--- /dev/null
+From 252092ca007480f9aaff279630d1c21e826583d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jun 2023 14:38:12 -0500
+Subject: ALSA: hda/realtek: Add "Intel Reference board" and "NUC 13" SSID in
+ the ALC256
+
+From: Sayed, Karimuddin <karimuddin.sayed@intel.com>
+
+[ Upstream commit 1a93f10c5b12bd766a537b24a50fca5373467303 ]
+
+Add "Intel Reference boad" and "Intel NUC 13" SSID in the alc256.
+ Enable jack headset volume buttons
+
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Signed-off-by: Sayed, Karimuddin <karimuddin.sayed@intel.com>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20230602193812.66768-1-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 920e44ba998a5..eb049014f87ac 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9594,6 +9594,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x10ec, 0x124c, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
+ SND_PCI_QUIRK(0x10ec, 0x1252, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
+ SND_PCI_QUIRK(0x10ec, 0x1254, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
++ SND_PCI_QUIRK(0x10ec, 0x12cc, "Intel Reference board", ALC225_FIXUP_HEADSET_JACK),
+ SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-SZ6", ALC269_FIXUP_HEADSET_MODE),
+ SND_PCI_QUIRK(0x144d, 0xc109, "Samsung Ativ book 9 (NP900X3G)", ALC269_FIXUP_INV_DMIC),
+ SND_PCI_QUIRK(0x144d, 0xc169, "Samsung Notebook 9 Pen (NP930SBE-K01US)", ALC298_FIXUP_SAMSUNG_AMP),
+@@ -9814,6 +9815,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x8086, 0x2074, "Intel NUC 8", ALC233_FIXUP_INTEL_NUC8_DMIC),
+ SND_PCI_QUIRK(0x8086, 0x2080, "Intel NUC 8 Rugged", ALC256_FIXUP_INTEL_NUC8_RUGGED),
+ SND_PCI_QUIRK(0x8086, 0x2081, "Intel NUC 10", ALC256_FIXUP_INTEL_NUC10),
++ SND_PCI_QUIRK(0x8086, 0x3038, "Intel NUC 13", ALC225_FIXUP_HEADSET_JACK),
+ SND_PCI_QUIRK(0xf111, 0x0001, "Framework Laptop", ALC295_FIXUP_FRAMEWORK_LAPTOP_MIC_NO_PRESENCE),
+
+ #if 0
+--
+2.39.2
+
--- /dev/null
+From 394ba3b0f9985a9c0cd7b8267b12e91953e820ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 12:51:56 +0200
+Subject: ARM: dts: Fix erroneous ADS touchscreen polarities
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 4a672d500bfd6bb87092c33d5a2572c3d0a1cf83 ]
+
+Several device tree files get the polarity of the pendown-gpios
+wrong: this signal is active low. Fix up all incorrect flags, so
+that operating systems can rely on the flag being correctly set.
+
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20230510105156.1134320-1-linus.walleij@linaro.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/am57xx-cl-som-am57x.dts | 2 +-
+ arch/arm/boot/dts/at91sam9261ek.dts | 2 +-
+ arch/arm/boot/dts/imx7d-pico-hobbit.dts | 2 +-
+ arch/arm/boot/dts/imx7d-sdb.dts | 2 +-
+ arch/arm/boot/dts/omap3-cm-t3x.dtsi | 2 +-
+ arch/arm/boot/dts/omap3-devkit8000-lcd-common.dtsi | 2 +-
+ arch/arm/boot/dts/omap3-lilly-a83x.dtsi | 2 +-
+ arch/arm/boot/dts/omap3-overo-common-lcd35.dtsi | 2 +-
+ arch/arm/boot/dts/omap3-overo-common-lcd43.dtsi | 2 +-
+ arch/arm/boot/dts/omap3-pandora-common.dtsi | 2 +-
+ arch/arm/boot/dts/omap5-cm-t54.dts | 2 +-
+ 11 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/arch/arm/boot/dts/am57xx-cl-som-am57x.dts b/arch/arm/boot/dts/am57xx-cl-som-am57x.dts
+index 2fc9a5d5e0c0d..625b9b311b49d 100644
+--- a/arch/arm/boot/dts/am57xx-cl-som-am57x.dts
++++ b/arch/arm/boot/dts/am57xx-cl-som-am57x.dts
+@@ -527,7 +527,7 @@
+
+ interrupt-parent = <&gpio1>;
+ interrupts = <31 0>;
+- pendown-gpio = <&gpio1 31 0>;
++ pendown-gpio = <&gpio1 31 GPIO_ACTIVE_LOW>;
+
+
+ ti,x-min = /bits/ 16 <0x0>;
+diff --git a/arch/arm/boot/dts/at91sam9261ek.dts b/arch/arm/boot/dts/at91sam9261ek.dts
+index 88869ca874d1a..045cb253f23a6 100644
+--- a/arch/arm/boot/dts/at91sam9261ek.dts
++++ b/arch/arm/boot/dts/at91sam9261ek.dts
+@@ -156,7 +156,7 @@
+ compatible = "ti,ads7843";
+ interrupts-extended = <&pioC 2 IRQ_TYPE_EDGE_BOTH>;
+ spi-max-frequency = <3000000>;
+- pendown-gpio = <&pioC 2 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&pioC 2 GPIO_ACTIVE_LOW>;
+
+ ti,x-min = /bits/ 16 <150>;
+ ti,x-max = /bits/ 16 <3830>;
+diff --git a/arch/arm/boot/dts/imx7d-pico-hobbit.dts b/arch/arm/boot/dts/imx7d-pico-hobbit.dts
+index d917dc4f2f227..6ad39dca70096 100644
+--- a/arch/arm/boot/dts/imx7d-pico-hobbit.dts
++++ b/arch/arm/boot/dts/imx7d-pico-hobbit.dts
+@@ -64,7 +64,7 @@
+ interrupt-parent = <&gpio2>;
+ interrupts = <7 0>;
+ spi-max-frequency = <1000000>;
+- pendown-gpio = <&gpio2 7 0>;
++ pendown-gpio = <&gpio2 7 GPIO_ACTIVE_LOW>;
+ vcc-supply = <®_3p3v>;
+ ti,x-min = /bits/ 16 <0>;
+ ti,x-max = /bits/ 16 <4095>;
+diff --git a/arch/arm/boot/dts/imx7d-sdb.dts b/arch/arm/boot/dts/imx7d-sdb.dts
+index f483bc0afe5ea..234e5fc647b22 100644
+--- a/arch/arm/boot/dts/imx7d-sdb.dts
++++ b/arch/arm/boot/dts/imx7d-sdb.dts
+@@ -205,7 +205,7 @@
+ pinctrl-0 = <&pinctrl_tsc2046_pendown>;
+ interrupt-parent = <&gpio2>;
+ interrupts = <29 0>;
+- pendown-gpio = <&gpio2 29 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&gpio2 29 GPIO_ACTIVE_LOW>;
+ touchscreen-max-pressure = <255>;
+ wakeup-source;
+ };
+diff --git a/arch/arm/boot/dts/omap3-cm-t3x.dtsi b/arch/arm/boot/dts/omap3-cm-t3x.dtsi
+index e61b8a2bfb7de..51baedf1603bd 100644
+--- a/arch/arm/boot/dts/omap3-cm-t3x.dtsi
++++ b/arch/arm/boot/dts/omap3-cm-t3x.dtsi
+@@ -227,7 +227,7 @@
+
+ interrupt-parent = <&gpio2>;
+ interrupts = <25 0>; /* gpio_57 */
+- pendown-gpio = <&gpio2 25 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&gpio2 25 GPIO_ACTIVE_LOW>;
+
+ ti,x-min = /bits/ 16 <0x0>;
+ ti,x-max = /bits/ 16 <0x0fff>;
+diff --git a/arch/arm/boot/dts/omap3-devkit8000-lcd-common.dtsi b/arch/arm/boot/dts/omap3-devkit8000-lcd-common.dtsi
+index 3decc2d78a6ca..a7f99ae0c1fe9 100644
+--- a/arch/arm/boot/dts/omap3-devkit8000-lcd-common.dtsi
++++ b/arch/arm/boot/dts/omap3-devkit8000-lcd-common.dtsi
+@@ -54,7 +54,7 @@
+
+ interrupt-parent = <&gpio1>;
+ interrupts = <27 0>; /* gpio_27 */
+- pendown-gpio = <&gpio1 27 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&gpio1 27 GPIO_ACTIVE_LOW>;
+
+ ti,x-min = /bits/ 16 <0x0>;
+ ti,x-max = /bits/ 16 <0x0fff>;
+diff --git a/arch/arm/boot/dts/omap3-lilly-a83x.dtsi b/arch/arm/boot/dts/omap3-lilly-a83x.dtsi
+index c595afe4181d7..d310b5c7bac36 100644
+--- a/arch/arm/boot/dts/omap3-lilly-a83x.dtsi
++++ b/arch/arm/boot/dts/omap3-lilly-a83x.dtsi
+@@ -311,7 +311,7 @@
+ interrupt-parent = <&gpio1>;
+ interrupts = <8 0>; /* boot6 / gpio_8 */
+ spi-max-frequency = <1000000>;
+- pendown-gpio = <&gpio1 8 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&gpio1 8 GPIO_ACTIVE_LOW>;
+ vcc-supply = <®_vcc3>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&tsc2048_pins>;
+diff --git a/arch/arm/boot/dts/omap3-overo-common-lcd35.dtsi b/arch/arm/boot/dts/omap3-overo-common-lcd35.dtsi
+index 1d6e88f99eb31..c3570acc35fad 100644
+--- a/arch/arm/boot/dts/omap3-overo-common-lcd35.dtsi
++++ b/arch/arm/boot/dts/omap3-overo-common-lcd35.dtsi
+@@ -149,7 +149,7 @@
+
+ interrupt-parent = <&gpio4>;
+ interrupts = <18 0>; /* gpio_114 */
+- pendown-gpio = <&gpio4 18 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&gpio4 18 GPIO_ACTIVE_LOW>;
+
+ ti,x-min = /bits/ 16 <0x0>;
+ ti,x-max = /bits/ 16 <0x0fff>;
+diff --git a/arch/arm/boot/dts/omap3-overo-common-lcd43.dtsi b/arch/arm/boot/dts/omap3-overo-common-lcd43.dtsi
+index 7e30f9d45790e..d95a0e130058c 100644
+--- a/arch/arm/boot/dts/omap3-overo-common-lcd43.dtsi
++++ b/arch/arm/boot/dts/omap3-overo-common-lcd43.dtsi
+@@ -160,7 +160,7 @@
+
+ interrupt-parent = <&gpio4>;
+ interrupts = <18 0>; /* gpio_114 */
+- pendown-gpio = <&gpio4 18 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&gpio4 18 GPIO_ACTIVE_LOW>;
+
+ ti,x-min = /bits/ 16 <0x0>;
+ ti,x-max = /bits/ 16 <0x0fff>;
+diff --git a/arch/arm/boot/dts/omap3-pandora-common.dtsi b/arch/arm/boot/dts/omap3-pandora-common.dtsi
+index 559853764487f..4c3b6bab179cc 100644
+--- a/arch/arm/boot/dts/omap3-pandora-common.dtsi
++++ b/arch/arm/boot/dts/omap3-pandora-common.dtsi
+@@ -651,7 +651,7 @@
+ pinctrl-0 = <&penirq_pins>;
+ interrupt-parent = <&gpio3>;
+ interrupts = <30 IRQ_TYPE_NONE>; /* GPIO_94 */
+- pendown-gpio = <&gpio3 30 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&gpio3 30 GPIO_ACTIVE_LOW>;
+ vcc-supply = <&vaux4>;
+
+ ti,x-min = /bits/ 16 <0>;
+diff --git a/arch/arm/boot/dts/omap5-cm-t54.dts b/arch/arm/boot/dts/omap5-cm-t54.dts
+index 2d87b9fc230ee..af288d63a26a4 100644
+--- a/arch/arm/boot/dts/omap5-cm-t54.dts
++++ b/arch/arm/boot/dts/omap5-cm-t54.dts
+@@ -354,7 +354,7 @@
+
+ interrupt-parent = <&gpio1>;
+ interrupts = <15 0>; /* gpio1_wk15 */
+- pendown-gpio = <&gpio1 15 GPIO_ACTIVE_HIGH>;
++ pendown-gpio = <&gpio1 15 GPIO_ACTIVE_LOW>;
+
+
+ ti,x-min = /bits/ 16 <0x0>;
+--
+2.39.2
+
--- /dev/null
+From 26bd36809afe37fd1d01c51c77c3785e8195871e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 May 2023 21:46:00 +0100
+Subject: arm64: Add missing Set/Way CMO encodings
+
+From: Marc Zyngier <maz@kernel.org>
+
+[ Upstream commit 8d0f019e4c4f2ee2de81efd9bf1c27e9fb3c0460 ]
+
+Add the missing Set/Way CMOs that apply to tagged memory.
+
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
+Link: https://lore.kernel.org/r/20230515204601.1270428-2-maz@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/sysreg.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h
+index 9e3ecba3c4e67..d4a85c1db2e2a 100644
+--- a/arch/arm64/include/asm/sysreg.h
++++ b/arch/arm64/include/asm/sysreg.h
+@@ -115,8 +115,14 @@
+ #define SB_BARRIER_INSN __SYS_BARRIER_INSN(0, 7, 31)
+
+ #define SYS_DC_ISW sys_insn(1, 0, 7, 6, 2)
++#define SYS_DC_IGSW sys_insn(1, 0, 7, 6, 4)
++#define SYS_DC_IGDSW sys_insn(1, 0, 7, 6, 6)
+ #define SYS_DC_CSW sys_insn(1, 0, 7, 10, 2)
++#define SYS_DC_CGSW sys_insn(1, 0, 7, 10, 4)
++#define SYS_DC_CGDSW sys_insn(1, 0, 7, 10, 6)
+ #define SYS_DC_CISW sys_insn(1, 0, 7, 14, 2)
++#define SYS_DC_CIGSW sys_insn(1, 0, 7, 14, 4)
++#define SYS_DC_CIGDSW sys_insn(1, 0, 7, 14, 6)
+
+ /*
+ * Automatically generated definitions for system registers, the
+--
+2.39.2
+
--- /dev/null
+From 8bcedc23817f0b92989264809628f90d6937d06c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Feb 2023 10:54:00 +0100
+Subject: arm64: dts: qcom: sc7280-idp: drop incorrect dai-cells from WCD938x
+ SDW
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit ca8fc6814844d8787e7fec61b2544a871ea8b675 ]
+
+The WCD938x audio codec Soundwire interface part is not a DAI and does
+not allow sound-dai-cells:
+
+ sc7280-idp.dtb: codec@0,4: '#sound-dai-cells' does not match any of the regexes: 'pinctrl-[0-9]+'
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20230220095401.64196-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sc7280-idp.dtsi | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sc7280-idp.dtsi b/arch/arm64/boot/dts/qcom/sc7280-idp.dtsi
+index 8b5293e7fd2a3..a0e767ff252c5 100644
+--- a/arch/arm64/boot/dts/qcom/sc7280-idp.dtsi
++++ b/arch/arm64/boot/dts/qcom/sc7280-idp.dtsi
+@@ -480,7 +480,6 @@
+ wcd_rx: codec@0,4 {
+ compatible = "sdw20217010d00";
+ reg = <0 4>;
+- #sound-dai-cells = <1>;
+ qcom,rx-port-mapping = <1 2 3 4 5>;
+ };
+ };
+@@ -491,7 +490,6 @@
+ wcd_tx: codec@0,3 {
+ compatible = "sdw20217010d00";
+ reg = <0 3>;
+- #sound-dai-cells = <1>;
+ qcom,tx-port-mapping = <1 2 3 4>;
+ };
+ };
+--
+2.39.2
+
--- /dev/null
+From 2d2b50f84c9d5764a9ac7611558459c64cbddc73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Feb 2023 10:54:01 +0100
+Subject: arm64: dts: qcom: sc7280-qcard: drop incorrect dai-cells from WCD938x
+ SDW
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 16bd455d0897d1b8b7a9aee2ed51d75b14a34563 ]
+
+The WCD938x audio codec Soundwire interface part is not a DAI and does
+not allow sound-dai-cells:
+
+ sc7280-herobrine-crd.dtb: codec@0,4: '#sound-dai-cells' does not match any of the regexes: 'pinctrl-[0-9]+'
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20230220095401.64196-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sc7280-qcard.dtsi | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sc7280-qcard.dtsi b/arch/arm64/boot/dts/qcom/sc7280-qcard.dtsi
+index 88204f794ccb7..1080d701d45a2 100644
+--- a/arch/arm64/boot/dts/qcom/sc7280-qcard.dtsi
++++ b/arch/arm64/boot/dts/qcom/sc7280-qcard.dtsi
+@@ -419,7 +419,6 @@
+ wcd_rx: codec@0,4 {
+ compatible = "sdw20217010d00";
+ reg = <0 4>;
+- #sound-dai-cells = <1>;
+ qcom,rx-port-mapping = <1 2 3 4 5>;
+ };
+ };
+@@ -428,7 +427,6 @@
+ wcd_tx: codec@0,3 {
+ compatible = "sdw20217010d00";
+ reg = <0 3>;
+- #sound-dai-cells = <1>;
+ qcom,tx-port-mapping = <1 2 3 4>;
+ };
+ };
+--
+2.39.2
+
--- /dev/null
+From 6f4553ab65f1579fc9a89cd49e9ba80176ecbfd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Apr 2023 17:26:10 +0200
+Subject: arm64: dts: rockchip: fix nEXTRST on SOQuartz
+
+From: Nicolas Frattaroli <frattaroli.nicolas@gmail.com>
+
+[ Upstream commit cf9ae4a0077496e8224d68fc88e3df13dd7e5f37 ]
+
+In pre-production prototypes (of which I only know one person
+having one, Peter Geis), GPIO0 pin A5 was tied to the SDMMC
+power enable pin on the CM4 connector. On all production models,
+this is not the case; instead, this pin is used for the nEXTRST
+signal, and the SDMMC power enable pin is always pulled high.
+
+Since everyone currently using the SOQuartz device trees will
+want this change, it is made to the tree without splitting the
+trees into two separate ones of which users will then inevitably
+choose the wrong one.
+
+This fixes USB and PCIe on a wide variety of CM4IO-compatible
+boards which use the nEXTRST signal.
+
+Fixes: 5859b5a9c3ac ("arm64: dts: rockchip: add SoQuartz CM4IO dts")
+Signed-off-by: Nicolas Frattaroli <frattaroli.nicolas@gmail.com>
+Link: https://lore.kernel.org/r/20230421152610.21688-1-frattaroli.nicolas@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/rockchip/rk3566-soquartz-cm4.dts | 18 +++++++-----
+ .../boot/dts/rockchip/rk3566-soquartz.dtsi | 29 +++++++++----------
+ 2 files changed, 24 insertions(+), 23 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3566-soquartz-cm4.dts b/arch/arm64/boot/dts/rockchip/rk3566-soquartz-cm4.dts
+index 263ce40770dde..cddf6cd2fecb1 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3566-soquartz-cm4.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3566-soquartz-cm4.dts
+@@ -28,6 +28,16 @@
+ regulator-max-microvolt = <5000000>;
+ vin-supply = <&vcc12v_dcin>;
+ };
++
++ vcc_sd_pwr: vcc-sd-pwr-regulator {
++ compatible = "regulator-fixed";
++ regulator-name = "vcc_sd_pwr";
++ regulator-always-on;
++ regulator-boot-on;
++ regulator-min-microvolt = <3300000>;
++ regulator-max-microvolt = <3300000>;
++ vin-supply = <&vcc3v3_sys>;
++ };
+ };
+
+ /* phy for pcie */
+@@ -130,13 +140,7 @@
+ };
+
+ &sdmmc0 {
+- vmmc-supply = <&sdmmc_pwr>;
+- status = "okay";
+-};
+-
+-&sdmmc_pwr {
+- regulator-min-microvolt = <3300000>;
+- regulator-max-microvolt = <3300000>;
++ vmmc-supply = <&vcc_sd_pwr>;
+ status = "okay";
+ };
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi b/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi
+index 102e448bc026a..31aa2b8efe393 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3566-soquartz.dtsi
+@@ -104,16 +104,6 @@
+ regulator-max-microvolt = <3300000>;
+ vin-supply = <&vcc5v0_sys>;
+ };
+-
+- sdmmc_pwr: sdmmc-pwr-regulator {
+- compatible = "regulator-fixed";
+- enable-active-high;
+- gpio = <&gpio0 RK_PA5 GPIO_ACTIVE_HIGH>;
+- pinctrl-names = "default";
+- pinctrl-0 = <&sdmmc_pwr_h>;
+- regulator-name = "sdmmc_pwr";
+- status = "disabled";
+- };
+ };
+
+ &cpu0 {
+@@ -155,6 +145,19 @@
+ status = "disabled";
+ };
+
++&gpio0 {
++ nextrst-hog {
++ gpio-hog;
++ /*
++ * GPIO_ACTIVE_LOW + output-low here means that the pin is set
++ * to high, because output-low decides the value pre-inversion.
++ */
++ gpios = <RK_PA5 GPIO_ACTIVE_LOW>;
++ line-name = "nEXTRST";
++ output-low;
++ };
++};
++
+ &gpu {
+ mali-supply = <&vdd_gpu>;
+ status = "okay";
+@@ -538,12 +541,6 @@
+ rockchip,pins = <2 RK_PC2 RK_FUNC_GPIO &pcfg_pull_none>;
+ };
+ };
+-
+- sdmmc-pwr {
+- sdmmc_pwr_h: sdmmc-pwr-h {
+- rockchip,pins = <0 RK_PA5 RK_FUNC_GPIO &pcfg_pull_none>;
+- };
+- };
+ };
+
+ &pmu_io_domains {
+--
+2.39.2
+
--- /dev/null
+From 8f5806907213cd804daacfcf4dec3e0b88f269d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 May 2023 21:06:35 +1200
+Subject: ASoC: amd: yc: Add Thinkpad Neo14 to quirks list for acp6x
+
+From: Sicong Jiang <kevin.jiangsc@gmail.com>
+
+[ Upstream commit 57d1e8900495cf1751cec74db16fe1a0fe47efbb ]
+
+Thinkpad Neo14 Ryzen Edition uses Ryzen 6800H processor, and adding to
+quirks list for acp6x will enable internal mic.
+
+Signed-off-by: Sicong Jiang <kevin.jiangsc@gmail.com>
+Link: https://lore.kernel.org/r/20230531090635.89565-1-kevin.jiangsc@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index 84b401b685f7f..c1ca3ceac5f2f 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -171,6 +171,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "21CL"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "21EF"),
++ }
++ },
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+--
+2.39.2
+
--- /dev/null
+From 30051d5d8f727d0991362b1762b89311e7cc4754 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 May 2023 17:54:14 +0100
+Subject: ASoC: codecs: wcd938x-sdw: do not set can_multi_write flag
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 2d7c2f9272de6347a9cec0fc07708913692c0ae3 ]
+
+regmap-sdw does not support multi register writes, so there is
+no point in setting this flag. This also leads to incorrect
+programming of WSA codecs with regmap_multi_reg_write() call.
+
+This invalid configuration should have been rejected by regmap-sdw.
+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20230523165414.14560-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wcd938x-sdw.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/soc/codecs/wcd938x-sdw.c b/sound/soc/codecs/wcd938x-sdw.c
+index 402286dfaea44..9c10200ff34b2 100644
+--- a/sound/soc/codecs/wcd938x-sdw.c
++++ b/sound/soc/codecs/wcd938x-sdw.c
+@@ -1190,7 +1190,6 @@ static const struct regmap_config wcd938x_regmap_config = {
+ .readable_reg = wcd938x_readable_register,
+ .writeable_reg = wcd938x_writeable_register,
+ .volatile_reg = wcd938x_volatile_register,
+- .can_multi_write = true,
+ };
+
+ static const struct sdw_slave_ops wcd9380_slave_ops = {
+--
+2.39.2
+
--- /dev/null
+From 67f85bc0d79cf7c63e8913d09855609229a07237 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 May 2023 18:30:12 +0800
+Subject: ASoC: fsl_sai: Enable BCI bit if SAI works on synchronous mode with
+ BYP asserted
+
+From: Chancel Liu <chancel.liu@nxp.com>
+
+[ Upstream commit 32cf0046a652116d6a216d575f3049a9ff9dd80d ]
+
+There's an issue on SAI synchronous mode that TX/RX side can't get BCLK
+from RX/TX it sync with if BYP bit is asserted. It's a workaround to
+fix it that enable SION of IOMUX pad control and assert BCI.
+
+For example if TX sync with RX which means both TX and RX are using clk
+form RX and BYP=1. TX can get BCLK only if the following two conditions
+are valid:
+1. SION of RX BCLK IOMUX pad is set to 1
+2. BCI of TX is set to 1
+
+Signed-off-by: Chancel Liu <chancel.liu@nxp.com>
+Acked-by: Shengjiu Wang <shengjiu.wang@gmail.com>
+Link: https://lore.kernel.org/r/20230530103012.3448838-1-chancel.liu@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_sai.c | 11 +++++++++--
+ sound/soc/fsl/fsl_sai.h | 1 +
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
+index 990bba0be1fb1..8a64f3c1d1556 100644
+--- a/sound/soc/fsl/fsl_sai.c
++++ b/sound/soc/fsl/fsl_sai.c
+@@ -491,14 +491,21 @@ static int fsl_sai_set_bclk(struct snd_soc_dai *dai, bool tx, u32 freq)
+ regmap_update_bits(sai->regmap, reg, FSL_SAI_CR2_MSEL_MASK,
+ FSL_SAI_CR2_MSEL(sai->mclk_id[tx]));
+
+- if (savediv == 1)
++ if (savediv == 1) {
+ regmap_update_bits(sai->regmap, reg,
+ FSL_SAI_CR2_DIV_MASK | FSL_SAI_CR2_BYP,
+ FSL_SAI_CR2_BYP);
+- else
++ if (fsl_sai_dir_is_synced(sai, adir))
++ regmap_update_bits(sai->regmap, FSL_SAI_xCR2(tx, ofs),
++ FSL_SAI_CR2_BCI, FSL_SAI_CR2_BCI);
++ else
++ regmap_update_bits(sai->regmap, FSL_SAI_xCR2(tx, ofs),
++ FSL_SAI_CR2_BCI, 0);
++ } else {
+ regmap_update_bits(sai->regmap, reg,
+ FSL_SAI_CR2_DIV_MASK | FSL_SAI_CR2_BYP,
+ savediv / 2 - 1);
++ }
+
+ if (sai->soc_data->max_register >= FSL_SAI_MCTL) {
+ /* SAI is in master mode at this point, so enable MCLK */
+diff --git a/sound/soc/fsl/fsl_sai.h b/sound/soc/fsl/fsl_sai.h
+index 197748a888d5f..a53c4f0e25faf 100644
+--- a/sound/soc/fsl/fsl_sai.h
++++ b/sound/soc/fsl/fsl_sai.h
+@@ -116,6 +116,7 @@
+
+ /* SAI Transmit and Receive Configuration 2 Register */
+ #define FSL_SAI_CR2_SYNC BIT(30)
++#define FSL_SAI_CR2_BCI BIT(28)
+ #define FSL_SAI_CR2_MSEL_MASK (0x3 << 26)
+ #define FSL_SAI_CR2_MSEL_BUS 0
+ #define FSL_SAI_CR2_MSEL_MCLK1 BIT(26)
+--
+2.39.2
+
--- /dev/null
+From 5357f61d6e02b609a1d13eba95a25f83332af038 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 May 2023 15:19:11 -0300
+Subject: ASoC: nau8824: Add quirk to active-high jack-detect
+
+From: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+
+[ Upstream commit e384dba03e3294ce7ea69e4da558e9bf8f0e8946 ]
+
+Add entries for Positivo laptops: CW14Q01P, K1424G, N14ZP74G to the
+DMI table, so that active-high jack-detect will work properly on
+these laptops.
+
+Signed-off-by: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+Link: https://lore.kernel.org/r/20230529181911.632851-1-edson.drosdeck@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/nau8824.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/sound/soc/codecs/nau8824.c b/sound/soc/codecs/nau8824.c
+index 4f19fd9b65d11..5a4db8944d06a 100644
+--- a/sound/soc/codecs/nau8824.c
++++ b/sound/soc/codecs/nau8824.c
+@@ -1903,6 +1903,30 @@ static const struct dmi_system_id nau8824_quirk_table[] = {
+ },
+ .driver_data = (void *)(NAU8824_MONO_SPEAKER),
+ },
++ {
++ /* Positivo CW14Q01P */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Positivo Tecnologia SA"),
++ DMI_MATCH(DMI_BOARD_NAME, "CW14Q01P"),
++ },
++ .driver_data = (void *)(NAU8824_JD_ACTIVE_HIGH),
++ },
++ {
++ /* Positivo K1424G */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Positivo Tecnologia SA"),
++ DMI_MATCH(DMI_BOARD_NAME, "K1424G"),
++ },
++ .driver_data = (void *)(NAU8824_JD_ACTIVE_HIGH),
++ },
++ {
++ /* Positivo N14ZP74G */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Positivo Tecnologia SA"),
++ DMI_MATCH(DMI_BOARD_NAME, "N14ZP74G"),
++ },
++ .driver_data = (void *)(NAU8824_JD_ACTIVE_HIGH),
++ },
+ {}
+ };
+
+--
+2.39.2
+
--- /dev/null
+From bdc45c8a1a7d713891480df4e883b04da098684a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 May 2023 17:12:22 +0200
+Subject: ASoC: simple-card: Add missing of_node_put() in case of error
+
+From: Herve Codina <herve.codina@bootlin.com>
+
+[ Upstream commit 8938f75a5e35c597a647c28984a0304da7a33d63 ]
+
+In the error path, a of_node_put() for platform is missing.
+Just add it.
+
+Signed-off-by: Herve Codina <herve.codina@bootlin.com>
+Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/20230523151223.109551-9-herve.codina@bootlin.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/generic/simple-card.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/generic/simple-card.c b/sound/soc/generic/simple-card.c
+index e98932c167542..5f8468ff36562 100644
+--- a/sound/soc/generic/simple-card.c
++++ b/sound/soc/generic/simple-card.c
+@@ -416,6 +416,7 @@ static int __simple_for_each_link(struct asoc_simple_priv *priv,
+
+ if (ret < 0) {
+ of_node_put(codec);
++ of_node_put(plat);
+ of_node_put(np);
+ goto error;
+ }
+--
+2.39.2
+
--- /dev/null
+From 9f1155381f7d0334c3b988545ba2496d8dfa040e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jun 2023 17:45:49 +0100
+Subject: be2net: Extend xmit workaround to BE3 chip
+
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+
+[ Upstream commit 7580e0a78eb29e7bb1a772eba4088250bbb70d41 ]
+
+We have seen a bug where the NIC incorrectly changes the length in the
+IP header of a padded packet to include the padding bytes. The driver
+already has a workaround for this so do the workaround for this NIC too.
+This resolves the issue.
+
+The NIC in question identifies itself as follows:
+
+[ 8.828494] be2net 0000:02:00.0: FW version is 10.7.110.31
+[ 8.834759] be2net 0000:02:00.0: Emulex OneConnect(be3): PF FLEX10 port 1
+
+02:00.0 Ethernet controller: Emulex Corporation OneConnect 10Gb NIC (be3) (rev 01)
+
+Fixes: ca34fe38f06d ("be2net: fix wrong usage of adapter->generation")
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Link: https://lore.kernel.org/r/20230616164549.2863037-1-ross.lagerwall@citrix.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/emulex/benet/be_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
+index 46fe3d74e2e98..7236c4f70cf51 100644
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -1136,8 +1136,8 @@ static struct sk_buff *be_lancer_xmit_workarounds(struct be_adapter *adapter,
+ eth_hdr_len = ntohs(skb->protocol) == ETH_P_8021Q ?
+ VLAN_ETH_HLEN : ETH_HLEN;
+ if (skb->len <= 60 &&
+- (lancer_chip(adapter) || skb_vlan_tag_present(skb)) &&
+- is_ipv4_pkt(skb)) {
++ (lancer_chip(adapter) || BE3_chip(adapter) ||
++ skb_vlan_tag_present(skb)) && is_ipv4_pkt(skb)) {
+ ip = (struct iphdr *)ip_hdr(skb);
+ pskb_trim(skb, eth_hdr_len + ntohs(ip->tot_len));
+ }
+--
+2.39.2
+
--- /dev/null
+From 357830e328bb59bb1f1fbde138d8b6cb9ec622c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jun 2023 16:56:07 +0200
+Subject: bpf/btf: Accept function names that contain dots
+
+From: Florent Revest <revest@chromium.org>
+
+[ Upstream commit 9724160b3942b0a967b91a59f81da5593f28b8ba ]
+
+When building a kernel with LLVM=1, LLVM_IAS=0 and CONFIG_KASAN=y, LLVM
+leaves DWARF tags for the "asan.module_ctor" & co symbols. In turn,
+pahole creates BTF_KIND_FUNC entries for these and this makes the BTF
+metadata validation fail because they contain a dot.
+
+In a dramatic turn of event, this BTF verification failure can cause
+the netfilter_bpf initialization to fail, causing netfilter_core to
+free the netfilter_helper hashmap and netfilter_ftp to trigger a
+use-after-free. The risk of u-a-f in netfilter will be addressed
+separately but the existence of "asan.module_ctor" debug info under some
+build conditions sounds like a good enough reason to accept functions
+that contain dots in BTF.
+
+Although using only LLVM=1 is the recommended way to compile clang-based
+kernels, users can certainly do LLVM=1, LLVM_IAS=0 as well and we still
+try to support that combination according to Nick. To clarify:
+
+ - > v5.10 kernel, LLVM=1 (LLVM_IAS=0 is not the default) is recommended,
+ but user can still have LLVM=1, LLVM_IAS=0 to trigger the issue
+
+ - <= 5.10 kernel, LLVM=1 (LLVM_IAS=0 is the default) is recommended in
+ which case GNU as will be used
+
+Fixes: 1dc92851849c ("bpf: kernel side support for BTF Var and DataSec")
+Signed-off-by: Florent Revest <revest@chromium.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Cc: Yonghong Song <yhs@meta.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Link: https://lore.kernel.org/bpf/20230615145607.3469985-1-revest@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/btf.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index 46bce5577fb48..3cc3232f8c334 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -735,13 +735,12 @@ static bool btf_name_offset_valid(const struct btf *btf, u32 offset)
+ return offset < btf->hdr.str_len;
+ }
+
+-static bool __btf_name_char_ok(char c, bool first, bool dot_ok)
++static bool __btf_name_char_ok(char c, bool first)
+ {
+ if ((first ? !isalpha(c) :
+ !isalnum(c)) &&
+ c != '_' &&
+- ((c == '.' && !dot_ok) ||
+- c != '.'))
++ c != '.')
+ return false;
+ return true;
+ }
+@@ -758,20 +757,20 @@ static const char *btf_str_by_offset(const struct btf *btf, u32 offset)
+ return NULL;
+ }
+
+-static bool __btf_name_valid(const struct btf *btf, u32 offset, bool dot_ok)
++static bool __btf_name_valid(const struct btf *btf, u32 offset)
+ {
+ /* offset must be valid */
+ const char *src = btf_str_by_offset(btf, offset);
+ const char *src_limit;
+
+- if (!__btf_name_char_ok(*src, true, dot_ok))
++ if (!__btf_name_char_ok(*src, true))
+ return false;
+
+ /* set a limit on identifier length */
+ src_limit = src + KSYM_NAME_LEN;
+ src++;
+ while (*src && src < src_limit) {
+- if (!__btf_name_char_ok(*src, false, dot_ok))
++ if (!__btf_name_char_ok(*src, false))
+ return false;
+ src++;
+ }
+@@ -779,17 +778,14 @@ static bool __btf_name_valid(const struct btf *btf, u32 offset, bool dot_ok)
+ return !*src;
+ }
+
+-/* Only C-style identifier is permitted. This can be relaxed if
+- * necessary.
+- */
+ static bool btf_name_valid_identifier(const struct btf *btf, u32 offset)
+ {
+- return __btf_name_valid(btf, offset, false);
++ return __btf_name_valid(btf, offset);
+ }
+
+ static bool btf_name_valid_section(const struct btf *btf, u32 offset)
+ {
+- return __btf_name_valid(btf, offset, true);
++ return __btf_name_valid(btf, offset);
+ }
+
+ static const char *__btf_name_by_offset(const struct btf *btf, u32 offset)
+@@ -4450,7 +4446,7 @@ static s32 btf_var_check_meta(struct btf_verifier_env *env,
+ }
+
+ if (!t->name_off ||
+- !__btf_name_valid(env->btf, t->name_off, true)) {
++ !__btf_name_valid(env->btf, t->name_off)) {
+ btf_verifier_log_type(env, t, "Invalid name");
+ return -EINVAL;
+ }
+--
+2.39.2
+
--- /dev/null
+From 49acc1c91e4fb91c343601cd2676a1cb5a54573d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jun 2023 17:54:39 -0700
+Subject: bpf: Fix a bpf_jit_dump issue for x86_64 with sysctl bpf_jit_enable.
+
+From: Yonghong Song <yhs@fb.com>
+
+[ Upstream commit ad96f1c9138e0897bee7f7c5e54b3e24f8b62f57 ]
+
+The sysctl net/core/bpf_jit_enable does not work now due to commit
+1022a5498f6f ("bpf, x86_64: Use bpf_jit_binary_pack_alloc"). The
+commit saved the jitted insns into 'rw_image' instead of 'image'
+which caused bpf_jit_dump not dumping proper content.
+
+With 'echo 2 > /proc/sys/net/core/bpf_jit_enable', run
+'./test_progs -t fentry_test'. Without this patch, one of jitted
+image for one particular prog is:
+
+ flen=17 proglen=92 pass=4 image=0000000014c64883 from=test_progs pid=1807
+ 00000000: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
+ 00000010: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
+ 00000020: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
+ 00000030: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
+ 00000040: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
+ 00000050: cc cc cc cc cc cc cc cc cc cc cc cc
+
+With this patch, the jitte image for the same prog is:
+
+ flen=17 proglen=92 pass=4 image=00000000b90254b7 from=test_progs pid=1809
+ 00000000: f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3
+ 00000010: 0f 1e fa 31 f6 48 8b 57 00 48 83 fa 07 75 2b 48
+ 00000020: 8b 57 10 83 fa 09 75 22 48 8b 57 08 48 81 e2 ff
+ 00000030: 00 00 00 48 83 fa 08 75 11 48 8b 7f 18 be 01 00
+ 00000040: 00 00 48 83 ff 0a 74 02 31 f6 48 bf 18 d0 14 00
+ 00000050: 00 c9 ff ff 48 89 77 00 31 c0 c9 c3
+
+Fixes: 1022a5498f6f ("bpf, x86_64: Use bpf_jit_binary_pack_alloc")
+Signed-off-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/bpf/20230609005439.3173569-1-yhs@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index 1056bbf55b172..438adb695daab 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -2570,7 +2570,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+ }
+
+ if (bpf_jit_enable > 1)
+- bpf_jit_dump(prog->len, proglen, pass + 1, image);
++ bpf_jit_dump(prog->len, proglen, pass + 1, rw_image);
+
+ if (image) {
+ if (!prog->is_func || extra_pass) {
+--
+2.39.2
+
--- /dev/null
+From 76c406594b0e4080b2ddd94aff6c8ea1522dfd60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jun 2023 15:39:50 +0300
+Subject: bpf: Fix verifier id tracking of scalars on spill
+
+From: Maxim Mikityanskiy <maxim@isovalent.com>
+
+[ Upstream commit 713274f1f2c896d37017efee333fd44149710119 ]
+
+The following scenario describes a bug in the verifier where it
+incorrectly concludes about equivalent scalar IDs which could lead to
+verifier bypass in privileged mode:
+
+1. Prepare a 32-bit rogue number.
+2. Put the rogue number into the upper half of a 64-bit register, and
+ roll a random (unknown to the verifier) bit in the lower half. The
+ rest of the bits should be zero (although variations are possible).
+3. Assign an ID to the register by MOVing it to another arbitrary
+ register.
+4. Perform a 32-bit spill of the register, then perform a 32-bit fill to
+ another register. Due to a bug in the verifier, the ID will be
+ preserved, although the new register will contain only the lower 32
+ bits, i.e. all zeros except one random bit.
+
+At this point there are two registers with different values but the same
+ID, which means the integrity of the verifier state has been corrupted.
+
+5. Compare the new 32-bit register with 0. In the branch where it's
+ equal to 0, the verifier will believe that the original 64-bit
+ register is also 0, because it has the same ID, but its actual value
+ still contains the rogue number in the upper half.
+ Some optimizations of the verifier prevent the actual bypass, so
+ extra care is needed: the comparison must be between two registers,
+ and both branches must be reachable (this is why one random bit is
+ needed). Both branches are still suitable for the bypass.
+6. Right shift the original register by 32 bits to pop the rogue number.
+7. Use the rogue number as an offset with any pointer. The verifier will
+ believe that the offset is 0, while in reality it's the given number.
+
+The fix is similar to the 32-bit BPF_MOV handling in check_alu_op for
+SCALAR_VALUE. If the spill is narrowing the actual register value, don't
+keep the ID, make sure it's reset to 0.
+
+Fixes: 354e8f1970f8 ("bpf: Support <8-byte scalar spill and refill")
+Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Andrii Nakryiko <andrii@kernel.org> # Checked veristat delta
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20230607123951.558971-2-maxtram95@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 1f6c0c5a1741d..b039990137444 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -3559,6 +3559,9 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
+ return err;
+ }
+ save_register_state(state, spi, reg, size);
++ /* Break the relation on a narrowing spill. */
++ if (fls64(reg->umax_value) > BITS_PER_BYTE * size)
++ state->stack[spi].spilled_ptr.id = 0;
+ } else if (!reg && !(off % BPF_REG_SIZE) && is_bpf_st_mem(insn) &&
+ insn->imm != 0 && env->bpf_capable) {
+ struct bpf_reg_state fake_reg = {};
+--
+2.39.2
+
--- /dev/null
+From caaf1703bc16c21f4c2fda232d115ab094f445be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jun 2023 15:14:14 +0200
+Subject: bpf: Force kprobe multi expected_attach_type for kprobe_multi link
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit db8eae6bc5c702d8e3ab2d0c6bb5976c131576eb ]
+
+We currently allow to create perf link for program with
+expected_attach_type == BPF_TRACE_KPROBE_MULTI.
+
+This will cause crash when we call helpers like get_attach_cookie or
+get_func_ip in such program, because it will call the kprobe_multi's
+version (current->bpf_ctx context setup) of those helpers while it
+expects perf_link's current->bpf_ctx context setup.
+
+Making sure that we use BPF_TRACE_KPROBE_MULTI expected_attach_type
+only for programs attaching through kprobe_multi link.
+
+Fixes: ca74823c6e16 ("bpf: Add cookie support to programs attached with kprobe multi link")
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20230618131414.75649-1-jolsa@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/syscall.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index adc83cb82f379..8bd5e3741d418 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -3412,6 +3412,11 @@ static int bpf_prog_attach_check_attach_type(const struct bpf_prog *prog,
+ return prog->enforce_expected_attach_type &&
+ prog->expected_attach_type != attach_type ?
+ -EINVAL : 0;
++ case BPF_PROG_TYPE_KPROBE:
++ if (prog->expected_attach_type == BPF_TRACE_KPROBE_MULTI &&
++ attach_type != BPF_TRACE_KPROBE_MULTI)
++ return -EINVAL;
++ return 0;
+ default:
+ return 0;
+ }
+--
+2.39.2
+
--- /dev/null
+From 1b8b3c219fb6ec8de8111c5429c0d628c608a6ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 09:34:30 +0800
+Subject: btrfs: fix an uninitialized variable warning in btrfs_log_inode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shida Zhang <zhangshida@kylinos.cn>
+
+[ Upstream commit 8fd9f4232d8152c650fd15127f533a0f6d0a4b2b ]
+
+This fixes the following warning reported by gcc 10.2.1 under x86_64:
+
+../fs/btrfs/tree-log.c: In function ‘btrfs_log_inode’:
+../fs/btrfs/tree-log.c:6211:9: error: ‘last_range_start’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
+ 6211 | ret = insert_dir_log_key(trans, log, path, key.objectid,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 6212 | first_dir_index, last_dir_index);
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+../fs/btrfs/tree-log.c:6161:6: note: ‘last_range_start’ was declared here
+ 6161 | u64 last_range_start;
+ | ^~~~~~~~~~~~~~~~
+
+This might be a false positive fixed in later compiler versions but we
+want to have it fixed.
+
+Reported-by: k2ci <kernel-bot@kylinos.cn>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Shida Zhang <zhangshida@kylinos.cn>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 200cea6e49e51..b91fa398b8141 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -6163,7 +6163,7 @@ static int log_delayed_deletions_incremental(struct btrfs_trans_handle *trans,
+ {
+ struct btrfs_root *log = inode->root->log_root;
+ const struct btrfs_delayed_item *curr;
+- u64 last_range_start;
++ u64 last_range_start = 0;
+ u64 last_range_end = 0;
+ struct btrfs_key key;
+
+--
+2.39.2
+
--- /dev/null
+From 6c852b716821a9acf6e364d564e50953a227d0ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 May 2023 21:01:31 +0800
+Subject: drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl
+
+From: Min Li <lm0963hack@gmail.com>
+
+[ Upstream commit 48bfd02569f5db49cc033f259e66d57aa6efc9a3 ]
+
+If it is async, runqueue_node is freed in g2d_runqueue_worker on another
+worker thread. So in extreme cases, if g2d_runqueue_worker runs first, and
+then executes the following if statement, there will be use-after-free.
+
+Signed-off-by: Min Li <lm0963hack@gmail.com>
+Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_g2d.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.c b/drivers/gpu/drm/exynos/exynos_drm_g2d.c
+index ec784e58da5c1..414e585ec7dd0 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c
+@@ -1335,7 +1335,7 @@ int exynos_g2d_exec_ioctl(struct drm_device *drm_dev, void *data,
+ /* Let the runqueue know that there is work to do. */
+ queue_work(g2d->g2d_workq, &g2d->runqueue_work);
+
+- if (runqueue_node->async)
++ if (req->async)
+ goto out;
+
+ wait_for_completion(&runqueue_node->complete);
+--
+2.39.2
+
--- /dev/null
+From 1beafc942510145cafa26af71a885777462433c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 May 2023 08:55:05 +0900
+Subject: drm/exynos: vidi: fix a wrong error return
+
+From: Inki Dae <inki.dae@samsung.com>
+
+[ Upstream commit 4a059559809fd1ddbf16f847c4d2237309c08edf ]
+
+Fix a wrong error return by dropping an error return.
+
+When vidi driver is remvoed, if ctx->raw_edid isn't same as fake_edid_info
+then only what we have to is to free ctx->raw_edid so that driver removing
+can work correctly - it's not an error case.
+
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_vidi.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_vidi.c b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+index 4d56c8c799c5a..f5e1adfcaa514 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+@@ -469,8 +469,6 @@ static int vidi_remove(struct platform_device *pdev)
+ if (ctx->raw_edid != (struct edid *)fake_edid_info) {
+ kfree(ctx->raw_edid);
+ ctx->raw_edid = NULL;
+-
+- return -EINVAL;
+ }
+
+ component_del(&pdev->dev, &vidi_component_ops);
+--
+2.39.2
+
--- /dev/null
+From a9ecb0926849bdfe9ae968960164c8f0bf62c667 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Jun 2023 15:43:45 +0800
+Subject: drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Min Li <lm0963hack@gmail.com>
+
+[ Upstream commit 982b173a6c6d9472730c3116051977e05d17c8c5 ]
+
+Userspace can race to free the gobj(robj converted from), robj should not
+be accessed again after drm_gem_object_put, otherwith it will result in
+use-after-free.
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Min Li <lm0963hack@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_gem.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
+index 261fcbae88d78..75d79c3110389 100644
+--- a/drivers/gpu/drm/radeon/radeon_gem.c
++++ b/drivers/gpu/drm/radeon/radeon_gem.c
+@@ -459,7 +459,6 @@ int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data,
+ struct radeon_device *rdev = dev->dev_private;
+ struct drm_radeon_gem_set_domain *args = data;
+ struct drm_gem_object *gobj;
+- struct radeon_bo *robj;
+ int r;
+
+ /* for now if someone requests domain CPU -
+@@ -472,13 +471,12 @@ int radeon_gem_set_domain_ioctl(struct drm_device *dev, void *data,
+ up_read(&rdev->exclusive_lock);
+ return -ENOENT;
+ }
+- robj = gem_to_radeon_bo(gobj);
+
+ r = radeon_gem_set_domain(gobj, args->read_domains, args->write_domain);
+
+ drm_gem_object_put(gobj);
+ up_read(&rdev->exclusive_lock);
+- r = radeon_gem_handle_lockup(robj->rdev, r);
++ r = radeon_gem_handle_lockup(rdev, r);
+ return r;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 11f3922ee083480a0ed00cf3dacb4bfd8e3589e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 May 2023 21:08:26 +0200
+Subject: gfs2: Don't get stuck writing page onto itself under direct I/O
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit fa58cc888d67e640e354d8b3ceef877ea167b0cf ]
+
+When a direct I/O write is performed, iomap_dio_rw() invalidates the
+part of the page cache which the write is going to before carrying out
+the write. In the odd case, the direct I/O write will be reading from
+the same page it is writing to. gfs2 carries out writes with page
+faults disabled, so it should have been obvious that this page
+invalidation can cause iomap_dio_rw() to never make any progress.
+Currently, gfs2 will end up in an endless retry loop in
+gfs2_file_direct_write() instead, though.
+
+Break this endless loop by limiting the number of retries and falling
+back to buffered I/O after that.
+
+Also simplify should_fault_in_pages() sightly and add a comment to make
+the above case easier to understand.
+
+Reported-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/file.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/fs/gfs2/file.c b/fs/gfs2/file.c
+index 300844f50dcd2..cb62c8f07d1e7 100644
+--- a/fs/gfs2/file.c
++++ b/fs/gfs2/file.c
+@@ -784,9 +784,13 @@ static inline bool should_fault_in_pages(struct iov_iter *i,
+ if (!user_backed_iter(i))
+ return false;
+
++ /*
++ * Try to fault in multiple pages initially. When that doesn't result
++ * in any progress, fall back to a single page.
++ */
+ size = PAGE_SIZE;
+ offs = offset_in_page(iocb->ki_pos);
+- if (*prev_count != count || !*window_size) {
++ if (*prev_count != count) {
+ size_t nr_dirtied;
+
+ nr_dirtied = max(current->nr_dirtied_pause -
+@@ -870,6 +874,7 @@ static ssize_t gfs2_file_direct_write(struct kiocb *iocb, struct iov_iter *from,
+ struct gfs2_inode *ip = GFS2_I(inode);
+ size_t prev_count = 0, window_size = 0;
+ size_t written = 0;
++ bool enough_retries;
+ ssize_t ret;
+
+ /*
+@@ -913,11 +918,17 @@ static ssize_t gfs2_file_direct_write(struct kiocb *iocb, struct iov_iter *from,
+ if (ret > 0)
+ written = ret;
+
++ enough_retries = prev_count == iov_iter_count(from) &&
++ window_size <= PAGE_SIZE;
+ if (should_fault_in_pages(from, iocb, &prev_count, &window_size)) {
+ gfs2_glock_dq(gh);
+ window_size -= fault_in_iov_iter_readable(from, window_size);
+- if (window_size)
+- goto retry;
++ if (window_size) {
++ if (!enough_retries)
++ goto retry;
++ /* fall back to buffered I/O */
++ ret = 0;
++ }
+ }
+ out_unlock:
+ if (gfs2_holder_queued(gh))
+--
+2.39.2
+
--- /dev/null
+From d20402d6a14ef2dedd00b77772435289a7c68c2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jun 2023 11:11:59 +0800
+Subject: gpio: sifive: add missing check for platform_get_irq
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit c1bcb976d8feb107ff2c12caaf12ac5e70f44d5f ]
+
+Add the missing check for platform_get_irq() and return error code
+if it fails.
+
+The returned error code will be dealed with in
+builtin_platform_driver(sifive_gpio_driver) and the driver will not
+be registered.
+
+Fixes: f52d6d8b43e5 ("gpio: sifive: To get gpio irq offset from device tree data")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-sifive.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpio-sifive.c b/drivers/gpio/gpio-sifive.c
+index bc5660f61c570..0f1e1226ebbe8 100644
+--- a/drivers/gpio/gpio-sifive.c
++++ b/drivers/gpio/gpio-sifive.c
+@@ -221,8 +221,12 @@ static int sifive_gpio_probe(struct platform_device *pdev)
+ return -ENODEV;
+ }
+
+- for (i = 0; i < ngpio; i++)
+- chip->irq_number[i] = platform_get_irq(pdev, i);
++ for (i = 0; i < ngpio; i++) {
++ ret = platform_get_irq(pdev, i);
++ if (ret < 0)
++ return ret;
++ chip->irq_number[i] = ret;
++ }
+
+ ret = bgpio_init(&chip->gc, dev, 4,
+ chip->base + SIFIVE_GPIO_INPUT_VAL,
+--
+2.39.2
+
--- /dev/null
+From bf8d2af8b0e71f6f0970f43f9cfb61fec09bcdf0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jun 2023 16:18:03 +0800
+Subject: gpiolib: Fix GPIO chip IRQ initialization restriction
+
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+
+[ Upstream commit 8c00914e5438e3636f26b4f814b3297ae2a1b9ee ]
+
+In case of gpio-regmap, IRQ chip is added by regmap-irq and associated with
+GPIO chip by gpiochip_irqchip_add_domain(). The initialization flag was not
+added in gpiochip_irqchip_add_domain(), causing gpiochip_to_irq() to return
+-EPROBE_DEFER.
+
+Fixes: 5467801f1fcb ("gpio: Restrict usage of GPIO chip irq members before initialization")
+Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index 4472214fcd43a..1cfddbb3443d0 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1763,6 +1763,14 @@ int gpiochip_irqchip_add_domain(struct gpio_chip *gc,
+ gc->to_irq = gpiochip_to_irq;
+ gc->irq.domain = domain;
+
++ /*
++ * Using barrier() here to prevent compiler from reordering
++ * gc->irq.initialized before adding irqdomain.
++ */
++ barrier();
++
++ gc->irq.initialized = true;
++
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(gpiochip_irqchip_add_domain);
+--
+2.39.2
+
--- /dev/null
+From 2e36626e2c45ebb599b000fb08254ddb8cfc60ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jun 2023 10:56:07 +0200
+Subject: gpiolib: Fix irq_domain resource tracking for
+ gpiochip_irqchip_add_domain()
+
+From: Michael Walle <mwalle@kernel.org>
+
+[ Upstream commit ff7a1790fbf92f1bdd0966d3f0da3ea808ede876 ]
+
+Up until commit 6a45b0e2589f ("gpiolib: Introduce
+gpiochip_irqchip_add_domain()") all irq_domains were allocated
+by gpiolib itself and thus gpiolib also takes care of freeing it.
+
+With gpiochip_irqchip_add_domain() a user of gpiolib can associate an
+irq_domain with the gpio_chip. This irq_domain is not managed by
+gpiolib and therefore must not be freed by gpiolib.
+
+Fixes: 6a45b0e2589f ("gpiolib: Introduce gpiochip_irqchip_add_domain()")
+Reported-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Signed-off-by: Michael Walle <mwalle@kernel.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Andy Shevchenko <andy@kernel.org>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib.c | 3 ++-
+ include/linux/gpio/driver.h | 8 ++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index 1cfddbb3443d0..ce8f71e06eb62 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1716,7 +1716,7 @@ static void gpiochip_irqchip_remove(struct gpio_chip *gc)
+ }
+
+ /* Remove all IRQ mappings and delete the domain */
+- if (gc->irq.domain) {
++ if (!gc->irq.domain_is_allocated_externally && gc->irq.domain) {
+ unsigned int irq;
+
+ for (offset = 0; offset < gc->ngpio; offset++) {
+@@ -1762,6 +1762,7 @@ int gpiochip_irqchip_add_domain(struct gpio_chip *gc,
+
+ gc->to_irq = gpiochip_to_irq;
+ gc->irq.domain = domain;
++ gc->irq.domain_is_allocated_externally = true;
+
+ /*
+ * Using barrier() here to prevent compiler from reordering
+diff --git a/include/linux/gpio/driver.h b/include/linux/gpio/driver.h
+index ccd8a512d8546..b769ff6b00fdd 100644
+--- a/include/linux/gpio/driver.h
++++ b/include/linux/gpio/driver.h
+@@ -244,6 +244,14 @@ struct gpio_irq_chip {
+ */
+ bool initialized;
+
++ /**
++ * @domain_is_allocated_externally:
++ *
++ * True it the irq_domain was allocated outside of gpiolib, in which
++ * case gpiolib won't free the irq_domain itself.
++ */
++ bool domain_is_allocated_externally;
++
+ /**
+ * @init_hw: optional routine to initialize hardware before
+ * an IRQ chip will be added. This is quite useful when
+--
+2.39.2
+
--- /dev/null
+From 648694657f98b98949f9ed6caabdbd40cbbe3018 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Apr 2023 14:47:45 +0300
+Subject: HID: wacom: Add error check to wacom_parse_and_register()
+
+From: Denis Arefev <arefev@swemel.ru>
+
+[ Upstream commit 16a9c24f24fbe4564284eb575b18cc20586b9270 ]
+
+ Added a variable check and
+ transition in case of an error
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Denis Arefev <arefev@swemel.ru>
+Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/wacom_sys.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/wacom_sys.c b/drivers/hid/wacom_sys.c
+index fb538a6c4add8..aff4a21a46b6a 100644
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -2417,8 +2417,13 @@ static int wacom_parse_and_register(struct wacom *wacom, bool wireless)
+ goto fail_quirks;
+ }
+
+- if (features->device_type & WACOM_DEVICETYPE_WL_MONITOR)
++ if (features->device_type & WACOM_DEVICETYPE_WL_MONITOR) {
+ error = hid_hw_open(hdev);
++ if (error) {
++ hid_err(hdev, "hw open failed\n");
++ goto fail_quirks;
++ }
++ }
+
+ wacom_set_shared_values(wacom_wac);
+ devres_close_group(&hdev->dev, wacom);
+--
+2.39.2
+
--- /dev/null
+From f297e2720e4d8c8978593e34150a99f5d6467a70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 May 2023 11:14:59 -0700
+Subject: i2c: designware: fix idx_write_cnt in read loop
+
+From: David Zheng <david.zheng@intel.com>
+
+[ Upstream commit 1acfc6e753ed978b36d722f54e57fe4d1e8a6ffa ]
+
+With IC_INTR_RX_FULL slave interrupt handler reads data in a loop until
+RX FIFO is empty. When testing with the slave-eeprom, each transaction
+has 2 bytes for address/index and 1 byte for value, the address byte
+can be written as data byte due to dropping STOP condition.
+
+In the test below, the master continuously writes to the slave, first 2
+bytes are index, 3rd byte is value and follow by a STOP condition.
+
+ i2c_write: i2c-3 #0 a=04b f=0000 l=3 [00-D1-D1]
+ i2c_write: i2c-3 #0 a=04b f=0000 l=3 [00-D2-D2]
+ i2c_write: i2c-3 #0 a=04b f=0000 l=3 [00-D3-D3]
+
+Upon receiving STOP condition slave eeprom would reset `idx_write_cnt` so
+next 2 bytes can be treated as buffer index for upcoming transaction.
+Supposedly the slave eeprom buffer would be written as
+
+ EEPROM[0x00D1] = 0xD1
+ EEPROM[0x00D2] = 0xD2
+ EEPROM[0x00D3] = 0xD3
+
+When CPU load is high the slave irq handler may not read fast enough,
+the interrupt status can be seen as 0x204 with both DW_IC_INTR_STOP_DET
+(0x200) and DW_IC_INTR_RX_FULL (0x4) bits. The slave device may see
+the transactions below.
+
+ 0x1 STATUS SLAVE_ACTIVITY=0x1 : RAW_INTR_STAT=0x1594 : INTR_STAT=0x4
+ 0x1 STATUS SLAVE_ACTIVITY=0x1 : RAW_INTR_STAT=0x1594 : INTR_STAT=0x4
+ 0x1 STATUS SLAVE_ACTIVITY=0x1 : RAW_INTR_STAT=0x1594 : INTR_STAT=0x4
+ 0x1 STATUS SLAVE_ACTIVITY=0x1 : RAW_INTR_STAT=0x1794 : INTR_STAT=0x204
+ 0x1 STATUS SLAVE_ACTIVITY=0x0 : RAW_INTR_STAT=0x1790 : INTR_STAT=0x200
+ 0x1 STATUS SLAVE_ACTIVITY=0x1 : RAW_INTR_STAT=0x1594 : INTR_STAT=0x4
+ 0x1 STATUS SLAVE_ACTIVITY=0x1 : RAW_INTR_STAT=0x1594 : INTR_STAT=0x4
+ 0x1 STATUS SLAVE_ACTIVITY=0x1 : RAW_INTR_STAT=0x1594 : INTR_STAT=0x4
+
+After `D1` is received, read loop continues to read `00` which is the
+first bype of next index. Since STOP condition is ignored by the loop,
+eeprom buffer index increased to `D2` and `00` is written as value.
+
+So the slave eeprom buffer becomes
+
+ EEPROM[0x00D1] = 0xD1
+ EEPROM[0x00D2] = 0x00
+ EEPROM[0x00D3] = 0xD3
+
+The fix is to use `FIRST_DATA_BYTE` (bit 11) in `IC_DATA_CMD` to split
+the transactions. The first index byte in this case would have bit 11
+set. Check this indication to inject I2C_SLAVE_WRITE_REQUESTED event
+which will reset `idx_write_cnt` in slave eeprom.
+
+Signed-off-by: David Zheng <david.zheng@intel.com>
+Acked-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-designware-core.h | 1 +
+ drivers/i2c/busses/i2c-designware-slave.c | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-designware-core.h b/drivers/i2c/busses/i2c-designware-core.h
+index 050d8c63ad3c5..0164d92163308 100644
+--- a/drivers/i2c/busses/i2c-designware-core.h
++++ b/drivers/i2c/busses/i2c-designware-core.h
+@@ -40,6 +40,7 @@
+ #define DW_IC_CON_BUS_CLEAR_CTRL BIT(11)
+
+ #define DW_IC_DATA_CMD_DAT GENMASK(7, 0)
++#define DW_IC_DATA_CMD_FIRST_DATA_BYTE BIT(11)
+
+ /*
+ * Registers offset
+diff --git a/drivers/i2c/busses/i2c-designware-slave.c b/drivers/i2c/busses/i2c-designware-slave.c
+index cec25054bb244..2e079cf20bb5b 100644
+--- a/drivers/i2c/busses/i2c-designware-slave.c
++++ b/drivers/i2c/busses/i2c-designware-slave.c
+@@ -176,6 +176,10 @@ static irqreturn_t i2c_dw_isr_slave(int this_irq, void *dev_id)
+
+ do {
+ regmap_read(dev->map, DW_IC_DATA_CMD, &tmp);
++ if (tmp & DW_IC_DATA_CMD_FIRST_DATA_BYTE)
++ i2c_slave_event(dev->slave,
++ I2C_SLAVE_WRITE_REQUESTED,
++ &val);
+ val = tmp;
+ i2c_slave_event(dev->slave, I2C_SLAVE_WRITE_RECEIVED,
+ &val);
+--
+2.39.2
+
--- /dev/null
+From c7e7021f6b03c463e363757c0a6dc47158f79985 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 14:32:17 +0200
+Subject: i2c: mchp-pci1xxxx: Avoid cast to incompatible function type
+
+From: Simon Horman <horms@kernel.org>
+
+[ Upstream commit 7ebfd881abe9e0ea9557b29dab6aa28d294fabb4 ]
+
+Rather than casting pci1xxxx_i2c_shutdown to an incompatible function type,
+update the type to match that expected by __devm_add_action.
+
+Reported by clang-16 with W-1:
+
+ .../i2c-mchp-pci1xxxx.c:1159:29: error: cast from 'void (*)(struct pci1xxxx_i2c *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict]
+ ret = devm_add_action(dev, (void (*)(void *))pci1xxxx_i2c_shutdown, i2c);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ./include/linux/device.h:251:29: note: expanded from macro 'devm_add_action'
+ __devm_add_action(release, action, data, #action)
+ ^~~~~~
+
+No functional change intended.
+Compile tested only.
+
+Signed-off-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
+Reviewed-by: Tharun Kumar P<tharunkumar.pasumarthi@microchip.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-mchp-pci1xxxx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-mchp-pci1xxxx.c b/drivers/i2c/busses/i2c-mchp-pci1xxxx.c
+index b21ffd6df9276..5ef136c3ecb12 100644
+--- a/drivers/i2c/busses/i2c-mchp-pci1xxxx.c
++++ b/drivers/i2c/busses/i2c-mchp-pci1xxxx.c
+@@ -1118,8 +1118,10 @@ static int pci1xxxx_i2c_resume(struct device *dev)
+ static DEFINE_SIMPLE_DEV_PM_OPS(pci1xxxx_i2c_pm_ops, pci1xxxx_i2c_suspend,
+ pci1xxxx_i2c_resume);
+
+-static void pci1xxxx_i2c_shutdown(struct pci1xxxx_i2c *i2c)
++static void pci1xxxx_i2c_shutdown(void *data)
+ {
++ struct pci1xxxx_i2c *i2c = data;
++
+ pci1xxxx_i2c_config_padctrl(i2c, false);
+ pci1xxxx_i2c_configure_core_reg(i2c, false);
+ }
+@@ -1156,7 +1158,7 @@ static int pci1xxxx_i2c_probe_pci(struct pci_dev *pdev,
+ init_completion(&i2c->i2c_xfer_done);
+ pci1xxxx_i2c_init(i2c);
+
+- ret = devm_add_action(dev, (void (*)(void *))pci1xxxx_i2c_shutdown, i2c);
++ ret = devm_add_action(dev, pci1xxxx_i2c_shutdown, i2c);
+ if (ret)
+ return ret;
+
+--
+2.39.2
+
--- /dev/null
+From 379bc4edcd671ba8c8110871e9e6b603f64e770d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Apr 2023 10:20:48 +0800
+Subject: ieee802154: hwsim: Fix possible memory leaks
+
+From: Chen Aotian <chenaotian2@163.com>
+
+[ Upstream commit a61675294735570daca3779bd1dbb3715f7232bd ]
+
+After replacing e->info, it is necessary to free the old einfo.
+
+Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb")
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Reviewed-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: Chen Aotian <chenaotian2@163.com>
+Link: https://lore.kernel.org/r/20230409022048.61223-1-chenaotian2@163.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/mac802154_hwsim.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
+index 8445c2189d116..31cba9aa76366 100644
+--- a/drivers/net/ieee802154/mac802154_hwsim.c
++++ b/drivers/net/ieee802154/mac802154_hwsim.c
+@@ -685,7 +685,7 @@ static int hwsim_del_edge_nl(struct sk_buff *msg, struct genl_info *info)
+ static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info)
+ {
+ struct nlattr *edge_attrs[MAC802154_HWSIM_EDGE_ATTR_MAX + 1];
+- struct hwsim_edge_info *einfo;
++ struct hwsim_edge_info *einfo, *einfo_old;
+ struct hwsim_phy *phy_v0;
+ struct hwsim_edge *e;
+ u32 v0, v1;
+@@ -723,8 +723,10 @@ static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info)
+ list_for_each_entry_rcu(e, &phy_v0->edges, list) {
+ if (e->endpoint->idx == v1) {
+ einfo->lqi = lqi;
+- rcu_assign_pointer(e->info, einfo);
++ einfo_old = rcu_replace_pointer(e->info, einfo,
++ lockdep_is_held(&hwsim_phys_lock));
+ rcu_read_unlock();
++ kfree_rcu(einfo_old, rcu);
+ mutex_unlock(&hwsim_phys_lock);
+ return 0;
+ }
+--
+2.39.2
+
--- /dev/null
+From e812451f7d9a2cf9f1a94e9f55f5481cd0e6891a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 11:57:04 -0700
+Subject: Input: soc_button_array - add invalid acpi_index DMI quirk handling
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 20a99a291d564a559cc2fd013b4824a3bb3f1db7 ]
+
+Some devices have a wrong entry in their button array which points to
+a GPIO which is required in another driver, so soc_button_array must
+not claim it.
+
+A specific example of this is the Lenovo Yoga Book X90F / X90L,
+where the PNP0C40 home button entry points to a GPIO which is not
+a home button and which is required by the lenovo-yogabook driver.
+
+Add a DMI quirk table which can specify an ACPI GPIO resource index which
+should be skipped; and add an entry for the Lenovo Yoga Book X90F / X90L
+to this new DMI quirk table.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20230414072116.4497-1-hdegoede@redhat.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/soc_button_array.c | 30 +++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/drivers/input/misc/soc_button_array.c b/drivers/input/misc/soc_button_array.c
+index 09489380afda7..e79f5497948b8 100644
+--- a/drivers/input/misc/soc_button_array.c
++++ b/drivers/input/misc/soc_button_array.c
+@@ -108,6 +108,27 @@ static const struct dmi_system_id dmi_use_low_level_irq[] = {
+ {} /* Terminating entry */
+ };
+
++/*
++ * Some devices have a wrong entry which points to a GPIO which is
++ * required in another driver, so this driver must not claim it.
++ */
++static const struct dmi_system_id dmi_invalid_acpi_index[] = {
++ {
++ /*
++ * Lenovo Yoga Book X90F / X90L, the PNP0C40 home button entry
++ * points to a GPIO which is not a home button and which is
++ * required by the lenovo-yogabook driver.
++ */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Intel Corporation"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "CHERRYVIEW D1 PLATFORM"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "YETI-11"),
++ },
++ .driver_data = (void *)1l,
++ },
++ {} /* Terminating entry */
++};
++
+ /*
+ * Get the Nth GPIO number from the ACPI object.
+ */
+@@ -137,6 +158,8 @@ soc_button_device_create(struct platform_device *pdev,
+ struct platform_device *pd;
+ struct gpio_keys_button *gpio_keys;
+ struct gpio_keys_platform_data *gpio_keys_pdata;
++ const struct dmi_system_id *dmi_id;
++ int invalid_acpi_index = -1;
+ int error, gpio, irq;
+ int n_buttons = 0;
+
+@@ -154,10 +177,17 @@ soc_button_device_create(struct platform_device *pdev,
+ gpio_keys = (void *)(gpio_keys_pdata + 1);
+ n_buttons = 0;
+
++ dmi_id = dmi_first_match(dmi_invalid_acpi_index);
++ if (dmi_id)
++ invalid_acpi_index = (long)dmi_id->driver_data;
++
+ for (info = button_info; info->name; info++) {
+ if (info->autorepeat != autorepeat)
+ continue;
+
++ if (info->acpi_index == invalid_acpi_index)
++ continue;
++
+ error = soc_button_lookup_gpio(&pdev->dev, info->acpi_index, &gpio, &irq);
+ if (error || irq < 0) {
+ /*
+--
+2.39.2
+
--- /dev/null
+From 97fa88debe02e86b51586bc5afb15ed61a2f463e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jun 2023 16:11:51 -0600
+Subject: io_uring/net: use the correct msghdr union member in
+ io_sendmsg_copy_hdr
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 26fed83653d0154704cadb7afc418f315c7ac1f0 ]
+
+Rather than assign the user pointer to msghdr->msg_control, assign it
+to msghdr->msg_control_user to make sparse happy. They are in a union
+so the end result is the same, but let's avoid new sparse warnings and
+squash this one.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202306210654.mDMcyMuB-lkp@intel.com/
+Fixes: cac9e4418f4c ("io_uring/net: save msghdr->msg_control for retries")
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/io_uring/net.c b/io_uring/net.c
+index 49dc43d1d9fd5..2cf671cef0b61 100644
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -203,7 +203,7 @@ static int io_sendmsg_copy_hdr(struct io_kiocb *req,
+ ret = sendmsg_copy_msghdr(&iomsg->msg, sr->umsg, sr->msg_flags,
+ &iomsg->free_iov);
+ /* save msg_control as sys_sendmsg() overwrites it */
+- sr->msg_control = iomsg->msg.msg_control;
++ sr->msg_control = iomsg->msg.msg_control_user;
+ return ret;
+ }
+
+@@ -302,7 +302,7 @@ int io_sendmsg(struct io_kiocb *req, unsigned int issue_flags)
+
+ if (req_has_async_data(req)) {
+ kmsg = req->async_data;
+- kmsg->msg.msg_control = sr->msg_control;
++ kmsg->msg.msg_control_user = sr->msg_control;
+ } else {
+ ret = io_sendmsg_copy_hdr(req, &iomsg);
+ if (ret)
+--
+2.39.2
+
--- /dev/null
+From 39d93a807ffd55dfd37a176f8b45924f92e315f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jun 2023 10:19:34 +0800
+Subject: iommu/amd: Fix possible memory leak of 'domain'
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit 5b00369fcf6d1ff9050b94800dc596925ff3623f ]
+
+Move allocation code down to avoid memory leak.
+
+Fixes: 29f54745f245 ("iommu/amd: Add missing domain type checks")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
+Link: https://lore.kernel.org/r/20230608021933.856045-1-suhui@nfschina.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/iommu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
+index cd0e3fb78c3ff..e9eac86cddbd2 100644
+--- a/drivers/iommu/amd/iommu.c
++++ b/drivers/iommu/amd/iommu.c
+@@ -2069,10 +2069,6 @@ static struct protection_domain *protection_domain_alloc(unsigned int type)
+ int mode = DEFAULT_PGTABLE_LEVEL;
+ int ret;
+
+- domain = kzalloc(sizeof(*domain), GFP_KERNEL);
+- if (!domain)
+- return NULL;
+-
+ /*
+ * Force IOMMU v1 page table when iommu=pt and
+ * when allocating domain for pass-through devices.
+@@ -2088,6 +2084,10 @@ static struct protection_domain *protection_domain_alloc(unsigned int type)
+ return NULL;
+ }
+
++ domain = kzalloc(sizeof(*domain), GFP_KERNEL);
++ if (!domain)
++ return NULL;
++
+ switch (pgtable) {
+ case AMD_IOMMU_V1:
+ ret = protection_domain_init_v1(domain, mode);
+--
+2.39.2
+
--- /dev/null
+From e2b7c1b195f96b3f9b6bd78670d3d938bd170544 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jun 2023 22:58:42 +0200
+Subject: ipvs: align inner_mac_header for encapsulation
+
+From: Terin Stock <terin@cloudflare.com>
+
+[ Upstream commit d7fce52fdf96663ddc2eb21afecff3775588612a ]
+
+When using encapsulation the original packet's headers are copied to the
+inner headers. This preserves the space for an inner mac header, which
+is not used by the inner payloads for the encapsulation types supported
+by IPVS. If a packet is using GUE or GRE encapsulation and needs to be
+segmented, flow can be passed to __skb_udp_tunnel_segment() which
+calculates a negative tunnel header length. A negative tunnel header
+length causes pskb_may_pull() to fail, dropping the packet.
+
+This can be observed by attaching probes to ip_vs_in_hook(),
+__dev_queue_xmit(), and __skb_udp_tunnel_segment():
+
+ perf probe --add '__dev_queue_xmit skb->inner_mac_header \
+ skb->inner_network_header skb->mac_header skb->network_header'
+ perf probe --add '__skb_udp_tunnel_segment:7 tnl_hlen'
+ perf probe -m ip_vs --add 'ip_vs_in_hook skb->inner_mac_header \
+ skb->inner_network_header skb->mac_header skb->network_header'
+
+These probes the headers and tunnel header length for packets which
+traverse the IPVS encapsulation path. A TCP packet can be forced into
+the segmentation path by being smaller than a calculated clamped MSS,
+but larger than the advertised MSS.
+
+ probe:ip_vs_in_hook: inner_mac_header=0x0 inner_network_header=0x0 mac_header=0x44 network_header=0x52
+ probe:ip_vs_in_hook: inner_mac_header=0x44 inner_network_header=0x52 mac_header=0x44 network_header=0x32
+ probe:dev_queue_xmit: inner_mac_header=0x44 inner_network_header=0x52 mac_header=0x44 network_header=0x32
+ probe:__skb_udp_tunnel_segment_L7: tnl_hlen=-2
+
+When using veth-based encapsulation, the interfaces are set to be
+mac-less, which does not preserve space for an inner mac header. This
+prevents this issue from occurring.
+
+In our real-world testing of sending a 32KB file we observed operation
+time increasing from ~75ms for veth-based encapsulation to over 1.5s
+using IPVS encapsulation due to retries from dropped packets.
+
+This changeset modifies the packet on the encapsulation path in
+ip_vs_tunnel_xmit() and ip_vs_tunnel_xmit_v6() to remove the inner mac
+header offset. This fixes UDP segmentation for both encapsulation types,
+and corrects the inner headers for any IPIP flows that may use it.
+
+Fixes: 84c0d5e96f3a ("ipvs: allow tunneling with gue encapsulation")
+Signed-off-by: Terin Stock <terin@cloudflare.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_xmit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
+index 80448885c3d71..b452eb3ddcecb 100644
+--- a/net/netfilter/ipvs/ip_vs_xmit.c
++++ b/net/netfilter/ipvs/ip_vs_xmit.c
+@@ -1225,6 +1225,7 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
+ skb->transport_header = skb->network_header;
+
+ skb_set_inner_ipproto(skb, next_protocol);
++ skb_set_inner_mac_header(skb, skb_inner_network_offset(skb));
+
+ if (tun_type == IP_VS_CONN_F_TUNNEL_TYPE_GUE) {
+ bool check = false;
+@@ -1373,6 +1374,7 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
+ skb->transport_header = skb->network_header;
+
+ skb_set_inner_ipproto(skb, next_protocol);
++ skb_set_inner_mac_header(skb, skb_inner_network_offset(skb));
+
+ if (tun_type == IP_VS_CONN_F_TUNNEL_TYPE_GUE) {
+ bool check = false;
+--
+2.39.2
+
--- /dev/null
+From 388bff17adb51eb7d4d32a60526dcbb59e32a8c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jun 2023 19:50:34 -0700
+Subject: KVM: arm64: PMU: Restore the host's PMUSERENR_EL0
+
+From: Reiji Watanabe <reijiw@google.com>
+
+[ Upstream commit 8681f71759010503892f9e3ddb05f65c0f21b690 ]
+
+Restore the host's PMUSERENR_EL0 value instead of clearing it,
+before returning back to userspace, as the host's EL0 might have
+a direct access to PMU registers (some bits of PMUSERENR_EL0 for
+might not be zero for the host EL0).
+
+Fixes: 83a7a4d643d3 ("arm64: perf: Enable PMU counter userspace access for perf event")
+Signed-off-by: Reiji Watanabe <reijiw@google.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20230603025035.3781797-2-reijiw@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kvm/hyp/include/hyp/switch.h | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/kvm/hyp/include/hyp/switch.h b/arch/arm64/kvm/hyp/include/hyp/switch.h
+index 33f4d42003296..168365167a137 100644
+--- a/arch/arm64/kvm/hyp/include/hyp/switch.h
++++ b/arch/arm64/kvm/hyp/include/hyp/switch.h
+@@ -81,7 +81,12 @@ static inline void __activate_traps_common(struct kvm_vcpu *vcpu)
+ * EL1 instead of being trapped to EL2.
+ */
+ if (kvm_arm_support_pmu_v3()) {
++ struct kvm_cpu_context *hctxt;
++
+ write_sysreg(0, pmselr_el0);
++
++ hctxt = &this_cpu_ptr(&kvm_host_data)->host_ctxt;
++ ctxt_sys_reg(hctxt, PMUSERENR_EL0) = read_sysreg(pmuserenr_el0);
+ write_sysreg(ARMV8_PMU_USERENR_MASK, pmuserenr_el0);
+ }
+
+@@ -105,8 +110,12 @@ static inline void __deactivate_traps_common(struct kvm_vcpu *vcpu)
+ write_sysreg(vcpu->arch.mdcr_el2_host, mdcr_el2);
+
+ write_sysreg(0, hstr_el2);
+- if (kvm_arm_support_pmu_v3())
+- write_sysreg(0, pmuserenr_el0);
++ if (kvm_arm_support_pmu_v3()) {
++ struct kvm_cpu_context *hctxt;
++
++ hctxt = &this_cpu_ptr(&kvm_host_data)->host_ctxt;
++ write_sysreg(ctxt_sys_reg(hctxt, PMUSERENR_EL0), pmuserenr_el0);
++ }
+
+ if (cpus_have_final_cap(ARM64_SME)) {
+ sysreg_clear_set_s(SYS_HFGRTR_EL2, 0,
+--
+2.39.2
+
--- /dev/null
+From c16b8a1d1d312d919735fb7f931dbc4abafaefa6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Apr 2023 08:26:53 +0100
+Subject: media: cec: core: disable adapter in cec_devnode_unregister
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit fe4526d99e2e06b08bb80316c3a596ea6a807b75 ]
+
+Explicitly disable the CEC adapter in cec_devnode_unregister()
+
+Usually this does not really do anything important, but for drivers
+that use the CEC pin framework this is needed to properly stop the
+hrtimer. Without this a crash would happen when such a driver is
+unloaded with rmmod.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/cec/core/cec-adap.c | 5 ++++-
+ drivers/media/cec/core/cec-core.c | 2 ++
+ drivers/media/cec/core/cec-priv.h | 1 +
+ 3 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/cec/core/cec-adap.c b/drivers/media/cec/core/cec-adap.c
+index 4f5ab3cae8a71..ac18707fddcd2 100644
+--- a/drivers/media/cec/core/cec-adap.c
++++ b/drivers/media/cec/core/cec-adap.c
+@@ -1582,7 +1582,7 @@ static void cec_claim_log_addrs(struct cec_adapter *adap, bool block)
+ *
+ * This function is called with adap->lock held.
+ */
+-static int cec_adap_enable(struct cec_adapter *adap)
++int cec_adap_enable(struct cec_adapter *adap)
+ {
+ bool enable;
+ int ret = 0;
+@@ -1592,6 +1592,9 @@ static int cec_adap_enable(struct cec_adapter *adap)
+ if (adap->needs_hpd)
+ enable = enable && adap->phys_addr != CEC_PHYS_ADDR_INVALID;
+
++ if (adap->devnode.unregistered)
++ enable = false;
++
+ if (enable == adap->is_enabled)
+ return 0;
+
+diff --git a/drivers/media/cec/core/cec-core.c b/drivers/media/cec/core/cec-core.c
+index af358e901b5f3..7e153c5cad04f 100644
+--- a/drivers/media/cec/core/cec-core.c
++++ b/drivers/media/cec/core/cec-core.c
+@@ -191,6 +191,8 @@ static void cec_devnode_unregister(struct cec_adapter *adap)
+ mutex_lock(&adap->lock);
+ __cec_s_phys_addr(adap, CEC_PHYS_ADDR_INVALID, false);
+ __cec_s_log_addrs(adap, NULL, false);
++ // Disable the adapter (since adap->devnode.unregistered is true)
++ cec_adap_enable(adap);
+ mutex_unlock(&adap->lock);
+
+ cdev_device_del(&devnode->cdev, &devnode->dev);
+diff --git a/drivers/media/cec/core/cec-priv.h b/drivers/media/cec/core/cec-priv.h
+index b78df931aa74b..ed1f8c67626bf 100644
+--- a/drivers/media/cec/core/cec-priv.h
++++ b/drivers/media/cec/core/cec-priv.h
+@@ -47,6 +47,7 @@ int cec_monitor_pin_cnt_inc(struct cec_adapter *adap);
+ void cec_monitor_pin_cnt_dec(struct cec_adapter *adap);
+ int cec_adap_status(struct seq_file *file, void *priv);
+ int cec_thread_func(void *_adap);
++int cec_adap_enable(struct cec_adapter *adap);
+ void __cec_s_phys_addr(struct cec_adapter *adap, u16 phys_addr, bool block);
+ int __cec_s_log_addrs(struct cec_adapter *adap,
+ struct cec_log_addrs *log_addrs, bool block);
+--
+2.39.2
+
--- /dev/null
+From 57e5bea0528852bab564fd42d3526c60146d8734 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 16:07:28 +0100
+Subject: media: cec: core: don't set last_initiator if tx in progress
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 73af6c7511038249cad3d5f3b44bf8d78ac0f499 ]
+
+When a message was received the last_initiator is set to 0xff.
+This will force the signal free time for the next transmit
+to that for a new initiator. However, if a new transmit is
+already in progress, then don't set last_initiator, since
+that's the initiator of the current transmit. Overwriting
+this would cause the signal free time of a following transmit
+to be that of the new initiator instead of a next transmit.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/cec/core/cec-adap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/cec/core/cec-adap.c b/drivers/media/cec/core/cec-adap.c
+index ac18707fddcd2..b1512f9c5895c 100644
+--- a/drivers/media/cec/core/cec-adap.c
++++ b/drivers/media/cec/core/cec-adap.c
+@@ -1090,7 +1090,8 @@ void cec_received_msg_ts(struct cec_adapter *adap,
+ mutex_lock(&adap->lock);
+ dprintk(2, "%s: %*ph\n", __func__, msg->len, msg->msg);
+
+- adap->last_initiator = 0xff;
++ if (!adap->transmit_in_progress)
++ adap->last_initiator = 0xff;
+
+ /* Check if this message was for us (directed or broadcast). */
+ if (!cec_msg_is_broadcast(msg))
+--
+2.39.2
+
--- /dev/null
+From 844d08cf0bdb30cf30fcc2393ea5eff638731047 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 23:36:13 +0300
+Subject: mmc: mtk-sd: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 0c4dc0f054891a2cbde0426b0c0fdf232d89f47f ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-EINVAL, so if it returns -EPROBE_DEFER, the driver will fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error codes upstream.
+
+Fixes: 208489032bdd ("mmc: mediatek: Add Mediatek MMC driver")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20230617203622.6812-4-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mtk-sd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c
+index edade0e54a0c2..9785ec91654f7 100644
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -2680,7 +2680,7 @@ static int msdc_drv_probe(struct platform_device *pdev)
+
+ host->irq = platform_get_irq(pdev, 0);
+ if (host->irq < 0) {
+- ret = -EINVAL;
++ ret = host->irq;
+ goto host_free;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 361ffe1bc41ea5c7a73ac35b7aee9149a79f0482 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 23:36:14 +0300
+Subject: mmc: mvsdio: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 8d84064da0d4672e74f984e8710f27881137472c ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-ENXIO, so if it returns -EPROBE_DEFER, the driver will fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error codes upstream.
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20230617203622.6812-5-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mvsdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/mvsdio.c b/drivers/mmc/host/mvsdio.c
+index 629efbe639c4f..b4f6a0a2fcb51 100644
+--- a/drivers/mmc/host/mvsdio.c
++++ b/drivers/mmc/host/mvsdio.c
+@@ -704,7 +704,7 @@ static int mvsd_probe(struct platform_device *pdev)
+ }
+ irq = platform_get_irq(pdev, 0);
+ if (irq < 0)
+- return -ENXIO;
++ return irq;
+
+ mmc = mmc_alloc_host(sizeof(struct mvsd_host), &pdev->dev);
+ if (!mmc) {
+--
+2.39.2
+
--- /dev/null
+From b372966dc2fbfc46169728373b07fce930ca2470 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 23:36:15 +0300
+Subject: mmc: omap: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit aedf4ba1ad00aaa94c1b66c73ecaae95e2564b95 ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-ENXIO, so if it returns -EPROBE_DEFER, the driver will fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error codes upstream.
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20230617203622.6812-6-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/omap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/omap.c b/drivers/mmc/host/omap.c
+index 57d39283924da..cc2213ea324f1 100644
+--- a/drivers/mmc/host/omap.c
++++ b/drivers/mmc/host/omap.c
+@@ -1343,7 +1343,7 @@ static int mmc_omap_probe(struct platform_device *pdev)
+
+ irq = platform_get_irq(pdev, 0);
+ if (irq < 0)
+- return -ENXIO;
++ return irq;
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ host->virt_base = devm_ioremap_resource(&pdev->dev, res);
+--
+2.39.2
+
--- /dev/null
+From a8ebfeaa0ae0d1f42a57a536461e428936a89ce2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 23:36:16 +0300
+Subject: mmc: omap_hsmmc: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit fb51b74a57859b707c3e8055ed0c25a7ca4f6a29 ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-ENXIO, so if it returns -EPROBE_DEFER, the driver will fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error codes upstream.
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20230617203622.6812-7-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/omap_hsmmc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c
+index 4bd7447552055..2db3a16e63c48 100644
+--- a/drivers/mmc/host/omap_hsmmc.c
++++ b/drivers/mmc/host/omap_hsmmc.c
+@@ -1791,9 +1791,11 @@ static int omap_hsmmc_probe(struct platform_device *pdev)
+ }
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- irq = platform_get_irq(pdev, 0);
+- if (res == NULL || irq < 0)
++ if (!res)
+ return -ENXIO;
++ irq = platform_get_irq(pdev, 0);
++ if (irq < 0)
++ return irq;
+
+ base = devm_ioremap_resource(&pdev->dev, res);
+ if (IS_ERR(base))
+--
+2.39.2
+
--- /dev/null
+From a0148a930956e6e28b1c648ba442ec6f3823ed41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 23:36:17 +0300
+Subject: mmc: owl: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 3c482e1e830d79b9be8afb900a965135c01f7893 ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-EINVAL, so if it returns -EPROBE_DEFER, the driver will fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error codes upstream.
+
+Fixes: ff65ffe46d28 ("mmc: Add Actions Semi Owl SoCs SD/MMC driver")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20230617203622.6812-8-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/owl-mmc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/owl-mmc.c b/drivers/mmc/host/owl-mmc.c
+index 3dc143b039397..679b8b0b310e5 100644
+--- a/drivers/mmc/host/owl-mmc.c
++++ b/drivers/mmc/host/owl-mmc.c
+@@ -638,7 +638,7 @@ static int owl_mmc_probe(struct platform_device *pdev)
+
+ owl_host->irq = platform_get_irq(pdev, 0);
+ if (owl_host->irq < 0) {
+- ret = -EINVAL;
++ ret = owl_host->irq;
+ goto err_release_channel;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 93d46ac87054adc6fd4c3231537bd6e28b5b0df1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 23:36:18 +0300
+Subject: mmc: sdhci-acpi: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit b465dea5e1540c7d7b5211adaf94926980d3014b ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-EINVAL, so if it returns -EPROBE_DEFER, the driver will fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error codes upstream.
+
+Fixes: 1b7ba57ecc86 ("mmc: sdhci-acpi: Handle return value of platform_get_irq")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20230617203622.6812-9-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-acpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci-acpi.c b/drivers/mmc/host/sdhci-acpi.c
+index 8f0e639236b15..edf2e6c14dc6f 100644
+--- a/drivers/mmc/host/sdhci-acpi.c
++++ b/drivers/mmc/host/sdhci-acpi.c
+@@ -829,7 +829,7 @@ static int sdhci_acpi_probe(struct platform_device *pdev)
+ host->ops = &sdhci_acpi_ops_dflt;
+ host->irq = platform_get_irq(pdev, 0);
+ if (host->irq < 0) {
+- err = -EINVAL;
++ err = host->irq;
+ goto err_free;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From cea15de5526077e5e46a1b82fae72b6835a29306 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 23:36:20 +0300
+Subject: mmc: sh_mmcif: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 5b067d7f855c61df7f8e2e8ccbcee133c282415e ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-ENXIO, so if it returns -EPROBE_DEFER, the driver will fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error codes upstream.
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20230617203622.6812-11-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sh_mmcif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sh_mmcif.c b/drivers/mmc/host/sh_mmcif.c
+index 0fd4c9d644dd5..5cf53348372a4 100644
+--- a/drivers/mmc/host/sh_mmcif.c
++++ b/drivers/mmc/host/sh_mmcif.c
+@@ -1400,7 +1400,7 @@ static int sh_mmcif_probe(struct platform_device *pdev)
+ irq[0] = platform_get_irq(pdev, 0);
+ irq[1] = platform_get_irq_optional(pdev, 1);
+ if (irq[0] < 0)
+- return -ENXIO;
++ return irq[0];
+
+ reg = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(reg))
+--
+2.39.2
+
--- /dev/null
+From c346653cc0306f66d3f6c5201d814b6fc152bfbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 23:36:22 +0300
+Subject: mmc: usdhi60rol0: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 413db499730248431c1005b392e8ed82c4fa19bf ]
+
+The driver overrides the error codes returned by platform_get_irq_byname()
+to -ENODEV, so if it returns -EPROBE_DEFER, the driver will fail the probe
+permanently instead of the deferred probing. Switch to propagating error
+codes upstream.
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20230617203622.6812-13-s.shtylyov@omp.ru
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/usdhi6rol0.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mmc/host/usdhi6rol0.c b/drivers/mmc/host/usdhi6rol0.c
+index 99515be6e5e57..2032e4e1ee68b 100644
+--- a/drivers/mmc/host/usdhi6rol0.c
++++ b/drivers/mmc/host/usdhi6rol0.c
+@@ -1757,8 +1757,10 @@ static int usdhi6_probe(struct platform_device *pdev)
+ irq_cd = platform_get_irq_byname(pdev, "card detect");
+ irq_sd = platform_get_irq_byname(pdev, "data");
+ irq_sdio = platform_get_irq_byname(pdev, "SDIO");
+- if (irq_sd < 0 || irq_sdio < 0)
+- return -ENODEV;
++ if (irq_sd < 0)
++ return irq_sd;
++ if (irq_sdio < 0)
++ return irq_sdio;
+
+ mmc = mmc_alloc_host(sizeof(struct usdhi6_host), dev);
+ if (!mmc)
+--
+2.39.2
+
--- /dev/null
+From d773c6244c1ab56cb53e9648bb823fa3b905b323 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 09:26:48 +0300
+Subject: net: dsa: introduce preferred_default_local_cpu_port and use on
+ MT7530
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vladimir Oltean <olteanv@gmail.com>
+
+[ Upstream commit b79d7c14f48083abb3fb061370c0c64a569edf4c ]
+
+Since the introduction of the OF bindings, DSA has always had a policy that
+in case multiple CPU ports are present in the device tree, the numerically
+smallest one is always chosen.
+
+The MT7530 switch family, except the switch on the MT7988 SoC, has 2 CPU
+ports, 5 and 6, where port 6 is preferable on the MT7531BE switch because
+it has higher bandwidth.
+
+The MT7530 driver developers had 3 options:
+- to modify DSA when the MT7531 switch support was introduced, such as to
+ prefer the better port
+- to declare both CPU ports in device trees as CPU ports, and live with the
+ sub-optimal performance resulting from not preferring the better port
+- to declare just port 6 in the device tree as a CPU port
+
+Of course they chose the path of least resistance (3rd option), kicking the
+can down the road. The hardware description in the device tree is supposed
+to be stable - developers are not supposed to adopt the strategy of
+piecemeal hardware description, where the device tree is updated in
+lockstep with the features that the kernel currently supports.
+
+Now, as a result of the fact that they did that, any attempts to modify the
+device tree and describe both CPU ports as CPU ports would make DSA change
+its default selection from port 6 to 5, effectively resulting in a
+performance degradation visible to users with the MT7531BE switch as can be
+seen below.
+
+Without preferring port 6:
+
+[ ID][Role] Interval Transfer Bitrate Retr
+[ 5][TX-C] 0.00-20.00 sec 374 MBytes 157 Mbits/sec 734 sender
+[ 5][TX-C] 0.00-20.00 sec 373 MBytes 156 Mbits/sec receiver
+[ 7][RX-C] 0.00-20.00 sec 1.81 GBytes 778 Mbits/sec 0 sender
+[ 7][RX-C] 0.00-20.00 sec 1.81 GBytes 777 Mbits/sec receiver
+
+With preferring port 6:
+
+[ ID][Role] Interval Transfer Bitrate Retr
+[ 5][TX-C] 0.00-20.00 sec 1.99 GBytes 856 Mbits/sec 273 sender
+[ 5][TX-C] 0.00-20.00 sec 1.99 GBytes 855 Mbits/sec receiver
+[ 7][RX-C] 0.00-20.00 sec 1.72 GBytes 737 Mbits/sec 15 sender
+[ 7][RX-C] 0.00-20.00 sec 1.71 GBytes 736 Mbits/sec receiver
+
+Using one port for WAN and the other ports for LAN is a very popular use
+case which is what this test emulates.
+
+As such, this change proposes that we retroactively modify stable kernels
+(which don't support the modification of the CPU port assignments, so as to
+let user space fix the problem and restore the throughput) to keep the
+mt7530 driver preferring port 6 even with device trees where the hardware
+is more fully described.
+
+Fixes: c288575f7810 ("net: dsa: mt7530: Add the support of MT7531 switch")
+Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
+Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 15 +++++++++++++++
+ include/net/dsa.h | 8 ++++++++
+ net/dsa/dsa.c | 24 +++++++++++++++++++++++-
+ 3 files changed, 46 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index e542f5dbe5831..566545b6554ba 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -419,6 +419,20 @@ static void mt7530_pll_setup(struct mt7530_priv *priv)
+ core_set(priv, CORE_TRGMII_GSW_CLK_CG, REG_GSWCK_EN);
+ }
+
++/* If port 6 is available as a CPU port, always prefer that as the default,
++ * otherwise don't care.
++ */
++static struct dsa_port *
++mt753x_preferred_default_local_cpu_port(struct dsa_switch *ds)
++{
++ struct dsa_port *cpu_dp = dsa_to_port(ds, 6);
++
++ if (dsa_port_is_cpu(cpu_dp))
++ return cpu_dp;
++
++ return NULL;
++}
++
+ /* Setup port 6 interface mode and TRGMII TX circuit */
+ static int
+ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+@@ -3191,6 +3205,7 @@ static int mt753x_set_mac_eee(struct dsa_switch *ds, int port,
+ static const struct dsa_switch_ops mt7530_switch_ops = {
+ .get_tag_protocol = mtk_get_tag_protocol,
+ .setup = mt753x_setup,
++ .preferred_default_local_cpu_port = mt753x_preferred_default_local_cpu_port,
+ .get_strings = mt7530_get_strings,
+ .get_ethtool_stats = mt7530_get_ethtool_stats,
+ .get_sset_count = mt7530_get_sset_count,
+diff --git a/include/net/dsa.h b/include/net/dsa.h
+index a15f17a38eca6..def06ef676dd8 100644
+--- a/include/net/dsa.h
++++ b/include/net/dsa.h
+@@ -973,6 +973,14 @@ struct dsa_switch_ops {
+ struct phy_device *phy);
+ void (*port_disable)(struct dsa_switch *ds, int port);
+
++ /*
++ * Compatibility between device trees defining multiple CPU ports and
++ * drivers which are not OK to use by default the numerically smallest
++ * CPU port of a switch for its local ports. This can return NULL,
++ * meaning "don't know/don't care".
++ */
++ struct dsa_port *(*preferred_default_local_cpu_port)(struct dsa_switch *ds);
++
+ /*
+ * Port's MAC EEE settings
+ */
+diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c
+index e5f156940c671..6cd8607a3928f 100644
+--- a/net/dsa/dsa.c
++++ b/net/dsa/dsa.c
+@@ -402,6 +402,24 @@ static int dsa_tree_setup_default_cpu(struct dsa_switch_tree *dst)
+ return 0;
+ }
+
++static struct dsa_port *
++dsa_switch_preferred_default_local_cpu_port(struct dsa_switch *ds)
++{
++ struct dsa_port *cpu_dp;
++
++ if (!ds->ops->preferred_default_local_cpu_port)
++ return NULL;
++
++ cpu_dp = ds->ops->preferred_default_local_cpu_port(ds);
++ if (!cpu_dp)
++ return NULL;
++
++ if (WARN_ON(!dsa_port_is_cpu(cpu_dp) || cpu_dp->ds != ds))
++ return NULL;
++
++ return cpu_dp;
++}
++
+ /* Perform initial assignment of CPU ports to user ports and DSA links in the
+ * fabric, giving preference to CPU ports local to each switch. Default to
+ * using the first CPU port in the switch tree if the port does not have a CPU
+@@ -409,12 +427,16 @@ static int dsa_tree_setup_default_cpu(struct dsa_switch_tree *dst)
+ */
+ static int dsa_tree_setup_cpu_ports(struct dsa_switch_tree *dst)
+ {
+- struct dsa_port *cpu_dp, *dp;
++ struct dsa_port *preferred_cpu_dp, *cpu_dp, *dp;
+
+ list_for_each_entry(cpu_dp, &dst->ports, list) {
+ if (!dsa_port_is_cpu(cpu_dp))
+ continue;
+
++ preferred_cpu_dp = dsa_switch_preferred_default_local_cpu_port(cpu_dp->ds);
++ if (preferred_cpu_dp && preferred_cpu_dp != cpu_dp)
++ continue;
++
+ /* Prefer a local CPU port */
+ dsa_switch_for_each_port(dp, cpu_dp->ds) {
+ /* Prefer the first local CPU port found */
+--
+2.39.2
+
--- /dev/null
+From 81e31ef82ce1699cd4ee6ff6d4b171681f0eb465 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 09:26:46 +0300
+Subject: net: dsa: mt7530: fix handling of BPDUs on MT7530 switch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL <arinc.unal@arinc9.com>
+
+[ Upstream commit d7c66073559386b836bded7cdc8b66ee5c049129 ]
+
+BPDUs are link-local frames, therefore they must be trapped to the CPU
+port. Currently, the MT7530 switch treats BPDUs as regular multicast
+frames, therefore flooding them to user ports. To fix this, set BPDUs to be
+trapped to the CPU port. Group this on mt7530_setup() and
+mt7531_setup_common() into mt753x_trap_frames() and call that.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 7dbbd5e509d3b..40be635d2ecc9 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -991,6 +991,14 @@ static void mt7530_setup_port5(struct dsa_switch *ds, phy_interface_t interface)
+ mutex_unlock(&priv->reg_mutex);
+ }
+
++static void
++mt753x_trap_frames(struct mt7530_priv *priv)
++{
++ /* Trap BPDUs to the CPU port(s) */
++ mt7530_rmw(priv, MT753X_BPC, MT753X_BPDU_PORT_FW_MASK,
++ MT753X_BPDU_CPU_ONLY);
++}
++
+ static int
+ mt753x_cpu_port_enable(struct dsa_switch *ds, int port)
+ {
+@@ -2214,6 +2222,8 @@ mt7530_setup(struct dsa_switch *ds)
+
+ priv->p6_interface = PHY_INTERFACE_MODE_NA;
+
++ mt753x_trap_frames(priv);
++
+ /* Enable and reset MIB counters */
+ mt7530_mib_reset(ds);
+
+@@ -2320,8 +2330,8 @@ mt7531_setup_common(struct dsa_switch *ds)
+ BIT(cpu_dp->index));
+ break;
+ }
+- mt7530_rmw(priv, MT753X_BPC, MT753X_BPDU_PORT_FW_MASK,
+- MT753X_BPDU_CPU_ONLY);
++
++ mt753x_trap_frames(priv);
+
+ /* Enable and reset MIB counters */
+ mt7530_mib_reset(ds);
+--
+2.39.2
+
--- /dev/null
+From 4107d9cc3e741b1a96027af792fcbb70ad1268e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 09:26:47 +0300
+Subject: net: dsa: mt7530: fix handling of LLDP frames
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL <arinc.unal@arinc9.com>
+
+[ Upstream commit 8332cf6fd7c7087dbc2067115b33979c9851bbc4 ]
+
+LLDP frames are link-local frames, therefore they must be trapped to the
+CPU port. Currently, the MT753X switches treat LLDP frames as regular
+multicast frames, therefore flooding them to user ports. To fix this, set
+LLDP frames to be trapped to the CPU port(s).
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 4 ++++
+ drivers/net/dsa/mt7530.h | 5 +++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 40be635d2ecc9..e542f5dbe5831 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -997,6 +997,10 @@ mt753x_trap_frames(struct mt7530_priv *priv)
+ /* Trap BPDUs to the CPU port(s) */
+ mt7530_rmw(priv, MT753X_BPC, MT753X_BPDU_PORT_FW_MASK,
+ MT753X_BPDU_CPU_ONLY);
++
++ /* Trap LLDP frames with :0E MAC DA to the CPU port(s) */
++ mt7530_rmw(priv, MT753X_RGAC2, MT753X_R0E_PORT_FW_MASK,
++ MT753X_R0E_PORT_FW(MT753X_BPDU_CPU_ONLY));
+ }
+
+ static int
+diff --git a/drivers/net/dsa/mt7530.h b/drivers/net/dsa/mt7530.h
+index 6b2fc6290ea84..31c0f7156b699 100644
+--- a/drivers/net/dsa/mt7530.h
++++ b/drivers/net/dsa/mt7530.h
+@@ -65,6 +65,11 @@ enum mt753x_id {
+ #define MT753X_BPC 0x24
+ #define MT753X_BPDU_PORT_FW_MASK GENMASK(2, 0)
+
++/* Register for :03 and :0E MAC DA frame control */
++#define MT753X_RGAC2 0x2c
++#define MT753X_R0E_PORT_FW_MASK GENMASK(18, 16)
++#define MT753X_R0E_PORT_FW(x) FIELD_PREP(MT753X_R0E_PORT_FW_MASK, x)
++
+ enum mt753x_bpdu_port_fw {
+ MT753X_BPDU_FOLLOW_MFC,
+ MT753X_BPDU_CPU_EXCLUDE = 4,
+--
+2.39.2
+
--- /dev/null
+From 2e90bd6106cb71f59e7246b6c69a0efbbbf5efdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jun 2023 09:26:45 +0300
+Subject: net: dsa: mt7530: fix trapping frames on non-MT7621 SoC MT7530 switch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL <arinc.unal@arinc9.com>
+
+[ Upstream commit 4ae90f90e4909e3014e2dc6a0627964617a7b824 ]
+
+All MT7530 switch IP variants share the MT7530_MFC register, but the
+current driver only writes it for the switch variant that is integrated in
+the MT7621 SoC. Modify the code to include all MT7530 derivatives.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Suggested-by: Vladimir Oltean <olteanv@gmail.com>
+Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 0c81f5830b90a..7dbbd5e509d3b 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -1013,7 +1013,7 @@ mt753x_cpu_port_enable(struct dsa_switch *ds, int port)
+ UNU_FFP(BIT(port)));
+
+ /* Set CPU port number */
+- if (priv->id == ID_MT7621)
++ if (priv->id == ID_MT7530 || priv->id == ID_MT7621)
+ mt7530_rmw(priv, MT7530_MFC, CPU_MASK, CPU_EN | CPU_PORT(port));
+
+ /* CPU port gets connected to all user ports of
+--
+2.39.2
+
--- /dev/null
+From 8ace522ad0548715f7828b8d13895d31a7faa89c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Jun 2023 21:07:04 +0300
+Subject: net/mlx5: DR, Fix wrong action data allocation in decap action
+
+From: Yevgeny Kliteynik <kliteyn@nvidia.com>
+
+[ Upstream commit ef4c5afc783dc3d47640270a9b94713229c697e8 ]
+
+When TUNNEL_L3_TO_L2 decap action was created, a pointer to a local
+variable was passed as its HW action data, resulting in attempt to
+free invalid address:
+
+ BUG: KASAN: invalid-free in mlx5dr_action_destroy+0x318/0x410 [mlx5_core]
+
+Fixes: 4781df92f4da ("net/mlx5: DR, Move STEv0 modify header logic")
+Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
+Reviewed-by: Alex Vesker <valex@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/steering/dr_action.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
+index ee104cf04392f..438c3bfae762a 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
+@@ -1403,9 +1403,13 @@ dr_action_create_reformat_action(struct mlx5dr_domain *dmn,
+ }
+ case DR_ACTION_TYP_TNL_L3_TO_L2:
+ {
+- u8 hw_actions[ACTION_CACHE_LINE_SIZE] = {};
++ u8 *hw_actions;
+ int ret;
+
++ hw_actions = kzalloc(ACTION_CACHE_LINE_SIZE, GFP_KERNEL);
++ if (!hw_actions)
++ return -ENOMEM;
++
+ ret = mlx5dr_ste_set_action_decap_l3_list(dmn->ste_ctx,
+ data, data_sz,
+ hw_actions,
+@@ -1413,6 +1417,7 @@ dr_action_create_reformat_action(struct mlx5dr_domain *dmn,
+ &action->rewrite->num_of_actions);
+ if (ret) {
+ mlx5dr_dbg(dmn, "Failed creating decap l3 action list\n");
++ kfree(hw_actions);
+ return ret;
+ }
+
+@@ -1420,6 +1425,7 @@ dr_action_create_reformat_action(struct mlx5dr_domain *dmn,
+ DR_CHUNK_SIZE_8);
+ if (!action->rewrite->chunk) {
+ mlx5dr_dbg(dmn, "Failed allocating modify header chunk\n");
++ kfree(hw_actions);
+ return -ENOMEM;
+ }
+
+@@ -1433,6 +1439,7 @@ dr_action_create_reformat_action(struct mlx5dr_domain *dmn,
+ if (ret) {
+ mlx5dr_dbg(dmn, "Writing decap l3 actions to ICM failed\n");
+ mlx5dr_icm_free_chunk(action->rewrite->chunk);
++ kfree(hw_actions);
+ return ret;
+ }
+ return 0;
+--
+2.39.2
+
--- /dev/null
+From ed5e70e8ad98598d2e64e248d70039f321162d25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jun 2023 23:06:56 +0200
+Subject: net: qca_spi: Avoid high load if QCA7000 is not available
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit 92717c2356cb62c89e8a3dc37cbbab2502562524 ]
+
+In case the QCA7000 is not available via SPI (e.g. in reset),
+the driver will cause a high load. The reason for this is
+that the synchronization is never finished and schedule()
+is never called. Since the synchronization is not timing
+critical, it's safe to drop this from the scheduling condition.
+
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qualcomm/qca_spi.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c
+index c865a4be05eec..4a1b94e5a8ea9 100644
+--- a/drivers/net/ethernet/qualcomm/qca_spi.c
++++ b/drivers/net/ethernet/qualcomm/qca_spi.c
+@@ -582,8 +582,7 @@ qcaspi_spi_thread(void *data)
+ while (!kthread_should_stop()) {
+ set_current_state(TASK_INTERRUPTIBLE);
+ if ((qca->intr_req == qca->intr_svc) &&
+- (qca->txr.skb[qca->txr.head] == NULL) &&
+- (qca->sync == QCASPI_SYNC_READY))
++ !qca->txr.skb[qca->txr.head])
+ schedule();
+
+ set_current_state(TASK_RUNNING);
+--
+2.39.2
+
--- /dev/null
+From 7f0542786bfc5d389600be0c16f07e9bf322a8bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Jun 2023 07:52:09 +0800
+Subject: net: sched: wrap tc_skip_wrapper with CONFIG_RETPOLINE
+
+From: Min-Hua Chen <minhuadotchen@gmail.com>
+
+[ Upstream commit 8cde87b007dad2e461015ff70352af56ceb02c75 ]
+
+This patch fixes the following sparse warning:
+
+net/sched/sch_api.c:2305:1: sparse: warning: symbol 'tc_skip_wrapper' was not declared. Should it be static?
+
+No functional change intended.
+
+Signed-off-by: Min-Hua Chen <minhuadotchen@gmail.com>
+Acked-by: Pedro Tammela <pctammela@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index 3f7311529cc00..34c90c9c2fcad 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -2324,7 +2324,9 @@ static struct pernet_operations psched_net_ops = {
+ .exit = psched_net_exit,
+ };
+
++#if IS_ENABLED(CONFIG_RETPOLINE)
+ DEFINE_STATIC_KEY_FALSE(tc_skip_wrapper);
++#endif
+
+ static int __init pktsched_init(void)
+ {
+--
+2.39.2
+
--- /dev/null
+From 56400779e81fc21609463e6c18e03f1d620f454a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jun 2023 14:45:26 +0200
+Subject: netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound
+ set/chain
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 26b5a5712eb85e253724e56a54c17f8519bd8e4e ]
+
+Add a new state to deal with rule expressions deactivation from the
+newrule error path, otherwise the anonymous set remains in the list in
+inactive state for the next generation. Mark the set/chain transaction
+as unbound so the abort path releases this object, set it as inactive in
+the next generation so it is not reachable anymore from this transaction
+and reference counter is dropped.
+
+Fixes: 1240eb93f061 ("netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_tables.h | 2 ++
+ net/netfilter/nf_tables_api.c | 45 ++++++++++++++++++++++++++-----
+ net/netfilter/nft_immediate.c | 3 +++
+ 3 files changed, 43 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index 91bf88dab245f..55c14754e5e4e 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -901,6 +901,7 @@ struct nft_expr_type {
+
+ enum nft_trans_phase {
+ NFT_TRANS_PREPARE,
++ NFT_TRANS_PREPARE_ERROR,
+ NFT_TRANS_ABORT,
+ NFT_TRANS_COMMIT,
+ NFT_TRANS_RELEASE
+@@ -1096,6 +1097,7 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
+ struct nft_set_elem *elem);
+ int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set);
+ int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
++void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
+
+ enum nft_chain_types {
+ NFT_CHAIN_T_DEFAULT = 0,
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 281ee688128ab..837925cf0b848 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -171,7 +171,8 @@ static void nft_trans_destroy(struct nft_trans *trans)
+ kfree(trans);
+ }
+
+-static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
++static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
++ bool bind)
+ {
+ struct nftables_pernet *nft_net;
+ struct net *net = ctx->net;
+@@ -185,17 +186,28 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
+ switch (trans->msg_type) {
+ case NFT_MSG_NEWSET:
+ if (nft_trans_set(trans) == set)
+- nft_trans_set_bound(trans) = true;
++ nft_trans_set_bound(trans) = bind;
+ break;
+ case NFT_MSG_NEWSETELEM:
+ if (nft_trans_elem_set(trans) == set)
+- nft_trans_elem_set_bound(trans) = true;
++ nft_trans_elem_set_bound(trans) = bind;
+ break;
+ }
+ }
+ }
+
+-static void nft_chain_trans_bind(const struct nft_ctx *ctx, struct nft_chain *chain)
++static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
++{
++ return __nft_set_trans_bind(ctx, set, true);
++}
++
++static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
++{
++ return __nft_set_trans_bind(ctx, set, false);
++}
++
++static void __nft_chain_trans_bind(const struct nft_ctx *ctx,
++ struct nft_chain *chain, bool bind)
+ {
+ struct nftables_pernet *nft_net;
+ struct net *net = ctx->net;
+@@ -209,16 +221,22 @@ static void nft_chain_trans_bind(const struct nft_ctx *ctx, struct nft_chain *ch
+ switch (trans->msg_type) {
+ case NFT_MSG_NEWCHAIN:
+ if (nft_trans_chain(trans) == chain)
+- nft_trans_chain_bound(trans) = true;
++ nft_trans_chain_bound(trans) = bind;
+ break;
+ case NFT_MSG_NEWRULE:
+ if (trans->ctx.chain == chain)
+- nft_trans_rule_bound(trans) = true;
++ nft_trans_rule_bound(trans) = bind;
+ break;
+ }
+ }
+ }
+
++static void nft_chain_trans_bind(const struct nft_ctx *ctx,
++ struct nft_chain *chain)
++{
++ __nft_chain_trans_bind(ctx, chain, true);
++}
++
+ int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
+ {
+ if (!nft_chain_binding(chain))
+@@ -237,6 +255,11 @@ int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
+ return 0;
+ }
+
++void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
++{
++ __nft_chain_trans_bind(ctx, chain, false);
++}
++
+ static int nft_netdev_register_hooks(struct net *net,
+ struct list_head *hook_list)
+ {
+@@ -3821,7 +3844,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
+ if (flow)
+ nft_flow_rule_destroy(flow);
+ err_release_rule:
+- nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE);
++ nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
+ nf_tables_rule_destroy(&ctx, rule);
+ err_release_expr:
+ for (i = 0; i < n; i++) {
+@@ -5114,6 +5137,13 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
+ enum nft_trans_phase phase)
+ {
+ switch (phase) {
++ case NFT_TRANS_PREPARE_ERROR:
++ nft_set_trans_unbind(ctx, set);
++ if (nft_set_is_anonymous(set))
++ nft_deactivate_next(ctx->net, set);
++
++ set->use--;
++ break;
+ case NFT_TRANS_PREPARE:
+ if (nft_set_is_anonymous(set))
+ nft_deactivate_next(ctx->net, set);
+@@ -7626,6 +7656,7 @@ void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
+ enum nft_trans_phase phase)
+ {
+ switch (phase) {
++ case NFT_TRANS_PREPARE_ERROR:
+ case NFT_TRANS_PREPARE:
+ case NFT_TRANS_ABORT:
+ case NFT_TRANS_RELEASE:
+diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
+index 0492a04064f11..3d76ebfe8939b 100644
+--- a/net/netfilter/nft_immediate.c
++++ b/net/netfilter/nft_immediate.c
+@@ -150,6 +150,9 @@ static void nft_immediate_deactivate(const struct nft_ctx *ctx,
+ nft_rule_expr_deactivate(&chain_ctx, rule, phase);
+
+ switch (phase) {
++ case NFT_TRANS_PREPARE_ERROR:
++ nf_tables_unbind_chain(ctx, chain);
++ fallthrough;
+ case NFT_TRANS_PREPARE:
+ nft_deactivate_next(ctx->net, chain);
+ break;
+--
+2.39.2
+
--- /dev/null
+From 89600200fbcb74e0d070fc67f216bffd7f447eaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jun 2023 15:20:16 +0200
+Subject: netfilter: nf_tables: disallow element updates of bound anonymous
+ sets
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit c88c535b592d3baeee74009f3eceeeaf0fdd5e1b ]
+
+Anonymous sets come with NFT_SET_CONSTANT from userspace. Although API
+allows to create anonymous sets without NFT_SET_CONSTANT, it makes no
+sense to allow to add and to delete elements for bound anonymous sets.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index dee60bad5c198..4bf532a2a60b9 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -6714,7 +6714,8 @@ static int nf_tables_newsetelem(struct sk_buff *skb,
+ if (IS_ERR(set))
+ return PTR_ERR(set);
+
+- if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
++ if (!list_empty(&set->bindings) &&
++ (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
+ return -EBUSY;
+
+ nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
+@@ -6988,7 +6989,9 @@ static int nf_tables_delsetelem(struct sk_buff *skb,
+ set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
+ if (IS_ERR(set))
+ return PTR_ERR(set);
+- if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT)
++
++ if (!list_empty(&set->bindings) &&
++ (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
+ return -EBUSY;
+
+ nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
+--
+2.39.2
+
--- /dev/null
+From 85c738388ad8140718213cb85bde77d93d6fc8a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jun 2023 15:22:01 +0200
+Subject: netfilter: nf_tables: disallow updates of anonymous sets
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit b770283c98e0eee9133c47bc03b6cc625dc94723 ]
+
+Disallow updates of set timeout and garbage collection parameters for
+anonymous sets.
+
+Fixes: 123b99619cca ("netfilter: nf_tables: honor set timeout and garbage collection updates")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index f065542750376..b9e276820c722 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4894,6 +4894,9 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
+ if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
+ return -EOPNOTSUPP;
+
++ if (nft_set_is_anonymous(set))
++ return -EOPNOTSUPP;
++
+ err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags);
+ if (err < 0)
+ return err;
+--
+2.39.2
+
--- /dev/null
+From 3a4453f9a176c18fd79002fd5ee802a429907ddc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jun 2023 14:51:49 +0200
+Subject: netfilter: nf_tables: drop map element references from preparation
+ phase
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 628bd3e49cba1c066228e23d71a852c23e26da73 ]
+
+set .destroy callback releases the references to other objects in maps.
+This is very late and it results in spurious EBUSY errors. Drop refcount
+from the preparation phase instead, update set backend not to drop
+reference counter from set .destroy path.
+
+Exceptions: NFT_TRANS_PREPARE_ERROR does not require to drop the
+reference counter because the transaction abort path releases the map
+references for each element since the set is unbound. The abort path
+also deals with releasing reference counter for new elements added to
+unbound sets.
+
+Fixes: 591054469b3e ("netfilter: nf_tables: revisit chain/object refcounting from elements")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_tables.h | 5 +-
+ net/netfilter/nf_tables_api.c | 147 ++++++++++++++++++++++++++----
+ net/netfilter/nft_set_bitmap.c | 5 +-
+ net/netfilter/nft_set_hash.c | 23 ++++-
+ net/netfilter/nft_set_pipapo.c | 14 ++-
+ net/netfilter/nft_set_rbtree.c | 5 +-
+ 6 files changed, 167 insertions(+), 32 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index 55c14754e5e4e..a0f63c7d1d687 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -472,7 +472,8 @@ struct nft_set_ops {
+ int (*init)(const struct nft_set *set,
+ const struct nft_set_desc *desc,
+ const struct nlattr * const nla[]);
+- void (*destroy)(const struct nft_set *set);
++ void (*destroy)(const struct nft_ctx *ctx,
++ const struct nft_set *set);
+ void (*gc_init)(const struct nft_set *set);
+
+ unsigned int elemsize;
+@@ -809,6 +810,8 @@ int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
+ struct nft_expr *expr_array[]);
+ void nft_set_elem_destroy(const struct nft_set *set, void *elem,
+ bool destroy_expr);
++void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
++ const struct nft_set *set, void *elem);
+
+ /**
+ * struct nft_set_gc_batch_head - nf_tables set garbage collection batch
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 837925cf0b848..dee60bad5c198 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -561,6 +561,58 @@ static int nft_trans_set_add(const struct nft_ctx *ctx, int msg_type,
+ return __nft_trans_set_add(ctx, msg_type, set, NULL);
+ }
+
++static void nft_setelem_data_deactivate(const struct net *net,
++ const struct nft_set *set,
++ struct nft_set_elem *elem);
++
++static int nft_mapelem_deactivate(const struct nft_ctx *ctx,
++ struct nft_set *set,
++ const struct nft_set_iter *iter,
++ struct nft_set_elem *elem)
++{
++ nft_setelem_data_deactivate(ctx->net, set, elem);
++
++ return 0;
++}
++
++struct nft_set_elem_catchall {
++ struct list_head list;
++ struct rcu_head rcu;
++ void *elem;
++};
++
++static void nft_map_catchall_deactivate(const struct nft_ctx *ctx,
++ struct nft_set *set)
++{
++ u8 genmask = nft_genmask_next(ctx->net);
++ struct nft_set_elem_catchall *catchall;
++ struct nft_set_elem elem;
++ struct nft_set_ext *ext;
++
++ list_for_each_entry(catchall, &set->catchall_list, list) {
++ ext = nft_set_elem_ext(set, catchall->elem);
++ if (!nft_set_elem_active(ext, genmask))
++ continue;
++
++ elem.priv = catchall->elem;
++ nft_setelem_data_deactivate(ctx->net, set, &elem);
++ break;
++ }
++}
++
++static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set)
++{
++ struct nft_set_iter iter = {
++ .genmask = nft_genmask_next(ctx->net),
++ .fn = nft_mapelem_deactivate,
++ };
++
++ set->ops->walk(ctx, set, &iter);
++ WARN_ON_ONCE(iter.err);
++
++ nft_map_catchall_deactivate(ctx, set);
++}
++
+ static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
+ {
+ int err;
+@@ -569,6 +621,9 @@ static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set)
+ if (err < 0)
+ return err;
+
++ if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
++ nft_map_deactivate(ctx, set);
++
+ nft_deactivate_next(ctx->net, set);
+ ctx->table->use--;
+
+@@ -3596,12 +3651,6 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
+ return 0;
+ }
+
+-struct nft_set_elem_catchall {
+- struct list_head list;
+- struct rcu_head rcu;
+- void *elem;
+-};
+-
+ int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
+ {
+ u8 genmask = nft_genmask_next(ctx->net);
+@@ -4928,7 +4977,7 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
+ for (i = 0; i < set->num_exprs; i++)
+ nft_expr_destroy(&ctx, set->exprs[i]);
+ err_set_destroy:
+- ops->destroy(set);
++ ops->destroy(&ctx, set);
+ err_set_init:
+ kfree(set->name);
+ err_set_name:
+@@ -4943,7 +4992,7 @@ static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
+
+ list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
+ list_del_rcu(&catchall->list);
+- nft_set_elem_destroy(set, catchall->elem, true);
++ nf_tables_set_elem_destroy(ctx, set, catchall->elem);
+ kfree_rcu(catchall, rcu);
+ }
+ }
+@@ -4958,7 +5007,7 @@ static void nft_set_destroy(const struct nft_ctx *ctx, struct nft_set *set)
+ for (i = 0; i < set->num_exprs; i++)
+ nft_expr_destroy(ctx, set->exprs[i]);
+
+- set->ops->destroy(set);
++ set->ops->destroy(ctx, set);
+ nft_set_catchall_destroy(ctx, set);
+ kfree(set->name);
+ kvfree(set);
+@@ -5123,10 +5172,60 @@ static void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
+ }
+ }
+
++static void nft_setelem_data_activate(const struct net *net,
++ const struct nft_set *set,
++ struct nft_set_elem *elem);
++
++static int nft_mapelem_activate(const struct nft_ctx *ctx,
++ struct nft_set *set,
++ const struct nft_set_iter *iter,
++ struct nft_set_elem *elem)
++{
++ nft_setelem_data_activate(ctx->net, set, elem);
++
++ return 0;
++}
++
++static void nft_map_catchall_activate(const struct nft_ctx *ctx,
++ struct nft_set *set)
++{
++ u8 genmask = nft_genmask_next(ctx->net);
++ struct nft_set_elem_catchall *catchall;
++ struct nft_set_elem elem;
++ struct nft_set_ext *ext;
++
++ list_for_each_entry(catchall, &set->catchall_list, list) {
++ ext = nft_set_elem_ext(set, catchall->elem);
++ if (!nft_set_elem_active(ext, genmask))
++ continue;
++
++ elem.priv = catchall->elem;
++ nft_setelem_data_activate(ctx->net, set, &elem);
++ break;
++ }
++}
++
++static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set)
++{
++ struct nft_set_iter iter = {
++ .genmask = nft_genmask_next(ctx->net),
++ .fn = nft_mapelem_activate,
++ };
++
++ set->ops->walk(ctx, set, &iter);
++ WARN_ON_ONCE(iter.err);
++
++ nft_map_catchall_activate(ctx, set);
++}
++
+ void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
+ {
+- if (nft_set_is_anonymous(set))
++ if (nft_set_is_anonymous(set)) {
++ if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
++ nft_map_activate(ctx, set);
++
+ nft_clear(ctx->net, set);
++ }
+
+ set->use++;
+ }
+@@ -5145,13 +5244,20 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
+ set->use--;
+ break;
+ case NFT_TRANS_PREPARE:
+- if (nft_set_is_anonymous(set))
+- nft_deactivate_next(ctx->net, set);
++ if (nft_set_is_anonymous(set)) {
++ if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
++ nft_map_deactivate(ctx, set);
+
++ nft_deactivate_next(ctx->net, set);
++ }
+ set->use--;
+ return;
+ case NFT_TRANS_ABORT:
+ case NFT_TRANS_RELEASE:
++ if (nft_set_is_anonymous(set) &&
++ set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
++ nft_map_deactivate(ctx, set);
++
+ set->use--;
+ fallthrough;
+ default:
+@@ -5904,6 +6010,7 @@ static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+ __nft_set_elem_expr_destroy(ctx, expr);
+ }
+
++/* Drop references and destroy. Called from gc, dynset and abort path. */
+ void nft_set_elem_destroy(const struct nft_set *set, void *elem,
+ bool destroy_expr)
+ {
+@@ -5925,11 +6032,11 @@ void nft_set_elem_destroy(const struct nft_set *set, void *elem,
+ }
+ EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
+
+-/* Only called from commit path, nft_setelem_data_deactivate() already deals
+- * with the refcounting from the preparation phase.
++/* Destroy element. References have been already dropped in the preparation
++ * path via nft_setelem_data_deactivate().
+ */
+-static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
+- const struct nft_set *set, void *elem)
++void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
++ const struct nft_set *set, void *elem)
+ {
+ struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
+
+@@ -6562,7 +6669,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ if (obj)
+ obj->use--;
+ err_elem_userdata:
+- nf_tables_set_elem_destroy(ctx, set, elem.priv);
++ nft_set_elem_destroy(set, elem.priv, true);
+ err_parse_data:
+ if (nla[NFTA_SET_ELEM_DATA] != NULL)
+ nft_data_release(&elem.data.val, desc.type);
+@@ -9700,6 +9807,9 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
+ case NFT_MSG_DESTROYSET:
+ trans->ctx.table->use++;
+ nft_clear(trans->ctx.net, nft_trans_set(trans));
++ if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
++ nft_map_activate(&trans->ctx, nft_trans_set(trans));
++
+ nft_trans_destroy(trans);
+ break;
+ case NFT_MSG_NEWSETELEM:
+@@ -10469,6 +10579,9 @@ static void __nft_release_table(struct net *net, struct nft_table *table)
+ list_for_each_entry_safe(set, ns, &table->sets, list) {
+ list_del(&set->list);
+ table->use--;
++ if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
++ nft_map_deactivate(&ctx, set);
++
+ nft_set_destroy(&ctx, set);
+ }
+ list_for_each_entry_safe(obj, ne, &table->objects, list) {
+diff --git a/net/netfilter/nft_set_bitmap.c b/net/netfilter/nft_set_bitmap.c
+index 96081ac8d2b4c..1e5e7a181e0bc 100644
+--- a/net/netfilter/nft_set_bitmap.c
++++ b/net/netfilter/nft_set_bitmap.c
+@@ -271,13 +271,14 @@ static int nft_bitmap_init(const struct nft_set *set,
+ return 0;
+ }
+
+-static void nft_bitmap_destroy(const struct nft_set *set)
++static void nft_bitmap_destroy(const struct nft_ctx *ctx,
++ const struct nft_set *set)
+ {
+ struct nft_bitmap *priv = nft_set_priv(set);
+ struct nft_bitmap_elem *be, *n;
+
+ list_for_each_entry_safe(be, n, &priv->list, head)
+- nft_set_elem_destroy(set, be, true);
++ nf_tables_set_elem_destroy(ctx, set, be);
+ }
+
+ static bool nft_bitmap_estimate(const struct nft_set_desc *desc, u32 features,
+diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
+index 76de6c8d98655..0b73cb0e752f7 100644
+--- a/net/netfilter/nft_set_hash.c
++++ b/net/netfilter/nft_set_hash.c
+@@ -400,19 +400,31 @@ static int nft_rhash_init(const struct nft_set *set,
+ return 0;
+ }
+
++struct nft_rhash_ctx {
++ const struct nft_ctx ctx;
++ const struct nft_set *set;
++};
++
+ static void nft_rhash_elem_destroy(void *ptr, void *arg)
+ {
+- nft_set_elem_destroy(arg, ptr, true);
++ struct nft_rhash_ctx *rhash_ctx = arg;
++
++ nf_tables_set_elem_destroy(&rhash_ctx->ctx, rhash_ctx->set, ptr);
+ }
+
+-static void nft_rhash_destroy(const struct nft_set *set)
++static void nft_rhash_destroy(const struct nft_ctx *ctx,
++ const struct nft_set *set)
+ {
+ struct nft_rhash *priv = nft_set_priv(set);
++ struct nft_rhash_ctx rhash_ctx = {
++ .ctx = *ctx,
++ .set = set,
++ };
+
+ cancel_delayed_work_sync(&priv->gc_work);
+ rcu_barrier();
+ rhashtable_free_and_destroy(&priv->ht, nft_rhash_elem_destroy,
+- (void *)set);
++ (void *)&rhash_ctx);
+ }
+
+ /* Number of buckets is stored in u32, so cap our result to 1U<<31 */
+@@ -643,7 +655,8 @@ static int nft_hash_init(const struct nft_set *set,
+ return 0;
+ }
+
+-static void nft_hash_destroy(const struct nft_set *set)
++static void nft_hash_destroy(const struct nft_ctx *ctx,
++ const struct nft_set *set)
+ {
+ struct nft_hash *priv = nft_set_priv(set);
+ struct nft_hash_elem *he;
+@@ -653,7 +666,7 @@ static void nft_hash_destroy(const struct nft_set *set)
+ for (i = 0; i < priv->buckets; i++) {
+ hlist_for_each_entry_safe(he, next, &priv->table[i], node) {
+ hlist_del_rcu(&he->node);
+- nft_set_elem_destroy(set, he, true);
++ nf_tables_set_elem_destroy(ctx, set, he);
+ }
+ }
+ }
+diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
+index 15e451dc3fc46..c867b5b772e86 100644
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -2148,10 +2148,12 @@ static int nft_pipapo_init(const struct nft_set *set,
+
+ /**
+ * nft_set_pipapo_match_destroy() - Destroy elements from key mapping array
++ * @ctx: context
+ * @set: nftables API set representation
+ * @m: matching data pointing to key mapping array
+ */
+-static void nft_set_pipapo_match_destroy(const struct nft_set *set,
++static void nft_set_pipapo_match_destroy(const struct nft_ctx *ctx,
++ const struct nft_set *set,
+ struct nft_pipapo_match *m)
+ {
+ struct nft_pipapo_field *f;
+@@ -2168,15 +2170,17 @@ static void nft_set_pipapo_match_destroy(const struct nft_set *set,
+
+ e = f->mt[r].e;
+
+- nft_set_elem_destroy(set, e, true);
++ nf_tables_set_elem_destroy(ctx, set, e);
+ }
+ }
+
+ /**
+ * nft_pipapo_destroy() - Free private data for set and all committed elements
++ * @ctx: context
+ * @set: nftables API set representation
+ */
+-static void nft_pipapo_destroy(const struct nft_set *set)
++static void nft_pipapo_destroy(const struct nft_ctx *ctx,
++ const struct nft_set *set)
+ {
+ struct nft_pipapo *priv = nft_set_priv(set);
+ struct nft_pipapo_match *m;
+@@ -2186,7 +2190,7 @@ static void nft_pipapo_destroy(const struct nft_set *set)
+ if (m) {
+ rcu_barrier();
+
+- nft_set_pipapo_match_destroy(set, m);
++ nft_set_pipapo_match_destroy(ctx, set, m);
+
+ #ifdef NFT_PIPAPO_ALIGN
+ free_percpu(m->scratch_aligned);
+@@ -2203,7 +2207,7 @@ static void nft_pipapo_destroy(const struct nft_set *set)
+ m = priv->clone;
+
+ if (priv->dirty)
+- nft_set_pipapo_match_destroy(set, m);
++ nft_set_pipapo_match_destroy(ctx, set, m);
+
+ #ifdef NFT_PIPAPO_ALIGN
+ free_percpu(priv->clone->scratch_aligned);
+diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
+index 2f114aa10f1a7..5c05c9b990fba 100644
+--- a/net/netfilter/nft_set_rbtree.c
++++ b/net/netfilter/nft_set_rbtree.c
+@@ -664,7 +664,8 @@ static int nft_rbtree_init(const struct nft_set *set,
+ return 0;
+ }
+
+-static void nft_rbtree_destroy(const struct nft_set *set)
++static void nft_rbtree_destroy(const struct nft_ctx *ctx,
++ const struct nft_set *set)
+ {
+ struct nft_rbtree *priv = nft_set_priv(set);
+ struct nft_rbtree_elem *rbe;
+@@ -675,7 +676,7 @@ static void nft_rbtree_destroy(const struct nft_set *set)
+ while ((node = priv->root.rb_node) != NULL) {
+ rb_erase(node, &priv->root);
+ rbe = rb_entry(node, struct nft_rbtree_elem, node);
+- nft_set_elem_destroy(set, rbe, true);
++ nf_tables_set_elem_destroy(ctx, set, rbe);
+ }
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 2573dce88643c979e74f9edbcd4c8a333392d445 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jun 2023 14:45:22 +0200
+Subject: netfilter: nf_tables: fix chain binding transaction logic
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 4bedf9eee016286c835e3d8fa981ddece5338795 ]
+
+Add bound flag to rule and chain transactions as in 6a0a8d10a366
+("netfilter: nf_tables: use-after-free in failing rule with bound set")
+to skip them in case that the chain is already bound from the abort
+path.
+
+This patch fixes an imbalance in the chain use refcnt that triggers a
+WARN_ON on the table and chain destroy path.
+
+This patch also disallows nested chain bindings, which is not
+supported from userspace.
+
+The logic to deal with chain binding in nft_data_hold() and
+nft_data_release() is not correct. The NFT_TRANS_PREPARE state needs a
+special handling in case a chain is bound but next expressions in the
+same rule fail to initialize as described by 1240eb93f061 ("netfilter:
+nf_tables: incorrect error path handling with NFT_MSG_NEWRULE").
+
+The chain is left bound if rule construction fails, so the objects
+stored in this chain (and the chain itself) are released by the
+transaction records from the abort path, follow up patch ("netfilter:
+nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain")
+completes this error handling.
+
+When deleting an existing rule, chain bound flag is set off so the
+rule expression .destroy path releases the objects.
+
+Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_tables.h | 21 +++++++-
+ net/netfilter/nf_tables_api.c | 86 +++++++++++++++++++-----------
+ net/netfilter/nft_immediate.c | 87 +++++++++++++++++++++++++++----
+ 3 files changed, 153 insertions(+), 41 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index 300bce4d67cec..91bf88dab245f 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -1009,7 +1009,10 @@ static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
+ return (void *)&rule->data[rule->dlen];
+ }
+
+-void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule);
++void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule);
++void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
++ enum nft_trans_phase phase);
++void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule);
+
+ static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext,
+ struct nft_regs *regs,
+@@ -1092,6 +1095,7 @@ int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
+ const struct nft_set_iter *iter,
+ struct nft_set_elem *elem);
+ int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set);
++int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
+
+ enum nft_chain_types {
+ NFT_CHAIN_T_DEFAULT = 0,
+@@ -1128,11 +1132,17 @@ int nft_chain_validate_dependency(const struct nft_chain *chain,
+ int nft_chain_validate_hooks(const struct nft_chain *chain,
+ unsigned int hook_flags);
+
++static inline bool nft_chain_binding(const struct nft_chain *chain)
++{
++ return chain->flags & NFT_CHAIN_BINDING;
++}
++
+ static inline bool nft_chain_is_bound(struct nft_chain *chain)
+ {
+ return (chain->flags & NFT_CHAIN_BINDING) && chain->bound;
+ }
+
++int nft_chain_add(struct nft_table *table, struct nft_chain *chain);
+ void nft_chain_del(struct nft_chain *chain);
+ void nf_tables_chain_destroy(struct nft_ctx *ctx);
+
+@@ -1567,6 +1577,7 @@ struct nft_trans_rule {
+ struct nft_rule *rule;
+ struct nft_flow_rule *flow;
+ u32 rule_id;
++ bool bound;
+ };
+
+ #define nft_trans_rule(trans) \
+@@ -1575,6 +1586,8 @@ struct nft_trans_rule {
+ (((struct nft_trans_rule *)trans->data)->flow)
+ #define nft_trans_rule_id(trans) \
+ (((struct nft_trans_rule *)trans->data)->rule_id)
++#define nft_trans_rule_bound(trans) \
++ (((struct nft_trans_rule *)trans->data)->bound)
+
+ struct nft_trans_set {
+ struct nft_set *set;
+@@ -1599,15 +1612,19 @@ struct nft_trans_set {
+ (((struct nft_trans_set *)trans->data)->gc_int)
+
+ struct nft_trans_chain {
++ struct nft_chain *chain;
+ bool update;
+ char *name;
+ struct nft_stats __percpu *stats;
+ u8 policy;
++ bool bound;
+ u32 chain_id;
+ struct nft_base_chain *basechain;
+ struct list_head hook_list;
+ };
+
++#define nft_trans_chain(trans) \
++ (((struct nft_trans_chain *)trans->data)->chain)
+ #define nft_trans_chain_update(trans) \
+ (((struct nft_trans_chain *)trans->data)->update)
+ #define nft_trans_chain_name(trans) \
+@@ -1616,6 +1633,8 @@ struct nft_trans_chain {
+ (((struct nft_trans_chain *)trans->data)->stats)
+ #define nft_trans_chain_policy(trans) \
+ (((struct nft_trans_chain *)trans->data)->policy)
++#define nft_trans_chain_bound(trans) \
++ (((struct nft_trans_chain *)trans->data)->bound)
+ #define nft_trans_chain_id(trans) \
+ (((struct nft_trans_chain *)trans->data)->chain_id)
+ #define nft_trans_basechain(trans) \
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 8f63514656a17..281ee688128ab 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -195,6 +195,48 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
+ }
+ }
+
++static void nft_chain_trans_bind(const struct nft_ctx *ctx, struct nft_chain *chain)
++{
++ struct nftables_pernet *nft_net;
++ struct net *net = ctx->net;
++ struct nft_trans *trans;
++
++ if (!nft_chain_binding(chain))
++ return;
++
++ nft_net = nft_pernet(net);
++ list_for_each_entry_reverse(trans, &nft_net->commit_list, list) {
++ switch (trans->msg_type) {
++ case NFT_MSG_NEWCHAIN:
++ if (nft_trans_chain(trans) == chain)
++ nft_trans_chain_bound(trans) = true;
++ break;
++ case NFT_MSG_NEWRULE:
++ if (trans->ctx.chain == chain)
++ nft_trans_rule_bound(trans) = true;
++ break;
++ }
++ }
++}
++
++int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain)
++{
++ if (!nft_chain_binding(chain))
++ return 0;
++
++ if (nft_chain_binding(ctx->chain))
++ return -EOPNOTSUPP;
++
++ if (chain->bound)
++ return -EBUSY;
++
++ chain->bound = true;
++ chain->use++;
++ nft_chain_trans_bind(ctx, chain);
++
++ return 0;
++}
++
+ static int nft_netdev_register_hooks(struct net *net,
+ struct list_head *hook_list)
+ {
+@@ -340,8 +382,9 @@ static struct nft_trans *nft_trans_chain_add(struct nft_ctx *ctx, int msg_type)
+ ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID]));
+ }
+ }
+-
++ nft_trans_chain(trans) = ctx->chain;
+ nft_trans_commit_list_add_tail(ctx->net, trans);
++
+ return trans;
+ }
+
+@@ -359,8 +402,7 @@ static int nft_delchain(struct nft_ctx *ctx)
+ return 0;
+ }
+
+-static void nft_rule_expr_activate(const struct nft_ctx *ctx,
+- struct nft_rule *rule)
++void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule)
+ {
+ struct nft_expr *expr;
+
+@@ -373,9 +415,8 @@ static void nft_rule_expr_activate(const struct nft_ctx *ctx,
+ }
+ }
+
+-static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
+- struct nft_rule *rule,
+- enum nft_trans_phase phase)
++void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule,
++ enum nft_trans_phase phase)
+ {
+ struct nft_expr *expr;
+
+@@ -2221,7 +2262,7 @@ static int nft_basechain_init(struct nft_base_chain *basechain, u8 family,
+ return 0;
+ }
+
+-static int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
++int nft_chain_add(struct nft_table *table, struct nft_chain *chain)
+ {
+ int err;
+
+@@ -3427,8 +3468,7 @@ static int nf_tables_getrule(struct sk_buff *skb, const struct nfnl_info *info,
+ return err;
+ }
+
+-static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
+- struct nft_rule *rule)
++void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
+ {
+ struct nft_expr *expr, *next;
+
+@@ -3445,7 +3485,7 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
+ kfree(rule);
+ }
+
+-void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
++static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
+ {
+ nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
+ nf_tables_rule_destroy(ctx, rule);
+@@ -6570,7 +6610,6 @@ static int nf_tables_newsetelem(struct sk_buff *skb,
+ void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
+ {
+ struct nft_chain *chain;
+- struct nft_rule *rule;
+
+ if (type == NFT_DATA_VERDICT) {
+ switch (data->verdict.code) {
+@@ -6578,15 +6617,6 @@ void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
+ case NFT_GOTO:
+ chain = data->verdict.chain;
+ chain->use++;
+-
+- if (!nft_chain_is_bound(chain))
+- break;
+-
+- chain->table->use++;
+- list_for_each_entry(rule, &chain->rules, list)
+- chain->use++;
+-
+- nft_chain_add(chain->table, chain);
+ break;
+ }
+ }
+@@ -9583,7 +9613,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
+ kfree(nft_trans_chain_name(trans));
+ nft_trans_destroy(trans);
+ } else {
+- if (nft_chain_is_bound(trans->ctx.chain)) {
++ if (nft_trans_chain_bound(trans)) {
+ nft_trans_destroy(trans);
+ break;
+ }
+@@ -9601,6 +9631,10 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
+ nft_trans_destroy(trans);
+ break;
+ case NFT_MSG_NEWRULE:
++ if (nft_trans_rule_bound(trans)) {
++ nft_trans_destroy(trans);
++ break;
++ }
+ trans->ctx.chain->use--;
+ list_del_rcu(&nft_trans_rule(trans)->list);
+ nft_rule_expr_deactivate(&trans->ctx,
+@@ -10164,22 +10198,12 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+ static void nft_verdict_uninit(const struct nft_data *data)
+ {
+ struct nft_chain *chain;
+- struct nft_rule *rule;
+
+ switch (data->verdict.code) {
+ case NFT_JUMP:
+ case NFT_GOTO:
+ chain = data->verdict.chain;
+ chain->use--;
+-
+- if (!nft_chain_is_bound(chain))
+- break;
+-
+- chain->table->use--;
+- list_for_each_entry(rule, &chain->rules, list)
+- chain->use--;
+-
+- nft_chain_del(chain);
+ break;
+ }
+ }
+diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
+index c9d2f7c29f530..0492a04064f11 100644
+--- a/net/netfilter/nft_immediate.c
++++ b/net/netfilter/nft_immediate.c
+@@ -76,11 +76,9 @@ static int nft_immediate_init(const struct nft_ctx *ctx,
+ switch (priv->data.verdict.code) {
+ case NFT_JUMP:
+ case NFT_GOTO:
+- if (nft_chain_is_bound(chain)) {
+- err = -EBUSY;
+- goto err1;
+- }
+- chain->bound = true;
++ err = nf_tables_bind_chain(ctx, chain);
++ if (err < 0)
++ return err;
+ break;
+ default:
+ break;
+@@ -98,6 +96,31 @@ static void nft_immediate_activate(const struct nft_ctx *ctx,
+ const struct nft_expr *expr)
+ {
+ const struct nft_immediate_expr *priv = nft_expr_priv(expr);
++ const struct nft_data *data = &priv->data;
++ struct nft_ctx chain_ctx;
++ struct nft_chain *chain;
++ struct nft_rule *rule;
++
++ if (priv->dreg == NFT_REG_VERDICT) {
++ switch (data->verdict.code) {
++ case NFT_JUMP:
++ case NFT_GOTO:
++ chain = data->verdict.chain;
++ if (!nft_chain_binding(chain))
++ break;
++
++ chain_ctx = *ctx;
++ chain_ctx.chain = chain;
++
++ list_for_each_entry(rule, &chain->rules, list)
++ nft_rule_expr_activate(&chain_ctx, rule);
++
++ nft_clear(ctx->net, chain);
++ break;
++ default:
++ break;
++ }
++ }
+
+ return nft_data_hold(&priv->data, nft_dreg_to_type(priv->dreg));
+ }
+@@ -107,6 +130,40 @@ static void nft_immediate_deactivate(const struct nft_ctx *ctx,
+ enum nft_trans_phase phase)
+ {
+ const struct nft_immediate_expr *priv = nft_expr_priv(expr);
++ const struct nft_data *data = &priv->data;
++ struct nft_ctx chain_ctx;
++ struct nft_chain *chain;
++ struct nft_rule *rule;
++
++ if (priv->dreg == NFT_REG_VERDICT) {
++ switch (data->verdict.code) {
++ case NFT_JUMP:
++ case NFT_GOTO:
++ chain = data->verdict.chain;
++ if (!nft_chain_binding(chain))
++ break;
++
++ chain_ctx = *ctx;
++ chain_ctx.chain = chain;
++
++ list_for_each_entry(rule, &chain->rules, list)
++ nft_rule_expr_deactivate(&chain_ctx, rule, phase);
++
++ switch (phase) {
++ case NFT_TRANS_PREPARE:
++ nft_deactivate_next(ctx->net, chain);
++ break;
++ default:
++ nft_chain_del(chain);
++ chain->bound = false;
++ chain->table->use--;
++ break;
++ }
++ break;
++ default:
++ break;
++ }
++ }
+
+ if (phase == NFT_TRANS_COMMIT)
+ return;
+@@ -131,15 +188,27 @@ static void nft_immediate_destroy(const struct nft_ctx *ctx,
+ case NFT_GOTO:
+ chain = data->verdict.chain;
+
+- if (!nft_chain_is_bound(chain))
++ if (!nft_chain_binding(chain))
++ break;
++
++ /* Rule construction failed, but chain is already bound:
++ * let the transaction records release this chain and its rules.
++ */
++ if (chain->bound) {
++ chain->use--;
+ break;
++ }
+
++ /* Rule has been deleted, release chain and its rules. */
+ chain_ctx = *ctx;
+ chain_ctx.chain = chain;
+
+- list_for_each_entry_safe(rule, n, &chain->rules, list)
+- nf_tables_rule_release(&chain_ctx, rule);
+-
++ chain->use--;
++ list_for_each_entry_safe(rule, n, &chain->rules, list) {
++ chain->use--;
++ list_del(&rule->list);
++ nf_tables_rule_destroy(&chain_ctx, rule);
++ }
+ nf_tables_chain_destroy(&chain_ctx);
+ break;
+ default:
+--
+2.39.2
+
--- /dev/null
+From ebe7866ae2d380bb07b15ec501eb763f6f28664b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jun 2023 15:21:33 +0200
+Subject: netfilter: nf_tables: reject unbound anonymous set before commit
+ phase
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 938154b93be8cd611ddfd7bafc1849f3c4355201 ]
+
+Add a new list to track set transaction and to check for unbound
+anonymous sets before entering the commit phase.
+
+Bail out at the end of the transaction handling if an anonymous set
+remains unbound.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_tables.h | 3 +++
+ net/netfilter/nf_tables_api.c | 35 ++++++++++++++++++++++++++++---
+ 2 files changed, 35 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index a0f63c7d1d687..730c63ceee567 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -1565,6 +1565,7 @@ static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext)
+ * struct nft_trans - nf_tables object update in transaction
+ *
+ * @list: used internally
++ * @binding_list: list of objects with possible bindings
+ * @msg_type: message type
+ * @put_net: ctx->net needs to be put
+ * @ctx: transaction context
+@@ -1572,6 +1573,7 @@ static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext)
+ */
+ struct nft_trans {
+ struct list_head list;
++ struct list_head binding_list;
+ int msg_type;
+ bool put_net;
+ struct nft_ctx ctx;
+@@ -1716,6 +1718,7 @@ static inline int nft_request_module(struct net *net, const char *fmt, ...) { re
+ struct nftables_pernet {
+ struct list_head tables;
+ struct list_head commit_list;
++ struct list_head binding_list;
+ struct list_head module_list;
+ struct list_head notify_list;
+ struct mutex commit_mutex;
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 4bf532a2a60b9..2e3a374db1b9f 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -153,6 +153,7 @@ static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
+ return NULL;
+
+ INIT_LIST_HEAD(&trans->list);
++ INIT_LIST_HEAD(&trans->binding_list);
+ trans->msg_type = msg_type;
+ trans->ctx = *ctx;
+
+@@ -165,9 +166,15 @@ static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
+ return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
+ }
+
+-static void nft_trans_destroy(struct nft_trans *trans)
++static void nft_trans_list_del(struct nft_trans *trans)
+ {
+ list_del(&trans->list);
++ list_del(&trans->binding_list);
++}
++
++static void nft_trans_destroy(struct nft_trans *trans)
++{
++ nft_trans_list_del(trans);
+ kfree(trans);
+ }
+
+@@ -359,6 +366,14 @@ static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *tr
+ {
+ struct nftables_pernet *nft_net = nft_pernet(net);
+
++ switch (trans->msg_type) {
++ case NFT_MSG_NEWSET:
++ if (!nft_trans_set_update(trans) &&
++ nft_set_is_anonymous(nft_trans_set(trans)))
++ list_add_tail(&trans->binding_list, &nft_net->binding_list);
++ break;
++ }
++
+ list_add_tail(&trans->list, &nft_net->commit_list);
+ }
+
+@@ -9027,7 +9042,7 @@ static void nf_tables_trans_destroy_work(struct work_struct *w)
+ synchronize_rcu();
+
+ list_for_each_entry_safe(trans, next, &head, list) {
+- list_del(&trans->list);
++ nft_trans_list_del(trans);
+ nft_commit_release(trans);
+ }
+ }
+@@ -9394,6 +9409,19 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
+ return 0;
+ }
+
++ list_for_each_entry(trans, &nft_net->binding_list, binding_list) {
++ switch (trans->msg_type) {
++ case NFT_MSG_NEWSET:
++ if (!nft_trans_set_update(trans) &&
++ nft_set_is_anonymous(nft_trans_set(trans)) &&
++ !nft_trans_set_bound(trans)) {
++ pr_warn_once("nftables ruleset with unbound set\n");
++ return -EINVAL;
++ }
++ break;
++ }
++ }
++
+ /* 0. Validate ruleset, otherwise roll back for error reporting. */
+ if (nf_tables_validate(net) < 0)
+ return -EAGAIN;
+@@ -9893,7 +9921,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
+
+ list_for_each_entry_safe_reverse(trans, next,
+ &nft_net->commit_list, list) {
+- list_del(&trans->list);
++ nft_trans_list_del(trans);
+ nf_tables_abort_release(trans);
+ }
+
+@@ -10669,6 +10697,7 @@ static int __net_init nf_tables_init_net(struct net *net)
+
+ INIT_LIST_HEAD(&nft_net->tables);
+ INIT_LIST_HEAD(&nft_net->commit_list);
++ INIT_LIST_HEAD(&nft_net->binding_list);
+ INIT_LIST_HEAD(&nft_net->module_list);
+ INIT_LIST_HEAD(&nft_net->notify_list);
+ mutex_init(&nft_net->commit_mutex);
+--
+2.39.2
+
--- /dev/null
+From 4a33577f598b4a39f41ffcaefdcee32b69c4df86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jun 2023 15:21:39 +0200
+Subject: netfilter: nf_tables: reject unbound chain set before commit phase
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 62e1e94b246e685d89c3163aaef4b160e42ceb02 ]
+
+Use binding list to track set transaction and to check for unbound
+chains before entering the commit phase.
+
+Bail out if chain binding remain unused before entering the commit
+step.
+
+Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 2e3a374db1b9f..f065542750376 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -372,6 +372,11 @@ static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *tr
+ nft_set_is_anonymous(nft_trans_set(trans)))
+ list_add_tail(&trans->binding_list, &nft_net->binding_list);
+ break;
++ case NFT_MSG_NEWCHAIN:
++ if (!nft_trans_chain_update(trans) &&
++ nft_chain_binding(nft_trans_chain(trans)))
++ list_add_tail(&trans->binding_list, &nft_net->binding_list);
++ break;
+ }
+
+ list_add_tail(&trans->list, &nft_net->commit_list);
+@@ -9419,6 +9424,14 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
+ return -EINVAL;
+ }
+ break;
++ case NFT_MSG_NEWCHAIN:
++ if (!nft_trans_chain_update(trans) &&
++ nft_chain_binding(nft_trans_chain(trans)) &&
++ !nft_trans_chain_bound(trans)) {
++ pr_warn_once("nftables ruleset with unbound chain\n");
++ return -EINVAL;
++ }
++ break;
+ }
+ }
+
+--
+2.39.2
+
--- /dev/null
+From d60f79c47afd29feb25db8f6c9242b3f2d7f08cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jun 2023 10:14:25 +0200
+Subject: netfilter: nfnetlink_osf: fix module autoload
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 62f9a68a36d4441a6c412b81faed102594bc6670 ]
+
+Move the alias from xt_osf to nfnetlink_osf.
+
+Fixes: f9324952088f ("netfilter: nfnetlink_osf: extract nfnetlink_subsystem code from xt_osf.c")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_osf.c | 1 +
+ net/netfilter/xt_osf.c | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
+index ee6840bd59337..8f1bfa6ccc2d9 100644
+--- a/net/netfilter/nfnetlink_osf.c
++++ b/net/netfilter/nfnetlink_osf.c
+@@ -439,3 +439,4 @@ module_init(nfnl_osf_init);
+ module_exit(nfnl_osf_fini);
+
+ MODULE_LICENSE("GPL");
++MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_OSF);
+diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
+index e1990baf3a3b7..dc9485854002a 100644
+--- a/net/netfilter/xt_osf.c
++++ b/net/netfilter/xt_osf.c
+@@ -71,4 +71,3 @@ MODULE_AUTHOR("Evgeniy Polyakov <zbr@ioremap.net>");
+ MODULE_DESCRIPTION("Passive OS fingerprint matching.");
+ MODULE_ALIAS("ipt_osf");
+ MODULE_ALIAS("ip6t_osf");
+-MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_OSF);
+--
+2.39.2
+
--- /dev/null
+From c47f22109ab09d7aa52f534e258a197df7f583b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jun 2023 15:20:04 +0200
+Subject: netfilter: nft_set_pipapo: .walk does not deal with generations
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 2b84e215f87443c74ac0aa7f76bb172d43a87033 ]
+
+The .walk callback iterates over the current active set, but it might be
+useful to iterate over the next generation set. Use the generation mask
+to determine what set view (either current or next generation) is use
+for the walk iteration.
+
+Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_pipapo.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
+index c867b5b772e86..0452ee586c1cc 100644
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -1974,12 +1974,16 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set,
+ struct nft_set_iter *iter)
+ {
+ struct nft_pipapo *priv = nft_set_priv(set);
++ struct net *net = read_pnet(&set->net);
+ struct nft_pipapo_match *m;
+ struct nft_pipapo_field *f;
+ int i, r;
+
+ rcu_read_lock();
+- m = rcu_dereference(priv->match);
++ if (iter->genmask == nft_genmask_cur(net))
++ m = rcu_dereference(priv->match);
++ else
++ m = priv->clone;
+
+ if (unlikely(!m))
+ goto out;
+--
+2.39.2
+
--- /dev/null
+From 3ce2d0925a452c64359ad508ebb8d065bbe05303 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 22:27:46 +0500
+Subject: nfcsim.c: Fix error checking for debugfs_create_dir
+
+From: Osama Muhammad <osmtendev@gmail.com>
+
+[ Upstream commit 9b9e46aa07273ceb96866b2e812b46f1ee0b8d2f ]
+
+This patch fixes the error checking in nfcsim.c.
+The DebugFS kernel API is developed in
+a way that the caller can safely ignore the errors that
+occur during the creation of DebugFS nodes.
+
+Signed-off-by: Osama Muhammad <osmtendev@gmail.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/nfcsim.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/nfc/nfcsim.c b/drivers/nfc/nfcsim.c
+index 85bf8d586c707..0f6befe8be1e2 100644
+--- a/drivers/nfc/nfcsim.c
++++ b/drivers/nfc/nfcsim.c
+@@ -336,10 +336,6 @@ static struct dentry *nfcsim_debugfs_root;
+ static void nfcsim_debugfs_init(void)
+ {
+ nfcsim_debugfs_root = debugfs_create_dir("nfcsim", NULL);
+-
+- if (!nfcsim_debugfs_root)
+- pr_err("Could not create debugfs entry\n");
+-
+ }
+
+ static void nfcsim_debugfs_remove(void)
+--
+2.39.2
+
--- /dev/null
+From b2a9b2793036dd9e8b7e3dcb0d8d0ce014cb3f91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jun 2023 11:53:53 +0530
+Subject: null_blk: Fix: memory release when memory_backed=1
+
+From: Nitesh Shetty <nj.shetty@samsung.com>
+
+[ Upstream commit 8cfb98196cceec35416041c6b91212d2b99392e4 ]
+
+Memory/pages are not freed, when unloading nullblk driver.
+
+Steps to reproduce issue
+ 1.free -h
+ total used free shared buff/cache available
+Mem: 7.8Gi 260Mi 7.1Gi 3.0Mi 395Mi 7.3Gi
+Swap: 0B 0B 0B
+ 2.modprobe null_blk memory_backed=1
+ 3.dd if=/dev/urandom of=/dev/nullb0 oflag=direct bs=1M count=1000
+ 4.modprobe -r null_blk
+ 5.free -h
+ total used free shared buff/cache available
+Mem: 7.8Gi 1.2Gi 6.1Gi 3.0Mi 398Mi 6.3Gi
+Swap: 0B 0B 0B
+
+Signed-off-by: Anuj Gupta <anuj20.g@samsung.com>
+Signed-off-by: Nitesh Shetty <nj.shetty@samsung.com>
+Link: https://lore.kernel.org/r/20230605062354.24785-1-nj.shetty@samsung.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/null_blk/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c
+index 14491952047f5..3b6b4cb400f42 100644
+--- a/drivers/block/null_blk/main.c
++++ b/drivers/block/null_blk/main.c
+@@ -2212,6 +2212,7 @@ static void null_destroy_dev(struct nullb *nullb)
+ struct nullb_device *dev = nullb->dev;
+
+ null_del_dev(nullb);
++ null_free_device_storage(dev, false);
+ null_free_dev(dev);
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 4b8656ba98c919c219e0469f55c78e42b5f1b498 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 12:22:03 -0600
+Subject: nvme: check IO start time when deciding to defer KA
+
+From: Uday Shankar <ushankar@purestorage.com>
+
+[ Upstream commit 774a9636514764ddc0d072ae0d1d1c01a47e6ddd ]
+
+When a command completes, we set a flag which will skip sending a
+keep alive at the next run of nvme_keep_alive_work when TBKAS is on.
+However, if the command was submitted long ago, it's possible that
+the controller may have also restarted its keep alive timer (as a
+result of receiving the command) long ago. The following trace
+demonstrates the issue, assuming TBKAS is on and KATO = 8 for
+simplicity:
+
+1. t = 0: submit I/O commands A, B, C, D, E
+2. t = 0.5: commands A, B, C, D, E reach controller, restart its keep
+ alive timer
+3. t = 1: A completes
+4. t = 2: run nvme_keep_alive_work, see recent completion, do nothing
+5. t = 3: B completes
+6. t = 4: run nvme_keep_alive_work, see recent completion, do nothing
+7. t = 5: C completes
+8. t = 6: run nvme_keep_alive_work, see recent completion, do nothing
+9. t = 7: D completes
+10. t = 8: run nvme_keep_alive_work, see recent completion, do nothing
+11. t = 9: E completes
+
+At this point, 8.5 seconds have passed without restarting the
+controller's keep alive timer, so the controller will detect a keep
+alive timeout.
+
+Fix this by checking the IO start time when deciding to defer sending a
+keep alive command. Only set comp_seen if the command started after the
+most recent run of nvme_keep_alive_work. With this change, the
+completions of B, C, and D will not set comp_seen and the run of
+nvme_keep_alive_work at t = 4 will send a keep alive.
+
+Reported-by: Costa Sapuntzakis <costa@purestorage.com>
+Reported-by: Randy Jennings <randyj@purestorage.com>
+Signed-off-by: Uday Shankar <ushankar@purestorage.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 14 +++++++++++++-
+ drivers/nvme/host/nvme.h | 1 +
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 3838a6622c34b..d87b8dfda622a 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -397,7 +397,16 @@ void nvme_complete_rq(struct request *req)
+ trace_nvme_complete_rq(req);
+ nvme_cleanup_cmd(req);
+
+- if (ctrl->kas)
++ /*
++ * Completions of long-running commands should not be able to
++ * defer sending of periodic keep alives, since the controller
++ * may have completed processing such commands a long time ago
++ * (arbitrarily close to command submission time).
++ * req->deadline - req->timeout is the command submission time
++ * in jiffies.
++ */
++ if (ctrl->kas &&
++ req->deadline - req->timeout >= ctrl->ka_last_check_time)
+ ctrl->comp_seen = true;
+
+ switch (nvme_decide_disposition(req)) {
+@@ -1200,6 +1209,7 @@ static enum rq_end_io_ret nvme_keep_alive_end_io(struct request *rq,
+ return RQ_END_IO_NONE;
+ }
+
++ ctrl->ka_last_check_time = jiffies;
+ ctrl->comp_seen = false;
+ spin_lock_irqsave(&ctrl->lock, flags);
+ if (ctrl->state == NVME_CTRL_LIVE ||
+@@ -1218,6 +1228,8 @@ static void nvme_keep_alive_work(struct work_struct *work)
+ bool comp_seen = ctrl->comp_seen;
+ struct request *rq;
+
++ ctrl->ka_last_check_time = jiffies;
++
+ if ((ctrl->ctratt & NVME_CTRL_ATTR_TBKAS) && comp_seen) {
+ dev_dbg(ctrl->device,
+ "reschedule traffic based keep-alive timer\n");
+diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
+index 2dd52739236e1..8657811f8b887 100644
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -328,6 +328,7 @@ struct nvme_ctrl {
+ struct delayed_work ka_work;
+ struct delayed_work failfast_work;
+ struct nvme_command ka_cmd;
++ unsigned long ka_last_check_time;
+ struct work_struct fw_act_work;
+ unsigned long events;
+
+--
+2.39.2
+
--- /dev/null
+From eea549472e554aed5d6c31d952c36d1620b21d9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 12:22:02 -0600
+Subject: nvme: double KA polling frequency to avoid KATO with TBKAS on
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uday Shankar <ushankar@purestorage.com>
+
+[ Upstream commit ea4d453b9ec9ea279c39744cd0ecb47ef48ede35 ]
+
+With TBKAS on, the completion of one command can defer sending a
+keep alive for up to twice the delay between successive runs of
+nvme_keep_alive_work. The current delay of KATO / 2 thus makes it
+possible for one command to defer sending a keep alive for up to
+KATO, which can result in the controller detecting a KATO. The following
+trace demonstrates the issue, taking KATO = 8 for simplicity:
+
+1. t = 0: run nvme_keep_alive_work, no keep-alive sent
+2. t = ε: I/O completion seen, set comp_seen = true
+3. t = 4: run nvme_keep_alive_work, see comp_seen == true,
+ skip sending keep-alive, set comp_seen = false
+4. t = 8: run nvme_keep_alive_work, see comp_seen == false,
+ send a keep-alive command.
+
+Here, there is a delay of 8 - ε between receiving a command completion
+and sending the next command. With ε small, the controller is likely to
+detect a keep alive timeout.
+
+Fix this by running nvme_keep_alive_work with a delay of KATO / 4
+whenever TBKAS is on. Going through the above trace now gives us a
+worst-case delay of 4 - ε, which is in line with the recommendation of
+sending a command every KATO / 2 in the NVMe specification.
+
+Reported-by: Costa Sapuntzakis <costa@purestorage.com>
+Reported-by: Randy Jennings <randyj@purestorage.com>
+Signed-off-by: Uday Shankar <ushankar@purestorage.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index f12109230dc8d..3838a6622c34b 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1163,9 +1163,25 @@ EXPORT_SYMBOL_NS_GPL(nvme_passthru_end, NVME_TARGET_PASSTHRU);
+ * The host should send Keep Alive commands at half of the Keep Alive Timeout
+ * accounting for transport roundtrip times [..].
+ */
++static unsigned long nvme_keep_alive_work_period(struct nvme_ctrl *ctrl)
++{
++ unsigned long delay = ctrl->kato * HZ / 2;
++
++ /*
++ * When using Traffic Based Keep Alive, we need to run
++ * nvme_keep_alive_work at twice the normal frequency, as one
++ * command completion can postpone sending a keep alive command
++ * by up to twice the delay between runs.
++ */
++ if (ctrl->ctratt & NVME_CTRL_ATTR_TBKAS)
++ delay /= 2;
++ return delay;
++}
++
+ static void nvme_queue_keep_alive_work(struct nvme_ctrl *ctrl)
+ {
+- queue_delayed_work(nvme_wq, &ctrl->ka_work, ctrl->kato * HZ / 2);
++ queue_delayed_work(nvme_wq, &ctrl->ka_work,
++ nvme_keep_alive_work_period(ctrl));
+ }
+
+ static enum rq_end_io_ret nvme_keep_alive_end_io(struct request *rq,
+--
+2.39.2
+
--- /dev/null
+From 16524f603f071eb6aece80664458f536270dad6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 May 2023 17:06:56 +0000
+Subject: nvme: fix miss command type check
+
+From: min15.li <min15.li@samsung.com>
+
+[ Upstream commit 31a5978243d24d77be4bacca56c78a0fbc43b00d ]
+
+In the function nvme_passthru_end(), only the value of the command
+opcode is checked, without checking the command type (IO command or
+Admin command). When we send a Dataset Management command (The opcode
+of the Dataset Management command is the same as the Set Feature
+command), kernel thinks it is a set feature command, then sets the
+controller's keep alive interval, and calls nvme_keep_alive_work().
+
+Signed-off-by: min15.li <min15.li@samsung.com>
+Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 4 +++-
+ drivers/nvme/host/ioctl.c | 2 +-
+ drivers/nvme/host/nvme.h | 2 +-
+ drivers/nvme/target/passthru.c | 2 +-
+ 4 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index c015393beeee8..f12109230dc8d 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1115,7 +1115,7 @@ u32 nvme_passthru_start(struct nvme_ctrl *ctrl, struct nvme_ns *ns, u8 opcode)
+ }
+ EXPORT_SYMBOL_NS_GPL(nvme_passthru_start, NVME_TARGET_PASSTHRU);
+
+-void nvme_passthru_end(struct nvme_ctrl *ctrl, u32 effects,
++void nvme_passthru_end(struct nvme_ctrl *ctrl, struct nvme_ns *ns, u32 effects,
+ struct nvme_command *cmd, int status)
+ {
+ if (effects & NVME_CMD_EFFECTS_CSE_MASK) {
+@@ -1132,6 +1132,8 @@ void nvme_passthru_end(struct nvme_ctrl *ctrl, u32 effects,
+ nvme_queue_scan(ctrl);
+ flush_work(&ctrl->scan_work);
+ }
++ if (ns)
++ return;
+
+ switch (cmd->common.opcode) {
+ case nvme_admin_set_features:
+diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
+index d24ea2e051564..0264ec74a4361 100644
+--- a/drivers/nvme/host/ioctl.c
++++ b/drivers/nvme/host/ioctl.c
+@@ -254,7 +254,7 @@ static int nvme_submit_user_cmd(struct request_queue *q,
+ blk_mq_free_request(req);
+
+ if (effects)
+- nvme_passthru_end(ctrl, effects, cmd, ret);
++ nvme_passthru_end(ctrl, ns, effects, cmd, ret);
+
+ return ret;
+ }
+diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
+index a2d4f59e0535a..2dd52739236e1 100644
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -1077,7 +1077,7 @@ u32 nvme_command_effects(struct nvme_ctrl *ctrl, struct nvme_ns *ns,
+ u8 opcode);
+ u32 nvme_passthru_start(struct nvme_ctrl *ctrl, struct nvme_ns *ns, u8 opcode);
+ int nvme_execute_rq(struct request *rq, bool at_head);
+-void nvme_passthru_end(struct nvme_ctrl *ctrl, u32 effects,
++void nvme_passthru_end(struct nvme_ctrl *ctrl, struct nvme_ns *ns, u32 effects,
+ struct nvme_command *cmd, int status);
+ struct nvme_ctrl *nvme_ctrl_from_file(struct file *file);
+ struct nvme_ns *nvme_find_get_ns(struct nvme_ctrl *ctrl, unsigned nsid);
+diff --git a/drivers/nvme/target/passthru.c b/drivers/nvme/target/passthru.c
+index 511c980d538df..71a9c1cc57f59 100644
+--- a/drivers/nvme/target/passthru.c
++++ b/drivers/nvme/target/passthru.c
+@@ -243,7 +243,7 @@ static void nvmet_passthru_execute_cmd_work(struct work_struct *w)
+ blk_mq_free_request(rq);
+
+ if (effects)
+- nvme_passthru_end(ctrl, effects, req->cmd, status);
++ nvme_passthru_end(ctrl, ns, effects, req->cmd, status);
+ }
+
+ static enum rq_end_io_ret nvmet_passthru_req_done(struct request *rq,
+--
+2.39.2
+
--- /dev/null
+From ddb9bf3451586e0fe95ea6302002dcc35e2007cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 12:22:04 -0600
+Subject: nvme: improve handling of long keep alives
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uday Shankar <ushankar@purestorage.com>
+
+[ Upstream commit c7275ce6a5fd32ca9f5a6294ed89cf0523181af9 ]
+
+Upon keep alive completion, nvme_keep_alive_work is scheduled with the
+same delay every time. If keep alive commands are completing slowly,
+this may cause a keep alive timeout. The following trace illustrates the
+issue, taking KATO = 8 and TBKAS off for simplicity:
+
+1. t = 0: run nvme_keep_alive_work, send keep alive
+2. t = ε: keep alive reaches controller, controller restarts its keep
+ alive timer
+3. t = 4: host receives keep alive completion, schedules
+ nvme_keep_alive_work with delay 4
+4. t = 8: run nvme_keep_alive_work, send keep alive
+
+Here, a keep alive having RTT of 4 causes a delay of at least 8 - ε
+between the controller receiving successive keep alives. With ε small,
+the controller is likely to detect a keep alive timeout.
+
+Fix this by calculating the RTT of the keep alive command, and adjusting
+the scheduling delay of the next keep alive work accordingly.
+
+Reported-by: Costa Sapuntzakis <costa@purestorage.com>
+Reported-by: Randy Jennings <randyj@purestorage.com>
+Signed-off-by: Uday Shankar <ushankar@purestorage.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index d87b8dfda622a..8a632bf7f5a8f 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1199,6 +1199,20 @@ static enum rq_end_io_ret nvme_keep_alive_end_io(struct request *rq,
+ struct nvme_ctrl *ctrl = rq->end_io_data;
+ unsigned long flags;
+ bool startka = false;
++ unsigned long rtt = jiffies - (rq->deadline - rq->timeout);
++ unsigned long delay = nvme_keep_alive_work_period(ctrl);
++
++ /*
++ * Subtract off the keepalive RTT so nvme_keep_alive_work runs
++ * at the desired frequency.
++ */
++ if (rtt <= delay) {
++ delay -= rtt;
++ } else {
++ dev_warn(ctrl->device, "long keepalive RTT (%u ms)\n",
++ jiffies_to_msecs(rtt));
++ delay = 0;
++ }
+
+ blk_mq_free_request(rq);
+
+@@ -1217,7 +1231,7 @@ static enum rq_end_io_ret nvme_keep_alive_end_io(struct request *rq,
+ startka = true;
+ spin_unlock_irqrestore(&ctrl->lock, flags);
+ if (startka)
+- nvme_queue_keep_alive_work(ctrl);
++ queue_delayed_work(nvme_wq, &ctrl->ka_work, delay);
+ return RQ_END_IO_NONE;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From f993000acce1f791ee5405d873a4099092cded00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jun 2023 11:33:09 +0530
+Subject: platform/x86/amd/pmf: Register notify handler only if SPS is enabled
+
+From: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+
+[ Upstream commit 146b6f6855e7656e8329910606595220c761daac ]
+
+Power source notify handler is getting registered even when none of the
+PMF feature in enabled leading to a crash.
+
+...
+[ 22.592162] Call Trace:
+[ 22.592164] <TASK>
+[ 22.592164] ? rcu_note_context_switch+0x5e0/0x660
+[ 22.592166] ? __warn+0x81/0x130
+[ 22.592171] ? rcu_note_context_switch+0x5e0/0x660
+[ 22.592172] ? report_bug+0x171/0x1a0
+[ 22.592175] ? prb_read_valid+0x1b/0x30
+[ 22.592177] ? handle_bug+0x3c/0x80
+[ 22.592178] ? exc_invalid_op+0x17/0x70
+[ 22.592179] ? asm_exc_invalid_op+0x1a/0x20
+[ 22.592182] ? rcu_note_context_switch+0x5e0/0x660
+[ 22.592183] ? acpi_ut_delete_object_desc+0x86/0xb0
+[ 22.592186] ? acpi_ut_update_ref_count.part.0+0x22d/0x930
+[ 22.592187] __schedule+0xc0/0x1410
+[ 22.592189] ? ktime_get+0x3c/0xa0
+[ 22.592191] ? lapic_next_event+0x1d/0x30
+[ 22.592193] ? hrtimer_start_range_ns+0x25b/0x350
+[ 22.592196] schedule+0x5e/0xd0
+[ 22.592197] schedule_hrtimeout_range_clock+0xbe/0x140
+[ 22.592199] ? __pfx_hrtimer_wakeup+0x10/0x10
+[ 22.592200] usleep_range_state+0x64/0x90
+[ 22.592203] amd_pmf_send_cmd+0x106/0x2a0 [amd_pmf bddfe0fe3712aaa99acce3d5487405c5213c6616]
+[ 22.592207] amd_pmf_update_slider+0x56/0x1b0 [amd_pmf bddfe0fe3712aaa99acce3d5487405c5213c6616]
+[ 22.592210] amd_pmf_set_sps_power_limits+0x72/0x80 [amd_pmf bddfe0fe3712aaa99acce3d5487405c5213c6616]
+[ 22.592213] amd_pmf_pwr_src_notify_call+0x49/0x90 [amd_pmf bddfe0fe3712aaa99acce3d5487405c5213c6616]
+[ 22.592216] notifier_call_chain+0x5a/0xd0
+[ 22.592218] atomic_notifier_call_chain+0x32/0x50
+...
+
+Fix this by moving the registration of source change notify handler only
+when SPS(Static Slider) is advertised as supported.
+
+Reported-by: Allen Zhong <allen@atr.me>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217571
+Fixes: 4c71ae414474 ("platform/x86/amd/pmf: Add support SPS PMF feature")
+Tested-by: Patil Rajesh Reddy <Patil.Reddy@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Link: https://lore.kernel.org/r/20230622060309.310001-1-Shyam-sundar.S-k@amd.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/amd/pmf/core.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/platform/x86/amd/pmf/core.c b/drivers/platform/x86/amd/pmf/core.c
+index dc9803e1a4b9b..73d2357e32f8e 100644
+--- a/drivers/platform/x86/amd/pmf/core.c
++++ b/drivers/platform/x86/amd/pmf/core.c
+@@ -297,6 +297,8 @@ static void amd_pmf_init_features(struct amd_pmf_dev *dev)
+ /* Enable Static Slider */
+ if (is_apmf_func_supported(dev, APMF_FUNC_STATIC_SLIDER_GRANULAR)) {
+ amd_pmf_init_sps(dev);
++ dev->pwr_src_notifier.notifier_call = amd_pmf_pwr_src_notify_call;
++ power_supply_reg_notifier(&dev->pwr_src_notifier);
+ dev_dbg(dev->dev, "SPS enabled and Platform Profiles registered\n");
+ }
+
+@@ -315,8 +317,10 @@ static void amd_pmf_init_features(struct amd_pmf_dev *dev)
+
+ static void amd_pmf_deinit_features(struct amd_pmf_dev *dev)
+ {
+- if (is_apmf_func_supported(dev, APMF_FUNC_STATIC_SLIDER_GRANULAR))
++ if (is_apmf_func_supported(dev, APMF_FUNC_STATIC_SLIDER_GRANULAR)) {
++ power_supply_unreg_notifier(&dev->pwr_src_notifier);
+ amd_pmf_deinit_sps(dev);
++ }
+
+ if (is_apmf_func_supported(dev, APMF_FUNC_AUTO_MODE)) {
+ amd_pmf_deinit_auto_mode(dev);
+@@ -399,9 +403,6 @@ static int amd_pmf_probe(struct platform_device *pdev)
+ apmf_install_handler(dev);
+ amd_pmf_dbgfs_register(dev);
+
+- dev->pwr_src_notifier.notifier_call = amd_pmf_pwr_src_notify_call;
+- power_supply_reg_notifier(&dev->pwr_src_notifier);
+-
+ dev_info(dev->dev, "registered PMF device successfully\n");
+
+ return 0;
+@@ -411,7 +412,6 @@ static int amd_pmf_remove(struct platform_device *pdev)
+ {
+ struct amd_pmf_dev *dev = platform_get_drvdata(pdev);
+
+- power_supply_unreg_notifier(&dev->pwr_src_notifier);
+ amd_pmf_deinit_features(dev);
+ apmf_acpi_deinit(dev);
+ amd_pmf_dbgfs_unregister(dev);
+--
+2.39.2
+
--- /dev/null
+From 57498591a7ccb5df785b16e81b9c8a89eb53f7b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 May 2023 11:51:33 +0800
+Subject: platform/x86: int3472: Avoid crash in unregistering regulator gpio
+
+From: Hao Yao <hao.yao@intel.com>
+
+[ Upstream commit fb109fba728407fa4a84d659b5cb87cd8399d7b3 ]
+
+When int3472 is loaded before GPIO driver, acpi_get_and_request_gpiod()
+failed but the returned gpio descriptor is not NULL, it will cause panic
+in later gpiod_put(), so set the gpio_desc to NULL in register error
+handling to avoid such crash.
+
+Signed-off-by: Hao Yao <hao.yao@intel.com>
+Signed-off-by: Bingbu Cao <bingbu.cao@intel.com>
+Link: https://lore.kernel.org/r/20230524035135.90315-1-bingbu.cao@intel.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../platform/x86/intel/int3472/clk_and_regulator.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/platform/x86/intel/int3472/clk_and_regulator.c b/drivers/platform/x86/intel/int3472/clk_and_regulator.c
+index 1086c3d834945..399f0623ca1b5 100644
+--- a/drivers/platform/x86/intel/int3472/clk_and_regulator.c
++++ b/drivers/platform/x86/intel/int3472/clk_and_regulator.c
+@@ -101,9 +101,11 @@ int skl_int3472_register_clock(struct int3472_discrete_device *int3472,
+
+ int3472->clock.ena_gpio = acpi_get_and_request_gpiod(path, agpio->pin_table[0],
+ "int3472,clk-enable");
+- if (IS_ERR(int3472->clock.ena_gpio))
+- return dev_err_probe(int3472->dev, PTR_ERR(int3472->clock.ena_gpio),
+- "getting clk-enable GPIO\n");
++ if (IS_ERR(int3472->clock.ena_gpio)) {
++ ret = PTR_ERR(int3472->clock.ena_gpio);
++ int3472->clock.ena_gpio = NULL;
++ return dev_err_probe(int3472->dev, ret, "getting clk-enable GPIO\n");
++ }
+
+ if (polarity == GPIO_ACTIVE_LOW)
+ gpiod_toggle_active_low(int3472->clock.ena_gpio);
+@@ -199,8 +201,9 @@ int skl_int3472_register_regulator(struct int3472_discrete_device *int3472,
+ int3472->regulator.gpio = acpi_get_and_request_gpiod(path, agpio->pin_table[0],
+ "int3472,regulator");
+ if (IS_ERR(int3472->regulator.gpio)) {
+- dev_err(int3472->dev, "Failed to get regulator GPIO line\n");
+- return PTR_ERR(int3472->regulator.gpio);
++ ret = PTR_ERR(int3472->regulator.gpio);
++ int3472->regulator.gpio = NULL;
++ return dev_err_probe(int3472->dev, ret, "getting regulator GPIO\n");
+ }
+
+ /* Ensure the pin is in output mode and non-active state */
+--
+2.39.2
+
--- /dev/null
+From e20ac44401d36051cb27663d902b7d3d2219182a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jun 2023 03:31:30 -0700
+Subject: revert "net: align SO_RCVMARK required privileges with SO_MARK"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski <maze@google.com>
+
+[ Upstream commit a9628e88776eb7d045cf46467f1afdd0f7fe72ea ]
+
+This reverts commit 1f86123b9749 ("net: align SO_RCVMARK required
+privileges with SO_MARK") because the reasoning in the commit message
+is not really correct:
+ SO_RCVMARK is used for 'reading' incoming skb mark (via cmsg), as such
+ it is more equivalent to 'getsockopt(SO_MARK)' which has no priv check
+ and retrieves the socket mark, rather than 'setsockopt(SO_MARK) which
+ sets the socket mark and does require privs.
+
+ Additionally incoming skb->mark may already be visible if
+ sysctl_fwmark_reflect and/or sysctl_tcp_fwmark_accept are enabled.
+
+ Furthermore, it is easier to block the getsockopt via bpf
+ (either cgroup setsockopt hook, or via syscall filters)
+ then to unblock it if it requires CAP_NET_RAW/ADMIN.
+
+On Android the socket mark is (among other things) used to store
+the network identifier a socket is bound to. Setting it is privileged,
+but retrieving it is not. We'd like unprivileged userspace to be able
+to read the network id of incoming packets (where mark is set via
+iptables [to be moved to bpf])...
+
+An alternative would be to add another sysctl to control whether
+setting SO_RCVMARK is privilged or not.
+(or even a MASK of which bits in the mark can be exposed)
+But this seems like over-engineering...
+
+Note: This is a non-trivial revert, due to later merged commit e42c7beee71d
+("bpf: net: Consider has_current_bpf_ctx() when testing capable() in sk_setsockopt()")
+which changed both 'ns_capable' into 'sockopt_ns_capable' calls.
+
+Fixes: 1f86123b9749 ("net: align SO_RCVMARK required privileges with SO_MARK")
+Cc: Larysa Zaremba <larysa.zaremba@intel.com>
+Cc: Simon Horman <simon.horman@corigine.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Eyal Birger <eyal.birger@gmail.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Patrick Rohr <prohr@google.com>
+Signed-off-by: Maciej Żenczykowski <maze@google.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20230618103130.51628-1-maze@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 3fd71f343c9f2..b34c48f802e98 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1362,12 +1362,6 @@ int sk_setsockopt(struct sock *sk, int level, int optname,
+ __sock_set_mark(sk, val);
+ break;
+ case SO_RCVMARK:
+- if (!sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) &&
+- !sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+- ret = -EPERM;
+- break;
+- }
+-
+ sock_valbool_flag(sk, SOCK_RCVMARK, valbool);
+ break;
+
+--
+2.39.2
+
--- /dev/null
+From 4b49ccd6a4d413fa001432b034e1f28b7bdb184c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jun 2023 17:44:35 +0200
+Subject: Revert "net: phy: dp83867: perform soft reset and retain established
+ link"
+
+From: Francesco Dolcini <francesco.dolcini@toradex.com>
+
+[ Upstream commit a129b41fe0a8b4da828c46b10f5244ca07a3fec3 ]
+
+This reverts commit da9ef50f545f86ffe6ff786174d26500c4db737a.
+
+This fixes a regression in which the link would come up, but no
+communication was possible.
+
+The reverted commit was also removing a comment about
+DP83867_PHYCR_FORCE_LINK_GOOD, this is not added back in this commits
+since it seems that this is unrelated to the original code change.
+
+Closes: https://lore.kernel.org/all/ZGuDJos8D7N0J6Z2@francesco-nb.int.toradex.com/
+Fixes: da9ef50f545f ("net: phy: dp83867: perform soft reset and retain established link")
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Praneeth Bajjuri <praneeth@ti.com>
+Link: https://lore.kernel.org/r/20230619154435.355485-1-francesco@dolcini.it
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/dp83867.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c
+index 9f7ff88200484..76fe7e7d9ac91 100644
+--- a/drivers/net/phy/dp83867.c
++++ b/drivers/net/phy/dp83867.c
+@@ -905,7 +905,7 @@ static int dp83867_phy_reset(struct phy_device *phydev)
+ {
+ int err;
+
+- err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESTART);
++ err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESET);
+ if (err < 0)
+ return err;
+
+--
+2.39.2
+
--- /dev/null
+From 970d88e55088a168f0af5bf7378d38056d5d84b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 May 2023 20:53:20 +0200
+Subject: s390/cio: unregister device when the only path is gone
+
+From: Vineeth Vijayan <vneethv@linux.ibm.com>
+
+[ Upstream commit 89c0c62e947a01e7a36b54582fd9c9e346170255 ]
+
+Currently, if the device is offline and all the channel paths are
+either configured or varied offline, the associated subchannel gets
+unregistered. Don't unregister the subchannel, instead unregister
+offline device.
+
+Signed-off-by: Vineeth Vijayan <vneethv@linux.ibm.com>
+Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/device.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
+index d5c43e9b51289..c0d620ffea618 100644
+--- a/drivers/s390/cio/device.c
++++ b/drivers/s390/cio/device.c
+@@ -1376,6 +1376,7 @@ void ccw_device_set_notoper(struct ccw_device *cdev)
+ enum io_sch_action {
+ IO_SCH_UNREG,
+ IO_SCH_ORPH_UNREG,
++ IO_SCH_UNREG_CDEV,
+ IO_SCH_ATTACH,
+ IO_SCH_UNREG_ATTACH,
+ IO_SCH_ORPH_ATTACH,
+@@ -1408,7 +1409,7 @@ static enum io_sch_action sch_get_action(struct subchannel *sch)
+ }
+ if ((sch->schib.pmcw.pam & sch->opm) == 0) {
+ if (ccw_device_notify(cdev, CIO_NO_PATH) != NOTIFY_OK)
+- return IO_SCH_UNREG;
++ return IO_SCH_UNREG_CDEV;
+ return IO_SCH_DISC;
+ }
+ if (device_is_disconnected(cdev))
+@@ -1470,6 +1471,7 @@ static int io_subchannel_sch_event(struct subchannel *sch, int process)
+ case IO_SCH_ORPH_ATTACH:
+ ccw_device_set_disconnected(cdev);
+ break;
++ case IO_SCH_UNREG_CDEV:
+ case IO_SCH_UNREG_ATTACH:
+ case IO_SCH_UNREG:
+ if (!cdev)
+@@ -1503,6 +1505,7 @@ static int io_subchannel_sch_event(struct subchannel *sch, int process)
+ if (rc)
+ goto out;
+ break;
++ case IO_SCH_UNREG_CDEV:
+ case IO_SCH_UNREG_ATTACH:
+ spin_lock_irqsave(sch->lock, flags);
+ sch_set_cdev(sch, NULL);
+--
+2.39.2
+
--- /dev/null
+From 9b9760911ff8e0587691587ca1e1e0b76c67e27f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 19:41:45 +0200
+Subject: s390/purgatory: disable branch profiling
+
+From: Alexander Gordeev <agordeev@linux.ibm.com>
+
+[ Upstream commit 03c5c83b70dca3729a3eb488e668e5044bd9a5ea ]
+
+Avoid linker error for randomly generated config file that
+has CONFIG_BRANCH_PROFILE_NONE enabled and make it similar
+to riscv, x86 and also to commit 4bf3ec384edf ("s390: disable
+branch profiling for vdso").
+
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/purgatory/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/s390/purgatory/Makefile b/arch/s390/purgatory/Makefile
+index 32573b4f9bd20..cc8cf5abea158 100644
+--- a/arch/s390/purgatory/Makefile
++++ b/arch/s390/purgatory/Makefile
+@@ -26,6 +26,7 @@ KBUILD_CFLAGS += -Wno-pointer-sign -Wno-sign-compare
+ KBUILD_CFLAGS += -fno-zero-initialized-in-bss -fno-builtin -ffreestanding
+ KBUILD_CFLAGS += -Os -m64 -msoft-float -fno-common
+ KBUILD_CFLAGS += -fno-stack-protector
++KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING
+ KBUILD_CFLAGS += $(CLANG_FLAGS)
+ KBUILD_CFLAGS += $(call cc-option,-fno-PIE)
+ KBUILD_AFLAGS := $(filter-out -DCC_USING_EXPOLINE,$(KBUILD_AFLAGS))
+--
+2.39.2
+
--- /dev/null
+From 124b49f5d2bc0e66eee7b9858ba37657d6b8b34a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jun 2023 18:44:25 +0000
+Subject: sch_netem: acquire qdisc lock in netem_change()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2174a08db80d1efeea382e25ac41c4e7511eb6d6 ]
+
+syzbot managed to trigger a divide error [1] in netem.
+
+It could happen if q->rate changes while netem_enqueue()
+is running, since q->rate is read twice.
+
+It turns out netem_change() always lacked proper synchronization.
+
+[1]
+divide error: 0000 [#1] SMP KASAN
+CPU: 1 PID: 7867 Comm: syz-executor.1 Not tainted 6.1.30-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
+RIP: 0010:div64_u64 include/linux/math64.h:69 [inline]
+RIP: 0010:packet_time_ns net/sched/sch_netem.c:357 [inline]
+RIP: 0010:netem_enqueue+0x2067/0x36d0 net/sched/sch_netem.c:576
+Code: 89 e2 48 69 da 00 ca 9a 3b 42 80 3c 28 00 4c 8b a4 24 88 00 00 00 74 0d 4c 89 e7 e8 c3 4f 3b fd 48 8b 4c 24 18 48 89 d8 31 d2 <49> f7 34 24 49 01 c7 4c 8b 64 24 48 4d 01 f7 4c 89 e3 48 c1 eb 03
+RSP: 0018:ffffc9000dccea60 EFLAGS: 00010246
+RAX: 000001a442624200 RBX: 000001a442624200 RCX: ffff888108a4f000
+RDX: 0000000000000000 RSI: 000000000000070d RDI: 000000000000070d
+RBP: ffffc9000dcceb90 R08: ffffffff849c5e26 R09: fffffbfff10e1297
+R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888108a4f358
+R13: dffffc0000000000 R14: 0000001a8cd9a7ec R15: 0000000000000000
+FS: 00007fa73fe18700(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fa73fdf7718 CR3: 000000011d36e000 CR4: 0000000000350ee0
+Call Trace:
+<TASK>
+[<ffffffff84714385>] __dev_xmit_skb net/core/dev.c:3931 [inline]
+[<ffffffff84714385>] __dev_queue_xmit+0xcf5/0x3370 net/core/dev.c:4290
+[<ffffffff84d22df2>] dev_queue_xmit include/linux/netdevice.h:3030 [inline]
+[<ffffffff84d22df2>] neigh_hh_output include/net/neighbour.h:531 [inline]
+[<ffffffff84d22df2>] neigh_output include/net/neighbour.h:545 [inline]
+[<ffffffff84d22df2>] ip_finish_output2+0xb92/0x10d0 net/ipv4/ip_output.c:235
+[<ffffffff84d21e63>] __ip_finish_output+0xc3/0x2b0
+[<ffffffff84d10a81>] ip_finish_output+0x31/0x2a0 net/ipv4/ip_output.c:323
+[<ffffffff84d10f14>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
+[<ffffffff84d10f14>] ip_output+0x224/0x2a0 net/ipv4/ip_output.c:437
+[<ffffffff84d123b5>] dst_output include/net/dst.h:444 [inline]
+[<ffffffff84d123b5>] ip_local_out net/ipv4/ip_output.c:127 [inline]
+[<ffffffff84d123b5>] __ip_queue_xmit+0x1425/0x2000 net/ipv4/ip_output.c:542
+[<ffffffff84d12fdc>] ip_queue_xmit+0x4c/0x70 net/ipv4/ip_output.c:556
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Stephen Hemminger <stephen@networkplumber.org>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230620184425.1179809-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_netem.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
+index 6ef3021e1169a..e79be1b3e74da 100644
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -966,6 +966,7 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
+ if (ret < 0)
+ return ret;
+
++ sch_tree_lock(sch);
+ /* backup q->clg and q->loss_model */
+ old_clg = q->clg;
+ old_loss_model = q->loss_model;
+@@ -974,7 +975,7 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
+ ret = get_loss_clg(q, tb[TCA_NETEM_LOSS]);
+ if (ret) {
+ q->loss_model = old_loss_model;
+- return ret;
++ goto unlock;
+ }
+ } else {
+ q->loss_model = CLG_RANDOM;
+@@ -1041,6 +1042,8 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
+ /* capping jitter to the range acceptable by tabledist() */
+ q->jitter = min_t(s64, abs(q->jitter), INT_MAX);
+
++unlock:
++ sch_tree_unlock(sch);
+ return ret;
+
+ get_table_failure:
+@@ -1050,7 +1053,8 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt,
+ */
+ q->clg = old_clg;
+ q->loss_model = old_loss_model;
+- return ret;
++
++ goto unlock;
+ }
+
+ static int netem_init(struct Qdisc *sch, struct nlattr *opt,
+--
+2.39.2
+
--- /dev/null
+From 8a02422b21d4eaf89157b4ebe70c504fb8119d8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 May 2023 18:22:17 +0200
+Subject: scsi: target: iscsi: Fix hang in the iSCSI login code
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 13247018d68f21e7132924b9853f7e2c423588b6 ]
+
+If the initiator suddenly stops sending data during a login while keeping
+the TCP connection open, the login_work won't be scheduled and will never
+release the login semaphore; concurrent login operations will therefore get
+stuck and fail.
+
+The bug is due to the inability of the login timeout code to properly
+handle this particular case.
+
+Fix the problem by replacing the old per-NP login timer with a new
+per-connection timer.
+
+The timer is started when an initiator connects to the target; if it
+expires, it sends a SIGINT signal to the thread pointed at by the
+conn->login_kworker pointer.
+
+conn->login_kworker is set by calling the iscsit_set_login_timer_kworker()
+helper, initially it will point to the np thread; When the login
+operation's control is in the process of being passed from the NP-thread to
+login_work, the conn->login_worker pointer is set to NULL. Finally,
+login_kworker will be changed to point to the worker thread executing the
+login_work job.
+
+If conn->login_kworker is NULL when the timer expires, it means that the
+login operation hasn't been completed yet but login_work isn't running, in
+this case the timer will mark the login process as failed and will schedule
+login_work so the latter will be forced to free the resources it holds.
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Link: https://lore.kernel.org/r/20230508162219.1731964-2-mlombard@redhat.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/iscsi/iscsi_target.c | 2 -
+ drivers/target/iscsi/iscsi_target_login.c | 63 ++------------------
+ drivers/target/iscsi/iscsi_target_nego.c | 70 +++++++++++++----------
+ drivers/target/iscsi/iscsi_target_util.c | 51 +++++++++++++++++
+ drivers/target/iscsi/iscsi_target_util.h | 4 ++
+ include/target/iscsi/iscsi_target_core.h | 6 +-
+ 6 files changed, 103 insertions(+), 93 deletions(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
+index 07e196b44b91d..c70ce1fa399f8 100644
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -363,8 +363,6 @@ struct iscsi_np *iscsit_add_np(
+ init_completion(&np->np_restart_comp);
+ INIT_LIST_HEAD(&np->np_list);
+
+- timer_setup(&np->np_login_timer, iscsi_handle_login_thread_timeout, 0);
+-
+ ret = iscsi_target_setup_login_socket(np, sockaddr);
+ if (ret != 0) {
+ kfree(np);
+diff --git a/drivers/target/iscsi/iscsi_target_login.c b/drivers/target/iscsi/iscsi_target_login.c
+index 274bdd7845ca9..90b870f234f03 100644
+--- a/drivers/target/iscsi/iscsi_target_login.c
++++ b/drivers/target/iscsi/iscsi_target_login.c
+@@ -811,59 +811,6 @@ void iscsi_post_login_handler(
+ iscsit_dec_conn_usage_count(conn);
+ }
+
+-void iscsi_handle_login_thread_timeout(struct timer_list *t)
+-{
+- struct iscsi_np *np = from_timer(np, t, np_login_timer);
+-
+- spin_lock_bh(&np->np_thread_lock);
+- pr_err("iSCSI Login timeout on Network Portal %pISpc\n",
+- &np->np_sockaddr);
+-
+- if (np->np_login_timer_flags & ISCSI_TF_STOP) {
+- spin_unlock_bh(&np->np_thread_lock);
+- return;
+- }
+-
+- if (np->np_thread)
+- send_sig(SIGINT, np->np_thread, 1);
+-
+- np->np_login_timer_flags &= ~ISCSI_TF_RUNNING;
+- spin_unlock_bh(&np->np_thread_lock);
+-}
+-
+-static void iscsi_start_login_thread_timer(struct iscsi_np *np)
+-{
+- /*
+- * This used the TA_LOGIN_TIMEOUT constant because at this
+- * point we do not have access to ISCSI_TPG_ATTRIB(tpg)->login_timeout
+- */
+- spin_lock_bh(&np->np_thread_lock);
+- np->np_login_timer_flags &= ~ISCSI_TF_STOP;
+- np->np_login_timer_flags |= ISCSI_TF_RUNNING;
+- mod_timer(&np->np_login_timer, jiffies + TA_LOGIN_TIMEOUT * HZ);
+-
+- pr_debug("Added timeout timer to iSCSI login request for"
+- " %u seconds.\n", TA_LOGIN_TIMEOUT);
+- spin_unlock_bh(&np->np_thread_lock);
+-}
+-
+-static void iscsi_stop_login_thread_timer(struct iscsi_np *np)
+-{
+- spin_lock_bh(&np->np_thread_lock);
+- if (!(np->np_login_timer_flags & ISCSI_TF_RUNNING)) {
+- spin_unlock_bh(&np->np_thread_lock);
+- return;
+- }
+- np->np_login_timer_flags |= ISCSI_TF_STOP;
+- spin_unlock_bh(&np->np_thread_lock);
+-
+- del_timer_sync(&np->np_login_timer);
+-
+- spin_lock_bh(&np->np_thread_lock);
+- np->np_login_timer_flags &= ~ISCSI_TF_RUNNING;
+- spin_unlock_bh(&np->np_thread_lock);
+-}
+-
+ int iscsit_setup_np(
+ struct iscsi_np *np,
+ struct sockaddr_storage *sockaddr)
+@@ -1123,10 +1070,13 @@ static struct iscsit_conn *iscsit_alloc_conn(struct iscsi_np *np)
+ spin_lock_init(&conn->nopin_timer_lock);
+ spin_lock_init(&conn->response_queue_lock);
+ spin_lock_init(&conn->state_lock);
++ spin_lock_init(&conn->login_worker_lock);
++ spin_lock_init(&conn->login_timer_lock);
+
+ timer_setup(&conn->nopin_response_timer,
+ iscsit_handle_nopin_response_timeout, 0);
+ timer_setup(&conn->nopin_timer, iscsit_handle_nopin_timeout, 0);
++ timer_setup(&conn->login_timer, iscsit_login_timeout, 0);
+
+ if (iscsit_conn_set_transport(conn, np->np_transport) < 0)
+ goto free_conn;
+@@ -1304,7 +1254,7 @@ static int __iscsi_target_login_thread(struct iscsi_np *np)
+ goto new_sess_out;
+ }
+
+- iscsi_start_login_thread_timer(np);
++ iscsit_start_login_timer(conn, current);
+
+ pr_debug("Moving to TARG_CONN_STATE_XPT_UP.\n");
+ conn->conn_state = TARG_CONN_STATE_XPT_UP;
+@@ -1417,8 +1367,6 @@ static int __iscsi_target_login_thread(struct iscsi_np *np)
+ if (ret < 0)
+ goto new_sess_out;
+
+- iscsi_stop_login_thread_timer(np);
+-
+ if (ret == 1) {
+ tpg_np = conn->tpg_np;
+
+@@ -1434,7 +1382,7 @@ static int __iscsi_target_login_thread(struct iscsi_np *np)
+ new_sess_out:
+ new_sess = true;
+ old_sess_out:
+- iscsi_stop_login_thread_timer(np);
++ iscsit_stop_login_timer(conn);
+ tpg_np = conn->tpg_np;
+ iscsi_target_login_sess_out(conn, zero_tsih, new_sess);
+ new_sess = false;
+@@ -1448,7 +1396,6 @@ static int __iscsi_target_login_thread(struct iscsi_np *np)
+ return 1;
+
+ exit:
+- iscsi_stop_login_thread_timer(np);
+ spin_lock_bh(&np->np_thread_lock);
+ np->np_thread_state = ISCSI_NP_THREAD_EXIT;
+ spin_unlock_bh(&np->np_thread_lock);
+diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c
+index 24040c118e49d..e3a5644a70b36 100644
+--- a/drivers/target/iscsi/iscsi_target_nego.c
++++ b/drivers/target/iscsi/iscsi_target_nego.c
+@@ -535,25 +535,6 @@ static void iscsi_target_login_drop(struct iscsit_conn *conn, struct iscsi_login
+ iscsi_target_login_sess_out(conn, zero_tsih, true);
+ }
+
+-struct conn_timeout {
+- struct timer_list timer;
+- struct iscsit_conn *conn;
+-};
+-
+-static void iscsi_target_login_timeout(struct timer_list *t)
+-{
+- struct conn_timeout *timeout = from_timer(timeout, t, timer);
+- struct iscsit_conn *conn = timeout->conn;
+-
+- pr_debug("Entering iscsi_target_login_timeout >>>>>>>>>>>>>>>>>>>\n");
+-
+- if (conn->login_kworker) {
+- pr_debug("Sending SIGINT to conn->login_kworker %s/%d\n",
+- conn->login_kworker->comm, conn->login_kworker->pid);
+- send_sig(SIGINT, conn->login_kworker, 1);
+- }
+-}
+-
+ static void iscsi_target_do_login_rx(struct work_struct *work)
+ {
+ struct iscsit_conn *conn = container_of(work,
+@@ -562,12 +543,15 @@ static void iscsi_target_do_login_rx(struct work_struct *work)
+ struct iscsi_np *np = login->np;
+ struct iscsi_portal_group *tpg = conn->tpg;
+ struct iscsi_tpg_np *tpg_np = conn->tpg_np;
+- struct conn_timeout timeout;
+ int rc, zero_tsih = login->zero_tsih;
+ bool state;
+
+ pr_debug("entering iscsi_target_do_login_rx, conn: %p, %s:%d\n",
+ conn, current->comm, current->pid);
++
++ spin_lock(&conn->login_worker_lock);
++ set_bit(LOGIN_FLAGS_WORKER_RUNNING, &conn->login_flags);
++ spin_unlock(&conn->login_worker_lock);
+ /*
+ * If iscsi_target_do_login_rx() has been invoked by ->sk_data_ready()
+ * before initial PDU processing in iscsi_target_start_negotiation()
+@@ -597,19 +581,16 @@ static void iscsi_target_do_login_rx(struct work_struct *work)
+ goto err;
+ }
+
+- conn->login_kworker = current;
+ allow_signal(SIGINT);
+-
+- timeout.conn = conn;
+- timer_setup_on_stack(&timeout.timer, iscsi_target_login_timeout, 0);
+- mod_timer(&timeout.timer, jiffies + TA_LOGIN_TIMEOUT * HZ);
+- pr_debug("Starting login timer for %s/%d\n", current->comm, current->pid);
++ rc = iscsit_set_login_timer_kworker(conn, current);
++ if (rc < 0) {
++ /* The login timer has already expired */
++ pr_debug("iscsi_target_do_login_rx, login failed\n");
++ goto err;
++ }
+
+ rc = conn->conn_transport->iscsit_get_login_rx(conn, login);
+- del_timer_sync(&timeout.timer);
+- destroy_timer_on_stack(&timeout.timer);
+ flush_signals(current);
+- conn->login_kworker = NULL;
+
+ if (rc < 0)
+ goto err;
+@@ -646,7 +627,17 @@ static void iscsi_target_do_login_rx(struct work_struct *work)
+ if (iscsi_target_sk_check_and_clear(conn,
+ LOGIN_FLAGS_WRITE_ACTIVE))
+ goto err;
++
++ /*
++ * Set the login timer thread pointer to NULL to prevent the
++ * login process from getting stuck if the initiator
++ * stops sending data.
++ */
++ rc = iscsit_set_login_timer_kworker(conn, NULL);
++ if (rc < 0)
++ goto err;
+ } else if (rc == 1) {
++ iscsit_stop_login_timer(conn);
+ cancel_delayed_work(&conn->login_work);
+ iscsi_target_nego_release(conn);
+ iscsi_post_login_handler(np, conn, zero_tsih);
+@@ -656,6 +647,7 @@ static void iscsi_target_do_login_rx(struct work_struct *work)
+
+ err:
+ iscsi_target_restore_sock_callbacks(conn);
++ iscsit_stop_login_timer(conn);
+ cancel_delayed_work(&conn->login_work);
+ iscsi_target_login_drop(conn, login);
+ iscsit_deaccess_np(np, tpg, tpg_np);
+@@ -1368,14 +1360,30 @@ int iscsi_target_start_negotiation(
+ * and perform connection cleanup now.
+ */
+ ret = iscsi_target_do_login(conn, login);
+- if (!ret && iscsi_target_sk_check_and_clear(conn, LOGIN_FLAGS_INITIAL_PDU))
+- ret = -1;
++ if (!ret) {
++ spin_lock(&conn->login_worker_lock);
++
++ if (iscsi_target_sk_check_and_clear(conn, LOGIN_FLAGS_INITIAL_PDU))
++ ret = -1;
++ else if (!test_bit(LOGIN_FLAGS_WORKER_RUNNING, &conn->login_flags)) {
++ if (iscsit_set_login_timer_kworker(conn, NULL) < 0) {
++ /*
++ * The timeout has expired already.
++ * Schedule login_work to perform the cleanup.
++ */
++ schedule_delayed_work(&conn->login_work, 0);
++ }
++ }
++
++ spin_unlock(&conn->login_worker_lock);
++ }
+
+ if (ret < 0) {
+ iscsi_target_restore_sock_callbacks(conn);
+ iscsi_remove_failed_auth_entry(conn);
+ }
+ if (ret != 0) {
++ iscsit_stop_login_timer(conn);
+ cancel_delayed_work_sync(&conn->login_work);
+ iscsi_target_nego_release(conn);
+ }
+diff --git a/drivers/target/iscsi/iscsi_target_util.c b/drivers/target/iscsi/iscsi_target_util.c
+index 26dc8ed3045b6..b14835fcb0334 100644
+--- a/drivers/target/iscsi/iscsi_target_util.c
++++ b/drivers/target/iscsi/iscsi_target_util.c
+@@ -1040,6 +1040,57 @@ void iscsit_stop_nopin_timer(struct iscsit_conn *conn)
+ spin_unlock_bh(&conn->nopin_timer_lock);
+ }
+
++void iscsit_login_timeout(struct timer_list *t)
++{
++ struct iscsit_conn *conn = from_timer(conn, t, login_timer);
++ struct iscsi_login *login = conn->login;
++
++ pr_debug("Entering iscsi_target_login_timeout >>>>>>>>>>>>>>>>>>>\n");
++
++ spin_lock_bh(&conn->login_timer_lock);
++ login->login_failed = 1;
++
++ if (conn->login_kworker) {
++ pr_debug("Sending SIGINT to conn->login_kworker %s/%d\n",
++ conn->login_kworker->comm, conn->login_kworker->pid);
++ send_sig(SIGINT, conn->login_kworker, 1);
++ } else {
++ schedule_delayed_work(&conn->login_work, 0);
++ }
++ spin_unlock_bh(&conn->login_timer_lock);
++}
++
++void iscsit_start_login_timer(struct iscsit_conn *conn, struct task_struct *kthr)
++{
++ pr_debug("Login timer started\n");
++
++ conn->login_kworker = kthr;
++ mod_timer(&conn->login_timer, jiffies + TA_LOGIN_TIMEOUT * HZ);
++}
++
++int iscsit_set_login_timer_kworker(struct iscsit_conn *conn, struct task_struct *kthr)
++{
++ struct iscsi_login *login = conn->login;
++ int ret = 0;
++
++ spin_lock_bh(&conn->login_timer_lock);
++ if (login->login_failed) {
++ /* The timer has already expired */
++ ret = -1;
++ } else {
++ conn->login_kworker = kthr;
++ }
++ spin_unlock_bh(&conn->login_timer_lock);
++
++ return ret;
++}
++
++void iscsit_stop_login_timer(struct iscsit_conn *conn)
++{
++ pr_debug("Login timer stopped\n");
++ timer_delete_sync(&conn->login_timer);
++}
++
+ int iscsit_send_tx_data(
+ struct iscsit_cmd *cmd,
+ struct iscsit_conn *conn,
+diff --git a/drivers/target/iscsi/iscsi_target_util.h b/drivers/target/iscsi/iscsi_target_util.h
+index 33ea799a08508..24b8e577575a6 100644
+--- a/drivers/target/iscsi/iscsi_target_util.h
++++ b/drivers/target/iscsi/iscsi_target_util.h
+@@ -56,6 +56,10 @@ extern void iscsit_handle_nopin_timeout(struct timer_list *t);
+ extern void __iscsit_start_nopin_timer(struct iscsit_conn *);
+ extern void iscsit_start_nopin_timer(struct iscsit_conn *);
+ extern void iscsit_stop_nopin_timer(struct iscsit_conn *);
++extern void iscsit_login_timeout(struct timer_list *t);
++extern void iscsit_start_login_timer(struct iscsit_conn *, struct task_struct *kthr);
++extern void iscsit_stop_login_timer(struct iscsit_conn *);
++extern int iscsit_set_login_timer_kworker(struct iscsit_conn *, struct task_struct *kthr);
+ extern int iscsit_send_tx_data(struct iscsit_cmd *, struct iscsit_conn *, int);
+ extern int iscsit_fe_sendpage_sg(struct iscsit_cmd *, struct iscsit_conn *);
+ extern int iscsit_tx_login_rsp(struct iscsit_conn *, u8, u8);
+diff --git a/include/target/iscsi/iscsi_target_core.h b/include/target/iscsi/iscsi_target_core.h
+index 229118156a1f6..42f4a4c0c1003 100644
+--- a/include/target/iscsi/iscsi_target_core.h
++++ b/include/target/iscsi/iscsi_target_core.h
+@@ -562,12 +562,14 @@ struct iscsit_conn {
+ #define LOGIN_FLAGS_READ_ACTIVE 2
+ #define LOGIN_FLAGS_WRITE_ACTIVE 3
+ #define LOGIN_FLAGS_CLOSED 4
++#define LOGIN_FLAGS_WORKER_RUNNING 5
+ unsigned long login_flags;
+ struct delayed_work login_work;
+ struct iscsi_login *login;
+ struct timer_list nopin_timer;
+ struct timer_list nopin_response_timer;
+ struct timer_list transport_timer;
++ struct timer_list login_timer;
+ struct task_struct *login_kworker;
+ /* Spinlock used for add/deleting cmd's from conn_cmd_list */
+ spinlock_t cmd_lock;
+@@ -576,6 +578,8 @@ struct iscsit_conn {
+ spinlock_t nopin_timer_lock;
+ spinlock_t response_queue_lock;
+ spinlock_t state_lock;
++ spinlock_t login_timer_lock;
++ spinlock_t login_worker_lock;
+ /* libcrypto RX and TX contexts for crc32c */
+ struct ahash_request *conn_rx_hash;
+ struct ahash_request *conn_tx_hash;
+@@ -792,7 +796,6 @@ struct iscsi_np {
+ enum np_thread_state_table np_thread_state;
+ bool enabled;
+ atomic_t np_reset_count;
+- enum iscsi_timer_flags_table np_login_timer_flags;
+ u32 np_exports;
+ enum np_flags_table np_flags;
+ spinlock_t np_thread_lock;
+@@ -800,7 +803,6 @@ struct iscsi_np {
+ struct socket *np_socket;
+ struct sockaddr_storage np_sockaddr;
+ struct task_struct *np_thread;
+- struct timer_list np_login_timer;
+ void *np_context;
+ struct iscsit_transport *np_transport;
+ struct list_head np_list;
+--
+2.39.2
+
--- /dev/null
+From e03845be7bca4ef0495555a2c3ce7a3891fdbbbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 May 2023 18:22:19 +0200
+Subject: scsi: target: iscsi: Prevent login threads from racing between each
+ other
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 2a737d3b8c792400118d6cf94958f559de9c5e59 ]
+
+The tpg->np_login_sem is a semaphore that is used to serialize the login
+process when multiple login threads run concurrently against the same
+target portal group.
+
+The iscsi_target_locate_portal() function finds the tpg, calls
+iscsit_access_np() against the np_login_sem semaphore and saves the tpg
+pointer in conn->tpg;
+
+If iscsi_target_locate_portal() fails, the caller will check for the
+conn->tpg pointer and, if it's not NULL, then it will assume that
+iscsi_target_locate_portal() called iscsit_access_np() on the semaphore.
+
+Make sure that conn->tpg gets initialized only if iscsit_access_np() was
+successful, otherwise iscsit_deaccess_np() may end up being called against
+a semaphore we never took, allowing more than one thread to access the same
+tpg.
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Link: https://lore.kernel.org/r/20230508162219.1731964-4-mlombard@redhat.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/iscsi/iscsi_target_nego.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c
+index e3a5644a70b36..fa3fb5f4e6bc4 100644
+--- a/drivers/target/iscsi/iscsi_target_nego.c
++++ b/drivers/target/iscsi/iscsi_target_nego.c
+@@ -1122,6 +1122,7 @@ int iscsi_target_locate_portal(
+ iscsi_target_set_sock_callbacks(conn);
+
+ login->np = np;
++ conn->tpg = NULL;
+
+ login_req = (struct iscsi_login_req *) login->req;
+ payload_length = ntoh24(login_req->dlength);
+@@ -1189,7 +1190,6 @@ int iscsi_target_locate_portal(
+ */
+ sessiontype = strncmp(s_buf, DISCOVERY, 9);
+ if (!sessiontype) {
+- conn->tpg = iscsit_global->discovery_tpg;
+ if (!login->leading_connection)
+ goto get_target;
+
+@@ -1206,9 +1206,11 @@ int iscsi_target_locate_portal(
+ * Serialize access across the discovery struct iscsi_portal_group to
+ * process login attempt.
+ */
++ conn->tpg = iscsit_global->discovery_tpg;
+ if (iscsit_access_np(np, conn->tpg) < 0) {
+ iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR,
+ ISCSI_LOGIN_STATUS_SVC_UNAVAILABLE);
++ conn->tpg = NULL;
+ ret = -1;
+ goto out;
+ }
+--
+2.39.2
+
--- /dev/null
+From 72d413ddd3cda495dff388ddb4ba46f9c6c5494a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 May 2023 18:22:18 +0200
+Subject: scsi: target: iscsi: Remove unused transport_timer
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 98a8c2bf938a5973716f280da618077a3d255976 ]
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Link: https://lore.kernel.org/r/20230508162219.1731964-3-mlombard@redhat.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/target/iscsi/iscsi_target_core.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/include/target/iscsi/iscsi_target_core.h b/include/target/iscsi/iscsi_target_core.h
+index 42f4a4c0c1003..4c15420e8965d 100644
+--- a/include/target/iscsi/iscsi_target_core.h
++++ b/include/target/iscsi/iscsi_target_core.h
+@@ -568,7 +568,6 @@ struct iscsit_conn {
+ struct iscsi_login *login;
+ struct timer_list nopin_timer;
+ struct timer_list nopin_response_timer;
+- struct timer_list transport_timer;
+ struct timer_list login_timer;
+ struct task_struct *login_kworker;
+ /* Spinlock used for add/deleting cmd's from conn_cmd_list */
+--
+2.39.2
+
--- /dev/null
+From 3796238831e85149d51d7a1f04cbb037ea2ce694 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jun 2023 14:45:15 +0200
+Subject: selftests: forwarding: Fix race condition in mirror installation
+
+From: Danielle Ratson <danieller@nvidia.com>
+
+[ Upstream commit c7c059fba6fb19c3bc924925c984772e733cb594 ]
+
+When mirroring to a gretap in hardware the device expects to be
+programmed with the egress port and all the encapsulating headers. This
+requires the driver to resolve the path the packet will take in the
+software data path and program the device accordingly.
+
+If the path cannot be resolved (in this case because of an unresolved
+neighbor), then mirror installation fails until the path is resolved.
+This results in a race that causes the test to sometimes fail.
+
+Fix this by setting the neighbor's state to permanent in a couple of
+tests, so that it is always valid.
+
+Fixes: 35c31d5c323f ("selftests: forwarding: Test mirror-to-gretap w/ UL 802.1d")
+Fixes: 239e754af854 ("selftests: forwarding: Test mirror-to-gretap w/ UL 802.1q")
+Signed-off-by: Danielle Ratson <danieller@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Link: https://lore.kernel.org/r/268816ac729cb6028c7a34d4dda6f4ec7af55333.1687264607.git.petrm@nvidia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/net/forwarding/mirror_gre_bridge_1d.sh | 4 ++++
+ .../testing/selftests/net/forwarding/mirror_gre_bridge_1q.sh | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1d.sh b/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1d.sh
+index c5095da7f6bf8..aec752a22e9ec 100755
+--- a/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1d.sh
++++ b/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1d.sh
+@@ -93,12 +93,16 @@ cleanup()
+
+ test_gretap()
+ {
++ ip neigh replace 192.0.2.130 lladdr $(mac_get $h3) \
++ nud permanent dev br2
+ full_test_span_gre_dir gt4 ingress 8 0 "mirror to gretap"
+ full_test_span_gre_dir gt4 egress 0 8 "mirror to gretap"
+ }
+
+ test_ip6gretap()
+ {
++ ip neigh replace 2001:db8:2::2 lladdr $(mac_get $h3) \
++ nud permanent dev br2
+ full_test_span_gre_dir gt6 ingress 8 0 "mirror to ip6gretap"
+ full_test_span_gre_dir gt6 egress 0 8 "mirror to ip6gretap"
+ }
+diff --git a/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1q.sh b/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1q.sh
+index 9ff22f28032dd..0cf4c47a46f9b 100755
+--- a/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1q.sh
++++ b/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1q.sh
+@@ -90,12 +90,16 @@ cleanup()
+
+ test_gretap()
+ {
++ ip neigh replace 192.0.2.130 lladdr $(mac_get $h3) \
++ nud permanent dev br1
+ full_test_span_gre_dir gt4 ingress 8 0 "mirror to gretap"
+ full_test_span_gre_dir gt4 egress 0 8 "mirror to gretap"
+ }
+
+ test_ip6gretap()
+ {
++ ip neigh replace 2001:db8:2::2 lladdr $(mac_get $h3) \
++ nud permanent dev br1
+ full_test_span_gre_dir gt6 ingress 8 0 "mirror to ip6gretap"
+ full_test_span_gre_dir gt6 egress 0 8 "mirror to ip6gretap"
+ }
+--
+2.39.2
+
--- /dev/null
+From c79d9718adc87e653473680131771b3f4cfdb866 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jun 2023 09:32:22 -0300
+Subject: selftests: net: fcnal-test: check if FIPS mode is enabled
+
+From: Magali Lemes <magali.lemes@canonical.com>
+
+[ Upstream commit d7a2fc1437f71cb058c7b11bc33dfc19e4bf277a ]
+
+There are some MD5 tests which fail when the kernel is in FIPS mode,
+since MD5 is not FIPS compliant. Add a check and only run those tests
+if FIPS mode is not enabled.
+
+Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests")
+Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF")
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/fcnal-test.sh | 27 ++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh
+index 21ca91473c095..ee6880ac3e5ed 100755
+--- a/tools/testing/selftests/net/fcnal-test.sh
++++ b/tools/testing/selftests/net/fcnal-test.sh
+@@ -92,6 +92,13 @@ NSC_CMD="ip netns exec ${NSC}"
+
+ which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
+
++# Check if FIPS mode is enabled
++if [ -f /proc/sys/crypto/fips_enabled ]; then
++ fips_enabled=`cat /proc/sys/crypto/fips_enabled`
++else
++ fips_enabled=0
++fi
++
+ ################################################################################
+ # utilities
+
+@@ -1216,7 +1223,7 @@ ipv4_tcp_novrf()
+ run_cmd nettest -d ${NSA_DEV} -r ${a}
+ log_test_addr ${a} $? 1 "No server, device client, local conn"
+
+- ipv4_tcp_md5_novrf
++ [ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf
+ }
+
+ ipv4_tcp_vrf()
+@@ -1270,9 +1277,11 @@ ipv4_tcp_vrf()
+ log_test_addr ${a} $? 1 "Global server, local connection"
+
+ # run MD5 tests
+- setup_vrf_dup
+- ipv4_tcp_md5
+- cleanup_vrf_dup
++ if [ "$fips_enabled" = "0" ]; then
++ setup_vrf_dup
++ ipv4_tcp_md5
++ cleanup_vrf_dup
++ fi
+
+ #
+ # enable VRF global server
+@@ -2772,7 +2781,7 @@ ipv6_tcp_novrf()
+ log_test_addr ${a} $? 1 "No server, device client, local conn"
+ done
+
+- ipv6_tcp_md5_novrf
++ [ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf
+ }
+
+ ipv6_tcp_vrf()
+@@ -2842,9 +2851,11 @@ ipv6_tcp_vrf()
+ log_test_addr ${a} $? 1 "Global server, local connection"
+
+ # run MD5 tests
+- setup_vrf_dup
+- ipv6_tcp_md5
+- cleanup_vrf_dup
++ if [ "$fips_enabled" = "0" ]; then
++ setup_vrf_dup
++ ipv6_tcp_md5
++ cleanup_vrf_dup
++ fi
+
+ #
+ # enable VRF global server
+--
+2.39.2
+
--- /dev/null
+From 224639403d65e68265f989a8aae96eed2ebfaeb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jun 2023 09:32:20 -0300
+Subject: selftests: net: tls: check if FIPS mode is enabled
+
+From: Magali Lemes <magali.lemes@canonical.com>
+
+[ Upstream commit d113c395c67b62fc0d3f2004c0afc406aca0a2b7 ]
+
+TLS selftests use the ChaCha20-Poly1305 and SM4 algorithms, which are not
+FIPS compliant. When fips=1, this set of tests fails. Add a check and only
+run these tests if not in FIPS mode.
+
+Fixes: 4f336e88a870 ("selftests/tls: add CHACHA20-POLY1305 to tls selftests")
+Fixes: e506342a03c7 ("selftests/tls: add SM4 GCM/CCM to tls selftests")
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/tls.c | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c
+index 2cbb12736596d..c0ad8385441f2 100644
+--- a/tools/testing/selftests/net/tls.c
++++ b/tools/testing/selftests/net/tls.c
+@@ -25,6 +25,8 @@
+ #define TLS_PAYLOAD_MAX_LEN 16384
+ #define SOL_TLS 282
+
++static int fips_enabled;
++
+ struct tls_crypto_info_keys {
+ union {
+ struct tls12_crypto_info_aes_gcm_128 aes128;
+@@ -235,7 +237,7 @@ FIXTURE_VARIANT(tls)
+ {
+ uint16_t tls_version;
+ uint16_t cipher_type;
+- bool nopad;
++ bool nopad, fips_non_compliant;
+ };
+
+ FIXTURE_VARIANT_ADD(tls, 12_aes_gcm)
+@@ -254,24 +256,28 @@ FIXTURE_VARIANT_ADD(tls, 12_chacha)
+ {
+ .tls_version = TLS_1_2_VERSION,
+ .cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
++ .fips_non_compliant = true,
+ };
+
+ FIXTURE_VARIANT_ADD(tls, 13_chacha)
+ {
+ .tls_version = TLS_1_3_VERSION,
+ .cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
++ .fips_non_compliant = true,
+ };
+
+ FIXTURE_VARIANT_ADD(tls, 13_sm4_gcm)
+ {
+ .tls_version = TLS_1_3_VERSION,
+ .cipher_type = TLS_CIPHER_SM4_GCM,
++ .fips_non_compliant = true,
+ };
+
+ FIXTURE_VARIANT_ADD(tls, 13_sm4_ccm)
+ {
+ .tls_version = TLS_1_3_VERSION,
+ .cipher_type = TLS_CIPHER_SM4_CCM,
++ .fips_non_compliant = true,
+ };
+
+ FIXTURE_VARIANT_ADD(tls, 12_aes_ccm)
+@@ -311,6 +317,9 @@ FIXTURE_SETUP(tls)
+ int one = 1;
+ int ret;
+
++ if (fips_enabled && variant->fips_non_compliant)
++ SKIP(return, "Unsupported cipher in FIPS mode");
++
+ tls_crypto_info_init(variant->tls_version, variant->cipher_type,
+ &tls12);
+
+@@ -1820,4 +1829,17 @@ TEST(tls_v6ops) {
+ close(sfd);
+ }
+
++static void __attribute__((constructor)) fips_check(void) {
++ int res;
++ FILE *f;
++
++ f = fopen("/proc/sys/crypto/fips_enabled", "r");
++ if (f) {
++ res = fscanf(f, "%d", &fips_enabled);
++ if (res != 1)
++ ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n");
++ fclose(f);
++ }
++}
++
+ TEST_HARNESS_MAIN
+--
+2.39.2
+
--- /dev/null
+From 78c4b16cee16752c3f6cfda4ad684f009fccfbe9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jun 2023 09:32:21 -0300
+Subject: selftests: net: vrf-xfrm-tests: change authentication and encryption
+ algos
+
+From: Magali Lemes <magali.lemes@canonical.com>
+
+[ Upstream commit cb43c60e64ca67fcc9d23bd08f51d2ab8209d9d7 ]
+
+The vrf-xfrm-tests tests use the hmac(md5) and cbc(des3_ede)
+algorithms for performing authentication and encryption, respectively.
+This causes the tests to fail when fips=1 is set, since these algorithms
+are not allowed in FIPS mode. Therefore, switch from hmac(md5) and
+cbc(des3_ede) to hmac(sha1) and cbc(aes), which are FIPS compliant.
+
+Fixes: 3f251d741150 ("selftests: Add tests for vrf and xfrms")
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/vrf-xfrm-tests.sh | 32 +++++++++----------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/tools/testing/selftests/net/vrf-xfrm-tests.sh b/tools/testing/selftests/net/vrf-xfrm-tests.sh
+index 184da81f554ff..452638ae8aed8 100755
+--- a/tools/testing/selftests/net/vrf-xfrm-tests.sh
++++ b/tools/testing/selftests/net/vrf-xfrm-tests.sh
+@@ -264,60 +264,60 @@ setup_xfrm()
+ ip -netns host1 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
+ proto esp spi ${SPI_1} reqid 0 mode tunnel \
+ replay-window 4 replay-oseq 0x4 \
+- auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
+- enc 'cbc(des3_ede)' ${ENC_1} \
++ auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
++ enc 'cbc(aes)' ${ENC_1} \
+ sel src ${h1_4} dst ${h2_4} ${devarg}
+
+ ip -netns host2 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
+ proto esp spi ${SPI_1} reqid 0 mode tunnel \
+ replay-window 4 replay-oseq 0x4 \
+- auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
+- enc 'cbc(des3_ede)' ${ENC_1} \
++ auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
++ enc 'cbc(aes)' ${ENC_1} \
+ sel src ${h1_4} dst ${h2_4}
+
+
+ ip -netns host1 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
+ proto esp spi ${SPI_2} reqid 0 mode tunnel \
+ replay-window 4 replay-oseq 0x4 \
+- auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
+- enc 'cbc(des3_ede)' ${ENC_2} \
++ auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
++ enc 'cbc(aes)' ${ENC_2} \
+ sel src ${h2_4} dst ${h1_4} ${devarg}
+
+ ip -netns host2 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
+ proto esp spi ${SPI_2} reqid 0 mode tunnel \
+ replay-window 4 replay-oseq 0x4 \
+- auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
+- enc 'cbc(des3_ede)' ${ENC_2} \
++ auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
++ enc 'cbc(aes)' ${ENC_2} \
+ sel src ${h2_4} dst ${h1_4}
+
+
+ ip -6 -netns host1 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
+ proto esp spi ${SPI_1} reqid 0 mode tunnel \
+ replay-window 4 replay-oseq 0x4 \
+- auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
+- enc 'cbc(des3_ede)' ${ENC_1} \
++ auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
++ enc 'cbc(aes)' ${ENC_1} \
+ sel src ${h1_6} dst ${h2_6} ${devarg}
+
+ ip -6 -netns host2 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
+ proto esp spi ${SPI_1} reqid 0 mode tunnel \
+ replay-window 4 replay-oseq 0x4 \
+- auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
+- enc 'cbc(des3_ede)' ${ENC_1} \
++ auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
++ enc 'cbc(aes)' ${ENC_1} \
+ sel src ${h1_6} dst ${h2_6}
+
+
+ ip -6 -netns host1 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
+ proto esp spi ${SPI_2} reqid 0 mode tunnel \
+ replay-window 4 replay-oseq 0x4 \
+- auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
+- enc 'cbc(des3_ede)' ${ENC_2} \
++ auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
++ enc 'cbc(aes)' ${ENC_2} \
+ sel src ${h2_6} dst ${h1_6} ${devarg}
+
+ ip -6 -netns host2 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
+ proto esp spi ${SPI_2} reqid 0 mode tunnel \
+ replay-window 4 replay-oseq 0x4 \
+- auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
+- enc 'cbc(des3_ede)' ${ENC_2} \
++ auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
++ enc 'cbc(aes)' ${ENC_2} \
+ sel src ${h2_6} dst ${h1_6}
+ }
+
+--
+2.39.2
+
block-make-sure-local-irq-is-disabled-when-calling-__blkcg_rstat_flush.patch
io_uring-poll-serialize-poll-linked-timer-start-with-poll-removal.patch
x86-mm-avoid-using-set_pgd-outside-of-real-pgd-pages.patch
+ieee802154-hwsim-fix-possible-memory-leaks.patch
+xfrm-treat-already-verified-secpath-entries-as-optio.patch
+xfrm-ensure-policies-always-checked-on-xfrm-i-input-.patch
+kvm-arm64-pmu-restore-the-host-s-pmuserenr_el0.patch
+xfrm-add-missed-call-to-delete-offloaded-policies.patch
+bpf-fix-verifier-id-tracking-of-scalars-on-spill.patch
+xfrm-fix-inbound-ipv4-udp-esp-packets-to-udpv6-duals.patch
+bpf-fix-a-bpf_jit_dump-issue-for-x86_64-with-sysctl-.patch
+selftests-net-tls-check-if-fips-mode-is-enabled.patch
+selftests-net-vrf-xfrm-tests-change-authentication-a.patch
+selftests-net-fcnal-test-check-if-fips-mode-is-enabl.patch
+xfrm-linearize-the-skb-after-offloading-if-needed.patch
+net-mlx5-dr-fix-wrong-action-data-allocation-in-deca.patch
+sfc-use-budget-for-tx-completions.patch
+net-qca_spi-avoid-high-load-if-qca7000-is-not-availa.patch
+mmc-mtk-sd-fix-deferred-probing.patch
+mmc-mvsdio-fix-deferred-probing.patch
+mmc-omap-fix-deferred-probing.patch
+mmc-omap_hsmmc-fix-deferred-probing.patch
+mmc-owl-fix-deferred-probing.patch
+mmc-sdhci-acpi-fix-deferred-probing.patch
+mmc-sh_mmcif-fix-deferred-probing.patch
+mmc-usdhi60rol0-fix-deferred-probing.patch
+ipvs-align-inner_mac_header-for-encapsulation.patch
+net-dsa-mt7530-fix-trapping-frames-on-non-mt7621-soc.patch
+net-dsa-mt7530-fix-handling-of-bpdus-on-mt7530-switc.patch
+net-dsa-mt7530-fix-handling-of-lldp-frames.patch
+net-dsa-introduce-preferred_default_local_cpu_port-a.patch
+be2net-extend-xmit-workaround-to-be3-chip.patch
+netfilter-nf_tables-fix-chain-binding-transaction-lo.patch
+netfilter-nf_tables-add-nft_trans_prepare_error-to-d.patch
+netfilter-nf_tables-drop-map-element-references-from.patch
+netfilter-nft_set_pipapo-.walk-does-not-deal-with-ge.patch
+netfilter-nf_tables-disallow-element-updates-of-boun.patch
+netfilter-nf_tables-reject-unbound-anonymous-set-bef.patch
+netfilter-nf_tables-reject-unbound-chain-set-before-.patch
+netfilter-nf_tables-disallow-updates-of-anonymous-se.patch
+netfilter-nfnetlink_osf-fix-module-autoload.patch
+revert-net-phy-dp83867-perform-soft-reset-and-retain.patch
+bpf-btf-accept-function-names-that-contain-dots.patch
+bpf-force-kprobe-multi-expected_attach_type-for-kpro.patch
+io_uring-net-use-the-correct-msghdr-union-member-in-.patch
+selftests-forwarding-fix-race-condition-in-mirror-in.patch
+platform-x86-amd-pmf-register-notify-handler-only-if.patch
+sch_netem-acquire-qdisc-lock-in-netem_change.patch
+revert-net-align-so_rcvmark-required-privileges-with.patch
+arm64-dts-rockchip-fix-nextrst-on-soquartz.patch
+gpiolib-fix-gpio-chip-irq-initialization-restriction.patch
+gpio-sifive-add-missing-check-for-platform_get_irq.patch
+iommu-amd-fix-possible-memory-leak-of-domain.patch
+gpiolib-fix-irq_domain-resource-tracking-for-gpiochi.patch
+scsi-target-iscsi-fix-hang-in-the-iscsi-login-code.patch
+scsi-target-iscsi-remove-unused-transport_timer.patch
+scsi-target-iscsi-prevent-login-threads-from-racing-.patch
+hid-wacom-add-error-check-to-wacom_parse_and_registe.patch
+arm64-add-missing-set-way-cmo-encodings.patch
+smb3-missing-null-check-in-smb2_change_notify.patch
+media-cec-core-disable-adapter-in-cec_devnode_unregi.patch
+media-cec-core-don-t-set-last_initiator-if-tx-in-pro.patch
+nfcsim.c-fix-error-checking-for-debugfs_create_dir.patch
+btrfs-fix-an-uninitialized-variable-warning-in-btrfs.patch
+usb-gadget-udc-fix-null-dereference-in-remove.patch
+nvme-fix-miss-command-type-check.patch
+nvme-double-ka-polling-frequency-to-avoid-kato-with-.patch
+nvme-check-io-start-time-when-deciding-to-defer-ka.patch
+nvme-improve-handling-of-long-keep-alives.patch
+input-soc_button_array-add-invalid-acpi_index-dmi-qu.patch
+arm64-dts-qcom-sc7280-idp-drop-incorrect-dai-cells-f.patch
+arm64-dts-qcom-sc7280-qcard-drop-incorrect-dai-cells.patch
+s390-cio-unregister-device-when-the-only-path-is-gon.patch
+spi-lpspi-disable-lpspi-module-irq-in-dma-mode.patch
+asoc-codecs-wcd938x-sdw-do-not-set-can_multi_write-f.patch
+asoc-simple-card-add-missing-of_node_put-in-case-of-.patch
+soundwire-dmi-quirks-add-new-mapping-for-hp-spectre-.patch
+soundwire-qcom-add-proper-error-paths-in-qcom_swrm_s.patch
+platform-x86-int3472-avoid-crash-in-unregistering-re.patch
+asoc-nau8824-add-quirk-to-active-high-jack-detect.patch
+asoc-amd-yc-add-thinkpad-neo14-to-quirks-list-for-ac.patch
+gfs2-don-t-get-stuck-writing-page-onto-itself-under-.patch
+s390-purgatory-disable-branch-profiling.patch
+asoc-fsl_sai-enable-bci-bit-if-sai-works-on-synchron.patch
+net-sched-wrap-tc_skip_wrapper-with-config_retpoline.patch
+alsa-hda-realtek-add-intel-reference-board-and-nuc-1.patch
+i2c-mchp-pci1xxxx-avoid-cast-to-incompatible-functio.patch
+i2c-designware-fix-idx_write_cnt-in-read-loop.patch
+arm-dts-fix-erroneous-ads-touchscreen-polarities.patch
+null_blk-fix-memory-release-when-memory_backed-1.patch
+drm-exynos-vidi-fix-a-wrong-error-return.patch
+drm-exynos-fix-race-condition-uaf-in-exynos_g2d_exec.patch
+drm-radeon-fix-race-condition-uaf-in-radeon_gem_set_.patch
+tools-virtio-fix-arm64-ringtest-compilation-error.patch
+vhost_vdpa-tell-vqs-about-the-negotiated.patch
+vhost_net-revert-upend_idx-only-on-retriable-error.patch
--- /dev/null
+From 95dc35f4a2be2083cdd74c1b76617c6f1a7e3c1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jun 2023 10:49:29 +0200
+Subject: sfc: use budget for TX completions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Íñigo Huguet <ihuguet@redhat.com>
+
+[ Upstream commit 4aaf2c52834b7f95acdf9fb0211a1b60adbf421b ]
+
+When running workloads heavy unbalanced towards TX (high TX, low RX
+traffic), sfc driver can retain the CPU during too long times. Although
+in many cases this is not enough to be visible, it can affect
+performance and system responsiveness.
+
+A way to reproduce it is to use a debug kernel and run some parallel
+netperf TX tests. In some systems, this will lead to this message being
+logged:
+ kernel:watchdog: BUG: soft lockup - CPU#12 stuck for 22s!
+
+The reason is that sfc driver doesn't account any NAPI budget for the TX
+completion events work. With high-TX/low-RX traffic, this makes that the
+CPU is held for long time for NAPI poll.
+
+Documentations says "drivers can process completions for any number of Tx
+packets but should only process up to budget number of Rx packets".
+However, many drivers do limit the amount of TX completions that they
+process in a single NAPI poll.
+
+In the same way, this patch adds a limit for the TX work in sfc. With
+the patch applied, the watchdog warning never appears.
+
+Tested with netperf in different combinations: single process / parallel
+processes, TCP / UDP and different sizes of UDP messages. Repeated the
+tests before and after the patch, without any noticeable difference in
+network or CPU performance.
+
+Test hardware:
+Intel(R) Xeon(R) CPU E5-1620 v4 @ 3.50GHz (4 cores, 2 threads/core)
+Solarflare Communications XtremeScale X2522-25G Network Adapter
+
+Fixes: 5227ecccea2d ("sfc: remove tx and MCDI handling from NAPI budget consideration")
+Fixes: d19a53721863 ("sfc_ef100: TX path for EF100 NICs")
+Reported-by: Fei Liu <feliu@redhat.com>
+Signed-off-by: Íñigo Huguet <ihuguet@redhat.com>
+Acked-by: Martin Habets <habetsm.xilinx@gmail.com>
+Link: https://lore.kernel.org/r/20230615084929.10506-1-ihuguet@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/ef10.c | 25 ++++++++++++++++++-------
+ drivers/net/ethernet/sfc/ef100_nic.c | 7 ++++++-
+ drivers/net/ethernet/sfc/ef100_tx.c | 4 ++--
+ drivers/net/ethernet/sfc/ef100_tx.h | 2 +-
+ drivers/net/ethernet/sfc/tx_common.c | 4 +++-
+ drivers/net/ethernet/sfc/tx_common.h | 2 +-
+ 6 files changed, 31 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c
+index d30459dbfe8f8..b63e47af63655 100644
+--- a/drivers/net/ethernet/sfc/ef10.c
++++ b/drivers/net/ethernet/sfc/ef10.c
+@@ -2950,7 +2950,7 @@ static u32 efx_ef10_extract_event_ts(efx_qword_t *event)
+ return tstamp;
+ }
+
+-static void
++static int
+ efx_ef10_handle_tx_event(struct efx_channel *channel, efx_qword_t *event)
+ {
+ struct efx_nic *efx = channel->efx;
+@@ -2958,13 +2958,14 @@ efx_ef10_handle_tx_event(struct efx_channel *channel, efx_qword_t *event)
+ unsigned int tx_ev_desc_ptr;
+ unsigned int tx_ev_q_label;
+ unsigned int tx_ev_type;
++ int work_done;
+ u64 ts_part;
+
+ if (unlikely(READ_ONCE(efx->reset_pending)))
+- return;
++ return 0;
+
+ if (unlikely(EFX_QWORD_FIELD(*event, ESF_DZ_TX_DROP_EVENT)))
+- return;
++ return 0;
+
+ /* Get the transmit queue */
+ tx_ev_q_label = EFX_QWORD_FIELD(*event, ESF_DZ_TX_QLABEL);
+@@ -2973,8 +2974,7 @@ efx_ef10_handle_tx_event(struct efx_channel *channel, efx_qword_t *event)
+ if (!tx_queue->timestamping) {
+ /* Transmit completion */
+ tx_ev_desc_ptr = EFX_QWORD_FIELD(*event, ESF_DZ_TX_DESCR_INDX);
+- efx_xmit_done(tx_queue, tx_ev_desc_ptr & tx_queue->ptr_mask);
+- return;
++ return efx_xmit_done(tx_queue, tx_ev_desc_ptr & tx_queue->ptr_mask);
+ }
+
+ /* Transmit timestamps are only available for 8XXX series. They result
+@@ -3000,6 +3000,7 @@ efx_ef10_handle_tx_event(struct efx_channel *channel, efx_qword_t *event)
+ * fields in the event.
+ */
+ tx_ev_type = EFX_QWORD_FIELD(*event, ESF_EZ_TX_SOFT1);
++ work_done = 0;
+
+ switch (tx_ev_type) {
+ case TX_TIMESTAMP_EVENT_TX_EV_COMPLETION:
+@@ -3016,6 +3017,7 @@ efx_ef10_handle_tx_event(struct efx_channel *channel, efx_qword_t *event)
+ tx_queue->completed_timestamp_major = ts_part;
+
+ efx_xmit_done_single(tx_queue);
++ work_done = 1;
+ break;
+
+ default:
+@@ -3026,6 +3028,8 @@ efx_ef10_handle_tx_event(struct efx_channel *channel, efx_qword_t *event)
+ EFX_QWORD_VAL(*event));
+ break;
+ }
++
++ return work_done;
+ }
+
+ static void
+@@ -3081,13 +3085,16 @@ static void efx_ef10_handle_driver_generated_event(struct efx_channel *channel,
+ }
+ }
+
++#define EFX_NAPI_MAX_TX 512
++
+ static int efx_ef10_ev_process(struct efx_channel *channel, int quota)
+ {
+ struct efx_nic *efx = channel->efx;
+ efx_qword_t event, *p_event;
+ unsigned int read_ptr;
+- int ev_code;
++ int spent_tx = 0;
+ int spent = 0;
++ int ev_code;
+
+ if (quota <= 0)
+ return spent;
+@@ -3126,7 +3133,11 @@ static int efx_ef10_ev_process(struct efx_channel *channel, int quota)
+ }
+ break;
+ case ESE_DZ_EV_CODE_TX_EV:
+- efx_ef10_handle_tx_event(channel, &event);
++ spent_tx += efx_ef10_handle_tx_event(channel, &event);
++ if (spent_tx >= EFX_NAPI_MAX_TX) {
++ spent = quota;
++ goto out;
++ }
+ break;
+ case ESE_DZ_EV_CODE_DRIVER_EV:
+ efx_ef10_handle_driver_event(channel, &event);
+diff --git a/drivers/net/ethernet/sfc/ef100_nic.c b/drivers/net/ethernet/sfc/ef100_nic.c
+index 4dc643b0d2db4..7adde9639c8ab 100644
+--- a/drivers/net/ethernet/sfc/ef100_nic.c
++++ b/drivers/net/ethernet/sfc/ef100_nic.c
+@@ -253,6 +253,8 @@ static void ef100_ev_read_ack(struct efx_channel *channel)
+ efx_reg(channel->efx, ER_GZ_EVQ_INT_PRIME));
+ }
+
++#define EFX_NAPI_MAX_TX 512
++
+ static int ef100_ev_process(struct efx_channel *channel, int quota)
+ {
+ struct efx_nic *efx = channel->efx;
+@@ -260,6 +262,7 @@ static int ef100_ev_process(struct efx_channel *channel, int quota)
+ bool evq_phase, old_evq_phase;
+ unsigned int read_ptr;
+ efx_qword_t *p_event;
++ int spent_tx = 0;
+ int spent = 0;
+ bool ev_phase;
+ int ev_type;
+@@ -295,7 +298,9 @@ static int ef100_ev_process(struct efx_channel *channel, int quota)
+ efx_mcdi_process_event(channel, p_event);
+ break;
+ case ESE_GZ_EF100_EV_TX_COMPLETION:
+- ef100_ev_tx(channel, p_event);
++ spent_tx += ef100_ev_tx(channel, p_event);
++ if (spent_tx >= EFX_NAPI_MAX_TX)
++ spent = quota;
+ break;
+ case ESE_GZ_EF100_EV_DRIVER:
+ netif_info(efx, drv, efx->net_dev,
+diff --git a/drivers/net/ethernet/sfc/ef100_tx.c b/drivers/net/ethernet/sfc/ef100_tx.c
+index 29ffaf35559d6..849e5555bd128 100644
+--- a/drivers/net/ethernet/sfc/ef100_tx.c
++++ b/drivers/net/ethernet/sfc/ef100_tx.c
+@@ -346,7 +346,7 @@ void ef100_tx_write(struct efx_tx_queue *tx_queue)
+ ef100_tx_push_buffers(tx_queue);
+ }
+
+-void ef100_ev_tx(struct efx_channel *channel, const efx_qword_t *p_event)
++int ef100_ev_tx(struct efx_channel *channel, const efx_qword_t *p_event)
+ {
+ unsigned int tx_done =
+ EFX_QWORD_FIELD(*p_event, ESF_GZ_EV_TXCMPL_NUM_DESC);
+@@ -357,7 +357,7 @@ void ef100_ev_tx(struct efx_channel *channel, const efx_qword_t *p_event)
+ unsigned int tx_index = (tx_queue->read_count + tx_done - 1) &
+ tx_queue->ptr_mask;
+
+- efx_xmit_done(tx_queue, tx_index);
++ return efx_xmit_done(tx_queue, tx_index);
+ }
+
+ /* Add a socket buffer to a TX queue
+diff --git a/drivers/net/ethernet/sfc/ef100_tx.h b/drivers/net/ethernet/sfc/ef100_tx.h
+index e9e11540fcdea..d9a0819c5a72c 100644
+--- a/drivers/net/ethernet/sfc/ef100_tx.h
++++ b/drivers/net/ethernet/sfc/ef100_tx.h
+@@ -20,7 +20,7 @@ void ef100_tx_init(struct efx_tx_queue *tx_queue);
+ void ef100_tx_write(struct efx_tx_queue *tx_queue);
+ unsigned int ef100_tx_max_skb_descs(struct efx_nic *efx);
+
+-void ef100_ev_tx(struct efx_channel *channel, const efx_qword_t *p_event);
++int ef100_ev_tx(struct efx_channel *channel, const efx_qword_t *p_event);
+
+ netdev_tx_t ef100_enqueue_skb(struct efx_tx_queue *tx_queue, struct sk_buff *skb);
+ int __ef100_enqueue_skb(struct efx_tx_queue *tx_queue, struct sk_buff *skb,
+diff --git a/drivers/net/ethernet/sfc/tx_common.c b/drivers/net/ethernet/sfc/tx_common.c
+index 67e789b96c437..755aa92bf8236 100644
+--- a/drivers/net/ethernet/sfc/tx_common.c
++++ b/drivers/net/ethernet/sfc/tx_common.c
+@@ -249,7 +249,7 @@ void efx_xmit_done_check_empty(struct efx_tx_queue *tx_queue)
+ }
+ }
+
+-void efx_xmit_done(struct efx_tx_queue *tx_queue, unsigned int index)
++int efx_xmit_done(struct efx_tx_queue *tx_queue, unsigned int index)
+ {
+ unsigned int fill_level, pkts_compl = 0, bytes_compl = 0;
+ unsigned int efv_pkts_compl = 0;
+@@ -279,6 +279,8 @@ void efx_xmit_done(struct efx_tx_queue *tx_queue, unsigned int index)
+ }
+
+ efx_xmit_done_check_empty(tx_queue);
++
++ return pkts_compl + efv_pkts_compl;
+ }
+
+ /* Remove buffers put into a tx_queue for the current packet.
+diff --git a/drivers/net/ethernet/sfc/tx_common.h b/drivers/net/ethernet/sfc/tx_common.h
+index d87aecbc7bf1a..1e9f42938aac9 100644
+--- a/drivers/net/ethernet/sfc/tx_common.h
++++ b/drivers/net/ethernet/sfc/tx_common.h
+@@ -28,7 +28,7 @@ static inline bool efx_tx_buffer_in_use(struct efx_tx_buffer *buffer)
+ }
+
+ void efx_xmit_done_check_empty(struct efx_tx_queue *tx_queue);
+-void efx_xmit_done(struct efx_tx_queue *tx_queue, unsigned int index);
++int efx_xmit_done(struct efx_tx_queue *tx_queue, unsigned int index);
+
+ void efx_enqueue_unwind(struct efx_tx_queue *tx_queue,
+ unsigned int insert_count);
+--
+2.39.2
+
--- /dev/null
+From 4d6071ca5adae54b3cc6555b104aeae819b16505 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 18:53:28 -0500
+Subject: smb3: missing null check in SMB2_change_notify
+
+From: Steve French <stfrench@microsoft.com>
+
+[ Upstream commit b535cc796a4b4942cd189652588e8d37c1f5925a ]
+
+If plen is null when passed in, we only checked for null
+in one of the two places where it could be used. Although
+plen is always valid (not null) for current callers of the
+SMB2_change_notify function, this change makes it more consistent.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <error27@gmail.com>
+Closes: https://lore.kernel.org/all/202305251831.3V1gbbFs-lkp@intel.com/
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index 02228a590cd54..a2a95cd113df8 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -3777,7 +3777,7 @@ SMB2_change_notify(const unsigned int xid, struct cifs_tcon *tcon,
+ if (*out_data == NULL) {
+ rc = -ENOMEM;
+ goto cnotify_exit;
+- } else
++ } else if (plen)
+ *plen = le32_to_cpu(smb_rsp->OutputBufferLength);
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 7b0ca60e8b3bbb3f86f6bee842122a91dea510de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 May 2023 15:48:59 +0800
+Subject: soundwire: dmi-quirks: add new mapping for HP Spectre x360
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit 700581ede41d029403feec935df4616309696fd7 ]
+
+A BIOS/DMI update seems to have broken some devices, let's add a new
+mapping.
+
+Link: https://github.com/thesofproject/linux/issues/4323
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Rander Wang <rander.wang@intel.com>
+Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Link: https://lore.kernel.org/r/20230515074859.3097-1-yung-chuan.liao@linux.intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/dmi-quirks.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/soundwire/dmi-quirks.c b/drivers/soundwire/dmi-quirks.c
+index 58ea013fa918a..2a1096dab63d3 100644
+--- a/drivers/soundwire/dmi-quirks.c
++++ b/drivers/soundwire/dmi-quirks.c
+@@ -99,6 +99,13 @@ static const struct dmi_system_id adr_remap_quirk_table[] = {
+ },
+ .driver_data = (void *)intel_tgl_bios,
+ },
++ {
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "HP"),
++ DMI_MATCH(DMI_BOARD_NAME, "8709"),
++ },
++ .driver_data = (void *)intel_tgl_bios,
++ },
+ {
+ /* quirk used for NUC15 'Bishop County' LAPBC510 and LAPBC710 skews */
+ .matches = {
+--
+2.39.2
+
--- /dev/null
+From 14018e8e7cbb13a8a218f594291e4be80f586db0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 May 2023 18:37:36 +0200
+Subject: soundwire: qcom: add proper error paths in qcom_swrm_startup()
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 99e09b9c0ab43346c52f2787ca4e5c4b1798362e ]
+
+Reverse actions in qcom_swrm_startup() error paths to avoid leaking
+stream memory and keeping runtime PM unbalanced.
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20230517163736.997553-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/qcom.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c
+index 30575ed20947e..0dcdbd4e1ec3a 100644
+--- a/drivers/soundwire/qcom.c
++++ b/drivers/soundwire/qcom.c
+@@ -1098,8 +1098,10 @@ static int qcom_swrm_startup(struct snd_pcm_substream *substream,
+ }
+
+ sruntime = sdw_alloc_stream(dai->name);
+- if (!sruntime)
+- return -ENOMEM;
++ if (!sruntime) {
++ ret = -ENOMEM;
++ goto err_alloc;
++ }
+
+ ctrl->sruntime[dai->id] = sruntime;
+
+@@ -1109,12 +1111,19 @@ static int qcom_swrm_startup(struct snd_pcm_substream *substream,
+ if (ret < 0 && ret != -ENOTSUPP) {
+ dev_err(dai->dev, "Failed to set sdw stream on %s\n",
+ codec_dai->name);
+- sdw_release_stream(sruntime);
+- return ret;
++ goto err_set_stream;
+ }
+ }
+
+ return 0;
++
++err_set_stream:
++ sdw_release_stream(sruntime);
++err_alloc:
++ pm_runtime_mark_last_busy(ctrl->dev);
++ pm_runtime_put_autosuspend(ctrl->dev);
++
++ return ret;
+ }
+
+ static void qcom_swrm_shutdown(struct snd_pcm_substream *substream,
+--
+2.39.2
+
--- /dev/null
+From af00fc4cbefe3bf209a0b9e1f9f65acb2574da16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 May 2023 14:35:57 +0800
+Subject: spi: lpspi: disable lpspi module irq in DMA mode
+
+From: Clark Wang <xiaoning.wang@nxp.com>
+
+[ Upstream commit 9728fb3ce11729aa8c276825ddf504edeb00611d ]
+
+When all bits of IER are set to 0, we still can observe the lpspi irq events
+when using DMA mode to transfer data.
+
+So disable irq to avoid the too much irq events.
+
+Signed-off-by: Clark Wang <xiaoning.wang@nxp.com>
+Link: https://lore.kernel.org/r/20230505063557.3962220-1-xiaoning.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-fsl-lpspi.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c
+index 34488de555871..457fe6bc7e41e 100644
+--- a/drivers/spi/spi-fsl-lpspi.c
++++ b/drivers/spi/spi-fsl-lpspi.c
+@@ -910,9 +910,14 @@ static int fsl_lpspi_probe(struct platform_device *pdev)
+ ret = fsl_lpspi_dma_init(&pdev->dev, fsl_lpspi, controller);
+ if (ret == -EPROBE_DEFER)
+ goto out_pm_get;
+-
+ if (ret < 0)
+ dev_err(&pdev->dev, "dma setup error %d, use pio\n", ret);
++ else
++ /*
++ * disable LPSPI module IRQ when enable DMA mode successfully,
++ * to prevent the unexpected LPSPI module IRQ events.
++ */
++ disable_irq(irq);
+
+ ret = devm_spi_register_controller(&pdev->dev, controller);
+ if (ret < 0) {
+--
+2.39.2
+
--- /dev/null
+From e71a553103f28963a75bbfdf331b97c3a43b44bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 May 2023 20:31:24 +0800
+Subject: tools/virtio: Fix arm64 ringtest compilation error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rong Tao <rongtao@cestc.cn>
+
+[ Upstream commit 57380fd1249b20ef772549af2c58ef57b21faba7 ]
+
+Add cpu_relax() for arm64 instead of directly assert(), and add assert.h
+header file. Also, add smp_wmb and smp_mb for arm64.
+
+Compilation error as follows, avoid __always_inline undefined.
+
+ $ make
+ cc -Wall -pthread -O2 -ggdb -flto -fwhole-program -c -o ring.o ring.c
+ In file included from ring.c:10:
+ main.h: In function ‘busy_wait’:
+ main.h:99:21: warning: implicit declaration of function ‘assert’
+ [-Wimplicit-function-declaration]
+ 99 | #define cpu_relax() assert(0)
+ | ^~~~~~
+ main.h:107:17: note: in expansion of macro ‘cpu_relax’
+ 107 | cpu_relax();
+ | ^~~~~~~~~
+ main.h:12:1: note: ‘assert’ is defined in header ‘<assert.h>’; did you
+ forget to ‘#include <assert.h>’?
+ 11 | #include <stdbool.h>
+ +++ |+#include <assert.h>
+ 12 |
+ main.h: At top level:
+ main.h:143:23: error: expected ‘;’ before ‘void’
+ 143 | static __always_inline
+ | ^
+ | ;
+ 144 | void __read_once_size(const volatile void *p, void *res, int
+ size)
+ | ~~~~
+ main.h:158:23: error: expected ‘;’ before ‘void’
+ 158 | static __always_inline void __write_once_size(volatile void *p,
+ void *res, int size)
+ | ^~~~~
+ | ;
+ make: *** [<builtin>: ring.o] Error 1
+
+Signed-off-by: Rong Tao <rongtao@cestc.cn>
+Message-Id: <tencent_F53E159DD7925174445D830DA19FACF44B07@qq.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/virtio/ringtest/main.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/tools/virtio/ringtest/main.h b/tools/virtio/ringtest/main.h
+index b68920d527503..d18dd317e27f9 100644
+--- a/tools/virtio/ringtest/main.h
++++ b/tools/virtio/ringtest/main.h
+@@ -8,6 +8,7 @@
+ #ifndef MAIN_H
+ #define MAIN_H
+
++#include <assert.h>
+ #include <stdbool.h>
+
+ extern int param;
+@@ -95,6 +96,8 @@ extern unsigned ring_size;
+ #define cpu_relax() asm ("rep; nop" ::: "memory")
+ #elif defined(__s390x__)
+ #define cpu_relax() barrier()
++#elif defined(__aarch64__)
++#define cpu_relax() asm ("yield" ::: "memory")
+ #else
+ #define cpu_relax() assert(0)
+ #endif
+@@ -112,6 +115,8 @@ static inline void busy_wait(void)
+
+ #if defined(__x86_64__) || defined(__i386__)
+ #define smp_mb() asm volatile("lock; addl $0,-132(%%rsp)" ::: "memory", "cc")
++#elif defined(__aarch64__)
++#define smp_mb() asm volatile("dmb ish" ::: "memory")
+ #else
+ /*
+ * Not using __ATOMIC_SEQ_CST since gcc docs say they are only synchronized
+@@ -136,10 +141,16 @@ static inline void busy_wait(void)
+
+ #if defined(__i386__) || defined(__x86_64__) || defined(__s390x__)
+ #define smp_wmb() barrier()
++#elif defined(__aarch64__)
++#define smp_wmb() asm volatile("dmb ishst" ::: "memory")
+ #else
+ #define smp_wmb() smp_release()
+ #endif
+
++#ifndef __always_inline
++#define __always_inline inline __attribute__((always_inline))
++#endif
++
+ static __always_inline
+ void __read_once_size(const volatile void *p, void *res, int size)
+ {
+--
+2.39.2
+
--- /dev/null
+From 849055ccbd1f09af58c36dea4c7befc70d80ffb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 18:38:37 +0300
+Subject: usb: gadget: udc: fix NULL dereference in remove()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 016da9c65fec9f0e78c4909ed9a0f2d567af6775 ]
+
+The "udc" pointer was never set in the probe() function so it will
+lead to a NULL dereference in udc_pci_remove() when we do:
+
+ usb_del_gadget_udc(&udc->gadget);
+
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/ZG+A/dNpFWAlCChk@kili
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/amd5536udc_pci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/gadget/udc/amd5536udc_pci.c b/drivers/usb/gadget/udc/amd5536udc_pci.c
+index c80f9bd51b750..a36913ae31f9e 100644
+--- a/drivers/usb/gadget/udc/amd5536udc_pci.c
++++ b/drivers/usb/gadget/udc/amd5536udc_pci.c
+@@ -170,6 +170,9 @@ static int udc_pci_probe(
+ retval = -ENODEV;
+ goto err_probe;
+ }
++
++ udc = dev;
++
+ return 0;
+
+ err_probe:
+--
+2.39.2
+
--- /dev/null
+From efaa902396e0e0c6a35d6d758bf63ca4b2c3a0dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 23:44:11 +0300
+Subject: vhost_net: revert upend_idx only on retriable error
+
+From: Andrey Smetanin <asmetanin@yandex-team.ru>
+
+[ Upstream commit 1f5d2e3bab16369d5d4b4020a25db4ab1f4f082c ]
+
+Fix possible virtqueue used buffers leak and corresponding stuck
+in case of temporary -EIO from sendmsg() which is produced by
+tun driver while backend device is not up.
+
+In case of no-retriable error and zcopy do not revert upend_idx
+to pass packet data (that is update used_idx in corresponding
+vhost_zerocopy_signal_used()) as if packet data has been
+transferred successfully.
+
+v2: set vq->heads[ubuf->desc].len equal to VHOST_DMA_DONE_LEN
+in case of fake successful transmit.
+
+Signed-off-by: Andrey Smetanin <asmetanin@yandex-team.ru>
+Message-Id: <20230424204411.24888-1-asmetanin@yandex-team.ru>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Andrey Smetanin <asmetanin@yandex-team.ru>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/net.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
+index 07181cd8d52e6..ae2273196b0c9 100644
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -935,13 +935,18 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock)
+
+ err = sock->ops->sendmsg(sock, &msg, len);
+ if (unlikely(err < 0)) {
++ bool retry = err == -EAGAIN || err == -ENOMEM || err == -ENOBUFS;
++
+ if (zcopy_used) {
+ if (vq->heads[ubuf->desc].len == VHOST_DMA_IN_PROGRESS)
+ vhost_net_ubuf_put(ubufs);
+- nvq->upend_idx = ((unsigned)nvq->upend_idx - 1)
+- % UIO_MAXIOV;
++ if (retry)
++ nvq->upend_idx = ((unsigned)nvq->upend_idx - 1)
++ % UIO_MAXIOV;
++ else
++ vq->heads[ubuf->desc].len = VHOST_DMA_DONE_LEN;
+ }
+- if (err == -EAGAIN || err == -ENOMEM || err == -ENOBUFS) {
++ if (retry) {
+ vhost_discard_vq_desc(vq, 1);
+ vhost_net_enable_vq(net, vq);
+ break;
+--
+2.39.2
+
--- /dev/null
+From 393f5963c3286c63710354c7aa502f3d43ac5d0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 15:50:29 -0700
+Subject: vhost_vdpa: tell vqs about the negotiated
+
+From: Shannon Nelson <shannon.nelson@amd.com>
+
+[ Upstream commit 376daf317753ccb6b1ecbdece66018f7f6313a7f ]
+
+As is done in the net, iscsi, and vsock vhost support, let the vdpa vqs
+know about the features that have been negotiated. This allows vhost
+to more safely make decisions based on the features, such as when using
+PACKED vs split queues.
+
+Signed-off-by: Shannon Nelson <shannon.nelson@amd.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Message-Id: <20230424225031.18947-2-shannon.nelson@amd.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vdpa.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
+index 779fc44677162..22e6b23ac96ff 100644
+--- a/drivers/vhost/vdpa.c
++++ b/drivers/vhost/vdpa.c
+@@ -385,7 +385,10 @@ static long vhost_vdpa_set_features(struct vhost_vdpa *v, u64 __user *featurep)
+ {
+ struct vdpa_device *vdpa = v->vdpa;
+ const struct vdpa_config_ops *ops = vdpa->config;
++ struct vhost_dev *d = &v->vdev;
++ u64 actual_features;
+ u64 features;
++ int i;
+
+ /*
+ * It's not allowed to change the features after they have
+@@ -400,6 +403,16 @@ static long vhost_vdpa_set_features(struct vhost_vdpa *v, u64 __user *featurep)
+ if (vdpa_set_features(vdpa, features))
+ return -EINVAL;
+
++ /* let the vqs know what has been configured */
++ actual_features = ops->get_driver_features(vdpa);
++ for (i = 0; i < d->nvqs; ++i) {
++ struct vhost_virtqueue *vq = d->vqs[i];
++
++ mutex_lock(&vq->mutex);
++ vq->acked_features = actual_features;
++ mutex_unlock(&vq->mutex);
++ }
++
+ return 0;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 2c8ac1aa7604be762196510b5204876864071b77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jun 2023 10:36:15 +0300
+Subject: xfrm: add missed call to delete offloaded policies
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit bf06fcf4be0feefebd27deb8b60ad262f4230489 ]
+
+Offloaded policies are deleted through two flows: netdev is going
+down and policy flush.
+
+In both cases, the code lacks relevant call to delete offloaded policy.
+
+Fixes: 919e43fad516 ("xfrm: add an interface to offload policy")
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_policy.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index ff58ce6c030ca..e7617c9959c31 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1831,6 +1831,7 @@ int xfrm_policy_flush(struct net *net, u8 type, bool task_valid)
+
+ __xfrm_policy_unlink(pol, dir);
+ spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
++ xfrm_dev_policy_delete(pol);
+ cnt++;
+ xfrm_audit_policy_delete(pol, 1, task_valid);
+ xfrm_policy_kill(pol);
+@@ -1869,6 +1870,7 @@ int xfrm_dev_policy_flush(struct net *net, struct net_device *dev,
+
+ __xfrm_policy_unlink(pol, dir);
+ spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
++ xfrm_dev_policy_delete(pol);
+ cnt++;
+ xfrm_audit_policy_delete(pol, 1, task_valid);
+ xfrm_policy_kill(pol);
+--
+2.39.2
+
--- /dev/null
+From f9ac5a66cb72b7f2e111bd31ed54963557216515 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 01:30:22 +0000
+Subject: xfrm: Ensure policies always checked on XFRM-I input path
+
+From: Benedict Wong <benedictwong@google.com>
+
+[ Upstream commit a287f5b0cfc6804c5b12a4be13c7c9fe27869e90 ]
+
+This change adds methods in the XFRM-I input path that ensures that
+policies are checked prior to processing of the subsequent decapsulated
+packet, after which the relevant policies may no longer be resolvable
+(due to changing src/dst/proto/etc).
+
+Notably, raw ESP/AH packets did not perform policy checks inherently,
+whereas all other encapsulated packets (UDP, TCP encapsulated) do policy
+checks after calling xfrm_input handling in the respective encapsulation
+layer.
+
+Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels")
+Test: Verified with additional Android Kernel Unit tests
+Test: Verified against Android CTS
+Signed-off-by: Benedict Wong <benedictwong@google.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_interface_core.c | 54 +++++++++++++++++++++++++++++++---
+ 1 file changed, 50 insertions(+), 4 deletions(-)
+
+diff --git a/net/xfrm/xfrm_interface_core.c b/net/xfrm/xfrm_interface_core.c
+index 1f99dc4690271..35279c220bd78 100644
+--- a/net/xfrm/xfrm_interface_core.c
++++ b/net/xfrm/xfrm_interface_core.c
+@@ -310,6 +310,52 @@ static void xfrmi_scrub_packet(struct sk_buff *skb, bool xnet)
+ skb->mark = 0;
+ }
+
++static int xfrmi_input(struct sk_buff *skb, int nexthdr, __be32 spi,
++ int encap_type, unsigned short family)
++{
++ struct sec_path *sp;
++
++ sp = skb_sec_path(skb);
++ if (sp && (sp->len || sp->olen) &&
++ !xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family))
++ goto discard;
++
++ XFRM_SPI_SKB_CB(skb)->family = family;
++ if (family == AF_INET) {
++ XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
++ XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
++ } else {
++ XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
++ XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL;
++ }
++
++ return xfrm_input(skb, nexthdr, spi, encap_type);
++discard:
++ kfree_skb(skb);
++ return 0;
++}
++
++static int xfrmi4_rcv(struct sk_buff *skb)
++{
++ return xfrmi_input(skb, ip_hdr(skb)->protocol, 0, 0, AF_INET);
++}
++
++static int xfrmi6_rcv(struct sk_buff *skb)
++{
++ return xfrmi_input(skb, skb_network_header(skb)[IP6CB(skb)->nhoff],
++ 0, 0, AF_INET6);
++}
++
++static int xfrmi4_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
++{
++ return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET);
++}
++
++static int xfrmi6_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
++{
++ return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET6);
++}
++
+ static int xfrmi_rcv_cb(struct sk_buff *skb, int err)
+ {
+ const struct xfrm_mode *inner_mode;
+@@ -945,8 +991,8 @@ static struct pernet_operations xfrmi_net_ops = {
+ };
+
+ static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = {
+- .handler = xfrm6_rcv,
+- .input_handler = xfrm_input,
++ .handler = xfrmi6_rcv,
++ .input_handler = xfrmi6_input,
+ .cb_handler = xfrmi_rcv_cb,
+ .err_handler = xfrmi6_err,
+ .priority = 10,
+@@ -996,8 +1042,8 @@ static struct xfrm6_tunnel xfrmi_ip6ip_handler __read_mostly = {
+ #endif
+
+ static struct xfrm4_protocol xfrmi_esp4_protocol __read_mostly = {
+- .handler = xfrm4_rcv,
+- .input_handler = xfrm_input,
++ .handler = xfrmi4_rcv,
++ .input_handler = xfrmi4_input,
+ .cb_handler = xfrmi_rcv_cb,
+ .err_handler = xfrmi4_err,
+ .priority = 10,
+--
+2.39.2
+
--- /dev/null
+From 45744754df9fd892fddd8c3ddf43817458df2095 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jun 2023 04:06:54 -0700
+Subject: xfrm: fix inbound ipv4/udp/esp packets to UDPv6 dualstack sockets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski <maze@google.com>
+
+[ Upstream commit 1166a530a84758bb9e6b448fc8c195ed413f5ded ]
+
+Before Linux v5.8 an AF_INET6 SOCK_DGRAM (udp/udplite) socket
+with SOL_UDP, UDP_ENCAP, UDP_ENCAP_ESPINUDP{,_NON_IKE} enabled
+would just unconditionally use xfrm4_udp_encap_rcv(), afterwards
+such a socket would use the newly added xfrm6_udp_encap_rcv()
+which only handles IPv6 packets.
+
+Cc: Sabrina Dubroca <sd@queasysnail.net>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Benedict Wong <benedictwong@google.com>
+Cc: Yan Yan <evitayan@google.com>
+Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
+Signed-off-by: Maciej Żenczykowski <maze@google.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/xfrm4_input.c | 1 +
+ net/ipv6/xfrm6_input.c | 3 +++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
+index ad2afeef4f106..eac206a290d05 100644
+--- a/net/ipv4/xfrm4_input.c
++++ b/net/ipv4/xfrm4_input.c
+@@ -164,6 +164,7 @@ int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
+ kfree_skb(skb);
+ return 0;
+ }
++EXPORT_SYMBOL(xfrm4_udp_encap_rcv);
+
+ int xfrm4_rcv(struct sk_buff *skb)
+ {
+diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
+index 04cbeefd89828..4907ab241d6be 100644
+--- a/net/ipv6/xfrm6_input.c
++++ b/net/ipv6/xfrm6_input.c
+@@ -86,6 +86,9 @@ int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
+ __be32 *udpdata32;
+ __u16 encap_type = up->encap_type;
+
++ if (skb->protocol == htons(ETH_P_IP))
++ return xfrm4_udp_encap_rcv(sk, skb);
++
+ /* if this is not encapsulated socket, then just return now */
+ if (!encap_type)
+ return 1;
+--
+2.39.2
+
--- /dev/null
+From 7698f16bdef433cebb782e6316a14d45e04156f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jun 2023 12:02:02 +0200
+Subject: xfrm: Linearize the skb after offloading if needed.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit f015b900bc3285322029b4a7d132d6aeb0e51857 ]
+
+With offloading enabled, esp_xmit() gets invoked very late, from within
+validate_xmit_xfrm() which is after validate_xmit_skb() validates and
+linearizes the skb if the underlying device does not support fragments.
+
+esp_output_tail() may add a fragment to the skb while adding the auth
+tag/ IV. Devices without the proper support will then send skb->data
+points to with the correct length so the packet will have garbage at the
+end. A pcap sniffer will claim that the proper data has been sent since
+it parses the skb properly.
+
+It is not affected with INET_ESP_OFFLOAD disabled.
+
+Linearize the skb after offloading if the sending hardware requires it.
+It was tested on v4, v6 has been adopted.
+
+Fixes: 7785bba299a8d ("esp: Add a software GRO codepath")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/esp4_offload.c | 3 +++
+ net/ipv6/esp6_offload.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
+index 3969fa805679c..ee848be59e65a 100644
+--- a/net/ipv4/esp4_offload.c
++++ b/net/ipv4/esp4_offload.c
+@@ -340,6 +340,9 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_
+
+ secpath_reset(skb);
+
++ if (skb_needs_linearize(skb, skb->dev->features) &&
++ __skb_linearize(skb))
++ return -ENOMEM;
+ return 0;
+ }
+
+diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
+index 75c02992c520f..7723402689973 100644
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -374,6 +374,9 @@ static int esp6_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features
+
+ secpath_reset(skb);
+
++ if (skb_needs_linearize(skb, skb->dev->features) &&
++ __skb_linearize(skb))
++ return -ENOMEM;
+ return 0;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 634b54216a8aeb5c3a3e07f18ada2ece04603051 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 01:30:21 +0000
+Subject: xfrm: Treat already-verified secpath entries as optional
+
+From: Benedict Wong <benedictwong@google.com>
+
+[ Upstream commit 1f8b6df6a997a430b0c48b504638154b520781ad ]
+
+This change allows inbound traffic through nested IPsec tunnels to
+successfully match policies and templates, while retaining the secpath
+stack trace as necessary for netfilter policies.
+
+Specifically, this patch marks secpath entries that have already matched
+against a relevant policy as having been verified, allowing it to be
+treated as optional and skipped after a tunnel decapsulation (during
+which the src/dst/proto/etc may have changed, and the correct policy
+chain no long be resolvable).
+
+This approach is taken as opposed to the iteration in b0355dbbf13c,
+where the secpath was cleared, since that breaks subsequent validations
+that rely on the existence of the secpath entries (netfilter policies, or
+transport-in-tunnel mode, where policies remain resolvable).
+
+Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels")
+Test: Tested against Android Kernel Unit Tests
+Test: Tested against Android CTS
+Signed-off-by: Benedict Wong <benedictwong@google.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xfrm.h | 1 +
+ net/xfrm/xfrm_input.c | 1 +
+ net/xfrm/xfrm_policy.c | 12 ++++++++++++
+ 3 files changed, 14 insertions(+)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 3e1f70e8e4247..47ecf1d4719b0 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1049,6 +1049,7 @@ struct xfrm_offload {
+ struct sec_path {
+ int len;
+ int olen;
++ int verified_cnt;
+
+ struct xfrm_state *xvec[XFRM_MAX_DEPTH];
+ struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH];
+diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
+index 436d29640ac2c..9f294a20dcece 100644
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -131,6 +131,7 @@ struct sec_path *secpath_set(struct sk_buff *skb)
+ memset(sp->ovec, 0, sizeof(sp->ovec));
+ sp->olen = 0;
+ sp->len = 0;
++ sp->verified_cnt = 0;
+
+ return sp;
+ }
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 6d15788b51231..ff58ce6c030ca 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3349,6 +3349,13 @@ xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int star
+ if (xfrm_state_ok(tmpl, sp->xvec[idx], family, if_id))
+ return ++idx;
+ if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) {
++ if (idx < sp->verified_cnt) {
++ /* Secpath entry previously verified, consider optional and
++ * continue searching
++ */
++ continue;
++ }
++
+ if (start == -1)
+ start = -2-idx;
+ break;
+@@ -3723,6 +3730,9 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+ * Order is _important_. Later we will implement
+ * some barriers, but at the moment barriers
+ * are implied between each two transformations.
++ * Upon success, marks secpath entries as having been
++ * verified to allow them to be skipped in future policy
++ * checks (e.g. nested tunnels).
+ */
+ for (i = xfrm_nr-1, k = 0; i >= 0; i--) {
+ k = xfrm_policy_ok(tpp[i], sp, k, family, if_id);
+@@ -3741,6 +3751,8 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+ }
+
+ xfrm_pols_put(pols, npols);
++ sp->verified_cnt = k;
++
+ return 1;
+ }
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK);
+--
+2.39.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
