--- /dev/null
+From 3a3830859ff29d240c6bf25fb09c91292f1fb816 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Feb 2023 17:14:11 +0800
+Subject: ARM: dts: rockchip: fix a typo error for rk3288 spdif node
+
+From: Jianqun Xu <jay.xu@rock-chips.com>
+
+[ Upstream commit 02c84f91adb9a64b75ec97d772675c02a3e65ed7 ]
+
+Fix the address in the spdif node name.
+
+Fixes: 874e568e500a ("ARM: dts: rockchip: Add SPDIF transceiver for RK3288")
+Signed-off-by: Jianqun Xu <jay.xu@rock-chips.com>
+Reviewed-by: Sjoerd Simons <sjoerd@collabora.com>
+Link: https://lore.kernel.org/r/20230208091411.1603142-1-jay.xu@rock-chips.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/rk3288.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/rk3288.dtsi b/arch/arm/boot/dts/rk3288.dtsi
+index 402b5e0fd616c..4de88ded6d9a1 100644
+--- a/arch/arm/boot/dts/rk3288.dtsi
++++ b/arch/arm/boot/dts/rk3288.dtsi
+@@ -924,7 +924,7 @@
+ status = "disabled";
+ };
+
+- spdif: sound@ff88b0000 {
++ spdif: sound@ff8b0000 {
+ compatible = "rockchip,rk3288-spdif", "rockchip,rk3066-spdif";
+ reg = <0x0 0xff8b0000 0x0 0x10000>;
+ #sound-dai-cells = <0>;
+--
+2.39.2
+
--- /dev/null
+From 1578d77b0c94d6980cea6e3fe7481340e8f70944 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Apr 2023 13:53:45 -0700
+Subject: e1000e: Disable TSO on i219-LM card to increase speed
+
+From: Sebastian Basierski <sebastianx.basierski@intel.com>
+
+[ Upstream commit 67d47b95119ad589b0a0b16b88b1dd9a04061ced ]
+
+While using i219-LM card currently it was only possible to achieve
+about 60% of maximum speed due to regression introduced in Linux 5.8.
+This was caused by TSO not being disabled by default despite commit
+f29801030ac6 ("e1000e: Disable TSO for buffer overrun workaround").
+Fix that by disabling TSO during driver probe.
+
+Fixes: f29801030ac6 ("e1000e: Disable TSO for buffer overrun workaround")
+Signed-off-by: Sebastian Basierski <sebastianx.basierski@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230417205345.1030801-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 51 +++++++++++-----------
+ 1 file changed, 26 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
+index 0629f87a20be7..202f734f8733b 100644
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -5230,31 +5230,6 @@ static void e1000_watchdog_task(struct work_struct *work)
+ ew32(TARC(0), tarc0);
+ }
+
+- /* disable TSO for pcie and 10/100 speeds, to avoid
+- * some hardware issues
+- */
+- if (!(adapter->flags & FLAG_TSO_FORCE)) {
+- switch (adapter->link_speed) {
+- case SPEED_10:
+- case SPEED_100:
+- e_info("10/100 speed: disabling TSO\n");
+- netdev->features &= ~NETIF_F_TSO;
+- netdev->features &= ~NETIF_F_TSO6;
+- break;
+- case SPEED_1000:
+- netdev->features |= NETIF_F_TSO;
+- netdev->features |= NETIF_F_TSO6;
+- break;
+- default:
+- /* oops */
+- break;
+- }
+- if (hw->mac.type == e1000_pch_spt) {
+- netdev->features &= ~NETIF_F_TSO;
+- netdev->features &= ~NETIF_F_TSO6;
+- }
+- }
+-
+ /* enable transmits in the hardware, need to do this
+ * after setting TARC(0)
+ */
+@@ -7191,6 +7166,32 @@ static int e1000_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ NETIF_F_RXCSUM |
+ NETIF_F_HW_CSUM);
+
++ /* disable TSO for pcie and 10/100 speeds to avoid
++ * some hardware issues and for i219 to fix transfer
++ * speed being capped at 60%
++ */
++ if (!(adapter->flags & FLAG_TSO_FORCE)) {
++ switch (adapter->link_speed) {
++ case SPEED_10:
++ case SPEED_100:
++ e_info("10/100 speed: disabling TSO\n");
++ netdev->features &= ~NETIF_F_TSO;
++ netdev->features &= ~NETIF_F_TSO6;
++ break;
++ case SPEED_1000:
++ netdev->features |= NETIF_F_TSO;
++ netdev->features |= NETIF_F_TSO6;
++ break;
++ default:
++ /* oops */
++ break;
++ }
++ if (hw->mac.type == e1000_pch_spt) {
++ netdev->features &= ~NETIF_F_TSO;
++ netdev->features &= ~NETIF_F_TSO6;
++ }
++ }
++
+ /* Set user-changeable features (subset of all device features) */
+ netdev->hw_features = netdev->features;
+ netdev->hw_features |= NETIF_F_RXFCS;
+--
+2.39.2
+
--- /dev/null
+From c86e99ef159492ca661478d5787d00e1e3a53569 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 12:25:49 +0000
+Subject: f2fs: Fix f2fs_truncate_partial_nodes ftrace event
+
+From: Douglas Raillard <douglas.raillard@arm.com>
+
+[ Upstream commit 0b04d4c0542e8573a837b1d81b94209e48723b25 ]
+
+Fix the nid_t field so that its size is correctly reported in the text
+format embedded in trace.dat files. As it stands, it is reported as
+being of size 4:
+
+ field:nid_t nid[3]; offset:24; size:4; signed:0;
+
+Instead of 12:
+
+ field:nid_t nid[3]; offset:24; size:12; signed:0;
+
+This also fixes the reported offset of subsequent fields so that they
+match with the actual struct layout.
+
+Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
+Reviewed-by: Mukesh Ojha <quic_mojha@quicinc.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/f2fs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/trace/events/f2fs.h b/include/trace/events/f2fs.h
+index 52e6456bdb922..098d6dff20bef 100644
+--- a/include/trace/events/f2fs.h
++++ b/include/trace/events/f2fs.h
+@@ -498,7 +498,7 @@ TRACE_EVENT(f2fs_truncate_partial_nodes,
+ TP_STRUCT__entry(
+ __field(dev_t, dev)
+ __field(ino_t, ino)
+- __field(nid_t, nid[3])
++ __array(nid_t, nid, 3)
+ __field(int, depth)
+ __field(int, err)
+ ),
+--
+2.39.2
+
--- /dev/null
+From 52bfe236441163191a3c3787bb86897bbd118b8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Mar 2023 18:16:38 +0100
+Subject: i40e: fix accessing vsi->active_filters without holding lock
+
+From: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+
+[ Upstream commit 8485d093b076e59baff424552e8aecfc5bd2d261 ]
+
+Fix accessing vsi->active_filters without holding the mac_filter_hash_lock.
+Move vsi->active_filters = 0 inside critical section and
+move clear_bit(__I40E_VSI_OVERFLOW_PROMISC, vsi->state) after the critical
+section to ensure the new filters from other threads can be added only after
+filters cleaning in the critical section is finished.
+
+Fixes: 278e7d0b9d68 ("i40e: store MAC/VLAN filters in a hash with the MAC Address as key")
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 795f8fe2570e4..3f8c37660e860 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -12484,15 +12484,15 @@ static int i40e_add_vsi(struct i40e_vsi *vsi)
+ vsi->id = ctxt.vsi_number;
+ }
+
+- vsi->active_filters = 0;
+- clear_bit(__I40E_VSI_OVERFLOW_PROMISC, vsi->state);
+ spin_lock_bh(&vsi->mac_filter_hash_lock);
++ vsi->active_filters = 0;
+ /* If macvlan filters already exist, force them to get loaded */
+ hash_for_each_safe(vsi->mac_filter_hash, bkt, h, f, hlist) {
+ f->state = I40E_FILTER_NEW;
+ f_count++;
+ }
+ spin_unlock_bh(&vsi->mac_filter_hash_lock);
++ clear_bit(__I40E_VSI_OVERFLOW_PROMISC, vsi->state);
+
+ if (f_count) {
+ vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED;
+--
+2.39.2
+
--- /dev/null
+From 54587212b392217c96a8e4c976ae094b1ff26d6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Apr 2023 07:13:18 +0200
+Subject: i40e: fix i40e_setup_misc_vector() error handling
+
+From: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+
+[ Upstream commit c86c00c6935505929cc9adb29ddb85e48c71f828 ]
+
+Add error handling of i40e_setup_misc_vector() in i40e_rebuild().
+In case interrupt vectors setup fails do not re-open vsi-s and
+do not bring up vf-s, we have no interrupts to serve a traffic
+anyway.
+
+Fixes: 41c445ff0f48 ("i40e: main driver core")
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 3f8c37660e860..a908720535ceb 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -9702,8 +9702,11 @@ static void i40e_rebuild(struct i40e_pf *pf, bool reinit, bool lock_acquired)
+ pf->hw.aq.asq_last_status));
+ }
+ /* reinit the misc interrupt */
+- if (pf->flags & I40E_FLAG_MSIX_ENABLED)
++ if (pf->flags & I40E_FLAG_MSIX_ENABLED) {
+ ret = i40e_setup_misc_vector(pf);
++ if (ret)
++ goto end_unlock;
++ }
+
+ /* Add a filter to drop all Flow control frames from any VSI from being
+ * transmitted. By doing so we stop a malicious VF from sending out
+--
+2.39.2
+
--- /dev/null
+From e56a419eab766bd7d45476197d2e63e5ffe1a1a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Mar 2023 03:19:51 -0700
+Subject: Input: i8042 - add quirk for Fujitsu Lifebook A574/H
+
+From: Jonathan Denose <jdenose@chromium.org>
+
+[ Upstream commit f5bad62f9107b701a6def7cac1f5f65862219b83 ]
+
+Fujitsu Lifebook A574/H requires the nomux option to properly
+probe the touchpad, especially when waking from sleep.
+
+Signed-off-by: Jonathan Denose <jdenose@google.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20230303152623.45859-1-jdenose@google.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/serio/i8042-x86ia64io.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/input/serio/i8042-x86ia64io.h b/drivers/input/serio/i8042-x86ia64io.h
+index b2ab20c16cc77..da2bf8259330e 100644
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -605,6 +605,14 @@ static const struct dmi_system_id i8042_dmi_quirk_table[] __initconst = {
+ },
+ .driver_data = (void *)(SERIO_QUIRK_NOMUX)
+ },
++ {
++ /* Fujitsu Lifebook A574/H */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "FUJITSU"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "FMVA0501PZ"),
++ },
++ .driver_data = (void *)(SERIO_QUIRK_NOMUX)
++ },
+ {
+ /* Gigabyte M912 */
+ .matches = {
+--
+2.39.2
+
--- /dev/null
+From 7eaab0b4d874b86f840207750b6fe301e6bb464f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Apr 2023 05:07:18 -0700
+Subject: mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit c0e73276f0fcbbd3d4736ba975d7dc7a48791b0c ]
+
+Function mlxfw_mfa2_tlv_multi_get() returns NULL if 'tlv' in
+question does not pass checks in mlxfw_mfa2_tlv_payload_get(). This
+behaviour may lead to NULL pointer dereference in 'multi->total_len'.
+Fix this issue by testing mlxfw_mfa2_tlv_multi_get()'s return value
+against NULL.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 410ed13cae39 ("Add the mlxfw module for Mellanox firmware flash process")
+Co-developed-by: Natalia Petrova <n.petrova@fintech.ru>
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://lore.kernel.org/r/20230417120718.52325-1-n.zhandarovich@fintech.ru
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c
+index 0094b92a233ba..31c0d6ee81b16 100644
+--- a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c
++++ b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_mfa2_tlv_multi.c
+@@ -62,6 +62,8 @@ mlxfw_mfa2_tlv_next(const struct mlxfw_mfa2_file *mfa2_file,
+
+ if (tlv->type == MLXFW_MFA2_TLV_MULTI_PART) {
+ multi = mlxfw_mfa2_tlv_multi_get(mfa2_file, tlv);
++ if (!multi)
++ return NULL;
+ tlv_len = NLA_ALIGN(tlv_len + be16_to_cpu(multi->total_len));
+ }
+
+--
+2.39.2
+
--- /dev/null
+From c5a75cadabb0d434491e1201b36227bdc1101b94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Mar 2023 20:48:41 +0100
+Subject: net: dsa: b53: mmap: add phy ops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 45977e58ce65ed0459edc9a0466d9dfea09463f5 ]
+
+Implement phy_read16() and phy_write16() ops for B53 MMAP to avoid accessing
+B53_PORT_MII_PAGE registers which hangs the device.
+This access should be done through the MDIO Mux bus controller.
+
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_mmap.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_mmap.c b/drivers/net/dsa/b53/b53_mmap.c
+index c628d0980c0b1..1d52cb3e46d52 100644
+--- a/drivers/net/dsa/b53/b53_mmap.c
++++ b/drivers/net/dsa/b53/b53_mmap.c
+@@ -215,6 +215,18 @@ static int b53_mmap_write64(struct b53_device *dev, u8 page, u8 reg,
+ return 0;
+ }
+
++static int b53_mmap_phy_read16(struct b53_device *dev, int addr, int reg,
++ u16 *value)
++{
++ return -EIO;
++}
++
++static int b53_mmap_phy_write16(struct b53_device *dev, int addr, int reg,
++ u16 value)
++{
++ return -EIO;
++}
++
+ static const struct b53_io_ops b53_mmap_ops = {
+ .read8 = b53_mmap_read8,
+ .read16 = b53_mmap_read16,
+@@ -226,6 +238,8 @@ static const struct b53_io_ops b53_mmap_ops = {
+ .write32 = b53_mmap_write32,
+ .write48 = b53_mmap_write48,
+ .write64 = b53_mmap_write64,
++ .phy_read16 = b53_mmap_phy_read16,
++ .phy_write16 = b53_mmap_phy_write16,
+ };
+
+ static int b53_mmap_probe(struct platform_device *pdev)
+--
+2.39.2
+
--- /dev/null
+From 59aedad9a246bffe340cf6df22ff2c669f2b4275 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Apr 2023 19:35:54 +0900
+Subject: net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg
+
+From: Gwangun Jung <exsociety@gmail.com>
+
+[ Upstream commit 3037933448f60f9acb705997eae62013ecb81e0d ]
+
+If the TCA_QFQ_LMAX value is not offered through nlattr, lmax is determined by the MTU value of the network device.
+The MTU of the loopback device can be set up to 2^31-1.
+As a result, it is possible to have an lmax value that exceeds QFQ_MIN_LMAX.
+
+Due to the invalid lmax value, an index is generated that exceeds the QFQ_MAX_INDEX(=24) value, causing out-of-bounds read/write errors.
+
+The following reports a oob access:
+
+[ 84.582666] BUG: KASAN: slab-out-of-bounds in qfq_activate_agg.constprop.0 (net/sched/sch_qfq.c:1027 net/sched/sch_qfq.c:1060 net/sched/sch_qfq.c:1313)
+[ 84.583267] Read of size 4 at addr ffff88810f676948 by task ping/301
+[ 84.583686]
+[ 84.583797] CPU: 3 PID: 301 Comm: ping Not tainted 6.3.0-rc5 #1
+[ 84.584164] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+[ 84.584644] Call Trace:
+[ 84.584787] <TASK>
+[ 84.584906] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
+[ 84.585108] print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)
+[ 84.585570] kasan_report (mm/kasan/report.c:538)
+[ 84.585988] qfq_activate_agg.constprop.0 (net/sched/sch_qfq.c:1027 net/sched/sch_qfq.c:1060 net/sched/sch_qfq.c:1313)
+[ 84.586599] qfq_enqueue (net/sched/sch_qfq.c:1255)
+[ 84.587607] dev_qdisc_enqueue (net/core/dev.c:3776)
+[ 84.587749] __dev_queue_xmit (./include/net/sch_generic.h:186 net/core/dev.c:3865 net/core/dev.c:4212)
+[ 84.588763] ip_finish_output2 (./include/net/neighbour.h:546 net/ipv4/ip_output.c:228)
+[ 84.589460] ip_output (net/ipv4/ip_output.c:430)
+[ 84.590132] ip_push_pending_frames (./include/net/dst.h:444 net/ipv4/ip_output.c:126 net/ipv4/ip_output.c:1586 net/ipv4/ip_output.c:1606)
+[ 84.590285] raw_sendmsg (net/ipv4/raw.c:649)
+[ 84.591960] sock_sendmsg (net/socket.c:724 net/socket.c:747)
+[ 84.592084] __sys_sendto (net/socket.c:2142)
+[ 84.593306] __x64_sys_sendto (net/socket.c:2150)
+[ 84.593779] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
+[ 84.593902] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+[ 84.594070] RIP: 0033:0x7fe568032066
+[ 84.594192] Code: 0e 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c09[ 84.594796] RSP: 002b:00007ffce388b4e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+
+Code starting with the faulting instruction
+===========================================
+[ 84.595047] RAX: ffffffffffffffda RBX: 00007ffce388cc70 RCX: 00007fe568032066
+[ 84.595281] RDX: 0000000000000040 RSI: 00005605fdad6d10 RDI: 0000000000000003
+[ 84.595515] RBP: 00005605fdad6d10 R08: 00007ffce388eeec R09: 0000000000000010
+[ 84.595749] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
+[ 84.595984] R13: 00007ffce388cc30 R14: 00007ffce388b4f0 R15: 0000001d00000001
+[ 84.596218] </TASK>
+[ 84.596295]
+[ 84.596351] Allocated by task 291:
+[ 84.596467] kasan_save_stack (mm/kasan/common.c:46)
+[ 84.596597] kasan_set_track (mm/kasan/common.c:52)
+[ 84.596725] __kasan_kmalloc (mm/kasan/common.c:384)
+[ 84.596852] __kmalloc_node (./include/linux/kasan.h:196 mm/slab_common.c:967 mm/slab_common.c:974)
+[ 84.596979] qdisc_alloc (./include/linux/slab.h:610 ./include/linux/slab.h:731 net/sched/sch_generic.c:938)
+[ 84.597100] qdisc_create (net/sched/sch_api.c:1244)
+[ 84.597222] tc_modify_qdisc (net/sched/sch_api.c:1680)
+[ 84.597357] rtnetlink_rcv_msg (net/core/rtnetlink.c:6174)
+[ 84.597495] netlink_rcv_skb (net/netlink/af_netlink.c:2574)
+[ 84.597627] netlink_unicast (net/netlink/af_netlink.c:1340 net/netlink/af_netlink.c:1365)
+[ 84.597759] netlink_sendmsg (net/netlink/af_netlink.c:1942)
+[ 84.597891] sock_sendmsg (net/socket.c:724 net/socket.c:747)
+[ 84.598016] ____sys_sendmsg (net/socket.c:2501)
+[ 84.598147] ___sys_sendmsg (net/socket.c:2557)
+[ 84.598275] __sys_sendmsg (./include/linux/file.h:31 net/socket.c:2586)
+[ 84.598399] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
+[ 84.598520] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+[ 84.598688]
+[ 84.598744] The buggy address belongs to the object at ffff88810f674000
+[ 84.598744] which belongs to the cache kmalloc-8k of size 8192
+[ 84.599135] The buggy address is located 2664 bytes to the right of
+[ 84.599135] allocated 7904-byte region [ffff88810f674000, ffff88810f675ee0)
+[ 84.599544]
+[ 84.599598] The buggy address belongs to the physical page:
+[ 84.599777] page:00000000e638567f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f670
+[ 84.600074] head:00000000e638567f order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+[ 84.600330] flags: 0x200000000010200(slab|head|node=0|zone=2)
+[ 84.600517] raw: 0200000000010200 ffff888100043180 dead000000000122 0000000000000000
+[ 84.600764] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
+[ 84.601009] page dumped because: kasan: bad access detected
+[ 84.601187]
+[ 84.601241] Memory state around the buggy address:
+[ 84.601396] ffff88810f676800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 84.601620] ffff88810f676880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 84.601845] >ffff88810f676900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 84.602069] ^
+[ 84.602243] ffff88810f676980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 84.602468] ffff88810f676a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 84.602693] ==================================================================
+[ 84.602924] Disabling lock debugging due to kernel taint
+
+Fixes: 3015f3d2a3cd ("pkt_sched: enable QFQ to support TSO/GSO")
+Reported-by: Gwangun Jung <exsociety@gmail.com>
+Signed-off-by: Gwangun Jung <exsociety@gmail.com>
+Acked-by: Jamal Hadi Salim<jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 20dc1851d4ffe..c2a68f6e427ed 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -433,15 +433,16 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+ } else
+ weight = 1;
+
+- if (tb[TCA_QFQ_LMAX]) {
++ if (tb[TCA_QFQ_LMAX])
+ lmax = nla_get_u32(tb[TCA_QFQ_LMAX]);
+- if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) {
+- pr_notice("qfq: invalid max length %u\n", lmax);
+- return -EINVAL;
+- }
+- } else
++ else
+ lmax = psched_mtu(qdisc_dev(sch));
+
++ if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) {
++ pr_notice("qfq: invalid max length %u\n", lmax);
++ return -EINVAL;
++ }
++
+ inv_w = ONE_FP / weight;
+ weight = ONE_FP / inv_w;
+
+--
+2.39.2
+
--- /dev/null
+From 5e3ac0544b1695b0cfd3e9ac7c57bba6d40bb6b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 12:31:30 +0100
+Subject: s390/ptrace: fix PTRACE_GET_LAST_BREAK error handling
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit f9bbf25e7b2b74b52b2f269216a92657774f239c ]
+
+Return -EFAULT if put_user() for the PTRACE_GET_LAST_BREAK
+request fails, instead of silently ignoring it.
+
+Reviewed-by: Sven Schnelle <svens@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/ptrace.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
+index 3ffa2847c110b..c36289a3ad500 100644
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -503,9 +503,7 @@ long arch_ptrace(struct task_struct *child, long request,
+ }
+ return 0;
+ case PTRACE_GET_LAST_BREAK:
+- put_user(child->thread.last_break,
+- (unsigned long __user *) data);
+- return 0;
++ return put_user(child->thread.last_break, (unsigned long __user *)data);
+ case PTRACE_ENABLE_TE:
+ if (!MACHINE_HAS_TE)
+ return -EIO;
+@@ -857,9 +855,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
+ }
+ return 0;
+ case PTRACE_GET_LAST_BREAK:
+- put_user(child->thread.last_break,
+- (unsigned int __user *) data);
+- return 0;
++ return put_user(child->thread.last_break, (unsigned int __user *)data);
+ }
+ return compat_ptrace_request(child, request, addr, data);
+ }
+--
+2.39.2
+
--- /dev/null
+From 5fbc8ecc566960947ee69825110ca8ad6866664e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Mar 2023 11:22:11 +0900
+Subject: scsi: core: Improve scsi_vpd_inquiry() checks
+
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+
+[ Upstream commit f0aa59a33d2ac2267d260fe21eaf92500df8e7b4 ]
+
+Some USB-SATA adapters have broken behavior when an unsupported VPD page is
+probed: Depending on the VPD page number, a 4-byte header with a valid VPD
+page number but with a 0 length is returned. Currently, scsi_vpd_inquiry()
+only checks that the page number is valid to determine if the page is
+valid, which results in receiving only the 4-byte header for the
+non-existent page. This error manifests itself very often with page 0xb9
+for the Concurrent Positioning Ranges detection done by sd_read_cpr(),
+resulting in the following error message:
+
+sd 0:0:0:0: [sda] Invalid Concurrent Positioning Ranges VPD page
+
+Prevent such misleading error message by adding a check in
+scsi_vpd_inquiry() to verify that the page length is not 0.
+
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Link: https://lore.kernel.org/r/20230322022211.116327-1-damien.lemoal@opensource.wdc.com
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
+index febe29a9b8b06..acd118da88bfb 100644
+--- a/drivers/scsi/scsi.c
++++ b/drivers/scsi/scsi.c
+@@ -351,11 +351,18 @@ static int scsi_vpd_inquiry(struct scsi_device *sdev, unsigned char *buffer,
+ if (result)
+ return -EIO;
+
+- /* Sanity check that we got the page back that we asked for */
++ /*
++ * Sanity check that we got the page back that we asked for and that
++ * the page size is not 0.
++ */
+ if (buffer[1] != page)
+ return -EIO;
+
+- return get_unaligned_be16(&buffer[2]) + 4;
++ result = get_unaligned_be16(&buffer[2]);
++ if (!result)
++ return -EIO;
++
++ return result + 4;
+ }
+
+ /**
+--
+2.39.2
+
--- /dev/null
+From 6a1020830ae7ffeb16af3f8ab11f3076a2529b7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Mar 2023 14:52:49 +0100
+Subject: scsi: megaraid_sas: Fix fw_crash_buffer_show()
+
+From: Tomas Henzl <thenzl@redhat.com>
+
+[ Upstream commit 0808ed6ebbc292222ca069d339744870f6d801da ]
+
+If crash_dump_buf is not allocated then crash dump can't be available.
+Replace logical 'and' with 'or'.
+
+Signed-off-by: Tomas Henzl <thenzl@redhat.com>
+Link: https://lore.kernel.org/r/20230324135249.9733-1-thenzl@redhat.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/megaraid/megaraid_sas_base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
+index 8877a21102f1d..8d1df03386b4f 100644
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -3032,7 +3032,7 @@ megasas_fw_crash_buffer_show(struct device *cdev,
+
+ spin_lock_irqsave(&instance->crashdump_lock, flags);
+ buff_offset = instance->fw_crash_buffer_offset;
+- if (!instance->crash_dump_buf &&
++ if (!instance->crash_dump_buf ||
+ !((instance->fw_crash_state == AVAILABLE) ||
+ (instance->fw_crash_state == COPYING))) {
+ dev_err(&instance->pdev->dev,
+--
+2.39.2
+
--- /dev/null
+From 30de889cab2b57d636a26f3537f819955c022315 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 11:59:33 -0800
+Subject: selftests: sigaltstack: fix -Wuninitialized
+
+From: Nick Desaulniers <ndesaulniers@google.com>
+
+[ Upstream commit 05107edc910135d27fe557267dc45be9630bf3dd ]
+
+Building sigaltstack with clang via:
+$ ARCH=x86 make LLVM=1 -C tools/testing/selftests/sigaltstack/
+
+produces the following warning:
+ warning: variable 'sp' is uninitialized when used here [-Wuninitialized]
+ if (sp < (unsigned long)sstack ||
+ ^~
+
+Clang expects these to be declared at global scope; we've fixed this in
+the kernel proper by using the macro `current_stack_pointer`. This is
+defined in different headers for different target architectures, so just
+create a new header that defines the arch-specific register names for
+the stack pointer register, and define it for more targets (at least the
+ones that support current_stack_pointer/ARCH_HAS_CURRENT_STACK_POINTER).
+
+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Link: https://lore.kernel.org/lkml/CA+G9fYsi3OOu7yCsMutpzKDnBMAzJBCPimBp86LhGBa0eCnEpA@mail.gmail.com/
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Tested-by: Anders Roxell <anders.roxell@linaro.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../sigaltstack/current_stack_pointer.h | 23 +++++++++++++++++++
+ tools/testing/selftests/sigaltstack/sas.c | 7 +-----
+ 2 files changed, 24 insertions(+), 6 deletions(-)
+ create mode 100644 tools/testing/selftests/sigaltstack/current_stack_pointer.h
+
+diff --git a/tools/testing/selftests/sigaltstack/current_stack_pointer.h b/tools/testing/selftests/sigaltstack/current_stack_pointer.h
+new file mode 100644
+index 0000000000000..ea9bdf3a90b16
+--- /dev/null
++++ b/tools/testing/selftests/sigaltstack/current_stack_pointer.h
+@@ -0,0 +1,23 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++
++#if __alpha__
++register unsigned long sp asm("$30");
++#elif __arm__ || __aarch64__ || __csky__ || __m68k__ || __mips__ || __riscv
++register unsigned long sp asm("sp");
++#elif __i386__
++register unsigned long sp asm("esp");
++#elif __loongarch64
++register unsigned long sp asm("$sp");
++#elif __ppc__
++register unsigned long sp asm("r1");
++#elif __s390x__
++register unsigned long sp asm("%15");
++#elif __sh__
++register unsigned long sp asm("r15");
++#elif __x86_64__
++register unsigned long sp asm("rsp");
++#elif __XTENSA__
++register unsigned long sp asm("a1");
++#else
++#error "implement current_stack_pointer equivalent"
++#endif
+diff --git a/tools/testing/selftests/sigaltstack/sas.c b/tools/testing/selftests/sigaltstack/sas.c
+index 228c2ae47687d..6069d97bf5063 100644
+--- a/tools/testing/selftests/sigaltstack/sas.c
++++ b/tools/testing/selftests/sigaltstack/sas.c
+@@ -19,6 +19,7 @@
+ #include <errno.h>
+
+ #include "../kselftest.h"
++#include "current_stack_pointer.h"
+
+ #ifndef SS_AUTODISARM
+ #define SS_AUTODISARM (1U << 31)
+@@ -40,12 +41,6 @@ void my_usr1(int sig, siginfo_t *si, void *u)
+ stack_t stk;
+ struct stk_data *p;
+
+-#if __s390x__
+- register unsigned long sp asm("%15");
+-#else
+- register unsigned long sp asm("sp");
+-#endif
+-
+ if (sp < (unsigned long)sstack ||
+ sp >= (unsigned long)sstack + SIGSTKSZ) {
+ ksft_exit_fail_msg("SP is not on sigaltstack\n");
+--
+2.39.2
+
--- /dev/null
+arm-dts-rockchip-fix-a-typo-error-for-rk3288-spdif-n.patch
+net-sched-sch_qfq-prevent-slab-out-of-bounds-in-qfq_.patch
+virtio_net-bugfix-overflow-inside-xdp_linearize_page.patch
+i40e-fix-accessing-vsi-active_filters-without-holdin.patch
+i40e-fix-i40e_setup_misc_vector-error-handling.patch
+mlxfw-fix-null-ptr-deref-in-mlxfw_mfa2_tlv_next.patch
+e1000e-disable-tso-on-i219-lm-card-to-increase-speed.patch
+f2fs-fix-f2fs_truncate_partial_nodes-ftrace-event.patch
+input-i8042-add-quirk-for-fujitsu-lifebook-a574-h.patch
+selftests-sigaltstack-fix-wuninitialized.patch
+scsi-megaraid_sas-fix-fw_crash_buffer_show.patch
+scsi-core-improve-scsi_vpd_inquiry-checks.patch
+net-dsa-b53-mmap-add-phy-ops.patch
+s390-ptrace-fix-ptrace_get_last_break-error-handling.patch
+xen-netback-use-same-error-messages-for-same-errors.patch
--- /dev/null
+From 46a3039044303d3c88462422e0eace667fc53650 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Apr 2023 14:08:35 +0800
+Subject: virtio_net: bugfix overflow inside xdp_linearize_page()
+
+From: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+
+[ Upstream commit 853618d5886bf94812f31228091cd37d308230f7 ]
+
+Here we copy the data from the original buf to the new page. But we
+not check that it may be overflow.
+
+As long as the size received(including vnethdr) is greater than 3840
+(PAGE_SIZE -VIRTIO_XDP_HEADROOM). Then the memcpy will overflow.
+
+And this is completely possible, as long as the MTU is large, such
+as 4096. In our test environment, this will cause crash. Since crash is
+caused by the written memory, it is meaningless, so I do not include it.
+
+Fixes: 72979a6c3590 ("virtio_net: xdp, add slowpath case for non contiguous buffers")
+Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 406ef4cc636d4..0cd46735e3950 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -600,8 +600,13 @@ static struct page *xdp_linearize_page(struct receive_queue *rq,
+ int page_off,
+ unsigned int *len)
+ {
+- struct page *page = alloc_page(GFP_ATOMIC);
++ int tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
++ struct page *page;
+
++ if (page_off + *len + tailroom > PAGE_SIZE)
++ return NULL;
++
++ page = alloc_page(GFP_ATOMIC);
+ if (!page)
+ return NULL;
+
+@@ -609,7 +614,6 @@ static struct page *xdp_linearize_page(struct receive_queue *rq,
+ page_off += *len;
+
+ while (--*num_buf) {
+- int tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+ unsigned int buflen;
+ void *buf;
+ int off;
+--
+2.39.2
+
--- /dev/null
+From 1ca1fcaae90d995a61faacd48ca61912cfa5f966 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Mar 2023 10:02:59 +0200
+Subject: xen/netback: use same error messages for same errors
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 2eca98e5b24d01c02b46c67be05a5f98cc9789b1 ]
+
+Issue the same error message in case an illegal page boundary crossing
+has been detected in both cases where this is tested.
+
+Suggested-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Link: https://lore.kernel.org/r/20230329080259.14823-1-jgross@suse.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netback/netback.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
+index ed644b6824cef..d2b79d7c0b881 100644
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -989,10 +989,8 @@ static void xenvif_tx_build_gops(struct xenvif_queue *queue,
+
+ /* No crossing a page as the payload mustn't fragment. */
+ if (unlikely((txreq.offset + txreq.size) > XEN_PAGE_SIZE)) {
+- netdev_err(queue->vif->dev,
+- "txreq.offset: %u, size: %u, end: %lu\n",
+- txreq.offset, txreq.size,
+- (unsigned long)(txreq.offset&~XEN_PAGE_MASK) + txreq.size);
++ netdev_err(queue->vif->dev, "Cross page boundary, txreq.offset: %u, size: %u\n",
++ txreq.offset, txreq.size);
+ xenvif_fatal_tx_err(queue->vif);
+ break;
+ }
+--
+2.39.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
