--- /dev/null
+From c94f13691b0983a2b24feefeaa91935108e327ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jan 2023 13:49:30 +0100
+Subject: affs: initialize fsdata in affs_truncate()
+
+From: Alexander Potapenko <glider@google.com>
+
+[ Upstream commit eef034ac6690118c88f357b00e2b3239c9d8575d ]
+
+When aops->write_begin() does not initialize fsdata, KMSAN may report
+an error passing the latter to aops->write_end().
+
+Fix this by unconditionally initializing fsdata.
+
+Fixes: f2b6a16eb8f5 ("fs: affs convert to new aops")
+Suggested-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/affs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/affs/file.c b/fs/affs/file.c
+index d91b0133d95d..c3d89fa1bab7 100644
+--- a/fs/affs/file.c
++++ b/fs/affs/file.c
+@@ -879,7 +879,7 @@ affs_truncate(struct inode *inode)
+ if (inode->i_size > AFFS_I(inode)->mmu_private) {
+ struct address_space *mapping = inode->i_mapping;
+ struct page *page;
+- void *fsdata;
++ void *fsdata = NULL;
+ loff_t isize = inode->i_size;
+ int res;
+
+--
+2.39.0
+
--- /dev/null
+From 0fd492ffbb3d31582b30ff7e02a96e493241f8e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 22:58:52 +0530
+Subject: amd-xgbe: Delay AN timeout during KR training
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit 926446ae24c03311a480fb96eb78f0ce7ea6d091 ]
+
+AN restart triggered during KR training not only aborts the KR training
+process but also move the HW to unstable state. Driver has to wait upto
+500ms or until the KR training is completed before restarting AN cycle.
+
+Fixes: 7c12aa08779c ("amd-xgbe: Move the PHY support into amd-xgbe")
+Co-developed-by: Sudheesh Mavila <sudheesh.mavila@amd.com>
+Signed-off-by: Sudheesh Mavila <sudheesh.mavila@amd.com>
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Acked-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 24 +++++++++++++++++++++++
+ drivers/net/ethernet/amd/xgbe/xgbe.h | 2 ++
+ 2 files changed, 26 insertions(+)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+index 0c5c1b155683..43fdd111235a 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+@@ -496,6 +496,7 @@ static enum xgbe_an xgbe_an73_tx_training(struct xgbe_prv_data *pdata,
+ reg |= XGBE_KR_TRAINING_ENABLE;
+ reg |= XGBE_KR_TRAINING_START;
+ XMDIO_WRITE(pdata, MDIO_MMD_PMAPMD, MDIO_PMA_10GBR_PMD_CTRL, reg);
++ pdata->kr_start_time = jiffies;
+
+ netif_dbg(pdata, link, pdata->netdev,
+ "KR training initiated\n");
+@@ -632,6 +633,8 @@ static enum xgbe_an xgbe_an73_incompat_link(struct xgbe_prv_data *pdata)
+
+ xgbe_switch_mode(pdata);
+
++ pdata->an_result = XGBE_AN_READY;
++
+ xgbe_an_restart(pdata);
+
+ return XGBE_AN_INCOMPAT_LINK;
+@@ -1275,9 +1278,30 @@ static bool xgbe_phy_aneg_done(struct xgbe_prv_data *pdata)
+ static void xgbe_check_link_timeout(struct xgbe_prv_data *pdata)
+ {
+ unsigned long link_timeout;
++ unsigned long kr_time;
++ int wait;
+
+ link_timeout = pdata->link_check + (XGBE_LINK_TIMEOUT * HZ);
+ if (time_after(jiffies, link_timeout)) {
++ if ((xgbe_cur_mode(pdata) == XGBE_MODE_KR) &&
++ pdata->phy.autoneg == AUTONEG_ENABLE) {
++ /* AN restart should not happen while KR training is in progress.
++ * The while loop ensures no AN restart during KR training,
++ * waits up to 500ms and AN restart is triggered only if KR
++ * training is failed.
++ */
++ wait = XGBE_KR_TRAINING_WAIT_ITER;
++ while (wait--) {
++ kr_time = pdata->kr_start_time +
++ msecs_to_jiffies(XGBE_AN_MS_TIMEOUT);
++ if (time_after(jiffies, kr_time))
++ break;
++ /* AN restart is not required, if AN result is COMPLETE */
++ if (pdata->an_result == XGBE_AN_COMPLETE)
++ return;
++ usleep_range(10000, 11000);
++ }
++ }
+ netif_dbg(pdata, link, pdata->netdev, "AN link timeout\n");
+ xgbe_phy_config_aneg(pdata);
+ }
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h
+index 3305979a9f7c..e0b8f3c4cc0b 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
+@@ -289,6 +289,7 @@
+ /* Auto-negotiation */
+ #define XGBE_AN_MS_TIMEOUT 500
+ #define XGBE_LINK_TIMEOUT 5
++#define XGBE_KR_TRAINING_WAIT_ITER 50
+
+ #define XGBE_SGMII_AN_LINK_STATUS BIT(1)
+ #define XGBE_SGMII_AN_LINK_SPEED (BIT(2) | BIT(3))
+@@ -1253,6 +1254,7 @@ struct xgbe_prv_data {
+ unsigned int parallel_detect;
+ unsigned int fec_ability;
+ unsigned long an_start;
++ unsigned long kr_start_time;
+ enum xgbe_an_mode an_mode;
+
+ /* I2C support */
+--
+2.39.0
+
--- /dev/null
+From 351c106e48c48fc570a82bcf93b0a8bff239ee33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 22:58:51 +0530
+Subject: amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit 579923d84b04abb6cd4cd1fd9974096a2dd1832b ]
+
+There is difference in the TX Flow Control registers (TFCR) between the
+revisions of the hardware. The older revisions of hardware used to have
+single register per queue. Whereas, the newer revision of hardware (from
+ver 30H onwards) have one register per priority.
+
+Update the driver to use the TFCR based on the reported version of the
+hardware.
+
+Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver")
+Co-developed-by: Ajith Nayak <Ajith.Nayak@amd.com>
+Signed-off-by: Ajith Nayak <Ajith.Nayak@amd.com>
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Acked-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
+index d5fd49dd25f3..decc1c09a031 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
+@@ -524,19 +524,28 @@ static void xgbe_disable_vxlan(struct xgbe_prv_data *pdata)
+ netif_dbg(pdata, drv, pdata->netdev, "VXLAN acceleration disabled\n");
+ }
+
++static unsigned int xgbe_get_fc_queue_count(struct xgbe_prv_data *pdata)
++{
++ unsigned int max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES;
++
++ /* From MAC ver 30H the TFCR is per priority, instead of per queue */
++ if (XGMAC_GET_BITS(pdata->hw_feat.version, MAC_VR, SNPSVER) >= 0x30)
++ return max_q_count;
++ else
++ return min_t(unsigned int, pdata->tx_q_count, max_q_count);
++}
++
+ static int xgbe_disable_tx_flow_control(struct xgbe_prv_data *pdata)
+ {
+- unsigned int max_q_count, q_count;
+ unsigned int reg, reg_val;
+- unsigned int i;
++ unsigned int i, q_count;
+
+ /* Clear MTL flow control */
+ for (i = 0; i < pdata->rx_q_count; i++)
+ XGMAC_MTL_IOWRITE_BITS(pdata, i, MTL_Q_RQOMR, EHFC, 0);
+
+ /* Clear MAC flow control */
+- max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES;
+- q_count = min_t(unsigned int, pdata->tx_q_count, max_q_count);
++ q_count = xgbe_get_fc_queue_count(pdata);
+ reg = MAC_Q0TFCR;
+ for (i = 0; i < q_count; i++) {
+ reg_val = XGMAC_IOREAD(pdata, reg);
+@@ -553,9 +562,8 @@ static int xgbe_enable_tx_flow_control(struct xgbe_prv_data *pdata)
+ {
+ struct ieee_pfc *pfc = pdata->pfc;
+ struct ieee_ets *ets = pdata->ets;
+- unsigned int max_q_count, q_count;
+ unsigned int reg, reg_val;
+- unsigned int i;
++ unsigned int i, q_count;
+
+ /* Set MTL flow control */
+ for (i = 0; i < pdata->rx_q_count; i++) {
+@@ -579,8 +587,7 @@ static int xgbe_enable_tx_flow_control(struct xgbe_prv_data *pdata)
+ }
+
+ /* Set MAC flow control */
+- max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES;
+- q_count = min_t(unsigned int, pdata->tx_q_count, max_q_count);
++ q_count = xgbe_get_fc_queue_count(pdata);
+ reg = MAC_Q0TFCR;
+ for (i = 0; i < q_count; i++) {
+ reg_val = XGMAC_IOREAD(pdata, reg);
+--
+2.39.0
+
--- /dev/null
+From aeb1c727acac1d1a36b804b2f09b855d00825fff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 13:52:41 +0200
+Subject: ARM: dts: at91: sam9x60: fix the ddr clock for sam9x60
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit 9bfa2544dbd1133f0b0af4e967de3bb9c1e3a497 ]
+
+The 2nd DDR clock for sam9x60 DDR controller is peripheral clock with
+id 49.
+
+Fixes: 1e5f532c2737 ("ARM: dts: at91: sam9x60: add device tree for soc and board")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20221208115241.36312-1-claudiu.beznea@microchip.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/sam9x60.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/sam9x60.dtsi b/arch/arm/boot/dts/sam9x60.dtsi
+index ec45ced3cde6..e1e0dec8cc1f 100644
+--- a/arch/arm/boot/dts/sam9x60.dtsi
++++ b/arch/arm/boot/dts/sam9x60.dtsi
+@@ -567,7 +567,7 @@ pmecc: ecc-engine@ffffe000 {
+ mpddrc: mpddrc@ffffe800 {
+ compatible = "microchip,sam9x60-ddramc", "atmel,sama5d3-ddramc";
+ reg = <0xffffe800 0x200>;
+- clocks = <&pmc PMC_TYPE_SYSTEM 2>, <&pmc PMC_TYPE_CORE PMC_MCK>;
++ clocks = <&pmc PMC_TYPE_SYSTEM 2>, <&pmc PMC_TYPE_PERIPHERAL 49>;
+ clock-names = "ddrck", "mpddr";
+ };
+
+--
+2.39.0
+
--- /dev/null
+From 133f5e516716fc01ca08b6a874e28324997686ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 17:22:59 -0300
+Subject: ARM: dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts'
+
+From: Fabio Estevam <festevam@denx.de>
+
+[ Upstream commit 9dfbc72256b5de608ad10989bcbafdbbd1ac8d4e ]
+
+The following build warning is seen when running:
+
+make dtbs_check DT_SCHEMA_FILES=fsl-imx-uart.yaml
+
+arch/arm/boot/dts/imx6dl-gw560x.dtb: serial@2020000: rts-gpios: False schema does not allow [[20, 1, 0]]
+ From schema: Documentation/devicetree/bindings/serial/fsl-imx-uart.yaml
+
+The imx6qdl-gw560x board does not expose the UART RTS and CTS
+as native UART pins, so 'uart-has-rtscts' should not be used.
+
+Using 'uart-has-rtscts' with 'rts-gpios' is an invalid combination
+detected by serial.yaml.
+
+Fix the problem by removing the incorrect 'uart-has-rtscts' property.
+
+Fixes: b8a559feffb2 ("ARM: dts: imx: add Gateworks Ventana GW5600 support")
+Signed-off-by: Fabio Estevam <festevam@denx.de>
+Acked-by: Tim Harvey <tharvey@gateworks.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6qdl-gw560x.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/imx6qdl-gw560x.dtsi b/arch/arm/boot/dts/imx6qdl-gw560x.dtsi
+index 093a219a77ae..f520e337698a 100644
+--- a/arch/arm/boot/dts/imx6qdl-gw560x.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-gw560x.dtsi
+@@ -634,7 +634,6 @@ &ssi1 {
+ &uart1 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_uart1>;
+- uart-has-rtscts;
+ rts-gpios = <&gpio7 1 GPIO_ACTIVE_HIGH>;
+ status = "okay";
+ };
+--
+2.39.0
+
--- /dev/null
+From eeb381fa528913e79c3b4f3cad3db246381ebe1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 13:31:23 -0300
+Subject: ARM: dts: imx6ul-pico-dwarf: Use 'clock-frequency'
+
+From: Fabio Estevam <festevam@denx.de>
+
+[ Upstream commit 94e2cf1e0db5b06c7a6ae0878c5cbec925819a8a ]
+
+'clock_frequency' is not a valid property.
+
+Use the correct 'clock-frequency' instead.
+
+Fixes: 47246fafef84 ("ARM: dts: imx6ul-pico: Add support for the dwarf baseboard")
+Signed-off-by: Fabio Estevam <festevam@denx.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6ul-pico-dwarf.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/imx6ul-pico-dwarf.dts b/arch/arm/boot/dts/imx6ul-pico-dwarf.dts
+index 162dc259edc8..5a74c7f68eb6 100644
+--- a/arch/arm/boot/dts/imx6ul-pico-dwarf.dts
++++ b/arch/arm/boot/dts/imx6ul-pico-dwarf.dts
+@@ -32,7 +32,7 @@ sys_mclk: clock-sys-mclk {
+ };
+
+ &i2c2 {
+- clock_frequency = <100000>;
++ clock-frequency = <100000>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_i2c2>;
+ status = "okay";
+--
+2.39.0
+
--- /dev/null
+From 51941977c24d7f85ed96ae7f9e1cd7ca65e691d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 13:31:24 -0300
+Subject: ARM: dts: imx7d-pico: Use 'clock-frequency'
+
+From: Fabio Estevam <festevam@denx.de>
+
+[ Upstream commit f4dd0845c4f1f5371f1e06fef0e4a1734a2db964 ]
+
+'clock_frequency' is not a valid property.
+
+Use the correct 'clock-frequency' instead.
+
+Fixes: 8b646cfb84c3 ("ARM: dts: imx7d-pico: Add support for the dwarf baseboard")
+Fixes: 6418fd92417f ("ARM: dts: imx7d-pico: Add support for the nymph baseboard")
+Signed-off-by: Fabio Estevam <festevam@denx.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx7d-pico-dwarf.dts | 4 ++--
+ arch/arm/boot/dts/imx7d-pico-nymph.dts | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx7d-pico-dwarf.dts b/arch/arm/boot/dts/imx7d-pico-dwarf.dts
+index 5162fe227d1e..fdc10563f147 100644
+--- a/arch/arm/boot/dts/imx7d-pico-dwarf.dts
++++ b/arch/arm/boot/dts/imx7d-pico-dwarf.dts
+@@ -32,7 +32,7 @@ sys_mclk: clock-sys-mclk {
+ };
+
+ &i2c1 {
+- clock_frequency = <100000>;
++ clock-frequency = <100000>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_i2c1>;
+ status = "okay";
+@@ -52,7 +52,7 @@ pressure-sensor@60 {
+ };
+
+ &i2c4 {
+- clock_frequency = <100000>;
++ clock-frequency = <100000>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_i2c1>;
+ status = "okay";
+diff --git a/arch/arm/boot/dts/imx7d-pico-nymph.dts b/arch/arm/boot/dts/imx7d-pico-nymph.dts
+index 104a85254adb..5afb1674e012 100644
+--- a/arch/arm/boot/dts/imx7d-pico-nymph.dts
++++ b/arch/arm/boot/dts/imx7d-pico-nymph.dts
+@@ -43,7 +43,7 @@ sys_mclk: clock-sys-mclk {
+ };
+
+ &i2c1 {
+- clock_frequency = <100000>;
++ clock-frequency = <100000>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_i2c1>;
+ status = "okay";
+@@ -64,7 +64,7 @@ adc@52 {
+ };
+
+ &i2c2 {
+- clock_frequency = <100000>;
++ clock-frequency = <100000>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_i2c2>;
+ status = "okay";
+--
+2.39.0
+
--- /dev/null
+From 4f2eef13b03537b599e54f5a4c9a9763837e5862 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Dec 2022 17:54:03 +0100
+Subject: ARM: imx: add missing of_node_put()
+
+From: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+
+[ Upstream commit 87b30c4b0efb6a194a7b8eac2568a3da520d905f ]
+
+Calling of_find_compatible_node() returns a node pointer with refcount
+incremented. Use of_node_put() on it when done.
+The patch fixes the same problem on different i.MX platforms.
+
+Fixes: 8b88f7ef31dde ("ARM: mx25: Retrieve IIM base from dt")
+Fixes: 94b2bec1b0e05 ("ARM: imx27: Retrieve the SYSCTRL base address from devicetree")
+Fixes: 3172225d45bd9 ("ARM: imx31: Retrieve the IIM base address from devicetree")
+Fixes: f68ea682d1da7 ("ARM: imx35: Retrieve the IIM base address from devicetree")
+Fixes: ee18a7154ee08 ("ARM: imx5: retrieve iim base from device tree")
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Reviewed-by: Martin Kaiser <martin@kaiser.cx>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-imx/cpu-imx25.c | 1 +
+ arch/arm/mach-imx/cpu-imx27.c | 1 +
+ arch/arm/mach-imx/cpu-imx31.c | 1 +
+ arch/arm/mach-imx/cpu-imx35.c | 1 +
+ arch/arm/mach-imx/cpu-imx5.c | 1 +
+ 5 files changed, 5 insertions(+)
+
+diff --git a/arch/arm/mach-imx/cpu-imx25.c b/arch/arm/mach-imx/cpu-imx25.c
+index b2e1963f473d..2ee2d2813d57 100644
+--- a/arch/arm/mach-imx/cpu-imx25.c
++++ b/arch/arm/mach-imx/cpu-imx25.c
+@@ -23,6 +23,7 @@ static int mx25_read_cpu_rev(void)
+
+ np = of_find_compatible_node(NULL, NULL, "fsl,imx25-iim");
+ iim_base = of_iomap(np, 0);
++ of_node_put(np);
+ BUG_ON(!iim_base);
+ rev = readl(iim_base + MXC_IIMSREV);
+ iounmap(iim_base);
+diff --git a/arch/arm/mach-imx/cpu-imx27.c b/arch/arm/mach-imx/cpu-imx27.c
+index bf70e13bbe9e..1d2893908368 100644
+--- a/arch/arm/mach-imx/cpu-imx27.c
++++ b/arch/arm/mach-imx/cpu-imx27.c
+@@ -28,6 +28,7 @@ static int mx27_read_cpu_rev(void)
+
+ np = of_find_compatible_node(NULL, NULL, "fsl,imx27-ccm");
+ ccm_base = of_iomap(np, 0);
++ of_node_put(np);
+ BUG_ON(!ccm_base);
+ /*
+ * now we have access to the IO registers. As we need
+diff --git a/arch/arm/mach-imx/cpu-imx31.c b/arch/arm/mach-imx/cpu-imx31.c
+index b9c24b851d1a..35c544924e50 100644
+--- a/arch/arm/mach-imx/cpu-imx31.c
++++ b/arch/arm/mach-imx/cpu-imx31.c
+@@ -39,6 +39,7 @@ static int mx31_read_cpu_rev(void)
+
+ np = of_find_compatible_node(NULL, NULL, "fsl,imx31-iim");
+ iim_base = of_iomap(np, 0);
++ of_node_put(np);
+ BUG_ON(!iim_base);
+
+ /* read SREV register from IIM module */
+diff --git a/arch/arm/mach-imx/cpu-imx35.c b/arch/arm/mach-imx/cpu-imx35.c
+index 80e7d8ab9f1b..1fe75b39c2d9 100644
+--- a/arch/arm/mach-imx/cpu-imx35.c
++++ b/arch/arm/mach-imx/cpu-imx35.c
+@@ -21,6 +21,7 @@ static int mx35_read_cpu_rev(void)
+
+ np = of_find_compatible_node(NULL, NULL, "fsl,imx35-iim");
+ iim_base = of_iomap(np, 0);
++ of_node_put(np);
+ BUG_ON(!iim_base);
+
+ rev = imx_readl(iim_base + MXC_IIMSREV);
+diff --git a/arch/arm/mach-imx/cpu-imx5.c b/arch/arm/mach-imx/cpu-imx5.c
+index ad56263778f9..a67c89bf155d 100644
+--- a/arch/arm/mach-imx/cpu-imx5.c
++++ b/arch/arm/mach-imx/cpu-imx5.c
+@@ -28,6 +28,7 @@ static u32 imx5_read_srev_reg(const char *compat)
+
+ np = of_find_compatible_node(NULL, NULL, compat);
+ iim_base = of_iomap(np, 0);
++ of_node_put(np);
+ WARN_ON(!iim_base);
+
+ srev = readl(iim_base + IIM_SREV) & 0xff;
+--
+2.39.0
+
--- /dev/null
+From 1a3b4a99d51770c8d19d9adebeb1d2cf281fbb31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 13:10:37 -0600
+Subject: arm64: dts: imx8mm-beacon: Fix ecspi2 pinmux
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit 5225ba9db112ec4ed67da5e4d8b72e618573955e ]
+
+Early hardware did not support hardware handshaking on the UART, but
+final production hardware did. When the hardware was updated the chip
+select was changed to facilitate hardware handshaking on UART3. Fix the
+ecspi2 pin mux to eliminate a pin conflict with UART3 and allow the
+EEPROM to operate again.
+
+Fixes: 4ce01ce36d77 ("arm64: dts: imx8mm-beacon: Enable RTS-CTS on UART3")
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm-beacon-baseboard.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-baseboard.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-beacon-baseboard.dtsi
+index 5667009aae13..674a0ab8a539 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-baseboard.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-baseboard.dtsi
+@@ -70,7 +70,7 @@ sound {
+ &ecspi2 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_espi2>;
+- cs-gpios = <&gpio5 9 GPIO_ACTIVE_LOW>;
++ cs-gpios = <&gpio5 13 GPIO_ACTIVE_LOW>;
+ status = "okay";
+
+ eeprom@0 {
+@@ -187,7 +187,7 @@ pinctrl_espi2: espi2grp {
+ MX8MM_IOMUXC_ECSPI2_SCLK_ECSPI2_SCLK 0x82
+ MX8MM_IOMUXC_ECSPI2_MOSI_ECSPI2_MOSI 0x82
+ MX8MM_IOMUXC_ECSPI2_MISO_ECSPI2_MISO 0x82
+- MX8MM_IOMUXC_ECSPI1_SS0_GPIO5_IO9 0x41
++ MX8MM_IOMUXC_ECSPI2_SS0_GPIO5_IO13 0x41
+ >;
+ };
+
+--
+2.39.0
+
--- /dev/null
+From edfcb5f39b1951b8ec22c098af602026e17270da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jan 2023 23:15:07 +0000
+Subject: ASoC: fsl-asoc-card: Fix naming of AC'97 CODEC widgets
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit 242fc66ae6e1e2b8519daacc7590a73cd0e8a6e4 ]
+
+The fsl-asoc-card AC'97 support currently tries to route to Playback and
+Capture widgets provided by the AC'97 CODEC. This doesn't work since the
+generic AC'97 driver registers with an "AC97" at the front of the stream
+and hence widget names, update to reflect reality. It's not clear to me
+if or how this ever worked.
+
+Acked-by: Shengjiu Wang <shengjiu.wang@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20230106-asoc-udoo-probe-v1-2-a5d7469d4f67@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl-asoc-card.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl-asoc-card.c b/sound/soc/fsl/fsl-asoc-card.c
+index 8c976fde44f0..9a756d0a6032 100644
+--- a/sound/soc/fsl/fsl-asoc-card.c
++++ b/sound/soc/fsl/fsl-asoc-card.c
+@@ -117,8 +117,8 @@ static const struct snd_soc_dapm_route audio_map[] = {
+
+ static const struct snd_soc_dapm_route audio_map_ac97[] = {
+ /* 1st half -- Normal DAPM routes */
+- {"Playback", NULL, "CPU AC97 Playback"},
+- {"CPU AC97 Capture", NULL, "Capture"},
++ {"AC97 Playback", NULL, "CPU AC97 Playback"},
++ {"CPU AC97 Capture", NULL, "AC97 Capture"},
+ /* 2nd half -- ASRC DAPM routes */
+ {"CPU AC97 Playback", NULL, "ASRC-Playback"},
+ {"ASRC-Capture", NULL, "CPU AC97 Capture"},
+--
+2.39.0
+
--- /dev/null
+From 3ba9804508fb8d01240595a6a89360e08643f72b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jan 2023 10:57:54 +0800
+Subject: ASoC: fsl_micfil: Correct the number of steps on SX controls
+
+From: Chancel Liu <chancel.liu@nxp.com>
+
+[ Upstream commit cdfa92eb90f5770b26a79824ef213ebdbbd988b1 ]
+
+The parameter "max" of SOC_SINGLE_SX_TLV() means the number of steps
+rather than maximum value. This patch corrects the minimum value to -8
+and the number of steps to 15.
+
+Signed-off-by: Chancel Liu <chancel.liu@nxp.com>
+Acked-by: Shengjiu Wang <shengjiu.wang@gmail.com>
+Link: https://lore.kernel.org/r/20230104025754.3019235-1-chancel.liu@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_micfil.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
+index 6c794605e33c..97f83c63e765 100644
+--- a/sound/soc/fsl/fsl_micfil.c
++++ b/sound/soc/fsl/fsl_micfil.c
+@@ -87,21 +87,21 @@ static DECLARE_TLV_DB_SCALE(gain_tlv, 0, 100, 0);
+
+ static const struct snd_kcontrol_new fsl_micfil_snd_controls[] = {
+ SOC_SINGLE_SX_TLV("CH0 Volume", REG_MICFIL_OUT_CTRL,
+- MICFIL_OUTGAIN_CHX_SHIFT(0), 0xF, 0x7, gain_tlv),
++ MICFIL_OUTGAIN_CHX_SHIFT(0), 0x8, 0xF, gain_tlv),
+ SOC_SINGLE_SX_TLV("CH1 Volume", REG_MICFIL_OUT_CTRL,
+- MICFIL_OUTGAIN_CHX_SHIFT(1), 0xF, 0x7, gain_tlv),
++ MICFIL_OUTGAIN_CHX_SHIFT(1), 0x8, 0xF, gain_tlv),
+ SOC_SINGLE_SX_TLV("CH2 Volume", REG_MICFIL_OUT_CTRL,
+- MICFIL_OUTGAIN_CHX_SHIFT(2), 0xF, 0x7, gain_tlv),
++ MICFIL_OUTGAIN_CHX_SHIFT(2), 0x8, 0xF, gain_tlv),
+ SOC_SINGLE_SX_TLV("CH3 Volume", REG_MICFIL_OUT_CTRL,
+- MICFIL_OUTGAIN_CHX_SHIFT(3), 0xF, 0x7, gain_tlv),
++ MICFIL_OUTGAIN_CHX_SHIFT(3), 0x8, 0xF, gain_tlv),
+ SOC_SINGLE_SX_TLV("CH4 Volume", REG_MICFIL_OUT_CTRL,
+- MICFIL_OUTGAIN_CHX_SHIFT(4), 0xF, 0x7, gain_tlv),
++ MICFIL_OUTGAIN_CHX_SHIFT(4), 0x8, 0xF, gain_tlv),
+ SOC_SINGLE_SX_TLV("CH5 Volume", REG_MICFIL_OUT_CTRL,
+- MICFIL_OUTGAIN_CHX_SHIFT(5), 0xF, 0x7, gain_tlv),
++ MICFIL_OUTGAIN_CHX_SHIFT(5), 0x8, 0xF, gain_tlv),
+ SOC_SINGLE_SX_TLV("CH6 Volume", REG_MICFIL_OUT_CTRL,
+- MICFIL_OUTGAIN_CHX_SHIFT(6), 0xF, 0x7, gain_tlv),
++ MICFIL_OUTGAIN_CHX_SHIFT(6), 0x8, 0xF, gain_tlv),
+ SOC_SINGLE_SX_TLV("CH7 Volume", REG_MICFIL_OUT_CTRL,
+- MICFIL_OUTGAIN_CHX_SHIFT(7), 0xF, 0x7, gain_tlv),
++ MICFIL_OUTGAIN_CHX_SHIFT(7), 0x8, 0xF, gain_tlv),
+ SOC_ENUM_EXT("MICFIL Quality Select",
+ fsl_micfil_quality_enum,
+ snd_soc_get_enum_double, snd_soc_put_enum_double),
+--
+2.39.0
+
--- /dev/null
+From 3d996a5a33d5c8f921cddc453f0e32a2c55fca4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jan 2023 23:15:06 +0000
+Subject: ASoC: fsl_ssi: Rename AC'97 streams to avoid collisions with AC'97
+ CODEC
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit 8c6a42b5b0ed6f96624f56954e93eeae107440a6 ]
+
+The SSI driver calls the AC'97 playback and transmit streams "AC97 Playback"
+and "AC97 Capture" respectively. This is the same name used by the generic
+AC'97 CODEC driver in ASoC, creating confusion for the Freescale ASoC card
+when it attempts to use these widgets in routing. Add a "CPU" in the name
+like the regular DAIs registered by the driver to disambiguate.
+
+Acked-by: Shengjiu Wang <shengjiu.wang@gmail.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20230106-asoc-udoo-probe-v1-1-a5d7469d4f67@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl-asoc-card.c | 8 ++++----
+ sound/soc/fsl/fsl_ssi.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl-asoc-card.c b/sound/soc/fsl/fsl-asoc-card.c
+index 7cd14d6b9436..8c976fde44f0 100644
+--- a/sound/soc/fsl/fsl-asoc-card.c
++++ b/sound/soc/fsl/fsl-asoc-card.c
+@@ -117,11 +117,11 @@ static const struct snd_soc_dapm_route audio_map[] = {
+
+ static const struct snd_soc_dapm_route audio_map_ac97[] = {
+ /* 1st half -- Normal DAPM routes */
+- {"Playback", NULL, "AC97 Playback"},
+- {"AC97 Capture", NULL, "Capture"},
++ {"Playback", NULL, "CPU AC97 Playback"},
++ {"CPU AC97 Capture", NULL, "Capture"},
+ /* 2nd half -- ASRC DAPM routes */
+- {"AC97 Playback", NULL, "ASRC-Playback"},
+- {"ASRC-Capture", NULL, "AC97 Capture"},
++ {"CPU AC97 Playback", NULL, "ASRC-Playback"},
++ {"ASRC-Capture", NULL, "CPU AC97 Capture"},
+ };
+
+ static const struct snd_soc_dapm_route audio_map_tx[] = {
+diff --git a/sound/soc/fsl/fsl_ssi.c b/sound/soc/fsl/fsl_ssi.c
+index 1d774c876c52..94229ce1a30e 100644
+--- a/sound/soc/fsl/fsl_ssi.c
++++ b/sound/soc/fsl/fsl_ssi.c
+@@ -1161,14 +1161,14 @@ static struct snd_soc_dai_driver fsl_ssi_ac97_dai = {
+ .symmetric_channels = 1,
+ .probe = fsl_ssi_dai_probe,
+ .playback = {
+- .stream_name = "AC97 Playback",
++ .stream_name = "CPU AC97 Playback",
+ .channels_min = 2,
+ .channels_max = 2,
+ .rates = SNDRV_PCM_RATE_8000_48000,
+ .formats = SNDRV_PCM_FMTBIT_S16 | SNDRV_PCM_FMTBIT_S20,
+ },
+ .capture = {
+- .stream_name = "AC97 Capture",
++ .stream_name = "CPU AC97 Capture",
+ .channels_min = 2,
+ .channels_max = 2,
+ .rates = SNDRV_PCM_RATE_48000,
+--
+2.39.0
+
--- /dev/null
+From e4da9b93e3c92fb6e546cbe1f4ee03674bd44fd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jan 2023 16:05:46 +0100
+Subject: bpf: Fix pointer-leak due to insufficient speculative store bypass
+ mitigation
+
+From: Luis Gerhorst <gerhorst@cs.fau.de>
+
+[ Upstream commit e4f4db47794c9f474b184ee1418f42e6a07412b6 ]
+
+To mitigate Spectre v4, 2039f26f3aca ("bpf: Fix leakage due to
+insufficient speculative store bypass mitigation") inserts lfence
+instructions after 1) initializing a stack slot and 2) spilling a
+pointer to the stack.
+
+However, this does not cover cases where a stack slot is first
+initialized with a pointer (subject to sanitization) but then
+overwritten with a scalar (not subject to sanitization because
+the slot was already initialized). In this case, the second write
+may be subject to speculative store bypass (SSB) creating a
+speculative pointer-as-scalar type confusion. This allows the
+program to subsequently leak the numerical pointer value using,
+for example, a branch-based cache side channel.
+
+To fix this, also sanitize scalars if they write a stack slot
+that previously contained a pointer. Assuming that pointer-spills
+are only generated by LLVM on register-pressure, the performance
+impact on most real-world BPF programs should be small.
+
+The following unprivileged BPF bytecode drafts a minimal exploit
+and the mitigation:
+
+ [...]
+ // r6 = 0 or 1 (skalar, unknown user input)
+ // r7 = accessible ptr for side channel
+ // r10 = frame pointer (fp), to be leaked
+ //
+ r9 = r10 # fp alias to encourage ssb
+ *(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked
+ // lfence added here because of pointer spill to stack.
+ //
+ // Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor
+ // for no r9-r10 dependency.
+ //
+ *(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr
+ // 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID,
+ // store may be subject to SSB
+ //
+ // fix: also add an lfence when the slot contained a ptr
+ //
+ r8 = *(u64 *)(r9 - 8)
+ // r8 = architecturally a scalar, speculatively a ptr
+ //
+ // leak ptr using branch-based cache side channel:
+ r8 &= 1 // choose bit to leak
+ if r8 == 0 goto SLOW // no mispredict
+ // architecturally dead code if input r6 is 0,
+ // only executes speculatively iff ptr bit is 1
+ r8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast)
+SLOW:
+ [...]
+
+After running this, the program can time the access to *(r7 + 0) to
+determine whether the chosen pointer bit was 0 or 1. Repeat this 64
+times to recover the whole address on amd64.
+
+In summary, sanitization can only be skipped if one scalar is
+overwritten with another scalar. Scalar-confusion due to speculative
+store bypass can not lead to invalid accesses because the pointer
+bounds deducted during verification are enforced using branchless
+logic. See 979d63d50c0c ("bpf: prevent out of bounds speculation on
+pointer arithmetic") for details.
+
+Do not make the mitigation depend on !env->allow_{uninit_stack,ptr_leaks}
+because speculative leaks are likely unexpected if these were enabled.
+For example, leaking the address to a protected log file may be acceptable
+while disabling the mitigation might unintentionally leak the address
+into the cached-state of a map that is accessible to unprivileged
+processes.
+
+Fixes: 2039f26f3aca ("bpf: Fix leakage due to insufficient speculative store bypass mitigation")
+Signed-off-by: Luis Gerhorst <gerhorst@cs.fau.de>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Henriette Hofmeier <henriette.hofmeier@rub.de>
+Link: https://lore.kernel.org/bpf/edc95bad-aada-9cfc-ffe2-fa9bb206583c@cs.fau.de
+Link: https://lore.kernel.org/bpf/20230109150544.41465-1-gerhorst@cs.fau.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 232c93357b90..a6c931fed39b 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2319,7 +2319,9 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
+ bool sanitize = reg && is_spillable_regtype(reg->type);
+
+ for (i = 0; i < size; i++) {
+- if (state->stack[spi].slot_type[i] == STACK_INVALID) {
++ u8 type = state->stack[spi].slot_type[i];
++
++ if (type != STACK_MISC && type != STACK_ZERO) {
+ sanitize = true;
+ break;
+ }
+--
+2.39.0
+
--- /dev/null
+From f201f3bcfbc211423ff996cd2cf2ee194194220d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 May 2022 09:57:35 +0200
+Subject: clk: generalize devm_clk_get() a bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit abae8e57e49aa75f6db76aa866c775721523908f ]
+
+Allow to add an exit hook to devm managed clocks. Also use
+clk_get_optional() in devm_clk_get_optional instead of open coding it.
+The generalisation will be used in the next commit to add some more
+devm_clk helpers.
+
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Alexandru Ardelean <aardelean@deviqon.com>
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20220520075737.758761-3-u.kleine-koenig@pengutronix.de
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Stable-dep-of: 340cb392a038 ("memory: atmel-sdramc: Fix missing clk_disable_unprepare in atmel_ramc_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-devres.c | 66 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 49 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/clk/clk-devres.c b/drivers/clk/clk-devres.c
+index f9d5b7334341..c822f4ef1584 100644
+--- a/drivers/clk/clk-devres.c
++++ b/drivers/clk/clk-devres.c
+@@ -4,39 +4,71 @@
+ #include <linux/export.h>
+ #include <linux/gfp.h>
+
++struct devm_clk_state {
++ struct clk *clk;
++ void (*exit)(struct clk *clk);
++};
++
+ static void devm_clk_release(struct device *dev, void *res)
+ {
+- clk_put(*(struct clk **)res);
++ struct devm_clk_state *state = *(struct devm_clk_state **)res;
++
++ if (state->exit)
++ state->exit(state->clk);
++
++ clk_put(state->clk);
+ }
+
+-struct clk *devm_clk_get(struct device *dev, const char *id)
++static struct clk *__devm_clk_get(struct device *dev, const char *id,
++ struct clk *(*get)(struct device *dev, const char *id),
++ int (*init)(struct clk *clk),
++ void (*exit)(struct clk *clk))
+ {
+- struct clk **ptr, *clk;
++ struct devm_clk_state *state;
++ struct clk *clk;
++ int ret;
+
+- ptr = devres_alloc(devm_clk_release, sizeof(*ptr), GFP_KERNEL);
+- if (!ptr)
++ state = devres_alloc(devm_clk_release, sizeof(*state), GFP_KERNEL);
++ if (!state)
+ return ERR_PTR(-ENOMEM);
+
+- clk = clk_get(dev, id);
+- if (!IS_ERR(clk)) {
+- *ptr = clk;
+- devres_add(dev, ptr);
+- } else {
+- devres_free(ptr);
++ clk = get(dev, id);
++ if (IS_ERR(clk)) {
++ ret = PTR_ERR(clk);
++ goto err_clk_get;
+ }
+
++ if (init) {
++ ret = init(clk);
++ if (ret)
++ goto err_clk_init;
++ }
++
++ state->clk = clk;
++ state->exit = exit;
++
++ devres_add(dev, state);
++
+ return clk;
++
++err_clk_init:
++
++ clk_put(clk);
++err_clk_get:
++
++ devres_free(state);
++ return ERR_PTR(ret);
++}
++
++struct clk *devm_clk_get(struct device *dev, const char *id)
++{
++ return __devm_clk_get(dev, id, clk_get, NULL, NULL);
+ }
+ EXPORT_SYMBOL(devm_clk_get);
+
+ struct clk *devm_clk_get_optional(struct device *dev, const char *id)
+ {
+- struct clk *clk = devm_clk_get(dev, id);
+-
+- if (clk == ERR_PTR(-ENOENT))
+- return NULL;
+-
+- return clk;
++ return __devm_clk_get(dev, id, clk_get_optional, NULL, NULL);
+ }
+ EXPORT_SYMBOL(devm_clk_get_optional);
+
+--
+2.39.0
+
--- /dev/null
+From 2bb94184fe6c21fb66ca91cf054740580aab55c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 May 2022 09:57:36 +0200
+Subject: clk: Provide new devm_clk helpers for prepared and enabled clocks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 7ef9651e9792b08eb310c6beb202cbc947f43cab ]
+
+When a driver keeps a clock prepared (or enabled) during the whole
+lifetime of the driver, these helpers allow to simplify the drivers.
+
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Alexandru Ardelean <aardelean@deviqon.com>
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20220520075737.758761-4-u.kleine-koenig@pengutronix.de
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Stable-dep-of: 340cb392a038 ("memory: atmel-sdramc: Fix missing clk_disable_unprepare in atmel_ramc_probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-devres.c | 27 ++++++++++
+ include/linux/clk.h | 109 +++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 136 insertions(+)
+
+diff --git a/drivers/clk/clk-devres.c b/drivers/clk/clk-devres.c
+index c822f4ef1584..43ccd20e0298 100644
+--- a/drivers/clk/clk-devres.c
++++ b/drivers/clk/clk-devres.c
+@@ -66,12 +66,39 @@ struct clk *devm_clk_get(struct device *dev, const char *id)
+ }
+ EXPORT_SYMBOL(devm_clk_get);
+
++struct clk *devm_clk_get_prepared(struct device *dev, const char *id)
++{
++ return __devm_clk_get(dev, id, clk_get, clk_prepare, clk_unprepare);
++}
++EXPORT_SYMBOL_GPL(devm_clk_get_prepared);
++
++struct clk *devm_clk_get_enabled(struct device *dev, const char *id)
++{
++ return __devm_clk_get(dev, id, clk_get,
++ clk_prepare_enable, clk_disable_unprepare);
++}
++EXPORT_SYMBOL_GPL(devm_clk_get_enabled);
++
+ struct clk *devm_clk_get_optional(struct device *dev, const char *id)
+ {
+ return __devm_clk_get(dev, id, clk_get_optional, NULL, NULL);
+ }
+ EXPORT_SYMBOL(devm_clk_get_optional);
+
++struct clk *devm_clk_get_optional_prepared(struct device *dev, const char *id)
++{
++ return __devm_clk_get(dev, id, clk_get_optional,
++ clk_prepare, clk_unprepare);
++}
++EXPORT_SYMBOL_GPL(devm_clk_get_optional_prepared);
++
++struct clk *devm_clk_get_optional_enabled(struct device *dev, const char *id)
++{
++ return __devm_clk_get(dev, id, clk_get_optional,
++ clk_prepare_enable, clk_disable_unprepare);
++}
++EXPORT_SYMBOL_GPL(devm_clk_get_optional_enabled);
++
+ struct clk_bulk_devres {
+ struct clk_bulk_data *clks;
+ int num_clks;
+diff --git a/include/linux/clk.h b/include/linux/clk.h
+index 7fd6a1febcf4..1814eabb7c20 100644
+--- a/include/linux/clk.h
++++ b/include/linux/clk.h
+@@ -418,6 +418,47 @@ int __must_check devm_clk_bulk_get_all(struct device *dev,
+ */
+ struct clk *devm_clk_get(struct device *dev, const char *id);
+
++/**
++ * devm_clk_get_prepared - devm_clk_get() + clk_prepare()
++ * @dev: device for clock "consumer"
++ * @id: clock consumer ID
++ *
++ * Context: May sleep.
++ *
++ * Return: a struct clk corresponding to the clock producer, or
++ * valid IS_ERR() condition containing errno. The implementation
++ * uses @dev and @id to determine the clock consumer, and thereby
++ * the clock producer. (IOW, @id may be identical strings, but
++ * clk_get may return different clock producers depending on @dev.)
++ *
++ * The returned clk (if valid) is prepared. Drivers must however assume
++ * that the clock is not enabled.
++ *
++ * The clock will automatically be unprepared and freed when the device
++ * is unbound from the bus.
++ */
++struct clk *devm_clk_get_prepared(struct device *dev, const char *id);
++
++/**
++ * devm_clk_get_enabled - devm_clk_get() + clk_prepare_enable()
++ * @dev: device for clock "consumer"
++ * @id: clock consumer ID
++ *
++ * Context: May sleep.
++ *
++ * Return: a struct clk corresponding to the clock producer, or
++ * valid IS_ERR() condition containing errno. The implementation
++ * uses @dev and @id to determine the clock consumer, and thereby
++ * the clock producer. (IOW, @id may be identical strings, but
++ * clk_get may return different clock producers depending on @dev.)
++ *
++ * The returned clk (if valid) is prepared and enabled.
++ *
++ * The clock will automatically be disabled, unprepared and freed
++ * when the device is unbound from the bus.
++ */
++struct clk *devm_clk_get_enabled(struct device *dev, const char *id);
++
+ /**
+ * devm_clk_get_optional - lookup and obtain a managed reference to an optional
+ * clock producer.
+@@ -429,6 +470,50 @@ struct clk *devm_clk_get(struct device *dev, const char *id);
+ */
+ struct clk *devm_clk_get_optional(struct device *dev, const char *id);
+
++/**
++ * devm_clk_get_optional_prepared - devm_clk_get_optional() + clk_prepare()
++ * @dev: device for clock "consumer"
++ * @id: clock consumer ID
++ *
++ * Context: May sleep.
++ *
++ * Return: a struct clk corresponding to the clock producer, or
++ * valid IS_ERR() condition containing errno. The implementation
++ * uses @dev and @id to determine the clock consumer, and thereby
++ * the clock producer. If no such clk is found, it returns NULL
++ * which serves as a dummy clk. That's the only difference compared
++ * to devm_clk_get_prepared().
++ *
++ * The returned clk (if valid) is prepared. Drivers must however
++ * assume that the clock is not enabled.
++ *
++ * The clock will automatically be unprepared and freed when the
++ * device is unbound from the bus.
++ */
++struct clk *devm_clk_get_optional_prepared(struct device *dev, const char *id);
++
++/**
++ * devm_clk_get_optional_enabled - devm_clk_get_optional() +
++ * clk_prepare_enable()
++ * @dev: device for clock "consumer"
++ * @id: clock consumer ID
++ *
++ * Context: May sleep.
++ *
++ * Return: a struct clk corresponding to the clock producer, or
++ * valid IS_ERR() condition containing errno. The implementation
++ * uses @dev and @id to determine the clock consumer, and thereby
++ * the clock producer. If no such clk is found, it returns NULL
++ * which serves as a dummy clk. That's the only difference compared
++ * to devm_clk_get_enabled().
++ *
++ * The returned clk (if valid) is prepared and enabled.
++ *
++ * The clock will automatically be disabled, unprepared and freed
++ * when the device is unbound from the bus.
++ */
++struct clk *devm_clk_get_optional_enabled(struct device *dev, const char *id);
++
+ /**
+ * devm_get_clk_from_child - lookup and obtain a managed reference to a
+ * clock producer from child node.
+@@ -773,12 +858,36 @@ static inline struct clk *devm_clk_get(struct device *dev, const char *id)
+ return NULL;
+ }
+
++static inline struct clk *devm_clk_get_prepared(struct device *dev,
++ const char *id)
++{
++ return NULL;
++}
++
++static inline struct clk *devm_clk_get_enabled(struct device *dev,
++ const char *id)
++{
++ return NULL;
++}
++
+ static inline struct clk *devm_clk_get_optional(struct device *dev,
+ const char *id)
+ {
+ return NULL;
+ }
+
++static inline struct clk *devm_clk_get_optional_prepared(struct device *dev,
++ const char *id)
++{
++ return NULL;
++}
++
++static inline struct clk *devm_clk_get_optional_enabled(struct device *dev,
++ const char *id)
++{
++ return NULL;
++}
++
+ static inline int __must_check devm_clk_bulk_get(struct device *dev, int num_clks,
+ struct clk_bulk_data *clks)
+ {
+--
+2.39.0
+
--- /dev/null
+From 11eceb38c8063644b558c445131ae8bc948844ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Dec 2022 21:32:37 +0530
+Subject: cpufreq: Add Tegra234 to cpufreq-dt-platdev blocklist
+
+From: Sumit Gupta <sumitg@nvidia.com>
+
+[ Upstream commit 01c5bb0cc2a39fbc56ff9a5ef28b79447f0c2351 ]
+
+Tegra234 platform uses the tegra194-cpufreq driver, so add it
+to the blocklist in cpufreq-dt-platdev driver to avoid the cpufreq
+driver registration from there.
+
+Signed-off-by: Sumit Gupta <sumitg@nvidia.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq-dt-platdev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/cpufreq/cpufreq-dt-platdev.c b/drivers/cpufreq/cpufreq-dt-platdev.c
+index a3734014db47..aea285651fba 100644
+--- a/drivers/cpufreq/cpufreq-dt-platdev.c
++++ b/drivers/cpufreq/cpufreq-dt-platdev.c
+@@ -130,6 +130,7 @@ static const struct of_device_id blacklist[] __initconst = {
+ { .compatible = "nvidia,tegra30", },
+ { .compatible = "nvidia,tegra124", },
+ { .compatible = "nvidia,tegra210", },
++ { .compatible = "nvidia,tegra234", },
+
+ { .compatible = "qcom,apq8096", },
+ { .compatible = "qcom,msm8996", },
+--
+2.39.0
+
--- /dev/null
+From 46b7d9ddcf679f964809754ffde4cb327bb83f5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jan 2023 11:12:52 +0800
+Subject: cpufreq: armada-37xx: stop using 0 as NULL pointer
+
+From: Miles Chen <miles.chen@mediatek.com>
+
+[ Upstream commit 08f0adb193c008de640fde34a2e00a666c01d77c ]
+
+Use NULL for NULL pointer to fix the following sparse warning:
+drivers/cpufreq/armada-37xx-cpufreq.c:448:32: sparse: warning: Using plain integer as NULL pointer
+
+Signed-off-by: Miles Chen <miles.chen@mediatek.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/armada-37xx-cpufreq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/armada-37xx-cpufreq.c b/drivers/cpufreq/armada-37xx-cpufreq.c
+index 2de7fd18f66a..f0be8a43ec49 100644
+--- a/drivers/cpufreq/armada-37xx-cpufreq.c
++++ b/drivers/cpufreq/armada-37xx-cpufreq.c
+@@ -443,7 +443,7 @@ static int __init armada37xx_cpufreq_driver_init(void)
+ return -ENODEV;
+ }
+
+- clk = clk_get(cpu_dev, 0);
++ clk = clk_get(cpu_dev, NULL);
+ if (IS_ERR(clk)) {
+ dev_err(cpu_dev, "Cannot get clock for CPU0\n");
+ return PTR_ERR(clk);
+--
+2.39.0
+
--- /dev/null
+From 8f262c55f923380518e5f484b9ae5a7e2f227f9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 11:00:50 +0800
+Subject: dmaengine: Fix double increment of client_count in dma_chan_get()
+
+From: Koba Ko <koba.ko@canonical.com>
+
+[ Upstream commit f3dc1b3b4750851a94212dba249703dd0e50bb20 ]
+
+The first time dma_chan_get() is called for a channel the channel
+client_count is incorrectly incremented twice for public channels,
+first in balance_ref_count(), and again prior to returning. This
+results in an incorrect client count which will lead to the
+channel resources not being freed when they should be. A simple
+ test of repeated module load and unload of async_tx on a Dell
+ Power Edge R7425 also shows this resulting in a kref underflow
+ warning.
+
+[ 124.329662] async_tx: api initialized (async)
+[ 129.000627] async_tx: api initialized (async)
+[ 130.047839] ------------[ cut here ]------------
+[ 130.052472] refcount_t: underflow; use-after-free.
+[ 130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28
+refcount_warn_saturate+0xba/0x110
+[ 130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr
+intel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm
+mgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si
+syscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops
+k10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat
+fat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul
+libahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas
+i40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash
+dm_log dm_mod [last unloaded: async_tx]
+[ 130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not
+tainted 5.14.0-185.el9.x86_64 #1
+[ 130.126091] Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS
+1.18.0 01/17/2022
+[ 130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110
+[ 130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d
+26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a
+bd 55 00 <0f> 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff
+48 c7
+[ 130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286
+[ 130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000
+[ 130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0
+[ 130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff
+[ 130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970
+[ 130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 130.198739] FS: 00007f646435c740(0000) GS:ffff9daf9de00000(0000)
+knlGS:0000000000000000
+[ 130.206832] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0
+[ 130.219729] Call Trace:
+[ 130.222192] <TASK>
+[ 130.224305] dma_chan_put+0x10d/0x110
+[ 130.227988] dmaengine_put+0x7a/0xa0
+[ 130.231575] __do_sys_delete_module.constprop.0+0x178/0x280
+[ 130.237157] ? syscall_trace_enter.constprop.0+0x145/0x1d0
+[ 130.242652] do_syscall_64+0x5c/0x90
+[ 130.246240] ? exc_page_fault+0x62/0x150
+[ 130.250178] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 130.255243] RIP: 0033:0x7f6463a3f5ab
+[ 130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48
+83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00
+00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89
+01 48
+[ 130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX:
+00000000000000b0
+[ 130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab
+[ 130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8
+[ 130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000
+[ 130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8
+[ 130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8
+[ 130.320875] </TASK>
+[ 130.323081] ---[ end trace eff7156d56b5cf25 ]---
+
+cat /sys/class/dma/dma0chan*/in_use would get the wrong result.
+2
+2
+2
+
+Fixes: d2f4f99db3e9 ("dmaengine: Rework dma_chan_get")
+Signed-off-by: Koba Ko <koba.ko@canonical.com>
+Reviewed-by: Jie Hai <haijie1@huawei.com>
+Test-by: Jie Hai <haijie1@huawei.com>
+Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Tested-by: Joel Savitz <jsavitz@redhat.com>
+Link: https://lore.kernel.org/r/20221201030050.978595-1-koba.ko@canonical.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/dmaengine.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
+index af3ee288bc11..4ec7bb58c195 100644
+--- a/drivers/dma/dmaengine.c
++++ b/drivers/dma/dmaengine.c
+@@ -451,7 +451,8 @@ static int dma_chan_get(struct dma_chan *chan)
+ /* The channel is already in use, update client count */
+ if (chan->client_count) {
+ __module_get(owner);
+- goto out;
++ chan->client_count++;
++ return 0;
+ }
+
+ if (!try_module_get(owner))
+@@ -470,11 +471,11 @@ static int dma_chan_get(struct dma_chan *chan)
+ goto err_out;
+ }
+
++ chan->client_count++;
++
+ if (!dma_has_cap(DMA_PRIVATE, chan->device->cap_mask))
+ balance_ref_count(chan);
+
+-out:
+- chan->client_count++;
+ return 0;
+
+ err_out:
+--
+2.39.0
+
--- /dev/null
+From a1a9d2c9e7b2adf0afdc796d7b1b1fa23c21e81b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 10:16:12 +0800
+Subject: dmaengine: xilinx_dma: call of_node_put() when breaking out of
+ for_each_child_of_node()
+
+From: Liu Shixin <liushixin2@huawei.com>
+
+[ Upstream commit 596b53ccc36a546ab28e8897315c5b4d1d5a0200 ]
+
+Since for_each_child_of_node() will increase the refcount of node, we need
+to call of_node_put() manually when breaking out of the iteration.
+
+Fixes: 9cd4360de609 ("dma: Add Xilinx AXI Video Direct Memory Access Engine driver support")
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Acked-by: Peter Korsgaard <peter@korsgaard.com>
+Link: https://lore.kernel.org/r/20221122021612.1908866-1-liushixin2@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xilinx_dma.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index e76adc31ab66..12ad4bb3c5f2 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -3119,8 +3119,10 @@ static int xilinx_dma_probe(struct platform_device *pdev)
+ /* Initialize the channels */
+ for_each_child_of_node(node, child) {
+ err = xilinx_dma_child_probe(xdev, child);
+- if (err < 0)
++ if (err < 0) {
++ of_node_put(child);
+ goto error;
++ }
+ }
+
+ if (xdev->dma_config->dmatype == XDMA_TYPE_VDMA) {
+--
+2.39.0
+
--- /dev/null
+From cf0b8a5b8af0b23655a9b9fef7caf6f29d3847ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 14:35:41 +0800
+Subject: driver core: Fix test_async_probe_init saves device in wrong array
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit 9be182da0a7526f1b9a3777a336f83baa2e64d23 ]
+
+In test_async_probe_init, second set of asynchronous devices are saved
+in sync_dev[sync_id], which should be async_dev[async_id].
+This makes these devices not unregistered when exit.
+
+> modprobe test_async_driver_probe && \
+> modprobe -r test_async_driver_probe && \
+> modprobe test_async_driver_probe
+ ...
+> sysfs: cannot create duplicate filename '/devices/platform/test_async_driver.4'
+> kobject_add_internal failed for test_async_driver.4 with -EEXIST,
+ don't try to register things with the same name in the same directory.
+
+Fixes: 57ea974fb871 ("driver core: Rewrite test_async_driver_probe to cover serialization and NUMA affinity")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Link: https://lore.kernel.org/r/20221125063541.241328-1-chenzhongjin@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/test/test_async_driver_probe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/base/test/test_async_driver_probe.c b/drivers/base/test/test_async_driver_probe.c
+index 3bb7beb127a9..c157a912d673 100644
+--- a/drivers/base/test/test_async_driver_probe.c
++++ b/drivers/base/test/test_async_driver_probe.c
+@@ -146,7 +146,7 @@ static int __init test_async_probe_init(void)
+ calltime = ktime_get();
+ for_each_online_cpu(cpu) {
+ nid = cpu_to_node(cpu);
+- pdev = &sync_dev[sync_id];
++ pdev = &async_dev[async_id];
+
+ *pdev = test_platform_device_register_node("test_async_driver",
+ async_id,
+--
+2.39.0
+
--- /dev/null
+From 0ce4b7411ee8d9a09bbfe14f43fdcd5d2616680b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Dec 2022 15:58:26 -0500
+Subject: drm: Add orientation quirk for Lenovo ideapad D330-10IGL
+
+From: Patrick Thompson <ptf@google.com>
+
+[ Upstream commit 0688773f0710528e1ab302c3d6317e269f2e2e6e ]
+
+Panel is 800x1280 but mounted on a detachable form factor sideways.
+
+Signed-off-by: Patrick Thompson <ptf@google.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221220205826.178008-1-ptf@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index ca0fefeaab20..ce739ba45c55 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -272,6 +272,12 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad D330-10IGM"),
+ },
+ .driver_data = (void *)&lcd1200x1920_rightside_up,
++ }, { /* Lenovo Ideapad D330-10IGL (HD) */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad D330-10IGL"),
++ },
++ .driver_data = (void *)&lcd800x1280_rightside_up,
+ }, { /* Lenovo Yoga Book X90F / X91F / X91L */
+ .matches = {
+ /* Non exact match to match all versions */
+--
+2.39.0
+
--- /dev/null
+From 9b454168c443f0545dc0cdb8d9ea6394c53fa41f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jan 2023 17:44:43 +0100
+Subject: drm/panfrost: fix GENERIC_ATOMIC64 dependency
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 6437a549ae178a3f5a5c03e983f291ebcdc2bbc7 ]
+
+On ARMv5 and earlier, a randconfig build can still run into
+
+WARNING: unmet direct dependencies detected for IOMMU_IO_PGTABLE_LPAE
+ Depends on [n]: IOMMU_SUPPORT [=y] && (ARM [=y] || ARM64 || COMPILE_TEST [=y]) && !GENERIC_ATOMIC64 [=y]
+ Selected by [y]:
+ - DRM_PANFROST [=y] && HAS_IOMEM [=y] && DRM [=y] && (ARM [=y] || ARM64 || COMPILE_TEST [=y] && !GENERIC_ATOMIC64 [=y]) && MMU [=y]
+
+Rework the dependencies to always require a working cmpxchg64.
+
+Fixes: db594ba3fcf9 ("drm/panfrost: depend on !GENERIC_ATOMIC64 when using COMPILE_TEST")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Signed-off-by: Steven Price <steven.price@arm.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230117164456.1591901-1-arnd@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panfrost/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panfrost/Kconfig b/drivers/gpu/drm/panfrost/Kconfig
+index 86cdc0ce79e6..77f4d32e5204 100644
+--- a/drivers/gpu/drm/panfrost/Kconfig
++++ b/drivers/gpu/drm/panfrost/Kconfig
+@@ -3,7 +3,8 @@
+ config DRM_PANFROST
+ tristate "Panfrost (DRM support for ARM Mali Midgard/Bifrost GPUs)"
+ depends on DRM
+- depends on ARM || ARM64 || (COMPILE_TEST && !GENERIC_ATOMIC64)
++ depends on ARM || ARM64 || COMPILE_TEST
++ depends on !GENERIC_ATOMIC64 # for IOMMU_IO_PGTABLE_LPAE
+ depends on MMU
+ select DRM_SCHED
+ select IOMMU_SUPPORT
+--
+2.39.0
+
--- /dev/null
+From dcb71b03bff436843c2315b2fa6816bc7ff9c940 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Dec 2022 09:48:24 +0400
+Subject: EDAC/highbank: Fix memory leak in highbank_mc_probe()
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit e7a293658c20a7945014570e1921bf7d25d68a36 ]
+
+When devres_open_group() fails, it returns -ENOMEM without freeing memory
+allocated by edac_mc_alloc().
+
+Call edac_mc_free() on the error handling path to avoid a memory leak.
+
+ [ bp: Massage commit message. ]
+
+Fixes: a1b01edb2745 ("edac: add support for Calxeda highbank memory controller")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Andre Przywara <andre.przywara@arm.com>
+Link: https://lore.kernel.org/r/20221229054825.1361993-1-linmq006@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/highbank_mc_edac.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/edac/highbank_mc_edac.c b/drivers/edac/highbank_mc_edac.c
+index 61b76ec226af..19fba258ae10 100644
+--- a/drivers/edac/highbank_mc_edac.c
++++ b/drivers/edac/highbank_mc_edac.c
+@@ -174,8 +174,10 @@ static int highbank_mc_probe(struct platform_device *pdev)
+ drvdata = mci->pvt_info;
+ platform_set_drvdata(pdev, mci);
+
+- if (!devres_open_group(&pdev->dev, NULL, GFP_KERNEL))
+- return -ENOMEM;
++ if (!devres_open_group(&pdev->dev, NULL, GFP_KERNEL)) {
++ res = -ENOMEM;
++ goto free;
++ }
+
+ r = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ if (!r) {
+@@ -243,6 +245,7 @@ static int highbank_mc_probe(struct platform_device *pdev)
+ edac_mc_del_mc(&pdev->dev);
+ err:
+ devres_release_group(&pdev->dev, NULL);
++free:
+ edac_mc_free(mci);
+ return res;
+ }
+--
+2.39.0
+
--- /dev/null
+From 73341820606bd442352a3189342d3c60c86955e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Dec 2022 18:38:20 +0000
+Subject: firmware: arm_scmi: Harden shared memory access in fetch_response
+
+From: Cristian Marussi <cristian.marussi@arm.com>
+
+[ Upstream commit ad78b81a1077f7d956952cd8bdfe1e61504e3eb8 ]
+
+A misbheaving SCMI platform firmware could reply with out-of-spec messages,
+shorter than the mimimum size comprising a header and a status field.
+
+Harden shmem_fetch_response to properly truncate such a bad messages.
+
+Fixes: 5c8a47a5a91d ("firmware: arm_scmi: Make scmi core independent of the transport type")
+Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
+Link: https://lore.kernel.org/r/20221222183823.518856-3-cristian.marussi@arm.com
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scmi/shmem.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/arm_scmi/shmem.c b/drivers/firmware/arm_scmi/shmem.c
+index 0e3eaea5d852..415ef7df8fc3 100644
+--- a/drivers/firmware/arm_scmi/shmem.c
++++ b/drivers/firmware/arm_scmi/shmem.c
+@@ -58,10 +58,11 @@ u32 shmem_read_header(struct scmi_shared_mem __iomem *shmem)
+ void shmem_fetch_response(struct scmi_shared_mem __iomem *shmem,
+ struct scmi_xfer *xfer)
+ {
++ size_t len = ioread32(&shmem->length);
++
+ xfer->hdr.status = ioread32(shmem->msg_payload);
+ /* Skip the length of header and status in shmem area i.e 8 bytes */
+- xfer->rx.len = min_t(size_t, xfer->rx.len,
+- ioread32(&shmem->length) - 8);
++ xfer->rx.len = min_t(size_t, xfer->rx.len, len > 8 ? len - 8 : 0);
+
+ /* Take a copy to the rx buffer.. */
+ memcpy_fromio(xfer->rx.buf, shmem->msg_payload + 4, xfer->rx.len);
+--
+2.39.0
+
--- /dev/null
+From caab395e24b60ec6fc95a5d78f68f730457d7d7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Dec 2022 18:38:21 +0000
+Subject: firmware: arm_scmi: Harden shared memory access in fetch_notification
+
+From: Cristian Marussi <cristian.marussi@arm.com>
+
+[ Upstream commit 9bae076cd4e3e3c3dc185cae829d80b2dddec86e ]
+
+A misbheaving SCMI platform firmware could reply with out-of-spec
+notifications, shorter than the mimimum size comprising a header.
+
+Fixes: d5141f37c42e ("firmware: arm_scmi: Add notifications support in transport layer")
+Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
+Link: https://lore.kernel.org/r/20221222183823.518856-4-cristian.marussi@arm.com
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scmi/shmem.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/arm_scmi/shmem.c b/drivers/firmware/arm_scmi/shmem.c
+index 415ef7df8fc3..56a1f61aa3ff 100644
+--- a/drivers/firmware/arm_scmi/shmem.c
++++ b/drivers/firmware/arm_scmi/shmem.c
+@@ -71,8 +71,10 @@ void shmem_fetch_response(struct scmi_shared_mem __iomem *shmem,
+ void shmem_fetch_notification(struct scmi_shared_mem __iomem *shmem,
+ size_t max_len, struct scmi_xfer *xfer)
+ {
++ size_t len = ioread32(&shmem->length);
++
+ /* Skip only the length of header in shmem area i.e 4 bytes */
+- xfer->rx.len = min_t(size_t, max_len, ioread32(&shmem->length) - 4);
++ xfer->rx.len = min_t(size_t, max_len, len > 4 ? len - 4 : 0);
+
+ /* Take a copy to the rx buffer.. */
+ memcpy_fromio(xfer->rx.buf, shmem->msg_payload, xfer->rx.len);
+--
+2.39.0
+
--- /dev/null
+From 508fe8e67230529ec41daf5ec0e41bceb733e9c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jan 2023 10:49:57 +0100
+Subject: gpio: mxc: Always set GPIOs used as interrupt source to INPUT mode
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 8e88a0feebb241cab0253698b2f7358b6ebec802 ]
+
+Always configure GPIO pins which are used as interrupt source as INPUTs.
+In case the default pin configuration is OUTPUT, or the prior stage does
+configure the pins as OUTPUT, then Linux will not reconfigure the pin as
+INPUT and no interrupts are received.
+
+Always configure the interrupt source GPIO pin as input to fix the above case.
+
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Fixes: 07bd1a6cc7cbb ("MXC arch: Add gpio support for the whole platform")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-mxc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-mxc.c b/drivers/gpio/gpio-mxc.c
+index ba6ed2a413f5..0d5a9fee3c70 100644
+--- a/drivers/gpio/gpio-mxc.c
++++ b/drivers/gpio/gpio-mxc.c
+@@ -231,7 +231,7 @@ static int gpio_set_irq_type(struct irq_data *d, u32 type)
+
+ writel(1 << gpio_idx, port->base + GPIO_ISR);
+
+- return 0;
++ return port->gc.direction_input(&port->gc, gpio_idx);
+ }
+
+ static void mxc_flip_edge(struct mxc_gpio_port *port, u32 gpio)
+--
+2.39.0
+
--- /dev/null
+From ec87bec9f327297b83a9270e01a18562dcbc4711 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 18:12:16 +0000
+Subject: HID: betop: check shape of output reports
+
+From: Pietro Borrello <borrello@diag.uniroma1.it>
+
+[ Upstream commit 3782c0d6edf658b71354a64d60aa7a296188fc90 ]
+
+betopff_init() only checks the total sum of the report counts for each
+report field to be at least 4, but hid_betopff_play() expects 4 report
+fields.
+A device advertising an output report with one field and 4 report counts
+would pass the check but crash the kernel with a NULL pointer dereference
+in hid_betopff_play().
+
+Fixes: 52cd7785f3cd ("HID: betop: add drivers/hid/hid-betopff.c")
+Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-betopff.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c
+index 467d789f9bc2..25ed7b9a917e 100644
+--- a/drivers/hid/hid-betopff.c
++++ b/drivers/hid/hid-betopff.c
+@@ -60,7 +60,6 @@ static int betopff_init(struct hid_device *hid)
+ struct list_head *report_list =
+ &hid->report_enum[HID_OUTPUT_REPORT].report_list;
+ struct input_dev *dev;
+- int field_count = 0;
+ int error;
+ int i, j;
+
+@@ -86,19 +85,21 @@ static int betopff_init(struct hid_device *hid)
+ * -----------------------------------------
+ * Do init them with default value.
+ */
++ if (report->maxfield < 4) {
++ hid_err(hid, "not enough fields in the report: %d\n",
++ report->maxfield);
++ return -ENODEV;
++ }
+ for (i = 0; i < report->maxfield; i++) {
++ if (report->field[i]->report_count < 1) {
++ hid_err(hid, "no values in the field\n");
++ return -ENODEV;
++ }
+ for (j = 0; j < report->field[i]->report_count; j++) {
+ report->field[i]->value[j] = 0x00;
+- field_count++;
+ }
+ }
+
+- if (field_count < 4) {
+- hid_err(hid, "not enough fields in the report: %d\n",
+- field_count);
+- return -ENODEV;
+- }
+-
+ betopff = kzalloc(sizeof(*betopff), GFP_KERNEL);
+ if (!betopff)
+ return -ENOMEM;
+--
+2.39.0
+
--- /dev/null
+From 118522b7ead4720e091fb90614512d4872540623 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jan 2023 11:11:25 +0000
+Subject: HID: check empty report_list in bigben_probe()
+
+From: Pietro Borrello <borrello@diag.uniroma1.it>
+
+[ Upstream commit c7bf714f875531f227f2ef1fdcc8f4d44e7c7d9d ]
+
+Add a check for empty report_list in bigben_probe().
+The missing check causes a type confusion when issuing a list_entry()
+on an empty report_list.
+The problem is caused by the assumption that the device must
+have valid report_list. While this will be true for all normal HID
+devices, a suitably malicious device can violate the assumption.
+
+Fixes: 256a90ed9e46 ("HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad")
+Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-bigbenff.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c
+index e8c5e3ac9fff..e8b16665860d 100644
+--- a/drivers/hid/hid-bigbenff.c
++++ b/drivers/hid/hid-bigbenff.c
+@@ -344,6 +344,11 @@ static int bigben_probe(struct hid_device *hid,
+ }
+
+ report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
++ if (list_empty(report_list)) {
++ hid_err(hid, "no output report found\n");
++ error = -ENODEV;
++ goto error_hw_stop;
++ }
+ bigben->report = list_entry(report_list->next,
+ struct hid_report, list);
+
+--
+2.39.0
+
--- /dev/null
+From ed4aa7fa3321c6e74d85d81d55a7ef706bd7aa99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jan 2023 11:11:24 +0000
+Subject: HID: check empty report_list in hid_validate_values()
+
+From: Pietro Borrello <borrello@diag.uniroma1.it>
+
+[ Upstream commit b12fece4c64857e5fab4290bf01b2e0317a88456 ]
+
+Add a check for empty report_list in hid_validate_values().
+The missing check causes a type confusion when issuing a list_entry()
+on an empty report_list.
+The problem is caused by the assumption that the device must
+have valid report_list. While this will be true for all normal HID
+devices, a suitably malicious device can violate the assumption.
+
+Fixes: 1b15d2e5b807 ("HID: core: fix validation of report id 0")
+Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index eaaf732f0630..baadead947c8 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -988,8 +988,8 @@ struct hid_report *hid_validate_values(struct hid_device *hid,
+ * Validating on id 0 means we should examine the first
+ * report in the list.
+ */
+- report = list_entry(
+- hid->report_enum[type].report_list.next,
++ report = list_first_entry_or_null(
++ &hid->report_enum[type].report_list,
+ struct hid_report, list);
+ } else {
+ report = hid->report_enum[type].report_id_hash[id];
+--
+2.39.0
+
--- /dev/null
+From df1fda87f067c1646b29911c84ad80eb24524663 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 21:48:23 +0800
+Subject: HID: intel_ish-hid: Add check for ishtp_dma_tx_map
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit b3d40c3ec3dc4ad78017de6c3a38979f57aaaab8 ]
+
+As the kcalloc may return NULL pointer,
+it should be better to check the ishtp_dma_tx_map
+before use in order to avoid NULL pointer dereference.
+
+Fixes: 3703f53b99e4 ("HID: intel_ish-hid: ISH Transport layer")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/intel-ish-hid/ishtp/dma-if.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/hid/intel-ish-hid/ishtp/dma-if.c b/drivers/hid/intel-ish-hid/ishtp/dma-if.c
+index 40554c8daca0..00046cbfd4ed 100644
+--- a/drivers/hid/intel-ish-hid/ishtp/dma-if.c
++++ b/drivers/hid/intel-ish-hid/ishtp/dma-if.c
+@@ -104,6 +104,11 @@ void *ishtp_cl_get_dma_send_buf(struct ishtp_device *dev,
+ int required_slots = (size / DMA_SLOT_SIZE)
+ + 1 * (size % DMA_SLOT_SIZE != 0);
+
++ if (!dev->ishtp_dma_tx_map) {
++ dev_err(dev->devc, "Fail to allocate Tx map\n");
++ return NULL;
++ }
++
+ spin_lock_irqsave(&dev->ishtp_dma_tx_lock, flags);
+ for (i = 0; i <= (dev->ishtp_dma_num_slots - required_slots); i++) {
+ free = 1;
+@@ -150,6 +155,11 @@ void ishtp_cl_release_dma_acked_mem(struct ishtp_device *dev,
+ return;
+ }
+
++ if (!dev->ishtp_dma_tx_map) {
++ dev_err(dev->devc, "Fail to allocate Tx map\n");
++ return;
++ }
++
+ i = (msg_addr - dev->ishtp_host_dma_tx_buf) / DMA_SLOT_SIZE;
+ spin_lock_irqsave(&dev->ishtp_dma_tx_lock, flags);
+ for (j = 0; j < acked_slots; j++) {
+--
+2.39.0
+
--- /dev/null
+From 0e31253b67426ab8e23335ad8824df168ce1b5f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jan 2023 15:41:40 +0100
+Subject: HID: revert CHERRY_MOUSE_000C quirk
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+[ Upstream commit cbf44580ce6b310272a73e3e794233fd064330bd ]
+
+This partially reverts commit f6d910a89a2391 ("HID: usbhid: Add ALWAYS_POLL quirk
+for some mice"), as it turns out to break reboot on some platforms for reason
+yet to be understood.
+
+Fixes: f6d910a89a2391 ("HID: usbhid: Add ALWAYS_POLL quirk for some mice")
+Reported-by: Christian Zigotzky <chzigotzky@xenosoft.de>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 1 -
+ drivers/hid/hid-quirks.c | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 09c3f30f10d3..1d1306a6004e 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -257,7 +257,6 @@
+ #define USB_DEVICE_ID_CH_AXIS_295 0x001c
+
+ #define USB_VENDOR_ID_CHERRY 0x046a
+-#define USB_DEVICE_ID_CHERRY_MOUSE_000C 0x000c
+ #define USB_DEVICE_ID_CHERRY_CYMOTION 0x0023
+ #define USB_DEVICE_ID_CHERRY_CYMOTION_SOLAR 0x0027
+
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index 1efde40e5136..9f1fcbea19eb 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -54,7 +54,6 @@ static const struct hid_device_id hid_quirks[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_FLIGHT_SIM_YOKE), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_PRO_PEDALS), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_PRO_THROTTLE), HID_QUIRK_NOGET },
+- { HID_USB_DEVICE(USB_VENDOR_ID_CHERRY, USB_DEVICE_ID_CHERRY_MOUSE_000C), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB), HID_QUIRK_NO_INIT_REPORTS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB_RAPIDFIRE), HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K70RGB), HID_QUIRK_NO_INIT_REPORTS },
+--
+2.39.0
+
--- /dev/null
+From da51beabd99d536cc651f36cefc499419fcf4195 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jan 2023 12:31:21 -0500
+Subject: IB/hfi1: Fix expected receive setup error exit issues
+
+From: Dean Luick <dean.luick@cornelisnetworks.com>
+
+[ Upstream commit e0c4a422f5246abefbf7c178ef99a1f2dc3c5f62 ]
+
+Fix three error exit issues in expected receive setup.
+Re-arrange error exits to increase readability.
+
+Issues and fixes:
+1. Possible missed page unpin if tidlist copyout fails and
+ not all pinned pages where made part of a TID.
+ Fix: Unpin the unused pages.
+
+2. Return success with unset return values tidcnt and length
+ when no pages were pinned.
+ Fix: Return -ENOSPC if no pages were pinned.
+
+3. Return success with unset return values tidcnt and length when
+ no rcvarray entries available.
+ Fix: Return -ENOSPC if no rcvarray entries are available.
+
+Fixes: 7e7a436ecb6e ("staging/hfi1: Add TID entry program function body")
+Fixes: 97736f36dbeb ("IB/hfi1: Validate page aligned for a given virtual addres")
+Fixes: f404ca4c7ea8 ("IB/hfi1: Refactor hfi_user_exp_rcv_setup() IOCTL")
+Signed-off-by: Dean Luick <dean.luick@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Link: https://lore.kernel.org/r/167328548150.1472310.1492305874804187634.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/user_exp_rcv.c | 83 ++++++++++++++---------
+ 1 file changed, 50 insertions(+), 33 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+index 1278cd55a480..ba61d327a85d 100644
+--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+@@ -310,15 +310,14 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ tidbuf->psets = kcalloc(uctxt->expected_count, sizeof(*tidbuf->psets),
+ GFP_KERNEL);
+ if (!tidbuf->psets) {
+- kfree(tidbuf);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto fail_release_mem;
+ }
+
+ pinned = pin_rcv_pages(fd, tidbuf);
+ if (pinned <= 0) {
+- kfree(tidbuf->psets);
+- kfree(tidbuf);
+- return pinned;
++ ret = (pinned < 0) ? pinned : -ENOSPC;
++ goto fail_unpin;
+ }
+
+ /* Find sets of physically contiguous pages */
+@@ -333,14 +332,16 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ fd->tid_used += pageset_count;
+ spin_unlock(&fd->tid_lock);
+
+- if (!pageset_count)
+- goto bail;
++ if (!pageset_count) {
++ ret = -ENOSPC;
++ goto fail_unreserve;
++ }
+
+ ngroups = pageset_count / dd->rcv_entries.group_size;
+ tidlist = kcalloc(pageset_count, sizeof(*tidlist), GFP_KERNEL);
+ if (!tidlist) {
+ ret = -ENOMEM;
+- goto nomem;
++ goto fail_unreserve;
+ }
+
+ tididx = 0;
+@@ -436,44 +437,60 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ }
+ unlock:
+ mutex_unlock(&uctxt->exp_mutex);
+-nomem:
+ hfi1_cdbg(TID, "total mapped: tidpairs:%u pages:%u (%d)", tididx,
+ mapped_pages, ret);
++
++ /* fail if nothing was programmed, set error if none provided */
++ if (tididx == 0) {
++ if (ret >= 0)
++ ret = -ENOSPC;
++ goto fail_unreserve;
++ }
++
+ /* adjust reserved tid_used to actual count */
+ spin_lock(&fd->tid_lock);
+ fd->tid_used -= pageset_count - tididx;
+ spin_unlock(&fd->tid_lock);
+- if (tididx) {
+- tinfo->tidcnt = tididx;
+- tinfo->length = mapped_pages * PAGE_SIZE;
+
+- if (copy_to_user(u64_to_user_ptr(tinfo->tidlist),
+- tidlist, sizeof(tidlist[0]) * tididx)) {
+- /*
+- * On failure to copy to the user level, we need to undo
+- * everything done so far so we don't leak resources.
+- */
+- tinfo->tidlist = (unsigned long)&tidlist;
+- hfi1_user_exp_rcv_clear(fd, tinfo);
+- tinfo->tidlist = 0;
+- ret = -EFAULT;
+- goto bail;
+- }
++ /* unpin all pages not covered by a TID */
++ unpin_rcv_pages(fd, tidbuf, NULL, mapped_pages, pinned - mapped_pages,
++ false);
++
++ tinfo->tidcnt = tididx;
++ tinfo->length = mapped_pages * PAGE_SIZE;
++
++ if (copy_to_user(u64_to_user_ptr(tinfo->tidlist),
++ tidlist, sizeof(tidlist[0]) * tididx)) {
++ ret = -EFAULT;
++ goto fail_unprogram;
+ }
+
+- /*
+- * If not everything was mapped (due to insufficient RcvArray entries,
+- * for example), unpin all unmapped pages so we can pin them nex time.
+- */
+- if (mapped_pages != pinned)
+- unpin_rcv_pages(fd, tidbuf, NULL, mapped_pages,
+- (pinned - mapped_pages), false);
+-bail:
++ kfree(tidbuf->pages);
+ kfree(tidbuf->psets);
++ kfree(tidbuf);
+ kfree(tidlist);
++ return 0;
++
++fail_unprogram:
++ /* unprogram, unmap, and unpin all allocated TIDs */
++ tinfo->tidlist = (unsigned long)tidlist;
++ hfi1_user_exp_rcv_clear(fd, tinfo);
++ tinfo->tidlist = 0;
++ pinned = 0; /* nothing left to unpin */
++ pageset_count = 0; /* nothing left reserved */
++fail_unreserve:
++ spin_lock(&fd->tid_lock);
++ fd->tid_used -= pageset_count;
++ spin_unlock(&fd->tid_lock);
++fail_unpin:
++ if (pinned > 0)
++ unpin_rcv_pages(fd, tidbuf, NULL, 0, pinned, false);
++fail_release_mem:
+ kfree(tidbuf->pages);
++ kfree(tidbuf->psets);
+ kfree(tidbuf);
+- return ret > 0 ? 0 : ret;
++ kfree(tidlist);
++ return ret;
+ }
+
+ int hfi1_user_exp_rcv_clear(struct hfi1_filedata *fd,
+--
+2.39.0
+
--- /dev/null
+From b407826bb231de5a02028add9639a7baa3385297 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jan 2023 12:31:26 -0500
+Subject: IB/hfi1: Immediately remove invalid memory from hardware
+
+From: Dean Luick <dean.luick@cornelisnetworks.com>
+
+[ Upstream commit 1c7edde1b5720ddb0aff5ca8c7f605a0f92526eb ]
+
+When a user expected receive page is unmapped, it should be
+immediately removed from hardware rather than depend on a
+reaction from user space.
+
+Fixes: 2677a7680e77 ("IB/hfi1: Fix memory leak during unexpected shutdown")
+Signed-off-by: Dean Luick <dean.luick@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Link: https://lore.kernel.org/r/167328548663.1472310.7871808081861622659.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/user_exp_rcv.c | 43 +++++++++++++++--------
+ drivers/infiniband/hw/hfi1/user_exp_rcv.h | 1 +
+ 2 files changed, 30 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+index ba61d327a85d..b70d1b135ee4 100644
+--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+@@ -70,8 +70,9 @@ static int program_rcvarray(struct hfi1_filedata *fd, struct tid_user_buf *,
+ unsigned int start, u16 count,
+ u32 *tidlist, unsigned int *tididx,
+ unsigned int *pmapped);
+-static int unprogram_rcvarray(struct hfi1_filedata *fd, u32 tidinfo,
+- struct tid_group **grp);
++static int unprogram_rcvarray(struct hfi1_filedata *fd, u32 tidinfo);
++static void __clear_tid_node(struct hfi1_filedata *fd,
++ struct tid_rb_node *node);
+ static void clear_tid_node(struct hfi1_filedata *fd, struct tid_rb_node *node);
+
+ static const struct mmu_interval_notifier_ops tid_mn_ops = {
+@@ -511,7 +512,7 @@ int hfi1_user_exp_rcv_clear(struct hfi1_filedata *fd,
+
+ mutex_lock(&uctxt->exp_mutex);
+ for (tididx = 0; tididx < tinfo->tidcnt; tididx++) {
+- ret = unprogram_rcvarray(fd, tidinfo[tididx], NULL);
++ ret = unprogram_rcvarray(fd, tidinfo[tididx]);
+ if (ret) {
+ hfi1_cdbg(TID, "Failed to unprogram rcv array %d",
+ ret);
+@@ -767,6 +768,7 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd,
+ }
+
+ node->fdata = fd;
++ mutex_init(&node->invalidate_mutex);
+ node->phys = page_to_phys(pages[0]);
+ node->npages = npages;
+ node->rcventry = rcventry;
+@@ -806,8 +808,7 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd,
+ return -EFAULT;
+ }
+
+-static int unprogram_rcvarray(struct hfi1_filedata *fd, u32 tidinfo,
+- struct tid_group **grp)
++static int unprogram_rcvarray(struct hfi1_filedata *fd, u32 tidinfo)
+ {
+ struct hfi1_ctxtdata *uctxt = fd->uctxt;
+ struct hfi1_devdata *dd = uctxt->dd;
+@@ -830,9 +831,6 @@ static int unprogram_rcvarray(struct hfi1_filedata *fd, u32 tidinfo,
+ if (!node || node->rcventry != (uctxt->expected_base + rcventry))
+ return -EBADF;
+
+- if (grp)
+- *grp = node->grp;
+-
+ if (fd->use_mn)
+ mmu_interval_notifier_remove(&node->notifier);
+ cacheless_tid_rb_remove(fd, node);
+@@ -840,23 +838,34 @@ static int unprogram_rcvarray(struct hfi1_filedata *fd, u32 tidinfo,
+ return 0;
+ }
+
+-static void clear_tid_node(struct hfi1_filedata *fd, struct tid_rb_node *node)
++static void __clear_tid_node(struct hfi1_filedata *fd, struct tid_rb_node *node)
+ {
+ struct hfi1_ctxtdata *uctxt = fd->uctxt;
+ struct hfi1_devdata *dd = uctxt->dd;
+
++ mutex_lock(&node->invalidate_mutex);
++ if (node->freed)
++ goto done;
++ node->freed = true;
++
+ trace_hfi1_exp_tid_unreg(uctxt->ctxt, fd->subctxt, node->rcventry,
+ node->npages,
+ node->notifier.interval_tree.start, node->phys,
+ node->dma_addr);
+
+- /*
+- * Make sure device has seen the write before we unpin the
+- * pages.
+- */
++ /* Make sure device has seen the write before pages are unpinned */
+ hfi1_put_tid(dd, node->rcventry, PT_INVALID_FLUSH, 0, 0);
+
+ unpin_rcv_pages(fd, NULL, node, 0, node->npages, true);
++done:
++ mutex_unlock(&node->invalidate_mutex);
++}
++
++static void clear_tid_node(struct hfi1_filedata *fd, struct tid_rb_node *node)
++{
++ struct hfi1_ctxtdata *uctxt = fd->uctxt;
++
++ __clear_tid_node(fd, node);
+
+ node->grp->used--;
+ node->grp->map &= ~(1 << (node->rcventry - node->grp->base));
+@@ -915,10 +924,16 @@ static bool tid_rb_invalidate(struct mmu_interval_notifier *mni,
+ if (node->freed)
+ return true;
+
++ /* take action only if unmapping */
++ if (range->event != MMU_NOTIFY_UNMAP)
++ return true;
++
+ trace_hfi1_exp_tid_inval(uctxt->ctxt, fdata->subctxt,
+ node->notifier.interval_tree.start,
+ node->rcventry, node->npages, node->dma_addr);
+- node->freed = true;
++
++ /* clear the hardware rcvarray entry */
++ __clear_tid_node(fdata, node);
+
+ spin_lock(&fdata->invalid_lock);
+ if (fdata->invalid_tid_idx < uctxt->expected_count) {
+diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.h b/drivers/infiniband/hw/hfi1/user_exp_rcv.h
+index d45c7b6988d4..ba06ab3b4769 100644
+--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.h
++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.h
+@@ -68,6 +68,7 @@ struct tid_user_buf {
+ struct tid_rb_node {
+ struct mmu_interval_notifier notifier;
+ struct hfi1_filedata *fdata;
++ struct mutex invalidate_mutex; /* covers hw removal */
+ unsigned long phys;
+ struct tid_group *grp;
+ u32 rcventry;
+--
+2.39.0
+
--- /dev/null
+From 6b04c057774d3db8ebce88a14d61e0422cfce126 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jan 2023 12:31:11 -0500
+Subject: IB/hfi1: Reject a zero-length user expected buffer
+
+From: Dean Luick <dean.luick@cornelisnetworks.com>
+
+[ Upstream commit 0a0a6e80472c98947d73c3d13bcd7d101895f55d ]
+
+A zero length user buffer makes no sense and the code
+does not handle it correctly. Instead, reject a
+zero length as invalid.
+
+Fixes: 97736f36dbeb ("IB/hfi1: Validate page aligned for a given virtual addres")
+Signed-off-by: Dean Luick <dean.luick@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Link: https://lore.kernel.org/r/167328547120.1472310.6362802432127399257.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/user_exp_rcv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+index b94fc7fd75a9..dd8ce2a62d2b 100644
+--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+@@ -298,6 +298,8 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+
+ if (!PAGE_ALIGNED(tinfo->vaddr))
+ return -EINVAL;
++ if (tinfo->length == 0)
++ return -EINVAL;
+
+ tidbuf = kzalloc(sizeof(*tidbuf), GFP_KERNEL);
+ if (!tidbuf)
+--
+2.39.0
+
--- /dev/null
+From 111a62e955d0ef9812f09f8da401f84735756e5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jan 2023 12:31:31 -0500
+Subject: IB/hfi1: Remove user expected buffer invalidate race
+
+From: Dean Luick <dean.luick@cornelisnetworks.com>
+
+[ Upstream commit b3deec25847bda34e34d5d7be02f633caf000bd8 ]
+
+During setup, there is a possible race between a page invalidate
+and hardware programming. Add a covering invalidate over the user
+target range during setup. If anything within that range is
+invalidated during setup, fail the setup. Once set up, each
+TID will have its own invalidate callback and invalidate.
+
+Fixes: 3889551db212 ("RDMA/hfi1: Use mmu_interval_notifier_insert for user_exp_rcv")
+Signed-off-by: Dean Luick <dean.luick@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Link: https://lore.kernel.org/r/167328549178.1472310.9867497376936699488.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/user_exp_rcv.c | 58 +++++++++++++++++++++--
+ drivers/infiniband/hw/hfi1/user_exp_rcv.h | 2 +
+ 2 files changed, 55 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+index b70d1b135ee4..897923981855 100644
+--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+@@ -65,6 +65,9 @@ static void cacheless_tid_rb_remove(struct hfi1_filedata *fdata,
+ static bool tid_rb_invalidate(struct mmu_interval_notifier *mni,
+ const struct mmu_notifier_range *range,
+ unsigned long cur_seq);
++static bool tid_cover_invalidate(struct mmu_interval_notifier *mni,
++ const struct mmu_notifier_range *range,
++ unsigned long cur_seq);
+ static int program_rcvarray(struct hfi1_filedata *fd, struct tid_user_buf *,
+ struct tid_group *grp,
+ unsigned int start, u16 count,
+@@ -78,6 +81,9 @@ static void clear_tid_node(struct hfi1_filedata *fd, struct tid_rb_node *node);
+ static const struct mmu_interval_notifier_ops tid_mn_ops = {
+ .invalidate = tid_rb_invalidate,
+ };
++static const struct mmu_interval_notifier_ops tid_cover_ops = {
++ .invalidate = tid_cover_invalidate,
++};
+
+ /*
+ * Initialize context and file private data needed for Expected
+@@ -296,6 +302,7 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ tididx = 0, mapped, mapped_pages = 0;
+ u32 *tidlist = NULL;
+ struct tid_user_buf *tidbuf;
++ unsigned long mmu_seq = 0;
+
+ if (!PAGE_ALIGNED(tinfo->vaddr))
+ return -EINVAL;
+@@ -306,6 +313,7 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ if (!tidbuf)
+ return -ENOMEM;
+
++ mutex_init(&tidbuf->cover_mutex);
+ tidbuf->vaddr = tinfo->vaddr;
+ tidbuf->length = tinfo->length;
+ tidbuf->psets = kcalloc(uctxt->expected_count, sizeof(*tidbuf->psets),
+@@ -315,6 +323,16 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ goto fail_release_mem;
+ }
+
++ if (fd->use_mn) {
++ ret = mmu_interval_notifier_insert(
++ &tidbuf->notifier, current->mm,
++ tidbuf->vaddr, tidbuf->npages * PAGE_SIZE,
++ &tid_cover_ops);
++ if (ret)
++ goto fail_release_mem;
++ mmu_seq = mmu_interval_read_begin(&tidbuf->notifier);
++ }
++
+ pinned = pin_rcv_pages(fd, tidbuf);
+ if (pinned <= 0) {
+ ret = (pinned < 0) ? pinned : -ENOSPC;
+@@ -457,6 +475,20 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ unpin_rcv_pages(fd, tidbuf, NULL, mapped_pages, pinned - mapped_pages,
+ false);
+
++ if (fd->use_mn) {
++ /* check for an invalidate during setup */
++ bool fail = false;
++
++ mutex_lock(&tidbuf->cover_mutex);
++ fail = mmu_interval_read_retry(&tidbuf->notifier, mmu_seq);
++ mutex_unlock(&tidbuf->cover_mutex);
++
++ if (fail) {
++ ret = -EBUSY;
++ goto fail_unprogram;
++ }
++ }
++
+ tinfo->tidcnt = tididx;
+ tinfo->length = mapped_pages * PAGE_SIZE;
+
+@@ -466,6 +498,8 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ goto fail_unprogram;
+ }
+
++ if (fd->use_mn)
++ mmu_interval_notifier_remove(&tidbuf->notifier);
+ kfree(tidbuf->pages);
+ kfree(tidbuf->psets);
+ kfree(tidbuf);
+@@ -484,6 +518,8 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ fd->tid_used -= pageset_count;
+ spin_unlock(&fd->tid_lock);
+ fail_unpin:
++ if (fd->use_mn)
++ mmu_interval_notifier_remove(&tidbuf->notifier);
+ if (pinned > 0)
+ unpin_rcv_pages(fd, tidbuf, NULL, 0, pinned, false);
+ fail_release_mem:
+@@ -784,11 +820,6 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd,
+ &tid_mn_ops);
+ if (ret)
+ goto out_unmap;
+- /*
+- * FIXME: This is in the wrong order, the notifier should be
+- * established before the pages are pinned by pin_rcv_pages.
+- */
+- mmu_interval_read_begin(&node->notifier);
+ }
+ fd->entry_to_rb[node->rcventry - uctxt->expected_base] = node;
+
+@@ -963,6 +994,23 @@ static bool tid_rb_invalidate(struct mmu_interval_notifier *mni,
+ return true;
+ }
+
++static bool tid_cover_invalidate(struct mmu_interval_notifier *mni,
++ const struct mmu_notifier_range *range,
++ unsigned long cur_seq)
++{
++ struct tid_user_buf *tidbuf =
++ container_of(mni, struct tid_user_buf, notifier);
++
++ /* take action only if unmapping */
++ if (range->event == MMU_NOTIFY_UNMAP) {
++ mutex_lock(&tidbuf->cover_mutex);
++ mmu_interval_set_seq(mni, cur_seq);
++ mutex_unlock(&tidbuf->cover_mutex);
++ }
++
++ return true;
++}
++
+ static void cacheless_tid_rb_remove(struct hfi1_filedata *fdata,
+ struct tid_rb_node *tnode)
+ {
+diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.h b/drivers/infiniband/hw/hfi1/user_exp_rcv.h
+index ba06ab3b4769..849f265f2f11 100644
+--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.h
++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.h
+@@ -57,6 +57,8 @@ struct tid_pageset {
+ };
+
+ struct tid_user_buf {
++ struct mmu_interval_notifier notifier;
++ struct mutex cover_mutex;
+ unsigned long vaddr;
+ unsigned long length;
+ unsigned int npages;
+--
+2.39.0
+
--- /dev/null
+From 5fc25f511c716f4a8a91570328a0901622e0edc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jan 2023 12:31:16 -0500
+Subject: IB/hfi1: Reserve user expected TIDs
+
+From: Dean Luick <dean.luick@cornelisnetworks.com>
+
+[ Upstream commit ecf91551cdd2925ed6d9a9d99074fa5f67b90596 ]
+
+To avoid a race, reserve the number of user expected
+TIDs before setup.
+
+Fixes: 7e7a436ecb6e ("staging/hfi1: Add TID entry program function body")
+Signed-off-by: Dean Luick <dean.luick@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Link: https://lore.kernel.org/r/167328547636.1472310.7419712824785353905.stgit@awfm-02.cornelisnetworks.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/user_exp_rcv.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+index dd8ce2a62d2b..1278cd55a480 100644
+--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+@@ -324,16 +324,13 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ /* Find sets of physically contiguous pages */
+ tidbuf->n_psets = find_phys_blocks(tidbuf, pinned);
+
+- /*
+- * We don't need to access this under a lock since tid_used is per
+- * process and the same process cannot be in hfi1_user_exp_rcv_clear()
+- * and hfi1_user_exp_rcv_setup() at the same time.
+- */
++ /* Reserve the number of expected tids to be used. */
+ spin_lock(&fd->tid_lock);
+ if (fd->tid_used + tidbuf->n_psets > fd->tid_limit)
+ pageset_count = fd->tid_limit - fd->tid_used;
+ else
+ pageset_count = tidbuf->n_psets;
++ fd->tid_used += pageset_count;
+ spin_unlock(&fd->tid_lock);
+
+ if (!pageset_count)
+@@ -442,10 +439,11 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd,
+ nomem:
+ hfi1_cdbg(TID, "total mapped: tidpairs:%u pages:%u (%d)", tididx,
+ mapped_pages, ret);
++ /* adjust reserved tid_used to actual count */
++ spin_lock(&fd->tid_lock);
++ fd->tid_used -= pageset_count - tididx;
++ spin_unlock(&fd->tid_lock);
+ if (tididx) {
+- spin_lock(&fd->tid_lock);
+- fd->tid_used += tididx;
+- spin_unlock(&fd->tid_lock);
+ tinfo->tidcnt = tididx;
+ tinfo->length = mapped_pages * PAGE_SIZE;
+
+--
+2.39.0
+
--- /dev/null
+From 90d8adcb6d7c4a3817008ee44fc0f28db2922b89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Dec 2022 23:28:21 -0800
+Subject: kcsan: test: don't put the expect array on the stack
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+[ Upstream commit 5b24ac2dfd3eb3e36f794af3aa7f2828b19035bd ]
+
+Size of the 'expect' array in the __report_matches is 1536 bytes, which
+is exactly the default frame size warning limit of the xtensa
+architecture.
+As a result allmodconfig xtensa kernel builds with the gcc that does not
+support the compiler plugins (which otherwise would push the said
+warning limit to 2K) fail with the following message:
+
+ kernel/kcsan/kcsan_test.c:257:1: error: the frame size of 1680 bytes
+ is larger than 1536 bytes
+
+Fix it by dynamically allocating the 'expect' array.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Reviewed-by: Marco Elver <elver@google.com>
+Tested-by: Marco Elver <elver@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kcsan/kcsan-test.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/kcsan/kcsan-test.c b/kernel/kcsan/kcsan-test.c
+index ebe7fd245104..8a8ccaf4f38f 100644
+--- a/kernel/kcsan/kcsan-test.c
++++ b/kernel/kcsan/kcsan-test.c
+@@ -149,7 +149,7 @@ static bool report_matches(const struct expect_report *r)
+ const bool is_assert = (r->access[0].type | r->access[1].type) & KCSAN_ACCESS_ASSERT;
+ bool ret = false;
+ unsigned long flags;
+- typeof(observed.lines) expect;
++ typeof(*observed.lines) *expect;
+ const char *end;
+ char *cur;
+ int i;
+@@ -158,6 +158,10 @@ static bool report_matches(const struct expect_report *r)
+ if (!report_available())
+ return false;
+
++ expect = kmalloc(sizeof(observed.lines), GFP_KERNEL);
++ if (WARN_ON(!expect))
++ return false;
++
+ /* Generate expected report contents. */
+
+ /* Title */
+@@ -241,6 +245,7 @@ static bool report_matches(const struct expect_report *r)
+ strstr(observed.lines[2], expect[1])));
+ out:
+ spin_unlock_irqrestore(&observed.lock, flags);
++ kfree(expect);
+ return ret;
+ }
+
+--
+2.39.0
+
--- /dev/null
+From 78d3dbe76783d3d7c4069b546dfae9f1c5c83e8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jan 2023 15:54:56 +0100
+Subject: KVM: s390: interrupt: use READ_ONCE() before cmpxchg()
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit 42400d99e9f0728c17240edb9645637ead40f6b9 ]
+
+Use READ_ONCE() before cmpxchg() to prevent that the compiler generates
+code that fetches the to be compared old value several times from memory.
+
+Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
+Acked-by: Christian Borntraeger <borntraeger@linux.ibm.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Link: https://lore.kernel.org/r/20230109145456.2895385-1-hca@linux.ibm.com
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/interrupt.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c
+index b51ab19eb972..64d1dfe6dca5 100644
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -81,8 +81,9 @@ static int sca_inject_ext_call(struct kvm_vcpu *vcpu, int src_id)
+ struct esca_block *sca = vcpu->kvm->arch.sca;
+ union esca_sigp_ctrl *sigp_ctrl =
+ &(sca->cpu[vcpu->vcpu_id].sigp_ctrl);
+- union esca_sigp_ctrl new_val = {0}, old_val = *sigp_ctrl;
++ union esca_sigp_ctrl new_val = {0}, old_val;
+
++ old_val = READ_ONCE(*sigp_ctrl);
+ new_val.scn = src_id;
+ new_val.c = 1;
+ old_val.c = 0;
+@@ -93,8 +94,9 @@ static int sca_inject_ext_call(struct kvm_vcpu *vcpu, int src_id)
+ struct bsca_block *sca = vcpu->kvm->arch.sca;
+ union bsca_sigp_ctrl *sigp_ctrl =
+ &(sca->cpu[vcpu->vcpu_id].sigp_ctrl);
+- union bsca_sigp_ctrl new_val = {0}, old_val = *sigp_ctrl;
++ union bsca_sigp_ctrl new_val = {0}, old_val;
+
++ old_val = READ_ONCE(*sigp_ctrl);
+ new_val.scn = src_id;
+ new_val.c = 1;
+ old_val.c = 0;
+@@ -124,16 +126,18 @@ static void sca_clear_ext_call(struct kvm_vcpu *vcpu)
+ struct esca_block *sca = vcpu->kvm->arch.sca;
+ union esca_sigp_ctrl *sigp_ctrl =
+ &(sca->cpu[vcpu->vcpu_id].sigp_ctrl);
+- union esca_sigp_ctrl old = *sigp_ctrl;
++ union esca_sigp_ctrl old;
+
++ old = READ_ONCE(*sigp_ctrl);
+ expect = old.value;
+ rc = cmpxchg(&sigp_ctrl->value, old.value, 0);
+ } else {
+ struct bsca_block *sca = vcpu->kvm->arch.sca;
+ union bsca_sigp_ctrl *sigp_ctrl =
+ &(sca->cpu[vcpu->vcpu_id].sigp_ctrl);
+- union bsca_sigp_ctrl old = *sigp_ctrl;
++ union bsca_sigp_ctrl old;
+
++ old = READ_ONCE(*sigp_ctrl);
+ expect = old.value;
+ rc = cmpxchg(&sigp_ctrl->value, old.value, 0);
+ }
+--
+2.39.0
+
--- /dev/null
+From b952250f0eee00e0b6b10b4a840d2e9bc87e344c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jan 2023 19:01:37 -0800
+Subject: l2tp: close all race conditions in l2tp_tunnel_register()
+
+From: Cong Wang <cong.wang@bytedance.com>
+
+[ Upstream commit 0b2c59720e65885a394a017d0cf9cab118914682 ]
+
+The code in l2tp_tunnel_register() is racy in several ways:
+
+1. It modifies the tunnel socket _after_ publishing it.
+
+2. It calls setup_udp_tunnel_sock() on an existing socket without
+ locking.
+
+3. It changes sock lock class on fly, which triggers many syzbot
+ reports.
+
+This patch amends all of them by moving socket initialization code
+before publishing and under sock lock. As suggested by Jakub, the
+l2tp lockdep class is not necessary as we can just switch to
+bh_lock_sock_nested().
+
+Fixes: 37159ef2c1ae ("l2tp: fix a lockdep splat")
+Fixes: 6b9f34239b00 ("l2tp: fix races in tunnel creation")
+Reported-by: syzbot+52866e24647f9a23403f@syzkaller.appspotmail.com
+Reported-by: syzbot+94cc2a66fc228b23f360@syzkaller.appspotmail.com
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: Guillaume Nault <gnault@redhat.com>
+Cc: Jakub Sitnicki <jakub@cloudflare.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Tom Parkin <tparkin@katalix.com>
+Signed-off-by: Cong Wang <cong.wang@bytedance.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index 1bd52b8bb29f..386510a93696 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1041,7 +1041,7 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns
+ IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED | IPSKB_REROUTED);
+ nf_reset_ct(skb);
+
+- bh_lock_sock(sk);
++ bh_lock_sock_nested(sk);
+ if (sock_owned_by_user(sk)) {
+ kfree_skb(skb);
+ ret = NET_XMIT_DROP;
+@@ -1387,8 +1387,6 @@ static int l2tp_tunnel_sock_create(struct net *net,
+ return err;
+ }
+
+-static struct lock_class_key l2tp_socket_class;
+-
+ int l2tp_tunnel_create(int fd, int version, u32 tunnel_id, u32 peer_tunnel_id,
+ struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
+ {
+@@ -1484,21 +1482,16 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+ }
+
+ sk = sock->sk;
++ lock_sock(sk);
+ write_lock_bh(&sk->sk_callback_lock);
+ ret = l2tp_validate_socket(sk, net, tunnel->encap);
+- if (ret < 0)
++ if (ret < 0) {
++ release_sock(sk);
+ goto err_inval_sock;
++ }
+ rcu_assign_sk_user_data(sk, tunnel);
+ write_unlock_bh(&sk->sk_callback_lock);
+
+- sock_hold(sk);
+- tunnel->sock = sk;
+- tunnel->l2tp_net = net;
+-
+- spin_lock_bh(&pn->l2tp_tunnel_idr_lock);
+- idr_replace(&pn->l2tp_tunnel_idr, tunnel, tunnel->tunnel_id);
+- spin_unlock_bh(&pn->l2tp_tunnel_idr_lock);
+-
+ if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
+ struct udp_tunnel_sock_cfg udp_cfg = {
+ .sk_user_data = tunnel,
+@@ -1512,9 +1505,16 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+
+ tunnel->old_sk_destruct = sk->sk_destruct;
+ sk->sk_destruct = &l2tp_tunnel_destruct;
+- lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class,
+- "l2tp_sock");
+ sk->sk_allocation = GFP_ATOMIC;
++ release_sock(sk);
++
++ sock_hold(sk);
++ tunnel->sock = sk;
++ tunnel->l2tp_net = net;
++
++ spin_lock_bh(&pn->l2tp_tunnel_idr_lock);
++ idr_replace(&pn->l2tp_tunnel_idr, tunnel, tunnel->tunnel_id);
++ spin_unlock_bh(&pn->l2tp_tunnel_idr_lock);
+
+ trace_register_tunnel(tunnel);
+
+--
+2.39.0
+
--- /dev/null
+From 9e0cfc6551532ec494dfa9d607869c3274c6ba35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jan 2023 19:01:36 -0800
+Subject: l2tp: convert l2tp_tunnel_list to idr
+
+From: Cong Wang <cong.wang@bytedance.com>
+
+[ Upstream commit c4d48a58f32c5972174a1d01c33b296fe378cce0 ]
+
+l2tp uses l2tp_tunnel_list to track all registered tunnels and
+to allocate tunnel ID's. IDR can do the same job.
+
+More importantly, with IDR we can hold the ID before a successful
+registration so that we don't need to worry about late error
+handling, it is not easy to rollback socket changes.
+
+This is a preparation for the following fix.
+
+Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: Guillaume Nault <gnault@redhat.com>
+Cc: Jakub Sitnicki <jakub@cloudflare.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Tom Parkin <tparkin@katalix.com>
+Signed-off-by: Cong Wang <cong.wang@bytedance.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 0b2c59720e65 ("l2tp: close all race conditions in l2tp_tunnel_register()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 85 ++++++++++++++++++++++----------------------
+ 1 file changed, 42 insertions(+), 43 deletions(-)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index d6bb1795329a..1bd52b8bb29f 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -104,9 +104,9 @@ static struct workqueue_struct *l2tp_wq;
+ /* per-net private data for this module */
+ static unsigned int l2tp_net_id;
+ struct l2tp_net {
+- struct list_head l2tp_tunnel_list;
+- /* Lock for write access to l2tp_tunnel_list */
+- spinlock_t l2tp_tunnel_list_lock;
++ /* Lock for write access to l2tp_tunnel_idr */
++ spinlock_t l2tp_tunnel_idr_lock;
++ struct idr l2tp_tunnel_idr;
+ struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2];
+ /* Lock for write access to l2tp_session_hlist */
+ spinlock_t l2tp_session_hlist_lock;
+@@ -208,13 +208,10 @@ struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
+ struct l2tp_tunnel *tunnel;
+
+ rcu_read_lock_bh();
+- list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
+- if (tunnel->tunnel_id == tunnel_id &&
+- refcount_inc_not_zero(&tunnel->ref_count)) {
+- rcu_read_unlock_bh();
+-
+- return tunnel;
+- }
++ tunnel = idr_find(&pn->l2tp_tunnel_idr, tunnel_id);
++ if (tunnel && refcount_inc_not_zero(&tunnel->ref_count)) {
++ rcu_read_unlock_bh();
++ return tunnel;
+ }
+ rcu_read_unlock_bh();
+
+@@ -224,13 +221,14 @@ EXPORT_SYMBOL_GPL(l2tp_tunnel_get);
+
+ struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth)
+ {
+- const struct l2tp_net *pn = l2tp_pernet(net);
++ struct l2tp_net *pn = l2tp_pernet(net);
++ unsigned long tunnel_id, tmp;
+ struct l2tp_tunnel *tunnel;
+ int count = 0;
+
+ rcu_read_lock_bh();
+- list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
+- if (++count > nth &&
++ idr_for_each_entry_ul(&pn->l2tp_tunnel_idr, tunnel, tmp, tunnel_id) {
++ if (tunnel && ++count > nth &&
+ refcount_inc_not_zero(&tunnel->ref_count)) {
+ rcu_read_unlock_bh();
+ return tunnel;
+@@ -1229,6 +1227,15 @@ static void l2tp_udp_encap_destroy(struct sock *sk)
+ l2tp_tunnel_delete(tunnel);
+ }
+
++static void l2tp_tunnel_remove(struct net *net, struct l2tp_tunnel *tunnel)
++{
++ struct l2tp_net *pn = l2tp_pernet(net);
++
++ spin_lock_bh(&pn->l2tp_tunnel_idr_lock);
++ idr_remove(&pn->l2tp_tunnel_idr, tunnel->tunnel_id);
++ spin_unlock_bh(&pn->l2tp_tunnel_idr_lock);
++}
++
+ /* Workqueue tunnel deletion function */
+ static void l2tp_tunnel_del_work(struct work_struct *work)
+ {
+@@ -1236,7 +1243,6 @@ static void l2tp_tunnel_del_work(struct work_struct *work)
+ del_work);
+ struct sock *sk = tunnel->sock;
+ struct socket *sock = sk->sk_socket;
+- struct l2tp_net *pn;
+
+ l2tp_tunnel_closeall(tunnel);
+
+@@ -1250,12 +1256,7 @@ static void l2tp_tunnel_del_work(struct work_struct *work)
+ }
+ }
+
+- /* Remove the tunnel struct from the tunnel list */
+- pn = l2tp_pernet(tunnel->l2tp_net);
+- spin_lock_bh(&pn->l2tp_tunnel_list_lock);
+- list_del_rcu(&tunnel->list);
+- spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
+-
++ l2tp_tunnel_remove(tunnel->l2tp_net, tunnel);
+ /* drop initial ref */
+ l2tp_tunnel_dec_refcount(tunnel);
+
+@@ -1457,12 +1458,19 @@ static int l2tp_validate_socket(const struct sock *sk, const struct net *net,
+ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+ struct l2tp_tunnel_cfg *cfg)
+ {
+- struct l2tp_tunnel *tunnel_walk;
+- struct l2tp_net *pn;
++ struct l2tp_net *pn = l2tp_pernet(net);
++ u32 tunnel_id = tunnel->tunnel_id;
+ struct socket *sock;
+ struct sock *sk;
+ int ret;
+
++ spin_lock_bh(&pn->l2tp_tunnel_idr_lock);
++ ret = idr_alloc_u32(&pn->l2tp_tunnel_idr, NULL, &tunnel_id, tunnel_id,
++ GFP_ATOMIC);
++ spin_unlock_bh(&pn->l2tp_tunnel_idr_lock);
++ if (ret)
++ return ret == -ENOSPC ? -EEXIST : ret;
++
+ if (tunnel->fd < 0) {
+ ret = l2tp_tunnel_sock_create(net, tunnel->tunnel_id,
+ tunnel->peer_tunnel_id, cfg,
+@@ -1483,23 +1491,13 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+ rcu_assign_sk_user_data(sk, tunnel);
+ write_unlock_bh(&sk->sk_callback_lock);
+
+- tunnel->l2tp_net = net;
+- pn = l2tp_pernet(net);
+-
+ sock_hold(sk);
+ tunnel->sock = sk;
++ tunnel->l2tp_net = net;
+
+- spin_lock_bh(&pn->l2tp_tunnel_list_lock);
+- list_for_each_entry(tunnel_walk, &pn->l2tp_tunnel_list, list) {
+- if (tunnel_walk->tunnel_id == tunnel->tunnel_id) {
+- spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
+- sock_put(sk);
+- ret = -EEXIST;
+- goto err_sock;
+- }
+- }
+- list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
+- spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
++ spin_lock_bh(&pn->l2tp_tunnel_idr_lock);
++ idr_replace(&pn->l2tp_tunnel_idr, tunnel, tunnel->tunnel_id);
++ spin_unlock_bh(&pn->l2tp_tunnel_idr_lock);
+
+ if (tunnel->encap == L2TP_ENCAPTYPE_UDP) {
+ struct udp_tunnel_sock_cfg udp_cfg = {
+@@ -1525,9 +1523,6 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+
+ return 0;
+
+-err_sock:
+- write_lock_bh(&sk->sk_callback_lock);
+- rcu_assign_sk_user_data(sk, NULL);
+ err_inval_sock:
+ write_unlock_bh(&sk->sk_callback_lock);
+
+@@ -1536,6 +1531,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+ else
+ sockfd_put(sock);
+ err:
++ l2tp_tunnel_remove(net, tunnel);
+ return ret;
+ }
+ EXPORT_SYMBOL_GPL(l2tp_tunnel_register);
+@@ -1649,8 +1645,8 @@ static __net_init int l2tp_init_net(struct net *net)
+ struct l2tp_net *pn = net_generic(net, l2tp_net_id);
+ int hash;
+
+- INIT_LIST_HEAD(&pn->l2tp_tunnel_list);
+- spin_lock_init(&pn->l2tp_tunnel_list_lock);
++ idr_init(&pn->l2tp_tunnel_idr);
++ spin_lock_init(&pn->l2tp_tunnel_idr_lock);
+
+ for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
+ INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]);
+@@ -1664,11 +1660,13 @@ static __net_exit void l2tp_exit_net(struct net *net)
+ {
+ struct l2tp_net *pn = l2tp_pernet(net);
+ struct l2tp_tunnel *tunnel = NULL;
++ unsigned long tunnel_id, tmp;
+ int hash;
+
+ rcu_read_lock_bh();
+- list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
+- l2tp_tunnel_delete(tunnel);
++ idr_for_each_entry_ul(&pn->l2tp_tunnel_idr, tunnel, tmp, tunnel_id) {
++ if (tunnel)
++ l2tp_tunnel_delete(tunnel);
+ }
+ rcu_read_unlock_bh();
+
+@@ -1678,6 +1676,7 @@ static __net_exit void l2tp_exit_net(struct net *net)
+
+ for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++)
+ WARN_ON_ONCE(!hlist_empty(&pn->l2tp_session_hlist[hash]));
++ idr_destroy(&pn->l2tp_tunnel_idr);
+ }
+
+ static struct pernet_operations l2tp_net_ops = {
+--
+2.39.0
+
--- /dev/null
+From 016acade1391e025922cd0eb5dfc7c9e45f478e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 09:54:26 +0100
+Subject: l2tp: Don't sleep and disable BH under writer-side sk_callback_lock
+
+From: Jakub Sitnicki <jakub@cloudflare.com>
+
+[ Upstream commit af295e854a4e3813ffbdef26dbb6a4d6226c3ea1 ]
+
+When holding a reader-writer spin lock we cannot sleep. Calling
+setup_udp_tunnel_sock() with write lock held violates this rule, because we
+end up calling percpu_down_read(), which might sleep, as syzbot reports
+[1]:
+
+ __might_resched.cold+0x222/0x26b kernel/sched/core.c:9890
+ percpu_down_read include/linux/percpu-rwsem.h:49 [inline]
+ cpus_read_lock+0x1b/0x140 kernel/cpu.c:310
+ static_key_slow_inc+0x12/0x20 kernel/jump_label.c:158
+ udp_tunnel_encap_enable include/net/udp_tunnel.h:187 [inline]
+ setup_udp_tunnel_sock+0x43d/0x550 net/ipv4/udp_tunnel_core.c:81
+ l2tp_tunnel_register+0xc51/0x1210 net/l2tp/l2tp_core.c:1509
+ pppol2tp_connect+0xcdc/0x1a10 net/l2tp/l2tp_ppp.c:723
+
+Trim the writer-side critical section for sk_callback_lock down to the
+minimum, so that it covers only operations on sk_user_data.
+
+Also, when grabbing the sk_callback_lock, we always need to disable BH, as
+Eric points out. Failing to do so leads to deadlocks because we acquire
+sk_callback_lock in softirq context, which can get stuck waiting on us if:
+
+1) it runs on the same CPU, or
+
+ CPU0
+ ----
+ lock(clock-AF_INET6);
+ <Interrupt>
+ lock(clock-AF_INET6);
+
+2) lock ordering leads to priority inversion
+
+ CPU0 CPU1
+ ---- ----
+ lock(clock-AF_INET6);
+ local_irq_disable();
+ lock(&tcp_hashinfo.bhash[i].lock);
+ lock(clock-AF_INET6);
+ <Interrupt>
+ lock(&tcp_hashinfo.bhash[i].lock);
+
+... as syzbot reports [2,3]. Use the _bh variants for write_(un)lock.
+
+[1] https://lore.kernel.org/netdev/0000000000004e78ec05eda79749@google.com/
+[2] https://lore.kernel.org/netdev/000000000000e38b6605eda76f98@google.com/
+[3] https://lore.kernel.org/netdev/000000000000dfa31e05eda76f75@google.com/
+
+v2:
+- Check and set sk_user_data while holding sk_callback_lock for both
+ L2TP encapsulation types (IP and UDP) (Tetsuo)
+
+Cc: Tom Parkin <tparkin@katalix.com>
+Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Fixes: b68777d54fac ("l2tp: Serialize access to sk_user_data with sk_callback_lock")
+Reported-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot+703d9e154b3b58277261@syzkaller.appspotmail.com
+Reported-by: syzbot+50680ced9e98a61f7698@syzkaller.appspotmail.com
+Reported-by: syzbot+de987172bb74a381879b@syzkaller.appspotmail.com
+Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 0b2c59720e65 ("l2tp: close all race conditions in l2tp_tunnel_register()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index e89852bc5309..d6bb1795329a 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1476,11 +1476,12 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+ }
+
+ sk = sock->sk;
+- write_lock(&sk->sk_callback_lock);
+-
++ write_lock_bh(&sk->sk_callback_lock);
+ ret = l2tp_validate_socket(sk, net, tunnel->encap);
+ if (ret < 0)
+- goto err_sock;
++ goto err_inval_sock;
++ rcu_assign_sk_user_data(sk, tunnel);
++ write_unlock_bh(&sk->sk_callback_lock);
+
+ tunnel->l2tp_net = net;
+ pn = l2tp_pernet(net);
+@@ -1509,8 +1510,6 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+ };
+
+ setup_udp_tunnel_sock(net, sock, &udp_cfg);
+- } else {
+- rcu_assign_sk_user_data(sk, tunnel);
+ }
+
+ tunnel->old_sk_destruct = sk->sk_destruct;
+@@ -1524,16 +1523,18 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+ if (tunnel->fd >= 0)
+ sockfd_put(sock);
+
+- write_unlock(&sk->sk_callback_lock);
+ return 0;
+
+ err_sock:
++ write_lock_bh(&sk->sk_callback_lock);
++ rcu_assign_sk_user_data(sk, NULL);
++err_inval_sock:
++ write_unlock_bh(&sk->sk_callback_lock);
++
+ if (tunnel->fd < 0)
+ sock_release(sock);
+ else
+ sockfd_put(sock);
+-
+- write_unlock(&sk->sk_callback_lock);
+ err:
+ return ret;
+ }
+--
+2.39.0
+
--- /dev/null
+From 75231560895eb461bf7d18b2f5657553f2600453 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jan 2023 11:01:31 +0000
+Subject: l2tp: prevent lockdep issue in l2tp_tunnel_register()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b9fb10d131b8c84af9bb14e2078d5c63600c7dea ]
+
+lockdep complains with the following lock/unlock sequence:
+
+ lock_sock(sk);
+ write_lock_bh(&sk->sk_callback_lock);
+[1] release_sock(sk);
+[2] write_unlock_bh(&sk->sk_callback_lock);
+
+We need to swap [1] and [2] to fix this issue.
+
+Fixes: 0b2c59720e65 ("l2tp: close all race conditions in l2tp_tunnel_register()")
+Reported-by: syzbot+bbd35b345c7cab0d9a08@syzkaller.appspotmail.com
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/netdev/20230114030137.672706-1-xiyou.wangcong@gmail.com/T/#m1164ff20628671b0f326a24cb106ab3239c70ce3
+Cc: Cong Wang <cong.wang@bytedance.com>
+Cc: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_core.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index 386510a93696..a4b793d1b7d7 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1485,10 +1485,8 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+ lock_sock(sk);
+ write_lock_bh(&sk->sk_callback_lock);
+ ret = l2tp_validate_socket(sk, net, tunnel->encap);
+- if (ret < 0) {
+- release_sock(sk);
++ if (ret < 0)
+ goto err_inval_sock;
+- }
+ rcu_assign_sk_user_data(sk, tunnel);
+ write_unlock_bh(&sk->sk_callback_lock);
+
+@@ -1525,6 +1523,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+
+ err_inval_sock:
+ write_unlock_bh(&sk->sk_callback_lock);
++ release_sock(sk);
+
+ if (tunnel->fd < 0)
+ sock_release(sock);
+--
+2.39.0
+
--- /dev/null
+From c5d4db521618e699d0cfb54a344b3094c414e813 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 20:16:19 +0100
+Subject: l2tp: Serialize access to sk_user_data with sk_callback_lock
+
+From: Jakub Sitnicki <jakub@cloudflare.com>
+
+[ Upstream commit b68777d54fac21fc833ec26ea1a2a84f975ab035 ]
+
+sk->sk_user_data has multiple users, which are not compatible with each
+other. Writers must synchronize by grabbing the sk->sk_callback_lock.
+
+l2tp currently fails to grab the lock when modifying the underlying tunnel
+socket fields. Fix it by adding appropriate locking.
+
+We err on the side of safety and grab the sk_callback_lock also inside the
+sk_destruct callback overridden by l2tp, even though there should be no
+refs allowing access to the sock at the time when sk_destruct gets called.
+
+v4:
+- serialize write to sk_user_data in l2tp sk_destruct
+
+v3:
+- switch from sock lock to sk_callback_lock
+- document write-protection for sk_user_data
+
+v2:
+- update Fixes to point to origin of the bug
+- use real names in Reported/Tested-by tags
+
+Cc: Tom Parkin <tparkin@katalix.com>
+Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
+Reported-by: Haowei Yan <g1042620637@gmail.com>
+Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 0b2c59720e65 ("l2tp: close all race conditions in l2tp_tunnel_register()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 2 +-
+ net/l2tp/l2tp_core.c | 19 +++++++++++++------
+ 2 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 90a8b8b26a20..69bbbe8bbf34 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -315,7 +315,7 @@ struct bpf_local_storage;
+ * @sk_tskey: counter to disambiguate concurrent tstamp requests
+ * @sk_zckey: counter to order MSG_ZEROCOPY notifications
+ * @sk_socket: Identd and reporting IO signals
+- * @sk_user_data: RPC layer private data
++ * @sk_user_data: RPC layer private data. Write-protected by @sk_callback_lock.
+ * @sk_frag: cached page frag
+ * @sk_peek_off: current peek_offset value
+ * @sk_send_head: front of stuff to transmit
+diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
+index dc8987ed08ad..e89852bc5309 100644
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1150,8 +1150,10 @@ static void l2tp_tunnel_destruct(struct sock *sk)
+ }
+
+ /* Remove hooks into tunnel socket */
++ write_lock_bh(&sk->sk_callback_lock);
+ sk->sk_destruct = tunnel->old_sk_destruct;
+ sk->sk_user_data = NULL;
++ write_unlock_bh(&sk->sk_callback_lock);
+
+ /* Call the original destructor */
+ if (sk->sk_destruct)
+@@ -1471,16 +1473,18 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+ sock = sockfd_lookup(tunnel->fd, &ret);
+ if (!sock)
+ goto err;
+-
+- ret = l2tp_validate_socket(sock->sk, net, tunnel->encap);
+- if (ret < 0)
+- goto err_sock;
+ }
+
++ sk = sock->sk;
++ write_lock(&sk->sk_callback_lock);
++
++ ret = l2tp_validate_socket(sk, net, tunnel->encap);
++ if (ret < 0)
++ goto err_sock;
++
+ tunnel->l2tp_net = net;
+ pn = l2tp_pernet(net);
+
+- sk = sock->sk;
+ sock_hold(sk);
+ tunnel->sock = sk;
+
+@@ -1506,7 +1510,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+
+ setup_udp_tunnel_sock(net, sock, &udp_cfg);
+ } else {
+- sk->sk_user_data = tunnel;
++ rcu_assign_sk_user_data(sk, tunnel);
+ }
+
+ tunnel->old_sk_destruct = sk->sk_destruct;
+@@ -1520,6 +1524,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+ if (tunnel->fd >= 0)
+ sockfd_put(sock);
+
++ write_unlock(&sk->sk_callback_lock);
+ return 0;
+
+ err_sock:
+@@ -1527,6 +1532,8 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
+ sock_release(sock);
+ else
+ sockfd_put(sock);
++
++ write_unlock(&sk->sk_callback_lock);
+ err:
+ return ret;
+ }
+--
+2.39.0
+
--- /dev/null
+From 7475019defa26e4bd1b49b5e9b8c0b8fbe800a0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jan 2023 19:44:47 +0100
+Subject: lockref: stop doing cpu_relax in the cmpxchg loop
+
+From: Mateusz Guzik <mjguzik@gmail.com>
+
+[ Upstream commit f5fe24ef17b5fbe6db49534163e77499fb10ae8c ]
+
+On the x86-64 architecture even a failing cmpxchg grants exclusive
+access to the cacheline, making it preferable to retry the failed op
+immediately instead of stalling with the pause instruction.
+
+To illustrate the impact, below are benchmark results obtained by
+running various will-it-scale tests on top of the 6.2-rc3 kernel and
+Cascade Lake (2 sockets * 24 cores * 2 threads) CPU.
+
+All results in ops/s. Note there is some variance in re-runs, but the
+code is consistently faster when contention is present.
+
+ open3 ("Same file open/close"):
+ proc stock no-pause
+ 1 805603 814942 (+%1)
+ 2 1054980 1054781 (-0%)
+ 8 1544802 1822858 (+18%)
+ 24 1191064 2199665 (+84%)
+ 48 851582 1469860 (+72%)
+ 96 609481 1427170 (+134%)
+
+ fstat2 ("Same file fstat"):
+ proc stock no-pause
+ 1 3013872 3047636 (+1%)
+ 2 4284687 4400421 (+2%)
+ 8 3257721 5530156 (+69%)
+ 24 2239819 5466127 (+144%)
+ 48 1701072 5256609 (+209%)
+ 96 1269157 6649326 (+423%)
+
+Additionally, a kernel with a private patch to help access() scalability:
+access2 ("Same file access"):
+
+ proc stock patched patched
+ +nopause
+ 24 2378041 2005501 5370335 (-15% / +125%)
+
+That is, fixing the problems in access itself *reduces* scalability
+after the cacheline ping-pong only happens in lockref with the pause
+instruction.
+
+Note that fstat and access benchmarks are not currently integrated into
+will-it-scale, but interested parties can find them in pull requests to
+said project.
+
+Code at hand has a rather tortured history. First modification showed
+up in commit d472d9d98b46 ("lockref: Relax in cmpxchg loop"), written
+with Itanium in mind. Later it got patched up to use an arch-dependent
+macro to stop doing it on s390 where it caused a significant regression.
+Said macro had undergone revisions and was ultimately eliminated later,
+going back to cpu_relax.
+
+While I intended to only remove cpu_relax for x86-64, I got the
+following comment from Linus:
+
+ I would actually prefer just removing it entirely and see if
+ somebody else hollers. You have the numbers to prove it hurts on
+ real hardware, and I don't think we have any numbers to the
+ contrary.
+
+ So I think it's better to trust the numbers and remove it as a
+ failure, than say "let's just remove it on x86-64 and leave
+ everybody else with the potentially broken code"
+
+Additionally, Will Deacon (maintainer of the arm64 port, one of the
+architectures previously benchmarked):
+
+ So, from the arm64 side of the fence, I'm perfectly happy just
+ removing the cpu_relax() calls from lockref.
+
+As such, come back full circle in history and whack it altogether.
+
+Signed-off-by: Mateusz Guzik <mjguzik@gmail.com>
+Link: https://lore.kernel.org/all/CAGudoHHx0Nqg6DE70zAVA75eV-HXfWyhVMWZ-aSeOofkA_=WdA@mail.gmail.com/
+Acked-by: Tony Luck <tony.luck@intel.com> # ia64
+Acked-by: Nicholas Piggin <npiggin@gmail.com> # powerpc
+Acked-by: Will Deacon <will@kernel.org> # arm64
+Acked-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/lockref.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/lockref.c b/lib/lockref.c
+index 5b34bbd3eba8..81ac5f355242 100644
+--- a/lib/lockref.c
++++ b/lib/lockref.c
+@@ -24,7 +24,6 @@
+ } \
+ if (!--retry) \
+ break; \
+- cpu_relax(); \
+ } \
+ } while (0)
+
+--
+2.39.0
+
--- /dev/null
+From 2ddca0ad733da32c6de3bf5c37c0a6b08de01d91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 15:37:57 +0800
+Subject: memory: atmel-sdramc: Fix missing clk_disable_unprepare in
+ atmel_ramc_probe()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 340cb392a038cf70540a4cdf2e98a247c66b6df4 ]
+
+The clk_disable_unprepare() should be called in the error handling
+of caps->has_mpddr_clk, fix it by replacing devm_clk_get and
+clk_prepare_enable by devm_clk_get_enabled.
+
+Fixes: e81b6abebc87 ("memory: add a driver for atmel ram controllers")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Link: https://lore.kernel.org/r/20221125073757.3535219-1-cuigaosheng1@huawei.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/atmel-sdramc.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/memory/atmel-sdramc.c b/drivers/memory/atmel-sdramc.c
+index 9c49d00c2a96..ea6e9e1eaf04 100644
+--- a/drivers/memory/atmel-sdramc.c
++++ b/drivers/memory/atmel-sdramc.c
+@@ -47,19 +47,17 @@ static int atmel_ramc_probe(struct platform_device *pdev)
+ caps = of_device_get_match_data(&pdev->dev);
+
+ if (caps->has_ddrck) {
+- clk = devm_clk_get(&pdev->dev, "ddrck");
++ clk = devm_clk_get_enabled(&pdev->dev, "ddrck");
+ if (IS_ERR(clk))
+ return PTR_ERR(clk);
+- clk_prepare_enable(clk);
+ }
+
+ if (caps->has_mpddr_clk) {
+- clk = devm_clk_get(&pdev->dev, "mpddr");
++ clk = devm_clk_get_enabled(&pdev->dev, "mpddr");
+ if (IS_ERR(clk)) {
+ pr_err("AT91 RAMC: couldn't get mpddr clock\n");
+ return PTR_ERR(clk);
+ }
+- clk_prepare_enable(clk);
+ }
+
+ return 0;
+--
+2.39.0
+
--- /dev/null
+From 6ea8d35280697c84c2173773a64695195643a5c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Nov 2022 12:49:11 +0800
+Subject: memory: mvebu-devbus: Fix missing clk_disable_unprepare in
+ mvebu_devbus_probe()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit cb8fd6f75775165390ededea8799b60d93d9fe3e ]
+
+The clk_disable_unprepare() should be called in the error handling
+of devbus_get_timing_params() and of_platform_populate(), fix it by
+replacing devm_clk_get and clk_prepare_enable by devm_clk_get_enabled.
+
+Fixes: e81b6abebc87 ("memory: add a driver for atmel ram controllers")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Link: https://lore.kernel.org/r/20221126044911.7226-1-cuigaosheng1@huawei.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/mvebu-devbus.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/memory/mvebu-devbus.c b/drivers/memory/mvebu-devbus.c
+index 8450638e8670..efc6c08db2b7 100644
+--- a/drivers/memory/mvebu-devbus.c
++++ b/drivers/memory/mvebu-devbus.c
+@@ -280,10 +280,9 @@ static int mvebu_devbus_probe(struct platform_device *pdev)
+ if (IS_ERR(devbus->base))
+ return PTR_ERR(devbus->base);
+
+- clk = devm_clk_get(&pdev->dev, NULL);
++ clk = devm_clk_get_enabled(&pdev->dev, NULL);
+ if (IS_ERR(clk))
+ return PTR_ERR(clk);
+- clk_prepare_enable(clk);
+
+ /*
+ * Obtain clock period in picoseconds,
+--
+2.39.0
+
--- /dev/null
+From e242385f8cdb358ec4c70576b948d0f27a316cd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jan 2023 23:17:35 +0530
+Subject: net: dsa: microchip: ksz9477: port map correction in ALU table entry
+ register
+
+From: Rakesh Sankaranarayanan <rakesh.sankaranarayanan@microchip.com>
+
+[ Upstream commit 6c977c5c2e4c5d8ad1b604724cc344e38f96fe9b ]
+
+ALU table entry 2 register in KSZ9477 have bit positions reserved for
+forwarding port map. This field is referred in ksz9477_fdb_del() for
+clearing forward port map and alu table.
+
+But current fdb_del refer ALU table entry 3 register for accessing forward
+port map. Update ksz9477_fdb_del() to get forward port map from correct
+alu table entry register.
+
+With this bug, issue can be observed while deleting static MAC entries.
+Delete any specific MAC entry using "bridge fdb del" command. This should
+clear all the specified MAC entries. But it is observed that entries with
+self static alone are retained.
+
+Tested on LAN9370 EVB since ksz9477_fdb_del() is used common across
+LAN937x and KSZ series.
+
+Fixes: b987e98e50ab ("dsa: add DSA switch driver for Microchip KSZ9477")
+Signed-off-by: Rakesh Sankaranarayanan <rakesh.sankaranarayanan@microchip.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Link: https://lore.kernel.org/r/20230118174735.702377-1-rakesh.sankaranarayanan@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/microchip/ksz9477.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/microchip/ksz9477.c b/drivers/net/dsa/microchip/ksz9477.c
+index ece4c0512ee2..f42f2f4e4b60 100644
+--- a/drivers/net/dsa/microchip/ksz9477.c
++++ b/drivers/net/dsa/microchip/ksz9477.c
+@@ -678,10 +678,10 @@ static int ksz9477_port_fdb_del(struct dsa_switch *ds, int port,
+ ksz_read32(dev, REG_SW_ALU_VAL_D, &alu_table[3]);
+
+ /* clear forwarding port */
+- alu_table[2] &= ~BIT(port);
++ alu_table[1] &= ~BIT(port);
+
+ /* if there is no port to forward, clear table */
+- if ((alu_table[2] & ALU_V_PORT_MAP) == 0) {
++ if ((alu_table[1] & ALU_V_PORT_MAP) == 0) {
+ alu_table[0] = 0;
+ alu_table[1] = 0;
+ alu_table[2] = 0;
+--
+2.39.0
+
--- /dev/null
+From ffc74250d3112d08bcc3632d17b1a96eb6df7905 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jan 2023 15:41:33 -0600
+Subject: net: macb: fix PTP TX timestamp failure due to packet padding
+
+From: Robert Hancock <robert.hancock@calian.com>
+
+[ Upstream commit 7b90f5a665acd46efbbfa677a3a3a18d01ad6487 ]
+
+PTP TX timestamp handling was observed to be broken with this driver
+when using the raw Layer 2 PTP encapsulation. ptp4l was not receiving
+the expected TX timestamp after transmitting a packet, causing it to
+enter a failure state.
+
+The problem appears to be due to the way that the driver pads packets
+which are smaller than the Ethernet minimum of 60 bytes. If headroom
+space was available in the SKB, this caused the driver to move the data
+back to utilize it. However, this appears to cause other data references
+in the SKB to become inconsistent. In particular, this caused the
+ptp_one_step_sync function to later (in the TX completion path) falsely
+detect the packet as a one-step SYNC packet, even when it was not, which
+caused the TX timestamp to not be processed when it should be.
+
+Using the headroom for this purpose seems like an unnecessary complexity
+as this is not a hot path in the driver, and in most cases it appears
+that there is sufficient tailroom to not require using the headroom
+anyway. Remove this usage of headroom to prevent this inconsistency from
+occurring and causing other problems.
+
+Fixes: 653e92a9175e ("net: macb: add support for padding and fcs computation")
+Signed-off-by: Robert Hancock <robert.hancock@calian.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Claudiu Beznea <claudiu.beznea@microchip.com> # on SAMA7G5
+Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 792c8147c2c4..e0d62e251387 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -1963,7 +1963,6 @@ static int macb_pad_and_fcs(struct sk_buff **skb, struct net_device *ndev)
+ bool cloned = skb_cloned(*skb) || skb_header_cloned(*skb) ||
+ skb_is_nonlinear(*skb);
+ int padlen = ETH_ZLEN - (*skb)->len;
+- int headroom = skb_headroom(*skb);
+ int tailroom = skb_tailroom(*skb);
+ struct sk_buff *nskb;
+ u32 fcs;
+@@ -1977,9 +1976,6 @@ static int macb_pad_and_fcs(struct sk_buff **skb, struct net_device *ndev)
+ /* FCS could be appeded to tailroom. */
+ if (tailroom >= ETH_FCS_LEN)
+ goto add_fcs;
+- /* FCS could be appeded by moving data to headroom. */
+- else if (!cloned && headroom + tailroom >= ETH_FCS_LEN)
+- padlen = 0;
+ /* No room for FCS, need to reallocate skb. */
+ else
+ padlen = ETH_FCS_LEN;
+@@ -1988,10 +1984,7 @@ static int macb_pad_and_fcs(struct sk_buff **skb, struct net_device *ndev)
+ padlen += ETH_FCS_LEN;
+ }
+
+- if (!cloned && headroom + tailroom >= padlen) {
+- (*skb)->data = memmove((*skb)->head, (*skb)->data, (*skb)->len);
+- skb_set_tail_pointer(*skb, (*skb)->len);
+- } else {
++ if (cloned || tailroom < padlen) {
+ nskb = skb_copy_expand(*skb, 0, padlen, GFP_ATOMIC);
+ if (!nskb)
+ return -ENOMEM;
+--
+2.39.0
+
--- /dev/null
+From bd79dcbde0345ec2a1799b65107414903fe0120f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Jan 2023 11:54:06 +0100
+Subject: net: mdio: validate parameter addr in mdiobus_get_phy()
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 867dbe784c5010a466f00a7d1467c1c5ea569c75 ]
+
+The caller may pass any value as addr, what may result in an out-of-bounds
+access to array mdio_map. One existing case is stmmac_init_phy() that
+may pass -1 as addr. Therefore validate addr before using it.
+
+Fixes: 7f854420fbfe ("phy: Add API for {un}registering an mdio device to a bus.")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/cdf664ea-3312-e915-73f8-021678d08887@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mdio_bus.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
+index 77ba6c3c7a09..e9303be48655 100644
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -108,7 +108,12 @@ EXPORT_SYMBOL(mdiobus_unregister_device);
+
+ struct phy_device *mdiobus_get_phy(struct mii_bus *bus, int addr)
+ {
+- struct mdio_device *mdiodev = bus->mdio_map[addr];
++ struct mdio_device *mdiodev;
++
++ if (addr < 0 || addr >= ARRAY_SIZE(bus->mdio_map))
++ return NULL;
++
++ mdiodev = bus->mdio_map[addr];
+
+ if (!mdiodev)
+ return NULL;
+--
+2.39.0
+
--- /dev/null
+From 7a8b5aaa830963c666974c61b536284551af17c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Aug 2022 20:12:29 -0700
+Subject: net: mlx5: eliminate anonymous module_init & module_exit
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 2c1e1b949024989e20907b84e11a731a50778416 ]
+
+Eliminate anonymous module_init() and module_exit(), which can lead to
+confusion or ambiguity when reading System.map, crashes/oops/bugs,
+or an initcall_debug log.
+
+Give each of these init and exit functions unique driver-specific
+names to eliminate the anonymous names.
+
+Example 1: (System.map)
+ ffffffff832fc78c t init
+ ffffffff832fc79e t init
+ ffffffff832fc8f8 t init
+
+Example 2: (initcall_debug log)
+ calling init+0x0/0x12 @ 1
+ initcall init+0x0/0x12 returned 0 after 15 usecs
+ calling init+0x0/0x60 @ 1
+ initcall init+0x0/0x60 returned 0 after 2 usecs
+ calling init+0x0/0x9a @ 1
+ initcall init+0x0/0x9a returned 0 after 74 usecs
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Eli Cohen <eli@mellanox.com>
+Cc: Saeed Mahameed <saeedm@nvidia.com>
+Cc: Leon Romanovsky <leon@kernel.org>
+Cc: linux-rdma@vger.kernel.org
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+index 29bc1df28aeb..112eaef186e1 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1642,7 +1642,7 @@ static void mlx5_core_verify_params(void)
+ }
+ }
+
+-static int __init init(void)
++static int __init mlx5_init(void)
+ {
+ int err;
+
+@@ -1667,7 +1667,7 @@ static int __init init(void)
+ return err;
+ }
+
+-static void __exit cleanup(void)
++static void __exit mlx5_cleanup(void)
+ {
+ #ifdef CONFIG_MLX5_CORE_EN
+ mlx5e_cleanup();
+@@ -1676,5 +1676,5 @@ static void __exit cleanup(void)
+ mlx5_unregister_debugfs();
+ }
+
+-module_init(init);
+-module_exit(cleanup);
++module_init(mlx5_init);
++module_exit(mlx5_cleanup);
+--
+2.39.0
+
--- /dev/null
+From 6b090b4d3907d3b6c325ae1dc1e846bba7d69891 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 22:19:14 +0900
+Subject: net: nfc: Fix use-after-free in local_cleanup()
+
+From: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
+
+[ Upstream commit 4bb4db7f3187c6e3de6b229ffc87cdb30a2d22b6 ]
+
+Fix a use-after-free that occurs in kfree_skb() called from
+local_cleanup(). This could happen when killing nfc daemon (e.g. neard)
+after detaching an nfc device.
+When detaching an nfc device, local_cleanup() called from
+nfc_llcp_unregister_device() frees local->rx_pending and decreases
+local->ref by kref_put() in nfc_llcp_local_put().
+In the terminating process, nfc daemon releases all sockets and it leads
+to decreasing local->ref. After the last release of local->ref,
+local_cleanup() called from local_release() frees local->rx_pending
+again, which leads to the bug.
+
+Setting local->rx_pending to NULL in local_cleanup() could prevent
+use-after-free when local_cleanup() is called twice.
+
+Found by a modified version of syzkaller.
+
+BUG: KASAN: use-after-free in kfree_skb()
+
+Call Trace:
+dump_stack_lvl (lib/dump_stack.c:106)
+print_address_description.constprop.0.cold (mm/kasan/report.c:306)
+kasan_check_range (mm/kasan/generic.c:189)
+kfree_skb (net/core/skbuff.c:955)
+local_cleanup (net/nfc/llcp_core.c:159)
+nfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172)
+nfc_llcp_local_put (net/nfc/llcp_core.c:181)
+llcp_sock_destruct (net/nfc/llcp_sock.c:959)
+__sk_destruct (net/core/sock.c:2133)
+sk_destruct (net/core/sock.c:2181)
+__sk_free (net/core/sock.c:2192)
+sk_free (net/core/sock.c:2203)
+llcp_sock_release (net/nfc/llcp_sock.c:646)
+__sock_release (net/socket.c:650)
+sock_close (net/socket.c:1365)
+__fput (fs/file_table.c:306)
+task_work_run (kernel/task_work.c:179)
+ptrace_notify (kernel/signal.c:2354)
+syscall_exit_to_user_mode_prepare (kernel/entry/common.c:278)
+syscall_exit_to_user_mode (kernel/entry/common.c:296)
+do_syscall_64 (arch/x86/entry/common.c:86)
+entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106)
+
+Allocated by task 4719:
+kasan_save_stack (mm/kasan/common.c:45)
+__kasan_slab_alloc (mm/kasan/common.c:325)
+slab_post_alloc_hook (mm/slab.h:766)
+kmem_cache_alloc_node (mm/slub.c:3497)
+__alloc_skb (net/core/skbuff.c:552)
+pn533_recv_response (drivers/nfc/pn533/usb.c:65)
+__usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671)
+usb_giveback_urb_bh (drivers/usb/core/hcd.c:1704)
+tasklet_action_common.isra.0 (kernel/softirq.c:797)
+__do_softirq (kernel/softirq.c:571)
+
+Freed by task 1901:
+kasan_save_stack (mm/kasan/common.c:45)
+kasan_set_track (mm/kasan/common.c:52)
+kasan_save_free_info (mm/kasan/genericdd.c:518)
+__kasan_slab_free (mm/kasan/common.c:236)
+kmem_cache_free (mm/slub.c:3809)
+kfree_skbmem (net/core/skbuff.c:874)
+kfree_skb (net/core/skbuff.c:931)
+local_cleanup (net/nfc/llcp_core.c:159)
+nfc_llcp_unregister_device (net/nfc/llcp_core.c:1617)
+nfc_unregister_device (net/nfc/core.c:1179)
+pn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846)
+pn533_usb_disconnect (drivers/nfc/pn533/usb.c:579)
+usb_unbind_interface (drivers/usb/core/driver.c:458)
+device_release_driver_internal (drivers/base/dd.c:1279)
+bus_remove_device (drivers/base/bus.c:529)
+device_del (drivers/base/core.c:3665)
+usb_disable_device (drivers/usb/core/message.c:1420)
+usb_disconnect (drivers/usb/core.c:2261)
+hub_event (drivers/usb/core/hub.c:5833)
+process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281)
+worker_thread (include/linux/list.h:282 kernel/workqueue.c:2423)
+kthread (kernel/kthread.c:319)
+ret_from_fork (arch/x86/entry/entry_64.S:301)
+
+Fixes: 3536da06db0b ("NFC: llcp: Clean local timers and works when removing a device")
+Signed-off-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
+Link: https://lore.kernel.org/r/20230111131914.3338838-1-jisoo.jang@yonsei.ac.kr
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
+index cc997518f79d..edadebb3efd2 100644
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -159,6 +159,7 @@ static void local_cleanup(struct nfc_llcp_local *local)
+ cancel_work_sync(&local->rx_work);
+ cancel_work_sync(&local->timeout_work);
+ kfree_skb(local->rx_pending);
++ local->rx_pending = NULL;
+ del_timer_sync(&local->sdreq_timer);
+ cancel_work_sync(&local->sdreq_timeout_work);
+ nfc_llcp_free_sdp_tlv_list(&local->pending_sdreqs);
+--
+2.39.0
+
--- /dev/null
+From 13ab9e2969f9d139039a1240b4dea6b20f0c5c91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jan 2023 16:48:49 +0000
+Subject: net/sched: sch_taprio: fix possible use-after-free
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3a415d59c1dbec9d772dbfab2d2520d98360caae ]
+
+syzbot reported a nasty crash [1] in net_tx_action() which
+made little sense until we got a repro.
+
+This repro installs a taprio qdisc, but providing an
+invalid TCA_RATE attribute.
+
+qdisc_create() has to destroy the just initialized
+taprio qdisc, and taprio_destroy() is called.
+
+However, the hrtimer used by taprio had already fired,
+therefore advance_sched() called __netif_schedule().
+
+Then net_tx_action was trying to use a destroyed qdisc.
+
+We can not undo the __netif_schedule(), so we must wait
+until one cpu serviced the qdisc before we can proceed.
+
+Many thanks to Alexander Potapenko for his help.
+
+[1]
+BUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]
+BUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline]
+BUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]
+BUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138
+ queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]
+ do_raw_spin_trylock include/linux/spinlock.h:191 [inline]
+ __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]
+ _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138
+ spin_trylock include/linux/spinlock.h:359 [inline]
+ qdisc_run_begin include/net/sch_generic.h:187 [inline]
+ qdisc_run+0xee/0x540 include/net/pkt_sched.h:125
+ net_tx_action+0x77c/0x9a0 net/core/dev.c:5086
+ __do_softirq+0x1cc/0x7fb kernel/softirq.c:571
+ run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934
+ smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164
+ kthread+0x31b/0x430 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slab.h:732 [inline]
+ slab_alloc_node mm/slub.c:3258 [inline]
+ __kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970
+ kmalloc_reserve net/core/skbuff.c:358 [inline]
+ __alloc_skb+0x346/0xcf0 net/core/skbuff.c:430
+ alloc_skb include/linux/skbuff.h:1257 [inline]
+ nlmsg_new include/net/netlink.h:953 [inline]
+ netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436
+ netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507
+ rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108
+ netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
+ netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345
+ netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg net/socket.c:734 [inline]
+ ____sys_sendmsg+0xabc/0xe90 net/socket.c:2482
+ ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536
+ __sys_sendmsg net/socket.c:2565 [inline]
+ __do_sys_sendmsg net/socket.c:2574 [inline]
+ __se_sys_sendmsg net/socket.c:2572 [inline]
+ __x64_sys_sendmsg+0x367/0x540 net/socket.c:2572
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
+
+Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sch_generic.h | 7 +++++++
+ net/sched/sch_taprio.c | 3 +++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index e7e8c318925d..61cd19ee51f4 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -1325,4 +1325,11 @@ static inline int skb_tc_reinsert(struct sk_buff *skb, struct tcf_result *res)
+ return res->ingress ? netif_receive_skb(skb) : dev_queue_xmit(skb);
+ }
+
++/* Make sure qdisc is no longer in SCHED state. */
++static inline void qdisc_synchronize(const struct Qdisc *q)
++{
++ while (test_bit(__QDISC_STATE_SCHED, &q->state))
++ msleep(1);
++}
++
+ #endif
+diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
+index 7f33b31c7b8b..5411bb4cdfc8 100644
+--- a/net/sched/sch_taprio.c
++++ b/net/sched/sch_taprio.c
+@@ -1621,6 +1621,8 @@ static void taprio_reset(struct Qdisc *sch)
+ int i;
+
+ hrtimer_cancel(&q->advance_timer);
++ qdisc_synchronize(sch);
++
+ if (q->qdiscs) {
+ for (i = 0; i < dev->num_tx_queues; i++)
+ if (q->qdiscs[i])
+@@ -1642,6 +1644,7 @@ static void taprio_destroy(struct Qdisc *sch)
+ * happens in qdisc_create(), after taprio_init() has been called.
+ */
+ hrtimer_cancel(&q->advance_timer);
++ qdisc_synchronize(sch);
+
+ taprio_disable_offload(dev, q, NULL);
+
+--
+2.39.0
+
--- /dev/null
+From 06efcd076ef508c2fc357307c6ab8f04f8e14ef7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Jan 2023 18:24:08 +0100
+Subject: net: stmmac: fix invalid call to mdiobus_get_phy()
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 1f3bd64ad921f051254591fbed04fd30b306cde6 ]
+
+In a number of cases the driver assigns a default value of -1 to
+priv->plat->phy_addr. This may result in calling mdiobus_get_phy()
+with addr parameter being -1. Therefore check for this scenario and
+bail out before calling mdiobus_get_phy().
+
+Fixes: 42e87024f727 ("net: stmmac: Fix case when PHY handle is not present")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Link: https://lore.kernel.org/r/669f9671-ecd1-a41b-2727-7b73e3003985@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 14ea0168b548..b52ca2fe04d8 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -1125,6 +1125,11 @@ static int stmmac_init_phy(struct net_device *dev)
+ int addr = priv->plat->phy_addr;
+ struct phy_device *phydev;
+
++ if (addr < 0) {
++ netdev_err(priv->dev, "no phy found\n");
++ return -ENODEV;
++ }
++
+ phydev = mdiobus_get_phy(priv->mii, addr);
+ if (!phydev) {
+ netdev_err(priv->dev, "no phy at addr %d\n", addr);
+--
+2.39.0
+
--- /dev/null
+From 8f8332ec8383f5273bed0f435b57a4c44e7a98c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Jan 2023 19:23:26 +0100
+Subject: net: usb: sr9700: Handle negative len
+
+From: Szymon Heidrich <szymon.heidrich@gmail.com>
+
+[ Upstream commit ecf7cf8efb59789e2b21d2f9ab926142579092b2 ]
+
+Packet len computed as difference of length word extracted from
+skb data and four may result in a negative value. In such case
+processing of the buffer should be interrupted rather than
+setting sr_skb->len to an unexpectedly large value (due to cast
+from signed to unsigned integer) and passing sr_skb to
+usbnet_skb_return.
+
+Fixes: e9da0b56fe27 ("sr9700: sanity check for packet length")
+Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Link: https://lore.kernel.org/r/20230114182326.30479-1-szymon.heidrich@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/sr9700.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c
+index fce6713e970b..811c8751308c 100644
+--- a/drivers/net/usb/sr9700.c
++++ b/drivers/net/usb/sr9700.c
+@@ -410,7 +410,7 @@ static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ /* ignore the CRC length */
+ len = (skb->data[1] | (skb->data[2] << 8)) - 4;
+
+- if (len > ETH_FRAME_LEN || len > skb->len)
++ if (len > ETH_FRAME_LEN || len > skb->len || len < 0)
+ return 0;
+
+ /* the last packet of current skb */
+--
+2.39.0
+
--- /dev/null
+From 5b926926da3b94c24afa369f2d2d67abe8c5d2cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jan 2023 10:47:03 +0300
+Subject: net: wan: Add checks for NULL for utdm in undo_uhdlc_init and
+ unmap_si_regs
+
+From: Esina Ekaterina <eesina@astralinux.ru>
+
+[ Upstream commit 488e0bf7f34af3d42d1d5e56f7a5a7beaff188a3 ]
+
+If uhdlc_priv_tsa != 1 then utdm is not initialized.
+And if ret != NULL then goto undo_uhdlc_init, where
+utdm is dereferenced. Same if dev == NULL.
+
+Found by Astra Linux on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: 8d68100ab4ad ("soc/fsl/qe: fix err handling of ucc_of_parse_tdm")
+Signed-off-by: Esina Ekaterina <eesina@astralinux.ru>
+Link: https://lore.kernel.org/r/20230112074703.13558-1-eesina@astralinux.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/fsl_ucc_hdlc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wan/fsl_ucc_hdlc.c b/drivers/net/wan/fsl_ucc_hdlc.c
+index 7eac6a3e1cde..ae1ae65e7f90 100644
+--- a/drivers/net/wan/fsl_ucc_hdlc.c
++++ b/drivers/net/wan/fsl_ucc_hdlc.c
+@@ -1245,9 +1245,11 @@ static int ucc_hdlc_probe(struct platform_device *pdev)
+ free_dev:
+ free_netdev(dev);
+ undo_uhdlc_init:
+- iounmap(utdm->siram);
++ if (utdm)
++ iounmap(utdm->siram);
+ unmap_si_regs:
+- iounmap(utdm->si_regs);
++ if (utdm)
++ iounmap(utdm->si_regs);
+ free_utdm:
+ if (uhdlc_priv->tsa)
+ kfree(utdm);
+--
+2.39.0
+
--- /dev/null
+From 21fbad7630a1eb3d13c1043c82816b61501bc6c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jan 2023 08:44:16 -0800
+Subject: nvme-pci: fix timeout request state check
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit 1c5842085851f786eba24a39ecd02650ad892064 ]
+
+Polling the completion can progress the request state to IDLE, either
+inline with the completion, or through softirq. Either way, the state
+may not be COMPLETED, so don't check for that. We only care if the state
+isn't IN_FLIGHT.
+
+This is fixing an issue where the driver aborts an IO that we just
+completed. Seeing the "aborting" message instead of "polled" is very
+misleading as to where the timeout problem resides.
+
+Fixes: bf392a5dc02a9b ("nvme-pci: Remove tag from process cq")
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 67dd68462b81..c47512da9872 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1292,7 +1292,7 @@ static enum blk_eh_timer_return nvme_timeout(struct request *req, bool reserved)
+ else
+ nvme_poll_irqdisable(nvmeq);
+
+- if (blk_mq_request_completed(req)) {
++ if (blk_mq_rq_state(req) != MQ_RQ_IN_FLIGHT) {
+ dev_warn(dev->ctrl.device,
+ "I/O %d QID %d timeout, completion polled\n",
+ req->tag, nvmeq->qid);
+--
+2.39.0
+
--- /dev/null
+From ff26ea4a9690c743d99a81e3619c23e478d4c3de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 19:58:23 +0800
+Subject: phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in
+ rockchip_usb2phy_power_on()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit 5daba914da0e48950e9407ea4d75fa57029c9adc ]
+
+The clk_disable_unprepare() should be called in the error handling of
+rockchip_usb2phy_power_on().
+
+Fixes: 0e08d2a727e6 ("phy: rockchip-inno-usb2: add a new driver for Rockchip usb2phy")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Link: https://lore.kernel.org/r/20221205115823.16957-1-shangxiaojing@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
+index 46ebdb1460a3..cab6a94bf161 100644
+--- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
++++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
+@@ -467,8 +467,10 @@ static int rockchip_usb2phy_power_on(struct phy *phy)
+ return ret;
+
+ ret = property_enable(base, &rport->port_cfg->phy_sus, false);
+- if (ret)
++ if (ret) {
++ clk_disable_unprepare(rphy->clk480m);
+ return ret;
++ }
+
+ /* waiting for the utmi_clk to become stable */
+ usleep_range(1500, 2000);
+--
+2.39.0
+
--- /dev/null
+From 9d09a2527ab655ce650ce09add2b0bc04a140f1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jan 2023 22:25:29 -0800
+Subject: phy: ti: fix Kconfig warning and operator precedence
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 7124c93887cc4e6c5b48920f83115e4a5892e870 ]
+
+Fix Kconfig depends operator precedence to prevent a Kconfig warning:
+
+WARNING: unmet direct dependencies detected for MUX_MMIO
+ Depends on [n]: MULTIPLEXER [=m] && OF [=n]
+ Selected by [m]:
+ - PHY_AM654_SERDES [=m] && (OF [=n] && ARCH_K3 || COMPILE_TEST [=y]) && COMMON_CLK [=y]
+
+Fixes: 71e2f5c5c224 ("phy: ti: Add a new SERDES driver for TI's AM654x SoC")
+Fixes: 091876cc355d ("phy: ti: j721e-wiz: Add support for WIZ module present in TI J721E SoC")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Vinod Koul <vkoul@kernel.org>
+Cc: Kishon Vijay Abraham I <kishon@kernel.org>
+Cc: linux-phy@lists.infradead.org
+Cc: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20230110062529.22668-1-rdunlap@infradead.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/ti/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/phy/ti/Kconfig b/drivers/phy/ti/Kconfig
+index 15a3bcf32308..b905902d5750 100644
+--- a/drivers/phy/ti/Kconfig
++++ b/drivers/phy/ti/Kconfig
+@@ -23,7 +23,7 @@ config PHY_DM816X_USB
+
+ config PHY_AM654_SERDES
+ tristate "TI AM654 SERDES support"
+- depends on OF && ARCH_K3 || COMPILE_TEST
++ depends on OF && (ARCH_K3 || COMPILE_TEST)
+ depends on COMMON_CLK
+ select GENERIC_PHY
+ select MULTIPLEXER
+@@ -35,7 +35,7 @@ config PHY_AM654_SERDES
+
+ config PHY_J721E_WIZ
+ tristate "TI J721E WIZ (SERDES Wrapper) support"
+- depends on OF && ARCH_K3 || COMPILE_TEST
++ depends on OF && (ARCH_K3 || COMPILE_TEST)
+ depends on HAS_IOMEM && OF_ADDRESS
+ depends on COMMON_CLK
+ select GENERIC_PHY
+--
+2.39.0
+
--- /dev/null
+From 24cf678e7605eaa61aed3cafe8fa556297b574fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jan 2023 19:18:41 +0100
+Subject: platform/x86: asus-nb-wmi: Add alternate mapping for KEY_SCREENLOCK
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit db9494895b405bf318dc7e563dee6daa51b3b6ed ]
+
+The 0x33 keycode is emitted by Fn + F6 on a ASUS FX705GE laptop.
+
+Reported-by: Nemcev Aleksey <Nemcev_Aleksey@inbox.ru>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20230112181841.84652-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/asus-nb-wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c
+index 949ddeb673bc..74637bd0433e 100644
+--- a/drivers/platform/x86/asus-nb-wmi.c
++++ b/drivers/platform/x86/asus-nb-wmi.c
+@@ -478,6 +478,7 @@ static const struct key_entry asus_nb_wmi_keymap[] = {
+ { KE_KEY, 0x30, { KEY_VOLUMEUP } },
+ { KE_KEY, 0x31, { KEY_VOLUMEDOWN } },
+ { KE_KEY, 0x32, { KEY_MUTE } },
++ { KE_KEY, 0x33, { KEY_SCREENLOCK } },
+ { KE_KEY, 0x35, { KEY_SCREENLOCK } },
+ { KE_KEY, 0x40, { KEY_PREVIOUSSONG } },
+ { KE_KEY, 0x41, { KEY_NEXTSONG } },
+--
+2.39.0
+
--- /dev/null
+From 43404424ac07c25e0dbb510e3a3af915ebee5ee7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Dec 2022 13:11:03 +0100
+Subject: platform/x86: touchscreen_dmi: Add info for the CSL Panther Tab HD
+
+From: Michael Klein <m.klein@mvz-labor-lb.de>
+
+[ Upstream commit 36c2b9d6710427f802494ba070621cb415198293 ]
+
+Add touchscreen info for the CSL Panther Tab HD.
+
+Signed-off-by: Michael Klein <m.klein@mvz-labor-lb.de>
+Link: https://lore.kernel.org/r/20221220121103.uiwn5l7fii2iggct@LLGMVZLB-0037
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/touchscreen_dmi.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/drivers/platform/x86/touchscreen_dmi.c b/drivers/platform/x86/touchscreen_dmi.c
+index 110ff1e6ef81..bc26acace2c3 100644
+--- a/drivers/platform/x86/touchscreen_dmi.c
++++ b/drivers/platform/x86/touchscreen_dmi.c
+@@ -255,6 +255,23 @@ static const struct ts_dmi_data connect_tablet9_data = {
+ .properties = connect_tablet9_props,
+ };
+
++static const struct property_entry csl_panther_tab_hd_props[] = {
++ PROPERTY_ENTRY_U32("touchscreen-min-x", 1),
++ PROPERTY_ENTRY_U32("touchscreen-min-y", 20),
++ PROPERTY_ENTRY_U32("touchscreen-size-x", 1980),
++ PROPERTY_ENTRY_U32("touchscreen-size-y", 1526),
++ PROPERTY_ENTRY_BOOL("touchscreen-inverted-y"),
++ PROPERTY_ENTRY_BOOL("touchscreen-swapped-x-y"),
++ PROPERTY_ENTRY_STRING("firmware-name", "gsl1680-csl-panther-tab-hd.fw"),
++ PROPERTY_ENTRY_U32("silead,max-fingers", 10),
++ { }
++};
++
++static const struct ts_dmi_data csl_panther_tab_hd_data = {
++ .acpi_name = "MSSL1680:00",
++ .properties = csl_panther_tab_hd_props,
++};
++
+ static const struct property_entry cube_iwork8_air_props[] = {
+ PROPERTY_ENTRY_U32("touchscreen-min-x", 1),
+ PROPERTY_ENTRY_U32("touchscreen-min-y", 3),
+@@ -1057,6 +1074,14 @@ const struct dmi_system_id touchscreen_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "Tablet 9"),
+ },
+ },
++ {
++ /* CSL Panther Tab HD */
++ .driver_data = (void *)&csl_panther_tab_hd_data,
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "CSL Computer GmbH & Co. KG"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "CSL Panther Tab HD"),
++ },
++ },
+ {
+ /* CUBE iwork8 Air */
+ .driver_data = (void *)&cube_iwork8_air_data,
+--
+2.39.0
+
--- /dev/null
+From d8e9984c3d0ff410761a2284d4ead9f9fc45c4be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Dec 2022 17:05:41 +0100
+Subject: PM: AVS: qcom-cpr: Fix an error handling path in cpr_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 6049aae52392539e505bfb8ccbcff3c26f1d2f0b ]
+
+If an error occurs after a successful pm_genpd_init() call, it should be
+undone by a corresponding pm_genpd_remove().
+
+Add the missing call in the error handling path, as already done in the
+remove function.
+
+Fixes: bf6910abf548 ("power: avs: Add support for CPR (Core Power Reduction)")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/0f520597dbad89ab99c217c8986912fa53eaf5f9.1671293108.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/cpr.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soc/qcom/cpr.c b/drivers/soc/qcom/cpr.c
+index 6298561bc29c..fac0414c3731 100644
+--- a/drivers/soc/qcom/cpr.c
++++ b/drivers/soc/qcom/cpr.c
+@@ -1743,12 +1743,16 @@ static int cpr_probe(struct platform_device *pdev)
+
+ ret = of_genpd_add_provider_simple(dev->of_node, &drv->pd);
+ if (ret)
+- return ret;
++ goto err_remove_genpd;
+
+ platform_set_drvdata(pdev, drv);
+ cpr_debugfs_init(drv);
+
+ return 0;
++
++err_remove_genpd:
++ pm_genpd_remove(&drv->pd);
++ return ret;
+ }
+
+ static int cpr_remove(struct platform_device *pdev)
+--
+2.39.0
+
--- /dev/null
+From f53e4667348046d4088b015594acf35e07689bab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jan 2023 13:37:11 +0000
+Subject: RDMA/core: Fix ib block iterator counter overflow
+
+From: Yonatan Nachum <ynachum@amazon.com>
+
+[ Upstream commit 0afec5e9cea732cb47014655685a2a47fb180c31 ]
+
+When registering a new DMA MR after selecting the best aligned page size
+for it, we iterate over the given sglist to split each entry to smaller,
+aligned to the selected page size, DMA blocks.
+
+In given circumstances where the sg entry and page size fit certain
+sizes and the sg entry is not aligned to the selected page size, the
+total size of the aligned pages we need to cover the sg entry is >= 4GB.
+Under this circumstances, while iterating page aligned blocks, the
+counter responsible for counting how much we advanced from the start of
+the sg entry is overflowed because its type is u32 and we pass 4GB in
+size. This can lead to an infinite loop inside the iterator function
+because the overflow prevents the counter to be larger
+than the size of the sg entry.
+
+Fix the presented problem by changing the advancement condition to
+eliminate overflow.
+
+Backtrace:
+[ 192.374329] efa_reg_user_mr_dmabuf
+[ 192.376783] efa_register_mr
+[ 192.382579] pgsz_bitmap 0xfffff000 rounddown 0x80000000
+[ 192.386423] pg_sz [0x80000000] umem_length[0xc0000000]
+[ 192.392657] start 0x0 length 0xc0000000 params.page_shift 31 params.page_num 3
+[ 192.399559] hp_cnt[3], pages_in_hp[524288]
+[ 192.403690] umem->sgt_append.sgt.nents[1]
+[ 192.407905] number entries: [1], pg_bit: [31]
+[ 192.411397] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]
+[ 192.415601] biter->__sg_advance [665837568] sg_dma_len[3221225472]
+[ 192.419823] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]
+[ 192.423976] biter->__sg_advance [2813321216] sg_dma_len[3221225472]
+[ 192.428243] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]
+[ 192.432397] biter->__sg_advance [665837568] sg_dma_len[3221225472]
+
+Fixes: a808273a495c ("RDMA/verbs: Add a DMA iterator to return aligned contiguous memory blocks")
+Signed-off-by: Yonatan Nachum <ynachum@amazon.com>
+Link: https://lore.kernel.org/r/20230109133711.13678-1-ynachum@amazon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/verbs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
+index 5889639e90a1..5123be0ab02f 100644
+--- a/drivers/infiniband/core/verbs.c
++++ b/drivers/infiniband/core/verbs.c
+@@ -2911,15 +2911,18 @@ EXPORT_SYMBOL(__rdma_block_iter_start);
+ bool __rdma_block_iter_next(struct ib_block_iter *biter)
+ {
+ unsigned int block_offset;
++ unsigned int sg_delta;
+
+ if (!biter->__sg_nents || !biter->__sg)
+ return false;
+
+ biter->__dma_addr = sg_dma_address(biter->__sg) + biter->__sg_advance;
+ block_offset = biter->__dma_addr & (BIT_ULL(biter->__pg_bit) - 1);
+- biter->__sg_advance += BIT_ULL(biter->__pg_bit) - block_offset;
++ sg_delta = BIT_ULL(biter->__pg_bit) - block_offset;
+
+- if (biter->__sg_advance >= sg_dma_len(biter->__sg)) {
++ if (sg_dma_len(biter->__sg) - biter->__sg_advance > sg_delta) {
++ biter->__sg_advance += sg_delta;
++ } else {
+ biter->__sg_advance = 0;
+ biter->__sg = sg_next(biter->__sg);
+ biter->__sg_nents--;
+--
+2.39.0
+
--- /dev/null
+From cba512813f5481ac1c91a9b18d2adae3a79359f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jan 2023 15:11:07 +0100
+Subject: s390/debug: add _ASM_S390_ prefix to header guard
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+[ Upstream commit 0d4d52361b6c29bf771acd4fa461f06d78fb2fac ]
+
+Using DEBUG_H without a prefix is very generic and inconsistent with
+other header guards in arch/s390/include/asm. In fact it collides with
+the same name in the ath9k wireless driver though that depends on !S390
+via disabled wireless support. Let's just use a consistent header guard
+name and prevent possible future trouble.
+
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/debug.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/s390/include/asm/debug.h b/arch/s390/include/asm/debug.h
+index c1b82bcc017c..29a1badbe2f5 100644
+--- a/arch/s390/include/asm/debug.h
++++ b/arch/s390/include/asm/debug.h
+@@ -4,8 +4,8 @@
+ *
+ * Copyright IBM Corp. 1999, 2020
+ */
+-#ifndef DEBUG_H
+-#define DEBUG_H
++#ifndef _ASM_S390_DEBUG_H
++#define _ASM_S390_DEBUG_H
+
+ #include <linux/string.h>
+ #include <linux/spinlock.h>
+@@ -425,4 +425,4 @@ int debug_unregister_view(debug_info_t *id, struct debug_view *view);
+ #define PRINT_FATAL(x...) printk(KERN_DEBUG PRINTK_HEADER x)
+ #endif /* DASD_DEBUG */
+
+-#endif /* DEBUG_H */
++#endif /* _ASM_S390_DEBUG_H */
+--
+2.39.0
+
--- /dev/null
+From 1d635cd3c65eb3f9cc365785454c8d0d71984ab9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jan 2023 12:03:20 +0800
+Subject: scsi: hisi_sas: Set a port invalid only if there are no devices
+ attached when refreshing port id
+
+From: Yihang Li <liyihang9@huawei.com>
+
+[ Upstream commit f58c89700630da6554b24fd3df293a24874c10c1 ]
+
+Currently the driver sets the port invalid if one phy in the port is not
+enabled, which may cause issues in expander situation. In directly attached
+situation, if phy up doesn't occur in time when refreshing port id, the
+port is incorrectly set to invalid which will also cause disk lost.
+
+Therefore set a port invalid only if there are no devices attached to the
+port.
+
+Signed-off-by: Yihang Li <liyihang9@huawei.com>
+Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
+Link: https://lore.kernel.org/r/1672805000-141102-3-git-send-email-chenxiang66@hisilicon.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hisi_sas/hisi_sas_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
+index 1feca45384c7..e5b9229310a0 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
+@@ -1408,7 +1408,7 @@ static void hisi_sas_refresh_port_id(struct hisi_hba *hisi_hba)
+ device->linkrate = phy->sas_phy.linkrate;
+
+ hisi_hba->hw->setup_itct(hisi_hba, sas_dev);
+- } else
++ } else if (!port->port_attached)
+ port->id = 0xff;
+ }
+ }
+--
+2.39.0
+
--- /dev/null
+From 3ca95f7be972a4db56be040d3d2ce76c749c3d1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Nov 2022 09:07:52 +0800
+Subject: scsi: iscsi: Fix multiple iSCSI session unbind events sent to
+ userspace
+
+From: Wenchao Hao <haowenchao@huawei.com>
+
+[ Upstream commit a3be19b91ea7121d388084e8c07f5b1b982eb40c ]
+
+It was observed that the kernel would potentially send
+ISCSI_KEVENT_UNBIND_SESSION multiple times. Introduce 'target_state' in
+iscsi_cls_session() to make sure session will send only one unbind session
+event.
+
+This introduces a regression wrt. the issue fixed in commit 13e60d3ba287
+("scsi: iscsi: Report unbind session event when the target has been
+removed"). If iscsid dies for any reason after sending an unbind session to
+kernel, once iscsid is restarted, the kernel's ISCSI_KEVENT_UNBIND_SESSION
+event is lost and userspace is then unable to logout. However, the session
+is actually in invalid state (its target_id is INVALID) so iscsid should
+not sync this session during restart.
+
+Consequently we need to check the session's target state during iscsid
+restart. If session is in unbound state, do not sync this session and
+perform session teardown. This is OK because once a session is unbound, we
+can not recover it any more (mainly because its target id is INVALID).
+
+Signed-off-by: Wenchao Hao <haowenchao@huawei.com>
+Link: https://lore.kernel.org/r/20221126010752.231917-1-haowenchao@huawei.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Wu Bo <wubo40@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 50 ++++++++++++++++++++++++++---
+ include/scsi/scsi_transport_iscsi.h | 9 ++++++
+ 2 files changed, 54 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index ef7cd7520e7c..092bd6a3d64a 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -1674,6 +1674,13 @@ static const char *iscsi_session_state_name(int state)
+ return name;
+ }
+
++static char *iscsi_session_target_state_name[] = {
++ [ISCSI_SESSION_TARGET_UNBOUND] = "UNBOUND",
++ [ISCSI_SESSION_TARGET_ALLOCATED] = "ALLOCATED",
++ [ISCSI_SESSION_TARGET_SCANNED] = "SCANNED",
++ [ISCSI_SESSION_TARGET_UNBINDING] = "UNBINDING",
++};
++
+ int iscsi_session_chkready(struct iscsi_cls_session *session)
+ {
+ unsigned long flags;
+@@ -1805,9 +1812,13 @@ static int iscsi_user_scan_session(struct device *dev, void *data)
+ if ((scan_data->channel == SCAN_WILD_CARD ||
+ scan_data->channel == 0) &&
+ (scan_data->id == SCAN_WILD_CARD ||
+- scan_data->id == id))
++ scan_data->id == id)) {
+ scsi_scan_target(&session->dev, 0, id,
+ scan_data->lun, scan_data->rescan);
++ spin_lock_irqsave(&session->lock, flags);
++ session->target_state = ISCSI_SESSION_TARGET_SCANNED;
++ spin_unlock_irqrestore(&session->lock, flags);
++ }
+ }
+
+ user_scan_exit:
+@@ -1996,31 +2007,41 @@ static void __iscsi_unbind_session(struct work_struct *work)
+ struct iscsi_cls_host *ihost = shost->shost_data;
+ unsigned long flags;
+ unsigned int target_id;
++ bool remove_target = true;
+
+ ISCSI_DBG_TRANS_SESSION(session, "Unbinding session\n");
+
+ /* Prevent new scans and make sure scanning is not in progress */
+ mutex_lock(&ihost->mutex);
+ spin_lock_irqsave(&session->lock, flags);
+- if (session->target_id == ISCSI_MAX_TARGET) {
++ if (session->target_state == ISCSI_SESSION_TARGET_ALLOCATED) {
++ remove_target = false;
++ } else if (session->target_state != ISCSI_SESSION_TARGET_SCANNED) {
+ spin_unlock_irqrestore(&session->lock, flags);
+ mutex_unlock(&ihost->mutex);
+- goto unbind_session_exit;
++ ISCSI_DBG_TRANS_SESSION(session,
++ "Skipping target unbinding: Session is unbound/unbinding.\n");
++ return;
+ }
+
++ session->target_state = ISCSI_SESSION_TARGET_UNBINDING;
+ target_id = session->target_id;
+ session->target_id = ISCSI_MAX_TARGET;
+ spin_unlock_irqrestore(&session->lock, flags);
+ mutex_unlock(&ihost->mutex);
+
+- scsi_remove_target(&session->dev);
++ if (remove_target)
++ scsi_remove_target(&session->dev);
+
+ if (session->ida_used)
+ ida_simple_remove(&iscsi_sess_ida, target_id);
+
+-unbind_session_exit:
+ iscsi_session_event(session, ISCSI_KEVENT_UNBIND_SESSION);
+ ISCSI_DBG_TRANS_SESSION(session, "Completed target removal\n");
++
++ spin_lock_irqsave(&session->lock, flags);
++ session->target_state = ISCSI_SESSION_TARGET_UNBOUND;
++ spin_unlock_irqrestore(&session->lock, flags);
+ }
+
+ static void __iscsi_destroy_session(struct work_struct *work)
+@@ -2089,6 +2110,9 @@ int iscsi_add_session(struct iscsi_cls_session *session, unsigned int target_id)
+ session->ida_used = true;
+ } else
+ session->target_id = target_id;
++ spin_lock_irqsave(&session->lock, flags);
++ session->target_state = ISCSI_SESSION_TARGET_ALLOCATED;
++ spin_unlock_irqrestore(&session->lock, flags);
+
+ dev_set_name(&session->dev, "session%u", session->sid);
+ err = device_add(&session->dev);
+@@ -4343,6 +4367,19 @@ iscsi_session_attr(def_taskmgmt_tmo, ISCSI_PARAM_DEF_TASKMGMT_TMO, 0);
+ iscsi_session_attr(discovery_parent_idx, ISCSI_PARAM_DISCOVERY_PARENT_IDX, 0);
+ iscsi_session_attr(discovery_parent_type, ISCSI_PARAM_DISCOVERY_PARENT_TYPE, 0);
+
++static ssize_t
++show_priv_session_target_state(struct device *dev, struct device_attribute *attr,
++ char *buf)
++{
++ struct iscsi_cls_session *session = iscsi_dev_to_session(dev->parent);
++
++ return sysfs_emit(buf, "%s\n",
++ iscsi_session_target_state_name[session->target_state]);
++}
++
++static ISCSI_CLASS_ATTR(priv_sess, target_state, S_IRUGO,
++ show_priv_session_target_state, NULL);
++
+ static ssize_t
+ show_priv_session_state(struct device *dev, struct device_attribute *attr,
+ char *buf)
+@@ -4445,6 +4482,7 @@ static struct attribute *iscsi_session_attrs[] = {
+ &dev_attr_sess_boot_target.attr,
+ &dev_attr_priv_sess_recovery_tmo.attr,
+ &dev_attr_priv_sess_state.attr,
++ &dev_attr_priv_sess_target_state.attr,
+ &dev_attr_priv_sess_creator.attr,
+ &dev_attr_sess_chap_out_idx.attr,
+ &dev_attr_sess_chap_in_idx.attr,
+@@ -4558,6 +4596,8 @@ static umode_t iscsi_session_attr_is_visible(struct kobject *kobj,
+ return S_IRUGO | S_IWUSR;
+ else if (attr == &dev_attr_priv_sess_state.attr)
+ return S_IRUGO;
++ else if (attr == &dev_attr_priv_sess_target_state.attr)
++ return S_IRUGO;
+ else if (attr == &dev_attr_priv_sess_creator.attr)
+ return S_IRUGO;
+ else if (attr == &dev_attr_priv_sess_target_id.attr)
+diff --git a/include/scsi/scsi_transport_iscsi.h b/include/scsi/scsi_transport_iscsi.h
+index 037c77fb5dc5..c4de15f7a0a5 100644
+--- a/include/scsi/scsi_transport_iscsi.h
++++ b/include/scsi/scsi_transport_iscsi.h
+@@ -236,6 +236,14 @@ enum {
+ ISCSI_SESSION_FREE,
+ };
+
++enum {
++ ISCSI_SESSION_TARGET_UNBOUND,
++ ISCSI_SESSION_TARGET_ALLOCATED,
++ ISCSI_SESSION_TARGET_SCANNED,
++ ISCSI_SESSION_TARGET_UNBINDING,
++ ISCSI_SESSION_TARGET_MAX,
++};
++
+ #define ISCSI_MAX_TARGET -1
+
+ struct iscsi_cls_session {
+@@ -262,6 +270,7 @@ struct iscsi_cls_session {
+ */
+ pid_t creator;
+ int state;
++ int target_state; /* session target bind state */
+ int sid; /* session id */
+ void *dd_data; /* LLD private data */
+ struct device dev; /* sysfs transport/container device */
+--
+2.39.0
+
--- /dev/null
+clk-generalize-devm_clk_get-a-bit.patch
+clk-provide-new-devm_clk-helpers-for-prepared-and-en.patch
+memory-atmel-sdramc-fix-missing-clk_disable_unprepar.patch
+memory-mvebu-devbus-fix-missing-clk_disable_unprepar.patch
+arm-dts-imx6ul-pico-dwarf-use-clock-frequency.patch
+arm-dts-imx7d-pico-use-clock-frequency.patch
+arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch
+arm64-dts-imx8mm-beacon-fix-ecspi2-pinmux.patch
+arm-imx-add-missing-of_node_put.patch
+hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch
+edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch
+firmware-arm_scmi-harden-shared-memory-access-in-fet.patch
+firmware-arm_scmi-harden-shared-memory-access-in-fet.patch-17789
+tomoyo-fix-broken-dependency-on-.conf.default.patch
+rdma-core-fix-ib-block-iterator-counter-overflow.patch
+ib-hfi1-reject-a-zero-length-user-expected-buffer.patch
+ib-hfi1-reserve-user-expected-tids.patch
+ib-hfi1-fix-expected-receive-setup-error-exit-issues.patch
+ib-hfi1-immediately-remove-invalid-memory-from-hardw.patch
+ib-hfi1-remove-user-expected-buffer-invalidate-race.patch
+affs-initialize-fsdata-in-affs_truncate.patch
+pm-avs-qcom-cpr-fix-an-error-handling-path-in-cpr_pr.patch
+phy-ti-fix-kconfig-warning-and-operator-precedence.patch
+arm-dts-at91-sam9x60-fix-the-ddr-clock-for-sam9x60.patch
+amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch
+amd-xgbe-delay-an-timeout-during-kr-training.patch
+bpf-fix-pointer-leak-due-to-insufficient-speculative.patch
+phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch
+net-nfc-fix-use-after-free-in-local_cleanup.patch
+net-wan-add-checks-for-null-for-utdm-in-undo_uhdlc_i.patch
+gpio-mxc-always-set-gpios-used-as-interrupt-source-t.patch
+wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch
+net-sched-sch_taprio-fix-possible-use-after-free.patch
+l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch
+l2tp-don-t-sleep-and-disable-bh-under-writer-side-sk.patch
+l2tp-convert-l2tp_tunnel_list-to-idr.patch
+l2tp-close-all-race-conditions-in-l2tp_tunnel_regist.patch
+net-usb-sr9700-handle-negative-len.patch
+net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch
+hid-check-empty-report_list-in-hid_validate_values.patch
+hid-check-empty-report_list-in-bigben_probe.patch
+net-stmmac-fix-invalid-call-to-mdiobus_get_phy.patch
+hid-revert-cherry_mouse_000c-quirk.patch
+usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch
+usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch
+net-mlx5-eliminate-anonymous-module_init-module_exit.patch
+drm-panfrost-fix-generic_atomic64-dependency.patch
+dmaengine-fix-double-increment-of-client_count-in-dm.patch
+net-macb-fix-ptp-tx-timestamp-failure-due-to-packet-.patch
+l2tp-prevent-lockdep-issue-in-l2tp_tunnel_register.patch
+hid-betop-check-shape-of-output-reports.patch
+dmaengine-xilinx_dma-call-of_node_put-when-breaking-.patch
+nvme-pci-fix-timeout-request-state-check.patch
+tcp-avoid-the-lookup-process-failing-to-get-sk-in-eh.patch
+w1-fix-deadloop-in-__w1_remove_master_device.patch
+w1-fix-warning-after-calling-w1_process.patch
+driver-core-fix-test_async_probe_init-saves-device-i.patch
+net-dsa-microchip-ksz9477-port-map-correction-in-alu.patch
+tcp-fix-rate_app_limited-to-default-to-1.patch
+scsi-iscsi-fix-multiple-iscsi-session-unbind-events-.patch
+cpufreq-add-tegra234-to-cpufreq-dt-platdev-blocklist.patch
+kcsan-test-don-t-put-the-expect-array-on-the-stack.patch
+asoc-fsl_micfil-correct-the-number-of-steps-on-sx-co.patch
+drm-add-orientation-quirk-for-lenovo-ideapad-d330-10.patch
+s390-debug-add-_asm_s390_-prefix-to-header-guard.patch
+cpufreq-armada-37xx-stop-using-0-as-null-pointer.patch
+asoc-fsl_ssi-rename-ac-97-streams-to-avoid-collision.patch
+asoc-fsl-asoc-card-fix-naming-of-ac-97-codec-widgets.patch
+spi-spidev-remove-debug-messages-that-access-spidev-.patch
+kvm-s390-interrupt-use-read_once-before-cmpxchg.patch
+scsi-hisi_sas-set-a-port-invalid-only-if-there-are-n.patch
+platform-x86-touchscreen_dmi-add-info-for-the-csl-pa.patch
+platform-x86-asus-nb-wmi-add-alternate-mapping-for-k.patch
+lockref-stop-doing-cpu_relax-in-the-cmpxchg-loop.patch
--- /dev/null
+From 8cc9c4aa924c5c587121ab35c3eb3cb6477c770d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jan 2023 11:07:19 +0100
+Subject: spi: spidev: remove debug messages that access spidev->spi without
+ locking
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+[ Upstream commit 6b35b173dbc1711f8d272e3f322d2ad697015919 ]
+
+The two debug messages in spidev_open() dereference spidev->spi without
+taking the lock and without checking if it's not null. This can lead to
+a crash. Drop the messages as they're not needed - the user-space will
+get informed about ENOMEM with the syscall return value.
+
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Link: https://lore.kernel.org/r/20230106100719.196243-2-brgl@bgdev.pl
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spidev.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
+index 9c5ec99431d2..aee960a7d7f9 100644
+--- a/drivers/spi/spidev.c
++++ b/drivers/spi/spidev.c
+@@ -592,7 +592,6 @@ static int spidev_open(struct inode *inode, struct file *filp)
+ if (!spidev->tx_buffer) {
+ spidev->tx_buffer = kmalloc(bufsiz, GFP_KERNEL);
+ if (!spidev->tx_buffer) {
+- dev_dbg(&spidev->spi->dev, "open/ENOMEM\n");
+ status = -ENOMEM;
+ goto err_find_dev;
+ }
+@@ -601,7 +600,6 @@ static int spidev_open(struct inode *inode, struct file *filp)
+ if (!spidev->rx_buffer) {
+ spidev->rx_buffer = kmalloc(bufsiz, GFP_KERNEL);
+ if (!spidev->rx_buffer) {
+- dev_dbg(&spidev->spi->dev, "open/ENOMEM\n");
+ status = -ENOMEM;
+ goto err_alloc_rx_buf;
+ }
+--
+2.39.0
+
--- /dev/null
+From ba9b39bdaae3c46edd96dfc6bdbd7f4ac43cf43e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jan 2023 09:59:41 +0800
+Subject: tcp: avoid the lookup process failing to get sk in ehash table
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit 3f4ca5fafc08881d7a57daa20449d171f2887043 ]
+
+While one cpu is working on looking up the right socket from ehash
+table, another cpu is done deleting the request socket and is about
+to add (or is adding) the big socket from the table. It means that
+we could miss both of them, even though it has little chance.
+
+Let me draw a call trace map of the server side.
+ CPU 0 CPU 1
+ ----- -----
+tcp_v4_rcv() syn_recv_sock()
+ inet_ehash_insert()
+ -> sk_nulls_del_node_init_rcu(osk)
+__inet_lookup_established()
+ -> __sk_nulls_add_node_rcu(sk, list)
+
+Notice that the CPU 0 is receiving the data after the final ack
+during 3-way shakehands and CPU 1 is still handling the final ack.
+
+Why could this be a real problem?
+This case is happening only when the final ack and the first data
+receiving by different CPUs. Then the server receiving data with
+ACK flag tries to search one proper established socket from ehash
+table, but apparently it fails as my map shows above. After that,
+the server fetches a listener socket and then sends a RST because
+it finds a ACK flag in the skb (data), which obeys RST definition
+in RFC 793.
+
+Besides, Eric pointed out there's one more race condition where it
+handles tw socket hashdance. Only by adding to the tail of the list
+before deleting the old one can we avoid the race if the reader has
+already begun the bucket traversal and it would possibly miss the head.
+
+Many thanks to Eric for great help from beginning to end.
+
+Fixes: 5e0724d027f0 ("tcp/dccp: fix hashdance race for passive sessions")
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/lkml/20230112065336.41034-1-kerneljasonxing@gmail.com/
+Link: https://lore.kernel.org/r/20230118015941.1313-1-kerneljasonxing@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/inet_hashtables.c | 17 +++++++++++++++--
+ net/ipv4/inet_timewait_sock.c | 8 ++++----
+ 2 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index c68a1dae25ca..2615b72118d1 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -571,8 +571,20 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk)
+ spin_lock(lock);
+ if (osk) {
+ WARN_ON_ONCE(sk->sk_hash != osk->sk_hash);
+- ret = sk_nulls_del_node_init_rcu(osk);
+- } else if (found_dup_sk) {
++ ret = sk_hashed(osk);
++ if (ret) {
++ /* Before deleting the node, we insert a new one to make
++ * sure that the look-up-sk process would not miss either
++ * of them and that at least one node would exist in ehash
++ * table all the time. Otherwise there's a tiny chance
++ * that lookup process could find nothing in ehash table.
++ */
++ __sk_nulls_add_node_tail_rcu(sk, list);
++ sk_nulls_del_node_init_rcu(osk);
++ }
++ goto unlock;
++ }
++ if (found_dup_sk) {
+ *found_dup_sk = inet_ehash_lookup_by_sk(sk, list);
+ if (*found_dup_sk)
+ ret = false;
+@@ -581,6 +593,7 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk)
+ if (ret)
+ __sk_nulls_add_node_rcu(sk, list);
+
++unlock:
+ spin_unlock(lock);
+
+ return ret;
+diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
+index c411c87ae865..a00102d7c7fd 100644
+--- a/net/ipv4/inet_timewait_sock.c
++++ b/net/ipv4/inet_timewait_sock.c
+@@ -81,10 +81,10 @@ void inet_twsk_put(struct inet_timewait_sock *tw)
+ }
+ EXPORT_SYMBOL_GPL(inet_twsk_put);
+
+-static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw,
+- struct hlist_nulls_head *list)
++static void inet_twsk_add_node_tail_rcu(struct inet_timewait_sock *tw,
++ struct hlist_nulls_head *list)
+ {
+- hlist_nulls_add_head_rcu(&tw->tw_node, list);
++ hlist_nulls_add_tail_rcu(&tw->tw_node, list);
+ }
+
+ static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw,
+@@ -120,7 +120,7 @@ void inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk,
+
+ spin_lock(lock);
+
+- inet_twsk_add_node_rcu(tw, &ehead->chain);
++ inet_twsk_add_node_tail_rcu(tw, &ehead->chain);
+
+ /* Step 3: Remove SK from hash chain */
+ if (__sk_nulls_del_node_init_rcu(sk))
+--
+2.39.0
+
--- /dev/null
+From 3ecfe23819c32c3550df19f94bf935d1980dcf07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jan 2023 19:00:28 +0000
+Subject: tcp: fix rate_app_limited to default to 1
+
+From: David Morley <morleyd@google.com>
+
+[ Upstream commit 300b655db1b5152d6101bcb6801d50899b20c2d6 ]
+
+The initial default value of 0 for tp->rate_app_limited was incorrect,
+since a flow is indeed application-limited until it first sends
+data. Fixing the default to be 1 is generally correct but also
+specifically will help user-space applications avoid using the initial
+tcpi_delivery_rate value of 0 that persists until the connection has
+some non-zero bandwidth sample.
+
+Fixes: eb8329e0a04d ("tcp: export data delivery rate")
+Suggested-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David Morley <morleyd@google.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Tested-by: David Morley <morleyd@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index cc588bc2b11d..6a0560a735ce 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -432,6 +432,7 @@ void tcp_init_sock(struct sock *sk)
+
+ /* There's a bubble in the pipe until at least the first ACK. */
+ tp->app_limited = ~0U;
++ tp->rate_app_limited = 1;
+
+ /* See draft-stevens-tcpca-spec-01 for discussion of the
+ * initialization of these values.
+@@ -2837,6 +2838,7 @@ int tcp_disconnect(struct sock *sk, int flags)
+ tp->last_oow_ack_time = 0;
+ /* There's a bubble in the pipe until at least the first ACK. */
+ tp->app_limited = ~0U;
++ tp->rate_app_limited = 1;
+ tp->rack.mstamp = 0;
+ tp->rack.advanced = 0;
+ tp->rack.reo_wnd_steps = 1;
+--
+2.39.0
+
--- /dev/null
+From 0225760079aca8b169bd22295d34b18ff33b0fc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Jan 2023 16:47:41 +0900
+Subject: tomoyo: fix broken dependency on *.conf.default
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit eaf2213ba563b2d74a1f2c13a6b258273f689802 ]
+
+If *.conf.default is updated, builtin-policy.h should be rebuilt,
+but this does not work when compiled with O= option.
+
+[Without this commit]
+
+ $ touch security/tomoyo/policy/exception_policy.conf.default
+ $ make O=/tmp security/tomoyo/
+ make[1]: Entering directory '/tmp'
+ GEN Makefile
+ CALL /home/masahiro/ref/linux/scripts/checksyscalls.sh
+ DESCEND objtool
+ make[1]: Leaving directory '/tmp'
+
+[With this commit]
+
+ $ touch security/tomoyo/policy/exception_policy.conf.default
+ $ make O=/tmp security/tomoyo/
+ make[1]: Entering directory '/tmp'
+ GEN Makefile
+ CALL /home/masahiro/ref/linux/scripts/checksyscalls.sh
+ DESCEND objtool
+ POLICY security/tomoyo/builtin-policy.h
+ CC security/tomoyo/common.o
+ AR security/tomoyo/built-in.a
+ make[1]: Leaving directory '/tmp'
+
+$(srctree)/ is essential because $(wildcard ) does not follow VPATH.
+
+Fixes: f02dee2d148b ("tomoyo: Do not generate empty policy files")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/tomoyo/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/tomoyo/Makefile b/security/tomoyo/Makefile
+index cca5a3012fee..221eaadffb09 100644
+--- a/security/tomoyo/Makefile
++++ b/security/tomoyo/Makefile
+@@ -10,7 +10,7 @@ endef
+ quiet_cmd_policy = POLICY $@
+ cmd_policy = ($(call do_policy,profile); $(call do_policy,exception_policy); $(call do_policy,domain_policy); $(call do_policy,manager); $(call do_policy,stat)) >$@
+
+-$(obj)/builtin-policy.h: $(wildcard $(obj)/policy/*.conf $(src)/policy/*.conf.default) FORCE
++$(obj)/builtin-policy.h: $(wildcard $(obj)/policy/*.conf $(srctree)/$(src)/policy/*.conf.default) FORCE
+ $(call if_changed,policy)
+
+ $(obj)/common.o: $(obj)/builtin-policy.h
+--
+2.39.0
+
--- /dev/null
+From 2253700fced61ed546332d6fece8a20c0f041a77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Dec 2022 10:59:06 +0530
+Subject: usb: gadget: f_fs: Ensure ep0req is dequeued before free_request
+
+From: Udipto Goswami <quic_ugoswami@quicinc.com>
+
+[ Upstream commit ce405d561b020e5a46340eb5146805a625dcacee ]
+
+As per the documentation, function usb_ep_free_request guarantees
+the request will not be queued or no longer be re-queued (or
+otherwise used). However, with the current implementation it
+doesn't make sure that the request in ep0 isn't reused.
+
+Fix this by dequeuing the ep0req on functionfs_unbind before
+freeing the request to align with the definition.
+
+Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
+Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
+Tested-by: Krishna Kurapati <quic_kriskura@quicinc.com>
+Link: https://lore.kernel.org/r/20221215052906.8993-3-quic_ugoswami@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index 38942c6d3019..94000fd190e5 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1884,6 +1884,8 @@ static void functionfs_unbind(struct ffs_data *ffs)
+ ENTER();
+
+ if (!WARN_ON(!ffs->gadget)) {
++ /* dequeue before freeing ep0req */
++ usb_ep_dequeue(ffs->gadget->ep0, ffs->ep0req);
+ mutex_lock(&ffs->mutex);
+ usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req);
+ ffs->ep0req = NULL;
+--
+2.39.0
+
--- /dev/null
+From 4a9f62c20dcaf7a6b215eba7bf61c6589ad6f861 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Dec 2022 10:59:05 +0530
+Subject: usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait
+
+From: Udipto Goswami <quic_ugoswami@quicinc.com>
+
+[ Upstream commit 6a19da111057f69214b97c62fb0ac59023970850 ]
+
+While performing fast composition switch, there is a possibility that the
+process of ffs_ep0_write/ffs_ep0_read get into a race condition
+due to ep0req being freed up from functionfs_unbind.
+
+Consider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait
+by taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't
+bounded so it can go ahead and mark the ep0req to NULL, and since there
+is no NULL check in ffs_ep0_queue_wait we will end up in use-after-free.
+
+Fix this by making a serialized execution between the two functions using
+a mutex_lock(ffs->mutex).
+
+Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver")
+Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
+Tested-by: Krishna Kurapati <quic_kriskura@quicinc.com>
+Link: https://lore.kernel.org/r/20221215052906.8993-2-quic_ugoswami@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index bb0d92837f67..38942c6d3019 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -278,6 +278,9 @@ static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len)
+ struct usb_request *req = ffs->ep0req;
+ int ret;
+
++ if (!req)
++ return -EINVAL;
++
+ req->zero = len < le16_to_cpu(ffs->ev.setup.wLength);
+
+ spin_unlock_irq(&ffs->ev.waitq.lock);
+@@ -1881,10 +1884,12 @@ static void functionfs_unbind(struct ffs_data *ffs)
+ ENTER();
+
+ if (!WARN_ON(!ffs->gadget)) {
++ mutex_lock(&ffs->mutex);
+ usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req);
+ ffs->ep0req = NULL;
+ ffs->gadget = NULL;
+ clear_bit(FFS_FL_BOUND, &ffs->flags);
++ mutex_unlock(&ffs->mutex);
+ ffs_data_put(ffs);
+ }
+ }
+--
+2.39.0
+
--- /dev/null
+From ebae289e0872fb1fb6dbaf71b43ff0bc45b4e6b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 16:04:34 +0800
+Subject: w1: fix deadloop in __w1_remove_master_device()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 25d5648802f12ae486076ceca5d7ddf1fef792b2 ]
+
+I got a deadloop report while doing device(ds2482) add/remove test:
+
+ [ 162.241881] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1.
+ [ 163.272251] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1.
+ [ 164.296157] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1.
+ ...
+
+__w1_remove_master_device() can't return, because the dev->refcnt is not zero.
+
+w1_add_master_device() |
+ w1_alloc_dev() |
+ atomic_set(&dev->refcnt, 2) |
+ kthread_run() |
+ |__w1_remove_master_device()
+ | kthread_stop()
+ // KTHREAD_SHOULD_STOP is set, |
+ // threadfn(w1_process) won't be |
+ // called. |
+ kthread() |
+ | // refcnt will never be 0, it's deadloop.
+ | while (atomic_read(&dev->refcnt)) {...}
+
+After calling w1_add_master_device(), w1_process() is not really
+invoked, before w1_process() starting, if kthread_stop() is called
+in __w1_remove_master_device(), w1_process() will never be called,
+the refcnt can not be decreased, then it causes deadloop in remove
+function because of non-zero refcnt.
+
+We need to make sure w1_process() is really started, so move the
+set refcnt into w1_process() to fix this problem.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221205080434.3149205-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/w1/w1.c | 2 ++
+ drivers/w1/w1_int.c | 5 ++---
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c
+index 15a2ee32f116..6e9f3569971d 100644
+--- a/drivers/w1/w1.c
++++ b/drivers/w1/w1.c
+@@ -1131,6 +1131,8 @@ int w1_process(void *data)
+ /* remainder if it woke up early */
+ unsigned long jremain = 0;
+
++ atomic_inc(&dev->refcnt);
++
+ for (;;) {
+
+ if (!jremain && dev->search_count) {
+diff --git a/drivers/w1/w1_int.c b/drivers/w1/w1_int.c
+index b3e1792d9c49..3a71c5eb2f83 100644
+--- a/drivers/w1/w1_int.c
++++ b/drivers/w1/w1_int.c
+@@ -51,10 +51,9 @@ static struct w1_master *w1_alloc_dev(u32 id, int slave_count, int slave_ttl,
+ dev->search_count = w1_search_count;
+ dev->enable_pullup = w1_enable_pullup;
+
+- /* 1 for w1_process to decrement
+- * 1 for __w1_remove_master_device to decrement
++ /* For __w1_remove_master_device to decrement
+ */
+- atomic_set(&dev->refcnt, 2);
++ atomic_set(&dev->refcnt, 1);
+
+ INIT_LIST_HEAD(&dev->slist);
+ INIT_LIST_HEAD(&dev->async_list);
+--
+2.39.0
+
--- /dev/null
+From 20140d5e6ba85a3ffaa111e2984a660eaba9a010 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Dec 2022 18:15:58 +0800
+Subject: w1: fix WARNING after calling w1_process()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 36225a7c72e9e3e1ce4001b6ce72849f5c9a2d3b ]
+
+I got the following WARNING message while removing driver(ds2482):
+
+------------[ cut here ]------------
+do not call blocking ops when !TASK_RUNNING; state=1 set at [<000000002d50bfb6>] w1_process+0x9e/0x1d0 [wire]
+WARNING: CPU: 0 PID: 262 at kernel/sched/core.c:9817 __might_sleep+0x98/0xa0
+CPU: 0 PID: 262 Comm: w1_bus_master1 Tainted: G N 6.1.0-rc3+ #307
+RIP: 0010:__might_sleep+0x98/0xa0
+Call Trace:
+ exit_signals+0x6c/0x550
+ do_exit+0x2b4/0x17e0
+ kthread_exit+0x52/0x60
+ kthread+0x16d/0x1e0
+ ret_from_fork+0x1f/0x30
+
+The state of task is set to TASK_INTERRUPTIBLE in loop in w1_process(),
+set it to TASK_RUNNING when it breaks out of the loop to avoid the
+warning.
+
+Fixes: 3c52e4e62789 ("W1: w1_process, block or sleep")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221205101558.3599162-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/w1/w1.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c
+index 6e9f3569971d..15842377c8d2 100644
+--- a/drivers/w1/w1.c
++++ b/drivers/w1/w1.c
+@@ -1160,8 +1160,10 @@ int w1_process(void *data)
+ */
+ mutex_unlock(&dev->list_mutex);
+
+- if (kthread_should_stop())
++ if (kthread_should_stop()) {
++ __set_current_state(TASK_RUNNING);
+ break;
++ }
+
+ /* Only sleep when the search is active. */
+ if (dev->search_count) {
+--
+2.39.0
+
--- /dev/null
+From 66681253cf245cd2af43b4896974c82583916c61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 18:50:31 +0100
+Subject: wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid
+
+From: Szymon Heidrich <szymon.heidrich@gmail.com>
+
+[ Upstream commit b870e73a56c4cccbec33224233eaf295839f228c ]
+
+Since resplen and respoffs are signed integers sufficiently
+large values of unsigned int len and offset members of RNDIS
+response will result in negative values of prior variables.
+This may be utilized to bypass implemented security checks
+to either extract memory contents by manipulating offset or
+overflow the data buffer via memcpy by manipulating both
+offset and len.
+
+Additionally assure that sum of resplen and respoffs does not
+overflow so buffer boundaries are kept.
+
+Fixes: 80f8c5b434f9 ("rndis_wlan: copy only useful data from rndis_command respond")
+Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230111175031.7049-1-szymon.heidrich@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/rndis_wlan.c | 19 ++++++-------------
+ 1 file changed, 6 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
+index 75b5d545b49e..dc076d844868 100644
+--- a/drivers/net/wireless/rndis_wlan.c
++++ b/drivers/net/wireless/rndis_wlan.c
+@@ -694,8 +694,8 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len)
+ struct rndis_query *get;
+ struct rndis_query_c *get_c;
+ } u;
+- int ret, buflen;
+- int resplen, respoffs, copylen;
++ int ret;
++ size_t buflen, resplen, respoffs, copylen;
+
+ buflen = *len + sizeof(*u.get);
+ if (buflen < CONTROL_BUFFER_SIZE)
+@@ -730,22 +730,15 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len)
+
+ if (respoffs > buflen) {
+ /* Device returned data offset outside buffer, error. */
+- netdev_dbg(dev->net, "%s(%s): received invalid "
+- "data offset: %d > %d\n", __func__,
+- oid_to_string(oid), respoffs, buflen);
++ netdev_dbg(dev->net,
++ "%s(%s): received invalid data offset: %zu > %zu\n",
++ __func__, oid_to_string(oid), respoffs, buflen);
+
+ ret = -EINVAL;
+ goto exit_unlock;
+ }
+
+- if ((resplen + respoffs) > buflen) {
+- /* Device would have returned more data if buffer would
+- * have been big enough. Copy just the bits that we got.
+- */
+- copylen = buflen - respoffs;
+- } else {
+- copylen = resplen;
+- }
++ copylen = min(resplen, buflen - respoffs);
+
+ if (copylen > *len)
+ copylen = *len;
+--
+2.39.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
