--- /dev/null
+From 0613d8ca9ab382caabe9ed2dceb429e9781e443f Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Thu, 18 May 2023 11:25:28 +0100
+Subject: bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields
+
+From: Will Deacon <will@kernel.org>
+
+commit 0613d8ca9ab382caabe9ed2dceb429e9781e443f upstream.
+
+A narrow load from a 64-bit context field results in a 64-bit load
+followed potentially by a 64-bit right-shift and then a bitwise AND
+operation to extract the relevant data.
+
+In the case of a 32-bit access, an immediate mask of 0xffffffff is used
+to construct a 64-bit BPP_AND operation which then sign-extends the mask
+value and effectively acts as a glorified no-op. For example:
+
+0: 61 10 00 00 00 00 00 00 r0 = *(u32 *)(r1 + 0)
+
+results in the following code generation for a 64-bit field:
+
+ ldr x7, [x7] // 64-bit load
+ mov x10, #0xffffffffffffffff
+ and x7, x7, x10
+
+Fix the mask generation so that narrow loads always perform a 32-bit AND
+operation:
+
+ ldr x7, [x7] // 64-bit load
+ mov w10, #0xffffffff
+ and w7, w7, w10
+
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: Krzesimir Nowak <krzesimir@kinvolk.io>
+Cc: Andrey Ignatov <rdna@fb.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Fixes: 31fd85816dbe ("bpf: permits narrower load from bpf program context fields")
+Signed-off-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20230518102528.1341-1-will@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -12391,7 +12391,7 @@ static int convert_ctx_accesses(struct b
+ insn_buf[cnt++] = BPF_ALU64_IMM(BPF_RSH,
+ insn->dst_reg,
+ shift);
+- insn_buf[cnt++] = BPF_ALU64_IMM(BPF_AND, insn->dst_reg,
++ insn_buf[cnt++] = BPF_ALU32_IMM(BPF_AND, insn->dst_reg,
+ (1ULL << size * 8) - 1);
+ }
+ }
--- /dev/null
+From cb8b02fd6343228966324528adf920bfb8b8e681 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Wed, 24 May 2023 03:26:19 -0500
+Subject: cifs: mapchars mount option ignored
+
+From: Steve French <stfrench@microsoft.com>
+
+commit cb8b02fd6343228966324528adf920bfb8b8e681 upstream.
+
+There are two ways that special characters (not allowed in some
+other operating systems like Windows, but allowed in POSIX) have
+been mapped in the past ("SFU" and "SFM" mappings) to allow them
+to be stored in a range reserved for special chars. The default
+for Linux has been to use "mapposix" (ie the SFM mapping) but
+the conversion to the new mount API in the 5.11 kernel broke
+the ability to override the default mapping of the reserved
+characters (like '?' and '*' and '\') via "mapchars" mount option.
+
+This patch fixes that - so can now mount with "mapchars"
+mount option to override the default ("mapposix" ie SFM) mapping.
+
+Reported-by: Tyler Spivey <tspivey8@gmail.com>
+Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api")
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/fs_context.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/cifs/fs_context.c
++++ b/fs/cifs/fs_context.c
+@@ -884,6 +884,14 @@ static int smb3_fs_context_parse_param(s
+ ctx->sfu_remap = false; /* disable SFU mapping */
+ }
+ break;
++ case Opt_mapchars:
++ if (result.negated)
++ ctx->sfu_remap = false;
++ else {
++ ctx->sfu_remap = true;
++ ctx->remap = false; /* disable SFM (mapposix) mapping */
++ }
++ break;
+ case Opt_user_xattr:
+ if (result.negated)
+ ctx->no_xattr = 1;
--- /dev/null
+From f67bc15e526bb9920683ad6c1891ff9e08981335 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Fri, 21 Apr 2023 13:42:41 +0300
+Subject: coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit f67bc15e526bb9920683ad6c1891ff9e08981335 upstream.
+
+This code generates a Smatch warning:
+
+ drivers/hwtracing/coresight/coresight-tmc-etr.c:947 tmc_etr_buf_insert_barrier_packet()
+ error: uninitialized symbol 'bufp'.
+
+The problem is that if tmc_sg_table_get_data() returns -EINVAL, then
+when we test if "len < CORESIGHT_BARRIER_PKT_SIZE", the negative "len"
+value is type promoted to a high unsigned long value which is greater
+than CORESIGHT_BARRIER_PKT_SIZE. Fix this bug by adding an explicit
+check for error codes.
+
+Fixes: 75f4e3619fe2 ("coresight: tmc-etr: Add transparent buffer management")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/7d33e244-d8b9-4c27-9653-883a13534b01@kili.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
++++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
+@@ -926,7 +926,7 @@ tmc_etr_buf_insert_barrier_packet(struct
+
+ len = tmc_etr_buf_get_data(etr_buf, offset,
+ CORESIGHT_BARRIER_PKT_SIZE, &bufp);
+- if (WARN_ON(len < CORESIGHT_BARRIER_PKT_SIZE))
++ if (WARN_ON(len < 0 || len < CORESIGHT_BARRIER_PKT_SIZE))
+ return -EINVAL;
+ coresight_insert_barrier_packet(bufp);
+ return offset + CORESIGHT_BARRIER_PKT_SIZE;
--- /dev/null
+From b71b55248a580e9c9befc4ae060539f1f8e477da Mon Sep 17 00:00:00 2001
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Thu, 20 Apr 2023 16:06:01 +0100
+Subject: firmware: arm_ffa: Check if ffa_driver remove is present before executing
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+commit b71b55248a580e9c9befc4ae060539f1f8e477da upstream.
+
+Currently ffa_drv->remove() is called unconditionally from
+ffa_device_remove(). Since the driver registration doesn't check for it
+and allows it to be registered without .remove callback, we need to check
+for the presence of it before executing it from ffa_device_remove() to
+above a NULL pointer dereference like the one below:
+
+ | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+ | Mem abort info:
+ | ESR = 0x0000000086000004
+ | EC = 0x21: IABT (current EL), IL = 32 bits
+ | SET = 0, FnV = 0
+ | EA = 0, S1PTW = 0
+ | FSC = 0x04: level 0 translation fault
+ | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881cc8000
+ | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
+ | Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP
+ | CPU: 3 PID: 130 Comm: rmmod Not tainted 6.3.0-rc7 #6
+ | Hardware name: FVP Base RevC (DT)
+ | pstate: 63402809 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=-c)
+ | pc : 0x0
+ | lr : ffa_device_remove+0x20/0x2c
+ | Call trace:
+ | 0x0
+ | device_release_driver_internal+0x16c/0x260
+ | driver_detach+0x90/0xd0
+ | bus_remove_driver+0xdc/0x11c
+ | driver_unregister+0x30/0x54
+ | ffa_driver_unregister+0x14/0x20
+ | cleanup_module+0x18/0xeec
+ | __arm64_sys_delete_module+0x234/0x378
+ | invoke_syscall+0x40/0x108
+ | el0_svc_common+0xb4/0xf0
+ | do_el0_svc+0x30/0xa4
+ | el0_svc+0x2c/0x7c
+ | el0t_64_sync_handler+0x84/0xf0
+ | el0t_64_sync+0x190/0x194
+
+Fixes: 244f5d597e1e ("firmware: arm_ffa: Add missing remove callback to ffa_bus_type")
+Link: https://lore.kernel.org/r/20230419-ffa_fixes_6-4-v2-1-d9108e43a176@arm.com
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/arm_ffa/bus.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/firmware/arm_ffa/bus.c
++++ b/drivers/firmware/arm_ffa/bus.c
+@@ -53,7 +53,8 @@ static void ffa_device_remove(struct dev
+ {
+ struct ffa_driver *ffa_drv = to_ffa_driver(dev->driver);
+
+- ffa_drv->remove(to_ffa_dev(dev));
++ if (ffa_drv->remove)
++ ffa_drv->remove(to_ffa_dev(dev));
+ }
+
+ static int ffa_device_uevent(struct device *dev, struct kobj_uevent_env *env)
--- /dev/null
+From 19b8766459c41c6f318f8a548cc1c66dffd18363 Mon Sep 17 00:00:00 2001
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Thu, 20 Apr 2023 16:06:03 +0100
+Subject: firmware: arm_ffa: Fix FFA device names for logical partitions
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+commit 19b8766459c41c6f318f8a548cc1c66dffd18363 upstream.
+
+Each physical partition can provide multiple services each with UUID.
+Each such service can be presented as logical partition with a unique
+combination of VM ID and UUID. The number of distinct UUID in a system
+will be less than or equal to the number of logical partitions.
+
+However, currently it fails to register more than one logical partition
+or service within a physical partition as the device name contains only
+VM ID while both VM ID and UUID are maintained in the partition information.
+The kernel complains with the below message:
+
+ | sysfs: cannot create duplicate filename '/devices/arm-ffa-8001'
+ | CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.3.0-rc7 #8
+ | Hardware name: FVP Base RevC (DT)
+ | Call trace:
+ | dump_backtrace+0xf8/0x118
+ | show_stack+0x18/0x24
+ | dump_stack_lvl+0x50/0x68
+ | dump_stack+0x18/0x24
+ | sysfs_create_dir_ns+0xe0/0x13c
+ | kobject_add_internal+0x220/0x3d4
+ | kobject_add+0x94/0x100
+ | device_add+0x144/0x5d8
+ | device_register+0x20/0x30
+ | ffa_device_register+0x88/0xd8
+ | ffa_setup_partitions+0x108/0x1b8
+ | ffa_init+0x2ec/0x3a4
+ | do_one_initcall+0xcc/0x240
+ | do_initcall_level+0x8c/0xac
+ | do_initcalls+0x54/0x94
+ | do_basic_setup+0x1c/0x28
+ | kernel_init_freeable+0x100/0x16c
+ | kernel_init+0x20/0x1a0
+ | ret_from_fork+0x10/0x20
+ | kobject_add_internal failed for arm-ffa-8001 with -EEXIST, don't try to
+ | register things with the same name in the same directory.
+ | arm_ffa arm-ffa: unable to register device arm-ffa-8001 err=-17
+ | ARM FF-A: ffa_setup_partitions: failed to register partition ID 0x8001
+
+By virtue of being random enough to avoid collisions when generated in a
+distributed system, there is no way to compress UUID keys to the number
+of bits required to identify each. We can eliminate '-' in the name but
+it is not worth eliminating 4 bytes and add unnecessary logic for doing
+that. Also v1.0 doesn't provide the UUID of the partitions which makes
+it hard to use the same for the device name.
+
+So to keep it simple, let us alloc an ID using ida_alloc() and append the
+same to "arm-ffa" to make up a unique device name. Also stash the id value
+in ffa_dev to help freeing the ID later when the device is destroyed.
+
+Fixes: e781858488b9 ("firmware: arm_ffa: Add initial FFA bus support for device enumeration")
+Reported-by: Lucian Paul-Trifu <lucian.paul-trifu@arm.com>
+Link: https://lore.kernel.org/r/20230419-ffa_fixes_6-4-v2-3-d9108e43a176@arm.com
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/arm_ffa/bus.c | 16 +++++++++++++---
+ include/linux/arm_ffa.h | 1 +
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+--- a/drivers/firmware/arm_ffa/bus.c
++++ b/drivers/firmware/arm_ffa/bus.c
+@@ -15,6 +15,8 @@
+
+ #include "common.h"
+
++static DEFINE_IDA(ffa_bus_id);
++
+ static int ffa_device_match(struct device *dev, struct device_driver *drv)
+ {
+ const struct ffa_device_id *id_table;
+@@ -131,6 +133,7 @@ static void ffa_release_device(struct de
+ {
+ struct ffa_device *ffa_dev = to_ffa_dev(dev);
+
++ ida_free(&ffa_bus_id, ffa_dev->id);
+ kfree(ffa_dev);
+ }
+
+@@ -170,18 +173,24 @@ bool ffa_device_is_valid(struct ffa_devi
+
+ struct ffa_device *ffa_device_register(const uuid_t *uuid, int vm_id)
+ {
+- int ret;
++ int id, ret;
+ struct device *dev;
+ struct ffa_device *ffa_dev;
+
++ id = ida_alloc_min(&ffa_bus_id, 1, GFP_KERNEL);
++ if (id < 0)
++ return NULL;
++
+ ffa_dev = kzalloc(sizeof(*ffa_dev), GFP_KERNEL);
+- if (!ffa_dev)
++ if (!ffa_dev) {
++ ida_free(&ffa_bus_id, id);
+ return NULL;
++ }
+
+ dev = &ffa_dev->dev;
+ dev->bus = &ffa_bus_type;
+ dev->release = ffa_release_device;
+- dev_set_name(&ffa_dev->dev, "arm-ffa-%04x", vm_id);
++ dev_set_name(&ffa_dev->dev, "arm-ffa-%d", id);
+
+ ffa_dev->vm_id = vm_id;
+ uuid_copy(&ffa_dev->uuid, uuid);
+@@ -216,4 +225,5 @@ void arm_ffa_bus_exit(void)
+ {
+ ffa_devices_unregister();
+ bus_unregister(&ffa_bus_type);
++ ida_destroy(&ffa_bus_id);
+ }
+--- a/include/linux/arm_ffa.h
++++ b/include/linux/arm_ffa.h
+@@ -13,6 +13,7 @@
+
+ /* FFA Bus/Device/Driver related */
+ struct ffa_device {
++ u32 id;
+ int vm_id;
+ bool mode_32bit;
+ uuid_t uuid;
--- /dev/null
+From f15afbd34d8fadbd375f1212e97837e32bc170cc Mon Sep 17 00:00:00 2001
+From: Hao Ge <gehao@kylinos.cn>
+Date: Mon, 24 Apr 2023 13:18:35 +0800
+Subject: fs: fix undefined behavior in bit shift for SB_NOUSER
+
+From: Hao Ge <gehao@kylinos.cn>
+
+commit f15afbd34d8fadbd375f1212e97837e32bc170cc upstream.
+
+Shifting signed 32-bit value by 31 bits is undefined, so changing
+significant bit to unsigned. It was spotted by UBSAN.
+
+So let's just fix this by using the BIT() helper for all SB_* flags.
+
+Fixes: e462ec50cb5f ("VFS: Differentiate mount flags (MS_*) from internal superblock flags")
+Signed-off-by: Hao Ge <gehao@kylinos.cn>
+Message-Id: <20230424051835.374204-1-gehao@kylinos.cn>
+[brauner@kernel.org: use BIT() for all SB_* flags]
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/fs.h | 42 +++++++++++++++++++++---------------------
+ 1 file changed, 21 insertions(+), 21 deletions(-)
+
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -1398,29 +1398,29 @@ extern int send_sigurg(struct fown_struc
+ * sb->s_flags. Note that these mirror the equivalent MS_* flags where
+ * represented in both.
+ */
+-#define SB_RDONLY 1 /* Mount read-only */
+-#define SB_NOSUID 2 /* Ignore suid and sgid bits */
+-#define SB_NODEV 4 /* Disallow access to device special files */
+-#define SB_NOEXEC 8 /* Disallow program execution */
+-#define SB_SYNCHRONOUS 16 /* Writes are synced at once */
+-#define SB_MANDLOCK 64 /* Allow mandatory locks on an FS */
+-#define SB_DIRSYNC 128 /* Directory modifications are synchronous */
+-#define SB_NOATIME 1024 /* Do not update access times. */
+-#define SB_NODIRATIME 2048 /* Do not update directory access times */
+-#define SB_SILENT 32768
+-#define SB_POSIXACL (1<<16) /* VFS does not apply the umask */
+-#define SB_INLINECRYPT (1<<17) /* Use blk-crypto for encrypted files */
+-#define SB_KERNMOUNT (1<<22) /* this is a kern_mount call */
+-#define SB_I_VERSION (1<<23) /* Update inode I_version field */
+-#define SB_LAZYTIME (1<<25) /* Update the on-disk [acm]times lazily */
++#define SB_RDONLY BIT(0) /* Mount read-only */
++#define SB_NOSUID BIT(1) /* Ignore suid and sgid bits */
++#define SB_NODEV BIT(2) /* Disallow access to device special files */
++#define SB_NOEXEC BIT(3) /* Disallow program execution */
++#define SB_SYNCHRONOUS BIT(4) /* Writes are synced at once */
++#define SB_MANDLOCK BIT(6) /* Allow mandatory locks on an FS */
++#define SB_DIRSYNC BIT(7) /* Directory modifications are synchronous */
++#define SB_NOATIME BIT(10) /* Do not update access times. */
++#define SB_NODIRATIME BIT(11) /* Do not update directory access times */
++#define SB_SILENT BIT(15)
++#define SB_POSIXACL BIT(16) /* VFS does not apply the umask */
++#define SB_INLINECRYPT BIT(17) /* Use blk-crypto for encrypted files */
++#define SB_KERNMOUNT BIT(22) /* this is a kern_mount call */
++#define SB_I_VERSION BIT(23) /* Update inode I_version field */
++#define SB_LAZYTIME BIT(25) /* Update the on-disk [acm]times lazily */
+
+ /* These sb flags are internal to the kernel */
+-#define SB_SUBMOUNT (1<<26)
+-#define SB_FORCE (1<<27)
+-#define SB_NOSEC (1<<28)
+-#define SB_BORN (1<<29)
+-#define SB_ACTIVE (1<<30)
+-#define SB_NOUSER (1<<31)
++#define SB_SUBMOUNT BIT(26)
++#define SB_FORCE BIT(27)
++#define SB_NOSEC BIT(28)
++#define SB_BORN BIT(29)
++#define SB_ACTIVE BIT(30)
++#define SB_NOUSER BIT(31)
+
+ /* These flags relate to encoding and casefolding */
+ #define SB_ENC_STRICT_MODE_FL (1 << 0)
--- /dev/null
+From 878ecb0897f4737a4c9401f3523fd49589025671 Mon Sep 17 00:00:00 2001
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Date: Tue, 23 May 2023 08:29:44 +0000
+Subject: ipv6: Fix out-of-bounds access in ipv6_find_tlv()
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+commit 878ecb0897f4737a4c9401f3523fd49589025671 upstream.
+
+optlen is fetched without checking whether there is more than one byte to parse.
+It can lead to out-of-bounds access.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: c61a40432509 ("[IPV6]: Find option offset by type.")
+Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/exthdrs_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/exthdrs_core.c
++++ b/net/ipv6/exthdrs_core.c
+@@ -143,6 +143,8 @@ int ipv6_find_tlv(const struct sk_buff *
+ optlen = 1;
+ break;
+ default:
++ if (len < 2)
++ goto bad;
+ optlen = nh[offset + 1] + 2;
+ if (optlen > len)
+ goto bad;
--- /dev/null
+From 8a02fb71d7192ff1a9a47c9d937624966c6e09af Mon Sep 17 00:00:00 2001
+From: Pratyush Yadav <ptyadav@amazon.de>
+Date: Mon, 22 May 2023 17:30:20 +0200
+Subject: net: fix skb leak in __skb_tstamp_tx()
+
+From: Pratyush Yadav <ptyadav@amazon.de>
+
+commit 8a02fb71d7192ff1a9a47c9d937624966c6e09af upstream.
+
+Commit 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with
+TX timestamp.") added a call to skb_orphan_frags_rx() to fix leaks with
+zerocopy skbs. But it ended up adding a leak of its own. When
+skb_orphan_frags_rx() fails, the function just returns, leaking the skb
+it just cloned. Free it before returning.
+
+This bug was discovered and resolved using Coverity Static Analysis
+Security Testing (SAST) by Synopsys, Inc.
+
+Fixes: 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.")
+Signed-off-by: Pratyush Yadav <ptyadav@amazon.de>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20230522153020.32422-1-ptyadav@amazon.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4961,8 +4961,10 @@ void __skb_tstamp_tx(struct sk_buff *ori
+ } else {
+ skb = skb_clone(orig_skb, GFP_ATOMIC);
+
+- if (skb_orphan_frags_rx(skb, GFP_ATOMIC))
++ if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) {
++ kfree_skb(skb);
+ return;
++ }
+ }
+ if (!skb)
+ return;
--- /dev/null
+From de678ca38861f2eb58814048076dcf95ed1b5bf9 Mon Sep 17 00:00:00 2001
+From: Sunil Goutham <sgoutham@marvell.com>
+Date: Thu, 18 May 2023 12:10:42 +0530
+Subject: octeontx2-pf: Fix TSOv6 offload
+
+From: Sunil Goutham <sgoutham@marvell.com>
+
+commit de678ca38861f2eb58814048076dcf95ed1b5bf9 upstream.
+
+HW adds segment size to the payload length
+in the IPv6 header. Fix payload length to
+just TCP header length instead of 'TCP header
+size + IPv6 header size'.
+
+Fixes: 86d7476078b8 ("octeontx2-pf: TCP segmentation offload support")
+Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
+Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
+@@ -574,9 +574,7 @@ static void otx2_sqe_add_ext(struct otx2
+ htons(ext->lso_sb - skb_network_offset(skb));
+ } else if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6) {
+ ext->lso_format = pfvf->hw.lso_tsov6_idx;
+-
+- ipv6_hdr(skb)->payload_len =
+- htons(ext->lso_sb - skb_network_offset(skb));
++ ipv6_hdr(skb)->payload_len = htons(tcp_hdrlen(skb));
+ } else if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4) {
+ __be16 l3_proto = vlan_get_protocol(skb);
+ struct udphdr *udph = udp_hdr(skb);
--- /dev/null
+From 35092c5819f8c5acc7bafe3fdbb13d6307c4f5e1 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 15 Apr 2023 20:23:35 +0200
+Subject: power: supply: bq27xxx: Add cache parameter to bq27xxx_battery_current_and_status()
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 35092c5819f8c5acc7bafe3fdbb13d6307c4f5e1 upstream.
+
+Add a cache parameter to bq27xxx_battery_current_and_status() so that
+it can optionally use cached flags instead of re-reading them itself.
+
+This is a preparation patch for making bq27xxx_battery_update() check
+the status and have it call power_supply_changed() on status changes.
+
+Fixes: 297a533b3e62 ("bq27x00: Cache battery registers")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/bq27xxx_battery.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/power/supply/bq27xxx_battery.c
++++ b/drivers/power/supply/bq27xxx_battery.c
+@@ -1846,7 +1846,8 @@ static bool bq27xxx_battery_is_full(stru
+ static int bq27xxx_battery_current_and_status(
+ struct bq27xxx_device_info *di,
+ union power_supply_propval *val_curr,
+- union power_supply_propval *val_status)
++ union power_supply_propval *val_status,
++ struct bq27xxx_reg_cache *cache)
+ {
+ bool single_flags = (di->opts & BQ27XXX_O_ZERO);
+ int curr;
+@@ -1858,10 +1859,14 @@ static int bq27xxx_battery_current_and_s
+ return curr;
+ }
+
+- flags = bq27xxx_read(di, BQ27XXX_REG_FLAGS, single_flags);
+- if (flags < 0) {
+- dev_err(di->dev, "error reading flags\n");
+- return flags;
++ if (cache) {
++ flags = cache->flags;
++ } else {
++ flags = bq27xxx_read(di, BQ27XXX_REG_FLAGS, single_flags);
++ if (flags < 0) {
++ dev_err(di->dev, "error reading flags\n");
++ return flags;
++ }
+ }
+
+ if (di->opts & BQ27XXX_O_ZERO) {
+@@ -2007,7 +2012,7 @@ static int bq27xxx_battery_get_property(
+
+ switch (psp) {
+ case POWER_SUPPLY_PROP_STATUS:
+- ret = bq27xxx_battery_current_and_status(di, NULL, val);
++ ret = bq27xxx_battery_current_and_status(di, NULL, val, NULL);
+ break;
+ case POWER_SUPPLY_PROP_VOLTAGE_NOW:
+ ret = bq27xxx_battery_voltage(di, val);
+@@ -2016,7 +2021,7 @@ static int bq27xxx_battery_get_property(
+ val->intval = di->cache.flags < 0 ? 0 : 1;
+ break;
+ case POWER_SUPPLY_PROP_CURRENT_NOW:
+- ret = bq27xxx_battery_current_and_status(di, val, NULL);
++ ret = bq27xxx_battery_current_and_status(di, val, NULL, NULL);
+ break;
+ case POWER_SUPPLY_PROP_CAPACITY:
+ ret = bq27xxx_simple_value(di->cache.capacity, val);
--- /dev/null
+From 5c34c0aef185dcd10881847b9ebf20046aa77cb4 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 15 Apr 2023 20:23:32 +0200
+Subject: power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 5c34c0aef185dcd10881847b9ebf20046aa77cb4 upstream.
+
+bq27xxx_battery_update() assumes / requires that it is only run once,
+not multiple times at the same time. But there are 3 possible callers:
+
+1. bq27xxx_battery_poll() delayed_work item handler
+2. bq27xxx_battery_irq_handler_thread() I2C IRQ handler
+3. bq27xxx_battery_setup()
+
+And there is no protection against these racing with each other,
+fix this race condition by making all callers take di->lock:
+
+- Rename bq27xxx_battery_update() to bq27xxx_battery_update_unlocked()
+
+- Add new bq27xxx_battery_update() which takes di->lock and then calls
+ bq27xxx_battery_update_unlocked()
+
+- Make stale cache check code in bq27xxx_battery_get_property(), which
+ already takes di->lock directly to check the jiffies, call
+ bq27xxx_battery_update_unlocked() instead of messing with
+ the delayed_work item
+
+- Make bq27xxx_battery_update_unlocked() mod the delayed-work item
+ so that the next poll is delayed to poll_interval milliseconds after
+ the last update independent of the source of the update
+
+Fixes: 740b755a3b34 ("bq27x00: Poll battery state")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/bq27xxx_battery.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+--- a/drivers/power/supply/bq27xxx_battery.c
++++ b/drivers/power/supply/bq27xxx_battery.c
+@@ -1755,7 +1755,7 @@ static int bq27xxx_battery_read_health(s
+ return POWER_SUPPLY_HEALTH_GOOD;
+ }
+
+-void bq27xxx_battery_update(struct bq27xxx_device_info *di)
++static void bq27xxx_battery_update_unlocked(struct bq27xxx_device_info *di)
+ {
+ struct bq27xxx_reg_cache cache = {0, };
+ bool has_ci_flag = di->opts & BQ27XXX_O_HAS_CI;
+@@ -1806,6 +1806,16 @@ void bq27xxx_battery_update(struct bq27x
+ di->cache = cache;
+
+ di->last_update = jiffies;
++
++ if (poll_interval > 0)
++ mod_delayed_work(system_wq, &di->work, poll_interval * HZ);
++}
++
++void bq27xxx_battery_update(struct bq27xxx_device_info *di)
++{
++ mutex_lock(&di->lock);
++ bq27xxx_battery_update_unlocked(di);
++ mutex_unlock(&di->lock);
+ }
+ EXPORT_SYMBOL_GPL(bq27xxx_battery_update);
+
+@@ -1816,9 +1826,6 @@ static void bq27xxx_battery_poll(struct
+ work.work);
+
+ bq27xxx_battery_update(di);
+-
+- if (poll_interval > 0)
+- schedule_delayed_work(&di->work, poll_interval * HZ);
+ }
+
+ static bool bq27xxx_battery_is_full(struct bq27xxx_device_info *di, int flags)
+@@ -1991,10 +1998,8 @@ static int bq27xxx_battery_get_property(
+ struct bq27xxx_device_info *di = power_supply_get_drvdata(psy);
+
+ mutex_lock(&di->lock);
+- if (time_is_before_jiffies(di->last_update + 5 * HZ)) {
+- cancel_delayed_work_sync(&di->work);
+- bq27xxx_battery_poll(&di->work.work);
+- }
++ if (time_is_before_jiffies(di->last_update + 5 * HZ))
++ bq27xxx_battery_update_unlocked(di);
+ mutex_unlock(&di->lock);
+
+ if (psp != POWER_SUPPLY_PROP_PRESENT && di->cache.flags < 0)
--- /dev/null
+From 444ff00734f3878cd54ddd1ed5e2e6dbea9326d5 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 15 Apr 2023 20:23:33 +0200
+Subject: power: supply: bq27xxx: Fix I2C IRQ race on remove
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 444ff00734f3878cd54ddd1ed5e2e6dbea9326d5 upstream.
+
+devm_request_threaded_irq() requested IRQs are only free-ed after
+the driver's remove function has ran. So the IRQ could trigger and
+call bq27xxx_battery_update() after bq27xxx_battery_teardown() has
+already run.
+
+Switch to explicitly free-ing the IRQ in bq27xxx_battery_i2c_remove()
+to fix this.
+
+Fixes: 8807feb91b76 ("power: bq27xxx_battery: Add interrupt handling support")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/bq27xxx_battery_i2c.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/power/supply/bq27xxx_battery_i2c.c
++++ b/drivers/power/supply/bq27xxx_battery_i2c.c
+@@ -179,7 +179,7 @@ static int bq27xxx_battery_i2c_probe(str
+ i2c_set_clientdata(client, di);
+
+ if (client->irq) {
+- ret = devm_request_threaded_irq(&client->dev, client->irq,
++ ret = request_threaded_irq(client->irq,
+ NULL, bq27xxx_battery_irq_handler_thread,
+ IRQF_ONESHOT,
+ di->name, di);
+@@ -209,6 +209,7 @@ static int bq27xxx_battery_i2c_remove(st
+ {
+ struct bq27xxx_device_info *di = i2c_get_clientdata(client);
+
++ free_irq(client->irq, di);
+ bq27xxx_battery_teardown(di);
+
+ mutex_lock(&battery_mutex);
--- /dev/null
+From c00bc80462afc7963f449d7f21d896d2f629cacc Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 15 Apr 2023 20:23:34 +0200
+Subject: power: supply: bq27xxx: Fix poll_interval handling and races on remove
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit c00bc80462afc7963f449d7f21d896d2f629cacc upstream.
+
+Before this patch bq27xxx_battery_teardown() was setting poll_interval = 0
+to avoid bq27xxx_battery_update() requeuing the delayed_work item.
+
+There are 2 problems with this:
+
+1. If the driver is unbound through sysfs, rather then the module being
+ rmmod-ed, this changes poll_interval unexpectedly
+
+2. This is racy, after it being set poll_interval could be changed
+ before bq27xxx_battery_update() checks it through
+ /sys/module/bq27xxx_battery/parameters/poll_interval
+
+Fix this by added a removed attribute to struct bq27xxx_device_info and
+using that instead of setting poll_interval to 0.
+
+There also is another poll_interval related race on remove(), writing
+/sys/module/bq27xxx_battery/parameters/poll_interval will requeue
+the delayed_work item for all devices on the bq27xxx_battery_devices
+list and the device being removed was only removed from that list
+after cancelling the delayed_work item.
+
+Fix this by moving the removal from the bq27xxx_battery_devices list
+to before cancelling the delayed_work item.
+
+Fixes: 8cfaaa811894 ("bq27x00_battery: Fix OOPS caused by unregistring bq27x00 driver")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/bq27xxx_battery.c | 22 +++++++++-------------
+ include/linux/power/bq27xxx_battery.h | 1 +
+ 2 files changed, 10 insertions(+), 13 deletions(-)
+
+--- a/drivers/power/supply/bq27xxx_battery.c
++++ b/drivers/power/supply/bq27xxx_battery.c
+@@ -1807,7 +1807,7 @@ static void bq27xxx_battery_update_unloc
+
+ di->last_update = jiffies;
+
+- if (poll_interval > 0)
++ if (!di->removed && poll_interval > 0)
+ mod_delayed_work(system_wq, &di->work, poll_interval * HZ);
+ }
+
+@@ -2138,22 +2138,18 @@ EXPORT_SYMBOL_GPL(bq27xxx_battery_setup)
+
+ void bq27xxx_battery_teardown(struct bq27xxx_device_info *di)
+ {
+- /*
+- * power_supply_unregister call bq27xxx_battery_get_property which
+- * call bq27xxx_battery_poll.
+- * Make sure that bq27xxx_battery_poll will not call
+- * schedule_delayed_work again after unregister (which cause OOPS).
+- */
+- poll_interval = 0;
+-
+- cancel_delayed_work_sync(&di->work);
+-
+- power_supply_unregister(di->bat);
+-
+ mutex_lock(&bq27xxx_list_lock);
+ list_del(&di->list);
+ mutex_unlock(&bq27xxx_list_lock);
+
++ /* Set removed to avoid bq27xxx_battery_update() re-queuing the work */
++ mutex_lock(&di->lock);
++ di->removed = true;
++ mutex_unlock(&di->lock);
++
++ cancel_delayed_work_sync(&di->work);
++
++ power_supply_unregister(di->bat);
+ mutex_destroy(&di->lock);
+ }
+ EXPORT_SYMBOL_GPL(bq27xxx_battery_teardown);
+--- a/include/linux/power/bq27xxx_battery.h
++++ b/include/linux/power/bq27xxx_battery.h
+@@ -68,6 +68,7 @@ struct bq27xxx_device_info {
+ struct bq27xxx_access_methods bus;
+ struct bq27xxx_reg_cache cache;
+ int charge_design_full;
++ bool removed;
+ unsigned long last_update;
+ struct delayed_work work;
+ struct power_supply *bat;
--- /dev/null
+From e4484643991e0f6b89060092563f0dbab9450cbb Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 13 Apr 2023 12:09:41 +0200
+Subject: power: supply: leds: Fix blink to LED on transition
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit e4484643991e0f6b89060092563f0dbab9450cbb upstream.
+
+When a battery's status changes from charging to full then
+the charging-blink-full-solid trigger tries to change
+the LED from blinking to solid/on.
+
+As is documented in include/linux/leds.h to deactivate blinking /
+to make the LED solid a LED_OFF must be send:
+
+"""
+ * Deactivate blinking again when the brightness is set to LED_OFF
+ * via the brightness_set() callback.
+"""
+
+led_set_brighness() calls with a brightness value other then 0 / LED_OFF
+merely change the brightness of the LED in its on state while it is
+blinking.
+
+So power_supply_update_bat_leds() must first send a LED_OFF event
+before the LED_FULL to disable blinking.
+
+Fixes: 6501f728c56f ("power_supply: Add new LED trigger charging-blink-solid-full")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Vasily Khoruzhick <anarsoul@gmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/power_supply_leds.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/power/supply/power_supply_leds.c
++++ b/drivers/power/supply/power_supply_leds.c
+@@ -34,8 +34,9 @@ static void power_supply_update_bat_leds
+ led_trigger_event(psy->charging_full_trig, LED_FULL);
+ led_trigger_event(psy->charging_trig, LED_OFF);
+ led_trigger_event(psy->full_trig, LED_FULL);
+- led_trigger_event(psy->charging_blink_full_solid_trig,
+- LED_FULL);
++ /* Going from blink to LED on requires a LED_OFF event to stop blink */
++ led_trigger_event(psy->charging_blink_full_solid_trig, LED_OFF);
++ led_trigger_event(psy->charging_blink_full_solid_trig, LED_FULL);
+ break;
+ case POWER_SUPPLY_STATUS_CHARGING:
+ led_trigger_event(psy->charging_full_trig, LED_FULL);
--- /dev/null
+From 4cbb0d358883a27e432714b5256f0362946f5e25 Mon Sep 17 00:00:00 2001
+From: Kang Chen <void0red@gmail.com>
+Date: Mon, 27 Feb 2023 11:14:10 +0800
+Subject: power: supply: mt6360: add a check of devm_work_autocancel in mt6360_charger_probe
+
+From: Kang Chen <void0red@gmail.com>
+
+commit 4cbb0d358883a27e432714b5256f0362946f5e25 upstream.
+
+devm_work_autocancel may fail, add a check and return early.
+
+Fixes: 0402e8ebb8b86 ("power: supply: mt6360_charger: add MT6360 charger support")
+Signed-off-by: Kang Chen <void0red@gmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/mt6360_charger.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/power/supply/mt6360_charger.c
++++ b/drivers/power/supply/mt6360_charger.c
+@@ -799,7 +799,9 @@ static int mt6360_charger_probe(struct p
+ mci->vinovp = 6500000;
+ mutex_init(&mci->chgdet_lock);
+ platform_set_drvdata(pdev, mci);
+- devm_work_autocancel(&pdev->dev, &mci->chrdet_work, mt6360_chrdet_work);
++ ret = devm_work_autocancel(&pdev->dev, &mci->chrdet_work, mt6360_chrdet_work);
++ if (ret)
++ return dev_err_probe(&pdev->dev, ret, "Failed to set delayed work\n");
+
+ ret = device_property_read_u32(&pdev->dev, "richtek,vinovp-microvolt", &mci->vinovp);
+ if (ret)
--- /dev/null
+From b2f2a3c9800208b0db2c2e34b05323757117faa2 Mon Sep 17 00:00:00 2001
+From: Daisuke Nojiri <dnojiri@chromium.org>
+Date: Mon, 24 Apr 2023 11:25:58 -0700
+Subject: power: supply: sbs-charger: Fix INHIBITED bit for Status reg
+
+From: Daisuke Nojiri <dnojiri@chromium.org>
+
+commit b2f2a3c9800208b0db2c2e34b05323757117faa2 upstream.
+
+CHARGE_INHIBITED bit position of the ChargerStatus register is actually
+0 not 1. This patch corrects it.
+
+Fixes: feb583e37f8a8 ("power: supply: add sbs-charger driver")
+Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/sbs-charger.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/power/supply/sbs-charger.c
++++ b/drivers/power/supply/sbs-charger.c
+@@ -24,7 +24,7 @@
+ #define SBS_CHARGER_REG_STATUS 0x13
+ #define SBS_CHARGER_REG_ALARM_WARNING 0x16
+
+-#define SBS_CHARGER_STATUS_CHARGE_INHIBITED BIT(1)
++#define SBS_CHARGER_STATUS_CHARGE_INHIBITED BIT(0)
+ #define SBS_CHARGER_STATUS_RES_COLD BIT(9)
+ #define SBS_CHARGER_STATUS_RES_HOT BIT(10)
+ #define SBS_CHARGER_STATUS_BATTERY_PRESENT BIT(14)
--- /dev/null
+From d67dada3e2524514b09496b9ee1df22d4507a280 Mon Sep 17 00:00:00 2001
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+Date: Fri, 12 May 2023 10:19:34 +0200
+Subject: regulator: pca9450: Fix BUCK2 enable_mask
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+commit d67dada3e2524514b09496b9ee1df22d4507a280 upstream.
+
+This fixes a copy & paste error.
+No functional change intended, BUCK1_ENMODE_MASK equals BUCK2_ENMODE_MASK.
+
+Fixes: 0935ff5f1f0a ("regulator: pca9450: add pca9450 pmic driver")
+Originally-from: Robin Gong <yibin.gong@nxp.com
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com
+Reviewed-by: Frieder Schrempf <frieder.schrempf@kontron.de
+Link: https://lore.kernel.org/r/20230512081935.2396180-1-alexander.stein@ew.tq-group.com
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/pca9450-regulator.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/regulator/pca9450-regulator.c
++++ b/drivers/regulator/pca9450-regulator.c
+@@ -256,7 +256,7 @@ static const struct pca9450_regulator_de
+ .vsel_reg = PCA9450_REG_BUCK2OUT_DVS0,
+ .vsel_mask = BUCK2OUT_DVS0_MASK,
+ .enable_reg = PCA9450_REG_BUCK2CTRL,
+- .enable_mask = BUCK1_ENMODE_MASK,
++ .enable_mask = BUCK2_ENMODE_MASK,
+ .ramp_reg = PCA9450_REG_BUCK2CTRL,
+ .ramp_mask = BUCK2_RAMP_MASK,
+ .ramp_delay_table = pca9450_dvs_buck_ramp_table,
+@@ -494,7 +494,7 @@ static const struct pca9450_regulator_de
+ .vsel_reg = PCA9450_REG_BUCK2OUT_DVS0,
+ .vsel_mask = BUCK2OUT_DVS0_MASK,
+ .enable_reg = PCA9450_REG_BUCK2CTRL,
+- .enable_mask = BUCK1_ENMODE_MASK,
++ .enable_mask = BUCK2_ENMODE_MASK,
+ .ramp_reg = PCA9450_REG_BUCK2CTRL,
+ .ramp_mask = BUCK2_RAMP_MASK,
+ .ramp_delay_table = pca9450_dvs_buck_ramp_table,
--- /dev/null
+From d226b1df361988f885c298737d6019c863a25f26 Mon Sep 17 00:00:00 2001
+From: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Date: Thu, 18 May 2023 12:37:59 +0800
+Subject: selftests: fib_tests: mute cleanup error message
+
+From: Po-Hsu Lin <po-hsu.lin@canonical.com>
+
+commit d226b1df361988f885c298737d6019c863a25f26 upstream.
+
+In the end of the test, there will be an error message induced by the
+`ip netns del ns1` command in cleanup()
+
+ Tests passed: 201
+ Tests failed: 0
+ Cannot remove namespace file "/run/netns/ns1": No such file or directory
+
+This can even be reproduced with just `./fib_tests.sh -h` as we're
+calling cleanup() on exit.
+
+Redirect the error message to /dev/null to mute it.
+
+V2: Update commit message and fixes tag.
+V3: resubmit due to missing netdev ML in V2
+
+Fixes: b60417a9f2b8 ("selftest: fib_tests: Always cleanup before exit")
+Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/fib_tests.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/fib_tests.sh
++++ b/tools/testing/selftests/net/fib_tests.sh
+@@ -68,7 +68,7 @@ setup()
+ cleanup()
+ {
+ $IP link del dev dummy0 &> /dev/null
+- ip netns del ns1
++ ip netns del ns1 &> /dev/null
+ ip netns del ns2 &> /dev/null
+ }
+
usb-sisusbvga-add-endpoint-checks.patch
media-radio-shark-add-endpoint-checks.patch
asoc-lpass-fix-for-kasan-use_after_free-out-of-bounds.patch
+net-fix-skb-leak-in-__skb_tstamp_tx.patch
+selftests-fib_tests-mute-cleanup-error-message.patch
+octeontx2-pf-fix-tsov6-offload.patch
+bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch
+ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch
+cifs-mapchars-mount-option-ignored.patch
+power-supply-leds-fix-blink-to-led-on-transition.patch
+power-supply-mt6360-add-a-check-of-devm_work_autocancel-in-mt6360_charger_probe.patch
+power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch
+power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch
+power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch
+power-supply-bq27xxx-add-cache-parameter-to-bq27xxx_battery_current_and_status.patch
+power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch
+firmware-arm_ffa-check-if-ffa_driver-remove-is-present-before-executing.patch
+firmware-arm_ffa-fix-ffa-device-names-for-logical-partitions.patch
+fs-fix-undefined-behavior-in-bit-shift-for-sb_nouser.patch
+regulator-pca9450-fix-buck2-enable_mask.patch
+coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch
+xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch
--- /dev/null
+From 8fafac202d18230bb9926bda48e563fd2cce2a4f Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Wed, 3 May 2023 18:11:35 +0300
+Subject: xen/pvcalls-back: fix double frees with pvcalls_new_active_socket()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 8fafac202d18230bb9926bda48e563fd2cce2a4f upstream.
+
+In the pvcalls_new_active_socket() function, most error paths call
+pvcalls_back_release_active(fedata->dev, fedata, map) which calls
+sock_release() on "sock". The bug is that the caller also frees sock.
+
+Fix this by making every error path in pvcalls_new_active_socket()
+release the sock, and don't free it in the caller.
+
+Fixes: 5db4d286a8ef ("xen/pvcalls: implement connect command")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Link: https://lore.kernel.org/r/e5f98dc2-0305-491f-a860-71bbd1398a2f@kili.mountain
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/pvcalls-back.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/xen/pvcalls-back.c
++++ b/drivers/xen/pvcalls-back.c
+@@ -321,8 +321,10 @@ static struct sock_mapping *pvcalls_new_
+ void *page;
+
+ map = kzalloc(sizeof(*map), GFP_KERNEL);
+- if (map == NULL)
++ if (map == NULL) {
++ sock_release(sock);
+ return NULL;
++ }
+
+ map->fedata = fedata;
+ map->sock = sock;
+@@ -414,10 +416,8 @@ static int pvcalls_back_connect(struct x
+ req->u.connect.ref,
+ req->u.connect.evtchn,
+ sock);
+- if (!map) {
++ if (!map)
+ ret = -EFAULT;
+- sock_release(sock);
+- }
+
+ out:
+ rsp = RING_GET_RESPONSE(&fedata->ring, fedata->ring.rsp_prod_pvt++);
+@@ -558,7 +558,6 @@ static void __pvcalls_back_accept(struct
+ sock);
+ if (!map) {
+ ret = -EFAULT;
+- sock_release(sock);
+ goto out_error;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
