--- /dev/null
+From d41886e1d65588cc669a92da39e84fafbc52a849 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Feb 2024 14:04:53 -0800
+Subject: af_unix: Fix task hung while purging oob_skb in GC.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 25236c91b5ab4a26a56ba2e79b8060cf4e047839 ]
+
+syzbot reported a task hung; at the same time, GC was looping infinitely
+in list_for_each_entry_safe() for OOB skb. [0]
+
+syzbot demonstrated that the list_for_each_entry_safe() was not actually
+safe in this case.
+
+A single skb could have references for multiple sockets. If we free such
+a skb in the list_for_each_entry_safe(), the current and next sockets could
+be unlinked in a single iteration.
+
+unix_notinflight() uses list_del_init() to unlink the socket, so the
+prefetched next socket forms a loop itself and list_for_each_entry_safe()
+never stops.
+
+Here, we must use while() and make sure we always fetch the first socket.
+
+[0]:
+Sending NMI from CPU 0 to CPUs 1:
+NMI backtrace for cpu 1
+CPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
+RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]
+RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]
+RIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207
+Code: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 <65> 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74
+RSP: 0018:ffffc900033efa58 EFLAGS: 00000283
+RAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189
+RDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70
+RBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c
+R10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800
+R13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001
+FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <NMI>
+ </NMI>
+ <TASK>
+ unix_gc+0x563/0x13b0 net/unix/garbage.c:319
+ unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683
+ unix_release+0x91/0xf0 net/unix/af_unix.c:1064
+ __sock_release+0xb0/0x270 net/socket.c:659
+ sock_close+0x1c/0x30 net/socket.c:1421
+ __fput+0x270/0xb80 fs/file_table.c:376
+ task_work_run+0x14f/0x250 kernel/task_work.c:180
+ exit_task_work include/linux/task_work.h:38 [inline]
+ do_exit+0xa8a/0x2ad0 kernel/exit.c:871
+ do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
+ __do_sys_exit_group kernel/exit.c:1031 [inline]
+ __se_sys_exit_group kernel/exit.c:1029 [inline]
+ __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+RIP: 0033:0x7f9d6cbdac09
+Code: Unable to access opcode bytes at 0x7f9d6cbdabdf.
+RSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09
+RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
+RBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006
+R10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0
+R13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70
+ </TASK>
+
+Reported-by: syzbot+4fa4a2d1f5a5ee06f006@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=4fa4a2d1f5a5ee06f006
+Fixes: 1279f9d9dec2 ("af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20240209220453.96053-1-kuniyu@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/garbage.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/unix/garbage.c b/net/unix/garbage.c
+index 767b338a7a2d4..9e1bab97c05ba 100644
+--- a/net/unix/garbage.c
++++ b/net/unix/garbage.c
+@@ -315,10 +315,11 @@ void unix_gc(void)
+ __skb_queue_purge(&hitlist);
+
+ #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
+- list_for_each_entry_safe(u, next, &gc_candidates, link) {
+- struct sk_buff *skb = u->oob_skb;
++ while (!list_empty(&gc_candidates)) {
++ u = list_entry(gc_candidates.next, struct unix_sock, link);
++ if (u->oob_skb) {
++ struct sk_buff *skb = u->oob_skb;
+
+- if (skb) {
+ u->oob_skb = NULL;
+ kfree_skb(skb);
+ }
+--
+2.43.0
+
--- /dev/null
+From 4cec56b62381722cdde279ed0461e31806f4ca3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Apr 2023 11:19:46 +0200
+Subject: ARM: dts: imx: Adjust dma-apbh node name
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit e9f5cd85f1f931bb7b64031492f7051187ccaac7 ]
+
+Currently the dtbs_check generates warnings like this:
+
+$nodename:0: 'dma-apbh@110000' does not match '^dma-controller(@.*)?$'
+
+So fix all affected dma-apbh node names.
+
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx23.dtsi | 2 +-
+ arch/arm/boot/dts/imx28.dtsi | 2 +-
+ arch/arm/boot/dts/imx6qdl.dtsi | 2 +-
+ arch/arm/boot/dts/imx6sx.dtsi | 2 +-
+ arch/arm/boot/dts/imx6ul.dtsi | 2 +-
+ arch/arm/boot/dts/imx7s.dtsi | 2 +-
+ 6 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx23.dtsi b/arch/arm/boot/dts/imx23.dtsi
+index ec476b1596496..b236d23f80715 100644
+--- a/arch/arm/boot/dts/imx23.dtsi
++++ b/arch/arm/boot/dts/imx23.dtsi
+@@ -59,7 +59,7 @@ icoll: interrupt-controller@80000000 {
+ reg = <0x80000000 0x2000>;
+ };
+
+- dma_apbh: dma-apbh@80004000 {
++ dma_apbh: dma-controller@80004000 {
+ compatible = "fsl,imx23-dma-apbh";
+ reg = <0x80004000 0x2000>;
+ interrupts = <0 14 20 0
+diff --git a/arch/arm/boot/dts/imx28.dtsi b/arch/arm/boot/dts/imx28.dtsi
+index b15df16ecb01a..b81592a613112 100644
+--- a/arch/arm/boot/dts/imx28.dtsi
++++ b/arch/arm/boot/dts/imx28.dtsi
+@@ -78,7 +78,7 @@ hsadc: hsadc@80002000 {
+ status = "disabled";
+ };
+
+- dma_apbh: dma-apbh@80004000 {
++ dma_apbh: dma-controller@80004000 {
+ compatible = "fsl,imx28-dma-apbh";
+ reg = <0x80004000 0x2000>;
+ interrupts = <82 83 84 85
+diff --git a/arch/arm/boot/dts/imx6qdl.dtsi b/arch/arm/boot/dts/imx6qdl.dtsi
+index ff1e0173b39be..2c6eada01d792 100644
+--- a/arch/arm/boot/dts/imx6qdl.dtsi
++++ b/arch/arm/boot/dts/imx6qdl.dtsi
+@@ -150,7 +150,7 @@ soc: soc {
+ interrupt-parent = <&gpc>;
+ ranges;
+
+- dma_apbh: dma-apbh@110000 {
++ dma_apbh: dma-controller@110000 {
+ compatible = "fsl,imx6q-dma-apbh", "fsl,imx28-dma-apbh";
+ reg = <0x00110000 0x2000>;
+ interrupts = <0 13 IRQ_TYPE_LEVEL_HIGH>,
+diff --git a/arch/arm/boot/dts/imx6sx.dtsi b/arch/arm/boot/dts/imx6sx.dtsi
+index 1f1053a898fbf..67d344ae76b51 100644
+--- a/arch/arm/boot/dts/imx6sx.dtsi
++++ b/arch/arm/boot/dts/imx6sx.dtsi
+@@ -209,7 +209,7 @@ gpu: gpu@1800000 {
+ power-domains = <&pd_pu>;
+ };
+
+- dma_apbh: dma-apbh@1804000 {
++ dma_apbh: dma-controller@1804000 {
+ compatible = "fsl,imx6sx-dma-apbh", "fsl,imx28-dma-apbh";
+ reg = <0x01804000 0x2000>;
+ interrupts = <GIC_SPI 13 IRQ_TYPE_LEVEL_HIGH>,
+diff --git a/arch/arm/boot/dts/imx6ul.dtsi b/arch/arm/boot/dts/imx6ul.dtsi
+index 2b5996395701a..aac081b6daaac 100644
+--- a/arch/arm/boot/dts/imx6ul.dtsi
++++ b/arch/arm/boot/dts/imx6ul.dtsi
+@@ -164,7 +164,7 @@ intc: interrupt-controller@a01000 {
+ <0x00a06000 0x2000>;
+ };
+
+- dma_apbh: dma-apbh@1804000 {
++ dma_apbh: dma-controller@1804000 {
+ compatible = "fsl,imx6q-dma-apbh", "fsl,imx28-dma-apbh";
+ reg = <0x01804000 0x2000>;
+ interrupts = <0 13 IRQ_TYPE_LEVEL_HIGH>,
+diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi
+index 4b23630fc738d..2940dacaa56fc 100644
+--- a/arch/arm/boot/dts/imx7s.dtsi
++++ b/arch/arm/boot/dts/imx7s.dtsi
+@@ -1267,7 +1267,7 @@ fec1: ethernet@30be0000 {
+ };
+ };
+
+- dma_apbh: dma-apbh@33000000 {
++ dma_apbh: dma-controller@33000000 {
+ compatible = "fsl,imx7d-dma-apbh", "fsl,imx28-dma-apbh";
+ reg = <0x33000000 0x2000>;
+ interrupts = <GIC_SPI 12 IRQ_TYPE_LEVEL_HIGH>,
+--
+2.43.0
+
--- /dev/null
+From 9a00a38a2bef39fb0c5917fda698100e25b50f56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Dec 2022 02:08:53 +0100
+Subject: ARM: dts: imx7s: Drop dma-apb interrupt-names
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 9928f0a9e7c0cee3360ca1442b4001d34ad67556 ]
+
+Drop "interrupt-names" property, since it is broken. The drivers/dma/mxs-dma.c
+in Linux kernel does not use it, the property contains duplicate array entries
+in existing DTs, and even malformed entries (gmpi, should have been gpmi). Get
+rid of that optional property altogether.
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx7s.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi
+index 2940dacaa56fc..69aebc691526f 100644
+--- a/arch/arm/boot/dts/imx7s.dtsi
++++ b/arch/arm/boot/dts/imx7s.dtsi
+@@ -1274,7 +1274,6 @@ dma_apbh: dma-controller@33000000 {
+ <GIC_SPI 12 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 12 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 12 IRQ_TYPE_LEVEL_HIGH>;
+- interrupt-names = "gpmi0", "gpmi1", "gpmi2", "gpmi3";
+ #dma-cells = <1>;
+ dma-channels = <4>;
+ clocks = <&clks IMX7D_NAND_USDHC_BUS_RAWNAND_CLK>;
+--
+2.43.0
+
--- /dev/null
+From d36713c8efc0cb605b54bd6516006f43e303e52e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 09:59:10 +0100
+Subject: clk: tegra20: fix gcc-7 constant overflow warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit b4a2adbf3586efa12fe78b9dec047423e01f3010 ]
+
+Older gcc versions get confused by comparing a u32 value to a negative
+constant in a switch()/case block:
+
+drivers/clk/tegra/clk-tegra20.c: In function 'tegra20_clk_measure_input_freq':
+drivers/clk/tegra/clk-tegra20.c:581:2: error: case label does not reduce to an integer constant
+ case OSC_CTRL_OSC_FREQ_12MHZ:
+ ^~~~
+drivers/clk/tegra/clk-tegra20.c:593:2: error: case label does not reduce to an integer constant
+ case OSC_CTRL_OSC_FREQ_26MHZ:
+
+Make the constants unsigned instead.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20230227085914.2560984-1-arnd@kernel.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/tegra/clk-tegra20.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/clk/tegra/clk-tegra20.c b/drivers/clk/tegra/clk-tegra20.c
+index 422d782475532..dcacc5064d339 100644
+--- a/drivers/clk/tegra/clk-tegra20.c
++++ b/drivers/clk/tegra/clk-tegra20.c
+@@ -21,24 +21,24 @@
+ #define MISC_CLK_ENB 0x48
+
+ #define OSC_CTRL 0x50
+-#define OSC_CTRL_OSC_FREQ_MASK (3<<30)
+-#define OSC_CTRL_OSC_FREQ_13MHZ (0<<30)
+-#define OSC_CTRL_OSC_FREQ_19_2MHZ (1<<30)
+-#define OSC_CTRL_OSC_FREQ_12MHZ (2<<30)
+-#define OSC_CTRL_OSC_FREQ_26MHZ (3<<30)
+-#define OSC_CTRL_MASK (0x3f2 | OSC_CTRL_OSC_FREQ_MASK)
+-
+-#define OSC_CTRL_PLL_REF_DIV_MASK (3<<28)
+-#define OSC_CTRL_PLL_REF_DIV_1 (0<<28)
+-#define OSC_CTRL_PLL_REF_DIV_2 (1<<28)
+-#define OSC_CTRL_PLL_REF_DIV_4 (2<<28)
++#define OSC_CTRL_OSC_FREQ_MASK (3u<<30)
++#define OSC_CTRL_OSC_FREQ_13MHZ (0u<<30)
++#define OSC_CTRL_OSC_FREQ_19_2MHZ (1u<<30)
++#define OSC_CTRL_OSC_FREQ_12MHZ (2u<<30)
++#define OSC_CTRL_OSC_FREQ_26MHZ (3u<<30)
++#define OSC_CTRL_MASK (0x3f2u | OSC_CTRL_OSC_FREQ_MASK)
++
++#define OSC_CTRL_PLL_REF_DIV_MASK (3u<<28)
++#define OSC_CTRL_PLL_REF_DIV_1 (0u<<28)
++#define OSC_CTRL_PLL_REF_DIV_2 (1u<<28)
++#define OSC_CTRL_PLL_REF_DIV_4 (2u<<28)
+
+ #define OSC_FREQ_DET 0x58
+-#define OSC_FREQ_DET_TRIG (1<<31)
++#define OSC_FREQ_DET_TRIG (1u<<31)
+
+ #define OSC_FREQ_DET_STATUS 0x5c
+-#define OSC_FREQ_DET_BUSY (1<<31)
+-#define OSC_FREQ_DET_CNT_MASK 0xFFFF
++#define OSC_FREQ_DET_BUSYu (1<<31)
++#define OSC_FREQ_DET_CNT_MASK 0xFFFFu
+
+ #define TEGRA20_CLK_PERIPH_BANKS 3
+
+--
+2.43.0
+
--- /dev/null
+From 8570bba2179af0db25e4e55e97d9cc2dd15fa6f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 23:04:42 +0100
+Subject: drm/meson: Don't remove bridges which are created by other drivers
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit bd915ae73a2d78559b376ad2caf5e4ef51de2455 ]
+
+Stop calling drm_bridge_remove() for bridges allocated/managed by other
+drivers in the remove paths of meson_encoder_{cvbs,dsi,hdmi}.
+drm_bridge_remove() unregisters the bridge so it cannot be used
+anymore. Doing so for bridges we don't own can lead to the video
+pipeline not being able to come up after -EPROBE_DEFER of the VPU
+because we're unregistering a bridge that's managed by another driver.
+The other driver doesn't know that we have unregistered it's bridge
+and on subsequent .probe() we're not able to find those bridges anymore
+(since nobody re-creates them).
+
+This fixes probe errors on Meson8b boards with the CVBS outputs enabled.
+
+Fixes: 09847723c12f ("drm/meson: remove drm bridges at aggregate driver unbind time")
+Fixes: 42dcf15f901c ("drm/meson: add DSI encoder")
+Cc: <stable@vger.kernel.org>
+Reported-by: Steve Morvai <stevemorvai@hotmail.com>
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Tested-by: Steve Morvai <stevemorvai@hotmail.com>
+Link: https://lore.kernel.org/r/20240215220442.1343152-1-martin.blumenstingl@googlemail.com
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240215220442.1343152-1-martin.blumenstingl@googlemail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_encoder_cvbs.c | 1 -
+ drivers/gpu/drm/meson/meson_encoder_hdmi.c | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_encoder_cvbs.c b/drivers/gpu/drm/meson/meson_encoder_cvbs.c
+index 3f73b211fa8e3..3407450435e20 100644
+--- a/drivers/gpu/drm/meson/meson_encoder_cvbs.c
++++ b/drivers/gpu/drm/meson/meson_encoder_cvbs.c
+@@ -294,6 +294,5 @@ void meson_encoder_cvbs_remove(struct meson_drm *priv)
+ if (priv->encoders[MESON_ENC_CVBS]) {
+ meson_encoder_cvbs = priv->encoders[MESON_ENC_CVBS];
+ drm_bridge_remove(&meson_encoder_cvbs->bridge);
+- drm_bridge_remove(meson_encoder_cvbs->next_bridge);
+ }
+ }
+diff --git a/drivers/gpu/drm/meson/meson_encoder_hdmi.c b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
+index b14e6e507c61b..03062e7a02b64 100644
+--- a/drivers/gpu/drm/meson/meson_encoder_hdmi.c
++++ b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
+@@ -472,6 +472,5 @@ void meson_encoder_hdmi_remove(struct meson_drm *priv)
+ if (priv->encoders[MESON_ENC_HDMI]) {
+ meson_encoder_hdmi = priv->encoders[MESON_ENC_HDMI];
+ drm_bridge_remove(&meson_encoder_hdmi->bridge);
+- drm_bridge_remove(meson_encoder_hdmi->next_bridge);
+ }
+ }
+--
+2.43.0
+
--- /dev/null
+From 3b5e3c1e7104ebd124f37def40b8e6c592afc258 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 May 2023 09:38:09 +0200
+Subject: drm/meson: fix unbind path if HDMI fails to bind
+
+From: Neil Armstrong <neil.armstrong@linaro.org>
+
+[ Upstream commit 6a044642988b5f8285f3173b8e88784bef2bc306 ]
+
+If the case the HDMI controller fails to bind, we try to unbind
+all components before calling drm_dev_put() which makes drm_bridge_detach()
+crash because unbinding the HDMI controller frees the bridge memory.
+
+The solution is the unbind all components at the end like in the remove
+path.
+
+Reviewed-by: Nicolas Belin <nbelin@baylibre.com>
+Tested-by: Nicolas Belin <nbelin@baylibre.com>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230512-amlogic-v6-4-upstream-dsi-ccf-vim3-v5-8-56eb7a4d5b8e@linaro.org
+Stable-dep-of: bd915ae73a2d ("drm/meson: Don't remove bridges which are created by other drivers")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_drv.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c
+index 119544d88b586..fbac39aa38cc4 100644
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -316,32 +316,34 @@ static int meson_drv_bind_master(struct device *dev, bool has_components)
+ goto exit_afbcd;
+
+ if (has_components) {
+- ret = component_bind_all(drm->dev, drm);
++ ret = component_bind_all(dev, drm);
+ if (ret) {
+ dev_err(drm->dev, "Couldn't bind all components\n");
++ /* Do not try to unbind */
++ has_components = false;
+ goto exit_afbcd;
+ }
+ }
+
+ ret = meson_encoder_hdmi_init(priv);
+ if (ret)
+- goto unbind_all;
++ goto exit_afbcd;
+
+ ret = meson_plane_create(priv);
+ if (ret)
+- goto unbind_all;
++ goto exit_afbcd;
+
+ ret = meson_overlay_create(priv);
+ if (ret)
+- goto unbind_all;
++ goto exit_afbcd;
+
+ ret = meson_crtc_create(priv);
+ if (ret)
+- goto unbind_all;
++ goto exit_afbcd;
+
+ ret = request_irq(priv->vsync_irq, meson_irq, 0, drm->driver->name, drm);
+ if (ret)
+- goto unbind_all;
++ goto exit_afbcd;
+
+ drm_mode_config_reset(drm);
+
+@@ -359,15 +361,18 @@ static int meson_drv_bind_master(struct device *dev, bool has_components)
+
+ uninstall_irq:
+ free_irq(priv->vsync_irq, drm);
+-unbind_all:
+- if (has_components)
+- component_unbind_all(drm->dev, drm);
+ exit_afbcd:
+ if (priv->afbcd.ops)
+ priv->afbcd.ops->exit(priv);
+ free_drm:
+ drm_dev_put(drm);
+
++ meson_encoder_hdmi_remove(priv);
++ meson_encoder_cvbs_remove(priv);
++
++ if (has_components)
++ component_unbind_all(dev, drm);
++
+ return ret;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 2ea9b26948d4d70c1ebfa1f54657b5ba66c2eddb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Oct 2022 23:15:06 +0800
+Subject: fs/ntfs3: Add length check in indx_get_root
+
+From: Edward Lo <edward.lo@ambergroup.io>
+
+[ Upstream commit 08e8cf5f2d9ec383a2e339a2711b62a54ff3fba0 ]
+
+This adds a length check to guarantee the retrieved index root is legit.
+
+[ 162.459513] BUG: KASAN: use-after-free in hdr_find_e.isra.0+0x10c/0x320
+[ 162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243
+[ 162.460851]
+[ 162.461252] CPU: 0 PID: 243 Comm: mount Not tainted 6.0.0-rc7 #42
+[ 162.461744] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+[ 162.462609] Call Trace:
+[ 162.462954] <TASK>
+[ 162.463276] dump_stack_lvl+0x49/0x63
+[ 162.463822] print_report.cold+0xf5/0x689
+[ 162.464608] ? unwind_get_return_address+0x3a/0x60
+[ 162.465766] ? hdr_find_e.isra.0+0x10c/0x320
+[ 162.466975] kasan_report+0xa7/0x130
+[ 162.467506] ? _raw_spin_lock_irq+0xc0/0xf0
+[ 162.467998] ? hdr_find_e.isra.0+0x10c/0x320
+[ 162.468536] __asan_load2+0x68/0x90
+[ 162.468923] hdr_find_e.isra.0+0x10c/0x320
+[ 162.469282] ? cmp_uints+0xe0/0xe0
+[ 162.469557] ? cmp_sdh+0x90/0x90
+[ 162.469864] ? ni_find_attr+0x214/0x300
+[ 162.470217] ? ni_load_mi+0x80/0x80
+[ 162.470479] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 162.470931] ? ntfs_bread_run+0x190/0x190
+[ 162.471307] ? indx_get_root+0xe4/0x190
+[ 162.471556] ? indx_get_root+0x140/0x190
+[ 162.471833] ? indx_init+0x1e0/0x1e0
+[ 162.472069] ? fnd_clear+0x115/0x140
+[ 162.472363] ? _raw_spin_lock_irqsave+0x100/0x100
+[ 162.472731] indx_find+0x184/0x470
+[ 162.473461] ? sysvec_apic_timer_interrupt+0x57/0xc0
+[ 162.474429] ? indx_find_buffer+0x2d0/0x2d0
+[ 162.474704] ? do_syscall_64+0x3b/0x90
+[ 162.474962] dir_search_u+0x196/0x2f0
+[ 162.475381] ? ntfs_nls_to_utf16+0x450/0x450
+[ 162.475661] ? ntfs_security_init+0x3d6/0x440
+[ 162.475906] ? is_sd_valid+0x180/0x180
+[ 162.476191] ntfs_extend_init+0x13f/0x2c0
+[ 162.476496] ? ntfs_fix_post_read+0x130/0x130
+[ 162.476861] ? iput.part.0+0x286/0x320
+[ 162.477325] ntfs_fill_super+0x11e0/0x1b50
+[ 162.477709] ? put_ntfs+0x1d0/0x1d0
+[ 162.477970] ? vsprintf+0x20/0x20
+[ 162.478258] ? set_blocksize+0x95/0x150
+[ 162.478538] get_tree_bdev+0x232/0x370
+[ 162.478789] ? put_ntfs+0x1d0/0x1d0
+[ 162.479038] ntfs_fs_get_tree+0x15/0x20
+[ 162.479374] vfs_get_tree+0x4c/0x130
+[ 162.479729] path_mount+0x654/0xfe0
+[ 162.480124] ? putname+0x80/0xa0
+[ 162.480484] ? finish_automount+0x2e0/0x2e0
+[ 162.480894] ? putname+0x80/0xa0
+[ 162.481467] ? kmem_cache_free+0x1c4/0x440
+[ 162.482280] ? putname+0x80/0xa0
+[ 162.482714] do_mount+0xd6/0xf0
+[ 162.483264] ? path_mount+0xfe0/0xfe0
+[ 162.484782] ? __kasan_check_write+0x14/0x20
+[ 162.485593] __x64_sys_mount+0xca/0x110
+[ 162.486024] do_syscall_64+0x3b/0x90
+[ 162.486543] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 162.487141] RIP: 0033:0x7f9d374e948a
+[ 162.488324] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
+[ 162.489728] RSP: 002b:00007ffe30e73d18 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
+[ 162.490971] RAX: ffffffffffffffda RBX: 0000561cdb43a060 RCX: 00007f9d374e948a
+[ 162.491669] RDX: 0000561cdb43a260 RSI: 0000561cdb43a2e0 RDI: 0000561cdb442af0
+[ 162.492050] RBP: 0000000000000000 R08: 0000561cdb43a280 R09: 0000000000000020
+[ 162.492459] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000561cdb442af0
+[ 162.493183] R13: 0000561cdb43a260 R14: 0000000000000000 R15: 00000000ffffffff
+[ 162.493644] </TASK>
+[ 162.493908]
+[ 162.494214] The buggy address belongs to the physical page:
+[ 162.494761] page:000000003e38a3d5 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x37bc
+[ 162.496064] flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)
+[ 162.497278] raw: 000fffffc0000000 ffffea00000df1c8 ffffea00000df008 0000000000000000
+[ 162.498928] raw: 0000000000000000 0000000000240000 00000000ffffffff 0000000000000000
+[ 162.500542] page dumped because: kasan: bad access detected
+[ 162.501057]
+[ 162.501242] Memory state around the buggy address:
+[ 162.502230] ffff8880037bc980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 162.502977] ffff8880037bca00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 162.503522] >ffff8880037bca80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 162.503963] ^
+[ 162.504370] ffff8880037bcb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 162.504766] ffff8880037bcb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+
+Signed-off-by: Edward Lo <edward.lo@ambergroup.io>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/index.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
+index 7371f7855e4c4..eee01db6e0cc5 100644
+--- a/fs/ntfs3/index.c
++++ b/fs/ntfs3/index.c
+@@ -998,6 +998,7 @@ struct INDEX_ROOT *indx_get_root(struct ntfs_index *indx, struct ntfs_inode *ni,
+ struct ATTR_LIST_ENTRY *le = NULL;
+ struct ATTRIB *a;
+ const struct INDEX_NAMES *in = &s_index_names[indx->type];
++ struct INDEX_ROOT *root = NULL;
+
+ a = ni_find_attr(ni, NULL, &le, ATTR_ROOT, in->name, in->name_len, NULL,
+ mi);
+@@ -1007,7 +1008,15 @@ struct INDEX_ROOT *indx_get_root(struct ntfs_index *indx, struct ntfs_inode *ni,
+ if (attr)
+ *attr = a;
+
+- return resident_data_ex(a, sizeof(struct INDEX_ROOT));
++ root = resident_data_ex(a, sizeof(struct INDEX_ROOT));
++
++ /* length check */
++ if (root && offsetof(struct INDEX_ROOT, ihdr) + le32_to_cpu(root->ihdr.used) >
++ le32_to_cpu(a->res.data_size)) {
++ return NULL;
++ }
++
++ return root;
+ }
+
+ static int indx_write(struct ntfs_index *indx, struct ntfs_inode *ni,
+--
+2.43.0
+
--- /dev/null
+From f8f15d8d060ea5d23f22b377ab438cdeb846ed04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 16:59:43 +0800
+Subject: fs/ntfs3: Fix a possible null-pointer dereference in ni_clear()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit ec275bf9693d19cc0fdce8436f4c425ced86f6e7 ]
+
+In a previous commit c1006bd13146, ni->mi.mrec in ni_write_inode()
+could be NULL, and thus a NULL check is added for this variable.
+
+However, in the same call stack, ni->mi.mrec can be also dereferenced
+in ni_clear():
+
+ntfs_evict_inode(inode)
+ ni_write_inode(inode, ...)
+ ni = ntfs_i(inode);
+ is_rec_inuse(ni->mi.mrec) -> Add a NULL check by previous commit
+ ni_clear(ntfs_i(inode))
+ is_rec_inuse(ni->mi.mrec) -> No check
+
+Thus, a possible null-pointer dereference may exist in ni_clear().
+To fix it, a NULL check is added in this function.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/frecord.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
+index bb7e33c240737..1f0e230ec9e2c 100644
+--- a/fs/ntfs3/frecord.c
++++ b/fs/ntfs3/frecord.c
+@@ -102,7 +102,7 @@ void ni_clear(struct ntfs_inode *ni)
+ {
+ struct rb_node *node;
+
+- if (!ni->vfs_inode.i_nlink && is_rec_inuse(ni->mi.mrec))
++ if (!ni->vfs_inode.i_nlink && ni->mi.mrec && is_rec_inuse(ni->mi.mrec))
+ ni_delete_all(ni);
+
+ al_destroy(ni);
+--
+2.43.0
+
--- /dev/null
+From 63d7078b2a30d58c5fd46c6290de2eb73314d423 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Oct 2022 12:32:51 +0530
+Subject: fs/ntfs3: Fix NULL dereference in ni_write_inode
+
+From: Abdun Nihaal <abdun.nihaal@gmail.com>
+
+[ Upstream commit 8dae4f6341e335a09575be60b4fdf697c732a470 ]
+
+Syzbot reports a NULL dereference in ni_write_inode.
+When creating a new inode, if allocation fails in mi_init function
+(called in mi_format_new function), mi->mrec is set to NULL.
+In the error path of this inode creation, mi->mrec is later
+dereferenced in ni_write_inode.
+
+Add a NULL check to prevent NULL dereference.
+
+Link: https://syzkaller.appspot.com/bug?extid=f45957555ed4a808cc7a
+Reported-and-tested-by: syzbot+f45957555ed4a808cc7a@syzkaller.appspotmail.com
+Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/frecord.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
+index 1f0e230ec9e2c..d260260900241 100644
+--- a/fs/ntfs3/frecord.c
++++ b/fs/ntfs3/frecord.c
+@@ -3255,6 +3255,9 @@ int ni_write_inode(struct inode *inode, int sync, const char *hint)
+ return 0;
+ }
+
++ if (!ni->mi.mrec)
++ goto out;
++
+ if (is_rec_inuse(ni->mi.mrec) &&
+ !(sbi->flags & NTFS_FLAGS_LOG_REPLAYING) && inode->i_nlink) {
+ bool modified = false;
+--
+2.43.0
+
--- /dev/null
+From 90423707156da032e551b29f264967cc543c9569 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 17:19:12 +0800
+Subject: fs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode'
+
+From: Ye Bin <yebin10@huawei.com>
+
+[ Upstream commit db2a3cc6a3481076da6344cc62a80a4e2525f36f ]
+
+Syzbot found the following issue:
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000016
+Mem abort info:
+ ESR = 0x0000000096000006
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x06: level 2 translation fault
+Data abort info:
+ ISV = 0, ISS = 0x00000006
+ CM = 0, WnR = 0
+user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af56000
+[0000000000000016] pgd=08000001090da003, p4d=08000001090da003, pud=08000001090ce003, pmd=0000000000000000
+Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
+Modules linked in:
+CPU: 1 PID: 3036 Comm: syz-executor206 Not tainted 6.0.0-rc6-syzkaller-17739-g16c9f284e746 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
+pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]
+pc : ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232
+lr : ni_write_inode+0xa0/0x798 fs/ntfs3/frecord.c:3226
+sp : ffff8000126c3800
+x29: ffff8000126c3860 x28: 0000000000000000 x27: ffff0000c8b02000
+x26: ffff0000c7502320 x25: ffff0000c7502288 x24: 0000000000000000
+x23: ffff80000cbec91c x22: ffff0000c8b03000 x21: ffff0000c8b02000
+x20: 0000000000000001 x19: ffff0000c75024d8 x18: 00000000000000c0
+x17: ffff80000dd1b198 x16: ffff80000db59158 x15: ffff0000c4b6b500
+x14: 00000000000000b8 x13: 0000000000000000 x12: ffff0000c4b6b500
+x11: ff80800008be1b60 x10: 0000000000000000 x9 : ffff0000c4b6b500
+x8 : 0000000000000000 x7 : ffff800008be1b50 x6 : 0000000000000000
+x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
+x2 : 0000000000000008 x1 : 0000000000000001 x0 : 0000000000000000
+Call trace:
+ is_rec_inuse fs/ntfs3/ntfs.h:313 [inline]
+ ni_write_inode+0xac/0x798 fs/ntfs3/frecord.c:3232
+ ntfs_evict_inode+0x54/0x84 fs/ntfs3/inode.c:1744
+ evict+0xec/0x334 fs/inode.c:665
+ iput_final fs/inode.c:1748 [inline]
+ iput+0x2c4/0x324 fs/inode.c:1774
+ ntfs_new_inode+0x7c/0xe0 fs/ntfs3/fsntfs.c:1660
+ ntfs_create_inode+0x20c/0xe78 fs/ntfs3/inode.c:1278
+ ntfs_create+0x54/0x74 fs/ntfs3/namei.c:100
+ lookup_open fs/namei.c:3413 [inline]
+ open_last_lookups fs/namei.c:3481 [inline]
+ path_openat+0x804/0x11c4 fs/namei.c:3688
+ do_filp_open+0xdc/0x1b8 fs/namei.c:3718
+ do_sys_openat2+0xb8/0x22c fs/open.c:1311
+ do_sys_open fs/open.c:1327 [inline]
+ __do_sys_openat fs/open.c:1343 [inline]
+ __se_sys_openat fs/open.c:1338 [inline]
+ __arm64_sys_openat+0xb0/0xe0 fs/open.c:1338
+ __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
+ invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
+ el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
+ do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
+ el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
+ el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
+ el0t_64_sync+0x18c/0x190
+Code: 97dafee4 340001b4 f9401328 2a1f03e0 (79402d14)
+---[ end trace 0000000000000000 ]---
+
+Above issue may happens as follows:
+ntfs_new_inode
+ mi_init
+ mi->mrec = kmalloc(sbi->record_size, GFP_NOFS); -->failed to allocate memory
+ if (!mi->mrec)
+ return -ENOMEM;
+iput
+ iput_final
+ evict
+ ntfs_evict_inode
+ ni_write_inode
+ is_rec_inuse(ni->mi.mrec)-> As 'ni->mi.mrec' is NULL trigger NULL-ptr-deref
+
+To solve above issue if new inode failed make inode bad before call 'iput()' in
+'ntfs_new_inode()'.
+
+Reported-by: syzbot+f45957555ed4a808cc7a@syzkaller.appspotmail.com
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/fsntfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/ntfs3/fsntfs.c b/fs/ntfs3/fsntfs.c
+index 1eac80d55b554..4c2d079b3d49b 100644
+--- a/fs/ntfs3/fsntfs.c
++++ b/fs/ntfs3/fsntfs.c
+@@ -1674,6 +1674,7 @@ struct ntfs_inode *ntfs_new_inode(struct ntfs_sb_info *sbi, CLST rno, bool dir)
+
+ out:
+ if (err) {
++ make_bad_inode(inode);
+ iput(inode);
+ ni = ERR_PTR(err);
+ }
+--
+2.43.0
+
--- /dev/null
+From a440716c71c895bf58862eda211a423a6abdd233 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Apr 2023 23:57:42 -0700
+Subject: Input: xpad - add constants for GIP interface numbers
+
+From: Vicki Pfau <vi@endrift.com>
+
+[ Upstream commit f9b2e603c6216824e34dc9a67205d98ccc9a41ca ]
+
+Wired GIP devices present multiple interfaces with the same USB identification
+other than the interface number. This adds constants for differentiating two of
+them and uses them where appropriate
+
+Signed-off-by: Vicki Pfau <vi@endrift.com>
+Link: https://lore.kernel.org/r/20230411031650.960322-2-vi@endrift.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/joystick/xpad.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
+index 02f3bc4e4895e..13c36f51b9353 100644
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -564,6 +564,9 @@ struct xboxone_init_packet {
+ #define GIP_MOTOR_LT BIT(3)
+ #define GIP_MOTOR_ALL (GIP_MOTOR_R | GIP_MOTOR_L | GIP_MOTOR_RT | GIP_MOTOR_LT)
+
++#define GIP_WIRED_INTF_DATA 0
++#define GIP_WIRED_INTF_AUDIO 1
++
+ /*
+ * This packet is required for all Xbox One pads with 2015
+ * or later firmware installed (or present from the factory).
+@@ -2008,7 +2011,7 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id
+ }
+
+ if (xpad->xtype == XTYPE_XBOXONE &&
+- intf->cur_altsetting->desc.bInterfaceNumber != 0) {
++ intf->cur_altsetting->desc.bInterfaceNumber != GIP_WIRED_INTF_DATA) {
+ /*
+ * The Xbox One controller lists three interfaces all with the
+ * same interface class, subclass and protocol. Differentiate by
+--
+2.43.0
+
--- /dev/null
+From fcc184e92c49f8faacce09999edc6f666cf57e4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Mar 2023 13:30:29 +0530
+Subject: iommu/arm-smmu-qcom: Limit the SMR groups to 128
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+[ Upstream commit 12261134732689b7e30c59db9978f81230965181 ]
+
+Some platforms support more than 128 stream matching groups than what is
+defined by the ARM SMMU architecture specification. But due to some unknown
+reasons, those additional groups don't exhibit the same behavior as the
+architecture supported ones.
+
+For instance, the additional groups will not detect the quirky behavior of
+some firmware versions intercepting writes to S2CR register, thus skipping
+the quirk implemented in the driver and causing boot crash.
+
+So let's limit the groups to 128 for now until the issue with those groups
+are fixed and issue a notice to users in that case.
+
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20230327080029.11584-1-manivannan.sadhasivam@linaro.org
+[will: Reworded the comment slightly]
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+index d80065c8105af..f15dcb9e4175c 100644
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+@@ -267,12 +267,26 @@ static int qcom_smmu_init_context(struct arm_smmu_domain *smmu_domain,
+
+ static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu)
+ {
+- unsigned int last_s2cr = ARM_SMMU_GR0_S2CR(smmu->num_mapping_groups - 1);
+ struct qcom_smmu *qsmmu = to_qcom_smmu(smmu);
++ unsigned int last_s2cr;
+ u32 reg;
+ u32 smr;
+ int i;
+
++ /*
++ * Some platforms support more than the Arm SMMU architected maximum of
++ * 128 stream matching groups. For unknown reasons, the additional
++ * groups don't exhibit the same behavior as the architected registers,
++ * so limit the groups to 128 until the behavior is fixed for the other
++ * groups.
++ */
++ if (smmu->num_mapping_groups > 128) {
++ dev_notice(smmu->dev, "\tLimiting the stream matching groups to 128\n");
++ smmu->num_mapping_groups = 128;
++ }
++
++ last_s2cr = ARM_SMMU_GR0_S2CR(smmu->num_mapping_groups - 1);
++
+ /*
+ * With some firmware versions writes to S2CR of type FAULT are
+ * ignored, and writing BYPASS will end up written as FAULT in the
+--
+2.43.0
+
--- /dev/null
+From 6b7fa0b87d14d425d000378fd76d5a5073d23727 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Mar 2023 12:34:19 +0000
+Subject: iommu/arm-smmu-v3: Acknowledge pri/event queue overflow if any
+
+From: Tomas Krcka <krckatom@amazon.de>
+
+[ Upstream commit 67ea0b7ce41844eae7c10bb04dfe66a23318c224 ]
+
+When an overflow occurs in the PRI queue, the SMMU toggles the overflow
+flag in the PROD register. To exit the overflow condition, the PRI thread
+is supposed to acknowledge it by toggling this flag in the CONS register.
+Unacknowledged overflow causes the queue to stop adding anything new.
+
+Currently, the priq thread always writes the CONS register back to the
+SMMU after clearing the queue.
+
+The writeback is not necessary if the OVFLG in the PROD register has not
+been changed, no overflow has occured.
+
+This commit checks the difference of the overflow flag between CONS and
+PROD register. If it's different, toggles the OVACKFLG flag in the CONS
+register and write it to the SMMU.
+
+The situation is similar for the event queue.
+The acknowledge register is also toggled after clearing the event
+queue but never propagated to the hardware. This would only be done the
+next time when executing evtq thread.
+
+Unacknowledged event queue overflow doesn't affect the event
+queue, because the SMMU still adds elements to that queue when the
+overflow condition is active.
+But it feel nicer to keep SMMU in sync when possible, so use the same
+way here as well.
+
+Signed-off-by: Tomas Krcka <krckatom@amazon.de>
+Link: https://lore.kernel.org/r/20230329123420.34641-1-tomas.krcka@gmail.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
+index 8966f7d5aab61..82f100e591b5a 100644
+--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
++++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
+@@ -152,6 +152,18 @@ static void queue_inc_cons(struct arm_smmu_ll_queue *q)
+ q->cons = Q_OVF(q->cons) | Q_WRP(q, cons) | Q_IDX(q, cons);
+ }
+
++static void queue_sync_cons_ovf(struct arm_smmu_queue *q)
++{
++ struct arm_smmu_ll_queue *llq = &q->llq;
++
++ if (likely(Q_OVF(llq->prod) == Q_OVF(llq->cons)))
++ return;
++
++ llq->cons = Q_OVF(llq->prod) | Q_WRP(llq, llq->cons) |
++ Q_IDX(llq, llq->cons);
++ queue_sync_cons_out(q);
++}
++
+ static int queue_sync_prod_in(struct arm_smmu_queue *q)
+ {
+ u32 prod;
+@@ -1583,8 +1595,7 @@ static irqreturn_t arm_smmu_evtq_thread(int irq, void *dev)
+ } while (!queue_empty(llq));
+
+ /* Sync our overflow flag, as we believe we're up to speed */
+- llq->cons = Q_OVF(llq->prod) | Q_WRP(llq, llq->cons) |
+- Q_IDX(llq, llq->cons);
++ queue_sync_cons_ovf(q);
+ return IRQ_HANDLED;
+ }
+
+@@ -1642,9 +1653,7 @@ static irqreturn_t arm_smmu_priq_thread(int irq, void *dev)
+ } while (!queue_empty(llq));
+
+ /* Sync our overflow flag, as we believe we're up to speed */
+- llq->cons = Q_OVF(llq->prod) | Q_WRP(llq, llq->cons) |
+- Q_IDX(llq, llq->cons);
+- queue_sync_cons_out(q);
++ queue_sync_cons_ovf(q);
+ return IRQ_HANDLED;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From eb96b4d3b6cc26ce373f857f13dfe579f45dc4f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Mar 2023 11:31:23 +0800
+Subject: iommu/sprd: Release dma buffer to avoid memory leak
+
+From: Chunyan Zhang <chunyan.zhang@unisoc.com>
+
+[ Upstream commit 9afea57384d4ae7b2034593eac7fa76c7122762a ]
+
+When attaching to a domain, the driver would alloc a DMA buffer which
+is used to store address mapping table, and it need to be released
+when the IOMMU domain is freed.
+
+Signed-off-by: Chunyan Zhang <chunyan.zhang@unisoc.com>
+Link: https://lore.kernel.org/r/20230331033124.864691-2-zhang.lyra@gmail.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/sprd-iommu.c | 29 ++++++++++++++++++++++-------
+ 1 file changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/iommu/sprd-iommu.c b/drivers/iommu/sprd-iommu.c
+index 8261066de07d7..e4358393fe378 100644
+--- a/drivers/iommu/sprd-iommu.c
++++ b/drivers/iommu/sprd-iommu.c
+@@ -152,13 +152,6 @@ static struct iommu_domain *sprd_iommu_domain_alloc(unsigned int domain_type)
+ return &dom->domain;
+ }
+
+-static void sprd_iommu_domain_free(struct iommu_domain *domain)
+-{
+- struct sprd_iommu_domain *dom = to_sprd_domain(domain);
+-
+- kfree(dom);
+-}
+-
+ static void sprd_iommu_first_vpn(struct sprd_iommu_domain *dom)
+ {
+ struct sprd_iommu_device *sdev = dom->sdev;
+@@ -231,6 +224,28 @@ static void sprd_iommu_hw_en(struct sprd_iommu_device *sdev, bool en)
+ sprd_iommu_update_bits(sdev, reg_cfg, mask, 0, val);
+ }
+
++static void sprd_iommu_cleanup(struct sprd_iommu_domain *dom)
++{
++ size_t pgt_size;
++
++ /* Nothing need to do if the domain hasn't been attached */
++ if (!dom->sdev)
++ return;
++
++ pgt_size = sprd_iommu_pgt_size(&dom->domain);
++ dma_free_coherent(dom->sdev->dev, pgt_size, dom->pgt_va, dom->pgt_pa);
++ dom->sdev = NULL;
++ sprd_iommu_hw_en(dom->sdev, false);
++}
++
++static void sprd_iommu_domain_free(struct iommu_domain *domain)
++{
++ struct sprd_iommu_domain *dom = to_sprd_domain(domain);
++
++ sprd_iommu_cleanup(dom);
++ kfree(dom);
++}
++
+ static int sprd_iommu_attach_device(struct iommu_domain *domain,
+ struct device *dev)
+ {
+--
+2.43.0
+
--- /dev/null
+From 49246922f8d56e82b23b8ef2b0c9e2421ecfdef3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Feb 2023 16:39:19 +0100
+Subject: mlxsw: spectrum_acl_tcam: Add missing mutex_destroy()
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 65823e07b1e4055b6278725fd92f4d7e6f8d53fd ]
+
+Pair mutex_init() with a mutex_destroy() in the error path. Found during
+code review. No functional changes.
+
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
+index 2107de4e9d99b..41eac7dfb67e7 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
+@@ -52,8 +52,10 @@ int mlxsw_sp_acl_tcam_init(struct mlxsw_sp *mlxsw_sp,
+ max_regions = max_tcam_regions;
+
+ tcam->used_regions = bitmap_zalloc(max_regions, GFP_KERNEL);
+- if (!tcam->used_regions)
+- return -ENOMEM;
++ if (!tcam->used_regions) {
++ err = -ENOMEM;
++ goto err_alloc_used_regions;
++ }
+ tcam->max_regions = max_regions;
+
+ max_groups = MLXSW_CORE_RES_GET(mlxsw_sp->core, ACL_MAX_GROUPS);
+@@ -78,6 +80,8 @@ int mlxsw_sp_acl_tcam_init(struct mlxsw_sp *mlxsw_sp,
+ bitmap_free(tcam->used_groups);
+ err_alloc_used_groups:
+ bitmap_free(tcam->used_regions);
++err_alloc_used_regions:
++ mutex_destroy(&tcam->lock);
+ return err;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 7fc230bb132e9e5f1b4265c23d039143621983bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Feb 2023 16:39:20 +0100
+Subject: mlxsw: spectrum_acl_tcam: Make fini symmetric to init
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 61fe3b9102ac84ba479ab84d8f5454af2e21e468 ]
+
+Move mutex_destroy() to the end to make the function symmetric with
+mlxsw_sp_acl_tcam_init(). No functional changes.
+
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
+index dc2e204bcd727..2107de4e9d99b 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
+@@ -86,10 +86,10 @@ void mlxsw_sp_acl_tcam_fini(struct mlxsw_sp *mlxsw_sp,
+ {
+ const struct mlxsw_sp_acl_tcam_ops *ops = mlxsw_sp->acl_tcam_ops;
+
+- mutex_destroy(&tcam->lock);
+ ops->fini(mlxsw_sp, tcam->priv);
+ bitmap_free(tcam->used_groups);
+ bitmap_free(tcam->used_regions);
++ mutex_destroy(&tcam->lock);
+ }
+
+ int mlxsw_sp_acl_tcam_priority_get(struct mlxsw_sp *mlxsw_sp,
+--
+2.43.0
+
--- /dev/null
+From db1cb1b3347989a7492fd5e33c9597da8cc5194c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 19:25:33 +0100
+Subject: mptcp: fix duplicate subflow creation
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 045e9d812868a2d80b7a57b224ce8009444b7bbc ]
+
+Fullmesh endpoints could end-up unexpectedly generating duplicate
+subflows - same local and remote addresses - when multiple incoming
+ADD_ADDR are processed before the PM creates the subflow for the local
+endpoints.
+
+Address the issue explicitly checking for duplicates at subflow
+creation time.
+
+To avoid a quadratic computational complexity, track the unavailable
+remote address ids in a temporary bitmap and initialize such bitmap
+with the remote ids of all the existing subflows matching the local
+address currently processed.
+
+The above allows additionally replacing the existing code checking
+for duplicate entry in the current set with a simple bit test
+operation.
+
+Fixes: 2843ff6f36db ("mptcp: remote addresses fullmesh")
+Cc: stable@vger.kernel.org
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/435
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/pm_netlink.c | 33 ++++++++++++++++++---------------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c
+index beacea4d5da51..4f8f8c27a59e9 100644
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -396,19 +396,6 @@ void mptcp_pm_free_anno_list(struct mptcp_sock *msk)
+ }
+ }
+
+-static bool lookup_address_in_vec(const struct mptcp_addr_info *addrs, unsigned int nr,
+- const struct mptcp_addr_info *addr)
+-{
+- int i;
+-
+- for (i = 0; i < nr; i++) {
+- if (addrs[i].id == addr->id)
+- return true;
+- }
+-
+- return false;
+-}
+-
+ /* Fill all the remote addresses into the array addrs[],
+ * and return the array size.
+ */
+@@ -440,6 +427,16 @@ static unsigned int fill_remote_addresses_vec(struct mptcp_sock *msk,
+ msk->pm.subflows++;
+ addrs[i++] = remote;
+ } else {
++ DECLARE_BITMAP(unavail_id, MPTCP_PM_MAX_ADDR_ID + 1);
++
++ /* Forbid creation of new subflows matching existing
++ * ones, possibly already created by incoming ADD_ADDR
++ */
++ bitmap_zero(unavail_id, MPTCP_PM_MAX_ADDR_ID + 1);
++ mptcp_for_each_subflow(msk, subflow)
++ if (READ_ONCE(subflow->local_id) == local->id)
++ __set_bit(subflow->remote_id, unavail_id);
++
+ mptcp_for_each_subflow(msk, subflow) {
+ ssk = mptcp_subflow_tcp_sock(subflow);
+ remote_address((struct sock_common *)ssk, &addrs[i]);
+@@ -447,11 +444,17 @@ static unsigned int fill_remote_addresses_vec(struct mptcp_sock *msk,
+ if (deny_id0 && !addrs[i].id)
+ continue;
+
++ if (test_bit(addrs[i].id, unavail_id))
++ continue;
++
+ if (!mptcp_pm_addr_families_match(sk, local, &addrs[i]))
+ continue;
+
+- if (!lookup_address_in_vec(addrs, i, &addrs[i]) &&
+- msk->pm.subflows < subflows_max) {
++ if (msk->pm.subflows < subflows_max) {
++ /* forbid creating multiple address towards
++ * this id
++ */
++ __set_bit(addrs[i].id, unavail_id);
+ msk->pm.subflows++;
+ i++;
+ }
+--
+2.43.0
+
--- /dev/null
+From e671d10ddf30b6bb0474802666f944919d001148 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jan 2023 11:47:21 +0100
+Subject: mptcp: let the in-kernel PM use mixed IPv4 and IPv6 addresses
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit b9d69db87fb77fc80997993d40f091b323b3651e ]
+
+Currently the in-kernel PM arbitrary enforces that created subflow's
+family must match the main MPTCP socket while the RFC allows mixing
+IPv4 and IPv6 subflows.
+
+This patch changes the in-kernel PM logic to create subflows matching
+the currently selected source (or destination) address. IPv4 sockets
+can pick only IPv4 addresses (and v4 mapped in v6), while IPv6 sockets
+not restricted to V6ONLY can pick either IPv4 and IPv6 addresses as
+long as the source and destination matches.
+
+A helper, previously introduced is used to ease family matching checks,
+taking care of IPv4 vs IPv4-mapped-IPv6 vs IPv6 only addresses.
+
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/269
+Co-developed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 045e9d812868 ("mptcp: fix duplicate subflow creation")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/pm_netlink.c | 58 ++++++++++++++++++++++--------------------
+ 1 file changed, 31 insertions(+), 27 deletions(-)
+
+diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c
+index 70a1025f093cf..beacea4d5da51 100644
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -152,7 +152,6 @@ static struct mptcp_pm_addr_entry *
+ select_local_address(const struct pm_nl_pernet *pernet,
+ const struct mptcp_sock *msk)
+ {
+- const struct sock *sk = (const struct sock *)msk;
+ struct mptcp_pm_addr_entry *entry, *ret = NULL;
+
+ msk_owned_by_me(msk);
+@@ -165,16 +164,6 @@ select_local_address(const struct pm_nl_pernet *pernet,
+ if (!test_bit(entry->addr.id, msk->pm.id_avail_bitmap))
+ continue;
+
+- if (entry->addr.family != sk->sk_family) {
+-#if IS_ENABLED(CONFIG_MPTCP_IPV6)
+- if ((entry->addr.family == AF_INET &&
+- !ipv6_addr_v4mapped(&sk->sk_v6_daddr)) ||
+- (sk->sk_family == AF_INET &&
+- !ipv6_addr_v4mapped(&entry->addr.addr6)))
+-#endif
+- continue;
+- }
+-
+ ret = entry;
+ break;
+ }
+@@ -423,7 +412,9 @@ static bool lookup_address_in_vec(const struct mptcp_addr_info *addrs, unsigned
+ /* Fill all the remote addresses into the array addrs[],
+ * and return the array size.
+ */
+-static unsigned int fill_remote_addresses_vec(struct mptcp_sock *msk, bool fullmesh,
++static unsigned int fill_remote_addresses_vec(struct mptcp_sock *msk,
++ struct mptcp_addr_info *local,
++ bool fullmesh,
+ struct mptcp_addr_info *addrs)
+ {
+ bool deny_id0 = READ_ONCE(msk->pm.remote_deny_join_id0);
+@@ -443,6 +434,9 @@ static unsigned int fill_remote_addresses_vec(struct mptcp_sock *msk, bool fullm
+ if (deny_id0)
+ return 0;
+
++ if (!mptcp_pm_addr_families_match(sk, local, &remote))
++ return 0;
++
+ msk->pm.subflows++;
+ addrs[i++] = remote;
+ } else {
+@@ -453,6 +447,9 @@ static unsigned int fill_remote_addresses_vec(struct mptcp_sock *msk, bool fullm
+ if (deny_id0 && !addrs[i].id)
+ continue;
+
++ if (!mptcp_pm_addr_families_match(sk, local, &addrs[i]))
++ continue;
++
+ if (!lookup_address_in_vec(addrs, i, &addrs[i]) &&
+ msk->pm.subflows < subflows_max) {
+ msk->pm.subflows++;
+@@ -603,9 +600,11 @@ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk)
+ fullmesh = !!(local->flags & MPTCP_PM_ADDR_FLAG_FULLMESH);
+
+ msk->pm.local_addr_used++;
+- nr = fill_remote_addresses_vec(msk, fullmesh, addrs);
+- if (nr)
+- __clear_bit(local->addr.id, msk->pm.id_avail_bitmap);
++ __clear_bit(local->addr.id, msk->pm.id_avail_bitmap);
++ nr = fill_remote_addresses_vec(msk, &local->addr, fullmesh, addrs);
++ if (nr == 0)
++ continue;
++
+ spin_unlock_bh(&msk->pm.lock);
+ for (i = 0; i < nr; i++)
+ __mptcp_subflow_connect(sk, &local->addr, &addrs[i]);
+@@ -628,11 +627,11 @@ static void mptcp_pm_nl_subflow_established(struct mptcp_sock *msk)
+ * and return the array size.
+ */
+ static unsigned int fill_local_addresses_vec(struct mptcp_sock *msk,
++ struct mptcp_addr_info *remote,
+ struct mptcp_addr_info *addrs)
+ {
+ struct sock *sk = (struct sock *)msk;
+ struct mptcp_pm_addr_entry *entry;
+- struct mptcp_addr_info local;
+ struct pm_nl_pernet *pernet;
+ unsigned int subflows_max;
+ int i = 0;
+@@ -645,15 +644,8 @@ static unsigned int fill_local_addresses_vec(struct mptcp_sock *msk,
+ if (!(entry->flags & MPTCP_PM_ADDR_FLAG_FULLMESH))
+ continue;
+
+- if (entry->addr.family != sk->sk_family) {
+-#if IS_ENABLED(CONFIG_MPTCP_IPV6)
+- if ((entry->addr.family == AF_INET &&
+- !ipv6_addr_v4mapped(&sk->sk_v6_daddr)) ||
+- (sk->sk_family == AF_INET &&
+- !ipv6_addr_v4mapped(&entry->addr.addr6)))
+-#endif
+- continue;
+- }
++ if (!mptcp_pm_addr_families_match(sk, &entry->addr, remote))
++ continue;
+
+ if (msk->pm.subflows < subflows_max) {
+ msk->pm.subflows++;
+@@ -666,8 +658,18 @@ static unsigned int fill_local_addresses_vec(struct mptcp_sock *msk,
+ * 'IPADDRANY' local address
+ */
+ if (!i) {
++ struct mptcp_addr_info local;
++
+ memset(&local, 0, sizeof(local));
+- local.family = msk->pm.remote.family;
++ local.family =
++#if IS_ENABLED(CONFIG_MPTCP_IPV6)
++ remote->family == AF_INET6 &&
++ ipv6_addr_v4mapped(&remote->addr6) ? AF_INET :
++#endif
++ remote->family;
++
++ if (!mptcp_pm_addr_families_match(sk, &local, remote))
++ return 0;
+
+ msk->pm.subflows++;
+ addrs[i++] = local;
+@@ -706,7 +708,9 @@ static void mptcp_pm_nl_add_addr_received(struct mptcp_sock *msk)
+ /* connect to the specified remote address, using whatever
+ * local address the routing configuration will pick.
+ */
+- nr = fill_local_addresses_vec(msk, addrs);
++ nr = fill_local_addresses_vec(msk, &remote, addrs);
++ if (nr == 0)
++ return;
+
+ msk->pm.add_addr_accepted++;
+ if (msk->pm.add_addr_accepted >= add_addr_accept_max ||
+--
+2.43.0
+
--- /dev/null
+From 08f9c679444ff15a84464cdf61462156f8ae13b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 16:10:51 -0600
+Subject: net: restore alpha order to Ethernet devices in config
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+[ Upstream commit a1331535aeb41b08fe0c2c78af51885edc93615b ]
+
+The filename "wangxun" sorts between "intel" and "xscale", but
+xscale/Kconfig contains "Intel XScale" prompts, so Wangxun ends up in the
+wrong place in the config front-ends.
+
+Move wangxun/Kconfig so the Wangxun devices appear in order in the user
+interface.
+
+Fixes: 3ce7547e5b71 ("net: txgbe: Add build support for txgbe")
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Link: https://lore.kernel.org/r/20230307221051.890135-1-helgaas@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/Kconfig b/drivers/net/ethernet/Kconfig
+index 1917da7841919..5a274b99f2992 100644
+--- a/drivers/net/ethernet/Kconfig
++++ b/drivers/net/ethernet/Kconfig
+@@ -84,7 +84,6 @@ source "drivers/net/ethernet/huawei/Kconfig"
+ source "drivers/net/ethernet/i825xx/Kconfig"
+ source "drivers/net/ethernet/ibm/Kconfig"
+ source "drivers/net/ethernet/intel/Kconfig"
+-source "drivers/net/ethernet/wangxun/Kconfig"
+ source "drivers/net/ethernet/xscale/Kconfig"
+
+ config JME
+@@ -189,6 +188,7 @@ source "drivers/net/ethernet/toshiba/Kconfig"
+ source "drivers/net/ethernet/tundra/Kconfig"
+ source "drivers/net/ethernet/vertexcom/Kconfig"
+ source "drivers/net/ethernet/via/Kconfig"
++source "drivers/net/ethernet/wangxun/Kconfig"
+ source "drivers/net/ethernet/wiznet/Kconfig"
+ source "drivers/net/ethernet/xilinx/Kconfig"
+ source "drivers/net/ethernet/xircom/Kconfig"
+--
+2.43.0
+
--- /dev/null
+From daeff512c17e05cda1e0b8597eb08104e21a3946 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Sep 2023 11:35:39 +0200
+Subject: of: overlay: Reorder struct fragment fields kerneldoc
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 5d007ffdf6025fe83e497c44ed7c8aa8f150c4d1 ]
+
+The fields of the fragment structure were reordered, but the kerneldoc
+was not updated.
+
+Fixes: 81225ea682f45629 ("of: overlay: reorder fields in struct fragment")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/cfa36d2bb95e3c399c415dbf58057302c70ef375.1695893695.git.geert+renesas@glider.be
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/overlay.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c
+index 4402871b5c0c0..e663d5585a057 100644
+--- a/drivers/of/overlay.c
++++ b/drivers/of/overlay.c
+@@ -45,8 +45,8 @@ struct target {
+
+ /**
+ * struct fragment - info about fragment nodes in overlay expanded device tree
+- * @target: target of the overlay operation
+ * @overlay: pointer to the __overlay__ node
++ * @target: target of the overlay operation
+ */
+ struct fragment {
+ struct device_node *overlay;
+--
+2.43.0
+
--- /dev/null
+From 34cfc536b52a6ef58b607ff6714ce307618338a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 May 2023 11:10:49 -0400
+Subject: PCI: layerscape: Add the endpoint linkup notifier support
+
+From: Frank Li <Frank.Li@nxp.com>
+
+[ Upstream commit 061cbfab09fb35898f2907d42f936cf9ae271d93 ]
+
+Layerscape has PME interrupt, which can be used as linkup notifier. Set
+CFG_READY bit of PEX_PF0_CONFIG to enable accesses from root complex when
+linkup detected.
+
+Link: https://lore.kernel.org/r/20230515151049.2797105-1-Frank.Li@nxp.com
+Signed-off-by: Xiaowei Bao <xiaowei.bao@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../pci/controller/dwc/pci-layerscape-ep.c | 100 +++++++++++++++++-
+ 1 file changed, 99 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/dwc/pci-layerscape-ep.c b/drivers/pci/controller/dwc/pci-layerscape-ep.c
+index ad99707b3b994..5b27554e071a1 100644
+--- a/drivers/pci/controller/dwc/pci-layerscape-ep.c
++++ b/drivers/pci/controller/dwc/pci-layerscape-ep.c
+@@ -18,6 +18,20 @@
+
+ #include "pcie-designware.h"
+
++#define PEX_PF0_CONFIG 0xC0014
++#define PEX_PF0_CFG_READY BIT(0)
++
++/* PEX PFa PCIE PME and message interrupt registers*/
++#define PEX_PF0_PME_MES_DR 0xC0020
++#define PEX_PF0_PME_MES_DR_LUD BIT(7)
++#define PEX_PF0_PME_MES_DR_LDD BIT(9)
++#define PEX_PF0_PME_MES_DR_HRD BIT(10)
++
++#define PEX_PF0_PME_MES_IER 0xC0028
++#define PEX_PF0_PME_MES_IER_LUDIE BIT(7)
++#define PEX_PF0_PME_MES_IER_LDDIE BIT(9)
++#define PEX_PF0_PME_MES_IER_HRDIE BIT(10)
++
+ #define to_ls_pcie_ep(x) dev_get_drvdata((x)->dev)
+
+ struct ls_pcie_ep_drvdata {
+@@ -30,8 +44,84 @@ struct ls_pcie_ep {
+ struct dw_pcie *pci;
+ struct pci_epc_features *ls_epc;
+ const struct ls_pcie_ep_drvdata *drvdata;
++ int irq;
++ bool big_endian;
+ };
+
++static u32 ls_lut_readl(struct ls_pcie_ep *pcie, u32 offset)
++{
++ struct dw_pcie *pci = pcie->pci;
++
++ if (pcie->big_endian)
++ return ioread32be(pci->dbi_base + offset);
++ else
++ return ioread32(pci->dbi_base + offset);
++}
++
++static void ls_lut_writel(struct ls_pcie_ep *pcie, u32 offset, u32 value)
++{
++ struct dw_pcie *pci = pcie->pci;
++
++ if (pcie->big_endian)
++ iowrite32be(value, pci->dbi_base + offset);
++ else
++ iowrite32(value, pci->dbi_base + offset);
++}
++
++static irqreturn_t ls_pcie_ep_event_handler(int irq, void *dev_id)
++{
++ struct ls_pcie_ep *pcie = dev_id;
++ struct dw_pcie *pci = pcie->pci;
++ u32 val, cfg;
++
++ val = ls_lut_readl(pcie, PEX_PF0_PME_MES_DR);
++ ls_lut_writel(pcie, PEX_PF0_PME_MES_DR, val);
++
++ if (!val)
++ return IRQ_NONE;
++
++ if (val & PEX_PF0_PME_MES_DR_LUD) {
++ cfg = ls_lut_readl(pcie, PEX_PF0_CONFIG);
++ cfg |= PEX_PF0_CFG_READY;
++ ls_lut_writel(pcie, PEX_PF0_CONFIG, cfg);
++ dw_pcie_ep_linkup(&pci->ep);
++
++ dev_dbg(pci->dev, "Link up\n");
++ } else if (val & PEX_PF0_PME_MES_DR_LDD) {
++ dev_dbg(pci->dev, "Link down\n");
++ } else if (val & PEX_PF0_PME_MES_DR_HRD) {
++ dev_dbg(pci->dev, "Hot reset\n");
++ }
++
++ return IRQ_HANDLED;
++}
++
++static int ls_pcie_ep_interrupt_init(struct ls_pcie_ep *pcie,
++ struct platform_device *pdev)
++{
++ u32 val;
++ int ret;
++
++ pcie->irq = platform_get_irq_byname(pdev, "pme");
++ if (pcie->irq < 0)
++ return pcie->irq;
++
++ ret = devm_request_irq(&pdev->dev, pcie->irq, ls_pcie_ep_event_handler,
++ IRQF_SHARED, pdev->name, pcie);
++ if (ret) {
++ dev_err(&pdev->dev, "Can't register PCIe IRQ\n");
++ return ret;
++ }
++
++ /* Enable interrupts */
++ val = ls_lut_readl(pcie, PEX_PF0_PME_MES_IER);
++ val |= PEX_PF0_PME_MES_IER_LDDIE | PEX_PF0_PME_MES_IER_HRDIE |
++ PEX_PF0_PME_MES_IER_LUDIE;
++ ls_lut_writel(pcie, PEX_PF0_PME_MES_IER, val);
++
++ return 0;
++}
++
+ static const struct pci_epc_features*
+ ls_pcie_ep_get_features(struct dw_pcie_ep *ep)
+ {
+@@ -124,6 +214,7 @@ static int __init ls_pcie_ep_probe(struct platform_device *pdev)
+ struct ls_pcie_ep *pcie;
+ struct pci_epc_features *ls_epc;
+ struct resource *dbi_base;
++ int ret;
+
+ pcie = devm_kzalloc(dev, sizeof(*pcie), GFP_KERNEL);
+ if (!pcie)
+@@ -143,6 +234,7 @@ static int __init ls_pcie_ep_probe(struct platform_device *pdev)
+ pci->ops = pcie->drvdata->dw_pcie_ops;
+
+ ls_epc->bar_fixed_64bit = (1 << BAR_2) | (1 << BAR_4);
++ ls_epc->linkup_notifier = true;
+
+ pcie->pci = pci;
+ pcie->ls_epc = ls_epc;
+@@ -154,9 +246,15 @@ static int __init ls_pcie_ep_probe(struct platform_device *pdev)
+
+ pci->ep.ops = &ls_pcie_ep_ops;
+
++ pcie->big_endian = of_property_read_bool(dev->of_node, "big-endian");
++
+ platform_set_drvdata(pdev, pcie);
+
+- return dw_pcie_ep_init(&pci->ep);
++ ret = dw_pcie_ep_init(&pci->ep);
++ if (ret)
++ return ret;
++
++ return ls_pcie_ep_interrupt_init(pcie, pdev);
+ }
+
+ static struct platform_driver ls_pcie_ep_driver = {
+--
+2.43.0
+
--- /dev/null
+From e0f7193cdd401fde177ba46dc8ece2c802956182 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Jul 2023 09:58:34 -0400
+Subject: PCI: layerscape: Add workaround for lost link capabilities during
+ reset
+
+From: Xiaowei Bao <xiaowei.bao@nxp.com>
+
+[ Upstream commit 17cf8661ee0f065c08152e611a568dd1fb0285f1 ]
+
+The endpoint controller loses the Maximum Link Width and Supported Link Speed
+value from the Link Capabilities Register - initially configured by the Reset
+Configuration Word (RCW) - during a link-down or hot reset event.
+
+Address this issue in the endpoint event handler.
+
+Link: https://lore.kernel.org/r/20230720135834.1977616-2-Frank.Li@nxp.com
+Fixes: a805770d8a22 ("PCI: layerscape: Add EP mode support")
+Signed-off-by: Xiaowei Bao <xiaowei.bao@nxp.com>
+Signed-off-by: Hou Zhiqiang <Zhiqiang.Hou@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
+Acked-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../pci/controller/dwc/pci-layerscape-ep.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/drivers/pci/controller/dwc/pci-layerscape-ep.c b/drivers/pci/controller/dwc/pci-layerscape-ep.c
+index 5b27554e071a1..dd7d74fecc48e 100644
+--- a/drivers/pci/controller/dwc/pci-layerscape-ep.c
++++ b/drivers/pci/controller/dwc/pci-layerscape-ep.c
+@@ -45,6 +45,7 @@ struct ls_pcie_ep {
+ struct pci_epc_features *ls_epc;
+ const struct ls_pcie_ep_drvdata *drvdata;
+ int irq;
++ u32 lnkcap;
+ bool big_endian;
+ };
+
+@@ -73,6 +74,7 @@ static irqreturn_t ls_pcie_ep_event_handler(int irq, void *dev_id)
+ struct ls_pcie_ep *pcie = dev_id;
+ struct dw_pcie *pci = pcie->pci;
+ u32 val, cfg;
++ u8 offset;
+
+ val = ls_lut_readl(pcie, PEX_PF0_PME_MES_DR);
+ ls_lut_writel(pcie, PEX_PF0_PME_MES_DR, val);
+@@ -81,6 +83,19 @@ static irqreturn_t ls_pcie_ep_event_handler(int irq, void *dev_id)
+ return IRQ_NONE;
+
+ if (val & PEX_PF0_PME_MES_DR_LUD) {
++
++ offset = dw_pcie_find_capability(pci, PCI_CAP_ID_EXP);
++
++ /*
++ * The values of the Maximum Link Width and Supported Link
++ * Speed from the Link Capabilities Register will be lost
++ * during link down or hot reset. Restore initial value
++ * that configured by the Reset Configuration Word (RCW).
++ */
++ dw_pcie_dbi_ro_wr_en(pci);
++ dw_pcie_writel_dbi(pci, offset + PCI_EXP_LNKCAP, pcie->lnkcap);
++ dw_pcie_dbi_ro_wr_dis(pci);
++
+ cfg = ls_lut_readl(pcie, PEX_PF0_CONFIG);
+ cfg |= PEX_PF0_CFG_READY;
+ ls_lut_writel(pcie, PEX_PF0_CONFIG, cfg);
+@@ -214,6 +229,7 @@ static int __init ls_pcie_ep_probe(struct platform_device *pdev)
+ struct ls_pcie_ep *pcie;
+ struct pci_epc_features *ls_epc;
+ struct resource *dbi_base;
++ u8 offset;
+ int ret;
+
+ pcie = devm_kzalloc(dev, sizeof(*pcie), GFP_KERNEL);
+@@ -250,6 +266,9 @@ static int __init ls_pcie_ep_probe(struct platform_device *pdev)
+
+ platform_set_drvdata(pdev, pcie);
+
++ offset = dw_pcie_find_capability(pci, PCI_CAP_ID_EXP);
++ pcie->lnkcap = dw_pcie_readl_dbi(pci, offset + PCI_EXP_LNKCAP);
++
+ ret = dw_pcie_ep_init(&pci->ep);
+ if (ret)
+ return ret;
+--
+2.43.0
+
--- /dev/null
+From 37b204d5fbd6d579a5f2526bc675439ae406a4f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Mar 2023 17:47:03 -0600
+Subject: RDMA/core: Fix multiple -Warray-bounds warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit aa4d540b4150052ae3b36d286b9c833a961ce291 ]
+
+GCC-13 (and Clang)[1] does not like to access a partially allocated
+object, since it cannot reason about it for bounds checking.
+
+In this case 140 bytes are allocated for an object of type struct
+ib_umad_packet:
+
+ packet = kzalloc(sizeof(*packet) + IB_MGMT_RMPP_HDR, GFP_KERNEL);
+
+However, notice that sizeof(*packet) is only 104 bytes:
+
+struct ib_umad_packet {
+ struct ib_mad_send_buf * msg; /* 0 8 */
+ struct ib_mad_recv_wc * recv_wc; /* 8 8 */
+ struct list_head list; /* 16 16 */
+ int length; /* 32 4 */
+
+ /* XXX 4 bytes hole, try to pack */
+
+ struct ib_user_mad mad __attribute__((__aligned__(8))); /* 40 64 */
+
+ /* size: 104, cachelines: 2, members: 5 */
+ /* sum members: 100, holes: 1, sum holes: 4 */
+ /* forced alignments: 1, forced holes: 1, sum forced holes: 4 */
+ /* last cacheline: 40 bytes */
+} __attribute__((__aligned__(8)));
+
+and 36 bytes extra bytes are allocated for a flexible-array member in
+struct ib_user_mad:
+
+include/rdma/ib_mad.h:
+120 enum {
+...
+123 IB_MGMT_RMPP_HDR = 36,
+... }
+
+struct ib_user_mad {
+ struct ib_user_mad_hdr hdr; /* 0 64 */
+ /* --- cacheline 1 boundary (64 bytes) --- */
+ __u64 data[] __attribute__((__aligned__(8))); /* 64 0 */
+
+ /* size: 64, cachelines: 1, members: 2 */
+ /* forced alignments: 1 */
+} __attribute__((__aligned__(8)));
+
+So we have sizeof(*packet) + IB_MGMT_RMPP_HDR == 140 bytes
+
+Then the address of the flex-array member (for which only 36 bytes were
+allocated) is casted and copied into a pointer to struct ib_rmpp_mad,
+which, in turn, is of size 256 bytes:
+
+ rmpp_mad = (struct ib_rmpp_mad *) packet->mad.data;
+
+struct ib_rmpp_mad {
+ struct ib_mad_hdr mad_hdr; /* 0 24 */
+ struct ib_rmpp_hdr rmpp_hdr; /* 24 12 */
+ u8 data[220]; /* 36 220 */
+
+ /* size: 256, cachelines: 4, members: 3 */
+};
+
+The thing is that those 36 bytes allocated for flex-array member data
+in struct ib_user_mad onlly account for the size of both struct ib_mad_hdr
+and struct ib_rmpp_hdr, but nothing is left for array u8 data[220].
+So, the compiler is legitimately complaining about accessing an object
+for which not enough memory was allocated.
+
+Apparently, the only members of struct ib_rmpp_mad that are relevant
+(that are actually being used) in function ib_umad_write() are mad_hdr
+and rmpp_hdr. So, instead of casting packet->mad.data to
+(struct ib_rmpp_mad *) create a new structure
+
+struct ib_rmpp_mad_hdr {
+ struct ib_mad_hdr mad_hdr;
+ struct ib_rmpp_hdr rmpp_hdr;
+} __packed;
+
+and cast packet->mad.data to (struct ib_rmpp_mad_hdr *).
+
+Notice that
+
+ IB_MGMT_RMPP_HDR == sizeof(struct ib_rmpp_mad_hdr) == 36 bytes
+
+Refactor the rest of the code, accordingly.
+
+Fix the following warnings seen under GCC-13 and -Warray-bounds:
+drivers/infiniband/core/user_mad.c:564:50: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=]
+drivers/infiniband/core/user_mad.c:566:42: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=]
+drivers/infiniband/core/user_mad.c:618:25: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=]
+drivers/infiniband/core/user_mad.c:622:44: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=]
+
+Link: https://github.com/KSPP/linux/issues/273
+Link: https://godbolt.org/z/oYWaGM4Yb [1]
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://lore.kernel.org/r/ZBpB91qQcB10m3Fw@work
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/user_mad.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
+index d96c78e436f98..5c284dfbe6923 100644
+--- a/drivers/infiniband/core/user_mad.c
++++ b/drivers/infiniband/core/user_mad.c
+@@ -131,6 +131,11 @@ struct ib_umad_packet {
+ struct ib_user_mad mad;
+ };
+
++struct ib_rmpp_mad_hdr {
++ struct ib_mad_hdr mad_hdr;
++ struct ib_rmpp_hdr rmpp_hdr;
++} __packed;
++
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/ib_umad.h>
+
+@@ -494,11 +499,11 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
+ size_t count, loff_t *pos)
+ {
+ struct ib_umad_file *file = filp->private_data;
++ struct ib_rmpp_mad_hdr *rmpp_mad_hdr;
+ struct ib_umad_packet *packet;
+ struct ib_mad_agent *agent;
+ struct rdma_ah_attr ah_attr;
+ struct ib_ah *ah;
+- struct ib_rmpp_mad *rmpp_mad;
+ __be64 *tid;
+ int ret, data_len, hdr_len, copy_offset, rmpp_active;
+ u8 base_version;
+@@ -506,7 +511,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
+ if (count < hdr_size(file) + IB_MGMT_RMPP_HDR)
+ return -EINVAL;
+
+- packet = kzalloc(sizeof *packet + IB_MGMT_RMPP_HDR, GFP_KERNEL);
++ packet = kzalloc(sizeof(*packet) + IB_MGMT_RMPP_HDR, GFP_KERNEL);
+ if (!packet)
+ return -ENOMEM;
+
+@@ -560,13 +565,13 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
+ goto err_up;
+ }
+
+- rmpp_mad = (struct ib_rmpp_mad *) packet->mad.data;
+- hdr_len = ib_get_mad_data_offset(rmpp_mad->mad_hdr.mgmt_class);
++ rmpp_mad_hdr = (struct ib_rmpp_mad_hdr *)packet->mad.data;
++ hdr_len = ib_get_mad_data_offset(rmpp_mad_hdr->mad_hdr.mgmt_class);
+
+- if (ib_is_mad_class_rmpp(rmpp_mad->mad_hdr.mgmt_class)
++ if (ib_is_mad_class_rmpp(rmpp_mad_hdr->mad_hdr.mgmt_class)
+ && ib_mad_kernel_rmpp_agent(agent)) {
+ copy_offset = IB_MGMT_RMPP_HDR;
+- rmpp_active = ib_get_rmpp_flags(&rmpp_mad->rmpp_hdr) &
++ rmpp_active = ib_get_rmpp_flags(&rmpp_mad_hdr->rmpp_hdr) &
+ IB_MGMT_RMPP_FLAG_ACTIVE;
+ } else {
+ copy_offset = IB_MGMT_MAD_HDR;
+@@ -615,12 +620,12 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
+ tid = &((struct ib_mad_hdr *) packet->msg->mad)->tid;
+ *tid = cpu_to_be64(((u64) agent->hi_tid) << 32 |
+ (be64_to_cpup(tid) & 0xffffffff));
+- rmpp_mad->mad_hdr.tid = *tid;
++ rmpp_mad_hdr->mad_hdr.tid = *tid;
+ }
+
+ if (!ib_mad_kernel_rmpp_agent(agent)
+- && ib_is_mad_class_rmpp(rmpp_mad->mad_hdr.mgmt_class)
+- && (ib_get_rmpp_flags(&rmpp_mad->rmpp_hdr) & IB_MGMT_RMPP_FLAG_ACTIVE)) {
++ && ib_is_mad_class_rmpp(rmpp_mad_hdr->mad_hdr.mgmt_class)
++ && (ib_get_rmpp_flags(&rmpp_mad_hdr->rmpp_hdr) & IB_MGMT_RMPP_FLAG_ACTIVE)) {
+ spin_lock_irq(&file->send_lock);
+ list_add_tail(&packet->list, &file->send_list);
+ spin_unlock_irq(&file->send_lock);
+--
+2.43.0
+
--- /dev/null
+From 547a47c0b62517e7054bf9fd97a3d82ead3e0313 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Dec 2022 13:01:40 -0600
+Subject: scsi: core: Add struct for args to execution functions
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit d0949565811f0896c1c7e781ab2ad99d34273fdf ]
+
+Move the SCSI execution functions to use a struct for passing in optional
+args. This commit adds the new struct, temporarily converts scsi_execute()
+and scsi_execute_req() ands a new helper, scsi_execute_cmd(), which takes
+the scsi_exec_args struct.
+
+There should be no change in behavior. We no longer allow users to pass in
+any request->rq_flags value, but they were only passing in RQF_PM which we
+do support by allowing users to pass in the BLK_MQ_REQ flags used by
+blk_mq_alloc_request().
+
+Subsequent commits will convert scsi_execute() and scsi_execute_req() users
+to the new helpers then remove scsi_execute() and scsi_execute_req().
+
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: John Garry <john.g.garry@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Stable-dep-of: 321da3dc1f3c ("scsi: sd: usb_storage: uas: Access media prior to querying device properties")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_lib.c | 52 ++++++++++++++++++--------------------
+ include/scsi/scsi_device.h | 51 +++++++++++++++++++++++++++----------
+ 2 files changed, 62 insertions(+), 41 deletions(-)
+
+diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+index 5c5954b78585e..edd296f950a33 100644
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -185,39 +185,37 @@ void scsi_queue_insert(struct scsi_cmnd *cmd, int reason)
+ __scsi_queue_insert(cmd, reason, true);
+ }
+
+-
+ /**
+- * __scsi_execute - insert request and wait for the result
+- * @sdev: scsi device
++ * scsi_execute_cmd - insert request and wait for the result
++ * @sdev: scsi_device
+ * @cmd: scsi command
+- * @data_direction: data direction
++ * @opf: block layer request cmd_flags
+ * @buffer: data buffer
+ * @bufflen: len of buffer
+- * @sense: optional sense buffer
+- * @sshdr: optional decoded sense header
+ * @timeout: request timeout in HZ
+ * @retries: number of times to retry request
+- * @flags: flags for ->cmd_flags
+- * @rq_flags: flags for ->rq_flags
+- * @resid: optional residual length
++ * @args: Optional args. See struct definition for field descriptions
+ *
+ * Returns the scsi_cmnd result field if a command was executed, or a negative
+ * Linux error code if we didn't get that far.
+ */
+-int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
+- int data_direction, void *buffer, unsigned bufflen,
+- unsigned char *sense, struct scsi_sense_hdr *sshdr,
+- int timeout, int retries, blk_opf_t flags,
+- req_flags_t rq_flags, int *resid)
++int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd,
++ blk_opf_t opf, void *buffer, unsigned int bufflen,
++ int timeout, int retries,
++ const struct scsi_exec_args *args)
+ {
++ static const struct scsi_exec_args default_args;
+ struct request *req;
+ struct scsi_cmnd *scmd;
+ int ret;
+
+- req = scsi_alloc_request(sdev->request_queue,
+- data_direction == DMA_TO_DEVICE ?
+- REQ_OP_DRV_OUT : REQ_OP_DRV_IN,
+- rq_flags & RQF_PM ? BLK_MQ_REQ_PM : 0);
++ if (!args)
++ args = &default_args;
++ else if (WARN_ON_ONCE(args->sense &&
++ args->sense_len != SCSI_SENSE_BUFFERSIZE))
++ return -EINVAL;
++
++ req = scsi_alloc_request(sdev->request_queue, opf, args->req_flags);
+ if (IS_ERR(req))
+ return PTR_ERR(req);
+
+@@ -232,8 +230,7 @@ int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
+ memcpy(scmd->cmnd, cmd, scmd->cmd_len);
+ scmd->allowed = retries;
+ req->timeout = timeout;
+- req->cmd_flags |= flags;
+- req->rq_flags |= rq_flags | RQF_QUIET;
++ req->rq_flags |= RQF_QUIET;
+
+ /*
+ * head injection *required* here otherwise quiesce won't work
+@@ -249,20 +246,21 @@ int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
+ if (unlikely(scmd->resid_len > 0 && scmd->resid_len <= bufflen))
+ memset(buffer + bufflen - scmd->resid_len, 0, scmd->resid_len);
+
+- if (resid)
+- *resid = scmd->resid_len;
+- if (sense && scmd->sense_len)
+- memcpy(sense, scmd->sense_buffer, SCSI_SENSE_BUFFERSIZE);
+- if (sshdr)
++ if (args->resid)
++ *args->resid = scmd->resid_len;
++ if (args->sense)
++ memcpy(args->sense, scmd->sense_buffer, SCSI_SENSE_BUFFERSIZE);
++ if (args->sshdr)
+ scsi_normalize_sense(scmd->sense_buffer, scmd->sense_len,
+- sshdr);
++ args->sshdr);
++
+ ret = scmd->result;
+ out:
+ blk_mq_free_request(req);
+
+ return ret;
+ }
+-EXPORT_SYMBOL(__scsi_execute);
++EXPORT_SYMBOL(scsi_execute_cmd);
+
+ /*
+ * Wake up the error handler if necessary. Avoid as follows that the error
+diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
+index d2751ed536df2..b407807cc6695 100644
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -479,28 +479,51 @@ extern const char *scsi_device_state_name(enum scsi_device_state);
+ extern int scsi_is_sdev_device(const struct device *);
+ extern int scsi_is_target_device(const struct device *);
+ extern void scsi_sanitize_inquiry_string(unsigned char *s, int len);
+-extern int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
+- int data_direction, void *buffer, unsigned bufflen,
+- unsigned char *sense, struct scsi_sense_hdr *sshdr,
+- int timeout, int retries, blk_opf_t flags,
+- req_flags_t rq_flags, int *resid);
++
++/* Optional arguments to scsi_execute_cmd */
++struct scsi_exec_args {
++ unsigned char *sense; /* sense buffer */
++ unsigned int sense_len; /* sense buffer len */
++ struct scsi_sense_hdr *sshdr; /* decoded sense header */
++ blk_mq_req_flags_t req_flags; /* BLK_MQ_REQ flags */
++ int *resid; /* residual length */
++};
++
++int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd,
++ blk_opf_t opf, void *buffer, unsigned int bufflen,
++ int timeout, int retries,
++ const struct scsi_exec_args *args);
++
+ /* Make sure any sense buffer is the correct size. */
+-#define scsi_execute(sdev, cmd, data_direction, buffer, bufflen, sense, \
+- sshdr, timeout, retries, flags, rq_flags, resid) \
++#define scsi_execute(_sdev, _cmd, _data_dir, _buffer, _bufflen, _sense, \
++ _sshdr, _timeout, _retries, _flags, _rq_flags, \
++ _resid) \
+ ({ \
+- BUILD_BUG_ON((sense) != NULL && \
+- sizeof(sense) != SCSI_SENSE_BUFFERSIZE); \
+- __scsi_execute(sdev, cmd, data_direction, buffer, bufflen, \
+- sense, sshdr, timeout, retries, flags, rq_flags, \
+- resid); \
++ scsi_execute_cmd(_sdev, _cmd, (_data_dir == DMA_TO_DEVICE ? \
++ REQ_OP_DRV_OUT : REQ_OP_DRV_IN) | _flags, \
++ _buffer, _bufflen, _timeout, _retries, \
++ &(struct scsi_exec_args) { \
++ .sense = _sense, \
++ .sshdr = _sshdr, \
++ .req_flags = _rq_flags & RQF_PM ? \
++ BLK_MQ_REQ_PM : 0, \
++ .resid = _resid, \
++ }); \
+ })
++
+ static inline int scsi_execute_req(struct scsi_device *sdev,
+ const unsigned char *cmd, int data_direction, void *buffer,
+ unsigned bufflen, struct scsi_sense_hdr *sshdr, int timeout,
+ int retries, int *resid)
+ {
+- return scsi_execute(sdev, cmd, data_direction, buffer,
+- bufflen, NULL, sshdr, timeout, retries, 0, 0, resid);
++ return scsi_execute_cmd(sdev, cmd,
++ data_direction == DMA_TO_DEVICE ?
++ REQ_OP_DRV_OUT : REQ_OP_DRV_IN, buffer,
++ bufflen, timeout, retries,
++ &(struct scsi_exec_args) {
++ .sshdr = sshdr,
++ .resid = resid,
++ });
+ }
+ extern void sdev_disable_disk_events(struct scsi_device *sdev);
+ extern void sdev_enable_disk_events(struct scsi_device *sdev);
+--
+2.43.0
+
--- /dev/null
+From c3a450f19d741d9a79f5e41aa39e16c25076a093 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 09:33:06 -0500
+Subject: scsi: sd: usb_storage: uas: Access media prior to querying device
+ properties
+
+From: Martin K. Petersen <martin.petersen@oracle.com>
+
+[ Upstream commit 321da3dc1f3c92a12e3c5da934090d2992a8814c ]
+
+It has been observed that some USB/UAS devices return generic properties
+hardcoded in firmware for mode pages for a period of time after a device
+has been discovered. The reported properties are either garbage or they do
+not accurately reflect the characteristics of the physical storage device
+attached in the case of a bridge.
+
+Prior to commit 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to
+avoid calling revalidate twice") we would call revalidate several
+times during device discovery. As a result, incorrect values would
+eventually get replaced with ones accurately describing the attached
+storage. When we did away with the redundant revalidate pass, several
+cases were reported where devices reported nonsensical values or would
+end up in write-protected state.
+
+An initial attempt at addressing this issue involved introducing a
+delayed second revalidate invocation. However, this approach still
+left some devices reporting incorrect characteristics.
+
+Tasos Sahanidis debugged the problem further and identified that
+introducing a READ operation prior to MODE SENSE fixed the problem and that
+it wasn't a timing issue. Issuing a READ appears to cause the devices to
+update their state to reflect the actual properties of the storage
+media. Device properties like vendor, model, and storage capacity appear to
+be correctly reported from the get-go. It is unclear why these devices
+defer populating the remaining characteristics.
+
+Match the behavior of a well known commercial operating system and
+trigger a READ operation prior to querying device characteristics to
+force the device to populate the mode pages.
+
+The additional READ is triggered by a flag set in the USB storage and
+UAS drivers. We avoid issuing the READ for other transport classes
+since some storage devices identify Linux through our particular
+discovery command sequence.
+
+Link: https://lore.kernel.org/r/20240213143306.2194237-1-martin.petersen@oracle.com
+Fixes: 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to avoid calling revalidate twice")
+Cc: stable@vger.kernel.org
+Reported-by: Tasos Sahanidis <tasos@tasossah.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Tested-by: Tasos Sahanidis <tasos@tasossah.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sd.c | 26 +++++++++++++++++++++++++-
+ drivers/usb/storage/scsiglue.c | 7 +++++++
+ drivers/usb/storage/uas.c | 7 +++++++
+ include/scsi/scsi_device.h | 1 +
+ 4 files changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index 31b5273f43a71..4433b02c8935f 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -3284,6 +3284,24 @@ static bool sd_validate_opt_xfer_size(struct scsi_disk *sdkp,
+ return true;
+ }
+
++static void sd_read_block_zero(struct scsi_disk *sdkp)
++{
++ unsigned int buf_len = sdkp->device->sector_size;
++ char *buffer, cmd[10] = { };
++
++ buffer = kmalloc(buf_len, GFP_KERNEL);
++ if (!buffer)
++ return;
++
++ cmd[0] = READ_10;
++ put_unaligned_be32(0, &cmd[2]); /* Logical block address 0 */
++ put_unaligned_be16(1, &cmd[7]); /* Transfer 1 logical block */
++
++ scsi_execute_cmd(sdkp->device, cmd, REQ_OP_DRV_IN, buffer, buf_len,
++ SD_TIMEOUT, sdkp->max_retries, NULL);
++ kfree(buffer);
++}
++
+ /**
+ * sd_revalidate_disk - called the first time a new disk is seen,
+ * performs disk spin up, read_capacity, etc.
+@@ -3323,7 +3341,13 @@ static int sd_revalidate_disk(struct gendisk *disk)
+ */
+ if (sdkp->media_present) {
+ sd_read_capacity(sdkp, buffer);
+-
++ /*
++ * Some USB/UAS devices return generic values for mode pages
++ * until the media has been accessed. Trigger a READ operation
++ * to force the device to populate mode pages.
++ */
++ if (sdp->read_before_ms)
++ sd_read_block_zero(sdkp);
+ /*
+ * set the default to rotational. All non-rotational devices
+ * support the block characteristics VPD page, which will
+diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c
+index c54e9805da536..12cf9940e5b67 100644
+--- a/drivers/usb/storage/scsiglue.c
++++ b/drivers/usb/storage/scsiglue.c
+@@ -179,6 +179,13 @@ static int slave_configure(struct scsi_device *sdev)
+ */
+ sdev->use_192_bytes_for_3f = 1;
+
++ /*
++ * Some devices report generic values until the media has been
++ * accessed. Force a READ(10) prior to querying device
++ * characteristics.
++ */
++ sdev->read_before_ms = 1;
++
+ /*
+ * Some devices don't like MODE SENSE with page=0x3f,
+ * which is the command used for checking if a device
+diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
+index de3836412bf32..ed22053b3252f 100644
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -878,6 +878,13 @@ static int uas_slave_configure(struct scsi_device *sdev)
+ if (devinfo->flags & US_FL_CAPACITY_HEURISTICS)
+ sdev->guess_capacity = 1;
+
++ /*
++ * Some devices report generic values until the media has been
++ * accessed. Force a READ(10) prior to querying device
++ * characteristics.
++ */
++ sdev->read_before_ms = 1;
++
+ /*
+ * Some devices don't like MODE SENSE with page=0x3f,
+ * which is the command used for checking if a device
+diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
+index b407807cc6695..a64713fe52640 100644
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -204,6 +204,7 @@ struct scsi_device {
+ unsigned use_10_for_rw:1; /* first try 10-byte read / write */
+ unsigned use_10_for_ms:1; /* first try 10-byte mode sense/select */
+ unsigned set_dbd_for_ms:1; /* Set "DBD" field in mode sense */
++ unsigned read_before_ms:1; /* perform a READ before MODE SENSE */
+ unsigned no_report_opcodes:1; /* no REPORT SUPPORTED OPERATION CODES */
+ unsigned no_write_same:1; /* no WRITE SAME command */
+ unsigned use_16_for_rw:1; /* Use read/write(16) over read/write(10) */
+--
+2.43.0
+
--- /dev/null
+drm-meson-fix-unbind-path-if-hdmi-fails-to-bind.patch
+drm-meson-don-t-remove-bridges-which-are-created-by-.patch
+scsi-core-add-struct-for-args-to-execution-functions.patch
+scsi-sd-usb_storage-uas-access-media-prior-to-queryi.patch
+mptcp-let-the-in-kernel-pm-use-mixed-ipv4-and-ipv6-a.patch
+mptcp-fix-duplicate-subflow-creation.patch
+af_unix-fix-task-hung-while-purging-oob_skb-in-gc.patch
+of-overlay-reorder-struct-fragment-fields-kerneldoc.patch
+net-restore-alpha-order-to-ethernet-devices-in-confi.patch
+mlxsw-spectrum_acl_tcam-make-fini-symmetric-to-init.patch
+mlxsw-spectrum_acl_tcam-add-missing-mutex_destroy.patch
+pci-layerscape-add-the-endpoint-linkup-notifier-supp.patch
+pci-layerscape-add-workaround-for-lost-link-capabili.patch
+arm-dts-imx-adjust-dma-apbh-node-name.patch
+arm-dts-imx7s-drop-dma-apb-interrupt-names.patch
+usb-gadget-properly-configure-the-device-for-remote-.patch
+input-xpad-add-constants-for-gip-interface-numbers.patch
+iommu-sprd-release-dma-buffer-to-avoid-memory-leak.patch
+iommu-arm-smmu-v3-acknowledge-pri-event-queue-overfl.patch
+fs-ntfs3-fix-a-possible-null-pointer-dereference-in-.patch
+clk-tegra20-fix-gcc-7-constant-overflow-warning.patch
+fs-ntfs3-add-length-check-in-indx_get_root.patch
+fs-ntfs3-fix-null-dereference-in-ni_write_inode.patch
+fs-ntfs3-fix-null-pointer-dereference-in-ni_write_in.patch
+iommu-arm-smmu-qcom-limit-the-smr-groups-to-128.patch
+rdma-core-fix-multiple-warray-bounds-warnings.patch
--- /dev/null
+From 1d72f159248029e9c044071234a4d7980e02aa09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Mar 2023 14:47:57 -0700
+Subject: usb: gadget: Properly configure the device for remote wakeup
+
+From: Elson Roy Serrao <quic_eserrao@quicinc.com>
+
+[ Upstream commit b93c2a68f3d9dc98ec30dcb342ae47c1c8d09d18 ]
+
+The wakeup bit in the bmAttributes field indicates whether the device
+is configured for remote wakeup. But this field should be allowed to
+set only if the UDC supports such wakeup mechanism. So configure this
+field based on UDC capability. Also inform the UDC whether the device
+is configured for remote wakeup by implementing a gadget op.
+
+Reviewed-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Signed-off-by: Elson Roy Serrao <quic_eserrao@quicinc.com>
+Link: https://lore.kernel.org/r/1679694482-16430-2-git-send-email-quic_eserrao@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/composite.c | 18 ++++++++++++++++++
+ drivers/usb/gadget/configfs.c | 3 +++
+ drivers/usb/gadget/udc/core.c | 27 +++++++++++++++++++++++++++
+ drivers/usb/gadget/udc/trace.h | 5 +++++
+ include/linux/usb/composite.h | 2 ++
+ include/linux/usb/gadget.h | 8 ++++++++
+ 6 files changed, 63 insertions(+)
+
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index cb0a4e2cdbb73..247cca46cdfae 100644
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -511,6 +511,19 @@ static u8 encode_bMaxPower(enum usb_device_speed speed,
+ return min(val, 900U) / 8;
+ }
+
++void check_remote_wakeup_config(struct usb_gadget *g,
++ struct usb_configuration *c)
++{
++ if (USB_CONFIG_ATT_WAKEUP & c->bmAttributes) {
++ /* Reset the rw bit if gadget is not capable of it */
++ if (!g->wakeup_capable && g->ops->set_remote_wakeup) {
++ WARN(c->cdev, "Clearing wakeup bit for config c.%d\n",
++ c->bConfigurationValue);
++ c->bmAttributes &= ~USB_CONFIG_ATT_WAKEUP;
++ }
++ }
++}
++
+ static int config_buf(struct usb_configuration *config,
+ enum usb_device_speed speed, void *buf, u8 type)
+ {
+@@ -959,6 +972,11 @@ static int set_config(struct usb_composite_dev *cdev,
+ power = min(power, 500U);
+ else
+ power = min(power, 900U);
++
++ if (USB_CONFIG_ATT_WAKEUP & c->bmAttributes)
++ usb_gadget_set_remote_wakeup(gadget, 1);
++ else
++ usb_gadget_set_remote_wakeup(gadget, 0);
+ done:
+ if (power <= USB_SELF_POWER_VBUS_MAX_DRAW)
+ usb_gadget_set_selfpowered(gadget);
+diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
+index 4dcf29577f8f1..b94aec6227c51 100644
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -1376,6 +1376,9 @@ static int configfs_composite_bind(struct usb_gadget *gadget,
+ if (gadget_is_otg(gadget))
+ c->descriptors = otg_desc;
+
++ /* Properly configure the bmAttributes wakeup bit */
++ check_remote_wakeup_config(gadget, c);
++
+ cfg = container_of(c, struct config_usb_cfg, c);
+ if (!list_empty(&cfg->string_list)) {
+ i = 0;
+diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c
+index c40f2ecbe1b8c..0edd9e53fc5a1 100644
+--- a/drivers/usb/gadget/udc/core.c
++++ b/drivers/usb/gadget/udc/core.c
+@@ -525,6 +525,33 @@ int usb_gadget_wakeup(struct usb_gadget *gadget)
+ }
+ EXPORT_SYMBOL_GPL(usb_gadget_wakeup);
+
++/**
++ * usb_gadget_set_remote_wakeup - configures the device remote wakeup feature.
++ * @gadget:the device being configured for remote wakeup
++ * @set:value to be configured.
++ *
++ * set to one to enable remote wakeup feature and zero to disable it.
++ *
++ * returns zero on success, else negative errno.
++ */
++int usb_gadget_set_remote_wakeup(struct usb_gadget *gadget, int set)
++{
++ int ret = 0;
++
++ if (!gadget->ops->set_remote_wakeup) {
++ ret = -EOPNOTSUPP;
++ goto out;
++ }
++
++ ret = gadget->ops->set_remote_wakeup(gadget, set);
++
++out:
++ trace_usb_gadget_set_remote_wakeup(gadget, ret);
++
++ return ret;
++}
++EXPORT_SYMBOL_GPL(usb_gadget_set_remote_wakeup);
++
+ /**
+ * usb_gadget_set_selfpowered - sets the device selfpowered feature.
+ * @gadget:the device being declared as self-powered
+diff --git a/drivers/usb/gadget/udc/trace.h b/drivers/usb/gadget/udc/trace.h
+index abdbcb1bacb0b..a5ed26fbc2dad 100644
+--- a/drivers/usb/gadget/udc/trace.h
++++ b/drivers/usb/gadget/udc/trace.h
+@@ -91,6 +91,11 @@ DEFINE_EVENT(udc_log_gadget, usb_gadget_wakeup,
+ TP_ARGS(g, ret)
+ );
+
++DEFINE_EVENT(udc_log_gadget, usb_gadget_set_remote_wakeup,
++ TP_PROTO(struct usb_gadget *g, int ret),
++ TP_ARGS(g, ret)
++);
++
+ DEFINE_EVENT(udc_log_gadget, usb_gadget_set_selfpowered,
+ TP_PROTO(struct usb_gadget *g, int ret),
+ TP_ARGS(g, ret)
+diff --git a/include/linux/usb/composite.h b/include/linux/usb/composite.h
+index 43ac3fa760dbe..9783b9107d76b 100644
+--- a/include/linux/usb/composite.h
++++ b/include/linux/usb/composite.h
+@@ -412,6 +412,8 @@ extern int composite_dev_prepare(struct usb_composite_driver *composite,
+ extern int composite_os_desc_req_prepare(struct usb_composite_dev *cdev,
+ struct usb_ep *ep0);
+ void composite_dev_cleanup(struct usb_composite_dev *cdev);
++void check_remote_wakeup_config(struct usb_gadget *g,
++ struct usb_configuration *c);
+
+ static inline struct usb_composite_driver *to_cdriver(
+ struct usb_gadget_driver *gdrv)
+diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h
+index dc3092cea99e9..5bec668b41dcd 100644
+--- a/include/linux/usb/gadget.h
++++ b/include/linux/usb/gadget.h
+@@ -309,6 +309,7 @@ struct usb_udc;
+ struct usb_gadget_ops {
+ int (*get_frame)(struct usb_gadget *);
+ int (*wakeup)(struct usb_gadget *);
++ int (*set_remote_wakeup)(struct usb_gadget *, int set);
+ int (*set_selfpowered) (struct usb_gadget *, int is_selfpowered);
+ int (*vbus_session) (struct usb_gadget *, int is_active);
+ int (*vbus_draw) (struct usb_gadget *, unsigned mA);
+@@ -383,6 +384,8 @@ struct usb_gadget_ops {
+ * @connected: True if gadget is connected.
+ * @lpm_capable: If the gadget max_speed is FULL or HIGH, this flag
+ * indicates that it supports LPM as per the LPM ECN & errata.
++ * @wakeup_capable: True if gadget is capable of sending remote wakeup.
++ * @wakeup_armed: True if gadget is armed by the host for remote wakeup.
+ * @irq: the interrupt number for device controller.
+ * @id_number: a unique ID number for ensuring that gadget names are distinct
+ *
+@@ -444,6 +447,8 @@ struct usb_gadget {
+ unsigned deactivated:1;
+ unsigned connected:1;
+ unsigned lpm_capable:1;
++ unsigned wakeup_capable:1;
++ unsigned wakeup_armed:1;
+ int irq;
+ int id_number;
+ };
+@@ -600,6 +605,7 @@ static inline int gadget_is_otg(struct usb_gadget *g)
+ #if IS_ENABLED(CONFIG_USB_GADGET)
+ int usb_gadget_frame_number(struct usb_gadget *gadget);
+ int usb_gadget_wakeup(struct usb_gadget *gadget);
++int usb_gadget_set_remote_wakeup(struct usb_gadget *gadget, int set);
+ int usb_gadget_set_selfpowered(struct usb_gadget *gadget);
+ int usb_gadget_clear_selfpowered(struct usb_gadget *gadget);
+ int usb_gadget_vbus_connect(struct usb_gadget *gadget);
+@@ -615,6 +621,8 @@ static inline int usb_gadget_frame_number(struct usb_gadget *gadget)
+ { return 0; }
+ static inline int usb_gadget_wakeup(struct usb_gadget *gadget)
+ { return 0; }
++static inline int usb_gadget_set_remote_wakeup(struct usb_gadget *gadget, int set)
++{ return 0; }
+ static inline int usb_gadget_set_selfpowered(struct usb_gadget *gadget)
+ { return 0; }
+ static inline int usb_gadget_clear_selfpowered(struct usb_gadget *gadget)
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
