a mutex instead of a spinlock
+for operations where we prefer to stay in process context.
+
+Then __inet_hash_connect() can use get_random_slow_once()
+to populate its perturbation table.
+
+Fixes: 4c2c8f03a5ab ("tcp: increase source port perturb table to 2^16")
+Fixes: 190cc82489f4 ("tcp: change source port randomizarion at connect() time")
+Reported-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Link: https://lore.kernel.org/netdev/CANn89iLAEYBaoYajy0Y9UmGFff5GPxDUoG-ErVB2jDdRNQ5Tug@mail.gmail.com/T/#t
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willy Tarreau <w@1wt.eu>
+Tested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/once.h | 28 ++++++++++++++++++++++++++++
+ lib/once.c | 30 ++++++++++++++++++++++++++++++
+ net/ipv4/inet_hashtables.c | 4 ++--
+ 3 files changed, 60 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/once.h b/include/linux/once.h
+index b14d8b309d52..176ab75b42df 100644
+--- a/include/linux/once.h
++++ b/include/linux/once.h
+@@ -5,10 +5,18 @@
+ #include <linux/types.h>
+ #include <linux/jump_label.h>
+
++/* Helpers used from arbitrary contexts.
++ * Hard irqs are blocked, be cautious.
++ */
+ bool __do_once_start(bool *done, unsigned long *flags);
+ void __do_once_done(bool *done, struct static_key_true *once_key,
+ unsigned long *flags, struct module *mod);
+
++/* Variant for process contexts only. */
++bool __do_once_slow_start(bool *done);
++void __do_once_slow_done(bool *done, struct static_key_true *once_key,
++ struct module *mod);
++
+ /* Call a function exactly once. The idea of DO_ONCE() is to perform
+ * a function call such as initialization of random seeds, etc, only
+ * once, where DO_ONCE() can live in the fast-path. After @func has
+@@ -52,7 +60,27 @@ void __do_once_done(bool *done, struct static_key_true *once_key,
+ ___ret; \
+ })
+
++/* Variant of DO_ONCE() for process/sleepable contexts. */
++#define DO_ONCE_SLOW(func, ...) \
++ ({ \
++ bool ___ret = false; \
++ static bool __section(".data.once") ___done = false; \
++ static DEFINE_STATIC_KEY_TRUE(___once_key); \
++ if (static_branch_unlikely(&___once_key)) { \
++ ___ret = __do_once_slow_start(&___done); \
++ if (unlikely(___ret)) { \
++ func(__VA_ARGS__); \
++ __do_once_slow_done(&___done, &___once_key, \
++ THIS_MODULE); \
++ } \
++ } \
++ ___ret; \
++ })
++
+ #define get_random_once(buf, nbytes) \
+ DO_ONCE(get_random_bytes, (buf), (nbytes))
+
++#define get_random_slow_once(buf, nbytes) \
++ DO_ONCE_SLOW(get_random_bytes, (buf), (nbytes))
++
+ #endif /* _LINUX_ONCE_H */
+diff --git a/lib/once.c b/lib/once.c
+index 59149bf3bfb4..351f66aad310 100644
+--- a/lib/once.c
++++ b/lib/once.c
+@@ -66,3 +66,33 @@ void __do_once_done(bool *done, struct static_key_true *once_key,
+ once_disable_jump(once_key, mod);
+ }
+ EXPORT_SYMBOL(__do_once_done);
++
++static DEFINE_MUTEX(once_mutex);
++
++bool __do_once_slow_start(bool *done)
++ __acquires(once_mutex)
++{
++ mutex_lock(&once_mutex);
++ if (*done) {
++ mutex_unlock(&once_mutex);
++ /* Keep sparse happy by restoring an even lock count on
++ * this mutex. In case we return here, we don't call into
++ * __do_once_done but return early in the DO_ONCE_SLOW() macro.
++ */
++ __acquire(once_mutex);
++ return false;
++ }
++
++ return true;
++}
++EXPORT_SYMBOL(__do_once_slow_start);
++
++void __do_once_slow_done(bool *done, struct static_key_true *once_key,
++ struct module *mod)
++ __releases(once_mutex)
++{
++ *done = true;
++ mutex_unlock(&once_mutex);
++ once_disable_jump(once_key, mod);
++}
++EXPORT_SYMBOL(__do_once_slow_done);
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index b9d995b5ce24..f5950a7172d6 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -729,8 +729,8 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
+ if (likely(remaining > 1))
+ remaining &= ~1U;
+
+- net_get_random_once(table_perturb,
+- INET_TABLE_PERTURB_SIZE * sizeof(*table_perturb));
++ get_random_slow_once(table_perturb,
++ INET_TABLE_PERTURB_SIZE * sizeof(*table_perturb));
+ index = port_offset & (INET_TABLE_PERTURB_SIZE - 1);
+
+ offset = READ_ONCE(table_perturb[index]) + (port_offset >> 32);
+--
+2.35.1
+
--- /dev/null
+From 5eb80df706fbd840c1772eacd11f54247f890bfc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Aug 2022 11:06:34 -0400
+Subject: openvswitch: Fix double reporting of drops in dropwatch
+
+From: Mike Pattrick <mkp@redhat.com>
+
+[ Upstream commit 1100248a5c5ccd57059eb8d02ec077e839a23826 ]
+
+Frames sent to userspace can be reported as dropped in
+ovs_dp_process_packet, however, if they are dropped in the netlink code
+then netlink_attachskb will report the same frame as dropped.
+
+This patch checks for error codes which indicate that the frame has
+already been freed.
+
+Signed-off-by: Mike Pattrick <mkp@redhat.com>
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2109946
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/datapath.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
+index 6c9d153afbee..b68ba3c72519 100644
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -252,10 +252,17 @@ void ovs_dp_process_packet(struct sk_buff *skb, struct sw_flow_key *key)
+
+ upcall.mru = OVS_CB(skb)->mru;
+ error = ovs_dp_upcall(dp, skb, key, &upcall, 0);
+- if (unlikely(error))
+- kfree_skb(skb);
+- else
++ switch (error) {
++ case 0:
++ case -EAGAIN:
++ case -ERESTARTSYS:
++ case -EINTR:
+ consume_skb(skb);
++ break;
++ default:
++ kfree_skb(skb);
++ break;
++ }
+ stats_counter = &stats->n_missed;
+ goto out;
+ }
+--
+2.35.1
+
--- /dev/null
+From a989a37be16fd72e17fa51601f3aaf829470253e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Aug 2022 11:06:35 -0400
+Subject: openvswitch: Fix overreporting of drops in dropwatch
+
+From: Mike Pattrick <mkp@redhat.com>
+
+[ Upstream commit c21ab2afa2c64896a7f0e3cbc6845ec63dcfad2e ]
+
+Currently queue_userspace_packet will call kfree_skb for all frames,
+whether or not an error occurred. This can result in a single dropped
+frame being reported as multiple drops in dropwatch. This functions
+caller may also call kfree_skb in case of an error. This patch will
+consume the skbs instead and allow caller's to use kfree_skb.
+
+Signed-off-by: Mike Pattrick <mkp@redhat.com>
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2109957
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/datapath.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
+index b68ba3c72519..93c596e3b22b 100644
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -558,8 +558,9 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb,
+ out:
+ if (err)
+ skb_tx_error(skb);
+- kfree_skb(user_skb);
+- kfree_skb(nskb);
++ consume_skb(user_skb);
++ consume_skb(nskb);
++
+ return err;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 2420fabbb4e09ca542f3c29793d06dc54d1014cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 17:35:06 +0800
+Subject: phy: amlogic: phy-meson-axg-mipi-pcie-analog: Hold reference returned
+ by of_get_parent()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit c4c349be07aeec5f397a349046dc5fc0f2657691 ]
+
+As the of_get_parent() will increase the refcount of the node->parent
+and the reference will be discarded, so we should hold the reference
+with which we can decrease the refcount when done.
+
+Fixes: 8eff8b4e22d9 ("phy: amlogic: phy-meson-axg-mipi-pcie-analog: add support for MIPI DSI analog")
+Signed-off-by: Liang He <windhl@126.com>
+
+Link: https://lore.kernel.org/r/20220915093506.4009456-1-windhl@126.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/amlogic/phy-meson-axg-mipi-pcie-analog.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/phy/amlogic/phy-meson-axg-mipi-pcie-analog.c b/drivers/phy/amlogic/phy-meson-axg-mipi-pcie-analog.c
+index 1027ece6ca12..a3e1108b736d 100644
+--- a/drivers/phy/amlogic/phy-meson-axg-mipi-pcie-analog.c
++++ b/drivers/phy/amlogic/phy-meson-axg-mipi-pcie-analog.c
+@@ -197,7 +197,7 @@ static int phy_axg_mipi_pcie_analog_probe(struct platform_device *pdev)
+ struct phy_provider *phy;
+ struct device *dev = &pdev->dev;
+ struct phy_axg_mipi_pcie_analog_priv *priv;
+- struct device_node *np = dev->of_node;
++ struct device_node *np = dev->of_node, *parent_np;
+ struct regmap *map;
+ int ret;
+
+@@ -206,7 +206,9 @@ static int phy_axg_mipi_pcie_analog_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ /* Get the hhi system controller node */
+- map = syscon_node_to_regmap(of_get_parent(dev->of_node));
++ parent_np = of_get_parent(dev->of_node);
++ map = syscon_node_to_regmap(parent_np);
++ of_node_put(parent_np);
+ if (IS_ERR(map)) {
+ dev_err(dev,
+ "failed to get HHI regmap\n");
+--
+2.35.1
+
--- /dev/null
+From 2eb1445d1ff0487c819d0008f90213095e0e048c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Sep 2022 14:07:46 +0800
+Subject: phy: phy-mtk-tphy: fix the phy type setting issue
+
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+
+[ Upstream commit 931c05a8cb1be029ef2fbc1e4af313d4cb297c47 ]
+
+The PHY type is not set if the index is non zero, prepare type
+value according to the index, like as mask value.
+
+Fixes: 39099a443358 ("phy: phy-mtk-tphy: support type switch by pericfg")
+Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20220914060746.10004-7-chunfeng.yun@mediatek.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/mediatek/phy-mtk-tphy.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/phy/mediatek/phy-mtk-tphy.c b/drivers/phy/mediatek/phy-mtk-tphy.c
+index 8ee7682b8e93..bdffc21858f6 100644
+--- a/drivers/phy/mediatek/phy-mtk-tphy.c
++++ b/drivers/phy/mediatek/phy-mtk-tphy.c
+@@ -906,7 +906,7 @@ static int phy_type_syscon_get(struct mtk_phy_instance *instance,
+ static int phy_type_set(struct mtk_phy_instance *instance)
+ {
+ int type;
+- u32 mask;
++ u32 offset;
+
+ if (!instance->type_sw)
+ return 0;
+@@ -929,8 +929,9 @@ static int phy_type_set(struct mtk_phy_instance *instance)
+ return 0;
+ }
+
+- mask = RG_PHY_SW_TYPE << (instance->type_sw_index * BITS_PER_BYTE);
+- regmap_update_bits(instance->type_sw, instance->type_sw_reg, mask, type);
++ offset = instance->type_sw_index * BITS_PER_BYTE;
++ regmap_update_bits(instance->type_sw, instance->type_sw_reg,
++ RG_PHY_SW_TYPE << offset, type << offset);
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 37c5dd64e85cd31a946e205b267272fa07c55e47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 13:07:13 +0200
+Subject: phy: qcom-qmp-combo: disable runtime PM on unbind
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 4382d518d1887e62234560ea08a0203d11d28cc1 ]
+
+Make sure to disable runtime PM also on driver unbind.
+
+Fixes: ac0d239936bd ("phy: qcom-qmp: Add support for runtime PM").
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20220907110728.19092-2-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
+index 4b1828976104..bbdca263058c 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
+@@ -2537,7 +2537,9 @@ static int qcom_qmp_phy_combo_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ pm_runtime_set_active(dev);
+- pm_runtime_enable(dev);
++ ret = devm_pm_runtime_enable(dev);
++ if (ret)
++ return ret;
+ /*
+ * Prevent runtime pm from being ON by default. Users can enable
+ * it using power/control in sysfs.
+@@ -2594,13 +2596,10 @@ static int qcom_qmp_phy_combo_probe(struct platform_device *pdev)
+ phy_provider = devm_of_phy_provider_register(dev, of_phy_simple_xlate);
+ if (!IS_ERR(phy_provider))
+ dev_info(dev, "Registered Qcom-QMP phy\n");
+- else
+- pm_runtime_disable(dev);
+
+ return PTR_ERR_OR_ZERO(phy_provider);
+
+ err_node_put:
+- pm_runtime_disable(dev);
+ of_node_put(child);
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From 054adeef4adf42533f3432c3503e8554592552a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 12:23:33 +0200
+Subject: phy: qcom-qmp-combo: fix memleak on probe deferral
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 2de8a325b1084330ae500380cc27edc39f488c30 ]
+
+Switch to using the device-managed of_iomap helper to avoid leaking
+memory on probe deferral and driver unbind.
+
+Note that this helper checks for already reserved regions and may fail
+if there are multiple devices claiming the same memory.
+
+Fixes: e78f3d15e115 ("phy: qcom-qmp: new qmp phy driver for qcom-chipsets")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20220916102340.11520-5-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 32 ++++++++++++-----------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
+index bbdca263058c..f089977c85bb 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
+@@ -2350,17 +2350,17 @@ int qcom_qmp_phy_combo_create(struct device *dev, struct device_node *np, int id
+ * For dual lane PHYs: tx2 -> 3, rx2 -> 4, pcs_misc (optional) -> 5
+ * For single lane PHYs: pcs_misc (optional) -> 3.
+ */
+- qphy->tx = of_iomap(np, 0);
+- if (!qphy->tx)
+- return -ENOMEM;
++ qphy->tx = devm_of_iomap(dev, np, 0, NULL);
++ if (IS_ERR(qphy->tx))
++ return PTR_ERR(qphy->tx);
+
+- qphy->rx = of_iomap(np, 1);
+- if (!qphy->rx)
+- return -ENOMEM;
++ qphy->rx = devm_of_iomap(dev, np, 1, NULL);
++ if (IS_ERR(qphy->rx))
++ return PTR_ERR(qphy->rx);
+
+- qphy->pcs = of_iomap(np, 2);
+- if (!qphy->pcs)
+- return -ENOMEM;
++ qphy->pcs = devm_of_iomap(dev, np, 2, NULL);
++ if (IS_ERR(qphy->pcs))
++ return PTR_ERR(qphy->pcs);
+
+ if (cfg->pcs_usb_offset)
+ qphy->pcs_usb = qphy->pcs + cfg->pcs_usb_offset;
+@@ -2372,9 +2372,9 @@ int qcom_qmp_phy_combo_create(struct device *dev, struct device_node *np, int id
+ * offset from the first lane.
+ */
+ if (cfg->is_dual_lane_phy) {
+- qphy->tx2 = of_iomap(np, 3);
+- qphy->rx2 = of_iomap(np, 4);
+- if (!qphy->tx2 || !qphy->rx2) {
++ qphy->tx2 = devm_of_iomap(dev, np, 3, NULL);
++ qphy->rx2 = devm_of_iomap(dev, np, 4, NULL);
++ if (IS_ERR(qphy->tx2) || IS_ERR(qphy->rx2)) {
+ dev_warn(dev,
+ "Underspecified device tree, falling back to legacy register regions\n");
+
+@@ -2384,15 +2384,17 @@ int qcom_qmp_phy_combo_create(struct device *dev, struct device_node *np, int id
+ qphy->rx2 = qphy->rx + QMP_PHY_LEGACY_LANE_STRIDE;
+
+ } else {
+- qphy->pcs_misc = of_iomap(np, 5);
++ qphy->pcs_misc = devm_of_iomap(dev, np, 5, NULL);
+ }
+
+ } else {
+- qphy->pcs_misc = of_iomap(np, 3);
++ qphy->pcs_misc = devm_of_iomap(dev, np, 3, NULL);
+ }
+
+- if (!qphy->pcs_misc)
++ if (IS_ERR(qphy->pcs_misc)) {
+ dev_vdbg(dev, "PHY pcs_misc-reg not used\n");
++ qphy->pcs_misc = NULL;
++ }
+
+ /*
+ * Get PHY's Pipe clock, if any. USB3 and PCIe are PIPE3
+--
+2.35.1
+
--- /dev/null
+From b0679c6500ea26c60063bcf4d02b8ebfa44747de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 12:23:30 +0200
+Subject: phy: qcom-qmp-pcie: add pcs_misc sanity check
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit ecd5507e72ea03659dc2cc3e4393fbf8f4e2e02a ]
+
+Make sure that the (otherwise) optional pcs_misc IO region has been
+provided in case the configuration specifies a corresponding
+initialisation table to avoid crashing with malformed device trees.
+
+Note that the related debug message is now superfluous as the region is
+only used when the configuration has a pcs_misc table.
+
+Fixes: 421c9a0e9731 ("phy: qcom: qmp: Add SDM845 PCIe QMP PHY support")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20220916102340.11520-2-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
+index 2d65e1f56bfc..0e0f2482827a 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
+@@ -2371,8 +2371,10 @@ int qcom_qmp_phy_pcie_create(struct device *dev, struct device_node *np, int id,
+ of_device_is_compatible(dev->of_node, "qcom,ipq6018-qmp-pcie-phy"))
+ qphy->pcs_misc = qphy->pcs + 0x400;
+
+- if (!qphy->pcs_misc)
+- dev_vdbg(dev, "PHY pcs_misc-reg not used\n");
++ if (!qphy->pcs_misc) {
++ if (cfg->pcs_misc_tbl || cfg->pcs_misc_tbl_sec)
++ return -EINVAL;
++ }
+
+ snprintf(prop_name, sizeof(prop_name), "pipe%d", id);
+ qphy->pipe_clk = devm_get_clk_from_child(dev, np, prop_name);
+--
+2.35.1
+
--- /dev/null
+From 904b84de86ab00f2be7d59265d3f042ed8c16866 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 12:23:31 +0200
+Subject: phy: qcom-qmp-pcie: fix memleak on probe deferral
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 4be26f695ffa458b065b7942dbff9393bf0836ea ]
+
+Switch to using the device-managed of_iomap helper to avoid leaking
+memory on probe deferral and driver unbind.
+
+Note that this helper checks for already reserved regions and may fail
+if there are multiple devices claiming the same memory.
+
+Fixes: e78f3d15e115 ("phy: qcom-qmp: new qmp phy driver for qcom-chipsets")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20220916102340.11520-3-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 34 ++++++++++++------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
+index 0e0f2482827a..819bcd975ba4 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
+@@ -2329,17 +2329,17 @@ int qcom_qmp_phy_pcie_create(struct device *dev, struct device_node *np, int id,
+ * For dual lane PHYs: tx2 -> 3, rx2 -> 4, pcs_misc (optional) -> 5
+ * For single lane PHYs: pcs_misc (optional) -> 3.
+ */
+- qphy->tx = of_iomap(np, 0);
+- if (!qphy->tx)
+- return -ENOMEM;
++ qphy->tx = devm_of_iomap(dev, np, 0, NULL);
++ if (IS_ERR(qphy->tx))
++ return PTR_ERR(qphy->tx);
+
+- qphy->rx = of_iomap(np, 1);
+- if (!qphy->rx)
+- return -ENOMEM;
++ qphy->rx = devm_of_iomap(dev, np, 1, NULL);
++ if (IS_ERR(qphy->rx))
++ return PTR_ERR(qphy->rx);
+
+- qphy->pcs = of_iomap(np, 2);
+- if (!qphy->pcs)
+- return -ENOMEM;
++ qphy->pcs = devm_of_iomap(dev, np, 2, NULL);
++ if (IS_ERR(qphy->pcs))
++ return PTR_ERR(qphy->pcs);
+
+ /*
+ * If this is a dual-lane PHY, then there should be registers for the
+@@ -2348,9 +2348,9 @@ int qcom_qmp_phy_pcie_create(struct device *dev, struct device_node *np, int id,
+ * offset from the first lane.
+ */
+ if (cfg->is_dual_lane_phy) {
+- qphy->tx2 = of_iomap(np, 3);
+- qphy->rx2 = of_iomap(np, 4);
+- if (!qphy->tx2 || !qphy->rx2) {
++ qphy->tx2 = devm_of_iomap(dev, np, 3, NULL);
++ qphy->rx2 = devm_of_iomap(dev, np, 4, NULL);
++ if (IS_ERR(qphy->tx2) || IS_ERR(qphy->rx2)) {
+ dev_warn(dev,
+ "Underspecified device tree, falling back to legacy register regions\n");
+
+@@ -2360,20 +2360,20 @@ int qcom_qmp_phy_pcie_create(struct device *dev, struct device_node *np, int id,
+ qphy->rx2 = qphy->rx + QMP_PHY_LEGACY_LANE_STRIDE;
+
+ } else {
+- qphy->pcs_misc = of_iomap(np, 5);
++ qphy->pcs_misc = devm_of_iomap(dev, np, 5, NULL);
+ }
+
+ } else {
+- qphy->pcs_misc = of_iomap(np, 3);
++ qphy->pcs_misc = devm_of_iomap(dev, np, 3, NULL);
+ }
+
+- if (!qphy->pcs_misc &&
++ if (IS_ERR(qphy->pcs_misc) &&
+ of_device_is_compatible(dev->of_node, "qcom,ipq6018-qmp-pcie-phy"))
+ qphy->pcs_misc = qphy->pcs + 0x400;
+
+- if (!qphy->pcs_misc) {
++ if (IS_ERR(qphy->pcs_misc)) {
+ if (cfg->pcs_misc_tbl || cfg->pcs_misc_tbl_sec)
+- return -EINVAL;
++ return PTR_ERR(qphy->pcs_misc);
+ }
+
+ snprintf(prop_name, sizeof(prop_name), "pipe%d", id);
+--
+2.35.1
+
--- /dev/null
+From 87a01c97154a568e1fd26c5466d20d876ff53227 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 20:25:14 +0300
+Subject: phy: qcom-qmp-pcie: fix resource mapping for SDM845 QHP PHY
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 0a40891b83f257b25a2b983758f72f6813f361cb ]
+
+On SDM845 one of PCIe PHYs (the QHP one) has the same region for TX and
+RX registers. Since the commit 4be26f695ffa ("phy: qcom-qmp-pcie: fix
+memleak on probe deferral") added checking that resources are not
+allocated beforehand, this PHY can not be probed anymore. Fix this by
+skipping the map of ->rx resource on the QHP PHY and assign it manually.
+
+Fixes: 4be26f695ffa ("phy: qcom-qmp-pcie: fix memleak on probe deferral")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20220926172514.880776-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
+index 819bcd975ba4..0baf62d80214 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c
+@@ -2333,7 +2333,10 @@ int qcom_qmp_phy_pcie_create(struct device *dev, struct device_node *np, int id,
+ if (IS_ERR(qphy->tx))
+ return PTR_ERR(qphy->tx);
+
+- qphy->rx = devm_of_iomap(dev, np, 1, NULL);
++ if (of_device_is_compatible(dev->of_node, "qcom,sdm845-qhp-pcie-phy"))
++ qphy->rx = qphy->tx;
++ else
++ qphy->rx = devm_of_iomap(dev, np, 1, NULL);
+ if (IS_ERR(qphy->rx))
+ return PTR_ERR(qphy->rx);
+
+--
+2.35.1
+
--- /dev/null
+From a06ae0a9467f4f612888a2949003679fe7cc33e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 12:23:32 +0200
+Subject: phy: qcom-qmp-pcie-msm8996: fix memleak on probe deferral
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 1f69ededf8e80c42352e7f1c165a003614de9cc2 ]
+
+Switch to using the device-managed of_iomap helper to avoid leaking
+memory on probe deferral and driver unbind.
+
+Note that this helper checks for already reserved regions and may fail
+if there are multiple devices claiming the same memory.
+
+Fixes: e78f3d15e115 ("phy: qcom-qmp: new qmp phy driver for qcom-chipsets")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20220916102340.11520-4-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../phy/qualcomm/phy-qcom-qmp-pcie-msm8996.c | 23 +++++++++----------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-pcie-msm8996.c b/drivers/phy/qualcomm/phy-qcom-qmp-pcie-msm8996.c
+index be6a94439b6c..14ea4ae95861 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-pcie-msm8996.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-pcie-msm8996.c
+@@ -875,21 +875,20 @@ int qcom_qmp_phy_pcie_msm8996_create(struct device *dev, struct device_node *np,
+ * For dual lane PHYs: tx2 -> 3, rx2 -> 4, pcs_misc (optional) -> 5
+ * For single lane PHYs: pcs_misc (optional) -> 3.
+ */
+- qphy->tx = of_iomap(np, 0);
+- if (!qphy->tx)
+- return -ENOMEM;
+-
+- qphy->rx = of_iomap(np, 1);
+- if (!qphy->rx)
+- return -ENOMEM;
++ qphy->tx = devm_of_iomap(dev, np, 0, NULL);
++ if (IS_ERR(qphy->tx))
++ return PTR_ERR(qphy->tx);
+
+- qphy->pcs = of_iomap(np, 2);
+- if (!qphy->pcs)
+- return -ENOMEM;
++ qphy->rx = devm_of_iomap(dev, np, 1, NULL);
++ if (IS_ERR(qphy->rx))
++ return PTR_ERR(qphy->rx);
+
+- qphy->pcs_misc = of_iomap(np, 3);
++ qphy->pcs = devm_of_iomap(dev, np, 2, NULL);
++ if (IS_ERR(qphy->pcs))
++ return PTR_ERR(qphy->pcs);
+
+- if (!qphy->pcs_misc)
++ qphy->pcs_misc = devm_of_iomap(dev, np, 3, NULL);
++ if (IS_ERR(qphy->pcs_misc))
+ dev_vdbg(dev, "PHY pcs_misc-reg not used\n");
+
+ snprintf(prop_name, sizeof(prop_name), "pipe%d", id);
+--
+2.35.1
+
--- /dev/null
+From 16c0bb2a08f3574308e6a40045da6c6bc5170e1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 12:23:34 +0200
+Subject: phy: qcom-qmp-ufs: fix memleak on probe deferral
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit ef74a97f0df8758efe4476b4645961286aa86f0d ]
+
+Switch to using the device-managed of_iomap helper to avoid leaking
+memory on probe deferral and driver unbind.
+
+Note that this helper checks for already reserved regions and may fail
+if there are multiple devices claiming the same memory.
+
+Fixes: e78f3d15e115 ("phy: qcom-qmp: new qmp phy driver for qcom-chipsets")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20220916102340.11520-6-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-ufs.c | 30 ++++++++++++-------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-ufs.c b/drivers/phy/qualcomm/phy-qcom-qmp-ufs.c
+index c8583f5a54bd..f586e5260856 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-ufs.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-ufs.c
+@@ -1188,17 +1188,17 @@ int qcom_qmp_phy_ufs_create(struct device *dev, struct device_node *np, int id,
+ * For dual lane PHYs: tx2 -> 3, rx2 -> 4, pcs_misc (optional) -> 5
+ * For single lane PHYs: pcs_misc (optional) -> 3.
+ */
+- qphy->tx = of_iomap(np, 0);
+- if (!qphy->tx)
+- return -ENOMEM;
++ qphy->tx = devm_of_iomap(dev, np, 0, NULL);
++ if (IS_ERR(qphy->tx))
++ return PTR_ERR(qphy->tx);
+
+- qphy->rx = of_iomap(np, 1);
+- if (!qphy->rx)
+- return -ENOMEM;
++ qphy->rx = devm_of_iomap(dev, np, 1, NULL);
++ if (IS_ERR(qphy->rx))
++ return PTR_ERR(qphy->rx);
+
+- qphy->pcs = of_iomap(np, 2);
+- if (!qphy->pcs)
+- return -ENOMEM;
++ qphy->pcs = devm_of_iomap(dev, np, 2, NULL);
++ if (IS_ERR(qphy->pcs))
++ return PTR_ERR(qphy->pcs);
+
+ /*
+ * If this is a dual-lane PHY, then there should be registers for the
+@@ -1207,9 +1207,9 @@ int qcom_qmp_phy_ufs_create(struct device *dev, struct device_node *np, int id,
+ * offset from the first lane.
+ */
+ if (cfg->is_dual_lane_phy) {
+- qphy->tx2 = of_iomap(np, 3);
+- qphy->rx2 = of_iomap(np, 4);
+- if (!qphy->tx2 || !qphy->rx2) {
++ qphy->tx2 = devm_of_iomap(dev, np, 3, NULL);
++ qphy->rx2 = devm_of_iomap(dev, np, 4, NULL);
++ if (IS_ERR(qphy->tx2) || IS_ERR(qphy->rx2)) {
+ dev_warn(dev,
+ "Underspecified device tree, falling back to legacy register regions\n");
+
+@@ -1219,14 +1219,14 @@ int qcom_qmp_phy_ufs_create(struct device *dev, struct device_node *np, int id,
+ qphy->rx2 = qphy->rx + QMP_PHY_LEGACY_LANE_STRIDE;
+
+ } else {
+- qphy->pcs_misc = of_iomap(np, 5);
++ qphy->pcs_misc = devm_of_iomap(dev, np, 5, NULL);
+ }
+
+ } else {
+- qphy->pcs_misc = of_iomap(np, 3);
++ qphy->pcs_misc = devm_of_iomap(dev, np, 3, NULL);
+ }
+
+- if (!qphy->pcs_misc)
++ if (IS_ERR(qphy->pcs_misc))
+ dev_vdbg(dev, "PHY pcs_misc-reg not used\n");
+
+ generic_phy = devm_phy_create(dev, np, &qcom_qmp_ufs_ops);
+--
+2.35.1
+
--- /dev/null
+From fa1b8e750de7697ed9d025ef5f6ba4ec827c10a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 13:07:21 +0200
+Subject: phy: qcom-qmp-usb: disable runtime PM on unbind
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit e57655e66806750785f9121c98a962404d02395b ]
+
+Make sure to disable runtime PM also on driver unbind.
+
+Fixes: ac0d239936bd ("phy: qcom-qmp: Add support for runtime PM").
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20220907110728.19092-10-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
+index 1d270356a97f..1eb4ec576361 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
+@@ -2704,7 +2704,9 @@ static int qcom_qmp_phy_usb_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ pm_runtime_set_active(dev);
+- pm_runtime_enable(dev);
++ ret = devm_pm_runtime_enable(dev);
++ if (ret)
++ return ret;
+ /*
+ * Prevent runtime pm from being ON by default. Users can enable
+ * it using power/control in sysfs.
+@@ -2738,13 +2740,10 @@ static int qcom_qmp_phy_usb_probe(struct platform_device *pdev)
+ phy_provider = devm_of_phy_provider_register(dev, of_phy_simple_xlate);
+ if (!IS_ERR(phy_provider))
+ dev_info(dev, "Registered Qcom-QMP phy\n");
+- else
+- pm_runtime_disable(dev);
+
+ return PTR_ERR_OR_ZERO(phy_provider);
+
+ err_node_put:
+- pm_runtime_disable(dev);
+ of_node_put(child);
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From 73c530a52343ed1ac0209422c6b049e611f78561 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 13:29:23 +0200
+Subject: phy: qcom-qmp-usb: drop pipe clock lane suffix
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit c8c5d5e89ac52a462f48264863a7a32f0c76fa1d ]
+
+The pipe clock is defined in the "lane" node so there's no need to keep
+adding a redundant lane-number suffix to the clock name.
+
+Update driver to support the new binding where the pipe clock name has
+been deprecated by instead requesting the clock by index.
+
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20220830112923.3725-31-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Stable-dep-of: a5d6b1ac56cb ("phy: qcom-qmp-usb: fix memleak on probe deferral")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
+index 1eb4ec576361..9f2b6f33c2db 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
+@@ -2496,7 +2496,6 @@ int qcom_qmp_phy_usb_create(struct device *dev, struct device_node *np, int id,
+ struct qcom_qmp *qmp = dev_get_drvdata(dev);
+ struct phy *generic_phy;
+ struct qmp_phy *qphy;
+- char prop_name[MAX_PROP_NAME];
+ int ret;
+
+ qphy = devm_kzalloc(dev, sizeof(*qphy), GFP_KERNEL);
+@@ -2555,8 +2554,7 @@ int qcom_qmp_phy_usb_create(struct device *dev, struct device_node *np, int id,
+ if (!qphy->pcs_misc)
+ dev_vdbg(dev, "PHY pcs_misc-reg not used\n");
+
+- snprintf(prop_name, sizeof(prop_name), "pipe%d", id);
+- qphy->pipe_clk = devm_get_clk_from_child(dev, np, prop_name);
++ qphy->pipe_clk = devm_get_clk_from_child(dev, np, NULL);
+ if (IS_ERR(qphy->pipe_clk)) {
+ return dev_err_probe(dev, PTR_ERR(qphy->pipe_clk),
+ "failed to get lane%d pipe clock\n", id);
+--
+2.35.1
+
--- /dev/null
+From e1c35c2f2b63651158f5c4744cf3b5cc3a1a2843 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 12:23:35 +0200
+Subject: phy: qcom-qmp-usb: fix memleak on probe deferral
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit a5d6b1ac56cbd6b5850a3a54e35f1cb71e8e8cdd ]
+
+Switch to using the device-managed of_iomap helper to avoid leaking
+memory on probe deferral and driver unbind.
+
+Note that this helper checks for already reserved regions and may fail
+if there are multiple devices claiming the same memory.
+
+Two bindings currently rely on overlapping mappings for the PCS region
+so fallback to non-exclusive mappings for those for now.
+
+Fixes: e78f3d15e115 ("phy: qcom-qmp: new qmp phy driver for qcom-chipsets")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20220916102340.11520-7-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 57 ++++++++++++++++++-------
+ 1 file changed, 42 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
+index 9f2b6f33c2db..d14481a501d6 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
+@@ -2489,6 +2489,21 @@ static const struct phy_ops qcom_qmp_phy_usb_ops = {
+ .owner = THIS_MODULE,
+ };
+
++static void __iomem *qmp_usb_iomap(struct device *dev, struct device_node *np,
++ int index, bool exclusive)
++{
++ struct resource res;
++
++ if (!exclusive) {
++ if (of_address_to_resource(np, index, &res))
++ return IOMEM_ERR_PTR(-EINVAL);
++
++ return devm_ioremap(dev, res.start, resource_size(&res));
++ }
++
++ return devm_of_iomap(dev, np, index, NULL);
++}
++
+ static
+ int qcom_qmp_phy_usb_create(struct device *dev, struct device_node *np, int id,
+ void __iomem *serdes, const struct qmp_phy_cfg *cfg)
+@@ -2496,8 +2511,18 @@ int qcom_qmp_phy_usb_create(struct device *dev, struct device_node *np, int id,
+ struct qcom_qmp *qmp = dev_get_drvdata(dev);
+ struct phy *generic_phy;
+ struct qmp_phy *qphy;
++ bool exclusive = true;
+ int ret;
+
++ /*
++ * FIXME: These bindings should be fixed to not rely on overlapping
++ * mappings for PCS.
++ */
++ if (of_device_is_compatible(dev->of_node, "qcom,sdx65-qmp-usb3-uni-phy"))
++ exclusive = false;
++ if (of_device_is_compatible(dev->of_node, "qcom,sm8350-qmp-usb3-uni-phy"))
++ exclusive = false;
++
+ qphy = devm_kzalloc(dev, sizeof(*qphy), GFP_KERNEL);
+ if (!qphy)
+ return -ENOMEM;
+@@ -2510,17 +2535,17 @@ int qcom_qmp_phy_usb_create(struct device *dev, struct device_node *np, int id,
+ * For dual lane PHYs: tx2 -> 3, rx2 -> 4, pcs_misc (optional) -> 5
+ * For single lane PHYs: pcs_misc (optional) -> 3.
+ */
+- qphy->tx = of_iomap(np, 0);
+- if (!qphy->tx)
+- return -ENOMEM;
++ qphy->tx = devm_of_iomap(dev, np, 0, NULL);
++ if (IS_ERR(qphy->tx))
++ return PTR_ERR(qphy->tx);
+
+- qphy->rx = of_iomap(np, 1);
+- if (!qphy->rx)
+- return -ENOMEM;
++ qphy->rx = devm_of_iomap(dev, np, 1, NULL);
++ if (IS_ERR(qphy->rx))
++ return PTR_ERR(qphy->rx);
+
+- qphy->pcs = of_iomap(np, 2);
+- if (!qphy->pcs)
+- return -ENOMEM;
++ qphy->pcs = qmp_usb_iomap(dev, np, 2, exclusive);
++ if (IS_ERR(qphy->pcs))
++ return PTR_ERR(qphy->pcs);
+
+ if (cfg->pcs_usb_offset)
+ qphy->pcs_usb = qphy->pcs + cfg->pcs_usb_offset;
+@@ -2532,9 +2557,9 @@ int qcom_qmp_phy_usb_create(struct device *dev, struct device_node *np, int id,
+ * offset from the first lane.
+ */
+ if (cfg->is_dual_lane_phy) {
+- qphy->tx2 = of_iomap(np, 3);
+- qphy->rx2 = of_iomap(np, 4);
+- if (!qphy->tx2 || !qphy->rx2) {
++ qphy->tx2 = devm_of_iomap(dev, np, 3, NULL);
++ qphy->rx2 = devm_of_iomap(dev, np, 4, NULL);
++ if (IS_ERR(qphy->tx2) || IS_ERR(qphy->rx2)) {
+ dev_warn(dev,
+ "Underspecified device tree, falling back to legacy register regions\n");
+
+@@ -2544,15 +2569,17 @@ int qcom_qmp_phy_usb_create(struct device *dev, struct device_node *np, int id,
+ qphy->rx2 = qphy->rx + QMP_PHY_LEGACY_LANE_STRIDE;
+
+ } else {
+- qphy->pcs_misc = of_iomap(np, 5);
++ qphy->pcs_misc = devm_of_iomap(dev, np, 5, NULL);
+ }
+
+ } else {
+- qphy->pcs_misc = of_iomap(np, 3);
++ qphy->pcs_misc = devm_of_iomap(dev, np, 3, NULL);
+ }
+
+- if (!qphy->pcs_misc)
++ if (IS_ERR(qphy->pcs_misc)) {
+ dev_vdbg(dev, "PHY pcs_misc-reg not used\n");
++ qphy->pcs_misc = NULL;
++ }
+
+ qphy->pipe_clk = devm_get_clk_from_child(dev, np, NULL);
+ if (IS_ERR(qphy->pipe_clk)) {
+--
+2.35.1
+
--- /dev/null
+From 3470bc3303710592e5428c3c5f2945b592a1fb45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Sep 2022 13:13:33 +0800
+Subject: phy: qualcomm: call clk_disable_unprepare in the error handling
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit c3966ced8eb8dc53b6c8d7f97d32cc8a2107d83e ]
+
+Smatch reports the following error:
+
+drivers/phy/qualcomm/phy-qcom-usb-hsic.c:82 qcom_usb_hsic_phy_power_on()
+warn: 'uphy->cal_clk' from clk_prepare_enable() not released on lines:
+58.
+drivers/phy/qualcomm/phy-qcom-usb-hsic.c:82 qcom_usb_hsic_phy_power_on()
+warn: 'uphy->cal_sleep_clk' from clk_prepare_enable() not released on
+lines: 58.
+drivers/phy/qualcomm/phy-qcom-usb-hsic.c:82 qcom_usb_hsic_phy_power_on()
+warn: 'uphy->phy_clk' from clk_prepare_enable() not released on lines:
+58.
+
+Fix this by calling proper clk_disable_unprepare calls.
+
+Fixes: 0b56e9a7e835 ("phy: Group vendor specific phy drivers")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20220914051334.69282-1-dzm91@hust.edu.cn
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-usb-hsic.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-usb-hsic.c b/drivers/phy/qualcomm/phy-qcom-usb-hsic.c
+index 716a77748ed8..20f6dd37c7c1 100644
+--- a/drivers/phy/qualcomm/phy-qcom-usb-hsic.c
++++ b/drivers/phy/qualcomm/phy-qcom-usb-hsic.c
+@@ -54,8 +54,10 @@ static int qcom_usb_hsic_phy_power_on(struct phy *phy)
+
+ /* Configure pins for HSIC functionality */
+ pins_default = pinctrl_lookup_state(uphy->pctl, PINCTRL_STATE_DEFAULT);
+- if (IS_ERR(pins_default))
+- return PTR_ERR(pins_default);
++ if (IS_ERR(pins_default)) {
++ ret = PTR_ERR(pins_default);
++ goto err_ulpi;
++ }
+
+ ret = pinctrl_select_state(uphy->pctl, pins_default);
+ if (ret)
+--
+2.35.1
+
--- /dev/null
+From 3330886c2775c9fe43a41bd793b4775bc5f4af81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 14:45:42 -0400
+Subject: phy: rockchip-inno-usb2: Return zero after otg sync
+
+From: Peter Geis <pgwipeout@gmail.com>
+
+[ Upstream commit f340ed8664a55a467850ec1689996e63d9ee971a ]
+
+The otg sync state patch reuses the ret variable, but fails to set it to
+zero after use. This leads to a situation when the otg port is in
+peripheral mode where the otg phy aborts halfway through setup. It also
+fails to account for a failure to register the extcon notifier. Fix this
+by using our own variable and skipping otg sync in case of failure.
+
+Fixes: 8dc60f8da22f ("phy: rockchip-inno-usb2: Sync initial otg state")
+Reported-by: Markus Reichl <m.reichl@fivetechno.de>
+Reported-by: Michael Riesch <michael.riesch@wolfvision.net>
+Signed-off-by: Peter Geis <pgwipeout@gmail.com>
+Tested-by: Michael Riesch <michael.riesch@wolfvision.net>
+Tested-by: Markus Reichl <m.reichl@fivetechno.de>
+Reviewed-by: Samuel Holland <samuel@sholland.org>
+Link: https://lore.kernel.org/r/20220902184543.1234835-1-pgwipeout@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
+index 0b1e9337ee8e..e6ededc51523 100644
+--- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
++++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
+@@ -1124,7 +1124,7 @@ static int rockchip_usb2phy_otg_port_init(struct rockchip_usb2phy *rphy,
+ struct rockchip_usb2phy_port *rport,
+ struct device_node *child_np)
+ {
+- int ret;
++ int ret, id;
+
+ rport->port_id = USB2PHY_PORT_OTG;
+ rport->port_cfg = &rphy->phy_cfg->port_cfgs[USB2PHY_PORT_OTG];
+@@ -1162,13 +1162,15 @@ static int rockchip_usb2phy_otg_port_init(struct rockchip_usb2phy *rphy,
+
+ ret = devm_extcon_register_notifier(rphy->dev, rphy->edev,
+ EXTCON_USB_HOST, &rport->event_nb);
+- if (ret)
++ if (ret) {
+ dev_err(rphy->dev, "register USB HOST notifier failed\n");
++ goto out;
++ }
+
+ if (!of_property_read_bool(rphy->dev->of_node, "extcon")) {
+ /* do initial sync of usb state */
+- ret = property_enabled(rphy->grf, &rport->port_cfg->utmi_id);
+- extcon_set_state_sync(rphy->edev, EXTCON_USB_HOST, !ret);
++ id = property_enabled(rphy->grf, &rport->port_cfg->utmi_id);
++ extcon_set_state_sync(rphy->edev, EXTCON_USB_HOST, !id);
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From f3a3e583aed892490e99a724415bf34765986e3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 20:49:54 +0000
+Subject: platform/chrome: cros_ec: Notify the PM of wake events during resume
+
+From: Jameson Thies <jthies@google.com>
+
+[ Upstream commit 8edd2752b0aa498b3a61f3caee8f79f7e0567fad ]
+
+cros_ec_handle_event in the cros_ec driver can notify the PM of wake
+events. When a device is suspended, cros_ec_handle_event will not check
+MKBP events. Instead, received MKBP events are checked during resume by
+cros_ec_report_events_during_suspend. But
+cros_ec_report_events_during_suspend cannot notify the PM if received
+events are wake events, causing wake events to not be reported if
+received while the device is suspended.
+
+Update cros_ec_report_events_during_suspend to notify the PM of wake
+events during resume by calling pm_wakeup_event.
+
+Signed-off-by: Jameson Thies <jthies@google.com>
+Reviewed-by: Prashant Malani <pmalani@chromium.org>
+Reviewed-by: Benson Leung <bleung@chromium.org>
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://lore.kernel.org/r/20220913204954.2931042-1-jthies@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/chrome/cros_ec.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/chrome/cros_ec.c b/drivers/platform/chrome/cros_ec.c
+index 8aace50d446d..110df0fd4b00 100644
+--- a/drivers/platform/chrome/cros_ec.c
++++ b/drivers/platform/chrome/cros_ec.c
+@@ -349,10 +349,16 @@ EXPORT_SYMBOL(cros_ec_suspend);
+
+ static void cros_ec_report_events_during_suspend(struct cros_ec_device *ec_dev)
+ {
++ bool wake_event;
++
+ while (ec_dev->mkbp_event_supported &&
+- cros_ec_get_next_event(ec_dev, NULL, NULL) > 0)
++ cros_ec_get_next_event(ec_dev, &wake_event, NULL) > 0) {
+ blocking_notifier_call_chain(&ec_dev->event_notifier,
+ 1, ec_dev);
++
++ if (wake_event && device_may_wakeup(ec_dev->dev))
++ pm_wakeup_event(ec_dev->dev, 0);
++ }
+ }
+
+ /**
+--
+2.35.1
+
--- /dev/null
+From 057befb2d9d9ecc9e296193e4a03a0f399bfc1c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Aug 2022 19:08:02 +0000
+Subject: platform/chrome: cros_ec_typec: Add bit offset for DP VDO
+
+From: Prashant Malani <pmalani@chromium.org>
+
+[ Upstream commit 1903adae0464c1e1c36b132db474cb3aff7bc727 ]
+
+Use the right macro while constructing the DP_PORT_VDO to ensure the Pin
+Assignment offsets are correct.
+
+Fixes: 1ff5d97f070c ("platform/chrome: cros_ec_typec: Register port altmodes")
+Signed-off-by: Prashant Malani <pmalani@chromium.org>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://lore.kernel.org/r/20220819190807.1275937-2-pmalani@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/chrome/cros_ec_typec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c
+index de6ee0f926a6..4d81d8d45b73 100644
+--- a/drivers/platform/chrome/cros_ec_typec.c
++++ b/drivers/platform/chrome/cros_ec_typec.c
+@@ -25,7 +25,8 @@
+
+ #define DRV_NAME "cros-ec-typec"
+
+-#define DP_PORT_VDO (BIT(DP_PIN_ASSIGN_C) | BIT(DP_PIN_ASSIGN_D) | DP_CAP_DFP_D)
++#define DP_PORT_VDO (DP_CONF_SET_PIN_ASSIGN(BIT(DP_PIN_ASSIGN_C) | BIT(DP_PIN_ASSIGN_D)) | \
++ DP_CAP_DFP_D)
+
+ /* Supported alt modes. */
+ enum {
+--
+2.35.1
+
--- /dev/null
+From 1e4b6da45af5c301f1465f360a4a00b9f1647b72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Aug 2022 19:08:03 +0000
+Subject: platform/chrome: cros_ec_typec: Correct alt mode index
+
+From: Prashant Malani <pmalani@chromium.org>
+
+[ Upstream commit 4e477663e396f48c5cfc5f2d75d4b514f409516a ]
+
+Alt mode indices used by USB PD (Power Delivery) start with 1, not 0.
+
+Update the alt mdoe registration code to factor this in to the alt mode
+descriptor.
+
+Fixes: de0f49487db3 ("platform/chrome: cros_ec_typec: Register partner altmodes")
+Signed-off-by: Prashant Malani <pmalani@chromium.org>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://lore.kernel.org/r/20220819190807.1275937-3-pmalani@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/chrome/cros_ec_typec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c
+index 4d81d8d45b73..dc5722db2066 100644
+--- a/drivers/platform/chrome/cros_ec_typec.c
++++ b/drivers/platform/chrome/cros_ec_typec.c
+@@ -698,7 +698,7 @@ static int cros_typec_register_altmodes(struct cros_typec_data *typec, int port_
+ for (j = 0; j < sop_disc->svids[i].mode_count; j++) {
+ memset(&desc, 0, sizeof(desc));
+ desc.svid = sop_disc->svids[i].svid;
+- desc.mode = j;
++ desc.mode = j + 1;
+ desc.vdo = sop_disc->svids[i].mode_vdo[j];
+
+ if (is_partner)
+--
+2.35.1
+
--- /dev/null
+From 6f715e58a37f994f72170c631b65b0c01551c792 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Aug 2022 01:08:43 +0300
+Subject: platform/chrome: fix double-free in chromeos_laptop_prepare()
+
+From: Rustam Subkhankulov <subkhankulov@ispras.ru>
+
+[ Upstream commit 6ad4194d6a1e1d11b285989cd648ef695b4a93c0 ]
+
+If chromeos_laptop_prepare_i2c_peripherals() fails after allocating memory
+for 'cros_laptop->i2c_peripherals', this memory is freed at 'err_out' label
+and nonzero value is returned. Then chromeos_laptop_destroy() is called,
+resulting in double-free error.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Rustam Subkhankulov <subkhankulov@ispras.ru>
+Fixes: 5020cd29d8bf ("platform/chrome: chromeos_laptop - supply properties for ACPI devices")
+Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://lore.kernel.org/r/20220813220843.2373004-1-subkhankulov@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/chrome/chromeos_laptop.c | 24 ++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/platform/chrome/chromeos_laptop.c b/drivers/platform/chrome/chromeos_laptop.c
+index 4e14b4d6635d..a2cdbfbaeae6 100644
+--- a/drivers/platform/chrome/chromeos_laptop.c
++++ b/drivers/platform/chrome/chromeos_laptop.c
+@@ -740,6 +740,7 @@ static int __init
+ chromeos_laptop_prepare_i2c_peripherals(struct chromeos_laptop *cros_laptop,
+ const struct chromeos_laptop *src)
+ {
++ struct i2c_peripheral *i2c_peripherals;
+ struct i2c_peripheral *i2c_dev;
+ struct i2c_board_info *info;
+ int i;
+@@ -748,17 +749,15 @@ chromeos_laptop_prepare_i2c_peripherals(struct chromeos_laptop *cros_laptop,
+ if (!src->num_i2c_peripherals)
+ return 0;
+
+- cros_laptop->i2c_peripherals = kmemdup(src->i2c_peripherals,
+- src->num_i2c_peripherals *
+- sizeof(*src->i2c_peripherals),
+- GFP_KERNEL);
+- if (!cros_laptop->i2c_peripherals)
++ i2c_peripherals = kmemdup(src->i2c_peripherals,
++ src->num_i2c_peripherals *
++ sizeof(*src->i2c_peripherals),
++ GFP_KERNEL);
++ if (!i2c_peripherals)
+ return -ENOMEM;
+
+- cros_laptop->num_i2c_peripherals = src->num_i2c_peripherals;
+-
+- for (i = 0; i < cros_laptop->num_i2c_peripherals; i++) {
+- i2c_dev = &cros_laptop->i2c_peripherals[i];
++ for (i = 0; i < src->num_i2c_peripherals; i++) {
++ i2c_dev = &i2c_peripherals[i];
+ info = &i2c_dev->board_info;
+
+ error = chromeos_laptop_setup_irq(i2c_dev);
+@@ -775,16 +774,19 @@ chromeos_laptop_prepare_i2c_peripherals(struct chromeos_laptop *cros_laptop,
+ }
+ }
+
++ cros_laptop->i2c_peripherals = i2c_peripherals;
++ cros_laptop->num_i2c_peripherals = src->num_i2c_peripherals;
++
+ return 0;
+
+ err_out:
+ while (--i >= 0) {
+- i2c_dev = &cros_laptop->i2c_peripherals[i];
++ i2c_dev = &i2c_peripherals[i];
+ info = &i2c_dev->board_info;
+ if (!IS_ERR_OR_NULL(info->fwnode))
+ fwnode_remove_software_node(info->fwnode);
+ }
+- kfree(cros_laptop->i2c_peripherals);
++ kfree(i2c_peripherals);
+ return error;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 30f64c441b7fdc11671b0c20a3ff899cc35f5ba7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Aug 2022 08:20:36 +0300
+Subject: platform/chrome: fix memory corruption in ioctl
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 8a07b45fd3c2dda24fad43639be5335a4595196a ]
+
+If "s_mem.bytes" is larger than the buffer size it leads to memory
+corruption.
+
+Fixes: eda2e30c6684 ("mfd / platform: cros_ec: Miscellaneous character device to talk with the EC")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://lore.kernel.org/r/Yv8dpCFZJdbUT5ye@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/chrome/cros_ec_chardev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/platform/chrome/cros_ec_chardev.c b/drivers/platform/chrome/cros_ec_chardev.c
+index fd33de546aee..0de7c255254e 100644
+--- a/drivers/platform/chrome/cros_ec_chardev.c
++++ b/drivers/platform/chrome/cros_ec_chardev.c
+@@ -327,6 +327,9 @@ static long cros_ec_chardev_ioctl_readmem(struct cros_ec_dev *ec,
+ if (copy_from_user(&s_mem, arg, sizeof(s_mem)))
+ return -EFAULT;
+
++ if (s_mem.bytes > sizeof(s_mem.buffer))
++ return -EINVAL;
++
+ num = ec_dev->cmd_readmem(ec_dev, s_mem.offset, s_mem.bytes,
+ s_mem.buffer);
+ if (num <= 0)
+--
+2.35.1
+
--- /dev/null
+From f27d19d70c04728fe1717525173b18f20c8f762d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 14:26:03 -0500
+Subject: platform/x86: hp-wmi: Setting thermal profile fails with 0x06
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jorge Lopez <jorge.lopez2@hp.com>
+
+[ Upstream commit 00b1829294b7c88ecba92c661fbe6fe347b364d2 ]
+
+Error 0x06 (invalid command parameter) is reported by hp-wmi module
+when reading the current thermal profile and then proceed to set it
+back. The failing condition occurs in Linux NixOS after user
+configures the thermal profile to ‘quiet mode’ in Windows. Quiet Fan
+Mode is supported in Windows but was not supported in hp-wmi module.
+
+This fix adds support for PLATFORM_PROFILE_QUIET in hp-wmi module for
+HP notebooks other than HP Omen series. Quiet thermal profile is not
+supported in HP Omen series notebooks.
+
+Signed-off-by: Jorge Lopez <jorge.lopez2@hp.com>
+Link: https://lore.kernel.org/r/20220912192603.4001-1-jorge.lopez2@hp.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/hp-wmi.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c
+index bc7020e9df9e..fc8dbbd6fc7c 100644
+--- a/drivers/platform/x86/hp-wmi.c
++++ b/drivers/platform/x86/hp-wmi.c
+@@ -177,7 +177,8 @@ enum hp_thermal_profile_omen_v1 {
+ enum hp_thermal_profile {
+ HP_THERMAL_PROFILE_PERFORMANCE = 0x00,
+ HP_THERMAL_PROFILE_DEFAULT = 0x01,
+- HP_THERMAL_PROFILE_COOL = 0x02
++ HP_THERMAL_PROFILE_COOL = 0x02,
++ HP_THERMAL_PROFILE_QUIET = 0x03,
+ };
+
+ #define IS_HWBLOCKED(x) ((x & HPWMI_POWER_FW_OR_HW) != HPWMI_POWER_FW_OR_HW)
+@@ -1194,6 +1195,9 @@ static int hp_wmi_platform_profile_get(struct platform_profile_handler *pprof,
+ case HP_THERMAL_PROFILE_COOL:
+ *profile = PLATFORM_PROFILE_COOL;
+ break;
++ case HP_THERMAL_PROFILE_QUIET:
++ *profile = PLATFORM_PROFILE_QUIET;
++ break;
+ default:
+ return -EINVAL;
+ }
+@@ -1216,6 +1220,9 @@ static int hp_wmi_platform_profile_set(struct platform_profile_handler *pprof,
+ case PLATFORM_PROFILE_COOL:
+ tp = HP_THERMAL_PROFILE_COOL;
+ break;
++ case PLATFORM_PROFILE_QUIET:
++ tp = HP_THERMAL_PROFILE_QUIET;
++ break;
+ default:
+ return -EOPNOTSUPP;
+ }
+@@ -1263,6 +1270,8 @@ static int thermal_profile_setup(void)
+
+ platform_profile_handler.profile_get = hp_wmi_platform_profile_get;
+ platform_profile_handler.profile_set = hp_wmi_platform_profile_set;
++
++ set_bit(PLATFORM_PROFILE_QUIET, platform_profile_handler.choices);
+ }
+
+ set_bit(PLATFORM_PROFILE_COOL, platform_profile_handler.choices);
+--
+2.35.1
+
--- /dev/null
+From 7132bb9907c654084b1f32be3bf834b8ae071374 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Sep 2022 23:04:07 +0200
+Subject: platform/x86: msi-laptop: Change DMI match / alias strings to fix
+ module autoloading
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 2a2565272a3628e45d61625e36ef17af7af4e3de ]
+
+On a MSI S270 with Fedora 37 x86_64 / systemd-251.4 the module does not
+properly autoload.
+
+This is likely caused by issues with how systemd-udevd handles the single
+quote char (') which is part of the sys_vendor / chassis_vendor strings
+on this laptop. As a workaround remove the single quote char + everything
+behind it from the sys_vendor + chassis_vendor matches. This fixes
+the module not autoloading.
+
+Link: https://github.com/systemd/systemd/issues/24715
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20220917210407.647432-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/msi-laptop.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
+index 3e935303b143..0e804b6c2d24 100644
+--- a/drivers/platform/x86/msi-laptop.c
++++ b/drivers/platform/x86/msi-laptop.c
+@@ -596,11 +596,10 @@ static const struct dmi_system_id msi_dmi_table[] __initconst = {
+ {
+ .ident = "MSI S270",
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "MICRO-STAR INT'L CO.,LTD"),
++ DMI_MATCH(DMI_SYS_VENDOR, "MICRO-STAR INT"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "MS-1013"),
+ DMI_MATCH(DMI_PRODUCT_VERSION, "0131"),
+- DMI_MATCH(DMI_CHASSIS_VENDOR,
+- "MICRO-STAR INT'L CO.,LTD")
++ DMI_MATCH(DMI_CHASSIS_VENDOR, "MICRO-STAR INT")
+ },
+ .driver_data = &quirk_old_ec_model,
+ .callback = dmi_check_cb
+@@ -633,8 +632,7 @@ static const struct dmi_system_id msi_dmi_table[] __initconst = {
+ DMI_MATCH(DMI_SYS_VENDOR, "NOTEBOOK"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "SAM2000"),
+ DMI_MATCH(DMI_PRODUCT_VERSION, "0131"),
+- DMI_MATCH(DMI_CHASSIS_VENDOR,
+- "MICRO-STAR INT'L CO.,LTD")
++ DMI_MATCH(DMI_CHASSIS_VENDOR, "MICRO-STAR INT")
+ },
+ .driver_data = &quirk_old_ec_model,
+ .callback = dmi_check_cb
+--
+2.35.1
+
--- /dev/null
+From ab4b36e9438cb3092d8093e0af2254224afdaae2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 16:13:34 +0200
+Subject: platform/x86: msi-laptop: Fix old-ec check for backlight registering
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 83ac7a1c2ed5f17caa07cbbc84bad3c05dc3bf22 ]
+
+Commit 2cc6c717799f ("msi-laptop: Port to new backlight interface
+selection API") replaced this check:
+
+ if (!quirks->old_ec_model || acpi_video_backlight_support())
+ pr_info("Brightness ignored, ...");
+ else
+ do_register();
+
+With:
+
+ if (quirks->old_ec_model ||
+ acpi_video_get_backlight_type() == acpi_backlight_vendor)
+ do_register();
+
+But since the do_register() part was part of the else branch, the entire
+condition should be inverted. So not only the 2 statements on either
+side of the || should be inverted, but the || itself should be replaced
+with a &&.
+
+In practice this has likely not been an issue because the new-ec models
+(old_ec_model==false) likely all support ACPI video backlight control,
+making acpi_video_get_backlight_type() return acpi_backlight_video
+turning the second part of the || also false when old_ec_model == false.
+
+Fixes: 2cc6c717799f ("msi-laptop: Port to new backlight interface selection API")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20220825141336.208597-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/msi-laptop.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
+index 24ffc8e2d2d1..0960205ee49f 100644
+--- a/drivers/platform/x86/msi-laptop.c
++++ b/drivers/platform/x86/msi-laptop.c
+@@ -1048,8 +1048,7 @@ static int __init msi_init(void)
+ return -EINVAL;
+
+ /* Register backlight stuff */
+-
+- if (quirks->old_ec_model ||
++ if (quirks->old_ec_model &&
+ acpi_video_get_backlight_type() == acpi_backlight_vendor) {
+ struct backlight_properties props;
+ memset(&props, 0, sizeof(struct backlight_properties));
+--
+2.35.1
+
--- /dev/null
+From 989c12a00436de01f9bf52d0dd27b77007622dac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 16:13:36 +0200
+Subject: platform/x86: msi-laptop: Fix resource cleanup
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 5523632aa10f906dfe2eb714ee748590dc7fc6b1 ]
+
+Fix the input-device not getting free-ed on probe-errors and
+fix the msi_touchpad_dwork not getting cancelled on neither
+probe-errors nor on remove.
+
+Fixes: 143a4c0284dc ("msi-laptop: send out touchpad on/off key")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20220825141336.208597-3-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/msi-laptop.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
+index 0960205ee49f..3e935303b143 100644
+--- a/drivers/platform/x86/msi-laptop.c
++++ b/drivers/platform/x86/msi-laptop.c
+@@ -1116,6 +1116,8 @@ static int __init msi_init(void)
+ fail_create_group:
+ if (quirks->load_scm_model) {
+ i8042_remove_filter(msi_laptop_i8042_filter);
++ cancel_delayed_work_sync(&msi_touchpad_dwork);
++ input_unregister_device(msi_laptop_input_dev);
+ cancel_delayed_work_sync(&msi_rfkill_dwork);
+ cancel_work_sync(&msi_rfkill_work);
+ rfkill_cleanup();
+@@ -1136,6 +1138,7 @@ static void __exit msi_cleanup(void)
+ {
+ if (quirks->load_scm_model) {
+ i8042_remove_filter(msi_laptop_i8042_filter);
++ cancel_delayed_work_sync(&msi_touchpad_dwork);
+ input_unregister_device(msi_laptop_input_dev);
+ cancel_delayed_work_sync(&msi_rfkill_dwork);
+ cancel_work_sync(&msi_rfkill_work);
+--
+2.35.1
+
--- /dev/null
+From 9a7cf59e582ca5e1e1d7a0e7e3f1a385e75dc4e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Aug 2022 14:37:32 +0300
+Subject: platform/x86: pmc_atom: Improve quirk message to be less cryptic
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 32c9b75640aeb1b144f9e2963c1640f4cef7c6f2 ]
+
+Not everyone can get what "critclks" means in the message, improve
+it to make less cryptic.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20220801113734.36131-2-andriy.shevchenko@linux.intel.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/pmc_atom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c
+index 5c757c7f64de..f4046572a9fe 100644
+--- a/drivers/platform/x86/pmc_atom.c
++++ b/drivers/platform/x86/pmc_atom.c
+@@ -354,7 +354,7 @@ static bool pmc_clk_is_critical = true;
+
+ static int dmi_callback(const struct dmi_system_id *d)
+ {
+- pr_info("%s critclks quirk enabled\n", d->ident);
++ pr_info("%s: PMC critical clocks quirk enabled\n", d->ident);
+
+ return 1;
+ }
+--
+2.35.1
+
--- /dev/null
+From 35b63b7d8f3e3f3cee9b5bdce7473e9b1f7fe8e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Aug 2022 07:32:23 +0000
+Subject: power: supply: adp5061: fix out-of-bounds read in
+ adp5061_get_chg_type()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 9d47e01b9d807808224347935562f7043a358054 ]
+
+ADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length
+of 8, but adp5061_chg_type array size is 4, may end up reading 4 elements
+beyond the end of the adp5061_chg_type[] array.
+
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Michael Hennerich <michael.hennerich@analog.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/adp5061.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/power/supply/adp5061.c b/drivers/power/supply/adp5061.c
+index 003557043ab3..daee1161c305 100644
+--- a/drivers/power/supply/adp5061.c
++++ b/drivers/power/supply/adp5061.c
+@@ -427,11 +427,11 @@ static int adp5061_get_chg_type(struct adp5061_state *st,
+ if (ret < 0)
+ return ret;
+
+- chg_type = adp5061_chg_type[ADP5061_CHG_STATUS_1_CHG_STATUS(status1)];
+- if (chg_type > ADP5061_CHG_FAST_CV)
++ chg_type = ADP5061_CHG_STATUS_1_CHG_STATUS(status1);
++ if (chg_type >= ARRAY_SIZE(adp5061_chg_type))
+ val->intval = POWER_SUPPLY_STATUS_UNKNOWN;
+ else
+- val->intval = chg_type;
++ val->intval = adp5061_chg_type[chg_type];
+
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From 0a5c2fa3a734cf21a4c8b93aca248ea1db02ba1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 14:08:26 +0800
+Subject: powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue
+
+From: Chao Qin <chao.qin@intel.com>
+
+[ Upstream commit 2d93540014387d1c73b9ccc4d7895320df66d01b ]
+
+When value < time_unit, the parameter of ilog2() will be zero and
+the return value is -1. u64(-1) is too large for shift exponent
+and then will trigger shift-out-of-bounds:
+
+shift exponent 18446744073709551615 is too large for 32-bit type 'int'
+Call Trace:
+ rapl_compute_time_window_core
+ rapl_write_data_raw
+ set_time_window
+ store_constraint_time_window_us
+
+Signed-off-by: Chao Qin <chao.qin@intel.com>
+Acked-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/powercap/intel_rapl_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/powercap/intel_rapl_common.c b/drivers/powercap/intel_rapl_common.c
+index a2a2f4351463..33a3ca35cda0 100644
+--- a/drivers/powercap/intel_rapl_common.c
++++ b/drivers/powercap/intel_rapl_common.c
+@@ -994,6 +994,9 @@ static u64 rapl_compute_time_window_core(struct rapl_package *rp, u64 value,
+ y = value & 0x1f;
+ value = (1 << y) * (4 + f) * rp->time_unit / 4;
+ } else {
++ if (value < rp->time_unit)
++ return 0;
++
+ do_div(value, rp->time_unit);
+ y = ilog2(value);
+ f = div64_u64(4 * (value - (1 << y)), 1 << y);
+--
+2.35.1
+
--- /dev/null
+From 33d326eb676d9a518f7981f765a8a12914a799d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 15:42:59 +1000
+Subject: powerpc/64/interrupt: Fix false warning in context tracking due to
+ idle state
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit 56adbb7a8b6cc7fc9b940829c38494e53c9e57d1 ]
+
+Commit 171476775d32 ("context_tracking: Convert state to atomic_t")
+added a CONTEXT_IDLE state which can be encountered by interrupts from
+kernel mode in the idle thread, causing a false positive warning.
+
+Fixes: 171476775d32 ("context_tracking: Convert state to atomic_t")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220926054305.2671436-2-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/interrupt.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/include/asm/interrupt.h b/arch/powerpc/include/asm/interrupt.h
+index 8069dbc4b8d1..b61555e30c7c 100644
+--- a/arch/powerpc/include/asm/interrupt.h
++++ b/arch/powerpc/include/asm/interrupt.h
+@@ -195,7 +195,8 @@ static inline void interrupt_enter_prepare(struct pt_regs *regs)
+ * so avoid recursion.
+ */
+ if (TRAP(regs) != INTERRUPT_PROGRAM) {
+- CT_WARN_ON(ct_state() != CONTEXT_KERNEL);
++ CT_WARN_ON(ct_state() != CONTEXT_KERNEL &&
++ ct_state() != CONTEXT_IDLE);
+ if (IS_ENABLED(CONFIG_PPC_IRQ_SOFT_MASK_DEBUG))
+ BUG_ON(is_implicit_soft_masked(regs));
+ }
+--
+2.35.1
+
--- /dev/null
+From efd9acb480290f3c06755909815e3ca47c79427e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 15:43:01 +1000
+Subject: powerpc/64/interrupt: Fix return to masked context after hard-mask
+ irq becomes pending
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit e485f6c751e0a969327336c635ca602feea117f0 ]
+
+If a synchronous interrupt (e.g., hash fault) is taken inside an
+irqs-disabled region which has MSR[EE]=1, then an asynchronous interrupt
+that is PACA_IRQ_MUST_HARD_MASK (e.g., PMI) is taken inside the
+synchronous interrupt handler, then the synchronous interrupt will
+return with MSR[EE]=1 and the asynchronous interrupt fires again.
+
+If the asynchronous interrupt is a PMI and the original context does not
+have PMIs disabled (only Linux IRQs), the asynchronous interrupt will
+fire despite having the PMI marked soft pending. This can confuse the
+perf code and cause warnings.
+
+This patch changes the interrupt return so that irqs-disabled MSR[EE]=1
+contexts will be returned to with MSR[EE]=0 if a PACA_IRQ_MUST_HARD_MASK
+interrupt has become pending in the meantime.
+
+The longer explanation for what happens:
+1. local_irq_disable()
+2. Hash fault interrupt fires, do_hash_fault handler runs
+3. interrupt_enter_prepare() sets IRQS_ALL_DISABLED
+4. interrupt_enter_prepare() sets MSR[EE]=1
+5. PMU interrupt fires, masked handler runs
+6. Masked handler marks PMI pending
+7. Masked handler returns with PACA_IRQ_HARD_DIS set, MSR[EE]=0
+8. do_hash_fault interrupt return handler runs
+9. interrupt_exit_kernel_prepare() clears PACA_IRQ_HARD_DIS
+10. interrupt returns with MSR[EE]=1
+11. PMU interrupt fires, perf handler runs
+
+Fixes: 4423eb5ae32e ("powerpc/64/interrupt: make normal synchronous interrupts enable MSR[EE] if possible")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220926054305.2671436-4-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/interrupt.c | 10 ---------
+ arch/powerpc/kernel/interrupt_64.S | 34 +++++++++++++++++++++++++++---
+ 2 files changed, 31 insertions(+), 13 deletions(-)
+
+diff --git a/arch/powerpc/kernel/interrupt.c b/arch/powerpc/kernel/interrupt.c
+index 0e75cb03244a..f9db0a172401 100644
+--- a/arch/powerpc/kernel/interrupt.c
++++ b/arch/powerpc/kernel/interrupt.c
+@@ -431,16 +431,6 @@ notrace unsigned long interrupt_exit_kernel_prepare(struct pt_regs *regs)
+
+ if (unlikely(stack_store))
+ __hard_EE_RI_disable();
+- /*
+- * Returning to a kernel context with local irqs disabled.
+- * Here, if EE was enabled in the interrupted context, enable
+- * it on return as well. A problem exists here where a soft
+- * masked interrupt may have cleared MSR[EE] and set HARD_DIS
+- * here, and it will still exist on return to the caller. This
+- * will be resolved by the masked interrupt firing again.
+- */
+- if (regs->msr & MSR_EE)
+- local_paca->irq_happened &= ~PACA_IRQ_HARD_DIS;
+ #endif /* CONFIG_PPC64 */
+ }
+
+diff --git a/arch/powerpc/kernel/interrupt_64.S b/arch/powerpc/kernel/interrupt_64.S
+index ce25b28cf418..d76376ce7291 100644
+--- a/arch/powerpc/kernel/interrupt_64.S
++++ b/arch/powerpc/kernel/interrupt_64.S
+@@ -559,15 +559,43 @@ _ASM_NOKPROBE_SYMBOL(interrupt_return_\srr\()_kernel)
+ ld r11,SOFTE(r1)
+ cmpwi r11,IRQS_ENABLED
+ stb r11,PACAIRQSOFTMASK(r13)
+- bne 1f
++ beq .Linterrupt_return_\srr\()_soft_enabled
++
++ /*
++ * Returning to soft-disabled context.
++ * Check if a MUST_HARD_MASK interrupt has become pending, in which
++ * case we need to disable MSR[EE] in the return context.
++ */
++ ld r12,_MSR(r1)
++ andi. r10,r12,MSR_EE
++ beq .Lfast_kernel_interrupt_return_\srr\() // EE already disabled
++ lbz r11,PACAIRQHAPPENED(r13)
++ andi. r10,r11,PACA_IRQ_MUST_HARD_MASK
++ beq 1f // No HARD_MASK pending
++
++ /* Must clear MSR_EE from _MSR */
++#ifdef CONFIG_PPC_BOOK3S
++ li r10,0
++ /* Clear valid before changing _MSR */
++ .ifc \srr,srr
++ stb r10,PACASRR_VALID(r13)
++ .else
++ stb r10,PACAHSRR_VALID(r13)
++ .endif
++#endif
++ xori r12,r12,MSR_EE
++ std r12,_MSR(r1)
++ b .Lfast_kernel_interrupt_return_\srr\()
++
++.Linterrupt_return_\srr\()_soft_enabled:
+ #ifdef CONFIG_PPC_BOOK3S
+ lbz r11,PACAIRQHAPPENED(r13)
+ andi. r11,r11,(~PACA_IRQ_HARD_DIS)@l
+ bne- interrupt_return_\srr\()_kernel_restart
+ #endif
+- li r11,0
+- stb r11,PACAIRQHAPPENED(r13) # clear out possible HARD_DIS
+ 1:
++ li r11,0
++ stb r11,PACAIRQHAPPENED(r13) // clear the possible HARD_DIS
+
+ .Lfast_kernel_interrupt_return_\srr\():
+ cmpdi cr1,r3,0
+--
+2.35.1
+
--- /dev/null
+From e8cce008bd595e971d1286fcd0fff23f68ac4002 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 15:43:00 +1000
+Subject: powerpc/64: mark irqs hard disabled in boot paca
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit 799f7063c7645f9a751d17f5dfd73b952f962cd2 ]
+
+This prevents interrupts in early boot (e.g., program check) from
+enabling MSR[EE], potentially causing endian mismatch or other
+crashes when reporting early boot traps.
+
+Fixes: 4423eb5ae32ec ("powerpc/64/interrupt: make normal synchronous interrupts enable MSR[EE] if possible")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220926054305.2671436-3-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/setup_64.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c
+index 2b2d0b0fbb30..ce8fc6575eaa 100644
+--- a/arch/powerpc/kernel/setup_64.c
++++ b/arch/powerpc/kernel/setup_64.c
+@@ -182,8 +182,10 @@ static void __init fixup_boot_paca(void)
+ get_paca()->cpu_start = 1;
+ /* Allow percpu accesses to work until we setup percpu data */
+ get_paca()->data_offset = 0;
+- /* Mark interrupts disabled in PACA */
++ /* Mark interrupts soft and hard disabled in PACA */
+ irq_soft_mask_set(IRQS_DISABLED);
++ get_paca()->irq_happened = PACA_IRQ_HARD_DIS;
++ WARN_ON(mfmsr() & MSR_EE);
+ }
+
+ static void __init configure_exceptions(void)
+--
+2.35.1
+
--- /dev/null
+From cba6333767a77153884e3769cf7f20e736f69f92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 11:41:02 +1000
+Subject: powerpc/64s: Fix GENERIC_CPU build flags for PPC970 / G5
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit 58ec7f06b74e0d6e76c4110afce367c8b5f0837d ]
+
+Big-endian GENERIC_CPU supports 970, but builds with -mcpu=power5.
+POWER5 is ISA v2.02 whereas 970 is v2.01 plus Altivec. 2.02 added
+the popcntb instruction which a compiler might use.
+
+Use -mcpu=power4.
+
+Fixes: 471d7ff8b51b ("powerpc/64s: Remove POWER4 support")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Reviewed-by: Segher Boessenkool <segher@kernel.crashing.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220921014103.587954-1-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile
+index 02742facf895..140a5e6471fe 100644
+--- a/arch/powerpc/Makefile
++++ b/arch/powerpc/Makefile
+@@ -152,7 +152,7 @@ CFLAGS-$(CONFIG_GENERIC_CPU) += -mcpu=power8
+ CFLAGS-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mtune=power9,-mtune=power8)
+ else
+ CFLAGS-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mtune=power7,$(call cc-option,-mtune=power5))
+-CFLAGS-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mcpu=power5,-mcpu=power4)
++CFLAGS-$(CONFIG_GENERIC_CPU) += -mcpu=power4
+ endif
+ else ifdef CONFIG_PPC_BOOK3E_64
+ CFLAGS-$(CONFIG_GENERIC_CPU) += -mcpu=powerpc64
+--
+2.35.1
+
--- /dev/null
+From 8ac2ac83400d09440865e3d80b377cebd1455cec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 11:42:53 +1000
+Subject: powerpc/configs: Properly enable PAPR_SCM in pseries_defconfig
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit aa398d88aea4ec863bd7aea35d5035a37096dc59 ]
+
+My commit to add PAPR_SCM to pseries_defconfig failed to add the
+required dependencies, meaning the driver doesn't get built.
+
+Add the required LIBNVDIMM=m.
+
+Fixes: d6481a7195df ("powerpc/configs: Add PAPR_SCM to pseries_defconfig")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220901014253.252927-1-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/configs/pseries_defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/configs/pseries_defconfig b/arch/powerpc/configs/pseries_defconfig
+index b571d084c148..c05e37af9f1e 100644
+--- a/arch/powerpc/configs/pseries_defconfig
++++ b/arch/powerpc/configs/pseries_defconfig
+@@ -40,6 +40,7 @@ CONFIG_PPC_SPLPAR=y
+ CONFIG_DTL=y
+ CONFIG_PPC_SMLPAR=y
+ CONFIG_IBMEBUS=y
++CONFIG_LIBNVDIMM=m
+ CONFIG_PAPR_SCM=m
+ CONFIG_PPC_SVM=y
+ # CONFIG_PPC_PMAC is not set
+--
+2.35.1
+
--- /dev/null
+From 28c24e156f4fe101b68a532c628284ce26fb370d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Aug 2022 15:15:38 +0200
+Subject: powerpc: dts: turris1x.dts: Fix labels in DSA cpu port nodes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 8bf056f57f1d16c561e43f9af37301f23990cd21 ]
+
+DSA cpu port node has to be marked with "cpu" label.
+So fix it for both cpu port nodes.
+
+Fixes: 54c15ec3b738 ("powerpc: dts: Add DTS file for CZ.NIC Turris 1.x routers")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220827131538.14577-1-pali@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/dts/turris1x.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/boot/dts/turris1x.dts b/arch/powerpc/boot/dts/turris1x.dts
+index 47027b4cebb3..045af668e928 100644
+--- a/arch/powerpc/boot/dts/turris1x.dts
++++ b/arch/powerpc/boot/dts/turris1x.dts
+@@ -147,7 +147,7 @@
+
+ port@0 {
+ reg = <0>;
+- label = "cpu1";
++ label = "cpu";
+ ethernet = <&enet1>;
+ phy-mode = "rgmii-id";
+
+@@ -184,7 +184,7 @@
+
+ port@6 {
+ reg = <6>;
+- label = "cpu0";
++ label = "cpu";
+ ethernet = <&enet0>;
+ phy-mode = "rgmii-id";
+
+--
+2.35.1
+
--- /dev/null
+From e2e4060e8c7de8c53905d2460d8b72b1d1defe23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Aug 2022 00:55:00 +0200
+Subject: powerpc: dts: turris1x.dts: Fix NOR partitions labels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit c9986f0aefd1ae22fe9cf794d49699643f1e268b ]
+
+Partition partition@20000 contains generic kernel image and it does not
+have to be used only for rescue purposes. Partition partition@1c0000
+contains bootable rescue system and partition partition@340000 contains
+factory image/data for restoring to NAND. So change partition labels to
+better fit their purpose by removing possible misleading substring "rootfs"
+from these labels.
+
+Fixes: 54c15ec3b738 ("powerpc: dts: Add DTS file for CZ.NIC Turris 1.x routers")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220830225500.8856-1-pali@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/dts/turris1x.dts | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/powerpc/boot/dts/turris1x.dts b/arch/powerpc/boot/dts/turris1x.dts
+index 12e08271e61f..47027b4cebb3 100644
+--- a/arch/powerpc/boot/dts/turris1x.dts
++++ b/arch/powerpc/boot/dts/turris1x.dts
+@@ -263,21 +263,21 @@
+ };
+
+ partition@20000 {
+- /* 1.7 MB for Rescue Linux Kernel Image */
++ /* 1.7 MB for Linux Kernel Image */
+ reg = <0x00020000 0x001a0000>;
+- label = "rescue-kernel";
++ label = "kernel";
+ };
+
+ partition@1c0000 {
+ /* 1.5 MB for Rescue JFFS2 Root File System */
+ reg = <0x001c0000 0x00180000>;
+- label = "rescue-rootfs";
++ label = "rescue";
+ };
+
+ partition@340000 {
+- /* 11 MB for TAR.XZ Backup with content of NAND Root File System */
++ /* 11 MB for TAR.XZ Archive with Factory content of NAND Root File System */
+ reg = <0x00340000 0x00b00000>;
+- label = "backup-rootfs";
++ label = "factory";
+ };
+
+ partition@e40000 {
+--
+2.35.1
+
--- /dev/null
+From e216ab4a4d50f510836b5ef4f2740436c46e1322 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 16:55:48 +1000
+Subject: powerpc: Fix fallocate and fadvise64_64 compat parameter combination
+
+From: Rohan McLure <rmclure@linux.ibm.com>
+
+[ Upstream commit 016ff72bd2090903715c0f9422a44afbb966f4ee ]
+
+As reported[1] by Arnd, the arch-specific fadvise64_64 and fallocate
+compatibility handlers assume parameters are passed with 32-bit
+big-endian ABI. This affects the assignment of odd-even parameter pairs
+to the high or low words of a 64-bit syscall parameter.
+
+Fix fadvise64_64 fallocate compat handlers to correctly swap upper/lower
+32 bits conditioned on endianness.
+
+A future patch will replace the arch-specific compat fallocate with an
+asm-generic implementation. This patch is intended for ease of
+back-port.
+
+[1]: https://lore.kernel.org/all/be29926f-226e-48dc-871a-e29a54e80583@www.fastmail.com/
+
+Fixes: 57f48b4b74e7 ("powerpc/compat_sys: swap hi/lo parts of 64-bit syscall args in LE mode")
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Rohan McLure <rmclure@linux.ibm.com>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220921065605.1051927-9-rmclure@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/syscalls.h | 12 ++++++++++++
+ arch/powerpc/kernel/sys_ppc32.c | 14 +-------------
+ arch/powerpc/kernel/syscalls.c | 4 ++--
+ 3 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/syscalls.h b/arch/powerpc/include/asm/syscalls.h
+index a2b13e55254f..da40219b303a 100644
+--- a/arch/powerpc/include/asm/syscalls.h
++++ b/arch/powerpc/include/asm/syscalls.h
+@@ -8,6 +8,18 @@
+ #include <linux/types.h>
+ #include <linux/compat.h>
+
++/*
++ * long long munging:
++ * The 32 bit ABI passes long longs in an odd even register pair.
++ * High and low parts are swapped depending on endian mode,
++ * so define a macro (similar to mips linux32) to handle that.
++ */
++#ifdef __LITTLE_ENDIAN__
++#define merge_64(low, high) (((u64)high << 32) | low)
++#else
++#define merge_64(high, low) (((u64)high << 32) | low)
++#endif
++
+ struct rtas_args;
+
+ asmlinkage long sys_mmap(unsigned long addr, size_t len,
+diff --git a/arch/powerpc/kernel/sys_ppc32.c b/arch/powerpc/kernel/sys_ppc32.c
+index 16ff0399a257..719bfc6d1e3f 100644
+--- a/arch/powerpc/kernel/sys_ppc32.c
++++ b/arch/powerpc/kernel/sys_ppc32.c
+@@ -56,18 +56,6 @@ unsigned long compat_sys_mmap2(unsigned long addr, size_t len,
+ return sys_mmap(addr, len, prot, flags, fd, pgoff << 12);
+ }
+
+-/*
+- * long long munging:
+- * The 32 bit ABI passes long longs in an odd even register pair.
+- * High and low parts are swapped depending on endian mode,
+- * so define a macro (similar to mips linux32) to handle that.
+- */
+-#ifdef __LITTLE_ENDIAN__
+-#define merge_64(low, high) ((u64)high << 32) | low
+-#else
+-#define merge_64(high, low) ((u64)high << 32) | low
+-#endif
+-
+ compat_ssize_t compat_sys_pread64(unsigned int fd, char __user *ubuf, compat_size_t count,
+ u32 reg6, u32 pos1, u32 pos2)
+ {
+@@ -94,7 +82,7 @@ asmlinkage int compat_sys_truncate64(const char __user * path, u32 reg4,
+ asmlinkage long compat_sys_fallocate(int fd, int mode, u32 offset1, u32 offset2,
+ u32 len1, u32 len2)
+ {
+- return ksys_fallocate(fd, mode, ((loff_t)offset1 << 32) | offset2,
++ return ksys_fallocate(fd, mode, merge_64(offset1, offset2),
+ merge_64(len1, len2));
+ }
+
+diff --git a/arch/powerpc/kernel/syscalls.c b/arch/powerpc/kernel/syscalls.c
+index fc999140bc27..abc3fbb3c490 100644
+--- a/arch/powerpc/kernel/syscalls.c
++++ b/arch/powerpc/kernel/syscalls.c
+@@ -98,8 +98,8 @@ long ppc64_personality(unsigned long personality)
+ long ppc_fadvise64_64(int fd, int advice, u32 offset_high, u32 offset_low,
+ u32 len_high, u32 len_low)
+ {
+- return ksys_fadvise64_64(fd, (u64)offset_high << 32 | offset_low,
+- (u64)len_high << 32 | len_low, advice);
++ return ksys_fadvise64_64(fd, merge_64(offset_high, offset_low),
++ merge_64(len_high, len_low), advice);
+ }
+
+ SYSCALL_DEFINE0(switch_endian)
+--
+2.35.1
+
--- /dev/null
+From eebb0c3bd0d68173f82740bec46a564bcde6ac51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 23:21:02 +0200
+Subject: powerpc: Fix SPE Power ISA properties for e500v1 platforms
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 37b9345ce7f4ab17538ea62def6f6d430f091355 ]
+
+Commit 2eb28006431c ("powerpc/e500v2: Add Power ISA properties to comply
+with ePAPR 1.1") introduced new include file e500v2_power_isa.dtsi and
+should have used it for all e500v2 platforms. But apparently it was used
+also for e500v1 platforms mpc8540, mpc8541, mpc8555 and mpc8560.
+
+e500v1 cores compared to e500v2 do not support double precision floating
+point SPE instructions. Hence power-isa-sp.fd should not be set on e500v1
+platforms, which is in e500v2_power_isa.dtsi include file.
+
+Fix this issue by introducing a new e500v1_power_isa.dtsi include file and
+use it in all e500v1 device tree files.
+
+Fixes: 2eb28006431c ("powerpc/e500v2: Add Power ISA properties to comply with ePAPR 1.1")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220902212103.22534-1-pali@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/fsl/e500v1_power_isa.dtsi | 51 +++++++++++++++++++
+ arch/powerpc/boot/dts/fsl/mpc8540ads.dts | 2 +-
+ arch/powerpc/boot/dts/fsl/mpc8541cds.dts | 2 +-
+ arch/powerpc/boot/dts/fsl/mpc8555cds.dts | 2 +-
+ arch/powerpc/boot/dts/fsl/mpc8560ads.dts | 2 +-
+ 5 files changed, 55 insertions(+), 4 deletions(-)
+ create mode 100644 arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi
+
+diff --git a/arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi b/arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi
+new file mode 100644
+index 000000000000..7e2a90cde72e
+--- /dev/null
++++ b/arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi
+@@ -0,0 +1,51 @@
++/*
++ * e500v1 Power ISA Device Tree Source (include)
++ *
++ * Copyright 2012 Freescale Semiconductor Inc.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions are met:
++ * * Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * * Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * * Neither the name of Freescale Semiconductor nor the
++ * names of its contributors may be used to endorse or promote products
++ * derived from this software without specific prior written permission.
++ *
++ *
++ * ALTERNATIVELY, this software may be distributed under the terms of the
++ * GNU General Public License ("GPL") as published by the Free Software
++ * Foundation, either version 2 of that License or (at your option) any
++ * later version.
++ *
++ * THIS SOFTWARE IS PROVIDED BY Freescale Semiconductor "AS IS" AND ANY
++ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
++ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED. IN NO EVENT SHALL Freescale Semiconductor BE LIABLE FOR ANY
++ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
++ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
++ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++/ {
++ cpus {
++ power-isa-version = "2.03";
++ power-isa-b; // Base
++ power-isa-e; // Embedded
++ power-isa-atb; // Alternate Time Base
++ power-isa-cs; // Cache Specification
++ power-isa-e.le; // Embedded.Little-Endian
++ power-isa-e.pm; // Embedded.Performance Monitor
++ power-isa-ecl; // Embedded Cache Locking
++ power-isa-mmc; // Memory Coherence
++ power-isa-sp; // Signal Processing Engine
++ power-isa-sp.fs; // SPE.Embedded Float Scalar Single
++ power-isa-sp.fv; // SPE.Embedded Float Vector
++ mmu-type = "power-embedded";
++ };
++};
+diff --git a/arch/powerpc/boot/dts/fsl/mpc8540ads.dts b/arch/powerpc/boot/dts/fsl/mpc8540ads.dts
+index 18a885130538..e03ae130162b 100644
+--- a/arch/powerpc/boot/dts/fsl/mpc8540ads.dts
++++ b/arch/powerpc/boot/dts/fsl/mpc8540ads.dts
+@@ -7,7 +7,7 @@
+
+ /dts-v1/;
+
+-/include/ "e500v2_power_isa.dtsi"
++/include/ "e500v1_power_isa.dtsi"
+
+ / {
+ model = "MPC8540ADS";
+diff --git a/arch/powerpc/boot/dts/fsl/mpc8541cds.dts b/arch/powerpc/boot/dts/fsl/mpc8541cds.dts
+index ac381e7b1c60..a2a6c5cf852e 100644
+--- a/arch/powerpc/boot/dts/fsl/mpc8541cds.dts
++++ b/arch/powerpc/boot/dts/fsl/mpc8541cds.dts
+@@ -7,7 +7,7 @@
+
+ /dts-v1/;
+
+-/include/ "e500v2_power_isa.dtsi"
++/include/ "e500v1_power_isa.dtsi"
+
+ / {
+ model = "MPC8541CDS";
+diff --git a/arch/powerpc/boot/dts/fsl/mpc8555cds.dts b/arch/powerpc/boot/dts/fsl/mpc8555cds.dts
+index 9f58db2a7e66..901b6ff06dfb 100644
+--- a/arch/powerpc/boot/dts/fsl/mpc8555cds.dts
++++ b/arch/powerpc/boot/dts/fsl/mpc8555cds.dts
+@@ -7,7 +7,7 @@
+
+ /dts-v1/;
+
+-/include/ "e500v2_power_isa.dtsi"
++/include/ "e500v1_power_isa.dtsi"
+
+ / {
+ model = "MPC8555CDS";
+diff --git a/arch/powerpc/boot/dts/fsl/mpc8560ads.dts b/arch/powerpc/boot/dts/fsl/mpc8560ads.dts
+index a24722ccaebf..c2f9aea78b29 100644
+--- a/arch/powerpc/boot/dts/fsl/mpc8560ads.dts
++++ b/arch/powerpc/boot/dts/fsl/mpc8560ads.dts
+@@ -7,7 +7,7 @@
+
+ /dts-v1/;
+
+-/include/ "e500v2_power_isa.dtsi"
++/include/ "e500v1_power_isa.dtsi"
+
+ / {
+ model = "MPC8560ADS";
+--
+2.35.1
+
--- /dev/null
+From ef6737784595fa093a220c56736953b75883e4b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Sep 2022 17:32:53 +0800
+Subject: powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()
+
+From: Li Huafei <lihuafei1@huawei.com>
+
+[ Upstream commit 97f88a3d723162781d6cbfdc7b9617eefab55b19 ]
+
+I found a null pointer reference in arch_prepare_kprobe():
+
+ # echo 'p cmdline_proc_show' > kprobe_events
+ # echo 'p cmdline_proc_show+16' >> kprobe_events
+ Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
+ BUG: Kernel NULL pointer dereference on read at 0x00000000
+ Faulting instruction address: 0xc000000000050bfc
+ Oops: Kernel access of bad area, sig: 11 [#1]
+ LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
+ Modules linked in:
+ CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10
+ NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc
+ REGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)
+ MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 88002444 XER: 20040006
+ CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0
+ ...
+ NIP arch_prepare_kprobe+0x10c/0x2d0
+ LR arch_prepare_kprobe+0xfc/0x2d0
+ Call Trace:
+ 0xc0000000012f77a0 (unreliable)
+ register_kprobe+0x3c0/0x7a0
+ __register_trace_kprobe+0x140/0x1a0
+ __trace_kprobe_create+0x794/0x1040
+ trace_probe_create+0xc4/0xe0
+ create_or_delete_trace_kprobe+0x2c/0x80
+ trace_parse_run_command+0xf0/0x210
+ probes_write+0x20/0x40
+ vfs_write+0xfc/0x450
+ ksys_write+0x84/0x140
+ system_call_exception+0x17c/0x3a0
+ system_call_vectored_common+0xe8/0x278
+ --- interrupt: 3000 at 0x7fffa5682de0
+ NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000
+ REGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e)
+ MSR: 900000000280f033 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 44002408 XER: 00000000
+
+The address being probed has some special:
+
+ cmdline_proc_show: Probe based on ftrace
+ cmdline_proc_show+16: Probe for the next instruction at the ftrace location
+
+The ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets
+set to NULL. In arch_prepare_kprobe() it will check for:
+
+ ...
+ prev = get_kprobe(p->addr - 1);
+ preempt_enable_no_resched();
+ if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) {
+ ...
+
+If prev is based on ftrace, 'ppc_inst_read(prev->ainsn.insn)' will occur
+with a null pointer reference. At this point prev->addr will not be a
+prefixed instruction, so the check can be skipped.
+
+Check if prev is ftrace-based kprobe before reading 'prev->ainsn.insn'
+to fix this problem.
+
+Fixes: b4657f7650ba ("powerpc/kprobes: Don't allow breakpoints on suffixes")
+Signed-off-by: Li Huafei <lihuafei1@huawei.com>
+[mpe: Trim oops]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220923093253.177298-1-lihuafei1@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/kprobes.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/kprobes.c b/arch/powerpc/kernel/kprobes.c
+index 912d4f8a13be..bd7b1a035459 100644
+--- a/arch/powerpc/kernel/kprobes.c
++++ b/arch/powerpc/kernel/kprobes.c
+@@ -161,7 +161,13 @@ int arch_prepare_kprobe(struct kprobe *p)
+ preempt_disable();
+ prev = get_kprobe(p->addr - 1);
+ preempt_enable_no_resched();
+- if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) {
++
++ /*
++ * When prev is a ftrace-based kprobe, we don't have an insn, and it
++ * doesn't probe for prefixed instruction.
++ */
++ if (prev && !kprobe_ftrace(prev) &&
++ ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) {
+ printk("Cannot register a kprobe on the second word of prefixed instruction\n");
+ ret = -EINVAL;
+ }
+--
+2.35.1
+
--- /dev/null
+From 91c3bb1848f8ec653be1fc7c61cfd77220f10aaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 18:00:08 +0200
+Subject: powerpc/math_emu/efp: Include module.h
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit cfe0d370e0788625ce0df3239aad07a2506c1796 ]
+
+When building with a recent version of clang, there are a couple of
+errors around the call to module_init():
+
+ arch/powerpc/math-emu/math_efp.c:927:1: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int]
+ module_init(spe_mathemu_init);
+ ^
+ int
+ arch/powerpc/math-emu/math_efp.c:927:13: error: a parameter list without types is only allowed in a function definition
+ module_init(spe_mathemu_init);
+ ^
+ 2 errors generated.
+
+module_init() is a macro, which is not getting expanded because module.h
+is not included in this file. Add the include so that the macro can
+expand properly, clearing up the build failure.
+
+Fixes: ac6f120369ff ("powerpc/85xx: Workaroudn e500 CPU erratum A005")
+[chleroy: added fixes tag]
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Link: https://lore.kernel.org/r/8403854a4c187459b2f4da3537f51227b70b9223.1662134272.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/math-emu/math_efp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/math-emu/math_efp.c b/arch/powerpc/math-emu/math_efp.c
+index 39b84e7452e1..aa3bb8da1cb9 100644
+--- a/arch/powerpc/math-emu/math_efp.c
++++ b/arch/powerpc/math-emu/math_efp.c
+@@ -17,6 +17,7 @@
+
+ #include <linux/types.h>
+ #include <linux/prctl.h>
++#include <linux/module.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/reg.h>
+--
+2.35.1
+
--- /dev/null
+From 5e48e56bbde2328d4b011b3c2be445c7731556d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Jul 2022 21:17:50 +0800
+Subject: powerpc/pci_dn: Add missing of_node_put()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 110a1fcb6c4d55144d8179983a475f17a1d6f832 ]
+
+In pci_add_device_node_info(), use of_node_put() to drop the reference
+to 'parent' returned by of_get_parent() to keep refcount balance.
+
+Fixes: cca87d303c85 ("powerpc/pci: Refactor pci_dn")
+Co-authored-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Tyrel Datwyler <tyreld@linux.ibm.com>
+Link: https://lore.kernel.org/r/20220701131750.240170-1-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/pci_dn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/kernel/pci_dn.c b/arch/powerpc/kernel/pci_dn.c
+index 7a35fc25a304..38561d6a2079 100644
+--- a/arch/powerpc/kernel/pci_dn.c
++++ b/arch/powerpc/kernel/pci_dn.c
+@@ -330,6 +330,7 @@ struct pci_dn *pci_add_device_node_info(struct pci_controller *hose,
+ INIT_LIST_HEAD(&pdn->list);
+ parent = of_get_parent(dn);
+ pdn->parent = parent ? PCI_DN(parent) : NULL;
++ of_node_put(parent);
+ if (pdn->parent)
+ list_add_tail(&pdn->list, &pdn->parent->child_list);
+
+--
+2.35.1
+
--- /dev/null
+From 07decc0cb07121b356d5b3b1a71a00615e5ccd69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Sep 2022 14:17:03 +0000
+Subject: powerpc/powernv: add missing of_node_put() in opal_export_attrs()
+
+From: Zheng Yongjun <zhengyongjun3@huawei.com>
+
+[ Upstream commit 71a92e99c47900cc164620948b3863382cec4f1a ]
+
+After using 'np' returned by of_find_node_by_path(), of_node_put()
+need be called to decrease the refcount.
+
+Fixes: 11fe909d2362 ("powerpc/powernv: Add OPAL exports attributes to sysfs")
+Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220906141703.118192-1-zhengyongjun3@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/powernv/opal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/platforms/powernv/opal.c b/arch/powerpc/platforms/powernv/opal.c
+index 55a8fbfdb5b2..3510b55b36f8 100644
+--- a/arch/powerpc/platforms/powernv/opal.c
++++ b/arch/powerpc/platforms/powernv/opal.c
+@@ -892,6 +892,7 @@ static void opal_export_attrs(void)
+ kobj = kobject_create_and_add("exports", opal_kobj);
+ if (!kobj) {
+ pr_warn("kobject_create_and_add() of exports failed\n");
++ of_node_put(np);
+ return;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 42e45ea93a4b6e8b26e52876f4778c18edaa510d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Sep 2022 18:57:33 -0700
+Subject: powerpc/pseries/vas: Pass hw_cpu_id to node associativity HCALL
+
+From: Haren Myneni <haren@linux.ibm.com>
+
+[ Upstream commit f3e5d9e53e74d77e711a2c90a91a8b0836a9e0b3 ]
+
+Generally the hypervisor decides to allocate a window on different
+VAS instances. But if user space wishes to allocate on the current VAS
+instance where the process is executing, the kernel has to pass
+associativity domain IDs to allocate VAS window HCALL.
+
+To determine the associativity domain IDs for the current CPU,
+smp_processor_id() is passed to node associativity HCALL which may
+return H_P2 (-55) error during DLPAR CPU event. This is because Linux
+CPU numbers (smp_processor_id()) are not the same as the hypervisor's
+view of CPU numbers.
+
+Fix the issue by passing hard_smp_processor_id() with
+VPHN_FLAG_VCPU flag (PAPR 14.11.6.1 H_HOME_NODE_ASSOCIATIVITY).
+
+Fixes: b22f2d88e435 ("powerpc/pseries/vas: Integrate API with open/close windows")
+Reviewed-by: Nathan Lynch <nathanl@linux.ibm.com>
+Signed-off-by: Haren Myneni <haren@linux.ibm.com>
+[mpe: Update change log to mention Linux vs HV CPU numbers]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/55380253ea0c11341824cd4c0fc6bbcfc5752689.camel@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/vas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/pseries/vas.c b/arch/powerpc/platforms/pseries/vas.c
+index 7e6e6dd2e33e..1a2cbc156e8f 100644
+--- a/arch/powerpc/platforms/pseries/vas.c
++++ b/arch/powerpc/platforms/pseries/vas.c
+@@ -333,7 +333,7 @@ static struct vas_window *vas_allocate_window(int vas_id, u64 flags,
+ * So no unpacking needs to be done.
+ */
+ rc = plpar_hcall9(H_HOME_NODE_ASSOCIATIVITY, domain,
+- VPHN_FLAG_VCPU, smp_processor_id());
++ VPHN_FLAG_VCPU, hard_smp_processor_id());
+ if (rc != H_SUCCESS) {
+ pr_err("H_HOME_NODE_ASSOCIATIVITY error: %d\n", rc);
+ goto out;
+--
+2.35.1
+
--- /dev/null
+From e857ac4a1ac0556f05f6feb144b3a6945e2fc94b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Jul 2022 22:52:33 +0800
+Subject: powerpc/sysdev/fsl_msi: Add missing of_node_put()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit def435c04ee984a5f9ed2711b2bfe946936c6a21 ]
+
+In fsl_setup_msi_irqs(), use of_node_put() to drop the reference
+returned by of_parse_phandle().
+
+Fixes: 895d603f945ba ("powerpc/fsl_msi: add support for the fsl, msi property in PCI nodes")
+Co-authored-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220704145233.278539-1-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/sysdev/fsl_msi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/sysdev/fsl_msi.c b/arch/powerpc/sysdev/fsl_msi.c
+index ef9a5999fa93..73c2d70706c0 100644
+--- a/arch/powerpc/sysdev/fsl_msi.c
++++ b/arch/powerpc/sysdev/fsl_msi.c
+@@ -209,8 +209,10 @@ static int fsl_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type)
+ dev_err(&pdev->dev,
+ "node %pOF has an invalid fsl,msi phandle %u\n",
+ hose->dn, np->phandle);
++ of_node_put(np);
+ return -EINVAL;
+ }
++ of_node_put(np);
+ }
+
+ msi_for_each_desc(entry, &pdev->dev, MSI_DESC_NOTASSOCIATED) {
+--
+2.35.1
+
--- /dev/null
+From d00004d07c6b878e989ea9d9aca753321a1e320a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Oct 2022 12:41:28 +0900
+Subject: r8152: Rate limit overflow messages
+
+From: Andrew Gaul <gaul@gaul.org>
+
+[ Upstream commit 93e2be344a7db169b7119de21ac1bf253b8c6907 ]
+
+My system shows almost 10 million of these messages over a 24-hour
+period which pollutes my logs.
+
+Signed-off-by: Andrew Gaul <gaul@google.com>
+Link: https://lore.kernel.org/r/20221002034128.2026653-1-gaul@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 688905ea0a6d..e7b0b59e2bc8 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -1874,7 +1874,9 @@ static void intr_callback(struct urb *urb)
+ "Stop submitting intr, status %d\n", status);
+ return;
+ case -EOVERFLOW:
+- netif_info(tp, intr, tp->netdev, "intr status -EOVERFLOW\n");
++ if (net_ratelimit())
++ netif_info(tp, intr, tp->netdev,
++ "intr status -EOVERFLOW\n");
+ goto resubmit;
+ /* -EPIPE: should clear the halt */
+ default:
+--
+2.35.1
+
--- /dev/null
+From 601cc0fab0de8b9f9e752ae3464b5951c9a684f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Oct 2022 00:31:00 +0200
+Subject: random: schedule jitter credit for next jiffy, not in two jiffies
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+[ Upstream commit 122733471384be8c23f019fbbd46bdf7be561dcd ]
+
+Counterintuitively, mod_timer(..., jiffies + 1) will cause the timer to
+fire not in the next jiffy, but in two jiffies. The way to cause
+the timer to fire in the next jiffy is with mod_timer(..., jiffies).
+Doing so then lets us bump the upper bound back up again.
+
+Fixes: 50ee7529ec45 ("random: try to actively add entropy rather than passively wait for it")
+Fixes: 829d680e82a9 ("random: cap jitter samples per bit to factor of HZ")
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Cc: Sultan Alsawaf <sultan@kerneltoast.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/random.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index 060f999dcffb..46d6100fa3a7 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1195,7 +1195,7 @@ static void __cold entropy_timer(struct timer_list *timer)
+ */
+ static void __cold try_to_generate_entropy(void)
+ {
+- enum { NUM_TRIAL_SAMPLES = 8192, MAX_SAMPLES_PER_BIT = HZ / 30 };
++ enum { NUM_TRIAL_SAMPLES = 8192, MAX_SAMPLES_PER_BIT = HZ / 15 };
+ struct entropy_timer_state stack;
+ unsigned int i, num_different = 0;
+ unsigned long last = random_get_entropy();
+@@ -1214,7 +1214,7 @@ static void __cold try_to_generate_entropy(void)
+ timer_setup_on_stack(&stack.timer, entropy_timer, 0);
+ while (!crng_ready() && !signal_pending(current)) {
+ if (!timer_pending(&stack.timer))
+- mod_timer(&stack.timer, jiffies + 1);
++ mod_timer(&stack.timer, jiffies);
+ mix_pool_bytes(&stack.entropy, sizeof(stack.entropy));
+ schedule();
+ stack.entropy = random_get_entropy();
+--
+2.35.1
+
--- /dev/null
+From 49dfe0a6602665a61812ed179d2dd3ea96106053 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Aug 2022 10:26:26 +0800
+Subject: rcu: Avoid triggering strict-GP irq-work when RCU is idle
+
+From: Zqiang <qiang1.zhang@intel.com>
+
+[ Upstream commit 621189a1fe93cb2b34d62c5cdb9e258bca044813 ]
+
+Kernels built with PREEMPT_RCU=y and RCU_STRICT_GRACE_PERIOD=y trigger
+irq-work from rcu_read_unlock(), and the resulting irq-work handler
+invokes rcu_preempt_deferred_qs_handle(). The point of this triggering
+is to force grace periods to end quickly in order to give tools like KASAN
+a better chance of detecting RCU usage bugs such as leaking RCU-protected
+pointers out of an RCU read-side critical section.
+
+However, this irq-work triggering is unconditional. This works, but
+there is no point in doing this irq-work unless the current grace period
+is waiting on the running CPU or task, which is not the common case.
+After all, in the common case there are many rcu_read_unlock() calls
+per CPU per grace period.
+
+This commit therefore triggers the irq-work only when the current grace
+period is waiting on the running CPU or task.
+
+This change was tested as follows on a four-CPU system:
+
+ echo rcu_preempt_deferred_qs_handler > /sys/kernel/debug/tracing/set_ftrace_filter
+ echo 1 > /sys/kernel/debug/tracing/function_profile_enabled
+ insmod rcutorture.ko
+ sleep 20
+ rmmod rcutorture.ko
+ echo 0 > /sys/kernel/debug/tracing/function_profile_enabled
+ echo > /sys/kernel/debug/tracing/set_ftrace_filter
+
+This procedure produces results in this per-CPU set of files:
+
+ /sys/kernel/debug/tracing/trace_stat/function*
+
+Sample output from one of these files is as follows:
+
+ Function Hit Time Avg s^2
+ -------- --- ---- --- ---
+ rcu_preempt_deferred_qs_handle 838746 182650.3 us 0.217 us 0.004 us
+
+The baseline sum of the "Hit" values (the number of calls to this
+function) was 3,319,015. With this commit, that sum was 1,140,359,
+for a 2.9x reduction. The worst-case variance across the CPUs was less
+than 25%, so this large effect size is statistically significant.
+
+The raw data is available in the Link: URL.
+
+Link: https://lore.kernel.org/all/20220808022626.12825-1-qiang1.zhang@intel.com/
+Signed-off-by: Zqiang <qiang1.zhang@intel.com>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree_plugin.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
+index 438ecae6bd7e..49468b4d1b43 100644
+--- a/kernel/rcu/tree_plugin.h
++++ b/kernel/rcu/tree_plugin.h
+@@ -641,7 +641,8 @@ static void rcu_read_unlock_special(struct task_struct *t)
+
+ expboost = (t->rcu_blocked_node && READ_ONCE(t->rcu_blocked_node->exp_tasks)) ||
+ (rdp->grpmask & READ_ONCE(rnp->expmask)) ||
+- IS_ENABLED(CONFIG_RCU_STRICT_GRACE_PERIOD) ||
++ (IS_ENABLED(CONFIG_RCU_STRICT_GRACE_PERIOD) &&
++ ((rdp->grpmask & READ_ONCE(rnp->qsmask)) || t->rcu_blocked_node)) ||
+ (IS_ENABLED(CONFIG_RCU_BOOST) && irqs_were_disabled &&
+ t->rcu_blocked_node);
+ // Need to defer quiescent state until everything is enabled.
+--
+2.35.1
+
--- /dev/null
+From 5ccdfa91c9ef43eea71c265d18aac28208bf94b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Jun 2022 13:47:11 +0200
+Subject: rcu: Back off upon fill_page_cache_func() allocation failure
+
+From: Michal Hocko <mhocko@suse.com>
+
+[ Upstream commit 093590c16b447f53e66771c8579ae66c96f6ef61 ]
+
+The fill_page_cache_func() function allocates couple of pages to store
+kvfree_rcu_bulk_data structures. This is a lightweight (GFP_NORETRY)
+allocation which can fail under memory pressure. The function will,
+however keep retrying even when the previous attempt has failed.
+
+This retrying is in theory correct, but in practice the allocation is
+invoked from workqueue context, which means that if the memory reclaim
+gets stuck, these retries can hog the worker for quite some time.
+Although the workqueues subsystem automatically adjusts concurrency, such
+adjustment is not guaranteed to happen until the worker context sleeps.
+And the fill_page_cache_func() function's retry loop is not guaranteed
+to sleep (see the should_reclaim_retry() function).
+
+And we have seen this function cause workqueue lockups:
+
+kernel: BUG: workqueue lockup - pool cpus=93 node=1 flags=0x1 nice=0 stuck for 32s!
+[...]
+kernel: pool 74: cpus=37 node=0 flags=0x1 nice=0 hung=32s workers=2 manager: 2146
+kernel: pwq 498: cpus=249 node=1 flags=0x1 nice=0 active=4/256 refcnt=5
+kernel: in-flight: 1917:fill_page_cache_func
+kernel: pending: dbs_work_handler, free_work, kfree_rcu_monitor
+
+Originally, we thought that the root cause of this lockup was several
+retries with direct reclaim, but this is not yet confirmed. Furthermore,
+we have seen similar lockups without any heavy memory pressure. This
+suggests that there are other factors contributing to these lockups.
+However, it is not really clear that endless retries are desireable.
+
+So let's make the fill_page_cache_func() function back off after
+allocation failure.
+
+Cc: Uladzislau Rezki (Sony) <urezki@gmail.com>
+Cc: "Paul E. McKenney" <paulmck@kernel.org>
+Cc: Frederic Weisbecker <frederic@kernel.org>
+Cc: Neeraj Upadhyay <quic_neeraju@quicinc.com>
+Cc: Josh Triplett <josh@joshtriplett.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Lai Jiangshan <jiangshanlai@gmail.com>
+Cc: Joel Fernandes <joel@joelfernandes.org>
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
+index 79aea7df4345..eb435941e92f 100644
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -3183,15 +3183,16 @@ static void fill_page_cache_func(struct work_struct *work)
+ bnode = (struct kvfree_rcu_bulk_data *)
+ __get_free_page(GFP_KERNEL | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN);
+
+- if (bnode) {
+- raw_spin_lock_irqsave(&krcp->lock, flags);
+- pushed = put_cached_bnode(krcp, bnode);
+- raw_spin_unlock_irqrestore(&krcp->lock, flags);
++ if (!bnode)
++ break;
+
+- if (!pushed) {
+- free_page((unsigned long) bnode);
+- break;
+- }
++ raw_spin_lock_irqsave(&krcp->lock, flags);
++ pushed = put_cached_bnode(krcp, bnode);
++ raw_spin_unlock_irqrestore(&krcp->lock, flags);
++
++ if (!pushed) {
++ free_page((unsigned long) bnode);
++ break;
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 5ea920627369f7b4622ccfaf1915d502e6276ac8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Jul 2022 16:26:05 +0800
+Subject: rcu-tasks: Convert RCU_LOCKDEP_WARN() to WARN_ONCE()
+
+From: Zqiang <qiang1.zhang@intel.com>
+
+[ Upstream commit fcd53c8a4dfa38bafb89efdd0b0f718f3a03f884 ]
+
+Kernels built with CONFIG_PROVE_RCU=y and CONFIG_DEBUG_LOCK_ALLOC=y
+attempt to emit a warning when the synchronize_rcu_tasks_generic()
+function is called during early boot while the rcu_scheduler_active
+variable is RCU_SCHEDULER_INACTIVE. However the warnings is not
+actually be printed because the debug_lockdep_rcu_enabled() returns
+false, exactly because the rcu_scheduler_active variable is still equal
+to RCU_SCHEDULER_INACTIVE.
+
+This commit therefore replaces RCU_LOCKDEP_WARN() with WARN_ONCE()
+to force these warnings to actually be printed.
+
+Signed-off-by: Zqiang <qiang1.zhang@intel.com>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tasks.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h
+index 83c7e6620d40..469bf2a3b505 100644
+--- a/kernel/rcu/tasks.h
++++ b/kernel/rcu/tasks.h
+@@ -560,7 +560,7 @@ static int __noreturn rcu_tasks_kthread(void *arg)
+ static void synchronize_rcu_tasks_generic(struct rcu_tasks *rtp)
+ {
+ /* Complain if the scheduler has not started. */
+- RCU_LOCKDEP_WARN(rcu_scheduler_active == RCU_SCHEDULER_INACTIVE,
++ WARN_ONCE(rcu_scheduler_active == RCU_SCHEDULER_INACTIVE,
+ "synchronize_rcu_tasks called too soon");
+
+ // If the grace-period kthread is running, use it.
+--
+2.35.1
+
--- /dev/null
+From ba41f6aeaed9453a85aa206555611ad1c2218b62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Jul 2022 10:57:26 -0700
+Subject: rcu-tasks: Ensure RCU Tasks Trace loops have quiescent states
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+[ Upstream commit d6ad60635cafe900bcd11ad588d8accb36c36b1b ]
+
+The RCU Tasks Trace grace-period kthread loops across all CPUs, and
+there can be quite a few CPUs, with some commercially available systems
+sporting well over a thousand of them. Some of these loops can feature
+IPIs, which can take some time. This commit therefore places a call to
+cond_resched_tasks_rcu_qs() in each such loop.
+
+Link: https://docs.google.com/document/d/1V0YnG1HTWMt9WHJjroiJL9lf-hMrud4v8Fn3fhyY0cI/edit?usp=sharing
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tasks.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h
+index 469bf2a3b505..f5bf6fb430da 100644
+--- a/kernel/rcu/tasks.h
++++ b/kernel/rcu/tasks.h
+@@ -1500,6 +1500,7 @@ static void rcu_tasks_trace_pregp_step(struct list_head *hop)
+ if (rcu_tasks_trace_pertask_prep(t, true))
+ trc_add_holdout(t, hop);
+ rcu_read_unlock();
++ cond_resched_tasks_rcu_qs();
+ }
+
+ // Only after all running tasks have been accounted for is it
+@@ -1520,6 +1521,7 @@ static void rcu_tasks_trace_pregp_step(struct list_head *hop)
+ raw_spin_lock_irqsave_rcu_node(rtpcp, flags);
+ }
+ raw_spin_unlock_irqrestore_rcu_node(rtpcp, flags);
++ cond_resched_tasks_rcu_qs();
+ }
+
+ // Re-enable CPU hotplug now that the holdout list is populated.
+@@ -1619,6 +1621,7 @@ static void check_all_holdout_tasks_trace(struct list_head *hop,
+ trc_del_holdout(t);
+ else if (needreport)
+ show_stalled_task_trace(t, firstreport);
++ cond_resched_tasks_rcu_qs();
+ }
+
+ // Re-enable CPU hotplug now that the holdout list scan has completed.
+--
+2.35.1
+
--- /dev/null
+From 970e2d94ac799a56900c17048ed0120ef934bff5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Sep 2022 13:09:02 +0300
+Subject: RDMA/cm: Use SLID in the work completion as the DLID in responder
+ side
+
+From: Mark Zhang <markzhang@nvidia.com>
+
+[ Upstream commit b7d95040c13f61a4a6a859c5355faf583eff9658 ]
+
+The responder should always use WC's SLID as the dlid, to follow the
+IB SPEC section "13.5.4.2 COMMON RESPONSE ACTIONS":
+A responder always takes the following actions in constructing a
+response packet:
+- The SLID of the received packet is used as the DLID in the response
+ packet.
+
+Fixes: ac3a949fb2ff ("IB/CM: Set appropriate slid and dlid when handling CM request")
+Signed-off-by: Mark Zhang <markzhang@nvidia.com>
+Reviewed-by: Mark Bloch <mbloch@nvidia.com>
+Link: https://lore.kernel.org/r/cd17c240231e059d2fc07c17dfe555d548b917eb.1662631201.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cm.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
+index b985e0d9bc05..5c910f5c01b3 100644
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -1632,14 +1632,13 @@ static void cm_path_set_rec_type(struct ib_device *ib_device, u32 port_num,
+
+ static void cm_format_path_lid_from_req(struct cm_req_msg *req_msg,
+ struct sa_path_rec *primary_path,
+- struct sa_path_rec *alt_path)
++ struct sa_path_rec *alt_path,
++ struct ib_wc *wc)
+ {
+ u32 lid;
+
+ if (primary_path->rec_type != SA_PATH_REC_TYPE_OPA) {
+- sa_path_set_dlid(primary_path,
+- IBA_GET(CM_REQ_PRIMARY_LOCAL_PORT_LID,
+- req_msg));
++ sa_path_set_dlid(primary_path, wc->slid);
+ sa_path_set_slid(primary_path,
+ IBA_GET(CM_REQ_PRIMARY_REMOTE_PORT_LID,
+ req_msg));
+@@ -1676,7 +1675,8 @@ static void cm_format_path_lid_from_req(struct cm_req_msg *req_msg,
+
+ static void cm_format_paths_from_req(struct cm_req_msg *req_msg,
+ struct sa_path_rec *primary_path,
+- struct sa_path_rec *alt_path)
++ struct sa_path_rec *alt_path,
++ struct ib_wc *wc)
+ {
+ primary_path->dgid =
+ *IBA_GET_MEM_PTR(CM_REQ_PRIMARY_LOCAL_PORT_GID, req_msg);
+@@ -1734,7 +1734,7 @@ static void cm_format_paths_from_req(struct cm_req_msg *req_msg,
+ if (sa_path_is_roce(alt_path))
+ alt_path->roce.route_resolved = false;
+ }
+- cm_format_path_lid_from_req(req_msg, primary_path, alt_path);
++ cm_format_path_lid_from_req(req_msg, primary_path, alt_path, wc);
+ }
+
+ static u16 cm_get_bth_pkey(struct cm_work *work)
+@@ -2148,7 +2148,7 @@ static int cm_req_handler(struct cm_work *work)
+ if (cm_req_has_alt_path(req_msg))
+ work->path[1].rec_type = work->path[0].rec_type;
+ cm_format_paths_from_req(req_msg, &work->path[0],
+- &work->path[1]);
++ &work->path[1], work->mad_recv_wc->wc);
+ if (cm_id_priv->av.ah_attr.type == RDMA_AH_ATTR_TYPE_ROCE)
+ sa_path_set_dmac(&work->path[0],
+ cm_id_priv->av.ah_attr.roce.dmac);
+--
+2.35.1
+
--- /dev/null
+From 998bd2019552f0f0af857467aa5afe731ce0fbce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 14:13:23 -0500
+Subject: RDMA/irdma: Align AE id codes to correct flush code and event
+
+From: Sindhu-Devale <sindhu.devale@intel.com>
+
+[ Upstream commit 7f51a961f8c6b84752a48e950074a8c4a0808d91 ]
+
+A number of asynchronous event (AE) ids were not aligned to the
+correct flush_code and event_type. Fix these up so that the
+correct IBV error and event codes are returned to application.
+
+Also, add handling for new AE ids like IRDMA_AE_INVALID_REQUEST to
+return the correct WC error code.
+
+Fixes: 44d9e52977a1 ("RDMA/irdma: Implement device initialization definitions")
+Signed-off-by: Sindhu-Devale <sindhu.devale@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20220907191324.1173-2-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/defs.h | 1 +
+ drivers/infiniband/hw/irdma/hw.c | 51 +++++++++++++++++------------
+ drivers/infiniband/hw/irdma/type.h | 1 +
+ drivers/infiniband/hw/irdma/user.h | 1 +
+ drivers/infiniband/hw/irdma/utils.c | 3 ++
+ drivers/infiniband/hw/irdma/verbs.c | 2 ++
+ 6 files changed, 38 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/infiniband/hw/irdma/defs.h b/drivers/infiniband/hw/irdma/defs.h
+index e03e03082a5f..c1906cab5c8a 100644
+--- a/drivers/infiniband/hw/irdma/defs.h
++++ b/drivers/infiniband/hw/irdma/defs.h
+@@ -314,6 +314,7 @@ enum irdma_cqp_op_type {
+ #define IRDMA_AE_IB_REMOTE_ACCESS_ERROR 0x020d
+ #define IRDMA_AE_IB_REMOTE_OP_ERROR 0x020e
+ #define IRDMA_AE_WQE_LSMM_TOO_LONG 0x0220
++#define IRDMA_AE_INVALID_REQUEST 0x0223
+ #define IRDMA_AE_DDP_INVALID_MSN_GAP_IN_MSN 0x0301
+ #define IRDMA_AE_DDP_UBE_DDP_MESSAGE_TOO_LONG_FOR_AVAILABLE_BUFFER 0x0303
+ #define IRDMA_AE_DDP_UBE_INVALID_DDP_VERSION 0x0304
+diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c
+index 4f132c6fb653..ab246447520b 100644
+--- a/drivers/infiniband/hw/irdma/hw.c
++++ b/drivers/infiniband/hw/irdma/hw.c
+@@ -138,59 +138,68 @@ static void irdma_set_flush_fields(struct irdma_sc_qp *qp,
+ qp->event_type = IRDMA_QP_EVENT_CATASTROPHIC;
+
+ switch (info->ae_id) {
+- case IRDMA_AE_AMP_UNALLOCATED_STAG:
+ case IRDMA_AE_AMP_BOUNDS_VIOLATION:
+ case IRDMA_AE_AMP_INVALID_STAG:
+- qp->event_type = IRDMA_QP_EVENT_ACCESS_ERR;
+- fallthrough;
++ case IRDMA_AE_AMP_RIGHTS_VIOLATION:
++ case IRDMA_AE_AMP_UNALLOCATED_STAG:
+ case IRDMA_AE_AMP_BAD_PD:
+- case IRDMA_AE_UDA_XMIT_BAD_PD:
++ case IRDMA_AE_AMP_BAD_QP:
++ case IRDMA_AE_AMP_BAD_STAG_KEY:
++ case IRDMA_AE_AMP_BAD_STAG_INDEX:
++ case IRDMA_AE_AMP_TO_WRAP:
++ case IRDMA_AE_PRIV_OPERATION_DENIED:
+ qp->flush_code = FLUSH_PROT_ERR;
++ qp->event_type = IRDMA_QP_EVENT_ACCESS_ERR;
+ break;
+- case IRDMA_AE_AMP_BAD_QP:
++ case IRDMA_AE_UDA_XMIT_BAD_PD:
+ case IRDMA_AE_WQE_UNEXPECTED_OPCODE:
+ qp->flush_code = FLUSH_LOC_QP_OP_ERR;
++ qp->event_type = IRDMA_QP_EVENT_CATASTROPHIC;
++ break;
++ case IRDMA_AE_UDA_XMIT_DGRAM_TOO_LONG:
++ case IRDMA_AE_UDA_XMIT_DGRAM_TOO_SHORT:
++ case IRDMA_AE_UDA_L4LEN_INVALID:
++ case IRDMA_AE_DDP_UBE_INVALID_MO:
++ case IRDMA_AE_DDP_UBE_DDP_MESSAGE_TOO_LONG_FOR_AVAILABLE_BUFFER:
++ qp->flush_code = FLUSH_LOC_LEN_ERR;
++ qp->event_type = IRDMA_QP_EVENT_CATASTROPHIC;
+ break;
+- case IRDMA_AE_AMP_BAD_STAG_KEY:
+- case IRDMA_AE_AMP_BAD_STAG_INDEX:
+- case IRDMA_AE_AMP_TO_WRAP:
+- case IRDMA_AE_AMP_RIGHTS_VIOLATION:
+ case IRDMA_AE_AMP_INVALIDATE_NO_REMOTE_ACCESS_RIGHTS:
+- case IRDMA_AE_PRIV_OPERATION_DENIED:
+- case IRDMA_AE_IB_INVALID_REQUEST:
+ case IRDMA_AE_IB_REMOTE_ACCESS_ERROR:
+ qp->flush_code = FLUSH_REM_ACCESS_ERR;
+ qp->event_type = IRDMA_QP_EVENT_ACCESS_ERR;
+ break;
+ case IRDMA_AE_LLP_SEGMENT_TOO_SMALL:
+- case IRDMA_AE_DDP_UBE_DDP_MESSAGE_TOO_LONG_FOR_AVAILABLE_BUFFER:
+- case IRDMA_AE_UDA_XMIT_DGRAM_TOO_LONG:
+- case IRDMA_AE_UDA_XMIT_DGRAM_TOO_SHORT:
+- case IRDMA_AE_UDA_L4LEN_INVALID:
++ case IRDMA_AE_LLP_RECEIVED_MPA_CRC_ERROR:
+ case IRDMA_AE_ROCE_RSP_LENGTH_ERROR:
+- qp->flush_code = FLUSH_LOC_LEN_ERR;
++ case IRDMA_AE_IB_REMOTE_OP_ERROR:
++ qp->flush_code = FLUSH_REM_OP_ERR;
++ qp->event_type = IRDMA_QP_EVENT_CATASTROPHIC;
+ break;
+ case IRDMA_AE_LCE_QP_CATASTROPHIC:
+ qp->flush_code = FLUSH_FATAL_ERR;
++ qp->event_type = IRDMA_QP_EVENT_CATASTROPHIC;
+ break;
+- case IRDMA_AE_DDP_UBE_INVALID_MO:
+ case IRDMA_AE_IB_RREQ_AND_Q1_FULL:
+- case IRDMA_AE_LLP_RECEIVED_MPA_CRC_ERROR:
+ qp->flush_code = FLUSH_GENERAL_ERR;
+ break;
+ case IRDMA_AE_LLP_TOO_MANY_RETRIES:
+ qp->flush_code = FLUSH_RETRY_EXC_ERR;
++ qp->event_type = IRDMA_QP_EVENT_CATASTROPHIC;
+ break;
+ case IRDMA_AE_AMP_MWBIND_INVALID_RIGHTS:
+ case IRDMA_AE_AMP_MWBIND_BIND_DISABLED:
+ case IRDMA_AE_AMP_MWBIND_INVALID_BOUNDS:
+ qp->flush_code = FLUSH_MW_BIND_ERR;
++ qp->event_type = IRDMA_QP_EVENT_ACCESS_ERR;
+ break;
+- case IRDMA_AE_IB_REMOTE_OP_ERROR:
+- qp->flush_code = FLUSH_REM_OP_ERR;
++ case IRDMA_AE_IB_INVALID_REQUEST:
++ qp->flush_code = FLUSH_REM_INV_REQ_ERR;
++ qp->event_type = IRDMA_QP_EVENT_REQ_ERR;
+ break;
+ default:
+- qp->flush_code = FLUSH_FATAL_ERR;
++ qp->flush_code = FLUSH_GENERAL_ERR;
++ qp->event_type = IRDMA_QP_EVENT_CATASTROPHIC;
+ break;
+ }
+ }
+diff --git a/drivers/infiniband/hw/irdma/type.h b/drivers/infiniband/hw/irdma/type.h
+index 9e7b8ecb137a..517d41a1c289 100644
+--- a/drivers/infiniband/hw/irdma/type.h
++++ b/drivers/infiniband/hw/irdma/type.h
+@@ -98,6 +98,7 @@ enum irdma_term_mpa_errors {
+ enum irdma_qp_event_type {
+ IRDMA_QP_EVENT_CATASTROPHIC,
+ IRDMA_QP_EVENT_ACCESS_ERR,
++ IRDMA_QP_EVENT_REQ_ERR,
+ };
+
+ enum irdma_hw_stats_index_32b {
+diff --git a/drivers/infiniband/hw/irdma/user.h b/drivers/infiniband/hw/irdma/user.h
+index ddd0ebbdd7d5..2ef61923c926 100644
+--- a/drivers/infiniband/hw/irdma/user.h
++++ b/drivers/infiniband/hw/irdma/user.h
+@@ -103,6 +103,7 @@ enum irdma_flush_opcode {
+ FLUSH_FATAL_ERR,
+ FLUSH_RETRY_EXC_ERR,
+ FLUSH_MW_BIND_ERR,
++ FLUSH_REM_INV_REQ_ERR,
+ };
+
+ enum irdma_cmpl_status {
+diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
+index 075defaabee5..8dfc9e154d73 100644
+--- a/drivers/infiniband/hw/irdma/utils.c
++++ b/drivers/infiniband/hw/irdma/utils.c
+@@ -2479,6 +2479,9 @@ void irdma_ib_qp_event(struct irdma_qp *iwqp, enum irdma_qp_event_type event)
+ case IRDMA_QP_EVENT_ACCESS_ERR:
+ ibevent.event = IB_EVENT_QP_ACCESS_ERR;
+ break;
++ case IRDMA_QP_EVENT_REQ_ERR:
++ ibevent.event = IB_EVENT_QP_REQ_ERR;
++ break;
+ }
+ ibevent.device = iwqp->ibqp.device;
+ ibevent.element.qp = &iwqp->ibqp;
+diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
+index 9b207f5084eb..6f07a913ef88 100644
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -3315,6 +3315,8 @@ static enum ib_wc_status irdma_flush_err_to_ib_wc_status(enum irdma_flush_opcode
+ return IB_WC_RETRY_EXC_ERR;
+ case FLUSH_MW_BIND_ERR:
+ return IB_WC_MW_BIND_ERR;
++ case FLUSH_REM_INV_REQ_ERR:
++ return IB_WC_REM_INV_REQ_ERR;
+ case FLUSH_FATAL_ERR:
+ default:
+ return IB_WC_FATAL_ERR;
+--
+2.35.1
+
--- /dev/null
+From 1ad1e92d41022f6130f5cff4dc3a37bdcb950290 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 14:13:24 -0500
+Subject: RDMA/irdma: Validate udata inlen and outlen
+
+From: Shiraz Saleem <shiraz.saleem@intel.com>
+
+[ Upstream commit 34acb833cc83bdea912a160ff99b537e62bb4cf3 ]
+
+Currently ib_copy_from_udata and ib_copy_to_udata could underfill
+the request and response buffer if the user-space passes an undersized
+value for udata->inlen or udata->outlen respectively [1]
+This could lead to undesirable behavior.
+
+Zero initing the buffer only goes as far as preventing using the buffer
+uninitialized.
+
+Validate udata->inlen and udata->outlen passed from user-space to ensure
+they are at least the required minimum size.
+
+[1] https://lore.kernel.org/linux-rdma/MWHPR11MB0029F37D40D9D4A993F8F549E9D79@MWHPR11MB0029.namprd11.prod.outlook.com/
+
+Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20220907191324.1173-3-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/verbs.c | 67 ++++++++++++++++++++++++++---
+ 1 file changed, 60 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
+index 6f07a913ef88..a22afbb25bc5 100644
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -299,13 +299,19 @@ static void irdma_alloc_push_page(struct irdma_qp *iwqp)
+ static int irdma_alloc_ucontext(struct ib_ucontext *uctx,
+ struct ib_udata *udata)
+ {
++#define IRDMA_ALLOC_UCTX_MIN_REQ_LEN offsetofend(struct irdma_alloc_ucontext_req, rsvd8)
++#define IRDMA_ALLOC_UCTX_MIN_RESP_LEN offsetofend(struct irdma_alloc_ucontext_resp, rsvd)
+ struct ib_device *ibdev = uctx->device;
+ struct irdma_device *iwdev = to_iwdev(ibdev);
+- struct irdma_alloc_ucontext_req req;
++ struct irdma_alloc_ucontext_req req = {};
+ struct irdma_alloc_ucontext_resp uresp = {};
+ struct irdma_ucontext *ucontext = to_ucontext(uctx);
+ struct irdma_uk_attrs *uk_attrs;
+
++ if (udata->inlen < IRDMA_ALLOC_UCTX_MIN_REQ_LEN ||
++ udata->outlen < IRDMA_ALLOC_UCTX_MIN_RESP_LEN)
++ return -EINVAL;
++
+ if (ib_copy_from_udata(&req, udata, min(sizeof(req), udata->inlen)))
+ return -EINVAL;
+
+@@ -317,7 +323,7 @@ static int irdma_alloc_ucontext(struct ib_ucontext *uctx,
+
+ uk_attrs = &iwdev->rf->sc_dev.hw_attrs.uk_attrs;
+ /* GEN_1 legacy support with libi40iw */
+- if (udata->outlen < sizeof(uresp)) {
++ if (udata->outlen == IRDMA_ALLOC_UCTX_MIN_RESP_LEN) {
+ if (uk_attrs->hw_rev != IRDMA_GEN_1)
+ return -EOPNOTSUPP;
+
+@@ -389,6 +395,7 @@ static void irdma_dealloc_ucontext(struct ib_ucontext *context)
+ */
+ static int irdma_alloc_pd(struct ib_pd *pd, struct ib_udata *udata)
+ {
++#define IRDMA_ALLOC_PD_MIN_RESP_LEN offsetofend(struct irdma_alloc_pd_resp, rsvd)
+ struct irdma_pd *iwpd = to_iwpd(pd);
+ struct irdma_device *iwdev = to_iwdev(pd->device);
+ struct irdma_sc_dev *dev = &iwdev->rf->sc_dev;
+@@ -398,6 +405,9 @@ static int irdma_alloc_pd(struct ib_pd *pd, struct ib_udata *udata)
+ u32 pd_id = 0;
+ int err;
+
++ if (udata && udata->outlen < IRDMA_ALLOC_PD_MIN_RESP_LEN)
++ return -EINVAL;
++
+ err = irdma_alloc_rsrc(rf, rf->allocated_pds, rf->max_pd, &pd_id,
+ &rf->next_pd);
+ if (err)
+@@ -814,12 +824,14 @@ static int irdma_create_qp(struct ib_qp *ibqp,
+ struct ib_qp_init_attr *init_attr,
+ struct ib_udata *udata)
+ {
++#define IRDMA_CREATE_QP_MIN_REQ_LEN offsetofend(struct irdma_create_qp_req, user_compl_ctx)
++#define IRDMA_CREATE_QP_MIN_RESP_LEN offsetofend(struct irdma_create_qp_resp, rsvd)
+ struct ib_pd *ibpd = ibqp->pd;
+ struct irdma_pd *iwpd = to_iwpd(ibpd);
+ struct irdma_device *iwdev = to_iwdev(ibpd->device);
+ struct irdma_pci_f *rf = iwdev->rf;
+ struct irdma_qp *iwqp = to_iwqp(ibqp);
+- struct irdma_create_qp_req req;
++ struct irdma_create_qp_req req = {};
+ struct irdma_create_qp_resp uresp = {};
+ u32 qp_num = 0;
+ int err_code;
+@@ -836,6 +848,10 @@ static int irdma_create_qp(struct ib_qp *ibqp,
+ if (err_code)
+ return err_code;
+
++ if (udata && (udata->inlen < IRDMA_CREATE_QP_MIN_REQ_LEN ||
++ udata->outlen < IRDMA_CREATE_QP_MIN_RESP_LEN))
++ return -EINVAL;
++
+ sq_size = init_attr->cap.max_send_wr;
+ rq_size = init_attr->cap.max_recv_wr;
+
+@@ -1120,6 +1136,8 @@ static int irdma_query_pkey(struct ib_device *ibdev, u32 port, u16 index,
+ int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr,
+ int attr_mask, struct ib_udata *udata)
+ {
++#define IRDMA_MODIFY_QP_MIN_REQ_LEN offsetofend(struct irdma_modify_qp_req, rq_flush)
++#define IRDMA_MODIFY_QP_MIN_RESP_LEN offsetofend(struct irdma_modify_qp_resp, push_valid)
+ struct irdma_pd *iwpd = to_iwpd(ibqp->pd);
+ struct irdma_qp *iwqp = to_iwqp(ibqp);
+ struct irdma_device *iwdev = iwqp->iwdev;
+@@ -1138,6 +1156,13 @@ int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr,
+ roce_info = &iwqp->roce_info;
+ udp_info = &iwqp->udp_info;
+
++ if (udata) {
++ /* udata inlen/outlen can be 0 when supporting legacy libi40iw */
++ if ((udata->inlen && udata->inlen < IRDMA_MODIFY_QP_MIN_REQ_LEN) ||
++ (udata->outlen && udata->outlen < IRDMA_MODIFY_QP_MIN_RESP_LEN))
++ return -EINVAL;
++ }
++
+ if (attr_mask & ~IB_QP_ATTR_STANDARD_BITS)
+ return -EOPNOTSUPP;
+
+@@ -1374,7 +1399,7 @@ int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr,
+
+ if (iwqp->iwarp_state == IRDMA_QP_STATE_ERROR) {
+ spin_unlock_irqrestore(&iwqp->lock, flags);
+- if (udata) {
++ if (udata && udata->inlen) {
+ if (ib_copy_from_udata(&ureq, udata,
+ min(sizeof(ureq), udata->inlen)))
+ return -EINVAL;
+@@ -1426,7 +1451,7 @@ int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr,
+ } else {
+ iwqp->ibqp_state = attr->qp_state;
+ }
+- if (udata && dev->hw_attrs.uk_attrs.hw_rev >= IRDMA_GEN_2) {
++ if (udata && udata->outlen && dev->hw_attrs.uk_attrs.hw_rev >= IRDMA_GEN_2) {
+ struct irdma_ucontext *ucontext;
+
+ ucontext = rdma_udata_to_drv_context(udata,
+@@ -1466,6 +1491,8 @@ int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr,
+ int irdma_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, int attr_mask,
+ struct ib_udata *udata)
+ {
++#define IRDMA_MODIFY_QP_MIN_REQ_LEN offsetofend(struct irdma_modify_qp_req, rq_flush)
++#define IRDMA_MODIFY_QP_MIN_RESP_LEN offsetofend(struct irdma_modify_qp_resp, push_valid)
+ struct irdma_qp *iwqp = to_iwqp(ibqp);
+ struct irdma_device *iwdev = iwqp->iwdev;
+ struct irdma_sc_dev *dev = &iwdev->rf->sc_dev;
+@@ -1480,6 +1507,13 @@ int irdma_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, int attr_mask,
+ int err;
+ unsigned long flags;
+
++ if (udata) {
++ /* udata inlen/outlen can be 0 when supporting legacy libi40iw */
++ if ((udata->inlen && udata->inlen < IRDMA_MODIFY_QP_MIN_REQ_LEN) ||
++ (udata->outlen && udata->outlen < IRDMA_MODIFY_QP_MIN_RESP_LEN))
++ return -EINVAL;
++ }
++
+ if (attr_mask & ~IB_QP_ATTR_STANDARD_BITS)
+ return -EOPNOTSUPP;
+
+@@ -1565,7 +1599,7 @@ int irdma_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, int attr_mask,
+ case IB_QPS_RESET:
+ if (iwqp->iwarp_state == IRDMA_QP_STATE_ERROR) {
+ spin_unlock_irqrestore(&iwqp->lock, flags);
+- if (udata) {
++ if (udata && udata->inlen) {
+ if (ib_copy_from_udata(&ureq, udata,
+ min(sizeof(ureq), udata->inlen)))
+ return -EINVAL;
+@@ -1662,7 +1696,7 @@ int irdma_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, int attr_mask,
+ }
+ }
+ }
+- if (attr_mask & IB_QP_STATE && udata &&
++ if (attr_mask & IB_QP_STATE && udata && udata->outlen &&
+ dev->hw_attrs.uk_attrs.hw_rev >= IRDMA_GEN_2) {
+ struct irdma_ucontext *ucontext;
+
+@@ -1797,6 +1831,7 @@ static int irdma_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata)
+ static int irdma_resize_cq(struct ib_cq *ibcq, int entries,
+ struct ib_udata *udata)
+ {
++#define IRDMA_RESIZE_CQ_MIN_REQ_LEN offsetofend(struct irdma_resize_cq_req, user_cq_buffer)
+ struct irdma_cq *iwcq = to_iwcq(ibcq);
+ struct irdma_sc_dev *dev = iwcq->sc_cq.dev;
+ struct irdma_cqp_request *cqp_request;
+@@ -1819,6 +1854,9 @@ static int irdma_resize_cq(struct ib_cq *ibcq, int entries,
+ IRDMA_FEATURE_CQ_RESIZE))
+ return -EOPNOTSUPP;
+
++ if (udata && udata->inlen < IRDMA_RESIZE_CQ_MIN_REQ_LEN)
++ return -EINVAL;
++
+ if (entries > rf->max_cqe)
+ return -EINVAL;
+
+@@ -1951,6 +1989,8 @@ static int irdma_create_cq(struct ib_cq *ibcq,
+ const struct ib_cq_init_attr *attr,
+ struct ib_udata *udata)
+ {
++#define IRDMA_CREATE_CQ_MIN_REQ_LEN offsetofend(struct irdma_create_cq_req, user_cq_buf)
++#define IRDMA_CREATE_CQ_MIN_RESP_LEN offsetofend(struct irdma_create_cq_resp, cq_size)
+ struct ib_device *ibdev = ibcq->device;
+ struct irdma_device *iwdev = to_iwdev(ibdev);
+ struct irdma_pci_f *rf = iwdev->rf;
+@@ -1969,6 +2009,11 @@ static int irdma_create_cq(struct ib_cq *ibcq,
+ err_code = cq_validate_flags(attr->flags, dev->hw_attrs.uk_attrs.hw_rev);
+ if (err_code)
+ return err_code;
++
++ if (udata && (udata->inlen < IRDMA_CREATE_CQ_MIN_REQ_LEN ||
++ udata->outlen < IRDMA_CREATE_CQ_MIN_RESP_LEN))
++ return -EINVAL;
++
+ err_code = irdma_alloc_rsrc(rf, rf->allocated_cqs, rf->max_cq, &cq_num,
+ &rf->next_cq);
+ if (err_code)
+@@ -2746,6 +2791,7 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len,
+ u64 virt, int access,
+ struct ib_udata *udata)
+ {
++#define IRDMA_MEM_REG_MIN_REQ_LEN offsetofend(struct irdma_mem_reg_req, sq_pages)
+ struct irdma_device *iwdev = to_iwdev(pd->device);
+ struct irdma_ucontext *ucontext;
+ struct irdma_pble_alloc *palloc;
+@@ -2763,6 +2809,9 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len,
+ if (len > iwdev->rf->sc_dev.hw_attrs.max_mr_size)
+ return ERR_PTR(-EINVAL);
+
++ if (udata->inlen < IRDMA_MEM_REG_MIN_REQ_LEN)
++ return ERR_PTR(-EINVAL);
++
+ region = ib_umem_get(pd->device, start, len, access);
+
+ if (IS_ERR(region)) {
+@@ -4298,12 +4347,16 @@ static int irdma_create_user_ah(struct ib_ah *ibah,
+ struct rdma_ah_init_attr *attr,
+ struct ib_udata *udata)
+ {
++#define IRDMA_CREATE_AH_MIN_RESP_LEN offsetofend(struct irdma_create_ah_resp, rsvd)
+ struct irdma_ah *ah = container_of(ibah, struct irdma_ah, ibah);
+ struct irdma_device *iwdev = to_iwdev(ibah->pd->device);
+ struct irdma_create_ah_resp uresp;
+ struct irdma_ah *parent_ah;
+ int err;
+
++ if (udata && udata->outlen < IRDMA_CREATE_AH_MIN_RESP_LEN)
++ return -EINVAL;
++
+ err = irdma_setup_ah(ibah, attr);
+ if (err)
+ return err;
+--
+2.35.1
+
--- /dev/null
+From 11ae94d16207bf8df4c7256e26f4c587d7cdd095 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Jul 2022 11:26:36 +0300
+Subject: RDMA/mlx5: Don't compare mkey tags in DEVX indirect mkey
+
+From: Aharon Landau <aharonl@nvidia.com>
+
+[ Upstream commit 13ad1125b941a5f257d9d3ae70485773abd34792 ]
+
+According to the ib spec:
+If the CI supports the Base Memory Management Extensions defined in this
+specification, the L_Key format must consist of:
+24 bit index in the most significant bits of the R_Key, and
+8 bit key in the least significant bits of the R_Key
+Through a successful Allocate L_Key verb invocation, the CI must let the
+consumer own the key portion of the returned R_Key
+
+Therefore, when creating a mkey using DEVX, the consumer is allowed to
+change the key part. The kernel should compare only the index part of a
+R_Key to determine equality with another R_Key.
+
+Adding capability in order not to break backward compatibility.
+
+Fixes: 534fd7aac56a ("IB/mlx5: Manage indirection mkey upon DEVX flow for ODP")
+Link: https://lore.kernel.org/r/3d669aacea85a3a15c3b3b953b3eaba3f80ef9be.1659255945.git.leonro@nvidia.com
+Signed-off-by: Aharon Landau <aharonl@nvidia.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 3 +++
+ drivers/infiniband/hw/mlx5/odp.c | 3 ++-
+ include/uapi/rdma/mlx5-abi.h | 1 +
+ 3 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index 883d7c60143e..1aa0c772b44d 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -1826,6 +1826,9 @@ static int set_ucontext_resp(struct ib_ucontext *uctx,
+ if (MLX5_CAP_GEN(dev->mdev, drain_sigerr))
+ resp->comp_mask |= MLX5_IB_ALLOC_UCONTEXT_RESP_MASK_SQD2RTS;
+
++ resp->comp_mask |=
++ MLX5_IB_ALLOC_UCONTEXT_RESP_MASK_MKEY_UPDATE_TAG;
++
+ return 0;
+ }
+
+diff --git a/drivers/infiniband/hw/mlx5/odp.c b/drivers/infiniband/hw/mlx5/odp.c
+index e305bf1dc6c2..901a8b030236 100644
+--- a/drivers/infiniband/hw/mlx5/odp.c
++++ b/drivers/infiniband/hw/mlx5/odp.c
+@@ -795,7 +795,8 @@ static bool mkey_is_eq(struct mlx5_ib_mkey *mmkey, u32 key)
+ {
+ if (!mmkey)
+ return false;
+- if (mmkey->type == MLX5_MKEY_MW)
++ if (mmkey->type == MLX5_MKEY_MW ||
++ mmkey->type == MLX5_MKEY_INDIRECT_DEVX)
+ return mlx5_base_mkey(mmkey->key) == mlx5_base_mkey(key);
+ return mmkey->key == key;
+ }
+diff --git a/include/uapi/rdma/mlx5-abi.h b/include/uapi/rdma/mlx5-abi.h
+index 86be4a92b67b..a96b7d2770e1 100644
+--- a/include/uapi/rdma/mlx5-abi.h
++++ b/include/uapi/rdma/mlx5-abi.h
+@@ -104,6 +104,7 @@ enum mlx5_ib_alloc_ucontext_resp_mask {
+ MLX5_IB_ALLOC_UCONTEXT_RESP_MASK_ECE = 1UL << 2,
+ MLX5_IB_ALLOC_UCONTEXT_RESP_MASK_SQD2RTS = 1UL << 3,
+ MLX5_IB_ALLOC_UCONTEXT_RESP_MASK_REAL_TIME_TS = 1UL << 4,
++ MLX5_IB_ALLOC_UCONTEXT_RESP_MASK_MKEY_UPDATE_TAG = 1UL << 5,
+ };
+
+ enum mlx5_user_cmds_supp_uhw {
+--
+2.35.1
+
--- /dev/null
+From 27488902d4aad25517d5466243aded74df1c54ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Aug 2022 16:12:18 +0900
+Subject: RDMA/rxe: Delete error messages triggered by incoming Read requests
+
+From: Daisuke Matsuda <matsuda-daisuke@fujitsu.com>
+
+[ Upstream commit 2c02249fcbfc066bd33e2a7375c7006d4cb367f6 ]
+
+An incoming Read request causes multiple Read responses. If a user MR to
+copy data from is unavailable or responder cannot send a reply, then the
+error messages can be printed for each response attempt, resulting in
+message overflow.
+
+Link: https://lore.kernel.org/r/20220829071218.1639065-1-matsuda-daisuke@fujitsu.com
+Signed-off-by: Daisuke Matsuda <matsuda-daisuke@fujitsu.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_resp.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c
+index b36ec5c4d5e0..7c336db5cb54 100644
+--- a/drivers/infiniband/sw/rxe/rxe_resp.c
++++ b/drivers/infiniband/sw/rxe/rxe_resp.c
+@@ -809,10 +809,8 @@ static enum resp_states read_reply(struct rxe_qp *qp,
+ if (!skb)
+ return RESPST_ERR_RNR;
+
+- err = rxe_mr_copy(mr, res->read.va, payload_addr(&ack_pkt),
+- payload, RXE_FROM_MR_OBJ);
+- if (err)
+- pr_err("Failed copying memory\n");
++ rxe_mr_copy(mr, res->read.va, payload_addr(&ack_pkt),
++ payload, RXE_FROM_MR_OBJ);
+ if (mr)
+ rxe_put(mr);
+
+@@ -823,10 +821,8 @@ static enum resp_states read_reply(struct rxe_qp *qp,
+ }
+
+ err = rxe_xmit_packet(qp, &ack_pkt, skb);
+- if (err) {
+- pr_err("Failed sending RDMA reply.\n");
++ if (err)
+ return RESPST_ERR_RNR;
+- }
+
+ res->read.va += payload;
+ res->read.resid -= payload;
+--
+2.35.1
+
--- /dev/null
+From f73f62b760603bd2c4f03b4acfabd2259f5e95f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Aug 2022 21:16:13 -0400
+Subject: RDMA/rxe: Fix "kernel NULL pointer dereference" error
+
+From: Zhu Yanjun <yanjun.zhu@linux.dev>
+
+[ Upstream commit a625ca30eff806395175ebad3ac1399014bdb280 ]
+
+When rxe_queue_init in the function rxe_qp_init_req fails,
+both qp->req.task.func and qp->req.task.arg are not initialized.
+
+Because of creation of qp fails, the function rxe_create_qp will
+call rxe_qp_do_cleanup to handle allocated resource.
+
+Before calling __rxe_do_task, both qp->req.task.func and
+qp->req.task.arg should be checked.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/20220822011615.805603-2-yanjun.zhu@linux.dev
+Reported-by: syzbot+ab99dc4c6e961eed8b8e@syzkaller.appspotmail.com
+Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: Li Zhijian <lizhijian@fujitsu.com>
+Reviewed-by: Bob Pearson <rpearsonhpe@gmail.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_qp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
+index 516bf9b95e48..fda03f9f03ed 100644
+--- a/drivers/infiniband/sw/rxe/rxe_qp.c
++++ b/drivers/infiniband/sw/rxe/rxe_qp.c
+@@ -797,7 +797,9 @@ static void rxe_qp_do_cleanup(struct work_struct *work)
+ rxe_cleanup_task(&qp->comp.task);
+
+ /* flush out any receive wr's or pending requests */
+- __rxe_do_task(&qp->req.task);
++ if (qp->req.task.func)
++ __rxe_do_task(&qp->req.task);
++
+ if (qp->sq.queue) {
+ __rxe_do_task(&qp->comp.task);
+ __rxe_do_task(&qp->req.task);
+--
+2.35.1
+
--- /dev/null
+From 224fced3ab7cb52b154d13db5cfe75dd179f4c66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 17:14:47 -0500
+Subject: RDMA/rxe: Fix resize_finish() in rxe_queue.c
+
+From: Bob Pearson <rpearsonhpe@gmail.com>
+
+[ Upstream commit fda5d0cf8aef12f0a4f714a96a4b2fce039a3e55 ]
+
+Currently in resize_finish() in rxe_queue.c there is a loop which copies
+the entries in the original queue into a newly allocated queue. The
+termination logic for this loop is incorrect. The call to
+queue_next_index() updates cons but has no effect on whether the queue is
+empty. So if the queue starts out empty nothing is copied but if it is not
+then the loop will run forever. This patch changes the loop to compare the
+value of cons to the original producer index.
+
+Fixes: ae6e843fe08d0 ("RDMA/rxe: Add memory barriers to kernel queues")
+Link: https://lore.kernel.org/r/20220825221446.6512-1-rpearsonhpe@gmail.com
+Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
+Reviewed-by: Li Zhijian <lizhijian@fujitsu.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_queue.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_queue.c b/drivers/infiniband/sw/rxe/rxe_queue.c
+index dbd4971039c0..d6dbf5a0058d 100644
+--- a/drivers/infiniband/sw/rxe/rxe_queue.c
++++ b/drivers/infiniband/sw/rxe/rxe_queue.c
+@@ -112,23 +112,25 @@ static int resize_finish(struct rxe_queue *q, struct rxe_queue *new_q,
+ unsigned int num_elem)
+ {
+ enum queue_type type = q->type;
++ u32 new_prod;
+ u32 prod;
+ u32 cons;
+
+ if (!queue_empty(q, q->type) && (num_elem < queue_count(q, type)))
+ return -EINVAL;
+
+- prod = queue_get_producer(new_q, type);
++ new_prod = queue_get_producer(new_q, type);
++ prod = queue_get_producer(q, type);
+ cons = queue_get_consumer(q, type);
+
+- while (!queue_empty(q, type)) {
+- memcpy(queue_addr_from_index(new_q, prod),
++ while ((prod - cons) & q->index_mask) {
++ memcpy(queue_addr_from_index(new_q, new_prod),
+ queue_addr_from_index(q, cons), new_q->elem_size);
+- prod = queue_next_index(new_q, prod);
++ new_prod = queue_next_index(new_q, new_prod);
+ cons = queue_next_index(q, cons);
+ }
+
+- new_q->buf->producer_index = prod;
++ new_q->buf->producer_index = new_prod;
+ q->buf->consumer_index = cons;
+
+ /* update private index copies */
+--
+2.35.1
+
--- /dev/null
+From a453d48b2a3b705fd877b9e9ba963c7b7c0ded1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Aug 2022 21:16:14 -0400
+Subject: RDMA/rxe: Fix the error caused by qp->sk
+
+From: Zhu Yanjun <yanjun.zhu@linux.dev>
+
+[ Upstream commit 548ce2e66725dcba4e27d1e8ac468d5dd17fd509 ]
+
+When sock_create_kern in the function rxe_qp_init_req fails,
+qp->sk is set to NULL.
+
+Then the function rxe_create_qp will call rxe_qp_do_cleanup
+to handle allocated resource.
+
+Before handling qp->sk, this variable should be checked.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/20220822011615.805603-3-yanjun.zhu@linux.dev
+Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: Li Zhijian <lizhijian@fujitsu.com>
+Reviewed-by: Bob Pearson <rpearsonhpe@gmail.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_qp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
+index fda03f9f03ed..d776dfda43b1 100644
+--- a/drivers/infiniband/sw/rxe/rxe_qp.c
++++ b/drivers/infiniband/sw/rxe/rxe_qp.c
+@@ -835,8 +835,10 @@ static void rxe_qp_do_cleanup(struct work_struct *work)
+
+ free_rd_atomic_resources(qp);
+
+- kernel_sock_shutdown(qp->sk, SHUT_RDWR);
+- sock_release(qp->sk);
++ if (qp->sk) {
++ kernel_sock_shutdown(qp->sk, SHUT_RDWR);
++ sock_release(qp->sk);
++ }
+ }
+
+ /* called when the last reference to the qp is dropped */
+--
+2.35.1
+
--- /dev/null
+From 3ca741f19f1ed4d57006a4ac5aa1ae94d68de06f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Aug 2022 13:31:54 -0500
+Subject: RDMA/rxe: Set pd early in mr alloc routines
+
+From: Bob Pearson <rpearsonhpe@gmail.com>
+
+[ Upstream commit 58651bbb30f87dab474eff31ab564391aa6ea1f3 ]
+
+Move setting of pd in mr objects ahead of any possible errors so that it
+will always be set in rxe_mr_cleanup() to avoid seg faults when
+rxe_put(mr_pd(mr)) is called.
+
+Fixes: cf40367961d8 ("RDMA/rxe: Move mr cleanup code to rxe_mr_cleanup()")
+Link: https://lore.kernel.org/r/20220805183153.32007-2-rpearsonhpe@gmail.com
+Signed-off-by: Bob Pearson <rpearsonhpe@gmail.com>
+Reviewed-by: Li Zhijian <lizhijian@fujitsu.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_loc.h | 6 +++---
+ drivers/infiniband/sw/rxe/rxe_mr.c | 11 ++++-------
+ drivers/infiniband/sw/rxe/rxe_verbs.c | 12 +++++++-----
+ 3 files changed, 14 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_loc.h b/drivers/infiniband/sw/rxe/rxe_loc.h
+index 22f6cc31d1d6..c2a5c8814a48 100644
+--- a/drivers/infiniband/sw/rxe/rxe_loc.h
++++ b/drivers/infiniband/sw/rxe/rxe_loc.h
+@@ -64,10 +64,10 @@ int rxe_mmap(struct ib_ucontext *context, struct vm_area_struct *vma);
+
+ /* rxe_mr.c */
+ u8 rxe_get_next_key(u32 last_key);
+-void rxe_mr_init_dma(struct rxe_pd *pd, int access, struct rxe_mr *mr);
+-int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova,
++void rxe_mr_init_dma(int access, struct rxe_mr *mr);
++int rxe_mr_init_user(struct rxe_dev *rxe, u64 start, u64 length, u64 iova,
+ int access, struct rxe_mr *mr);
+-int rxe_mr_init_fast(struct rxe_pd *pd, int max_pages, struct rxe_mr *mr);
++int rxe_mr_init_fast(int max_pages, struct rxe_mr *mr);
+ int rxe_mr_copy(struct rxe_mr *mr, u64 iova, void *addr, int length,
+ enum rxe_mr_copy_dir dir);
+ int copy_data(struct rxe_pd *pd, int access, struct rxe_dma_info *dma,
+diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
+index 850b80f5ad8b..af34f198e645 100644
+--- a/drivers/infiniband/sw/rxe/rxe_mr.c
++++ b/drivers/infiniband/sw/rxe/rxe_mr.c
+@@ -103,17 +103,16 @@ static int rxe_mr_alloc(struct rxe_mr *mr, int num_buf)
+ return -ENOMEM;
+ }
+
+-void rxe_mr_init_dma(struct rxe_pd *pd, int access, struct rxe_mr *mr)
++void rxe_mr_init_dma(int access, struct rxe_mr *mr)
+ {
+ rxe_mr_init(access, mr);
+
+- mr->ibmr.pd = &pd->ibpd;
+ mr->access = access;
+ mr->state = RXE_MR_STATE_VALID;
+ mr->type = IB_MR_TYPE_DMA;
+ }
+
+-int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova,
++int rxe_mr_init_user(struct rxe_dev *rxe, u64 start, u64 length, u64 iova,
+ int access, struct rxe_mr *mr)
+ {
+ struct rxe_map **map;
+@@ -125,7 +124,7 @@ int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova,
+ int err;
+ int i;
+
+- umem = ib_umem_get(pd->ibpd.device, start, length, access);
++ umem = ib_umem_get(&rxe->ib_dev, start, length, access);
+ if (IS_ERR(umem)) {
+ pr_warn("%s: Unable to pin memory region err = %d\n",
+ __func__, (int)PTR_ERR(umem));
+@@ -175,7 +174,6 @@ int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova,
+ }
+ }
+
+- mr->ibmr.pd = &pd->ibpd;
+ mr->umem = umem;
+ mr->access = access;
+ mr->length = length;
+@@ -197,7 +195,7 @@ int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova,
+ return err;
+ }
+
+-int rxe_mr_init_fast(struct rxe_pd *pd, int max_pages, struct rxe_mr *mr)
++int rxe_mr_init_fast(int max_pages, struct rxe_mr *mr)
+ {
+ int err;
+
+@@ -208,7 +206,6 @@ int rxe_mr_init_fast(struct rxe_pd *pd, int max_pages, struct rxe_mr *mr)
+ if (err)
+ goto err1;
+
+- mr->ibmr.pd = &pd->ibpd;
+ mr->max_buf = max_pages;
+ mr->state = RXE_MR_STATE_FREE;
+ mr->type = IB_MR_TYPE_MEM_REG;
+diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c
+index e264cf69bf55..f54a3eba652f 100644
+--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
+@@ -903,7 +903,9 @@ static struct ib_mr *rxe_get_dma_mr(struct ib_pd *ibpd, int access)
+ return ERR_PTR(-ENOMEM);
+
+ rxe_get(pd);
+- rxe_mr_init_dma(pd, access, mr);
++ mr->ibmr.pd = ibpd;
++
++ rxe_mr_init_dma(access, mr);
+ rxe_finalize(mr);
+
+ return &mr->ibmr;
+@@ -928,8 +930,9 @@ static struct ib_mr *rxe_reg_user_mr(struct ib_pd *ibpd,
+
+
+ rxe_get(pd);
++ mr->ibmr.pd = ibpd;
+
+- err = rxe_mr_init_user(pd, start, length, iova, access, mr);
++ err = rxe_mr_init_user(rxe, start, length, iova, access, mr);
+ if (err)
+ goto err3;
+
+@@ -938,7 +941,6 @@ static struct ib_mr *rxe_reg_user_mr(struct ib_pd *ibpd,
+ return &mr->ibmr;
+
+ err3:
+- rxe_put(pd);
+ rxe_cleanup(mr);
+ err2:
+ return ERR_PTR(err);
+@@ -962,8 +964,9 @@ static struct ib_mr *rxe_alloc_mr(struct ib_pd *ibpd, enum ib_mr_type mr_type,
+ }
+
+ rxe_get(pd);
++ mr->ibmr.pd = ibpd;
+
+- err = rxe_mr_init_fast(pd, max_num_sg, mr);
++ err = rxe_mr_init_fast(max_num_sg, mr);
+ if (err)
+ goto err2;
+
+@@ -972,7 +975,6 @@ static struct ib_mr *rxe_alloc_mr(struct ib_pd *ibpd, enum ib_mr_type mr_type,
+ return &mr->ibmr;
+
+ err2:
+- rxe_put(pd);
+ rxe_cleanup(mr);
+ err1:
+ return ERR_PTR(err);
+--
+2.35.1
+
--- /dev/null
+From 65e3fa458a4371e55042aef1f75db0e5556d1717 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 10:12:02 +0200
+Subject: RDMA/siw: Always consume all skbuf data in sk_data_ready() upcall.
+
+From: Bernard Metzler <bmt@zurich.ibm.com>
+
+[ Upstream commit 754209850df8367c954ac1de7671c7430b1f342c ]
+
+For header and trailer/padding processing, siw did not consume new
+skb data until minimum amount present to fill current header or trailer
+structure, including potential payload padding. Not consuming any
+data during upcall may cause a receive stall, since tcp_read_sock()
+is not upcalling again if no new data arrive.
+A NFSoRDMA client got stuck at RDMA Write reception of unaligned
+payload, if the current skb did contain only the expected 3 padding
+bytes, but not the 4 bytes CRC trailer. Expecting 4 more bytes already
+arrived in another skb, and not consuming those 3 bytes in the current
+upcall left the Write incomplete, waiting for the CRC forever.
+
+Fixes: 8b6a361b8c48 ("rdma/siw: receive path")
+Reported-by: Olga Kornievskaia <kolga@netapp.com>
+Tested-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com>
+Link: https://lore.kernel.org/r/20220920081202.223629-1-bmt@zurich.ibm.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/siw/siw_qp_rx.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/infiniband/sw/siw/siw_qp_rx.c b/drivers/infiniband/sw/siw/siw_qp_rx.c
+index 875ea6f1b04a..fd721cc19682 100644
+--- a/drivers/infiniband/sw/siw/siw_qp_rx.c
++++ b/drivers/infiniband/sw/siw/siw_qp_rx.c
+@@ -961,27 +961,28 @@ int siw_proc_terminate(struct siw_qp *qp)
+ static int siw_get_trailer(struct siw_qp *qp, struct siw_rx_stream *srx)
+ {
+ struct sk_buff *skb = srx->skb;
++ int avail = min(srx->skb_new, srx->fpdu_part_rem);
+ u8 *tbuf = (u8 *)&srx->trailer.crc - srx->pad;
+ __wsum crc_in, crc_own = 0;
+
+ siw_dbg_qp(qp, "expected %d, available %d, pad %u\n",
+ srx->fpdu_part_rem, srx->skb_new, srx->pad);
+
+- if (srx->skb_new < srx->fpdu_part_rem)
+- return -EAGAIN;
+-
+- skb_copy_bits(skb, srx->skb_offset, tbuf, srx->fpdu_part_rem);
++ skb_copy_bits(skb, srx->skb_offset, tbuf, avail);
+
+- if (srx->mpa_crc_hd && srx->pad)
+- crypto_shash_update(srx->mpa_crc_hd, tbuf, srx->pad);
++ srx->skb_new -= avail;
++ srx->skb_offset += avail;
++ srx->skb_copied += avail;
++ srx->fpdu_part_rem -= avail;
+
+- srx->skb_new -= srx->fpdu_part_rem;
+- srx->skb_offset += srx->fpdu_part_rem;
+- srx->skb_copied += srx->fpdu_part_rem;
++ if (srx->fpdu_part_rem)
++ return -EAGAIN;
+
+ if (!srx->mpa_crc_hd)
+ return 0;
+
++ if (srx->pad)
++ crypto_shash_update(srx->mpa_crc_hd, tbuf, srx->pad);
+ /*
+ * CRC32 is computed, transmitted and received directly in NBO,
+ * so there's never a reason to convert byte order.
+@@ -1083,10 +1084,9 @@ static int siw_get_hdr(struct siw_rx_stream *srx)
+ * completely received.
+ */
+ if (iwarp_pktinfo[opcode].hdr_len > sizeof(struct iwarp_ctrl_tagged)) {
+- bytes = iwarp_pktinfo[opcode].hdr_len - MIN_DDP_HDR;
++ int hdrlen = iwarp_pktinfo[opcode].hdr_len;
+
+- if (srx->skb_new < bytes)
+- return -EAGAIN;
++ bytes = min_t(int, hdrlen - MIN_DDP_HDR, srx->skb_new);
+
+ skb_copy_bits(skb, srx->skb_offset,
+ (char *)c_hdr + srx->fpdu_part_rcvd, bytes);
+@@ -1096,6 +1096,9 @@ static int siw_get_hdr(struct siw_rx_stream *srx)
+ srx->skb_new -= bytes;
+ srx->skb_offset += bytes;
+ srx->skb_copied += bytes;
++
++ if (srx->fpdu_part_rcvd < hdrlen)
++ return -EAGAIN;
+ }
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From 0f57ba1989ed85cee73f0b5e1fb1751092326ac1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 10:25:03 +0200
+Subject: RDMA/siw: Fix QP destroy to wait for all references dropped.
+
+From: Bernard Metzler <bmt@zurich.ibm.com>
+
+[ Upstream commit a3c278807a459e6f50afee6971cabe74cccfb490 ]
+
+Delay QP destroy completion until all siw references to QP are
+dropped. The calling RDMA core will free QP structure after
+successful return from siw_qp_destroy() call, so siw must not
+hold any remaining reference to the QP upon return.
+A use-after-free was encountered in xfstest generic/460, while
+testing NFSoRDMA. Here, after a TCP connection drop by peer,
+the triggered siw_cm_work_handler got delayed until after
+QP destroy call, referencing a QP which has already freed.
+
+Fixes: 303ae1cdfdf7 ("rdma/siw: application interface")
+Reported-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com>
+Link: https://lore.kernel.org/r/20220920082503.224189-1-bmt@zurich.ibm.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/siw/siw.h | 1 +
+ drivers/infiniband/sw/siw/siw_qp.c | 2 +-
+ drivers/infiniband/sw/siw/siw_verbs.c | 3 +++
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/siw/siw.h b/drivers/infiniband/sw/siw/siw.h
+index df03d84c6868..2f3a9cda3850 100644
+--- a/drivers/infiniband/sw/siw/siw.h
++++ b/drivers/infiniband/sw/siw/siw.h
+@@ -418,6 +418,7 @@ struct siw_qp {
+ struct ib_qp base_qp;
+ struct siw_device *sdev;
+ struct kref ref;
++ struct completion qp_free;
+ struct list_head devq;
+ int tx_cpu;
+ struct siw_qp_attrs attrs;
+diff --git a/drivers/infiniband/sw/siw/siw_qp.c b/drivers/infiniband/sw/siw/siw_qp.c
+index 7e01f2438afc..e6f634971228 100644
+--- a/drivers/infiniband/sw/siw/siw_qp.c
++++ b/drivers/infiniband/sw/siw/siw_qp.c
+@@ -1342,6 +1342,6 @@ void siw_free_qp(struct kref *ref)
+ vfree(qp->orq);
+
+ siw_put_tx_cpu(qp->tx_cpu);
+-
++ complete(&qp->qp_free);
+ atomic_dec(&sdev->num_qp);
+ }
+diff --git a/drivers/infiniband/sw/siw/siw_verbs.c b/drivers/infiniband/sw/siw/siw_verbs.c
+index 8dedae7ae79e..3e814cfb298c 100644
+--- a/drivers/infiniband/sw/siw/siw_verbs.c
++++ b/drivers/infiniband/sw/siw/siw_verbs.c
+@@ -480,6 +480,8 @@ int siw_create_qp(struct ib_qp *ibqp, struct ib_qp_init_attr *attrs,
+ list_add_tail(&qp->devq, &sdev->qp_list);
+ spin_unlock_irqrestore(&sdev->lock, flags);
+
++ init_completion(&qp->qp_free);
++
+ return 0;
+
+ err_out_xa:
+@@ -624,6 +626,7 @@ int siw_destroy_qp(struct ib_qp *base_qp, struct ib_udata *udata)
+ qp->scq = qp->rcq = NULL;
+
+ siw_qp_put(qp);
++ wait_for_completion(&qp->qp_free);
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From c46fb848b696ced8e5906d67ec170e35490417e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Sep 2022 16:31:39 -0700
+Subject: RDMA/srp: Fix srp_abort()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 6dbe4a8dead84de474483910b02ec9e6a10fc1a9 ]
+
+Fix the code for converting a SCSI command pointer into an SRP request
+pointer.
+
+Cc: Xiao Yang <yangx.jy@fujitsu.com>
+Fixes: ad215aaea4f9 ("RDMA/srp: Make struct scsi_cmnd and struct srp_request adjacent")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20220908233139.3042628-1-bvanassche@acm.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
+index d7f69e593a63..9c9872868aee 100644
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -2789,7 +2789,7 @@ static int srp_send_tsk_mgmt(struct srp_rdma_ch *ch, u64 req_tag, u64 lun,
+ static int srp_abort(struct scsi_cmnd *scmnd)
+ {
+ struct srp_target_port *target = host_to_target(scmnd->device->host);
+- struct srp_request *req = (struct srp_request *) scmnd->host_scribble;
++ struct srp_request *req = scsi_cmd_priv(scmnd);
+ u32 tag;
+ u16 ch_idx;
+ struct srp_rdma_ch *ch;
+@@ -2797,8 +2797,6 @@ static int srp_abort(struct scsi_cmnd *scmnd)
+
+ shost_printk(KERN_ERR, target->scsi_host, "SRP abort called\n");
+
+- if (!req)
+- return SUCCESS;
+ tag = blk_mq_unique_tag(scsi_cmd_to_rq(scmnd));
+ ch_idx = blk_mq_unique_tag_to_hwq(tag);
+ if (WARN_ON_ONCE(ch_idx >= target->ch_count))
+--
+2.35.1
+
--- /dev/null
+From 81f04d43847d593097f0e855ff7c6e552f49aee5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 14:38:59 -0700
+Subject: RDMA/srp: Handle dev_set_name() failure
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 351e458f725da8106eba920f3cdecf39a0e31136 ]
+
+Instead of ignoring dev_set_name() failure, handle dev_set_name()
+failure. Convert a device_register() call into device_initialize() and
+device_add() calls.
+
+Link: https://lore.kernel.org/r/20220825213900.864587-4-bvanassche@acm.org
+Reported-by: Bo Liu <liubo03@inspur.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Stable-dep-of: b05398aff9ad ("RDMA/srp: Support more than 255 rdma ports")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
+index 4039cd744d03..fc4777f22fd3 100644
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -3902,12 +3902,13 @@ static struct srp_host *srp_add_port(struct srp_device *device, u8 port)
+ host->srp_dev = device;
+ host->port = port;
+
++ device_initialize(&host->dev);
+ host->dev.class = &srp_class;
+ host->dev.parent = device->dev->dev.parent;
+- dev_set_name(&host->dev, "srp-%s-%d", dev_name(&device->dev->dev),
+- port);
+-
+- if (device_register(&host->dev))
++ if (dev_set_name(&host->dev, "srp-%s-%d", dev_name(&device->dev->dev),
++ port))
++ goto put_host;
++ if (device_add(&host->dev))
+ goto put_host;
+ if (device_create_file(&host->dev, &dev_attr_add_target))
+ goto put_host;
+--
+2.35.1
+
--- /dev/null
+From dbbe4c253fcc084c7dd8c32b5696dc947b8fe98b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 14:38:57 -0700
+Subject: RDMA/srp: Rework the srp_add_port() error path
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit c8e4c23976554fb9dda1658bd1a3914b202815cd ]
+
+device_register() always calls device_initialize() so calling device_del()
+is safe even if device_register() fails. Implement the following advice
+from the comment block above device_register(): "NOTE: _Never_ directly free
+@dev after calling this function, even if it returned an error! Always use
+put_device() to give up the reference initialized in this function instead."
+Keep the kfree() call in the error path since srp_release_dev() does not
+free the host.
+
+Link: https://lore.kernel.org/r/20220825213900.864587-2-bvanassche@acm.org
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Stable-dep-of: b05398aff9ad ("RDMA/srp: Support more than 255 rdma ports")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
+index 9c9872868aee..4039cd744d03 100644
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -3908,20 +3908,19 @@ static struct srp_host *srp_add_port(struct srp_device *device, u8 port)
+ port);
+
+ if (device_register(&host->dev))
+- goto free_host;
++ goto put_host;
+ if (device_create_file(&host->dev, &dev_attr_add_target))
+- goto err_class;
++ goto put_host;
+ if (device_create_file(&host->dev, &dev_attr_ibdev))
+- goto err_class;
++ goto put_host;
+ if (device_create_file(&host->dev, &dev_attr_port))
+- goto err_class;
++ goto put_host;
+
+ return host;
+
+-err_class:
+- device_unregister(&host->dev);
+-
+-free_host:
++put_host:
++ device_del(&host->dev);
++ put_device(&host->dev);
+ kfree(host);
+
+ return NULL;
+--
+2.35.1
+
--- /dev/null
+From 110fa4325c2b91cb93eb2669c4c6640e43c580bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 11:03:07 +0300
+Subject: RDMA/srp: Support more than 255 rdma ports
+
+From: Mikhael Goikhman <migo@nvidia.com>
+
+[ Upstream commit b05398aff9ad9dc701b261183a5d756165d28b51 ]
+
+Currently ib_srp module does not support devices with more than 256
+ports. Switch from u8 to u32 to fix the problem.
+
+Fixes: 1fb7f8973f51 ("RDMA: Support more than 255 rdma ports")
+Reviewed-by: Shay Drory <shayd@nvidia.com>
+Signed-off-by: Mikhael Goikhman <migo@nvidia.com>
+Link: https://lore.kernel.org/r/7d80d8844f1abb3a54170b7259f0a02be38080a6.1663747327.git.leonro@nvidia.com
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 12 ++++++------
+ drivers/infiniband/ulp/srp/ib_srp.h | 2 +-
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
+index 96be06e8635c..ecbdcad1c0be 100644
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -2989,7 +2989,7 @@ static ssize_t local_ib_port_show(struct device *dev,
+ {
+ struct srp_target_port *target = host_to_target(class_to_shost(dev));
+
+- return sysfs_emit(buf, "%d\n", target->srp_host->port);
++ return sysfs_emit(buf, "%u\n", target->srp_host->port);
+ }
+
+ static DEVICE_ATTR_RO(local_ib_port);
+@@ -3887,7 +3887,7 @@ static ssize_t port_show(struct device *dev, struct device_attribute *attr,
+ {
+ struct srp_host *host = container_of(dev, struct srp_host, dev);
+
+- return sysfs_emit(buf, "%d\n", host->port);
++ return sysfs_emit(buf, "%u\n", host->port);
+ }
+
+ static DEVICE_ATTR_RO(port);
+@@ -3899,7 +3899,7 @@ static struct attribute *srp_class_attrs[] = {
+ NULL
+ };
+
+-static struct srp_host *srp_add_port(struct srp_device *device, u8 port)
++static struct srp_host *srp_add_port(struct srp_device *device, u32 port)
+ {
+ struct srp_host *host;
+
+@@ -3917,7 +3917,7 @@ static struct srp_host *srp_add_port(struct srp_device *device, u8 port)
+ device_initialize(&host->dev);
+ host->dev.class = &srp_class;
+ host->dev.parent = device->dev->dev.parent;
+- if (dev_set_name(&host->dev, "srp-%s-%d", dev_name(&device->dev->dev),
++ if (dev_set_name(&host->dev, "srp-%s-%u", dev_name(&device->dev->dev),
+ port))
+ goto put_host;
+ if (device_add(&host->dev))
+@@ -3941,7 +3941,7 @@ static void srp_rename_dev(struct ib_device *device, void *client_data)
+ list_for_each_entry_safe(host, tmp_host, &srp_dev->dev_list, list) {
+ char name[IB_DEVICE_NAME_MAX + 8];
+
+- snprintf(name, sizeof(name), "srp-%s-%d",
++ snprintf(name, sizeof(name), "srp-%s-%u",
+ dev_name(&device->dev), host->port);
+ device_rename(&host->dev, name);
+ }
+@@ -3953,7 +3953,7 @@ static int srp_add_one(struct ib_device *device)
+ struct ib_device_attr *attr = &device->attrs;
+ struct srp_host *host;
+ int mr_page_shift;
+- unsigned int p;
++ u32 p;
+ u64 max_pages_per_mr;
+ unsigned int flags = 0;
+
+diff --git a/drivers/infiniband/ulp/srp/ib_srp.h b/drivers/infiniband/ulp/srp/ib_srp.h
+index 55a575e2cace..c80709dfbe77 100644
+--- a/drivers/infiniband/ulp/srp/ib_srp.h
++++ b/drivers/infiniband/ulp/srp/ib_srp.h
+@@ -120,7 +120,7 @@ struct srp_device {
+ */
+ struct srp_host {
+ struct srp_device *srp_dev;
+- u8 port;
++ u32 port;
+ struct device dev;
+ struct list_head target_list;
+ spinlock_t target_lock;
+--
+2.35.1
+
--- /dev/null
+From 14ab55e56e4200b6aeb7b89243c0aadfcf3a16d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 14:39:00 -0700
+Subject: RDMA/srp: Use the attribute group mechanism for sysfs attributes
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit b8a9c18c2f39bd84b8240b744b666114f7d62054 ]
+
+Simplify the SRP driver by using the attribute group mechanism instead
+of calling device_create_file() explicitly.
+
+Link: https://lore.kernel.org/r/20220825213900.864587-5-bvanassche@acm.org
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Stable-dep-of: b05398aff9ad ("RDMA/srp: Support more than 255 rdma ports")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/srp/ib_srp.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
+index fc4777f22fd3..96be06e8635c 100644
+--- a/drivers/infiniband/ulp/srp/ib_srp.c
++++ b/drivers/infiniband/ulp/srp/ib_srp.c
+@@ -3180,8 +3180,13 @@ static void srp_release_dev(struct device *dev)
+ complete(&host->released);
+ }
+
++static struct attribute *srp_class_attrs[];
++
++ATTRIBUTE_GROUPS(srp_class);
++
+ static struct class srp_class = {
+ .name = "infiniband_srp",
++ .dev_groups = srp_class_groups,
+ .dev_release = srp_release_dev
+ };
+
+@@ -3887,6 +3892,13 @@ static ssize_t port_show(struct device *dev, struct device_attribute *attr,
+
+ static DEVICE_ATTR_RO(port);
+
++static struct attribute *srp_class_attrs[] = {
++ &dev_attr_add_target.attr,
++ &dev_attr_ibdev.attr,
++ &dev_attr_port.attr,
++ NULL
++};
++
+ static struct srp_host *srp_add_port(struct srp_device *device, u8 port)
+ {
+ struct srp_host *host;
+@@ -3910,12 +3922,6 @@ static struct srp_host *srp_add_port(struct srp_device *device, u8 port)
+ goto put_host;
+ if (device_add(&host->dev))
+ goto put_host;
+- if (device_create_file(&host->dev, &dev_attr_add_target))
+- goto put_host;
+- if (device_create_file(&host->dev, &dev_attr_ibdev))
+- goto put_host;
+- if (device_create_file(&host->dev, &dev_attr_port))
+- goto put_host;
+
+ return host;
+
+--
+2.35.1
+
--- /dev/null
+From d7740e912ea491036bcf05a82616b1a9448b7a93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 14:59:53 +0200
+Subject: regulator: core: Prevent integer underflow
+
+From: Patrick Rudolph <patrick.rudolph@9elements.com>
+
+[ Upstream commit 8d8e16592022c9650df8aedfe6552ed478d7135b ]
+
+By using a ratio of delay to poll_enabled_time that is not integer
+time_remaining underflows and does not exit the loop as expected.
+As delay could be derived from DT and poll_enabled_time is defined
+in the driver this can easily happen.
+
+Use a signed iterator to make sure that the loop exits once
+the remaining time is negative.
+
+Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
+Link: https://lore.kernel.org/r/20220909125954.577669-1-patrick.rudolph@9elements.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index d3e8dc32832d..c3871565fd7d 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -2681,7 +2681,7 @@ static int _regulator_do_enable(struct regulator_dev *rdev)
+ * return -ETIMEDOUT.
+ */
+ if (rdev->desc->poll_enabled_time) {
+- unsigned int time_remaining = delay;
++ int time_remaining = delay;
+
+ while (time_remaining > 0) {
+ _regulator_delay_helper(rdev->desc->poll_enabled_time);
+--
+2.35.1
+
--- /dev/null
+From 6b046c340977a92d1b58ca290047861d8d1f38b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 17:11:44 +0300
+Subject: remoteproc: Harden rproc_handle_vdev() against integer overflow
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 7d7f8fe4e399519cc9ac68a475fec6d3a996341b ]
+
+The struct_size() macro protects against integer overflows but adding
+"+ rsc->config_len" introduces the risk of integer overflows again.
+Use size_add() to be safe.
+
+Fixes: c87846571587 ("remoteproc: use struct_size() helper")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Mukesh Ojha <quic_mojha@quicinc.com>
+Link: https://lore.kernel.org/r/YyMyoPoGOJUcEpZT@kili
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/remoteproc_core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
+index e5279ed9a8d7..4fc5ce2187ac 100644
+--- a/drivers/remoteproc/remoteproc_core.c
++++ b/drivers/remoteproc/remoteproc_core.c
+@@ -520,12 +520,13 @@ static int rproc_handle_vdev(struct rproc *rproc, void *ptr,
+ struct fw_rsc_vdev *rsc = ptr;
+ struct device *dev = &rproc->dev;
+ struct rproc_vdev *rvdev;
++ size_t rsc_size;
+ int i, ret;
+ char name[16];
+
+ /* make sure resource isn't truncated */
+- if (struct_size(rsc, vring, rsc->num_of_vrings) + rsc->config_len >
+- avail) {
++ rsc_size = struct_size(rsc, vring, rsc->num_of_vrings);
++ if (size_add(rsc_size, rsc->config_len) > avail) {
+ dev_err(dev, "vdev rsc is truncated\n");
+ return -EINVAL;
+ }
+--
+2.35.1
+
--- /dev/null
+From dc78c51c5ccdc9e4ff68f4795865d3ee0ffd40e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Aug 2022 20:43:18 +0800
+Subject: remoteproc: imx_dsp_rproc: fix argument 2 of rproc_mem_entry_init
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit 729c16326b7f3f4e83e4195f620a6ca0b7dfa25a ]
+
+There are sparse warning:
+drivers/remoteproc/imx_dsp_rproc.c:602:49: sparse: sparse: incorrect type in argument 2 (different address spaces) @@ expected void *va @@ got void [noderef] __iomem *[assigned] cpu_addr @@
+drivers/remoteproc/imx_dsp_rproc.c:602:49: sparse: expected void *va
+drivers/remoteproc/imx_dsp_rproc.c:602:49: sparse: got void [noderef] __iomem *[assigned] cpu_addr
+drivers/remoteproc/imx_dsp_rproc.c:638:49: sparse: sparse: incorrect type in argument 2 (different address spaces) @@ expected void *va @@ got void [noderef] __iomem *[assigned] cpu_addr @@
+drivers/remoteproc/imx_dsp_rproc.c:638:49: sparse: expected void *va
+drivers/remoteproc/imx_dsp_rproc.c:638:49: sparse: got void [noderef] __iomem *[assigned] cpu_addr
+
+Fixes: ec0e5549f358 ("remoteproc: imx_dsp_rproc: Add remoteproc driver for DSP on i.MX")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Link: https://lore.kernel.org/r/1660567398-24495-1-git-send-email-shengjiu.wang@nxp.com
+Acked-by: Mukesh Ojha <quic_mojha@quicinc.com>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/imx_dsp_rproc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/remoteproc/imx_dsp_rproc.c b/drivers/remoteproc/imx_dsp_rproc.c
+index ca0817f8e41e..899aa8dd12f0 100644
+--- a/drivers/remoteproc/imx_dsp_rproc.c
++++ b/drivers/remoteproc/imx_dsp_rproc.c
+@@ -599,7 +599,7 @@ static int imx_dsp_rproc_add_carveout(struct imx_dsp_rproc *priv)
+ }
+
+ /* Register memory region */
+- mem = rproc_mem_entry_init(dev, cpu_addr, (dma_addr_t)att->sa,
++ mem = rproc_mem_entry_init(dev, (void __force *)cpu_addr, (dma_addr_t)att->sa,
+ att->size, da, NULL, NULL, "dsp_mem");
+
+ if (mem)
+@@ -635,7 +635,7 @@ static int imx_dsp_rproc_add_carveout(struct imx_dsp_rproc *priv)
+ }
+
+ /* Register memory region */
+- mem = rproc_mem_entry_init(dev, cpu_addr, (dma_addr_t)rmem->base,
++ mem = rproc_mem_entry_init(dev, (void __force *)cpu_addr, (dma_addr_t)rmem->base,
+ rmem->size, da, NULL, NULL, it.node->name);
+
+ if (mem)
+--
+2.35.1
+
--- /dev/null
+From fb4f6133d80c5e1147a18ba9ea303c71710d60ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Aug 2022 00:02:32 +0200
+Subject: remoteproc: imx_rproc: Simplify some error message
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit a1c3611dcfb08e62e165ab5c00122dd13f210166 ]
+
+dev_err_probe() already prints the error code in a human readable way, so
+there is no need to duplicate it as a numerical value at the end of the
+message.
+
+While at it, remove 'ret' that is mostly useless.
+
+Fixes: 2df7062002d0 ("remoteproc: imx_proc: enable virtio/mailbox")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/6b9343c2688117a340661d8ee491c2962c54a09a.1659736936.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/imx_rproc.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
+index 38383e7de3c1..7cc4fd207e2d 100644
+--- a/drivers/remoteproc/imx_rproc.c
++++ b/drivers/remoteproc/imx_rproc.c
+@@ -646,7 +646,6 @@ static int imx_rproc_xtr_mbox_init(struct rproc *rproc)
+ struct imx_rproc *priv = rproc->priv;
+ struct device *dev = priv->dev;
+ struct mbox_client *cl;
+- int ret;
+
+ if (!of_get_property(dev->of_node, "mbox-names", NULL))
+ return 0;
+@@ -659,18 +658,15 @@ static int imx_rproc_xtr_mbox_init(struct rproc *rproc)
+ cl->rx_callback = imx_rproc_rx_callback;
+
+ priv->tx_ch = mbox_request_channel_byname(cl, "tx");
+- if (IS_ERR(priv->tx_ch)) {
+- ret = PTR_ERR(priv->tx_ch);
+- return dev_err_probe(cl->dev, ret,
+- "failed to request tx mailbox channel: %d\n", ret);
+- }
++ if (IS_ERR(priv->tx_ch))
++ return dev_err_probe(cl->dev, PTR_ERR(priv->tx_ch),
++ "failed to request tx mailbox channel\n");
+
+ priv->rx_ch = mbox_request_channel_byname(cl, "rx");
+ if (IS_ERR(priv->rx_ch)) {
+ mbox_free_channel(priv->tx_ch);
+- ret = PTR_ERR(priv->rx_ch);
+- return dev_err_probe(cl->dev, ret,
+- "failed to request rx mailbox channel: %d\n", ret);
++ return dev_err_probe(cl->dev, PTR_ERR(priv->rx_ch),
++ "failed to request rx mailbox channel\n");
+ }
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 48a03a33580d690a1159d8278f6b5f5f12a3c213 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 20:49:13 +0900
+Subject: Revert "usb: storage: Add quirk for Samsung Fit flash"
+
+From: sunghwan jung <onenowy@gmail.com>
+
+[ Upstream commit ad5dbfc123e6ffbbde194e2a4603323e09f741ee ]
+
+This reverts commit 86d92f5465958752481269348d474414dccb1552,
+which fix the timeout issue for "Samsung Fit Flash".
+
+But the commit affects not only "Samsung Fit Flash" but also other usb
+storages that use the same controller and causes severe performance
+regression.
+
+ # hdparm -t /dev/sda (without the quirk)
+ Timing buffered disk reads: 622 MB in 3.01 seconds = 206.66 MB/sec
+
+ # hdparm -t /dev/sda (with the quirk)
+ Timing buffered disk reads: 220 MB in 3.00 seconds = 73.32 MB/sec
+
+The commit author mentioned that "Issue was reproduced after device has
+bad block", so this quirk should be applied when we have the timeout
+issue with a device that has bad blocks.
+
+We revert the commit so that we apply this quirk by adding kernel
+paramters using a bootloader or other ways when we really need it,
+without the performance regression with devices that don't have the
+issue.
+
+Signed-off-by: sunghwan jung <onenowy@gmail.com>
+Link: https://lore.kernel.org/r/20220913114913.3073-1-onenowy@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/storage/unusual_devs.h | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
+index 4993227ab293..20dcbccb290b 100644
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -1275,12 +1275,6 @@ UNUSUAL_DEV( 0x090a, 0x1200, 0x0000, 0x9999,
+ USB_SC_RBC, USB_PR_BULK, NULL,
+ 0 ),
+
+-UNUSUAL_DEV(0x090c, 0x1000, 0x1100, 0x1100,
+- "Samsung",
+- "Flash Drive FIT",
+- USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+- US_FL_MAX_SECTORS_64),
+-
+ /* aeb */
+ UNUSUAL_DEV( 0x090c, 0x1132, 0x0000, 0xffff,
+ "Feiya",
+--
+2.35.1
+
--- /dev/null
+From fb97874fd0929937a4719f37eaa2c1f82c6fff16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Jul 2022 10:34:51 +0800
+Subject: rtw89: ser: leave lps with mutex
+
+From: Zong-Zhe Yang <kevin_yang@realtek.com>
+
+[ Upstream commit 8676031bae1c91037d06341214f4150b33707c68 ]
+
+Calling rtw89_leave_lps() should hold rtwdev::mutex.
+So, fix it.
+
+Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220704023453.19935-5-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/ser.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/ser.c b/drivers/net/wireless/realtek/rtw89/ser.c
+index 726223f25dc6..7240364e8f7d 100644
+--- a/drivers/net/wireless/realtek/rtw89/ser.c
++++ b/drivers/net/wireless/realtek/rtw89/ser.c
+@@ -152,7 +152,10 @@ static void ser_state_run(struct rtw89_ser *ser, u8 evt)
+ rtw89_debug(rtwdev, RTW89_DBG_SER, "ser: %s receive %s\n",
+ ser_st_name(ser), ser_ev_name(ser, evt));
+
++ mutex_lock(&rtwdev->mutex);
+ rtw89_leave_lps(rtwdev);
++ mutex_unlock(&rtwdev->mutex);
++
+ ser->st_tbl[ser->state].st_func(ser, evt);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From c88269924fc3dfa0317019b48fb96586bbf2a351 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 18:32:08 +0800
+Subject: rv/monitor: Add __init/__exit annotations to module init/exit funcs
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+[ Upstream commit 834168fb2ce57681dee86a405ec560f54417830c ]
+
+Add missing __init/__exit annotations to module init/exit funcs.
+
+Link: https://lkml.kernel.org/r/20220922103208.162869-1-xiujianfeng@huawei.com
+
+Fixes: 24bce201d798 ("tools/rv: Add dot2k")
+Fixes: 8812d21219b9 ("rv/monitor: Add the wip monitor skeleton created by dot2k")
+Fixes: ccc319dcb450 ("rv/monitor: Add the wwnr monitor")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Acked-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/rv/monitors/wip/wip.c | 4 ++--
+ kernel/trace/rv/monitors/wwnr/wwnr.c | 4 ++--
+ tools/verification/dot2/dot2k_templates/main_global.c | 4 ++--
+ tools/verification/dot2/dot2k_templates/main_per_cpu.c | 4 ++--
+ tools/verification/dot2/dot2k_templates/main_per_task.c | 4 ++--
+ 5 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/trace/rv/monitors/wip/wip.c b/kernel/trace/rv/monitors/wip/wip.c
+index 83cace53b9fa..6be876e2f405 100644
+--- a/kernel/trace/rv/monitors/wip/wip.c
++++ b/kernel/trace/rv/monitors/wip/wip.c
+@@ -69,13 +69,13 @@ struct rv_monitor rv_wip = {
+ .enabled = 0,
+ };
+
+-static int register_wip(void)
++static int __init register_wip(void)
+ {
+ rv_register_monitor(&rv_wip);
+ return 0;
+ }
+
+-static void unregister_wip(void)
++static void __exit unregister_wip(void)
+ {
+ rv_unregister_monitor(&rv_wip);
+ }
+diff --git a/kernel/trace/rv/monitors/wwnr/wwnr.c b/kernel/trace/rv/monitors/wwnr/wwnr.c
+index 599225d9cf38..c1fac4808b02 100644
+--- a/kernel/trace/rv/monitors/wwnr/wwnr.c
++++ b/kernel/trace/rv/monitors/wwnr/wwnr.c
+@@ -68,13 +68,13 @@ struct rv_monitor rv_wwnr = {
+ .enabled = 0,
+ };
+
+-static int register_wwnr(void)
++static int __init register_wwnr(void)
+ {
+ rv_register_monitor(&rv_wwnr);
+ return 0;
+ }
+
+-static void unregister_wwnr(void)
++static void __exit unregister_wwnr(void)
+ {
+ rv_unregister_monitor(&rv_wwnr);
+ }
+diff --git a/tools/verification/dot2/dot2k_templates/main_global.c b/tools/verification/dot2/dot2k_templates/main_global.c
+index f4b712dbc92e..45fc6709701b 100644
+--- a/tools/verification/dot2/dot2k_templates/main_global.c
++++ b/tools/verification/dot2/dot2k_templates/main_global.c
+@@ -72,13 +72,13 @@ struct rv_monitor rv_MODEL_NAME = {
+ .enabled = 0,
+ };
+
+-static int register_MODEL_NAME(void)
++static int __init register_MODEL_NAME(void)
+ {
+ rv_register_monitor(&rv_MODEL_NAME);
+ return 0;
+ }
+
+-static void unregister_MODEL_NAME(void)
++static void __exit unregister_MODEL_NAME(void)
+ {
+ rv_unregister_monitor(&rv_MODEL_NAME);
+ }
+diff --git a/tools/verification/dot2/dot2k_templates/main_per_cpu.c b/tools/verification/dot2/dot2k_templates/main_per_cpu.c
+index 4080d1ca3354..9014c9ef657b 100644
+--- a/tools/verification/dot2/dot2k_templates/main_per_cpu.c
++++ b/tools/verification/dot2/dot2k_templates/main_per_cpu.c
+@@ -72,13 +72,13 @@ struct rv_monitor rv_MODEL_NAME = {
+ .enabled = 0,
+ };
+
+-static int register_MODEL_NAME(void)
++static int __init register_MODEL_NAME(void)
+ {
+ rv_register_monitor(&rv_MODEL_NAME);
+ return 0;
+ }
+
+-static void unregister_MODEL_NAME(void)
++static void __exit unregister_MODEL_NAME(void)
+ {
+ rv_unregister_monitor(&rv_MODEL_NAME);
+ }
+diff --git a/tools/verification/dot2/dot2k_templates/main_per_task.c b/tools/verification/dot2/dot2k_templates/main_per_task.c
+index 89197175384f..13d11620d19f 100644
+--- a/tools/verification/dot2/dot2k_templates/main_per_task.c
++++ b/tools/verification/dot2/dot2k_templates/main_per_task.c
+@@ -72,13 +72,13 @@ struct rv_monitor rv_MODEL_NAME = {
+ .enabled = 0,
+ };
+
+-static int register_MODEL_NAME(void)
++static int __init register_MODEL_NAME(void)
+ {
+ rv_register_monitor(&rv_MODEL_NAME);
+ return 0;
+ }
+
+-static void unregister_MODEL_NAME(void)
++static void __exit unregister_MODEL_NAME(void)
+ {
+ rv_unregister_monitor(&rv_MODEL_NAME);
+ }
+--
+2.35.1
+
--- /dev/null
+From 67e50b0c78052157df4c79c8ba8ad177ca45f0a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Sep 2022 15:09:37 +0200
+Subject: sbitmap: Avoid leaving waitqueue in invalid state in __sbq_wake_up()
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 48c033314f372478548203c583529f53080fd078 ]
+
+When __sbq_wake_up() decrements wait_cnt to 0 but races with someone
+else waking the waiter on the waitqueue (so the waitqueue becomes
+empty), it exits without reseting wait_cnt to wake_batch number. Once
+wait_cnt is 0, nobody will ever reset the wait_cnt or wake the new
+waiters resulting in possible deadlocks or busyloops. Fix the problem by
+making sure we reset wait_cnt even if we didn't wake up anybody in the
+end.
+
+Fixes: 040b83fcecfb ("sbitmap: fix possible io hung due to lost wakeup")
+Reported-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20220908130937.2795-1-jack@suse.cz
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/sbitmap.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/lib/sbitmap.c b/lib/sbitmap.c
+index 1f31147872e6..bb1970ad4875 100644
+--- a/lib/sbitmap.c
++++ b/lib/sbitmap.c
+@@ -605,6 +605,7 @@ static bool __sbq_wake_up(struct sbitmap_queue *sbq)
+ struct sbq_wait_state *ws;
+ unsigned int wake_batch;
+ int wait_cnt;
++ bool ret;
+
+ ws = sbq_wake_ptr(sbq);
+ if (!ws)
+@@ -615,12 +616,23 @@ static bool __sbq_wake_up(struct sbitmap_queue *sbq)
+ * For concurrent callers of this, callers should call this function
+ * again to wakeup a new batch on a different 'ws'.
+ */
+- if (wait_cnt < 0 || !waitqueue_active(&ws->wait))
++ if (wait_cnt < 0)
+ return true;
+
++ /*
++ * If we decremented queue without waiters, retry to avoid lost
++ * wakeups.
++ */
+ if (wait_cnt > 0)
+- return false;
++ return !waitqueue_active(&ws->wait);
+
++ /*
++ * When wait_cnt == 0, we have to be particularly careful as we are
++ * responsible to reset wait_cnt regardless whether we've actually
++ * woken up anybody. But in case we didn't wakeup anybody, we still
++ * need to retry.
++ */
++ ret = !waitqueue_active(&ws->wait);
+ wake_batch = READ_ONCE(sbq->wake_batch);
+
+ /*
+@@ -649,7 +661,7 @@ static bool __sbq_wake_up(struct sbitmap_queue *sbq)
+ sbq_index_atomic_inc(&sbq->wake_index);
+ atomic_set(&ws->wait_cnt, wake_batch);
+
+- return false;
++ return ret;
+ }
+
+ void sbitmap_queue_wake_up(struct sbitmap_queue *sbq)
+--
+2.35.1
+
--- /dev/null
+From 6a6fe39fb947ccbe768f23442c2bf11596c4e1dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Aug 2022 20:15:04 +0800
+Subject: sbitmap: fix possible io hung due to lost wakeup
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 040b83fcecfb86f3225d3a5de7fd9b3fbccf83b4 ]
+
+There are two problems can lead to lost wakeup:
+
+1) invalid wakeup on the wrong waitqueue:
+
+For example, 2 * wake_batch tags are put, while only wake_batch threads
+are woken:
+
+__sbq_wake_up
+ atomic_cmpxchg -> reset wait_cnt
+ __sbq_wake_up -> decrease wait_cnt
+ ...
+ __sbq_wake_up -> wait_cnt is decreased to 0 again
+ atomic_cmpxchg
+ sbq_index_atomic_inc -> increase wake_index
+ wake_up_nr -> wake up and waitqueue might be empty
+ sbq_index_atomic_inc -> increase again, one waitqueue is skipped
+ wake_up_nr -> invalid wake up because old wakequeue might be empty
+
+To fix the problem, increasing 'wake_index' before resetting 'wait_cnt'.
+
+2) 'wait_cnt' can be decreased while waitqueue is empty
+
+As pointed out by Jan Kara, following race is possible:
+
+CPU1 CPU2
+__sbq_wake_up __sbq_wake_up
+ sbq_wake_ptr() sbq_wake_ptr() -> the same
+ wait_cnt = atomic_dec_return()
+ /* decreased to 0 */
+ sbq_index_atomic_inc()
+ /* move to next waitqueue */
+ atomic_set()
+ /* reset wait_cnt */
+ wake_up_nr()
+ /* wake up on the old waitqueue */
+ wait_cnt = atomic_dec_return()
+ /*
+ * decrease wait_cnt in the old
+ * waitqueue, while it can be
+ * empty.
+ */
+
+Fix the problem by waking up before updating 'wake_index' and
+'wait_cnt'.
+
+With this patch, noted that 'wait_cnt' is still decreased in the old
+empty waitqueue, however, the wakeup is redirected to a active waitqueue,
+and the extra decrement on the old empty waitqueue is not handled.
+
+Fixes: 88459642cba4 ("blk-mq: abstract tag allocation out into sbitmap library")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20220803121504.212071-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/sbitmap.c | 55 ++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 33 insertions(+), 22 deletions(-)
+
+diff --git a/lib/sbitmap.c b/lib/sbitmap.c
+index 29eb0484215a..1f31147872e6 100644
+--- a/lib/sbitmap.c
++++ b/lib/sbitmap.c
+@@ -611,32 +611,43 @@ static bool __sbq_wake_up(struct sbitmap_queue *sbq)
+ return false;
+
+ wait_cnt = atomic_dec_return(&ws->wait_cnt);
+- if (wait_cnt <= 0) {
+- int ret;
++ /*
++ * For concurrent callers of this, callers should call this function
++ * again to wakeup a new batch on a different 'ws'.
++ */
++ if (wait_cnt < 0 || !waitqueue_active(&ws->wait))
++ return true;
+
+- wake_batch = READ_ONCE(sbq->wake_batch);
++ if (wait_cnt > 0)
++ return false;
+
+- /*
+- * Pairs with the memory barrier in sbitmap_queue_resize() to
+- * ensure that we see the batch size update before the wait
+- * count is reset.
+- */
+- smp_mb__before_atomic();
++ wake_batch = READ_ONCE(sbq->wake_batch);
+
+- /*
+- * For concurrent callers of this, the one that failed the
+- * atomic_cmpxhcg() race should call this function again
+- * to wakeup a new batch on a different 'ws'.
+- */
+- ret = atomic_cmpxchg(&ws->wait_cnt, wait_cnt, wake_batch);
+- if (ret == wait_cnt) {
+- sbq_index_atomic_inc(&sbq->wake_index);
+- wake_up_nr(&ws->wait, wake_batch);
+- return false;
+- }
++ /*
++ * Wake up first in case that concurrent callers decrease wait_cnt
++ * while waitqueue is empty.
++ */
++ wake_up_nr(&ws->wait, wake_batch);
+
+- return true;
+- }
++ /*
++ * Pairs with the memory barrier in sbitmap_queue_resize() to
++ * ensure that we see the batch size update before the wait
++ * count is reset.
++ *
++ * Also pairs with the implicit barrier between decrementing wait_cnt
++ * and checking for waitqueue_active() to make sure waitqueue_active()
++ * sees result of the wakeup if atomic_dec_return() has seen the result
++ * of atomic_set().
++ */
++ smp_mb__before_atomic();
++
++ /*
++ * Increase wake_index before updating wait_cnt, otherwise concurrent
++ * callers can see valid wait_cnt in old waitqueue, which can cause
++ * invalid wakeup on the old waitqueue.
++ */
++ sbq_index_atomic_inc(&sbq->wake_index);
++ atomic_set(&ws->wait_cnt, wake_batch);
+
+ return false;
+ }
+--
+2.35.1
+
--- /dev/null
+From ac371312b04d6dcfbfc833ac34da12774f1ff70a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Aug 2022 19:01:15 +0800
+Subject: scsi: 3w-9xxx: Avoid disabling device if failing to enable it
+
+From: Letu Ren <fantasquex@gmail.com>
+
+[ Upstream commit 7eff437b5ee1309b34667844361c6bbb5c97df05 ]
+
+The original code will "goto out_disable_device" and call
+pci_disable_device() if pci_enable_device() fails. The kernel will generate
+a warning message like "3w-9xxx 0000:00:05.0: disabling already-disabled
+device".
+
+We shouldn't disable a device that failed to be enabled. A simple return is
+fine.
+
+Link: https://lore.kernel.org/r/20220829110115.38789-1-fantasquex@gmail.com
+Reported-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Letu Ren <fantasquex@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/3w-9xxx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c
+index cd823ff5deab..6cb9cca9565b 100644
+--- a/drivers/scsi/3w-9xxx.c
++++ b/drivers/scsi/3w-9xxx.c
+@@ -2006,7 +2006,7 @@ static int twa_probe(struct pci_dev *pdev, const struct pci_device_id *dev_id)
+ retval = pci_enable_device(pdev);
+ if (retval) {
+ TW_PRINTK(host, TW_DRIVER, 0x34, "Failed to enable pci device");
+- goto out_disable_device;
++ return -ENODEV;
+ }
+
+ pci_set_master(pdev);
+--
+2.35.1
+
--- /dev/null
+From f38b702e919ff2dd98cc5d6f1d9c434705e1b1ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 17:17:00 -0500
+Subject: scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling
+ getpeername()
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit 57569c37f0add1b6489e1a1563c71519daf732cf ]
+
+Fix a NULL pointer crash that occurs when we are freeing the socket at the
+same time we access it via sysfs.
+
+The problem is that:
+
+ 1. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() take
+ the frwd_lock and do sock_hold() then drop the frwd_lock. sock_hold()
+ does a get on the "struct sock".
+
+ 2. iscsi_sw_tcp_release_conn() does sockfd_put() which does the last put
+ on the "struct socket" and that does __sock_release() which sets the
+ sock->ops to NULL.
+
+ 3. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() then
+ call kernel_getpeername() which accesses the NULL sock->ops.
+
+Above we do a get on the "struct sock", but we needed a get on the "struct
+socket". Originally, we just held the frwd_lock the entire time but in
+commit bcf3a2953d36 ("scsi: iscsi: iscsi_tcp: Avoid holding spinlock while
+calling getpeername()") we switched to refcount based because the network
+layer changed and started taking a mutex in that path, so we could no
+longer hold the frwd_lock.
+
+Instead of trying to maintain multiple refcounts, this just has us use a
+mutex for accessing the socket in the interface code paths.
+
+Link: https://lore.kernel.org/r/20220907221700.10302-1-michael.christie@oracle.com
+Fixes: bcf3a2953d36 ("scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling getpeername()")
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/iscsi_tcp.c | 73 ++++++++++++++++++++++++++++------------
+ drivers/scsi/iscsi_tcp.h | 3 ++
+ 2 files changed, 55 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
+index 29b1bd755afe..5fb1f364e815 100644
+--- a/drivers/scsi/iscsi_tcp.c
++++ b/drivers/scsi/iscsi_tcp.c
+@@ -595,6 +595,8 @@ iscsi_sw_tcp_conn_create(struct iscsi_cls_session *cls_session,
+ INIT_WORK(&conn->recvwork, iscsi_sw_tcp_recv_data_work);
+ tcp_sw_conn->queue_recv = iscsi_recv_from_iscsi_q;
+
++ mutex_init(&tcp_sw_conn->sock_lock);
++
+ tfm = crypto_alloc_ahash("crc32c", 0, CRYPTO_ALG_ASYNC);
+ if (IS_ERR(tfm))
+ goto free_conn;
+@@ -629,11 +631,15 @@ iscsi_sw_tcp_conn_create(struct iscsi_cls_session *cls_session,
+
+ static void iscsi_sw_tcp_release_conn(struct iscsi_conn *conn)
+ {
+- struct iscsi_session *session = conn->session;
+ struct iscsi_tcp_conn *tcp_conn = conn->dd_data;
+ struct iscsi_sw_tcp_conn *tcp_sw_conn = tcp_conn->dd_data;
+ struct socket *sock = tcp_sw_conn->sock;
+
++ /*
++ * The iscsi transport class will make sure we are not called in
++ * parallel with start, stop, bind and destroys. However, this can be
++ * called twice if userspace does a stop then a destroy.
++ */
+ if (!sock)
+ return;
+
+@@ -649,9 +655,9 @@ static void iscsi_sw_tcp_release_conn(struct iscsi_conn *conn)
+
+ iscsi_suspend_rx(conn);
+
+- spin_lock_bh(&session->frwd_lock);
++ mutex_lock(&tcp_sw_conn->sock_lock);
+ tcp_sw_conn->sock = NULL;
+- spin_unlock_bh(&session->frwd_lock);
++ mutex_unlock(&tcp_sw_conn->sock_lock);
+ sockfd_put(sock);
+ }
+
+@@ -703,7 +709,6 @@ iscsi_sw_tcp_conn_bind(struct iscsi_cls_session *cls_session,
+ struct iscsi_cls_conn *cls_conn, uint64_t transport_eph,
+ int is_leading)
+ {
+- struct iscsi_session *session = cls_session->dd_data;
+ struct iscsi_conn *conn = cls_conn->dd_data;
+ struct iscsi_tcp_conn *tcp_conn = conn->dd_data;
+ struct iscsi_sw_tcp_conn *tcp_sw_conn = tcp_conn->dd_data;
+@@ -723,10 +728,10 @@ iscsi_sw_tcp_conn_bind(struct iscsi_cls_session *cls_session,
+ if (err)
+ goto free_socket;
+
+- spin_lock_bh(&session->frwd_lock);
++ mutex_lock(&tcp_sw_conn->sock_lock);
+ /* bind iSCSI connection and socket */
+ tcp_sw_conn->sock = sock;
+- spin_unlock_bh(&session->frwd_lock);
++ mutex_unlock(&tcp_sw_conn->sock_lock);
+
+ /* setup Socket parameters */
+ sk = sock->sk;
+@@ -763,8 +768,15 @@ static int iscsi_sw_tcp_conn_set_param(struct iscsi_cls_conn *cls_conn,
+ break;
+ case ISCSI_PARAM_DATADGST_EN:
+ iscsi_set_param(cls_conn, param, buf, buflen);
++
++ mutex_lock(&tcp_sw_conn->sock_lock);
++ if (!tcp_sw_conn->sock) {
++ mutex_unlock(&tcp_sw_conn->sock_lock);
++ return -ENOTCONN;
++ }
+ tcp_sw_conn->sendpage = conn->datadgst_en ?
+ sock_no_sendpage : tcp_sw_conn->sock->ops->sendpage;
++ mutex_unlock(&tcp_sw_conn->sock_lock);
+ break;
+ case ISCSI_PARAM_MAX_R2T:
+ return iscsi_tcp_set_max_r2t(conn, buf);
+@@ -779,8 +791,8 @@ static int iscsi_sw_tcp_conn_get_param(struct iscsi_cls_conn *cls_conn,
+ enum iscsi_param param, char *buf)
+ {
+ struct iscsi_conn *conn = cls_conn->dd_data;
+- struct iscsi_tcp_conn *tcp_conn = conn->dd_data;
+- struct iscsi_sw_tcp_conn *tcp_sw_conn = tcp_conn->dd_data;
++ struct iscsi_sw_tcp_conn *tcp_sw_conn;
++ struct iscsi_tcp_conn *tcp_conn;
+ struct sockaddr_in6 addr;
+ struct socket *sock;
+ int rc;
+@@ -790,21 +802,36 @@ static int iscsi_sw_tcp_conn_get_param(struct iscsi_cls_conn *cls_conn,
+ case ISCSI_PARAM_CONN_ADDRESS:
+ case ISCSI_PARAM_LOCAL_PORT:
+ spin_lock_bh(&conn->session->frwd_lock);
+- if (!tcp_sw_conn || !tcp_sw_conn->sock) {
++ if (!conn->session->leadconn) {
+ spin_unlock_bh(&conn->session->frwd_lock);
+ return -ENOTCONN;
+ }
+- sock = tcp_sw_conn->sock;
+- sock_hold(sock->sk);
++ /*
++ * The conn has been setup and bound, so just grab a ref
++ * incase a destroy runs while we are in the net layer.
++ */
++ iscsi_get_conn(conn->cls_conn);
+ spin_unlock_bh(&conn->session->frwd_lock);
+
++ tcp_conn = conn->dd_data;
++ tcp_sw_conn = tcp_conn->dd_data;
++
++ mutex_lock(&tcp_sw_conn->sock_lock);
++ sock = tcp_sw_conn->sock;
++ if (!sock) {
++ rc = -ENOTCONN;
++ goto sock_unlock;
++ }
++
+ if (param == ISCSI_PARAM_LOCAL_PORT)
+ rc = kernel_getsockname(sock,
+ (struct sockaddr *)&addr);
+ else
+ rc = kernel_getpeername(sock,
+ (struct sockaddr *)&addr);
+- sock_put(sock->sk);
++sock_unlock:
++ mutex_unlock(&tcp_sw_conn->sock_lock);
++ iscsi_put_conn(conn->cls_conn);
+ if (rc < 0)
+ return rc;
+
+@@ -842,17 +869,21 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
+ }
+ tcp_conn = conn->dd_data;
+ tcp_sw_conn = tcp_conn->dd_data;
+- sock = tcp_sw_conn->sock;
+- if (!sock) {
+- spin_unlock_bh(&session->frwd_lock);
+- return -ENOTCONN;
+- }
+- sock_hold(sock->sk);
++ /*
++ * The conn has been setup and bound, so just grab a ref
++ * incase a destroy runs while we are in the net layer.
++ */
++ iscsi_get_conn(conn->cls_conn);
+ spin_unlock_bh(&session->frwd_lock);
+
+- rc = kernel_getsockname(sock,
+- (struct sockaddr *)&addr);
+- sock_put(sock->sk);
++ mutex_lock(&tcp_sw_conn->sock_lock);
++ sock = tcp_sw_conn->sock;
++ if (!sock)
++ rc = -ENOTCONN;
++ else
++ rc = kernel_getsockname(sock, (struct sockaddr *)&addr);
++ mutex_unlock(&tcp_sw_conn->sock_lock);
++ iscsi_put_conn(conn->cls_conn);
+ if (rc < 0)
+ return rc;
+
+diff --git a/drivers/scsi/iscsi_tcp.h b/drivers/scsi/iscsi_tcp.h
+index 850a018aefb9..68e14a344904 100644
+--- a/drivers/scsi/iscsi_tcp.h
++++ b/drivers/scsi/iscsi_tcp.h
+@@ -28,6 +28,9 @@ struct iscsi_sw_tcp_send {
+
+ struct iscsi_sw_tcp_conn {
+ struct socket *sock;
++ /* Taken when accessing the sock from the netlink/sysfs interface */
++ struct mutex sock_lock;
++
+ struct work_struct recvwork;
+ bool queue_recv;
+
+--
+2.35.1
+
--- /dev/null
+From f55d7807bfb9223f699cf25a496da4a2e174e1a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 22:42:13 +0800
+Subject: scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 46ba53c30666717cb06c2b3c5d896301cd00d0c0 ]
+
+When executing SMP task failed, the smp_execute_task_sg() calls del_timer()
+to delete "slow_task->timer". However, if the timer handler
+sas_task_internal_timedout() is running, the del_timer() in
+smp_execute_task_sg() will not stop it and a UAF will happen. The process
+is shown below:
+
+ (thread 1) | (thread 2)
+smp_execute_task_sg() | sas_task_internal_timedout()
+ ... |
+ del_timer() |
+ ... | ...
+ sas_free_task(task) |
+ kfree(task->slow_task) //FREE|
+ | task->slow_task->... //USE
+
+Fix by calling del_timer_sync() in smp_execute_task_sg(), which makes sure
+the timer handler have finished before the "task->slow_task" is
+deallocated.
+
+Link: https://lore.kernel.org/r/20220920144213.10536-1-duoming@zju.edu.cn
+Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
+Reviewed-by: Jason Yan <yanaijie@huawei.com>
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libsas/sas_expander.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
+index fa2209080cc2..5ce251830104 100644
+--- a/drivers/scsi/libsas/sas_expander.c
++++ b/drivers/scsi/libsas/sas_expander.c
+@@ -67,7 +67,7 @@ static int smp_execute_task_sg(struct domain_device *dev,
+ res = i->dft->lldd_execute_task(task, GFP_KERNEL);
+
+ if (res) {
+- del_timer(&task->slow_task->timer);
++ del_timer_sync(&task->slow_task->timer);
+ pr_notice("executing SMP task failed:%d\n", res);
+ break;
+ }
+--
+2.35.1
+
--- /dev/null
+From 722dd5a92bdad00eb9db5c4b0a36c33084b9cb29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 18:17:31 -0700
+Subject: scsi: lpfc: Fix null ndlp ptr dereference in abnormal exit path for
+ GFT_ID
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 59b7e210a522b836a01516c71ee85d1d92c1f075 ]
+
+An error case exit from lpfc_cmpl_ct_cmd_gft_id() results in a call to
+lpfc_nlp_put() with a null pointer to a nodelist structure.
+
+Changed lpfc_cmpl_ct_cmd_gft_id() to initialize nodelist pointer upon
+entry.
+
+Link: https://lore.kernel.org/r/20220819011736.14141-3-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_ct.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c
+index 13dfe285493d..b555ccb5ae34 100644
+--- a/drivers/scsi/lpfc/lpfc_ct.c
++++ b/drivers/scsi/lpfc/lpfc_ct.c
+@@ -1509,7 +1509,7 @@ lpfc_cmpl_ct_cmd_gft_id(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
+ struct lpfc_sli_ct_request *CTrsp;
+ int did;
+ struct lpfc_nodelist *ndlp = NULL;
+- struct lpfc_nodelist *ns_ndlp = NULL;
++ struct lpfc_nodelist *ns_ndlp = cmdiocb->ndlp;
+ uint32_t fc4_data_0, fc4_data_1;
+ u32 ulp_status = get_job_ulpstatus(phba, rspiocb);
+ u32 ulp_word4 = get_job_word4(phba, rspiocb);
+@@ -1522,15 +1522,12 @@ lpfc_cmpl_ct_cmd_gft_id(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
+ ulp_status, ulp_word4, did);
+
+ /* Ignore response if link flipped after this request was made */
+- if ((uint32_t) cmdiocb->event_tag != phba->fc_eventTag) {
++ if ((uint32_t)cmdiocb->event_tag != phba->fc_eventTag) {
+ lpfc_printf_vlog(vport, KERN_INFO, LOG_DISCOVERY,
+ "9046 Event tag mismatch. Ignoring NS rsp\n");
+ goto out;
+ }
+
+- /* Preserve the nameserver node to release the reference. */
+- ns_ndlp = cmdiocb->ndlp;
+-
+ if (ulp_status == IOSTAT_SUCCESS) {
+ /* Good status, continue checking */
+ CTrsp = (struct lpfc_sli_ct_request *)outp->virt;
+--
+2.35.1
+
--- /dev/null
+From 95778c6a95b6a1bf3e1930c5c3d3fb8364a33838 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Sep 2022 15:15:04 -0700
+Subject: scsi: lpfc: Fix various issues reported by tools
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit a4de8356b68e54149ebdbe6e748e2726152b650c ]
+
+This patch fixes below Smatch reported issues:
+
+ 1. lpfc_hbadisc.c:3020 lpfc_mbx_cmpl_fcf_rr_read_fcf_rec()
+ error: uninitialized symbol 'vlan_id'.
+
+ 2. lpfc_hbadisc.c:3121 lpfc_mbx_cmpl_read_fcf_rec()
+ error: uninitialized symbol 'vlan_id'.
+
+ 3. lpfc_init.c:335 lpfc_dump_wakeup_param_cmpl()
+ warn: always true condition '(prg->dist < 4) => (0-3 < 4)'
+
+ 4. lpfc_init.c:2419 lpfc_parse_vpd()
+ warn: inconsistent indenting.
+
+ 5. lpfc_init.c:13248 lpfc_sli4_enable_msi()
+ warn: 'phba->pcidev->irq' 2147483648 can't fit into 65535
+ 'eqhdl->irq'
+
+ 6. lpfc_debugfs.c:5300 lpfc_idiag_extacc_avail_get()
+ error: uninitialized symbol 'ext_cnt'
+
+ 7. lpfc_debugfs.c:5300 lpfc_idiag_extacc_avail_get()
+ error: uninitialized symbol 'ext_size'
+
+ 8. lpfc_vmid.c:248 lpfc_vmid_get_appid()
+ warn: sleeping in atomic context.
+
+ 9. lpfc_init.c:8342 lpfc_sli4_driver_resource_setup()
+ warn: missing error code 'rc'.
+
+10. lpfc_init.c:13573 lpfc_sli4_hba_unset()
+ warn: variable dereferenced before check 'phba->pport' (see
+ line 13546)
+
+11. lpfc_auth.c:1923 lpfc_auth_handle_dhchap_reply()
+ error: double free of 'hash_value'
+
+Fixes:
+
+ 1. Initialize vlan_id to LPFC_FCOE_NULL_VID.
+
+ 2. Initialize vlan_id to LPFC_FCOE_NULL_VID.
+
+ 3. prg->dist is a 2 bit field. Its value can only be between 0-3.
+ Remove redundent check 'if (prg->dist < 4)'.
+
+ 4. Fix inconsistent indenting. Moved logic into helper function
+ lpfc_fill_vpd().
+
+ 5. Define 'eqhdl->irq' as int value as pci_irq_vector() returns int.
+ Also, check for return value of pci_irq_vector() and log message in
+ case of failure.
+
+ 6. Initialize 'ext_cnt' to 0.
+
+ 7. Initialize 'ext_size' to 0.
+
+ 8. Use alloc_percpu_gfp() with GFP_ATOMIC flag.
+
+ 9. 'rc' was not updated when dma_pool_create() fails. Update 'rc =
+ -ENOMEM' when dma_pool_create() fails before calling goto statement.
+
+10. Add check for 'phba->pport' in lpfc_cpuhp_remove().
+
+11. Initialize 'hash_value' to NULL, same like 'aug_chal' variable.
+
+Link: https://lore.kernel.org/r/20220911221505.117655-13-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_debugfs.c | 2 +-
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 4 +-
+ drivers/scsi/lpfc/lpfc_init.c | 249 +++++++++++++++++--------------
+ drivers/scsi/lpfc/lpfc_sli.c | 3 +
+ drivers/scsi/lpfc/lpfc_sli4.h | 4 +-
+ drivers/scsi/lpfc/lpfc_vmid.c | 4 +-
+ 6 files changed, 148 insertions(+), 118 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
+index e37b028eae5f..f5252e45a48a 100644
+--- a/drivers/scsi/lpfc/lpfc_debugfs.c
++++ b/drivers/scsi/lpfc/lpfc_debugfs.c
+@@ -5156,7 +5156,7 @@ lpfc_idiag_mbxacc_write(struct file *file, const char __user *buf,
+ static int
+ lpfc_idiag_extacc_avail_get(struct lpfc_hba *phba, char *pbuffer, int len)
+ {
+- uint16_t ext_cnt, ext_size;
++ uint16_t ext_cnt = 0, ext_size = 0;
+
+ len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len,
+ "\nAvailable Extents Information:\n");
+diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
+index 2645def612e6..a488d00894ae 100644
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -2964,7 +2964,7 @@ lpfc_mbx_cmpl_fcf_rr_read_fcf_rec(struct lpfc_hba *phba, LPFC_MBOXQ_t *mboxq)
+ uint32_t boot_flag, addr_mode;
+ uint16_t next_fcf_index, fcf_index;
+ uint16_t current_fcf_index;
+- uint16_t vlan_id;
++ uint16_t vlan_id = LPFC_FCOE_NULL_VID;
+ int rc;
+
+ /* If link state is not up, stop the roundrobin failover process */
+@@ -3069,7 +3069,7 @@ lpfc_mbx_cmpl_read_fcf_rec(struct lpfc_hba *phba, LPFC_MBOXQ_t *mboxq)
+ struct fcf_record *new_fcf_record;
+ uint32_t boot_flag, addr_mode;
+ uint16_t fcf_index, next_fcf_index;
+- uint16_t vlan_id;
++ uint16_t vlan_id = LPFC_FCOE_NULL_VID;
+ int rc;
+
+ /* If link state is not up, no need to proceed */
+diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
+index a76f2a120d9d..1a02134438fc 100644
+--- a/drivers/scsi/lpfc/lpfc_init.c
++++ b/drivers/scsi/lpfc/lpfc_init.c
+@@ -325,8 +325,7 @@ lpfc_dump_wakeup_param_cmpl(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmboxq)
+ prog_id_word = pmboxq->u.mb.un.varWords[7];
+
+ /* Decode the Option rom version word to a readable string */
+- if (prg->dist < 4)
+- dist = dist_char[prg->dist];
++ dist = dist_char[prg->dist];
+
+ if ((prg->dist == 3) && (prg->num == 0))
+ snprintf(phba->OptionROMVersion, 32, "%d.%d%d",
+@@ -2258,6 +2257,101 @@ lpfc_handle_latt(struct lpfc_hba *phba)
+ return;
+ }
+
++static void
++lpfc_fill_vpd(struct lpfc_hba *phba, uint8_t *vpd, int length, int *pindex)
++{
++ int i, j;
++
++ while (length > 0) {
++ /* Look for Serial Number */
++ if ((vpd[*pindex] == 'S') && (vpd[*pindex + 1] == 'N')) {
++ *pindex += 2;
++ i = vpd[*pindex];
++ *pindex += 1;
++ j = 0;
++ length -= (3+i);
++ while (i--) {
++ phba->SerialNumber[j++] = vpd[(*pindex)++];
++ if (j == 31)
++ break;
++ }
++ phba->SerialNumber[j] = 0;
++ continue;
++ } else if ((vpd[*pindex] == 'V') && (vpd[*pindex + 1] == '1')) {
++ phba->vpd_flag |= VPD_MODEL_DESC;
++ *pindex += 2;
++ i = vpd[*pindex];
++ *pindex += 1;
++ j = 0;
++ length -= (3+i);
++ while (i--) {
++ phba->ModelDesc[j++] = vpd[(*pindex)++];
++ if (j == 255)
++ break;
++ }
++ phba->ModelDesc[j] = 0;
++ continue;
++ } else if ((vpd[*pindex] == 'V') && (vpd[*pindex + 1] == '2')) {
++ phba->vpd_flag |= VPD_MODEL_NAME;
++ *pindex += 2;
++ i = vpd[*pindex];
++ *pindex += 1;
++ j = 0;
++ length -= (3+i);
++ while (i--) {
++ phba->ModelName[j++] = vpd[(*pindex)++];
++ if (j == 79)
++ break;
++ }
++ phba->ModelName[j] = 0;
++ continue;
++ } else if ((vpd[*pindex] == 'V') && (vpd[*pindex + 1] == '3')) {
++ phba->vpd_flag |= VPD_PROGRAM_TYPE;
++ *pindex += 2;
++ i = vpd[*pindex];
++ *pindex += 1;
++ j = 0;
++ length -= (3+i);
++ while (i--) {
++ phba->ProgramType[j++] = vpd[(*pindex)++];
++ if (j == 255)
++ break;
++ }
++ phba->ProgramType[j] = 0;
++ continue;
++ } else if ((vpd[*pindex] == 'V') && (vpd[*pindex + 1] == '4')) {
++ phba->vpd_flag |= VPD_PORT;
++ *pindex += 2;
++ i = vpd[*pindex];
++ *pindex += 1;
++ j = 0;
++ length -= (3 + i);
++ while (i--) {
++ if ((phba->sli_rev == LPFC_SLI_REV4) &&
++ (phba->sli4_hba.pport_name_sta ==
++ LPFC_SLI4_PPNAME_GET)) {
++ j++;
++ (*pindex)++;
++ } else
++ phba->Port[j++] = vpd[(*pindex)++];
++ if (j == 19)
++ break;
++ }
++ if ((phba->sli_rev != LPFC_SLI_REV4) ||
++ (phba->sli4_hba.pport_name_sta ==
++ LPFC_SLI4_PPNAME_NON))
++ phba->Port[j] = 0;
++ continue;
++ } else {
++ *pindex += 2;
++ i = vpd[*pindex];
++ *pindex += 1;
++ *pindex += i;
++ length -= (3 + i);
++ }
++ }
++}
++
+ /**
+ * lpfc_parse_vpd - Parse VPD (Vital Product Data)
+ * @phba: pointer to lpfc hba data structure.
+@@ -2277,7 +2371,7 @@ lpfc_parse_vpd(struct lpfc_hba *phba, uint8_t *vpd, int len)
+ {
+ uint8_t lenlo, lenhi;
+ int Length;
+- int i, j;
++ int i;
+ int finished = 0;
+ int index = 0;
+
+@@ -2310,101 +2404,10 @@ lpfc_parse_vpd(struct lpfc_hba *phba, uint8_t *vpd, int len)
+ Length = ((((unsigned short)lenhi) << 8) + lenlo);
+ if (Length > len - index)
+ Length = len - index;
+- while (Length > 0) {
+- /* Look for Serial Number */
+- if ((vpd[index] == 'S') && (vpd[index+1] == 'N')) {
+- index += 2;
+- i = vpd[index];
+- index += 1;
+- j = 0;
+- Length -= (3+i);
+- while(i--) {
+- phba->SerialNumber[j++] = vpd[index++];
+- if (j == 31)
+- break;
+- }
+- phba->SerialNumber[j] = 0;
+- continue;
+- }
+- else if ((vpd[index] == 'V') && (vpd[index+1] == '1')) {
+- phba->vpd_flag |= VPD_MODEL_DESC;
+- index += 2;
+- i = vpd[index];
+- index += 1;
+- j = 0;
+- Length -= (3+i);
+- while(i--) {
+- phba->ModelDesc[j++] = vpd[index++];
+- if (j == 255)
+- break;
+- }
+- phba->ModelDesc[j] = 0;
+- continue;
+- }
+- else if ((vpd[index] == 'V') && (vpd[index+1] == '2')) {
+- phba->vpd_flag |= VPD_MODEL_NAME;
+- index += 2;
+- i = vpd[index];
+- index += 1;
+- j = 0;
+- Length -= (3+i);
+- while(i--) {
+- phba->ModelName[j++] = vpd[index++];
+- if (j == 79)
+- break;
+- }
+- phba->ModelName[j] = 0;
+- continue;
+- }
+- else if ((vpd[index] == 'V') && (vpd[index+1] == '3')) {
+- phba->vpd_flag |= VPD_PROGRAM_TYPE;
+- index += 2;
+- i = vpd[index];
+- index += 1;
+- j = 0;
+- Length -= (3+i);
+- while(i--) {
+- phba->ProgramType[j++] = vpd[index++];
+- if (j == 255)
+- break;
+- }
+- phba->ProgramType[j] = 0;
+- continue;
+- }
+- else if ((vpd[index] == 'V') && (vpd[index+1] == '4')) {
+- phba->vpd_flag |= VPD_PORT;
+- index += 2;
+- i = vpd[index];
+- index += 1;
+- j = 0;
+- Length -= (3+i);
+- while(i--) {
+- if ((phba->sli_rev == LPFC_SLI_REV4) &&
+- (phba->sli4_hba.pport_name_sta ==
+- LPFC_SLI4_PPNAME_GET)) {
+- j++;
+- index++;
+- } else
+- phba->Port[j++] = vpd[index++];
+- if (j == 19)
+- break;
+- }
+- if ((phba->sli_rev != LPFC_SLI_REV4) ||
+- (phba->sli4_hba.pport_name_sta ==
+- LPFC_SLI4_PPNAME_NON))
+- phba->Port[j] = 0;
+- continue;
+- }
+- else {
+- index += 2;
+- i = vpd[index];
+- index += 1;
+- index += i;
+- Length -= (3 + i);
+- }
+- }
+- finished = 0;
+- break;
++
++ lpfc_fill_vpd(phba, vpd, Length, &index);
++ finished = 0;
++ break;
+ case 0x78:
+ finished = 1;
+ break;
+@@ -8278,8 +8281,10 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba)
+ &phba->pcidev->dev,
+ phba->cfg_sg_dma_buf_size,
+ i, 0);
+- if (!phba->lpfc_sg_dma_buf_pool)
++ if (!phba->lpfc_sg_dma_buf_pool) {
++ rc = -ENOMEM;
+ goto out_free_bsmbx;
++ }
+
+ phba->lpfc_cmd_rsp_buf_pool =
+ dma_pool_create("lpfc_cmd_rsp_buf_pool",
+@@ -8287,8 +8292,10 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba)
+ sizeof(struct fcp_cmnd) +
+ sizeof(struct fcp_rsp),
+ i, 0);
+- if (!phba->lpfc_cmd_rsp_buf_pool)
++ if (!phba->lpfc_cmd_rsp_buf_pool) {
++ rc = -ENOMEM;
+ goto out_free_sg_dma_buf;
++ }
+
+ mempool_free(mboxq, phba->mbox_mem_pool);
+
+@@ -12379,7 +12386,7 @@ lpfc_hba_eq_hdl_array_init(struct lpfc_hba *phba)
+
+ for (i = 0; i < phba->cfg_irq_chann; i++) {
+ eqhdl = lpfc_get_eq_hdl(i);
+- eqhdl->irq = LPFC_VECTOR_MAP_EMPTY;
++ eqhdl->irq = LPFC_IRQ_EMPTY;
+ eqhdl->phba = phba;
+ }
+ }
+@@ -12752,7 +12759,7 @@ static void __lpfc_cpuhp_remove(struct lpfc_hba *phba)
+
+ static void lpfc_cpuhp_remove(struct lpfc_hba *phba)
+ {
+- if (phba->pport->fc_flag & FC_OFFLINE_MODE)
++ if (phba->pport && (phba->pport->fc_flag & FC_OFFLINE_MODE))
+ return;
+
+ __lpfc_cpuhp_remove(phba);
+@@ -13016,9 +13023,17 @@ lpfc_sli4_enable_msix(struct lpfc_hba *phba)
+ LPFC_DRIVER_HANDLER_NAME"%d", index);
+
+ eqhdl->idx = index;
+- rc = request_irq(pci_irq_vector(phba->pcidev, index),
+- &lpfc_sli4_hba_intr_handler, 0,
+- name, eqhdl);
++ rc = pci_irq_vector(phba->pcidev, index);
++ if (rc < 0) {
++ lpfc_printf_log(phba, KERN_WARNING, LOG_INIT,
++ "0489 MSI-X fast-path (%d) "
++ "pci_irq_vec failed (%d)\n", index, rc);
++ goto cfg_fail_out;
++ }
++ eqhdl->irq = rc;
++
++ rc = request_irq(eqhdl->irq, &lpfc_sli4_hba_intr_handler, 0,
++ name, eqhdl);
+ if (rc) {
+ lpfc_printf_log(phba, KERN_WARNING, LOG_INIT,
+ "0486 MSI-X fast-path (%d) "
+@@ -13026,8 +13041,6 @@ lpfc_sli4_enable_msix(struct lpfc_hba *phba)
+ goto cfg_fail_out;
+ }
+
+- eqhdl->irq = pci_irq_vector(phba->pcidev, index);
+-
+ if (aff_mask) {
+ /* If found a neighboring online cpu, set affinity */
+ if (cpu_select < nr_cpu_ids)
+@@ -13144,7 +13157,14 @@ lpfc_sli4_enable_msi(struct lpfc_hba *phba)
+ }
+
+ eqhdl = lpfc_get_eq_hdl(0);
+- eqhdl->irq = pci_irq_vector(phba->pcidev, 0);
++ rc = pci_irq_vector(phba->pcidev, 0);
++ if (rc < 0) {
++ pci_free_irq_vectors(phba->pcidev);
++ lpfc_printf_log(phba, KERN_WARNING, LOG_INIT,
++ "0496 MSI pci_irq_vec failed (%d)\n", rc);
++ return rc;
++ }
++ eqhdl->irq = rc;
+
+ cpu = cpumask_first(cpu_present_mask);
+ lpfc_assign_eq_map_info(phba, 0, LPFC_CPU_FIRST_IRQ, cpu);
+@@ -13171,8 +13191,8 @@ lpfc_sli4_enable_msi(struct lpfc_hba *phba)
+ * MSI-X -> MSI -> IRQ.
+ *
+ * Return codes
+- * 0 - successful
+- * other values - error
++ * Interrupt mode (2, 1, 0) - successful
++ * LPFC_INTR_ERROR - error
+ **/
+ static uint32_t
+ lpfc_sli4_enable_intr(struct lpfc_hba *phba, uint32_t cfg_mode)
+@@ -13217,7 +13237,14 @@ lpfc_sli4_enable_intr(struct lpfc_hba *phba, uint32_t cfg_mode)
+ intr_mode = 0;
+
+ eqhdl = lpfc_get_eq_hdl(0);
+- eqhdl->irq = pci_irq_vector(phba->pcidev, 0);
++ retval = pci_irq_vector(phba->pcidev, 0);
++ if (retval < 0) {
++ lpfc_printf_log(phba, KERN_WARNING, LOG_INIT,
++ "0502 INTR pci_irq_vec failed (%d)\n",
++ retval);
++ return LPFC_INTR_ERROR;
++ }
++ eqhdl->irq = retval;
+
+ cpu = cpumask_first(cpu_present_mask);
+ lpfc_assign_eq_map_info(phba, 0, LPFC_CPU_FIRST_IRQ,
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 55c9eb39ea19..03c21167fc85 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -6202,6 +6202,9 @@ lpfc_sli4_get_avail_extnt_rsrc(struct lpfc_hba *phba, uint16_t type,
+ struct lpfc_mbx_get_rsrc_extent_info *rsrc_info;
+ LPFC_MBOXQ_t *mbox;
+
++ *extnt_count = 0;
++ *extnt_size = 0;
++
+ mbox = (LPFC_MBOXQ_t *) mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
+ if (!mbox)
+ return -ENOMEM;
+diff --git a/drivers/scsi/lpfc/lpfc_sli4.h b/drivers/scsi/lpfc/lpfc_sli4.h
+index 1ddad5b170a6..cbb1aa1cf025 100644
+--- a/drivers/scsi/lpfc/lpfc_sli4.h
++++ b/drivers/scsi/lpfc/lpfc_sli4.h
+@@ -489,7 +489,7 @@ struct lpfc_hba;
+ #define LPFC_SLI4_HANDLER_NAME_SZ 16
+ struct lpfc_hba_eq_hdl {
+ uint32_t idx;
+- uint16_t irq;
++ int irq;
+ char handler_name[LPFC_SLI4_HANDLER_NAME_SZ];
+ struct lpfc_hba *phba;
+ struct lpfc_queue *eq;
+@@ -611,6 +611,8 @@ struct lpfc_vector_map_info {
+ };
+ #define LPFC_VECTOR_MAP_EMPTY 0xffff
+
++#define LPFC_IRQ_EMPTY 0xffffffff
++
+ /* Multi-XRI pool */
+ #define XRI_BATCH 8
+
+diff --git a/drivers/scsi/lpfc/lpfc_vmid.c b/drivers/scsi/lpfc/lpfc_vmid.c
+index f64ced04b912..ed1d7f7b88a3 100644
+--- a/drivers/scsi/lpfc/lpfc_vmid.c
++++ b/drivers/scsi/lpfc/lpfc_vmid.c
+@@ -245,9 +245,7 @@ int lpfc_vmid_get_appid(struct lpfc_vport *vport, char *uuid,
+ /* allocate the per cpu variable for holding */
+ /* the last access time stamp only if VMID is enabled */
+ if (!vmp->last_io_time)
+- vmp->last_io_time = __alloc_percpu(sizeof(u64),
+- __alignof__(struct
+- lpfc_vmid));
++ vmp->last_io_time = alloc_percpu_gfp(u64, GFP_ATOMIC);
+ if (!vmp->last_io_time) {
+ hash_del(&vmp->hnode);
+ vmp->flag = LPFC_VMID_SLOT_FREE;
+--
+2.35.1
+
--- /dev/null
+From 38ca8d5f01ce90c749aaf3d406508c6d14e54037 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 21:51:04 +0800
+Subject: scsi: pm8001: Fix running_req for internal abort commands
+
+From: John Garry <john.garry@huawei.com>
+
+[ Upstream commit d8c22c4697c11ed28062afe3c2b377025be11a23 ]
+
+Disabling the remote phy for a SATA disk causes a hang:
+
+root@(none)$ more /sys/class/sas_phy/phy-0:0:8/target_port_protocols
+sata
+root@(none)$ echo 0 > sys/class/sas_phy/phy-0:0:8/enable
+root@(none)$ [ 67.855950] sas: ex 500e004aaaaaaa1f phy08 change count has changed
+[ 67.920585] sd 0:0:2:0: [sdc] Synchronizing SCSI cache
+[ 67.925780] sd 0:0:2:0: [sdc] Synchronize Cache(10) failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK
+[ 67.935094] sd 0:0:2:0: [sdc] Stopping disk
+[ 67.939305] sd 0:0:2:0: [sdc] Start/Stop Unit failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK
+...
+[ 123.998998] INFO: task kworker/u192:1:642 blocked for more than 30 seconds.
+[ 124.005960] Not tainted 6.0.0-rc1-205202-gf26f8f761e83 #218
+[ 124.012049] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+[ 124.019872] task:kworker/u192:1 state:D stack:0 pid: 642 ppid: 2 flags:0x00000008
+[ 124.028223] Workqueue: 0000:04:00.0_event_q sas_port_event_worker
+[ 124.034319] Call trace:
+[ 124.036758] __switch_to+0x128/0x278
+[ 124.040333] __schedule+0x434/0xa58
+[ 124.043820] schedule+0x94/0x138
+[ 124.047045] schedule_timeout+0x2fc/0x368
+[ 124.051052] wait_for_completion+0xdc/0x200
+[ 124.055234] __flush_workqueue+0x1a8/0x708
+[ 124.059328] sas_porte_broadcast_rcvd+0xa8/0xc0
+[ 124.063858] sas_port_event_worker+0x60/0x98
+[ 124.068126] process_one_work+0x3f8/0x660
+[ 124.072134] worker_thread+0x70/0x700
+[ 124.075793] kthread+0x1a4/0x1b8
+[ 124.079014] ret_from_fork+0x10/0x20
+
+The issue is that the per-device running_req read in
+pm8001_dev_gone_notify() never goes to zero and we never make progress.
+This is caused by missing accounting for running_req for when an internal
+abort command completes.
+
+In commit 2cbbf489778e ("scsi: pm8001: Use libsas internal abort support")
+we started to send internal abort commands as a proper sas_task. In this
+when we deliver a sas_task to HW the per-device running_req is incremented
+in pm8001_queue_command(). However it is never decremented for internal
+abort commnds, so decrement in pm8001_mpi_task_abort_resp().
+
+Link: https://lore.kernel.org/r/1663854664-76165-1-git-send-email-john.garry@huawei.com
+Fixes: 2cbbf489778e ("scsi: pm8001: Use libsas internal abort support")
+Acked-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/pm8001/pm8001_hwi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/scsi/pm8001/pm8001_hwi.c b/drivers/scsi/pm8001/pm8001_hwi.c
+index 91d78d0a38fe..628b08ba6770 100644
+--- a/drivers/scsi/pm8001/pm8001_hwi.c
++++ b/drivers/scsi/pm8001/pm8001_hwi.c
+@@ -3612,6 +3612,10 @@ int pm8001_mpi_task_abort_resp(struct pm8001_hba_info *pm8001_ha, void *piomb)
+ pm8001_dbg(pm8001_ha, FAIL, " TASK NULL. RETURNING !!!\n");
+ return -1;
+ }
++
++ if (t->task_proto == SAS_PROTOCOL_INTERNAL_ABORT)
++ atomic_dec(&pm8001_dev->running_req);
++
+ ts = &t->task_status;
+ if (status != 0)
+ pm8001_dbg(pm8001_ha, FAIL, "task abort failed status 0x%x ,tag = 0x%x, scp= 0x%x\n",
+--
+2.35.1
+
--- /dev/null
+From 7c941da1629502ebb7a3b62955d954bd8d1c4bfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 16:33:08 -0700
+Subject: scsi: tracing: Fix compile error in trace_array calls when TRACING is
+ disabled
+
+From: Arun Easi <aeasi@marvell.com>
+
+[ Upstream commit 1a77dd1c2bb5d4a58c16d198cf593720787c02e4 ]
+
+Fix this compilation error seen when CONFIG_TRACING is not enabled:
+
+drivers/scsi/qla2xxx/qla_os.c: In function 'qla_trace_init':
+drivers/scsi/qla2xxx/qla_os.c:2854:25: error: implicit declaration of function
+'trace_array_get_by_name'; did you mean 'trace_array_set_clr_event'?
+[-Werror=implicit-function-declaration]
+ 2854 | qla_trc_array = trace_array_get_by_name("qla2xxx");
+ | ^~~~~~~~~~~~~~~~~~~~~~~
+ | trace_array_set_clr_event
+
+drivers/scsi/qla2xxx/qla_os.c: In function 'qla_trace_uninit':
+drivers/scsi/qla2xxx/qla_os.c:2869:9: error: implicit declaration of function
+'trace_array_put' [-Werror=implicit-function-declaration]
+ 2869 | trace_array_put(qla_trc_array);
+ | ^~~~~~~~~~~~~~~
+
+Link: https://lore.kernel.org/r/20220907233308.4153-2-aeasi@marvell.com
+Reported-by: kernel test robot <lkp@intel.com>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Arun Easi <aeasi@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/trace.h | 36 ++++++++++++++++++++++++++++++++++--
+ 1 file changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/trace.h b/include/linux/trace.h
+index bf169612ffe1..b5e16e438448 100644
+--- a/include/linux/trace.h
++++ b/include/linux/trace.h
+@@ -2,8 +2,6 @@
+ #ifndef _LINUX_TRACE_H
+ #define _LINUX_TRACE_H
+
+-#ifdef CONFIG_TRACING
+-
+ #define TRACE_EXPORT_FUNCTION BIT(0)
+ #define TRACE_EXPORT_EVENT BIT(1)
+ #define TRACE_EXPORT_MARKER BIT(2)
+@@ -28,6 +26,8 @@ struct trace_export {
+ int flags;
+ };
+
++#ifdef CONFIG_TRACING
++
+ int register_ftrace_export(struct trace_export *export);
+ int unregister_ftrace_export(struct trace_export *export);
+
+@@ -48,6 +48,38 @@ void osnoise_arch_unregister(void);
+ void osnoise_trace_irq_entry(int id);
+ void osnoise_trace_irq_exit(int id, const char *desc);
+
++#else /* CONFIG_TRACING */
++static inline int register_ftrace_export(struct trace_export *export)
++{
++ return -EINVAL;
++}
++static inline int unregister_ftrace_export(struct trace_export *export)
++{
++ return 0;
++}
++static inline void trace_printk_init_buffers(void)
++{
++}
++static inline int trace_array_printk(struct trace_array *tr, unsigned long ip,
++ const char *fmt, ...)
++{
++ return 0;
++}
++static inline int trace_array_init_printk(struct trace_array *tr)
++{
++ return -EINVAL;
++}
++static inline void trace_array_put(struct trace_array *tr)
++{
++}
++static inline struct trace_array *trace_array_get_by_name(const char *name)
++{
++ return NULL;
++}
++static inline int trace_array_destroy(struct trace_array *tr)
++{
++ return 0;
++}
+ #endif /* CONFIG_TRACING */
+
+ #endif /* _LINUX_TRACE_H */
+--
+2.35.1
+
--- /dev/null
+From 5ba0fd9222b646e08d75aa1af243f7d1f0f55e8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Sep 2022 14:10:13 -0400
+Subject: sctp: handle the error returned from sctp_auth_asoc_init_active_key
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 022152aaebe116a25c39818a07e175a8cd3c1e11 ]
+
+When it returns an error from sctp_auth_asoc_init_active_key(), the
+active_key is actually not updated. The old sh_key will be freeed
+while it's still used as active key in asoc. Then an use-after-free
+will be triggered when sending patckets, as found by syzbot:
+
+ sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
+ sctp_set_owner_w net/sctp/socket.c:132 [inline]
+ sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863
+ sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025
+ inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:734
+
+This patch is to fix it by not replacing the sh_key when it returns
+errors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key().
+For sctp_auth_set_active_key(), old active_key_id will be set back
+to asoc->active_key_id when the same thing happens.
+
+Fixes: 58acd1009226 ("sctp: update active_key for asoc when old key is being replaced")
+Reported-by: syzbot+a236dd8e9622ed8954a3@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/auth.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/net/sctp/auth.c b/net/sctp/auth.c
+index db6b7373d16c..34964145514e 100644
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -863,12 +863,17 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
+ }
+
+ list_del_init(&shkey->key_list);
+- sctp_auth_shkey_release(shkey);
+ list_add(&cur_key->key_list, sh_keys);
+
+- if (asoc && asoc->active_key_id == auth_key->sca_keynumber)
+- sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
++ if (asoc && asoc->active_key_id == auth_key->sca_keynumber &&
++ sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)) {
++ list_del_init(&cur_key->key_list);
++ sctp_auth_shkey_release(cur_key);
++ list_add(&shkey->key_list, sh_keys);
++ return -ENOMEM;
++ }
+
++ sctp_auth_shkey_release(shkey);
+ return 0;
+ }
+
+@@ -902,8 +907,13 @@ int sctp_auth_set_active_key(struct sctp_endpoint *ep,
+ return -EINVAL;
+
+ if (asoc) {
++ __u16 active_key_id = asoc->active_key_id;
++
+ asoc->active_key_id = key_id;
+- sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
++ if (sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)) {
++ asoc->active_key_id = active_key_id;
++ return -ENOMEM;
++ }
+ } else
+ ep->active_key_id = key_id;
+
+--
+2.35.1
+
--- /dev/null
+From fb9cc305a00a3aca92bd52434ab0b78accf0937f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 09:15:18 -0400
+Subject: selftest: tpm2: Add Client.__del__() to close /dev/tpm* handle
+
+From: Stefan Berger <stefanb@linux.ibm.com>
+
+[ Upstream commit 2d869f0b458547386fbcd8cf3004b271b7347b7f ]
+
+The following output can bee seen when the test is executed:
+
+ test_flush_context (tpm2_tests.SpaceTest) ... \
+ /usr/lib64/python3.6/unittest/case.py:605: ResourceWarning: \
+ unclosed file <_io.FileIO name='/dev/tpmrm0' mode='rb+' closefd=True>
+
+An instance of Client does not implicitly close /dev/tpm* handle, once it
+gets destroyed. Close the file handle in the class destructor
+Client.__del__().
+
+Fixes: 6ea3dfe1e0732 ("selftests: add TPM 2.0 tests")
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: linux-kselftest@vger.kernel.org
+Cc: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/tpm2/tpm2.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/testing/selftests/tpm2/tpm2.py b/tools/testing/selftests/tpm2/tpm2.py
+index 057a4f49c79d..c7363c6764fc 100644
+--- a/tools/testing/selftests/tpm2/tpm2.py
++++ b/tools/testing/selftests/tpm2/tpm2.py
+@@ -371,6 +371,10 @@ class Client:
+ fcntl.fcntl(self.tpm, fcntl.F_SETFL, flags)
+ self.tpm_poll = select.poll()
+
++ def __del__(self):
++ if self.tpm:
++ self.tpm.close()
++
+ def close(self):
+ self.tpm.close()
+
+--
+2.35.1
+
--- /dev/null
+From bf4d2cb995fafcda7f5bca658be117d2dd835d0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 10:46:04 +0000
+Subject: selftests/bpf: Adapt cgroup effective query uapi change
+
+From: Pu Lehui <pulehui@huawei.com>
+
+[ Upstream commit d2aa993b7d9de6deeb1df6c9a6b9b6193c337cc6 ]
+
+The attach flags is meaningless for effective query and
+its value will always be set as 0 during effective query.
+Root cg's effective progs is always its attached progs,
+so we use non-effective query to get its progs count and
+attach flags. And we don't need the remain attach flags
+check.
+
+Fixes: b79c9fc9551b ("bpf: implement BPF_PROG_QUERY for BPF_LSM_CGROUP")
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Link: https://lore.kernel.org/r/20220921104604.2340580-4-pulehui@huaweicloud.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/cgroup_link.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/cgroup_link.c b/tools/testing/selftests/bpf/prog_tests/cgroup_link.c
+index 9e6e6aad347c..15093a69510e 100644
+--- a/tools/testing/selftests/bpf/prog_tests/cgroup_link.c
++++ b/tools/testing/selftests/bpf/prog_tests/cgroup_link.c
+@@ -71,10 +71,9 @@ void serial_test_cgroup_link(void)
+
+ ping_and_check(cg_nr, 0);
+
+- /* query the number of effective progs and attach flags in root cg */
++ /* query the number of attached progs and attach flags in root cg */
+ err = bpf_prog_query(cgs[0].fd, BPF_CGROUP_INET_EGRESS,
+- BPF_F_QUERY_EFFECTIVE, &attach_flags, NULL,
+- &prog_cnt);
++ 0, &attach_flags, NULL, &prog_cnt);
+ CHECK_FAIL(err);
+ CHECK_FAIL(attach_flags != BPF_F_ALLOW_MULTI);
+ if (CHECK(prog_cnt != 1, "effect_cnt", "exp %d, got %d\n", 1, prog_cnt))
+@@ -85,17 +84,15 @@ void serial_test_cgroup_link(void)
+ BPF_F_QUERY_EFFECTIVE, NULL, NULL,
+ &prog_cnt);
+ CHECK_FAIL(err);
+- CHECK_FAIL(attach_flags != BPF_F_ALLOW_MULTI);
+ if (CHECK(prog_cnt != cg_nr, "effect_cnt", "exp %d, got %d\n",
+ cg_nr, prog_cnt))
+ goto cleanup;
+
+ /* query the effective prog IDs in last cg */
+ err = bpf_prog_query(cgs[last_cg].fd, BPF_CGROUP_INET_EGRESS,
+- BPF_F_QUERY_EFFECTIVE, &attach_flags,
+- prog_ids, &prog_cnt);
++ BPF_F_QUERY_EFFECTIVE, NULL, prog_ids,
++ &prog_cnt);
+ CHECK_FAIL(err);
+- CHECK_FAIL(attach_flags != BPF_F_ALLOW_MULTI);
+ if (CHECK(prog_cnt != cg_nr, "effect_cnt", "exp %d, got %d\n",
+ cg_nr, prog_cnt))
+ goto cleanup;
+--
+2.35.1
+
--- /dev/null
+From 6ff592adc24a9b58e2b12520cef230f24d59d689 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 15:00:35 +0800
+Subject: selftests/bpf: Free the allocated resources after test case succeeds
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit 103d002fb7d548fb1187e350f2b73788558128b9 ]
+
+Free the created fd or allocated bpf_object after test case succeeds,
+else there will be resource leaks.
+
+Spotted by using address sanitizer and checking the content of
+/proc/$pid/fd directory.
+
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Link: https://lore.kernel.org/r/20220921070035.2016413-3-houtao@huaweicloud.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../bpf/map_tests/array_map_batch_ops.c | 2 ++
+ .../bpf/map_tests/htab_map_batch_ops.c | 2 ++
+ .../bpf/map_tests/lpm_trie_map_batch_ops.c | 2 ++
+ tools/testing/selftests/bpf/test_maps.c | 24 ++++++++++++-------
+ 4 files changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/map_tests/array_map_batch_ops.c b/tools/testing/selftests/bpf/map_tests/array_map_batch_ops.c
+index 78c76496b14a..b595556315bc 100644
+--- a/tools/testing/selftests/bpf/map_tests/array_map_batch_ops.c
++++ b/tools/testing/selftests/bpf/map_tests/array_map_batch_ops.c
+@@ -3,6 +3,7 @@
+ #include <stdio.h>
+ #include <errno.h>
+ #include <string.h>
++#include <unistd.h>
+
+ #include <bpf/bpf.h>
+ #include <bpf/libbpf.h>
+@@ -137,6 +138,7 @@ static void __test_map_lookup_and_update_batch(bool is_pcpu)
+ free(keys);
+ free(values);
+ free(visited);
++ close(map_fd);
+ }
+
+ static void array_map_batch_ops(void)
+diff --git a/tools/testing/selftests/bpf/map_tests/htab_map_batch_ops.c b/tools/testing/selftests/bpf/map_tests/htab_map_batch_ops.c
+index f807d53fd8dd..1230ccf90128 100644
+--- a/tools/testing/selftests/bpf/map_tests/htab_map_batch_ops.c
++++ b/tools/testing/selftests/bpf/map_tests/htab_map_batch_ops.c
+@@ -3,6 +3,7 @@
+ #include <stdio.h>
+ #include <errno.h>
+ #include <string.h>
++#include <unistd.h>
+
+ #include <bpf/bpf.h>
+ #include <bpf/libbpf.h>
+@@ -255,6 +256,7 @@ void __test_map_lookup_and_delete_batch(bool is_pcpu)
+ free(visited);
+ if (!is_pcpu)
+ free(values);
++ close(map_fd);
+ }
+
+ void htab_map_batch_ops(void)
+diff --git a/tools/testing/selftests/bpf/map_tests/lpm_trie_map_batch_ops.c b/tools/testing/selftests/bpf/map_tests/lpm_trie_map_batch_ops.c
+index 87d07b596e17..b66d56ddb7ef 100644
+--- a/tools/testing/selftests/bpf/map_tests/lpm_trie_map_batch_ops.c
++++ b/tools/testing/selftests/bpf/map_tests/lpm_trie_map_batch_ops.c
+@@ -7,6 +7,7 @@
+ #include <errno.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <unistd.h>
+
+ #include <bpf/bpf.h>
+ #include <bpf/libbpf.h>
+@@ -150,4 +151,5 @@ void test_lpm_trie_map_batch_ops(void)
+ free(keys);
+ free(values);
+ free(visited);
++ close(map_fd);
+ }
+diff --git a/tools/testing/selftests/bpf/test_maps.c b/tools/testing/selftests/bpf/test_maps.c
+index cbebfaa7c1e8..4d42ffea0038 100644
+--- a/tools/testing/selftests/bpf/test_maps.c
++++ b/tools/testing/selftests/bpf/test_maps.c
+@@ -658,13 +658,13 @@ static void test_sockmap(unsigned int tasks, void *data)
+ {
+ struct bpf_map *bpf_map_rx, *bpf_map_tx, *bpf_map_msg, *bpf_map_break;
+ int map_fd_msg = 0, map_fd_rx = 0, map_fd_tx = 0, map_fd_break;
++ struct bpf_object *parse_obj, *verdict_obj, *msg_obj;
+ int ports[] = {50200, 50201, 50202, 50204};
+ int err, i, fd, udp, sfd[6] = {0xdeadbeef};
+ u8 buf[20] = {0x0, 0x5, 0x3, 0x2, 0x1, 0x0};
+ int parse_prog, verdict_prog, msg_prog;
+ struct sockaddr_in addr;
+ int one = 1, s, sc, rc;
+- struct bpf_object *obj;
+ struct timeval to;
+ __u32 key, value;
+ pid_t pid[tasks];
+@@ -760,6 +760,7 @@ static void test_sockmap(unsigned int tasks, void *data)
+ i, udp);
+ goto out_sockmap;
+ }
++ close(udp);
+
+ /* Test update without programs */
+ for (i = 0; i < 6; i++) {
+@@ -822,27 +823,27 @@ static void test_sockmap(unsigned int tasks, void *data)
+
+ /* Load SK_SKB program and Attach */
+ err = bpf_prog_test_load(SOCKMAP_PARSE_PROG,
+- BPF_PROG_TYPE_SK_SKB, &obj, &parse_prog);
++ BPF_PROG_TYPE_SK_SKB, &parse_obj, &parse_prog);
+ if (err) {
+ printf("Failed to load SK_SKB parse prog\n");
+ goto out_sockmap;
+ }
+
+ err = bpf_prog_test_load(SOCKMAP_TCP_MSG_PROG,
+- BPF_PROG_TYPE_SK_MSG, &obj, &msg_prog);
++ BPF_PROG_TYPE_SK_MSG, &msg_obj, &msg_prog);
+ if (err) {
+ printf("Failed to load SK_SKB msg prog\n");
+ goto out_sockmap;
+ }
+
+ err = bpf_prog_test_load(SOCKMAP_VERDICT_PROG,
+- BPF_PROG_TYPE_SK_SKB, &obj, &verdict_prog);
++ BPF_PROG_TYPE_SK_SKB, &verdict_obj, &verdict_prog);
+ if (err) {
+ printf("Failed to load SK_SKB verdict prog\n");
+ goto out_sockmap;
+ }
+
+- bpf_map_rx = bpf_object__find_map_by_name(obj, "sock_map_rx");
++ bpf_map_rx = bpf_object__find_map_by_name(verdict_obj, "sock_map_rx");
+ if (!bpf_map_rx) {
+ printf("Failed to load map rx from verdict prog\n");
+ goto out_sockmap;
+@@ -854,7 +855,7 @@ static void test_sockmap(unsigned int tasks, void *data)
+ goto out_sockmap;
+ }
+
+- bpf_map_tx = bpf_object__find_map_by_name(obj, "sock_map_tx");
++ bpf_map_tx = bpf_object__find_map_by_name(verdict_obj, "sock_map_tx");
+ if (!bpf_map_tx) {
+ printf("Failed to load map tx from verdict prog\n");
+ goto out_sockmap;
+@@ -866,7 +867,7 @@ static void test_sockmap(unsigned int tasks, void *data)
+ goto out_sockmap;
+ }
+
+- bpf_map_msg = bpf_object__find_map_by_name(obj, "sock_map_msg");
++ bpf_map_msg = bpf_object__find_map_by_name(verdict_obj, "sock_map_msg");
+ if (!bpf_map_msg) {
+ printf("Failed to load map msg from msg_verdict prog\n");
+ goto out_sockmap;
+@@ -878,7 +879,7 @@ static void test_sockmap(unsigned int tasks, void *data)
+ goto out_sockmap;
+ }
+
+- bpf_map_break = bpf_object__find_map_by_name(obj, "sock_map_break");
++ bpf_map_break = bpf_object__find_map_by_name(verdict_obj, "sock_map_break");
+ if (!bpf_map_break) {
+ printf("Failed to load map tx from verdict prog\n");
+ goto out_sockmap;
+@@ -1124,7 +1125,9 @@ static void test_sockmap(unsigned int tasks, void *data)
+ }
+ close(fd);
+ close(map_fd_rx);
+- bpf_object__close(obj);
++ bpf_object__close(parse_obj);
++ bpf_object__close(msg_obj);
++ bpf_object__close(verdict_obj);
+ return;
+ out:
+ for (i = 0; i < 6; i++)
+@@ -1282,8 +1285,11 @@ static void test_map_in_map(void)
+ printf("Inner map mim.inner was not destroyed\n");
+ goto out_map_in_map;
+ }
++
++ close(fd);
+ }
+
++ bpf_object__close(obj);
+ return;
+
+ out_map_in_map:
+--
+2.35.1
+
--- /dev/null
+From de533dd26d836c4341d8ed0c72a628d3f45764d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Sep 2022 21:36:13 +0800
+Subject: selftests/cpu-hotplug: Delete fault injection related code
+
+From: Zhao Gongyi <zhaogongyi@huawei.com>
+
+[ Upstream commit 195d74be717af14e5991f818f73f067367bfc1ed ]
+
+Delete fault injection related code since the module has been deleted.
+
+Signed-off-by: Zhao Gongyi <zhaogongyi@huawei.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Stable-dep-of: 51d4c851465c ("selftests/cpu-hotplug: Reserve one cpu online at least")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/cpu-hotplug/config | 1 -
+ .../selftests/cpu-hotplug/cpu-on-off-test.sh | 87 ++-----------------
+ 2 files changed, 6 insertions(+), 82 deletions(-)
+ delete mode 100644 tools/testing/selftests/cpu-hotplug/config
+
+diff --git a/tools/testing/selftests/cpu-hotplug/config b/tools/testing/selftests/cpu-hotplug/config
+deleted file mode 100644
+index d4aca2ad5069..000000000000
+--- a/tools/testing/selftests/cpu-hotplug/config
++++ /dev/null
+@@ -1 +0,0 @@
+-CONFIG_NOTIFIER_ERROR_INJECTION=y
+diff --git a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
+index 940b68c940bb..32ec7e4489ee 100755
+--- a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
++++ b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
+@@ -116,10 +116,10 @@ online_cpu_expect_fail()
+
+ if online_cpu $cpu 2> /dev/null; then
+ echo $FUNCNAME $cpu: unexpected success >&2
+- exit 1
++ retval=1
+ elif ! cpu_is_offline $cpu; then
+ echo $FUNCNAME $cpu: unexpected online >&2
+- exit 1
++ retval=1
+ fi
+ }
+
+@@ -142,16 +142,14 @@ offline_cpu_expect_fail()
+
+ if offline_cpu $cpu 2> /dev/null; then
+ echo $FUNCNAME $cpu: unexpected success >&2
+- exit 1
++ retval=1
+ elif ! cpu_is_online $cpu; then
+ echo $FUNCNAME $cpu: unexpected offline >&2
+- exit 1
++ retval=1
+ fi
+ }
+
+-error=-12
+ allcpus=0
+-priority=0
+ online_cpus=0
+ online_max=0
+ offline_cpus=0
+@@ -159,31 +157,20 @@ offline_max=0
+ present_cpus=0
+ present_max=0
+
+-while getopts e:ahp: opt; do
++while getopts ah opt; do
+ case $opt in
+- e)
+- error=$OPTARG
+- ;;
+ a)
+ allcpus=1
+ ;;
+ h)
+- echo "Usage $0 [ -a ] [ -e errno ] [ -p notifier-priority ]"
++ echo "Usage $0 [ -a ]"
+ echo -e "\t default offline one cpu"
+ echo -e "\t run with -a option to offline all cpus"
+ exit
+ ;;
+- p)
+- priority=$OPTARG
+- ;;
+ esac
+ done
+
+-if ! [ "$error" -ge -4095 -a "$error" -lt 0 ]; then
+- echo "error code must be -4095 <= errno < 0" >&2
+- exit 1
+-fi
+-
+ prerequisite
+
+ #
+@@ -231,66 +218,4 @@ for cpu in `hotplaggable_offline_cpus`; do
+ online_cpu_expect_success $cpu
+ done
+
+-#
+-# Test with cpu notifier error injection
+-#
+-
+-DEBUGFS=`mount -t debugfs | head -1 | awk '{ print $3 }'`
+-NOTIFIER_ERR_INJECT_DIR=$DEBUGFS/notifier-error-inject/cpu
+-
+-prerequisite_extra()
+-{
+- msg="skip extra tests:"
+-
+- /sbin/modprobe -q -r cpu-notifier-error-inject
+- /sbin/modprobe -q cpu-notifier-error-inject priority=$priority
+-
+- if [ ! -d "$DEBUGFS" ]; then
+- echo $msg debugfs is not mounted >&2
+- exit $ksft_skip
+- fi
+-
+- if [ ! -d $NOTIFIER_ERR_INJECT_DIR ]; then
+- echo $msg cpu-notifier-error-inject module is not available >&2
+- exit $ksft_skip
+- fi
+-}
+-
+-prerequisite_extra
+-
+-#
+-# Offline all hot-pluggable CPUs
+-#
+-echo 0 > $NOTIFIER_ERR_INJECT_DIR/actions/CPU_DOWN_PREPARE/error
+-for cpu in `hotpluggable_online_cpus`; do
+- offline_cpu_expect_success $cpu
+-done
+-
+-#
+-# Test CPU hot-add error handling (offline => online)
+-#
+-echo $error > $NOTIFIER_ERR_INJECT_DIR/actions/CPU_UP_PREPARE/error
+-for cpu in `hotplaggable_offline_cpus`; do
+- online_cpu_expect_fail $cpu
+-done
+-
+-#
+-# Online all hot-pluggable CPUs
+-#
+-echo 0 > $NOTIFIER_ERR_INJECT_DIR/actions/CPU_UP_PREPARE/error
+-for cpu in `hotplaggable_offline_cpus`; do
+- online_cpu_expect_success $cpu
+-done
+-
+-#
+-# Test CPU hot-remove error handling (online => offline)
+-#
+-echo $error > $NOTIFIER_ERR_INJECT_DIR/actions/CPU_DOWN_PREPARE/error
+-for cpu in `hotpluggable_online_cpus`; do
+- offline_cpu_expect_fail $cpu
+-done
+-
+-echo 0 > $NOTIFIER_ERR_INJECT_DIR/actions/CPU_DOWN_PREPARE/error
+-/sbin/modprobe -q -r cpu-notifier-error-inject
+-
+ exit $retval
+--
+2.35.1
+
--- /dev/null
+From 2a82b1166fcfd1a445e2a9afc5d6a1f498747df5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Sep 2022 21:36:14 +0800
+Subject: selftests/cpu-hotplug: Reserve one cpu online at least
+
+From: Zhao Gongyi <zhaogongyi@huawei.com>
+
+[ Upstream commit 51d4c851465c32143d9c7b1cfb46fc581922b116 ]
+
+Considering that we can not offline all cpus in any cases,
+we need to reserve one cpu online when the test offline all
+hotpluggable online cpus, otherwise the test will fail forever.
+
+Fixes: d89dffa976bc ("fault-injection: add selftests for cpu and memory hotplug")
+
+Signed-off-by: Zhao Gongyi <zhaogongyi@huawei.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/cpu-hotplug/cpu-on-off-test.sh | 40 ++++++++++---------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+
+diff --git a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
+index 32ec7e4489ee..4c1d6d9abecc 100755
+--- a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
++++ b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
+@@ -149,6 +149,25 @@ offline_cpu_expect_fail()
+ fi
+ }
+
++online_all_hot_pluggable_cpus()
++{
++ for cpu in `hotplaggable_offline_cpus`; do
++ online_cpu_expect_success $cpu
++ done
++}
++
++offline_all_hot_pluggable_cpus()
++{
++ local reserve_cpu=$online_max
++ for cpu in `hotpluggable_online_cpus`; do
++ # Reserve one cpu oneline at least.
++ if [ $cpu -eq $reserve_cpu ];then
++ continue
++ fi
++ offline_cpu_expect_success $cpu
++ done
++}
++
+ allcpus=0
+ online_cpus=0
+ online_max=0
+@@ -197,25 +216,10 @@ else
+ echo -e "\t online all offline cpus"
+ fi
+
+-#
+-# Online all hot-pluggable CPUs
+-#
+-for cpu in `hotplaggable_offline_cpus`; do
+- online_cpu_expect_success $cpu
+-done
++online_all_hot_pluggable_cpus
+
+-#
+-# Offline all hot-pluggable CPUs
+-#
+-for cpu in `hotpluggable_online_cpus`; do
+- offline_cpu_expect_success $cpu
+-done
++offline_all_hot_pluggable_cpus
+
+-#
+-# Online all hot-pluggable CPUs again
+-#
+-for cpu in `hotplaggable_offline_cpus`; do
+- online_cpu_expect_success $cpu
+-done
++online_all_hot_pluggable_cpus
+
+ exit $retval
+--
+2.35.1
+
--- /dev/null
+From 4a91b8f907ddb37984a66b44a8a6f20dfb155db7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Sep 2022 21:36:12 +0800
+Subject: selftests/cpu-hotplug: Use return instead of exit
+
+From: Zhao Gongyi <zhaogongyi@huawei.com>
+
+[ Upstream commit 972cf4ce51ef5532d56822af17defb148aac0ccb ]
+
+Some cpus will be left in offline state when online
+function exits in some error conditions. Use return
+instead of exit to fix it.
+
+Signed-off-by: Zhao Gongyi <zhaogongyi@huawei.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Stable-dep-of: 51d4c851465c ("selftests/cpu-hotplug: Reserve one cpu online at least")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/cpu-hotplug/cpu-on-off-test.sh | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
+index 0d26b5e3f966..940b68c940bb 100755
+--- a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
++++ b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
+@@ -4,6 +4,7 @@
+ SYSFS=
+ # Kselftest framework requirement - SKIP code is 4.
+ ksft_skip=4
++retval=0
+
+ prerequisite()
+ {
+@@ -102,10 +103,10 @@ online_cpu_expect_success()
+
+ if ! online_cpu $cpu; then
+ echo $FUNCNAME $cpu: unexpected fail >&2
+- exit 1
++ retval=1
+ elif ! cpu_is_online $cpu; then
+ echo $FUNCNAME $cpu: unexpected offline >&2
+- exit 1
++ retval=1
+ fi
+ }
+
+@@ -128,10 +129,10 @@ offline_cpu_expect_success()
+
+ if ! offline_cpu $cpu; then
+ echo $FUNCNAME $cpu: unexpected fail >&2
+- exit 1
++ retval=1
+ elif ! cpu_is_offline $cpu; then
+ echo $FUNCNAME $cpu: unexpected offline >&2
+- exit 1
++ retval=1
+ fi
+ }
+
+@@ -201,7 +202,7 @@ if [ $allcpus -eq 0 ]; then
+ offline_cpu_expect_success $present_max
+ online_cpu $present_max
+ fi
+- exit 0
++ exit $retval
+ else
+ echo "Full scope test: all hotplug cpus"
+ echo -e "\t online all offline cpus"
+@@ -291,3 +292,5 @@ done
+
+ echo 0 > $NOTIFIER_ERR_INJECT_DIR/actions/CPU_DOWN_PREPARE/error
+ /sbin/modprobe -q -r cpu-notifier-error-inject
++
++exit $retval
+--
+2.35.1
+
--- /dev/null
+From 785bb909c3ea8e8a4e94cbf9c2a338ff0a31e6d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Aug 2022 12:19:29 -0700
+Subject: selftests/vm: use top_srcdir instead of recomputing relative paths
+
+From: Axel Rasmussen <axelrasmussen@google.com>
+
+[ Upstream commit 0e29bc0ebaabf4e5270a23fd5ccce06fac3e140d ]
+
+In various places both in t/t/s/v/Makefile as well as some of the test
+sources, we were referring to headers or directories using some fairly
+long relative paths.
+
+Since we have a working top_srcdir variable though, which refers to the
+root of the kernel tree, we can clean up all of these "up and over"
+relative paths, just relying on the single variable instead.
+
+Signed-off-by: Axel Rasmussen <axelrasmussen@google.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Stable-dep-of: 51d4c851465c ("selftests/cpu-hotplug: Reserve one cpu online at least")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vm/Makefile | 2 +-
+ tools/testing/selftests/vm/gup_test.c | 2 +-
+ tools/testing/selftests/vm/hmm-tests.c | 4 ++--
+ tools/testing/selftests/vm/ksm_tests.c | 2 +-
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/tools/testing/selftests/vm/Makefile b/tools/testing/selftests/vm/Makefile
+index d9fa6a9ea584..d516b8c38eed 100644
+--- a/tools/testing/selftests/vm/Makefile
++++ b/tools/testing/selftests/vm/Makefile
+@@ -25,7 +25,7 @@ MACHINE ?= $(shell echo $(uname_M) | sed -e 's/aarch64.*/arm64/' -e 's/ppc64.*/p
+ # LDLIBS.
+ MAKEFLAGS += --no-builtin-rules
+
+-CFLAGS = -Wall -I ../../../../usr/include $(EXTRA_CFLAGS) $(KHDR_INCLUDES)
++CFLAGS = -Wall -I $(top_srcdir) -I $(top_srcdir)/usr/include $(EXTRA_CFLAGS) $(KHDR_INCLUDES)
+ LDLIBS = -lrt -lpthread
+ TEST_GEN_FILES = compaction_test
+ TEST_GEN_FILES += gup_test
+diff --git a/tools/testing/selftests/vm/gup_test.c b/tools/testing/selftests/vm/gup_test.c
+index a309876d832f..e43879291dac 100644
+--- a/tools/testing/selftests/vm/gup_test.c
++++ b/tools/testing/selftests/vm/gup_test.c
+@@ -10,7 +10,7 @@
+ #include <sys/types.h>
+ #include <pthread.h>
+ #include <assert.h>
+-#include "../../../../mm/gup_test.h"
++#include <mm/gup_test.h>
+ #include "../kselftest.h"
+
+ #include "util.h"
+diff --git a/tools/testing/selftests/vm/hmm-tests.c b/tools/testing/selftests/vm/hmm-tests.c
+index 529f53b40296..98b949c279be 100644
+--- a/tools/testing/selftests/vm/hmm-tests.c
++++ b/tools/testing/selftests/vm/hmm-tests.c
+@@ -35,8 +35,8 @@
+ * This is a private UAPI to the kernel test module so it isn't exported
+ * in the usual include/uapi/... directory.
+ */
+-#include "../../../../lib/test_hmm_uapi.h"
+-#include "../../../../mm/gup_test.h"
++#include <lib/test_hmm_uapi.h>
++#include <mm/gup_test.h>
+
+ struct hmm_buffer {
+ void *ptr;
+diff --git a/tools/testing/selftests/vm/ksm_tests.c b/tools/testing/selftests/vm/ksm_tests.c
+index f5e4e0bbd081..0d85be2350fa 100644
+--- a/tools/testing/selftests/vm/ksm_tests.c
++++ b/tools/testing/selftests/vm/ksm_tests.c
+@@ -11,7 +11,7 @@
+ #include <err.h>
+
+ #include "../kselftest.h"
+-#include "../../../../include/vdso/time64.h"
++#include <include/vdso/time64.h>
+ #include "util.h"
+
+ #define KSM_SYSFS_PATH "/sys/kernel/mm/ksm/"
+--
+2.35.1
+
--- /dev/null
+From 5cc397acdb0bb8ad4f18bf8e1526cabd291e3085 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 15:39:05 +0200
+Subject: selftests/xsk: Add missing close() on netns fd
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 8a7d61bdc2fac2c460a2f32a062f5c6dbd21a764 ]
+
+Commit 1034b03e54ac ("selftests: xsk: Simplify cleanup of ifobjects")
+removed close on netns fd, which is not correct, so let us restore it.
+
+Fixes: 1034b03e54ac ("selftests: xsk: Simplify cleanup of ifobjects")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Link: https://lore.kernel.org/bpf/20220830133905.9945-1-maciej.fijalkowski@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/xskxceiver.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/xskxceiver.c b/tools/testing/selftests/bpf/xskxceiver.c
+index 74d56d971baf..091402dc5390 100644
+--- a/tools/testing/selftests/bpf/xskxceiver.c
++++ b/tools/testing/selftests/bpf/xskxceiver.c
+@@ -1606,6 +1606,8 @@ static struct ifobject *ifobject_create(void)
+ if (!ifobj->umem)
+ goto out_umem;
+
++ ifobj->ns_fd = -1;
++
+ return ifobj;
+
+ out_umem:
+@@ -1617,6 +1619,8 @@ static struct ifobject *ifobject_create(void)
+
+ static void ifobject_delete(struct ifobject *ifobj)
+ {
++ if (ifobj->ns_fd != -1)
++ close(ifobj->ns_fd);
+ free(ifobj->umem);
+ free(ifobj->xsk_arr);
+ free(ifobj);
+--
+2.35.1
+
--- /dev/null
+From a51727d28f1f646ecee1bdfd00a477cdf9f36952 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 13:26:45 -0700
+Subject: selftests/xsk: Avoid use-after-free on ctx
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit af515a5587b8f45f19e11657746e0c89411b0380 ]
+
+The put lowers the reference count to 0 and frees ctx, reading it
+afterwards is invalid. Move the put after the uses and determine the
+last use by the reference count being 1.
+
+Fixes: 39e940d4abfa ("selftests/xsk: Destroy BPF resources only when ctx refcount drops to 0")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Link: https://lore.kernel.org/bpf/20220901202645.1463552-1-irogers@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/xsk.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/xsk.c b/tools/testing/selftests/bpf/xsk.c
+index f2721a4ae7c5..0b3ff49c740d 100644
+--- a/tools/testing/selftests/bpf/xsk.c
++++ b/tools/testing/selftests/bpf/xsk.c
+@@ -1237,15 +1237,15 @@ void xsk_socket__delete(struct xsk_socket *xsk)
+ ctx = xsk->ctx;
+ umem = ctx->umem;
+
+- xsk_put_ctx(ctx, true);
+-
+- if (!ctx->refcount) {
++ if (ctx->refcount == 1) {
+ xsk_delete_bpf_maps(xsk);
+ close(ctx->prog_fd);
+ if (ctx->has_bpf_link)
+ close(ctx->link_fd);
+ }
+
++ xsk_put_ctx(ctx, true);
++
+ err = xsk_get_mmap_offsets(xsk->fd, &off);
+ if (!err) {
+ if (xsk->rx) {
+--
+2.35.1
+
--- /dev/null
+From 4cbe76b02ec6f46cb4bfd40391dc00f7dd7ca181 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Sep 2022 12:43:24 +0200
+Subject: serial: 8250: Fix restoring termios speed after suspend
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 379a33786d489ab81885ff0b3935cfeb36137fea ]
+
+Since commit edc6afc54968 ("tty: switch to ktermios and new framework")
+termios speed is no longer stored only in c_cflag member but also in new
+additional c_ispeed and c_ospeed members. If BOTHER flag is set in c_cflag
+then termios speed is stored only in these new members.
+
+Since commit 027b57170bf8 ("serial: core: Fix initializing and restoring
+termios speed") termios speed is available also in struct console.
+
+So properly restore also c_ispeed and c_ospeed members after suspend to fix
+restoring termios speed which is not represented by Bnnn constant.
+
+Fixes: 4516d50aabed ("serial: 8250: Use canary to restart console after suspend")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Link: https://lore.kernel.org/r/20220924104324.4035-1-pali@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_port.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
+index ec7dca43619f..2030a92ac66e 100644
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -3319,8 +3319,13 @@ static void serial8250_console_restore(struct uart_8250_port *up)
+ unsigned int baud, quot, frac = 0;
+
+ termios.c_cflag = port->cons->cflag;
+- if (port->state->port.tty && termios.c_cflag == 0)
++ termios.c_ispeed = port->cons->ispeed;
++ termios.c_ospeed = port->cons->ospeed;
++ if (port->state->port.tty && termios.c_cflag == 0) {
+ termios.c_cflag = port->state->port.tty->termios.c_cflag;
++ termios.c_ispeed = port->state->port.tty->termios.c_ispeed;
++ termios.c_ospeed = port->state->port.tty->termios.c_ospeed;
++ }
+
+ baud = serial8250_get_baud_rate(port, &termios, NULL);
+ quot = serial8250_get_divisor(port, baud, &frac);
+--
+2.35.1
+
--- /dev/null
+From 70fbb4f9862b8c4b6ce38ec20aba7420f6248e92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 10:00:05 +0300
+Subject: serial: 8250: Toggle IER bits on only after irq has been set up
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit 039d4926379b1d1c17b51cf21c500a5eed86899e ]
+
+Invoking TIOCVHANGUP on 8250_mid port on Ice Lake-D and then reopening
+the port triggers these faults during serial8250_do_startup():
+
+ DMAR: DRHD: handling fault status reg 3
+ DMAR: [DMA Write NO_PASID] Request device [00:1a.0] fault addr 0x0 [fault reason 0x05] PTE Write access is not set
+
+If the IRQ hasn't been set up yet, the UART will have zeroes in its MSI
+address/data registers. Disabling the IRQ at the interrupt controller
+won't stop the UART from performing a DMA write to the address programmed
+in its MSI address register (zero) when it wants to signal an interrupt.
+
+The UARTs (in Ice Lake-D) implement PCI 2.1 style MSI without masking
+capability, so there is no way to mask the interrupt at the source PCI
+function level, except disabling the MSI capability entirely, but that
+would cause it to fall back to INTx# assertion, and the PCI specification
+prohibits disabling the MSI capability as a way to mask a function's
+interrupt service request.
+
+The MSI address register is zeroed by the hangup as the irq is freed.
+The interrupt is signalled during serial8250_do_startup() performing a
+THRE test that temporarily toggles THRI in IER. The THRE test currently
+occurs before UART's irq (and MSI address) is properly set up.
+
+Refactor serial8250_do_startup() such that irq is set up before the
+THRE test. The current irq setup code is intermixed with the timer
+setup code. As THRE test must be performed prior to the timer setup,
+extract it into own function and call it only after the THRE test.
+
+The ->setup_timer() needs to be part of the struct uart_8250_ops in
+order to not create circular dependency between 8250 and 8250_base
+modules.
+
+Fixes: 40b36daad0ac ("[PATCH] 8250 UART backup timer")
+Reported-by: Lennert Buytenhek <buytenh@arista.com>
+Tested-by: Lennert Buytenhek <buytenh@arista.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20220922070005.2965-1-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_core.c | 16 +++++++++++-----
+ drivers/tty/serial/8250/8250_port.c | 8 +++++---
+ include/linux/serial_8250.h | 1 +
+ 3 files changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c
+index 2e83e7367441..94fbf0add2ce 100644
+--- a/drivers/tty/serial/8250/8250_core.c
++++ b/drivers/tty/serial/8250/8250_core.c
+@@ -298,10 +298,9 @@ static void serial8250_backup_timeout(struct timer_list *t)
+ jiffies + uart_poll_timeout(&up->port) + HZ / 5);
+ }
+
+-static int univ8250_setup_irq(struct uart_8250_port *up)
++static void univ8250_setup_timer(struct uart_8250_port *up)
+ {
+ struct uart_port *port = &up->port;
+- int retval = 0;
+
+ /*
+ * The above check will only give an accurate result the first time
+@@ -322,10 +321,16 @@ static int univ8250_setup_irq(struct uart_8250_port *up)
+ */
+ if (!port->irq)
+ mod_timer(&up->timer, jiffies + uart_poll_timeout(port));
+- else
+- retval = serial_link_irq_chain(up);
++}
+
+- return retval;
++static int univ8250_setup_irq(struct uart_8250_port *up)
++{
++ struct uart_port *port = &up->port;
++
++ if (port->irq)
++ return serial_link_irq_chain(up);
++
++ return 0;
+ }
+
+ static void univ8250_release_irq(struct uart_8250_port *up)
+@@ -381,6 +386,7 @@ static struct uart_ops univ8250_port_ops;
+ static const struct uart_8250_ops univ8250_driver_ops = {
+ .setup_irq = univ8250_setup_irq,
+ .release_irq = univ8250_release_irq,
++ .setup_timer = univ8250_setup_timer,
+ };
+
+ static struct uart_8250_port serial8250_ports[UART_NR];
+diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
+index 6a9d3c8ffa56..ec7dca43619f 100644
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -2300,6 +2300,10 @@ int serial8250_do_startup(struct uart_port *port)
+ if (port->irq && (up->port.flags & UPF_SHARE_IRQ))
+ up->port.irqflags |= IRQF_SHARED;
+
++ retval = up->ops->setup_irq(up);
++ if (retval)
++ goto out;
++
+ if (port->irq && !(up->port.flags & UPF_NO_THRE_TEST)) {
+ unsigned char iir1;
+
+@@ -2342,9 +2346,7 @@ int serial8250_do_startup(struct uart_port *port)
+ }
+ }
+
+- retval = up->ops->setup_irq(up);
+- if (retval)
+- goto out;
++ up->ops->setup_timer(up);
+
+ /*
+ * Now, initialize the UART
+diff --git a/include/linux/serial_8250.h b/include/linux/serial_8250.h
+index 8c7b793aa4d7..16e3d75a324c 100644
+--- a/include/linux/serial_8250.h
++++ b/include/linux/serial_8250.h
+@@ -74,6 +74,7 @@ struct uart_8250_port;
+ struct uart_8250_ops {
+ int (*setup_irq)(struct uart_8250_port *);
+ void (*release_irq)(struct uart_8250_port *);
++ void (*setup_timer)(struct uart_8250_port *);
+ };
+
+ struct uart_8250_em485 {
+--
+2.35.1
+
drm-amdgpu-enable-f32_wptr_poll_enable-in-mqd.patch
smb3-must-initialize-two-acl-struct-fields-to-zero.patch
selinux-use-grep-e-instead-of-egrep.patch
+ima-fix-blocking-of-security.ima-xattrs-of-unsupport.patch
+userfaultfd-open-userfaultfds-with-o_rdonly.patch
+ntfs3-rework-xattr-handlers-and-switch-to-posix-acl-.patch
+acl-return-eopnotsupp-in-posix_acl_fix_xattr_common.patch
+thermal-cpufreq_cooling-check-the-policy-first-in-cp.patch
+cpufreq-amd-pstate-fix-initial-highest_perf-value.patch
+sh-machvec-use-char-for-section-boundaries.patch
+mips-sgi-ip30-fix-platform-device-leak-in-bridge_pla.patch
+mips-sgi-ip27-fix-platform-device-leak-in-bridge_pla.patch
+erofs-fix-order-max_order-warning-due-to-crafted-neg.patch
+erofs-use-kill_anon_super-to-kill-super-in-fscache-m.patch
+fscrypt-stop-using-keyrings-subsystem-for-fscrypt_ma.patch
+arm-9243-1-riscpc-unbreak-the-build.patch
+arm-9244-1-dump-fix-wrong-pg_level-in-walk_pmd.patch
+arm-9247-1-mm-set-readonly-for-mt_memory_ro-with-arm.patch
+acpi-pcc-release-resources-on-address-space-setup-fa.patch
+acpi-pcc-replace-wait_for_completion.patch
+acpi-pcc-fix-tx-acknowledge-in-the-pcc-address-space.patch
+objtool-preserve-special-st_shndx-indexes-in-elf_upd.patch
+nfsd-move-from-strlcpy-with-unused-retval-to-strscpy.patch
+nfsd-fix-a-memory-leak-in-an-error-handling-path.patch
+sunrpc-fix-svcxdr_init_decode-s-end-of-buffer-calcul.patch
+sunrpc-fix-svcxdr_init_encode-s-buflen-calculation.patch
+nfsd-protect-against-send-buffer-overflow-in-nfsv2-r.patch
+nfsd-fix-handling-of-oversized-nfsv4-compound-reques.patch
+x86-paravirt-add-extra-clobbers-with-zero_call_used_.patch
+m68k-process-bootinfo-records-before-saving-them.patch
+libbpf-skip-empty-sections-in-bpf_object__init_globa.patch
+libbpf-initialize-err-in-probe_map_create.patch
+wifi-rtw88-8822c-extend-supported-probe-request-size.patch
+wifi-rtlwifi-8192de-correct-checking-of-iqk-reload.patch
+wifi-ath10k-set-tx-credit-to-one-for-wcn3990-snoc-ba.patch
+wifi-ath10k-add-peer-map-clean-up-for-peer-delete-in.patch
+bpf-cleanup-check_refcount_ok.patch
+bpf-fix-ref_obj_id-for-dynptr-data-slices-in-verifie.patch
+spi-s3c64xx-correct-dma_chan-pointer-initialization.patch
+leds-lm3601x-don-t-use-mutex-after-it-was-destroyed.patch
+libbpf-fix-potential-null-dereference-when-parsing-e.patch
+tsnep-fix-tsnep_info_tx_time-register-define.patch
+net-prestera-cache-port-state-for-non-phylink-ports-.patch
+bpf-fix-reference-state-management-for-synchronous-c.patch
+wifi-mac80211-properly-set-old_links-when-removing-a.patch
+wifi-cfg80211-get-correct-ap-link-chandef.patch
+wifi-mac80211-fix-use-after-free.patch
+wifi-mac80211-mlme-don-t-add-empty-eml-capabilities.patch
+wifi-mac80211_hwsim-fix-link-change-handling.patch
+wifi-mac80211-allow-bw-change-during-channel-switch-.patch
+bpftool-fix-a-wrong-type-cast-in-btf_dumper_int.patch
+ice-set-tx_tstamps-when-creating-new-tx-rings-via-et.patch
+audit-explicitly-check-audit_context-context-enum-va.patch
+audit-free-audit_proctitle-only-on-task-exit.patch
+esp-choose-the-correct-inner-protocol-for-gso-on-int.patch
+spi-mt7621-fix-an-error-message-in-mt7621_spi_probe.patch
+x86-resctrl-fix-to-restore-to-original-value-when-re.patch
+xsk-fix-backpressure-mechanism-on-tx.patch
+selftests-xsk-add-missing-close-on-netns-fd.patch
+bpf-disable-preemption-when-increasing-per-cpu-map_l.patch
+bpf-propagate-error-from-htab_lock_bucket-to-userspa.patch
+wifi-ath11k-fix-incorrect-qmi-message-id-mappings.patch
+bpf-use-this_cpu_-inc-dec-inc_return-for-bpf_task_st.patch
+bpf-use-this_cpu_-inc_return-dec-for-prog-active.patch
+bluetooth-btusb-mediatek-fix-wmt-failure-during-runt.patch
+bpf-only-add-btf-ids-for-socket-security-hooks-when-.patch
+wifi-rtw89-pci-fix-interrupt-stuck-after-leaving-low.patch
+wifi-rtw89-pci-correct-tx-resource-checking-in-low-p.patch
+wifi-rtl8xxxu-tighten-bounds-checking-in-rtl8xxxu_re.patch
+wifi-wfx-prevent-underflow-in-wfx_send_pds.patch
+wifi-rtw88-add-missing-destroy_workqueue-on-error-pa.patch
+selftests-xsk-avoid-use-after-free-on-ctx.patch
+wifi-mac80211-mlme-assign-link-address-correctly.patch
+spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch
+spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch-31329
+can-rx-offload-can_rx_offload_init_queue-fix-typo.patch
+wifi-rtl8xxxu-fix-skb-misuse-in-tx-queue-selection.patch
+spi-meson-spicc-do-not-rely-on-busy-flag-in-pow2-clk.patch
+bpf-btf-fix-truncated-last_member_type_id-in-btf_str.patch
+wifi-rtl8xxxu-gen2-fix-mistake-in-path-b-iq-calibrat.patch
+wifi-rtl8xxxu-remove-copy-paste-leftover-in-gen2_upd.patch
+bluetooth-avoid-hci_dev_test_and_set_flag-in-mgmt_in.patch
+wifi-mt76-mt7921e-fix-race-issue-between-reset-and-s.patch
+wifi-mt76-mt7921s-fix-race-issue-between-reset-and-s.patch
+wifi-mt76-mt7921u-fix-race-issue-between-reset-and-s.patch
+wifi-mt76-sdio-fix-the-deadlock-caused-by-sdio-stat_.patch
+wifi-mt76-sdio-poll-sta-stat-when-device-transmits-d.patch
+wifi-mt76-mt7915-fix-an-uninitialized-variable-bug.patch
+wifi-mt76-mt7921-fix-use-after-free-in-mt7921_acpi_r.patch
+wifi-mt76-sdio-fix-transmitting-packet-hangs.patch
+wifi-mt76-mt7615-add-mt7615_mutex_acquire-release-in.patch
+wifi-mt76-mt7915-fix-possible-unaligned-access-in-mt.patch
+wifi-mt76-connac-fix-possible-unaligned-access-in-mt.patch
+wifi-mt76-mt7921-add-mt7921_mutex_acquire-at-mt7921_.patch
+wifi-mt76-mt7921-add-mt7921_mutex_acquire-at-mt7921_.patch-31950
+wifi-mt76-mt7921-fix-the-firmware-version-report.patch
+wifi-mt76-mt7915-fix-mcs-value-in-ht-mode.patch
+wifi-mt76-fix-uninitialized-pointer-in-mt7921_mac_fi.patch
+wifi-mt76-mt7915-do-not-check-state-before-configuri.patch
+wifi-mt76-mt7921e-fix-rmmod-crash-in-driver-reload-t.patch
+bluetooth-rfcomm-fix-possible-deadlock-on-socket-shu.patch
+net-fs_enet-fix-wrong-check-in-do_pd_setup.patch
+bpf-ensure-correct-locking-around-vulnerable-functio.patch
+libbpf-fix-crash-if-sec-freplace-programs-don-t-have.patch
+wifi-ath11k-include-sta_keepalive_arp_response-tlv-h.patch
+bluetooth-hci_-ldisc-serdev-check-percpu_init_rwsem-.patch
+libbpf-fix-null-pointer-exception-in-api-btf_dump__d.patch
+netfilter-conntrack-fix-the-gc-rescheduling-delay.patch
+netfilter-conntrack-revisit-the-gc-initial-reschedul.patch
+bpf-cgroup-reject-prog_attach_flags-array-when-effec.patch
+bpftool-fix-wrong-cgroup-attach-flags-being-assigned.patch
+selftests-bpf-adapt-cgroup-effective-query-uapi-chan.patch
+flow_dissector-do-not-count-vlan-tags-inside-tunnel-.patch
+mwifiex-fix-sleep-in-atomic-context-bugs-caused-by-d.patch
+wifi-ath11k-fix-failed-to-find-the-peer-with-peer_id.patch
+wifi-ath11k-fix-number-of-vht-beamformee-spatial-str.patch
+mips-dts-ralink-mt7621-fix-external-phy-on-gb-pc2.patch
+x86-microcode-amd-track-patch-allocation-size-explic.patch
+libbpf-restore-memory-layout-of-bpf_object_open_opts.patch
+wifi-ath11k-fix-peer-addition-deletion-error-on-sta-.patch
+x86-boot-remove-superfluous-type-casting-from-arch-x.patch
+x86-cpu-include-the-header-of-init_ia32_feat_ctl-s-p.patch
+spi-cadence-quadspi-fix-pm-disable-depth-imbalance-i.patch
+spi-dw-fix-pm-disable-depth-imbalance-in-dw_spi_bt1_.patch
+spi-omap100k-fix-pm-disable-depth-imbalance-in-omap1.patch
+skmsg-schedule-psock-work-if-the-cached-skb-exists-o.patch
+cw1200-fix-incorrect-check-to-determine-if-no-elemen.patch
+libbpf-don-t-require-full-struct-enum64-in-uapi-head.patch
+i2c-mlxbf-support-lock-mechanism.patch
+bluetooth-hci_core-fix-not-handling-link-timeouts-pr.patch
+xfrm-reinject-transport-mode-packets-through-workque.patch
+netfilter-nft_fib-fix-for-rpath-check-with-vrf-devic.patch
+spi-s3c64xx-fix-large-transfers-with-dma.patch
+bluetooth-prevent-double-register-of-suspend.patch
+wifi-rtl8xxxu-gen2-enable-40-mhz-channel-width.patch
+wifi-rtl8xxxu-fix-aifs-written-to-reg_edca_-_param.patch
+vhost-vsock-use-kvmalloc-kvfree-for-larger-packets.patch
+eth-alx-take-rtnl_lock-on-resume.patch
+misdn-fix-use-after-free-bugs-in-l1oip-timer-handler.patch
+sctp-handle-the-error-returned-from-sctp_auth_asoc_i.patch
+tcp-fix-tcp_cwnd_validate-to-not-forget-is_cwnd_limi.patch
+spi-ensure-that-sg_table-won-t-be-used-after-being-f.patch
+bluetooth-hci_sync-fix-not-indicating-power-state.patch
+hwmon-pmbus-mp2888-fix-sensors-readouts-for-mps-mult.patch
+net-rds-don-t-hold-sock-lock-when-cancelling-work-fr.patch
+af_unix-fix-memory-leaks-of-the-whole-sk-due-to-oob-.patch
+net-prestera-acl-add-check-for-kmemdup.patch
+eth-lan743x-reject-extts-for-non-pci11x1x-devices.patch
+bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch
+eth-sp7021-fix-use-after-free-bug-in-spl2sw_nvmem_ge.patch
+net-wwan-iosm-call-mutex_init-before-locking-it.patch
+net-ieee802154-reject-zero-sized-raw_sendmsg.patch
+once-add-do_once_slow-for-sleepable-contexts.patch
+net-mvpp2-fix-mvpp2-debugfs-leak.patch
+drm-bridge-adv7511-fix-cec-power-down-control-regist.patch
+drm-bridge-adv7511-unregister-cec-i2c-device-after-c.patch
+drm-bridge-avoid-uninitialized-variable-warning.patch
+drm-mipi-dsi-detach-devices-when-removing-the-host.patch
+drm-vc4-drv-call-component_unbind_all.patch
+drm-bridge-it6505-power-on-downstream-device-in-.ato.patch
+video-aperture-disable-and-unregister-sysfb-devices-.patch
+drm-virtio-correct-drm_gem_shmem_get_sg_table-error-.patch
+drm-bridge-anx7625-fix-refcount-bug-in-anx7625_parse.patch
+drm-bridge-tc358767-add-of_node_put-when-breaking-ou.patch
+drm-i915-reset-handle-reset-timeouts-under-unrelated.patch
+drm-bridge-parade-ps8640-fix-regulator-supply-order.patch
+drm-format-helper-fix-test-on-big-endian-architectur.patch
+drm-dp_mst-fix-drm_dp_dpcd_read-return-value-checks.patch
+drm-pl111-add-of_node_put-when-breaking-out-of-for_e.patch
+asoc-mt6359-fix-tests-for-platform_get_irq-failure.patch
+asoc-amd-acp-add-missing-platform_device_unregister-.patch
+drm-msm-make-.remove-and-.shutdown-hw-shutdown-consi.patch
+platform-chrome-fix-double-free-in-chromeos_laptop_p.patch
+platform-chrome-fix-memory-corruption-in-ioctl.patch
+drm-i915-dg2-bump-up-cdclk-for-dg2.patch
+drm-vc4-txp-protect-device-resources.patch
+drm-virtio-fix-same-context-optimization.patch
+asoc-soc-pcm.c-call-__soc_pcm_close-in-soc_pcm_close.patch
+asoc-tas2764-allow-mono-streams.patch
+asoc-tas2764-drop-conflicting-set_bias_level-power-s.patch
+asoc-tas2764-fix-mute-unmute.patch
+platform-x86-msi-laptop-fix-old-ec-check-for-backlig.patch
+platform-x86-msi-laptop-fix-resource-cleanup.patch
+drm-panel-use-select-for-ili9341-panel-driver-helper.patch
+drm-fix-drm_mipi_dbi-build-errors.patch
+platform-chrome-cros_ec_typec-add-bit-offset-for-dp-.patch
+platform-chrome-cros_ec_typec-correct-alt-mode-index.patch
+drm-amdgpu-add-missing-pci_disable_device-in-amdgpu_.patch
+drm-bridge-megachips-fix-a-null-pointer-dereference-.patch
+drm-bridge-it6505-fix-the-order-of-dp_set_power-comm.patch
+asoc-rsnd-add-check-for-rsnd_mod_power_on.patch
+asoc-wm_adsp-handle-optional-legacy-support.patch
+alsa-hda-beep-simplify-keep-power-at-enable-behavior.patch
+drm-virtio-set-fb_modifiers_not_supported.patch
+drm-bochs-fix-blanking.patch
+asoc-mediatek-mt8195-mt6359-properly-register-sound-.patch
+asoc-sof-mediatek-mt8195-import-namespace-snd_soc_so.patch
+drm-omap-dss-fix-refcount-leak-bugs.patch
+drm-amdgpu-fix-memory-leak-in-hpd_rx_irq_create_work.patch
+asoc-rockchip-i2s-use-regmap_read_poll_timeout-to-po.patch
+mmc-au1xmmc-fix-an-error-handling-path-in-au1xmmc_pr.patch
+asoc-eureka-tlv320-hold-reference-returned-from-of_f.patch
+drm-msm-lookup-the-icc-paths-in-both-mdp5-dpu-and-md.patch
+drm-msm-dpu-index-dpu_kms-hw_vbif-using-vbif_idx.patch
+drm-msm-dp-correct-1.62g-link-rate-at-dp_catalog_ctr.patch
+alsa-hda-hdmi-change-type-for-the-assigned-variable.patch
+alsa-hda-hdmi-fix-the-converter-allocation-for-the-s.patch
+alsa-usb-audio-split-endpoint-setups-for-hw_params-a.patch
+alsa-usb-audio-properly-refcounting-clock-rate.patch
+asoc-sof-ipc4-topology-free-the-ida-when-ipc-fails-i.patch
+drm-vmwgfx-fix-memory-leak-in-vmw_mksstat_add_ioctl.patch
+virtio-gpu-fix-shift-wrapping-bug-in-virtio_gpu_fenc.patch
+asoc-codecs-tx-macro-fix-kcontrol-put.patch
+asoc-da7219-fix-an-error-handling-path-in-da7219_reg.patch
+alsa-dmaengine-increment-buffer-pointer-atomically.patch
+mmc-wmt-sdmmc-fix-an-error-handling-path-in-wmt_mci_.patch
+asoc-stm32-dfsdm-fix-pm-disable-depth-imbalance-in-s.patch
+asoc-stm32-spdifrx-fix-pm-disable-depth-imbalance-in.patch
+asoc-stm-fix-pm-disable-depth-imbalance-in-stm32_i2s.patch
+asoc-es8316-fix-register-sync-error-in-suspend-resum.patch
+asoc-wcd-mbhc-v2-revert-asoc-wcd-mbhc-v2-use-pm_runt.patch
+asoc-wm8997-fix-pm-disable-depth-imbalance-in-wm8997.patch
+asoc-wm5110-fix-pm-disable-depth-imbalance-in-wm5110.patch
+asoc-wm5102-fix-pm-disable-depth-imbalance-in-wm5102.patch
+asoc-mt6660-fix-pm-disable-depth-imbalance-in-mt6660.patch
+asoc-rockchip-i2s-use-regmap_read_poll_timeout_atomi.patch
+alsa-hda-hdmi-don-t-skip-notification-handling-durin.patch
+memory-pl353-smc-fix-refcount-leak-bug-in-pl353_smc_.patch
+memory-of-fix-refcount-leak-bug-in-of_get_ddr_timing.patch
+memory-of-fix-refcount-leak-bug-in-of_lpddr3_get_ddr.patch
+locks-fix-toctou-race-when-granting-write-lease.patch
+soc-qcom-smsm-fix-refcount-leak-bugs-in-qcom_smsm_pr.patch
+soc-qcom-smem_state-add-refcounting-for-the-state-of.patch
+arm-dts-imx6dl-yapp4-bind-the-backlight-controller-t.patch
+arm-dts-imx6qdl-kontron-samx6i-hook-up-ddc-i2c-bus.patch
+arm64-dts-renesas-r9a07g044-fix-sci-rx-tx-interrupt-.patch
+arm64-dts-renesas-r9a07g054-fix-sci-rx-tx-interrupt-.patch
+arm64-dts-renesas-r9a07g043-fix-sci-rx-tx-interrupt-.patch
+dt-bindings-clock-exynosautov9-correct-clock-numberi.patch
+arm64-dts-qcom-sdm845-narrow-llcc-address-space.patch
+arm64-dts-qcom-sdm845-xiaomi-polaris-fix-sde_dsi_act.patch
+arm64-dts-qcom-sc7280-cleanup-the-lpasscc-node.patch
+arm64-dts-qcom-sc7280-update-lpasscore-node.patch
+arm64-dts-qcom-sc8280xp-crd-disallow-regulator-mode-.patch
+arm64-dts-qcom-sc8280xp-lenovo-thinkpad-x13s-disallo.patch
+arm64-dts-qcom-sa8295p-adp-disallow-regulator-mode-s.patch
+arm64-dts-qcom-pm8350c-drop-pwm-reg-declaration.patch
+arm64-dts-qcom-sc7180-trogdor-keep-pm6150_adc-enable.patch
+arm-dts-turris-omnia-fix-mpp26-pin-name-and-comment.patch
+arm-dts-kirkwood-lsxl-fix-serial-line.patch
+arm-dts-kirkwood-lsxl-remove-first-ethernet-port.patch
+arm64-dts-marvell-98dx25xx-use-correct-property-for-.patch
+arm64-dts-qcom-sc8280xp-pmics-remove-reg-entry-use-c.patch
+ia64-export-memory_add_physaddr_to_nid-to-fix-cxl-bu.patch
+arm64-dts-qcom-sm8350-sagami-correct-ts-pin-property.patch
+soc-tegra-fuse-add-missing-of_node_put-in-tegra_init.patch
+soc-tegra-fuse-drop-kconfig-dependency-on-tegra20_ap.patch
+arm64-dts-qcom-ipq8074-fix-pcie-phy-serdes-size.patch
+arm64-dts-qcom-sm8450-fix-ufs-phy-serdes-size.patch
+dt-bindings-arm-ti-k3-sort-the-am654-board-enums.patch
+arm64-dts-ti-k3-j7200-fix-main-pinmux-range.patch
+arm-dts-exynos-correct-s5k6a3-reset-polarity-on-mida.patch
+arm-drop-cmdline_-dependency-on-atags.patch
+ext4-continue-to-expand-file-system-when-the-target-.patch
+ext4-don-t-run-ext4lazyinit-for-read-only-filesystem.patch
+arm64-ftrace-fix-module-plts-with-mcount.patch
+arm64-dts-exynos-fix-polarity-of-enable-line-of-nfc-.patch
+arm-dts-exynos-fix-polarity-of-vbus-gpio-of-origen.patch
+iomap-iomap-fix-memory-corruption-when-recording-err.patch
+selftests-vm-use-top_srcdir-instead-of-recomputing-r.patch
+selftests-cpu-hotplug-use-return-instead-of-exit.patch
+selftests-cpu-hotplug-delete-fault-injection-related.patch
+selftests-cpu-hotplug-reserve-one-cpu-online-at-leas.patch
+iio-adc-at91-sama5d2_adc-fix-at91_sama5d2_mr_trackti.patch
+iio-adc-at91-sama5d2_adc-check-return-status-for-pre.patch
+iio-adc-at91-sama5d2_adc-lock-around-oversampling-an.patch
+iio-adc-at91-sama5d2_adc-disable-prepare-buffer-on-s.patch
+iio-inkern-only-release-the-device-node-when-done-wi.patch
+iio-inkern-fix-return-value-in-devm_of_iio_channel_g.patch
+iio-abi-fix-wrong-format-of-differential-capacitance.patch
+iio-magnetometer-yas530-change-data-type-of-hard_off.patch
+ib-mlx5-call-io_stop_wc-after-writing-to-wc-mmio.patch
+rdma-mlx5-don-t-compare-mkey-tags-in-devx-indirect-m.patch
+usb-common-usb-conn-gpio-simplify-some-error-message.patch
+usb-common-debug-check-non-standard-control-requests.patch
+clk-nomadik-add-missing-of_node_put.patch
+clk-meson-hold-reference-returned-by-of_get_parent.patch
+clk-st-hold-reference-returned-by-of_get_parent.patch
+clk-oxnas-hold-reference-returned-by-of_get_parent.patch
+clk-qoriq-hold-reference-returned-by-of_get_parent.patch
+clk-berlin-add-of_node_put-for-of_get_parent.patch
+clk-sprd-hold-reference-returned-by-of_get_parent.patch
+coresight-trbe-fix-kconfig-its-grammar.patch
+coresight-docs-fix-a-broken-reference.patch
+clk-tegra-fix-refcount-leak-in-tegra210_clock_init.patch
+clk-tegra-fix-refcount-leak-in-tegra114_clock_init.patch
+clk-tegra20-fix-refcount-leak-in-tegra20_clock_init.patch
+clk-samsung-exynosautov9-correct-register-offsets-of.patch
+block-sed-opal-add-ioctl-to-return-device-status.patch
+sbitmap-fix-possible-io-hung-due-to-lost-wakeup.patch
+remoteproc-imx_rproc-simplify-some-error-message.patch
+remoteproc-imx_dsp_rproc-fix-argument-2-of-rproc_mem.patch
+hid-uclogic-add-missing-suffix-for-digitalizers.patch
+hid-uclogic-fix-warning-in-uclogic_rdesc_template_ap.patch
+hsi-omap_ssi-fix-refcount-leak-in-ssi_probe.patch
+hsi-omap_ssi_port-fix-dma_map_sg-error-check.patch
+clk-gcc-sc8280xp-keep-pcie-power-domains-always-on.patch
+clk-qcom-gcc-sdm660-use-floor-ops-for-sdcc1-clock.patch
+media-v4l2-ctrls-allocate-space-for-arrays.patch
+media-exynos4-is-fimc-is-add-of_node_put-when-breaki.patch
+media-tm6000-fix-unused-value-in-vidioc_try_fmt_vid_.patch
+media-airspy-fix-memory-leak-in-airspy-probe.patch
+tty-xilinx_uartps-check-clk_enable-return-value.patch
+tty-xilinx_uartps-fix-the-ignore_status.patch
+media-mediatek-vcodec-skip-non-cbr-bitrate-mode.patch
+media-amphion-insert-picture-startcode-after-seek-fo.patch
+media-amphion-adjust-the-encoder-s-value-range-of-go.patch
+media-amphion-don-t-change-the-colorspace-reported-b.patch
+media-amphion-fix-a-bug-that-vpu-core-may-not-resume.patch
+media-meson-vdec-add-missing-clk_disable_unprepare-o.patch
+media-uvcvideo-fix-memory-leak-in-uvc_gpio_parse.patch
+media-uvcvideo-use-entity-get_cur-in-uvc_ctrl_set.patch
+media-xilinx-vipp-fix-refcount-leak-in-xvip_graph_dm.patch
+rdma-rxe-fix-kernel-null-pointer-dereference-error.patch
+rdma-rxe-fix-the-error-caused-by-qp-sk.patch
+clk-mediatek-clk-mt8195-vdo0-set-rate-on-vdo0_dp_int.patch
+clk-mediatek-clk-mt8195-vdo1-reparent-and-set-rate-o.patch
+clk-mediatek-mt8195-infra_ao-set-pwrmcu-clocks-as-cr.patch
+misc-ocxl-fix-possible-refcount-leak-in-afu_ioctl.patch
+fpga-dfl-pci-add-ids-for-intel-n6000-n6001-and-c6100.patch
+fpga-prevent-integer-overflow-in-dfl_feature_ioctl_s.patch
+phy-rockchip-inno-usb2-return-zero-after-otg-sync.patch
+dmaengine-idxd-avoid-deadlock-in-process_misc_interr.patch
+dmaengine-hisilicon-disable-channels-when-unregister.patch
+dmaengine-hisilicon-fix-cq-head-update.patch
+dmaengine-hisilicon-add-multi-thread-support-for-a-d.patch
+iio-use-per-device-lockdep-class-for-mlock.patch
+usb-gadget-f_fs-stricter-integer-overflow-checks.patch
+dyndbg-fix-static_branch-manipulation.patch
+dyndbg-fix-module.dyndbg-handling.patch
+dyndbg-let-query-modname-override-actual-module-name.patch
+dyndbg-drop-exported-dynamic_debug_exec_queries.patch
+sbitmap-avoid-leaving-waitqueue-in-invalid-state-in-.patch
+clk-qcom-sm6115-select-qcom_gdsc.patch
+scsi-lpfc-fix-various-issues-reported-by-tools.patch
+usb-serial-console-move-mutex_unlock-before-usb_seri.patch
+mtd-devices-docg3-check-the-return-value-of-devm_ior.patch
+remoteproc-harden-rproc_handle_vdev-against-integer-.patch
+phy-qcom-qmp-combo-disable-runtime-pm-on-unbind.patch
+phy-qcom-qmp-usb-disable-runtime-pm-on-unbind.patch
+phy-qcom-qmp-pcie-add-pcs_misc-sanity-check.patch
+phy-qcom-qmp-pcie-fix-memleak-on-probe-deferral.patch
+phy-qcom-qmp-pcie-msm8996-fix-memleak-on-probe-defer.patch
+phy-qcom-qmp-combo-fix-memleak-on-probe-deferral.patch
+phy-qcom-qmp-ufs-fix-memleak-on-probe-deferral.patch
+phy-qcom-qmp-usb-drop-pipe-clock-lane-suffix.patch
+phy-qcom-qmp-usb-fix-memleak-on-probe-deferral.patch
+phy-amlogic-phy-meson-axg-mipi-pcie-analog-hold-refe.patch
+phy-phy-mtk-tphy-fix-the-phy-type-setting-issue.patch
+mtd-rawnand-intel-read-the-chip-select-line-from-the.patch
+mtd-rawnand-intel-remove-undocumented-compatible-str.patch
+mtd-rawnand-intel-don-t-re-define-nand_data_iface_ch.patch
+mtd-rawnand-fsl_elbc-fix-none-ecc-mode.patch
+rdma-irdma-align-ae-id-codes-to-correct-flush-code-a.patch
+rdma-irdma-validate-udata-inlen-and-outlen.patch
+rdma-srp-fix-srp_abort.patch
+rdma-siw-always-consume-all-skbuf-data-in-sk_data_re.patch
+rdma-siw-fix-qp-destroy-to-wait-for-all-references-d.patch
+ata-fix-ata_id_sense_reporting_enabled-and-ata_id_ha.patch
+ata-fix-ata_id_has_devslp.patch
+ata-fix-ata_id_has_ncq_autosense.patch
+ata-fix-ata_id_has_dipm.patch
+mtd-rawnand-meson-fix-bit-map-use-in-meson_nfc_ecc_c.patch
+block-fix-the-enum-blk_eh_timer_return-documentation.patch
+eventfd-guard-wake_up-in-eventfd-fs-calls-as-well.patch
+io_uring-fdinfo-fix-sqe-dumping-for-ioring_setup_sqe.patch
+md-replace-snprintf-with-scnprintf.patch
+md-raid5-ensure-stripe_fill-happens-on-non-read-io-w.patch
+md-raid5-remove-unnecessary-bio_put-in-raid5_read_on.patch
+md-remove-extra-mddev_get-in-md_seq_start.patch
+rdma-cm-use-slid-in-the-work-completion-as-the-dlid-.patch
+ib-set-iova-length-on-ib_mr-in-core-uverbs-layers.patch
+rdma-srp-rework-the-srp_add_port-error-path.patch
+rdma-srp-handle-dev_set_name-failure.patch
+rdma-srp-use-the-attribute-group-mechanism-for-sysfs.patch
+rdma-srp-support-more-than-255-rdma-ports.patch
+xhci-don-t-show-warning-for-reinit-on-known-broken-s.patch
+usb-gadget-function-fix-dangling-pnp_string-in-f_pri.patch
+usb-typec-anx7411-use-of_get_child_by_name-instead-o.patch
+usb-dwc3-core-fix-some-leaks-in-probe.patch
+drivers-serial-jsm-fix-some-leaks-in-probe.patch
+serial-8250-toggle-ier-bits-on-only-after-irq-has-be.patch
+tty-serial-fsl_lpuart-disable-dma-rx-tx-use-flags-in.patch
+phy-qualcomm-call-clk_disable_unprepare-in-the-error.patch
+staging-vt6655-fix-some-erroneous-memory-clean-up-lo.patch
+slimbus-qcom-ngd-add-error-handling-in-of_qcom_slim_.patch
+firmware-google-test-spinlock-on-panic-path-to-avoid.patch
+serial-8250-fix-restoring-termios-speed-after-suspen.patch
+scsi-libsas-fix-use-after-free-bug-in-smp_execute_ta.patch
+scsi-pm8001-fix-running_req-for-internal-abort-comma.patch
+scsi-iscsi-iscsi_tcp-fix-null-ptr-deref-while-callin.patch
+clk-qcom-apss-ipq6018-mark-apcs_alias0_core_clk-as-c.patch
+clk-qcom-gcc-sm6115-override-default-alpha-pll-regs.patch
+nvmet-auth-don-t-try-to-cancel-a-non-initialized-wor.patch
+rdma-rxe-set-pd-early-in-mr-alloc-routines.patch
+rdma-rxe-fix-resize_finish-in-rxe_queue.c.patch
+ib-rdmavt-add-__init-__exit-annotations-to-module-in.patch
+fsi-core-check-error-number-after-calling-ida_simple.patch
+mfd-intel_soc_pmic-fix-an-error-handling-path-in-int.patch
+mfd-fsl-imx25-fix-an-error-handling-path-in-mx25_tsa.patch
+mfd-lp8788-fix-an-error-handling-path-in-lp8788_prob.patch
+mfd-lp8788-fix-an-error-handling-path-in-lp8788_irq_.patch
+mfd-fsl-imx25-fix-check-for-platform_get_irq-errors.patch
+mfd-sm501-add-check-for-platform_driver_register.patch
+mfd-da9061-fix-failed-to-set-two-wire-bus-mode.patch
+clk-mediatek-mt8183-mfgcfg-propagate-rate-changes-to.patch
+clk-mediatek-clk-mt8195-mfg-reparent-mfg_bg3d-and-pr.patch
+clk-mediatek-fix-unregister-function-in-mtk_clk_regi.patch
+clk-mediatek-migrate-remaining-clk_unregister_-to-cl.patch
+phy-qcom-qmp-pcie-fix-resource-mapping-for-sdm845-qh.patch
+io_uring-rw-defer-fsnotify-calls-to-task-context.patch
+dmaengine-ioat-stop-mod_timer-from-resurrecting-dele.patch
+hid-amd_sfh-change-dev_err-to-dev_dbg-for-additional.patch
+hid-amd_sfh-handle-condition-of-no-sensors-for-sfh1..patch
+usb-mtu3-fix-failed-runtime-suspend-in-host-only-mod.patch
+spmi-pmic-arb-correct-duplicate-apid-to-ppid-mapping.patch
+clk-vc5-fix-5p49v6901-outputs-disabling-when-enablin.patch
+clk-baikal-t1-fix-invalid-xgmac-ptp-clock-divider.patch
+clk-baikal-t1-add-shared-xgmac-ref-ptp-clocks-intern.patch
+clk-baikal-t1-add-sata-internal-ref-clock-buffer.patch
+clk-bcm2835-make-peripheral-pllc-critical.patch
+clk-bcm2835-fix-bcm2835_clock_rate_from_divisor-decl.patch
+clk-imx8mp-tune-the-order-of-enet_qos_root_clk.patch
+clk-imx-scu-fix-memleak-on-platform_device_add-fails.patch
+clk-ti-balance-of_node_get-calls-for-of_find_node_by.patch
+clk-move-from-strlcpy-with-unused-retval-to-strscpy.patch
+clk-ti-dra7-atl-fix-reference-leak-in-of_dra7_atl_cl.patch
+clk-ast2600-bclk-comes-from-epll.patch
+mailbox-imx-fix-rst-channel-support.patch
+mailbox-mpfs-fix-handling-of-the-reg-property.patch
+mailbox-mpfs-account-for-mbox-offsets-while-sending.patch
+mailbox-bcm-ferxrm-mailbox-fix-error-check-for-dma_m.patch
+ipc-mqueue-fix-possible-memory-leak-in-init_mqueue_f.patch
+kvm-x86-mmu-fix-memoryleak-in-kvm_mmu_vendor_module_.patch
+powerpc-configs-properly-enable-papr_scm-in-pseries_.patch
+powerpc-math_emu-efp-include-module.h.patch
+powerpc-sysdev-fsl_msi-add-missing-of_node_put.patch
+powerpc-pci_dn-add-missing-of_node_put.patch
+powerpc-powernv-add-missing-of_node_put-in-opal_expo.patch
+cpuidle-riscv-sbi-fix-cpu_pm_cpu_idle_enter_xyz-macr.patch
+powerpc-dts-turris1x.dts-fix-nor-partitions-labels.patch
+powerpc-dts-turris1x.dts-fix-labels-in-dsa-cpu-port-.patch
+powerpc-fix-fallocate-and-fadvise64_64-compat-parame.patch
+kvm-x86-do-proper-cleanup-if-kvm_x86_ops-vm_init-fai.patch
+kvm-fix-memoryleak-in-kvm_init.patch
+x86-hyperv-fix-struct-hv_enlightened_vmcs-definition.patch
+kvm-x86-zero-out-entire-hyper-v-cpuid-cache-before-p.patch
+kvm-x86-check-for-existing-hyper-v-vcpu-in-kvm_hv_vc.patch
+kvm-x86-report-error-when-setting-cpuid-if-hyper-v-a.patch
+kvm-nvmx-treat-general-detect-db-dr7.gd-1-as-fault-l.patch
+kvm-nvmx-prioritize-tss-t-flag-dbs-over-monitor-trap.patch
+kvm-nvmx-ignore-sipi-that-arrives-in-l2-when-vcpu-is.patch
+kvm-vmx-inject-pf-on-encls-as-emulated-pf.patch
+kvm-nvmx-unconditionally-clear-mtf_pending-on-nested.patch
+kvm-x86-make-kvm_queued_exception-a-properly-named-v.patch
+kvm-x86-formalize-blocking-of-nested-pending-excepti.patch
+kvm-x86-hoist-nested-event-checks-above-event-inject.patch
+kvm-x86-evaluate-ability-to-inject-smi-nmi-irq-after.patch
+kvm-nvmx-add-a-helper-to-identify-low-priority-db-tr.patch
+kvm-x86-morph-pending-exceptions-to-pending-vm-exits.patch
+kvm-ppc-book3s-hv-fix-decrementer-migration.patch
+kvm-ppc-book3s-hv-p9-fix-irq-disabling-in-tick-accou.patch
+kvm-ppc-book3s-hv-p9-clear-vcpu-cpu-fields-before-en.patch
+kvm-ppc-book3s-hv-p9-restore-stolen-time-logging-in-.patch
+powerpc-64s-fix-generic_cpu-build-flags-for-ppc970-g.patch
+powerpc-64-interrupt-fix-false-warning-in-context-tr.patch
+powerpc-64-mark-irqs-hard-disabled-in-boot-paca.patch
+powerpc-64-interrupt-fix-return-to-masked-context-af.patch
+powerpc-fix-spe-power-isa-properties-for-e500v1-plat.patch
+powerpc-kprobes-fix-null-pointer-reference-in-arch_p.patch
+powerpc-pseries-vas-pass-hw_cpu_id-to-node-associati.patch
+crypto-sahara-don-t-sleep-when-in-softirq.patch
+crypto-hisilicon-zip-fix-mismatch-in-get-set-sgl_sge.patch
+hwrng-arm-smccc-trng-fix-no_entropy-handling.patch
+crypto-ccp-fail-the-psp-initialization-when-writing-.patch
+cgroup-honor-caller-s-cgroup-ns-when-resolving-path.patch
+hwrng-imx-rngc-use-devm_clk_get_enabled.patch
+hwrng-imx-rngc-moving-irq-handler-registering-after-.patch
+crypto-qat-fix-default-value-of-wdt-timer.patch
+crypto-hisilicon-qm-fix-missing-put-dfx-access.patch
+cgroup-cpuset-enable-update_tasks_cpumask-on-top_cpu.patch
+iommu-omap-fix-buffer-overflow-in-debugfs.patch
+crypto-akcipher-default-implementation-for-setting-a.patch
+crypto-ccp-release-dma-channels-before-dmaengine-unr.patch
+crypto-inside-secure-change-swab-to-swab32.patch
+crypto-qat-fix-dma-transfer-direction.patch
+clocksource-drivers-arm_arch_timer-fix-handling-of-a.patch
+clocksource-drivers-timer-gxp-add-missing-error-hand.patch
+cifs-return-correct-error-in-calc_signature.patch
+iommu-iova-fix-module-config-properly.patch
+tracing-kprobe-fix-kprobe-event-gen-test-module-on-e.patch
+tracing-kprobe-make-gen-test-module-work-in-arm-and-.patch
+tracing-osnoise-fix-possible-recursive-locking-in-st.patch
+rv-monitor-add-__init-__exit-annotations-to-module-i.patch
+ftrace-fix-recursive-locking-direct_mutex-in-ftrace_.patch
+kbuild-remove-the-target-in-signal-traps-when-interr.patch
+linux-export-use-inline-assembler-to-populate-symbol.patch
+kbuild-rpm-pkg-fix-breakage-when-v-1-is-used.patch
+crypto-marvell-octeontx-prevent-integer-overflows.patch
+crypto-cavium-prevent-integer-overflow-loading-firmw.patch
+random-schedule-jitter-credit-for-next-jiffy-not-in-.patch
+thermal-drivers-qcom-tsens-v0_1-fix-msm8939-fourth-s.patch
+acpi-apei-do-not-add-task_work-to-kernel-thread-to-a.patch
+f2fs-fix-race-condition-on-setting-fi_no_extent-flag.patch
+f2fs-fix-to-account-fs_cp_data_io-correctly.patch
+tools-power-turbostat-use-standard-energy-unit-for-s.patch
+selftest-tpm2-add-client.__del__-to-close-dev-tpm-ha.patch
+arm-dma-mapp-ng-don-t-override-dma_coherent-when-set.patch
+module-tracking-keep-a-record-of-tainted-unloaded-mo.patch
+fs-dlm-fix-race-in-lowcomms.patch
+rcu-avoid-triggering-strict-gp-irq-work-when-rcu-is-.patch
+rcu-back-off-upon-fill_page_cache_func-allocation-fa.patch
+rcu-tasks-convert-rcu_lockdep_warn-to-warn_once.patch
+rcu-tasks-ensure-rcu-tasks-trace-loops-have-quiescen.patch
+cpufreq-amd_pstate-fix-wrong-lowest-perf-fetch.patch
+acpi-video-add-toshiba-satellite-portege-z830-quirk.patch
+fortify-fix-__compiletime_strlen-under-ubsan_bounds_.patch
+acpi-tables-fpdt-don-t-call-acpi_os_map_memory-on-in.patch
+cpufreq-intel_pstate-add-tigerlake-support-in-no-hwp.patch
+mips-bcm47xx-cast-memcmp-of-function-to-void.patch
+powercap-intel_rapl-fix-ubsan-shift-out-of-bounds-is.patch
+thermal-intel_powerclamp-use-get_cpu-instead-of-smp_.patch
+arm-decompressor-include-.data.rel.ro.local.patch
+acpi-x86-add-a-quirk-for-dell-inspiron-14-2-in-1-for.patch
+x86-entry-work-around-clang-__bdos-bug.patch
+nfsd-return-nfserr_serverfault-if-splice_ok-but-buf-.patch
+nfsd-fix-use-after-free-on-source-server-when-doing-.patch
+libbpf-ensure-functions-with-always_inline-attribute.patch
+libbpf-do-not-require-executable-permission-for-shar.patch
+wifi-rtw88-phy-fix-warning-of-possible-buffer-overfl.patch
+wifi-brcmfmac-fix-invalid-address-access-when-enabli.patch
+bpftool-clear-errno-after-libcap-s-checks.patch
+net-ethernet-ti-davinci_mdio-add-workaround-for-erra.patch
+openvswitch-fix-double-reporting-of-drops-in-dropwat.patch
+openvswitch-fix-overreporting-of-drops-in-dropwatch.patch
+tcp-annotate-data-race-around-tcp_md5sig_pool_popula.patch
+micrel-ksz8851-fixes-struct-pointer-issue.patch
+wifi-mac80211-accept-sta-changes-without-link-change.patch
+x86-mce-retrieve-poison-range-from-hardware.patch
+wifi-ath9k-avoid-uninit-memory-read-in-ath9k_htc_rx_.patch
+thunderbolt-add-back-intel-falcon-ridge-end-to-end-f.patch
+x86-apic-don-t-disable-x2apic-if-locked.patch
+net-axienet-switch-to-64-bit-rx-tx-statistics.patch
+net-next-fix-ip_unicast_if-option-behavior-for-conne.patch
+xfrm-update-ipcomp_scratches-with-null-when-freed.patch
+wifi-ath11k-register-shutdown-handler-for-wcn6750.patch
+rtw89-ser-leave-lps-with-mutex.patch
+net-broadcom-fix-return-type-for-implementation-of.patch
+net-xscale-fix-return-type-for-implementation-of-ndo.patch
+net-sunplus-fix-return-type-for-implementation-of-nd.patch
+net-lantiq_etop-fix-return-type-for-implementation-o.patch
+netlink-bounds-check-struct-nlmsgerr-creation.patch
+net-ftmac100-fix-endianness-related-issues-from-spar.patch
+iavf-fix-race-between-iavf_close-and-iavf_reset_task.patch
+wifi-brcmfmac-fix-use-after-free-bug-in-brcmf_netdev.patch
+net-sparx5-fix-function-return-type-to-match-actual-.patch
+bluetooth-btintel-mark-intel-controller-to-support-l.patch
+regulator-core-prevent-integer-underflow.patch
+wifi-ath11k-mhi-fix-potential-memory-leak-in-ath11k_.patch
+wifi-mt76-mt7921-reset-msta-airtime_ac-while-clearin.patch
+wifi-rtw89-free-unused-skb-to-prevent-memory-leak.patch
+wifi-rtw89-fix-rx-filter-after-scan.patch
+bluetooth-l2cap-initialize-delayed-works-at-l2cap_ch.patch
+net-ax88796c-fix-return-type-of-ax88796c_start_xmit.patch
+net-davicom-fix-return-type-of-dm9000_start_xmit.patch
+net-ethernet-ti-davinci_emac-fix-return-type-of-emac.patch
+net-ethernet-litex-fix-return-type-of-liteeth_start_.patch
+net-korina-fix-return-type-of-korina_send_packet.patch
+net-wwan-iosm-fix-return-type-of-ipc_wwan_link_trans.patch
+net-wwan-t7xx-fix-return-type-of-t7xx_ccmni_start_xm.patch
+bluetooth-hci_sysfs-fix-attempting-to-call-device_ad.patch
+bluetooth-hci_event-make-sure-iso-events-don-t-affec.patch
+wifi-ath10k-reset-pointer-after-memory-free-to-avoid.patch
+bnxt_en-replace-reset-with-config-timestamps.patch
+selftests-bpf-free-the-allocated-resources-after-tes.patch
+can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch
+wifi-rt2x00-don-t-run-rt5592-iq-calibration-on-mt762.patch
+wifi-rt2x00-set-correct-tx_sw_cfg1-mac-register-for-.patch
+wifi-rt2x00-set-vgc-gain-for-both-chains-of-mt7620.patch
+wifi-rt2x00-set-soc-wmac-clock-register.patch
+wifi-rt2x00-correctly-set-bbp-register-86-for-mt7620.patch
+hwmon-sht4x-do-not-overflow-clamping-operation-on-32.patch
+net-if-sock-is-dead-don-t-access-sock-s-sk_wq-in-sk_.patch
+bpf-adjust-kprobe_multi-entry_ip-for-config_x86_kern.patch
+bpf-use-bpf_prog_pack-for-bpf_dispatcher.patch
+bluetooth-l2cap-fix-user-after-free.patch
+net-sched-cls_u32-avoid-memcpy-false-positive-warnin.patch
+libbpf-fix-overrun-in-netlink-attribute-iteration.patch
+i2c-designware-pci-group-amd-navi-quirk-parts-togeth.patch
+r8152-rate-limit-overflow-messages.patch
+drm-nouveau-nouveau_bo-fix-potential-memory-leak-in-.patch
+drm-use-size_t-type-for-len-variable-in-drm_copy_fie.patch
+drm-prevent-drm_copy_field-to-attempt-copying-a-null.patch
+drm-komeda-fix-handling-of-atomic-commits-in-the-ato.patch
+gpu-lontium-lt9611-fix-null-pointer-dereference-in-l.patch
+drm-amd-display-fix-overflow-on-min_i64-definition.patch
+alsa-hda-fix-page-fault-in-snd_hda_codec_shutdown.patch
+alsa-usb-audio-add-quirk-to-enable-avid-mbox-3-suppo.patch
+udmabuf-set-ubuf-sg-null-if-the-creation-of-sg-table.patch
+platform-x86-pmc_atom-improve-quirk-message-to-be-le.patch
+drm-amd-fix-potential-memory-leak.patch
+drm-bridge-dw_hdmi-only-trigger-hotplug-event-on-lin.patch
+drm-amd-display-fix-variable-dereferenced-before-che.patch
+drm-amdgpu-skip-the-program-of-mmmc_vm_agp_-in-sriov.patch
+drm-admgpu-skip-cg-pg-on-soc21-under-sriov-vf.patch
+alsa-usb-audio-register-card-at-the-last-interface.patch
+drm-vc4-vec-fix-timings-for-vec-modes.patch
+drm-panel-orientation-quirks-add-quirk-for-anbernic-.patch
+drm-panel-orientation-quirks-add-quirk-for-aya-neo-a.patch
+platform-chrome-cros_ec-notify-the-pm-of-wake-events.patch
+platform-x86-hp-wmi-setting-thermal-profile-fails-wi.patch
+platform-x86-msi-laptop-change-dmi-match-alias-strin.patch
+alsa-intel-dspconfig-add-es8336-support-for-alderlak.patch
+asoc-sof-pci-change-dmi-match-info-to-support-all-ch.patch
+asoc-sunxi-sun4i-codec-set-debugfs_prefix-for-cpu-da.patch
+asoc-sof-add-quirk-to-override-topology-mclk_id.patch
+drm-amdgpu-sdma-update-use-unlocked-iterator.patch
+drm-amd-display-fix-urgent-latency-override-for-dcn3.patch
+drm-amd-display-correct-hostvm-flag.patch
+drm-amdgpu-fix-initial-connector-audio-value.patch
+asoc-amd-yc-add-asus-um5302ta-into-dmi-table.patch
+asoc-amd-yc-add-lenovo-yoga-slim-7-pro-x-to-quirks-t.patch
+drm-meson-reorder-driver-deinit-sequence-to-fix-use-.patch
+drm-meson-explicitly-remove-aggregate-driver-at-modu.patch
+drm-meson-remove-drm-bridges-at-aggregate-driver-unb.patch
+drm-exynos-fix-return-type-for-mixer_mode_valid-and-.patch
+mmc-sdhci-msm-add-compatible-string-check-for-sdm670.patch
+drm-dp-don-t-rewrite-link-config-when-setting-phy-te.patch
+drm-amd-display-remove-interface-for-periodic-interr.patch
+drm-amd-display-polling-vid-stream-status-in-hpo-dp-.patch
+drm-amd-display-fix-array-bounds-error-in-dc_stream_.patch
+drm-amdkfd-fix-ubsan-shift-out-of-bounds-warning.patch
+arm-dts-imx6-delete-interrupts-property-if-interrupt.patch
+arm-dts-imx7d-sdb-config-the-max-pressure-for-tsc204.patch
+arm64-dts-qcom-sc7280-idp-correct-adc-channel-node-n.patch
+arm-dts-imx6q-add-missing-properties-for-sram.patch
+arm-dts-imx6dl-add-missing-properties-for-sram.patch
+arm-dts-imx6qp-add-missing-properties-for-sram.patch
+arm-dts-imx6sl-add-missing-properties-for-sram.patch
+arm-dts-imx6sll-add-missing-properties-for-sram.patch
+arm-dts-imx6sx-add-missing-properties-for-sram.patch
+arm-dts-imx6sl-use-tabs-for-code-indent.patch
+arm-dts-imx6sx-udoo-neo-don-t-use-multiple-blank-lin.patch
+kselftest-arm64-fix-validatation-termination-record-.patch
+sparc-fix-the-generic-io-helpers.patch
+arm64-run-softirqs-on-the-per-cpu-irq-stack.patch
+arm64-dts-imx8mm-kontron-use-the-vselect-signal-to-s.patch
+arm64-dts-imx8ulp-no-executable-source-file-permissi.patch
+arm64-dts-imx8mq-librem5-add-bq25895-as-max17055-s-p.patch
+arm-orion-fix-include-path.patch
+btrfs-dump-extra-info-if-one-free-space-cache-has-mo.patch
+btrfs-add-macros-for-annotating-wait-events-with-loc.patch
+btrfs-add-lockdep-annotations-for-num_writers-wait-e.patch
+btrfs-add-lockdep-annotations-for-num_extwriters-wai.patch
+btrfs-add-lockdep-annotations-for-transaction-states.patch
+btrfs-add-lockdep-annotations-for-pending_ordered-wa.patch
+btrfs-change-the-lockdep-class-of-free-space-inode-s.patch
+btrfs-add-lockdep-annotations-for-the-ordered-extent.patch
+btrfs-scrub-properly-report-super-block-errors-in-sy.patch
+btrfs-scrub-try-to-fix-super-block-errors.patch
+btrfs-don-t-print-information-about-space-cache-or-t.patch
+btrfs-call-__btrfs_remove_free_space_cache_locked-on.patch
+btrfs-check-superblock-to-ensure-the-fs-was-not-modi.patch
+btrfs-add-kcsan-annotations-for-unlocked-access-to-b.patch
+btrfs-separate-out-the-eb-and-extent-state-leak-help.patch
+arm64-dts-uniphier-add-usb-device-support-for-pxs3-r.patch
+arm-9233-1-stacktrace-skip-frame-pointer-boundary-ch.patch
+arm-9234-1-stacktrace-avoid-duplicate-saving-of-exce.patch
+arm-9242-1-kasan-only-map-modules-if-config_kasan_vm.patch
+clk-zynqmp-fix-stack-out-of-bounds-in-strncpy.patch
+media-cx88-fix-a-null-ptr-deref-bug-in-buffer_prepar.patch
+media-platform-fix-some-double-free-in-meson-ge2d-an.patch
+clk-zynqmp-pll-rectify-rate-rounding-in-zynqmp_pll_r.patch
+rdma-rxe-delete-error-messages-triggered-by-incoming.patch
+usb-host-xhci-plat-suspend-and-resume-clocks.patch
+usb-host-xhci-plat-suspend-resume-clks-for-brcm.patch
+scsi-lpfc-fix-null-ndlp-ptr-dereference-in-abnormal-.patch
+dmaengine-ti-k3-udma-reset-udma_chan_rt-byte-counter.patch
+scsi-3w-9xxx-avoid-disabling-device-if-failing-to-en.patch
+nbd-fix-hung-when-signal-interrupts-nbd_start_device.patch
+iommu-arm-smmu-v3-make-default-domain-type-of-hisili.patch
+usb-gadget-uvc-increase-worker-prio-to-wq_highpri.patch
+power-supply-adp5061-fix-out-of-bounds-read-in-adp50.patch
+staging-vt6655-fix-potential-memory-leak.patch
+blk-throttle-prevent-overflow-while-calculating-wait.patch
+ata-libahci_platform-sanity-check-the-dt-child-nodes.patch
+habanalabs-ignore-eeprom-errors-during-boot.patch
+nvmet-auth-clean-up-with-done_kfree.patch
+bcache-fix-set_at_max_writeback_rate-for-multiple-at.patch
+soundwire-cadence-don-t-overwrite-msg-buf-during-wri.patch
+soundwire-intel-fix-error-handling-on-dai-registrati.patch
+hid-topre-add-driver-fixing-report-descriptor.patch
+habanalabs-remove-some-f-w-descriptor-validations.patch
+hid-roccat-fix-use-after-free-in-roccat_read.patch
+hsi-ssi_protocol-fix-potential-resource-leak-in-ssip.patch
+hid-nintendo-check-analog-user-calibration-for-plaus.patch
+md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch
+usb-host-xhci-fix-potential-memory-leak-in-xhci_allo.patch
+usb-musb-fix-musb_gadget.c-rxstate-overflow-bug.patch
+usb-dwc3-core-add-gfladj_refclk_lpm_sel-quirk.patch
+arm64-dts-imx8mp-add-snps-gfladj-refclk-lpm-sel-quir.patch
+usb-dwc3-core-enable-guctl1-bit-10-for-fixing-termin.patch
+revert-usb-storage-add-quirk-for-samsung-fit-flash.patch
+io_uring-fix-cqe-reordering.patch
+staging-rtl8723bs-fix-potential-memory-leak-in-rtw_i.patch
+staging-rtl8723bs-fix-a-potential-memory-leak-in-rtw.patch
+scsi-tracing-fix-compile-error-in-trace_array-calls-.patch
+ext2-use-kvmalloc-for-group-descriptor-array.patch
+nvme-handle-effects-after-freeing-the-request.patch
+nvme-copy-firmware_rev-on-each-init.patch
+nvmet-tcp-add-bounds-check-on-transfer-tag.patch
+usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch
+block-replace-blk_queue_nowait-with-bdev_nowait.patch
+blk-mq-use-quiesced-elevator-switch-when-reinitializ.patch
+nvmet-don-t-look-at-the-request_queue-in-nvmet_bdev_.patch
+nvmet-don-t-look-at-the-request_queue-in-nvmet_bdev_.patch-7526
+hwmon-occ-retry-for-checksum-failure.patch
+fsi-occ-prevent-use-after-free.patch
+fsi-master-ast-cf-fix-missing-of_node_put-in-fsi_mas.patch
+dmaengine-dw-edma-remove-runtime-pm-support.patch
+usb-typec-ucsi-don-t-warn-on-probe-deferral.patch
+clk-bcm2835-round-uart-input-clock-up.patch
+net-lan966x-fix-return-type-of-lan966x_port_xmit.patch
+net-sparx5-fix-return-type-of-sparx5_port_xmit_impl.patch
--- /dev/null
+From 20fb98b0d4d9d2794534ff407f1dff6df5d15903 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 16:40:44 -0700
+Subject: sh: machvec: Use char[] for section boundaries
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit c5783af354688b24abd359f7086c282ec74de993 ]
+
+As done for other sections, define the extern as a character array,
+which relaxes many of the compiler-time object size checks, which would
+otherwise assume it's a single long. Solves the following build error:
+
+arch/sh/kernel/machvec.c: error: array subscript 'struct sh_machine_vector[0]' is partly outside array bounds of 'long int[1]' [-Werror=array-bounds]: => 105:33
+
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Cc: Rich Felker <dalias@libc.org>
+Cc: linux-sh@vger.kernel.org
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/lkml/alpine.DEB.2.22.394.2209050944290.964530@ramsan.of.borg/
+Fixes: 9655ad03af2d ("sh: Fixup machvec support.")
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Acked-by: Rich Felker <dalias@libc.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/include/asm/sections.h | 2 +-
+ arch/sh/kernel/machvec.c | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/sh/include/asm/sections.h b/arch/sh/include/asm/sections.h
+index 8edb824049b9..0cb0ca149ac3 100644
+--- a/arch/sh/include/asm/sections.h
++++ b/arch/sh/include/asm/sections.h
+@@ -4,7 +4,7 @@
+
+ #include <asm-generic/sections.h>
+
+-extern long __machvec_start, __machvec_end;
++extern char __machvec_start[], __machvec_end[];
+ extern char __uncached_start, __uncached_end;
+ extern char __start_eh_frame[], __stop_eh_frame[];
+
+diff --git a/arch/sh/kernel/machvec.c b/arch/sh/kernel/machvec.c
+index d606679a211e..57efaf5b82ae 100644
+--- a/arch/sh/kernel/machvec.c
++++ b/arch/sh/kernel/machvec.c
+@@ -20,8 +20,8 @@
+ #define MV_NAME_SIZE 32
+
+ #define for_each_mv(mv) \
+- for ((mv) = (struct sh_machine_vector *)&__machvec_start; \
+- (mv) && (unsigned long)(mv) < (unsigned long)&__machvec_end; \
++ for ((mv) = (struct sh_machine_vector *)__machvec_start; \
++ (mv) && (unsigned long)(mv) < (unsigned long)__machvec_end; \
+ (mv)++)
+
+ static struct sh_machine_vector * __init get_mv_byname(const char *name)
+@@ -87,8 +87,8 @@ void __init sh_mv_setup(void)
+ if (!machvec_selected) {
+ unsigned long machvec_size;
+
+- machvec_size = ((unsigned long)&__machvec_end -
+- (unsigned long)&__machvec_start);
++ machvec_size = ((unsigned long)__machvec_end -
++ (unsigned long)__machvec_start);
+
+ /*
+ * Sanity check for machvec section alignment. Ensure
+@@ -102,7 +102,7 @@ void __init sh_mv_setup(void)
+ * vector (usually the only one) from .machvec.init.
+ */
+ if (machvec_size >= sizeof(struct sh_machine_vector))
+- sh_mv = *(struct sh_machine_vector *)&__machvec_start;
++ sh_mv = *(struct sh_machine_vector *)__machvec_start;
+ }
+
+ pr_notice("Booting machvec: %s\n", get_system_type());
+--
+2.35.1
+
--- /dev/null
+From acd6eefaeec42e581ed618c690fb27e92f0ffccf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 15:13:11 +0800
+Subject: skmsg: Schedule psock work if the cached skb exists on the psock
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit bec217197b412d74168c6a42fc0f76d0cc9cad00 ]
+
+In sk_psock_backlog function, for ingress direction skb, if no new data
+packet arrives after the skb is cached, the cached skb does not have a
+chance to be added to the receive queue of psock. As a result, the cached
+skb cannot be received by the upper-layer application. Fix this by reschedule
+the psock work to dispose the cached skb in sk_msg_recvmsg function.
+
+Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20220907071311.60534-1-liujian56@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 188f8558d27d..ca70525621c7 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -434,8 +434,10 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg,
+ if (copied + copy > len)
+ copy = len - copied;
+ copy = copy_page_to_iter(page, sge->offset, copy, iter);
+- if (!copy)
+- return copied ? copied : -EFAULT;
++ if (!copy) {
++ copied = copied ? copied : -EFAULT;
++ goto out;
++ }
+
+ copied += copy;
+ if (likely(!peek)) {
+@@ -455,7 +457,7 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg,
+ * didn't copy the entire length lets just break.
+ */
+ if (copy != sge->length)
+- return copied;
++ goto out;
+ sk_msg_iter_var_next(i);
+ }
+
+@@ -477,7 +479,9 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg,
+ }
+ msg_rx = sk_psock_peek_msg(psock);
+ }
+-
++out:
++ if (psock->work_state.skb && copied > 0)
++ schedule_work(&psock->work);
+ return copied;
+ }
+ EXPORT_SYMBOL_GPL(sk_msg_recvmsg);
+--
+2.35.1
+
--- /dev/null
+From 563eee02ace07d4306ee43abbcbca85c4ca0e5b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Sep 2022 11:19:53 +0800
+Subject: slimbus: qcom-ngd: Add error handling in of_qcom_slim_ngd_register
+
+From: Lin Yujun <linyujun809@huawei.com>
+
+[ Upstream commit 42992cf187e4e4bcfe3c58f8fc7b1832c5652d9f ]
+
+No error handling is performed when platform_device_add()
+return fails. Refer to the error handling of driver_set_override(),
+add error handling for platform_device_add().
+
+Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Lin Yujun <linyujun809@huawei.com>
+Link: https://lore.kernel.org/r/20220914031953.94061-1-linyujun809@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/slimbus/qcom-ngd-ctrl.c b/drivers/slimbus/qcom-ngd-ctrl.c
+index bacc6af1d51e..d29a1a9cf12f 100644
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1470,7 +1470,13 @@ static int of_qcom_slim_ngd_register(struct device *parent,
+ ngd->pdev->dev.of_node = node;
+ ctrl->ngd = ngd;
+
+- platform_device_add(ngd->pdev);
++ ret = platform_device_add(ngd->pdev);
++ if (ret) {
++ platform_device_put(ngd->pdev);
++ kfree(ngd);
++ of_node_put(node);
++ return ret;
++ }
+ ngd->base = ctrl->base + ngd->id * data->offset +
+ (ngd->id - 1) * data->size;
+
+--
+2.35.1
+
--- /dev/null
+From 2d6a810b5caf8d3871558668715308523ba11e53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jul 2022 21:52:17 +0800
+Subject: soc: qcom: smem_state: Add refcounting for the 'state->of_node'
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 90681f53b9381c23ff7762a3b13826d620c272de ]
+
+In qcom_smem_state_register() and qcom_smem_state_release(), we
+should better use of_node_get() and of_node_put() for the reference
+creation and destruction of 'device_node'.
+
+Fixes: 9460ae2ff308 ("soc: qcom: Introduce common SMEM state machine code")
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20220721135217.1301039-2-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/smem_state.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soc/qcom/smem_state.c b/drivers/soc/qcom/smem_state.c
+index 31faf4aa868e..e848cc9a3cf8 100644
+--- a/drivers/soc/qcom/smem_state.c
++++ b/drivers/soc/qcom/smem_state.c
+@@ -136,6 +136,7 @@ static void qcom_smem_state_release(struct kref *ref)
+ struct qcom_smem_state *state = container_of(ref, struct qcom_smem_state, refcount);
+
+ list_del(&state->list);
++ of_node_put(state->of_node);
+ kfree(state);
+ }
+
+@@ -205,7 +206,7 @@ struct qcom_smem_state *qcom_smem_state_register(struct device_node *of_node,
+
+ kref_init(&state->refcount);
+
+- state->of_node = of_node;
++ state->of_node = of_node_get(of_node);
+ state->ops = *ops;
+ state->priv = priv;
+
+--
+2.35.1
+
--- /dev/null
+From 79c3edd2f396a39560b92e1f9b84c7978cf7a091 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jul 2022 21:52:16 +0800
+Subject: soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit af8f6f39b8afd772fda4f8e61823ef8c021bf382 ]
+
+There are two refcount leak bugs in qcom_smsm_probe():
+
+(1) The 'local_node' is escaped out from for_each_child_of_node() as
+the break of iteration, we should call of_node_put() for it in error
+path or when it is not used anymore.
+(2) The 'node' is escaped out from for_each_available_child_of_node()
+as the 'goto', we should call of_node_put() for it in goto target.
+
+Fixes: c97c4090ff72 ("soc: qcom: smsm: Add driver for Qualcomm SMSM")
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20220721135217.1301039-1-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/smsm.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/soc/qcom/smsm.c b/drivers/soc/qcom/smsm.c
+index 9df9bba242f3..3e8994d6110e 100644
+--- a/drivers/soc/qcom/smsm.c
++++ b/drivers/soc/qcom/smsm.c
+@@ -526,7 +526,7 @@ static int qcom_smsm_probe(struct platform_device *pdev)
+ for (id = 0; id < smsm->num_hosts; id++) {
+ ret = smsm_parse_ipc(smsm, id);
+ if (ret < 0)
+- return ret;
++ goto out_put;
+ }
+
+ /* Acquire the main SMSM state vector */
+@@ -534,13 +534,14 @@ static int qcom_smsm_probe(struct platform_device *pdev)
+ smsm->num_entries * sizeof(u32));
+ if (ret < 0 && ret != -EEXIST) {
+ dev_err(&pdev->dev, "unable to allocate shared state entry\n");
+- return ret;
++ goto out_put;
+ }
+
+ states = qcom_smem_get(QCOM_SMEM_HOST_ANY, SMEM_SMSM_SHARED_STATE, NULL);
+ if (IS_ERR(states)) {
+ dev_err(&pdev->dev, "Unable to acquire shared state entry\n");
+- return PTR_ERR(states);
++ ret = PTR_ERR(states);
++ goto out_put;
+ }
+
+ /* Acquire the list of interrupt mask vectors */
+@@ -548,13 +549,14 @@ static int qcom_smsm_probe(struct platform_device *pdev)
+ ret = qcom_smem_alloc(QCOM_SMEM_HOST_ANY, SMEM_SMSM_CPU_INTR_MASK, size);
+ if (ret < 0 && ret != -EEXIST) {
+ dev_err(&pdev->dev, "unable to allocate smsm interrupt mask\n");
+- return ret;
++ goto out_put;
+ }
+
+ intr_mask = qcom_smem_get(QCOM_SMEM_HOST_ANY, SMEM_SMSM_CPU_INTR_MASK, NULL);
+ if (IS_ERR(intr_mask)) {
+ dev_err(&pdev->dev, "unable to acquire shared memory interrupt mask\n");
+- return PTR_ERR(intr_mask);
++ ret = PTR_ERR(intr_mask);
++ goto out_put;
+ }
+
+ /* Setup the reference to the local state bits */
+@@ -565,7 +567,8 @@ static int qcom_smsm_probe(struct platform_device *pdev)
+ smsm->state = qcom_smem_state_register(local_node, &smsm_state_ops, smsm);
+ if (IS_ERR(smsm->state)) {
+ dev_err(smsm->dev, "failed to register qcom_smem_state\n");
+- return PTR_ERR(smsm->state);
++ ret = PTR_ERR(smsm->state);
++ goto out_put;
+ }
+
+ /* Register handlers for remote processor entries of interest. */
+@@ -595,16 +598,19 @@ static int qcom_smsm_probe(struct platform_device *pdev)
+ }
+
+ platform_set_drvdata(pdev, smsm);
++ of_node_put(local_node);
+
+ return 0;
+
+ unwind_interfaces:
++ of_node_put(node);
+ for (id = 0; id < smsm->num_entries; id++)
+ if (smsm->entries[id].domain)
+ irq_domain_remove(smsm->entries[id].domain);
+
+ qcom_smem_state_unregister(smsm->state);
+-
++out_put:
++ of_node_put(local_node);
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From ea2d1487d35de1bfd699724457f26e2d1aaf349e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jun 2022 09:46:36 +0800
+Subject: soc/tegra: fuse: Add missing of_node_put() in tegra_init_fuse()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit e941712cccab8a96f03b5d3274159c1ed338efee ]
+
+In this function, of_find_matching_node() will return a node pointer
+with refcount incremented. We should use of_node_put() when the "np"
+pointer is not used anymore.
+
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Stable-dep-of: 2254182807fc ("soc/tegra: fuse: Drop Kconfig dependency on TEGRA20_APB_DMA")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/tegra/fuse/fuse-tegra.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c b/drivers/soc/tegra/fuse/fuse-tegra.c
+index b0a8405dbdb1..6542267a224d 100644
+--- a/drivers/soc/tegra/fuse/fuse-tegra.c
++++ b/drivers/soc/tegra/fuse/fuse-tegra.c
+@@ -568,6 +568,7 @@ static int __init tegra_init_fuse(void)
+ np = of_find_matching_node(NULL, car_match);
+ if (np) {
+ void __iomem *base = of_iomap(np, 0);
++ of_node_put(np);
+ if (base) {
+ tegra_enable_fuse_clk(base);
+ iounmap(base);
+--
+2.35.1
+
--- /dev/null
+From 0ad403d70be3cace2365b70fd612a2208b0ef75f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Sep 2020 03:34:21 +0300
+Subject: soc/tegra: fuse: Drop Kconfig dependency on TEGRA20_APB_DMA
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+[ Upstream commit 2254182807fc09ba9dec9a42ef239e373796f1b2 ]
+
+The DMA subsystem could be entirely disabled in Kconfig and then the
+TEGRA20_APB_DMA option isn't available too. Hence kernel configuration
+fails if DMADEVICES Kconfig option is disabled due to the unsatisfiable
+dependency.
+
+The FUSE driver isn't a critical driver and currently it only provides
+NVMEM interface to userspace which isn't known to be widely used, and
+thus, it's fine if FUSE driver fails to load.
+
+Let's remove the erroneous Kconfig dependency and let the FUSE driver to
+fail the probing if DMA is unavailable.
+
+Fixes: 19d41e5e9c68 ("soc/tegra: fuse: Add APB DMA dependency for Tegra20")
+Reported-by: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=209301
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/tegra/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/soc/tegra/Kconfig b/drivers/soc/tegra/Kconfig
+index 5725c8ef0406..6f601227da3c 100644
+--- a/drivers/soc/tegra/Kconfig
++++ b/drivers/soc/tegra/Kconfig
+@@ -136,7 +136,6 @@ config SOC_TEGRA_FUSE
+ def_bool y
+ depends on ARCH_TEGRA
+ select SOC_BUS
+- select TEGRA20_APB_DMA if ARCH_TEGRA_2x_SOC
+
+ config SOC_TEGRA_FLOWCTRL
+ bool
+--
+2.35.1
+
--- /dev/null
+From 0e9a227d22fdc333a5575693f496b56f483584a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 11:35:05 +0100
+Subject: soundwire: cadence: Don't overwrite msg->buf during write commands
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit ba05b39d265bdd16913f7684600d9d41e2796745 ]
+
+The buf passed in struct sdw_msg must only be written for a READ,
+in that case the RDATA part of the response is the data value of the
+register.
+
+For a write command there is no RDATA, and buf should be assumed to
+be const and unmodifable. The original caller should not expect its data
+buffer to be corrupted by an sdw_nwrite().
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20220916103505.1562210-1-rf@opensource.cirrus.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/cadence_master.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/soundwire/cadence_master.c b/drivers/soundwire/cadence_master.c
+index 4fbb19557f5e..42c5fae80efb 100644
+--- a/drivers/soundwire/cadence_master.c
++++ b/drivers/soundwire/cadence_master.c
+@@ -544,9 +544,12 @@ cdns_fill_msg_resp(struct sdw_cdns *cdns,
+ return SDW_CMD_IGNORED;
+ }
+
+- /* fill response */
+- for (i = 0; i < count; i++)
+- msg->buf[i + offset] = FIELD_GET(CDNS_MCP_RESP_RDATA, cdns->response_buf[i]);
++ if (msg->flags == SDW_MSG_FLAG_READ) {
++ /* fill response */
++ for (i = 0; i < count; i++)
++ msg->buf[i + offset] = FIELD_GET(CDNS_MCP_RESP_RDATA,
++ cdns->response_buf[i]);
++ }
+
+ return SDW_CMD_OK;
+ }
+--
+2.35.1
+
--- /dev/null
+From 4ae4fe2e8ac7c310d3ecef843e6f90bb0a8f9926 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 01:57:11 +0800
+Subject: soundwire: intel: fix error handling on dai registration issues
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit c6867cda906aadbce5e71efde9c78a26108b2bad ]
+
+The call to intel_register_dai() may fail because of memory allocation
+issues or problems reported by the ASoC core. In all cases, when a
+error is thrown the component is not registered, it's invalid to
+unregister it.
+
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Rander Wang <rander.wang@intel.com>
+Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Link: https://lore.kernel.org/r/20220919175721.354679-2-yung-chuan.liao@linux.intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/intel.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/soundwire/intel.c b/drivers/soundwire/intel.c
+index 89d1d0d021fc..af6c1a93372d 100644
+--- a/drivers/soundwire/intel.c
++++ b/drivers/soundwire/intel.c
+@@ -1429,7 +1429,6 @@ int intel_link_startup(struct auxiliary_device *auxdev)
+ ret = intel_register_dai(sdw);
+ if (ret) {
+ dev_err(dev, "DAI registration failed: %d\n", ret);
+- snd_soc_unregister_component(dev);
+ goto err_interrupt;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 7c9150bb93734ff3ffe5ba2fd3970707a7431416 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Aug 2022 21:55:53 +0200
+Subject: sparc: Fix the generic IO helpers
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 2c230431e1e809270178905974f57cf3878939f5 ]
+
+This enables the Sparc to use <asm-generic/io.h> to fill in the
+missing (undefined) [read|write]sq I/O accessor functions.
+
+This is needed if Sparc[64] ever wants to uses CONFIG_REGMAP_MMIO
+which has been patches to use accelerated _noinc accessors
+such as readsq/writesq that Sparc64, while being a 64bit platform,
+as of now not yet provide.
+
+This comes with the requirement that everything the architecture
+already provides needs to be defined, rather than just being,
+say, static inline functions.
+
+Bite the bullet and just provide the definitions and make it work.
+Compile-tested on sparc32 and sparc64.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: sparclinux@vger.kernel.org
+Cc: linux-arch@vger.kernel.org
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/linux-arm-kernel/202208201639.HXye3ke4-lkp@intel.com/
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/include/asm/io.h | 2 ++
+ arch/sparc/include/asm/io_64.h | 22 ++++++++++++++++++++++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/arch/sparc/include/asm/io.h b/arch/sparc/include/asm/io.h
+index 2eefa526b38f..2dad9be9ec75 100644
+--- a/arch/sparc/include/asm/io.h
++++ b/arch/sparc/include/asm/io.h
+@@ -19,4 +19,6 @@
+ #define writel_be(__w, __addr) __raw_writel(__w, __addr)
+ #define writew_be(__l, __addr) __raw_writew(__l, __addr)
+
++#include <asm-generic/io.h>
++
+ #endif
+diff --git a/arch/sparc/include/asm/io_64.h b/arch/sparc/include/asm/io_64.h
+index 5ffa820dcd4d..9303270b22f3 100644
+--- a/arch/sparc/include/asm/io_64.h
++++ b/arch/sparc/include/asm/io_64.h
+@@ -9,6 +9,7 @@
+ #include <asm/page.h> /* IO address mapping routines need this */
+ #include <asm/asi.h>
+ #include <asm-generic/pci_iomap.h>
++#define pci_iomap pci_iomap
+
+ /* BIO layer definitions. */
+ extern unsigned long kern_base, kern_size;
+@@ -239,38 +240,51 @@ static inline void outl(u32 l, unsigned long addr)
+ void outsb(unsigned long, const void *, unsigned long);
+ void outsw(unsigned long, const void *, unsigned long);
+ void outsl(unsigned long, const void *, unsigned long);
++#define outsb outsb
++#define outsw outsw
++#define outsl outsl
+ void insb(unsigned long, void *, unsigned long);
+ void insw(unsigned long, void *, unsigned long);
+ void insl(unsigned long, void *, unsigned long);
++#define insb insb
++#define insw insw
++#define insl insl
+
+ static inline void readsb(void __iomem *port, void *buf, unsigned long count)
+ {
+ insb((unsigned long __force)port, buf, count);
+ }
++#define readsb readsb
++
+ static inline void readsw(void __iomem *port, void *buf, unsigned long count)
+ {
+ insw((unsigned long __force)port, buf, count);
+ }
++#define readsw readsw
+
+ static inline void readsl(void __iomem *port, void *buf, unsigned long count)
+ {
+ insl((unsigned long __force)port, buf, count);
+ }
++#define readsl readsl
+
+ static inline void writesb(void __iomem *port, const void *buf, unsigned long count)
+ {
+ outsb((unsigned long __force)port, buf, count);
+ }
++#define writesb writesb
+
+ static inline void writesw(void __iomem *port, const void *buf, unsigned long count)
+ {
+ outsw((unsigned long __force)port, buf, count);
+ }
++#define writesw writesw
+
+ static inline void writesl(void __iomem *port, const void *buf, unsigned long count)
+ {
+ outsl((unsigned long __force)port, buf, count);
+ }
++#define writesl writesl
+
+ #define ioread8_rep(p,d,l) readsb(p,d,l)
+ #define ioread16_rep(p,d,l) readsw(p,d,l)
+@@ -344,6 +358,7 @@ static inline void memset_io(volatile void __iomem *dst, int c, __kernel_size_t
+ d++;
+ }
+ }
++#define memset_io memset_io
+
+ static inline void sbus_memcpy_fromio(void *dst, const volatile void __iomem *src,
+ __kernel_size_t n)
+@@ -369,6 +384,7 @@ static inline void memcpy_fromio(void *dst, const volatile void __iomem *src,
+ src++;
+ }
+ }
++#define memcpy_fromio memcpy_fromio
+
+ static inline void sbus_memcpy_toio(volatile void __iomem *dst, const void *src,
+ __kernel_size_t n)
+@@ -395,6 +411,7 @@ static inline void memcpy_toio(volatile void __iomem *dst, const void *src,
+ d++;
+ }
+ }
++#define memcpy_toio memcpy_toio
+
+ #ifdef __KERNEL__
+
+@@ -412,7 +429,9 @@ static inline void __iomem *ioremap(unsigned long offset, unsigned long size)
+ static inline void __iomem *ioremap_np(unsigned long offset, unsigned long size)
+ {
+ return NULL;
++
+ }
++#define ioremap_np ioremap_np
+
+ static inline void iounmap(volatile void __iomem *addr)
+ {
+@@ -432,10 +451,13 @@ static inline void iounmap(volatile void __iomem *addr)
+ /* Create a virtual mapping cookie for an IO port range */
+ void __iomem *ioport_map(unsigned long port, unsigned int nr);
+ void ioport_unmap(void __iomem *);
++#define ioport_map ioport_map
++#define ioport_unmap ioport_unmap
+
+ /* Create a virtual mapping cookie for a PCI BAR (memory or IO) */
+ struct pci_dev;
+ void pci_iounmap(struct pci_dev *dev, void __iomem *);
++#define pci_iounmap pci_iounmap
+
+ static inline int sbus_can_dma_64bit(void)
+ {
+--
+2.35.1
+
--- /dev/null
+From d108e8df36f6c9ac4fb6f21e3fd0b4bcf27353aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Sep 2022 20:13:07 +0800
+Subject: spi: cadence-quadspi: Fix PM disable depth imbalance in cqspi_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 4d0ef0a1c35189a6e8377d8ee8310ea5ef22c5f3 ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context.
+
+Fixes:73d5fe0462702 ("spi: cadence-quadspi: Remove spi_master_put() in probe failure path")
+
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Link: https://lore.kernel.org/r/20220924121310.78331-2-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-cadence-quadspi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c
+index e12ab5b43f34..447230547945 100644
+--- a/drivers/spi/spi-cadence-quadspi.c
++++ b/drivers/spi/spi-cadence-quadspi.c
+@@ -1645,7 +1645,7 @@ static int cqspi_probe(struct platform_device *pdev)
+ pm_runtime_enable(dev);
+ ret = pm_runtime_resume_and_get(dev);
+ if (ret < 0)
+- return ret;
++ goto probe_pm_failed;
+
+ ret = clk_prepare_enable(cqspi->clk);
+ if (ret) {
+@@ -1740,6 +1740,7 @@ static int cqspi_probe(struct platform_device *pdev)
+ clk_disable_unprepare(cqspi->clk);
+ probe_clk_failed:
+ pm_runtime_put_sync(dev);
++probe_pm_failed:
+ pm_runtime_disable(dev);
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From 3bcc980549ae16e55a22eb252aad00d57156de96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Sep 2022 20:13:08 +0800
+Subject: spi: dw: Fix PM disable depth imbalance in dw_spi_bt1_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 618d815fc93477b1675878f3c04ff32657cc18b4 ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context.
+
+Fixes:abf00907538e2 ("spi: dw: Add Baikal-T1 SPI Controller glue driver")
+
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Link: https://lore.kernel.org/r/20220924121310.78331-3-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dw-bt1.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-dw-bt1.c b/drivers/spi/spi-dw-bt1.c
+index c06553416123..3fb89dee595e 100644
+--- a/drivers/spi/spi-dw-bt1.c
++++ b/drivers/spi/spi-dw-bt1.c
+@@ -293,8 +293,10 @@ static int dw_spi_bt1_probe(struct platform_device *pdev)
+ pm_runtime_enable(&pdev->dev);
+
+ ret = dw_spi_add_host(&pdev->dev, dws);
+- if (ret)
++ if (ret) {
++ pm_runtime_disable(&pdev->dev);
+ goto err_disable_clk;
++ }
+
+ platform_set_drvdata(pdev, dwsbt1);
+
+--
+2.35.1
+
--- /dev/null
+From b04beefde50774130c1122d7c291fcff35853338 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Sep 2022 13:34:08 +0200
+Subject: spi: Ensure that sg_table won't be used after being freed
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit 8e9204cddcc3fea9affcfa411715ba4f66e97587 ]
+
+SPI code checks for non-zero sgt->orig_nents to determine if the buffer
+has been DMA-mapped. Ensure that sg_table is really zeroed after free to
+avoid potential NULL pointer dereference if the given SPI xfer object is
+reused again without being DMA-mapped.
+
+Fixes: 0c17ba73c08f ("spi: Fix cache corruption due to DMA/PIO overlap")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Link: https://lore.kernel.org/r/20220930113408.19720-1-m.szyprowski@samsung.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index 32c01e684af3..4b42f2302a8a 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -1097,6 +1097,8 @@ void spi_unmap_buf(struct spi_controller *ctlr, struct device *dev,
+ if (sgt->orig_nents) {
+ dma_unmap_sg(dev, sgt->sgl, sgt->orig_nents, dir);
+ sg_free_table(sgt);
++ sgt->orig_nents = 0;
++ sgt->nents = 0;
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From e6f5bae89f1da98e9e1c73763ffe5fb23b24d496 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Sep 2022 14:18:03 +0200
+Subject: spi: meson-spicc: do not rely on busy flag in pow2 clk ops
+
+From: Neil Armstrong <narmstrong@baylibre.com>
+
+[ Upstream commit 36acf80fc0c4b5ebe6fa010b524d442ee7f08fd3 ]
+
+Since [1], controller's busy flag isn't set anymore when the
+__spi_transfer_message_noqueue() is used instead of the
+__spi_pump_transfer_message() logic for spi_sync transfers.
+
+Since the pow2 clock ops were limited to only be available when a
+transfer is ongoing (between prepare_transfer_hardware and
+unprepare_transfer_hardware callbacks), the only way to track this
+down is to check for the controller cur_msg.
+
+[1] ae7d2346dc89 ("spi: Don't use the message queue if possible in spi_sync")
+
+Fixes: 09992025dacd ("spi: meson-spicc: add local pow2 clock ops to preserve rate between messages")
+Fixes: ae7d2346dc89 ("spi: Don't use the message queue if possible in spi_sync")
+Reported-by: Markus Schneider-Pargmann <msp@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Tested-by: Markus Schneider-Pargmann <msp@baylibre.com>
+Link: https://lore.kernel.org/r/20220908121803.919943-1-narmstrong@baylibre.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-meson-spicc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-meson-spicc.c b/drivers/spi/spi-meson-spicc.c
+index e4cb52e1fe26..6974a1c947aa 100644
+--- a/drivers/spi/spi-meson-spicc.c
++++ b/drivers/spi/spi-meson-spicc.c
+@@ -537,7 +537,7 @@ static unsigned long meson_spicc_pow2_recalc_rate(struct clk_hw *hw,
+ struct clk_divider *divider = to_clk_divider(hw);
+ struct meson_spicc_device *spicc = pow2_clk_to_spicc(divider);
+
+- if (!spicc->master->cur_msg || !spicc->master->busy)
++ if (!spicc->master->cur_msg)
+ return 0;
+
+ return clk_divider_ops.recalc_rate(hw, parent_rate);
+@@ -549,7 +549,7 @@ static int meson_spicc_pow2_determine_rate(struct clk_hw *hw,
+ struct clk_divider *divider = to_clk_divider(hw);
+ struct meson_spicc_device *spicc = pow2_clk_to_spicc(divider);
+
+- if (!spicc->master->cur_msg || !spicc->master->busy)
++ if (!spicc->master->cur_msg)
+ return -EINVAL;
+
+ return clk_divider_ops.determine_rate(hw, req);
+@@ -561,7 +561,7 @@ static int meson_spicc_pow2_set_rate(struct clk_hw *hw, unsigned long rate,
+ struct clk_divider *divider = to_clk_divider(hw);
+ struct meson_spicc_device *spicc = pow2_clk_to_spicc(divider);
+
+- if (!spicc->master->cur_msg || !spicc->master->busy)
++ if (!spicc->master->cur_msg)
+ return -EINVAL;
+
+ return clk_divider_ops.set_rate(hw, rate, parent_rate);
+--
+2.35.1
+
--- /dev/null
+From efd1237ec9a857a18d4bfe22225443e181c034b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Aug 2022 13:42:07 +0200
+Subject: spi: mt7621: Fix an error message in mt7621_spi_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 2b2bf6b7faa9010fae10dc7de76627a3fdb525b3 ]
+
+'status' is known to be 0 at this point. The expected error code is
+PTR_ERR(clk).
+
+Switch to dev_err_probe() in order to display the expected error code (in a
+human readable way).
+This also filters -EPROBE_DEFER cases, should it happen.
+
+Fixes: 1ab7f2a43558 ("staging: mt7621-spi: add mt7621 support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Link: https://lore.kernel.org/r/928f3fb507d53ba0774df27cea0bbba4b055993b.1661599671.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-mt7621.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/spi/spi-mt7621.c b/drivers/spi/spi-mt7621.c
+index b4b9b7309b5e..351b0ef52bbc 100644
+--- a/drivers/spi/spi-mt7621.c
++++ b/drivers/spi/spi-mt7621.c
+@@ -340,11 +340,9 @@ static int mt7621_spi_probe(struct platform_device *pdev)
+ return PTR_ERR(base);
+
+ clk = devm_clk_get(&pdev->dev, NULL);
+- if (IS_ERR(clk)) {
+- dev_err(&pdev->dev, "unable to get SYS clock, err=%d\n",
+- status);
+- return PTR_ERR(clk);
+- }
++ if (IS_ERR(clk))
++ return dev_err_probe(&pdev->dev, PTR_ERR(clk),
++ "unable to get SYS clock\n");
+
+ status = clk_prepare_enable(clk);
+ if (status)
+--
+2.35.1
+
--- /dev/null
+From 8cabefc42979a1721e7066cf3372b600852c614e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Sep 2022 20:13:09 +0800
+Subject: spi/omap100k:Fix PM disable depth imbalance in omap1_spi100k_probe
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 29f65f2171c85a9633daa380df14009a365f42f2 ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context.
+
+Fixes:db91841b58f9a ("spi/omap100k: Convert to runtime PM")
+
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Link: https://lore.kernel.org/r/20220924121310.78331-4-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-omap-100k.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c
+index 20b047172965..061f7394e5b9 100644
+--- a/drivers/spi/spi-omap-100k.c
++++ b/drivers/spi/spi-omap-100k.c
+@@ -412,6 +412,7 @@ static int omap1_spi100k_probe(struct platform_device *pdev)
+ return status;
+
+ err_fck:
++ pm_runtime_disable(&pdev->dev);
+ clk_disable_unprepare(spi100k->fck);
+ err_ick:
+ clk_disable_unprepare(spi100k->ick);
+--
+2.35.1
+
--- /dev/null
+From ecc1c6665d0405f56358f77954e4944c42abf2d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 06:53:23 +0000
+Subject: spi: qup: add missing clk_disable_unprepare on error in
+ spi_qup_resume()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xu Qiang <xuqiang36@huawei.com>
+
+[ Upstream commit 70034320fdc597b8f58b4a43bb547f17c4c5557a ]
+
+Add the missing clk_disable_unprepare() before return
+from spi_qup_resume() in the error handling case.
+
+Fixes: 64ff247a978f (“spi: Add Qualcomm QUP SPI controller support”)
+Signed-off-by: Xu Qiang <xuqiang36@huawei.com>
+Link: https://lore.kernel.org/r/20220825065324.68446-1-xuqiang36@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-qup.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-qup.c b/drivers/spi/spi-qup.c
+index 00d6084306b4..ae4e67f152ec 100644
+--- a/drivers/spi/spi-qup.c
++++ b/drivers/spi/spi-qup.c
+@@ -1245,14 +1245,25 @@ static int spi_qup_resume(struct device *device)
+ return ret;
+
+ ret = clk_prepare_enable(controller->cclk);
+- if (ret)
++ if (ret) {
++ clk_disable_unprepare(controller->iclk);
+ return ret;
++ }
+
+ ret = spi_qup_set_state(controller, QUP_STATE_RESET);
+ if (ret)
+- return ret;
++ goto disable_clk;
++
++ ret = spi_master_resume(master);
++ if (ret)
++ goto disable_clk;
+
+- return spi_master_resume(master);
++ return 0;
++
++disable_clk:
++ clk_disable_unprepare(controller->cclk);
++ clk_disable_unprepare(controller->iclk);
++ return ret;
+ }
+ #endif /* CONFIG_PM_SLEEP */
+
+--
+2.35.1
+
--- /dev/null
+From f1514e2afc452f93b5cced3d920d4e4c63bc89bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 06:53:24 +0000
+Subject: spi: qup: add missing clk_disable_unprepare on error in
+ spi_qup_pm_resume_runtime()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xu Qiang <xuqiang36@huawei.com>
+
+[ Upstream commit 494a22765ce479c9f8ad181c5d24cffda9f534bb ]
+
+Add the missing clk_disable_unprepare() before return
+from spi_qup_pm_resume_runtime() in the error handling case.
+
+Fixes: dae1a7700b34 (“spi: qup: Handle clocks in pm_runtime suspend and resume”)
+Signed-off-by: Xu Qiang <xuqiang36@huawei.com>
+Link: https://lore.kernel.org/r/20220825065324.68446-2-xuqiang36@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-qup.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-qup.c b/drivers/spi/spi-qup.c
+index ae4e67f152ec..7d89510dc3f0 100644
+--- a/drivers/spi/spi-qup.c
++++ b/drivers/spi/spi-qup.c
+@@ -1198,8 +1198,10 @@ static int spi_qup_pm_resume_runtime(struct device *device)
+ return ret;
+
+ ret = clk_prepare_enable(controller->cclk);
+- if (ret)
++ if (ret) {
++ clk_disable_unprepare(controller->iclk);
+ return ret;
++ }
+
+ /* Disable clocks auto gaiting */
+ config = readl_relaxed(controller->base + QUP_CONFIG);
+--
+2.35.1
+
--- /dev/null
+From 2f0cd3195ee34088aea2f7664de5f06697523565 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Aug 2022 09:48:51 +0900
+Subject: spi: s3c64xx: correct dma_chan pointer initialization
+
+From: Chanho Park <chanho61.park@samsung.com>
+
+[ Upstream commit dad57a510db9423a4128ae6565854e999cebac51 ]
+
+Use NULL for dma channel pointer initialization instead of plain integer.
+
+sparse warnings: (new ones prefixed by >>)
+>> drivers/spi/spi-s3c64xx.c:387:34: sparse: sparse: Using plain integer as NULL pointer
+ drivers/spi/spi-s3c64xx.c:388:34: sparse: sparse: Using plain integer as NULL pointer
+
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: 82295bc0d192 ("spi: s3c64xx: move dma_release_channel to unprepare")
+Fixes: f52b03c70744 ("spi: s3c64xx: requests spi-dma channel only during data transfer")
+Signed-off-by: Chanho Park <chanho61.park@samsung.com>
+Reviewed-by: Andi Shyti <andi@etezian.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20220808004851.25122-1-chanho61.park@samsung.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-s3c64xx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
+index 7f346866614a..651c35dd9124 100644
+--- a/drivers/spi/spi-s3c64xx.c
++++ b/drivers/spi/spi-s3c64xx.c
+@@ -389,8 +389,8 @@ static int s3c64xx_spi_unprepare_transfer(struct spi_master *spi)
+ if (sdd->rx_dma.ch && sdd->tx_dma.ch) {
+ dma_release_channel(sdd->rx_dma.ch);
+ dma_release_channel(sdd->tx_dma.ch);
+- sdd->rx_dma.ch = 0;
+- sdd->tx_dma.ch = 0;
++ sdd->rx_dma.ch = NULL;
++ sdd->tx_dma.ch = NULL;
+ }
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From cde7e24cc4452eab5cee13d31e4829d76b19a519 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 13:21:17 +0200
+Subject: spi: s3c64xx: Fix large transfers with DMA
+
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+
+[ Upstream commit 1224e29572f655facfcd850cf0f0a4784f36a903 ]
+
+The COUNT_VALUE in the PACKET_CNT register is 16-bit so the maximum
+value is 65535. Asking the driver to transfer a larger size currently
+leads to the DMA transfer timing out. Implement ->max_transfer_size()
+and have the core split the transfer as needed.
+
+Fixes: 230d42d422e7 ("spi: Add s3c64xx SPI Controller driver")
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Link: https://lore.kernel.org/r/20220927112117.77599-5-vincent.whitchurch@axis.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-s3c64xx.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
+index 651c35dd9124..71d324ec9a70 100644
+--- a/drivers/spi/spi-s3c64xx.c
++++ b/drivers/spi/spi-s3c64xx.c
+@@ -84,6 +84,7 @@
+ #define S3C64XX_SPI_ST_TX_FIFORDY (1<<0)
+
+ #define S3C64XX_SPI_PACKET_CNT_EN (1<<16)
++#define S3C64XX_SPI_PACKET_CNT_MASK GENMASK(15, 0)
+
+ #define S3C64XX_SPI_PND_TX_UNDERRUN_CLR (1<<4)
+ #define S3C64XX_SPI_PND_TX_OVERRUN_CLR (1<<3)
+@@ -711,6 +712,13 @@ static int s3c64xx_spi_prepare_message(struct spi_master *master,
+ return 0;
+ }
+
++static size_t s3c64xx_spi_max_transfer_size(struct spi_device *spi)
++{
++ struct spi_controller *ctlr = spi->controller;
++
++ return ctlr->can_dma ? S3C64XX_SPI_PACKET_CNT_MASK : SIZE_MAX;
++}
++
+ static int s3c64xx_spi_transfer_one(struct spi_master *master,
+ struct spi_device *spi,
+ struct spi_transfer *xfer)
+@@ -1152,6 +1160,7 @@ static int s3c64xx_spi_probe(struct platform_device *pdev)
+ master->unprepare_transfer_hardware = s3c64xx_spi_unprepare_transfer;
+ master->prepare_message = s3c64xx_spi_prepare_message;
+ master->transfer_one = s3c64xx_spi_transfer_one;
++ master->max_transfer_size = s3c64xx_spi_max_transfer_size;
+ master->num_chipselect = sci->num_cs;
+ master->use_gpio_descriptors = true;
+ master->dma_alignment = 8;
+--
+2.35.1
+
--- /dev/null
+From e1bbad80860dcffa56423bd9fafb55d31adf6381 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 17:50:16 -0700
+Subject: spmi: pmic-arb: correct duplicate APID to PPID mapping logic
+
+From: David Collins <collinsd@codeaurora.org>
+
+[ Upstream commit 1f1693118c2476cb1666ad357edcf3cf48bf9b16 ]
+
+Correct the way that duplicate PPID mappings are handled for PMIC
+arbiter v5. The final APID mapped to a given PPID should be the
+one which has write owner = APPS EE, if it exists, or if not
+that, then the first APID mapped to the PPID, if it exists.
+
+Fixes: 40f318f0ed67 ("spmi: pmic-arb: add support for HW version 5")
+Signed-off-by: David Collins <collinsd@codeaurora.org>
+Signed-off-by: Fenglin Wu <quic_fenglinw@quicinc.com>
+Link: https://lore.kernel.org/r/1655004286-11493-7-git-send-email-quic_fenglinw@quicinc.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Link: https://lore.kernel.org/r/20220930005019.2663064-8-sboyd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spmi/spmi-pmic-arb.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/spmi/spmi-pmic-arb.c b/drivers/spmi/spmi-pmic-arb.c
+index 2113be40b5a9..58f580e7aacc 100644
+--- a/drivers/spmi/spmi-pmic-arb.c
++++ b/drivers/spmi/spmi-pmic-arb.c
+@@ -992,7 +992,8 @@ static int pmic_arb_read_apid_map_v5(struct spmi_pmic_arb *pmic_arb)
+ * version 5, there is more than one APID mapped to each PPID.
+ * The owner field for each of these mappings specifies the EE which is
+ * allowed to write to the APID. The owner of the last (highest) APID
+- * for a given PPID will receive interrupts from the PPID.
++ * which has the IRQ owner bit set for a given PPID will receive
++ * interrupts from the PPID.
+ */
+ for (i = 0; ; i++, apidd++) {
+ offset = pmic_arb->ver_ops->apid_map_offset(i);
+@@ -1015,16 +1016,16 @@ static int pmic_arb_read_apid_map_v5(struct spmi_pmic_arb *pmic_arb)
+ apid = pmic_arb->ppid_to_apid[ppid] & ~PMIC_ARB_APID_VALID;
+ prev_apidd = &pmic_arb->apid_data[apid];
+
+- if (valid && is_irq_ee &&
+- prev_apidd->write_ee == pmic_arb->ee) {
++ if (!valid || apidd->write_ee == pmic_arb->ee) {
++ /* First PPID mapping or one for this EE */
++ pmic_arb->ppid_to_apid[ppid] = i | PMIC_ARB_APID_VALID;
++ } else if (valid && is_irq_ee &&
++ prev_apidd->write_ee == pmic_arb->ee) {
+ /*
+ * Duplicate PPID mapping after the one for this EE;
+ * override the irq owner
+ */
+ prev_apidd->irq_ee = apidd->irq_ee;
+- } else if (!valid || is_irq_ee) {
+- /* First PPID mapping or duplicate for another EE */
+- pmic_arb->ppid_to_apid[ppid] = i | PMIC_ARB_APID_VALID;
+ }
+
+ apidd->ppid = ppid;
+--
+2.35.1
+
--- /dev/null
+From bca877a24d78c72ef0431de3443a3cad87858df6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 19:27:21 +0800
+Subject: staging: rtl8723bs: fix a potential memory leak in
+ rtw_init_cmd_priv()
+
+From: Xiaoke Wang <xkernel.wang@foxmail.com>
+
+[ Upstream commit 708056fba733a73d926772ea4ce9a42d240345da ]
+
+In rtw_init_cmd_priv(), if `pcmdpriv->rsp_allocated_buf` is allocated
+in failure, then `pcmdpriv->cmd_allocated_buf` will be not properly
+released. Besides, considering there are only two error paths and the
+first one can directly return, so we do not need implicitly jump to the
+`exit` tag to execute the error handler.
+
+So this patch added `kfree(pcmdpriv->cmd_allocated_buf);` on the error
+path to release the resource and simplified the return logic of
+rtw_init_cmd_priv(). As there is no proper device to test with, no runtime
+testing was performed.
+
+Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
+Link: https://lore.kernel.org/r/tencent_2B7931B79BA38E22205C5A09EFDF11E48805@qq.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_cmd.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/staging/rtl8723bs/core/rtw_cmd.c b/drivers/staging/rtl8723bs/core/rtw_cmd.c
+index b4170f64d118..03c2c66dbf66 100644
+--- a/drivers/staging/rtl8723bs/core/rtw_cmd.c
++++ b/drivers/staging/rtl8723bs/core/rtw_cmd.c
+@@ -161,8 +161,6 @@ static struct cmd_hdl wlancmds[] = {
+
+ int rtw_init_cmd_priv(struct cmd_priv *pcmdpriv)
+ {
+- int res = 0;
+-
+ init_completion(&pcmdpriv->cmd_queue_comp);
+ init_completion(&pcmdpriv->terminate_cmdthread_comp);
+
+@@ -175,18 +173,16 @@ int rtw_init_cmd_priv(struct cmd_priv *pcmdpriv)
+
+ pcmdpriv->cmd_allocated_buf = rtw_zmalloc(MAX_CMDSZ + CMDBUFF_ALIGN_SZ);
+
+- if (!pcmdpriv->cmd_allocated_buf) {
+- res = -ENOMEM;
+- goto exit;
+- }
++ if (!pcmdpriv->cmd_allocated_buf)
++ return -ENOMEM;
+
+ pcmdpriv->cmd_buf = pcmdpriv->cmd_allocated_buf + CMDBUFF_ALIGN_SZ - ((SIZE_PTR)(pcmdpriv->cmd_allocated_buf) & (CMDBUFF_ALIGN_SZ-1));
+
+ pcmdpriv->rsp_allocated_buf = rtw_zmalloc(MAX_RSPSZ + 4);
+
+ if (!pcmdpriv->rsp_allocated_buf) {
+- res = -ENOMEM;
+- goto exit;
++ kfree(pcmdpriv->cmd_allocated_buf);
++ return -ENOMEM;
+ }
+
+ pcmdpriv->rsp_buf = pcmdpriv->rsp_allocated_buf + 4 - ((SIZE_PTR)(pcmdpriv->rsp_allocated_buf) & 3);
+@@ -196,8 +192,8 @@ int rtw_init_cmd_priv(struct cmd_priv *pcmdpriv)
+ pcmdpriv->rsp_cnt = 0;
+
+ mutex_init(&pcmdpriv->sctx_mutex);
+-exit:
+- return res;
++
++ return 0;
+ }
+
+ static void c2h_wk_callback(struct work_struct *work);
+--
+2.35.1
+
--- /dev/null
+From 37f8f9c1f47be33ced5919367a8a0873104af028 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 18:39:35 +0800
+Subject: staging: rtl8723bs: fix potential memory leak in rtw_init_drv_sw()
+
+From: Xiaoke Wang <xkernel.wang@foxmail.com>
+
+[ Upstream commit 5a5aa9cce621e2c0e25a1e5d72d6be1749167cc0 ]
+
+In rtw_init_drv_sw(), there are various init functions are called to
+populate the padapter structure and some checks for their return value.
+However, except for the first one error path, the other five error paths
+do not properly release the previous allocated resources, which leads to
+various memory leaks.
+
+This patch fixes them and keeps the success and error separate.
+Note that these changes keep the form of `rtw_init_drv_sw()` in
+"drivers/staging/r8188eu/os_dep/os_intfs.c". As there is no proper device
+to test with, no runtime testing was performed.
+
+Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
+Link: https://lore.kernel.org/r/tencent_C3B899D2FC3F1BC827F3552E0B0734056006@qq.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8723bs/os_dep/os_intfs.c | 60 +++++++++++----------
+ 1 file changed, 31 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/staging/rtl8723bs/os_dep/os_intfs.c b/drivers/staging/rtl8723bs/os_dep/os_intfs.c
+index 380d8c9e1239..68bba3c0e757 100644
+--- a/drivers/staging/rtl8723bs/os_dep/os_intfs.c
++++ b/drivers/staging/rtl8723bs/os_dep/os_intfs.c
+@@ -664,51 +664,36 @@ void rtw_reset_drv_sw(struct adapter *padapter)
+
+ u8 rtw_init_drv_sw(struct adapter *padapter)
+ {
+- u8 ret8 = _SUCCESS;
+-
+ rtw_init_default_value(padapter);
+
+ rtw_init_hal_com_default_value(padapter);
+
+- if (rtw_init_cmd_priv(&padapter->cmdpriv)) {
+- ret8 = _FAIL;
+- goto exit;
+- }
++ if (rtw_init_cmd_priv(&padapter->cmdpriv))
++ return _FAIL;
+
+ padapter->cmdpriv.padapter = padapter;
+
+- if (rtw_init_evt_priv(&padapter->evtpriv)) {
+- ret8 = _FAIL;
+- goto exit;
+- }
++ if (rtw_init_evt_priv(&padapter->evtpriv))
++ goto free_cmd_priv;
+
+-
+- if (rtw_init_mlme_priv(padapter) == _FAIL) {
+- ret8 = _FAIL;
+- goto exit;
+- }
++ if (rtw_init_mlme_priv(padapter) == _FAIL)
++ goto free_evt_priv;
+
+ init_mlme_ext_priv(padapter);
+
+- if (_rtw_init_xmit_priv(&padapter->xmitpriv, padapter) == _FAIL) {
+- ret8 = _FAIL;
+- goto exit;
+- }
++ if (_rtw_init_xmit_priv(&padapter->xmitpriv, padapter) == _FAIL)
++ goto free_mlme_ext;
+
+- if (_rtw_init_recv_priv(&padapter->recvpriv, padapter) == _FAIL) {
+- ret8 = _FAIL;
+- goto exit;
+- }
++ if (_rtw_init_recv_priv(&padapter->recvpriv, padapter) == _FAIL)
++ goto free_xmit_priv;
+ /* add for CONFIG_IEEE80211W, none 11w also can use */
+ spin_lock_init(&padapter->security_key_mutex);
+
+ /* We don't need to memset padapter->XXX to zero, because adapter is allocated by vzalloc(). */
+ /* memset((unsigned char *)&padapter->securitypriv, 0, sizeof (struct security_priv)); */
+
+- if (_rtw_init_sta_priv(&padapter->stapriv) == _FAIL) {
+- ret8 = _FAIL;
+- goto exit;
+- }
++ if (_rtw_init_sta_priv(&padapter->stapriv) == _FAIL)
++ goto free_recv_priv;
+
+ padapter->stapriv.padapter = padapter;
+ padapter->setband = GHZ24_50;
+@@ -719,9 +704,26 @@ u8 rtw_init_drv_sw(struct adapter *padapter)
+
+ rtw_hal_dm_init(padapter);
+
+-exit:
++ return _SUCCESS;
++
++free_recv_priv:
++ _rtw_free_recv_priv(&padapter->recvpriv);
++
++free_xmit_priv:
++ _rtw_free_xmit_priv(&padapter->xmitpriv);
++
++free_mlme_ext:
++ free_mlme_ext_priv(&padapter->mlmeextpriv);
+
+- return ret8;
++ rtw_free_mlme_priv(&padapter->mlmepriv);
++
++free_evt_priv:
++ rtw_free_evt_priv(&padapter->evtpriv);
++
++free_cmd_priv:
++ rtw_free_cmd_priv(&padapter->cmdpriv);
++
++ return _FAIL;
+ }
+
+ void rtw_cancel_all_timer(struct adapter *padapter)
+--
+2.35.1
+
--- /dev/null
+From c8487920a6c54e9b05c223e704a5febdea1b9e0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Sep 2022 16:13:39 +0200
+Subject: staging: vt6655: fix potential memory leak
+
+From: Nam Cao <namcaov@gmail.com>
+
+[ Upstream commit c8ff91535880d41b49699b3829fb6151942de29e ]
+
+In function device_init_td0_ring, memory is allocated for member
+td_info of priv->apTD0Rings[i], with i increasing from 0. In case of
+allocation failure, the memory is freed in reversed order, with i
+decreasing to 0. However, the case i=0 is left out and thus memory is
+leaked.
+
+Modify the memory freeing loop to include the case i=0.
+
+Tested-by: Philipp Hortmann <philipp.g.hortmann@gmail.com>
+Signed-off-by: Nam Cao <namcaov@gmail.com>
+Link: https://lore.kernel.org/r/20220909141338.19343-1-namcaov@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/vt6655/device_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
+index d76f65756db8..ec7c991e745b 100644
+--- a/drivers/staging/vt6655/device_main.c
++++ b/drivers/staging/vt6655/device_main.c
+@@ -694,7 +694,7 @@ static int device_init_td0_ring(struct vnt_private *priv)
+ return 0;
+
+ err_free_desc:
+- while (--i) {
++ while (i--) {
+ desc = &priv->apTD0Rings[i];
+ kfree(desc->td_info);
+ }
+--
+2.35.1
+
--- /dev/null
+From 4c0af0c9600806b596fb5a2212ace4f3b0c551d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Sep 2022 19:04:31 +0200
+Subject: staging: vt6655: fix some erroneous memory clean-up loops
+
+From: Nam Cao <namcaov@gmail.com>
+
+[ Upstream commit 2a2db520e3ca5aafba7c211abfd397666c9b5f9d ]
+
+In some initialization functions of this driver, memory is allocated with
+'i' acting as an index variable and increasing from 0. The commit in
+"Fixes" introduces some clean-up codes in case of allocation failure,
+which free memory in reverse order with 'i' decreasing to 0. However,
+there are some problems:
+ - The case i=0 is left out. Thus memory is leaked.
+ - In case memory allocation fails right from the start, the memory
+ freeing loops will start with i=-1 and invalid memory locations will
+ be accessed.
+
+One of these loops has been fixed in commit c8ff91535880 ("staging:
+vt6655: fix potential memory leak"). Fix the remaining erroneous loops.
+
+Link: https://lore.kernel.org/linux-staging/Yx9H1zSpxmNqx6Xc@kadam/
+Fixes: 5341ee0adb17 ("staging: vt6655: check for memory allocation failures")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Tested-by: Philipp Hortmann <philipp.g.hortmann@gmail.com>
+Signed-off-by: Nam Cao <namcaov@gmail.com>
+Link: https://lore.kernel.org/r/20220912170429.29852-1-namcaov@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/vt6655/device_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
+index bab08a40fe66..d76f65756db8 100644
+--- a/drivers/staging/vt6655/device_main.c
++++ b/drivers/staging/vt6655/device_main.c
+@@ -583,7 +583,7 @@ static int device_init_rd0_ring(struct vnt_private *priv)
+ kfree(desc->rd_info);
+
+ err_free_desc:
+- while (--i) {
++ while (i--) {
+ desc = &priv->aRD0Ring[i];
+ device_free_rx_buf(priv, desc);
+ kfree(desc->rd_info);
+@@ -629,7 +629,7 @@ static int device_init_rd1_ring(struct vnt_private *priv)
+ kfree(desc->rd_info);
+
+ err_free_desc:
+- while (--i) {
++ while (i--) {
+ desc = &priv->aRD1Ring[i];
+ device_free_rx_buf(priv, desc);
+ kfree(desc->rd_info);
+@@ -734,7 +734,7 @@ static int device_init_td1_ring(struct vnt_private *priv)
+ return 0;
+
+ err_free_desc:
+- while (--i) {
++ while (i--) {
+ desc = &priv->apTD1Rings[i];
+ kfree(desc->td_info);
+ }
+--
+2.35.1
+
--- /dev/null
+From f5388e33056c69ca851e75de0784d75bdbae9423 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 15:09:53 -0400
+Subject: SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 90bfc37b5ab91c1a6165e3e5cfc49bf04571b762 ]
+
+Ensure that stream-based argument decoding can't go past the actual
+end of the receive buffer. xdr_init_decode's calculation of the
+value of xdr->end over-estimates the end of the buffer because the
+Linux kernel RPC server code does not remove the size of the RPC
+header from rqstp->rq_arg before calling the upper layer's
+dispatcher.
+
+The server-side still uses the svc_getnl() macros to decode the
+RPC call header. These macros reduce the length of the head iov
+but do not update the total length of the message in the buffer
+(buf->len).
+
+A proper fix for this would be to replace the use of svc_getnl() and
+friends in the RPC header decoder, but that would be a large and
+invasive change that would be difficult to backport.
+
+Fixes: 5191955d6fc6 ("SUNRPC: Prepare for xdr_stream-style decoding on the server-side")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sunrpc/svc.h | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
+index daecb009c05b..5a830b66f059 100644
+--- a/include/linux/sunrpc/svc.h
++++ b/include/linux/sunrpc/svc.h
+@@ -544,16 +544,27 @@ static inline void svc_reserve_auth(struct svc_rqst *rqstp, int space)
+ }
+
+ /**
+- * svcxdr_init_decode - Prepare an xdr_stream for svc Call decoding
++ * svcxdr_init_decode - Prepare an xdr_stream for Call decoding
+ * @rqstp: controlling server RPC transaction context
+ *
++ * This function currently assumes the RPC header in rq_arg has
++ * already been decoded. Upon return, xdr->p points to the
++ * location of the upper layer header.
+ */
+ static inline void svcxdr_init_decode(struct svc_rqst *rqstp)
+ {
+ struct xdr_stream *xdr = &rqstp->rq_arg_stream;
+- struct kvec *argv = rqstp->rq_arg.head;
++ struct xdr_buf *buf = &rqstp->rq_arg;
++ struct kvec *argv = buf->head;
+
+- xdr_init_decode(xdr, &rqstp->rq_arg, argv->iov_base, NULL);
++ /*
++ * svc_getnl() and friends do not keep the xdr_buf's ::len
++ * field up to date. Refresh that field before initializing
++ * the argument decoding stream.
++ */
++ buf->len = buf->head->iov_len + buf->page_len + buf->tail->iov_len;
++
++ xdr_init_decode(xdr, buf, argv->iov_base, NULL);
+ xdr_set_scratch_page(xdr, rqstp->rq_scratch_page);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 1e3d4348aa0aedec145e2595135248563eee484f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 15:09:59 -0400
+Subject: SUNRPC: Fix svcxdr_init_encode's buflen calculation
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 1242a87da0d8cd2a428e96ca68e7ea899b0f4624 ]
+
+Commit 2825a7f90753 ("nfsd4: allow encoding across page boundaries")
+added an explicit computation of the remaining length in the rq_res
+XDR buffer.
+
+The computation appears to suffer from an "off-by-one" bug. Because
+buflen is too large by one page, XDR encoding can run off the end of
+the send buffer by eventually trying to use the struct page address
+in rq_page_end, which always contains NULL.
+
+Fixes: bddfdbcddbe2 ("NFSD: Extract the svcxdr_init_encode() helper")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sunrpc/svc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
+index 5a830b66f059..0ca8a8ffb47e 100644
+--- a/include/linux/sunrpc/svc.h
++++ b/include/linux/sunrpc/svc.h
+@@ -587,7 +587,7 @@ static inline void svcxdr_init_encode(struct svc_rqst *rqstp)
+ xdr->end = resv->iov_base + PAGE_SIZE - rqstp->rq_auth_slack;
+ buf->len = resv->iov_len;
+ xdr->page_ptr = buf->pages - 1;
+- buf->buflen = PAGE_SIZE * (1 + rqstp->rq_page_end - buf->pages);
++ buf->buflen = PAGE_SIZE * (rqstp->rq_page_end - buf->pages);
+ buf->buflen -= rqstp->rq_auth_slack;
+ xdr->rqst = NULL;
+ }
+--
+2.35.1
+
--- /dev/null
+From 55d43b1ef1b92ffb59958359dd2fc03252cc62dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Aug 2022 21:15:28 +0000
+Subject: tcp: annotate data-race around tcp_md5sig_pool_populated
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit aacd467c0a576e5e44d2de4205855dc0fe43f6fb ]
+
+tcp_md5sig_pool_populated can be read while another thread
+changes its value.
+
+The race has no consequence because allocations
+are protected with tcp_md5sig_mutex.
+
+This patch adds READ_ONCE() and WRITE_ONCE() to document
+the race and silence KCSAN.
+
+Reported-by: Abhishek Shah <abhishek.shah@columbia.edu>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 997a80ce1e13..5f1d84d901c7 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -4444,12 +4444,16 @@ static void __tcp_alloc_md5sig_pool(void)
+ * to memory. See smp_rmb() in tcp_get_md5sig_pool()
+ */
+ smp_wmb();
+- tcp_md5sig_pool_populated = true;
++ /* Paired with READ_ONCE() from tcp_alloc_md5sig_pool()
++ * and tcp_get_md5sig_pool().
++ */
++ WRITE_ONCE(tcp_md5sig_pool_populated, true);
+ }
+
+ bool tcp_alloc_md5sig_pool(void)
+ {
+- if (unlikely(!tcp_md5sig_pool_populated)) {
++ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */
++ if (unlikely(!READ_ONCE(tcp_md5sig_pool_populated))) {
+ mutex_lock(&tcp_md5sig_mutex);
+
+ if (!tcp_md5sig_pool_populated) {
+@@ -4460,7 +4464,8 @@ bool tcp_alloc_md5sig_pool(void)
+
+ mutex_unlock(&tcp_md5sig_mutex);
+ }
+- return tcp_md5sig_pool_populated;
++ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */
++ return READ_ONCE(tcp_md5sig_pool_populated);
+ }
+ EXPORT_SYMBOL(tcp_alloc_md5sig_pool);
+
+@@ -4476,7 +4481,8 @@ struct tcp_md5sig_pool *tcp_get_md5sig_pool(void)
+ {
+ local_bh_disable();
+
+- if (tcp_md5sig_pool_populated) {
++ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */
++ if (READ_ONCE(tcp_md5sig_pool_populated)) {
+ /* coupled with smp_wmb() in __tcp_alloc_md5sig_pool() */
+ smp_rmb();
+ return this_cpu_ptr(&tcp_md5sig_pool);
+--
+2.35.1
+
--- /dev/null
+From 2f8affa4c0e724f0c05c3e212f4a0d2033428c33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Sep 2022 16:03:31 -0400
+Subject: tcp: fix tcp_cwnd_validate() to not forget is_cwnd_limited
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit f4ce91ce12a7c6ead19b128ffa8cff6e3ded2a14 ]
+
+This commit fixes a bug in the tracking of max_packets_out and
+is_cwnd_limited. This bug can cause the connection to fail to remember
+that is_cwnd_limited is true, causing the connection to fail to grow
+cwnd when it should, causing throughput to be lower than it should be.
+
+The following event sequence is an example that triggers the bug:
+
+ (a) The connection is cwnd_limited, but packets_out is not at its
+ peak due to TSO deferral deciding not to send another skb yet.
+ In such cases the connection can advance max_packets_seq and set
+ tp->is_cwnd_limited to true and max_packets_out to a small
+ number.
+
+(b) Then later in the round trip the connection is pacing-limited (not
+ cwnd-limited), and packets_out is larger. In such cases the
+ connection would raise max_packets_out to a bigger number but
+ (unexpectedly) flip tp->is_cwnd_limited from true to false.
+
+This commit fixes that bug.
+
+One straightforward fix would be to separately track (a) the next
+window after max_packets_out reaches a maximum, and (b) the next
+window after tp->is_cwnd_limited is set to true. But this would
+require consuming an extra u32 sequence number.
+
+Instead, to save space we track only the most important
+information. Specifically, we track the strongest available signal of
+the degree to which the cwnd is fully utilized:
+
+(1) If the connection is cwnd-limited then we remember that fact for
+the current window.
+
+(2) If the connection not cwnd-limited then we track the maximum
+number of outstanding packets in the current window.
+
+In particular, note that the new logic cannot trigger the buggy
+(a)/(b) sequence above because with the new logic a condition where
+tp->packets_out > tp->max_packets_out can only trigger an update of
+tp->is_cwnd_limited if tp->is_cwnd_limited is false.
+
+This first showed up in a testing of a BBRv2 dev branch, but this
+buggy behavior highlighted a general issue with the
+tcp_cwnd_validate() logic that can cause cwnd to fail to increase at
+the proper rate for any TCP congestion control, including Reno or
+CUBIC.
+
+Fixes: ca8a22634381 ("tcp: make cwnd-limited checks measurement-based, and gentler")
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Kevin(Yudong) Yang <yyd@google.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/tcp.h | 2 +-
+ include/net/tcp.h | 5 ++++-
+ net/ipv4/tcp.c | 2 ++
+ net/ipv4/tcp_output.c | 19 ++++++++++++-------
+ 4 files changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/tcp.h b/include/linux/tcp.h
+index a9fbe22732c3..4791fd801945 100644
+--- a/include/linux/tcp.h
++++ b/include/linux/tcp.h
+@@ -295,7 +295,7 @@ struct tcp_sock {
+ u32 packets_out; /* Packets which are "in flight" */
+ u32 retrans_out; /* Retransmitted packets out */
+ u32 max_packets_out; /* max packets_out in last window */
+- u32 max_packets_seq; /* right edge of max_packets_out flight */
++ u32 cwnd_usage_seq; /* right edge of cwnd usage tracking flight */
+
+ u16 urg_data; /* Saved octet of OOB data and control flags */
+ u8 ecn_flags; /* ECN status bits. */
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index d10962b9f0d0..95c1d51393ac 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1295,11 +1295,14 @@ static inline bool tcp_is_cwnd_limited(const struct sock *sk)
+ {
+ const struct tcp_sock *tp = tcp_sk(sk);
+
++ if (tp->is_cwnd_limited)
++ return true;
++
+ /* If in slow start, ensure cwnd grows to twice what was ACKed. */
+ if (tcp_in_slow_start(tp))
+ return tcp_snd_cwnd(tp) < 2 * tp->max_packets_out;
+
+- return tp->is_cwnd_limited;
++ return false;
+ }
+
+ /* BBR congestion control needs pacing.
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index e373dde1f46f..997a80ce1e13 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3137,6 +3137,8 @@ int tcp_disconnect(struct sock *sk, int flags)
+ tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
+ tcp_snd_cwnd_set(tp, TCP_INIT_CWND);
+ tp->snd_cwnd_cnt = 0;
++ tp->is_cwnd_limited = 0;
++ tp->max_packets_out = 0;
+ tp->window_clamp = 0;
+ tp->delivered = 0;
+ tp->delivered_ce = 0;
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 290019de766d..c69f4d966024 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1875,15 +1875,20 @@ static void tcp_cwnd_validate(struct sock *sk, bool is_cwnd_limited)
+ const struct tcp_congestion_ops *ca_ops = inet_csk(sk)->icsk_ca_ops;
+ struct tcp_sock *tp = tcp_sk(sk);
+
+- /* Track the maximum number of outstanding packets in each
+- * window, and remember whether we were cwnd-limited then.
++ /* Track the strongest available signal of the degree to which the cwnd
++ * is fully utilized. If cwnd-limited then remember that fact for the
++ * current window. If not cwnd-limited then track the maximum number of
++ * outstanding packets in the current window. (If cwnd-limited then we
++ * chose to not update tp->max_packets_out to avoid an extra else
++ * clause with no functional impact.)
+ */
+- if (!before(tp->snd_una, tp->max_packets_seq) ||
+- tp->packets_out > tp->max_packets_out ||
+- is_cwnd_limited) {
+- tp->max_packets_out = tp->packets_out;
+- tp->max_packets_seq = tp->snd_nxt;
++ if (!before(tp->snd_una, tp->cwnd_usage_seq) ||
++ is_cwnd_limited ||
++ (!tp->is_cwnd_limited &&
++ tp->packets_out > tp->max_packets_out)) {
+ tp->is_cwnd_limited = is_cwnd_limited;
++ tp->max_packets_out = tp->packets_out;
++ tp->cwnd_usage_seq = tp->snd_nxt;
+ }
+
+ if (tcp_is_cwnd_limited(sk)) {
+--
+2.35.1
+
--- /dev/null
+From 2c543193aa13a5248682cc02278e9fbb51dee66a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Aug 2022 19:40:17 +0800
+Subject: thermal: cpufreq_cooling: Check the policy first in
+ cpufreq_cooling_register()
+
+From: Xuewen Yan <xuewen.yan@unisoc.com>
+
+[ Upstream commit cff895277c8558221ba180aefe26799dcb4eec86 ]
+
+Since the policy needs to be accessed first when obtaining cpu devices,
+first check whether the policy is legal before this.
+
+Fixes: 5130802ddbb1 ("thermal: cpu_cooling: Switch to QoS requests for freq limits")
+Signed-off-by: Xuewen Yan <xuewen.yan@unisoc.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/cpufreq_cooling.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/thermal/cpufreq_cooling.c b/drivers/thermal/cpufreq_cooling.c
+index b76293cc989c..7838b6e2dba5 100644
+--- a/drivers/thermal/cpufreq_cooling.c
++++ b/drivers/thermal/cpufreq_cooling.c
+@@ -501,17 +501,17 @@ __cpufreq_cooling_register(struct device_node *np,
+ struct thermal_cooling_device_ops *cooling_ops;
+ char *name;
+
++ if (IS_ERR_OR_NULL(policy)) {
++ pr_err("%s: cpufreq policy isn't valid: %p\n", __func__, policy);
++ return ERR_PTR(-EINVAL);
++ }
++
+ dev = get_cpu_device(policy->cpu);
+ if (unlikely(!dev)) {
+ pr_warn("No cpu device for cpu %d\n", policy->cpu);
+ return ERR_PTR(-ENODEV);
+ }
+
+- if (IS_ERR_OR_NULL(policy)) {
+- pr_err("%s: cpufreq policy isn't valid: %p\n", __func__, policy);
+- return ERR_PTR(-EINVAL);
+- }
+-
+ i = cpufreq_table_count_valid_entries(policy);
+ if (!i) {
+ pr_debug("%s: CPUFreq table not found or has no valid entries\n",
+--
+2.35.1
+
--- /dev/null
+From c8b73cbae1a06ac74603c19e69269b40607deec2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Aug 2022 12:50:14 +0200
+Subject: thermal/drivers/qcom/tsens-v0_1: Fix MSM8939 fourth sensor hw_id
+
+From: Vincent Knecht <vincent.knecht@mailoo.org>
+
+[ Upstream commit b0c883e900702f408d62cf92b0ef01303ed69be9 ]
+
+Reading temperature from this sensor fails with 'Invalid argument'.
+
+Looking at old vendor dts [1], its hw_id should be 3 instead of 4.
+Change this hw_id accordingly.
+
+[1] https://github.com/msm8916-mainline/android_kernel_qcom_msm8916/blob/master/arch/arm/boot/dts/qcom/msm8939-common.dtsi#L511
+
+Fixes: 332bc8ebab2c ("thermal: qcom: tsens-v0_1: Add support for MSM8939")
+Signed-off-by: Vincent Knecht <vincent.knecht@mailoo.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Link: https://lore.kernel.org/r/20220811105014.7194-1-vincent.knecht@mailoo.org
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/qcom/tsens-v0_1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/qcom/tsens-v0_1.c b/drivers/thermal/qcom/tsens-v0_1.c
+index f136cb350238..327f37202c69 100644
+--- a/drivers/thermal/qcom/tsens-v0_1.c
++++ b/drivers/thermal/qcom/tsens-v0_1.c
+@@ -604,7 +604,7 @@ static const struct tsens_ops ops_8939 = {
+ struct tsens_plat_data data_8939 = {
+ .num_sensors = 10,
+ .ops = &ops_8939,
+- .hw_ids = (unsigned int []){ 0, 1, 2, 4, 5, 6, 7, 8, 9, 10 },
++ .hw_ids = (unsigned int []){ 0, 1, 2, 3, 5, 6, 7, 8, 9, 10 },
+
+ .feat = &tsens_v0_1_feat,
+ .fields = tsens_v0_1_regfields,
+--
+2.35.1
+
--- /dev/null
+From 6a426b935640cefbc23dd425023ff1832cfc6c77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 04:06:57 -0700
+Subject: thermal: intel_powerclamp: Use get_cpu() instead of
+ smp_processor_id() to avoid crash
+
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+
+[ Upstream commit 68b99e94a4a2db6ba9b31fe0485e057b9354a640 ]
+
+When CPU 0 is offline and intel_powerclamp is used to inject
+idle, it generates kernel BUG:
+
+BUG: using smp_processor_id() in preemptible [00000000] code: bash/15687
+caller is debug_smp_processor_id+0x17/0x20
+CPU: 4 PID: 15687 Comm: bash Not tainted 5.19.0-rc7+ #57
+Call Trace:
+<TASK>
+dump_stack_lvl+0x49/0x63
+dump_stack+0x10/0x16
+check_preemption_disabled+0xdd/0xe0
+debug_smp_processor_id+0x17/0x20
+powerclamp_set_cur_state+0x7f/0xf9 [intel_powerclamp]
+...
+...
+
+Here CPU 0 is the control CPU by default and changed to the current CPU,
+if CPU 0 offlined. This check has to be performed under cpus_read_lock(),
+hence the above warning.
+
+Use get_cpu() instead of smp_processor_id() to avoid this BUG.
+
+Suggested-by: Chen Yu <yu.c.chen@intel.com>
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+[ rjw: Subject edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/intel/intel_powerclamp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/thermal/intel/intel_powerclamp.c b/drivers/thermal/intel/intel_powerclamp.c
+index c841ab37e7c6..46cd799af148 100644
+--- a/drivers/thermal/intel/intel_powerclamp.c
++++ b/drivers/thermal/intel/intel_powerclamp.c
+@@ -532,8 +532,10 @@ static int start_power_clamp(void)
+
+ /* prefer BSP */
+ control_cpu = 0;
+- if (!cpu_online(control_cpu))
+- control_cpu = smp_processor_id();
++ if (!cpu_online(control_cpu)) {
++ control_cpu = get_cpu();
++ put_cpu();
++ }
+
+ clamping = true;
+ schedule_delayed_work(&poll_pkg_cstate_work, 0);
+--
+2.35.1
+
--- /dev/null
+From 10bea513b4e205a07b4e5abf919e086269722fef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 18:32:48 +0300
+Subject: thunderbolt: Add back Intel Falcon Ridge end-to-end flow control
+ workaround
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+[ Upstream commit 54669e2f17cb5a4c41ade89427f074dc22cecb17 ]
+
+As we are now enabling full end-to-end flow control to the Thunderbolt
+networking driver, in order for it to work properly on second generation
+Thunderbolt hardware (Falcon Ridge), we need to add back the workaround
+that was removed with commit 53f13319d131 ("thunderbolt: Get rid of E2E
+workaround"). However, this time we only apply it for Falcon Ridge
+controllers as a form of an additional quirk. For non-Falcon Ridge this
+does nothing.
+
+While there fix a typo 'reqister' -> 'register' in the comment.
+
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thunderbolt/nhi.c | 49 +++++++++++++++++++++++++++++++++------
+ 1 file changed, 42 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/thunderbolt/nhi.c b/drivers/thunderbolt/nhi.c
+index cb8c9c4ae93a..b5cd9673e15d 100644
+--- a/drivers/thunderbolt/nhi.c
++++ b/drivers/thunderbolt/nhi.c
+@@ -28,7 +28,11 @@
+ #define RING_TYPE(ring) ((ring)->is_tx ? "TX ring" : "RX ring")
+
+ #define RING_FIRST_USABLE_HOPID 1
+-
++/*
++ * Used with QUIRK_E2E to specify an unused HopID the Rx credits are
++ * transferred.
++ */
++#define RING_E2E_RESERVED_HOPID RING_FIRST_USABLE_HOPID
+ /*
+ * Minimal number of vectors when we use MSI-X. Two for control channel
+ * Rx/Tx and the rest four are for cross domain DMA paths.
+@@ -38,7 +42,9 @@
+
+ #define NHI_MAILBOX_TIMEOUT 500 /* ms */
+
++/* Host interface quirks */
+ #define QUIRK_AUTO_CLEAR_INT BIT(0)
++#define QUIRK_E2E BIT(1)
+
+ static int ring_interrupt_index(struct tb_ring *ring)
+ {
+@@ -458,8 +464,18 @@ static void ring_release_msix(struct tb_ring *ring)
+
+ static int nhi_alloc_hop(struct tb_nhi *nhi, struct tb_ring *ring)
+ {
++ unsigned int start_hop = RING_FIRST_USABLE_HOPID;
+ int ret = 0;
+
++ if (nhi->quirks & QUIRK_E2E) {
++ start_hop = RING_FIRST_USABLE_HOPID + 1;
++ if (ring->flags & RING_FLAG_E2E && !ring->is_tx) {
++ dev_dbg(&nhi->pdev->dev, "quirking E2E TX HopID %u -> %u\n",
++ ring->e2e_tx_hop, RING_E2E_RESERVED_HOPID);
++ ring->e2e_tx_hop = RING_E2E_RESERVED_HOPID;
++ }
++ }
++
+ spin_lock_irq(&nhi->lock);
+
+ if (ring->hop < 0) {
+@@ -469,7 +485,7 @@ static int nhi_alloc_hop(struct tb_nhi *nhi, struct tb_ring *ring)
+ * Automatically allocate HopID from the non-reserved
+ * range 1 .. hop_count - 1.
+ */
+- for (i = RING_FIRST_USABLE_HOPID; i < nhi->hop_count; i++) {
++ for (i = start_hop; i < nhi->hop_count; i++) {
+ if (ring->is_tx) {
+ if (!nhi->tx_rings[i]) {
+ ring->hop = i;
+@@ -484,6 +500,11 @@ static int nhi_alloc_hop(struct tb_nhi *nhi, struct tb_ring *ring)
+ }
+ }
+
++ if (ring->hop > 0 && ring->hop < start_hop) {
++ dev_warn(&nhi->pdev->dev, "invalid hop: %d\n", ring->hop);
++ ret = -EINVAL;
++ goto err_unlock;
++ }
+ if (ring->hop < 0 || ring->hop >= nhi->hop_count) {
+ dev_warn(&nhi->pdev->dev, "invalid hop: %d\n", ring->hop);
+ ret = -EINVAL;
+@@ -1097,12 +1118,26 @@ static void nhi_shutdown(struct tb_nhi *nhi)
+
+ static void nhi_check_quirks(struct tb_nhi *nhi)
+ {
+- /*
+- * Intel hardware supports auto clear of the interrupt status
+- * reqister right after interrupt is being issued.
+- */
+- if (nhi->pdev->vendor == PCI_VENDOR_ID_INTEL)
++ if (nhi->pdev->vendor == PCI_VENDOR_ID_INTEL) {
++ /*
++ * Intel hardware supports auto clear of the interrupt
++ * status register right after interrupt is being
++ * issued.
++ */
+ nhi->quirks |= QUIRK_AUTO_CLEAR_INT;
++
++ switch (nhi->pdev->device) {
++ case PCI_DEVICE_ID_INTEL_FALCON_RIDGE_2C_NHI:
++ case PCI_DEVICE_ID_INTEL_FALCON_RIDGE_4C_NHI:
++ /*
++ * Falcon Ridge controller needs the end-to-end
++ * flow control workaround to avoid losing Rx
++ * packets when RING_FLAG_E2E is set.
++ */
++ nhi->quirks |= QUIRK_E2E;
++ break;
++ }
++ }
+ }
+
+ static int nhi_check_iommu_pdev(struct pci_dev *pdev, void *data)
+--
+2.35.1
+
--- /dev/null
+From 84866fd39ab744e2cfd96fac83a860c9ba641f3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Sep 2022 13:47:38 +0800
+Subject: tools/power turbostat: Use standard Energy Unit for SPR Dram RAPL
+ domain
+
+From: Zhang Rui <rui.zhang@intel.com>
+
+[ Upstream commit b2d433ae637626d44c9d4a75dd3330cf68fed9de ]
+
+Intel Xeon servers used to use a fixed energy resolution (15.3uj) for
+Dram RAPL domain. But on SPR, Dram RAPL domain follows the standard
+energy resolution as described in MSR_RAPL_POWER_UNIT.
+
+Remove the SPR rapl_dram_energy_units quirk.
+
+Fixes: e7af1ed3fa47 ("tools/power turbostat: Support additional CPU model numbers")
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Tested-by: Wang Wendy <wendy.wang@intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 831dc32d45fa..b7d2a0cd0ac2 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -4560,7 +4560,6 @@ static double rapl_dram_energy_units_probe(int model, double rapl_energy_units)
+ case INTEL_FAM6_SKYLAKE_X: /* SKX */
+ case INTEL_FAM6_XEON_PHI_KNL: /* KNL */
+ case INTEL_FAM6_ICELAKE_X: /* ICX */
+- case INTEL_FAM6_SAPPHIRERAPIDS_X: /* SPR */
+ return (rapl_dram_energy_units = 15.3 / 1000000);
+ default:
+ return (rapl_energy_units);
+--
+2.35.1
+
--- /dev/null
+From 8818f3ba1ac28fe3739c3d46830116b634e4838e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 20:56:28 +0800
+Subject: tracing: kprobe: Fix kprobe event gen test module on exit
+
+From: Yipeng Zou <zouyipeng@huawei.com>
+
+[ Upstream commit ac48e189527fae87253ef2bf58892e782fb36874 ]
+
+Correct gen_kretprobe_test clr event para on module exit.
+This will make it can't to delete.
+
+Link: https://lkml.kernel.org/r/20220919125629.238242-2-zouyipeng@huawei.com
+
+Cc: <linux-riscv@lists.infradead.org>
+Cc: <mingo@redhat.com>
+Cc: <paul.walmsley@sifive.com>
+Cc: <palmer@dabbelt.com>
+Cc: <aou@eecs.berkeley.edu>
+Cc: <zanussi@kernel.org>
+Cc: <liaochang1@huawei.com>
+Cc: <chris.zjh@huawei.com>
+Fixes: 64836248dda2 ("tracing: Add kprobe event command generation test module")
+Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/kprobe_event_gen_test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/kprobe_event_gen_test.c b/kernel/trace/kprobe_event_gen_test.c
+index 18b0f1cbb947..e023154be0f8 100644
+--- a/kernel/trace/kprobe_event_gen_test.c
++++ b/kernel/trace/kprobe_event_gen_test.c
+@@ -206,7 +206,7 @@ static void __exit kprobe_event_gen_test_exit(void)
+ WARN_ON(kprobe_event_delete("gen_kprobe_test"));
+
+ /* Disable the event or you can't remove it */
+- WARN_ON(trace_array_set_clr_event(gen_kprobe_test->tr,
++ WARN_ON(trace_array_set_clr_event(gen_kretprobe_test->tr,
+ "kprobes",
+ "gen_kretprobe_test", false));
+
+--
+2.35.1
+
--- /dev/null
+From 4259316a2ec24a2964c55e6d96172d4509282e9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 20:56:29 +0800
+Subject: tracing: kprobe: Make gen test module work in arm and riscv
+
+From: Yipeng Zou <zouyipeng@huawei.com>
+
+[ Upstream commit d8ef45d66c01425ff748e13ef7dd1da7a91cc93c ]
+
+For now, this selftest module can only work in x86 because of the
+kprobe cmd was fixed use of x86 registers.
+This patch adapted to register names under arm and riscv, So that
+this module can be worked on those platform.
+
+Link: https://lkml.kernel.org/r/20220919125629.238242-3-zouyipeng@huawei.com
+
+Cc: <linux-riscv@lists.infradead.org>
+Cc: <mingo@redhat.com>
+Cc: <paul.walmsley@sifive.com>
+Cc: <palmer@dabbelt.com>
+Cc: <aou@eecs.berkeley.edu>
+Cc: <zanussi@kernel.org>
+Cc: <liaochang1@huawei.com>
+Cc: <chris.zjh@huawei.com>
+Fixes: 64836248dda2 ("tracing: Add kprobe event command generation test module")
+Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/kprobe_event_gen_test.c | 47 +++++++++++++++++++++++++---
+ 1 file changed, 43 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/trace/kprobe_event_gen_test.c b/kernel/trace/kprobe_event_gen_test.c
+index e023154be0f8..80e04a1e1977 100644
+--- a/kernel/trace/kprobe_event_gen_test.c
++++ b/kernel/trace/kprobe_event_gen_test.c
+@@ -35,6 +35,45 @@
+ static struct trace_event_file *gen_kprobe_test;
+ static struct trace_event_file *gen_kretprobe_test;
+
++#define KPROBE_GEN_TEST_FUNC "do_sys_open"
++
++/* X86 */
++#if defined(CONFIG_X86_64) || defined(CONFIG_X86_32)
++#define KPROBE_GEN_TEST_ARG0 "dfd=%ax"
++#define KPROBE_GEN_TEST_ARG1 "filename=%dx"
++#define KPROBE_GEN_TEST_ARG2 "flags=%cx"
++#define KPROBE_GEN_TEST_ARG3 "mode=+4($stack)"
++
++/* ARM64 */
++#elif defined(CONFIG_ARM64)
++#define KPROBE_GEN_TEST_ARG0 "dfd=%x0"
++#define KPROBE_GEN_TEST_ARG1 "filename=%x1"
++#define KPROBE_GEN_TEST_ARG2 "flags=%x2"
++#define KPROBE_GEN_TEST_ARG3 "mode=%x3"
++
++/* ARM */
++#elif defined(CONFIG_ARM)
++#define KPROBE_GEN_TEST_ARG0 "dfd=%r0"
++#define KPROBE_GEN_TEST_ARG1 "filename=%r1"
++#define KPROBE_GEN_TEST_ARG2 "flags=%r2"
++#define KPROBE_GEN_TEST_ARG3 "mode=%r3"
++
++/* RISCV */
++#elif defined(CONFIG_RISCV)
++#define KPROBE_GEN_TEST_ARG0 "dfd=%a0"
++#define KPROBE_GEN_TEST_ARG1 "filename=%a1"
++#define KPROBE_GEN_TEST_ARG2 "flags=%a2"
++#define KPROBE_GEN_TEST_ARG3 "mode=%a3"
++
++/* others */
++#else
++#define KPROBE_GEN_TEST_ARG0 NULL
++#define KPROBE_GEN_TEST_ARG1 NULL
++#define KPROBE_GEN_TEST_ARG2 NULL
++#define KPROBE_GEN_TEST_ARG3 NULL
++#endif
++
++
+ /*
+ * Test to make sure we can create a kprobe event, then add more
+ * fields.
+@@ -58,14 +97,14 @@ static int __init test_gen_kprobe_cmd(void)
+ * fields.
+ */
+ ret = kprobe_event_gen_cmd_start(&cmd, "gen_kprobe_test",
+- "do_sys_open",
+- "dfd=%ax", "filename=%dx");
++ KPROBE_GEN_TEST_FUNC,
++ KPROBE_GEN_TEST_ARG0, KPROBE_GEN_TEST_ARG1);
+ if (ret)
+ goto free;
+
+ /* Use kprobe_event_add_fields to add the rest of the fields */
+
+- ret = kprobe_event_add_fields(&cmd, "flags=%cx", "mode=+4($stack)");
++ ret = kprobe_event_add_fields(&cmd, KPROBE_GEN_TEST_ARG2, KPROBE_GEN_TEST_ARG3);
+ if (ret)
+ goto free;
+
+@@ -128,7 +167,7 @@ static int __init test_gen_kretprobe_cmd(void)
+ * Define the kretprobe event.
+ */
+ ret = kretprobe_event_gen_cmd_start(&cmd, "gen_kretprobe_test",
+- "do_sys_open",
++ KPROBE_GEN_TEST_FUNC,
+ "$retval");
+ if (ret)
+ goto free;
+--
+2.35.1
+
--- /dev/null
+From 8b5eefd720b128a14b6c5d65a3b4dbb59823ff10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 08:49:32 -0600
+Subject: tracing/osnoise: Fix possible recursive locking in
+ stop_per_cpu_kthreads
+
+From: Nico Pache <npache@redhat.com>
+
+[ Upstream commit 99ee9317a1305cd5626736785c8cb38b0e47686c ]
+
+There is a recursive lock on the cpu_hotplug_lock.
+
+In kernel/trace/trace_osnoise.c:<start/stop>_per_cpu_kthreads:
+ - start_per_cpu_kthreads calls cpus_read_lock() and if
+ start_kthreads returns a error it will call stop_per_cpu_kthreads.
+ - stop_per_cpu_kthreads then calls cpus_read_lock() again causing
+ deadlock.
+
+Fix this by calling cpus_read_unlock() before calling
+stop_per_cpu_kthreads. This behavior can also be seen in commit
+f46b16520a08 ("trace/hwlat: Implement the per-cpu mode").
+
+This error was noticed during the LTP ftrace-stress-test:
+
+WARNING: possible recursive locking detected
+--------------------------------------------
+sh/275006 is trying to acquire lock:
+ffffffffb02f5400 (cpu_hotplug_lock){++++}-{0:0}, at: stop_per_cpu_kthreads
+
+but task is already holding lock:
+ffffffffb02f5400 (cpu_hotplug_lock){++++}-{0:0}, at: start_per_cpu_kthreads
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(cpu_hotplug_lock);
+ lock(cpu_hotplug_lock);
+
+ *** DEADLOCK ***
+
+May be due to missing lock nesting notation
+
+3 locks held by sh/275006:
+ #0: ffff8881023f0470 (sb_writers#24){.+.+}-{0:0}, at: ksys_write
+ #1: ffffffffb084f430 (trace_types_lock){+.+.}-{3:3}, at: rb_simple_write
+ #2: ffffffffb02f5400 (cpu_hotplug_lock){++++}-{0:0}, at: start_per_cpu_kthreads
+
+Link: https://lkml.kernel.org/r/20220919144932.3064014-1-npache@redhat.com
+
+Fixes: c8895e271f79 ("trace/osnoise: Support hotplug operations")
+Signed-off-by: Nico Pache <npache@redhat.com>
+Acked-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_osnoise.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_osnoise.c b/kernel/trace/trace_osnoise.c
+index 313439920a8c..78d536d3ff3d 100644
+--- a/kernel/trace/trace_osnoise.c
++++ b/kernel/trace/trace_osnoise.c
+@@ -1786,8 +1786,9 @@ static int start_per_cpu_kthreads(void)
+ for_each_cpu(cpu, current_mask) {
+ retval = start_kthread(cpu);
+ if (retval) {
++ cpus_read_unlock();
+ stop_per_cpu_kthreads();
+- break;
++ return retval;
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 41964b2285f98f8542908fe0147b4b63611d35d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Aug 2022 21:30:13 +0200
+Subject: tsnep: Fix TSNEP_INFO_TX_TIME register define
+
+From: Gerhard Engleder <gerhard@engleder-embedded.com>
+
+[ Upstream commit 7d8dd6b5cd1d67dd96c132f91d7ad29c49ed3c59 ]
+
+Fixed register define is not used, but register definition shall be kept
+in sync.
+
+Fixes: 403f69bbdbad ("tsnep: Add TSN endpoint Ethernet MAC driver")
+Signed-off-by: Gerhard Engleder <gerhard@engleder-embedded.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/engleder/tsnep_hw.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/engleder/tsnep_hw.h b/drivers/net/ethernet/engleder/tsnep_hw.h
+index 916ceac3ada2..e03aaafab559 100644
+--- a/drivers/net/ethernet/engleder/tsnep_hw.h
++++ b/drivers/net/ethernet/engleder/tsnep_hw.h
+@@ -92,8 +92,7 @@
+
+ /* tsnep register */
+ #define TSNEP_INFO 0x0100
+-#define TSNEP_INFO_RX_ASSIGN 0x00010000
+-#define TSNEP_INFO_TX_TIME 0x00020000
++#define TSNEP_INFO_TX_TIME 0x00010000
+ #define TSNEP_CONTROL 0x0108
+ #define TSNEP_CONTROL_TX_RESET 0x00000001
+ #define TSNEP_CONTROL_TX_ENABLE 0x00000002
+--
+2.35.1
+
--- /dev/null
+From 4a1e152b8fac0a99716ee38215e0d440096788f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 19:17:03 +0800
+Subject: tty: serial: fsl_lpuart: disable dma rx/tx use flags in
+ lpuart_dma_shutdown
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sherry Sun <sherry.sun@nxp.com>
+
+[ Upstream commit 316ae95c175a7d770d1bfe4c011192712f57aa4a ]
+
+lpuart_dma_shutdown tears down lpuart dma, but lpuart_flush_buffer can
+still occur which in turn tries to access dma apis if lpuart_dma_tx_use
+flag is true. At this point since dma is torn down, these dma apis can
+abort. Set lpuart_dma_tx_use and the corresponding rx flag
+lpuart_dma_rx_use to false in lpuart_dma_shutdown so that dmas are not
+accessed after they are relinquished.
+
+Otherwise, when try to kill btattach, kernel may panic. This patch may
+fix this issue.
+root@imx8ulpevk:~# btattach -B /dev/ttyLP2 -S 115200
+^C[ 90.182296] Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP
+[ 90.189806] Modules linked in: moal(O) mlan(O)
+[ 90.194258] CPU: 0 PID: 503 Comm: btattach Tainted: G O 5.15.32-06136-g34eecdf2f9e4 #37
+[ 90.203554] Hardware name: NXP i.MX8ULP 9X9 EVK (DT)
+[ 90.208513] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 90.215470] pc : fsl_edma3_disable_request+0x8/0x60
+[ 90.220358] lr : fsl_edma3_terminate_all+0x34/0x20c
+[ 90.225237] sp : ffff800013f0bac0
+[ 90.228548] x29: ffff800013f0bac0 x28: 0000000000000001 x27: ffff000008404800
+[ 90.235681] x26: ffff000008404960 x25: ffff000008404a08 x24: ffff000008404a00
+[ 90.242813] x23: ffff000008404a60 x22: 0000000000000002 x21: 0000000000000000
+[ 90.249946] x20: ffff800013f0baf8 x19: ffff00000559c800 x18: 0000000000000000
+[ 90.257078] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
+[ 90.264211] x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000040
+[ 90.271344] x11: ffff00000600c248 x10: ffff800013f0bb10 x9 : ffff000057bcb090
+[ 90.278477] x8 : fffffc0000241a08 x7 : ffff00000534ee00 x6 : ffff000008404804
+[ 90.285609] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff0000055b3480
+[ 90.292742] x2 : ffff8000135c0000 x1 : ffff00000534ee00 x0 : ffff00000559c800
+[ 90.299876] Call trace:
+[ 90.302321] fsl_edma3_disable_request+0x8/0x60
+[ 90.306851] lpuart_flush_buffer+0x40/0x160
+[ 90.311037] uart_flush_buffer+0x88/0x120
+[ 90.315050] tty_driver_flush_buffer+0x20/0x30
+[ 90.319496] hci_uart_flush+0x44/0x90
+[ 90.323162] +0x34/0x12c
+[ 90.327253] tty_ldisc_close+0x38/0x70
+[ 90.331005] tty_ldisc_release+0xa8/0x190
+[ 90.335018] tty_release_struct+0x24/0x8c
+[ 90.339022] tty_release+0x3ec/0x4c0
+[ 90.342593] __fput+0x70/0x234
+[ 90.345652] ____fput+0x14/0x20
+[ 90.348790] task_work_run+0x84/0x17c
+[ 90.352455] do_exit+0x310/0x96c
+[ 90.355688] do_group_exit+0x3c/0xa0
+[ 90.359259] __arm64_sys_exit_group+0x1c/0x20
+[ 90.363609] invoke_syscall+0x48/0x114
+[ 90.367362] el0_svc_common.constprop.0+0xd4/0xfc
+[ 90.372068] do_el0_svc+0x2c/0x94
+[ 90.375379] el0_svc+0x28/0x80
+[ 90.378438] el0t_64_sync_handler+0xa8/0x130
+[ 90.382711] el0t_64_sync+0x1a0/0x1a4
+[ 90.386376] Code: 17ffffda d503201f d503233f f9409802 (b9400041)
+[ 90.392467] ---[ end trace 2f60524b4a43f1f6 ]---
+[ 90.397073] note: btattach[503] exited with preempt_count 1
+[ 90.402636] Fixing recursive fault but reboot is needed!
+
+Fixes: 6250cc30c4c4 ("tty: serial: fsl_lpuart: Use scatter/gather DMA for Tx")
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Thara Gopinath <tgopinath@microsoft.com>
+Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
+Link: https://lore.kernel.org/r/20220920111703.1532-1-sherry.sun@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/fsl_lpuart.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
+index 6eb3d6c62458..34990901c805 100644
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -1776,6 +1776,7 @@ static void lpuart_dma_shutdown(struct lpuart_port *sport)
+ if (sport->lpuart_dma_rx_use) {
+ del_timer_sync(&sport->lpuart_timer);
+ lpuart_dma_rx_free(&sport->port);
++ sport->lpuart_dma_rx_use = false;
+ }
+
+ if (sport->lpuart_dma_tx_use) {
+@@ -1784,6 +1785,7 @@ static void lpuart_dma_shutdown(struct lpuart_port *sport)
+ sport->dma_tx_in_progress = false;
+ dmaengine_terminate_all(sport->dma_tx_chan);
+ }
++ sport->lpuart_dma_tx_use = false;
+ }
+
+ if (sport->dma_tx_chan)
+--
+2.35.1
+
--- /dev/null
+From 31fd5c63792320bddb19fe67ea3cbb4cf3c9391e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Jul 2022 17:17:42 +0530
+Subject: tty: xilinx_uartps: Check clk_enable return value
+
+From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+
+[ Upstream commit 957e8c047bf25bd24271ab049f06dc47f382973f ]
+
+If clocks are not enabled the register access may hang the system.
+Check for the clock enable return value and bail out if not enabled.
+
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Link: https://lore.kernel.org/r/20220729114748.18332-2-shubhrajyoti.datta@xilinx.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: b8a6c3b3d465 ("tty: xilinx_uartps: Fix the ignore_status")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/xilinx_uartps.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c
+index 9e01fe6c0ab8..51fd09e14eda 100644
+--- a/drivers/tty/serial/xilinx_uartps.c
++++ b/drivers/tty/serial/xilinx_uartps.c
+@@ -1329,12 +1329,20 @@ static int cdns_uart_resume(struct device *device)
+ unsigned long flags;
+ u32 ctrl_reg;
+ int may_wake;
++ int ret;
+
+ may_wake = device_may_wakeup(device);
+
+ if (console_suspend_enabled && uart_console(port) && !may_wake) {
+- clk_enable(cdns_uart->pclk);
+- clk_enable(cdns_uart->uartclk);
++ ret = clk_enable(cdns_uart->pclk);
++ if (ret)
++ return ret;
++
++ ret = clk_enable(cdns_uart->uartclk);
++ if (ret) {
++ clk_disable(cdns_uart->pclk);
++ return ret;
++ }
+
+ spin_lock_irqsave(&port->lock, flags);
+
+--
+2.35.1
+
--- /dev/null
+From d6d948bb8d03bbcaef9f26e7bf511dc7d15a2947 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Jul 2022 17:17:45 +0530
+Subject: tty: xilinx_uartps: Fix the ignore_status
+
+From: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+
+[ Upstream commit b8a6c3b3d4654fba19881cc77da61eac29f57cae ]
+
+Currently the ignore_status is not considered in the isr.
+Add a check to add the ignore_status.
+
+Fixes: 61ec9016988f ("tty/serial: add support for Xilinx PS UART")
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
+Link: https://lore.kernel.org/r/20220729114748.18332-5-shubhrajyoti.datta@xilinx.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/xilinx_uartps.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c
+index 51fd09e14eda..769044dfe990 100644
+--- a/drivers/tty/serial/xilinx_uartps.c
++++ b/drivers/tty/serial/xilinx_uartps.c
+@@ -361,6 +361,8 @@ static irqreturn_t cdns_uart_isr(int irq, void *dev_id)
+ isrstatus &= ~CDNS_UART_IXR_TXEMPTY;
+ }
+
++ isrstatus &= port->read_status_mask;
++ isrstatus &= ~port->ignore_status_mask;
+ /*
+ * Skip RX processing if RX is disabled as RXEMPTY will never be set
+ * as read bytes will not be removed from the FIFO.
+--
+2.35.1
+
--- /dev/null
+From ebdc8c91a21afd55cdd52fb3daf1199b1fa3f4a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Aug 2022 23:35:22 -0700
+Subject: udmabuf: Set ubuf->sg = NULL if the creation of sg table fails
+
+From: Vivek Kasireddy <vivek.kasireddy@intel.com>
+
+[ Upstream commit d9c04a1b7a15b5e74b2977461d9511e497f05d8f ]
+
+When userspace tries to map the dmabuf and if for some reason
+(e.g. OOM) the creation of the sg table fails, ubuf->sg needs to be
+set to NULL. Otherwise, when the userspace subsequently closes the
+dmabuf fd, we'd try to erroneously free the invalid sg table from
+release_udmabuf resulting in the following crash reported by syzbot:
+
+general protection fault, probably for non-canonical address
+0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 0 PID: 3609 Comm: syz-executor487 Not tainted
+5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 07/22/2022
+RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]
+RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]
+RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114
+Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 04 00 00 48 8d 7d 0c 4c
+8b 63 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14
+02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e2
+RSP: 0018:ffffc900037efd30 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: ffffffff8cb67800 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffffffff84ad27e0 RDI: 0000000000000000
+RBP: fffffffffffffff4 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000000000000 R11: 000000000008c07c R12: ffff88801fa05000
+R13: ffff888073db07e8 R14: ffff888025c25440 R15: 0000000000000000
+FS: 0000555555fc4300(0000) GS:ffff8880b9a00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fc1c0ce06e4 CR3: 00000000715e6000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ dma_buf_release+0x157/0x2d0 drivers/dma-buf/dma-buf.c:78
+ __dentry_kill+0x42b/0x640 fs/dcache.c:612
+ dentry_kill fs/dcache.c:733 [inline]
+ dput+0x806/0xdb0 fs/dcache.c:913
+ __fput+0x39c/0x9d0 fs/file_table.c:333
+ task_work_run+0xdd/0x1a0 kernel/task_work.c:177
+ ptrace_notify+0x114/0x140 kernel/signal.c:2353
+ ptrace_report_syscall include/linux/ptrace.h:420 [inline]
+ ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline]
+ syscall_exit_work kernel/entry/common.c:249 [inline]
+ syscall_exit_to_user_mode_prepare+0x129/0x280 kernel/entry/common.c:276
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline]
+ syscall_exit_to_user_mode+0x9/0x50 kernel/entry/common.c:294
+ do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7fc1c0c35b6b
+Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24
+0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00
+f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
+RSP: 002b:00007ffd78a06090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
+RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1c0c35b6b
+RDX: 0000000020000280 RSI: 0000000040086200 RDI: 0000000000000006
+RBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000000c
+R13: 0000000000000003 R14: 00007fc1c0cfe4a0 R15: 00007ffd78a06140
+ </TASK>
+Modules linked in:
+---[ end trace 0000000000000000 ]---
+RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline]
+RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline]
+RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114
+
+Reported-by: syzbot+c80e9ef5d8bb45894db0@syzkaller.appspotmail.com
+Cc: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20220825063522.801264-1-vivek.kasireddy@intel.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma-buf/udmabuf.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
+index 38e8767ec371..bf11d32205f3 100644
+--- a/drivers/dma-buf/udmabuf.c
++++ b/drivers/dma-buf/udmabuf.c
+@@ -124,17 +124,20 @@ static int begin_cpu_udmabuf(struct dma_buf *buf,
+ {
+ struct udmabuf *ubuf = buf->priv;
+ struct device *dev = ubuf->device->this_device;
++ int ret = 0;
+
+ if (!ubuf->sg) {
+ ubuf->sg = get_sg_table(dev, buf, direction);
+- if (IS_ERR(ubuf->sg))
+- return PTR_ERR(ubuf->sg);
++ if (IS_ERR(ubuf->sg)) {
++ ret = PTR_ERR(ubuf->sg);
++ ubuf->sg = NULL;
++ }
+ } else {
+ dma_sync_sg_for_cpu(dev, ubuf->sg->sgl, ubuf->sg->nents,
+ direction);
+ }
+
+- return 0;
++ return ret;
+ }
+
+ static int end_cpu_udmabuf(struct dma_buf *buf,
+--
+2.35.1
+
--- /dev/null
+From 1b944c30eadb91f89dc630dc0f6bc50b17503b62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 18:38:01 -0700
+Subject: usb: common: debug: Check non-standard control requests
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+[ Upstream commit b6155eaf6b05e558218b44b88a6cad03f15a586c ]
+
+Previously usb_decode_ctrl() only decodes standard control requests, but
+it was used for non-standard requests also. If it's non-standard or
+unknown standard bRequest, print the Setup data values.
+
+Fixes: af32423a2d86 ("usb: dwc3: trace: decode ctrl request")
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/8d6a30f2f2f953eff833a5bc5aac640a4cc2fc9f.1658971571.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/common/debug.c | 96 +++++++++++++++++++++++++-------------
+ 1 file changed, 64 insertions(+), 32 deletions(-)
+
+diff --git a/drivers/usb/common/debug.c b/drivers/usb/common/debug.c
+index 075f6b1b2a1a..f204cec8d380 100644
+--- a/drivers/usb/common/debug.c
++++ b/drivers/usb/common/debug.c
+@@ -208,30 +208,28 @@ static void usb_decode_set_isoch_delay(__u8 wValue, char *str, size_t size)
+ snprintf(str, size, "Set Isochronous Delay(Delay = %d ns)", wValue);
+ }
+
+-/**
+- * usb_decode_ctrl - Returns human readable representation of control request.
+- * @str: buffer to return a human-readable representation of control request.
+- * This buffer should have about 200 bytes.
+- * @size: size of str buffer.
+- * @bRequestType: matches the USB bmRequestType field
+- * @bRequest: matches the USB bRequest field
+- * @wValue: matches the USB wValue field (CPU byte order)
+- * @wIndex: matches the USB wIndex field (CPU byte order)
+- * @wLength: matches the USB wLength field (CPU byte order)
+- *
+- * Function returns decoded, formatted and human-readable description of
+- * control request packet.
+- *
+- * The usage scenario for this is for tracepoints, so function as a return
+- * use the same value as in parameters. This approach allows to use this
+- * function in TP_printk
+- *
+- * Important: wValue, wIndex, wLength parameters before invoking this function
+- * should be processed by le16_to_cpu macro.
+- */
+-const char *usb_decode_ctrl(char *str, size_t size, __u8 bRequestType,
+- __u8 bRequest, __u16 wValue, __u16 wIndex,
+- __u16 wLength)
++static void usb_decode_ctrl_generic(char *str, size_t size, __u8 bRequestType,
++ __u8 bRequest, __u16 wValue, __u16 wIndex,
++ __u16 wLength)
++{
++ u8 recip = bRequestType & USB_RECIP_MASK;
++ u8 type = bRequestType & USB_TYPE_MASK;
++
++ snprintf(str, size,
++ "Type=%s Recipient=%s Dir=%s bRequest=%u wValue=%u wIndex=%u wLength=%u",
++ (type == USB_TYPE_STANDARD) ? "Standard" :
++ (type == USB_TYPE_VENDOR) ? "Vendor" :
++ (type == USB_TYPE_CLASS) ? "Class" : "Unknown",
++ (recip == USB_RECIP_DEVICE) ? "Device" :
++ (recip == USB_RECIP_INTERFACE) ? "Interface" :
++ (recip == USB_RECIP_ENDPOINT) ? "Endpoint" : "Unknown",
++ (bRequestType & USB_DIR_IN) ? "IN" : "OUT",
++ bRequest, wValue, wIndex, wLength);
++}
++
++static void usb_decode_ctrl_standard(char *str, size_t size, __u8 bRequestType,
++ __u8 bRequest, __u16 wValue, __u16 wIndex,
++ __u16 wLength)
+ {
+ switch (bRequest) {
+ case USB_REQ_GET_STATUS:
+@@ -272,14 +270,48 @@ const char *usb_decode_ctrl(char *str, size_t size, __u8 bRequestType,
+ usb_decode_set_isoch_delay(wValue, str, size);
+ break;
+ default:
+- snprintf(str, size, "%02x %02x %02x %02x %02x %02x %02x %02x",
+- bRequestType, bRequest,
+- (u8)(cpu_to_le16(wValue) & 0xff),
+- (u8)(cpu_to_le16(wValue) >> 8),
+- (u8)(cpu_to_le16(wIndex) & 0xff),
+- (u8)(cpu_to_le16(wIndex) >> 8),
+- (u8)(cpu_to_le16(wLength) & 0xff),
+- (u8)(cpu_to_le16(wLength) >> 8));
++ usb_decode_ctrl_generic(str, size, bRequestType, bRequest,
++ wValue, wIndex, wLength);
++ break;
++ }
++}
++
++/**
++ * usb_decode_ctrl - Returns human readable representation of control request.
++ * @str: buffer to return a human-readable representation of control request.
++ * This buffer should have about 200 bytes.
++ * @size: size of str buffer.
++ * @bRequestType: matches the USB bmRequestType field
++ * @bRequest: matches the USB bRequest field
++ * @wValue: matches the USB wValue field (CPU byte order)
++ * @wIndex: matches the USB wIndex field (CPU byte order)
++ * @wLength: matches the USB wLength field (CPU byte order)
++ *
++ * Function returns decoded, formatted and human-readable description of
++ * control request packet.
++ *
++ * The usage scenario for this is for tracepoints, so function as a return
++ * use the same value as in parameters. This approach allows to use this
++ * function in TP_printk
++ *
++ * Important: wValue, wIndex, wLength parameters before invoking this function
++ * should be processed by le16_to_cpu macro.
++ */
++const char *usb_decode_ctrl(char *str, size_t size, __u8 bRequestType,
++ __u8 bRequest, __u16 wValue, __u16 wIndex,
++ __u16 wLength)
++{
++ switch (bRequestType & USB_TYPE_MASK) {
++ case USB_TYPE_STANDARD:
++ usb_decode_ctrl_standard(str, size, bRequestType, bRequest,
++ wValue, wIndex, wLength);
++ break;
++ case USB_TYPE_VENDOR:
++ case USB_TYPE_CLASS:
++ default:
++ usb_decode_ctrl_generic(str, size, bRequestType, bRequest,
++ wValue, wIndex, wLength);
++ break;
+ }
+
+ return str;
+--
+2.35.1
+
--- /dev/null
+From 44a19fe0f32b8c79eed67728c1a204499a5968e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Aug 2022 22:28:42 +0200
+Subject: usb: common: usb-conn-gpio: Simplify some error message
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit d80f4ecb95270d0ecd6646aca44f4c180d3140b0 ]
+
+dev_err_probe() already prints the error code in a human readable way, so
+there is no need to duplicate it as a numerical value at the end of the
+message.
+
+Reviewed-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/7505a9dfa1e097070c492d6f6f84afa2a490b040.1659763173.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: b6155eaf6b05 ("usb: common: debug: Check non-standard control requests")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/common/usb-conn-gpio.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/common/usb-conn-gpio.c b/drivers/usb/common/usb-conn-gpio.c
+index b39c9f1c375d..e20874caba36 100644
+--- a/drivers/usb/common/usb-conn-gpio.c
++++ b/drivers/usb/common/usb-conn-gpio.c
+@@ -208,10 +208,8 @@ static int usb_conn_probe(struct platform_device *pdev)
+ if (PTR_ERR(info->vbus) == -ENODEV)
+ info->vbus = NULL;
+
+- if (IS_ERR(info->vbus)) {
+- ret = PTR_ERR(info->vbus);
+- return dev_err_probe(dev, ret, "failed to get vbus :%d\n", ret);
+- }
++ if (IS_ERR(info->vbus))
++ return dev_err_probe(dev, PTR_ERR(info->vbus), "failed to get vbus\n");
+
+ info->role_sw = usb_role_switch_get(dev);
+ if (IS_ERR(info->role_sw))
+--
+2.35.1
+
--- /dev/null
+From bb04be067cfc73f9448745e893f4da16984be4d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 08:28:53 +0200
+Subject: usb: dwc3: core: add gfladj_refclk_lpm_sel quirk
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit a6fc2f1b092787e9d7dbe472d720cede81680315 ]
+
+This selects the SOF/ITP counter be running on ref_clk. As documented
+U2_FREECLK_EXISTS has to be set to 0 as well.
+
+Reviewed-by: Li Jun <jun.li@nxp.com>
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Link: https://lore.kernel.org/r/20220915062855.751881-3-alexander.stein@ew.tq-group.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/core.c | 8 +++++++-
+ drivers/usb/dwc3/core.h | 2 ++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index 919d36fd0298..f7f1952b2901 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -407,6 +407,10 @@ static void dwc3_ref_clk_period(struct dwc3 *dwc)
+ reg |= FIELD_PREP(DWC3_GFLADJ_REFCLK_FLADJ_MASK, fladj)
+ | FIELD_PREP(DWC3_GFLADJ_240MHZDECR, decr >> 1)
+ | FIELD_PREP(DWC3_GFLADJ_240MHZDECR_PLS1, decr & 1);
++
++ if (dwc->gfladj_refclk_lpm_sel)
++ reg |= DWC3_GFLADJ_REFCLK_LPM_SEL;
++
+ dwc3_writel(dwc->regs, DWC3_GFLADJ, reg);
+ }
+
+@@ -788,7 +792,7 @@ static int dwc3_phy_setup(struct dwc3 *dwc)
+ else
+ reg |= DWC3_GUSB2PHYCFG_ENBLSLPM;
+
+- if (dwc->dis_u2_freeclk_exists_quirk)
++ if (dwc->dis_u2_freeclk_exists_quirk || dwc->gfladj_refclk_lpm_sel)
+ reg &= ~DWC3_GUSB2PHYCFG_U2_FREECLK_EXISTS;
+
+ dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg);
+@@ -1524,6 +1528,8 @@ static void dwc3_get_properties(struct dwc3 *dwc)
+ "snps,dis-tx-ipgap-linecheck-quirk");
+ dwc->parkmode_disable_ss_quirk = device_property_read_bool(dev,
+ "snps,parkmode-disable-ss-quirk");
++ dwc->gfladj_refclk_lpm_sel = device_property_read_bool(dev,
++ "snps,gfladj-refclk-lpm-sel-quirk");
+
+ dwc->tx_de_emphasis_quirk = device_property_read_bool(dev,
+ "snps,tx_de_emphasis_quirk");
+diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h
+index 4fe4287dc934..11975a03316f 100644
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -391,6 +391,7 @@
+ #define DWC3_GFLADJ_30MHZ_SDBND_SEL BIT(7)
+ #define DWC3_GFLADJ_30MHZ_MASK 0x3f
+ #define DWC3_GFLADJ_REFCLK_FLADJ_MASK GENMASK(21, 8)
++#define DWC3_GFLADJ_REFCLK_LPM_SEL BIT(23)
+ #define DWC3_GFLADJ_240MHZDECR GENMASK(30, 24)
+ #define DWC3_GFLADJ_240MHZDECR_PLS1 BIT(31)
+
+@@ -1312,6 +1313,7 @@ struct dwc3 {
+ unsigned dis_del_phy_power_chg_quirk:1;
+ unsigned dis_tx_ipgap_linecheck_quirk:1;
+ unsigned parkmode_disable_ss_quirk:1;
++ unsigned gfladj_refclk_lpm_sel:1;
+
+ unsigned tx_de_emphasis_quirk:1;
+ unsigned tx_de_emphasis:2;
+--
+2.35.1
+
--- /dev/null
+From 753ac3ad6d455fc5fb9aec351010d3cf699e6c8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 10:52:35 +0530
+Subject: usb: dwc3: core: Enable GUCTL1 bit 10 for fixing termination error
+ after resume bug
+
+From: Piyush Mehta <piyush.mehta@amd.com>
+
+[ Upstream commit 63d7f9810a38102cdb8cad214fac98682081e1a7 ]
+
+When configured in HOST mode, after issuing U3/L2 exit controller fails
+to send proper CRC checksum in CRC5 field. Because of this behavior
+Transaction Error is generated, resulting in reset and re-enumeration of
+usb device attached. Enabling chicken bit 10 of GUCTL1 will correct this
+problem.
+
+When this bit is set to '1', the UTMI/ULPI opmode will be changed to
+"normal" along with HS terminations, term, and xcvr signals after EOR.
+This option is to support certain legacy UTMI/ULPI PHYs.
+
+Added "snps,resume-hs-terminations" quirk to resolved the above issue.
+
+Signed-off-by: Piyush Mehta <piyush.mehta@amd.com>
+Link: https://lore.kernel.org/r/20220920052235.194272-3-piyush.mehta@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/core.c | 17 +++++++++++++++++
+ drivers/usb/dwc3/core.h | 4 ++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index f7f1952b2901..68d986361c49 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1183,6 +1183,21 @@ static int dwc3_core_init(struct dwc3 *dwc)
+ dwc3_writel(dwc->regs, DWC3_GUCTL2, reg);
+ }
+
++ /*
++ * When configured in HOST mode, after issuing U3/L2 exit controller
++ * fails to send proper CRC checksum in CRC5 feild. Because of this
++ * behaviour Transaction Error is generated, resulting in reset and
++ * re-enumeration of usb device attached. All the termsel, xcvrsel,
++ * opmode becomes 0 during end of resume. Enabling bit 10 of GUCTL1
++ * will correct this problem. This option is to support certain
++ * legacy ULPI PHYs.
++ */
++ if (dwc->resume_hs_terminations) {
++ reg = dwc3_readl(dwc->regs, DWC3_GUCTL1);
++ reg |= DWC3_GUCTL1_RESUME_OPMODE_HS_HOST;
++ dwc3_writel(dwc->regs, DWC3_GUCTL1, reg);
++ }
++
+ if (!DWC3_VER_IS_PRIOR(DWC3, 250A)) {
+ reg = dwc3_readl(dwc->regs, DWC3_GUCTL1);
+
+@@ -1526,6 +1541,8 @@ static void dwc3_get_properties(struct dwc3 *dwc)
+ "snps,dis-del-phy-power-chg-quirk");
+ dwc->dis_tx_ipgap_linecheck_quirk = device_property_read_bool(dev,
+ "snps,dis-tx-ipgap-linecheck-quirk");
++ dwc->resume_hs_terminations = device_property_read_bool(dev,
++ "snps,resume-hs-terminations");
+ dwc->parkmode_disable_ss_quirk = device_property_read_bool(dev,
+ "snps,parkmode-disable-ss-quirk");
+ dwc->gfladj_refclk_lpm_sel = device_property_read_bool(dev,
+diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h
+index 11975a03316f..3ac9313e66f9 100644
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -263,6 +263,7 @@
+ #define DWC3_GUCTL1_DEV_FORCE_20_CLK_FOR_30_CLK BIT(26)
+ #define DWC3_GUCTL1_DEV_L1_EXIT_BY_HW BIT(24)
+ #define DWC3_GUCTL1_PARKMODE_DISABLE_SS BIT(17)
++#define DWC3_GUCTL1_RESUME_OPMODE_HS_HOST BIT(10)
+
+ /* Global Status Register */
+ #define DWC3_GSTS_OTG_IP BIT(10)
+@@ -1097,6 +1098,8 @@ struct dwc3_scratchpad_array {
+ * change quirk.
+ * @dis_tx_ipgap_linecheck_quirk: set if we disable u2mac linestate
+ * check during HS transmit.
++ * @resume-hs-terminations: Set if we enable quirk for fixing improper crc
++ * generation after resume from suspend.
+ * @parkmode_disable_ss_quirk: set if we need to disable all SuperSpeed
+ * instances in park mode.
+ * @tx_de_emphasis_quirk: set if we enable Tx de-emphasis quirk
+@@ -1312,6 +1315,7 @@ struct dwc3 {
+ unsigned dis_u2_freeclk_exists_quirk:1;
+ unsigned dis_del_phy_power_chg_quirk:1;
+ unsigned dis_tx_ipgap_linecheck_quirk:1;
++ unsigned resume_hs_terminations:1;
+ unsigned parkmode_disable_ss_quirk:1;
+ unsigned gfladj_refclk_lpm_sel:1;
+
+--
+2.35.1
+
--- /dev/null
+From 79da24c1cf16cf64d85519846982486308b2a130 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 14:22:08 +0300
+Subject: usb: dwc3: core: fix some leaks in probe
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 2a735e4b5580a2a6bbd6572109b4c4f163c57462 ]
+
+The dwc3_get_properties() function calls:
+
+ dwc->usb_psy = power_supply_get_by_name(usb_psy_name);
+
+so there is some additional clean up required on these error paths.
+
+Fixes: 6f0764b5adea ("usb: dwc3: add a power supply for current control")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YyxFYFnP53j9sCg+@kili
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/core.c | 58 +++++++++++++++++++++++++----------------
+ 1 file changed, 36 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index 219d797e2230..919d36fd0298 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1712,8 +1712,10 @@ static int dwc3_probe(struct platform_device *pdev)
+ dwc3_get_properties(dwc);
+
+ dwc->reset = devm_reset_control_array_get_optional_shared(dev);
+- if (IS_ERR(dwc->reset))
+- return PTR_ERR(dwc->reset);
++ if (IS_ERR(dwc->reset)) {
++ ret = PTR_ERR(dwc->reset);
++ goto put_usb_psy;
++ }
+
+ if (dev->of_node) {
+ /*
+@@ -1723,45 +1725,57 @@ static int dwc3_probe(struct platform_device *pdev)
+ * check for them to retain backwards compatibility.
+ */
+ dwc->bus_clk = devm_clk_get_optional(dev, "bus_early");
+- if (IS_ERR(dwc->bus_clk))
+- return dev_err_probe(dev, PTR_ERR(dwc->bus_clk),
+- "could not get bus clock\n");
++ if (IS_ERR(dwc->bus_clk)) {
++ ret = dev_err_probe(dev, PTR_ERR(dwc->bus_clk),
++ "could not get bus clock\n");
++ goto put_usb_psy;
++ }
+
+ if (dwc->bus_clk == NULL) {
+ dwc->bus_clk = devm_clk_get_optional(dev, "bus_clk");
+- if (IS_ERR(dwc->bus_clk))
+- return dev_err_probe(dev, PTR_ERR(dwc->bus_clk),
+- "could not get bus clock\n");
++ if (IS_ERR(dwc->bus_clk)) {
++ ret = dev_err_probe(dev, PTR_ERR(dwc->bus_clk),
++ "could not get bus clock\n");
++ goto put_usb_psy;
++ }
+ }
+
+ dwc->ref_clk = devm_clk_get_optional(dev, "ref");
+- if (IS_ERR(dwc->ref_clk))
+- return dev_err_probe(dev, PTR_ERR(dwc->ref_clk),
+- "could not get ref clock\n");
++ if (IS_ERR(dwc->ref_clk)) {
++ ret = dev_err_probe(dev, PTR_ERR(dwc->ref_clk),
++ "could not get ref clock\n");
++ goto put_usb_psy;
++ }
+
+ if (dwc->ref_clk == NULL) {
+ dwc->ref_clk = devm_clk_get_optional(dev, "ref_clk");
+- if (IS_ERR(dwc->ref_clk))
+- return dev_err_probe(dev, PTR_ERR(dwc->ref_clk),
+- "could not get ref clock\n");
++ if (IS_ERR(dwc->ref_clk)) {
++ ret = dev_err_probe(dev, PTR_ERR(dwc->ref_clk),
++ "could not get ref clock\n");
++ goto put_usb_psy;
++ }
+ }
+
+ dwc->susp_clk = devm_clk_get_optional(dev, "suspend");
+- if (IS_ERR(dwc->susp_clk))
+- return dev_err_probe(dev, PTR_ERR(dwc->susp_clk),
+- "could not get suspend clock\n");
++ if (IS_ERR(dwc->susp_clk)) {
++ ret = dev_err_probe(dev, PTR_ERR(dwc->susp_clk),
++ "could not get suspend clock\n");
++ goto put_usb_psy;
++ }
+
+ if (dwc->susp_clk == NULL) {
+ dwc->susp_clk = devm_clk_get_optional(dev, "suspend_clk");
+- if (IS_ERR(dwc->susp_clk))
+- return dev_err_probe(dev, PTR_ERR(dwc->susp_clk),
+- "could not get suspend clock\n");
++ if (IS_ERR(dwc->susp_clk)) {
++ ret = dev_err_probe(dev, PTR_ERR(dwc->susp_clk),
++ "could not get suspend clock\n");
++ goto put_usb_psy;
++ }
+ }
+ }
+
+ ret = reset_control_deassert(dwc->reset);
+ if (ret)
+- return ret;
++ goto put_usb_psy;
+
+ ret = dwc3_clk_enable(dwc);
+ if (ret)
+@@ -1861,7 +1875,7 @@ static int dwc3_probe(struct platform_device *pdev)
+ dwc3_clk_disable(dwc);
+ assert_reset:
+ reset_control_assert(dwc->reset);
+-
++put_usb_psy:
+ if (dwc->usb_psy)
+ power_supply_put(dwc->usb_psy);
+
+--
+2.35.1
+
--- /dev/null
+From 18be4ff72889aac6dbf973007463ab3752c0f680 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 17:59:42 +0300
+Subject: usb: gadget: f_fs: stricter integer overflow checks
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit f57004b9d96755cd6a243b51c267be4016b4563c ]
+
+This from static analysis. The vla_item() takes a size and adds it to
+the total. It has a built in integer overflow check so if it encounters
+an integer overflow anywhere then it records the total as SIZE_MAX.
+
+However there is an issue here because the "lang_count*(needed_count+1)"
+multiplication can overflow. Technically the "lang_count + 1" addition
+could overflow too, but that would be detected and is harmless. Fix
+both using the new size_add() and size_mul() functions.
+
+Fixes: e6f3862fa1ec ("usb: gadget: FunctionFS: Remove VLAIS usage from gadget code")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YxDI3lMYomE7WCjn@kili
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index e0fa4b186ec6..36184a762527 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -2645,10 +2645,10 @@ static int __ffs_data_got_strings(struct ffs_data *ffs,
+ unsigned i = 0;
+ vla_group(d);
+ vla_item(d, struct usb_gadget_strings *, stringtabs,
+- lang_count + 1);
++ size_add(lang_count, 1));
+ vla_item(d, struct usb_gadget_strings, stringtab, lang_count);
+ vla_item(d, struct usb_string, strings,
+- lang_count*(needed_count+1));
++ size_mul(lang_count, (needed_count + 1)));
+
+ char *vlabuf = kmalloc(vla_group_size(d), GFP_KERNEL);
+
+--
+2.35.1
+
--- /dev/null
+From 08bd3a5008b5a902f4167652503df541c5ecb0c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Sep 2022 15:37:55 -0700
+Subject: usb: gadget: function: fix dangling pnp_string in f_printer.c
+
+From: Albert Briscoe <albertsbriscoe@gmail.com>
+
+[ Upstream commit 24b7ba2f88e04800b54d462f376512e8c41b8a3c ]
+
+When opts->pnp_string is changed with configfs, new memory is allocated for
+the string. It does not, however, update dev->pnp_string, even though the
+memory is freed. When rquesting the string, the host then gets old or
+corrupted data rather than the new string. The ieee 1284 id string should
+be allowed to change while the device is connected.
+
+The bug was introduced in commit fdc01cc286be ("usb: gadget: printer:
+Remove pnp_string static buffer"), which changed opts->pnp_string from a
+char[] to a char*.
+This patch changes dev->pnp_string from a char* to a char** pointing to
+opts->pnp_string.
+
+Fixes: fdc01cc286be ("usb: gadget: printer: Remove pnp_string static buffer")
+Signed-off-by: Albert Briscoe <albertsbriscoe@gmail.com>
+Link: https://lore.kernel.org/r/20220911223753.20417-1-albertsbriscoe@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_printer.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c
+index abec5c58f525..a881c69b1f2b 100644
+--- a/drivers/usb/gadget/function/f_printer.c
++++ b/drivers/usb/gadget/function/f_printer.c
+@@ -89,7 +89,7 @@ struct printer_dev {
+ u8 printer_cdev_open;
+ wait_queue_head_t wait;
+ unsigned q_len;
+- char *pnp_string; /* We don't own memory! */
++ char **pnp_string; /* We don't own memory! */
+ struct usb_function function;
+ };
+
+@@ -1000,16 +1000,16 @@ static int printer_func_setup(struct usb_function *f,
+ if ((wIndex>>8) != dev->interface)
+ break;
+
+- if (!dev->pnp_string) {
++ if (!*dev->pnp_string) {
+ value = 0;
+ break;
+ }
+- value = strlen(dev->pnp_string);
++ value = strlen(*dev->pnp_string);
+ buf[0] = (value >> 8) & 0xFF;
+ buf[1] = value & 0xFF;
+- memcpy(buf + 2, dev->pnp_string, value);
++ memcpy(buf + 2, *dev->pnp_string, value);
+ DBG(dev, "1284 PNP String: %x %s\n", value,
+- dev->pnp_string);
++ *dev->pnp_string);
+ break;
+
+ case GET_PORT_STATUS: /* Get Port Status */
+@@ -1475,7 +1475,7 @@ static struct usb_function *gprinter_alloc(struct usb_function_instance *fi)
+ kref_init(&dev->kref);
+ ++opts->refcnt;
+ dev->minor = opts->minor;
+- dev->pnp_string = opts->pnp_string;
++ dev->pnp_string = &opts->pnp_string;
+ dev->q_len = opts->q_len;
+ mutex_unlock(&opts->lock);
+
+--
+2.35.1
+
--- /dev/null
+From f669a688899690c90edc4056b2bfc41248324c72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 23:58:18 +0200
+Subject: usb: gadget: uvc: increase worker prio to WQ_HIGHPRI
+
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+
+[ Upstream commit 9b91a65230784a9ef644b8bdbb82a79ba4ae9456 ]
+
+This patch is changing the simple workqueue in the gadget driver to be
+allocated as async_wq with a higher priority. The pump worker, that is
+filling the usb requests, will have a higher priority and will not be
+scheduled away so often while the video stream is handled. This will
+lead to fewer streaming underruns.
+
+Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Link: https://lore.kernel.org/r/20220907215818.2670097-1-m.grzeschik@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_uvc.c | 4 ++++
+ drivers/usb/gadget/function/uvc.h | 1 +
+ drivers/usb/gadget/function/uvc_v4l2.c | 2 +-
+ drivers/usb/gadget/function/uvc_video.c | 9 +++++++--
+ 4 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
+index 86bb0098fb66..7ec223849d94 100644
+--- a/drivers/usb/gadget/function/f_uvc.c
++++ b/drivers/usb/gadget/function/f_uvc.c
+@@ -897,10 +897,14 @@ static void uvc_function_unbind(struct usb_configuration *c,
+ {
+ struct usb_composite_dev *cdev = c->cdev;
+ struct uvc_device *uvc = to_uvc(f);
++ struct uvc_video *video = &uvc->video;
+ long wait_ret = 1;
+
+ uvcg_info(f, "%s()\n", __func__);
+
++ if (video->async_wq)
++ destroy_workqueue(video->async_wq);
++
+ /*
+ * If we know we're connected via v4l2, then there should be a cleanup
+ * of the device from userspace either via UVC_EVENT_DISCONNECT or
+diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h
+index 58e383afdd44..1a31e6c6a5ff 100644
+--- a/drivers/usb/gadget/function/uvc.h
++++ b/drivers/usb/gadget/function/uvc.h
+@@ -88,6 +88,7 @@ struct uvc_video {
+ struct usb_ep *ep;
+
+ struct work_struct pump;
++ struct workqueue_struct *async_wq;
+
+ /* Frame parameters */
+ u8 bpp;
+diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c
+index fd8f73bb726d..fddc392b8ab9 100644
+--- a/drivers/usb/gadget/function/uvc_v4l2.c
++++ b/drivers/usb/gadget/function/uvc_v4l2.c
+@@ -170,7 +170,7 @@ uvc_v4l2_qbuf(struct file *file, void *fh, struct v4l2_buffer *b)
+ return ret;
+
+ if (uvc->state == UVC_STATE_STREAMING)
+- schedule_work(&video->pump);
++ queue_work(video->async_wq, &video->pump);
+
+ return ret;
+ }
+diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c
+index c00ce0e91f5d..bb037fcc90e6 100644
+--- a/drivers/usb/gadget/function/uvc_video.c
++++ b/drivers/usb/gadget/function/uvc_video.c
+@@ -277,7 +277,7 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req)
+ spin_unlock_irqrestore(&video->req_lock, flags);
+
+ if (uvc->state == UVC_STATE_STREAMING)
+- schedule_work(&video->pump);
++ queue_work(video->async_wq, &video->pump);
+ }
+
+ static int
+@@ -485,7 +485,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable)
+
+ video->req_int_count = 0;
+
+- schedule_work(&video->pump);
++ queue_work(video->async_wq, &video->pump);
+
+ return ret;
+ }
+@@ -499,6 +499,11 @@ int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc)
+ spin_lock_init(&video->req_lock);
+ INIT_WORK(&video->pump, uvcg_video_pump);
+
++ /* Allocate a work queue for asynchronous video pump handler. */
++ video->async_wq = alloc_workqueue("uvcgadget", WQ_UNBOUND | WQ_HIGHPRI, 0);
++ if (!video->async_wq)
++ return -EINVAL;
++
+ video->uvc = uvc;
+ video->fcc = V4L2_PIX_FMT_YUYV;
+ video->bpp = 16;
+--
+2.35.1
+
--- /dev/null
+From 84fc8643fc3e092c3a08ff50e671e6c3aa60b698 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 15:34:45 +0300
+Subject: usb: host: xhci: Fix potential memory leak in
+ xhci_alloc_stream_info()
+
+From: Jianglei Nie <niejianglei2021@163.com>
+
+[ Upstream commit 7e271f42a5cc3768cd2622b929ba66859ae21f97 ]
+
+xhci_alloc_stream_info() allocates stream context array for stream_info
+->stream_ctx_array with xhci_alloc_stream_ctx(). When some error occurs,
+stream_info->stream_ctx_array is not released, which will lead to a
+memory leak.
+
+We can fix it by releasing the stream_info->stream_ctx_array with
+xhci_free_stream_ctx() on the error path to avoid the potential memory
+leak.
+
+Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20220921123450.671459-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-mem.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index 8c19e151a945..9e56aa28efcd 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -641,7 +641,7 @@ struct xhci_stream_info *xhci_alloc_stream_info(struct xhci_hcd *xhci,
+ num_stream_ctxs, &stream_info->ctx_array_dma,
+ mem_flags);
+ if (!stream_info->stream_ctx_array)
+- goto cleanup_ctx;
++ goto cleanup_ring_array;
+ memset(stream_info->stream_ctx_array, 0,
+ sizeof(struct xhci_stream_ctx)*num_stream_ctxs);
+
+@@ -702,6 +702,11 @@ struct xhci_stream_info *xhci_alloc_stream_info(struct xhci_hcd *xhci,
+ }
+ xhci_free_command(xhci, stream_info->free_streams_command);
+ cleanup_ctx:
++ xhci_free_stream_ctx(xhci,
++ stream_info->num_stream_ctxs,
++ stream_info->stream_ctx_array,
++ stream_info->ctx_array_dma);
++cleanup_ring_array:
+ kfree(stream_info->stream_rings);
+ cleanup_info:
+ kfree(stream_info);
+--
+2.35.1
+
--- /dev/null
+From 9958da207b8b5599c33a61510cc0efbd1acde3a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Aug 2022 15:27:34 -0700
+Subject: usb: host: xhci-plat: suspend and resume clocks
+
+From: Justin Chen <justinpopo6@gmail.com>
+
+[ Upstream commit 8bd954c56197caf5e3a804d989094bc3fe6329aa ]
+
+Introduce XHCI_SUSPEND_RESUME_CLKS quirk as a means to suspend and resume
+clocks if the hardware is capable of doing so. We assume that clocks will
+be needed if the device may wake.
+
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Justin Chen <justinpopo6@gmail.com>
+Link: https://lore.kernel.org/r/1660170455-15781-2-git-send-email-justinpopo6@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-plat.c | 16 +++++++++++++++-
+ drivers/usb/host/xhci.h | 1 +
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
+index a8641b6536ee..ef10982ad482 100644
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -437,7 +437,16 @@ static int __maybe_unused xhci_plat_suspend(struct device *dev)
+ * xhci_suspend() needs `do_wakeup` to know whether host is allowed
+ * to do wakeup during suspend.
+ */
+- return xhci_suspend(xhci, device_may_wakeup(dev));
++ ret = xhci_suspend(xhci, device_may_wakeup(dev));
++ if (ret)
++ return ret;
++
++ if (!device_may_wakeup(dev) && (xhci->quirks & XHCI_SUSPEND_RESUME_CLKS)) {
++ clk_disable_unprepare(xhci->clk);
++ clk_disable_unprepare(xhci->reg_clk);
++ }
++
++ return 0;
+ }
+
+ static int __maybe_unused xhci_plat_resume(struct device *dev)
+@@ -446,6 +455,11 @@ static int __maybe_unused xhci_plat_resume(struct device *dev)
+ struct xhci_hcd *xhci = hcd_to_xhci(hcd);
+ int ret;
+
++ if (!device_may_wakeup(dev) && (xhci->quirks & XHCI_SUSPEND_RESUME_CLKS)) {
++ clk_prepare_enable(xhci->clk);
++ clk_prepare_enable(xhci->reg_clk);
++ }
++
+ ret = xhci_priv_resume_quirk(hcd);
+ if (ret)
+ return ret;
+diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
+index 7caa0db5e826..6dfbf73ee840 100644
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1899,6 +1899,7 @@ struct xhci_hcd {
+ #define XHCI_NO_SOFT_RETRY BIT_ULL(40)
+ #define XHCI_BROKEN_D3COLD BIT_ULL(41)
+ #define XHCI_EP_CTX_BROKEN_DCS BIT_ULL(42)
++#define XHCI_SUSPEND_RESUME_CLKS BIT_ULL(43)
+
+ unsigned int num_active_eps;
+ unsigned int limit_active_eps;
+--
+2.35.1
+
--- /dev/null
+From 7b0faa3780c9c002b5387faf1b8e6a5bd19ce7cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Aug 2022 15:27:35 -0700
+Subject: usb: host: xhci-plat: suspend/resume clks for brcm
+
+From: Justin Chen <justinpopo6@gmail.com>
+
+[ Upstream commit c69400b09e471a3f1167adead55a808f0da6534a ]
+
+The xhci_plat_brcm xhci block can enter suspend with clock disabled to save
+power and re-enable them on resume. Make use of the XHCI_SUSPEND_RESUME_CLKS
+quirk to do so.
+
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Justin Chen <justinpopo6@gmail.com>
+Link: https://lore.kernel.org/r/1660170455-15781-3-git-send-email-justinpopo6@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-plat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
+index ef10982ad482..5fb55bf19493 100644
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -123,7 +123,7 @@ static const struct xhci_plat_priv xhci_plat_renesas_rcar_gen3 = {
+ };
+
+ static const struct xhci_plat_priv xhci_plat_brcm = {
+- .quirks = XHCI_RESET_ON_RESUME,
++ .quirks = XHCI_RESET_ON_RESUME | XHCI_SUSPEND_RESUME_CLKS,
+ };
+
+ static const struct of_device_id usb_xhci_of_match[] = {
+--
+2.35.1
+
--- /dev/null
+From d007c87fdddb8f1d68b2f3035401aaeb979e5977 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 21:48:44 +0800
+Subject: usb: idmouse: fix an uninit-value in idmouse_open
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit bce2b0539933e485d22d6f6f076c0fcd6f185c4c ]
+
+In idmouse_create_image, if any ftip_command fails, it will
+go to the reset label. However, this leads to the data in
+bulk_in_buffer[HEADER..IMGSIZE] uninitialized. And the check
+for valid image incurs an uninitialized dereference.
+
+Fix this by moving the check before reset label since this
+check only be valid if the data after bulk_in_buffer[HEADER]
+has concrete data.
+
+Note that this is found by KMSAN, so only kernel compilation
+is tested.
+
+Reported-by: syzbot+79832d33eb89fb3cd092@syzkaller.appspotmail.com
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Link: https://lore.kernel.org/r/20220922134847.1101921-1-dzm91@hust.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/idmouse.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/misc/idmouse.c b/drivers/usb/misc/idmouse.c
+index e9437a176518..ea39243efee3 100644
+--- a/drivers/usb/misc/idmouse.c
++++ b/drivers/usb/misc/idmouse.c
+@@ -177,10 +177,6 @@ static int idmouse_create_image(struct usb_idmouse *dev)
+ bytes_read += bulk_read;
+ }
+
+- /* reset the device */
+-reset:
+- ftip_command(dev, FTIP_RELEASE, 0, 0);
+-
+ /* check for valid image */
+ /* right border should be black (0x00) */
+ for (bytes_read = sizeof(HEADER)-1 + WIDTH-1; bytes_read < IMGSIZE; bytes_read += WIDTH)
+@@ -192,6 +188,10 @@ static int idmouse_create_image(struct usb_idmouse *dev)
+ if (dev->bulk_in_buffer[bytes_read] != 0xFF)
+ return -EAGAIN;
+
++ /* reset the device */
++reset:
++ ftip_command(dev, FTIP_RELEASE, 0, 0);
++
+ /* should be IMGSIZE == 65040 */
+ dev_dbg(&dev->interface->dev, "read %d bytes fingerprint data\n",
+ bytes_read);
+--
+2.35.1
+
--- /dev/null
+From d71b492dfe2411f8e8b21a17c6609f847ddc96cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 14:44:59 +0800
+Subject: usb: mtu3: fix failed runtime suspend in host only mode
+
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+
+[ Upstream commit 1c703e29da5efac6180e4c189029fa34b7e48e97 ]
+
+When the dr_mode is "host", after the host enter runtime suspend,
+the mtu3 can't do it, because the mtu3's device wakeup function is
+not enabled, instead it's enabled in gadget init function, to fix
+the issue, init wakeup early in mtu3's probe()
+
+Fixes: 6b587394c65c ("usb: mtu3: support suspend/resume for dual-role mode")
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reported-by: Tianping Fang <tianping.fang@mediatek.com>
+Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Link: https://lore.kernel.org/r/20220929064459.32522-1-chunfeng.yun@mediatek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/mtu3/mtu3_core.c | 2 --
+ drivers/usb/mtu3/mtu3_plat.c | 2 ++
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/mtu3/mtu3_core.c b/drivers/usb/mtu3/mtu3_core.c
+index 0ca173af87bb..a3a6282893d0 100644
+--- a/drivers/usb/mtu3/mtu3_core.c
++++ b/drivers/usb/mtu3/mtu3_core.c
+@@ -978,8 +978,6 @@ int ssusb_gadget_init(struct ssusb_mtk *ssusb)
+ goto irq_err;
+ }
+
+- device_init_wakeup(dev, true);
+-
+ /* power down device IP for power saving by default */
+ mtu3_stop(mtu);
+
+diff --git a/drivers/usb/mtu3/mtu3_plat.c b/drivers/usb/mtu3/mtu3_plat.c
+index 4cb65346789d..d78ae52b4e26 100644
+--- a/drivers/usb/mtu3/mtu3_plat.c
++++ b/drivers/usb/mtu3/mtu3_plat.c
+@@ -356,6 +356,8 @@ static int mtu3_probe(struct platform_device *pdev)
+ pm_runtime_enable(dev);
+ pm_runtime_get_sync(dev);
+
++ device_init_wakeup(dev, true);
++
+ ret = ssusb_rscs_init(ssusb);
+ if (ret)
+ goto comm_init_err;
+--
+2.35.1
+
--- /dev/null
+From 2be5741f350b7c131469b1a703e30f872b96da2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Sep 2022 10:21:19 +0800
+Subject: usb: musb: Fix musb_gadget.c rxstate overflow bug
+
+From: Robin Guo <guoweibin@inspur.com>
+
+[ Upstream commit eea4c860c3b366369eff0489d94ee4f0571d467d ]
+
+The usb function device call musb_gadget_queue() adds the passed
+request to musb_ep::req_list,If the (request->length > musb_ep->packet_sz)
+and (is_buffer_mapped(req) return false),the rxstate() will copy all data
+in fifo to request->buf which may cause request->buf out of bounds.
+
+Fix it by add the length check :
+fifocnt = min_t(unsigned, request->length - request->actual, fifocnt);
+
+Signed-off-by: Robin Guo <guoweibin@inspur.com>
+Link: https://lore.kernel.org/r/20220906102119.1b071d07a8391ff115e6d1ef@inspur.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/musb/musb_gadget.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
+index daada4b66a92..6704a62a1665 100644
+--- a/drivers/usb/musb/musb_gadget.c
++++ b/drivers/usb/musb/musb_gadget.c
+@@ -760,6 +760,9 @@ static void rxstate(struct musb *musb, struct musb_request *req)
+ musb_writew(epio, MUSB_RXCSR, csr);
+
+ buffer_aint_mapped:
++ fifo_count = min_t(unsigned int,
++ request->length - request->actual,
++ (unsigned int)fifo_count);
+ musb_read_fifo(musb_ep->hw_ep, fifo_count, (u8 *)
+ (request->buf + request->actual));
+ request->actual += fifo_count;
+--
+2.35.1
+
--- /dev/null
+From a6a2b086047b4f69ed056e84e9448502d96e3af7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 18:48:24 +0800
+Subject: USB: serial: console: move mutex_unlock() before usb_serial_put()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 61dfa797c731754642d1ac500a6ac42f9b47f920 ]
+
+While in current version there is no use-after-free as USB serial
+core holds another reference when the console is registered, we
+should better unlock before dropping the reference in
+usb_console_setup().
+
+Fixes: 7bd032dc2793 ("USB serial: update the console driver")
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/serial/console.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c
+index b97aa40ca4d1..da19a5fa414f 100644
+--- a/drivers/usb/serial/console.c
++++ b/drivers/usb/serial/console.c
+@@ -189,8 +189,8 @@ static int usb_console_setup(struct console *co, char *options)
+ info->port = NULL;
+ usb_autopm_put_interface(serial->interface);
+ error_get_interface:
+- usb_serial_put(serial);
+ mutex_unlock(&serial->disc_mutex);
++ usb_serial_put(serial);
+ return retval;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From e64d7d945a5094c90201cefea3de272b2ccae657 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 17:22:09 +0800
+Subject: usb: typec: anx7411: Use of_get_child_by_name() instead of
+ of_find_node_by_name()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit e45d7337dc0e4f7f1c2876e1b22c71a544ad12fd ]
+
+In anx7411_typec_switch_probe(), we should call of_get_child_by_name()
+instead of of_find_node_by_name() as of_find_xxx API will decrease the
+refcount of the 'from' argument.
+
+Fixes: fe6d8a9c8e64 ("usb: typec: anx7411: Add Analogix PD ANX7411 support")
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Liang He <windhl@126.com>
+Link: https://lore.kernel.org/r/20220915092209.4009273-1-windhl@126.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/anx7411.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/typec/anx7411.c b/drivers/usb/typec/anx7411.c
+index c0f0842d443c..f178d0eb47b1 100644
+--- a/drivers/usb/typec/anx7411.c
++++ b/drivers/usb/typec/anx7411.c
+@@ -1105,7 +1105,7 @@ static int anx7411_typec_switch_probe(struct anx7411_data *ctx,
+ int ret;
+ struct device_node *node;
+
+- node = of_find_node_by_name(dev->of_node, "orientation_switch");
++ node = of_get_child_by_name(dev->of_node, "orientation_switch");
+ if (!node)
+ return 0;
+
+@@ -1115,7 +1115,7 @@ static int anx7411_typec_switch_probe(struct anx7411_data *ctx,
+ return ret;
+ }
+
+- node = of_find_node_by_name(dev->of_node, "mode_switch");
++ node = of_get_child_by_name(dev->of_node, "mode_switch");
+ if (!node) {
+ dev_err(dev, "no typec mux exist");
+ ret = -ENODEV;
+--
+2.35.1
+
--- /dev/null
+From 18d701f246f3b9822e3f95eca78bdd5d9b887a4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 21:45:12 +0800
+Subject: usb: typec: ucsi: Don't warn on probe deferral
+
+From: Wayne Chang <waynec@nvidia.com>
+
+[ Upstream commit fce703a991b7e8c7e1371de95b9abaa832ecf9c3 ]
+
+Deferred probe is an expected return value for fwnode_usb_role_switch_get().
+Given that the driver deals with it properly, there's no need to output a
+warning that may potentially confuse users.
+
+--
+V2 -> V3: remove the Fixes and Cc
+V1 -> V2: adjust the coding style for better reading format.
+ drivers/usb/typec/ucsi/ucsi.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+Signed-off-by: Wayne Chang <waynec@nvidia.com>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20220927134512.2651067-1-waynec@nvidia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/ucsi/ucsi.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
+index 6364f0d467ea..74fb5a4c6f21 100644
+--- a/drivers/usb/typec/ucsi/ucsi.c
++++ b/drivers/usb/typec/ucsi/ucsi.c
+@@ -1067,11 +1067,9 @@ static int ucsi_register_port(struct ucsi *ucsi, int index)
+
+ cap->fwnode = ucsi_find_fwnode(con);
+ con->usb_role_sw = fwnode_usb_role_switch_get(cap->fwnode);
+- if (IS_ERR(con->usb_role_sw)) {
+- dev_err(ucsi->dev, "con%d: failed to get usb role switch\n",
+- con->num);
+- return PTR_ERR(con->usb_role_sw);
+- }
++ if (IS_ERR(con->usb_role_sw))
++ return dev_err_probe(ucsi->dev, PTR_ERR(con->usb_role_sw),
++ "con%d: failed to get usb role switch\n", con->num);
+
+ /* Delay other interactions with the con until registration is complete */
+ mutex_lock(&con->lock);
+--
+2.35.1
+
--- /dev/null
+From 89de16ed4de5d674bcc12d82ecc05e060ea1f1f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Jul 2022 11:34:51 +0200
+Subject: userfaultfd: open userfaultfds with O_RDONLY
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+[ Upstream commit abec3d015fdfb7c63105c7e1c956188bf381aa55 ]
+
+Since userfaultfd doesn't implement a write operation, it is more
+appropriate to open it read-only.
+
+When userfaultfds are opened read-write like it is now, and such fd is
+passed from one process to another, SELinux will check both read and
+write permissions for the target process, even though it can't actually
+do any write operation on the fd later.
+
+Inspired by the following bug report, which has hit the SELinux scenario
+described above:
+https://bugzilla.redhat.com/show_bug.cgi?id=1974559
+
+Reported-by: Robert O'Callahan <roc@ocallahan.org>
+Fixes: 86039bd3b4e6 ("userfaultfd: add new syscall to provide memory externalization")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Acked-by: Peter Xu <peterx@redhat.com>
+Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/userfaultfd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
+index 175de70e3adf..0c1d33c4f74c 100644
+--- a/fs/userfaultfd.c
++++ b/fs/userfaultfd.c
+@@ -991,7 +991,7 @@ static int resolve_userfault_fork(struct userfaultfd_ctx *new,
+ int fd;
+
+ fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, new,
+- O_RDWR | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode);
++ O_RDONLY | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode);
+ if (fd < 0)
+ return fd;
+
+@@ -2094,7 +2094,7 @@ SYSCALL_DEFINE1(userfaultfd, int, flags)
+ mmgrab(ctx->mm);
+
+ fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, ctx,
+- O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL);
++ O_RDONLY | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL);
+ if (fd < 0) {
+ mmdrop(ctx->mm);
+ kmem_cache_free(userfaultfd_ctx_cachep, ctx);
+--
+2.35.1
+
--- /dev/null
+From 304ff12caade1f81acf2d5c2086750054fcaceb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Sep 2022 15:45:38 +0900
+Subject: vhost/vsock: Use kvmalloc/kvfree for larger packets.
+
+From: Junichi Uekawa <uekawa@chromium.org>
+
+[ Upstream commit 0e3f72931fc47bb81686020cc643cde5d9cd0bb8 ]
+
+When copying a large file over sftp over vsock, data size is usually 32kB,
+and kmalloc seems to fail to try to allocate 32 32kB regions.
+
+ vhost-5837: page allocation failure: order:4, mode:0x24040c0
+ Call Trace:
+ [<ffffffffb6a0df64>] dump_stack+0x97/0xdb
+ [<ffffffffb68d6aed>] warn_alloc_failed+0x10f/0x138
+ [<ffffffffb68d868a>] ? __alloc_pages_direct_compact+0x38/0xc8
+ [<ffffffffb664619f>] __alloc_pages_nodemask+0x84c/0x90d
+ [<ffffffffb6646e56>] alloc_kmem_pages+0x17/0x19
+ [<ffffffffb6653a26>] kmalloc_order_trace+0x2b/0xdb
+ [<ffffffffb66682f3>] __kmalloc+0x177/0x1f7
+ [<ffffffffb66e0d94>] ? copy_from_iter+0x8d/0x31d
+ [<ffffffffc0689ab7>] vhost_vsock_handle_tx_kick+0x1fa/0x301 [vhost_vsock]
+ [<ffffffffc06828d9>] vhost_worker+0xf7/0x157 [vhost]
+ [<ffffffffb683ddce>] kthread+0xfd/0x105
+ [<ffffffffc06827e2>] ? vhost_dev_set_owner+0x22e/0x22e [vhost]
+ [<ffffffffb683dcd1>] ? flush_kthread_worker+0xf3/0xf3
+ [<ffffffffb6eb332e>] ret_from_fork+0x4e/0x80
+ [<ffffffffb683dcd1>] ? flush_kthread_worker+0xf3/0xf3
+
+Work around by doing kvmalloc instead.
+
+Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko")
+Signed-off-by: Junichi Uekawa <uekawa@chromium.org>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Link: https://lore.kernel.org/r/20220928064538.667678-1-uekawa@chromium.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vsock.c | 2 +-
+ net/vmw_vsock/virtio_transport_common.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
+index 368330417bde..5703775af129 100644
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -393,7 +393,7 @@ vhost_vsock_alloc_pkt(struct vhost_virtqueue *vq,
+ return NULL;
+ }
+
+- pkt->buf = kmalloc(pkt->len, GFP_KERNEL);
++ pkt->buf = kvmalloc(pkt->len, GFP_KERNEL);
+ if (!pkt->buf) {
+ kfree(pkt);
+ return NULL;
+diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
+index ec2c2afbf0d0..3a12aee33e92 100644
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1342,7 +1342,7 @@ EXPORT_SYMBOL_GPL(virtio_transport_recv_pkt);
+
+ void virtio_transport_free_pkt(struct virtio_vsock_pkt *pkt)
+ {
+- kfree(pkt->buf);
++ kvfree(pkt->buf);
+ kfree(pkt);
+ }
+ EXPORT_SYMBOL_GPL(virtio_transport_free_pkt);
+--
+2.35.1
+
--- /dev/null
+From d3e0d92fc3e193198a27b5248afc722a580443f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Jul 2022 09:23:18 +0200
+Subject: video/aperture: Disable and unregister sysfb devices via aperture
+ helpers
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit 5e01376124309b4dbd30d413f43c0d9c2f60edea ]
+
+Call sysfb_disable() before removing conflicting devices in aperture
+helpers. Fixes sysfb state if fbdev has been disabled.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Fixes: fb84efa28a48 ("drm/aperture: Run fbdev removal before internal helpers")
+Cc: Zack Rusin <zackr@vmware.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Javier Martinez Canillas <javierm@redhat.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Cc: Helge Deller <deller@gmx.de>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: Zhen Lei <thunder.leizhen@huawei.com>
+Cc: Changcheng Deng <deng.changcheng@zte.com.cn>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Maxime Ripard <mripard@kernel.org>
+Cc: dri-devel@lists.freedesktop.org
+Link: https://patchwork.freedesktop.org/patch/msgid/20220718072322.8927-8-tzimmermann@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/aperture.c | 14 ++++++++++++++
+ drivers/video/fbdev/core/fbmem.c | 12 ------------
+ 2 files changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/video/aperture.c b/drivers/video/aperture.c
+index 538f2d40acda..d245826a9324 100644
+--- a/drivers/video/aperture.c
++++ b/drivers/video/aperture.c
+@@ -8,6 +8,7 @@
+ #include <linux/pci.h>
+ #include <linux/platform_device.h>
+ #include <linux/slab.h>
++#include <linux/sysfb.h>
+ #include <linux/types.h>
+ #include <linux/vgaarb.h>
+
+@@ -286,7 +287,20 @@ int aperture_remove_conflicting_devices(resource_size_t base, resource_size_t si
+ #if IS_REACHABLE(CONFIG_FB)
+ struct apertures_struct *a;
+ int ret;
++#endif
++
++ /*
++ * If a driver asked to unregister a platform device registered by
++ * sysfb, then can be assumed that this is a driver for a display
++ * that is set up by the system firmware and has a generic driver.
++ *
++ * Drivers for devices that don't have a generic driver will never
++ * ask for this, so let's assume that a real driver for the display
++ * was already probed and prevent sysfb to register devices later.
++ */
++ sysfb_disable();
+
++#if IS_REACHABLE(CONFIG_FB)
+ a = alloc_apertures(1);
+ if (!a)
+ return -ENOMEM;
+diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
+index 02b0cf2cfafe..bda4d304feb6 100644
+--- a/drivers/video/fbdev/core/fbmem.c
++++ b/drivers/video/fbdev/core/fbmem.c
+@@ -19,7 +19,6 @@
+ #include <linux/kernel.h>
+ #include <linux/major.h>
+ #include <linux/slab.h>
+-#include <linux/sysfb.h>
+ #include <linux/mm.h>
+ #include <linux/mman.h>
+ #include <linux/vt.h>
+@@ -1777,17 +1776,6 @@ int remove_conflicting_framebuffers(struct apertures_struct *a,
+ do_free = true;
+ }
+
+- /*
+- * If a driver asked to unregister a platform device registered by
+- * sysfb, then can be assumed that this is a driver for a display
+- * that is set up by the system firmware and has a generic driver.
+- *
+- * Drivers for devices that don't have a generic driver will never
+- * ask for this, so let's assume that a real driver for the display
+- * was already probed and prevent sysfb to register devices later.
+- */
+- sysfb_disable();
+-
+ mutex_lock(®istration_lock);
+ do_remove_conflicting_framebuffers(a, name, primary);
+ mutex_unlock(®istration_lock);
+--
+2.35.1
+
--- /dev/null
+From e5c15f1eb76463cd6e82d028369d4298157f2ad9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 09:36:30 +0300
+Subject: virtio-gpu: fix shift wrapping bug in virtio_gpu_fence_event_create()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 37a78445763a5921bb54e9bad01937d0dfa521c1 ]
+
+The ->ring_idx_mask variable is a u64 so static checkers, Smatch in
+this case, complain if the BIT() is not also a u64.
+
+drivers/gpu/drm/virtio/virtgpu_ioctl.c:50 virtio_gpu_fence_event_create()
+warn: should '(1 << ring_idx)' be a 64 bit type?
+
+Fixes: cd7f5ca33585 ("drm/virtio: implement context init: add virtio_gpu_fence_event")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Chia-I Wu <olvaffe@gmail.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/YygN7jY0GdUSQSy0@kili
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_ioctl.c b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+index 3b1701607aae..5d05093014ac 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c
++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c
+@@ -47,7 +47,7 @@ static int virtio_gpu_fence_event_create(struct drm_device *dev,
+ struct virtio_gpu_fence_event *e = NULL;
+ int ret;
+
+- if (!(vfpriv->ring_idx_mask & (1 << ring_idx)))
++ if (!(vfpriv->ring_idx_mask & BIT_ULL(ring_idx)))
+ return 0;
+
+ e = kzalloc(sizeof(*e), GFP_KERNEL);
+--
+2.35.1
+
--- /dev/null
+From 06592ddb5a729956d0d0867d200261e541691a99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Aug 2022 10:19:30 -0400
+Subject: wifi: ath10k: add peer map clean up for peer delete in
+ ath10k_sta_state()
+
+From: Wen Gong <quic_wgong@quicinc.com>
+
+[ Upstream commit f020d9570a04df0762a2ac5c50cf1d8c511c9164 ]
+
+When peer delete failed in a disconnect operation, use-after-free
+detected by KFENCE in below log. It is because for each vdev_id and
+address, it has only one struct ath10k_peer, it is allocated in
+ath10k_peer_map_event(). When connected to an AP, it has more than
+one HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the
+array peer_map of struct ath10k will be set muti-elements to the
+same ath10k_peer in ath10k_peer_map_event(). When peer delete failed
+in ath10k_sta_state(), the ath10k_peer will be free for the 1st peer
+id in array peer_map of struct ath10k, and then use-after-free happened
+for the 2nd peer id because they map to the same ath10k_peer.
+
+And clean up all peers in array peer_map for the ath10k_peer, then
+user-after-free disappeared
+
+peer map event log:
+[ 306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e
+[ 306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33
+[ 306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246
+[ 306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198
+[ 306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166
+
+peer unmap event log:
+[ 435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING)
+[ 435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone)
+[ 435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246
+[ 435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198
+[ 435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166
+
+use-after-free log:
+[21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING)
+[21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110
+[21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed
+[21713.799968] ==================================================================
+[21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core]
+[21713.799991]
+[21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69):
+[21713.800010] ath10k_sta_state+0x265/0xb8a [ath10k_core]
+[21713.800041] drv_sta_state+0x115/0x677 [mac80211]
+[21713.800059] __sta_info_destroy_part2+0xb1/0x133 [mac80211]
+[21713.800076] __sta_info_flush+0x11d/0x162 [mac80211]
+[21713.800093] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211]
+[21713.800110] ieee80211_mgd_deauth+0x26c/0x29b [mac80211]
+[21713.800137] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211]
+[21713.800153] nl80211_deauthenticate+0xf8/0x121 [cfg80211]
+[21713.800161] genl_rcv_msg+0x38e/0x3be
+[21713.800166] netlink_rcv_skb+0x89/0xf7
+[21713.800171] genl_rcv+0x28/0x36
+[21713.800176] netlink_unicast+0x179/0x24b
+[21713.800181] netlink_sendmsg+0x3a0/0x40e
+[21713.800187] sock_sendmsg+0x72/0x76
+[21713.800192] ____sys_sendmsg+0x16d/0x1e3
+[21713.800196] ___sys_sendmsg+0x95/0xd1
+[21713.800200] __sys_sendmsg+0x85/0xbf
+[21713.800205] do_syscall_64+0x43/0x55
+[21713.800210] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[21713.800213]
+[21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k
+[21713.800219]
+[21713.800224] allocated by task 13 on cpu 0 at 21705.501373s:
+[21713.800241] ath10k_peer_map_event+0x7e/0x154 [ath10k_core]
+[21713.800254] ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core]
+[21713.800265] ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core]
+[21713.800277] ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core]
+[21713.800283] ath10k_pci_process_rx_cb+0x195/0x1df [ath10k_pci]
+[21713.800294] ath10k_ce_per_engine_service+0x55/0x74 [ath10k_core]
+[21713.800305] ath10k_ce_per_engine_service_any+0x76/0x84 [ath10k_core]
+[21713.800310] ath10k_pci_napi_poll+0x49/0x144 [ath10k_pci]
+[21713.800316] net_rx_action+0xdc/0x361
+[21713.800320] __do_softirq+0x163/0x29a
+[21713.800325] asm_call_irq_on_stack+0x12/0x20
+[21713.800331] do_softirq_own_stack+0x3c/0x48
+[21713.800337] __irq_exit_rcu+0x9b/0x9d
+[21713.800342] common_interrupt+0xc9/0x14d
+[21713.800346] asm_common_interrupt+0x1e/0x40
+[21713.800351] ksoftirqd_should_run+0x5/0x16
+[21713.800357] smpboot_thread_fn+0x148/0x211
+[21713.800362] kthread+0x150/0x15f
+[21713.800367] ret_from_fork+0x22/0x30
+[21713.800370]
+[21713.800374] freed by task 708 on cpu 1 at 21713.799953s:
+[21713.800498] ath10k_sta_state+0x2c6/0xb8a [ath10k_core]
+[21713.800515] drv_sta_state+0x115/0x677 [mac80211]
+[21713.800532] __sta_info_destroy_part2+0xb1/0x133 [mac80211]
+[21713.800548] __sta_info_flush+0x11d/0x162 [mac80211]
+[21713.800565] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211]
+[21713.800581] ieee80211_mgd_deauth+0x26c/0x29b [mac80211]
+[21713.800598] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211]
+[21713.800614] nl80211_deauthenticate+0xf8/0x121 [cfg80211]
+[21713.800619] genl_rcv_msg+0x38e/0x3be
+[21713.800623] netlink_rcv_skb+0x89/0xf7
+[21713.800628] genl_rcv+0x28/0x36
+[21713.800632] netlink_unicast+0x179/0x24b
+[21713.800637] netlink_sendmsg+0x3a0/0x40e
+[21713.800642] sock_sendmsg+0x72/0x76
+[21713.800646] ____sys_sendmsg+0x16d/0x1e3
+[21713.800651] ___sys_sendmsg+0x95/0xd1
+[21713.800655] __sys_sendmsg+0x85/0xbf
+[21713.800659] do_syscall_64+0x43/0x55
+[21713.800663] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1
+
+Fixes: d0eeafad1189 ("ath10k: Clean up peer when sta goes away.")
+Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20220801141930.16794-1-quic_wgong@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 54 ++++++++++++++-------------
+ 1 file changed, 29 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 9dd3b8fba4b0..23381a9db6ae 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -864,11 +864,36 @@ static int ath10k_peer_delete(struct ath10k *ar, u32 vdev_id, const u8 *addr)
+ return 0;
+ }
+
++static void ath10k_peer_map_cleanup(struct ath10k *ar, struct ath10k_peer *peer)
++{
++ int peer_id, i;
++
++ lockdep_assert_held(&ar->conf_mutex);
++
++ for_each_set_bit(peer_id, peer->peer_ids,
++ ATH10K_MAX_NUM_PEER_IDS) {
++ ar->peer_map[peer_id] = NULL;
++ }
++
++ /* Double check that peer is properly un-referenced from
++ * the peer_map
++ */
++ for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) {
++ if (ar->peer_map[i] == peer) {
++ ath10k_warn(ar, "removing stale peer_map entry for %pM (ptr %pK idx %d)\n",
++ peer->addr, peer, i);
++ ar->peer_map[i] = NULL;
++ }
++ }
++
++ list_del(&peer->list);
++ kfree(peer);
++ ar->num_peers--;
++}
++
+ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id)
+ {
+ struct ath10k_peer *peer, *tmp;
+- int peer_id;
+- int i;
+
+ lockdep_assert_held(&ar->conf_mutex);
+
+@@ -880,25 +905,7 @@ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id)
+ ath10k_warn(ar, "removing stale peer %pM from vdev_id %d\n",
+ peer->addr, vdev_id);
+
+- for_each_set_bit(peer_id, peer->peer_ids,
+- ATH10K_MAX_NUM_PEER_IDS) {
+- ar->peer_map[peer_id] = NULL;
+- }
+-
+- /* Double check that peer is properly un-referenced from
+- * the peer_map
+- */
+- for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) {
+- if (ar->peer_map[i] == peer) {
+- ath10k_warn(ar, "removing stale peer_map entry for %pM (ptr %pK idx %d)\n",
+- peer->addr, peer, i);
+- ar->peer_map[i] = NULL;
+- }
+- }
+-
+- list_del(&peer->list);
+- kfree(peer);
+- ar->num_peers--;
++ ath10k_peer_map_cleanup(ar, peer);
+ }
+ spin_unlock_bh(&ar->data_lock);
+ }
+@@ -7621,10 +7628,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
+ /* Clean up the peer object as well since we
+ * must have failed to do this above.
+ */
+- list_del(&peer->list);
+- ar->peer_map[i] = NULL;
+- kfree(peer);
+- ar->num_peers--;
++ ath10k_peer_map_cleanup(ar, peer);
+ }
+ }
+ spin_unlock_bh(&ar->data_lock);
+--
+2.35.1
+
--- /dev/null
+From 3c40c49b26b3d3270cda809d326aa0b2a82eef63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 18:23:54 +0300
+Subject: wifi: ath10k: reset pointer after memory free to avoid potential
+ use-after-free
+
+From: Wen Gong <quic_wgong@quicinc.com>
+
+[ Upstream commit 1e1cb8e0b73e6f39a9d4a7a15d940b1265387eb5 ]
+
+When running suspend test, kernel crash happened in ath10k, and it is
+fixed by commit b72a4aff947b ("ath10k: skip ath10k_halt during suspend
+for driver state RESTARTING").
+
+Currently the crash is fixed, but as a common code style, it is better
+to set the pointer to NULL after memory is free.
+
+This is to address the code style and it will avoid potential bug of
+use-after-free.
+
+Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
+Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20220505092248.787-1-quic_wgong@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/htt_rx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
+index 8a075a711b71..f84f6c4c2a7a 100644
+--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
+@@ -301,12 +301,16 @@ void ath10k_htt_rx_free(struct ath10k_htt *htt)
+ ath10k_htt_get_vaddr_ring(htt),
+ htt->rx_ring.base_paddr);
+
++ ath10k_htt_config_paddrs_ring(htt, NULL);
++
+ dma_free_coherent(htt->ar->dev,
+ sizeof(*htt->rx_ring.alloc_idx.vaddr),
+ htt->rx_ring.alloc_idx.vaddr,
+ htt->rx_ring.alloc_idx.paddr);
++ htt->rx_ring.alloc_idx.vaddr = NULL;
+
+ kfree(htt->rx_ring.netbufs_ring);
++ htt->rx_ring.netbufs_ring = NULL;
+ }
+
+ static inline struct sk_buff *ath10k_htt_rx_netbuf_pop(struct ath10k_htt *htt)
+@@ -846,8 +850,10 @@ int ath10k_htt_rx_alloc(struct ath10k_htt *htt)
+ ath10k_htt_get_rx_ring_size(htt),
+ vaddr_ring,
+ htt->rx_ring.base_paddr);
++ ath10k_htt_config_paddrs_ring(htt, NULL);
+ err_dma_ring:
+ kfree(htt->rx_ring.netbufs_ring);
++ htt->rx_ring.netbufs_ring = NULL;
+ err_netbuf:
+ return -ENOMEM;
+ }
+--
+2.35.1
+
--- /dev/null
+From f46af31f230371153133c822311ab4d69d8bc1cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Aug 2022 19:19:41 +0530
+Subject: wifi: ath10k: Set tx credit to one for WCN3990 snoc based devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Youghandhar Chintala <quic_youghand@quicinc.com>
+
+[ Upstream commit d81bbb684c250a637186d9286d75b1cb04d2986c ]
+
+Currently host can send two WMI commands at once. There is possibility to
+cause SMMU issues or corruption, if host wants to initiate 2 DMA
+transfers, it is possible when copy complete interrupt for first DMA
+reaches host, CE has already updated SRRI (Source ring read index) for
+both DMA transfers and is in the middle of 2nd DMA. Host uses SRRI
+(Source ring read index) to interpret how many DMA’s have been completed
+and tries to unmap/free both the DMA entries. Hence now it is limiting to
+one.Because CE is still in the middle of 2nd DMA which can cause these
+issues when handling two DMA transfers.
+
+This change will not impact other targets, as it is only for WCN3990.
+
+Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1
+
+Signed-off-by: Youghandhar Chintala <quic_youghand@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20220801134941.15216-1-quic_youghand@quicinc.com
+Stable-dep-of: f020d9570a04 ("wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/core.c | 16 ++++++++++++++++
+ drivers/net/wireless/ath/ath10k/htc.c | 11 ++++++++---
+ drivers/net/wireless/ath/ath10k/hw.h | 2 ++
+ 3 files changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c
+index 276954b70d63..d1ac64026cb3 100644
+--- a/drivers/net/wireless/ath/ath10k/core.c
++++ b/drivers/net/wireless/ath/ath10k/core.c
+@@ -98,6 +98,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .tx_stats_over_pktlog = true,
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
++ .use_fw_tx_credits = true,
+ },
+ {
+ .id = QCA988X_HW_2_0_VERSION,
+@@ -136,6 +137,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .tx_stats_over_pktlog = true,
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
++ .use_fw_tx_credits = true,
+ },
+ {
+ .id = QCA9887_HW_1_0_VERSION,
+@@ -175,6 +177,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .tx_stats_over_pktlog = false,
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
++ .use_fw_tx_credits = true,
+ },
+ {
+ .id = QCA6174_HW_3_2_VERSION,
+@@ -209,6 +212,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .supports_peer_stats_info = true,
+ .dynamic_sar_support = true,
+ .hw_restart_disconnect = false,
++ .use_fw_tx_credits = true,
+ },
+ {
+ .id = QCA6174_HW_2_1_VERSION,
+@@ -247,6 +251,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .tx_stats_over_pktlog = false,
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
++ .use_fw_tx_credits = true,
+ },
+ {
+ .id = QCA6174_HW_2_1_VERSION,
+@@ -285,6 +290,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .tx_stats_over_pktlog = false,
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
++ .use_fw_tx_credits = true,
+ },
+ {
+ .id = QCA6174_HW_3_0_VERSION,
+@@ -323,6 +329,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .tx_stats_over_pktlog = false,
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
++ .use_fw_tx_credits = true,
+ },
+ {
+ .id = QCA6174_HW_3_2_VERSION,
+@@ -365,6 +372,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .supports_peer_stats_info = true,
+ .dynamic_sar_support = true,
+ .hw_restart_disconnect = false,
++ .use_fw_tx_credits = true,
+ },
+ {
+ .id = QCA99X0_HW_2_0_DEV_VERSION,
+@@ -409,6 +417,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .tx_stats_over_pktlog = false,
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
++ .use_fw_tx_credits = true,
+ },
+ {
+ .id = QCA9984_HW_1_0_DEV_VERSION,
+@@ -460,6 +469,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .tx_stats_over_pktlog = false,
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
++ .use_fw_tx_credits = true,
+ },
+ {
+ .id = QCA9888_HW_2_0_DEV_VERSION,
+@@ -508,6 +518,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .tx_stats_over_pktlog = false,
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
++ .use_fw_tx_credits = true,
+ },
+ {
+ .id = QCA9377_HW_1_0_DEV_VERSION,
+@@ -546,6 +557,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .tx_stats_over_pktlog = false,
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
++ .use_fw_tx_credits = true,
+ },
+ {
+ .id = QCA9377_HW_1_1_DEV_VERSION,
+@@ -586,6 +598,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .tx_stats_over_pktlog = false,
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
++ .use_fw_tx_credits = true,
+ },
+ {
+ .id = QCA9377_HW_1_1_DEV_VERSION,
+@@ -617,6 +630,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .credit_size_workaround = true,
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
++ .use_fw_tx_credits = true,
+ },
+ {
+ .id = QCA4019_HW_1_0_DEV_VERSION,
+@@ -662,6 +676,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .tx_stats_over_pktlog = false,
+ .dynamic_sar_support = false,
+ .hw_restart_disconnect = false,
++ .use_fw_tx_credits = true,
+ },
+ {
+ .id = WCN3990_HW_1_0_DEV_VERSION,
+@@ -693,6 +708,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = {
+ .tx_stats_over_pktlog = false,
+ .dynamic_sar_support = true,
+ .hw_restart_disconnect = true,
++ .use_fw_tx_credits = false,
+ },
+ };
+
+diff --git a/drivers/net/wireless/ath/ath10k/htc.c b/drivers/net/wireless/ath/ath10k/htc.c
+index fab398046a3f..6d1784f74bea 100644
+--- a/drivers/net/wireless/ath/ath10k/htc.c
++++ b/drivers/net/wireless/ath/ath10k/htc.c
+@@ -947,13 +947,18 @@ int ath10k_htc_wait_target(struct ath10k_htc *htc)
+ return -ECOMM;
+ }
+
+- htc->total_transmit_credits = __le16_to_cpu(msg->ready.credit_count);
++ if (ar->hw_params.use_fw_tx_credits)
++ htc->total_transmit_credits = __le16_to_cpu(msg->ready.credit_count);
++ else
++ htc->total_transmit_credits = 1;
++
+ htc->target_credit_size = __le16_to_cpu(msg->ready.credit_size);
+
+ ath10k_dbg(ar, ATH10K_DBG_HTC,
+- "Target ready! transmit resources: %d size:%d\n",
++ "Target ready! transmit resources: %d size:%d actual credits:%d\n",
+ htc->total_transmit_credits,
+- htc->target_credit_size);
++ htc->target_credit_size,
++ msg->ready.credit_count);
+
+ if ((htc->total_transmit_credits == 0) ||
+ (htc->target_credit_size == 0)) {
+diff --git a/drivers/net/wireless/ath/ath10k/hw.h b/drivers/net/wireless/ath/ath10k/hw.h
+index 93acf0dd580a..1b99f3a39a11 100644
+--- a/drivers/net/wireless/ath/ath10k/hw.h
++++ b/drivers/net/wireless/ath/ath10k/hw.h
+@@ -635,6 +635,8 @@ struct ath10k_hw_params {
+ bool dynamic_sar_support;
+
+ bool hw_restart_disconnect;
++
++ bool use_fw_tx_credits;
+ };
+
+ struct htt_resp;
+--
+2.35.1
+
--- /dev/null
+From 6d59ad459497739b0d17be84e0a298dd75d8f8b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 18:23:41 +0300
+Subject: wifi: ath11k: fix failed to find the peer with peer_id 0 when
+ disconnected
+
+From: Wen Gong <quic_wgong@quicinc.com>
+
+[ Upstream commit a20ed60bb357776301c2dad7b4a4f0db97e143e9 ]
+
+It has a fail log which is ath11k_dbg in ath11k_dp_rx_process_mon_status(),
+as below, it will not print when debug_mask is not set ATH11K_DBG_DATA.
+ ath11k_dbg(ab, ATH11K_DBG_DATA,
+ "failed to find the peer with peer_id %d\n",
+ ppdu_info.peer_id);
+
+When run scan with station disconnected, the peer_id is 0 for case
+HAL_RX_MPDU_START in ath11k_hal_rx_parse_mon_status_tlv() which called
+from ath11k_dp_rx_process_mon_status(), and the peer_id of ppdu_info is
+reset to 0 in the while loop, so it does not match condition of the
+check "if (ppdu_info->peer_id == HAL_INVALID_PEERID" in the loop, and
+then the log "failed to find the peer with peer_id 0" print after the
+check in the loop, it is below call stack when debug_mask is set
+ATH11K_DBG_DATA.
+
+The reason is this commit 01d2f285e3e5 ("ath11k: decode HE status tlv")
+add "memset(ppdu_info, 0, sizeof(struct hal_rx_mon_ppdu_info))" in
+ath11k_dp_rx_process_mon_status(), but the commit does not initialize
+the peer_id to HAL_INVALID_PEERID, then lead the check mis-match.
+
+Callstack of the failed log:
+[12335.689072] RIP: 0010:ath11k_dp_rx_process_mon_status+0x9ea/0x1020 [ath11k]
+[12335.689157] Code: 89 ff e8 f9 10 00 00 be 01 00 00 00 4c 89 f7 e8 dc 4b 4e de 48 8b 85 38 ff ff ff c7 80 e4 07 00 00 01 00 00 00 e9 20 f8 ff ff <0f> 0b 41 0f b7 96 be 06 00 00 48 c7 c6 b8 50 44 c1 4c 89 ff e8 fd
+[12335.689180] RSP: 0018:ffffb874001a4ca0 EFLAGS: 00010246
+[12335.689210] RAX: 0000000000000000 RBX: ffff995642cbd100 RCX: 0000000000000000
+[12335.689229] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff99564212cd18
+[12335.689248] RBP: ffffb874001a4dc0 R08: 0000000000000001 R09: 0000000000000000
+[12335.689268] R10: 0000000000000220 R11: ffffb874001a48e8 R12: ffff995642473d40
+[12335.689286] R13: ffff99564212c5b8 R14: ffff9956424736a0 R15: ffff995642120000
+[12335.689303] FS: 0000000000000000(0000) GS:ffff995739000000(0000) knlGS:0000000000000000
+[12335.689323] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[12335.689341] CR2: 00007f43c5d5e039 CR3: 000000011c012005 CR4: 00000000000606e0
+[12335.689360] Call Trace:
+[12335.689377] <IRQ>
+[12335.689418] ? rcu_read_lock_held_common+0x12/0x50
+[12335.689447] ? rcu_read_lock_sched_held+0x25/0x80
+[12335.689471] ? rcu_read_lock_held_common+0x12/0x50
+[12335.689504] ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k]
+[12335.689578] ? ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k]
+[12335.689653] ? lock_acquire+0xef/0x360
+[12335.689681] ? rcu_read_lock_sched_held+0x25/0x80
+[12335.689713] ath11k_dp_service_mon_ring+0x38/0x60 [ath11k]
+[12335.689784] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k]
+[12335.689860] call_timer_fn+0xb2/0x2f0
+[12335.689897] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k]
+[12335.689970] run_timer_softirq+0x21f/0x540
+[12335.689999] ? ktime_get+0xad/0x160
+[12335.690025] ? lapic_next_deadline+0x2c/0x40
+[12335.690053] ? clockevents_program_event+0x82/0x100
+[12335.690093] __do_softirq+0x151/0x4a8
+[12335.690135] irq_exit_rcu+0xc9/0x100
+[12335.690165] sysvec_apic_timer_interrupt+0xa8/0xd0
+[12335.690189] </IRQ>
+[12335.690204] <TASK>
+[12335.690225] asm_sysvec_apic_timer_interrupt+0x12/0x20
+
+Reset the default value to HAL_INVALID_PEERID each time after memset
+of ppdu_info as well as others memset which existed in function
+ath11k_dp_rx_process_mon_status(), then the failed log disappeared.
+
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3
+
+Fixes: 01d2f285e3e5 ("ath11k: decode HE status tlv")
+Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20220518033556.31940-1-quic_wgong@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/dp_rx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
+index 2148acf37071..e9c56ad1ec9d 100644
+--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
+@@ -5197,7 +5197,8 @@ int ath11k_dp_rx_process_mon_status(struct ath11k_base *ab, int mac_id,
+ if (log_type != ATH11K_PKTLOG_TYPE_INVALID)
+ trace_ath11k_htt_rxdesc(ar, skb->data, log_type, rx_buf_sz);
+
+- memset(ppdu_info, 0, sizeof(struct hal_rx_mon_ppdu_info));
++ memset(ppdu_info, 0, sizeof(*ppdu_info));
++ ppdu_info->peer_id = HAL_INVALID_PEERID;
+ hal_status = ath11k_hal_rx_parse_mon_status(ab, ppdu_info, skb);
+
+ if (test_bit(ATH11K_FLAG_MONITOR_STARTED, &ar->monitor_flags) &&
+--
+2.35.1
+
--- /dev/null
+From 65b187c2c43c721d9084e7f3538b1e3aa664276e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Aug 2022 09:04:19 +0300
+Subject: wifi: ath11k: Fix incorrect QMI message ID mappings
+
+From: Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
+
+[ Upstream commit b3ca32308e46b6384fdcb7e64b3fca4f61aff14b ]
+
+QMI message IDs for some of the QMI messages were incorrectly
+defined in the original implementation. These have to be corrected
+to enable cold boot support on WCN6750. These corrections are
+applicable for all chipsets and will not impact them. Refactor the
+code accordingly.
+
+Tested-on: WCN6750 hw1.0 AHB WLAN.MSL.1.0.1-00887-QCAMSLSWPLZ-1
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Signed-off-by: Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20220720134909.15626-2-quic_mpubbise@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/qmi.c | 38 ++++++++++++++++++++++++---
+ drivers/net/wireless/ath/ath11k/qmi.h | 10 +++++--
+ 2 files changed, 43 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/qmi.c b/drivers/net/wireless/ath/ath11k/qmi.c
+index 00136601cb7d..e6ced8597e1d 100644
+--- a/drivers/net/wireless/ath/ath11k/qmi.c
++++ b/drivers/net/wireless/ath/ath11k/qmi.c
+@@ -1696,6 +1696,13 @@ static struct qmi_elem_info qmi_wlanfw_wlan_ini_resp_msg_v01_ei[] = {
+ },
+ };
+
++static struct qmi_elem_info qmi_wlfw_fw_init_done_ind_msg_v01_ei[] = {
++ {
++ .data_type = QMI_EOTI,
++ .array_type = NO_ARRAY,
++ },
++};
++
+ static int ath11k_qmi_host_cap_send(struct ath11k_base *ab)
+ {
+ struct qmi_wlanfw_host_cap_req_msg_v01 req;
+@@ -3006,6 +3013,10 @@ static void ath11k_qmi_msg_fw_ready_cb(struct qmi_handle *qmi_hdl,
+ struct ath11k_base *ab = qmi->ab;
+
+ ath11k_dbg(ab, ATH11K_DBG_QMI, "qmi firmware ready\n");
++
++ ab->qmi.cal_done = 1;
++ wake_up(&ab->qmi.cold_boot_waitq);
++
+ ath11k_qmi_driver_event_post(qmi, ATH11K_QMI_EVENT_FW_READY, NULL);
+ }
+
+@@ -3018,11 +3029,22 @@ static void ath11k_qmi_msg_cold_boot_cal_done_cb(struct qmi_handle *qmi_hdl,
+ struct ath11k_qmi, handle);
+ struct ath11k_base *ab = qmi->ab;
+
+- ab->qmi.cal_done = 1;
+- wake_up(&ab->qmi.cold_boot_waitq);
+ ath11k_dbg(ab, ATH11K_DBG_QMI, "qmi cold boot calibration done\n");
+ }
+
++static void ath11k_qmi_msg_fw_init_done_cb(struct qmi_handle *qmi_hdl,
++ struct sockaddr_qrtr *sq,
++ struct qmi_txn *txn,
++ const void *decoded)
++{
++ struct ath11k_qmi *qmi = container_of(qmi_hdl,
++ struct ath11k_qmi, handle);
++ struct ath11k_base *ab = qmi->ab;
++
++ ath11k_qmi_driver_event_post(qmi, ATH11K_QMI_EVENT_FW_INIT_DONE, NULL);
++ ath11k_dbg(ab, ATH11K_DBG_QMI, "qmi firmware init done\n");
++}
++
+ static const struct qmi_msg_handler ath11k_qmi_msg_handlers[] = {
+ {
+ .type = QMI_INDICATION,
+@@ -3053,6 +3075,14 @@ static const struct qmi_msg_handler ath11k_qmi_msg_handlers[] = {
+ sizeof(struct qmi_wlanfw_fw_cold_cal_done_ind_msg_v01),
+ .fn = ath11k_qmi_msg_cold_boot_cal_done_cb,
+ },
++ {
++ .type = QMI_INDICATION,
++ .msg_id = QMI_WLFW_FW_INIT_DONE_IND_V01,
++ .ei = qmi_wlfw_fw_init_done_ind_msg_v01_ei,
++ .decoded_size =
++ sizeof(struct qmi_wlfw_fw_init_done_ind_msg_v01),
++ .fn = ath11k_qmi_msg_fw_init_done_cb,
++ },
+ };
+
+ static int ath11k_qmi_ops_new_server(struct qmi_handle *qmi_hdl,
+@@ -3145,7 +3175,7 @@ static void ath11k_qmi_driver_event_work(struct work_struct *work)
+ }
+
+ break;
+- case ATH11K_QMI_EVENT_FW_READY:
++ case ATH11K_QMI_EVENT_FW_INIT_DONE:
+ clear_bit(ATH11K_FLAG_QMI_FAIL, &ab->dev_flags);
+ if (test_bit(ATH11K_FLAG_REGISTERED, &ab->dev_flags)) {
+ ath11k_hal_dump_srng_stats(ab);
+@@ -3168,6 +3198,8 @@ static void ath11k_qmi_driver_event_work(struct work_struct *work)
+ set_bit(ATH11K_FLAG_REGISTERED, &ab->dev_flags);
+ }
+
++ break;
++ case ATH11K_QMI_EVENT_FW_READY:
+ break;
+ case ATH11K_QMI_EVENT_COLD_BOOT_CAL_DONE:
+ break;
+diff --git a/drivers/net/wireless/ath/ath11k/qmi.h b/drivers/net/wireless/ath/ath11k/qmi.h
+index c83cf822be81..2ec56a34fa81 100644
+--- a/drivers/net/wireless/ath/ath11k/qmi.h
++++ b/drivers/net/wireless/ath/ath11k/qmi.h
+@@ -31,8 +31,9 @@
+
+ #define QMI_WLFW_REQUEST_MEM_IND_V01 0x0035
+ #define QMI_WLFW_FW_MEM_READY_IND_V01 0x0037
+-#define QMI_WLFW_COLD_BOOT_CAL_DONE_IND_V01 0x0021
+-#define QMI_WLFW_FW_READY_IND_V01 0x0038
++#define QMI_WLFW_COLD_BOOT_CAL_DONE_IND_V01 0x003E
++#define QMI_WLFW_FW_READY_IND_V01 0x0021
++#define QMI_WLFW_FW_INIT_DONE_IND_V01 0x0038
+
+ #define QMI_WLANFW_MAX_DATA_SIZE_V01 6144
+ #define ATH11K_FIRMWARE_MODE_OFF 4
+@@ -69,6 +70,7 @@ enum ath11k_qmi_event_type {
+ ATH11K_QMI_EVENT_FORCE_FW_ASSERT,
+ ATH11K_QMI_EVENT_POWER_UP,
+ ATH11K_QMI_EVENT_POWER_DOWN,
++ ATH11K_QMI_EVENT_FW_INIT_DONE,
+ ATH11K_QMI_EVENT_MAX,
+ };
+
+@@ -291,6 +293,10 @@ struct qmi_wlanfw_fw_cold_cal_done_ind_msg_v01 {
+ char placeholder;
+ };
+
++struct qmi_wlfw_fw_init_done_ind_msg_v01 {
++ char placeholder;
++};
++
+ #define QMI_WLANFW_CAP_REQ_MSG_V01_MAX_LEN 0
+ #define QMI_WLANFW_CAP_RESP_MSG_V01_MAX_LEN 235
+ #define QMI_WLANFW_CAP_REQ_V01 0x0024
+--
+2.35.1
+
--- /dev/null
+From da1e634a6f41104b5bee569bca27f16e6d1ae73d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 10:35:14 +0300
+Subject: wifi: ath11k: fix number of VHT beamformee spatial streams
+
+From: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
+
+[ Upstream commit 55b5ee3357d7bb98ee578cf9b84a652e7a1bc199 ]
+
+The number of spatial streams used when acting as a beamformee in VHT
+mode are reported by the firmware as 7 (8 sts - 1) both in IPQ6018 and
+IPQ8074 which respectively have 2 and 4 sts each. So the firmware should
+report 1 (2 - 1) and 3 (4 - 1).
+
+Fix this by checking that the number of VHT beamformee sts reported by
+the firmware is not greater than the number of receiving antennas - 1.
+The fix is based on the same approach used in this same function for
+sanitizing the number of sounding dimensions reported by the firmware.
+
+Without this change, acting as a beamformee in VHT mode is not working
+properly.
+
+Tested-on: IPQ6018 hw1.0 AHB WLAN.HK.2.5.0.1-01208-QCAHKSWPL_SILICONZ-1
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01208-QCAHKSWPL_SILICONZ-1
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20220616173947.21901-1-jesus.manzano@galgus.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 7e91e347c9ff..7f6521314b2d 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -4954,6 +4954,8 @@ static int ath11k_mac_set_txbf_conf(struct ath11k_vif *arvif)
+ if (vht_cap & (IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE)) {
+ nsts = vht_cap & IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK;
+ nsts >>= IEEE80211_VHT_CAP_BEAMFORMEE_STS_SHIFT;
++ if (nsts > (ar->num_rx_chains - 1))
++ nsts = ar->num_rx_chains - 1;
+ value |= SM(nsts, WMI_TXBF_STS_CAP_OFFSET);
+ }
+
+@@ -4994,7 +4996,7 @@ static int ath11k_mac_set_txbf_conf(struct ath11k_vif *arvif)
+ static void ath11k_set_vht_txbf_cap(struct ath11k *ar, u32 *vht_cap)
+ {
+ bool subfer, subfee;
+- int sound_dim = 0;
++ int sound_dim = 0, nsts = 0;
+
+ subfer = !!(*vht_cap & (IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE));
+ subfee = !!(*vht_cap & (IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE));
+@@ -5004,6 +5006,11 @@ static void ath11k_set_vht_txbf_cap(struct ath11k *ar, u32 *vht_cap)
+ subfer = false;
+ }
+
++ if (ar->num_rx_chains < 2) {
++ *vht_cap &= ~(IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE);
++ subfee = false;
++ }
++
+ /* If SU Beaformer is not set, then disable MU Beamformer Capability */
+ if (!subfer)
+ *vht_cap &= ~(IEEE80211_VHT_CAP_MU_BEAMFORMER_CAPABLE);
+@@ -5016,7 +5023,9 @@ static void ath11k_set_vht_txbf_cap(struct ath11k *ar, u32 *vht_cap)
+ sound_dim >>= IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_SHIFT;
+ *vht_cap &= ~IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_MASK;
+
+- /* TODO: Need to check invalid STS and Sound_dim values set by FW? */
++ nsts = (*vht_cap & IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK);
++ nsts >>= IEEE80211_VHT_CAP_BEAMFORMEE_STS_SHIFT;
++ *vht_cap &= ~IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK;
+
+ /* Enable Sounding Dimension Field only if SU BF is enabled */
+ if (subfer) {
+@@ -5028,9 +5037,15 @@ static void ath11k_set_vht_txbf_cap(struct ath11k *ar, u32 *vht_cap)
+ *vht_cap |= sound_dim;
+ }
+
+- /* Use the STS advertised by FW unless SU Beamformee is not supported*/
+- if (!subfee)
+- *vht_cap &= ~(IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK);
++ /* Enable Beamformee STS Field only if SU BF is enabled */
++ if (subfee) {
++ if (nsts > (ar->num_rx_chains - 1))
++ nsts = ar->num_rx_chains - 1;
++
++ nsts <<= IEEE80211_VHT_CAP_BEAMFORMEE_STS_SHIFT;
++ nsts &= IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK;
++ *vht_cap |= nsts;
++ }
+ }
+
+ static struct ieee80211_sta_vht_cap
+--
+2.35.1
+
--- /dev/null
+From 3738b2b0a7b0b4153a0467768b2827fbedb2a531 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 10:35:14 +0300
+Subject: wifi: ath11k: fix peer addition/deletion error on sta band migration
+
+From: Christian 'Ansuel' Marangi <ansuelsmth@gmail.com>
+
+[ Upstream commit d673cb6fe6c03b2be157cc6c5db40481828d282d ]
+
+This patch try to fix the following error.
+
+Wed Jun 1 22:19:30 2022 kern.warn kernel: [ 119.561227] ath11k c000000.wifi: peer already added vdev id 0 req, vdev id 1 present
+Wed Jun 1 22:19:30 2022 kern.warn kernel: [ 119.561282] ath11k c000000.wifi: Failed to add peer: 28:c2:1f:xx:xx:xx for VDEV: 0
+Wed Jun 1 22:19:30 2022 kern.warn kernel: [ 119.568053] ath11k c000000.wifi: Failed to add station: 28:c2:1f:xx:xx:xx for VDEV: 0
+Wed Jun 1 22:19:31 2022 daemon.notice hostapd: wlan2: STA 28:c2:1f:xx:xx:xx IEEE 802.11: Could not add STA to kernel driver
+Wed Jun 1 22:19:31 2022 daemon.notice hostapd: wlan2: STA 28:c2:1f:xx:xx:xx IEEE 802.11: did not acknowledge authentication response
+Wed Jun 1 22:19:31 2022 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 28:c2:1f:xx:xx:xx
+Wed Jun 1 22:19:31 2022 daemon.info hostapd: wlan1: STA 28:c2:1f:xx:xx:xx IEEE 802.11: disassociated due to inactivity
+Wed Jun 1 22:19:32 2022 daemon.info hostapd: wlan1: STA 28:c2:1f:xx:xx:xx IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
+
+To repro this:
+- Have 2 Wifi with the same bssid and pass on different band (2.4 and
+5GHz)
+- Enable 802.11r Fast Transaction with same mobility domain
+- FT Protocol: FT over the Air
+From a openwrt system issue the command (with the correct mac)
+ubus call hostapd.wlan1 wnm_disassoc_imminent '{"addr":"28:C2:1F:xx:xx:xx"}'
+Notice the log printing the errors.
+
+The cause of this error has been investigated and we found that this is
+related to the WiFi Fast Transaction feature. We observed that this is
+triggered when the router tells the device to change band. In this case
+the device first auth to the other band and then the disconnect path
+from the prev band is triggered.
+This is problematic with the current rhash implementation since the
+addrs is used as key and the logic of "adding first, delete later"
+conflicts with the rhash logic.
+In fact peer addition will fail since the peer is already added and with
+that fixed a peer deletion will cause unitended effect by removing the
+peer just added.
+
+Current solution to this is to add additional logic to the peer delete,
+make sure we are deleting the correct peer taken from the rhash
+table (and fallback to the peer list) and for the peer add logic delete
+the peer entry for the rhash list before adding the new one (counting as
+an error only when a peer with the same vlan_id is asked to be added).
+
+With this change, a sta can correctly transition from 2.4GHz and 5GHZ
+with no drop and no error are printed.
+
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01208-QCAHKSWPL_SILICONZ-1
+
+Fixes: 7b0c70d92a43 ("ath11k: Add peer rhash table support")
+Signed-off-by: Christian 'Ansuel' Marangi <ansuelsmth@gmail.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20220603164559.27769-1-ansuelsmth@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/peer.c | 30 ++++++++++++++++++++++----
+ 1 file changed, 26 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/peer.c b/drivers/net/wireless/ath/ath11k/peer.c
+index 9e22aaf34b88..1ae7af02c364 100644
+--- a/drivers/net/wireless/ath/ath11k/peer.c
++++ b/drivers/net/wireless/ath/ath11k/peer.c
+@@ -302,6 +302,21 @@ static int __ath11k_peer_delete(struct ath11k *ar, u32 vdev_id, const u8 *addr)
+ spin_lock_bh(&ab->base_lock);
+
+ peer = ath11k_peer_find_by_addr(ab, addr);
++ /* Check if the found peer is what we want to remove.
++ * While the sta is transitioning to another band we may
++ * have 2 peer with the same addr assigned to different
++ * vdev_id. Make sure we are deleting the correct peer.
++ */
++ if (peer && peer->vdev_id == vdev_id)
++ ath11k_peer_rhash_delete(ab, peer);
++
++ /* Fallback to peer list search if the correct peer can't be found.
++ * Skip the deletion of the peer from the rhash since it has already
++ * been deleted in peer add.
++ */
++ if (!peer)
++ peer = ath11k_peer_find(ab, vdev_id, addr);
++
+ if (!peer) {
+ spin_unlock_bh(&ab->base_lock);
+ mutex_unlock(&ab->tbl_mtx_lock);
+@@ -312,8 +327,6 @@ static int __ath11k_peer_delete(struct ath11k *ar, u32 vdev_id, const u8 *addr)
+ return -EINVAL;
+ }
+
+- ath11k_peer_rhash_delete(ab, peer);
+-
+ spin_unlock_bh(&ab->base_lock);
+ mutex_unlock(&ab->tbl_mtx_lock);
+
+@@ -372,8 +385,17 @@ int ath11k_peer_create(struct ath11k *ar, struct ath11k_vif *arvif,
+ spin_lock_bh(&ar->ab->base_lock);
+ peer = ath11k_peer_find_by_addr(ar->ab, param->peer_addr);
+ if (peer) {
+- spin_unlock_bh(&ar->ab->base_lock);
+- return -EINVAL;
++ if (peer->vdev_id == param->vdev_id) {
++ spin_unlock_bh(&ar->ab->base_lock);
++ return -EINVAL;
++ }
++
++ /* Assume sta is transitioning to another band.
++ * Remove here the peer from rhash.
++ */
++ mutex_lock(&ar->ab->tbl_mtx_lock);
++ ath11k_peer_rhash_delete(ar->ab, peer);
++ mutex_unlock(&ar->ab->tbl_mtx_lock);
+ }
+ spin_unlock_bh(&ar->ab->base_lock);
+
+--
+2.35.1
+
--- /dev/null
+From 6bbc3c9483c3cc8e2200ce31e35ba0bed5cc6896 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 12:43:58 +0800
+Subject: wifi: ath11k: Include STA_KEEPALIVE_ARP_RESPONSE TLV header by
+ default
+
+From: Baochen Qiang <quic_bqiang@quicinc.com>
+
+[ Upstream commit b7b6f86149a7e06269d61a7a5206360f5b642f80 ]
+
+In current code STA_KEEPALIVE_ARP_RESPONSE TLV header is included only
+when ARP method is used, this causes firmware always to crash when wowlan
+is enabled because firmware needs it to be present no matter ARP method
+is used or not.
+
+Fix this issue by including STA_KEEPALIVE_ARP_RESPONSE TLV header by
+default.
+
+Also fix below typo:
+ s/WMI_TAG_STA_KEEPALVE_ARP_RESPONSE/WMI_TAG_STA_KEEPALIVE_ARP_RESPONSE/
+
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3
+
+Fixes: 0f84a156aa3b ("ath11k: Handle keepalive during WoWLAN suspend and resume")
+Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20220913044358.2037-1-quic_bqiang@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/wmi.c | 9 +++++----
+ drivers/net/wireless/ath/ath11k/wmi.h | 2 +-
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
+index 88ee4f9d19da..b658ea60dcf7 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -8962,12 +8962,13 @@ int ath11k_wmi_sta_keepalive(struct ath11k *ar,
+ cmd->interval = arg->interval;
+ cmd->method = arg->method;
+
++ arp = (struct wmi_sta_keepalive_arp_resp *)(cmd + 1);
++ arp->tlv_header = FIELD_PREP(WMI_TLV_TAG,
++ WMI_TAG_STA_KEEPALIVE_ARP_RESPONSE) |
++ FIELD_PREP(WMI_TLV_LEN, sizeof(*arp) - TLV_HDR_SIZE);
++
+ if (arg->method == WMI_STA_KEEPALIVE_METHOD_UNSOLICITED_ARP_RESPONSE ||
+ arg->method == WMI_STA_KEEPALIVE_METHOD_GRATUITOUS_ARP_REQUEST) {
+- arp = (struct wmi_sta_keepalive_arp_resp *)(cmd + 1);
+- arp->tlv_header = FIELD_PREP(WMI_TLV_TAG,
+- WMI_TAG_STA_KEEPALVE_ARP_RESPONSE) |
+- FIELD_PREP(WMI_TLV_LEN, sizeof(*arp) - TLV_HDR_SIZE);
+ arp->src_ip4_addr = arg->src_ip4_addr;
+ arp->dest_ip4_addr = arg->dest_ip4_addr;
+ ether_addr_copy(arp->dest_mac_addr.addr, arg->dest_mac_addr);
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.h b/drivers/net/wireless/ath/ath11k/wmi.h
+index 4da248ffa318..ba5343a3411f 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.h
++++ b/drivers/net/wireless/ath/ath11k/wmi.h
+@@ -1214,7 +1214,7 @@ enum wmi_tlv_tag {
+ WMI_TAG_NS_OFFLOAD_TUPLE,
+ WMI_TAG_FTM_INTG_CMD,
+ WMI_TAG_STA_KEEPALIVE_CMD,
+- WMI_TAG_STA_KEEPALVE_ARP_RESPONSE,
++ WMI_TAG_STA_KEEPALIVE_ARP_RESPONSE,
+ WMI_TAG_P2P_SET_VENDOR_IE_DATA_CMD,
+ WMI_TAG_AP_PS_PEER_CMD,
+ WMI_TAG_PEER_RATE_RETRY_SCHED_CMD,
+--
+2.35.1
+
--- /dev/null
+From 3fe6993dca341f3625a59ef548a931b4aa415e7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 15:37:04 +0800
+Subject: wifi: ath11k: mhi: fix potential memory leak in ath11k_mhi_register()
+
+From: Jianglei Nie <niejianglei2021@163.com>
+
+[ Upstream commit 43e7c3505ec70db3d3c6458824d5fa40f62e3e7b ]
+
+mhi_alloc_controller() allocates a memory space for mhi_ctrl. When gets
+some error, mhi_ctrl should be freed with mhi_free_controller(). But
+when ath11k_mhi_read_addr_from_dt() fails, the function returns without
+calling mhi_free_controller(), which will lead to a memory leak.
+
+We can fix it by calling mhi_free_controller() when
+ath11k_mhi_read_addr_from_dt() fails.
+
+Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
+Reviewed-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20220907073704.58806-1-niejianglei2021@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/mhi.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mhi.c b/drivers/net/wireless/ath/ath11k/mhi.c
+index c44df17719f6..86995e8dc913 100644
+--- a/drivers/net/wireless/ath/ath11k/mhi.c
++++ b/drivers/net/wireless/ath/ath11k/mhi.c
+@@ -402,8 +402,7 @@ int ath11k_mhi_register(struct ath11k_pci *ab_pci)
+ ret = ath11k_mhi_get_msi(ab_pci);
+ if (ret) {
+ ath11k_err(ab, "failed to get msi for mhi\n");
+- mhi_free_controller(mhi_ctrl);
+- return ret;
++ goto free_controller;
+ }
+
+ if (!test_bit(ATH11K_FLAG_MULTI_MSI_VECTORS, &ab->dev_flags))
+@@ -412,7 +411,7 @@ int ath11k_mhi_register(struct ath11k_pci *ab_pci)
+ if (test_bit(ATH11K_FLAG_FIXED_MEM_RGN, &ab->dev_flags)) {
+ ret = ath11k_mhi_read_addr_from_dt(mhi_ctrl);
+ if (ret < 0)
+- return ret;
++ goto free_controller;
+ } else {
+ mhi_ctrl->iova_start = 0;
+ mhi_ctrl->iova_stop = 0xFFFFFFFF;
+@@ -440,18 +439,22 @@ int ath11k_mhi_register(struct ath11k_pci *ab_pci)
+ default:
+ ath11k_err(ab, "failed assign mhi_config for unknown hw rev %d\n",
+ ab->hw_rev);
+- mhi_free_controller(mhi_ctrl);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto free_controller;
+ }
+
+ ret = mhi_register_controller(mhi_ctrl, ath11k_mhi_config);
+ if (ret) {
+ ath11k_err(ab, "failed to register to mhi bus, err = %d\n", ret);
+- mhi_free_controller(mhi_ctrl);
+- return ret;
++ goto free_controller;
+ }
+
+ return 0;
++
++free_controller:
++ mhi_free_controller(mhi_ctrl);
++ ab_pci->mhi_ctrl = NULL;
++ return ret;
+ }
+
+ void ath11k_mhi_unregister(struct ath11k_pci *ab_pci)
+--
+2.35.1
+
--- /dev/null
+From 7edf6c127b4246b92565e9f5040ca40108d998a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Aug 2022 09:04:19 +0300
+Subject: wifi: ath11k: Register shutdown handler for WCN6750
+
+From: Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
+
+[ Upstream commit ac41c2b642b136a1e633379fcb87a9db0ee07f5b ]
+
+When the system shuts down, SMMU driver will be stopped and
+will not assist in IOVA translations. SMMU driver expects all
+of its consumers to shutdown before shutting down itself.
+WCN6750 being one of the consumer device should not perform any
+DMA operations after the SMMU has shutdown which will otherwise
+result in SMMU faults.
+
+SMMU driver will call the shutdown() callback of all its
+consumer devices and the consumers shall stop further DMA
+activity after the invocation of their respective shutdown()
+callbacks.
+
+Register the shutdown() callback to the platform core for WCN6750.
+Change will not impact other AHB ath11k devices.
+
+Tested-on: WCN6750 hw1.0 AHB WLAN.MSL.1.0.1-00887-QCAMSLSWPLZ-1
+
+Signed-off-by: Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20220720134710.15523-1-quic_mpubbise@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/ahb.c | 58 ++++++++++++++++++++------
+ drivers/net/wireless/ath/ath11k/core.c | 2 +
+ 2 files changed, 47 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/ahb.c b/drivers/net/wireless/ath/ath11k/ahb.c
+index c47414710138..911eee9646a4 100644
+--- a/drivers/net/wireless/ath/ath11k/ahb.c
++++ b/drivers/net/wireless/ath/ath11k/ahb.c
+@@ -1088,20 +1088,10 @@ static int ath11k_ahb_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+-static int ath11k_ahb_remove(struct platform_device *pdev)
++static void ath11k_ahb_remove_prepare(struct ath11k_base *ab)
+ {
+- struct ath11k_base *ab = platform_get_drvdata(pdev);
+ unsigned long left;
+
+- if (test_bit(ATH11K_FLAG_QMI_FAIL, &ab->dev_flags)) {
+- ath11k_ahb_power_down(ab);
+- ath11k_debugfs_soc_destroy(ab);
+- ath11k_qmi_deinit_service(ab);
+- goto qmi_fail;
+- }
+-
+- reinit_completion(&ab->driver_recovery);
+-
+ if (test_bit(ATH11K_FLAG_RECOVERY, &ab->dev_flags)) {
+ left = wait_for_completion_timeout(&ab->driver_recovery,
+ ATH11K_AHB_RECOVERY_TIMEOUT);
+@@ -1111,19 +1101,60 @@ static int ath11k_ahb_remove(struct platform_device *pdev)
+
+ set_bit(ATH11K_FLAG_UNREGISTERING, &ab->dev_flags);
+ cancel_work_sync(&ab->restart_work);
++ cancel_work_sync(&ab->qmi.event_work);
++}
++
++static void ath11k_ahb_free_resources(struct ath11k_base *ab)
++{
++ struct platform_device *pdev = ab->pdev;
+
+- ath11k_core_deinit(ab);
+-qmi_fail:
+ ath11k_ahb_free_irq(ab);
+ ath11k_hal_srng_deinit(ab);
+ ath11k_ahb_fw_resource_deinit(ab);
+ ath11k_ce_free_pipes(ab);
+ ath11k_core_free(ab);
+ platform_set_drvdata(pdev, NULL);
++}
++
++static int ath11k_ahb_remove(struct platform_device *pdev)
++{
++ struct ath11k_base *ab = platform_get_drvdata(pdev);
++
++ if (test_bit(ATH11K_FLAG_QMI_FAIL, &ab->dev_flags)) {
++ ath11k_ahb_power_down(ab);
++ ath11k_debugfs_soc_destroy(ab);
++ ath11k_qmi_deinit_service(ab);
++ goto qmi_fail;
++ }
++
++ ath11k_ahb_remove_prepare(ab);
++ ath11k_core_deinit(ab);
++
++qmi_fail:
++ ath11k_ahb_free_resources(ab);
+
+ return 0;
+ }
+
++static void ath11k_ahb_shutdown(struct platform_device *pdev)
++{
++ struct ath11k_base *ab = platform_get_drvdata(pdev);
++
++ /* platform shutdown() & remove() are mutually exclusive.
++ * remove() is invoked during rmmod & shutdown() during
++ * system reboot/shutdown.
++ */
++ ath11k_ahb_remove_prepare(ab);
++
++ if (!(test_bit(ATH11K_FLAG_REGISTERED, &ab->dev_flags)))
++ goto free_resources;
++
++ ath11k_core_deinit(ab);
++
++free_resources:
++ ath11k_ahb_free_resources(ab);
++}
++
+ static struct platform_driver ath11k_ahb_driver = {
+ .driver = {
+ .name = "ath11k",
+@@ -1131,6 +1162,7 @@ static struct platform_driver ath11k_ahb_driver = {
+ },
+ .probe = ath11k_ahb_probe,
+ .remove = ath11k_ahb_remove,
++ .shutdown = ath11k_ahb_shutdown,
+ };
+
+ static int ath11k_ahb_init(void)
+diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
+index c3e9e4f7bc24..9df6aaae8a44 100644
+--- a/drivers/net/wireless/ath/ath11k/core.c
++++ b/drivers/net/wireless/ath/ath11k/core.c
+@@ -1563,6 +1563,8 @@ static void ath11k_core_pre_reconfigure_recovery(struct ath11k_base *ab)
+
+ wake_up(&ab->wmi_ab.tx_credits_wq);
+ wake_up(&ab->peer_mapping_wq);
++
++ reinit_completion(&ab->driver_recovery);
+ }
+
+ static void ath11k_core_post_reconfigure_recovery(struct ath11k_base *ab)
+--
+2.35.1
+
--- /dev/null
+From 830af93456cf13ac30145e210ea00e9813fac94b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 23:46:13 +0900
+Subject: wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit b383e8abed41cc6ff1a3b34de75df9397fa4878c ]
+
+syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for
+ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with
+pkt_len = 0 but ath9k_hif_usb_rx_stream() uses
+__dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that
+pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb
+with uninitialized memory and ath9k_htc_rx_msg() is reading from
+uninitialized memory.
+
+Since bytes accessed by ath9k_htc_rx_msg() is not known until
+ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid
+pkt_len at "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in
+ath9k_hif_usb_rx_stream().
+
+We have two choices. One is to workaround by adding __GFP_ZERO so that
+ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let
+ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose
+the latter.
+
+Note that I'm not sure threshold condition is correct, for I can't find
+details on possible packet length used by this protocol.
+
+Link: https://syzkaller.appspot.com/bug?extid=2ca247c2d60c7023de7f [1]
+Reported-by: syzbot <syzbot+2ca247c2d60c7023de7f@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/7acfa1be-4b5c-b2ce-de43-95b0593fb3e5@I-love.SAKURA.ne.jp
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_hst.c | 43 +++++++++++++++---------
+ 1 file changed, 28 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
+index 994ec48b2f66..ca05b07a45e6 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
+@@ -364,33 +364,27 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle,
+ }
+
+ static void ath9k_htc_fw_panic_report(struct htc_target *htc_handle,
+- struct sk_buff *skb)
++ struct sk_buff *skb, u32 len)
+ {
+ uint32_t *pattern = (uint32_t *)skb->data;
+
+- switch (*pattern) {
+- case 0x33221199:
+- {
++ if (*pattern == 0x33221199 && len >= sizeof(struct htc_panic_bad_vaddr)) {
+ struct htc_panic_bad_vaddr *htc_panic;
+ htc_panic = (struct htc_panic_bad_vaddr *) skb->data;
+ dev_err(htc_handle->dev, "ath: firmware panic! "
+ "exccause: 0x%08x; pc: 0x%08x; badvaddr: 0x%08x.\n",
+ htc_panic->exccause, htc_panic->pc,
+ htc_panic->badvaddr);
+- break;
+- }
+- case 0x33221299:
+- {
++ return;
++ }
++ if (*pattern == 0x33221299) {
+ struct htc_panic_bad_epid *htc_panic;
+ htc_panic = (struct htc_panic_bad_epid *) skb->data;
+ dev_err(htc_handle->dev, "ath: firmware panic! "
+ "bad epid: 0x%08x\n", htc_panic->epid);
+- break;
+- }
+- default:
+- dev_err(htc_handle->dev, "ath: unknown panic pattern!\n");
+- break;
++ return;
+ }
++ dev_err(htc_handle->dev, "ath: unknown panic pattern!\n");
+ }
+
+ /*
+@@ -411,16 +405,26 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
+ if (!htc_handle || !skb)
+ return;
+
++ /* A valid message requires len >= 8.
++ *
++ * sizeof(struct htc_frame_hdr) == 8
++ * sizeof(struct htc_ready_msg) == 8
++ * sizeof(struct htc_panic_bad_vaddr) == 16
++ * sizeof(struct htc_panic_bad_epid) == 8
++ */
++ if (unlikely(len < sizeof(struct htc_frame_hdr)))
++ goto invalid;
+ htc_hdr = (struct htc_frame_hdr *) skb->data;
+ epid = htc_hdr->endpoint_id;
+
+ if (epid == 0x99) {
+- ath9k_htc_fw_panic_report(htc_handle, skb);
++ ath9k_htc_fw_panic_report(htc_handle, skb, len);
+ kfree_skb(skb);
+ return;
+ }
+
+ if (epid < 0 || epid >= ENDPOINT_MAX) {
++invalid:
+ if (pipe_id != USB_REG_IN_PIPE)
+ dev_kfree_skb_any(skb);
+ else
+@@ -432,21 +436,30 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
+
+ /* Handle trailer */
+ if (htc_hdr->flags & HTC_FLAGS_RECV_TRAILER) {
+- if (be32_to_cpu(*(__be32 *) skb->data) == 0x00C60000)
++ if (be32_to_cpu(*(__be32 *) skb->data) == 0x00C60000) {
+ /* Move past the Watchdog pattern */
+ htc_hdr = (struct htc_frame_hdr *)(skb->data + 4);
++ len -= 4;
++ }
+ }
+
+ /* Get the message ID */
++ if (unlikely(len < sizeof(struct htc_frame_hdr) + sizeof(__be16)))
++ goto invalid;
+ msg_id = (__be16 *) ((void *) htc_hdr +
+ sizeof(struct htc_frame_hdr));
+
+ /* Now process HTC messages */
+ switch (be16_to_cpu(*msg_id)) {
+ case HTC_MSG_READY_ID:
++ if (unlikely(len < sizeof(struct htc_ready_msg)))
++ goto invalid;
+ htc_process_target_rdy(htc_handle, htc_hdr);
+ break;
+ case HTC_MSG_CONNECT_SERVICE_RESPONSE_ID:
++ if (unlikely(len < sizeof(struct htc_frame_hdr) +
++ sizeof(struct htc_conn_svc_rspmsg)))
++ goto invalid;
+ htc_process_conn_rsp(htc_handle, htc_hdr);
+ break;
+ default:
+--
+2.35.1
+
--- /dev/null
+From c288ce30690d1881d71f00d00f25f423e65dbe5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Jul 2022 13:56:28 +0200
+Subject: wifi: brcmfmac: fix invalid address access when enabling SCAN log
+ level
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wright Feng <wright.feng@cypress.com>
+
+[ Upstream commit aa666b68e73fc06d83c070d96180b9010cf5a960 ]
+
+The variable i is changed when setting random MAC address and causes
+invalid address access when printing the value of pi->reqs[i]->reqid.
+
+We replace reqs index with ri to fix the issue.
+
+[ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
+[ 136.737365] Mem abort info:
+[ 136.740172] ESR = 0x96000004
+[ 136.743359] Exception class = DABT (current EL), IL = 32 bits
+[ 136.749294] SET = 0, FnV = 0
+[ 136.752481] EA = 0, S1PTW = 0
+[ 136.755635] Data abort info:
+[ 136.758514] ISV = 0, ISS = 0x00000004
+[ 136.762487] CM = 0, WnR = 0
+[ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577
+[ 136.772265] [0000000000000000] pgd=0000000000000000
+[ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP
+[ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O)
+[ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb)
+[ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1
+[ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT)
+[ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO)
+[ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
+[ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac]
+[ 136.828162] sp : ffff00000e9a3880
+[ 136.831475] x29: ffff00000e9a3890 x28: ffff800020543400
+[ 136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0
+[ 136.842098] x25: ffff80002054345c x24: ffff800088d22400
+[ 136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8
+[ 136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400
+[ 136.858032] x19: ffff00000e9a3946 x18: 0000000000000000
+[ 136.863343] x17: 0000000000000000 x16: 0000000000000000
+[ 136.868655] x15: ffff0000093f3b37 x14: 0000000000000050
+[ 136.873966] x13: 0000000000003135 x12: 0000000000000000
+[ 136.879277] x11: 0000000000000000 x10: ffff000009a61888
+[ 136.884589] x9 : 000000000000000f x8 : 0000000000000008
+[ 136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d
+[ 136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942
+[ 136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8
+[ 136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000
+[ 136.911146] Call trace:
+[ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]
+[ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac]
+[ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac]
+[ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211]
+[ 136.937298] genl_rcv_msg+0x358/0x3f4
+[ 136.940960] netlink_rcv_skb+0xb4/0x118
+[ 136.944795] genl_rcv+0x34/0x48
+[ 136.947935] netlink_unicast+0x264/0x300
+[ 136.951856] netlink_sendmsg+0x2e4/0x33c
+[ 136.955781] __sys_sendto+0x120/0x19c
+
+Signed-off-by: Wright Feng <wright.feng@cypress.com>
+Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
+Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Signed-off-by: Alvin Šipraga <alsi@bang-olufsen.dk>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220722115632.620681-4-alvin@pqrs.dk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/pno.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c
+index fabfbb0b40b0..d0a7465be586 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c
+@@ -158,12 +158,12 @@ static int brcmf_pno_set_random(struct brcmf_if *ifp, struct brcmf_pno_info *pi)
+ struct brcmf_pno_macaddr_le pfn_mac;
+ u8 *mac_addr = NULL;
+ u8 *mac_mask = NULL;
+- int err, i;
++ int err, i, ri;
+
+- for (i = 0; i < pi->n_reqs; i++)
+- if (pi->reqs[i]->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
+- mac_addr = pi->reqs[i]->mac_addr;
+- mac_mask = pi->reqs[i]->mac_addr_mask;
++ for (ri = 0; ri < pi->n_reqs; ri++)
++ if (pi->reqs[ri]->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
++ mac_addr = pi->reqs[ri]->mac_addr;
++ mac_mask = pi->reqs[ri]->mac_addr_mask;
+ break;
+ }
+
+@@ -185,7 +185,7 @@ static int brcmf_pno_set_random(struct brcmf_if *ifp, struct brcmf_pno_info *pi)
+ pfn_mac.mac[0] |= 0x02;
+
+ brcmf_dbg(SCAN, "enabling random mac: reqid=%llu mac=%pM\n",
+- pi->reqs[i]->reqid, pfn_mac.mac);
++ pi->reqs[ri]->reqid, pfn_mac.mac);
+ err = brcmf_fil_iovar_data_set(ifp, "pfn_macaddr", &pfn_mac,
+ sizeof(pfn_mac));
+ if (err)
+--
+2.35.1
+
--- /dev/null
+From fc59bf61a9371ab16ebbfcf22c960ea6ce10f2f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Aug 2022 10:49:26 -0700
+Subject: wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()
+
+From: Alexander Coffin <alex.coffin@matician.com>
+
+[ Upstream commit 3f42faf6db431e04bf942d2ebe3ae88975723478 ]
+
+> ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb);
+
+may be schedule, and then complete before the line
+
+> ndev->stats.tx_bytes += skb->len;
+
+[ 46.912801] ==================================================================
+[ 46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]
+[ 46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328
+[ 46.935991]
+[ 46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G O 5.4.199-[REDACTED] #1
+[ 46.947255] Hardware name: [REDACTED]
+[ 46.954568] Call trace:
+[ 46.957037] dump_backtrace+0x0/0x2b8
+[ 46.960719] show_stack+0x24/0x30
+[ 46.964052] dump_stack+0x128/0x194
+[ 46.967557] print_address_description.isra.0+0x64/0x380
+[ 46.972877] __kasan_report+0x1d4/0x240
+[ 46.976723] kasan_report+0xc/0x18
+[ 46.980138] __asan_report_load4_noabort+0x18/0x20
+[ 46.985027] brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]
+[ 46.990613] dev_hard_start_xmit+0x1bc/0xda0
+[ 46.994894] sch_direct_xmit+0x198/0xd08
+[ 46.998827] __qdisc_run+0x37c/0x1dc0
+[ 47.002500] __dev_queue_xmit+0x1528/0x21f8
+[ 47.006692] dev_queue_xmit+0x24/0x30
+[ 47.010366] neigh_resolve_output+0x37c/0x678
+[ 47.014734] ip_finish_output2+0x598/0x2458
+[ 47.018927] __ip_finish_output+0x300/0x730
+[ 47.023118] ip_output+0x2e0/0x430
+[ 47.026530] ip_local_out+0x90/0x140
+[ 47.030117] igmpv3_sendpack+0x14c/0x228
+[ 47.034049] igmpv3_send_cr+0x384/0x6b8
+[ 47.037895] igmp_ifc_timer_expire+0x4c/0x118
+[ 47.042262] call_timer_fn+0x1cc/0xbe8
+[ 47.046021] __run_timers+0x4d8/0xb28
+[ 47.049693] run_timer_softirq+0x24/0x40
+[ 47.053626] __do_softirq+0x2c0/0x117c
+[ 47.057387] irq_exit+0x2dc/0x388
+[ 47.060715] __handle_domain_irq+0xb4/0x158
+[ 47.064908] gic_handle_irq+0x58/0xb0
+[ 47.068581] el0_irq_naked+0x50/0x5c
+[ 47.072162]
+[ 47.073665] Allocated by task 328:
+[ 47.077083] save_stack+0x24/0xb0
+[ 47.080410] __kasan_kmalloc.isra.0+0xc0/0xe0
+[ 47.084776] kasan_slab_alloc+0x14/0x20
+[ 47.088622] kmem_cache_alloc+0x15c/0x468
+[ 47.092643] __alloc_skb+0xa4/0x498
+[ 47.096142] igmpv3_newpack+0x158/0xd78
+[ 47.099987] add_grhead+0x210/0x288
+[ 47.103485] add_grec+0x6b0/0xb70
+[ 47.106811] igmpv3_send_cr+0x2e0/0x6b8
+[ 47.110657] igmp_ifc_timer_expire+0x4c/0x118
+[ 47.115027] call_timer_fn+0x1cc/0xbe8
+[ 47.118785] __run_timers+0x4d8/0xb28
+[ 47.122457] run_timer_softirq+0x24/0x40
+[ 47.126389] __do_softirq+0x2c0/0x117c
+[ 47.130142]
+[ 47.131643] Freed by task 180:
+[ 47.134712] save_stack+0x24/0xb0
+[ 47.138041] __kasan_slab_free+0x108/0x180
+[ 47.142146] kasan_slab_free+0x10/0x18
+[ 47.145904] slab_free_freelist_hook+0xa4/0x1b0
+[ 47.150444] kmem_cache_free+0x8c/0x528
+[ 47.154292] kfree_skbmem+0x94/0x108
+[ 47.157880] consume_skb+0x10c/0x5a8
+[ 47.161466] __dev_kfree_skb_any+0x88/0xa0
+[ 47.165598] brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil]
+[ 47.171023] brcmf_txfinalize+0xec/0x190 [brcmfmac]
+[ 47.176016] brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac]
+[ 47.182056] brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac]
+[ 47.187568] brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac]
+[ 47.192529] brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac]
+[ 47.197859] process_one_work+0x7fc/0x1a80
+[ 47.201965] worker_thread+0x31c/0xc40
+[ 47.205726] kthread+0x2d8/0x370
+[ 47.208967] ret_from_fork+0x10/0x18
+[ 47.212546]
+[ 47.214051] The buggy address belongs to the object at ffffff803f588280
+[ 47.214051] which belongs to the cache skbuff_head_cache of size 208
+[ 47.227086] The buggy address is located 104 bytes inside of
+[ 47.227086] 208-byte region [ffffff803f588280, ffffff803f588350)
+[ 47.238814] The buggy address belongs to the page:
+[ 47.243618] page:ffffffff00dd6200 refcount:1 mapcount:0 mapping:ffffff804b6bf800 index:0xffffff803f589900 compound_mapcount: 0
+[ 47.255007] flags: 0x10200(slab|head)
+[ 47.258689] raw: 0000000000010200 ffffffff00dfa980 0000000200000002 ffffff804b6bf800
+[ 47.266439] raw: ffffff803f589900 0000000080190018 00000001ffffffff 0000000000000000
+[ 47.274180] page dumped because: kasan: bad access detected
+[ 47.279752]
+[ 47.281251] Memory state around the buggy address:
+[ 47.286051] ffffff803f588180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 47.293277] ffffff803f588200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 47.300502] >ffffff803f588280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 47.307723] ^
+[ 47.314343] ffffff803f588300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
+[ 47.321569] ffffff803f588380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+[ 47.328789] ==================================================================
+
+Signed-off-by: Alexander Coffin <alex.coffin@matician.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220808174925.3922558-1-alex.coffin@matician.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+index bd164a0821f9..ca95b02962ef 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -292,6 +292,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
+ struct brcmf_pub *drvr = ifp->drvr;
+ struct ethhdr *eh;
+ int head_delta;
++ unsigned int tx_bytes = skb->len;
+
+ brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx);
+
+@@ -366,7 +367,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
+ ndev->stats.tx_dropped++;
+ } else {
+ ndev->stats.tx_packets++;
+- ndev->stats.tx_bytes += skb->len;
++ ndev->stats.tx_bytes += tx_bytes;
+ }
+
+ /* Return ok: we always eat the packet */
+--
+2.35.1
+
--- /dev/null
+From 8461960a390b586a16cb00d1b470120ce3982e92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Aug 2022 14:12:29 +0300
+Subject: wifi: cfg80211: get correct AP link chandef
+
+From: Shaul Triebitz <shaul.triebitz@intel.com>
+
+[ Upstream commit bc1857619cc7612117d2ee1ed05b5bfeb638614b ]
+
+When checking for channel regulatory validity, use the
+AP link chandef (and not mesh's chandef).
+
+Fixes: 7b0a0e3c3a88 ("wifi: cfg80211: do some rework towards MLO link APIs")
+Signed-off-by: Shaul Triebitz <shaul.triebitz@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/reg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/wireless/reg.c b/net/wireless/reg.c
+index c7383ede794f..d5c7a5aa6853 100644
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2389,6 +2389,10 @@ static bool reg_wdev_chan_valid(struct wiphy *wiphy, struct wireless_dev *wdev)
+ switch (iftype) {
+ case NL80211_IFTYPE_AP:
+ case NL80211_IFTYPE_P2P_GO:
++ if (!wdev->links[link].ap.beacon_interval)
++ continue;
++ chandef = wdev->links[link].ap.chandef;
++ break;
+ case NL80211_IFTYPE_MESH_POINT:
+ if (!wdev->u.mesh.beacon_interval)
+ continue;
+--
+2.35.1
+
--- /dev/null
+From 88ca627854dce49af679eb97d3f70fbcebcc6506 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Jul 2022 22:08:49 +0200
+Subject: wifi: mac80211: accept STA changes without link changes
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit b303835dabe0340f932ebb4e260d2229f79b0684 ]
+
+If there's no link ID, then check that there are no changes to
+the link, and if so accept them, unless a new link is created.
+While at it, reject creating a new link without an address.
+
+This fixes authorizing an MLD (peer) that has no link 0.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index e5239a17a875..65f34945a767 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1610,6 +1610,18 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
+ rcu_dereference_protected(sta->link[link_id],
+ lockdep_is_held(&local->sta_mtx));
+
++ /*
++ * If there are no changes, then accept a link that doesn't exist,
++ * unless it's a new link.
++ */
++ if (params->link_id < 0 && !new_link &&
++ !params->link_mac && !params->txpwr_set &&
++ !params->supported_rates_len &&
++ !params->ht_capa && !params->vht_capa &&
++ !params->he_capa && !params->eht_capa &&
++ !params->opmode_notif_used)
++ return 0;
++
+ if (!link || !link_sta)
+ return -EINVAL;
+
+@@ -1625,6 +1637,8 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
+ params->link_mac)) {
+ return -EINVAL;
+ }
++ } else if (new_link) {
++ return -EINVAL;
+ }
+
+ if (params->txpwr_set) {
+--
+2.35.1
+
--- /dev/null
+From a805fd59db4ce2bd04b319623a1b8cffbc8148cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 12:02:29 +0530
+Subject: wifi: mac80211: allow bw change during channel switch in mesh
+
+From: Hari Chandrakanthan <quic_haric@quicinc.com>
+
+[ Upstream commit 6b75f133fe05c36c52d691ff21545d5757fff721 ]
+
+From 'IEEE Std 802.11-2020 section 11.8.8.4.1':
+ The mesh channel switch may be triggered by the need to avoid
+ interference to a detected radar signal, or to reassign mesh STA
+ channels to ensure the MBSS connectivity.
+
+ A 20/40 MHz MBSS may be changed to a 20 MHz MBSS and a 20 MHz
+ MBSS may be changed to a 20/40 MHz MBSS.
+
+Since the standard allows the change of bandwidth during
+the channel switch in mesh, remove the bandwidth check present in
+ieee80211_set_csa_beacon.
+
+Fixes: c6da674aff94 ("{nl,cfg,mac}80211: enable the triggering of CSA frame in mesh")
+Signed-off-by: Hari Chandrakanthan <quic_haric@quicinc.com>
+Link: https://lore.kernel.org/r/1658903549-21218-1-git-send-email-quic_haric@quicinc.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index a4f6971b7a19..e5239a17a875 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -3597,9 +3597,6 @@ static int ieee80211_set_csa_beacon(struct ieee80211_sub_if_data *sdata,
+ case NL80211_IFTYPE_MESH_POINT: {
+ struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
+
+- if (params->chandef.width != sdata->vif.bss_conf.chandef.width)
+- return -EINVAL;
+-
+ /* changes into another band are not supported */
+ if (sdata->vif.bss_conf.chandef.chan->band !=
+ params->chandef.chan->band)
+--
+2.35.1
+
--- /dev/null
+From 8ea3b436eb75972d44ba5126a3a3833048119a94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Aug 2022 10:44:05 +0200
+Subject: wifi: mac80211: fix use-after-free
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 40fb87129049ec5876dabf4a4d4aed6642b31f1a ]
+
+We've already freed the assoc_data at this point, so need
+to use another copy of the AP (MLD) address instead.
+
+Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index fc764984d687..1e9cb4be6ed3 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -5122,7 +5122,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
+ resp.req_ies = ifmgd->assoc_req_ies;
+ resp.req_ies_len = ifmgd->assoc_req_ies_len;
+ if (sdata->vif.valid_links)
+- resp.ap_mld_addr = assoc_data->ap_addr;
++ resp.ap_mld_addr = sdata->vif.cfg.ap_addr;
+ cfg80211_rx_assoc_resp(sdata->dev, &resp);
+ notify_driver:
+ drv_mgd_complete_tx(sdata->local, sdata, &info);
+--
+2.35.1
+
--- /dev/null
+From 66eed272ee2cec3f127486d798be4460e73fffd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 16:12:38 +0200
+Subject: wifi: mac80211: mlme: assign link address correctly
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit acdc3e47881d86dc1cb89d4603e3fed90ab150db ]
+
+Right now, we assign the link address only after we add
+the link to the driver, which is quite obviously wrong.
+It happens to work in many cases because it gets updated
+immediately, and then link_conf updates may update it,
+but it's clearly not really right.
+
+Set the link address during ieee80211_mgd_setup_link()
+so it's set before telling the driver about the link.
+
+Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 76ae6f03d77e..654414caeb71 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -6291,6 +6291,8 @@ void ieee80211_mgd_setup_link(struct ieee80211_link_data *link)
+ if (sdata->u.mgd.assoc_data)
+ ether_addr_copy(link->conf->addr,
+ sdata->u.mgd.assoc_data->link[link_id].addr);
++ else if (!is_valid_ether_addr(link->conf->addr))
++ eth_random_addr(link->conf->addr);
+ }
+
+ /* scan finished notification */
+@@ -6378,9 +6380,6 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
+ goto out_err;
+ }
+
+- if (mlo && !is_valid_ether_addr(link->conf->addr))
+- eth_random_addr(link->conf->addr);
+-
+ if (WARN_ON(!ifmgd->auth_data && !ifmgd->assoc_data)) {
+ err = -EINVAL;
+ goto out_err;
+--
+2.35.1
+
--- /dev/null
+From 1edae81ab0bfff1e407804fae28f0ba0a4bbb9a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Jul 2022 03:51:08 +0300
+Subject: wifi: mac80211: mlme: don't add empty EML capabilities
+
+From: Mordechay Goodstein <mordechay.goodstein@intel.com>
+
+[ Upstream commit 1cb3cf372abe4a0d16620d2b1201de0e291a6c58 ]
+
+Draft P802.11be_D2.1, section 35.3.17 states that the EML Capabilities
+Field shouldn't be included in case the device doesn't have support for
+EMLSR or EMLMR.
+
+Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link")
+Signed-off-by: Mordechay Goodstein <mordechay.goodstein@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 1e9cb4be6ed3..76ae6f03d77e 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1220,14 +1220,21 @@ static void ieee80211_assoc_add_ml_elem(struct ieee80211_sub_if_data *sdata,
+ ml_elem = skb_put(skb, sizeof(*ml_elem));
+ ml_elem->control =
+ cpu_to_le16(IEEE80211_ML_CONTROL_TYPE_BASIC |
+- IEEE80211_MLC_BASIC_PRES_EML_CAPA |
+ IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP);
+ common = skb_put(skb, sizeof(*common));
+ common->len = sizeof(*common) +
+- 2 + /* EML capabilities */
+ 2; /* MLD capa/ops */
+ memcpy(common->mld_mac_addr, sdata->vif.addr, ETH_ALEN);
+- skb_put_data(skb, &eml_capa, sizeof(eml_capa));
++
++ /* add EML_CAPA only if needed, see Draft P802.11be_D2.1, 35.3.17 */
++ if (eml_capa &
++ cpu_to_le16((IEEE80211_EML_CAP_EMLSR_SUPP |
++ IEEE80211_EML_CAP_EMLMR_SUPPORT))) {
++ common->len += 2; /* EML capabilities */
++ ml_elem->control |=
++ cpu_to_le16(IEEE80211_MLC_BASIC_PRES_EML_CAPA);
++ skb_put_data(skb, &eml_capa, sizeof(eml_capa));
++ }
+ /* need indication from userspace to support this */
+ mld_capa_ops &= ~cpu_to_le16(IEEE80211_MLD_CAP_OP_TID_TO_LINK_MAP_NEG_SUPP);
+ skb_put_data(skb, &mld_capa_ops, sizeof(mld_capa_ops));
+--
+2.35.1
+
--- /dev/null
+From 71725a05f1988dc73636e9c685fb9ac549f82fda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Jul 2022 11:07:32 +0300
+Subject: wifi: mac80211: properly set old_links when removing a link
+
+From: Shaul Triebitz <shaul.triebitz@intel.com>
+
+[ Upstream commit a8f62399daa6917e7f9efeb79bce4dd2cd494a1e ]
+
+In ieee80211_sta_remove_link, valid_links is set to
+the new_links before calling drv_change_sta_links, but
+is used for the old_links.
+
+Fixes: cb71f1d136a6 ("wifi: mac80211: add sta link addition/removal")
+Signed-off-by: Shaul Triebitz <shaul.triebitz@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/sta_info.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
+index 58998d821778..9d7b238a6737 100644
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -2799,6 +2799,7 @@ int ieee80211_sta_activate_link(struct sta_info *sta, unsigned int link_id)
+ void ieee80211_sta_remove_link(struct sta_info *sta, unsigned int link_id)
+ {
+ struct ieee80211_sub_if_data *sdata = sta->sdata;
++ u16 old_links = sta->sta.valid_links;
+
+ lockdep_assert_held(&sdata->local->sta_mtx);
+
+@@ -2806,8 +2807,7 @@ void ieee80211_sta_remove_link(struct sta_info *sta, unsigned int link_id)
+
+ if (test_sta_flag(sta, WLAN_STA_INSERTED))
+ drv_change_sta_links(sdata->local, sdata, &sta->sta,
+- sta->sta.valid_links,
+- sta->sta.valid_links & ~BIT(link_id));
++ old_links, sta->sta.valid_links);
+
+ sta_remove_link(sta, link_id, true);
+ }
+--
+2.35.1
+
--- /dev/null
+From 003854d4eac177f1914bf0ae4a171a3f346919b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Aug 2022 14:58:42 +0200
+Subject: wifi: mac80211_hwsim: fix link change handling
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 65f7052b6c38f767d95ebfa4ae4b389b6da6a421 ]
+
+The code for determining which links to update in wmediumd
+or virtio was wrong, fix it to remove the deflink only if
+there were no old links, and also add the deflink if there
+are no other new links.
+
+Fixes: c204d9df0202 ("wifi: mac80211_hwsim: handle links for wmediumd/virtio")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index ee34814bd12b..a074552bcec3 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -2995,10 +2995,15 @@ static int mac80211_hwsim_change_vif_links(struct ieee80211_hw *hw,
+ u16 old_links, u16 new_links,
+ struct ieee80211_bss_conf *old[IEEE80211_MLD_MAX_NUM_LINKS])
+ {
+- unsigned long rem = old_links & ~new_links ?: BIT(0);
++ unsigned long rem = old_links & ~new_links;
+ unsigned long add = new_links & ~old_links;
+ int i;
+
++ if (!old_links)
++ rem |= BIT(0);
++ if (!new_links)
++ add |= BIT(0);
++
+ for_each_set_bit(i, &rem, IEEE80211_MLD_MAX_NUM_LINKS)
+ mac80211_hwsim_config_mac_nl(hw, old[i]->addr, false);
+
+--
+2.35.1
+
--- /dev/null
+From b665a4648121042fc95533d75fc0509d527d47d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jul 2022 16:12:06 +0200
+Subject: wifi: mt76: connac: fix possible unaligned access in
+ mt76_connac_mcu_add_nested_tlv
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 0a4860f627f1f2b2b777f54f993de1638a79da9f ]
+
+Fix possible unaligned pointer in mt76_connac_mcu_add_nested_tlv
+routine.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: 25702d9c55dc5 ("mt76: connac: rely on le16_add_cpu in mt76_connac_mcu_add_nested_tlv")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+index 9b17bd97ec09..13d4722e4186 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+@@ -260,8 +260,10 @@ mt76_connac_mcu_add_nested_tlv(struct sk_buff *skb, int tag, int len,
+ ntlv = le16_to_cpu(ntlv_hdr->tlv_num);
+ ntlv_hdr->tlv_num = cpu_to_le16(ntlv + 1);
+
+- if (sta_hdr)
+- le16_add_cpu(&sta_hdr->len, len);
++ if (sta_hdr) {
++ len += le16_to_cpu(sta_hdr->len);
++ sta_hdr->len = cpu_to_le16(len);
++ }
+
+ return ptlv;
+ }
+--
+2.35.1
+
--- /dev/null
+From 933d81365b4850a527d6e19166780328d41e19c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 12:32:12 +0200
+Subject: wifi: mt76: fix uninitialized pointer in mt7921_mac_fill_rx
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 9be57ad73984545d594ed359dac19457bcb9fc27 ]
+
+Initialize msta pointer to NULL in mt7921_mac_fill_rx() in order to not
+dereference a uninitialized pointer.
+
+Fixes: 0880d40871d1d ("mt76: connac: move mt76_connac2_reverse_frag0_hdr_trans in mt76-connac module")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+index 6bd9fc9228a2..e8a7a5831782 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+@@ -235,7 +235,7 @@ mt7921_mac_fill_rx(struct mt7921_dev *dev, struct sk_buff *skb)
+ u32 rxd2 = le32_to_cpu(rxd[2]);
+ u32 rxd3 = le32_to_cpu(rxd[3]);
+ u32 rxd4 = le32_to_cpu(rxd[4]);
+- struct mt7921_sta *msta;
++ struct mt7921_sta *msta = NULL;
+ u16 seq_ctrl = 0;
+ __le16 fc = 0;
+ u8 mode = 0;
+--
+2.35.1
+
--- /dev/null
+From 771d203235eb140d75693a37d3d152a8e93a8616 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jul 2022 10:26:40 +0200
+Subject: wifi: mt76: mt7615: add mt7615_mutex_acquire/release in
+ mt7615_sta_set_decap_offload
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 765c69d477a44c088e5d19e7758dfa4db418e3ba ]
+
+Similar to mt7921 driver, introduce mt7615_mutex_acquire/release in
+mt7615_sta_set_decap_offload in order to avoid sending mcu commands
+while the device is in low-power state.
+
+Fixes: d4b98c63d7a77 ("mt76: mt7615: add support for rx decapsulation offload")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7615/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/main.c b/drivers/net/wireless/mediatek/mt76/mt7615/main.c
+index 9bf8545c8c17..8d4733f87cda 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/main.c
+@@ -1195,12 +1195,16 @@ static void mt7615_sta_set_decap_offload(struct ieee80211_hw *hw,
+ struct mt7615_dev *dev = mt7615_hw_dev(hw);
+ struct mt7615_sta *msta = (struct mt7615_sta *)sta->drv_priv;
+
++ mt7615_mutex_acquire(dev);
++
+ if (enabled)
+ set_bit(MT_WCID_FLAG_HDR_TRANS, &msta->wcid.flags);
+ else
+ clear_bit(MT_WCID_FLAG_HDR_TRANS, &msta->wcid.flags);
+
+ mt7615_mcu_set_sta_decap_offload(dev, vif, sta);
++
++ mt7615_mutex_release(dev);
+ }
+
+ #ifdef CONFIG_PM
+--
+2.35.1
+
--- /dev/null
+From e8c216a396d04cde9ce36af7dc8d2557c6bb6d57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Aug 2022 10:44:07 +0800
+Subject: wifi: mt76: mt7915: do not check state before configuring implicit
+ beamform
+
+From: Howard Hsu <howard-yh.hsu@mediatek.com>
+
+[ Upstream commit d2b5bb6dfab29fe32bedefaade88dcd182c03a00 ]
+
+Do not need to check running state before configuring implicit Tx
+beamform. It is okay to configure implicit Tx beamform in run time.
+Noted that the existing connected stations will be applied for new
+configuration only if they reconnected to the interface.
+
+Fixes: 6d6dc980e07d ("mt76: mt7915: add implicit Tx beamforming support")
+Signed-off-by: Howard Hsu <howard-yh.hsu@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c b/drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c
+index fd76db8f5269..6ef3431cad64 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c
+@@ -23,9 +23,9 @@ mt7915_implicit_txbf_set(void *data, u64 val)
+ {
+ struct mt7915_dev *dev = data;
+
+- if (test_bit(MT76_STATE_RUNNING, &dev->mphy.state))
+- return -EBUSY;
+-
++ /* The existing connected stations shall reconnect to apply
++ * new implicit txbf configuration.
++ */
+ dev->ibf = !!val;
+
+ return mt7915_mcu_set_txbf(dev, MT_BF_TYPE_UPDATE);
+--
+2.35.1
+
--- /dev/null
+From 45e38ab6f43c033ab661e5ea0941367e4417fe29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Jul 2022 09:34:55 +0300
+Subject: wifi: mt76: mt7915: fix an uninitialized variable bug
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit b5ee771c84082b4e54cc39d9d9a2dd239e4f6b86 ]
+
+Smatch complains that:
+
+ drivers/net/wireless/mediatek/mt76/mt7915/mac.c:428 mt7915_mac_fill_rx()
+ error: uninitialized symbol 'msta'.
+
+It looks like this was supposed to be initialized to NULL.
+
+Fixes: 0880d40871d1 ("mt76: connac: move mt76_connac2_reverse_frag0_hdr_trans in mt76-connac module")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+index 60ae834d95a6..4ddcd3afa428 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+@@ -232,7 +232,7 @@ mt7915_mac_fill_rx(struct mt7915_dev *dev, struct sk_buff *skb)
+ bool unicast, insert_ccmp_hdr = false;
+ u8 remove_pad, amsdu_info;
+ u8 mode = 0, qos_ctl = 0;
+- struct mt7915_sta *msta;
++ struct mt7915_sta *msta = NULL;
+ bool hdr_trans;
+ u16 hdr_gap;
+ u16 seq_ctrl = 0;
+--
+2.35.1
+
--- /dev/null
+From c7839fcb782b954b6213ff5e228aae2d487774af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Aug 2022 11:29:31 +0800
+Subject: wifi: mt76: mt7915: fix mcs value in ht mode
+
+From: Howard Hsu <howard-yh.hsu@mediatek.com>
+
+[ Upstream commit c6d3e16ad4362502e804a6ca01e955612f3b8222 ]
+
+Fix the error that mcs will be reduced to a range of 0 to 7 in ht mode.
+
+Fixes: 70fd1333cd32 ("mt76: mt7915: rework .set_bitrate_mask() to support more options")
+Signed-off-by: Howard Hsu <howard-yh.hsu@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+index f83067961945..e99fdacc11ce 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+@@ -1360,7 +1360,7 @@ mt7915_mcu_add_rate_ctrl_fixed(struct mt7915_dev *dev,
+ struct sta_phy phy = {};
+ int ret, nrates = 0;
+
+-#define __sta_phy_bitrate_mask_check(_mcs, _gi, _he) \
++#define __sta_phy_bitrate_mask_check(_mcs, _gi, _ht, _he) \
+ do { \
+ u8 i, gi = mask->control[band]._gi; \
+ gi = (_he) ? gi : gi == NL80211_TXRATE_FORCE_SGI; \
+@@ -1373,15 +1373,17 @@ mt7915_mcu_add_rate_ctrl_fixed(struct mt7915_dev *dev,
+ continue; \
+ nrates += hweight16(mask->control[band]._mcs[i]); \
+ phy.mcs = ffs(mask->control[band]._mcs[i]) - 1; \
++ if (_ht) \
++ phy.mcs += 8 * i; \
+ } \
+ } while (0)
+
+ if (sta->deflink.he_cap.has_he) {
+- __sta_phy_bitrate_mask_check(he_mcs, he_gi, 1);
++ __sta_phy_bitrate_mask_check(he_mcs, he_gi, 0, 1);
+ } else if (sta->deflink.vht_cap.vht_supported) {
+- __sta_phy_bitrate_mask_check(vht_mcs, gi, 0);
++ __sta_phy_bitrate_mask_check(vht_mcs, gi, 0, 0);
+ } else if (sta->deflink.ht_cap.ht_supported) {
+- __sta_phy_bitrate_mask_check(ht_mcs, gi, 0);
++ __sta_phy_bitrate_mask_check(ht_mcs, gi, 1, 0);
+ } else {
+ nrates = hweight32(mask->control[band].legacy);
+ phy.mcs = ffs(mask->control[band].legacy) - 1;
+--
+2.35.1
+
--- /dev/null
+From b42b38b5f635b92b370dbf546bf30f4986def847 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jul 2022 11:50:03 +0200
+Subject: wifi: mt76: mt7915: fix possible unaligned access in
+ mt7915_mac_add_twt_setup
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 3d9aa54355d863e5412a7e08180f50a8f1827b7f ]
+
+Fix possible unaligned pointer in mt7915_mac_add_twt_setup routine.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: 3782b69d03e71 ("mt76: mt7915: introduce mt7915_mac_add_twt_setup routine")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+index 4ddcd3afa428..49aa5c056063 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+@@ -2071,8 +2071,9 @@ void mt7915_mac_add_twt_setup(struct ieee80211_hw *hw,
+ }
+
+ flowid = ffs(~msta->twt.flowid_mask) - 1;
+- le16p_replace_bits(&twt_agrt->req_type, flowid,
+- IEEE80211_TWT_REQTYPE_FLOWID);
++ twt_agrt->req_type &= ~cpu_to_le16(IEEE80211_TWT_REQTYPE_FLOWID);
++ twt_agrt->req_type |= le16_encode_bits(flowid,
++ IEEE80211_TWT_REQTYPE_FLOWID);
+
+ table_id = ffs(~dev->twt.table_mask) - 1;
+ exp = FIELD_GET(IEEE80211_TWT_REQTYPE_WAKE_INT_EXP, req_type);
+@@ -2122,8 +2123,9 @@ void mt7915_mac_add_twt_setup(struct ieee80211_hw *hw,
+ unlock:
+ mutex_unlock(&dev->mt76.mutex);
+ out:
+- le16p_replace_bits(&twt_agrt->req_type, setup_cmd,
+- IEEE80211_TWT_REQTYPE_SETUP_CMD);
++ twt_agrt->req_type &= ~cpu_to_le16(IEEE80211_TWT_REQTYPE_SETUP_CMD);
++ twt_agrt->req_type |=
++ le16_encode_bits(setup_cmd, IEEE80211_TWT_REQTYPE_SETUP_CMD);
+ twt->control = (twt->control & IEEE80211_TWT_CONTROL_WAKE_DUR_UNIT) |
+ (twt->control & IEEE80211_TWT_CONTROL_RX_DISABLED);
+ }
+--
+2.35.1
+
--- /dev/null
+From 89ebf9e2de0aa551a606ddb7e92703fc3019a142 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Jul 2022 22:44:56 +0800
+Subject: wifi: mt76: mt7921: add mt7921_mutex_acquire at mt7921_[start,
+ stop]_ap
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit 52b44015f031f629f1ce1d73415a2017593c7ade ]
+
+Add mt7921_mutex_acquire at mt7921_[start, stop]_ap to fix the race
+with the context holding dev->muxtex and the driver might access the
+device in low power state.
+
+Fixes: 9d958b60ebc2 ("mt76: mt7921: fix command timeout in AP stop period")
+Tested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt7921/main.c | 21 ++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+index 1438a9f8d1fd..63fd33dcd3af 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+@@ -1526,17 +1526,23 @@ mt7921_start_ap(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ struct mt7921_dev *dev = mt7921_hw_dev(hw);
+ int err;
+
++ mt7921_mutex_acquire(dev);
++
+ err = mt76_connac_mcu_uni_add_bss(phy->mt76, vif, &mvif->sta.wcid,
+ true);
+ if (err)
+- return err;
++ goto out;
+
+ err = mt7921_mcu_set_bss_pm(dev, vif, true);
+ if (err)
+- return err;
++ goto out;
++
++ err = mt7921_mcu_sta_update(dev, NULL, vif, true,
++ MT76_STA_INFO_STATE_NONE);
++out:
++ mt7921_mutex_release(dev);
+
+- return mt7921_mcu_sta_update(dev, NULL, vif, true,
+- MT76_STA_INFO_STATE_NONE);
++ return err;
+ }
+
+ static void
+@@ -1548,11 +1554,16 @@ mt7921_stop_ap(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ struct mt7921_dev *dev = mt7921_hw_dev(hw);
+ int err;
+
++ mt7921_mutex_acquire(dev);
++
+ err = mt7921_mcu_set_bss_pm(dev, vif, false);
+ if (err)
+- return;
++ goto out;
+
+ mt76_connac_mcu_uni_add_bss(phy->mt76, vif, &mvif->sta.wcid, false);
++
++out:
++ mt7921_mutex_release(dev);
+ }
+
+ const struct ieee80211_ops mt7921_ops = {
+--
+2.35.1
+
--- /dev/null
+From 05c98abafd3fb7d442376f5f0e89a99c1a6c809b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Jul 2022 22:44:57 +0800
+Subject: wifi: mt76: mt7921: add mt7921_mutex_acquire at
+ mt7921_sta_set_decap_offload
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit 59c20b91786d5f140ee7be2f24c242b5f8986046 ]
+
+Add mt7921_mutex_acquire at mt7921_[start, stop]_ap to fix the race
+with the context holding dev->muxtex and the driver might access the
+device in low power state.
+
+Fixes: 24299fc869f7 ("mt76: mt7921: enable rx header traslation offload")
+Tested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+index 63fd33dcd3af..7214735011d0 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+@@ -1404,6 +1404,8 @@ static void mt7921_sta_set_decap_offload(struct ieee80211_hw *hw,
+ struct mt7921_sta *msta = (struct mt7921_sta *)sta->drv_priv;
+ struct mt7921_dev *dev = mt7921_hw_dev(hw);
+
++ mt7921_mutex_acquire(dev);
++
+ if (enabled)
+ set_bit(MT_WCID_FLAG_HDR_TRANS, &msta->wcid.flags);
+ else
+@@ -1411,6 +1413,8 @@ static void mt7921_sta_set_decap_offload(struct ieee80211_hw *hw,
+
+ mt76_connac_mcu_sta_update_hdr_trans(&dev->mt76, vif, &msta->wcid,
+ MCU_UNI_CMD(STA_REC_UPDATE));
++
++ mt7921_mutex_release(dev);
+ }
+
+ #if IS_ENABLED(CONFIG_IPV6)
+--
+2.35.1
+
--- /dev/null
+From d2ce305bb06bb4cf81fed54a808b5a5db90e39ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Aug 2022 06:45:51 +0800
+Subject: wifi: mt76: mt7921: fix the firmware version report
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit 00be84d6dfc8319ed1864d3ca8658569d36a1882 ]
+
+Fix the regression of the firmware version report since
+'b9ec27102ac0 ('mt76: connac: move mt76_connac2_load_ram in connac
+module')'.
+
+Fixes: b9ec27102ac0 ("mt76: connac: move mt76_connac2_load_ram in connac module")
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+index 13d4722e4186..7cac7b126e59 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+@@ -2888,6 +2888,10 @@ int mt76_connac2_load_ram(struct mt76_dev *dev, const char *fw_wm,
+ goto out;
+ }
+
++ snprintf(dev->hw->wiphy->fw_version,
++ sizeof(dev->hw->wiphy->fw_version),
++ "%.10s-%.15s", hdr->fw_ver, hdr->build_date);
++
+ release_firmware(fw);
+
+ if (!fw_wa)
+--
+2.35.1
+
--- /dev/null
+From 41f699b5355a8f0b978b8575f9339bbc085bb4a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Jul 2022 09:37:07 +0300
+Subject: wifi: mt76: mt7921: fix use after free in mt7921_acpi_read()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit e7de4b4979bd8d313ec837931dde936653ca82ea ]
+
+Don't dereference "sar_root" after it has been freed.
+
+Fixes: f965333e491e ("mt76: mt7921: introduce ACPI SAR support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c b/drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c
+index be4f07ad3af9..47e034a9b003 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c
+@@ -13,6 +13,7 @@ mt7921_acpi_read(struct mt7921_dev *dev, u8 *method, u8 **tbl, u32 *len)
+ acpi_handle root, handle;
+ acpi_status status;
+ u32 i = 0;
++ int ret;
+
+ root = ACPI_HANDLE(mdev->dev);
+ if (!root)
+@@ -52,9 +53,11 @@ mt7921_acpi_read(struct mt7921_dev *dev, u8 *method, u8 **tbl, u32 *len)
+ *(*tbl + i) = (u8)sar_unit->integer.value;
+ }
+ free:
++ ret = (i == sar_root->package.count) ? 0 : -EINVAL;
++
+ kfree(sar_root);
+
+- return (i == sar_root->package.count) ? 0 : -EINVAL;
++ return ret;
+ }
+
+ /* MTCL : Country List Table for 6G band */
+--
+2.35.1
+
--- /dev/null
+From 05f3ff4db54af1c4fa5e433d745504729af7e02c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 06:57:44 +0800
+Subject: wifi: mt76: mt7921: reset msta->airtime_ac while clearing up hw value
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit 1bf66dc31032ff5292f4d5b76436653f269fcfbd ]
+
+We should reset mstat->airtime_ac along with clear up the entries in the
+hardware WLAN table for the Rx and Rx accumulative airtime. Otherwsie, the
+value msta->airtime_ac - [tx, rx]_last may be a negative and that is not
+the actual airtime the device took in the last run.
+
+Reported-by: YN Chen <YN.Chen@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+index 7214735011d0..c9e9a533289f 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+@@ -752,6 +752,7 @@ void mt7921_mac_sta_assoc(struct mt76_dev *mdev, struct ieee80211_vif *vif,
+
+ mt7921_mac_wtbl_update(dev, msta->wcid.idx,
+ MT_WTBL_UPDATE_ADM_COUNT_CLEAR);
++ memset(msta->airtime_ac, 0, sizeof(msta->airtime_ac));
+
+ mt7921_mcu_sta_update(dev, sta, vif, true, MT76_STA_INFO_STATE_ASSOC);
+
+--
+2.35.1
+
--- /dev/null
+From 617fa5efdead03358f770598a3d7b46561f77de1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jul 2022 06:25:37 +0800
+Subject: wifi: mt76: mt7921e: fix race issue between reset and suspend/resume
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit ff6c4a6449793e9718ef2e9ad46864b63022648e ]
+
+It is unexpected that the reset work is running simultaneously with
+the suspend or resume context and it is possible that reset work is still
+running even after mt7921 is suspended if we don't fix the race issue.
+
+Thus, the suspend procedure should be waiting until the reset is completed
+at the beginning and ignore the subsequent the reset requests.
+
+In case there is an error that happens during either suspend or resume
+handler, we will schedule a reset task to recover the error before
+returning the error code to ensure we can immediately fix the error there.
+
+Fixes: 0c1ce9884607 ("mt76: mt7921: add wifi reset support")
+Co-developed-by: YN Chen <YN.Chen@mediatek.com>
+Signed-off-by: YN Chen <YN.Chen@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 5 +++++
+ drivers/net/wireless/mediatek/mt76/mt7921/pci.c | 13 +++++++++----
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+index 47f0aa81ab02..6bd9fc9228a2 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+@@ -780,6 +780,7 @@ void mt7921_mac_reset_work(struct work_struct *work)
+ void mt7921_reset(struct mt76_dev *mdev)
+ {
+ struct mt7921_dev *dev = container_of(mdev, struct mt7921_dev, mt76);
++ struct mt76_connac_pm *pm = &dev->pm;
+
+ if (!dev->hw_init_done)
+ return;
+@@ -787,8 +788,12 @@ void mt7921_reset(struct mt76_dev *mdev)
+ if (dev->hw_full_reset)
+ return;
+
++ if (pm->suspended)
++ return;
++
+ queue_work(dev->mt76.wq, &dev->reset_work);
+ }
++EXPORT_SYMBOL_GPL(mt7921_reset);
+
+ void mt7921_mac_update_mib_stats(struct mt7921_phy *phy)
+ {
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
+index ea3069d18c35..2b015dacbba2 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
+@@ -367,6 +367,7 @@ static int mt7921_pci_suspend(struct device *device)
+ int i, err;
+
+ pm->suspended = true;
++ flush_work(&dev->reset_work);
+ cancel_delayed_work_sync(&pm->ps_work);
+ cancel_work_sync(&pm->wake_work);
+
+@@ -428,6 +429,9 @@ static int mt7921_pci_suspend(struct device *device)
+ restore_suspend:
+ pm->suspended = false;
+
++ if (err < 0)
++ mt7921_reset(&dev->mt76);
++
+ return err;
+ }
+
+@@ -441,7 +445,7 @@ static int mt7921_pci_resume(struct device *device)
+
+ err = mt7921_mcu_drv_pmctrl(dev);
+ if (err < 0)
+- return err;
++ goto failed;
+
+ mt7921_wpdma_reinit_cond(dev);
+
+@@ -471,11 +475,12 @@ static int mt7921_pci_resume(struct device *device)
+ mt76_connac_mcu_set_deep_sleep(&dev->mt76, false);
+
+ err = mt76_connac_mcu_set_hif_suspend(mdev, false);
+- if (err)
+- return err;
+-
++failed:
+ pm->suspended = false;
+
++ if (err < 0)
++ mt7921_reset(&dev->mt76);
++
+ return err;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From a2583aa12bd016c6ba736d599e5cf9b0ce841d5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Sep 2022 20:39:43 +0800
+Subject: wifi: mt76: mt7921e: fix rmmod crash in driver reload test
+
+From: Deren Wu <deren.wu@mediatek.com>
+
+[ Upstream commit b5a62d612b7baf6e09884e4de94decb6391d6a9d ]
+
+In insmod/rmmod stress test, the following crash dump shows up immediately.
+The problem is caused by missing mt76_dev in mt7921_pci_remove(). We
+should make sure the drvdata is ready before probe() finished.
+
+[168.862789] ==================================================================
+[168.862797] BUG: KASAN: user-memory-access in try_to_grab_pending+0x59/0x480
+[168.862805] Write of size 8 at addr 0000000000006df0 by task rmmod/5361
+[168.862812] CPU: 7 PID: 5361 Comm: rmmod Tainted: G OE 5.19.0-rc6 #1
+[168.862816] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, 05/04/2020
+[168.862820] Call Trace:
+[168.862822] <TASK>
+[168.862825] dump_stack_lvl+0x49/0x63
+[168.862832] print_report.cold+0x493/0x6b7
+[168.862845] kasan_report+0xa7/0x120
+[168.862857] kasan_check_range+0x163/0x200
+[168.862861] __kasan_check_write+0x14/0x20
+[168.862866] try_to_grab_pending+0x59/0x480
+[168.862870] __cancel_work_timer+0xbb/0x340
+[168.862898] cancel_work_sync+0x10/0x20
+[168.862902] mt7921_pci_remove+0x61/0x1c0 [mt7921e]
+[168.862909] pci_device_remove+0xa3/0x1d0
+[168.862914] device_remove+0xc4/0x170
+[168.862920] device_release_driver_internal+0x163/0x300
+[168.862925] driver_detach+0xc7/0x1a0
+[168.862930] bus_remove_driver+0xeb/0x2d0
+[168.862935] driver_unregister+0x71/0xb0
+[168.862939] pci_unregister_driver+0x30/0x230
+[168.862944] mt7921_pci_driver_exit+0x10/0x1b [mt7921e]
+[168.862949] __x64_sys_delete_module+0x2f9/0x4b0
+[168.862968] do_syscall_64+0x38/0x90
+[168.862973] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Test steps:
+1. insmode
+2. do not ifup
+3. rmmod quickly (within 1 second)
+
+Fixes: 1c71e03afe4b ("mt76: mt7921: move mt7921_init_hw in a dedicated work")
+Signed-off-by: Deren Wu <deren.wu@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
+index 2b015dacbba2..e5b1f6249763 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
+@@ -288,6 +288,8 @@ static int mt7921_pci_probe(struct pci_dev *pdev,
+ goto err_free_pci_vec;
+ }
+
++ pci_set_drvdata(pdev, mdev);
++
+ dev = container_of(mdev, struct mt7921_dev, mt76);
+ dev->hif_ops = &mt7921_pcie_ops;
+
+--
+2.35.1
+
--- /dev/null
+From 2489b930fc68b5d5d58bc07a968d70e80d7bf9ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jul 2022 06:25:38 +0800
+Subject: wifi: mt76: mt7921s: fix race issue between reset and suspend/resume
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit e86f10e6809add9132ecc2c6b3184ed59db7ca71 ]
+
+It is unexpected that the reset work is running simultaneously with
+the suspend or resume context and it is possible that reset work is still
+running even after mt7921 is suspended if we don't fix the race issue.
+
+Thus, the suspend procedure should be waiting until the reset is completed
+at the beginning and ignore the subsequent the reset requests.
+
+In case there is an error that happens during either suspend or resume
+handler, we will schedule a reset task to recover the error before
+returning the error code to ensure we can immediately fix the error there.
+
+Fixes: ca74b9b907f9 ("mt76: mt7921s: add reset support")
+Co-developed-by: YN Chen <YN.Chen@mediatek.com>
+Signed-off-by: YN Chen <YN.Chen@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/sdio.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
+index 487acd6e2be8..2face849fb4f 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
+@@ -206,6 +206,7 @@ static int mt7921s_suspend(struct device *__dev)
+ pm->suspended = true;
+ set_bit(MT76_STATE_SUSPEND, &mdev->phy.state);
+
++ flush_work(&dev->reset_work);
+ cancel_delayed_work_sync(&pm->ps_work);
+ cancel_work_sync(&pm->wake_work);
+
+@@ -261,6 +262,9 @@ static int mt7921s_suspend(struct device *__dev)
+ clear_bit(MT76_STATE_SUSPEND, &mdev->phy.state);
+ pm->suspended = false;
+
++ if (err < 0)
++ mt7921_reset(&dev->mt76);
++
+ return err;
+ }
+
+@@ -276,7 +280,7 @@ static int mt7921s_resume(struct device *__dev)
+
+ err = mt7921_mcu_drv_pmctrl(dev);
+ if (err < 0)
+- return err;
++ goto failed;
+
+ mt76_worker_enable(&mdev->tx_worker);
+ mt76_worker_enable(&mdev->sdio.txrx_worker);
+@@ -288,11 +292,12 @@ static int mt7921s_resume(struct device *__dev)
+ mt76_connac_mcu_set_deep_sleep(mdev, false);
+
+ err = mt76_connac_mcu_set_hif_suspend(mdev, false);
+- if (err)
+- return err;
+-
++failed:
+ pm->suspended = false;
+
++ if (err < 0)
++ mt7921_reset(&dev->mt76);
++
+ return err;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From a51ae5e7f75ea1db5f27504dc6c1e11bb55978e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jul 2022 06:25:39 +0800
+Subject: wifi: mt76: mt7921u: fix race issue between reset and suspend/resume
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit 86f15d043ba7f13211d5c3e41961c3381fb12880 ]
+
+It is unexpected that the reset work is running simultaneously with
+the suspend or resume context and it is possible that reset work is still
+running even after mt7921 is suspended if we don't fix the race issue.
+
+Thus, the suspend procedure should be waiting until the reset is completed
+at the beginning and ignore the subsequent the reset requests.
+
+In case there is an error that happens during either suspend or resume
+handler, we will schedule a reset task to recover the error before
+returning the error code to ensure we can immediately fix the error there.
+
+Fixes: df3e4143ba8a ("mt76: mt7921u: add suspend/resume support")
+Co-developed-by: YN Chen <YN.Chen@mediatek.com>
+Signed-off-by: YN Chen <YN.Chen@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt7921/usb.c | 28 ++++++++++++++++---
+ 1 file changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/usb.c b/drivers/net/wireless/mediatek/mt76/mt7921/usb.c
+index dd3b8884e162..613d5cefffc7 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/usb.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/usb.c
+@@ -300,11 +300,15 @@ static void mt7921u_disconnect(struct usb_interface *usb_intf)
+ static int mt7921u_suspend(struct usb_interface *intf, pm_message_t state)
+ {
+ struct mt7921_dev *dev = usb_get_intfdata(intf);
++ struct mt76_connac_pm *pm = &dev->pm;
+ int err;
+
++ pm->suspended = true;
++ flush_work(&dev->reset_work);
++
+ err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, true);
+ if (err)
+- return err;
++ goto failed;
+
+ mt76u_stop_rx(&dev->mt76);
+ mt76u_stop_tx(&dev->mt76);
+@@ -312,11 +316,20 @@ static int mt7921u_suspend(struct usb_interface *intf, pm_message_t state)
+ set_bit(MT76_STATE_SUSPEND, &dev->mphy.state);
+
+ return 0;
++
++failed:
++ pm->suspended = false;
++
++ if (err < 0)
++ mt7921_reset(&dev->mt76);
++
++ return err;
+ }
+
+ static int mt7921u_resume(struct usb_interface *intf)
+ {
+ struct mt7921_dev *dev = usb_get_intfdata(intf);
++ struct mt76_connac_pm *pm = &dev->pm;
+ bool reinit = true;
+ int err, i;
+
+@@ -338,16 +351,23 @@ static int mt7921u_resume(struct usb_interface *intf)
+ if (reinit || mt7921_dma_need_reinit(dev)) {
+ err = mt7921u_dma_init(dev, true);
+ if (err)
+- return err;
++ goto failed;
+ }
+
+ clear_bit(MT76_STATE_SUSPEND, &dev->mphy.state);
+
+ err = mt76u_resume_rx(&dev->mt76);
+ if (err < 0)
+- return err;
++ goto failed;
++
++ err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, false);
++failed:
++ pm->suspended = false;
++
++ if (err < 0)
++ mt7921_reset(&dev->mt76);
+
+- return mt76_connac_mcu_set_hif_suspend(&dev->mt76, false);
++ return err;
+ }
+ #endif /* CONFIG_PM */
+
+--
+2.35.1
+
--- /dev/null
+From cd1f9d0cebf0866328f784031fcc288a4043b7f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Jul 2022 06:39:35 +0800
+Subject: wifi: mt76: sdio: fix the deadlock caused by sdio->stat_work
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit e5d78fd998be94fb459a3d625df7367849b997b8 ]
+
+Because wake_work and sdio->stat_work share the same workqueue mt76->wq,
+if sdio->stat_work cannot acquire the mutex lock such as that was possibly
+held up by [mt7615, mt7921]_mutex_acquire. Additionally, if
+[mt7615, mt7921]_mutex_acquire was called by sdio->stat_work self, the wake
+would be blocked by itself. Thus, we move the stat_work into
+ieee80211_workqueue instead to break the deadlock.
+
+Fixes: d39b52e31aa6 ("mt76: introduce mt76_sdio module")
+Co-developed-by: YN Chen <YN.Chen@mediatek.com>
+Signed-off-by: YN Chen <YN.Chen@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/sdio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/sdio.c b/drivers/net/wireless/mediatek/mt76/sdio.c
+index aba2a9865821..fb2caeae6dba 100644
+--- a/drivers/net/wireless/mediatek/mt76/sdio.c
++++ b/drivers/net/wireless/mediatek/mt76/sdio.c
+@@ -481,7 +481,7 @@ static void mt76s_status_worker(struct mt76_worker *w)
+ if (dev->drv->tx_status_data &&
+ !test_and_set_bit(MT76_READING_STATS, &dev->phy.state) &&
+ !test_bit(MT76_STATE_SUSPEND, &dev->phy.state))
+- queue_work(dev->wq, &dev->sdio.stat_work);
++ ieee80211_queue_work(dev->hw, &dev->sdio.stat_work);
+ } while (nframes > 0);
+
+ if (resched)
+@@ -508,7 +508,7 @@ static void mt76s_tx_status_data(struct work_struct *work)
+ }
+
+ if (count && test_bit(MT76_STATE_RUNNING, &dev->phy.state))
+- queue_work(dev->wq, &sdio->stat_work);
++ ieee80211_queue_work(dev->hw, &sdio->stat_work);
+ else
+ clear_bit(MT76_READING_STATS, &dev->phy.state);
+ }
+--
+2.35.1
+
--- /dev/null
+From 26a99f125586ce5bc0b73b30f9b3c1f482fcbdc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Jul 2022 05:59:23 +0800
+Subject: wifi: mt76: sdio: fix transmitting packet hangs
+
+From: YN Chen <yn.chen@mediatek.com>
+
+[ Upstream commit 250b1827205846ff346a76044955cb79d4963f70 ]
+
+Fix transmitting packets hangs with continuing to pull the pending packet
+from mac80211 queues when receiving Tx status notification from the device.
+
+Fixes: aac5104bf631 ("mt76: sdio: do not run mt76_txq_schedule directly")
+Acked-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: YN Chen <yn.chen@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/sdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/sdio.c b/drivers/net/wireless/mediatek/mt76/sdio.c
+index ece4e4bb94a1..0ec308f99af5 100644
+--- a/drivers/net/wireless/mediatek/mt76/sdio.c
++++ b/drivers/net/wireless/mediatek/mt76/sdio.c
+@@ -485,7 +485,7 @@ static void mt76s_status_worker(struct mt76_worker *w)
+ } while (nframes > 0);
+
+ if (resched)
+- mt76_worker_schedule(&dev->sdio.txrx_worker);
++ mt76_worker_schedule(&dev->tx_worker);
+ }
+
+ static void mt76s_tx_status_data(struct work_struct *work)
+--
+2.35.1
+
--- /dev/null
+From f9f76db16aa67fbb851570f11ccef4ac1548f52e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Jul 2022 06:39:36 +0800
+Subject: wifi: mt76: sdio: poll sta stat when device transmits data
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+[ Upstream commit a323e5f041dd11af5e3de19ed7ea95a97d588c11 ]
+
+It is not meaningful to poll sta stat when there is no data traffic.
+So polling sta stat when the device has transmitted data instead to save
+CPU power.
+
+That implies that it is unallowed the stat_work to work while MCU is being
+initialized in the really early stage to fix the possible time to time MCU
+initialization failure.
+
+Fixes: d39b52e31aa6 ("mt76: introduce mt76_sdio module")
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/sdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/sdio.c b/drivers/net/wireless/mediatek/mt76/sdio.c
+index fb2caeae6dba..ece4e4bb94a1 100644
+--- a/drivers/net/wireless/mediatek/mt76/sdio.c
++++ b/drivers/net/wireless/mediatek/mt76/sdio.c
+@@ -478,7 +478,7 @@ static void mt76s_status_worker(struct mt76_worker *w)
+ if (ndata_frames > 0)
+ resched = true;
+
+- if (dev->drv->tx_status_data &&
++ if (dev->drv->tx_status_data && ndata_frames > 0 &&
+ !test_and_set_bit(MT76_READING_STATS, &dev->phy.state) &&
+ !test_bit(MT76_STATE_SUSPEND, &dev->phy.state))
+ ieee80211_queue_work(dev->hw, &dev->sdio.stat_work);
+--
+2.35.1
+
--- /dev/null
+From af89e09717e917d68b7bafcb6804643f1856711c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Sep 2022 21:30:09 +0100
+Subject: wifi: rt2x00: correctly set BBP register 86 for MT7620
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit c9aada64fe6493461127f1522d7e2f01792d2424 ]
+
+Instead of 0 set the correct value for BBP register 86 for MT7620.
+
+Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/257267247ee4fa7ebc6a5d0c4948b3f8119c0d77.1663445157.git.daniel@makrotopia.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+index b30b062243bb..1a9e27a6d636 100644
+--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+@@ -4164,7 +4164,10 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev,
+ rt2800_bbp_write(rt2x00dev, 62, 0x37 - rt2x00dev->lna_gain);
+ rt2800_bbp_write(rt2x00dev, 63, 0x37 - rt2x00dev->lna_gain);
+ rt2800_bbp_write(rt2x00dev, 64, 0x37 - rt2x00dev->lna_gain);
+- rt2800_bbp_write(rt2x00dev, 86, 0);
++ if (rt2x00_rt(rt2x00dev, RT6352))
++ rt2800_bbp_write(rt2x00dev, 86, 0x38);
++ else
++ rt2800_bbp_write(rt2x00dev, 86, 0);
+ }
+
+ if (rf->channel <= 14) {
+--
+2.35.1
+
--- /dev/null
+From 483d060d8bc047be0de3361018c8ec5777f9e707 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Sep 2022 21:28:29 +0100
+Subject: wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit d3aad83d05aec0cfd7670cf0028f2ad4b81de92e ]
+
+The function rt2800_iq_calibrate is intended for Rt5592 only.
+Don't call it for MT7620 which has it's own calibration functions.
+
+Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/31a1c34ddbd296b82f38c18c9ae7339059215fdc.1663445157.git.daniel@makrotopia.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+index 18102fbe36d6..de81b6060359 100644
+--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+@@ -4365,7 +4365,8 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev,
+ reg = (rf->channel <= 14 ? 0x1c : 0x24) + 2*rt2x00dev->lna_gain;
+ rt2800_bbp_write_with_rx_chain(rt2x00dev, 66, reg);
+
+- rt2800_iq_calibrate(rt2x00dev, rf->channel);
++ if (rt2x00_rt(rt2x00dev, RT5592))
++ rt2800_iq_calibrate(rt2x00dev, rf->channel);
+ }
+
+ bbp = rt2800_bbp_read(rt2x00dev, 4);
+--
+2.35.1
+
--- /dev/null
+From 120a1786799aafb72b2fd6cd718c10a8ba52ffba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Sep 2022 21:29:26 +0100
+Subject: wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit eeb50acf15762b61921f9df18663f839f387c054 ]
+
+Set correct TX_SW_CFG1 MAC register as it is done also in v3 of the
+vendor driver[1].
+
+[1]: https://gitlab.com/dm38/padavan-ng/-/blob/master/trunk/proprietary/rt_wifi/rtpci/3.0.X.X/mt76x2/chips/rt6352.c#L531
+Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/4be38975ce600a34249e12d09a3cb758c6e71071.1663445157.git.daniel@makrotopia.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+index de81b6060359..5e7bca935dd4 100644
+--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+@@ -5868,7 +5868,7 @@ static int rt2800_init_registers(struct rt2x00_dev *rt2x00dev)
+ rt2800_register_write(rt2x00dev, TX_SW_CFG0, 0x00000404);
+ } else if (rt2x00_rt(rt2x00dev, RT6352)) {
+ rt2800_register_write(rt2x00dev, TX_SW_CFG0, 0x00000401);
+- rt2800_register_write(rt2x00dev, TX_SW_CFG1, 0x000C0000);
++ rt2800_register_write(rt2x00dev, TX_SW_CFG1, 0x000C0001);
+ rt2800_register_write(rt2x00dev, TX_SW_CFG2, 0x00000000);
+ rt2800_register_write(rt2x00dev, TX_ALC_VGA3, 0x00000000);
+ rt2800_register_write(rt2x00dev, TX0_BB_GAIN_ATTEN, 0x0);
+--
+2.35.1
+
--- /dev/null
+From 4e3cb2e6489e0b194793021af5f7a89b113cd8c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Sep 2022 21:29:55 +0100
+Subject: wifi: rt2x00: set SoC wmac clock register
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit cbde6ed406a51092d9e8a2df058f5f8490f27443 ]
+
+Instead of using the default value 33 (pci), set US_CYC_CNT init based
+on Programming guide:
+If available, set chipset bus clock with fallback to cpu clock/3.
+
+Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/3e275d259f476f597dab91a9c395015ef3fe3284.1663445157.git.daniel@makrotopia.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/ralink/rt2x00/rt2800lib.c | 21 +++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+index fec85db7dbc7..b30b062243bb 100644
+--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+@@ -6131,6 +6131,27 @@ static int rt2800_init_registers(struct rt2x00_dev *rt2x00dev)
+ reg = rt2800_register_read(rt2x00dev, US_CYC_CNT);
+ rt2x00_set_field32(®, US_CYC_CNT_CLOCK_CYCLE, 125);
+ rt2800_register_write(rt2x00dev, US_CYC_CNT, reg);
++ } else if (rt2x00_is_soc(rt2x00dev)) {
++ struct clk *clk = clk_get_sys("bus", NULL);
++ int rate;
++
++ if (IS_ERR(clk)) {
++ clk = clk_get_sys("cpu", NULL);
++
++ if (IS_ERR(clk)) {
++ rate = 125;
++ } else {
++ rate = clk_get_rate(clk) / 3000000;
++ clk_put(clk);
++ }
++ } else {
++ rate = clk_get_rate(clk) / 1000000;
++ clk_put(clk);
++ }
++
++ reg = rt2800_register_read(rt2x00dev, US_CYC_CNT);
++ rt2x00_set_field32(®, US_CYC_CNT_CLOCK_CYCLE, rate);
++ rt2800_register_write(rt2x00dev, US_CYC_CNT, reg);
+ }
+
+ reg = rt2800_register_read(rt2x00dev, HT_FBK_CFG0);
+--
+2.35.1
+
--- /dev/null
+From db8adef3052f568ca848b5c7e1a6eb7f52e52c7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Sep 2022 21:29:40 +0100
+Subject: wifi: rt2x00: set VGC gain for both chains of MT7620
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit 0e09768c085709e10ece3b68f6ac921d3f6a9caa ]
+
+Set bbp66 for all chains of the MT7620.
+
+Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/29e161397e5c9d9399da0fe87d44458aa2b90a78.1663445157.git.daniel@makrotopia.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+index 5e7bca935dd4..fec85db7dbc7 100644
+--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+@@ -5645,7 +5645,8 @@ static inline void rt2800_set_vgc(struct rt2x00_dev *rt2x00dev,
+ if (qual->vgc_level != vgc_level) {
+ if (rt2x00_rt(rt2x00dev, RT3572) ||
+ rt2x00_rt(rt2x00dev, RT3593) ||
+- rt2x00_rt(rt2x00dev, RT3883)) {
++ rt2x00_rt(rt2x00dev, RT3883) ||
++ rt2x00_rt(rt2x00dev, RT6352)) {
+ rt2800_bbp_write_with_rx_chain(rt2x00dev, 66,
+ vgc_level);
+ } else if (rt2x00_rt(rt2x00dev, RT5592)) {
+--
+2.35.1
+
--- /dev/null
+From ed1fa85228fb956d8c3ae323ca9e8a78f1a647ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Sep 2022 15:42:25 +0300
+Subject: wifi: rtl8xxxu: Fix AIFS written to REG_EDCA_*_PARAM
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+[ Upstream commit 5574d3290449916397f3092dcd2bac92415498e1 ]
+
+ieee80211_tx_queue_params.aifs is not supposed to be written directly
+to the REG_EDCA_*_PARAM registers. Instead process it like the vendor
+drivers do. It's kinda hacky but it works.
+
+This change boosts the download speed and makes it more stable.
+
+Tested with RTL8188FU but all the other supported chips should also
+benefit.
+
+Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Acked-by: Jes Sorensen <jes@trained-monkey.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/038cc03f-3567-77ba-a7bd-c4930e3b2fad@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 49 +++++++++++++++++++
+ 1 file changed, 49 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index d8f5b4bb1fa9..08f9d17dce12 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -4560,6 +4560,53 @@ rtl8xxxu_wireless_mode(struct ieee80211_hw *hw, struct ieee80211_sta *sta)
+ return network_type;
+ }
+
++static void rtl8xxxu_set_aifs(struct rtl8xxxu_priv *priv, u8 slot_time)
++{
++ u32 reg_edca_param[IEEE80211_NUM_ACS] = {
++ [IEEE80211_AC_VO] = REG_EDCA_VO_PARAM,
++ [IEEE80211_AC_VI] = REG_EDCA_VI_PARAM,
++ [IEEE80211_AC_BE] = REG_EDCA_BE_PARAM,
++ [IEEE80211_AC_BK] = REG_EDCA_BK_PARAM,
++ };
++ u32 val32;
++ u16 wireless_mode = 0;
++ u8 aifs, aifsn, sifs;
++ int i;
++
++ if (priv->vif) {
++ struct ieee80211_sta *sta;
++
++ rcu_read_lock();
++ sta = ieee80211_find_sta(priv->vif, priv->vif->bss_conf.bssid);
++ if (sta)
++ wireless_mode = rtl8xxxu_wireless_mode(priv->hw, sta);
++ rcu_read_unlock();
++ }
++
++ if (priv->hw->conf.chandef.chan->band == NL80211_BAND_5GHZ ||
++ (wireless_mode & WIRELESS_MODE_N_24G))
++ sifs = 16;
++ else
++ sifs = 10;
++
++ for (i = 0; i < IEEE80211_NUM_ACS; i++) {
++ val32 = rtl8xxxu_read32(priv, reg_edca_param[i]);
++
++ /* It was set in conf_tx. */
++ aifsn = val32 & 0xff;
++
++ /* aifsn not set yet or already fixed */
++ if (aifsn < 2 || aifsn > 15)
++ continue;
++
++ aifs = aifsn * slot_time + sifs;
++
++ val32 &= ~0xff;
++ val32 |= aifs;
++ rtl8xxxu_write32(priv, reg_edca_param[i], val32);
++ }
++}
++
+ static void
+ rtl8xxxu_bss_info_changed(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ struct ieee80211_bss_conf *bss_conf, u64 changed)
+@@ -4679,6 +4726,8 @@ rtl8xxxu_bss_info_changed(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ else
+ val8 = 20;
+ rtl8xxxu_write8(priv, REG_SLOT, val8);
++
++ rtl8xxxu_set_aifs(priv, val8);
+ }
+
+ if (changed & BSS_CHANGED_BSSID) {
+--
+2.35.1
+
--- /dev/null
+From 74038ea74d58188139245ee85c7670c2af84b362 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Aug 2022 19:12:36 +0300
+Subject: wifi: rtl8xxxu: Fix skb misuse in TX queue selection
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+[ Upstream commit edd5747aa12ed61a5ecbfa58d3908623fddbf1e8 ]
+
+rtl8xxxu_queue_select() selects the wrong TX queues because it's
+reading memory from the wrong address. It expects to find ieee80211_hdr
+at skb->data, but that's not the case after skb_push(). Move the call
+to rtl8xxxu_queue_select() before the call to skb_push().
+
+Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/7fa4819a-4f20-b2af-b7a6-8ee01ac49295@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index f3a107f19cf5..02b7bc57d217 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -5062,6 +5062,8 @@ static void rtl8xxxu_tx(struct ieee80211_hw *hw,
+ if (control && control->sta)
+ sta = control->sta;
+
++ queue = rtl8xxxu_queue_select(hw, skb);
++
+ tx_desc = skb_push(skb, tx_desc_size);
+
+ memset(tx_desc, 0, tx_desc_size);
+@@ -5074,7 +5076,6 @@ static void rtl8xxxu_tx(struct ieee80211_hw *hw,
+ is_broadcast_ether_addr(ieee80211_get_DA(hdr)))
+ tx_desc->txdw0 |= TXDESC_BROADMULTICAST;
+
+- queue = rtl8xxxu_queue_select(hw, skb);
+ tx_desc->txdw1 = cpu_to_le32(queue << TXDESC_QUEUE_SHIFT);
+
+ if (tx_info->control.hw_key) {
+--
+2.35.1
+
--- /dev/null
+From e872830a8c184cc567178ba2f08c63e9f74e91a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Sep 2022 15:40:56 +0300
+Subject: wifi: rtl8xxxu: gen2: Enable 40 MHz channel width
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+[ Upstream commit a8b5aef2cca15b7fa533421d462e4e0a3429bd6f ]
+
+The module parameter ht40_2g was supposed to enable 40 MHz operation,
+but it didn't.
+
+Tell the firmware about the channel width when updating the rate mask.
+This makes it work with my gen 2 chip RTL8188FU.
+
+I'm not sure if anything needs to be done for the gen 1 chips, if 40
+MHz channel width already works or not. They update the rate mask with
+a different structure which doesn't have a field for the channel width.
+
+Also set the channel width correctly for sta_statistics.
+
+Fixes: f653e69009c6 ("rtl8xxxu: Implement basic 8723b specific update_rate_mask() function")
+Fixes: bd917b3d28c9 ("rtl8xxxu: fill up txrate info for gen1 chips")
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Acked-by: Jes Sorensen <jes@trained-monkey.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/3a950997-7580-8a6b-97a0-e0a81a135456@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 6 +++---
+ .../wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 21 +++++++++++++------
+ 2 files changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+index 7ddce3c3f0c4..782b089a2e1b 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+@@ -1425,7 +1425,7 @@ struct rtl8xxxu_fileops {
+ void (*set_tx_power) (struct rtl8xxxu_priv *priv, int channel,
+ bool ht40);
+ void (*update_rate_mask) (struct rtl8xxxu_priv *priv,
+- u32 ramask, u8 rateid, int sgi);
++ u32 ramask, u8 rateid, int sgi, int txbw_40mhz);
+ void (*report_connect) (struct rtl8xxxu_priv *priv,
+ u8 macid, bool connect);
+ void (*fill_txdesc) (struct ieee80211_hw *hw, struct ieee80211_hdr *hdr,
+@@ -1511,9 +1511,9 @@ void rtl8xxxu_gen2_config_channel(struct ieee80211_hw *hw);
+ void rtl8xxxu_gen1_usb_quirks(struct rtl8xxxu_priv *priv);
+ void rtl8xxxu_gen2_usb_quirks(struct rtl8xxxu_priv *priv);
+ void rtl8xxxu_update_rate_mask(struct rtl8xxxu_priv *priv,
+- u32 ramask, u8 rateid, int sgi);
++ u32 ramask, u8 rateid, int sgi, int txbw_40mhz);
+ void rtl8xxxu_gen2_update_rate_mask(struct rtl8xxxu_priv *priv,
+- u32 ramask, u8 rateid, int sgi);
++ u32 ramask, u8 rateid, int sgi, int txbw_40mhz);
+ void rtl8xxxu_gen1_report_connect(struct rtl8xxxu_priv *priv,
+ u8 macid, bool connect);
+ void rtl8xxxu_gen2_report_connect(struct rtl8xxxu_priv *priv,
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index 41d46c54444f..d8f5b4bb1fa9 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -4320,7 +4320,7 @@ static void rtl8xxxu_sw_scan_complete(struct ieee80211_hw *hw,
+ }
+
+ void rtl8xxxu_update_rate_mask(struct rtl8xxxu_priv *priv,
+- u32 ramask, u8 rateid, int sgi)
++ u32 ramask, u8 rateid, int sgi, int txbw_40mhz)
+ {
+ struct h2c_cmd h2c;
+
+@@ -4340,10 +4340,15 @@ void rtl8xxxu_update_rate_mask(struct rtl8xxxu_priv *priv,
+ }
+
+ void rtl8xxxu_gen2_update_rate_mask(struct rtl8xxxu_priv *priv,
+- u32 ramask, u8 rateid, int sgi)
++ u32 ramask, u8 rateid, int sgi, int txbw_40mhz)
+ {
+ struct h2c_cmd h2c;
+- u8 bw = RTL8XXXU_CHANNEL_WIDTH_20;
++ u8 bw;
++
++ if (txbw_40mhz)
++ bw = RTL8XXXU_CHANNEL_WIDTH_40;
++ else
++ bw = RTL8XXXU_CHANNEL_WIDTH_20;
+
+ memset(&h2c, 0, sizeof(struct h2c_cmd));
+
+@@ -4621,7 +4626,11 @@ rtl8xxxu_bss_info_changed(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ RATE_INFO_FLAGS_SHORT_GI;
+ }
+
+- rarpt->txrate.bw |= RATE_INFO_BW_20;
++ if (rtl8xxxu_ht40_2g &&
++ (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40))
++ rarpt->txrate.bw = RATE_INFO_BW_40;
++ else
++ rarpt->txrate.bw = RATE_INFO_BW_20;
+ }
+ bit_rate = cfg80211_calculate_bitrate(&rarpt->txrate);
+ rarpt->bit_rate = bit_rate;
+@@ -4630,7 +4639,7 @@ rtl8xxxu_bss_info_changed(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+ priv->vif = vif;
+ priv->rssi_level = RTL8XXXU_RATR_STA_INIT;
+
+- priv->fops->update_rate_mask(priv, ramask, 0, sgi);
++ priv->fops->update_rate_mask(priv, ramask, 0, sgi, rarpt->txrate.bw == RATE_INFO_BW_40);
+
+ rtl8xxxu_write8(priv, REG_BCN_MAX_ERR, 0xff);
+
+@@ -6344,7 +6353,7 @@ static void rtl8xxxu_refresh_rate_mask(struct rtl8xxxu_priv *priv,
+ }
+
+ priv->rssi_level = rssi_level;
+- priv->fops->update_rate_mask(priv, rate_bitmap, ratr_idx, sgi);
++ priv->fops->update_rate_mask(priv, rate_bitmap, ratr_idx, sgi, txbw_40mhz);
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From f08338a135c216d1353dab11d70e97711f674645 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 14:48:32 +0300
+Subject: wifi: rtl8xxxu: gen2: Fix mistake in path B IQ calibration
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+[ Upstream commit e963a19c64ac0d2f8785d36a27391abd91ac77aa ]
+
+Found by comparing with the vendor driver. Currently this affects
+only the RTL8192EU, which is the only gen2 chip with 2 TX paths
+supported by this driver. It's unclear what kind of effect the
+mistake had in practice, since I don't have any RTL8192EU devices
+to test it.
+
+Fixes: e1547c535ede ("rtl8xxxu: First stab at adding IQK calibration for 8723bu parts")
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/30a59f3a-cfa9-8379-7af0-78a8f4c77cfd@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index 02b7bc57d217..7a1ea4a59569 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -2929,12 +2929,12 @@ bool rtl8xxxu_gen2_simularity_compare(struct rtl8xxxu_priv *priv,
+ }
+
+ if (!(simubitmap & 0x30) && priv->tx_paths > 1) {
+- /* path B RX OK */
++ /* path B TX OK */
+ for (i = 4; i < 6; i++)
+ result[3][i] = result[c1][i];
+ }
+
+- if (!(simubitmap & 0x30) && priv->tx_paths > 1) {
++ if (!(simubitmap & 0xc0) && priv->tx_paths > 1) {
+ /* path B RX OK */
+ for (i = 6; i < 8; i++)
+ result[3][i] = result[c1][i];
+--
+2.35.1
+
--- /dev/null
+From da0576df6efa52f31550560f25ef97e26690eeaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 16:15:30 +0300
+Subject: wifi: rtl8xxxu: Remove copy-paste leftover in gen2_update_rate_mask
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+[ Upstream commit d5350756c03cdf18696295c6b11d7acc4dbf825c ]
+
+It looks like a leftover from copying rtl8xxxu_update_rate_mask,
+which is used with the gen1 chips.
+
+It wasn't causing any problems for my RTL8188FU test device, but it's
+clearly a mistake, so remove it.
+
+Fixes: f653e69009c6 ("rtl8xxxu: Implement basic 8723b specific update_rate_mask() function")
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/d5544fe8-9798-28f1-54bd-6839a1974b10@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index 7a1ea4a59569..41d46c54444f 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -4353,15 +4353,14 @@ void rtl8xxxu_gen2_update_rate_mask(struct rtl8xxxu_priv *priv,
+ h2c.b_macid_cfg.ramask2 = (ramask >> 16) & 0xff;
+ h2c.b_macid_cfg.ramask3 = (ramask >> 24) & 0xff;
+
+- h2c.ramask.arg = 0x80;
+ h2c.b_macid_cfg.data1 = rateid;
+ if (sgi)
+ h2c.b_macid_cfg.data1 |= BIT(7);
+
+ h2c.b_macid_cfg.data2 = bw;
+
+- dev_dbg(&priv->udev->dev, "%s: rate mask %08x, arg %02x, size %zi\n",
+- __func__, ramask, h2c.ramask.arg, sizeof(h2c.b_macid_cfg));
++ dev_dbg(&priv->udev->dev, "%s: rate mask %08x, rateid %02x, sgi %d, size %zi\n",
++ __func__, ramask, rateid, sgi, sizeof(h2c.b_macid_cfg));
+ rtl8xxxu_gen2_h2c_cmd(priv, &h2c, sizeof(h2c.b_macid_cfg));
+ }
+
+--
+2.35.1
+
--- /dev/null
+From f9aefe877b8bfc82e0e45eacca953e624d45f3b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Aug 2022 08:22:32 +0300
+Subject: wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 620d5eaeb9059636864bda83ca1c68c20ede34a5 ]
+
+There some bounds checking to ensure that "map_addr" is not out of
+bounds before the start of the loop. But the checking needs to be
+done as we iterate through the loop because "map_addr" gets larger as
+we iterate.
+
+Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Jes Sorensen <Jes.Sorensen@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/Yv8eGLdBslLAk3Ct@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index c66f0726b253..f3a107f19cf5 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -1878,13 +1878,6 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
+
+ /* We have 8 bits to indicate validity */
+ map_addr = offset * 8;
+- if (map_addr >= EFUSE_MAP_LEN) {
+- dev_warn(dev, "%s: Illegal map_addr (%04x), "
+- "efuse corrupt!\n",
+- __func__, map_addr);
+- ret = -EINVAL;
+- goto exit;
+- }
+ for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) {
+ /* Check word enable condition in the section */
+ if (word_mask & BIT(i)) {
+@@ -1895,6 +1888,13 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
+ ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
+ if (ret)
+ goto exit;
++ if (map_addr >= EFUSE_MAP_LEN - 1) {
++ dev_warn(dev, "%s: Illegal map_addr (%04x), "
++ "efuse corrupt!\n",
++ __func__, map_addr);
++ ret = -EINVAL;
++ goto exit;
++ }
+ priv->efuse_wifi.raw[map_addr++] = val8;
+
+ ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
+--
+2.35.1
+
--- /dev/null
+From b2f2a1b602690f1ec6327441da1f192e92160647 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Aug 2022 19:33:45 +0800
+Subject: wifi: rtlwifi: 8192de: correct checking of IQK reload
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit 93fbc1ebd978cf408ef5765e9c1630fce9a8621b ]
+
+Since IQK could spend time, we make a cache of IQK result matrix that looks
+like iqk_matrix[channel_idx].val[x][y], and we can reload the matrix if we
+have made a cache. To determine a cache is made, we check
+iqk_matrix[channel_idx].val[0][0].
+
+The initial commit 7274a8c22980 ("rtlwifi: rtl8192de: Merge phy routines")
+make a mistake that checks incorrect iqk_matrix[channel_idx].val[0] that
+is always true, and this mistake is found by commit ee3db469dd31
+("wifi: rtlwifi: remove always-true condition pointed out by GCC 12"), so
+I recall the vendor driver to find fix and apply the correctness.
+
+Fixes: 7274a8c22980 ("rtlwifi: rtl8192de: Merge phy routines")
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220801113345.42016-1-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
+index 15e6a6aded31..d18c092b6142 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
+@@ -2386,11 +2386,10 @@ void rtl92d_phy_reload_iqk_setting(struct ieee80211_hw *hw, u8 channel)
+ rtl_dbg(rtlpriv, COMP_SCAN, DBG_LOUD,
+ "Just Read IQK Matrix reg for channel:%d....\n",
+ channel);
+- _rtl92d_phy_patha_fill_iqk_matrix(hw, true,
+- rtlphy->iqk_matrix[
+- indexforchannel].value, 0,
+- (rtlphy->iqk_matrix[
+- indexforchannel].value[0][2] == 0));
++ if (rtlphy->iqk_matrix[indexforchannel].value[0][0] != 0)
++ _rtl92d_phy_patha_fill_iqk_matrix(hw, true,
++ rtlphy->iqk_matrix[indexforchannel].value, 0,
++ rtlphy->iqk_matrix[indexforchannel].value[0][2] == 0);
+ if (IS_92D_SINGLEPHY(rtlhal->version)) {
+ if ((rtlphy->iqk_matrix[
+ indexforchannel].value[0][4] != 0)
+--
+2.35.1
+
--- /dev/null
+From 76796c3a455019ab150b83d9eddbbc1a48611759 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 14:50:00 +0800
+Subject: wifi: rtw88: 8822c: extend supported probe request size
+
+From: Po-Hao Huang <phhuang@realtek.com>
+
+[ Upstream commit d2eb7cb97c7df25df3e3e0f590b5bbf00c66d4c9 ]
+
+Some WSC IEs require size larger than we current supports. Extend size
+to fit those demands. Separate the registered scan IE length by IC so
+settings can be independent.
+
+Since old firmware uses fewer page number, define a firmware feature to
+be compatible with various firmware version.
+
+Signed-off-by: Po-Hao Huang <phhuang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220727065003.28340-2-pkshih@realtek.com
+Stable-dep-of: 93fbc1ebd978 ("wifi: rtlwifi: 8192de: correct checking of IQK reload")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/fw.c | 15 +++++++++----
+ drivers/net/wireless/realtek/rtw88/fw.h | 18 +++++++++++++++-
+ drivers/net/wireless/realtek/rtw88/main.c | 21 ++++++++++++++++++-
+ drivers/net/wireless/realtek/rtw88/main.h | 4 +++-
+ drivers/net/wireless/realtek/rtw88/rtw8723d.c | 3 ++-
+ drivers/net/wireless/realtek/rtw88/rtw8821c.c | 3 ++-
+ drivers/net/wireless/realtek/rtw88/rtw8822b.c | 3 ++-
+ drivers/net/wireless/realtek/rtw88/rtw8822c.c | 3 ++-
+ 8 files changed, 59 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/fw.c b/drivers/net/wireless/realtek/rtw88/fw.c
+index 4fdab0329695..efa51b2f5302 100644
+--- a/drivers/net/wireless/realtek/rtw88/fw.c
++++ b/drivers/net/wireless/realtek/rtw88/fw.c
+@@ -1844,13 +1844,20 @@ static int _rtw_hw_scan_update_probe_req(struct rtw_dev *rtwdev, u8 num_probes,
+ struct rtw_chip_info *chip = rtwdev->chip;
+ struct sk_buff *skb, *tmp;
+ u8 page_offset = 1, *buf, page_size = chip->page_size;
+- u8 pages = page_offset + num_probes * RTW_PROBE_PG_CNT;
+ u16 pg_addr = rtwdev->fifo.rsvd_h2c_info_addr, loc;
+ u16 buf_offset = page_size * page_offset;
+ u8 tx_desc_sz = chip->tx_pkt_desc_sz;
++ u8 page_cnt, pages;
+ unsigned int pkt_len;
+ int ret;
+
++ if (rtw_fw_feature_ext_check(&rtwdev->fw, FW_FEATURE_EXT_OLD_PAGE_NUM))
++ page_cnt = RTW_OLD_PROBE_PG_CNT;
++ else
++ page_cnt = RTW_PROBE_PG_CNT;
++
++ pages = page_offset + num_probes * page_cnt;
++
+ buf = kzalloc(page_size * pages, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+@@ -1859,7 +1866,7 @@ static int _rtw_hw_scan_update_probe_req(struct rtw_dev *rtwdev, u8 num_probes,
+ skb_queue_walk_safe(probe_req_list, skb, tmp) {
+ skb_unlink(skb, probe_req_list);
+ rtw_fill_rsvd_page_desc(rtwdev, skb, RSVD_PROBE_REQ);
+- if (skb->len > page_size * RTW_PROBE_PG_CNT) {
++ if (skb->len > page_size * page_cnt) {
+ ret = -EINVAL;
+ goto out;
+ }
+@@ -1869,8 +1876,8 @@ static int _rtw_hw_scan_update_probe_req(struct rtw_dev *rtwdev, u8 num_probes,
+ loc = pg_addr - rtwdev->fifo.rsvd_boundary + page_offset;
+ __rtw_fw_update_pkt(rtwdev, RTW_PACKET_PROBE_REQ, pkt_len, loc);
+
+- buf_offset += RTW_PROBE_PG_CNT * page_size;
+- page_offset += RTW_PROBE_PG_CNT;
++ buf_offset += page_cnt * page_size;
++ page_offset += page_cnt;
+ kfree_skb(skb);
+ }
+
+diff --git a/drivers/net/wireless/realtek/rtw88/fw.h b/drivers/net/wireless/realtek/rtw88/fw.h
+index 7a37675c61e8..bd3b9318b243 100644
+--- a/drivers/net/wireless/realtek/rtw88/fw.h
++++ b/drivers/net/wireless/realtek/rtw88/fw.h
+@@ -41,7 +41,8 @@
+ #define RTW_EX_CH_INFO_HDR_SIZE 2
+ #define RTW_SCAN_WIDTH 0
+ #define RTW_PRI_CH_IDX 1
+-#define RTW_PROBE_PG_CNT 2
++#define RTW_OLD_PROBE_PG_CNT 2
++#define RTW_PROBE_PG_CNT 4
+
+ enum rtw_c2h_cmd_id {
+ C2H_CCX_TX_RPT = 0x03,
+@@ -120,6 +121,10 @@ enum rtw_fw_feature {
+ FW_FEATURE_MAX = BIT(31),
+ };
+
++enum rtw_fw_feature_ext {
++ FW_FEATURE_EXT_OLD_PAGE_NUM = BIT(0),
++};
++
+ enum rtw_beacon_filter_offload_mode {
+ BCN_FILTER_OFFLOAD_MODE_0 = 0,
+ BCN_FILTER_OFFLOAD_MODE_1,
+@@ -323,6 +328,11 @@ struct rtw_fw_hdr_legacy {
+ __le32 rsvd5;
+ } __packed;
+
++#define RTW_FW_VER_CODE(ver, sub_ver, idx) \
++ (((ver) << 16) | ((sub_ver) << 8) | (idx))
++#define RTW_FW_SUIT_VER_CODE(s) \
++ RTW_FW_VER_CODE((s).version, (s).sub_version, (s).sub_index)
++
+ /* C2H */
+ #define GET_CCX_REPORT_SEQNUM_V0(c2h_payload) (c2h_payload[6] & 0xfc)
+ #define GET_CCX_REPORT_STATUS_V0(c2h_payload) (c2h_payload[0] & 0xc0)
+@@ -770,6 +780,12 @@ static inline bool rtw_fw_feature_check(struct rtw_fw_state *fw,
+ return !!(fw->feature & feature);
+ }
+
++static inline bool rtw_fw_feature_ext_check(struct rtw_fw_state *fw,
++ enum rtw_fw_feature_ext feature)
++{
++ return !!(fw->feature_ext & feature);
++}
++
+ void rtw_fw_c2h_cmd_rx_irqsafe(struct rtw_dev *rtwdev, u32 pkt_offset,
+ struct sk_buff *skb);
+ void rtw_fw_c2h_cmd_handle(struct rtw_dev *rtwdev, struct sk_buff *skb);
+diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
+index 76dc9da88f6c..41458dff5422 100644
+--- a/drivers/net/wireless/realtek/rtw88/main.c
++++ b/drivers/net/wireless/realtek/rtw88/main.c
+@@ -1552,6 +1552,21 @@ static void rtw_init_vht_cap(struct rtw_dev *rtwdev,
+ vht_cap->vht_mcs.tx_highest = highest;
+ }
+
++static u16 rtw_get_max_scan_ie_len(struct rtw_dev *rtwdev)
++{
++ u16 len;
++
++ len = rtwdev->chip->max_scan_ie_len;
++
++ if (!rtw_fw_feature_check(&rtwdev->fw, FW_FEATURE_SCAN_OFFLOAD) &&
++ rtwdev->chip->id == RTW_CHIP_TYPE_8822C)
++ len = IEEE80211_MAX_DATA_LEN;
++ else if (rtw_fw_feature_ext_check(&rtwdev->fw, FW_FEATURE_EXT_OLD_PAGE_NUM))
++ len -= RTW_OLD_PROBE_PG_CNT * TX_PAGE_SIZE;
++
++ return len;
++}
++
+ static void rtw_set_supported_band(struct ieee80211_hw *hw,
+ struct rtw_chip_info *chip)
+ {
+@@ -1631,6 +1646,10 @@ static void __update_firmware_feature(struct rtw_dev *rtwdev,
+
+ feature = le32_to_cpu(fw_hdr->feature);
+ fw->feature = feature & FW_FEATURE_SIG ? feature : 0;
++
++ if (rtwdev->chip->id == RTW_CHIP_TYPE_8822C &&
++ RTW_FW_SUIT_VER_CODE(rtwdev->fw) < RTW_FW_VER_CODE(9, 9, 13))
++ fw->feature_ext |= FW_FEATURE_EXT_OLD_PAGE_NUM;
+ }
+
+ static void __update_firmware_info(struct rtw_dev *rtwdev,
+@@ -2136,7 +2155,7 @@ int rtw_register_hw(struct rtw_dev *rtwdev, struct ieee80211_hw *hw)
+
+ hw->wiphy->features |= NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
+ hw->wiphy->max_scan_ssids = RTW_SCAN_MAX_SSIDS;
+- hw->wiphy->max_scan_ie_len = RTW_SCAN_MAX_IE_LEN;
++ hw->wiphy->max_scan_ie_len = rtw_get_max_scan_ie_len(rtwdev);
+
+ wiphy_ext_feature_set(hw->wiphy, NL80211_EXT_FEATURE_CAN_REPLACE_PTK0);
+ wiphy_ext_feature_set(hw->wiphy, NL80211_EXT_FEATURE_SCAN_RANDOM_SN);
+diff --git a/drivers/net/wireless/realtek/rtw88/main.h b/drivers/net/wireless/realtek/rtw88/main.h
+index 7db627fc26be..69d0a700c2ae 100644
+--- a/drivers/net/wireless/realtek/rtw88/main.h
++++ b/drivers/net/wireless/realtek/rtw88/main.h
+@@ -22,7 +22,6 @@
+ #define MAX_PG_CAM_BACKUP_NUM 8
+
+ #define RTW_SCAN_MAX_SSIDS 4
+-#define RTW_SCAN_MAX_IE_LEN 128
+
+ #define RTW_MAX_PATTERN_NUM 12
+ #define RTW_MAX_PATTERN_MASK_SIZE 16
+@@ -33,6 +32,7 @@
+ #define RFREG_MASK 0xfffff
+ #define INV_RF_DATA 0xffffffff
+ #define TX_PAGE_SIZE_SHIFT 7
++#define TX_PAGE_SIZE (1 << TX_PAGE_SIZE_SHIFT)
+
+ #define RTW_CHANNEL_WIDTH_MAX 3
+ #define RTW_RF_PATH_MAX 4
+@@ -1232,6 +1232,7 @@ struct rtw_chip_info {
+ const char *wow_fw_name;
+ const struct wiphy_wowlan_support *wowlan_stub;
+ const u8 max_sched_scan_ssids;
++ const u16 max_scan_ie_len;
+
+ /* coex paras */
+ u32 coex_para_ver;
+@@ -1853,6 +1854,7 @@ struct rtw_fw_state {
+ u8 sub_index;
+ u16 h2c_version;
+ u32 feature;
++ u32 feature_ext;
+ };
+
+ enum rtw_sar_sources {
+diff --git a/drivers/net/wireless/realtek/rtw88/rtw8723d.c b/drivers/net/wireless/realtek/rtw88/rtw8723d.c
+index 993bd6b1d723..0a4f770fcbb7 100644
+--- a/drivers/net/wireless/realtek/rtw88/rtw8723d.c
++++ b/drivers/net/wireless/realtek/rtw88/rtw8723d.c
+@@ -2720,7 +2720,7 @@ const struct rtw_chip_info rtw8723d_hw_spec = {
+ .max_power_index = 0x3f,
+ .csi_buf_pg_num = 0,
+ .band = RTW_BAND_2G,
+- .page_size = 128,
++ .page_size = TX_PAGE_SIZE,
+ .dig_min = 0x20,
+ .ht_supported = true,
+ .vht_supported = false,
+@@ -2748,6 +2748,7 @@ const struct rtw_chip_info rtw8723d_hw_spec = {
+ .pwr_track_tbl = &rtw8723d_rtw_pwr_track_tbl,
+ .iqk_threshold = 8,
+ .ampdu_density = IEEE80211_HT_MPDU_DENSITY_16,
++ .max_scan_ie_len = IEEE80211_MAX_DATA_LEN,
+
+ .coex_para_ver = 0x2007022f,
+ .bt_desired_ver = 0x2f,
+diff --git a/drivers/net/wireless/realtek/rtw88/rtw8821c.c b/drivers/net/wireless/realtek/rtw88/rtw8821c.c
+index 025262a8970e..9afdc5ce86b4 100644
+--- a/drivers/net/wireless/realtek/rtw88/rtw8821c.c
++++ b/drivers/net/wireless/realtek/rtw88/rtw8821c.c
+@@ -1898,7 +1898,7 @@ const struct rtw_chip_info rtw8821c_hw_spec = {
+ .max_power_index = 0x3f,
+ .csi_buf_pg_num = 0,
+ .band = RTW_BAND_2G | RTW_BAND_5G,
+- .page_size = 128,
++ .page_size = TX_PAGE_SIZE,
+ .dig_min = 0x1c,
+ .ht_supported = true,
+ .vht_supported = true,
+@@ -1926,6 +1926,7 @@ const struct rtw_chip_info rtw8821c_hw_spec = {
+ .bfer_su_max_num = 2,
+ .bfer_mu_max_num = 1,
+ .ampdu_density = IEEE80211_HT_MPDU_DENSITY_2,
++ .max_scan_ie_len = IEEE80211_MAX_DATA_LEN,
+
+ .coex_para_ver = 0x19092746,
+ .bt_desired_ver = 0x46,
+diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822b.c b/drivers/net/wireless/realtek/rtw88/rtw8822b.c
+index 321848870561..690e35c98f6e 100644
+--- a/drivers/net/wireless/realtek/rtw88/rtw8822b.c
++++ b/drivers/net/wireless/realtek/rtw88/rtw8822b.c
+@@ -2517,7 +2517,7 @@ const struct rtw_chip_info rtw8822b_hw_spec = {
+ .max_power_index = 0x3f,
+ .csi_buf_pg_num = 0,
+ .band = RTW_BAND_2G | RTW_BAND_5G,
+- .page_size = 128,
++ .page_size = TX_PAGE_SIZE,
+ .dig_min = 0x1c,
+ .ht_supported = true,
+ .vht_supported = true,
+@@ -2549,6 +2549,7 @@ const struct rtw_chip_info rtw8822b_hw_spec = {
+ .l2h_th_ini_cs = 10 + EDCCA_IGI_BASE,
+ .l2h_th_ini_ad = -14 + EDCCA_IGI_BASE,
+ .ampdu_density = IEEE80211_HT_MPDU_DENSITY_2,
++ .max_scan_ie_len = IEEE80211_MAX_DATA_LEN,
+
+ .coex_para_ver = 0x20070206,
+ .bt_desired_ver = 0x6,
+diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822c.c b/drivers/net/wireless/realtek/rtw88/rtw8822c.c
+index 09f9e4adcf34..fccb15dfb959 100644
+--- a/drivers/net/wireless/realtek/rtw88/rtw8822c.c
++++ b/drivers/net/wireless/realtek/rtw88/rtw8822c.c
+@@ -5330,7 +5330,7 @@ const struct rtw_chip_info rtw8822c_hw_spec = {
+ .max_power_index = 0x7f,
+ .csi_buf_pg_num = 50,
+ .band = RTW_BAND_2G | RTW_BAND_5G,
+- .page_size = 128,
++ .page_size = TX_PAGE_SIZE,
+ .dig_min = 0x20,
+ .default_1ss_tx_path = BB_PATH_A,
+ .path_div_supported = true,
+@@ -5375,6 +5375,7 @@ const struct rtw_chip_info rtw8822c_hw_spec = {
+ .wowlan_stub = &rtw_wowlan_stub_8822c,
+ .max_sched_scan_ssids = 4,
+ #endif
++ .max_scan_ie_len = (RTW_PROBE_PG_CNT - 1) * TX_PAGE_SIZE,
+ .coex_para_ver = 0x22020720,
+ .bt_desired_ver = 0x20,
+ .scbd_support = true,
+--
+2.35.1
+
--- /dev/null
+From 84a4efbfb4c0a1f51090a048d38287f912c36218 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 10:38:17 +0800
+Subject: wifi: rtw88: add missing destroy_workqueue() on error path in
+ rtw_core_init()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit b0ea758b30bbdf7c4323c78b7c50c05d2e1224d5 ]
+
+Add the missing destroy_workqueue() before return from rtw_core_init()
+in error path.
+
+Fixes: fe101716c7c9 ("rtw88: replace tx tasklet with work queue")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220826023817.3908255-1-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/main.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
+index 41458dff5422..65897993e75d 100644
+--- a/drivers/net/wireless/realtek/rtw88/main.c
++++ b/drivers/net/wireless/realtek/rtw88/main.c
+@@ -2064,7 +2064,7 @@ int rtw_core_init(struct rtw_dev *rtwdev)
+ ret = rtw_load_firmware(rtwdev, RTW_NORMAL_FW);
+ if (ret) {
+ rtw_warn(rtwdev, "no firmware loaded\n");
+- return ret;
++ goto out;
+ }
+
+ if (chip->wow_fw_name) {
+@@ -2074,11 +2074,15 @@ int rtw_core_init(struct rtw_dev *rtwdev)
+ wait_for_completion(&rtwdev->fw.completion);
+ if (rtwdev->fw.firmware)
+ release_firmware(rtwdev->fw.firmware);
+- return ret;
++ goto out;
+ }
+ }
+
+ return 0;
++
++out:
++ destroy_workqueue(rtwdev->tx_wq);
++ return ret;
+ }
+ EXPORT_SYMBOL(rtw_core_init);
+
+--
+2.35.1
+
--- /dev/null
+From 2714944b5a876ccb56cd7ddd6462e949a4087a90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jul 2022 14:50:03 +0800
+Subject: wifi: rtw88: phy: fix warning of possible buffer overflow
+
+From: Zong-Zhe Yang <kevin_yang@realtek.com>
+
+[ Upstream commit 86331c7e0cd819bf0c1d0dcf895e0c90b0aa9a6f ]
+
+reported by smatch
+
+phy.c:854 rtw_phy_linear_2_db() error: buffer overflow 'db_invert_table[i]'
+8 <= 8 (assuming for loop doesn't break)
+
+However, it seems to be a false alarm because we prevent it originally via
+ if (linear >= db_invert_table[11][7])
+ return 96; /* maximum 96 dB */
+
+Still, we adjust the code to be more readable and avoid smatch warning.
+
+Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220727065003.28340-5-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/phy.c | 21 ++++++++-------------
+ 1 file changed, 8 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/phy.c b/drivers/net/wireless/realtek/rtw88/phy.c
+index 8982e0c98dac..da1efec0aa85 100644
+--- a/drivers/net/wireless/realtek/rtw88/phy.c
++++ b/drivers/net/wireless/realtek/rtw88/phy.c
+@@ -816,23 +816,18 @@ static u8 rtw_phy_linear_2_db(u64 linear)
+ u8 j;
+ u32 dB;
+
+- if (linear >= db_invert_table[11][7])
+- return 96; /* maximum 96 dB */
+-
+ for (i = 0; i < 12; i++) {
+- if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][7])
+- break;
+- else if (i > 2 && linear <= db_invert_table[i][7])
+- break;
++ for (j = 0; j < 8; j++) {
++ if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][j])
++ goto cnt;
++ else if (i > 2 && linear <= db_invert_table[i][j])
++ goto cnt;
++ }
+ }
+
+- for (j = 0; j < 8; j++) {
+- if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][j])
+- break;
+- else if (i > 2 && linear <= db_invert_table[i][j])
+- break;
+- }
++ return 96; /* maximum 96 dB */
+
++cnt:
+ if (j == 0 && i == 0)
+ goto end;
+
+--
+2.35.1
+
--- /dev/null
+From 47768720a8cd2146ab89d082738927720285be59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 11:38:10 +0800
+Subject: wifi: rtw89: fix rx filter after scan
+
+From: Po-Hao Huang <phhuang@realtek.com>
+
+[ Upstream commit 812825c2b204c491f1a5586c602e4ac75060493a ]
+
+In monitor mode we should be able to received all packets even if it's not
+destined to us. But after scan, the configuration was wrongly set, so we
+fix it.
+
+Signed-off-by: Po-Hao Huang <phhuang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220916033811.13862-7-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/fw.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c
+index 6473015a6b2a..c993fe9cf6b4 100644
+--- a/drivers/net/wireless/realtek/rtw89/fw.c
++++ b/drivers/net/wireless/realtek/rtw89/fw.c
+@@ -2289,6 +2289,7 @@ void rtw89_hw_scan_start(struct rtw89_dev *rtwdev, struct ieee80211_vif *vif,
+ {
+ struct rtw89_vif *rtwvif = (struct rtw89_vif *)vif->drv_priv;
+ struct cfg80211_scan_request *req = &scan_req->req;
++ u32 rx_fltr = rtwdev->hal.rx_fltr;
+ u8 mac_addr[ETH_ALEN];
+
+ rtwdev->scan_info.scanning_vif = vif;
+@@ -2303,13 +2304,13 @@ void rtw89_hw_scan_start(struct rtw89_dev *rtwdev, struct ieee80211_vif *vif,
+ ether_addr_copy(mac_addr, vif->addr);
+ rtw89_core_scan_start(rtwdev, rtwvif, mac_addr, true);
+
+- rtwdev->hal.rx_fltr &= ~B_AX_A_BCN_CHK_EN;
+- rtwdev->hal.rx_fltr &= ~B_AX_A_BC;
+- rtwdev->hal.rx_fltr &= ~B_AX_A_A1_MATCH;
++ rx_fltr &= ~B_AX_A_BCN_CHK_EN;
++ rx_fltr &= ~B_AX_A_BC;
++ rx_fltr &= ~B_AX_A_A1_MATCH;
+ rtw89_write32_mask(rtwdev,
+ rtw89_mac_reg_by_idx(R_AX_RX_FLTR_OPT, RTW89_MAC_0),
+ B_AX_RX_FLTR_CFG_MASK,
+- rtwdev->hal.rx_fltr);
++ rx_fltr);
+ }
+
+ void rtw89_hw_scan_complete(struct rtw89_dev *rtwdev, struct ieee80211_vif *vif,
+@@ -2323,9 +2324,6 @@ void rtw89_hw_scan_complete(struct rtw89_dev *rtwdev, struct ieee80211_vif *vif,
+ if (!vif)
+ return;
+
+- rtwdev->hal.rx_fltr |= B_AX_A_BCN_CHK_EN;
+- rtwdev->hal.rx_fltr |= B_AX_A_BC;
+- rtwdev->hal.rx_fltr |= B_AX_A_A1_MATCH;
+ rtw89_write32_mask(rtwdev,
+ rtw89_mac_reg_by_idx(R_AX_RX_FLTR_OPT, RTW89_MAC_0),
+ B_AX_RX_FLTR_CFG_MASK,
+--
+2.35.1
+
--- /dev/null
+From e6763722ccee86e9781f06e29abaafe893054529 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Sep 2022 11:38:09 +0800
+Subject: wifi: rtw89: free unused skb to prevent memory leak
+
+From: Po-Hao Huang <phhuang@realtek.com>
+
+[ Upstream commit eae672f386049146058b9e5d3d33e9e4af9dca1d ]
+
+This avoid potential memory leak under power saving mode.
+
+Signed-off-by: Po-Hao Huang <phhuang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220916033811.13862-6-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
+index a5880a54812e..8b338e5ce364 100644
+--- a/drivers/net/wireless/realtek/rtw89/core.c
++++ b/drivers/net/wireless/realtek/rtw89/core.c
+@@ -872,6 +872,7 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwdev,
+ rtw89_debug(rtwdev, RTW89_DBG_FW,
+ "ignore h2c due to power is off with firmware state=%d\n",
+ test_bit(RTW89_FLAG_FW_RDY, rtwdev->flags));
++ dev_kfree_skb(skb);
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 580b74c7195568f0103fdb5622505d63b04fdb83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Aug 2022 14:33:12 +0800
+Subject: wifi: rtw89: pci: correct TX resource checking in low power mode
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit 4a29213cd775cabcbe395229d175903accedbb9d ]
+
+Number of TX resource must be minimum of TX_BD and TX_WD. Only considering
+TX_BD could drop TX packets pulled from mac80211 if TX_WD is unavailable.
+
+Fixes: 52edbb9fb78a ("rtw89: ps: access TX/RX rings via another registers in low power mode")
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220824063312.15784-2-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c
+index 8a093e1cb328..7bb1b494c5d1 100644
+--- a/drivers/net/wireless/realtek/rtw89/pci.c
++++ b/drivers/net/wireless/realtek/rtw89/pci.c
+@@ -926,10 +926,12 @@ u32 __rtw89_pci_check_and_reclaim_tx_resource_noio(struct rtw89_dev *rtwdev,
+ {
+ struct rtw89_pci *rtwpci = (struct rtw89_pci *)rtwdev->priv;
+ struct rtw89_pci_tx_ring *tx_ring = &rtwpci->tx_rings[txch];
++ struct rtw89_pci_tx_wd_ring *wd_ring = &tx_ring->wd_ring;
+ u32 cnt;
+
+ spin_lock_bh(&rtwpci->trx_lock);
+ cnt = rtw89_pci_get_avail_txbd_num(tx_ring);
++ cnt = min(cnt, wd_ring->curr_num);
+ spin_unlock_bh(&rtwpci->trx_lock);
+
+ return cnt;
+--
+2.35.1
+
--- /dev/null
+From 260653f7fb9228d7d844848220c7fb0af9dd4ac5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Aug 2022 14:33:11 +0800
+Subject: wifi: rtw89: pci: fix interrupt stuck after leaving low power mode
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit b7e715d3dcd2e9fa3a689ba0dd7ab85f8aaf6e9a ]
+
+We turn off interrupt in ISR, and re-enable interrupt in threadfn or
+napi_poll according to the mode it stays. If we are turning off interrupt,
+rtwpci->running flag is unset and interrupt handler stop processing even
+if it was called, so disallow to re-enable interrupt in this situation.
+Or, wifi chip doesn't trigger interrupt events anymore because interrupt
+status (ISR) isn't clear by interrupt handler anymore.
+
+Fixes: c83dcd0508e2 ("rtw89: pci: add a separate interrupt handler for low power mode")
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220824063312.15784-1-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c
+index c68fec9eb5a6..8a093e1cb328 100644
+--- a/drivers/net/wireless/realtek/rtw89/pci.c
++++ b/drivers/net/wireless/realtek/rtw89/pci.c
+@@ -760,7 +760,8 @@ static irqreturn_t rtw89_pci_interrupt_threadfn(int irq, void *dev)
+
+ enable_intr:
+ spin_lock_irqsave(&rtwpci->irq_lock, flags);
+- rtw89_chip_enable_intr(rtwdev, rtwpci);
++ if (likely(rtwpci->running))
++ rtw89_chip_enable_intr(rtwdev, rtwpci);
+ spin_unlock_irqrestore(&rtwpci->irq_lock, flags);
+ return IRQ_HANDLED;
+ }
+--
+2.35.1
+
--- /dev/null
+From 64ac376757a3629154d7e6d06832ff6990c1eb43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Aug 2022 08:23:43 +0300
+Subject: wifi: wfx: prevent underflow in wfx_send_pds()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit f97c81f5b7f8047810b0d79a8f759a83951210a0 ]
+
+This does a "chunk_len - 4" subtraction later when it calls:
+
+ ret = wfx_hif_configuration(wdev, buf + 4, chunk_len - 4);
+
+so check for "chunk_len" is less than 4.
+
+Fixes: dcbecb497908 ("staging: wfx: allow new PDS format")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Jérôme Pouiller <jerome.pouiller@silabs.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/Yv8eX7Xv2ubUOvW7@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/silabs/wfx/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/silabs/wfx/main.c b/drivers/net/wireless/silabs/wfx/main.c
+index e015bfb8d221..84d82ddded56 100644
+--- a/drivers/net/wireless/silabs/wfx/main.c
++++ b/drivers/net/wireless/silabs/wfx/main.c
+@@ -181,7 +181,7 @@ int wfx_send_pds(struct wfx_dev *wdev, u8 *buf, size_t len)
+ while (len > 0) {
+ chunk_type = get_unaligned_le16(buf + 0);
+ chunk_len = get_unaligned_le16(buf + 2);
+- if (chunk_len > len) {
++ if (chunk_len < 4 || chunk_len > len) {
+ dev_err(wdev->dev, "PDS:%d: corrupted file\n", chunk_num);
+ return -EINVAL;
+ }
+--
+2.35.1
+
--- /dev/null
+From 4e0757b5c11356b26506eb8f2743f856363dc66c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 16:19:42 -0700
+Subject: x86/apic: Don't disable x2APIC if locked
+
+From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
+
+[ Upstream commit b8d1d163604bd1e600b062fb00de5dc42baa355f ]
+
+The APIC supports two modes, legacy APIC (or xAPIC), and Extended APIC
+(or x2APIC). X2APIC mode is mostly compatible with legacy APIC, but
+it disables the memory-mapped APIC interface in favor of one that uses
+MSRs. The APIC mode is controlled by the EXT bit in the APIC MSR.
+
+The MMIO/xAPIC interface has some problems, most notably the APIC LEAK
+[1]. This bug allows an attacker to use the APIC MMIO interface to
+extract data from the SGX enclave.
+
+Introduce support for a new feature that will allow the BIOS to lock
+the APIC in x2APIC mode. If the APIC is locked in x2APIC mode and the
+kernel tries to disable the APIC or revert to legacy APIC mode a GP
+fault will occur.
+
+Introduce support for a new MSR (IA32_XAPIC_DISABLE_STATUS) and handle
+the new locked mode when the LEGACY_XAPIC_DISABLED bit is set by
+preventing the kernel from trying to disable the x2APIC.
+
+On platforms with the IA32_XAPIC_DISABLE_STATUS MSR, if SGX or TDX are
+enabled the LEGACY_XAPIC_DISABLED will be set by the BIOS. If
+legacy APIC is required, then it SGX and TDX need to be disabled in the
+BIOS.
+
+[1]: https://aepicleak.com/aepicleak.pdf
+
+Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
+Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
+Link: https://lkml.kernel.org/r/20220816231943.1152579-1-daniel.sneddon@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../admin-guide/kernel-parameters.txt | 4 ++
+ arch/x86/Kconfig | 7 ++-
+ arch/x86/include/asm/cpu.h | 2 +
+ arch/x86/include/asm/msr-index.h | 13 ++++++
+ arch/x86/kernel/apic/apic.c | 44 +++++++++++++++++--
+ 5 files changed, 65 insertions(+), 5 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index 426fa892d311..2bc11a61c4d0 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -3805,6 +3805,10 @@
+
+ nox2apic [X86-64,APIC] Do not enable x2APIC mode.
+
++ NOTE: this parameter will be ignored on systems with the
++ LEGACY_XAPIC_DISABLED bit set in the
++ IA32_XAPIC_DISABLE_STATUS MSR.
++
+ nps_mtm_hs_ctr= [KNL,ARC]
+ This parameter sets the maximum duration, in
+ cycles, each HW thread of the CTOP can run
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index f9920f1341c8..159c025ebb03 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -448,6 +448,11 @@ config X86_X2APIC
+ This allows 32-bit apic IDs (so it can support very large systems),
+ and accesses the local apic via MSRs not via mmio.
+
++ Some Intel systems circa 2022 and later are locked into x2APIC mode
++ and can not fall back to the legacy APIC modes if SGX or TDX are
++ enabled in the BIOS. They will be unable to boot without enabling
++ this option.
++
+ If you don't know what to do here, say N.
+
+ config X86_MPPARSE
+@@ -1919,7 +1924,7 @@ endchoice
+
+ config X86_SGX
+ bool "Software Guard eXtensions (SGX)"
+- depends on X86_64 && CPU_SUP_INTEL
++ depends on X86_64 && CPU_SUP_INTEL && X86_X2APIC
+ depends on CRYPTO=y
+ depends on CRYPTO_SHA256=y
+ select SRCU
+diff --git a/arch/x86/include/asm/cpu.h b/arch/x86/include/asm/cpu.h
+index 8cbf623f0ecf..b472ef76826a 100644
+--- a/arch/x86/include/asm/cpu.h
++++ b/arch/x86/include/asm/cpu.h
+@@ -94,4 +94,6 @@ static inline bool intel_cpu_signatures_match(unsigned int s1, unsigned int p1,
+ return p1 & p2;
+ }
+
++extern u64 x86_read_arch_cap_msr(void);
++
+ #endif /* _ASM_X86_CPU_H */
+diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
+index 6674bdb096f3..1e086b37a307 100644
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -155,6 +155,11 @@
+ * Return Stack Buffer Predictions.
+ */
+
++#define ARCH_CAP_XAPIC_DISABLE BIT(21) /*
++ * IA32_XAPIC_DISABLE_STATUS MSR
++ * supported
++ */
++
+ #define MSR_IA32_FLUSH_CMD 0x0000010b
+ #define L1D_FLUSH BIT(0) /*
+ * Writeback and invalidate the
+@@ -1054,4 +1059,12 @@
+ #define MSR_IA32_HW_FEEDBACK_PTR 0x17d0
+ #define MSR_IA32_HW_FEEDBACK_CONFIG 0x17d1
+
++/* x2APIC locked status */
++#define MSR_IA32_XAPIC_DISABLE_STATUS 0xBD
++#define LEGACY_XAPIC_DISABLED BIT(0) /*
++ * x2APIC mode is locked and
++ * disabling x2APIC will cause
++ * a #GP
++ */
++
+ #endif /* _ASM_X86_MSR_INDEX_H */
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index 6d303d1d276c..c6876d3ea4b1 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -61,6 +61,7 @@
+ #include <asm/cpu_device_id.h>
+ #include <asm/intel-family.h>
+ #include <asm/irq_regs.h>
++#include <asm/cpu.h>
+
+ unsigned int num_processors;
+
+@@ -1751,11 +1752,26 @@ EXPORT_SYMBOL_GPL(x2apic_mode);
+
+ enum {
+ X2APIC_OFF,
+- X2APIC_ON,
+ X2APIC_DISABLED,
++ /* All states below here have X2APIC enabled */
++ X2APIC_ON,
++ X2APIC_ON_LOCKED
+ };
+ static int x2apic_state;
+
++static bool x2apic_hw_locked(void)
++{
++ u64 ia32_cap;
++ u64 msr;
++
++ ia32_cap = x86_read_arch_cap_msr();
++ if (ia32_cap & ARCH_CAP_XAPIC_DISABLE) {
++ rdmsrl(MSR_IA32_XAPIC_DISABLE_STATUS, msr);
++ return (msr & LEGACY_XAPIC_DISABLED);
++ }
++ return false;
++}
++
+ static void __x2apic_disable(void)
+ {
+ u64 msr;
+@@ -1793,6 +1809,10 @@ static int __init setup_nox2apic(char *str)
+ apicid);
+ return 0;
+ }
++ if (x2apic_hw_locked()) {
++ pr_warn("APIC locked in x2apic mode, can't disable\n");
++ return 0;
++ }
+ pr_warn("x2apic already enabled.\n");
+ __x2apic_disable();
+ }
+@@ -1807,10 +1827,18 @@ early_param("nox2apic", setup_nox2apic);
+ void x2apic_setup(void)
+ {
+ /*
+- * If x2apic is not in ON state, disable it if already enabled
++ * Try to make the AP's APIC state match that of the BSP, but if the
++ * BSP is unlocked and the AP is locked then there is a state mismatch.
++ * Warn about the mismatch in case a GP fault occurs due to a locked AP
++ * trying to be turned off.
++ */
++ if (x2apic_state != X2APIC_ON_LOCKED && x2apic_hw_locked())
++ pr_warn("x2apic lock mismatch between BSP and AP.\n");
++ /*
++ * If x2apic is not in ON or LOCKED state, disable it if already enabled
+ * from BIOS.
+ */
+- if (x2apic_state != X2APIC_ON) {
++ if (x2apic_state < X2APIC_ON) {
+ __x2apic_disable();
+ return;
+ }
+@@ -1831,6 +1859,11 @@ static __init void x2apic_disable(void)
+ if (x2apic_id >= 255)
+ panic("Cannot disable x2apic, id: %08x\n", x2apic_id);
+
++ if (x2apic_hw_locked()) {
++ pr_warn("Cannot disable locked x2apic, id: %08x\n", x2apic_id);
++ return;
++ }
++
+ __x2apic_disable();
+ register_lapic_address(mp_lapic_addr);
+ }
+@@ -1889,7 +1922,10 @@ void __init check_x2apic(void)
+ if (x2apic_enabled()) {
+ pr_info("x2apic: enabled by BIOS, switching to x2apic ops\n");
+ x2apic_mode = 1;
+- x2apic_state = X2APIC_ON;
++ if (x2apic_hw_locked())
++ x2apic_state = X2APIC_ON_LOCKED;
++ else
++ x2apic_state = X2APIC_ON;
+ } else if (!boot_cpu_has(X86_FEATURE_X2APIC)) {
+ x2apic_state = X2APIC_DISABLED;
+ }
+--
+2.35.1
+
--- /dev/null
+From a40bc07edf5c31315fcce431a19217799f69ec28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jul 2022 12:23:58 +0800
+Subject: x86/boot: Remove superfluous type casting from arch/x86/boot/bitops.h
+
+From: Li kunyu <kunyu@nfschina.com>
+
+[ Upstream commit 039f0e054a29d06970892240d70143150d2aaec2 ]
+
+'const void *' will auto-type-convert to just about any other const
+pointer type, no need to force it.
+
+ [ mingo: Rewrote the changelog. ]
+
+Signed-off-by: Li kunyu <kunyu@nfschina.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lore.kernel.org/r/20220725042358.3377-1-kunyu@nfschina.com
+Stable-dep-of: 30ea703a38ef ("x86/cpu: Include the header of init_ia32_feat_ctl()'s prototype")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/boot/bitops.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/boot/bitops.h b/arch/x86/boot/bitops.h
+index 02e1dea11d94..8518ae214c9b 100644
+--- a/arch/x86/boot/bitops.h
++++ b/arch/x86/boot/bitops.h
+@@ -19,13 +19,13 @@
+
+ static inline bool constant_test_bit(int nr, const void *addr)
+ {
+- const u32 *p = (const u32 *)addr;
++ const u32 *p = addr;
+ return ((1UL << (nr & 31)) & (p[nr >> 5])) != 0;
+ }
+ static inline bool variable_test_bit(int nr, const void *addr)
+ {
+ bool v;
+- const u32 *p = (const u32 *)addr;
++ const u32 *p = addr;
+
+ asm("btl %2,%1" CC_SET(c) : CC_OUT(c) (v) : "m" (*p), "Ir" (nr));
+ return v;
+--
+2.35.1
+
--- /dev/null
+From 4b1bb99504a8f5b4c69eef6739dc76a11e19b1eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Sep 2022 17:00:54 -0300
+Subject: x86/cpu: Include the header of init_ia32_feat_ctl()'s prototype
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Luciano Leão <lucianorsleao@gmail.com>
+
+[ Upstream commit 30ea703a38ef76ca119673cd8bdd05c6e068e2ac ]
+
+Include the header containing the prototype of init_ia32_feat_ctl(),
+solving the following warning:
+
+ $ make W=1 arch/x86/kernel/cpu/feat_ctl.o
+ arch/x86/kernel/cpu/feat_ctl.c:112:6: warning: no previous prototype for ‘init_ia32_feat_ctl’ [-Wmissing-prototypes]
+ 112 | void init_ia32_feat_ctl(struct cpuinfo_x86 *c)
+
+This warning appeared after commit
+
+ 5d5103595e9e5 ("x86/cpu: Reinitialize IA32_FEAT_CTL MSR on BSP during wakeup")
+
+had moved the function init_ia32_feat_ctl()'s prototype from
+arch/x86/kernel/cpu/cpu.h to arch/x86/include/asm/cpu.h.
+
+Note that, before the commit mentioned above, the header include "cpu.h"
+(arch/x86/kernel/cpu/cpu.h) was added by commit
+
+ 0e79ad863df43 ("x86/cpu: Fix a -Wmissing-prototypes warning for init_ia32_feat_ctl()")
+
+solely to fix init_ia32_feat_ctl()'s missing prototype. So, the header
+include "cpu.h" is no longer necessary.
+
+ [ bp: Massage commit message. ]
+
+Fixes: 5d5103595e9e5 ("x86/cpu: Reinitialize IA32_FEAT_CTL MSR on BSP during wakeup")
+Signed-off-by: Luciano Leão <lucianorsleao@gmail.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Nícolas F. R. A. Prado <n@nfraprado.net>
+Link: https://lore.kernel.org/r/20220922200053.1357470-1-lucianorsleao@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/feat_ctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/feat_ctl.c b/arch/x86/kernel/cpu/feat_ctl.c
+index 993697e71854..03851240c3e3 100644
+--- a/arch/x86/kernel/cpu/feat_ctl.c
++++ b/arch/x86/kernel/cpu/feat_ctl.c
+@@ -1,11 +1,11 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include <linux/tboot.h>
+
++#include <asm/cpu.h>
+ #include <asm/cpufeature.h>
+ #include <asm/msr-index.h>
+ #include <asm/processor.h>
+ #include <asm/vmx.h>
+-#include "cpu.h"
+
+ #undef pr_fmt
+ #define pr_fmt(fmt) "x86/cpu: " fmt
+--
+2.35.1
+
--- /dev/null
+From 6a2d2a27856a84f318e3b1aeead82ef1bc1c4f03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Sep 2022 19:45:14 -0700
+Subject: x86/entry: Work around Clang __bdos() bug
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 3e1730842f142add55dc658929221521a9ea62b6 ]
+
+Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y
+and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic
+offset. Work around this by using a direct assignment of an empty
+instance. Avoids this warning:
+
+../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn
+ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat
+tribute-warning]
+ __write_overflow_field(p_size_field, size);
+ ^
+
+which was isolated to the memset() call in xen_load_idt().
+
+Note that this looks very much like another bug that was worked around:
+https://github.com/ClangBuiltLinux/linux/issues/1592
+
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: x86@kernel.org
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: xen-devel@lists.xenproject.org
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/enlighten_pv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
+index 0ed2e487a693..9b1a58dda935 100644
+--- a/arch/x86/xen/enlighten_pv.c
++++ b/arch/x86/xen/enlighten_pv.c
+@@ -765,6 +765,7 @@ static void xen_load_idt(const struct desc_ptr *desc)
+ {
+ static DEFINE_SPINLOCK(lock);
+ static struct trap_info traps[257];
++ static const struct trap_info zero = { };
+ unsigned out;
+
+ trace_xen_cpu_load_idt(desc);
+@@ -774,7 +775,7 @@ static void xen_load_idt(const struct desc_ptr *desc)
+ memcpy(this_cpu_ptr(&idt_desc), desc, sizeof(idt_desc));
+
+ out = xen_convert_trap_info(desc, traps, false);
+- memset(&traps[out], 0, sizeof(traps[0]));
++ traps[out] = zero;
+
+ xen_mc_flush();
+ if (HYPERVISOR_set_trap_table(traps))
+--
+2.35.1
+
--- /dev/null
+From a7e55ce6f57b985e84eef1de9895b13c9c3dd815 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 15:37:05 +0200
+Subject: x86/hyperv: Fix 'struct hv_enlightened_vmcs' definition
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+[ Upstream commit ea9da788a61e47e7ab9cbad397453e51cd82ac0d ]
+
+Section 1.9 of TLFS v6.0b says:
+
+"All structures are padded in such a way that fields are aligned
+naturally (that is, an 8-byte field is aligned to an offset of 8 bytes
+and so on)".
+
+'struct enlightened_vmcs' has a glitch:
+
+...
+ struct {
+ u32 nested_flush_hypercall:1; /* 836: 0 4 */
+ u32 msr_bitmap:1; /* 836: 1 4 */
+ u32 reserved:30; /* 836: 2 4 */
+ } hv_enlightenments_control; /* 836 4 */
+ u32 hv_vp_id; /* 840 4 */
+ u64 hv_vm_id; /* 844 8 */
+ u64 partition_assist_page; /* 852 8 */
+...
+
+And the observed values in 'partition_assist_page' make no sense at
+all. Fix the layout by padding the structure properly.
+
+Fixes: 68d1eb72ee99 ("x86/hyper-v: define struct hv_enlightened_vmcs and clean field bits")
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Link: https://lore.kernel.org/r/20220830133737.1539624-2-vkuznets@redhat.com
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/hyperv-tlfs.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/include/asm/hyperv-tlfs.h b/arch/x86/include/asm/hyperv-tlfs.h
+index 0a9407dc0859..6f0acc45e67a 100644
+--- a/arch/x86/include/asm/hyperv-tlfs.h
++++ b/arch/x86/include/asm/hyperv-tlfs.h
+@@ -546,7 +546,7 @@ struct hv_enlightened_vmcs {
+ u64 guest_rip;
+
+ u32 hv_clean_fields;
+- u32 hv_padding_32;
++ u32 padding32_1;
+ u32 hv_synthetic_controls;
+ struct {
+ u32 nested_flush_hypercall:1;
+@@ -554,7 +554,7 @@ struct hv_enlightened_vmcs {
+ u32 reserved:30;
+ } __packed hv_enlightenments_control;
+ u32 hv_vp_id;
+-
++ u32 padding32_2;
+ u64 hv_vm_id;
+ u64 partition_assist_page;
+ u64 padding64_4[4];
+--
+2.35.1
+
--- /dev/null
+From ea6e74d108bd1eef0d7d8b1ab7b60326e1e2e36b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Aug 2022 17:38:51 -0600
+Subject: x86/mce: Retrieve poison range from hardware
+
+From: Jane Chu <jane.chu@oracle.com>
+
+[ Upstream commit f9781bb18ed828e7b83b7bac4a4ad7cd497ee7d7 ]
+
+When memory poison consumption machine checks fire, MCE notifier
+handlers like nfit_handle_mce() record the impacted physical address
+range which is reported by the hardware in the MCi_MISC MSR. The error
+information includes data about blast radius, i.e. how many cachelines
+did the hardware determine are impacted. A recent change
+
+ 7917f9cdb503 ("acpi/nfit: rely on mce->misc to determine poison granularity")
+
+updated nfit_handle_mce() to stop hard coding the blast radius value of
+1 cacheline, and instead rely on the blast radius reported in 'struct
+mce' which can be up to 4K (64 cachelines).
+
+It turns out that apei_mce_report_mem_error() had a similar problem in
+that it hard coded a blast radius of 4K rather than reading the blast
+radius from the error information. Fix apei_mce_report_mem_error() to
+convey the proper poison granularity.
+
+Signed-off-by: Jane Chu <jane.chu@oracle.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/7ed50fd8-521e-cade-77b1-738b8bfb8502@oracle.com
+Link: https://lore.kernel.org/r/20220826233851.1319100-1-jane.chu@oracle.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mce/apei.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/mce/apei.c b/arch/x86/kernel/cpu/mce/apei.c
+index 717192915f28..8ed341714686 100644
+--- a/arch/x86/kernel/cpu/mce/apei.c
++++ b/arch/x86/kernel/cpu/mce/apei.c
+@@ -29,15 +29,26 @@
+ void apei_mce_report_mem_error(int severity, struct cper_sec_mem_err *mem_err)
+ {
+ struct mce m;
++ int lsb;
+
+ if (!(mem_err->validation_bits & CPER_MEM_VALID_PA))
+ return;
+
++ /*
++ * Even if the ->validation_bits are set for address mask,
++ * to be extra safe, check and reject an error radius '0',
++ * and fall back to the default page size.
++ */
++ if (mem_err->validation_bits & CPER_MEM_VALID_PA_MASK)
++ lsb = find_first_bit((void *)&mem_err->physical_addr_mask, PAGE_SHIFT);
++ else
++ lsb = PAGE_SHIFT;
++
+ mce_setup(&m);
+ m.bank = -1;
+ /* Fake a memory read error with unknown channel */
+ m.status = MCI_STATUS_VAL | MCI_STATUS_EN | MCI_STATUS_ADDRV | MCI_STATUS_MISCV | 0x9f;
+- m.misc = (MCI_MISC_ADDR_PHYS << 6) | PAGE_SHIFT;
++ m.misc = (MCI_MISC_ADDR_PHYS << 6) | lsb;
+
+ if (severity >= GHES_SEV_RECOVERABLE)
+ m.status |= MCI_STATUS_UC;
+--
+2.35.1
+
--- /dev/null
+From 79c6924938095a74bda7709fe9cc1b50492d8da9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 20:10:10 -0700
+Subject: x86/microcode/AMD: Track patch allocation size explicitly
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 712f210a457d9c32414df246a72781550bc23ef6 ]
+
+In preparation for reducing the use of ksize(), record the actual
+allocation size for later memcpy(). This avoids copying extra
+(uninitialized!) bytes into the patch buffer when the requested
+allocation size isn't exactly the size of a kmalloc bucket.
+Additionally, fix potential future issues where runtime bounds checking
+will notice that the buffer was allocated to a smaller value than
+returned by ksize().
+
+Fixes: 757885e94a22 ("x86, microcode, amd: Early microcode patch loading support for AMD")
+Suggested-by: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lore.kernel.org/lkml/CA+DvKQ+bp7Y7gmaVhacjv9uF6Ar-o4tet872h4Q8RPYPJjcJQA@mail.gmail.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/microcode.h | 1 +
+ arch/x86/kernel/cpu/microcode/amd.c | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microcode.h
+index 0c3d3440fe27..aa675783412f 100644
+--- a/arch/x86/include/asm/microcode.h
++++ b/arch/x86/include/asm/microcode.h
+@@ -9,6 +9,7 @@
+ struct ucode_patch {
+ struct list_head plist;
+ void *data; /* Intel uses only this one */
++ unsigned int size;
+ u32 patch_id;
+ u16 equiv_cpu;
+ };
+diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
+index 8b2fcdfa6d31..615bc6efa1dd 100644
+--- a/arch/x86/kernel/cpu/microcode/amd.c
++++ b/arch/x86/kernel/cpu/microcode/amd.c
+@@ -788,6 +788,7 @@ static int verify_and_add_patch(u8 family, u8 *fw, unsigned int leftover,
+ kfree(patch);
+ return -EINVAL;
+ }
++ patch->size = *patch_size;
+
+ mc_hdr = (struct microcode_header_amd *)(fw + SECTION_HDR_SIZE);
+ proc_id = mc_hdr->processor_rev_id;
+@@ -869,7 +870,7 @@ load_microcode_amd(bool save, u8 family, const u8 *data, size_t size)
+ return ret;
+
+ memset(amd_ucode_patch, 0, PATCH_MAX_SIZE);
+- memcpy(amd_ucode_patch, p->data, min_t(u32, ksize(p->data), PATCH_MAX_SIZE));
++ memcpy(amd_ucode_patch, p->data, min_t(u32, p->size, PATCH_MAX_SIZE));
+
+ return ret;
+ }
+--
+2.35.1
+
--- /dev/null
+From fd0fc221ded82c1b2b8cc32bd577d681e01c5fec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 21:37:50 +0000
+Subject: x86/paravirt: add extra clobbers with ZERO_CALL_USED_REGS enabled
+
+From: Bill Wendling <morbo@google.com>
+
+[ Upstream commit 8c86f29bfb18465d15b05cfd26a6454ec787b793 ]
+
+The ZERO_CALL_USED_REGS feature may zero out caller-saved registers
+before returning.
+
+In spurious_kernel_fault(), the "pte_offset_kernel()" call results in
+this assembly code:
+
+.Ltmp151:
+ #APP
+ # ALT: oldnstr
+.Ltmp152:
+.Ltmp153:
+.Ltmp154:
+ .section .discard.retpoline_safe,"",@progbits
+ .quad .Ltmp154
+ .text
+
+ callq *pv_ops+536(%rip)
+
+.Ltmp155:
+ .section .parainstructions,"a",@progbits
+ .p2align 3, 0x0
+ .quad .Ltmp153
+ .byte 67
+ .byte .Ltmp155-.Ltmp153
+ .short 1
+ .text
+.Ltmp156:
+ # ALT: padding
+ .zero (-(((.Ltmp157-.Ltmp158)-(.Ltmp156-.Ltmp152))>0))*((.Ltmp157-.Ltmp158)-(.Ltmp156-.Ltmp152)),144
+.Ltmp159:
+ .section .altinstructions,"a",@progbits
+.Ltmp160:
+ .long .Ltmp152-.Ltmp160
+.Ltmp161:
+ .long .Ltmp158-.Ltmp161
+ .short 33040
+ .byte .Ltmp159-.Ltmp152
+ .byte .Ltmp157-.Ltmp158
+ .text
+
+ .section .altinstr_replacement,"ax",@progbits
+ # ALT: replacement 1
+.Ltmp158:
+ movq %rdi, %rax
+.Ltmp157:
+ .text
+ #NO_APP
+.Ltmp162:
+ testb $-128, %dil
+
+The "testb" here is using %dil, but the %rdi register was cleared before
+returning from "callq *pv_ops+536(%rip)". Adding the proper constraints
+results in the use of a different register:
+
+ movq %r11, %rdi
+
+ # Similar to above.
+
+ testb $-128, %r11b
+
+Link: https://github.com/KSPP/linux/issues/192
+Signed-off-by: Bill Wendling <morbo@google.com>
+Reported-and-tested-by: Nathan Chancellor <nathan@kernel.org>
+Fixes: 035f7f87b729 ("randstruct: Enable Clang support")
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Link: https://lore.kernel.org/lkml/fa6df43b-8a1a-8ad1-0236-94d2a0b588fa@suse.com/
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20220902213750.1124421-3-morbo@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/paravirt_types.h | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/paravirt_types.h b/arch/x86/include/asm/paravirt_types.h
+index 89df6c6617f5..bc2e1b67319d 100644
+--- a/arch/x86/include/asm/paravirt_types.h
++++ b/arch/x86/include/asm/paravirt_types.h
+@@ -414,8 +414,17 @@ int paravirt_disable_iospace(void);
+ "=c" (__ecx)
+ #define PVOP_CALL_CLOBBERS PVOP_VCALL_CLOBBERS, "=a" (__eax)
+
+-/* void functions are still allowed [re]ax for scratch */
++/*
++ * void functions are still allowed [re]ax for scratch.
++ *
++ * The ZERO_CALL_USED REGS feature may end up zeroing out callee-saved
++ * registers. Make sure we model this with the appropriate clobbers.
++ */
++#ifdef CONFIG_ZERO_CALL_USED_REGS
++#define PVOP_VCALLEE_CLOBBERS "=a" (__eax), PVOP_VCALL_CLOBBERS
++#else
+ #define PVOP_VCALLEE_CLOBBERS "=a" (__eax)
++#endif
+ #define PVOP_CALLEE_CLOBBERS PVOP_VCALLEE_CLOBBERS
+
+ #define EXTRA_CLOBBERS , "r8", "r9", "r10", "r11"
+--
+2.35.1
+
--- /dev/null
+From c6345d8a0c91af37be7f27d8681facb0c94ac7f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Aug 2022 09:44:10 -0700
+Subject: x86/resctrl: Fix to restore to original value when re-enabling
+ hardware prefetch register
+
+From: Kohei Tarumizu <tarumizu.kohei@fujitsu.com>
+
+[ Upstream commit 499c8bb4693d1c8d8f3d6dd38e5bdde3ff5bd906 ]
+
+The current pseudo_lock.c code overwrites the value of the
+MSR_MISC_FEATURE_CONTROL to 0 even if the original value is not 0.
+Therefore, modify it to save and restore the original values.
+
+Fixes: 018961ae5579 ("x86/intel_rdt: Pseudo-lock region creation/removal core")
+Fixes: 443810fe6160 ("x86/intel_rdt: Create debugfs files for pseudo-locking testing")
+Fixes: 8a2fc0e1bc0c ("x86/intel_rdt: More precise L2 hit/miss measurements")
+Signed-off-by: Kohei Tarumizu <tarumizu.kohei@fujitsu.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Acked-by: Reinette Chatre <reinette.chatre@intel.com>
+Link: https://lkml.kernel.org/r/eb660f3c2010b79a792c573c02d01e8e841206ad.1661358182.git.reinette.chatre@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/resctrl/pseudo_lock.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/resctrl/pseudo_lock.c b/arch/x86/kernel/cpu/resctrl/pseudo_lock.c
+index db813f819ad6..4d8398986f78 100644
+--- a/arch/x86/kernel/cpu/resctrl/pseudo_lock.c
++++ b/arch/x86/kernel/cpu/resctrl/pseudo_lock.c
+@@ -420,6 +420,7 @@ static int pseudo_lock_fn(void *_rdtgrp)
+ struct pseudo_lock_region *plr = rdtgrp->plr;
+ u32 rmid_p, closid_p;
+ unsigned long i;
++ u64 saved_msr;
+ #ifdef CONFIG_KASAN
+ /*
+ * The registers used for local register variables are also used
+@@ -463,6 +464,7 @@ static int pseudo_lock_fn(void *_rdtgrp)
+ * the buffer and evict pseudo-locked memory read earlier from the
+ * cache.
+ */
++ saved_msr = __rdmsr(MSR_MISC_FEATURE_CONTROL);
+ __wrmsr(MSR_MISC_FEATURE_CONTROL, prefetch_disable_bits, 0x0);
+ closid_p = this_cpu_read(pqr_state.cur_closid);
+ rmid_p = this_cpu_read(pqr_state.cur_rmid);
+@@ -514,7 +516,7 @@ static int pseudo_lock_fn(void *_rdtgrp)
+ __wrmsr(IA32_PQR_ASSOC, rmid_p, closid_p);
+
+ /* Re-enable the hardware prefetcher(s) */
+- wrmsr(MSR_MISC_FEATURE_CONTROL, 0x0, 0x0);
++ wrmsrl(MSR_MISC_FEATURE_CONTROL, saved_msr);
+ local_irq_enable();
+
+ plr->thread_done = 1;
+@@ -871,6 +873,7 @@ bool rdtgroup_pseudo_locked_in_hierarchy(struct rdt_domain *d)
+ static int measure_cycles_lat_fn(void *_plr)
+ {
+ struct pseudo_lock_region *plr = _plr;
++ u32 saved_low, saved_high;
+ unsigned long i;
+ u64 start, end;
+ void *mem_r;
+@@ -879,6 +882,7 @@ static int measure_cycles_lat_fn(void *_plr)
+ /*
+ * Disable hardware prefetchers.
+ */
++ rdmsr(MSR_MISC_FEATURE_CONTROL, saved_low, saved_high);
+ wrmsr(MSR_MISC_FEATURE_CONTROL, prefetch_disable_bits, 0x0);
+ mem_r = READ_ONCE(plr->kmem);
+ /*
+@@ -895,7 +899,7 @@ static int measure_cycles_lat_fn(void *_plr)
+ end = rdtsc_ordered();
+ trace_pseudo_lock_mem_latency((u32)(end - start));
+ }
+- wrmsr(MSR_MISC_FEATURE_CONTROL, 0x0, 0x0);
++ wrmsr(MSR_MISC_FEATURE_CONTROL, saved_low, saved_high);
+ local_irq_enable();
+ plr->thread_done = 1;
+ wake_up_interruptible(&plr->lock_thread_wq);
+@@ -940,6 +944,7 @@ static int measure_residency_fn(struct perf_event_attr *miss_attr,
+ u64 hits_before = 0, hits_after = 0, miss_before = 0, miss_after = 0;
+ struct perf_event *miss_event, *hit_event;
+ int hit_pmcnum, miss_pmcnum;
++ u32 saved_low, saved_high;
+ unsigned int line_size;
+ unsigned int size;
+ unsigned long i;
+@@ -973,6 +978,7 @@ static int measure_residency_fn(struct perf_event_attr *miss_attr,
+ /*
+ * Disable hardware prefetchers.
+ */
++ rdmsr(MSR_MISC_FEATURE_CONTROL, saved_low, saved_high);
+ wrmsr(MSR_MISC_FEATURE_CONTROL, prefetch_disable_bits, 0x0);
+
+ /* Initialize rest of local variables */
+@@ -1031,7 +1037,7 @@ static int measure_residency_fn(struct perf_event_attr *miss_attr,
+ */
+ rmb();
+ /* Re-enable hardware prefetchers */
+- wrmsr(MSR_MISC_FEATURE_CONTROL, 0x0, 0x0);
++ wrmsr(MSR_MISC_FEATURE_CONTROL, saved_low, saved_high);
+ local_irq_enable();
+ out_hit:
+ perf_event_release_kernel(hit_event);
+--
+2.35.1
+
--- /dev/null
+From c44d3336c2e998ae6e8687cc23f54f327f81ee14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Sep 2022 16:01:57 +0800
+Subject: xfrm: Reinject transport-mode packets through workqueue
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit 4f4920669d21e1060b7243e5118dc3b71ced1276 ]
+
+The following warning is displayed when the tcp6-multi-diffip11 stress
+test case of the LTP test suite is tested:
+
+watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [ns-tcpserver:48198]
+CPU: 0 PID: 48198 Comm: ns-tcpserver Kdump: loaded Not tainted 6.0.0-rc6+ #39
+Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : des3_ede_encrypt+0x27c/0x460 [libdes]
+lr : 0x3f
+sp : ffff80000ceaa1b0
+x29: ffff80000ceaa1b0 x28: ffff0000df056100 x27: ffff0000e51e5280
+x26: ffff80004df75030 x25: ffff0000e51e4600 x24: 000000000000003b
+x23: 0000000000802080 x22: 000000000000003d x21: 0000000000000038
+x20: 0000000080000020 x19: 000000000000000a x18: 0000000000000033
+x17: ffff0000e51e4780 x16: ffff80004e2d1448 x15: ffff80004e2d1248
+x14: ffff0000e51e4680 x13: ffff80004e2d1348 x12: ffff80004e2d1548
+x11: ffff80004e2d1848 x10: ffff80004e2d1648 x9 : ffff80004e2d1748
+x8 : ffff80004e2d1948 x7 : 000000000bcaf83d x6 : 000000000000001b
+x5 : ffff80004e2d1048 x4 : 00000000761bf3bf x3 : 000000007f1dd0a3
+x2 : ffff0000e51e4780 x1 : ffff0000e3b9a2f8 x0 : 00000000db44e872
+Call trace:
+ des3_ede_encrypt+0x27c/0x460 [libdes]
+ crypto_des3_ede_encrypt+0x1c/0x30 [des_generic]
+ crypto_cbc_encrypt+0x148/0x190
+ crypto_skcipher_encrypt+0x2c/0x40
+ crypto_authenc_encrypt+0xc8/0xfc [authenc]
+ crypto_aead_encrypt+0x2c/0x40
+ echainiv_encrypt+0x144/0x1a0 [echainiv]
+ crypto_aead_encrypt+0x2c/0x40
+ esp6_output_tail+0x1c8/0x5d0 [esp6]
+ esp6_output+0x120/0x278 [esp6]
+ xfrm_output_one+0x458/0x4ec
+ xfrm_output_resume+0x6c/0x1f0
+ xfrm_output+0xac/0x4ac
+ __xfrm6_output+0x130/0x270
+ xfrm6_output+0x60/0xec
+ ip6_xmit+0x2ec/0x5bc
+ inet6_csk_xmit+0xbc/0x10c
+ __tcp_transmit_skb+0x460/0x8c0
+ tcp_write_xmit+0x348/0x890
+ __tcp_push_pending_frames+0x44/0x110
+ tcp_rcv_established+0x3c8/0x720
+ tcp_v6_do_rcv+0xdc/0x4a0
+ tcp_v6_rcv+0xc24/0xcb0
+ ip6_protocol_deliver_rcu+0xf0/0x574
+ ip6_input_finish+0x48/0x7c
+ ip6_input+0x48/0xc0
+ ip6_rcv_finish+0x80/0x9c
+ xfrm_trans_reinject+0xb0/0xf4
+ tasklet_action_common.constprop.0+0xf8/0x134
+ tasklet_action+0x30/0x3c
+ __do_softirq+0x128/0x368
+ do_softirq+0xb4/0xc0
+ __local_bh_enable_ip+0xb0/0xb4
+ put_cpu_fpsimd_context+0x40/0x70
+ kernel_neon_end+0x20/0x40
+ sha1_base_do_update.constprop.0.isra.0+0x11c/0x140 [sha1_ce]
+ sha1_ce_finup+0x94/0x110 [sha1_ce]
+ crypto_shash_finup+0x34/0xc0
+ hmac_finup+0x48/0xe0
+ crypto_shash_finup+0x34/0xc0
+ shash_digest_unaligned+0x74/0x90
+ crypto_shash_digest+0x4c/0x9c
+ shash_ahash_digest+0xc8/0xf0
+ shash_async_digest+0x28/0x34
+ crypto_ahash_digest+0x48/0xcc
+ crypto_authenc_genicv+0x88/0xcc [authenc]
+ crypto_authenc_encrypt+0xd8/0xfc [authenc]
+ crypto_aead_encrypt+0x2c/0x40
+ echainiv_encrypt+0x144/0x1a0 [echainiv]
+ crypto_aead_encrypt+0x2c/0x40
+ esp6_output_tail+0x1c8/0x5d0 [esp6]
+ esp6_output+0x120/0x278 [esp6]
+ xfrm_output_one+0x458/0x4ec
+ xfrm_output_resume+0x6c/0x1f0
+ xfrm_output+0xac/0x4ac
+ __xfrm6_output+0x130/0x270
+ xfrm6_output+0x60/0xec
+ ip6_xmit+0x2ec/0x5bc
+ inet6_csk_xmit+0xbc/0x10c
+ __tcp_transmit_skb+0x460/0x8c0
+ tcp_write_xmit+0x348/0x890
+ __tcp_push_pending_frames+0x44/0x110
+ tcp_push+0xb4/0x14c
+ tcp_sendmsg_locked+0x71c/0xb64
+ tcp_sendmsg+0x40/0x6c
+ inet6_sendmsg+0x4c/0x80
+ sock_sendmsg+0x5c/0x6c
+ __sys_sendto+0x128/0x15c
+ __arm64_sys_sendto+0x30/0x40
+ invoke_syscall+0x50/0x120
+ el0_svc_common.constprop.0+0x170/0x194
+ do_el0_svc+0x38/0x4c
+ el0_svc+0x28/0xe0
+ el0t_64_sync_handler+0xbc/0x13c
+ el0t_64_sync+0x180/0x184
+
+Get softirq info by bcc tool:
+./softirqs -NT 10
+Tracing soft irq event time... Hit Ctrl-C to end.
+
+15:34:34
+SOFTIRQ TOTAL_nsecs
+block 158990
+timer 20030920
+sched 46577080
+net_rx 676746820
+tasklet 9906067650
+
+15:34:45
+SOFTIRQ TOTAL_nsecs
+block 86100
+sched 38849790
+net_rx 676532470
+timer 1163848790
+tasklet 9409019620
+
+15:34:55
+SOFTIRQ TOTAL_nsecs
+sched 58078450
+net_rx 475156720
+timer 533832410
+tasklet 9431333300
+
+The tasklet software interrupt takes too much time. Therefore, the
+xfrm_trans_reinject executor is changed from tasklet to workqueue. Add add
+spin lock to protect the queue. This reduces the processing flow of the
+tcp_sendmsg function in this scenario.
+
+Fixes: acf568ee859f0 ("xfrm: Reinject transport-mode packets through tasklet")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_input.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
+index b2f4ec9c537f..aa5220565763 100644
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -24,7 +24,8 @@
+ #include "xfrm_inout.h"
+
+ struct xfrm_trans_tasklet {
+- struct tasklet_struct tasklet;
++ struct work_struct work;
++ spinlock_t queue_lock;
+ struct sk_buff_head queue;
+ };
+
+@@ -760,18 +761,22 @@ int xfrm_input_resume(struct sk_buff *skb, int nexthdr)
+ }
+ EXPORT_SYMBOL(xfrm_input_resume);
+
+-static void xfrm_trans_reinject(struct tasklet_struct *t)
++static void xfrm_trans_reinject(struct work_struct *work)
+ {
+- struct xfrm_trans_tasklet *trans = from_tasklet(trans, t, tasklet);
++ struct xfrm_trans_tasklet *trans = container_of(work, struct xfrm_trans_tasklet, work);
+ struct sk_buff_head queue;
+ struct sk_buff *skb;
+
+ __skb_queue_head_init(&queue);
++ spin_lock_bh(&trans->queue_lock);
+ skb_queue_splice_init(&trans->queue, &queue);
++ spin_unlock_bh(&trans->queue_lock);
+
++ local_bh_disable();
+ while ((skb = __skb_dequeue(&queue)))
+ XFRM_TRANS_SKB_CB(skb)->finish(XFRM_TRANS_SKB_CB(skb)->net,
+ NULL, skb);
++ local_bh_enable();
+ }
+
+ int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb,
+@@ -789,8 +794,10 @@ int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb,
+
+ XFRM_TRANS_SKB_CB(skb)->finish = finish;
+ XFRM_TRANS_SKB_CB(skb)->net = net;
++ spin_lock_bh(&trans->queue_lock);
+ __skb_queue_tail(&trans->queue, skb);
+- tasklet_schedule(&trans->tasklet);
++ spin_unlock_bh(&trans->queue_lock);
++ schedule_work(&trans->work);
+ return 0;
+ }
+ EXPORT_SYMBOL(xfrm_trans_queue_net);
+@@ -817,7 +824,8 @@ void __init xfrm_input_init(void)
+ struct xfrm_trans_tasklet *trans;
+
+ trans = &per_cpu(xfrm_trans_tasklet, i);
++ spin_lock_init(&trans->queue_lock);
+ __skb_queue_head_init(&trans->queue);
+- tasklet_setup(&trans->tasklet, xfrm_trans_reinject);
++ INIT_WORK(&trans->work, xfrm_trans_reinject);
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From 21ecfe6097ff8a0911a1bde8e94905d05c2640fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Sep 2022 13:12:10 +0600
+Subject: xfrm: Update ipcomp_scratches with NULL when freed
+
+From: Khalid Masum <khalid.masum.92@gmail.com>
+
+[ Upstream commit 8a04d2fc700f717104bfb95b0f6694e448a4537f ]
+
+Currently if ipcomp_alloc_scratches() fails to allocate memory
+ipcomp_scratches holds obsolete address. So when we try to free the
+percpu scratches using ipcomp_free_scratches() it tries to vfree non
+existent vm area. Described below:
+
+static void * __percpu *ipcomp_alloc_scratches(void)
+{
+ ...
+ scratches = alloc_percpu(void *);
+ if (!scratches)
+ return NULL;
+ipcomp_scratches does not know about this allocation failure.
+Therefore holding the old obsolete address.
+ ...
+}
+
+So when we free,
+
+static void ipcomp_free_scratches(void)
+{
+ ...
+ scratches = ipcomp_scratches;
+Assigning obsolete address from ipcomp_scratches
+
+ if (!scratches)
+ return;
+
+ for_each_possible_cpu(i)
+ vfree(*per_cpu_ptr(scratches, i));
+Trying to free non existent page, causing warning: trying to vfree
+existent vm area.
+ ...
+}
+
+Fix this breakage by updating ipcomp_scrtches with NULL when scratches
+is freed
+
+Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
+Reported-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com
+Tested-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com
+Signed-off-by: Khalid Masum <khalid.masum.92@gmail.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_ipcomp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
+index cb40ff0ff28d..92ad336a83ab 100644
+--- a/net/xfrm/xfrm_ipcomp.c
++++ b/net/xfrm/xfrm_ipcomp.c
+@@ -203,6 +203,7 @@ static void ipcomp_free_scratches(void)
+ vfree(*per_cpu_ptr(scratches, i));
+
+ free_percpu(scratches);
++ ipcomp_scratches = NULL;
+ }
+
+ static void * __percpu *ipcomp_alloc_scratches(void)
+--
+2.35.1
+
--- /dev/null
+From 06eadc0e436a2e1e086329fd3081825fe728bea6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Sep 2022 15:34:47 +0300
+Subject: xhci: Don't show warning for reinit on known broken suspend
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 484d6f7aa3283d082c87654b7fe7a7f725423dfb ]
+
+commit 8b328f8002bc ("xhci: re-initialize the HC during resume if HCE was
+set") introduced a new warning message when the host controller error
+was set and re-initializing.
+
+This is expected behavior on some designs which already set
+`xhci->broken_suspend` so the new warning is alarming to some users.
+
+Modify the code to only show the warning if this was a surprising behavior
+to the XHCI driver.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216470
+Fixes: 8b328f8002bc ("xhci: re-initialize the HC during resume if HCE was set")
+Reported-by: Artem S. Tashkinov <aros@gmx.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20220921123450.671459-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 38649284ff88..a7ef675f00fd 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -1183,7 +1183,8 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
+ /* re-initialize the HC on Restore Error, or Host Controller Error */
+ if (temp & (STS_SRE | STS_HCE)) {
+ reinit_xhc = true;
+- xhci_warn(xhci, "xHC error in resume, USBSTS 0x%x, Reinit\n", temp);
++ if (!xhci->broken_suspend)
++ xhci_warn(xhci, "xHC error in resume, USBSTS 0x%x, Reinit\n", temp);
+ }
+
+ if (reinit_xhc) {
+--
+2.35.1
+
--- /dev/null
+From 79e7b475017ae7f5742857b436a1a743505a88e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 14:17:05 +0200
+Subject: xsk: Fix backpressure mechanism on Tx
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit c00c4461689e15ac2cc3b9a595a54e4d8afd3d77 ]
+
+Commit d678cbd2f867 ("xsk: Fix handling of invalid descriptors in XSK TX
+batching API") fixed batch API usage against set of descriptors with
+invalid ones but introduced a problem when AF_XDP SW rings are smaller
+than HW ones. Mismatch of reported Tx'ed frames between HW generator and
+user space app was observed. It turned out that backpressure mechanism
+became a bottleneck when the amount of produced descriptors to CQ is
+lower than what we grabbed from XSK Tx ring.
+
+Say that 512 entries had been taken from XSK Tx ring but we had only 490
+free entries in CQ. Then callsite (ZC driver) will produce only 490
+entries onto HW Tx ring but 512 entries will be released from Tx ring
+and this is what will be seen by the user space.
+
+In order to fix this case, mix XSK Tx/CQ ring interractions by moving
+around internal functions and changing call order:
+
+* pull out xskq_prod_nb_free() from xskq_prod_reserve_addr_batch()
+ up to xsk_tx_peek_release_desc_batch();
+** move xskq_cons_release_n() into xskq_cons_read_desc_batch()
+
+After doing so, algorithm can be described as follows:
+
+1. lookup Tx entries
+2. use value from 1. to reserve space in CQ (*)
+3. Read from Tx ring as much descriptors as value from 2
+ 3a. release descriptors from XSK Tx ring (**)
+4. Finally produce addresses to CQ
+
+Fixes: d678cbd2f867 ("xsk: Fix handling of invalid descriptors in XSK TX batching API")
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20220830121705.8618-1-maciej.fijalkowski@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xsk.c | 22 +++++++++++-----------
+ net/xdp/xsk_queue.h | 22 ++++++++++------------
+ 2 files changed, 21 insertions(+), 23 deletions(-)
+
+diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
+index 7bada4e8460b..9f0561b67c12 100644
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -355,16 +355,15 @@ static u32 xsk_tx_peek_release_fallback(struct xsk_buff_pool *pool, u32 max_entr
+ return nb_pkts;
+ }
+
+-u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 max_entries)
++u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 nb_pkts)
+ {
+ struct xdp_sock *xs;
+- u32 nb_pkts;
+
+ rcu_read_lock();
+ if (!list_is_singular(&pool->xsk_tx_list)) {
+ /* Fallback to the non-batched version */
+ rcu_read_unlock();
+- return xsk_tx_peek_release_fallback(pool, max_entries);
++ return xsk_tx_peek_release_fallback(pool, nb_pkts);
+ }
+
+ xs = list_first_or_null_rcu(&pool->xsk_tx_list, struct xdp_sock, tx_list);
+@@ -373,12 +372,7 @@ u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 max_entries)
+ goto out;
+ }
+
+- max_entries = xskq_cons_nb_entries(xs->tx, max_entries);
+- nb_pkts = xskq_cons_read_desc_batch(xs->tx, pool, max_entries);
+- if (!nb_pkts) {
+- xs->tx->queue_empty_descs++;
+- goto out;
+- }
++ nb_pkts = xskq_cons_nb_entries(xs->tx, nb_pkts);
+
+ /* This is the backpressure mechanism for the Tx path. Try to
+ * reserve space in the completion queue for all packets, but
+@@ -386,12 +380,18 @@ u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 max_entries)
+ * packets. This avoids having to implement any buffering in
+ * the Tx path.
+ */
+- nb_pkts = xskq_prod_reserve_addr_batch(pool->cq, pool->tx_descs, nb_pkts);
++ nb_pkts = xskq_prod_nb_free(pool->cq, nb_pkts);
+ if (!nb_pkts)
+ goto out;
+
+- xskq_cons_release_n(xs->tx, max_entries);
++ nb_pkts = xskq_cons_read_desc_batch(xs->tx, pool, nb_pkts);
++ if (!nb_pkts) {
++ xs->tx->queue_empty_descs++;
++ goto out;
++ }
++
+ __xskq_cons_release(xs->tx);
++ xskq_prod_write_addr_batch(pool->cq, pool->tx_descs, nb_pkts);
+ xs->sk.sk_write_space(&xs->sk);
+
+ out:
+diff --git a/net/xdp/xsk_queue.h b/net/xdp/xsk_queue.h
+index fb20bf7207cf..c6fb6b763658 100644
+--- a/net/xdp/xsk_queue.h
++++ b/net/xdp/xsk_queue.h
+@@ -205,6 +205,11 @@ static inline bool xskq_cons_read_desc(struct xsk_queue *q,
+ return false;
+ }
+
++static inline void xskq_cons_release_n(struct xsk_queue *q, u32 cnt)
++{
++ q->cached_cons += cnt;
++}
++
+ static inline u32 xskq_cons_read_desc_batch(struct xsk_queue *q, struct xsk_buff_pool *pool,
+ u32 max)
+ {
+@@ -226,6 +231,8 @@ static inline u32 xskq_cons_read_desc_batch(struct xsk_queue *q, struct xsk_buff
+ cached_cons++;
+ }
+
++ /* Release valid plus any invalid entries */
++ xskq_cons_release_n(q, cached_cons - q->cached_cons);
+ return nb_entries;
+ }
+
+@@ -291,11 +298,6 @@ static inline void xskq_cons_release(struct xsk_queue *q)
+ q->cached_cons++;
+ }
+
+-static inline void xskq_cons_release_n(struct xsk_queue *q, u32 cnt)
+-{
+- q->cached_cons += cnt;
+-}
+-
+ static inline u32 xskq_cons_present_entries(struct xsk_queue *q)
+ {
+ /* No barriers needed since data is not accessed */
+@@ -350,21 +352,17 @@ static inline int xskq_prod_reserve_addr(struct xsk_queue *q, u64 addr)
+ return 0;
+ }
+
+-static inline u32 xskq_prod_reserve_addr_batch(struct xsk_queue *q, struct xdp_desc *descs,
+- u32 max)
++static inline void xskq_prod_write_addr_batch(struct xsk_queue *q, struct xdp_desc *descs,
++ u32 nb_entries)
+ {
+ struct xdp_umem_ring *ring = (struct xdp_umem_ring *)q->ring;
+- u32 nb_entries, i, cached_prod;
+-
+- nb_entries = xskq_prod_nb_free(q, max);
++ u32 i, cached_prod;
+
+ /* A, matches D */
+ cached_prod = q->cached_prod;
+ for (i = 0; i < nb_entries; i++)
+ ring->desc[cached_prod++ & q->ring_mask] = descs[i].addr;
+ q->cached_prod = cached_prod;
+-
+- return nb_entries;
+ }
+
+ static inline int xskq_prod_reserve_desc(struct xsk_queue *q,
+--
+2.35.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
