--- /dev/null
+From 0d446fe5d0bac32128dfe72232cfdb62b50d3ac1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 22:43:25 +0800
+Subject: 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race
+ condition
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit ea4f1009408efb4989a0f139b70fb338e7f687d0 ]
+
+In xen_9pfs_front_probe, it calls xen_9pfs_front_alloc_dataring
+to init priv->rings and bound &ring->work with p9_xen_response.
+
+When it calls xen_9pfs_front_event_handler to handle IRQ requests,
+it will finally call schedule_work to start the work.
+
+When we call xen_9pfs_front_remove to remove the driver, there
+may be a sequence as follows:
+
+Fix it by finishing the work before cleanup in xen_9pfs_front_free.
+
+Note that, this bug is found by static analysis, which might be
+false positive.
+
+CPU0 CPU1
+
+ |p9_xen_response
+xen_9pfs_front_remove|
+ xen_9pfs_front_free|
+kfree(priv) |
+//free priv |
+ |p9_tag_lookup
+ |//use priv->client
+
+Fixes: 71ebd71921e4 ("xen/9pfs: connect to the backend")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Signed-off-by: Eric Van Hensbergen <ericvh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_xen.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
+index 9e4da8c1b907e..99e6b2483311c 100644
+--- a/net/9p/trans_xen.c
++++ b/net/9p/trans_xen.c
+@@ -300,6 +300,10 @@ static void xen_9pfs_front_free(struct xen_9pfs_front_priv *priv)
+ write_unlock(&xen_9pfs_lock);
+
+ for (i = 0; i < priv->num_rings; i++) {
++ struct xen_9pfs_dataring *ring = &priv->rings[i];
++
++ cancel_work_sync(&ring->work);
++
+ if (!priv->rings[i].intf)
+ break;
+ if (priv->rings[i].irq > 0)
+--
+2.39.2
+
--- /dev/null
+From 6a49bff222317c320777134c6057cd85ff280f4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Mar 2023 03:12:05 +0100
+Subject: ACPI: resource: Add Medion S17413 to IRQ override quirk
+
+From: Aymeric Wibo <obiwac@gmail.com>
+
+[ Upstream commit 2d0ab14634a26e54f8d6d231b47b7ef233e84599 ]
+
+Add DMI info of the Medion S17413 (board M1xA) to the IRQ override
+quirk table. This fixes the keyboard not working on these laptops.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=213031
+Signed-off-by: Aymeric Wibo <obiwac@gmail.com>
+[ rjw: Fixed up white space ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/resource.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
+index 3b9f894873365..803dc6afa6d69 100644
+--- a/drivers/acpi/resource.c
++++ b/drivers/acpi/resource.c
+@@ -396,6 +396,13 @@ static const struct dmi_system_id medion_laptop[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "M17T"),
+ },
+ },
++ {
++ .ident = "MEDION S17413",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "MEDION"),
++ DMI_MATCH(DMI_BOARD_NAME, "M1xA"),
++ },
++ },
+ { }
+ };
+
+--
+2.39.2
+
--- /dev/null
+From 1491930f5a70f80697dc40b33848e4b601444e02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Feb 2023 00:10:14 +0100
+Subject: ARM: 9290/1: uaccess: Fix KASAN false-positives
+
+From: Andrew Jeffery <andrew@aj.id.au>
+
+[ Upstream commit ceac10c83b330680cc01ceaaab86cd49f4f30d81 ]
+
+__copy_to_user_memcpy() and __clear_user_memset() had been calling
+memcpy() and memset() respectively, leading to false-positive KASAN
+reports when starting userspace:
+
+ [ 10.707901] Run /init as init process
+ [ 10.731892] process '/bin/busybox' started with executable stack
+ [ 10.745234] ==================================================================
+ [ 10.745796] BUG: KASAN: user-memory-access in __clear_user_memset+0x258/0x3ac
+ [ 10.747260] Write of size 2687 at addr 000de581 by task init/1
+
+Use __memcpy() and __memset() instead to allow userspace access, which
+is of course the intent of these functions.
+
+Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
+Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/lib/uaccess_with_memcpy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/lib/uaccess_with_memcpy.c b/arch/arm/lib/uaccess_with_memcpy.c
+index 106f83a5ea6d2..35e03f6a62127 100644
+--- a/arch/arm/lib/uaccess_with_memcpy.c
++++ b/arch/arm/lib/uaccess_with_memcpy.c
+@@ -121,7 +121,7 @@ __copy_to_user_memcpy(void __user *to, const void *from, unsigned long n)
+ tocopy = n;
+
+ ua_flags = uaccess_save_and_enable();
+- memcpy((void *)to, from, tocopy);
++ __memcpy((void *)to, from, tocopy);
+ uaccess_restore(ua_flags);
+ to += tocopy;
+ from += tocopy;
+@@ -188,7 +188,7 @@ __clear_user_memset(void __user *addr, unsigned long n)
+ tocopy = n;
+
+ ua_flags = uaccess_save_and_enable();
+- memset((void *)addr, 0, tocopy);
++ __memset((void *)addr, 0, tocopy);
+ uaccess_restore(ua_flags);
+ addr += tocopy;
+ n -= tocopy;
+--
+2.39.2
+
--- /dev/null
+From d124b0f283b3b68a4f7ddf7741506688b7373333 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Feb 2023 12:12:54 -0500
+Subject: asymmetric_keys: log on fatal failures in PE/pkcs7
+
+From: Robbie Harwood <rharwood@redhat.com>
+
+[ Upstream commit 3584c1dbfffdabf8e3dc1dd25748bb38dd01cd43 ]
+
+These particular errors can be encountered while trying to kexec when
+secureboot lockdown is in place. Without this change, even with a
+signed debug build, one still needs to reboot the machine to add the
+appropriate dyndbg parameters (since lockdown blocks debugfs).
+
+Accordingly, upgrade all pr_debug() before fatal error into pr_warn().
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Jarkko Sakkinen <jarkko@kernel.org>
+cc: Eric Biederman <ebiederm@xmission.com>
+cc: Herbert Xu <herbert@gondor.apana.org.au>
+cc: keyrings@vger.kernel.org
+cc: linux-crypto@vger.kernel.org
+cc: kexec@lists.infradead.org
+Link: https://lore.kernel.org/r/20230220171254.592347-3-rharwood@redhat.com/ # v2
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/asymmetric_keys/pkcs7_verify.c | 10 +++++-----
+ crypto/asymmetric_keys/verify_pefile.c | 24 ++++++++++++------------
+ 2 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
+index f94a1d1ad3a6c..df279538cead3 100644
+--- a/crypto/asymmetric_keys/pkcs7_verify.c
++++ b/crypto/asymmetric_keys/pkcs7_verify.c
+@@ -79,16 +79,16 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
+ }
+
+ if (sinfo->msgdigest_len != sig->digest_size) {
+- pr_debug("Sig %u: Invalid digest size (%u)\n",
+- sinfo->index, sinfo->msgdigest_len);
++ pr_warn("Sig %u: Invalid digest size (%u)\n",
++ sinfo->index, sinfo->msgdigest_len);
+ ret = -EBADMSG;
+ goto error;
+ }
+
+ if (memcmp(sig->digest, sinfo->msgdigest,
+ sinfo->msgdigest_len) != 0) {
+- pr_debug("Sig %u: Message digest doesn't match\n",
+- sinfo->index);
++ pr_warn("Sig %u: Message digest doesn't match\n",
++ sinfo->index);
+ ret = -EKEYREJECTED;
+ goto error;
+ }
+@@ -481,7 +481,7 @@ int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7,
+ const void *data, size_t datalen)
+ {
+ if (pkcs7->data) {
+- pr_debug("Data already supplied\n");
++ pr_warn("Data already supplied\n");
+ return -EINVAL;
+ }
+ pkcs7->data = data;
+diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
+index fe1bb374239d7..22beaf2213a22 100644
+--- a/crypto/asymmetric_keys/verify_pefile.c
++++ b/crypto/asymmetric_keys/verify_pefile.c
+@@ -74,7 +74,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
+ break;
+
+ default:
+- pr_debug("Unknown PEOPT magic = %04hx\n", pe32->magic);
++ pr_warn("Unknown PEOPT magic = %04hx\n", pe32->magic);
+ return -ELIBBAD;
+ }
+
+@@ -95,7 +95,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
+ ctx->certs_size = ddir->certs.size;
+
+ if (!ddir->certs.virtual_address || !ddir->certs.size) {
+- pr_debug("Unsigned PE binary\n");
++ pr_warn("Unsigned PE binary\n");
+ return -ENODATA;
+ }
+
+@@ -127,7 +127,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ unsigned len;
+
+ if (ctx->sig_len < sizeof(wrapper)) {
+- pr_debug("Signature wrapper too short\n");
++ pr_warn("Signature wrapper too short\n");
+ return -ELIBBAD;
+ }
+
+@@ -142,16 +142,16 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ * rounded up since 0.110.
+ */
+ if (wrapper.length > ctx->sig_len) {
+- pr_debug("Signature wrapper bigger than sig len (%x > %x)\n",
+- ctx->sig_len, wrapper.length);
++ pr_warn("Signature wrapper bigger than sig len (%x > %x)\n",
++ ctx->sig_len, wrapper.length);
+ return -ELIBBAD;
+ }
+ if (wrapper.revision != WIN_CERT_REVISION_2_0) {
+- pr_debug("Signature is not revision 2.0\n");
++ pr_warn("Signature is not revision 2.0\n");
+ return -ENOTSUPP;
+ }
+ if (wrapper.cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
+- pr_debug("Signature certificate type is not PKCS\n");
++ pr_warn("Signature certificate type is not PKCS\n");
+ return -ENOTSUPP;
+ }
+
+@@ -164,7 +164,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ ctx->sig_offset += sizeof(wrapper);
+ ctx->sig_len -= sizeof(wrapper);
+ if (ctx->sig_len < 4) {
+- pr_debug("Signature data missing\n");
++ pr_warn("Signature data missing\n");
+ return -EKEYREJECTED;
+ }
+
+@@ -198,7 +198,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ return 0;
+ }
+ not_pkcs7:
+- pr_debug("Signature data not PKCS#7\n");
++ pr_warn("Signature data not PKCS#7\n");
+ return -ELIBBAD;
+ }
+
+@@ -341,8 +341,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
+ digest_size = crypto_shash_digestsize(tfm);
+
+ if (digest_size != ctx->digest_len) {
+- pr_debug("Digest size mismatch (%zx != %x)\n",
+- digest_size, ctx->digest_len);
++ pr_warn("Digest size mismatch (%zx != %x)\n",
++ digest_size, ctx->digest_len);
+ ret = -EBADMSG;
+ goto error_no_desc;
+ }
+@@ -373,7 +373,7 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
+ * PKCS#7 certificate.
+ */
+ if (memcmp(digest, ctx->digest, ctx->digest_len) != 0) {
+- pr_debug("Digest mismatch\n");
++ pr_warn("Digest mismatch\n");
+ ret = -EKEYREJECTED;
+ } else {
+ pr_debug("The digests match!\n");
+--
+2.39.2
+
--- /dev/null
+From fe4164618d58c5853b10a90f8fb57f78c05beb71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Mar 2023 17:42:32 -0700
+Subject: bpf: tcp: Use sock_gen_put instead of sock_put in bpf_iter_tcp
+
+From: Martin KaFai Lau <martin.lau@kernel.org>
+
+[ Upstream commit 580031ff9952b7dbf48dedba6b56a100ae002bef ]
+
+While reviewing the udp-iter batching patches, noticed the bpf_iter_tcp
+calling sock_put() is incorrect. It should call sock_gen_put instead
+because bpf_iter_tcp is iterating the ehash table which has the req sk
+and tw sk. This patch replaces all sock_put with sock_gen_put in the
+bpf_iter_tcp codepath.
+
+Fixes: 04c7820b776f ("bpf: tcp: Bpf iter batching and lock_sock")
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20230328004232.2134233-1-martin.lau@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_ipv4.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 0e1fbad17dbe3..63472c9b39ae4 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -2760,7 +2760,7 @@ static int tcp_prog_seq_show(struct bpf_prog *prog, struct bpf_iter_meta *meta,
+ static void bpf_iter_tcp_put_batch(struct bpf_tcp_iter_state *iter)
+ {
+ while (iter->cur_sk < iter->end_sk)
+- sock_put(iter->batch[iter->cur_sk++]);
++ sock_gen_put(iter->batch[iter->cur_sk++]);
+ }
+
+ static int bpf_iter_tcp_realloc_batch(struct bpf_tcp_iter_state *iter,
+@@ -2919,7 +2919,7 @@ static void *bpf_iter_tcp_seq_next(struct seq_file *seq, void *v, loff_t *pos)
+ * st->bucket. See tcp_seek_last_pos().
+ */
+ st->offset++;
+- sock_put(iter->batch[iter->cur_sk++]);
++ sock_gen_put(iter->batch[iter->cur_sk++]);
+ }
+
+ if (iter->cur_sk < iter->end_sk)
+--
+2.39.2
+
--- /dev/null
+From 2a5aea8af62c3827fc188a7842aa5904e6247e72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 10:36:24 +0800
+Subject: clk: sprd: set max_register according to mapping range
+
+From: Chunyan Zhang <chunyan.zhang@unisoc.com>
+
+[ Upstream commit 47d43086531f10539470a63e8ad92803e686a3dd ]
+
+In sprd clock driver, regmap_config.max_register was set to a fixed value
+which is likely larger than the address range configured in device tree,
+when reading registers through debugfs it would cause access violation.
+
+Fixes: d41f59fd92f2 ("clk: sprd: Add common infrastructure")
+Signed-off-by: Chunyan Zhang <chunyan.zhang@unisoc.com>
+Link: https://lore.kernel.org/r/20230316023624.758204-1-chunyan.zhang@unisoc.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/sprd/common.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/sprd/common.c b/drivers/clk/sprd/common.c
+index ce81e4087a8fc..2bfbab8db94bf 100644
+--- a/drivers/clk/sprd/common.c
++++ b/drivers/clk/sprd/common.c
+@@ -17,7 +17,6 @@ static const struct regmap_config sprdclk_regmap_config = {
+ .reg_bits = 32,
+ .reg_stride = 4,
+ .val_bits = 32,
+- .max_register = 0xffff,
+ .fast_io = true,
+ };
+
+@@ -43,6 +42,8 @@ int sprd_clk_regmap_init(struct platform_device *pdev,
+ struct device *dev = &pdev->dev;
+ struct device_node *node = dev->of_node, *np;
+ struct regmap *regmap;
++ struct resource *res;
++ struct regmap_config reg_config = sprdclk_regmap_config;
+
+ if (of_find_property(node, "sprd,syscon", NULL)) {
+ regmap = syscon_regmap_lookup_by_phandle(node, "sprd,syscon");
+@@ -59,12 +60,14 @@ int sprd_clk_regmap_init(struct platform_device *pdev,
+ return PTR_ERR(regmap);
+ }
+ } else {
+- base = devm_platform_ioremap_resource(pdev, 0);
++ base = devm_platform_get_and_ioremap_resource(pdev, 0, &res);
+ if (IS_ERR(base))
+ return PTR_ERR(base);
+
++ reg_config.max_register = resource_size(res) - reg_config.reg_stride;
++
+ regmap = devm_regmap_init_mmio(&pdev->dev, base,
+- &sprdclk_regmap_config);
++ ®_config);
+ if (IS_ERR(regmap)) {
+ pr_err("failed to init regmap\n");
+ return PTR_ERR(regmap);
+--
+2.39.2
+
--- /dev/null
+From fb2814076096fa6feb6bb5a5d5ed12472b9dece8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Dec 2021 17:34:16 +0100
+Subject: drm/armada: Fix a potential double free in an error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit b89ce1177d42d5c124e83f3858818cd4e6a2c46f ]
+
+'priv' is a managed resource, so there is no need to free it explicitly or
+there will be a double free().
+
+Fixes: 90ad200b4cbc ("drm/armada: Use devm_drm_dev_alloc")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/c4f3c9207a9fce35cb6dd2cc60e755275961588a.1640536364.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/armada/armada_drv.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/armada/armada_drv.c b/drivers/gpu/drm/armada/armada_drv.c
+index 8e3e98f13db49..54168134d9b93 100644
+--- a/drivers/gpu/drm/armada/armada_drv.c
++++ b/drivers/gpu/drm/armada/armada_drv.c
+@@ -99,7 +99,6 @@ static int armada_drm_bind(struct device *dev)
+ if (ret) {
+ dev_err(dev, "[" DRM_NAME ":%s] can't kick out simple-fb: %d\n",
+ __func__, ret);
+- kfree(priv);
+ return ret;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 95a131185e3d0a02ebb3745f33ab775643a583f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Mar 2023 10:52:18 +0100
+Subject: drm: panel-orientation-quirks: Add quirk for Lenovo Yoga Book X90F
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 03aecb1acbcd7a660f97d645ca6c09d9de27ff9d ]
+
+Like the Windows Lenovo Yoga Book X91F/L the Android Lenovo Yoga Book
+X90F/L has a portrait 1200x1920 screen used in landscape mode,
+add a quirk for this.
+
+When the quirk for the X91F/L was initially added it was written to
+also apply to the X90F/L but this does not work because the Android
+version of the Yoga Book uses completely different DMI strings.
+Also adjust the X91F/L quirk to reflect that it only applies to
+the X91F/L models.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230301095218.28457-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index 8768073794fbf..6106fa7c43028 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -284,10 +284,17 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "IdeaPad Duet 3 10IGL5"),
+ },
+ .driver_data = (void *)&lcd1200x1920_rightside_up,
+- }, { /* Lenovo Yoga Book X90F / X91F / X91L */
++ }, { /* Lenovo Yoga Book X90F / X90L */
+ .matches = {
+- /* Non exact match to match all versions */
+- DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X9"),
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Intel Corporation"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "CHERRYVIEW D1 PLATFORM"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "YETI-11"),
++ },
++ .driver_data = (void *)&lcd1200x1920_rightside_up,
++ }, { /* Lenovo Yoga Book X91F / X91L */
++ .matches = {
++ /* Non exact match to match F + L versions */
++ DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X91"),
+ },
+ .driver_data = (void *)&lcd1200x1920_rightside_up,
+ }, { /* OneGX1 Pro */
+--
+2.39.2
+
--- /dev/null
+From 9040f6b29fea35c9e57d14d9aafcc266b196e5c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 13:31:03 +0100
+Subject: efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 5ed213dd64681f84a01ceaa82fb336cf7d59ddcf ]
+
+Another Lenovo convertable which reports a landscape resolution of
+1920x1200 with a pitch of (1920 * 4) bytes, while the actual framebuffer
+has a resolution of 1200x1920 with a pitch of (1200 * 4) bytes.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/sysfb_efi.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/firmware/efi/sysfb_efi.c b/drivers/firmware/efi/sysfb_efi.c
+index 7ac757843dcfe..24d6f6e08df8b 100644
+--- a/drivers/firmware/efi/sysfb_efi.c
++++ b/drivers/firmware/efi/sysfb_efi.c
+@@ -274,6 +274,14 @@ static const struct dmi_system_id efifb_dmi_swap_width_height[] __initconst = {
+ "IdeaPad Duet 3 10IGL5"),
+ },
+ },
++ {
++ /* Lenovo Yoga Book X91F / X91L */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ /* Non exact match to match F + L versions */
++ DMI_MATCH(DMI_PRODUCT_NAME, "Lenovo YB1-X91"),
++ },
++ },
+ {},
+ };
+
+--
+2.39.2
+
--- /dev/null
+From e823e0028fbd44622350ee0bfc63a03ca35f6c0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 15:45:51 +0800
+Subject: i2c: hisi: Avoid redundant interrupts
+
+From: Yicong Yang <yangyicong@hisilicon.com>
+
+[ Upstream commit cc9812a3096d1986caca9a23bee99effc45c08df ]
+
+After issuing all the messages we can disable the TX_EMPTY interrupts
+to avoid handling redundant interrupts. For doing a sinlge bus
+detection (i2cdetect -y -r 0) we can reduce ~97% interrupts (before
+~12000 after ~400).
+
+Signed-off-by: Sheng Feng <fengsheng5@huawei.com>
+Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-hisi.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-hisi.c b/drivers/i2c/busses/i2c-hisi.c
+index 72e43ecaff133..1f406e6f4ece3 100644
+--- a/drivers/i2c/busses/i2c-hisi.c
++++ b/drivers/i2c/busses/i2c-hisi.c
+@@ -315,6 +315,13 @@ static void hisi_i2c_xfer_msg(struct hisi_i2c_controller *ctlr)
+ max_write == 0)
+ break;
+ }
++
++ /*
++ * Disable the TX_EMPTY interrupt after finishing all the messages to
++ * avoid overwhelming the CPU.
++ */
++ if (ctlr->msg_tx_idx == ctlr->msg_num)
++ hisi_i2c_disable_int(ctlr, HISI_I2C_INT_TX_EMPTY);
+ }
+
+ static irqreturn_t hisi_i2c_irq(int irq, void *context)
+--
+2.39.2
+
--- /dev/null
+From 4572fec111fa23d5463455a7fda497a18afe9acb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jan 2023 16:32:46 +0100
+Subject: i2c: imx-lpi2c: clean rx/tx buffers upon new message
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit 987dd36c0141f6ab9f0fbf14d6b2ec3342dedb2f ]
+
+When start sending a new message clear the Rx & Tx buffer pointers in
+order to avoid using stale pointers.
+
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Tested-by: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-imx-lpi2c.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-imx-lpi2c.c b/drivers/i2c/busses/i2c-imx-lpi2c.c
+index 2018dbcf241e9..d45ec26d51cb9 100644
+--- a/drivers/i2c/busses/i2c-imx-lpi2c.c
++++ b/drivers/i2c/busses/i2c-imx-lpi2c.c
+@@ -462,6 +462,8 @@ static int lpi2c_imx_xfer(struct i2c_adapter *adapter,
+ if (num == 1 && msgs[0].len == 0)
+ goto stop;
+
++ lpi2c_imx->rx_buf = NULL;
++ lpi2c_imx->tx_buf = NULL;
+ lpi2c_imx->delivered = 0;
+ lpi2c_imx->msglen = msgs[i].len;
+ init_completion(&lpi2c_imx->complete);
+--
+2.39.2
+
--- /dev/null
+From d7f5dac1bbcf39662a933402d88f66414bc7d7c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 15:40:49 +0200
+Subject: IB/mlx5: Add support for 400G_8X lane speed
+
+From: Maher Sanalla <msanalla@nvidia.com>
+
+[ Upstream commit 88c9483faf15ada14eca82714114656893063458 ]
+
+Currently, when driver queries PTYS to report which link speed is being
+used on its RoCE ports, it does not check the case of having 400Gbps
+transmitted over 8 lanes. Thus it fails to report the said speed and
+instead it defaults to report 10G over 4 lanes.
+
+Add a check for the said speed when querying PTYS and report it back
+correctly when needed.
+
+Fixes: 08e8676f1607 ("IB/mlx5: Add support for 50Gbps per lane link modes")
+Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
+Reviewed-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Saeed Mahameed <saeedm@nvidia.com>
+Link: https://lore.kernel.org/r/ec9040548d119d22557d6a4b4070d6f421701fd4.1678973994.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index 827ee3040bea2..2361caa385471 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -443,6 +443,10 @@ static int translate_eth_ext_proto_oper(u32 eth_proto_oper, u16 *active_speed,
+ *active_width = IB_WIDTH_2X;
+ *active_speed = IB_SPEED_NDR;
+ break;
++ case MLX5E_PROT_MASK(MLX5E_400GAUI_8):
++ *active_width = IB_WIDTH_8X;
++ *active_speed = IB_SPEED_HDR;
++ break;
+ case MLX5E_PROT_MASK(MLX5E_400GAUI_4_400GBASE_CR4_KR4):
+ *active_width = IB_WIDTH_4X;
+ *active_speed = IB_SPEED_NDR;
+--
+2.39.2
+
--- /dev/null
+From 8db187d8f61c6ac2422410347a29f04e2fa68a4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Dec 2022 13:15:00 -0800
+Subject: libbpf: Fix single-line struct definition output in btf_dump
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 872aec4b5f635d94111d48ec3c57fbe078d64e7d ]
+
+btf_dump APIs emit unnecessary tabs when emitting struct/union
+definition that fits on the single line. Before this patch we'd get:
+
+struct blah {<tab>};
+
+This patch fixes this and makes sure that we get more natural:
+
+struct blah {};
+
+Fixes: 44a726c3f23c ("bpftool: Print newline before '}' for struct with padding only fields")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20221212211505.558851-2-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf_dump.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c
+index a9f974e5fb856..98cb3831aa18c 100644
+--- a/tools/lib/bpf/btf_dump.c
++++ b/tools/lib/bpf/btf_dump.c
+@@ -1003,9 +1003,12 @@ static void btf_dump_emit_struct_def(struct btf_dump *d,
+ * Keep `struct empty {}` on a single line,
+ * only print newline when there are regular or padding fields.
+ */
+- if (vlen || t->size)
++ if (vlen || t->size) {
+ btf_dump_printf(d, "\n");
+- btf_dump_printf(d, "%s}", pfx(lvl));
++ btf_dump_printf(d, "%s}", pfx(lvl));
++ } else {
++ btf_dump_printf(d, "}");
++ }
+ if (packed)
+ btf_dump_printf(d, " __attribute__((packed))");
+ }
+--
+2.39.2
+
--- /dev/null
+From 727f0c503da9f6e27705bf4cef287f91733c069e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Apr 2023 16:21:44 -0700
+Subject: net: macb: fix a memory corruption in extended buffer descriptor mode
+
+From: Roman Gushchin <roman.gushchin@linux.dev>
+
+[ Upstream commit e8b74453555872851bdd7ea43a7c0ec39659834f ]
+
+For quite some time we were chasing a bug which looked like a sudden
+permanent failure of networking and mmc on some of our devices.
+The bug was very sensitive to any software changes and even more to
+any kernel debug options.
+
+Finally we got a setup where the problem was reproducible with
+CONFIG_DMA_API_DEBUG=y and it revealed the issue with the rx dma:
+
+[ 16.992082] ------------[ cut here ]------------
+[ 16.996779] DMA-API: macb ff0b0000.ethernet: device driver tries to free DMA memory it has not allocated [device address=0x0000000875e3e244] [size=1536 bytes]
+[ 17.011049] WARNING: CPU: 0 PID: 85 at kernel/dma/debug.c:1011 check_unmap+0x6a0/0x900
+[ 17.018977] Modules linked in: xxxxx
+[ 17.038823] CPU: 0 PID: 85 Comm: irq/55-8000f000 Not tainted 5.4.0 #28
+[ 17.045345] Hardware name: xxxxx
+[ 17.049528] pstate: 60000005 (nZCv daif -PAN -UAO)
+[ 17.054322] pc : check_unmap+0x6a0/0x900
+[ 17.058243] lr : check_unmap+0x6a0/0x900
+[ 17.062163] sp : ffffffc010003c40
+[ 17.065470] x29: ffffffc010003c40 x28: 000000004000c03c
+[ 17.070783] x27: ffffffc010da7048 x26: ffffff8878e38800
+[ 17.076095] x25: ffffff8879d22810 x24: ffffffc010003cc8
+[ 17.081407] x23: 0000000000000000 x22: ffffffc010a08750
+[ 17.086719] x21: ffffff8878e3c7c0 x20: ffffffc010acb000
+[ 17.092032] x19: 0000000875e3e244 x18: 0000000000000010
+[ 17.097343] x17: 0000000000000000 x16: 0000000000000000
+[ 17.102647] x15: ffffff8879e4a988 x14: 0720072007200720
+[ 17.107959] x13: 0720072007200720 x12: 0720072007200720
+[ 17.113261] x11: 0720072007200720 x10: 0720072007200720
+[ 17.118565] x9 : 0720072007200720 x8 : 000000000000022d
+[ 17.123869] x7 : 0000000000000015 x6 : 0000000000000098
+[ 17.129173] x5 : 0000000000000000 x4 : 0000000000000000
+[ 17.134475] x3 : 00000000ffffffff x2 : ffffffc010a1d370
+[ 17.139778] x1 : b420c9d75d27bb00 x0 : 0000000000000000
+[ 17.145082] Call trace:
+[ 17.147524] check_unmap+0x6a0/0x900
+[ 17.151091] debug_dma_unmap_page+0x88/0x90
+[ 17.155266] gem_rx+0x114/0x2f0
+[ 17.158396] macb_poll+0x58/0x100
+[ 17.161705] net_rx_action+0x118/0x400
+[ 17.165445] __do_softirq+0x138/0x36c
+[ 17.169100] irq_exit+0x98/0xc0
+[ 17.172234] __handle_domain_irq+0x64/0xc0
+[ 17.176320] gic_handle_irq+0x5c/0xc0
+[ 17.179974] el1_irq+0xb8/0x140
+[ 17.183109] xiic_process+0x5c/0xe30
+[ 17.186677] irq_thread_fn+0x28/0x90
+[ 17.190244] irq_thread+0x208/0x2a0
+[ 17.193724] kthread+0x130/0x140
+[ 17.196945] ret_from_fork+0x10/0x20
+[ 17.200510] ---[ end trace 7240980785f81d6f ]---
+
+[ 237.021490] ------------[ cut here ]------------
+[ 237.026129] DMA-API: exceeded 7 overlapping mappings of cacheline 0x0000000021d79e7b
+[ 237.033886] WARNING: CPU: 0 PID: 0 at kernel/dma/debug.c:499 add_dma_entry+0x214/0x240
+[ 237.041802] Modules linked in: xxxxx
+[ 237.061637] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.4.0 #28
+[ 237.068941] Hardware name: xxxxx
+[ 237.073116] pstate: 80000085 (Nzcv daIf -PAN -UAO)
+[ 237.077900] pc : add_dma_entry+0x214/0x240
+[ 237.081986] lr : add_dma_entry+0x214/0x240
+[ 237.086072] sp : ffffffc010003c30
+[ 237.089379] x29: ffffffc010003c30 x28: ffffff8878a0be00
+[ 237.094683] x27: 0000000000000180 x26: ffffff8878e387c0
+[ 237.099987] x25: 0000000000000002 x24: 0000000000000000
+[ 237.105290] x23: 000000000000003b x22: ffffffc010a0fa00
+[ 237.110594] x21: 0000000021d79e7b x20: ffffffc010abe600
+[ 237.115897] x19: 00000000ffffffef x18: 0000000000000010
+[ 237.121201] x17: 0000000000000000 x16: 0000000000000000
+[ 237.126504] x15: ffffffc010a0fdc8 x14: 0720072007200720
+[ 237.131807] x13: 0720072007200720 x12: 0720072007200720
+[ 237.137111] x11: 0720072007200720 x10: 0720072007200720
+[ 237.142415] x9 : 0720072007200720 x8 : 0000000000000259
+[ 237.147718] x7 : 0000000000000001 x6 : 0000000000000000
+[ 237.153022] x5 : ffffffc010003a20 x4 : 0000000000000001
+[ 237.158325] x3 : 0000000000000006 x2 : 0000000000000007
+[ 237.163628] x1 : 8ac721b3a7dc1c00 x0 : 0000000000000000
+[ 237.168932] Call trace:
+[ 237.171373] add_dma_entry+0x214/0x240
+[ 237.175115] debug_dma_map_page+0xf8/0x120
+[ 237.179203] gem_rx_refill+0x190/0x280
+[ 237.182942] gem_rx+0x224/0x2f0
+[ 237.186075] macb_poll+0x58/0x100
+[ 237.189384] net_rx_action+0x118/0x400
+[ 237.193125] __do_softirq+0x138/0x36c
+[ 237.196780] irq_exit+0x98/0xc0
+[ 237.199914] __handle_domain_irq+0x64/0xc0
+[ 237.204000] gic_handle_irq+0x5c/0xc0
+[ 237.207654] el1_irq+0xb8/0x140
+[ 237.210789] arch_cpu_idle+0x40/0x200
+[ 237.214444] default_idle_call+0x18/0x30
+[ 237.218359] do_idle+0x200/0x280
+[ 237.221578] cpu_startup_entry+0x20/0x30
+[ 237.225493] rest_init+0xe4/0xf0
+[ 237.228713] arch_call_rest_init+0xc/0x14
+[ 237.232714] start_kernel+0x47c/0x4a8
+[ 237.236367] ---[ end trace 7240980785f81d70 ]---
+
+Lars was fast to find an explanation: according to the datasheet
+bit 2 of the rx buffer descriptor entry has a different meaning in the
+extended mode:
+ Address [2] of beginning of buffer, or
+ in extended buffer descriptor mode (DMA configuration register [28] = 1),
+ indicates a valid timestamp in the buffer descriptor entry.
+
+The macb driver didn't mask this bit while getting an address and it
+eventually caused a memory corruption and a dma failure.
+
+The problem is resolved by explicitly clearing the problematic bit
+if hw timestamping is used.
+
+Fixes: 7b4296148066 ("net: macb: Add support for PTP timestamps in DMA descriptors")
+Signed-off-by: Roman Gushchin <roman.gushchin@linux.dev>
+Co-developed-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://lore.kernel.org/r/20230412232144.770336-1-roman.gushchin@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 906c5bbefaac9..ddadb1822d897 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -1044,6 +1044,10 @@ static dma_addr_t macb_get_addr(struct macb *bp, struct macb_dma_desc *desc)
+ }
+ #endif
+ addr |= MACB_BF(RX_WADDR, MACB_BFEXT(RX_WADDR, desc->addr));
++#ifdef CONFIG_MACB_USE_HWSTAMP
++ if (bp->hw_dma_cap & HW_DMA_CAP_PTP)
++ addr &= ~GEM_BIT(DMA_RXVALID);
++#endif
+ return addr;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 2de260dddcba2e002cdb68dbcd23541a70f0c8e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Apr 2023 09:23:52 +0800
+Subject: net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 6417070918de3bcdbe0646e7256dae58fd8083ba ]
+
+Syzbot reported a bug as following:
+
+=====================================================
+BUG: KMSAN: uninit-value in qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230
+ qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230
+ qrtr_endpoint_post+0xf85/0x11b0 net/qrtr/af_qrtr.c:519
+ qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108
+ call_write_iter include/linux/fs.h:2189 [inline]
+ aio_write+0x63a/0x950 fs/aio.c:1600
+ io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
+ __do_sys_io_submit fs/aio.c:2078 [inline]
+ __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
+ __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slab.h:766 [inline]
+ slab_alloc_node mm/slub.c:3452 [inline]
+ __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491
+ __do_kmalloc_node mm/slab_common.c:967 [inline]
+ __kmalloc_node_track_caller+0x114/0x3b0 mm/slab_common.c:988
+ kmalloc_reserve net/core/skbuff.c:492 [inline]
+ __alloc_skb+0x3af/0x8f0 net/core/skbuff.c:565
+ __netdev_alloc_skb+0x120/0x7d0 net/core/skbuff.c:630
+ qrtr_endpoint_post+0xbd/0x11b0 net/qrtr/af_qrtr.c:446
+ qrtr_tun_write_iter+0x270/0x400 net/qrtr/tun.c:108
+ call_write_iter include/linux/fs.h:2189 [inline]
+ aio_write+0x63a/0x950 fs/aio.c:1600
+ io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
+ __do_sys_io_submit fs/aio.c:2078 [inline]
+ __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
+ __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+It is because that skb->len requires at least sizeof(struct qrtr_ctrl_pkt)
+in qrtr_tx_resume(). And skb->len equals to size in qrtr_endpoint_post().
+But size is less than sizeof(struct qrtr_ctrl_pkt) when qrtr_cb->type
+equals to QRTR_TYPE_RESUME_TX in qrtr_endpoint_post() under the syzbot
+scenario. This triggers the uninit variable access bug.
+
+Add size check when qrtr_cb->type equals to QRTR_TYPE_RESUME_TX in
+qrtr_endpoint_post() to fix the bug.
+
+Fixes: 5fdeb0d372ab ("net: qrtr: Implement outgoing flow control")
+Reported-by: syzbot+4436c9630a45820fda76@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=c14607f0963d27d5a3d5f4c8639b500909e43540
+Suggested-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230410012352.3997823-1-william.xuanziyang@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/qrtr/af_qrtr.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/qrtr/af_qrtr.c b/net/qrtr/af_qrtr.c
+index 6e88ba812d2a2..e0a27a404404f 100644
+--- a/net/qrtr/af_qrtr.c
++++ b/net/qrtr/af_qrtr.c
+@@ -498,6 +498,11 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
+ if (!size || len != ALIGN(size, 4) + hdrlen)
+ goto err;
+
++ if ((cb->type == QRTR_TYPE_NEW_SERVER ||
++ cb->type == QRTR_TYPE_RESUME_TX) &&
++ size < sizeof(struct qrtr_ctrl_pkt))
++ goto err;
++
+ if (cb->dst_port != QRTR_PORT_CTRL && cb->type != QRTR_TYPE_DATA &&
+ cb->type != QRTR_TYPE_RESUME_TX)
+ goto err;
+@@ -510,9 +515,6 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
+ /* Remote node endpoint can bridge other distant nodes */
+ const struct qrtr_ctrl_pkt *pkt;
+
+- if (size < sizeof(*pkt))
+- goto err;
+-
+ pkt = data + hdrlen;
+ qrtr_node_assign(node, le32_to_cpu(pkt->server.node));
+ }
+--
+2.39.2
+
--- /dev/null
+From 5876cb02a0473973d74327fd189cd51584372ac1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Apr 2023 23:31:18 -0700
+Subject: niu: Fix missing unwind goto in niu_alloc_channels()
+
+From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+
+[ Upstream commit 8ce07be703456acb00e83d99f3b8036252c33b02 ]
+
+Smatch reports: drivers/net/ethernet/sun/niu.c:4525
+ niu_alloc_channels() warn: missing unwind goto?
+
+If niu_rbr_fill() fails, then we are directly returning 'err' without
+freeing the channels.
+
+Fix this by changing direct return to a goto 'out_err'.
+
+Fixes: a3138df9f20e ("[NIU]: Add Sun Neptune ethernet driver.")
+Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sun/niu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c
+index a68a01d1b2b10..3fdc7c9824a39 100644
+--- a/drivers/net/ethernet/sun/niu.c
++++ b/drivers/net/ethernet/sun/niu.c
+@@ -4503,7 +4503,7 @@ static int niu_alloc_channels(struct niu *np)
+
+ err = niu_rbr_fill(np, rp, GFP_KERNEL);
+ if (err)
+- return err;
++ goto out_err;
+ }
+
+ tx_rings = kcalloc(num_tx_rings, sizeof(struct tx_ring_info),
+--
+2.39.2
+
--- /dev/null
+From 4ac05b075b911ea0f2402b9b24e21ab1b6ec1f0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Dec 2022 13:38:57 -0800
+Subject: power: supply: cros_usbpd: reclassify "default case!" as debug
+
+From: Grant Grundler <grundler@chromium.org>
+
+[ Upstream commit 14c76b2e75bca4d96e2b85a0c12aa43e84fe3f74 ]
+
+This doesn't need to be printed every second as an error:
+...
+<3>[17438.628385] cros-usbpd-charger cros-usbpd-charger.3.auto: Port 1: default case!
+<3>[17439.634176] cros-usbpd-charger cros-usbpd-charger.3.auto: Port 1: default case!
+<3>[17440.640298] cros-usbpd-charger cros-usbpd-charger.3.auto: Port 1: default case!
+...
+
+Reduce priority from ERROR to DEBUG.
+
+Signed-off-by: Grant Grundler <grundler@chromium.org>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/cros_usbpd-charger.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/cros_usbpd-charger.c b/drivers/power/supply/cros_usbpd-charger.c
+index d89e08efd2ad0..0a4f02e4ae7ba 100644
+--- a/drivers/power/supply/cros_usbpd-charger.c
++++ b/drivers/power/supply/cros_usbpd-charger.c
+@@ -276,7 +276,7 @@ static int cros_usbpd_charger_get_power_info(struct port_data *port)
+ port->psy_current_max = 0;
+ break;
+ default:
+- dev_err(dev, "Port %d: default case!\n", port->port_number);
++ dev_dbg(dev, "Port %d: default case!\n", port->port_number);
+ port->psy_usb_type = POWER_SUPPLY_USB_TYPE_SDP;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 5e2229e8b323c3df7f0465eb23963753bc13067b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Apr 2023 10:18:49 +0300
+Subject: qlcnic: check pci_reset_function result
+
+From: Denis Plotnikov <den-plotnikov@yandex-team.ru>
+
+[ Upstream commit 7573099e10ca69c3be33995c1fcd0d241226816d ]
+
+Static code analyzer complains to unchecked return value.
+The result of pci_reset_function() is unchecked.
+Despite, the issue is on the FLR supported code path and in that
+case reset can be done with pcie_flr(), the patch uses less invasive
+approach by adding the result check of pci_reset_function().
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 7e2cf4feba05 ("qlcnic: change driver hardware interface mechanism")
+Signed-off-by: Denis Plotnikov <den-plotnikov@yandex-team.ru>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c
+index 87f76bac2e463..eb827b86ecae8 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c
+@@ -628,7 +628,13 @@ int qlcnic_fw_create_ctx(struct qlcnic_adapter *dev)
+ int i, err, ring;
+
+ if (dev->flags & QLCNIC_NEED_FLR) {
+- pci_reset_function(dev->pdev);
++ err = pci_reset_function(dev->pdev);
++ if (err) {
++ dev_err(&dev->pdev->dev,
++ "Adapter reset failed (%d). Please reboot\n",
++ err);
++ return err;
++ }
+ dev->flags &= ~QLCNIC_NEED_FLR;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 313ab8f5b0c1079d388dd2b66c4af187849d9441 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 12:59:55 +0200
+Subject: RDMA/cma: Allow UD qp_type to join multicast only
+
+From: Mark Zhang <markzhang@nvidia.com>
+
+[ Upstream commit 58e84f6b3e84e46524b7e5a916b53c1ad798bc8f ]
+
+As for multicast:
+- The SIDR is the only mode that makes sense;
+- Besides PS_UDP, other port spaces like PS_IB is also allowed, as it is
+ UD compatible. In this case qkey also needs to be set [1].
+
+This patch allows only UD qp_type to join multicast, and set qkey to
+default if it's not set, to fix an uninit-value error: the ib->rec.qkey
+field is accessed without being initialized.
+
+=====================================================
+BUG: KMSAN: uninit-value in cma_set_qkey drivers/infiniband/core/cma.c:510 [inline]
+BUG: KMSAN: uninit-value in cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570
+ cma_set_qkey drivers/infiniband/core/cma.c:510 [inline]
+ cma_make_mc_event+0xb73/0xe00 drivers/infiniband/core/cma.c:4570
+ cma_iboe_join_multicast drivers/infiniband/core/cma.c:4782 [inline]
+ rdma_join_multicast+0x2b83/0x30a0 drivers/infiniband/core/cma.c:4814
+ ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479
+ ucma_join_multicast+0x1e3/0x250 drivers/infiniband/core/ucma.c:1546
+ ucma_write+0x639/0x6d0 drivers/infiniband/core/ucma.c:1732
+ vfs_write+0x8ce/0x2030 fs/read_write.c:588
+ ksys_write+0x28c/0x520 fs/read_write.c:643
+ __do_sys_write fs/read_write.c:655 [inline]
+ __se_sys_write fs/read_write.c:652 [inline]
+ __ia32_sys_write+0xdb/0x120 fs/read_write.c:652
+ do_syscall_32_irqs_on arch/x86/entry/common.c:114 [inline]
+ __do_fast_syscall_32+0x96/0xf0 arch/x86/entry/common.c:180
+ do_fast_syscall_32+0x34/0x70 arch/x86/entry/common.c:205
+ do_SYSENTER_32+0x1b/0x20 arch/x86/entry/common.c:248
+ entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
+
+Local variable ib.i created at:
+cma_iboe_join_multicast drivers/infiniband/core/cma.c:4737 [inline]
+rdma_join_multicast+0x586/0x30a0 drivers/infiniband/core/cma.c:4814
+ucma_process_join+0xa76/0xf60 drivers/infiniband/core/ucma.c:1479
+
+CPU: 0 PID: 29874 Comm: syz-executor.3 Not tainted 5.16.0-rc3-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+=====================================================
+
+[1] https://lore.kernel.org/linux-rdma/20220117183832.GD84788@nvidia.com/
+
+Fixes: b5de0c60cc30 ("RDMA/cma: Fix use after free race in roce multicast join")
+Reported-by: syzbot+8fcbb77276d43cc8b693@syzkaller.appspotmail.com
+Signed-off-by: Mark Zhang <markzhang@nvidia.com>
+Link: https://lore.kernel.org/r/58a4a98323b5e6b1282e83f6b76960d06e43b9fa.1679309909.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 60 ++++++++++++++++++++---------------
+ 1 file changed, 34 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index fd192104fd8d3..c66d8bf405854 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -496,22 +496,11 @@ static inline unsigned short cma_family(struct rdma_id_private *id_priv)
+ return id_priv->id.route.addr.src_addr.ss_family;
+ }
+
+-static int cma_set_qkey(struct rdma_id_private *id_priv, u32 qkey)
++static int cma_set_default_qkey(struct rdma_id_private *id_priv)
+ {
+ struct ib_sa_mcmember_rec rec;
+ int ret = 0;
+
+- if (id_priv->qkey) {
+- if (qkey && id_priv->qkey != qkey)
+- return -EINVAL;
+- return 0;
+- }
+-
+- if (qkey) {
+- id_priv->qkey = qkey;
+- return 0;
+- }
+-
+ switch (id_priv->id.ps) {
+ case RDMA_PS_UDP:
+ case RDMA_PS_IB:
+@@ -531,6 +520,16 @@ static int cma_set_qkey(struct rdma_id_private *id_priv, u32 qkey)
+ return ret;
+ }
+
++static int cma_set_qkey(struct rdma_id_private *id_priv, u32 qkey)
++{
++ if (!qkey ||
++ (id_priv->qkey && (id_priv->qkey != qkey)))
++ return -EINVAL;
++
++ id_priv->qkey = qkey;
++ return 0;
++}
++
+ static void cma_translate_ib(struct sockaddr_ib *sib, struct rdma_dev_addr *dev_addr)
+ {
+ dev_addr->dev_type = ARPHRD_INFINIBAND;
+@@ -1099,7 +1098,7 @@ static int cma_ib_init_qp_attr(struct rdma_id_private *id_priv,
+ *qp_attr_mask = IB_QP_STATE | IB_QP_PKEY_INDEX | IB_QP_PORT;
+
+ if (id_priv->id.qp_type == IB_QPT_UD) {
+- ret = cma_set_qkey(id_priv, 0);
++ ret = cma_set_default_qkey(id_priv);
+ if (ret)
+ return ret;
+
+@@ -4373,7 +4372,10 @@ static int cma_send_sidr_rep(struct rdma_id_private *id_priv,
+ memset(&rep, 0, sizeof rep);
+ rep.status = status;
+ if (status == IB_SIDR_SUCCESS) {
+- ret = cma_set_qkey(id_priv, qkey);
++ if (qkey)
++ ret = cma_set_qkey(id_priv, qkey);
++ else
++ ret = cma_set_default_qkey(id_priv);
+ if (ret)
+ return ret;
+ rep.qp_num = id_priv->qp_num;
+@@ -4578,9 +4580,7 @@ static void cma_make_mc_event(int status, struct rdma_id_private *id_priv,
+ enum ib_gid_type gid_type;
+ struct net_device *ndev;
+
+- if (!status)
+- status = cma_set_qkey(id_priv, be32_to_cpu(multicast->rec.qkey));
+- else
++ if (status)
+ pr_debug_ratelimited("RDMA CM: MULTICAST_ERROR: failed to join multicast. status %d\n",
+ status);
+
+@@ -4608,7 +4608,7 @@ static void cma_make_mc_event(int status, struct rdma_id_private *id_priv,
+ }
+
+ event->param.ud.qp_num = 0xFFFFFF;
+- event->param.ud.qkey = be32_to_cpu(multicast->rec.qkey);
++ event->param.ud.qkey = id_priv->qkey;
+
+ out:
+ if (ndev)
+@@ -4627,8 +4627,11 @@ static int cma_ib_mc_handler(int status, struct ib_sa_multicast *multicast)
+ READ_ONCE(id_priv->state) == RDMA_CM_DESTROYING)
+ goto out;
+
+- cma_make_mc_event(status, id_priv, multicast, &event, mc);
+- ret = cma_cm_event_handler(id_priv, &event);
++ ret = cma_set_qkey(id_priv, be32_to_cpu(multicast->rec.qkey));
++ if (!ret) {
++ cma_make_mc_event(status, id_priv, multicast, &event, mc);
++ ret = cma_cm_event_handler(id_priv, &event);
++ }
+ rdma_destroy_ah_attr(&event.param.ud.ah_attr);
+ WARN_ON(ret);
+
+@@ -4681,9 +4684,11 @@ static int cma_join_ib_multicast(struct rdma_id_private *id_priv,
+ if (ret)
+ return ret;
+
+- ret = cma_set_qkey(id_priv, 0);
+- if (ret)
+- return ret;
++ if (!id_priv->qkey) {
++ ret = cma_set_default_qkey(id_priv);
++ if (ret)
++ return ret;
++ }
+
+ cma_set_mgid(id_priv, (struct sockaddr *) &mc->addr, &rec.mgid);
+ rec.qkey = cpu_to_be32(id_priv->qkey);
+@@ -4760,9 +4765,6 @@ static int cma_iboe_join_multicast(struct rdma_id_private *id_priv,
+ cma_iboe_set_mgid(addr, &ib.rec.mgid, gid_type);
+
+ ib.rec.pkey = cpu_to_be16(0xffff);
+- if (id_priv->id.ps == RDMA_PS_UDP)
+- ib.rec.qkey = cpu_to_be32(RDMA_UDP_QKEY);
+-
+ if (dev_addr->bound_dev_if)
+ ndev = dev_get_by_index(dev_addr->net, dev_addr->bound_dev_if);
+ if (!ndev)
+@@ -4788,6 +4790,9 @@ static int cma_iboe_join_multicast(struct rdma_id_private *id_priv,
+ if (err || !ib.rec.mtu)
+ return err ?: -EINVAL;
+
++ if (!id_priv->qkey)
++ cma_set_default_qkey(id_priv);
++
+ rdma_ip2gid((struct sockaddr *)&id_priv->id.route.addr.src_addr,
+ &ib.rec.port_gid);
+ INIT_WORK(&mc->iboe_join.work, cma_iboe_join_work_handler);
+@@ -4813,6 +4818,9 @@ int rdma_join_multicast(struct rdma_cm_id *id, struct sockaddr *addr,
+ READ_ONCE(id_priv->state) != RDMA_CM_ADDR_RESOLVED))
+ return -EINVAL;
+
++ if (id_priv->id.qp_type != IB_QPT_UD)
++ return -EINVAL;
++
+ mc = kzalloc(sizeof(*mc), GFP_KERNEL);
+ if (!mc)
+ return -ENOMEM;
+--
+2.39.2
+
--- /dev/null
+From 1b517dbd246fd34dce7a261ee2239635c99e57ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Mar 2023 23:34:24 -0700
+Subject: RDMA/core: Fix GID entry ref leak when create_ah fails
+
+From: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
+
+[ Upstream commit aca3b0fa3d04b40c96934d86cc224cccfa7ea8e0 ]
+
+If AH create request fails, release sgid_attr to avoid GID entry
+referrence leak reported while releasing GID table
+
+Fixes: 1a1f460ff151 ("RDMA: Hold the sgid_attr inside the struct ib_ah/qp")
+Link: https://lore.kernel.org/r/20230401063424.342204-1-saravanan.vajravel@broadcom.com
+Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/verbs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
+index f0c07e4ba4388..cae013130eb1d 100644
+--- a/drivers/infiniband/core/verbs.c
++++ b/drivers/infiniband/core/verbs.c
+@@ -540,6 +540,8 @@ static struct ib_ah *_rdma_create_ah(struct ib_pd *pd,
+ else
+ ret = device->ops.create_ah(ah, &init_attr, NULL);
+ if (ret) {
++ if (ah->sgid_attr)
++ rdma_put_gid_attr(ah->sgid_attr);
+ kfree(ah);
+ return ERR_PTR(ret);
+ }
+--
+2.39.2
+
--- /dev/null
+From 56e17378079311385ae1fd8ca16d39d80ecd77d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 09:52:31 -0500
+Subject: RDMA/irdma: Add ipv4 check to irdma_find_listener()
+
+From: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
+
+[ Upstream commit e4522c097ec10f23ea0933e9e69d4fa9d8ae9441 ]
+
+Add ipv4 check to irdma_find_listener(). Otherwise the function
+incorrectly finds and returns a listener with a different addr family for
+the zero IP addr, if a listener with a zero IP addr and the same port as
+the one searched for has already been created.
+
+Fixes: 146b9756f14c ("RDMA/irdma: Add connection manager")
+Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20230315145231.931-5-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/cm.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/hw/irdma/cm.c b/drivers/infiniband/hw/irdma/cm.c
+index a8ec3d8f6e465..64d4bb0e9a12f 100644
+--- a/drivers/infiniband/hw/irdma/cm.c
++++ b/drivers/infiniband/hw/irdma/cm.c
+@@ -1458,13 +1458,15 @@ static int irdma_send_fin(struct irdma_cm_node *cm_node)
+ * irdma_find_listener - find a cm node listening on this addr-port pair
+ * @cm_core: cm's core
+ * @dst_addr: listener ip addr
++ * @ipv4: flag indicating IPv4 when true
+ * @dst_port: listener tcp port num
+ * @vlan_id: virtual LAN ID
+ * @listener_state: state to match with listen node's
+ */
+ static struct irdma_cm_listener *
+-irdma_find_listener(struct irdma_cm_core *cm_core, u32 *dst_addr, u16 dst_port,
+- u16 vlan_id, enum irdma_cm_listener_state listener_state)
++irdma_find_listener(struct irdma_cm_core *cm_core, u32 *dst_addr, bool ipv4,
++ u16 dst_port, u16 vlan_id,
++ enum irdma_cm_listener_state listener_state)
+ {
+ struct irdma_cm_listener *listen_node;
+ static const u32 ip_zero[4] = { 0, 0, 0, 0 };
+@@ -1477,7 +1479,7 @@ irdma_find_listener(struct irdma_cm_core *cm_core, u32 *dst_addr, u16 dst_port,
+ list_for_each_entry (listen_node, &cm_core->listen_list, list) {
+ memcpy(listen_addr, listen_node->loc_addr, sizeof(listen_addr));
+ listen_port = listen_node->loc_port;
+- if (listen_port != dst_port ||
++ if (listen_node->ipv4 != ipv4 || listen_port != dst_port ||
+ !(listener_state & listen_node->listener_state))
+ continue;
+ /* compare node pair, return node handle if a match */
+@@ -2899,9 +2901,10 @@ irdma_make_listen_node(struct irdma_cm_core *cm_core,
+ unsigned long flags;
+
+ /* cannot have multiple matching listeners */
+- listener = irdma_find_listener(cm_core, cm_info->loc_addr,
+- cm_info->loc_port, cm_info->vlan_id,
+- IRDMA_CM_LISTENER_EITHER_STATE);
++ listener =
++ irdma_find_listener(cm_core, cm_info->loc_addr, cm_info->ipv4,
++ cm_info->loc_port, cm_info->vlan_id,
++ IRDMA_CM_LISTENER_EITHER_STATE);
+ if (listener &&
+ listener->listener_state == IRDMA_CM_LISTENER_ACTIVE_STATE) {
+ refcount_dec(&listener->refcnt);
+@@ -3150,6 +3153,7 @@ void irdma_receive_ilq(struct irdma_sc_vsi *vsi, struct irdma_puda_buf *rbuf)
+
+ listener = irdma_find_listener(cm_core,
+ cm_info.loc_addr,
++ cm_info.ipv4,
+ cm_info.loc_port,
+ cm_info.vlan_id,
+ IRDMA_CM_LISTENER_ACTIVE_STATE);
+--
+2.39.2
+
--- /dev/null
+From 5b1cb3a003b3a5f323ccfd12b5b99e6e0ad4db0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 09:52:29 -0500
+Subject: RDMA/irdma: Fix memory leak of PBLE objects
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+[ Upstream commit b69a6979dbaa2453675fe9c71bdc2497fedb11f9 ]
+
+On rmmod of irdma, the PBLE object memory is not being freed. PBLE object
+memory are not statically pre-allocated at function initialization time
+unlike other HMC objects. PBLEs objects and the Segment Descriptors (SD)
+for it can be dynamically allocated during scale up and SD's remain
+allocated till function deinitialization.
+
+Fix this leak by adding IRDMA_HMC_IW_PBLE to the iw_hmc_obj_types[] table
+and skip pbles in irdma_create_hmc_obj but not in irdma_del_hmc_objects().
+
+Fixes: 44d9e52977a1 ("RDMA/irdma: Implement device initialization definitions")
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20230315145231.931-3-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/hw.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c
+index b918f80d2e2c6..3b070cb3c4da7 100644
+--- a/drivers/infiniband/hw/irdma/hw.c
++++ b/drivers/infiniband/hw/irdma/hw.c
+@@ -41,6 +41,7 @@ static enum irdma_hmc_rsrc_type iw_hmc_obj_types[] = {
+ IRDMA_HMC_IW_XFFL,
+ IRDMA_HMC_IW_Q1,
+ IRDMA_HMC_IW_Q1FL,
++ IRDMA_HMC_IW_PBLE,
+ IRDMA_HMC_IW_TIMER,
+ IRDMA_HMC_IW_FSIMC,
+ IRDMA_HMC_IW_FSIAV,
+@@ -829,6 +830,8 @@ irdma_create_hmc_objs(struct irdma_pci_f *rf, bool privileged, enum irdma_vers v
+ info.entry_type = rf->sd_type;
+
+ for (i = 0; i < IW_HMC_OBJ_TYPE_NUM; i++) {
++ if (iw_hmc_obj_types[i] == IRDMA_HMC_IW_PBLE)
++ continue;
+ if (dev->hmc_info->hmc_obj[iw_hmc_obj_types[i]].cnt) {
+ info.rsrc_type = iw_hmc_obj_types[i];
+ info.count = dev->hmc_info->hmc_obj[info.rsrc_type].cnt;
+--
+2.39.2
+
--- /dev/null
+From 5b27b71ee7ca4c7928939e66de4175d3fe61c4c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 09:52:30 -0500
+Subject: RDMA/irdma: Increase iWARP CM default rexmit count
+
+From: Mustafa Ismail <mustafa.ismail@intel.com>
+
+[ Upstream commit 8385a875c9eecc429b2f72970efcbb0e5cb5b547 ]
+
+When running perftest with large number of connections in iWARP mode, the
+passive side could be slow to respond. Increase the rexmit counter default
+to allow scaling connections.
+
+Fixes: 146b9756f14c ("RDMA/irdma: Add connection manager")
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Link: https://lore.kernel.org/r/20230315145231.931-4-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/irdma/cm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/irdma/cm.h b/drivers/infiniband/hw/irdma/cm.h
+index d03cd29333eab..2b0fb5a6b3001 100644
+--- a/drivers/infiniband/hw/irdma/cm.h
++++ b/drivers/infiniband/hw/irdma/cm.h
+@@ -41,7 +41,7 @@
+ #define TCP_OPTIONS_PADDING 3
+
+ #define IRDMA_DEFAULT_RETRYS 64
+-#define IRDMA_DEFAULT_RETRANS 8
++#define IRDMA_DEFAULT_RETRANS 32
+ #define IRDMA_DEFAULT_TTL 0x40
+ #define IRDMA_DEFAULT_RTT_VAR 6
+ #define IRDMA_DEFAULT_SS_THRESH 0x3fffffff
+--
+2.39.2
+
--- /dev/null
+From 65cbe99f081d93526561cb8d0e25677fc9c2863e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Apr 2023 15:43:30 -0400
+Subject: sctp: fix a potential overflow in sctp_ifwdtsn_skip
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 32832a2caf82663870126c5186cf8f86c8b2a649 ]
+
+Currently, when traversing ifwdtsn skips with _sctp_walk_ifwdtsn, it only
+checks the pos against the end of the chunk. However, the data left for
+the last pos may be < sizeof(struct sctp_ifwdtsn_skip), and dereference
+it as struct sctp_ifwdtsn_skip may cause coverflow.
+
+This patch fixes it by checking the pos against "the end of the chunk -
+sizeof(struct sctp_ifwdtsn_skip)" in sctp_ifwdtsn_skip, similar to
+sctp_fwdtsn_skip.
+
+Fixes: 0fc2ea922c8a ("sctp: implement validate_ftsn for sctp_stream_interleave")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://lore.kernel.org/r/2a71bffcd80b4f2c61fac6d344bb2f11c8fd74f7.1681155810.git.lucien.xin@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/stream_interleave.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sctp/stream_interleave.c b/net/sctp/stream_interleave.c
+index 6b13f737ebf2e..e3aad75cb11d9 100644
+--- a/net/sctp/stream_interleave.c
++++ b/net/sctp/stream_interleave.c
+@@ -1162,7 +1162,8 @@ static void sctp_generate_iftsn(struct sctp_outq *q, __u32 ctsn)
+
+ #define _sctp_walk_ifwdtsn(pos, chunk, end) \
+ for (pos = chunk->subh.ifwdtsn_hdr->skip; \
+- (void *)pos < (void *)chunk->subh.ifwdtsn_hdr->skip + (end); pos++)
++ (void *)pos <= (void *)chunk->subh.ifwdtsn_hdr->skip + (end) - \
++ sizeof(struct sctp_ifwdtsn_skip); pos++)
+
+ #define sctp_walk_ifwdtsn(pos, ch) \
+ _sctp_walk_ifwdtsn((pos), (ch), ntohs((ch)->chunk_hdr->length) - \
+--
+2.39.2
+
mtd-rawnand-stm32_fmc2-use-timings.mode-instead-of-checking-trc_min.patch
kvm-arm64-pmu-restore-the-guest-s-el0-event-counting-after-migration.patch
drm-i915-dsi-fix-dss-ctl-register-offsets-for-tgl.patch
+clk-sprd-set-max_register-according-to-mapping-range.patch
+rdma-irdma-fix-memory-leak-of-pble-objects.patch
+rdma-irdma-increase-iwarp-cm-default-rexmit-count.patch
+rdma-irdma-add-ipv4-check-to-irdma_find_listener.patch
+ib-mlx5-add-support-for-400g_8x-lane-speed.patch
+rdma-cma-allow-ud-qp_type-to-join-multicast-only.patch
+bpf-tcp-use-sock_gen_put-instead-of-sock_put-in-bpf_.patch
+9p-xen-fix-use-after-free-bug-in-xen_9pfs_front_remo.patch
+niu-fix-missing-unwind-goto-in-niu_alloc_channels.patch
+tcp-restrict-net.ipv4.tcp_app_win.patch
+drm-armada-fix-a-potential-double-free-in-an-error-h.patch
+qlcnic-check-pci_reset_function-result.patch
+net-qrtr-fix-an-uninit-variable-access-bug-in-qrtr_t.patch
+sctp-fix-a-potential-overflow-in-sctp_ifwdtsn_skip.patch
+rdma-core-fix-gid-entry-ref-leak-when-create_ah-fail.patch
+udp6-fix-potential-access-to-stale-information.patch
+net-macb-fix-a-memory-corruption-in-extended-buffer-.patch
+skbuff-fix-a-race-between-coalescing-and-releasing-s.patch
+libbpf-fix-single-line-struct-definition-output-in-b.patch
+arm-9290-1-uaccess-fix-kasan-false-positives.patch
+power-supply-cros_usbpd-reclassify-default-case-as-d.patch
+wifi-mwifiex-mark-of-related-data-as-maybe-unused.patch
+i2c-imx-lpi2c-clean-rx-tx-buffers-upon-new-message.patch
+i2c-hisi-avoid-redundant-interrupts.patch
+efi-sysfb_efi-add-quirk-for-lenovo-yoga-book-x91f-l.patch
+drm-panel-orientation-quirks-add-quirk-for-lenovo-yo.patch
+verify_pefile-relax-wrapper-length-check.patch
+asymmetric_keys-log-on-fatal-failures-in-pe-pkcs7.patch
+wifi-iwlwifi-mvm-fix-mvmtxq-stopped-handling.patch
+acpi-resource-add-medion-s17413-to-irq-override-quir.patch
--- /dev/null
+From 5a5c6517194ba30599087ac5a090d9771b94d495 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Apr 2023 17:03:53 +0800
+Subject: skbuff: Fix a race between coalescing and releasing SKBs
+
+From: Liang Chen <liangchen.linux@gmail.com>
+
+[ Upstream commit 0646dc31ca886693274df5749cd0c8c1eaaeb5ca ]
+
+Commit 1effe8ca4e34 ("skbuff: fix coalescing for page_pool fragment
+recycling") allowed coalescing to proceed with non page pool page and page
+pool page when @from is cloned, i.e.
+
+to->pp_recycle --> false
+from->pp_recycle --> true
+skb_cloned(from) --> true
+
+However, it actually requires skb_cloned(@from) to hold true until
+coalescing finishes in this situation. If the other cloned SKB is
+released while the merging is in process, from_shinfo->nr_frags will be
+set to 0 toward the end of the function, causing the increment of frag
+page _refcount to be unexpectedly skipped resulting in inconsistent
+reference counts. Later when SKB(@to) is released, it frees the page
+directly even though the page pool page is still in use, leading to
+use-after-free or double-free errors. So it should be prohibited.
+
+The double-free error message below prompted us to investigate:
+BUG: Bad page state in process swapper/1 pfn:0e0d1
+page:00000000c6548b28 refcount:-1 mapcount:0 mapping:0000000000000000
+index:0x2 pfn:0xe0d1
+flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)
+raw: 000fffffc0000000 0000000000000000 ffffffff00000101 0000000000000000
+raw: 0000000000000002 0000000000000000 ffffffffffffffff 0000000000000000
+page dumped because: nonzero _refcount
+
+CPU: 1 PID: 0 Comm: swapper/1 Tainted: G E 6.2.0+
+Call Trace:
+ <IRQ>
+dump_stack_lvl+0x32/0x50
+bad_page+0x69/0xf0
+free_pcp_prepare+0x260/0x2f0
+free_unref_page+0x20/0x1c0
+skb_release_data+0x10b/0x1a0
+napi_consume_skb+0x56/0x150
+net_rx_action+0xf0/0x350
+? __napi_schedule+0x79/0x90
+__do_softirq+0xc8/0x2b1
+__irq_exit_rcu+0xb9/0xf0
+common_interrupt+0x82/0xa0
+</IRQ>
+<TASK>
+asm_common_interrupt+0x22/0x40
+RIP: 0010:default_idle+0xb/0x20
+
+Fixes: 53e0961da1c7 ("page_pool: add frag page recycling support in page pool")
+Signed-off-by: Liang Chen <liangchen.linux@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230413090353.14448-1-liangchen.linux@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skbuff.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 2d3f82b622366..46cc3a7632f79 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -5397,18 +5397,18 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
+ if (skb_cloned(to))
+ return false;
+
+- /* In general, avoid mixing slab allocated and page_pool allocated
+- * pages within the same SKB. However when @to is not pp_recycle and
+- * @from is cloned, we can transition frag pages from page_pool to
+- * reference counted.
+- *
+- * On the other hand, don't allow coalescing two pp_recycle SKBs if
+- * @from is cloned, in case the SKB is using page_pool fragment
++ /* In general, avoid mixing page_pool and non-page_pool allocated
++ * pages within the same SKB. Additionally avoid dealing with clones
++ * with page_pool pages, in case the SKB is using page_pool fragment
+ * references (PP_FLAG_PAGE_FRAG). Since we only take full page
+ * references for cloned SKBs at the moment that would result in
+ * inconsistent reference counts.
++ * In theory we could take full references if @from is cloned and
++ * !@to->pp_recycle but its tricky (due to potential race with
++ * the clone disappearing) and rare, so not worth dealing with.
+ */
+- if (to->pp_recycle != (from->pp_recycle && !skb_cloned(from)))
++ if (to->pp_recycle != from->pp_recycle ||
++ (from->pp_recycle && skb_cloned(from)))
+ return false;
+
+ if (len <= skb_tailroom(to)) {
+--
+2.39.2
+
--- /dev/null
+From 98e43c75284e4ef314dd8ffcdc67e654d48f18c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Apr 2023 14:34:50 +0800
+Subject: tcp: restrict net.ipv4.tcp_app_win
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit dc5110c2d959c1707e12df5f792f41d90614adaa ]
+
+UBSAN: shift-out-of-bounds in net/ipv4/tcp_input.c:555:23
+shift exponent 255 is too large for 32-bit type 'int'
+CPU: 1 PID: 7907 Comm: ssh Not tainted 6.3.0-rc4-00161-g62bad54b26db-dirty #206
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x136/0x150
+ __ubsan_handle_shift_out_of_bounds+0x21f/0x5a0
+ tcp_init_transfer.cold+0x3a/0xb9
+ tcp_finish_connect+0x1d0/0x620
+ tcp_rcv_state_process+0xd78/0x4d60
+ tcp_v4_do_rcv+0x33d/0x9d0
+ __release_sock+0x133/0x3b0
+ release_sock+0x58/0x1b0
+
+'maxwin' is int, shifting int for 32 or more bits is undefined behaviour.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/networking/ip-sysctl.rst | 2 ++
+ net/ipv4/sysctl_net_ipv4.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
+index ba0e8e6337c0a..7890b395e629b 100644
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -322,6 +322,8 @@ tcp_app_win - INTEGER
+ Reserve max(window/2^tcp_app_win, mss) of window for application
+ buffer. Value 0 is special, it means that nothing is reserved.
+
++ Possible values are [0, 31], inclusive.
++
+ Default: 31
+
+ tcp_autocorking - BOOLEAN
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 495c58e442e2a..1f22e72074fdc 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -38,6 +38,7 @@ static int ip_local_port_range_min[] = { 1, 1 };
+ static int ip_local_port_range_max[] = { 65535, 65535 };
+ static int tcp_adv_win_scale_min = -31;
+ static int tcp_adv_win_scale_max = 31;
++static int tcp_app_win_max = 31;
+ static int tcp_min_snd_mss_min = TCP_MIN_SND_MSS;
+ static int tcp_min_snd_mss_max = 65535;
+ static int ip_privileged_port_min;
+@@ -1168,6 +1169,8 @@ static struct ctl_table ipv4_net_table[] = {
+ .maxlen = sizeof(u8),
+ .mode = 0644,
+ .proc_handler = proc_dou8vec_minmax,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = &tcp_app_win_max,
+ },
+ {
+ .procname = "tcp_adv_win_scale",
+--
+2.39.2
+
--- /dev/null
+From 6f9f1ec01cacd407756d805c12e11e8dccd024a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Apr 2023 13:03:08 +0000
+Subject: udp6: fix potential access to stale information
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 1c5950fc6fe996235f1d18539b9c6b64b597f50f ]
+
+lena wang reported an issue caused by udpv6_sendmsg()
+mangling msg->msg_name and msg->msg_namelen, which
+are later read from ____sys_sendmsg() :
+
+ /*
+ * If this is sendmmsg() and sending to current destination address was
+ * successful, remember it.
+ */
+ if (used_address && err >= 0) {
+ used_address->name_len = msg_sys->msg_namelen;
+ if (msg_sys->msg_name)
+ memcpy(&used_address->name, msg_sys->msg_name,
+ used_address->name_len);
+ }
+
+udpv6_sendmsg() wants to pretend the remote address family
+is AF_INET in order to call udp_sendmsg().
+
+A fix would be to modify the address in-place, instead
+of using a local variable, but this could have other side effects.
+
+Instead, restore initial values before we return from udpv6_sendmsg().
+
+Fixes: c71d8ebe7a44 ("net: Fix security_socket_sendmsg() bypass problem.")
+Reported-by: lena wang <lena.wang@mediatek.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Maciej Żenczykowski <maze@google.com>
+Link: https://lore.kernel.org/r/20230412130308.1202254-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/udp.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 9dfb4bb54344b..921129c3df8ad 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1359,9 +1359,11 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ msg->msg_name = &sin;
+ msg->msg_namelen = sizeof(sin);
+ do_udp_sendmsg:
+- if (__ipv6_only_sock(sk))
+- return -ENETUNREACH;
+- return udp_sendmsg(sk, msg, len);
++ err = __ipv6_only_sock(sk) ?
++ -ENETUNREACH : udp_sendmsg(sk, msg, len);
++ msg->msg_name = sin6;
++ msg->msg_namelen = addr_len;
++ return err;
+ }
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 6a7aa16f271601d48daeedc97b744b0ab86a0d05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Feb 2023 12:12:53 -0500
+Subject: verify_pefile: relax wrapper length check
+
+From: Robbie Harwood <rharwood@redhat.com>
+
+[ Upstream commit 4fc5c74dde69a7eda172514aaeb5a7df3600adb3 ]
+
+The PE Format Specification (section "The Attribute Certificate Table
+(Image Only)") states that `dwLength` is to be rounded up to 8-byte
+alignment when used for traversal. Therefore, the field is not required
+to be an 8-byte multiple in the first place.
+
+Accordingly, pesign has not performed this alignment since version
+0.110. This causes kexec failure on pesign'd binaries with "PEFILE:
+Signature wrapper len wrong". Update the comment and relax the check.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Jarkko Sakkinen <jarkko@kernel.org>
+cc: Eric Biederman <ebiederm@xmission.com>
+cc: Herbert Xu <herbert@gondor.apana.org.au>
+cc: keyrings@vger.kernel.org
+cc: linux-crypto@vger.kernel.org
+cc: kexec@lists.infradead.org
+Link: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#the-attribute-certificate-table-image-only
+Link: https://github.com/rhboot/pesign
+Link: https://lore.kernel.org/r/20230220171254.592347-2-rharwood@redhat.com/ # v2
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/asymmetric_keys/verify_pefile.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
+index 7553ab18db898..fe1bb374239d7 100644
+--- a/crypto/asymmetric_keys/verify_pefile.c
++++ b/crypto/asymmetric_keys/verify_pefile.c
+@@ -135,11 +135,15 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ pr_debug("sig wrapper = { %x, %x, %x }\n",
+ wrapper.length, wrapper.revision, wrapper.cert_type);
+
+- /* Both pesign and sbsign round up the length of certificate table
+- * (in optional header data directories) to 8 byte alignment.
++ /* sbsign rounds up the length of certificate table (in optional
++ * header data directories) to 8 byte alignment. However, the PE
++ * specification states that while entries are 8-byte aligned, this is
++ * not included in their length, and as a result, pesign has not
++ * rounded up since 0.110.
+ */
+- if (round_up(wrapper.length, 8) != ctx->sig_len) {
+- pr_debug("Signature wrapper len wrong\n");
++ if (wrapper.length > ctx->sig_len) {
++ pr_debug("Signature wrapper bigger than sig len (%x > %x)\n",
++ ctx->sig_len, wrapper.length);
+ return -ELIBBAD;
+ }
+ if (wrapper.revision != WIN_CERT_REVISION_2_0) {
+--
+2.39.2
+
--- /dev/null
+From 82c7798f3036663f48fbf900d38e9375b658401d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Mar 2023 10:53:24 +0100
+Subject: wifi: iwlwifi: mvm: fix mvmtxq->stopped handling
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit b58e3d4311b54b6dd0e37165277965da0c9eb21d ]
+
+This could race if the queue is redirected while full, then
+the flushing internally would start it while it's not yet
+usable again. Fix it by using two state bits instead of just
+one.
+
+Reviewed-by: Benjamin Berg <benjamin.berg@intel.com>
+Tested-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 5 ++++-
+ drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 4 +++-
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 5 ++++-
+ drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 4 ++--
+ 4 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+index 56c7a68a6491c..fa7de3e47b8cc 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -820,7 +820,10 @@ void iwl_mvm_mac_itxq_xmit(struct ieee80211_hw *hw, struct ieee80211_txq *txq)
+
+ rcu_read_lock();
+ do {
+- while (likely(!mvmtxq->stopped &&
++ while (likely(!test_bit(IWL_MVM_TXQ_STATE_STOP_FULL,
++ &mvmtxq->state) &&
++ !test_bit(IWL_MVM_TXQ_STATE_STOP_REDIRECT,
++ &mvmtxq->state) &&
+ !test_bit(IWL_MVM_STATUS_IN_D3, &mvm->status))) {
+ skb = ieee80211_tx_dequeue(hw, txq);
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+index 46af8dd2dc930..6b59425dbdb19 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+@@ -727,7 +727,9 @@ struct iwl_mvm_txq {
+ struct list_head list;
+ u16 txq_id;
+ atomic_t tx_request;
+- bool stopped;
++#define IWL_MVM_TXQ_STATE_STOP_FULL 0
++#define IWL_MVM_TXQ_STATE_STOP_REDIRECT 1
++ unsigned long state;
+ };
+
+ static inline struct iwl_mvm_txq *
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+index eeb81808db088..3ee4b3ecd0c82 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -1304,7 +1304,10 @@ static void iwl_mvm_queue_state_change(struct iwl_op_mode *op_mode,
+
+ txq = sta->txq[tid];
+ mvmtxq = iwl_mvm_txq_from_mac80211(txq);
+- mvmtxq->stopped = !start;
++ if (start)
++ clear_bit(IWL_MVM_TXQ_STATE_STOP_FULL, &mvmtxq->state);
++ else
++ set_bit(IWL_MVM_TXQ_STATE_STOP_FULL, &mvmtxq->state);
+
+ if (start && mvmsta->sta_state != IEEE80211_STA_NOTEXIST)
+ iwl_mvm_mac_itxq_xmit(mvm->hw, txq);
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+index 1bb456daff9e9..45dfee3ad8c60 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+@@ -640,7 +640,7 @@ static int iwl_mvm_redirect_queue(struct iwl_mvm *mvm, int queue, int tid,
+ queue, iwl_mvm_ac_to_tx_fifo[ac]);
+
+ /* Stop the queue and wait for it to empty */
+- txq->stopped = true;
++ set_bit(IWL_MVM_TXQ_STATE_STOP_REDIRECT, &txq->state);
+
+ ret = iwl_trans_wait_tx_queues_empty(mvm->trans, BIT(queue));
+ if (ret) {
+@@ -683,7 +683,7 @@ static int iwl_mvm_redirect_queue(struct iwl_mvm *mvm, int queue, int tid,
+
+ out:
+ /* Continue using the queue */
+- txq->stopped = false;
++ clear_bit(IWL_MVM_TXQ_STATE_STOP_REDIRECT, &txq->state);
+
+ return ret;
+ }
+--
+2.39.2
+
--- /dev/null
+From 2a1b9b411a72a30d18e053abf3b234698ea40239 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Mar 2023 14:25:23 +0100
+Subject: wifi: mwifiex: mark OF related data as maybe unused
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 139f6973bf140c65d4d1d4bde5485badb4454d7a ]
+
+The driver can be compile tested with !CONFIG_OF making certain data
+unused:
+
+ drivers/net/wireless/marvell/mwifiex/sdio.c:498:34: error: ‘mwifiex_sdio_of_match_table’ defined but not used [-Werror=unused-const-variable=]
+ drivers/net/wireless/marvell/mwifiex/pcie.c:175:34: error: ‘mwifiex_pcie_of_match_table’ defined but not used [-Werror=unused-const-variable=]
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230312132523.352182-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/pcie.c | 2 +-
+ drivers/net/wireless/marvell/mwifiex/sdio.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c
+index d5fb29400bad5..94a6bbcae2d38 100644
+--- a/drivers/net/wireless/marvell/mwifiex/pcie.c
++++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
+@@ -184,7 +184,7 @@ static const struct mwifiex_pcie_device mwifiex_pcie8997 = {
+ .can_ext_scan = true,
+ };
+
+-static const struct of_device_id mwifiex_pcie_of_match_table[] = {
++static const struct of_device_id mwifiex_pcie_of_match_table[] __maybe_unused = {
+ { .compatible = "pci11ab,2b42" },
+ { .compatible = "pci1b4b,2b42" },
+ { }
+diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.c b/drivers/net/wireless/marvell/mwifiex/sdio.c
+index 7fb6eef409285..b09e60fedeb16 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sdio.c
++++ b/drivers/net/wireless/marvell/mwifiex/sdio.c
+@@ -484,7 +484,7 @@ static struct memory_type_mapping mem_type_mapping_tbl[] = {
+ {"EXTLAST", NULL, 0, 0xFE},
+ };
+
+-static const struct of_device_id mwifiex_sdio_of_match_table[] = {
++static const struct of_device_id mwifiex_sdio_of_match_table[] __maybe_unused = {
+ { .compatible = "marvell,sd8787" },
+ { .compatible = "marvell,sd8897" },
+ { .compatible = "marvell,sd8997" },
+--
+2.39.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
