--- /dev/null
+From 32f86da7c86b27ebed31c24453a0713f612e43fb Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Fri, 17 Feb 2023 16:06:26 +0100
+Subject: arm64: dts: imx8mm-nitrogen-r2: fix WM8960 clock name
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 32f86da7c86b27ebed31c24453a0713f612e43fb upstream.
+
+The WM8960 Linux driver expects the clock to be named "mclk". Otherwise
+the clock will be ignored and not prepared/enabled by the driver.
+
+Fixes: 40ba2eda0a7b ("arm64: dts: imx8mm-nitrogen-r2: add audio")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm-nitrogen-r2.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-nitrogen-r2.dts b/arch/arm64/boot/dts/freescale/imx8mm-nitrogen-r2.dts
+index 6357078185ed..0e8f0d7161ad 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-nitrogen-r2.dts
++++ b/arch/arm64/boot/dts/freescale/imx8mm-nitrogen-r2.dts
+@@ -247,7 +247,7 @@ wm8960: codec@1a {
+ compatible = "wlf,wm8960";
+ reg = <0x1a>;
+ clocks = <&clk IMX8MM_CLK_SAI1_ROOT>;
+- clock-names = "mclk1";
++ clock-names = "mclk";
+ wlf,shared-lrclk;
+ #sound-dai-cells = <0>;
+ };
+--
+2.40.0
+
--- /dev/null
+From 9bbf5feecc7eab2c370496c1c161bbfe62084028 Mon Sep 17 00:00:00 2001
+From: Coly Li <colyli@suse.de>
+Date: Mon, 27 Feb 2023 23:23:17 +0800
+Subject: dm thin: fix deadlock when swapping to thin device
+
+From: Coly Li <colyli@suse.de>
+
+commit 9bbf5feecc7eab2c370496c1c161bbfe62084028 upstream.
+
+This is an already known issue that dm-thin volume cannot be used as
+swap, otherwise a deadlock may happen when dm-thin internal memory
+demand triggers swap I/O on the dm-thin volume itself.
+
+But thanks to commit a666e5c05e7c ("dm: fix deadlock when swapping to
+encrypted device"), the limit_swap_bios target flag can also be used
+for dm-thin to avoid the recursive I/O when it is used as swap.
+
+Fix is to simply set ti->limit_swap_bios to true in both pool_ctr()
+and thin_ctr().
+
+In my test, I create a dm-thin volume /dev/vg/swap and use it as swap
+device. Then I run fio on another dm-thin volume /dev/vg/main and use
+large --blocksize to trigger swap I/O onto /dev/vg/swap.
+
+The following fio command line is used in my test,
+ fio --name recursive-swap-io --lockmem 1 --iodepth 128 \
+ --ioengine libaio --filename /dev/vg/main --rw randrw \
+ --blocksize 1M --numjobs 32 --time_based --runtime=12h
+
+Without this fix, the whole system can be locked up within 15 seconds.
+
+With this fix, there is no any deadlock or hung task observed after
+2 hours of running fio.
+
+Furthermore, if blocksize is changed from 1M to 128M, after around 30
+seconds fio has no visible I/O, and the out-of-memory killer message
+shows up in kernel message. After around 20 minutes all fio processes
+are killed and the whole system is back to being alive.
+
+This is exactly what is expected when recursive I/O happens on dm-thin
+volume when it is used as swap.
+
+Depends-on: a666e5c05e7c ("dm: fix deadlock when swapping to encrypted device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Coly Li <colyli@suse.de>
+Acked-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-thin.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -3383,6 +3383,7 @@ static int pool_ctr(struct dm_target *ti
+ pt->low_water_blocks = low_water_blocks;
+ pt->adjusted_pf = pt->requested_pf = pf;
+ ti->num_flush_bios = 1;
++ ti->limit_swap_bios = true;
+
+ /*
+ * Only need to enable discards if the pool should pass
+@@ -4263,6 +4264,7 @@ static int thin_ctr(struct dm_target *ti
+ goto bad;
+
+ ti->num_flush_bios = 1;
++ ti->limit_swap_bios = true;
+ ti->flush_supported = true;
+ ti->per_io_data_size = sizeof(struct dm_thin_endio_hook);
+
--- /dev/null
+From 3615c78673c332b69aaacefbcde5937c5c706686 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 14 Mar 2023 13:31:02 +0100
+Subject: efi: sysfb_efi: Fix DMI quirks not working for simpledrm
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 3615c78673c332b69aaacefbcde5937c5c706686 upstream.
+
+Commit 8633ef82f101 ("drivers/firmware: consolidate EFI framebuffer setup
+for all arches") moved the sysfb_apply_efi_quirks() call in sysfb_init()
+from before the [sysfb_]parse_mode() call to after it.
+But sysfb_apply_efi_quirks() modifies the global screen_info struct which
+[sysfb_]parse_mode() parses, so doing it later is too late.
+
+This has broken all DMI based quirks for correcting wrong firmware efifb
+settings when simpledrm is used.
+
+To fix this move the sysfb_apply_efi_quirks() call back to its old place
+and split the new setup of the efifb_fwnode (which requires
+the platform_device) into its own function and call that at
+the place of the moved sysfb_apply_efi_quirks(pd) calls.
+
+Fixes: 8633ef82f101 ("drivers/firmware: consolidate EFI framebuffer setup for all arches")
+Cc: stable@vger.kernel.org
+Cc: Javier Martinez Canillas <javierm@redhat.com>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/sysfb_efi.c | 5 ++++-
+ drivers/firmware/sysfb.c | 4 +++-
+ drivers/firmware/sysfb_simplefb.c | 2 +-
+ include/linux/sysfb.h | 9 +++++++--
+ 4 files changed, 15 insertions(+), 5 deletions(-)
+
+--- a/drivers/firmware/efi/sysfb_efi.c
++++ b/drivers/firmware/efi/sysfb_efi.c
+@@ -343,7 +343,7 @@ static const struct fwnode_operations ef
+ #ifdef CONFIG_EFI
+ static struct fwnode_handle efifb_fwnode;
+
+-__init void sysfb_apply_efi_quirks(struct platform_device *pd)
++__init void sysfb_apply_efi_quirks(void)
+ {
+ if (screen_info.orig_video_isVGA != VIDEO_TYPE_EFI ||
+ !(screen_info.capabilities & VIDEO_CAPABILITY_SKIP_QUIRKS))
+@@ -357,7 +357,10 @@ __init void sysfb_apply_efi_quirks(struc
+ screen_info.lfb_height = temp;
+ screen_info.lfb_linelength = 4 * screen_info.lfb_width;
+ }
++}
+
++__init void sysfb_set_efifb_fwnode(struct platform_device *pd)
++{
+ if (screen_info.orig_video_isVGA == VIDEO_TYPE_EFI && IS_ENABLED(CONFIG_PCI)) {
+ fwnode_init(&efifb_fwnode, &efifb_fwnode_ops);
+ pd->dev.fwnode = &efifb_fwnode;
+--- a/drivers/firmware/sysfb.c
++++ b/drivers/firmware/sysfb.c
+@@ -81,6 +81,8 @@ static __init int sysfb_init(void)
+ if (disabled)
+ goto unlock_mutex;
+
++ sysfb_apply_efi_quirks();
++
+ /* try to create a simple-framebuffer device */
+ compatible = sysfb_parse_mode(si, &mode);
+ if (compatible) {
+@@ -103,7 +105,7 @@ static __init int sysfb_init(void)
+ goto unlock_mutex;
+ }
+
+- sysfb_apply_efi_quirks(pd);
++ sysfb_set_efifb_fwnode(pd);
+
+ ret = platform_device_add_data(pd, si, sizeof(*si));
+ if (ret)
+--- a/drivers/firmware/sysfb_simplefb.c
++++ b/drivers/firmware/sysfb_simplefb.c
+@@ -110,7 +110,7 @@ __init struct platform_device *sysfb_cre
+ if (!pd)
+ return ERR_PTR(-ENOMEM);
+
+- sysfb_apply_efi_quirks(pd);
++ sysfb_set_efifb_fwnode(pd);
+
+ ret = platform_device_add_resources(pd, &res, 1);
+ if (ret)
+--- a/include/linux/sysfb.h
++++ b/include/linux/sysfb.h
+@@ -70,11 +70,16 @@ static inline void sysfb_disable(void)
+ #ifdef CONFIG_EFI
+
+ extern struct efifb_dmi_info efifb_dmi_list[];
+-void sysfb_apply_efi_quirks(struct platform_device *pd);
++void sysfb_apply_efi_quirks(void);
++void sysfb_set_efifb_fwnode(struct platform_device *pd);
+
+ #else /* CONFIG_EFI */
+
+-static inline void sysfb_apply_efi_quirks(struct platform_device *pd)
++static inline void sysfb_apply_efi_quirks(void)
++{
++}
++
++static inline void sysfb_set_efifb_fwnode(struct platform_device *pd)
+ {
+ }
+
--- /dev/null
+From ccb820dc7d2236b1af0d54ae038a27b5b6d5ae5a Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 13 Mar 2023 15:12:29 -0700
+Subject: fscrypt: destroy keyring after security_sb_delete()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit ccb820dc7d2236b1af0d54ae038a27b5b6d5ae5a upstream.
+
+fscrypt_destroy_keyring() must be called after all potentially-encrypted
+inodes were evicted; otherwise it cannot safely destroy the keyring.
+Since inodes that are in-use by the Landlock LSM don't get evicted until
+security_sb_delete(), this means that fscrypt_destroy_keyring() must be
+called *after* security_sb_delete().
+
+This fixes a WARN_ON followed by a NULL dereference, only possible if
+Landlock was being used on encrypted files.
+
+Fixes: d7e7b9af104c ("fscrypt: stop using keyrings subsystem for fscrypt_master_key")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+93e495f6a4f748827c88@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/00000000000044651705f6ca1e30@google.com
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Link: https://lore.kernel.org/r/20230313221231.272498-2-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/super.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/fs/super.c
++++ b/fs/super.c
+@@ -450,13 +450,22 @@ void generic_shutdown_super(struct super
+
+ cgroup_writeback_umount();
+
+- /* evict all inodes with zero refcount */
++ /* Evict all inodes with zero refcount. */
+ evict_inodes(sb);
+- /* only nonzero refcount inodes can have marks */
++
++ /*
++ * Clean up and evict any inodes that still have references due
++ * to fsnotify or the security policy.
++ */
+ fsnotify_sb_delete(sb);
+- fscrypt_destroy_keyring(sb);
+ security_sb_delete(sb);
+
++ /*
++ * Now that all potentially-encrypted inodes have been evicted,
++ * the fscrypt keyring can be destroyed.
++ */
++ fscrypt_destroy_keyring(sb);
++
+ if (sb->s_dio_done_wq) {
+ destroy_workqueue(sb->s_dio_done_wq);
+ sb->s_dio_done_wq = NULL;
--- /dev/null
+From f959325e6ac3f499450088b8d9c626d1177be160 Mon Sep 17 00:00:00 2001
+From: Nathan Huckleberry <nhuck@google.com>
+Date: Fri, 10 Mar 2023 11:33:25 -0800
+Subject: fsverity: Remove WQ_UNBOUND from fsverity read workqueue
+
+From: Nathan Huckleberry <nhuck@google.com>
+
+commit f959325e6ac3f499450088b8d9c626d1177be160 upstream.
+
+WQ_UNBOUND causes significant scheduler latency on ARM64/Android. This
+is problematic for latency sensitive workloads, like I/O
+post-processing.
+
+Removing WQ_UNBOUND gives a 96% reduction in fsverity workqueue related
+scheduler latency and improves app cold startup times by ~30ms.
+WQ_UNBOUND was also removed from the dm-verity workqueue for the same
+reason [1].
+
+This code was tested by running Android app startup benchmarks and
+measuring how long the fsverity workqueue spent in the runnable state.
+
+Before
+Total workqueue scheduler latency: 553800us
+After
+Total workqueue scheduler latency: 18962us
+
+[1]: https://lore.kernel.org/all/20230202012348.885402-1-nhuck@google.com/
+
+Signed-off-by: Nathan Huckleberry <nhuck@google.com>
+Fixes: 8a1d0f9cacc9 ("fs-verity: add data verification hooks for ->readpages()")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230310193325.620493-1-nhuck@google.com
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/verity/verify.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/fs/verity/verify.c
++++ b/fs/verity/verify.c
+@@ -279,15 +279,15 @@ EXPORT_SYMBOL_GPL(fsverity_enqueue_verif
+ int __init fsverity_init_workqueue(void)
+ {
+ /*
+- * Use an unbound workqueue to allow bios to be verified in parallel
+- * even when they happen to complete on the same CPU. This sacrifices
+- * locality, but it's worthwhile since hashing is CPU-intensive.
++ * Use a high-priority workqueue to prioritize verification work, which
++ * blocks reads from completing, over regular application tasks.
+ *
+- * Also use a high-priority workqueue to prioritize verification work,
+- * which blocks reads from completing, over regular application tasks.
++ * For performance reasons, don't use an unbound workqueue. Using an
++ * unbound workqueue for crypto operations causes excessive scheduler
++ * latency on ARM64.
+ */
+ fsverity_read_workqueue = alloc_workqueue("fsverity_read_queue",
+- WQ_UNBOUND | WQ_HIGHPRI,
++ WQ_HIGHPRI,
+ num_online_cpus());
+ if (!fsverity_read_workqueue)
+ return -ENOMEM;
--- /dev/null
+From 65f69851e44d71248b952a687e44759a7abb5016 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Tue, 7 Mar 2023 23:29:17 +0800
+Subject: igb: revert rtnl_lock() that causes deadlock
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit 65f69851e44d71248b952a687e44759a7abb5016 upstream.
+
+The commit 6faee3d4ee8b ("igb: Add lock to avoid data race") adds
+rtnl_lock to eliminate a false data race shown below
+
+ (FREE from device detaching) | (USE from netdev core)
+igb_remove | igb_ndo_get_vf_config
+ igb_disable_sriov | vf >= adapter->vfs_allocated_count?
+ kfree(adapter->vf_data) |
+ adapter->vfs_allocated_count = 0 |
+ | memcpy(... adapter->vf_data[vf]
+
+The above race will never happen and the extra rtnl_lock causes deadlock
+below
+
+[ 141.420169] <TASK>
+[ 141.420672] __schedule+0x2dd/0x840
+[ 141.421427] schedule+0x50/0xc0
+[ 141.422041] schedule_preempt_disabled+0x11/0x20
+[ 141.422678] __mutex_lock.isra.13+0x431/0x6b0
+[ 141.423324] unregister_netdev+0xe/0x20
+[ 141.423578] igbvf_remove+0x45/0xe0 [igbvf]
+[ 141.423791] pci_device_remove+0x36/0xb0
+[ 141.423990] device_release_driver_internal+0xc1/0x160
+[ 141.424270] pci_stop_bus_device+0x6d/0x90
+[ 141.424507] pci_stop_and_remove_bus_device+0xe/0x20
+[ 141.424789] pci_iov_remove_virtfn+0xba/0x120
+[ 141.425452] sriov_disable+0x2f/0xf0
+[ 141.425679] igb_disable_sriov+0x4e/0x100 [igb]
+[ 141.426353] igb_remove+0xa0/0x130 [igb]
+[ 141.426599] pci_device_remove+0x36/0xb0
+[ 141.426796] device_release_driver_internal+0xc1/0x160
+[ 141.427060] driver_detach+0x44/0x90
+[ 141.427253] bus_remove_driver+0x55/0xe0
+[ 141.427477] pci_unregister_driver+0x2a/0xa0
+[ 141.428296] __x64_sys_delete_module+0x141/0x2b0
+[ 141.429126] ? mntput_no_expire+0x4a/0x240
+[ 141.429363] ? syscall_trace_enter.isra.19+0x126/0x1a0
+[ 141.429653] do_syscall_64+0x5b/0x80
+[ 141.429847] ? exit_to_user_mode_prepare+0x14d/0x1c0
+[ 141.430109] ? syscall_exit_to_user_mode+0x12/0x30
+[ 141.430849] ? do_syscall_64+0x67/0x80
+[ 141.431083] ? syscall_exit_to_user_mode_prepare+0x183/0x1b0
+[ 141.431770] ? syscall_exit_to_user_mode+0x12/0x30
+[ 141.432482] ? do_syscall_64+0x67/0x80
+[ 141.432714] ? exc_page_fault+0x64/0x140
+[ 141.432911] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Since the igb_disable_sriov() will call pci_disable_sriov() before
+releasing any resources, the netdev core will synchronize the cleanup to
+avoid any races. This patch removes the useless rtnl_(un)lock to guarantee
+correctness.
+
+CC: stable@vger.kernel.org
+Fixes: 6faee3d4ee8b ("igb: Add lock to avoid data race")
+Reported-by: Corinna Vinschen <vinschen@redhat.com>
+Link: https://lore.kernel.org/intel-wired-lan/ZAcJvkEPqWeJHO2r@calimero.vinschen.de/
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Tested-by: Corinna Vinschen <vinschen@redhat.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -3820,9 +3820,7 @@ static void igb_remove(struct pci_dev *p
+ igb_release_hw_control(adapter);
+
+ #ifdef CONFIG_PCI_IOV
+- rtnl_lock();
+ igb_disable_sriov(pdev);
+- rtnl_unlock();
+ #endif
+
+ unregister_netdev(netdev);
--- /dev/null
+From 2e08ca1802441224f5b7cc6bffbb687f7406de95 Mon Sep 17 00:00:00 2001
+From: Marco Elver <elver@google.com>
+Date: Thu, 16 Mar 2023 23:47:04 +0100
+Subject: kfence: avoid passing -g for test
+
+From: Marco Elver <elver@google.com>
+
+commit 2e08ca1802441224f5b7cc6bffbb687f7406de95 upstream.
+
+Nathan reported that when building with GNU as and a version of clang that
+defaults to DWARF5:
+
+ $ make -skj"$(nproc)" ARCH=riscv CROSS_COMPILE=riscv64-linux-gnu- \
+ LLVM=1 LLVM_IAS=0 O=build \
+ mrproper allmodconfig mm/kfence/kfence_test.o
+ /tmp/kfence_test-08a0a0.s: Assembler messages:
+ /tmp/kfence_test-08a0a0.s:14627: Error: non-constant .uleb128 is not supported
+ /tmp/kfence_test-08a0a0.s:14628: Error: non-constant .uleb128 is not supported
+ /tmp/kfence_test-08a0a0.s:14632: Error: non-constant .uleb128 is not supported
+ /tmp/kfence_test-08a0a0.s:14633: Error: non-constant .uleb128 is not supported
+ /tmp/kfence_test-08a0a0.s:14639: Error: non-constant .uleb128 is not supported
+ ...
+
+This is because `-g` defaults to the compiler debug info default. If the
+assembler does not support some of the directives used, the above errors
+occur. To fix, remove the explicit passing of `-g`.
+
+All the test wants is that stack traces print valid function names, and
+debug info is not required for that. (I currently cannot recall why I
+added the explicit `-g`.)
+
+Link: https://lkml.kernel.org/r/20230316224705.709984-1-elver@google.com
+Fixes: bc8fbc5f305a ("kfence: add test suite")
+Signed-off-by: Marco Elver <elver@google.com>
+Reported-by: Nathan Chancellor <nathan@kernel.org>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kfence/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/kfence/Makefile
++++ b/mm/kfence/Makefile
+@@ -2,5 +2,5 @@
+
+ obj-$(CONFIG_KFENCE) := core.o report.o
+
+-CFLAGS_kfence_test.o := -g -fno-omit-frame-pointer -fno-optimize-sibling-calls
++CFLAGS_kfence_test.o := -fno-omit-frame-pointer -fno-optimize-sibling-calls
+ obj-$(CONFIG_KFENCE_KUNIT_TEST) += kfence_test.o
--- /dev/null
+From 7ff84910c66c9144cc0de9d9deed9fb84c03aff0 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Tue, 14 Mar 2023 06:20:58 -0400
+Subject: lockd: set file_lock start and end when decoding nlm4 testargs
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit 7ff84910c66c9144cc0de9d9deed9fb84c03aff0 upstream.
+
+Commit 6930bcbfb6ce dropped the setting of the file_lock range when
+decoding a nlm_lock off the wire. This causes the client side grant
+callback to miss matching blocks and reject the lock, only to rerequest
+it 30s later.
+
+Add a helper function to set the file_lock range from the start and end
+values that the protocol uses, and have the nlm_lock decoder call that to
+set up the file_lock args properly.
+
+Fixes: 6930bcbfb6ce ("lockd: detect and reject lock arguments that overflow")
+Reported-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Tested-by: Amir Goldstein <amir73il@gmail.com>
+Cc: stable@vger.kernel.org #6.0
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/lockd/clnt4xdr.c | 9 +--------
+ fs/lockd/xdr4.c | 13 ++++++++++++-
+ include/linux/lockd/xdr4.h | 1 +
+ 3 files changed, 14 insertions(+), 9 deletions(-)
+
+--- a/fs/lockd/clnt4xdr.c
++++ b/fs/lockd/clnt4xdr.c
+@@ -261,7 +261,6 @@ static int decode_nlm4_holder(struct xdr
+ u32 exclusive;
+ int error;
+ __be32 *p;
+- s32 end;
+
+ memset(lock, 0, sizeof(*lock));
+ locks_init_lock(fl);
+@@ -285,13 +284,7 @@ static int decode_nlm4_holder(struct xdr
+ fl->fl_type = exclusive != 0 ? F_WRLCK : F_RDLCK;
+ p = xdr_decode_hyper(p, &l_offset);
+ xdr_decode_hyper(p, &l_len);
+- end = l_offset + l_len - 1;
+-
+- fl->fl_start = (loff_t)l_offset;
+- if (l_len == 0 || end < 0)
+- fl->fl_end = OFFSET_MAX;
+- else
+- fl->fl_end = (loff_t)end;
++ nlm4svc_set_file_lock_range(fl, l_offset, l_len);
+ error = 0;
+ out:
+ return error;
+--- a/fs/lockd/xdr4.c
++++ b/fs/lockd/xdr4.c
+@@ -33,6 +33,17 @@ loff_t_to_s64(loff_t offset)
+ return res;
+ }
+
++void nlm4svc_set_file_lock_range(struct file_lock *fl, u64 off, u64 len)
++{
++ s64 end = off + len - 1;
++
++ fl->fl_start = off;
++ if (len == 0 || end < 0)
++ fl->fl_end = OFFSET_MAX;
++ else
++ fl->fl_end = end;
++}
++
+ /*
+ * NLM file handles are defined by specification to be a variable-length
+ * XDR opaque no longer than 1024 bytes. However, this implementation
+@@ -80,7 +91,7 @@ svcxdr_decode_lock(struct xdr_stream *xd
+ locks_init_lock(fl);
+ fl->fl_flags = FL_POSIX;
+ fl->fl_type = F_RDLCK;
+-
++ nlm4svc_set_file_lock_range(fl, lock->lock_start, lock->lock_len);
+ return true;
+ }
+
+--- a/include/linux/lockd/xdr4.h
++++ b/include/linux/lockd/xdr4.h
+@@ -24,6 +24,7 @@
+
+
+
++void nlm4svc_set_file_lock_range(struct file_lock *fl, u64 off, u64 len);
+ int nlm4svc_decode_testargs(struct svc_rqst *, __be32 *);
+ int nlm4svc_encode_testres(struct svc_rqst *, __be32 *);
+ int nlm4svc_decode_lockargs(struct svc_rqst *, __be32 *);
--- /dev/null
+From 66a1c22b709178e7b823d44465d0c2e5ed7492fb Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 21 Mar 2023 09:30:59 +0100
+Subject: mm/slab: Fix undefined init_cache_node_node() for NUMA and !SMP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 66a1c22b709178e7b823d44465d0c2e5ed7492fb upstream.
+
+sh/migor_defconfig:
+
+ mm/slab.c: In function ‘slab_memory_callback’:
+ mm/slab.c:1127:23: error: implicit declaration of function ‘init_cache_node_node’; did you mean ‘drain_cache_node_node’? [-Werror=implicit-function-declaration]
+ 1127 | ret = init_cache_node_node(nid);
+ | ^~~~~~~~~~~~~~~~~~~~
+ | drain_cache_node_node
+
+The #ifdef condition protecting the definition of init_cache_node_node()
+no longer matches the conditions protecting the (multiple) users.
+
+Fix this by syncing the conditions.
+
+Fixes: 76af6a054da40553 ("mm/migrate: add CPU hotplug to demotion #ifdef")
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://lore.kernel.org/r/b5bdea22-ed2f-3187-6efe-0c72330270a4@infradead.org
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/slab.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/slab.c
++++ b/mm/slab.c
+@@ -855,7 +855,7 @@ static int init_cache_node(struct kmem_c
+ return 0;
+ }
+
+-#if (defined(CONFIG_NUMA) && defined(CONFIG_MEMORY_HOTPLUG)) || defined(CONFIG_SMP)
++#if defined(CONFIG_NUMA) || defined(CONFIG_SMP)
+ /*
+ * Allocates and initializes node for a node on each slab cache, used for
+ * either memory or cpu hotplug. If memory is being hot-added, the kmem_cache_node
scsi-core-add-blist_skip_vpd_pages-for-skhynix-h28u74301amr.patch
usb-dwc2-fix-a-devres-leak-in-hw_enable-upon-suspend-resume.patch
usb-gadget-u_audio-don-t-let-userspace-block-driver-unbind.patch
+efi-sysfb_efi-fix-dmi-quirks-not-working-for-simpledrm.patch
+mm-slab-fix-undefined-init_cache_node_node-for-numa-and-smp.patch
+fscrypt-destroy-keyring-after-security_sb_delete.patch
+fsverity-remove-wq_unbound-from-fsverity-read-workqueue.patch
+lockd-set-file_lock-start-and-end-when-decoding-nlm4-testargs.patch
+arm64-dts-imx8mm-nitrogen-r2-fix-wm8960-clock-name.patch
+igb-revert-rtnl_lock-that-causes-deadlock.patch
+dm-thin-fix-deadlock-when-swapping-to-thin-device.patch
+usb-typec-tcpm-fix-warning-when-handle-discover_identity-message.patch
+usb-cdns3-fix-issue-with-using-incorrect-pci-device-function.patch
+usb-cdnsp-fixes-issue-with-redundant-status-stage.patch
+usb-cdnsp-changes-pci-device-id-to-fix-conflict-with-cnds3-driver.patch
+usb-chipdea-core-fix-return-einval-if-request-role-is-the-same-with-current-role.patch
+usb-chipidea-core-fix-possible-concurrent-when-switch-role.patch
+usb-ucsi-fix-null-pointer-deref-in-ucsi_connector_change.patch
+kfence-avoid-passing-g-for-test.patch
--- /dev/null
+From 1272fd652a226ccb34e9f47371b6121948048438 Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak <pawell@cadence.com>
+Date: Wed, 8 Mar 2023 07:44:27 -0500
+Subject: usb: cdns3: Fix issue with using incorrect PCI device function
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+commit 1272fd652a226ccb34e9f47371b6121948048438 upstream.
+
+PCI based platform can have more than two PCI functions.
+USBSS PCI Glue driver during initialization should
+consider only DRD/HOST/DEVICE PCI functions and
+all other should be ignored. This patch adds additional
+condition which causes that only DRD and HOST/DEVICE
+function will be accepted.
+
+cc: <stable@vger.kernel.org>
+Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Link: https://lore.kernel.org/r/20230308124427.311245-1-pawell@cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdns3-pci-wrap.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/cdns3/cdns3-pci-wrap.c
++++ b/drivers/usb/cdns3/cdns3-pci-wrap.c
+@@ -60,6 +60,11 @@ static struct pci_dev *cdns3_get_second_
+ return NULL;
+ }
+
++ if (func->devfn != PCI_DEV_FN_HOST_DEVICE &&
++ func->devfn != PCI_DEV_FN_OTG) {
++ return NULL;
++ }
++
+ return func;
+ }
+
--- /dev/null
+From 96b96b2a567fb34dd41c87e6cf01f6902ce8cae4 Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak <pawell@cadence.com>
+Date: Thu, 9 Mar 2023 01:30:48 -0500
+Subject: usb: cdnsp: changes PCI Device ID to fix conflict with CNDS3 driver
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+commit 96b96b2a567fb34dd41c87e6cf01f6902ce8cae4 upstream.
+
+Patch changes CDNS_DEVICE_ID in USBSSP PCI Glue driver to remove
+the conflict with Cadence USBSS driver.
+
+cc: <stable@vger.kernel.org>
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Link: https://lore.kernel.org/r/20230309063048.299378-1-pawell@cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdnsp-pci.c | 27 +++++++++++----------------
+ 1 file changed, 11 insertions(+), 16 deletions(-)
+
+--- a/drivers/usb/cdns3/cdnsp-pci.c
++++ b/drivers/usb/cdns3/cdnsp-pci.c
+@@ -29,30 +29,23 @@
+ #define PLAT_DRIVER_NAME "cdns-usbssp"
+
+ #define CDNS_VENDOR_ID 0x17cd
+-#define CDNS_DEVICE_ID 0x0100
++#define CDNS_DEVICE_ID 0x0200
++#define CDNS_DRD_ID 0x0100
+ #define CDNS_DRD_IF (PCI_CLASS_SERIAL_USB << 8 | 0x80)
+
+ static struct pci_dev *cdnsp_get_second_fun(struct pci_dev *pdev)
+ {
+- struct pci_dev *func;
+-
+ /*
+ * Gets the second function.
+- * It's little tricky, but this platform has two function.
+- * The fist keeps resources for Host/Device while the second
+- * keeps resources for DRD/OTG.
++ * Platform has two function. The fist keeps resources for
++ * Host/Device while the secon keeps resources for DRD/OTG.
+ */
+- func = pci_get_device(pdev->vendor, pdev->device, NULL);
+- if (!func)
+- return NULL;
++ if (pdev->device == CDNS_DEVICE_ID)
++ return pci_get_device(pdev->vendor, CDNS_DRD_ID, NULL);
++ else if (pdev->device == CDNS_DRD_ID)
++ return pci_get_device(pdev->vendor, CDNS_DEVICE_ID, NULL);
+
+- if (func->devfn == pdev->devfn) {
+- func = pci_get_device(pdev->vendor, pdev->device, func);
+- if (!func)
+- return NULL;
+- }
+-
+- return func;
++ return NULL;
+ }
+
+ static int cdnsp_pci_probe(struct pci_dev *pdev,
+@@ -232,6 +225,8 @@ static const struct pci_device_id cdnsp_
+ PCI_CLASS_SERIAL_USB_DEVICE, PCI_ANY_ID },
+ { PCI_VENDOR_ID_CDNS, CDNS_DEVICE_ID, PCI_ANY_ID, PCI_ANY_ID,
+ CDNS_DRD_IF, PCI_ANY_ID },
++ { PCI_VENDOR_ID_CDNS, CDNS_DRD_ID, PCI_ANY_ID, PCI_ANY_ID,
++ CDNS_DRD_IF, PCI_ANY_ID },
+ { 0, }
+ };
+
--- /dev/null
+From 5bc38d33a5a1209fd4de65101d1ae8255ea12c6e Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak <pawell@cadence.com>
+Date: Tue, 7 Mar 2023 06:14:20 -0500
+Subject: usb: cdnsp: Fixes issue with redundant Status Stage
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+commit 5bc38d33a5a1209fd4de65101d1ae8255ea12c6e upstream.
+
+In some cases, driver trees to send Status Stage twice.
+The first one from upper layer of gadget usb subsystem and
+second time from controller driver.
+This patch fixes this issue and remove tricky handling of
+SET_INTERFACE from controller driver which is no longer
+needed.
+
+cc: <stable@vger.kernel.org>
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Link: https://lore.kernel.org/r/20230307111420.376056-1-pawell@cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdnsp-ep0.c | 19 +------------------
+ 1 file changed, 1 insertion(+), 18 deletions(-)
+
+--- a/drivers/usb/cdns3/cdnsp-ep0.c
++++ b/drivers/usb/cdns3/cdnsp-ep0.c
+@@ -403,20 +403,6 @@ static int cdnsp_ep0_std_request(struct
+ case USB_REQ_SET_ISOCH_DELAY:
+ ret = cdnsp_ep0_set_isoch_delay(pdev, ctrl);
+ break;
+- case USB_REQ_SET_INTERFACE:
+- /*
+- * Add request into pending list to block sending status stage
+- * by libcomposite.
+- */
+- list_add_tail(&pdev->ep0_preq.list,
+- &pdev->ep0_preq.pep->pending_list);
+-
+- ret = cdnsp_ep0_delegate_req(pdev, ctrl);
+- if (ret == -EBUSY)
+- ret = 0;
+-
+- list_del(&pdev->ep0_preq.list);
+- break;
+ default:
+ ret = cdnsp_ep0_delegate_req(pdev, ctrl);
+ break;
+@@ -474,9 +460,6 @@ void cdnsp_setup_analyze(struct cdnsp_de
+ else
+ ret = cdnsp_ep0_delegate_req(pdev, ctrl);
+
+- if (!len)
+- pdev->ep0_stage = CDNSP_STATUS_STAGE;
+-
+ if (ret == USB_GADGET_DELAYED_STATUS) {
+ trace_cdnsp_ep0_status_stage("delayed");
+ return;
+@@ -484,6 +467,6 @@ void cdnsp_setup_analyze(struct cdnsp_de
+ out:
+ if (ret < 0)
+ cdnsp_ep0_stall(pdev);
+- else if (pdev->ep0_stage == CDNSP_STATUS_STAGE)
++ else if (!len && pdev->ep0_stage != CDNSP_STATUS_STAGE)
+ cdnsp_status_stage(pdev);
+ }
--- /dev/null
+From 3670de80678961eda7fa2220883fc77c16868951 Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Fri, 17 Mar 2023 14:15:15 +0800
+Subject: usb: chipdea: core: fix return -EINVAL if request role is the same with current role
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit 3670de80678961eda7fa2220883fc77c16868951 upstream.
+
+It should not return -EINVAL if the request role is the same with current
+role, return non-error and without do anything instead.
+
+Fixes: a932a8041ff9 ("usb: chipidea: core: add sysfs group")
+cc: <stable@vger.kernel.org>
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Link: https://lore.kernel.org/r/20230317061516.2451728-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/chipidea/core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -974,9 +974,12 @@ static ssize_t role_store(struct device
+ strlen(ci->roles[role]->name)))
+ break;
+
+- if (role == CI_ROLE_END || role == ci->role)
++ if (role == CI_ROLE_END)
+ return -EINVAL;
+
++ if (role == ci->role)
++ return n;
++
+ pm_runtime_get_sync(dev);
+ disable_irq(ci->irq);
+ ci_role_stop(ci);
--- /dev/null
+From 451b15ed138ec15bffbebb58a00ebdd884c3e659 Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Fri, 17 Mar 2023 14:15:16 +0800
+Subject: usb: chipidea: core: fix possible concurrent when switch role
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit 451b15ed138ec15bffbebb58a00ebdd884c3e659 upstream.
+
+The user may call role_store() when driver is handling
+ci_handle_id_switch() which is triggerred by otg event or power lost
+event. Unfortunately, the controller may go into chaos in this case.
+Fix this by protecting it with mutex lock.
+
+Fixes: a932a8041ff9 ("usb: chipidea: core: add sysfs group")
+cc: <stable@vger.kernel.org>
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Link: https://lore.kernel.org/r/20230317061516.2451728-2-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/chipidea/ci.h | 2 ++
+ drivers/usb/chipidea/core.c | 8 +++++++-
+ drivers/usb/chipidea/otg.c | 5 ++++-
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/chipidea/ci.h
++++ b/drivers/usb/chipidea/ci.h
+@@ -203,6 +203,7 @@ struct hw_bank {
+ * @in_lpm: if the core in low power mode
+ * @wakeup_int: if wakeup interrupt occur
+ * @rev: The revision number for controller
++ * @mutex: protect code from concorrent running when doing role switch
+ */
+ struct ci_hdrc {
+ struct device *dev;
+@@ -255,6 +256,7 @@ struct ci_hdrc {
+ bool in_lpm;
+ bool wakeup_int;
+ enum ci_revision rev;
++ struct mutex mutex;
+ };
+
+ static inline struct ci_role_driver *ci_role(struct ci_hdrc *ci)
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -977,8 +977,12 @@ static ssize_t role_store(struct device
+ if (role == CI_ROLE_END)
+ return -EINVAL;
+
+- if (role == ci->role)
++ mutex_lock(&ci->mutex);
++
++ if (role == ci->role) {
++ mutex_unlock(&ci->mutex);
+ return n;
++ }
+
+ pm_runtime_get_sync(dev);
+ disable_irq(ci->irq);
+@@ -988,6 +992,7 @@ static ssize_t role_store(struct device
+ ci_handle_vbus_change(ci);
+ enable_irq(ci->irq);
+ pm_runtime_put_sync(dev);
++ mutex_unlock(&ci->mutex);
+
+ return (ret == 0) ? n : ret;
+ }
+@@ -1023,6 +1028,7 @@ static int ci_hdrc_probe(struct platform
+ return -ENOMEM;
+
+ spin_lock_init(&ci->lock);
++ mutex_init(&ci->mutex);
+ ci->dev = dev;
+ ci->platdata = dev_get_platdata(dev);
+ ci->imx28_write_fix = !!(ci->platdata->flags &
+--- a/drivers/usb/chipidea/otg.c
++++ b/drivers/usb/chipidea/otg.c
+@@ -167,8 +167,10 @@ static int hw_wait_vbus_lower_bsv(struct
+
+ static void ci_handle_id_switch(struct ci_hdrc *ci)
+ {
+- enum ci_role role = ci_otg_role(ci);
++ enum ci_role role;
+
++ mutex_lock(&ci->mutex);
++ role = ci_otg_role(ci);
+ if (role != ci->role) {
+ dev_dbg(ci->dev, "switching from %s to %s\n",
+ ci_role(ci)->name, ci->roles[role]->name);
+@@ -198,6 +200,7 @@ static void ci_handle_id_switch(struct c
+ if (role == CI_ROLE_GADGET)
+ ci_handle_vbus_change(ci);
+ }
++ mutex_unlock(&ci->mutex);
+ }
+ /**
+ * ci_otg_work - perform otg (vbus/id) event handle
--- /dev/null
+From abfc4fa28f0160df61c7149567da4f6494dfb488 Mon Sep 17 00:00:00 2001
+From: Xu Yang <xu.yang_2@nxp.com>
+Date: Thu, 16 Feb 2023 11:15:15 +0800
+Subject: usb: typec: tcpm: fix warning when handle discover_identity message
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+commit abfc4fa28f0160df61c7149567da4f6494dfb488 upstream.
+
+Since both source and sink device can send discover_identity message in
+PD3, kernel may dump below warning:
+
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 169 at drivers/usb/typec/tcpm/tcpm.c:1446 tcpm_queue_vdm+0xe0/0xf0
+Modules linked in:
+CPU: 0 PID: 169 Comm: 1-0050 Not tainted 6.1.1-00038-g6a3c36cf1da2-dirty #567
+Hardware name: NXP i.MX8MPlus EVK board (DT)
+pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : tcpm_queue_vdm+0xe0/0xf0
+lr : tcpm_queue_vdm+0x2c/0xf0
+sp : ffff80000c19bcd0
+x29: ffff80000c19bcd0 x28: 0000000000000001 x27: ffff0000d11c8ab8
+x26: ffff0000d11cc000 x25: 0000000000000000 x24: 00000000ff008081
+x23: 0000000000000001 x22: 00000000ff00a081 x21: ffff80000c19bdbc
+x20: 0000000000000000 x19: ffff0000d11c8080 x18: ffffffffffffffff
+x17: 0000000000000000 x16: 0000000000000000 x15: ffff0000d716f580
+x14: 0000000000000001 x13: ffff0000d716f507 x12: 0000000000000001
+x11: 0000000000000000 x10: 0000000000000020 x9 : 00000000000ee098
+x8 : 00000000ffffffff x7 : 000000000000001c x6 : ffff0000d716f580
+x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
+x2 : ffff80000c19bdbc x1 : 00000000ff00a081 x0 : 0000000000000004
+Call trace:
+tcpm_queue_vdm+0xe0/0xf0
+tcpm_pd_rx_handler+0x340/0x1ab0
+kthread_worker_fn+0xcc/0x18c
+kthread+0x10c/0x110
+ret_from_fork+0x10/0x20
+---[ end trace 0000000000000000 ]---
+
+Below sequences may trigger this warning:
+
+tcpm_send_discover_work(work)
+ tcpm_send_vdm(port, USB_SID_PD, CMD_DISCOVER_IDENT, NULL, 0);
+ tcpm_queue_vdm(port, header, data, count);
+ port->vdm_state = VDM_STATE_READY;
+
+vdm_state_machine_work(work);
+ <-- received discover_identity from partner
+ vdm_run_state_machine(port);
+ port->vdm_state = VDM_STATE_SEND_MESSAGE;
+ mod_vdm_delayed_work(port, x);
+
+tcpm_pd_rx_handler(work);
+ tcpm_pd_data_request(port, msg);
+ tcpm_handle_vdm_request(port, msg->payload, cnt);
+ tcpm_queue_vdm(port, response[0], &response[1], rlen - 1);
+--> WARN_ON(port->vdm_state > VDM_STATE_DONE);
+
+For this case, the state machine could still send out discover
+identity message later if we skip current discover_identity message.
+So we should handle the received message firstly and override the pending
+discover_identity message without warning in this case. Then, a delayed
+send_discover work will send discover_identity message again.
+
+Fixes: e00943e91678 ("usb: typec: tcpm: PD3.0 sinks can send Discover Identity even in device mode")
+cc: <stable@vger.kernel.org>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20230216031515.4151117-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/tcpm.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -1428,10 +1428,18 @@ static int tcpm_ams_start(struct tcpm_po
+ static void tcpm_queue_vdm(struct tcpm_port *port, const u32 header,
+ const u32 *data, int cnt)
+ {
++ u32 vdo_hdr = port->vdo_data[0];
++
+ WARN_ON(!mutex_is_locked(&port->lock));
+
+- /* Make sure we are not still processing a previous VDM packet */
+- WARN_ON(port->vdm_state > VDM_STATE_DONE);
++ /* If is sending discover_identity, handle received message first */
++ if (PD_VDO_SVDM(vdo_hdr) && PD_VDO_CMD(vdo_hdr) == CMD_DISCOVER_IDENT) {
++ port->send_discover = true;
++ mod_send_discover_delayed_work(port, SEND_DISCOVER_RETRY_MS);
++ } else {
++ /* Make sure we are not still processing a previous VDM packet */
++ WARN_ON(port->vdm_state > VDM_STATE_DONE);
++ }
+
+ port->vdo_count = cnt + 1;
+ port->vdo_data[0] = header;
+@@ -1934,11 +1942,13 @@ static void vdm_run_state_machine(struct
+ switch (PD_VDO_CMD(vdo_hdr)) {
+ case CMD_DISCOVER_IDENT:
+ res = tcpm_ams_start(port, DISCOVER_IDENTITY);
+- if (res == 0)
++ if (res == 0) {
+ port->send_discover = false;
+- else if (res == -EAGAIN)
++ } else if (res == -EAGAIN) {
++ port->vdo_data[0] = 0;
+ mod_send_discover_delayed_work(port,
+ SEND_DISCOVER_RETRY_MS);
++ }
+ break;
+ case CMD_DISCOVER_SVID:
+ res = tcpm_ams_start(port, DISCOVER_SVIDS);
+@@ -2021,6 +2031,7 @@ static void vdm_run_state_machine(struct
+ unsigned long timeout;
+
+ port->vdm_retries = 0;
++ port->vdo_data[0] = 0;
+ port->vdm_state = VDM_STATE_BUSY;
+ timeout = vdm_ready_timeout(vdo_hdr);
+ mod_vdm_delayed_work(port, timeout);
--- /dev/null
+From f87fb985452ab2083967103ac00bfd68fb182764 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 8 Mar 2023 16:42:42 +0100
+Subject: usb: ucsi: Fix NULL pointer deref in ucsi_connector_change()
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit f87fb985452ab2083967103ac00bfd68fb182764 upstream.
+
+When ucsi_init() fails, ucsi->connector is NULL, yet in case of
+ucsi_acpi we may still get events which cause the ucs_acpi code to call
+ucsi_connector_change(), which then derefs the NULL ucsi->connector
+pointer.
+
+Fix this by not setting ucsi->ntfy inside ucsi_init() until ucsi_init()
+has succeeded, so that ucsi_connector_change() ignores the events
+because UCSI_ENABLE_NTFY_CONNECTOR_CHANGE is not set in the ntfy mask.
+
+Fixes: bdc62f2bae8f ("usb: typec: ucsi: Simplified registration and I/O API")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217106
+Cc: stable@vger.kernel.org
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20230308154244.722337-2-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/ucsi.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/typec/ucsi/ucsi.c
++++ b/drivers/usb/typec/ucsi/ucsi.c
+@@ -1202,7 +1202,7 @@ out_unlock:
+ static int ucsi_init(struct ucsi *ucsi)
+ {
+ struct ucsi_connector *con;
+- u64 command;
++ u64 command, ntfy;
+ int ret;
+ int i;
+
+@@ -1214,8 +1214,8 @@ static int ucsi_init(struct ucsi *ucsi)
+ }
+
+ /* Enable basic notifications */
+- ucsi->ntfy = UCSI_ENABLE_NTFY_CMD_COMPLETE | UCSI_ENABLE_NTFY_ERROR;
+- command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy;
++ ntfy = UCSI_ENABLE_NTFY_CMD_COMPLETE | UCSI_ENABLE_NTFY_ERROR;
++ command = UCSI_SET_NOTIFICATION_ENABLE | ntfy;
+ ret = ucsi_send_command(ucsi, command, NULL, 0);
+ if (ret < 0)
+ goto err_reset;
+@@ -1247,12 +1247,13 @@ static int ucsi_init(struct ucsi *ucsi)
+ }
+
+ /* Enable all notifications */
+- ucsi->ntfy = UCSI_ENABLE_NTFY_ALL;
+- command = UCSI_SET_NOTIFICATION_ENABLE | ucsi->ntfy;
++ ntfy = UCSI_ENABLE_NTFY_ALL;
++ command = UCSI_SET_NOTIFICATION_ENABLE | ntfy;
+ ret = ucsi_send_command(ucsi, command, NULL, 0);
+ if (ret < 0)
+ goto err_unregister;
+
++ ucsi->ntfy = ntfy;
+ return 0;
+
+ err_unregister:
projects / thirdparty / kernel / stable-queue.git / commitdiff
