--- /dev/null
+From d61d1d1df2520ff573f188a52b7454c5da6cf90f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 12:51:56 +0200
+Subject: ARM: dts: Fix erroneous ADS touchscreen polarities
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 4a672d500bfd6bb87092c33d5a2572c3d0a1cf83 ]
+
+Several device tree files get the polarity of the pendown-gpios
+wrong: this signal is active low. Fix up all incorrect flags, so
+that operating systems can rely on the flag being correctly set.
+
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20230510105156.1134320-1-linus.walleij@linaro.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/am57xx-cl-som-am57x.dts | 2 +-
+ arch/arm/boot/dts/at91sam9261ek.dts | 2 +-
+ arch/arm/boot/dts/imx7d-pico-hobbit.dts | 2 +-
+ arch/arm/boot/dts/imx7d-sdb.dts | 2 +-
+ arch/arm/boot/dts/omap3-cm-t3x.dtsi | 2 +-
+ arch/arm/boot/dts/omap3-devkit8000-lcd-common.dtsi | 2 +-
+ arch/arm/boot/dts/omap3-lilly-a83x.dtsi | 2 +-
+ arch/arm/boot/dts/omap3-overo-common-lcd35.dtsi | 2 +-
+ arch/arm/boot/dts/omap3-overo-common-lcd43.dtsi | 2 +-
+ arch/arm/boot/dts/omap3-pandora-common.dtsi | 2 +-
+ arch/arm/boot/dts/omap5-cm-t54.dts | 2 +-
+ 11 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/arch/arm/boot/dts/am57xx-cl-som-am57x.dts b/arch/arm/boot/dts/am57xx-cl-som-am57x.dts
+index aed81568a297d..d783d1f6950be 100644
+--- a/arch/arm/boot/dts/am57xx-cl-som-am57x.dts
++++ b/arch/arm/boot/dts/am57xx-cl-som-am57x.dts
+@@ -527,7 +527,7 @@
+
+ interrupt-parent = <&gpio1>;
+ interrupts = <31 0>;
+- pendown-gpio = <&gpio1 31 0>;
++ pendown-gpio = <&gpio1 31 GPIO_ACTIVE_LOW>;
+
+
+ ti,x-min = /bits/ 16 <0x0>;
+diff --git a/arch/arm/boot/dts/at91sam9261ek.dts b/arch/arm/boot/dts/at91sam9261ek.dts
+index beed819609e8d..8f3b483bb64dd 100644
+--- a/arch/arm/boot/dts/at91sam9261ek.dts
++++ b/arch/arm/boot/dts/at91sam9261ek.dts
+@@ -156,7 +156,7 @@
+ compatible = "ti,ads7843";
+ interrupts-extended = <&pioC 2 IRQ_TYPE_EDGE_BOTH>;
+ spi-max-frequency = <3000000>;
+- pendown-gpio = <&pioC 2 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&pioC 2 GPIO_ACTIVE_LOW>;
+
+ ti,x-min = /bits/ 16 <150>;
+ ti,x-max = /bits/ 16 <3830>;
+diff --git a/arch/arm/boot/dts/imx7d-pico-hobbit.dts b/arch/arm/boot/dts/imx7d-pico-hobbit.dts
+index d917dc4f2f227..6ad39dca70096 100644
+--- a/arch/arm/boot/dts/imx7d-pico-hobbit.dts
++++ b/arch/arm/boot/dts/imx7d-pico-hobbit.dts
+@@ -64,7 +64,7 @@
+ interrupt-parent = <&gpio2>;
+ interrupts = <7 0>;
+ spi-max-frequency = <1000000>;
+- pendown-gpio = <&gpio2 7 0>;
++ pendown-gpio = <&gpio2 7 GPIO_ACTIVE_LOW>;
+ vcc-supply = <®_3p3v>;
+ ti,x-min = /bits/ 16 <0>;
+ ti,x-max = /bits/ 16 <4095>;
+diff --git a/arch/arm/boot/dts/imx7d-sdb.dts b/arch/arm/boot/dts/imx7d-sdb.dts
+index 6d562ebe90295..d3b49a5b30b72 100644
+--- a/arch/arm/boot/dts/imx7d-sdb.dts
++++ b/arch/arm/boot/dts/imx7d-sdb.dts
+@@ -198,7 +198,7 @@
+ pinctrl-0 = <&pinctrl_tsc2046_pendown>;
+ interrupt-parent = <&gpio2>;
+ interrupts = <29 0>;
+- pendown-gpio = <&gpio2 29 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&gpio2 29 GPIO_ACTIVE_LOW>;
+ touchscreen-max-pressure = <255>;
+ wakeup-source;
+ };
+diff --git a/arch/arm/boot/dts/omap3-cm-t3x.dtsi b/arch/arm/boot/dts/omap3-cm-t3x.dtsi
+index e61b8a2bfb7de..51baedf1603bd 100644
+--- a/arch/arm/boot/dts/omap3-cm-t3x.dtsi
++++ b/arch/arm/boot/dts/omap3-cm-t3x.dtsi
+@@ -227,7 +227,7 @@
+
+ interrupt-parent = <&gpio2>;
+ interrupts = <25 0>; /* gpio_57 */
+- pendown-gpio = <&gpio2 25 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&gpio2 25 GPIO_ACTIVE_LOW>;
+
+ ti,x-min = /bits/ 16 <0x0>;
+ ti,x-max = /bits/ 16 <0x0fff>;
+diff --git a/arch/arm/boot/dts/omap3-devkit8000-lcd-common.dtsi b/arch/arm/boot/dts/omap3-devkit8000-lcd-common.dtsi
+index 3decc2d78a6ca..a7f99ae0c1fe9 100644
+--- a/arch/arm/boot/dts/omap3-devkit8000-lcd-common.dtsi
++++ b/arch/arm/boot/dts/omap3-devkit8000-lcd-common.dtsi
+@@ -54,7 +54,7 @@
+
+ interrupt-parent = <&gpio1>;
+ interrupts = <27 0>; /* gpio_27 */
+- pendown-gpio = <&gpio1 27 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&gpio1 27 GPIO_ACTIVE_LOW>;
+
+ ti,x-min = /bits/ 16 <0x0>;
+ ti,x-max = /bits/ 16 <0x0fff>;
+diff --git a/arch/arm/boot/dts/omap3-lilly-a83x.dtsi b/arch/arm/boot/dts/omap3-lilly-a83x.dtsi
+index 73d477898ec2a..06e7cf96c6639 100644
+--- a/arch/arm/boot/dts/omap3-lilly-a83x.dtsi
++++ b/arch/arm/boot/dts/omap3-lilly-a83x.dtsi
+@@ -311,7 +311,7 @@
+ interrupt-parent = <&gpio1>;
+ interrupts = <8 0>; /* boot6 / gpio_8 */
+ spi-max-frequency = <1000000>;
+- pendown-gpio = <&gpio1 8 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&gpio1 8 GPIO_ACTIVE_LOW>;
+ vcc-supply = <®_vcc3>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&tsc2048_pins>;
+diff --git a/arch/arm/boot/dts/omap3-overo-common-lcd35.dtsi b/arch/arm/boot/dts/omap3-overo-common-lcd35.dtsi
+index 1d6e88f99eb31..c3570acc35fad 100644
+--- a/arch/arm/boot/dts/omap3-overo-common-lcd35.dtsi
++++ b/arch/arm/boot/dts/omap3-overo-common-lcd35.dtsi
+@@ -149,7 +149,7 @@
+
+ interrupt-parent = <&gpio4>;
+ interrupts = <18 0>; /* gpio_114 */
+- pendown-gpio = <&gpio4 18 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&gpio4 18 GPIO_ACTIVE_LOW>;
+
+ ti,x-min = /bits/ 16 <0x0>;
+ ti,x-max = /bits/ 16 <0x0fff>;
+diff --git a/arch/arm/boot/dts/omap3-overo-common-lcd43.dtsi b/arch/arm/boot/dts/omap3-overo-common-lcd43.dtsi
+index 7e30f9d45790e..d95a0e130058c 100644
+--- a/arch/arm/boot/dts/omap3-overo-common-lcd43.dtsi
++++ b/arch/arm/boot/dts/omap3-overo-common-lcd43.dtsi
+@@ -160,7 +160,7 @@
+
+ interrupt-parent = <&gpio4>;
+ interrupts = <18 0>; /* gpio_114 */
+- pendown-gpio = <&gpio4 18 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&gpio4 18 GPIO_ACTIVE_LOW>;
+
+ ti,x-min = /bits/ 16 <0x0>;
+ ti,x-max = /bits/ 16 <0x0fff>;
+diff --git a/arch/arm/boot/dts/omap3-pandora-common.dtsi b/arch/arm/boot/dts/omap3-pandora-common.dtsi
+index 37608af6c07f5..ca6d777ebf843 100644
+--- a/arch/arm/boot/dts/omap3-pandora-common.dtsi
++++ b/arch/arm/boot/dts/omap3-pandora-common.dtsi
+@@ -651,7 +651,7 @@
+ pinctrl-0 = <&penirq_pins>;
+ interrupt-parent = <&gpio3>;
+ interrupts = <30 IRQ_TYPE_NONE>; /* GPIO_94 */
+- pendown-gpio = <&gpio3 30 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&gpio3 30 GPIO_ACTIVE_LOW>;
+ vcc-supply = <&vaux4>;
+
+ ti,x-min = /bits/ 16 <0>;
+diff --git a/arch/arm/boot/dts/omap5-cm-t54.dts b/arch/arm/boot/dts/omap5-cm-t54.dts
+index ca759b7b8a580..e62ea8b6d53fd 100644
+--- a/arch/arm/boot/dts/omap5-cm-t54.dts
++++ b/arch/arm/boot/dts/omap5-cm-t54.dts
+@@ -354,7 +354,7 @@
+
+ interrupt-parent = <&gpio1>;
+ interrupts = <15 0>; /* gpio1_wk15 */
+- pendown-gpio = <&gpio1 15 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&gpio1 15 GPIO_ACTIVE_LOW>;
+
+
+ ti,x-min = /bits/ 16 <0x0>;
+--
+2.39.2
+
--- /dev/null
+From 6914a13ae5957d364333d6f904250276b047b98f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 May 2023 21:46:00 +0100
+Subject: arm64: Add missing Set/Way CMO encodings
+
+From: Marc Zyngier <maz@kernel.org>
+
+[ Upstream commit 8d0f019e4c4f2ee2de81efd9bf1c27e9fb3c0460 ]
+
+Add the missing Set/Way CMOs that apply to tagged memory.
+
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
+Link: https://lore.kernel.org/r/20230515204601.1270428-2-maz@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/sysreg.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h
+index 06755fad38304..9fea6e9768096 100644
+--- a/arch/arm64/include/asm/sysreg.h
++++ b/arch/arm64/include/asm/sysreg.h
+@@ -104,8 +104,14 @@
+ #define SB_BARRIER_INSN __SYS_BARRIER_INSN(0, 7, 31)
+
+ #define SYS_DC_ISW sys_insn(1, 0, 7, 6, 2)
++#define SYS_DC_IGSW sys_insn(1, 0, 7, 6, 4)
++#define SYS_DC_IGDSW sys_insn(1, 0, 7, 6, 6)
+ #define SYS_DC_CSW sys_insn(1, 0, 7, 10, 2)
++#define SYS_DC_CGSW sys_insn(1, 0, 7, 10, 4)
++#define SYS_DC_CGDSW sys_insn(1, 0, 7, 10, 6)
+ #define SYS_DC_CISW sys_insn(1, 0, 7, 14, 2)
++#define SYS_DC_CIGSW sys_insn(1, 0, 7, 14, 4)
++#define SYS_DC_CIGDSW sys_insn(1, 0, 7, 14, 6)
+
+ /*
+ * System registers, organised loosely by encoding but grouped together
+--
+2.39.2
+
--- /dev/null
+From 32cedacaa9f1bc66470946b29763d286b9cbb086 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 May 2023 15:19:11 -0300
+Subject: ASoC: nau8824: Add quirk to active-high jack-detect
+
+From: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+
+[ Upstream commit e384dba03e3294ce7ea69e4da558e9bf8f0e8946 ]
+
+Add entries for Positivo laptops: CW14Q01P, K1424G, N14ZP74G to the
+DMI table, so that active-high jack-detect will work properly on
+these laptops.
+
+Signed-off-by: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+Link: https://lore.kernel.org/r/20230529181911.632851-1-edson.drosdeck@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/nau8824.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/sound/soc/codecs/nau8824.c b/sound/soc/codecs/nau8824.c
+index a95fe3fff1db8..9b22219a76937 100644
+--- a/sound/soc/codecs/nau8824.c
++++ b/sound/soc/codecs/nau8824.c
+@@ -1896,6 +1896,30 @@ static const struct dmi_system_id nau8824_quirk_table[] = {
+ },
+ .driver_data = (void *)(NAU8824_JD_ACTIVE_HIGH),
+ },
++ {
++ /* Positivo CW14Q01P */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Positivo Tecnologia SA"),
++ DMI_MATCH(DMI_BOARD_NAME, "CW14Q01P"),
++ },
++ .driver_data = (void *)(NAU8824_JD_ACTIVE_HIGH),
++ },
++ {
++ /* Positivo K1424G */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Positivo Tecnologia SA"),
++ DMI_MATCH(DMI_BOARD_NAME, "K1424G"),
++ },
++ .driver_data = (void *)(NAU8824_JD_ACTIVE_HIGH),
++ },
++ {
++ /* Positivo N14ZP74G */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Positivo Tecnologia SA"),
++ DMI_MATCH(DMI_BOARD_NAME, "N14ZP74G"),
++ },
++ .driver_data = (void *)(NAU8824_JD_ACTIVE_HIGH),
++ },
+ {}
+ };
+
+--
+2.39.2
+
--- /dev/null
+From dad06a49a045078bffeaea8cb9f682949fd82c36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 May 2023 17:12:22 +0200
+Subject: ASoC: simple-card: Add missing of_node_put() in case of error
+
+From: Herve Codina <herve.codina@bootlin.com>
+
+[ Upstream commit 8938f75a5e35c597a647c28984a0304da7a33d63 ]
+
+In the error path, a of_node_put() for platform is missing.
+Just add it.
+
+Signed-off-by: Herve Codina <herve.codina@bootlin.com>
+Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/20230523151223.109551-9-herve.codina@bootlin.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/generic/simple-card.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/generic/simple-card.c b/sound/soc/generic/simple-card.c
+index d916ec69c24ff..ac97e8b7978c7 100644
+--- a/sound/soc/generic/simple-card.c
++++ b/sound/soc/generic/simple-card.c
+@@ -410,6 +410,7 @@ static int simple_for_each_link(struct asoc_simple_priv *priv,
+
+ if (ret < 0) {
+ of_node_put(codec);
++ of_node_put(plat);
+ of_node_put(np);
+ goto error;
+ }
+--
+2.39.2
+
--- /dev/null
+From c9491b8969a7d5b451ffda03fd5b9e9b2e06a1b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jun 2023 17:45:49 +0100
+Subject: be2net: Extend xmit workaround to BE3 chip
+
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+
+[ Upstream commit 7580e0a78eb29e7bb1a772eba4088250bbb70d41 ]
+
+We have seen a bug where the NIC incorrectly changes the length in the
+IP header of a padded packet to include the padding bytes. The driver
+already has a workaround for this so do the workaround for this NIC too.
+This resolves the issue.
+
+The NIC in question identifies itself as follows:
+
+[ 8.828494] be2net 0000:02:00.0: FW version is 10.7.110.31
+[ 8.834759] be2net 0000:02:00.0: Emulex OneConnect(be3): PF FLEX10 port 1
+
+02:00.0 Ethernet controller: Emulex Corporation OneConnect 10Gb NIC (be3) (rev 01)
+
+Fixes: ca34fe38f06d ("be2net: fix wrong usage of adapter->generation")
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Link: https://lore.kernel.org/r/20230616164549.2863037-1-ross.lagerwall@citrix.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/emulex/benet/be_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
+index 89697cb09d1c0..81be560a26431 100644
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -1136,8 +1136,8 @@ static struct sk_buff *be_lancer_xmit_workarounds(struct be_adapter *adapter,
+ eth_hdr_len = ntohs(skb->protocol) == ETH_P_8021Q ?
+ VLAN_ETH_HLEN : ETH_HLEN;
+ if (skb->len <= 60 &&
+- (lancer_chip(adapter) || skb_vlan_tag_present(skb)) &&
+- is_ipv4_pkt(skb)) {
++ (lancer_chip(adapter) || BE3_chip(adapter) ||
++ skb_vlan_tag_present(skb)) && is_ipv4_pkt(skb)) {
+ ip = (struct iphdr *)ip_hdr(skb);
+ pskb_trim(skb, eth_hdr_len + ntohs(ip->tot_len));
+ }
+--
+2.39.2
+
--- /dev/null
+From 177fe17da9380381bc66144e1a930c75e00f75a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jun 2023 15:39:50 +0300
+Subject: bpf: Fix verifier id tracking of scalars on spill
+
+From: Maxim Mikityanskiy <maxim@isovalent.com>
+
+[ Upstream commit 713274f1f2c896d37017efee333fd44149710119 ]
+
+The following scenario describes a bug in the verifier where it
+incorrectly concludes about equivalent scalar IDs which could lead to
+verifier bypass in privileged mode:
+
+1. Prepare a 32-bit rogue number.
+2. Put the rogue number into the upper half of a 64-bit register, and
+ roll a random (unknown to the verifier) bit in the lower half. The
+ rest of the bits should be zero (although variations are possible).
+3. Assign an ID to the register by MOVing it to another arbitrary
+ register.
+4. Perform a 32-bit spill of the register, then perform a 32-bit fill to
+ another register. Due to a bug in the verifier, the ID will be
+ preserved, although the new register will contain only the lower 32
+ bits, i.e. all zeros except one random bit.
+
+At this point there are two registers with different values but the same
+ID, which means the integrity of the verifier state has been corrupted.
+
+5. Compare the new 32-bit register with 0. In the branch where it's
+ equal to 0, the verifier will believe that the original 64-bit
+ register is also 0, because it has the same ID, but its actual value
+ still contains the rogue number in the upper half.
+ Some optimizations of the verifier prevent the actual bypass, so
+ extra care is needed: the comparison must be between two registers,
+ and both branches must be reachable (this is why one random bit is
+ needed). Both branches are still suitable for the bypass.
+6. Right shift the original register by 32 bits to pop the rogue number.
+7. Use the rogue number as an offset with any pointer. The verifier will
+ believe that the offset is 0, while in reality it's the given number.
+
+The fix is similar to the 32-bit BPF_MOV handling in check_alu_op for
+SCALAR_VALUE. If the spill is narrowing the actual register value, don't
+keep the ID, make sure it's reset to 0.
+
+Fixes: 354e8f1970f8 ("bpf: Support <8-byte scalar spill and refill")
+Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Andrii Nakryiko <andrii@kernel.org> # Checked veristat delta
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20230607123951.558971-2-maxtram95@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 4fca456ba27a9..edb19ada0405d 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2385,6 +2385,9 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
+ return err;
+ }
+ save_register_state(state, spi, reg, size);
++ /* Break the relation on a narrowing spill. */
++ if (fls64(reg->umax_value) > BITS_PER_BYTE * size)
++ state->stack[spi].spilled_ptr.id = 0;
+ } else if (!reg && !(off % BPF_REG_SIZE) && is_bpf_st_mem(insn) &&
+ insn->imm != 0 && env->bpf_capable) {
+ struct bpf_reg_state fake_reg = {};
+--
+2.39.2
+
--- /dev/null
+From ecd5625d868820205a5fba0896354dcac3e18601 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Feb 2023 01:20:27 +0200
+Subject: bpf: track immediate values written to stack by BPF_ST instruction
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit ecdf985d7615356b78241fdb159c091830ed0380 ]
+
+For aligned stack writes using BPF_ST instruction track stored values
+in a same way BPF_STX is handled, e.g. make sure that the following
+commands produce similar verifier knowledge:
+
+ fp[-8] = 42; r1 = 42;
+ fp[-8] = r1;
+
+This covers two cases:
+ - non-null values written to stack are stored as spill of fake
+ registers;
+ - null values written to stack are stored as STACK_ZERO marks.
+
+Previously both cases above used STACK_MISC marks instead.
+
+Some verifier test cases relied on the old logic to obtain STACK_MISC
+marks for some stack values. These test cases are updated in the same
+commit to avoid failures during bisect.
+
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20230214232030.1502829-2-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: 713274f1f2c8 ("bpf: Fix verifier id tracking of scalars on spill")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 18 ++-
+ .../bpf/verifier/bounds_mix_sign_unsign.c | 110 ++++++++++--------
+ 2 files changed, 80 insertions(+), 48 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index fd2082a9bf81b..4fca456ba27a9 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2318,6 +2318,11 @@ static void save_register_state(struct bpf_func_state *state,
+ scrub_spilled_slot(&state->stack[spi].slot_type[i - 1]);
+ }
+
++static bool is_bpf_st_mem(struct bpf_insn *insn)
++{
++ return BPF_CLASS(insn->code) == BPF_ST && BPF_MODE(insn->code) == BPF_MEM;
++}
++
+ /* check_stack_{read,write}_fixed_off functions track spill/fill of registers,
+ * stack boundary and alignment are checked in check_mem_access()
+ */
+@@ -2329,8 +2334,9 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
+ {
+ struct bpf_func_state *cur; /* state of the current function */
+ int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err;
+- u32 dst_reg = env->prog->insnsi[insn_idx].dst_reg;
++ struct bpf_insn *insn = &env->prog->insnsi[insn_idx];
+ struct bpf_reg_state *reg = NULL;
++ u32 dst_reg = insn->dst_reg;
+
+ err = realloc_func_state(state, round_up(slot + 1, BPF_REG_SIZE),
+ state->acquired_refs, true);
+@@ -2379,6 +2385,13 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
+ return err;
+ }
+ save_register_state(state, spi, reg, size);
++ } else if (!reg && !(off % BPF_REG_SIZE) && is_bpf_st_mem(insn) &&
++ insn->imm != 0 && env->bpf_capable) {
++ struct bpf_reg_state fake_reg = {};
++
++ __mark_reg_known(&fake_reg, (u32)insn->imm);
++ fake_reg.type = SCALAR_VALUE;
++ save_register_state(state, spi, &fake_reg, size);
+ } else if (reg && is_spillable_regtype(reg->type)) {
+ /* register containing pointer is being spilled into stack */
+ if (size != BPF_REG_SIZE) {
+@@ -2413,7 +2426,8 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
+ state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
+
+ /* when we zero initialize stack slots mark them as such */
+- if (reg && register_is_null(reg)) {
++ if ((reg && register_is_null(reg)) ||
++ (!reg && is_bpf_st_mem(insn) && insn->imm == 0)) {
+ /* backtracking doesn't work for STACK_ZERO yet. */
+ err = mark_chain_precision(env, value_regno);
+ if (err)
+diff --git a/tools/testing/selftests/bpf/verifier/bounds_mix_sign_unsign.c b/tools/testing/selftests/bpf/verifier/bounds_mix_sign_unsign.c
+index c2aa6f26738b4..bf82b923c5fe5 100644
+--- a/tools/testing/selftests/bpf/verifier/bounds_mix_sign_unsign.c
++++ b/tools/testing/selftests/bpf/verifier/bounds_mix_sign_unsign.c
+@@ -1,13 +1,14 @@
+ {
+ "bounds checks mixing signed and unsigned, positive bounds",
+ .insns = {
++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_LD_MAP_FD(BPF_REG_1, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
+- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
+ BPF_MOV64_IMM(BPF_REG_2, 2),
+ BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
+@@ -17,20 +18,21 @@
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+- .fixup_map_hash_8b = { 3 },
++ .fixup_map_hash_8b = { 5 },
+ .errstr = "unbounded min value",
+ .result = REJECT,
+ },
+ {
+ "bounds checks mixing signed and unsigned",
+ .insns = {
++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_LD_MAP_FD(BPF_REG_1, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
+- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
+ BPF_MOV64_IMM(BPF_REG_2, -1),
+ BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
+@@ -40,20 +42,21 @@
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+- .fixup_map_hash_8b = { 3 },
++ .fixup_map_hash_8b = { 5 },
+ .errstr = "unbounded min value",
+ .result = REJECT,
+ },
+ {
+ "bounds checks mixing signed and unsigned, variant 2",
+ .insns = {
++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_LD_MAP_FD(BPF_REG_1, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
+- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
+ BPF_MOV64_IMM(BPF_REG_2, -1),
+ BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
+@@ -65,20 +68,21 @@
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+- .fixup_map_hash_8b = { 3 },
++ .fixup_map_hash_8b = { 5 },
+ .errstr = "unbounded min value",
+ .result = REJECT,
+ },
+ {
+ "bounds checks mixing signed and unsigned, variant 3",
+ .insns = {
++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_LD_MAP_FD(BPF_REG_1, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
+- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
+ BPF_MOV64_IMM(BPF_REG_2, -1),
+ BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
+@@ -89,20 +93,21 @@
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+- .fixup_map_hash_8b = { 3 },
++ .fixup_map_hash_8b = { 5 },
+ .errstr = "unbounded min value",
+ .result = REJECT,
+ },
+ {
+ "bounds checks mixing signed and unsigned, variant 4",
+ .insns = {
++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_LD_MAP_FD(BPF_REG_1, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
+- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
+ BPF_MOV64_IMM(BPF_REG_2, 1),
+ BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
+@@ -112,19 +117,20 @@
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+- .fixup_map_hash_8b = { 3 },
++ .fixup_map_hash_8b = { 5 },
+ .result = ACCEPT,
+ },
+ {
+ "bounds checks mixing signed and unsigned, variant 5",
+ .insns = {
++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_LD_MAP_FD(BPF_REG_1, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
+- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
+ BPF_MOV64_IMM(BPF_REG_2, -1),
+ BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
+@@ -135,17 +141,20 @@
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+- .fixup_map_hash_8b = { 3 },
++ .fixup_map_hash_8b = { 5 },
+ .errstr = "unbounded min value",
+ .result = REJECT,
+ },
+ {
+ "bounds checks mixing signed and unsigned, variant 6",
+ .insns = {
++ BPF_MOV64_REG(BPF_REG_9, BPF_REG_1),
++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
++ BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
+ BPF_MOV64_IMM(BPF_REG_2, 0),
+ BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
+- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
+ BPF_MOV64_IMM(BPF_REG_6, -1),
+ BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
+@@ -163,13 +172,14 @@
+ {
+ "bounds checks mixing signed and unsigned, variant 7",
+ .insns = {
++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_LD_MAP_FD(BPF_REG_1, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
+- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
+ BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
+ BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
+@@ -179,19 +189,20 @@
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+- .fixup_map_hash_8b = { 3 },
++ .fixup_map_hash_8b = { 5 },
+ .result = ACCEPT,
+ },
+ {
+ "bounds checks mixing signed and unsigned, variant 8",
+ .insns = {
++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_LD_MAP_FD(BPF_REG_1, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
+- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
+ BPF_MOV64_IMM(BPF_REG_2, -1),
+ BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
+@@ -203,20 +214,21 @@
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+- .fixup_map_hash_8b = { 3 },
++ .fixup_map_hash_8b = { 5 },
+ .errstr = "unbounded min value",
+ .result = REJECT,
+ },
+ {
+ "bounds checks mixing signed and unsigned, variant 9",
+ .insns = {
++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_LD_MAP_FD(BPF_REG_1, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
+- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
+ BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
+ BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
+@@ -228,19 +240,20 @@
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+- .fixup_map_hash_8b = { 3 },
++ .fixup_map_hash_8b = { 5 },
+ .result = ACCEPT,
+ },
+ {
+ "bounds checks mixing signed and unsigned, variant 10",
+ .insns = {
++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_LD_MAP_FD(BPF_REG_1, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
+- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
+ BPF_MOV64_IMM(BPF_REG_2, 0),
+ BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
+@@ -252,20 +265,21 @@
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+- .fixup_map_hash_8b = { 3 },
++ .fixup_map_hash_8b = { 5 },
+ .errstr = "unbounded min value",
+ .result = REJECT,
+ },
+ {
+ "bounds checks mixing signed and unsigned, variant 11",
+ .insns = {
++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_LD_MAP_FD(BPF_REG_1, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
+- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
+ BPF_MOV64_IMM(BPF_REG_2, -1),
+ BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
+@@ -278,20 +292,21 @@
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+- .fixup_map_hash_8b = { 3 },
++ .fixup_map_hash_8b = { 5 },
+ .errstr = "unbounded min value",
+ .result = REJECT,
+ },
+ {
+ "bounds checks mixing signed and unsigned, variant 12",
+ .insns = {
++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_LD_MAP_FD(BPF_REG_1, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
+- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
+ BPF_MOV64_IMM(BPF_REG_2, -6),
+ BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
+@@ -303,20 +318,21 @@
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+- .fixup_map_hash_8b = { 3 },
++ .fixup_map_hash_8b = { 5 },
+ .errstr = "unbounded min value",
+ .result = REJECT,
+ },
+ {
+ "bounds checks mixing signed and unsigned, variant 13",
+ .insns = {
++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_LD_MAP_FD(BPF_REG_1, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
+- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
+ BPF_MOV64_IMM(BPF_REG_2, 2),
+ BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
+@@ -331,7 +347,7 @@
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+- .fixup_map_hash_8b = { 3 },
++ .fixup_map_hash_8b = { 5 },
+ .errstr = "unbounded min value",
+ .result = REJECT,
+ },
+@@ -340,13 +356,14 @@
+ .insns = {
+ BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
+ offsetof(struct __sk_buff, mark)),
++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_LD_MAP_FD(BPF_REG_1, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
+- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
+ BPF_MOV64_IMM(BPF_REG_2, -1),
+ BPF_MOV64_IMM(BPF_REG_8, 2),
+@@ -360,20 +377,21 @@
+ BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
+ BPF_JMP_IMM(BPF_JA, 0, 0, -7),
+ },
+- .fixup_map_hash_8b = { 4 },
++ .fixup_map_hash_8b = { 6 },
+ .errstr = "unbounded min value",
+ .result = REJECT,
+ },
+ {
+ "bounds checks mixing signed and unsigned, variant 15",
+ .insns = {
++ BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
++ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_LD_MAP_FD(BPF_REG_1, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+- BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
+- BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
+ BPF_MOV64_IMM(BPF_REG_2, -6),
+ BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
+@@ -387,7 +405,7 @@
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+- .fixup_map_hash_8b = { 3 },
++ .fixup_map_hash_8b = { 5 },
+ .errstr = "unbounded min value",
+ .result = REJECT,
+ },
+--
+2.39.2
+
--- /dev/null
+From 39c51d8b3c355065521bb106843d08bd774563ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 May 2023 21:01:31 +0800
+Subject: drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl
+
+From: Min Li <lm0963hack@gmail.com>
+
+[ Upstream commit 48bfd02569f5db49cc033f259e66d57aa6efc9a3 ]
+
+If it is async, runqueue_node is freed in g2d_runqueue_worker on another
+worker thread. So in extreme cases, if g2d_runqueue_worker runs first, and
+then executes the following if statement, there will be use-after-free.
+
+Signed-off-by: Min Li <lm0963hack@gmail.com>
+Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_g2d.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.c b/drivers/gpu/drm/exynos/exynos_drm_g2d.c
+index 967a5cdc120e3..81211a9d9d0a9 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c
+@@ -1332,7 +1332,7 @@ int exynos_g2d_exec_ioctl(struct drm_device *drm_dev, void *data,
+ /* Let the runqueue know that there is work to do. */
+ queue_work(g2d->g2d_workq, &g2d->runqueue_work);
+
+- if (runqueue_node->async)
++ if (req->async)
+ goto out;
+
+ wait_for_completion(&runqueue_node->complete);
+--
+2.39.2
+
--- /dev/null
+From ee4e773ed5297e3deeb5093280609ac200763efe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 May 2023 08:55:05 +0900
+Subject: drm/exynos: vidi: fix a wrong error return
+
+From: Inki Dae <inki.dae@samsung.com>
+
+[ Upstream commit 4a059559809fd1ddbf16f847c4d2237309c08edf ]
+
+Fix a wrong error return by dropping an error return.
+
+When vidi driver is remvoed, if ctx->raw_edid isn't same as fake_edid_info
+then only what we have to is to free ctx->raw_edid so that driver removing
+can work correctly - it's not an error case.
+
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_vidi.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+index e5662bdcbbde3..e96436e11a36c 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+@@ -468,8 +468,6 @@ static int vidi_remove(struct platform_device *pdev)
+ if (ctx->raw_edid != (struct edid *)fake_edid_info) {
+ kfree(ctx->raw_edid);
+ ctx->raw_edid = NULL;
+-
+- return -EINVAL;
+ }
+
+ component_del(&pdev->dev, &vidi_component_ops);
+--
+2.39.2
+
--- /dev/null
+From 56f9d6f8d67c2480d93a7e3ea84cbfe05bc67f5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Jun 2023 15:43:45 +0800
+Subject: drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Min Li <lm0963hack@gmail.com>
+
+[ Upstream commit 982b173a6c6d9472730c3116051977e05d17c8c5 ]
+
+Userspace can race to free the gobj(robj converted from), robj should not
+be accessed again after drm_gem_object_put, otherwith it will result in
+use-after-free.
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Min Li <lm0963hack@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_gem.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
+index e5c4271e64ede..75053917d2137 100644
+--- a/drivers/gpu/drm/radeon/radeon_gem.c
++++ b/drivers/gpu/drm/radeon/radeon_gem.c
+@@ -385,7 +385,6 @@ int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data,
+ struct radeon_device *rdev = dev->dev_private;
+ struct drm_radeon_gem_set_domain *args = data;
+ struct drm_gem_object *gobj;
+- struct radeon_bo *robj;
+ int r;
+
+ /* for now if someone requests domain CPU -
+@@ -398,13 +397,12 @@ int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data,
+ up_read(&rdev->exclusive_lock);
+ return -ENOENT;
+ }
+- robj = gem_to_radeon_bo(gobj);
+
+ r = radeon_gem_set_domain(gobj, args->read_domains, args->write_domain);
+
+ drm_gem_object_put(gobj);
+ up_read(&rdev->exclusive_lock);
+- r = radeon_gem_handle_lockup(robj->rdev, r);
++ r = radeon_gem_handle_lockup(rdev, r);
+ return r;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 0d6a76bcddd62de6c792555b2726641d4062b1f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Oct 2021 18:58:11 +0100
+Subject: gpio: Allow per-parent interrupt data
+
+From: Marc Zyngier <maz@kernel.org>
+
+[ Upstream commit cfe6807d82e97e81c3209dca9448f091e1448a57 ]
+
+The core gpiolib code is able to deal with multiple interrupt parents
+for a single gpio irqchip. It however only allows a single piece
+of data to be conveyed to all flow handlers (either the gpio_chip
+or some other, driver-specific data).
+
+This means that drivers have to go through some interesting dance
+to find the correct context, something that isn't great in interrupt
+context (see aebdc8abc9db86e2bd33070fc2f961012fff74b4 for a prime
+example).
+
+Instead, offer an optional way for a pinctrl/gpio driver to provide
+an array of pointers which gets used to provide the correct context
+to the flow handler.
+
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Joey Gouly <joey.gouly@arm.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20211026175815.52703-2-joey.gouly@arm.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Stable-dep-of: 8c00914e5438 ("gpiolib: Fix GPIO chip IRQ initialization restriction")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib.c | 9 +++++++--
+ include/linux/gpio/driver.h | 19 +++++++++++++++++--
+ 2 files changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index 3e01a3ac652d1..7ac86037a4191 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1595,9 +1595,14 @@ static int gpiochip_add_irqchip(struct gpio_chip *gc,
+ }
+
+ if (gc->irq.parent_handler) {
+- void *data = gc->irq.parent_handler_data ?: gc;
+-
+ for (i = 0; i < gc->irq.num_parents; i++) {
++ void *data;
++
++ if (gc->irq.per_parent_data)
++ data = gc->irq.parent_handler_data_array[i];
++ else
++ data = gc->irq.parent_handler_data ?: gc;
++
+ /*
+ * The parent IRQ chip is already using the chip_data
+ * for this IRQ chip, so our callbacks simply use the
+diff --git a/include/linux/gpio/driver.h b/include/linux/gpio/driver.h
+index 0552a9859a01e..64c93a36a3a92 100644
+--- a/include/linux/gpio/driver.h
++++ b/include/linux/gpio/driver.h
+@@ -168,11 +168,18 @@ struct gpio_irq_chip {
+
+ /**
+ * @parent_handler_data:
++ * @parent_handler_data_array:
+ *
+ * Data associated, and passed to, the handler for the parent
+- * interrupt.
++ * interrupt. Can either be a single pointer if @per_parent_data
++ * is false, or an array of @num_parents pointers otherwise. If
++ * @per_parent_data is true, @parent_handler_data_array cannot be
++ * NULL.
+ */
+- void *parent_handler_data;
++ union {
++ void *parent_handler_data;
++ void **parent_handler_data_array;
++ };
+
+ /**
+ * @num_parents:
+@@ -203,6 +210,14 @@ struct gpio_irq_chip {
+ */
+ bool threaded;
+
++ /**
++ * @per_parent_data:
++ *
++ * True if parent_handler_data_array describes a @num_parents
++ * sized array to be used as parent data.
++ */
++ bool per_parent_data;
++
+ /**
+ * @init_hw: optional routine to initialize hardware before
+ * an IRQ chip will be added. This is quite useful when
+--
+2.39.2
+
--- /dev/null
+From 62525cd8e5a4760c199bf3e382b1447d2854927c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jun 2023 16:18:03 +0800
+Subject: gpiolib: Fix GPIO chip IRQ initialization restriction
+
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+
+[ Upstream commit 8c00914e5438e3636f26b4f814b3297ae2a1b9ee ]
+
+In case of gpio-regmap, IRQ chip is added by regmap-irq and associated with
+GPIO chip by gpiochip_irqchip_add_domain(). The initialization flag was not
+added in gpiochip_irqchip_add_domain(), causing gpiochip_to_irq() to return
+-EPROBE_DEFER.
+
+Fixes: 5467801f1fcb ("gpio: Restrict usage of GPIO chip irq members before initialization")
+Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index 7ac86037a4191..d10f621085e2e 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1792,6 +1792,14 @@ int gpiochip_irqchip_add_domain(struct gpio_chip *gc,
+ gc->to_irq = gpiochip_to_irq;
+ gc->irq.domain = domain;
+
++ /*
++ * Using barrier() here to prevent compiler from reordering
++ * gc->irq.initialized before adding irqdomain.
++ */
++ barrier();
++
++ gc->irq.initialized = true;
++
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(gpiochip_irqchip_add_domain);
+--
+2.39.2
+
--- /dev/null
+From 4ab506f967106b6c5aac91e673d168b7435e95b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Apr 2023 14:47:45 +0300
+Subject: HID: wacom: Add error check to wacom_parse_and_register()
+
+From: Denis Arefev <arefev@swemel.ru>
+
+[ Upstream commit 16a9c24f24fbe4564284eb575b18cc20586b9270 ]
+
+ Added a variable check and
+ transition in case of an error
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Denis Arefev <arefev@swemel.ru>
+Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/wacom_sys.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
+index a93070f5b214c..36cb456709ed7 100644
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -2419,8 +2419,13 @@ static int wacom_parse_and_register(struct wacom *wacom, bool wireless)
+ goto fail_quirks;
+ }
+
+- if (features->device_type & WACOM_DEVICETYPE_WL_MONITOR)
++ if (features->device_type & WACOM_DEVICETYPE_WL_MONITOR) {
+ error = hid_hw_open(hdev);
++ if (error) {
++ hid_err(hdev, "hw open failed\n");
++ goto fail_quirks;
++ }
++ }
+
+ wacom_set_shared_values(wacom_wac);
+ devres_close_group(&hdev->dev, wacom);
+--
+2.39.2
+
--- /dev/null
+From 4d05d6fe42777db4650d08aa73d64c665d1ec546 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Apr 2023 10:20:48 +0800
+Subject: ieee802154: hwsim: Fix possible memory leaks
+
+From: Chen Aotian <chenaotian2@163.com>
+
+[ Upstream commit a61675294735570daca3779bd1dbb3715f7232bd ]
+
+After replacing e->info, it is necessary to free the old einfo.
+
+Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb")
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Reviewed-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: Chen Aotian <chenaotian2@163.com>
+Link: https://lore.kernel.org/r/20230409022048.61223-1-chenaotian2@163.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/mac802154_hwsim.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
+index 97981cf7661ad..344f63bc94a21 100644
+--- a/drivers/net/ieee802154/mac802154_hwsim.c
++++ b/drivers/net/ieee802154/mac802154_hwsim.c
+@@ -522,7 +522,7 @@ static int hwsim_del_edge_nl(struct sk_buff *msg, struct genl_info *info)
+ static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info)
+ {
+ struct nlattr *edge_attrs[MAC802154_HWSIM_EDGE_ATTR_MAX + 1];
+- struct hwsim_edge_info *einfo;
++ struct hwsim_edge_info *einfo, *einfo_old;
+ struct hwsim_phy *phy_v0;
+ struct hwsim_edge *e;
+ u32 v0, v1;
+@@ -560,8 +560,10 @@ static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info)
+ list_for_each_entry_rcu(e, &phy_v0->edges, list) {
+ if (e->endpoint->idx == v1) {
+ einfo->lqi = lqi;
+- rcu_assign_pointer(e->info, einfo);
++ einfo_old = rcu_replace_pointer(e->info, einfo,
++ lockdep_is_held(&hwsim_phys_lock));
+ rcu_read_unlock();
++ kfree_rcu(einfo_old, rcu);
+ mutex_unlock(&hwsim_phys_lock);
+ return 0;
+ }
+--
+2.39.2
+
--- /dev/null
+From fdbeb81ec47c9dfd834ca849914c7de3e1eb76e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 11:57:04 -0700
+Subject: Input: soc_button_array - add invalid acpi_index DMI quirk handling
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 20a99a291d564a559cc2fd013b4824a3bb3f1db7 ]
+
+Some devices have a wrong entry in their button array which points to
+a GPIO which is required in another driver, so soc_button_array must
+not claim it.
+
+A specific example of this is the Lenovo Yoga Book X90F / X90L,
+where the PNP0C40 home button entry points to a GPIO which is not
+a home button and which is required by the lenovo-yogabook driver.
+
+Add a DMI quirk table which can specify an ACPI GPIO resource index which
+should be skipped; and add an entry for the Lenovo Yoga Book X90F / X90L
+to this new DMI quirk table.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20230414072116.4497-1-hdegoede@redhat.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/soc_button_array.c | 30 +++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/drivers/input/misc/soc_button_array.c b/drivers/input/misc/soc_button_array.c
+index 31c02c2019c1c..67a134c8448d2 100644
+--- a/drivers/input/misc/soc_button_array.c
++++ b/drivers/input/misc/soc_button_array.c
+@@ -108,6 +108,27 @@ static const struct dmi_system_id dmi_use_low_level_irq[] = {
+ {} /* Terminating entry */
+ };
+
++/*
++ * Some devices have a wrong entry which points to a GPIO which is
++ * required in another driver, so this driver must not claim it.
++ */
++static const struct dmi_system_id dmi_invalid_acpi_index[] = {
++ {
++ /*
++ * Lenovo Yoga Book X90F / X90L, the PNP0C40 home button entry
++ * points to a GPIO which is not a home button and which is
++ * required by the lenovo-yogabook driver.
++ */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Intel Corporation"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "CHERRYVIEW D1 PLATFORM"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "YETI-11"),
++ },
++ .driver_data = (void *)1l,
++ },
++ {} /* Terminating entry */
++};
++
+ /*
+ * Get the Nth GPIO number from the ACPI object.
+ */
+@@ -137,6 +158,8 @@ soc_button_device_create(struct platform_device *pdev,
+ struct platform_device *pd;
+ struct gpio_keys_button *gpio_keys;
+ struct gpio_keys_platform_data *gpio_keys_pdata;
++ const struct dmi_system_id *dmi_id;
++ int invalid_acpi_index = -1;
+ int error, gpio, irq;
+ int n_buttons = 0;
+
+@@ -154,10 +177,17 @@ soc_button_device_create(struct platform_device *pdev,
+ gpio_keys = (void *)(gpio_keys_pdata + 1);
+ n_buttons = 0;
+
++ dmi_id = dmi_first_match(dmi_invalid_acpi_index);
++ if (dmi_id)
++ invalid_acpi_index = (long)dmi_id->driver_data;
++
+ for (info = button_info; info->name; info++) {
+ if (info->autorepeat != autorepeat)
+ continue;
+
++ if (info->acpi_index == invalid_acpi_index)
++ continue;
++
+ error = soc_button_lookup_gpio(&pdev->dev, info->acpi_index, &gpio, &irq);
+ if (error || irq < 0) {
+ /*
+--
+2.39.2
+
--- /dev/null
+From 800d187a4d2027067061ca5e67e0163c84a26faf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jun 2023 22:58:42 +0200
+Subject: ipvs: align inner_mac_header for encapsulation
+
+From: Terin Stock <terin@cloudflare.com>
+
+[ Upstream commit d7fce52fdf96663ddc2eb21afecff3775588612a ]
+
+When using encapsulation the original packet's headers are copied to the
+inner headers. This preserves the space for an inner mac header, which
+is not used by the inner payloads for the encapsulation types supported
+by IPVS. If a packet is using GUE or GRE encapsulation and needs to be
+segmented, flow can be passed to __skb_udp_tunnel_segment() which
+calculates a negative tunnel header length. A negative tunnel header
+length causes pskb_may_pull() to fail, dropping the packet.
+
+This can be observed by attaching probes to ip_vs_in_hook(),
+__dev_queue_xmit(), and __skb_udp_tunnel_segment():
+
+ perf probe --add '__dev_queue_xmit skb->inner_mac_header \
+ skb->inner_network_header skb->mac_header skb->network_header'
+ perf probe --add '__skb_udp_tunnel_segment:7 tnl_hlen'
+ perf probe -m ip_vs --add 'ip_vs_in_hook skb->inner_mac_header \
+ skb->inner_network_header skb->mac_header skb->network_header'
+
+These probes the headers and tunnel header length for packets which
+traverse the IPVS encapsulation path. A TCP packet can be forced into
+the segmentation path by being smaller than a calculated clamped MSS,
+but larger than the advertised MSS.
+
+ probe:ip_vs_in_hook: inner_mac_header=0x0 inner_network_header=0x0 mac_header=0x44 network_header=0x52
+ probe:ip_vs_in_hook: inner_mac_header=0x44 inner_network_header=0x52 mac_header=0x44 network_header=0x32
+ probe:dev_queue_xmit: inner_mac_header=0x44 inner_network_header=0x52 mac_header=0x44 network_header=0x32
+ probe:__skb_udp_tunnel_segment_L7: tnl_hlen=-2
+
+When using veth-based encapsulation, the interfaces are set to be
+mac-less, which does not preserve space for an inner mac header. This
+prevents this issue from occurring.
+
+In our real-world testing of sending a 32KB file we observed operation
+time increasing from ~75ms for veth-based encapsulation to over 1.5s
+using IPVS encapsulation due to retries from dropped packets.
+
+This changeset modifies the packet on the encapsulation path in
+ip_vs_tunnel_xmit() and ip_vs_tunnel_xmit_v6() to remove the inner mac
+header offset. This fixes UDP segmentation for both encapsulation types,
+and corrects the inner headers for any IPIP flows that may use it.
+
+Fixes: 84c0d5e96f3a ("ipvs: allow tunneling with gue encapsulation")
+Signed-off-by: Terin Stock <terin@cloudflare.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_xmit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
+index d2e5a8f644b80..cd2130e98836b 100644
+--- a/net/netfilter/ipvs/ip_vs_xmit.c
++++ b/net/netfilter/ipvs/ip_vs_xmit.c
+@@ -1225,6 +1225,7 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
+ skb->transport_header = skb->network_header;
+
+ skb_set_inner_ipproto(skb, next_protocol);
++ skb_set_inner_mac_header(skb, skb_inner_network_offset(skb));
+
+ if (tun_type == IP_VS_CONN_F_TUNNEL_TYPE_GUE) {
+ bool check = false;
+@@ -1373,6 +1374,7 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
+ skb->transport_header = skb->network_header;
+
+ skb_set_inner_ipproto(skb, next_protocol);
++ skb_set_inner_mac_header(skb, skb_inner_network_offset(skb));
+
+ if (tun_type == IP_VS_CONN_F_TUNNEL_TYPE_GUE) {
+ bool check = false;
+--
+2.39.2
+
--- /dev/null
+From 9b4615bba48c44707b5f95d0af79a7fcbfa63822 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 16:07:28 +0100
+Subject: media: cec: core: don't set last_initiator if tx in progress
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 73af6c7511038249cad3d5f3b44bf8d78ac0f499 ]
+
+When a message was received the last_initiator is set to 0xff.
+This will force the signal free time for the next transmit
+to that for a new initiator. However, if a new transmit is
+already in progress, then don't set last_initiator, since
+that's the initiator of the current transmit. Overwriting
+this would cause the signal free time of a following transmit
+to be that of the new initiator instead of a next transmit.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/cec/core/cec-adap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/cec/core/cec-adap.c b/drivers/media/cec/core/cec-adap.c
+index e23aa608f66f6..97b479223fe52 100644
+--- a/drivers/media/cec/core/cec-adap.c
++++ b/drivers/media/cec/core/cec-adap.c
+@@ -1085,7 +1085,8 @@ void cec_received_msg_ts(struct cec_adapter *adap,
+ mutex_lock(&adap->lock);
+ dprintk(2, "%s: %*ph\n", __func__, msg->len, msg->msg);
+
+- adap->last_initiator = 0xff;
++ if (!adap->transmit_in_progress)
++ adap->last_initiator = 0xff;
+
+ /* Check if this message was for us (directed or broadcast). */
+ if (!cec_msg_is_broadcast(msg))
+--
+2.39.2
+
--- /dev/null
+From f1dc8c1fa0e9052ad2559aba3a6395ca0251dc98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jun 2023 15:24:27 +0200
+Subject: memfd: check for non-NULL file_seals in memfd_create() syscall
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+[ Upstream commit 935d44acf621aa0688fef8312dec3e5940f38f4e ]
+
+Ensure that file_seals is non-NULL before using it in the memfd_create()
+syscall. One situation in which memfd_file_seals_ptr() could return a
+NULL pointer when CONFIG_SHMEM=n, oopsing the kernel.
+
+Link: https://lkml.kernel.org/r/20230607132427.2867435-1-roberto.sassu@huaweicloud.com
+Fixes: 47b9012ecdc7 ("shmem: add sealing support to hugetlb-backed memfd")
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Cc: Marc-Andr Lureau <marcandre.lureau@redhat.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/memfd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/memfd.c b/mm/memfd.c
+index fae4142f7d254..278e5636623e6 100644
+--- a/mm/memfd.c
++++ b/mm/memfd.c
+@@ -330,7 +330,8 @@ SYSCALL_DEFINE2(memfd_create,
+
+ if (flags & MFD_ALLOW_SEALING) {
+ file_seals = memfd_file_seals_ptr(file);
+- *file_seals &= ~F_SEAL_SEAL;
++ if (file_seals)
++ *file_seals &= ~F_SEAL_SEAL;
+ }
+
+ fd_install(fd, file);
+--
+2.39.2
+
--- /dev/null
+From 57588851e09927798f7a9a96a70b1bb134015075 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jan 2022 14:07:17 -0800
+Subject: mm/pagealloc: sysctl: change watermark_scale_factor max limit to 30%
+
+From: Suren Baghdasaryan <surenb@google.com>
+
+[ Upstream commit 39c65a94cd9661532be150e88f8b02f4a6844a35 ]
+
+For embedded systems with low total memory, having to run applications
+with relatively large memory requirements, 10% max limitation for
+watermark_scale_factor poses an issue of triggering direct reclaim every
+time such application is started. This results in slow application
+startup times and bad end-user experience.
+
+By increasing watermark_scale_factor max limit we allow vendors more
+flexibility to choose the right level of kswapd aggressiveness for their
+device and workload requirements.
+
+Link: https://lkml.kernel.org/r/20211124193604.2758863-1-surenb@google.com
+Signed-off-by: Suren Baghdasaryan <surenb@google.com>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Lukas Middendorf <kernel@tuxforce.de>
+Cc: Antti Palosaari <crope@iki.fi>
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Iurii Zaikin <yzaikin@google.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Zhang Yi <yi.zhang@huawei.com>
+Cc: Fengfei Xi <xi.fengfei@h3c.com>
+Cc: Mike Rapoport <rppt@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: 935d44acf621 ("memfd: check for non-NULL file_seals in memfd_create() syscall")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/admin-guide/sysctl/vm.rst | 2 +-
+ kernel/sysctl.c | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/admin-guide/sysctl/vm.rst b/Documentation/admin-guide/sysctl/vm.rst
+index 06027c6a233ab..ac852f93f8da5 100644
+--- a/Documentation/admin-guide/sysctl/vm.rst
++++ b/Documentation/admin-guide/sysctl/vm.rst
+@@ -948,7 +948,7 @@ how much memory needs to be free before kswapd goes back to sleep.
+
+ The unit is in fractions of 10,000. The default value of 10 means the
+ distances between watermarks are 0.1% of the available memory in the
+-node/system. The maximum value is 1000, or 10% of memory.
++node/system. The maximum value is 3000, or 30% of memory.
+
+ A high rate of threads entering direct reclaim (allocstall) or kswapd
+ going to sleep prematurely (kswapd_low_wmark_hit_quickly) can indicate
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index d981abea0358d..953c021039704 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -120,6 +120,7 @@ static unsigned long long_max = LONG_MAX;
+ static int one_hundred = 100;
+ static int two_hundred = 200;
+ static int one_thousand = 1000;
++static int three_thousand = 3000;
+ #ifdef CONFIG_PRINTK
+ static int ten_thousand = 10000;
+ #endif
+@@ -2987,7 +2988,7 @@ static struct ctl_table vm_table[] = {
+ .mode = 0644,
+ .proc_handler = watermark_scale_factor_sysctl_handler,
+ .extra1 = SYSCTL_ONE,
+- .extra2 = &one_thousand,
++ .extra2 = &three_thousand,
+ },
+ {
+ .procname = "percpu_pagelist_fraction",
+--
+2.39.2
+
--- /dev/null
+From edff9ac2b1de8498f96dbd9eec2878dc2f45cb1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 23:36:13 +0300
+Subject: mmc: mtk-sd: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 0c4dc0f054891a2cbde0426b0c0fdf232d89f47f ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-EINVAL, so if it returns -EPROBE_DEFER, the driver will fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error codes upstream.
+
+Fixes: 208489032bdd ("mmc: mediatek: Add Mediatek MMC driver")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20230617203622.6812-4-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mtk-sd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c
+index d71c113f428f6..2c9ea5ed0b2fc 100644
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -2443,7 +2443,7 @@ static int msdc_drv_probe(struct platform_device *pdev)
+
+ host->irq = platform_get_irq(pdev, 0);
+ if (host->irq < 0) {
+- ret = -EINVAL;
++ ret = host->irq;
+ goto host_free;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From e783c4dedb086ab813d6090487eb06eb600c3093 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 23:36:14 +0300
+Subject: mmc: mvsdio: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 8d84064da0d4672e74f984e8710f27881137472c ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-ENXIO, so if it returns -EPROBE_DEFER, the driver will fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error codes upstream.
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20230617203622.6812-5-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mvsdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/mvsdio.c b/drivers/mmc/host/mvsdio.c
+index 629efbe639c4f..b4f6a0a2fcb51 100644
+--- a/drivers/mmc/host/mvsdio.c
++++ b/drivers/mmc/host/mvsdio.c
+@@ -704,7 +704,7 @@ static int mvsd_probe(struct platform_device *pdev)
+ }
+ irq = platform_get_irq(pdev, 0);
+ if (irq < 0)
+- return -ENXIO;
++ return irq;
+
+ mmc = mmc_alloc_host(sizeof(struct mvsd_host), &pdev->dev);
+ if (!mmc) {
+--
+2.39.2
+
--- /dev/null
+From b2cfd676962ede6d328c1a2f6987f5dfb5114b32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 23:36:15 +0300
+Subject: mmc: omap: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit aedf4ba1ad00aaa94c1b66c73ecaae95e2564b95 ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-ENXIO, so if it returns -EPROBE_DEFER, the driver will fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error codes upstream.
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20230617203622.6812-6-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/omap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/omap.c b/drivers/mmc/host/omap.c
+index 6aa0537f1f847..eb978b75d8e78 100644
+--- a/drivers/mmc/host/omap.c
++++ b/drivers/mmc/host/omap.c
+@@ -1344,7 +1344,7 @@ static int mmc_omap_probe(struct platform_device *pdev)
+
+ irq = platform_get_irq(pdev, 0);
+ if (irq < 0)
+- return -ENXIO;
++ return irq;
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ host->virt_base = devm_ioremap_resource(&pdev->dev, res);
+--
+2.39.2
+
--- /dev/null
+From 1ddf15d63ea7193c084dcf1f432cc801c7b2cb41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 23:36:16 +0300
+Subject: mmc: omap_hsmmc: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit fb51b74a57859b707c3e8055ed0c25a7ca4f6a29 ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-ENXIO, so if it returns -EPROBE_DEFER, the driver will fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error codes upstream.
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20230617203622.6812-7-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/omap_hsmmc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c
+index 5b6ede81fc9f2..098075449ccd0 100644
+--- a/drivers/mmc/host/omap_hsmmc.c
++++ b/drivers/mmc/host/omap_hsmmc.c
+@@ -1832,9 +1832,11 @@ static int omap_hsmmc_probe(struct platform_device *pdev)
+ }
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- irq = platform_get_irq(pdev, 0);
+- if (res == NULL || irq < 0)
++ if (!res)
+ return -ENXIO;
++ irq = platform_get_irq(pdev, 0);
++ if (irq < 0)
++ return irq;
+
+ base = devm_ioremap_resource(&pdev->dev, res);
+ if (IS_ERR(base))
+--
+2.39.2
+
--- /dev/null
+From 4a4e148d4049242bab918449d4aec2e1e1f57557 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 23:36:17 +0300
+Subject: mmc: owl: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 3c482e1e830d79b9be8afb900a965135c01f7893 ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-EINVAL, so if it returns -EPROBE_DEFER, the driver will fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error codes upstream.
+
+Fixes: ff65ffe46d28 ("mmc: Add Actions Semi Owl SoCs SD/MMC driver")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20230617203622.6812-8-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/owl-mmc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/owl-mmc.c b/drivers/mmc/host/owl-mmc.c
+index 3d4abf175b1d8..8a40cf8a92db7 100644
+--- a/drivers/mmc/host/owl-mmc.c
++++ b/drivers/mmc/host/owl-mmc.c
+@@ -640,7 +640,7 @@ static int owl_mmc_probe(struct platform_device *pdev)
+
+ owl_host->irq = platform_get_irq(pdev, 0);
+ if (owl_host->irq < 0) {
+- ret = -EINVAL;
++ ret = owl_host->irq;
+ goto err_release_channel;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 36b0f36085a99625c7dad5e5b24350f07033d90b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 23:36:18 +0300
+Subject: mmc: sdhci-acpi: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit b465dea5e1540c7d7b5211adaf94926980d3014b ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-EINVAL, so if it returns -EPROBE_DEFER, the driver will fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error codes upstream.
+
+Fixes: 1b7ba57ecc86 ("mmc: sdhci-acpi: Handle return value of platform_get_irq")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20230617203622.6812-9-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-acpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci-acpi.c b/drivers/mmc/host/sdhci-acpi.c
+index a2cdb37fcbbec..2a28101777c6f 100644
+--- a/drivers/mmc/host/sdhci-acpi.c
++++ b/drivers/mmc/host/sdhci-acpi.c
+@@ -876,7 +876,7 @@ static int sdhci_acpi_probe(struct platform_device *pdev)
+ host->ops = &sdhci_acpi_ops_dflt;
+ host->irq = platform_get_irq(pdev, 0);
+ if (host->irq < 0) {
+- err = -EINVAL;
++ err = host->irq;
+ goto err_free;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 6a95ae790cfaa7288f052344bbbe388c6c862b17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 23:36:20 +0300
+Subject: mmc: sh_mmcif: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 5b067d7f855c61df7f8e2e8ccbcee133c282415e ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-ENXIO, so if it returns -EPROBE_DEFER, the driver will fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error codes upstream.
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20230617203622.6812-11-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sh_mmcif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sh_mmcif.c b/drivers/mmc/host/sh_mmcif.c
+index e5e457037235a..5dec9e239c9bf 100644
+--- a/drivers/mmc/host/sh_mmcif.c
++++ b/drivers/mmc/host/sh_mmcif.c
+@@ -1398,7 +1398,7 @@ static int sh_mmcif_probe(struct platform_device *pdev)
+ irq[0] = platform_get_irq(pdev, 0);
+ irq[1] = platform_get_irq_optional(pdev, 1);
+ if (irq[0] < 0)
+- return -ENXIO;
++ return irq[0];
+
+ reg = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(reg))
+--
+2.39.2
+
--- /dev/null
+From 71c36ce2474dd10817b51c6edffe62de0dc64015 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 23:36:22 +0300
+Subject: mmc: usdhi60rol0: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 413db499730248431c1005b392e8ed82c4fa19bf ]
+
+The driver overrides the error codes returned by platform_get_irq_byname()
+to -ENODEV, so if it returns -EPROBE_DEFER, the driver will fail the probe
+permanently instead of the deferred probing. Switch to propagating error
+codes upstream.
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20230617203622.6812-13-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/usdhi6rol0.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mmc/host/usdhi6rol0.c b/drivers/mmc/host/usdhi6rol0.c
+index b9b79b1089a00..4f22ecef9be50 100644
+--- a/drivers/mmc/host/usdhi6rol0.c
++++ b/drivers/mmc/host/usdhi6rol0.c
+@@ -1747,8 +1747,10 @@ static int usdhi6_probe(struct platform_device *pdev)
+ irq_cd = platform_get_irq_byname(pdev, "card detect");
+ irq_sd = platform_get_irq_byname(pdev, "data");
+ irq_sdio = platform_get_irq_byname(pdev, "SDIO");
+- if (irq_sd < 0 || irq_sdio < 0)
+- return -ENODEV;
++ if (irq_sd < 0)
++ return irq_sd;
++ if (irq_sdio < 0)
++ return irq_sdio;
+
+ mmc = mmc_alloc_host(sizeof(struct usdhi6_host), dev);
+ if (!mmc)
+--
+2.39.2
+
--- /dev/null
+From f0276405aa08dc63474233bb10c0df719aa035dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 09:26:45 +0300
+Subject: net: dsa: mt7530: fix trapping frames on non-MT7621 SoC MT7530 switch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL <arinc.unal@arinc9.com>
+
+[ Upstream commit 4ae90f90e4909e3014e2dc6a0627964617a7b824 ]
+
+All MT7530 switch IP variants share the MT7530_MFC register, but the
+current driver only writes it for the switch variant that is integrated in
+the MT7621 SoC. Modify the code to include all MT7530 derivatives.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Suggested-by: Vladimir Oltean <olteanv@gmail.com>
+Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index d3b42adef057b..4056ca4255be7 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -966,7 +966,7 @@ mt753x_cpu_port_enable(struct dsa_switch *ds, int port)
+ mt7530_rmw(priv, MT7530_MFC, UNM_FFP_MASK, UNM_FFP(BIT(port)));
+
+ /* Set CPU port number */
+- if (priv->id == ID_MT7621)
++ if (priv->id == ID_MT7530 || priv->id == ID_MT7621)
+ mt7530_rmw(priv, MT7530_MFC, CPU_MASK, CPU_EN | CPU_PORT(port));
+
+ /* CPU port gets connected to all user ports of
+--
+2.39.2
+
--- /dev/null
+From e4c928687a7bbd9b1f3b253c46596740c63818f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jun 2023 23:06:56 +0200
+Subject: net: qca_spi: Avoid high load if QCA7000 is not available
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit 92717c2356cb62c89e8a3dc37cbbab2502562524 ]
+
+In case the QCA7000 is not available via SPI (e.g. in reset),
+the driver will cause a high load. The reason for this is
+that the synchronization is never finished and schedule()
+is never called. Since the synchronization is not timing
+critical, it's safe to drop this from the scheduling condition.
+
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qualcomm/qca_spi.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c
+index 36bcb5db3be97..44fa959ebcaa5 100644
+--- a/drivers/net/ethernet/qualcomm/qca_spi.c
++++ b/drivers/net/ethernet/qualcomm/qca_spi.c
+@@ -574,8 +574,7 @@ qcaspi_spi_thread(void *data)
+ while (!kthread_should_stop()) {
+ set_current_state(TASK_INTERRUPTIBLE);
+ if ((qca->intr_req == qca->intr_svc) &&
+- (qca->txr.skb[qca->txr.head] == NULL) &&
+- (qca->sync == QCASPI_SYNC_READY))
++ !qca->txr.skb[qca->txr.head])
+ schedule();
+
+ set_current_state(TASK_RUNNING);
+--
+2.39.2
+
--- /dev/null
+From f4e03773fb8e81a6be7e0ef8153e27ccc70cf49c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jun 2023 15:20:16 +0200
+Subject: netfilter: nf_tables: disallow element updates of bound anonymous
+ sets
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit c88c535b592d3baeee74009f3eceeeaf0fdd5e1b ]
+
+Anonymous sets come with NFT_SET_CONSTANT from userspace. Although API
+allows to create anonymous sets without NFT_SET_CONSTANT, it makes no
+sense to allow to add and to delete elements for bound anonymous sets.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index fe51cedd9cc3c..92ea3332cdda3 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5460,7 +5460,8 @@ static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
+ if (IS_ERR(set))
+ return PTR_ERR(set);
+
+- if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
++ if (!list_empty(&set->bindings) &&
++ (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
+ return -EBUSY;
+
+ nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) {
+@@ -5666,7 +5667,9 @@ static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
+ set = nft_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
+ if (IS_ERR(set))
+ return PTR_ERR(set);
+- if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
++
++ if (!list_empty(&set->bindings) &&
++ (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
+ return -EBUSY;
+
+ if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
+--
+2.39.2
+
--- /dev/null
+From 7517d0a9d5e9b5bbaac458fdcb3a8e0f440d247d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jun 2023 10:14:25 +0200
+Subject: netfilter: nfnetlink_osf: fix module autoload
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 62f9a68a36d4441a6c412b81faed102594bc6670 ]
+
+Move the alias from xt_osf to nfnetlink_osf.
+
+Fixes: f9324952088f ("netfilter: nfnetlink_osf: extract nfnetlink_subsystem code from xt_osf.c")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_osf.c | 1 +
+ net/netfilter/xt_osf.c | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
+index 51e3953b414c0..9dbaa5ce24e51 100644
+--- a/net/netfilter/nfnetlink_osf.c
++++ b/net/netfilter/nfnetlink_osf.c
+@@ -440,3 +440,4 @@ module_init(nfnl_osf_init);
+ module_exit(nfnl_osf_fini);
+
+ MODULE_LICENSE("GPL");
++MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_OSF);
+diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
+index e1990baf3a3b7..dc9485854002a 100644
+--- a/net/netfilter/xt_osf.c
++++ b/net/netfilter/xt_osf.c
+@@ -71,4 +71,3 @@ MODULE_AUTHOR("Evgeniy Polyakov <zbr@ioremap.net>");
+ MODULE_DESCRIPTION("Passive OS fingerprint matching.");
+ MODULE_ALIAS("ipt_osf");
+ MODULE_ALIAS("ip6t_osf");
+-MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_OSF);
+--
+2.39.2
+
--- /dev/null
+From 6a3bea5a6b6c4a5978f46d005e26f9889b65ca43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jun 2023 15:20:04 +0200
+Subject: netfilter: nft_set_pipapo: .walk does not deal with generations
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 2b84e215f87443c74ac0aa7f76bb172d43a87033 ]
+
+The .walk callback iterates over the current active set, but it might be
+useful to iterate over the next generation set. Use the generation mask
+to determine what set view (either current or next generation) is use
+for the walk iteration.
+
+Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_pipapo.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
+index 30cf0673d6c19..eb5934eb3adfc 100644
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -1949,12 +1949,16 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set,
+ struct nft_set_iter *iter)
+ {
+ struct nft_pipapo *priv = nft_set_priv(set);
++ struct net *net = read_pnet(&set->net);
+ struct nft_pipapo_match *m;
+ struct nft_pipapo_field *f;
+ int i, r;
+
+ rcu_read_lock();
+- m = rcu_dereference(priv->match);
++ if (iter->genmask == nft_genmask_cur(net))
++ m = rcu_dereference(priv->match);
++ else
++ m = priv->clone;
+
+ if (unlikely(!m))
+ goto out;
+--
+2.39.2
+
--- /dev/null
+From 1c15d3d13826edafa0d16b82cbb62a167b91f968 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 22:27:46 +0500
+Subject: nfcsim.c: Fix error checking for debugfs_create_dir
+
+From: Osama Muhammad <osmtendev@gmail.com>
+
+[ Upstream commit 9b9e46aa07273ceb96866b2e812b46f1ee0b8d2f ]
+
+This patch fixes the error checking in nfcsim.c.
+The DebugFS kernel API is developed in
+a way that the caller can safely ignore the errors that
+occur during the creation of DebugFS nodes.
+
+Signed-off-by: Osama Muhammad <osmtendev@gmail.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/nfcsim.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/nfc/nfcsim.c b/drivers/nfc/nfcsim.c
+index dd27c85190d34..b42d386350b72 100644
+--- a/drivers/nfc/nfcsim.c
++++ b/drivers/nfc/nfcsim.c
+@@ -336,10 +336,6 @@ static struct dentry *nfcsim_debugfs_root;
+ static void nfcsim_debugfs_init(void)
+ {
+ nfcsim_debugfs_root = debugfs_create_dir("nfcsim", NULL);
+-
+- if (!nfcsim_debugfs_root)
+- pr_err("Could not create debugfs entry\n");
+-
+ }
+
+ static void nfcsim_debugfs_remove(void)
+--
+2.39.2
+
--- /dev/null
+From 17c619b16ae5d781be156e819e1283d9023b37c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jun 2023 17:44:35 +0200
+Subject: Revert "net: phy: dp83867: perform soft reset and retain established
+ link"
+
+From: Francesco Dolcini <francesco.dolcini@toradex.com>
+
+[ Upstream commit a129b41fe0a8b4da828c46b10f5244ca07a3fec3 ]
+
+This reverts commit da9ef50f545f86ffe6ff786174d26500c4db737a.
+
+This fixes a regression in which the link would come up, but no
+communication was possible.
+
+The reverted commit was also removing a comment about
+DP83867_PHYCR_FORCE_LINK_GOOD, this is not added back in this commits
+since it seems that this is unrelated to the original code change.
+
+Closes: https://lore.kernel.org/all/ZGuDJos8D7N0J6Z2@francesco-nb.int.toradex.com/
+Fixes: da9ef50f545f ("net: phy: dp83867: perform soft reset and retain established link")
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Praneeth Bajjuri <praneeth@ti.com>
+Link: https://lore.kernel.org/r/20230619154435.355485-1-francesco@dolcini.it
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/dp83867.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c
+index 5fabcd15ef77a..834bf63dc2009 100644
+--- a/drivers/net/phy/dp83867.c
++++ b/drivers/net/phy/dp83867.c
+@@ -802,7 +802,7 @@ static int dp83867_phy_reset(struct phy_device *phydev)
+ {
+ int err;
+
+- err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESTART);
++ err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESET);
+ if (err < 0)
+ return err;
+
+--
+2.39.2
+
--- /dev/null
+From dc009e024471c08c02428057cdea32e47c8b04d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 May 2023 20:53:20 +0200
+Subject: s390/cio: unregister device when the only path is gone
+
+From: Vineeth Vijayan <vneethv@linux.ibm.com>
+
+[ Upstream commit 89c0c62e947a01e7a36b54582fd9c9e346170255 ]
+
+Currently, if the device is offline and all the channel paths are
+either configured or varied offline, the associated subchannel gets
+unregistered. Don't unregister the subchannel, instead unregister
+offline device.
+
+Signed-off-by: Vineeth Vijayan <vneethv@linux.ibm.com>
+Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/device.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
+index 33280ca181e95..6f9c81db6e429 100644
+--- a/drivers/s390/cio/device.c
++++ b/drivers/s390/cio/device.c
+@@ -1385,6 +1385,7 @@ void ccw_device_set_notoper(struct ccw_device *cdev)
+ enum io_sch_action {
+ IO_SCH_UNREG,
+ IO_SCH_ORPH_UNREG,
++ IO_SCH_UNREG_CDEV,
+ IO_SCH_ATTACH,
+ IO_SCH_UNREG_ATTACH,
+ IO_SCH_ORPH_ATTACH,
+@@ -1417,7 +1418,7 @@ static enum io_sch_action sch_get_action(struct subchannel *sch)
+ }
+ if ((sch->schib.pmcw.pam & sch->opm) == 0) {
+ if (ccw_device_notify(cdev, CIO_NO_PATH) != NOTIFY_OK)
+- return IO_SCH_UNREG;
++ return IO_SCH_UNREG_CDEV;
+ return IO_SCH_DISC;
+ }
+ if (device_is_disconnected(cdev))
+@@ -1479,6 +1480,7 @@ static int io_subchannel_sch_event(struct subchannel *sch, int process)
+ case IO_SCH_ORPH_ATTACH:
+ ccw_device_set_disconnected(cdev);
+ break;
++ case IO_SCH_UNREG_CDEV:
+ case IO_SCH_UNREG_ATTACH:
+ case IO_SCH_UNREG:
+ if (!cdev)
+@@ -1512,6 +1514,7 @@ static int io_subchannel_sch_event(struct subchannel *sch, int process)
+ if (rc)
+ goto out;
+ break;
++ case IO_SCH_UNREG_CDEV:
+ case IO_SCH_UNREG_ATTACH:
+ spin_lock_irqsave(sch->lock, flags);
+ if (cdev->private->flags.resuming) {
+--
+2.39.2
+
--- /dev/null
+From 94bf7e3fafd177d3710fde03363235319d83f8f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 19:41:45 +0200
+Subject: s390/purgatory: disable branch profiling
+
+From: Alexander Gordeev <agordeev@linux.ibm.com>
+
+[ Upstream commit 03c5c83b70dca3729a3eb488e668e5044bd9a5ea ]
+
+Avoid linker error for randomly generated config file that
+has CONFIG_BRANCH_PROFILE_NONE enabled and make it similar
+to riscv, x86 and also to commit 4bf3ec384edf ("s390: disable
+branch profiling for vdso").
+
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/purgatory/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/s390/purgatory/Makefile b/arch/s390/purgatory/Makefile
+index 21c4ebe29b9a2..a93c9aba834be 100644
+--- a/arch/s390/purgatory/Makefile
++++ b/arch/s390/purgatory/Makefile
+@@ -25,6 +25,7 @@ KBUILD_CFLAGS += -Wno-pointer-sign -Wno-sign-compare
+ KBUILD_CFLAGS += -fno-zero-initialized-in-bss -fno-builtin -ffreestanding
+ KBUILD_CFLAGS += -c -MD -Os -m64 -msoft-float -fno-common
+ KBUILD_CFLAGS += -fno-stack-protector
++KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING
+ KBUILD_CFLAGS += $(CLANG_FLAGS)
+ KBUILD_CFLAGS += $(call cc-option,-fno-PIE)
+ KBUILD_AFLAGS := $(filter-out -DCC_USING_EXPOLINE,$(KBUILD_AFLAGS))
+--
+2.39.2
+
--- /dev/null
+From 3bddd9deb91c67ca66ccc90fb73d2431dfd884fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jun 2023 18:44:25 +0000
+Subject: sch_netem: acquire qdisc lock in netem_change()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2174a08db80d1efeea382e25ac41c4e7511eb6d6 ]
+
+syzbot managed to trigger a divide error [1] in netem.
+
+It could happen if q->rate changes while netem_enqueue()
+is running, since q->rate is read twice.
+
+It turns out netem_change() always lacked proper synchronization.
+
+[1]
+divide error: 0000 [#1] SMP KASAN
+CPU: 1 PID: 7867 Comm: syz-executor.1 Not tainted 6.1.30-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
+RIP: 0010:div64_u64 include/linux/math64.h:69 [inline]
+RIP: 0010:packet_time_ns net/sched/sch_netem.c:357 [inline]
+RIP: 0010:netem_enqueue+0x2067/0x36d0 net/sched/sch_netem.c:576
+Code: 89 e2 48 69 da 00 ca 9a 3b 42 80 3c 28 00 4c 8b a4 24 88 00 00 00 74 0d 4c 89 e7 e8 c3 4f 3b fd 48 8b 4c 24 18 48 89 d8 31 d2 <49> f7 34 24 49 01 c7 4c 8b 64 24 48 4d 01 f7 4c 89 e3 48 c1 eb 03
+RSP: 0018:ffffc9000dccea60 EFLAGS: 00010246
+RAX: 000001a442624200 RBX: 000001a442624200 RCX: ffff888108a4f000
+RDX: 0000000000000000 RSI: 000000000000070d RDI: 000000000000070d
+RBP: ffffc9000dcceb90 R08: ffffffff849c5e26 R09: fffffbfff10e1297
+R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888108a4f358
+R13: dffffc0000000000 R14: 0000001a8cd9a7ec R15: 0000000000000000
+FS: 00007fa73fe18700(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fa73fdf7718 CR3: 000000011d36e000 CR4: 0000000000350ee0
+Call Trace:
+<TASK>
+[<ffffffff84714385>] __dev_xmit_skb net/core/dev.c:3931 [inline]
+[<ffffffff84714385>] __dev_queue_xmit+0xcf5/0x3370 net/core/dev.c:4290
+[<ffffffff84d22df2>] dev_queue_xmit include/linux/netdevice.h:3030 [inline]
+[<ffffffff84d22df2>] neigh_hh_output include/net/neighbour.h:531 [inline]
+[<ffffffff84d22df2>] neigh_output include/net/neighbour.h:545 [inline]
+[<ffffffff84d22df2>] ip_finish_output2+0xb92/0x10d0 net/ipv4/ip_output.c:235
+[<ffffffff84d21e63>] __ip_finish_output+0xc3/0x2b0
+[<ffffffff84d10a81>] ip_finish_output+0x31/0x2a0 net/ipv4/ip_output.c:323
+[<ffffffff84d10f14>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
+[<ffffffff84d10f14>] ip_output+0x224/0x2a0 net/ipv4/ip_output.c:437
+[<ffffffff84d123b5>] dst_output include/net/dst.h:444 [inline]
+[<ffffffff84d123b5>] ip_local_out net/ipv4/ip_output.c:127 [inline]
+[<ffffffff84d123b5>] __ip_queue_xmit+0x1425/0x2000 net/ipv4/ip_output.c:542
+[<ffffffff84d12fdc>] ip_queue_xmit+0x4c/0x70 net/ipv4/ip_output.c:556
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Stephen Hemminger <stephen@networkplumber.org>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230620184425.1179809-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_netem.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
+index adc5407fd5d58..be42b1196786b 100644
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -969,6 +969,7 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
+ if (ret < 0)
+ return ret;
+
++ sch_tree_lock(sch);
+ /* backup q->clg and q->loss_model */
+ old_clg = q->clg;
+ old_loss_model = q->loss_model;
+@@ -977,7 +978,7 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
+ ret = get_loss_clg(q, tb[TCA_NETEM_LOSS]);
+ if (ret) {
+ q->loss_model = old_loss_model;
+- return ret;
++ goto unlock;
+ }
+ } else {
+ q->loss_model = CLG_RANDOM;
+@@ -1044,6 +1045,8 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
+ /* capping jitter to the range acceptable by tabledist() */
+ q->jitter = min_t(s64, abs(q->jitter), INT_MAX);
+
++unlock:
++ sch_tree_unlock(sch);
+ return ret;
+
+ get_table_failure:
+@@ -1053,7 +1056,8 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
+ */
+ q->clg = old_clg;
+ q->loss_model = old_loss_model;
+- return ret;
++
++ goto unlock;
+ }
+
+ static int netem_init(struct Qdisc *sch, struct nlattr *opt,
+--
+2.39.2
+
--- /dev/null
+From 3acee911146c0f644806c0f04cdb28b1827e3f65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 May 2023 18:22:19 +0200
+Subject: scsi: target: iscsi: Prevent login threads from racing between each
+ other
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 2a737d3b8c792400118d6cf94958f559de9c5e59 ]
+
+The tpg->np_login_sem is a semaphore that is used to serialize the login
+process when multiple login threads run concurrently against the same
+target portal group.
+
+The iscsi_target_locate_portal() function finds the tpg, calls
+iscsit_access_np() against the np_login_sem semaphore and saves the tpg
+pointer in conn->tpg;
+
+If iscsi_target_locate_portal() fails, the caller will check for the
+conn->tpg pointer and, if it's not NULL, then it will assume that
+iscsi_target_locate_portal() called iscsit_access_np() on the semaphore.
+
+Make sure that conn->tpg gets initialized only if iscsit_access_np() was
+successful, otherwise iscsit_deaccess_np() may end up being called against
+a semaphore we never took, allowing more than one thread to access the same
+tpg.
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Link: https://lore.kernel.org/r/20230508162219.1731964-4-mlombard@redhat.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/iscsi/iscsi_target_nego.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c
+index 8b40f10976ff8..3931565018880 100644
+--- a/drivers/target/iscsi/iscsi_target_nego.c
++++ b/drivers/target/iscsi/iscsi_target_nego.c
+@@ -1079,6 +1079,7 @@ int iscsi_target_locate_portal(
+ iscsi_target_set_sock_callbacks(conn);
+
+ login->np = np;
++ conn->tpg = NULL;
+
+ login_req = (struct iscsi_login_req *) login->req;
+ payload_length = ntoh24(login_req->dlength);
+@@ -1148,7 +1149,6 @@ int iscsi_target_locate_portal(
+ */
+ sessiontype = strncmp(s_buf, DISCOVERY, 9);
+ if (!sessiontype) {
+- conn->tpg = iscsit_global->discovery_tpg;
+ if (!login->leading_connection)
+ goto get_target;
+
+@@ -1165,9 +1165,11 @@ int iscsi_target_locate_portal(
+ * Serialize access across the discovery struct iscsi_portal_group to
+ * process login attempt.
+ */
++ conn->tpg = iscsit_global->discovery_tpg;
+ if (iscsit_access_np(np, conn->tpg) < 0) {
+ iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
+ ISCSI_LOGIN_STATUS_SVC_UNAVAILABLE);
++ conn->tpg = NULL;
+ ret = -1;
+ goto out;
+ }
+--
+2.39.2
+
--- /dev/null
+From 94a9915e29ec31bb250ee49843f2a93da30a3f78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jun 2023 09:32:22 -0300
+Subject: selftests: net: fcnal-test: check if FIPS mode is enabled
+
+From: Magali Lemes <magali.lemes@canonical.com>
+
+[ Upstream commit d7a2fc1437f71cb058c7b11bc33dfc19e4bf277a ]
+
+There are some MD5 tests which fail when the kernel is in FIPS mode,
+since MD5 is not FIPS compliant. Add a check and only run those tests
+if FIPS mode is not enabled.
+
+Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests")
+Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF")
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/fcnal-test.sh | 27 ++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh
+index 4a11ea2261cbe..e13b0fb63333f 100755
+--- a/tools/testing/selftests/net/fcnal-test.sh
++++ b/tools/testing/selftests/net/fcnal-test.sh
+@@ -81,6 +81,13 @@ NSC_CMD="ip netns exec ${NSC}"
+
+ which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
+
++# Check if FIPS mode is enabled
++if [ -f /proc/sys/crypto/fips_enabled ]; then
++ fips_enabled=`cat /proc/sys/crypto/fips_enabled`
++else
++ fips_enabled=0
++fi
++
+ ################################################################################
+ # utilities
+
+@@ -1139,7 +1146,7 @@ ipv4_tcp_novrf()
+ run_cmd nettest -d ${NSA_DEV} -r ${a}
+ log_test_addr ${a} $? 1 "No server, device client, local conn"
+
+- ipv4_tcp_md5_novrf
++ [ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf
+ }
+
+ ipv4_tcp_vrf()
+@@ -1193,9 +1200,11 @@ ipv4_tcp_vrf()
+ log_test_addr ${a} $? 1 "Global server, local connection"
+
+ # run MD5 tests
+- setup_vrf_dup
+- ipv4_tcp_md5
+- cleanup_vrf_dup
++ if [ "$fips_enabled" = "0" ]; then
++ setup_vrf_dup
++ ipv4_tcp_md5
++ cleanup_vrf_dup
++ fi
+
+ #
+ # enable VRF global server
+@@ -2611,7 +2620,7 @@ ipv6_tcp_novrf()
+ log_test_addr ${a} $? 1 "No server, device client, local conn"
+ done
+
+- ipv6_tcp_md5_novrf
++ [ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf
+ }
+
+ ipv6_tcp_vrf()
+@@ -2681,9 +2690,11 @@ ipv6_tcp_vrf()
+ log_test_addr ${a} $? 1 "Global server, local connection"
+
+ # run MD5 tests
+- setup_vrf_dup
+- ipv6_tcp_md5
+- cleanup_vrf_dup
++ if [ "$fips_enabled" = "0" ]; then
++ setup_vrf_dup
++ ipv6_tcp_md5
++ cleanup_vrf_dup
++ fi
+
+ #
+ # enable VRF global server
+--
+2.39.2
+
--- /dev/null
+From 381170e408f8e4572d29212928907c12859b228d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jun 2023 09:32:21 -0300
+Subject: selftests: net: vrf-xfrm-tests: change authentication and encryption
+ algos
+
+From: Magali Lemes <magali.lemes@canonical.com>
+
+[ Upstream commit cb43c60e64ca67fcc9d23bd08f51d2ab8209d9d7 ]
+
+The vrf-xfrm-tests tests use the hmac(md5) and cbc(des3_ede)
+algorithms for performing authentication and encryption, respectively.
+This causes the tests to fail when fips=1 is set, since these algorithms
+are not allowed in FIPS mode. Therefore, switch from hmac(md5) and
+cbc(des3_ede) to hmac(sha1) and cbc(aes), which are FIPS compliant.
+
+Fixes: 3f251d741150 ("selftests: Add tests for vrf and xfrms")
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/vrf-xfrm-tests.sh | 32 +++++++++----------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/tools/testing/selftests/net/vrf-xfrm-tests.sh b/tools/testing/selftests/net/vrf-xfrm-tests.sh
+index 184da81f554ff..452638ae8aed8 100755
+--- a/tools/testing/selftests/net/vrf-xfrm-tests.sh
++++ b/tools/testing/selftests/net/vrf-xfrm-tests.sh
+@@ -264,60 +264,60 @@ setup_xfrm()
+ ip -netns host1 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
+ proto esp spi ${SPI_1} reqid 0 mode tunnel \
+ replay-window 4 replay-oseq 0x4 \
+- auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
+- enc 'cbc(des3_ede)' ${ENC_1} \
++ auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
++ enc 'cbc(aes)' ${ENC_1} \
+ sel src ${h1_4} dst ${h2_4} ${devarg}
+
+ ip -netns host2 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
+ proto esp spi ${SPI_1} reqid 0 mode tunnel \
+ replay-window 4 replay-oseq 0x4 \
+- auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
+- enc 'cbc(des3_ede)' ${ENC_1} \
++ auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
++ enc 'cbc(aes)' ${ENC_1} \
+ sel src ${h1_4} dst ${h2_4}
+
+
+ ip -netns host1 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
+ proto esp spi ${SPI_2} reqid 0 mode tunnel \
+ replay-window 4 replay-oseq 0x4 \
+- auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
+- enc 'cbc(des3_ede)' ${ENC_2} \
++ auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
++ enc 'cbc(aes)' ${ENC_2} \
+ sel src ${h2_4} dst ${h1_4} ${devarg}
+
+ ip -netns host2 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
+ proto esp spi ${SPI_2} reqid 0 mode tunnel \
+ replay-window 4 replay-oseq 0x4 \
+- auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
+- enc 'cbc(des3_ede)' ${ENC_2} \
++ auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
++ enc 'cbc(aes)' ${ENC_2} \
+ sel src ${h2_4} dst ${h1_4}
+
+
+ ip -6 -netns host1 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
+ proto esp spi ${SPI_1} reqid 0 mode tunnel \
+ replay-window 4 replay-oseq 0x4 \
+- auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
+- enc 'cbc(des3_ede)' ${ENC_1} \
++ auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
++ enc 'cbc(aes)' ${ENC_1} \
+ sel src ${h1_6} dst ${h2_6} ${devarg}
+
+ ip -6 -netns host2 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
+ proto esp spi ${SPI_1} reqid 0 mode tunnel \
+ replay-window 4 replay-oseq 0x4 \
+- auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
+- enc 'cbc(des3_ede)' ${ENC_1} \
++ auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
++ enc 'cbc(aes)' ${ENC_1} \
+ sel src ${h1_6} dst ${h2_6}
+
+
+ ip -6 -netns host1 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
+ proto esp spi ${SPI_2} reqid 0 mode tunnel \
+ replay-window 4 replay-oseq 0x4 \
+- auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
+- enc 'cbc(des3_ede)' ${ENC_2} \
++ auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
++ enc 'cbc(aes)' ${ENC_2} \
+ sel src ${h2_6} dst ${h1_6} ${devarg}
+
+ ip -6 -netns host2 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
+ proto esp spi ${SPI_2} reqid 0 mode tunnel \
+ replay-window 4 replay-oseq 0x4 \
+- auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
+- enc 'cbc(des3_ede)' ${ENC_2} \
++ auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
++ enc 'cbc(aes)' ${ENC_2} \
+ sel src ${h2_6} dst ${h1_6}
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 9962e90152e5c0e33b72e397a9f68f2886ed063b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Apr 2021 19:43:12 +0200
+Subject: seq_file: Add a seq_bprintf function
+
+From: Florent Revest <revest@chromium.org>
+
+[ Upstream commit 76d6a13383b8e3ff20a9cf52aa9c3de39e485632 ]
+
+Similarly to seq_buf_bprintf in lib/seq_buf.c, this function writes a
+printf formatted string with arguments provided in a "binary
+representation" built by functions such as vbin_printf.
+
+Signed-off-by: Florent Revest <revest@chromium.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20210427174313.860948-2-revest@chromium.org
+Stable-dep-of: 935d44acf621 ("memfd: check for non-NULL file_seals in memfd_create() syscall")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/seq_file.c | 18 ++++++++++++++++++
+ include/linux/seq_file.h | 4 ++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/fs/seq_file.c b/fs/seq_file.c
+index 472714716be69..ad2120d9f038d 100644
+--- a/fs/seq_file.c
++++ b/fs/seq_file.c
+@@ -415,6 +415,24 @@ void seq_printf(struct seq_file *m, const char *f, ...)
+ }
+ EXPORT_SYMBOL(seq_printf);
+
++#ifdef CONFIG_BINARY_PRINTF
++void seq_bprintf(struct seq_file *m, const char *f, const u32 *binary)
++{
++ int len;
++
++ if (m->count < m->size) {
++ len = bstr_printf(m->buf + m->count, m->size - m->count, f,
++ binary);
++ if (m->count + len < m->size) {
++ m->count += len;
++ return;
++ }
++ }
++ seq_set_overflow(m);
++}
++EXPORT_SYMBOL(seq_bprintf);
++#endif /* CONFIG_BINARY_PRINTF */
++
+ /**
+ * mangle_path - mangle and copy path to buffer beginning
+ * @s: buffer start
+diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h
+index 662a8cfa1bcd3..6b80d0a3985a4 100644
+--- a/include/linux/seq_file.h
++++ b/include/linux/seq_file.h
+@@ -146,6 +146,10 @@ void *__seq_open_private(struct file *, const struct seq_operations *, int);
+ int seq_open_private(struct file *, const struct seq_operations *, int);
+ int seq_release_private(struct inode *, struct file *);
+
++#ifdef CONFIG_BINARY_PRINTF
++void seq_bprintf(struct seq_file *m, const char *f, const u32 *binary);
++#endif
++
+ #define DEFINE_SEQ_ATTRIBUTE(__name) \
+ static int __name ## _open(struct inode *inode, struct file *file) \
+ { \
+--
+2.39.2
+
io_uring-net-disable-partial-retries-for-recvmsg-with-cmsg.patch
nilfs2-prevent-general-protection-fault-in-nilfs_clear_dirty_page.patch
x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch
+seq_file-add-a-seq_bprintf-function.patch
+mm-pagealloc-sysctl-change-watermark_scale_factor-ma.patch
+sysctl-move-some-boundary-constants-from-sysctl.c-to.patch
+memfd-check-for-non-null-file_seals-in-memfd_create-.patch
+ieee802154-hwsim-fix-possible-memory-leaks.patch
+xfrm-treat-already-verified-secpath-entries-as-optio.patch
+xfrm-interface-rename-xfrm_interface.c-to-xfrm_inter.patch
+xfrm-ensure-policies-always-checked-on-xfrm-i-input-.patch
+bpf-track-immediate-values-written-to-stack-by-bpf_s.patch
+bpf-fix-verifier-id-tracking-of-scalars-on-spill.patch
+xfrm-fix-inbound-ipv4-udp-esp-packets-to-udpv6-duals.patch
+selftests-net-vrf-xfrm-tests-change-authentication-a.patch
+selftests-net-fcnal-test-check-if-fips-mode-is-enabl.patch
+xfrm-linearize-the-skb-after-offloading-if-needed.patch
+net-qca_spi-avoid-high-load-if-qca7000-is-not-availa.patch
+mmc-mtk-sd-fix-deferred-probing.patch
+mmc-mvsdio-fix-deferred-probing.patch
+mmc-omap-fix-deferred-probing.patch
+mmc-omap_hsmmc-fix-deferred-probing.patch
+mmc-owl-fix-deferred-probing.patch
+mmc-sdhci-acpi-fix-deferred-probing.patch
+mmc-sh_mmcif-fix-deferred-probing.patch
+mmc-usdhi60rol0-fix-deferred-probing.patch
+ipvs-align-inner_mac_header-for-encapsulation.patch
+net-dsa-mt7530-fix-trapping-frames-on-non-mt7621-soc.patch
+be2net-extend-xmit-workaround-to-be3-chip.patch
+netfilter-nft_set_pipapo-.walk-does-not-deal-with-ge.patch
+netfilter-nf_tables-disallow-element-updates-of-boun.patch
+netfilter-nfnetlink_osf-fix-module-autoload.patch
+revert-net-phy-dp83867-perform-soft-reset-and-retain.patch
+sch_netem-acquire-qdisc-lock-in-netem_change.patch
+gpio-allow-per-parent-interrupt-data.patch
+gpiolib-fix-gpio-chip-irq-initialization-restriction.patch
+scsi-target-iscsi-prevent-login-threads-from-racing-.patch
+hid-wacom-add-error-check-to-wacom_parse_and_registe.patch
+arm64-add-missing-set-way-cmo-encodings.patch
+media-cec-core-don-t-set-last_initiator-if-tx-in-pro.patch
+nfcsim.c-fix-error-checking-for-debugfs_create_dir.patch
+usb-gadget-udc-fix-null-dereference-in-remove.patch
+input-soc_button_array-add-invalid-acpi_index-dmi-qu.patch
+s390-cio-unregister-device-when-the-only-path-is-gon.patch
+spi-lpspi-disable-lpspi-module-irq-in-dma-mode.patch
+asoc-simple-card-add-missing-of_node_put-in-case-of-.patch
+asoc-nau8824-add-quirk-to-active-high-jack-detect.patch
+s390-purgatory-disable-branch-profiling.patch
+arm-dts-fix-erroneous-ads-touchscreen-polarities.patch
+drm-exynos-vidi-fix-a-wrong-error-return.patch
+drm-exynos-fix-race-condition-uaf-in-exynos_g2d_exec.patch
+drm-radeon-fix-race-condition-uaf-in-radeon_gem_set_.patch
--- /dev/null
+From 3220d471aa008f91ebfcee25fd90f928161295a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 May 2023 14:35:57 +0800
+Subject: spi: lpspi: disable lpspi module irq in DMA mode
+
+From: Clark Wang <xiaoning.wang@nxp.com>
+
+[ Upstream commit 9728fb3ce11729aa8c276825ddf504edeb00611d ]
+
+When all bits of IER are set to 0, we still can observe the lpspi irq events
+when using DMA mode to transfer data.
+
+So disable irq to avoid the too much irq events.
+
+Signed-off-by: Clark Wang <xiaoning.wang@nxp.com>
+Link: https://lore.kernel.org/r/20230505063557.3962220-1-xiaoning.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-fsl-lpspi.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c
+index 5d98611dd999d..c5ff6e8c45be0 100644
+--- a/drivers/spi/spi-fsl-lpspi.c
++++ b/drivers/spi/spi-fsl-lpspi.c
+@@ -906,9 +906,14 @@ static int fsl_lpspi_probe(struct platform_device *pdev)
+ ret = fsl_lpspi_dma_init(&pdev->dev, fsl_lpspi, controller);
+ if (ret == -EPROBE_DEFER)
+ goto out_pm_get;
+-
+ if (ret < 0)
+ dev_err(&pdev->dev, "dma setup error %d, use pio\n", ret);
++ else
++ /*
++ * disable LPSPI module IRQ when enable DMA mode successfully,
++ * to prevent the unexpected LPSPI module IRQ events.
++ */
++ disable_irq(irq);
+
+ ret = devm_spi_register_controller(&pdev->dev, controller);
+ if (ret < 0) {
+--
+2.39.2
+
--- /dev/null
+From ab90e7d8017ff59bd57b90e2a3b1ab0460b23bd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jan 2022 22:10:55 -0800
+Subject: sysctl: move some boundary constants from sysctl.c to sysctl_vals
+
+From: Xiaoming Ni <nixiaoming@huawei.com>
+
+[ Upstream commit 78e36f3b0dae586f623c4a37ec5eb5496f5abbe1 ]
+
+sysctl has helpers which let us specify boundary values for a min or max
+int value. Since these are used for a boundary check only they don't
+change, so move these variables to sysctl_vals to avoid adding duplicate
+variables. This will help with our cleanup of kernel/sysctl.c.
+
+[akpm@linux-foundation.org: update it for "mm/pagealloc: sysctl: change watermark_scale_factor max limit to 30%"]
+[mcgrof@kernel.org: major rebase]
+
+Link: https://lkml.kernel.org/r/20211123202347.818157-3-mcgrof@kernel.org
+Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
+Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Amir Goldstein <amir73il@gmail.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Benjamin LaHaise <bcrl@kvack.org>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Iurii Zaikin <yzaikin@google.com>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Paul Turner <pjt@google.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Qing Wang <wangqing@vivo.com>
+Cc: Sebastian Reichel <sre@kernel.org>
+Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: Stephen Kitt <steve@sk2.org>
+Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Cc: Antti Palosaari <crope@iki.fi>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Clemens Ladisch <clemens@ladisch.de>
+Cc: David Airlie <airlied@linux.ie>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Cc: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Julia Lawall <julia.lawall@inria.fr>
+Cc: Lukas Middendorf <kernel@tuxforce.de>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Phillip Potter <phil@philpotter.co.uk>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: Douglas Gilbert <dgilbert@interlog.com>
+Cc: James E.J. Bottomley <jejb@linux.ibm.com>
+Cc: Jani Nikula <jani.nikula@intel.com>
+Cc: John Ogness <john.ogness@linutronix.de>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: "Rafael J. Wysocki" <rafael@kernel.org>
+Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: "Theodore Ts'o" <tytso@mit.edu>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: 935d44acf621 ("memfd: check for non-NULL file_seals in memfd_create() syscall")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/proc_sysctl.c | 2 +-
+ include/linux/sysctl.h | 13 +++++++++---
+ kernel/sysctl.c | 45 ++++++++++++++++++------------------------
+ 3 files changed, 30 insertions(+), 30 deletions(-)
+
+diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
+index 1655b7b2a5abe..682f2bf2e5259 100644
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -26,7 +26,7 @@ static const struct file_operations proc_sys_dir_file_operations;
+ static const struct inode_operations proc_sys_dir_operations;
+
+ /* shared constants to be used in various sysctls */
+-const int sysctl_vals[] = { 0, 1, INT_MAX };
++const int sysctl_vals[] = { -1, 0, 1, 2, 4, 100, 200, 1000, 3000, INT_MAX };
+ EXPORT_SYMBOL(sysctl_vals);
+
+ /* Support for permanently empty directories */
+diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
+index 4393de94cb32d..c202a72e16906 100644
+--- a/include/linux/sysctl.h
++++ b/include/linux/sysctl.h
+@@ -38,9 +38,16 @@ struct ctl_table_header;
+ struct ctl_dir;
+
+ /* Keep the same order as in fs/proc/proc_sysctl.c */
+-#define SYSCTL_ZERO ((void *)&sysctl_vals[0])
+-#define SYSCTL_ONE ((void *)&sysctl_vals[1])
+-#define SYSCTL_INT_MAX ((void *)&sysctl_vals[2])
++#define SYSCTL_NEG_ONE ((void *)&sysctl_vals[0])
++#define SYSCTL_ZERO ((void *)&sysctl_vals[1])
++#define SYSCTL_ONE ((void *)&sysctl_vals[2])
++#define SYSCTL_TWO ((void *)&sysctl_vals[3])
++#define SYSCTL_FOUR ((void *)&sysctl_vals[4])
++#define SYSCTL_ONE_HUNDRED ((void *)&sysctl_vals[5])
++#define SYSCTL_TWO_HUNDRED ((void *)&sysctl_vals[6])
++#define SYSCTL_ONE_THOUSAND ((void *)&sysctl_vals[7])
++#define SYSCTL_THREE_THOUSAND ((void *)&sysctl_vals[8])
++#define SYSCTL_INT_MAX ((void *)&sysctl_vals[9])
+
+ extern const int sysctl_vals[];
+
+diff --git a/kernel/sysctl.c b/kernel/sysctl.c
+index 953c021039704..a45f0dd10b9a3 100644
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -111,16 +111,9 @@
+ static int sixty = 60;
+ #endif
+
+-static int __maybe_unused neg_one = -1;
+-static int __maybe_unused two = 2;
+-static int __maybe_unused four = 4;
+ static unsigned long zero_ul;
+ static unsigned long one_ul = 1;
+ static unsigned long long_max = LONG_MAX;
+-static int one_hundred = 100;
+-static int two_hundred = 200;
+-static int one_thousand = 1000;
+-static int three_thousand = 3000;
+ #ifdef CONFIG_PRINTK
+ static int ten_thousand = 10000;
+ #endif
+@@ -2011,7 +2004,7 @@ static struct ctl_table kern_table[] = {
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+- .extra1 = &neg_one,
++ .extra1 = SYSCTL_NEG_ONE,
+ .extra2 = SYSCTL_ONE,
+ },
+ #endif
+@@ -2342,7 +2335,7 @@ static struct ctl_table kern_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax_sysadmin,
+ .extra1 = SYSCTL_ZERO,
+- .extra2 = &two,
++ .extra2 = SYSCTL_TWO,
+ },
+ #endif
+ {
+@@ -2602,7 +2595,7 @@ static struct ctl_table kern_table[] = {
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+- .extra1 = &neg_one,
++ .extra1 = SYSCTL_NEG_ONE,
+ },
+ #endif
+ #ifdef CONFIG_RT_MUTEXES
+@@ -2664,7 +2657,7 @@ static struct ctl_table kern_table[] = {
+ .mode = 0644,
+ .proc_handler = perf_cpu_time_max_percent_handler,
+ .extra1 = SYSCTL_ZERO,
+- .extra2 = &one_hundred,
++ .extra2 = SYSCTL_ONE_HUNDRED,
+ },
+ {
+ .procname = "perf_event_max_stack",
+@@ -2682,7 +2675,7 @@ static struct ctl_table kern_table[] = {
+ .mode = 0644,
+ .proc_handler = perf_event_max_stack_handler,
+ .extra1 = SYSCTL_ZERO,
+- .extra2 = &one_thousand,
++ .extra2 = SYSCTL_ONE_THOUSAND,
+ },
+ #endif
+ {
+@@ -2713,7 +2706,7 @@ static struct ctl_table kern_table[] = {
+ .mode = 0644,
+ .proc_handler = bpf_unpriv_handler,
+ .extra1 = SYSCTL_ZERO,
+- .extra2 = &two,
++ .extra2 = SYSCTL_TWO,
+ },
+ {
+ .procname = "bpf_stats_enabled",
+@@ -2756,7 +2749,7 @@ static struct ctl_table vm_table[] = {
+ .mode = 0644,
+ .proc_handler = overcommit_policy_handler,
+ .extra1 = SYSCTL_ZERO,
+- .extra2 = &two,
++ .extra2 = SYSCTL_TWO,
+ },
+ {
+ .procname = "panic_on_oom",
+@@ -2765,7 +2758,7 @@ static struct ctl_table vm_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = SYSCTL_ZERO,
+- .extra2 = &two,
++ .extra2 = SYSCTL_TWO,
+ },
+ {
+ .procname = "oom_kill_allocating_task",
+@@ -2810,7 +2803,7 @@ static struct ctl_table vm_table[] = {
+ .mode = 0644,
+ .proc_handler = dirty_background_ratio_handler,
+ .extra1 = SYSCTL_ZERO,
+- .extra2 = &one_hundred,
++ .extra2 = SYSCTL_ONE_HUNDRED,
+ },
+ {
+ .procname = "dirty_background_bytes",
+@@ -2827,7 +2820,7 @@ static struct ctl_table vm_table[] = {
+ .mode = 0644,
+ .proc_handler = dirty_ratio_handler,
+ .extra1 = SYSCTL_ZERO,
+- .extra2 = &one_hundred,
++ .extra2 = SYSCTL_ONE_HUNDRED,
+ },
+ {
+ .procname = "dirty_bytes",
+@@ -2867,7 +2860,7 @@ static struct ctl_table vm_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = SYSCTL_ZERO,
+- .extra2 = &two_hundred,
++ .extra2 = SYSCTL_TWO_HUNDRED,
+ },
+ #ifdef CONFIG_NUMA
+ {
+@@ -2926,7 +2919,7 @@ static struct ctl_table vm_table[] = {
+ .mode = 0200,
+ .proc_handler = drop_caches_sysctl_handler,
+ .extra1 = SYSCTL_ONE,
+- .extra2 = &four,
++ .extra2 = SYSCTL_FOUR,
+ },
+ #ifdef CONFIG_COMPACTION
+ {
+@@ -2943,7 +2936,7 @@ static struct ctl_table vm_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = SYSCTL_ZERO,
+- .extra2 = &one_hundred,
++ .extra2 = SYSCTL_ONE_HUNDRED,
+ },
+ {
+ .procname = "extfrag_threshold",
+@@ -2988,7 +2981,7 @@ static struct ctl_table vm_table[] = {
+ .mode = 0644,
+ .proc_handler = watermark_scale_factor_sysctl_handler,
+ .extra1 = SYSCTL_ONE,
+- .extra2 = &three_thousand,
++ .extra2 = SYSCTL_THREE_THOUSAND,
+ },
+ {
+ .procname = "percpu_pagelist_fraction",
+@@ -3075,7 +3068,7 @@ static struct ctl_table vm_table[] = {
+ .mode = 0644,
+ .proc_handler = sysctl_min_unmapped_ratio_sysctl_handler,
+ .extra1 = SYSCTL_ZERO,
+- .extra2 = &one_hundred,
++ .extra2 = SYSCTL_ONE_HUNDRED,
+ },
+ {
+ .procname = "min_slab_ratio",
+@@ -3084,7 +3077,7 @@ static struct ctl_table vm_table[] = {
+ .mode = 0644,
+ .proc_handler = sysctl_min_slab_ratio_sysctl_handler,
+ .extra1 = SYSCTL_ZERO,
+- .extra2 = &one_hundred,
++ .extra2 = SYSCTL_ONE_HUNDRED,
+ },
+ #endif
+ #ifdef CONFIG_SMP
+@@ -3367,7 +3360,7 @@ static struct ctl_table fs_table[] = {
+ .mode = 0600,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = SYSCTL_ZERO,
+- .extra2 = &two,
++ .extra2 = SYSCTL_TWO,
+ },
+ {
+ .procname = "protected_regular",
+@@ -3376,7 +3369,7 @@ static struct ctl_table fs_table[] = {
+ .mode = 0600,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = SYSCTL_ZERO,
+- .extra2 = &two,
++ .extra2 = SYSCTL_TWO,
+ },
+ {
+ .procname = "suid_dumpable",
+@@ -3385,7 +3378,7 @@ static struct ctl_table fs_table[] = {
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax_coredump,
+ .extra1 = SYSCTL_ZERO,
+- .extra2 = &two,
++ .extra2 = SYSCTL_TWO,
+ },
+ #if defined(CONFIG_BINFMT_MISC) || defined(CONFIG_BINFMT_MISC_MODULE)
+ {
+--
+2.39.2
+
--- /dev/null
+From d8a73433a639b34e121ccb393e3035f3aefb2ec3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 18:38:37 +0300
+Subject: usb: gadget: udc: fix NULL dereference in remove()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 016da9c65fec9f0e78c4909ed9a0f2d567af6775 ]
+
+The "udc" pointer was never set in the probe() function so it will
+lead to a NULL dereference in udc_pci_remove() when we do:
+
+ usb_del_gadget_udc(&udc->gadget);
+
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/ZG+A/dNpFWAlCChk@kili
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/amd5536udc_pci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/gadget/udc/amd5536udc_pci.c b/drivers/usb/gadget/udc/amd5536udc_pci.c
+index c80f9bd51b750..a36913ae31f9e 100644
+--- a/drivers/usb/gadget/udc/amd5536udc_pci.c
++++ b/drivers/usb/gadget/udc/amd5536udc_pci.c
+@@ -170,6 +170,9 @@ static int udc_pci_probe(
+ retval = -ENODEV;
+ goto err_probe;
+ }
++
++ udc = dev;
++
+ return 0;
+
+ err_probe:
+--
+2.39.2
+
--- /dev/null
+From 0c582104e6035aa959041fdcd6b160335abd535c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 01:30:22 +0000
+Subject: xfrm: Ensure policies always checked on XFRM-I input path
+
+From: Benedict Wong <benedictwong@google.com>
+
+[ Upstream commit a287f5b0cfc6804c5b12a4be13c7c9fe27869e90 ]
+
+This change adds methods in the XFRM-I input path that ensures that
+policies are checked prior to processing of the subsequent decapsulated
+packet, after which the relevant policies may no longer be resolvable
+(due to changing src/dst/proto/etc).
+
+Notably, raw ESP/AH packets did not perform policy checks inherently,
+whereas all other encapsulated packets (UDP, TCP encapsulated) do policy
+checks after calling xfrm_input handling in the respective encapsulation
+layer.
+
+Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels")
+Test: Verified with additional Android Kernel Unit tests
+Test: Verified against Android CTS
+Signed-off-by: Benedict Wong <benedictwong@google.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_interface_core.c | 54 +++++++++++++++++++++++++++++++---
+ 1 file changed, 50 insertions(+), 4 deletions(-)
+
+diff --git a/net/xfrm/xfrm_interface_core.c b/net/xfrm/xfrm_interface_core.c
+index da518b4ca84c6..e4f21a6924153 100644
+--- a/net/xfrm/xfrm_interface_core.c
++++ b/net/xfrm/xfrm_interface_core.c
+@@ -207,6 +207,52 @@ static void xfrmi_scrub_packet(struct sk_buff *skb, bool xnet)
+ skb->mark = 0;
+ }
+
++static int xfrmi_input(struct sk_buff *skb, int nexthdr, __be32 spi,
++ int encap_type, unsigned short family)
++{
++ struct sec_path *sp;
++
++ sp = skb_sec_path(skb);
++ if (sp && (sp->len || sp->olen) &&
++ !xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family))
++ goto discard;
++
++ XFRM_SPI_SKB_CB(skb)->family = family;
++ if (family == AF_INET) {
++ XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
++ XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
++ } else {
++ XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
++ XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL;
++ }
++
++ return xfrm_input(skb, nexthdr, spi, encap_type);
++discard:
++ kfree_skb(skb);
++ return 0;
++}
++
++static int xfrmi4_rcv(struct sk_buff *skb)
++{
++ return xfrmi_input(skb, ip_hdr(skb)->protocol, 0, 0, AF_INET);
++}
++
++static int xfrmi6_rcv(struct sk_buff *skb)
++{
++ return xfrmi_input(skb, skb_network_header(skb)[IP6CB(skb)->nhoff],
++ 0, 0, AF_INET6);
++}
++
++static int xfrmi4_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
++{
++ return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET);
++}
++
++static int xfrmi6_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
++{
++ return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET6);
++}
++
+ static int xfrmi_rcv_cb(struct sk_buff *skb, int err)
+ {
+ const struct xfrm_mode *inner_mode;
+@@ -780,8 +826,8 @@ static struct pernet_operations xfrmi_net_ops = {
+ };
+
+ static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = {
+- .handler = xfrm6_rcv,
+- .input_handler = xfrm_input,
++ .handler = xfrmi6_rcv,
++ .input_handler = xfrmi6_input,
+ .cb_handler = xfrmi_rcv_cb,
+ .err_handler = xfrmi6_err,
+ .priority = 10,
+@@ -831,8 +877,8 @@ static struct xfrm6_tunnel xfrmi_ip6ip_handler __read_mostly = {
+ #endif
+
+ static struct xfrm4_protocol xfrmi_esp4_protocol __read_mostly = {
+- .handler = xfrm4_rcv,
+- .input_handler = xfrm_input,
++ .handler = xfrmi4_rcv,
++ .input_handler = xfrmi4_input,
+ .cb_handler = xfrmi_rcv_cb,
+ .err_handler = xfrmi4_err,
+ .priority = 10,
+--
+2.39.2
+
--- /dev/null
+From 42b015bb6eae556b45b23719a701b71a9eba5775 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jun 2023 04:06:54 -0700
+Subject: xfrm: fix inbound ipv4/udp/esp packets to UDPv6 dualstack sockets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski <maze@google.com>
+
+[ Upstream commit 1166a530a84758bb9e6b448fc8c195ed413f5ded ]
+
+Before Linux v5.8 an AF_INET6 SOCK_DGRAM (udp/udplite) socket
+with SOL_UDP, UDP_ENCAP, UDP_ENCAP_ESPINUDP{,_NON_IKE} enabled
+would just unconditionally use xfrm4_udp_encap_rcv(), afterwards
+such a socket would use the newly added xfrm6_udp_encap_rcv()
+which only handles IPv6 packets.
+
+Cc: Sabrina Dubroca <sd@queasysnail.net>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Benedict Wong <benedictwong@google.com>
+Cc: Yan Yan <evitayan@google.com>
+Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
+Signed-off-by: Maciej Żenczykowski <maze@google.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/xfrm4_input.c | 1 +
+ net/ipv6/xfrm6_input.c | 3 +++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
+index ad2afeef4f106..eac206a290d05 100644
+--- a/net/ipv4/xfrm4_input.c
++++ b/net/ipv4/xfrm4_input.c
+@@ -164,6 +164,7 @@ int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
+ kfree_skb(skb);
+ return 0;
+ }
++EXPORT_SYMBOL(xfrm4_udp_encap_rcv);
+
+ int xfrm4_rcv(struct sk_buff *skb)
+ {
+diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
+index 04cbeefd89828..4907ab241d6be 100644
+--- a/net/ipv6/xfrm6_input.c
++++ b/net/ipv6/xfrm6_input.c
+@@ -86,6 +86,9 @@ int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
+ __be32 *udpdata32;
+ __u16 encap_type = up->encap_type;
+
++ if (skb->protocol == htons(ETH_P_IP))
++ return xfrm4_udp_encap_rcv(sk, skb);
++
+ /* if this is not encapsulated socket, then just return now */
+ if (!encap_type)
+ return 1;
+--
+2.39.2
+
--- /dev/null
+From 0a6589a46a076208564c5ccb68b534d33bff749e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 10:46:56 +0200
+Subject: xfrm: interface: rename xfrm_interface.c to xfrm_interface_core.c
+
+From: Eyal Birger <eyal.birger@gmail.com>
+
+[ Upstream commit ee9a113ab63468137802898bcd2c598998c96938 ]
+
+This change allows adding additional files to the xfrm_interface module.
+
+Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
+Link: https://lore.kernel.org/r/20221203084659.1837829-2-eyal.birger@gmail.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Stable-dep-of: a287f5b0cfc6 ("xfrm: Ensure policies always checked on XFRM-I input path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/Makefile | 2 ++
+ net/xfrm/{xfrm_interface.c => xfrm_interface_core.c} | 0
+ 2 files changed, 2 insertions(+)
+ rename net/xfrm/{xfrm_interface.c => xfrm_interface_core.c} (100%)
+
+diff --git a/net/xfrm/Makefile b/net/xfrm/Makefile
+index 494aa744bfb9a..08a2870fdd36f 100644
+--- a/net/xfrm/Makefile
++++ b/net/xfrm/Makefile
+@@ -3,6 +3,8 @@
+ # Makefile for the XFRM subsystem.
+ #
+
++xfrm_interface-$(CONFIG_XFRM_INTERFACE) += xfrm_interface_core.o
++
+ obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \
+ xfrm_input.o xfrm_output.o \
+ xfrm_sysctl.o xfrm_replay.o xfrm_device.o
+diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface_core.c
+similarity index 100%
+rename from net/xfrm/xfrm_interface.c
+rename to net/xfrm/xfrm_interface_core.c
+--
+2.39.2
+
--- /dev/null
+From 9038c4e29c9715a6d71ac0c1ba5887b5a09850f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jun 2023 12:02:02 +0200
+Subject: xfrm: Linearize the skb after offloading if needed.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit f015b900bc3285322029b4a7d132d6aeb0e51857 ]
+
+With offloading enabled, esp_xmit() gets invoked very late, from within
+validate_xmit_xfrm() which is after validate_xmit_skb() validates and
+linearizes the skb if the underlying device does not support fragments.
+
+esp_output_tail() may add a fragment to the skb while adding the auth
+tag/ IV. Devices without the proper support will then send skb->data
+points to with the correct length so the packet will have garbage at the
+end. A pcap sniffer will claim that the proper data has been sent since
+it parses the skb properly.
+
+It is not affected with INET_ESP_OFFLOAD disabled.
+
+Linearize the skb after offloading if the sending hardware requires it.
+It was tested on v4, v6 has been adopted.
+
+Fixes: 7785bba299a8d ("esp: Add a software GRO codepath")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/esp4_offload.c | 3 +++
+ net/ipv6/esp6_offload.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
+index 84257678160a3..dc50764b01807 100644
+--- a/net/ipv4/esp4_offload.c
++++ b/net/ipv4/esp4_offload.c
+@@ -338,6 +338,9 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_
+
+ secpath_reset(skb);
+
++ if (skb_needs_linearize(skb, skb->dev->features) &&
++ __skb_linearize(skb))
++ return -ENOMEM;
+ return 0;
+ }
+
+diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
+index 7608be04d0f58..87dbd53c29a6e 100644
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -372,6 +372,9 @@ static int esp6_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features
+
+ secpath_reset(skb);
+
++ if (skb_needs_linearize(skb, skb->dev->features) &&
++ __skb_linearize(skb))
++ return -ENOMEM;
+ return 0;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 45c4f8c2f47fddd534c22e894c851c662097151c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 01:30:21 +0000
+Subject: xfrm: Treat already-verified secpath entries as optional
+
+From: Benedict Wong <benedictwong@google.com>
+
+[ Upstream commit 1f8b6df6a997a430b0c48b504638154b520781ad ]
+
+This change allows inbound traffic through nested IPsec tunnels to
+successfully match policies and templates, while retaining the secpath
+stack trace as necessary for netfilter policies.
+
+Specifically, this patch marks secpath entries that have already matched
+against a relevant policy as having been verified, allowing it to be
+treated as optional and skipped after a tunnel decapsulation (during
+which the src/dst/proto/etc may have changed, and the correct policy
+chain no long be resolvable).
+
+This approach is taken as opposed to the iteration in b0355dbbf13c,
+where the secpath was cleared, since that breaks subsequent validations
+that rely on the existence of the secpath entries (netfilter policies, or
+transport-in-tunnel mode, where policies remain resolvable).
+
+Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels")
+Test: Tested against Android Kernel Unit Tests
+Test: Tested against Android CTS
+Signed-off-by: Benedict Wong <benedictwong@google.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xfrm.h | 1 +
+ net/xfrm/xfrm_input.c | 1 +
+ net/xfrm/xfrm_policy.c | 12 ++++++++++++
+ 3 files changed, 14 insertions(+)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 726a2dbb407f1..7865db2f827e6 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1034,6 +1034,7 @@ struct xfrm_offload {
+ struct sec_path {
+ int len;
+ int olen;
++ int verified_cnt;
+
+ struct xfrm_state *xvec[XFRM_MAX_DEPTH];
+ struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH];
+diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
+index fef99a1c5df10..f3bccab983f05 100644
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -129,6 +129,7 @@ struct sec_path *secpath_set(struct sk_buff *skb)
+ memset(sp->ovec, 0, sizeof(sp->ovec));
+ sp->olen = 0;
+ sp->len = 0;
++ sp->verified_cnt = 0;
+
+ return sp;
+ }
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index d3b128b74a382..465d28341ed6d 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3277,6 +3277,13 @@ xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int star
+ if (xfrm_state_ok(tmpl, sp->xvec[idx], family, if_id))
+ return ++idx;
+ if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) {
++ if (idx < sp->verified_cnt) {
++ /* Secpath entry previously verified, consider optional and
++ * continue searching
++ */
++ continue;
++ }
++
+ if (start == -1)
+ start = -2-idx;
+ break;
+@@ -3688,6 +3695,9 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+ * Order is _important_. Later we will implement
+ * some barriers, but at the moment barriers
+ * are implied between each two transformations.
++ * Upon success, marks secpath entries as having been
++ * verified to allow them to be skipped in future policy
++ * checks (e.g. nested tunnels).
+ */
+ for (i = xfrm_nr-1, k = 0; i >= 0; i--) {
+ k = xfrm_policy_ok(tpp[i], sp, k, family, if_id);
+@@ -3706,6 +3716,8 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+ }
+
+ xfrm_pols_put(pols, npols);
++ sp->verified_cnt = k;
++
+ return 1;
+ }
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK);
+--
+2.39.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
