--- /dev/null
+From 3e9b614403380d27e7f4ea014c14ee55c8f49edf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 15:40:54 -0600
+Subject: ALSA: hda: Match only Intel devices with CONTROLLER_IN_GPU()
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+[ Upstream commit ff447886e675979d66b2bc01810035d3baea1b3a ]
+
+CONTROLLER_IN_GPU() is clearly intended to match only Intel devices, but
+previously it checked only the PCI Device ID, not the Vendor ID, so it
+could match devices from other vendors that happened to use the same Device
+ID.
+
+Update CONTROLLER_IN_GPU() so it matches only Intel devices.
+
+Fixes: 535115b5ff51 ("ALSA: hda - Abort the probe without i915 binding for HSW/B")
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Link: https://lore.kernel.org/r/20230307214054.886721-1-helgaas@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_intel.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index c8042eb703c34..5fce1ca8a393a 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -331,14 +331,15 @@ enum {
+ #define needs_eld_notify_link(chip) false
+ #endif
+
+-#define CONTROLLER_IN_GPU(pci) (((pci)->device == 0x0a0c) || \
++#define CONTROLLER_IN_GPU(pci) (((pci)->vendor == 0x8086) && \
++ (((pci)->device == 0x0a0c) || \
+ ((pci)->device == 0x0c0c) || \
+ ((pci)->device == 0x0d0c) || \
+ ((pci)->device == 0x160c) || \
+ ((pci)->device == 0x490d) || \
+ ((pci)->device == 0x4f90) || \
+ ((pci)->device == 0x4f91) || \
+- ((pci)->device == 0x4f92))
++ ((pci)->device == 0x4f92)))
+
+ #define IS_BXT(pci) ((pci)->vendor == 0x8086 && (pci)->device == 0x5a98)
+
+--
+2.39.2
+
--- /dev/null
+From e7605940a0fcd6bfc5348963133e59f683b1495b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 13:11:05 +0900
+Subject: block: null_blk: Fix handling of fake timeout request
+
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+
+[ Upstream commit 63f886597085f346276e3b3c8974de0100d65f32 ]
+
+When injecting a fake timeout into the null_blk driver using
+fail_io_timeout, the request timeout handler does not execute
+blk_mq_complete_request(), so the complete callback is never executed
+for a timedout request.
+
+The null_blk driver also has a driver-specific fake timeout mechanism
+which does not have this problem. Fix the problem with fail_io_timeout
+by using the same meachanism as null_blk internal timeout feature, using
+the fake_timeout field of null_blk commands.
+
+Reported-by: Akinobu Mita <akinobu.mita@gmail.com>
+Fixes: de3510e52b0a ("null_blk: fix command timeout completion handling")
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Link: https://lore.kernel.org/r/20230314041106.19173-2-damien.lemoal@opensource.wdc.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/null_blk/main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c
+index 4c8b4101516c3..033b0f64f2b9b 100644
+--- a/drivers/block/null_blk/main.c
++++ b/drivers/block/null_blk/main.c
+@@ -1314,8 +1314,7 @@ static inline void nullb_complete_cmd(struct nullb_cmd *cmd)
+ case NULL_IRQ_SOFTIRQ:
+ switch (cmd->nq->dev->queue_mode) {
+ case NULL_Q_MQ:
+- if (likely(!blk_should_fake_timeout(cmd->rq->q)))
+- blk_mq_complete_request(cmd->rq);
++ blk_mq_complete_request(cmd->rq);
+ break;
+ case NULL_Q_BIO:
+ /*
+@@ -1491,7 +1490,8 @@ static blk_status_t null_queue_rq(struct blk_mq_hw_ctx *hctx,
+ cmd->rq = bd->rq;
+ cmd->error = BLK_STS_OK;
+ cmd->nq = nq;
+- cmd->fake_timeout = should_timeout_request(bd->rq);
++ cmd->fake_timeout = should_timeout_request(bd->rq) ||
++ blk_should_fake_timeout(bd->rq->q);
+
+ blk_mq_start_request(bd->rq);
+
+--
+2.39.2
+
--- /dev/null
+From 055bca5c3b6b0a566364722a24cb090dd4771ac8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 14:20:32 +0800
+Subject: block: sunvdc: add check for mdesc_grab() returning NULL
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 6030363199e3a6341afb467ddddbed56640cbf6a ]
+
+In vdc_port_probe(), we should check the return value of mdesc_grab() as
+it may return NULL, which can cause potential NPD bug.
+
+Fixes: 43fdf27470b2 ("[SPARC64]: Abstract out mdesc accesses for better MD update handling.")
+Signed-off-by: Liang He <windhl@126.com>
+Link: https://lore.kernel.org/r/20230315062032.1741692-1-windhl@126.com
+[axboe: style cleanup]
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/sunvdc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c
+index 4d4bb810c2aea..656d99faf40a2 100644
+--- a/drivers/block/sunvdc.c
++++ b/drivers/block/sunvdc.c
+@@ -964,6 +964,8 @@ static int vdc_port_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+ print_version();
+
+ hp = mdesc_grab();
++ if (!hp)
++ return -ENODEV;
+
+ err = -ENODEV;
+ if ((vdev->dev_no << PARTITION_SHIFT) & ~(u64)MINORMASK) {
+--
+2.39.2
+
--- /dev/null
+From 384930ade51ad1bbc1320e7379ad7fe3f43ba70c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 13:18:41 +0200
+Subject: bonding: restore bond's IFF_SLAVE flag if a non-eth dev enslave fails
+
+From: Nikolay Aleksandrov <razor@blackwall.org>
+
+[ Upstream commit e667d469098671261d558be0cd93dca4d285ce1e ]
+
+syzbot reported a warning[1] where the bond device itself is a slave and
+we try to enslave a non-ethernet device as the first slave which fails
+but then in the error path when ether_setup() restores the bond device
+it also clears all flags. In my previous fix[2] I restored the
+IFF_MASTER flag, but I didn't consider the case that the bond device
+itself might also be a slave with IFF_SLAVE set, so we need to restore
+that flag as well. Use the bond_ether_setup helper which does the right
+thing and restores the bond's flags properly.
+
+Steps to reproduce using a nlmon dev:
+ $ ip l add nlmon0 type nlmon
+ $ ip l add bond1 type bond
+ $ ip l add bond2 type bond
+ $ ip l set bond1 master bond2
+ $ ip l set dev nlmon0 master bond1
+ $ ip -d l sh dev bond1
+ 22: bond1: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noqueue master bond2 state DOWN mode DEFAULT group default qlen 1000
+ (now bond1's IFF_SLAVE flag is gone and we'll hit a warning[3] if we
+ try to delete it)
+
+[1] https://syzkaller.appspot.com/bug?id=391c7b1f6522182899efba27d891f1743e8eb3ef
+[2] commit 7d5cd2ce5292 ("bonding: correctly handle bonding type change on enslave failure")
+[3] example warning:
+ [ 27.008664] bond1: (slave nlmon0): The slave device specified does not support setting the MAC address
+ [ 27.008692] bond1: (slave nlmon0): Error -95 calling set_mac_address
+ [ 32.464639] bond1 (unregistering): Released all slaves
+ [ 32.464685] ------------[ cut here ]------------
+ [ 32.464686] WARNING: CPU: 1 PID: 2004 at net/core/dev.c:10829 unregister_netdevice_many+0x72a/0x780
+ [ 32.464694] Modules linked in: br_netfilter bridge bonding virtio_net
+ [ 32.464699] CPU: 1 PID: 2004 Comm: ip Kdump: loaded Not tainted 5.18.0-rc3+ #47
+ [ 32.464703] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014
+ [ 32.464704] RIP: 0010:unregister_netdevice_many+0x72a/0x780
+ [ 32.464707] Code: 99 fd ff ff ba 90 1a 00 00 48 c7 c6 f4 02 66 96 48 c7 c7 20 4d 35 96 c6 05 fa c7 2b 02 01 e8 be 6f 4a 00 0f 0b e9 73 fd ff ff <0f> 0b e9 5f fd ff ff 80 3d e3 c7 2b 02 00 0f 85 3b fd ff ff ba 59
+ [ 32.464710] RSP: 0018:ffffa006422d7820 EFLAGS: 00010206
+ [ 32.464712] RAX: ffff8f6e077140a0 RBX: ffffa006422d7888 RCX: 0000000000000000
+ [ 32.464714] RDX: ffff8f6e12edbe58 RSI: 0000000000000296 RDI: ffffffff96d4a520
+ [ 32.464716] RBP: ffff8f6e07714000 R08: ffffffff96d63600 R09: ffffa006422d7728
+ [ 32.464717] R10: 0000000000000ec0 R11: ffffffff9698c988 R12: ffff8f6e12edb140
+ [ 32.464719] R13: dead000000000122 R14: dead000000000100 R15: ffff8f6e12edb140
+ [ 32.464723] FS: 00007f297c2f1740(0000) GS:ffff8f6e5d900000(0000) knlGS:0000000000000000
+ [ 32.464725] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 32.464726] CR2: 00007f297bf1c800 CR3: 00000000115e8000 CR4: 0000000000350ee0
+ [ 32.464730] Call Trace:
+ [ 32.464763] <TASK>
+ [ 32.464767] rtnl_dellink+0x13e/0x380
+ [ 32.464776] ? cred_has_capability.isra.0+0x68/0x100
+ [ 32.464780] ? __rtnl_unlock+0x33/0x60
+ [ 32.464783] ? bpf_lsm_capset+0x10/0x10
+ [ 32.464786] ? security_capable+0x36/0x50
+ [ 32.464790] rtnetlink_rcv_msg+0x14e/0x3b0
+ [ 32.464792] ? _copy_to_iter+0xb1/0x790
+ [ 32.464796] ? post_alloc_hook+0xa0/0x160
+ [ 32.464799] ? rtnl_calcit.isra.0+0x110/0x110
+ [ 32.464802] netlink_rcv_skb+0x50/0xf0
+ [ 32.464806] netlink_unicast+0x216/0x340
+ [ 32.464809] netlink_sendmsg+0x23f/0x480
+ [ 32.464812] sock_sendmsg+0x5e/0x60
+ [ 32.464815] ____sys_sendmsg+0x22c/0x270
+ [ 32.464818] ? import_iovec+0x17/0x20
+ [ 32.464821] ? sendmsg_copy_msghdr+0x59/0x90
+ [ 32.464823] ? do_set_pte+0xa0/0xe0
+ [ 32.464828] ___sys_sendmsg+0x81/0xc0
+ [ 32.464832] ? mod_objcg_state+0xc6/0x300
+ [ 32.464835] ? refill_obj_stock+0xa9/0x160
+ [ 32.464838] ? memcg_slab_free_hook+0x1a5/0x1f0
+ [ 32.464842] __sys_sendmsg+0x49/0x80
+ [ 32.464847] do_syscall_64+0x3b/0x90
+ [ 32.464851] entry_SYSCALL_64_after_hwframe+0x44/0xae
+ [ 32.464865] RIP: 0033:0x7f297bf2e5e7
+ [ 32.464868] Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
+ [ 32.464869] RSP: 002b:00007ffd96c824c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ [ 32.464872] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f297bf2e5e7
+ [ 32.464874] RDX: 0000000000000000 RSI: 00007ffd96c82540 RDI: 0000000000000003
+ [ 32.464875] RBP: 00000000640f19de R08: 0000000000000001 R09: 000000000000007c
+ [ 32.464876] R10: 00007f297bffabe0 R11: 0000000000000246 R12: 0000000000000001
+ [ 32.464877] R13: 00007ffd96c82d20 R14: 00007ffd96c82610 R15: 000055bfe38a7020
+ [ 32.464881] </TASK>
+ [ 32.464882] ---[ end trace 0000000000000000 ]---
+
+Fixes: 7d5cd2ce5292 ("bonding: correctly handle bonding type change on enslave failure")
+Reported-by: syzbot+9dfc3f3348729cc82277@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=391c7b1f6522182899efba27d891f1743e8eb3ef
+Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Acked-by: Jonathan Toppins <jtoppins@redhat.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index b2db30d5f1f45..e1dc94f01cb5a 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2267,9 +2267,7 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+ eth_hw_addr_random(bond_dev);
+ if (bond_dev->type != ARPHRD_ETHER) {
+ dev_close(bond_dev);
+- ether_setup(bond_dev);
+- bond_dev->flags |= IFF_MASTER;
+- bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING;
++ bond_ether_setup(bond_dev);
+ }
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 2cc9a79e26cbe8eb4384ce7fa36a23e9dda31d1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 13:18:40 +0200
+Subject: bonding: restore IFF_MASTER/SLAVE flags on bond enslave ether type
+ change
+
+From: Nikolay Aleksandrov <razor@blackwall.org>
+
+[ Upstream commit 9ec7eb60dcbcb6c41076defbc5df7bbd95ceaba5 ]
+
+Add bond_ether_setup helper which is used to fix ether_setup() calls in the
+bonding driver. It takes care of both IFF_MASTER and IFF_SLAVE flags, the
+former is always restored and the latter only if it was set.
+If the bond enslaves non-ARPHRD_ETHER device (changes its type), then
+releases it and enslaves ARPHRD_ETHER device (changes back) then we
+use ether_setup() to restore the bond device type but it also resets its
+flags and removes IFF_MASTER and IFF_SLAVE[1]. Use the bond_ether_setup
+helper to restore both after such transition.
+
+[1] reproduce (nlmon is non-ARPHRD_ETHER):
+ $ ip l add nlmon0 type nlmon
+ $ ip l add bond2 type bond mode active-backup
+ $ ip l set nlmon0 master bond2
+ $ ip l set nlmon0 nomaster
+ $ ip l add bond1 type bond
+ (we use bond1 as ARPHRD_ETHER device to restore bond2's mode)
+ $ ip l set bond1 master bond2
+ $ ip l sh dev bond2
+ 37: bond2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
+ link/ether be:d7:c5:40:5b:cc brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 1500
+ (notice bond2's IFF_MASTER is missing)
+
+Fixes: e36b9d16c6a6 ("bonding: clean muticast addresses when device changes type")
+Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 456298919d541..b2db30d5f1f45 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1744,6 +1744,19 @@ void bond_lower_state_changed(struct slave *slave)
+ slave_err(bond_dev, slave_dev, "Error: %s\n", errmsg); \
+ } while (0)
+
++/* The bonding driver uses ether_setup() to convert a master bond device
++ * to ARPHRD_ETHER, that resets the target netdevice's flags so we always
++ * have to restore the IFF_MASTER flag, and only restore IFF_SLAVE if it was set
++ */
++static void bond_ether_setup(struct net_device *bond_dev)
++{
++ unsigned int slave_flag = bond_dev->flags & IFF_SLAVE;
++
++ ether_setup(bond_dev);
++ bond_dev->flags |= IFF_MASTER | slave_flag;
++ bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING;
++}
++
+ /* enslave device <slave> to bond device <master> */
+ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+ struct netlink_ext_ack *extack)
+@@ -1835,10 +1848,8 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+
+ if (slave_dev->type != ARPHRD_ETHER)
+ bond_setup_by_slave(bond_dev, slave_dev);
+- else {
+- ether_setup(bond_dev);
+- bond_dev->priv_flags &= ~IFF_TX_SKB_SHARING;
+- }
++ else
++ bond_ether_setup(bond_dev);
+
+ call_netdevice_notifiers(NETDEV_POST_TYPE_CHANGE,
+ bond_dev);
+--
+2.39.2
+
--- /dev/null
+From b8eaee2477d8271d7e694a215936eee4871a0d7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 11:11:36 +0800
+Subject: cifs: Move the in_send statistic to __smb_send_rqst()
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+[ Upstream commit d0dc41119905f740e8d5594adce277f7c0de8c92 ]
+
+When send SMB_COM_NT_CANCEL and RFC1002_SESSION_REQUEST, the
+in_send statistic was lost.
+
+Let's move the in_send statistic to the send function to avoid
+this scenario.
+
+Fixes: 7ee1af765dfa ("[CIFS]")
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/transport.c | 21 +++++++++------------
+ 1 file changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c
+index 514056605fa7a..49b7edbe34975 100644
+--- a/fs/cifs/transport.c
++++ b/fs/cifs/transport.c
+@@ -299,7 +299,7 @@ static int
+ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst,
+ struct smb_rqst *rqst)
+ {
+- int rc = 0;
++ int rc;
+ struct kvec *iov;
+ int n_vec;
+ unsigned int send_length = 0;
+@@ -310,6 +310,7 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst,
+ struct msghdr smb_msg = {};
+ __be32 rfc1002_marker;
+
++ cifs_in_send_inc(server);
+ if (cifs_rdma_enabled(server)) {
+ /* return -EAGAIN when connecting or reconnecting */
+ rc = -EAGAIN;
+@@ -318,14 +319,17 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst,
+ goto smbd_done;
+ }
+
++ rc = -EAGAIN;
+ if (ssocket == NULL)
+- return -EAGAIN;
++ goto out;
+
++ rc = -ERESTARTSYS;
+ if (fatal_signal_pending(current)) {
+ cifs_dbg(FYI, "signal pending before send request\n");
+- return -ERESTARTSYS;
++ goto out;
+ }
+
++ rc = 0;
+ /* cork the socket */
+ tcp_sock_set_cork(ssocket->sk, true);
+
+@@ -438,7 +442,8 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst,
+ rc);
+ else if (rc > 0)
+ rc = 0;
+-
++out:
++ cifs_in_send_dec(server);
+ return rc;
+ }
+
+@@ -855,9 +860,7 @@ cifs_call_async(struct TCP_Server_Info *server, struct smb_rqst *rqst,
+ * I/O response may come back and free the mid entry on another thread.
+ */
+ cifs_save_when_sent(mid);
+- cifs_in_send_inc(server);
+ rc = smb_send_rqst(server, 1, rqst, flags);
+- cifs_in_send_dec(server);
+
+ if (rc < 0) {
+ revert_current_mid(server, mid->credits);
+@@ -1149,9 +1152,7 @@ compound_send_recv(const unsigned int xid, struct cifs_ses *ses,
+ else
+ midQ[i]->callback = cifs_compound_last_callback;
+ }
+- cifs_in_send_inc(server);
+ rc = smb_send_rqst(server, num_rqst, rqst, flags);
+- cifs_in_send_dec(server);
+
+ for (i = 0; i < num_rqst; i++)
+ cifs_save_when_sent(midQ[i]);
+@@ -1388,9 +1389,7 @@ SendReceive(const unsigned int xid, struct cifs_ses *ses,
+
+ midQ->mid_state = MID_REQUEST_SUBMITTED;
+
+- cifs_in_send_inc(server);
+ rc = smb_send(server, in_buf, len);
+- cifs_in_send_dec(server);
+ cifs_save_when_sent(midQ);
+
+ if (rc < 0)
+@@ -1527,9 +1526,7 @@ SendReceiveBlockingLock(const unsigned int xid, struct cifs_tcon *tcon,
+ }
+
+ midQ->mid_state = MID_REQUEST_SUBMITTED;
+- cifs_in_send_inc(server);
+ rc = smb_send(server, in_buf, len);
+- cifs_in_send_dec(server);
+ cifs_save_when_sent(midQ);
+
+ if (rc < 0)
+--
+2.39.2
+
--- /dev/null
+From b7a62ee57a7489a0fa83a38b7af6ed6175f7d176 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Feb 2023 21:39:47 -0800
+Subject: clk: HI655X: select REGMAP instead of depending on it
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 0ffad67784a097beccf34d297ddd1b0773b3b8a3 ]
+
+REGMAP is a hidden (not user visible) symbol. Users cannot set it
+directly thru "make *config", so drivers should select it instead of
+depending on it if they need it.
+
+Consistently using "select" or "depends on" can also help reduce
+Kconfig circular dependency issues.
+
+Therefore, change the use of "depends on REGMAP" to "select REGMAP".
+
+Fixes: 3a49afb84ca0 ("clk: enable hi655x common clk automatically")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Riku Voipio <riku.voipio@linaro.org>
+Cc: Stephen Boyd <sboyd@kernel.org>
+Cc: Michael Turquette <mturquette@baylibre.com>
+Cc: linux-clk@vger.kernel.org
+Link: https://lore.kernel.org/r/20230226053953.4681-3-rdunlap@infradead.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/Kconfig b/drivers/clk/Kconfig
+index c5b3dc97396a6..100e474ff3dc5 100644
+--- a/drivers/clk/Kconfig
++++ b/drivers/clk/Kconfig
+@@ -83,7 +83,7 @@ config COMMON_CLK_RK808
+ config COMMON_CLK_HI655X
+ tristate "Clock driver for Hi655x" if EXPERT
+ depends on (MFD_HI655X_PMIC || COMPILE_TEST)
+- depends on REGMAP
++ select REGMAP
+ default MFD_HI655X_PMIC
+ help
+ This driver supports the hi655x PMIC clock. This
+--
+2.39.2
+
--- /dev/null
+From 85fc3fdc8511a1a83be1052f2cee59a9128e2414 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 12:40:42 -0600
+Subject: docs: Correct missing "d_" prefix for dentry_operations member
+ d_weak_revalidate
+
+From: Glenn Washburn <development@efficientek.com>
+
+[ Upstream commit 74596085796fae0cfce3e42ee46bf4f8acbdac55 ]
+
+The details for struct dentry_operations member d_weak_revalidate is
+missing a "d_" prefix.
+
+Fixes: af96c1e304f7 ("docs: filesystems: vfs: Convert vfs.txt to RST")
+Signed-off-by: Glenn Washburn <development@efficientek.com>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Link: https://lore.kernel.org/r/20230227184042.2375235-1-development@efficientek.com
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/filesystems/vfs.rst | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/filesystems/vfs.rst b/Documentation/filesystems/vfs.rst
+index a99c1c338e8f4..a15527940b461 100644
+--- a/Documentation/filesystems/vfs.rst
++++ b/Documentation/filesystems/vfs.rst
+@@ -1210,7 +1210,7 @@ defined:
+ return
+ -ECHILD and it will be called again in ref-walk mode.
+
+-``_weak_revalidate``
++``d_weak_revalidate``
+ called when the VFS needs to revalidate a "jumped" dentry. This
+ is called when a path-walk ends at dentry that was not acquired
+ by doing a lookup in the parent directory. This includes "/",
+--
+2.39.2
+
--- /dev/null
+From 2ec24d01fefa76b8080a9723393c2a47251823d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 13:50:35 +0800
+Subject: drm/bridge: Fix returned array size name for
+ atomic_get_input_bus_fmts kdoc
+
+From: Liu Ying <victor.liu@nxp.com>
+
+[ Upstream commit 0d3c9333d976af41d7dbc6bf4d9d2e95fbdf9c89 ]
+
+The returned array size for input formats is set through
+atomic_get_input_bus_fmts()'s 'num_input_fmts' argument, so use
+'num_input_fmts' to represent the array size in the function's kdoc,
+not 'num_output_fmts'.
+
+Fixes: 91ea83306bfa ("drm/bridge: Fix the bridge kernel doc")
+Fixes: f32df58acc68 ("drm/bridge: Add the necessary bits to support bus format negotiation")
+Signed-off-by: Liu Ying <victor.liu@nxp.com>
+Reviewed-by: Robert Foss <rfoss@kernel.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230314055035.3731179-1-victor.liu@nxp.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/drm/drm_bridge.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/drm/drm_bridge.h b/include/drm/drm_bridge.h
+index 1648ce265cba0..c84783cd5abd7 100644
+--- a/include/drm/drm_bridge.h
++++ b/include/drm/drm_bridge.h
+@@ -447,11 +447,11 @@ struct drm_bridge_funcs {
+ *
+ * The returned array must be allocated with kmalloc() and will be
+ * freed by the caller. If the allocation fails, NULL should be
+- * returned. num_output_fmts must be set to the returned array size.
++ * returned. num_input_fmts must be set to the returned array size.
+ * Formats listed in the returned array should be listed in decreasing
+ * preference order (the core will try all formats until it finds one
+ * that works). When the format is not supported NULL should be
+- * returned and num_output_fmts should be set to 0.
++ * returned and num_input_fmts should be set to 0.
+ *
+ * This method is called on all elements of the bridge chain as part of
+ * the bus format negotiation process that happens in
+--
+2.39.2
+
--- /dev/null
+From 97b6e403e95c739366197b7990e747b6b0cb53ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Jul 2022 16:32:36 -0400
+Subject: drm/i915/display: clean up comments
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 3461b040a90d723c93c9d1c7c11e3464f5cadc0e ]
+
+spelling changes
+resoluition -> resolution
+dont -> don't
+commmit -> commit
+Invalidade -> Invalidate
+
+Signed-off-by: Tom Rix <trix@redhat.com>
+Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
+Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220701203236.1871668-1-trix@redhat.com
+Stable-dep-of: 71c602103c74 ("drm/i915/psr: Use calculated io and fast wake lines")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_psr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
+index 21d58d22c82ee..5f9894e3c7aa7 100644
+--- a/drivers/gpu/drm/i915/display/intel_psr.c
++++ b/drivers/gpu/drm/i915/display/intel_psr.c
+@@ -580,7 +580,7 @@ static void hsw_activate_psr2(struct intel_dp *intel_dp)
+ /*
+ * TODO: 7 lines of IO_BUFFER_WAKE and FAST_WAKE are default
+ * values from BSpec. In order to setting an optimal power
+- * consumption, lower than 4k resoluition mode needs to decrese
++ * consumption, lower than 4k resolution mode needs to decrease
+ * IO_BUFFER_WAKE and FAST_WAKE. And higher than 4K resolution
+ * mode needs to increase IO_BUFFER_WAKE and FAST_WAKE.
+ */
+@@ -986,7 +986,7 @@ void intel_psr_compute_config(struct intel_dp *intel_dp,
+ int psr_setup_time;
+
+ /*
+- * Current PSR panels dont work reliably with VRR enabled
++ * Current PSR panels don't work reliably with VRR enabled
+ * So if VRR is enabled, do not enable PSR.
+ */
+ if (crtc_state->vrr.enable)
+@@ -1619,7 +1619,7 @@ static void cursor_area_workaround(const struct intel_plane_state *new_plane_sta
+ *
+ * Plane scaling and rotation is not supported by selective fetch and both
+ * properties can change without a modeset, so need to be check at every
+- * atomic commmit.
++ * atomic commit.
+ */
+ static bool psr2_sel_fetch_plane_state_supported(const struct intel_plane_state *plane_state)
+ {
+@@ -2067,7 +2067,7 @@ static void intel_psr_work(struct work_struct *work)
+ }
+
+ /**
+- * intel_psr_invalidate - Invalidade PSR
++ * intel_psr_invalidate - Invalidate PSR
+ * @dev_priv: i915 device
+ * @frontbuffer_bits: frontbuffer plane tracking bits
+ * @origin: which operation caused the invalidate
+--
+2.39.2
+
--- /dev/null
+From 974b629a68de59a80bd2e055be6df410d2c50ceb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Sep 2021 17:14:01 -0700
+Subject: drm/i915/display/psr: Handle plane and pipe restrictions at every
+ page flip
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Roberto de Souza <jose.souza@intel.com>
+
+[ Upstream commit ac220f5f754b1d2f4a69428f515c3f1b10d1fad0 ]
+
+PSR2 selective is not supported over rotated and scaled planes.
+We had the rotation check in intel_psr2_sel_fetch_config_valid()
+but that code path is only execute when a modeset is needed and
+those plane parameters can change without a modeset.
+
+Pipe selective fetch restrictions are also needed, it could be added
+in intel_psr_compute_config() but pippe scaling is computed after
+it is executed, so leaving as is for now.
+There is no much loss in this approach as it would cause selective
+fetch to not enabled as for alderlake-P and newer will cause it to
+switch to PSR1 that will have the same power-savings as do full pipe
+fetch.
+
+Also need to check those restricions in the second
+for_each_oldnew_intel_plane_in_state() loop because the state could
+only have a plane that is not affected by those restricitons but
+the damaged area intersect with planes that has those restrictions,
+so a full pipe fetch is required.
+
+v2:
+- also handling pipe restrictions
+
+BSpec: 55229
+Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com> # v1
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
+Signed-off-by: José Roberto de Souza <jose.souza@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210930001409.254817-1-jose.souza@intel.com
+Stable-dep-of: 71c602103c74 ("drm/i915/psr: Use calculated io and fast wake lines")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_psr.c | 65 +++++++++++++++++-------
+ 1 file changed, 46 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
+index 5e7827b076028..21d58d22c82ee 100644
+--- a/drivers/gpu/drm/i915/display/intel_psr.c
++++ b/drivers/gpu/drm/i915/display/intel_psr.c
+@@ -756,11 +756,7 @@ tgl_dc3co_exitline_compute_config(struct intel_dp *intel_dp,
+ static bool intel_psr2_sel_fetch_config_valid(struct intel_dp *intel_dp,
+ struct intel_crtc_state *crtc_state)
+ {
+- struct intel_atomic_state *state = to_intel_atomic_state(crtc_state->uapi.state);
+ struct drm_i915_private *dev_priv = dp_to_i915(intel_dp);
+- struct intel_plane_state *plane_state;
+- struct intel_plane *plane;
+- int i;
+
+ if (!dev_priv->params.enable_psr2_sel_fetch &&
+ intel_dp->psr.debug != I915_PSR_DEBUG_ENABLE_SEL_FETCH) {
+@@ -775,14 +771,6 @@ static bool intel_psr2_sel_fetch_config_valid(struct intel_dp *intel_dp,
+ return false;
+ }
+
+- for_each_new_intel_plane_in_state(state, plane, plane_state, i) {
+- if (plane_state->uapi.rotation != DRM_MODE_ROTATE_0) {
+- drm_dbg_kms(&dev_priv->drm,
+- "PSR2 sel fetch not enabled, plane rotated\n");
+- return false;
+- }
+- }
+-
+ /* Wa_14010254185 Wa_14010103792 */
+ if (IS_TGL_DISPLAY_STEP(dev_priv, STEP_A0, STEP_C0)) {
+ drm_dbg_kms(&dev_priv->drm,
+@@ -1624,6 +1612,41 @@ static void cursor_area_workaround(const struct intel_plane_state *new_plane_sta
+ clip_area_update(pipe_clip, damaged_area);
+ }
+
++/*
++ * TODO: Not clear how to handle planes with negative position,
++ * also planes are not updated if they have a negative X
++ * position so for now doing a full update in this cases
++ *
++ * Plane scaling and rotation is not supported by selective fetch and both
++ * properties can change without a modeset, so need to be check at every
++ * atomic commmit.
++ */
++static bool psr2_sel_fetch_plane_state_supported(const struct intel_plane_state *plane_state)
++{
++ if (plane_state->uapi.dst.y1 < 0 ||
++ plane_state->uapi.dst.x1 < 0 ||
++ plane_state->scaler_id >= 0 ||
++ plane_state->uapi.rotation != DRM_MODE_ROTATE_0)
++ return false;
++
++ return true;
++}
++
++/*
++ * Check for pipe properties that is not supported by selective fetch.
++ *
++ * TODO: pipe scaling causes a modeset but skl_update_scaler_crtc() is executed
++ * after intel_psr_compute_config(), so for now keeping PSR2 selective fetch
++ * enabled and going to the full update path.
++ */
++static bool psr2_sel_fetch_pipe_state_supported(const struct intel_crtc_state *crtc_state)
++{
++ if (crtc_state->scaler_state.scaler_id >= 0)
++ return false;
++
++ return true;
++}
++
+ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+ struct intel_crtc *crtc)
+ {
+@@ -1637,6 +1660,11 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+ if (!crtc_state->enable_psr2_sel_fetch)
+ return 0;
+
++ if (!psr2_sel_fetch_pipe_state_supported(crtc_state)) {
++ full_update = true;
++ goto skip_sel_fetch_set_loop;
++ }
++
+ /*
+ * Calculate minimal selective fetch area of each plane and calculate
+ * the pipe damaged area.
+@@ -1656,13 +1684,7 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+ !old_plane_state->uapi.visible)
+ continue;
+
+- /*
+- * TODO: Not clear how to handle planes with negative position,
+- * also planes are not updated if they have a negative X
+- * position so for now doing a full update in this cases
+- */
+- if (new_plane_state->uapi.dst.y1 < 0 ||
+- new_plane_state->uapi.dst.x1 < 0) {
++ if (!psr2_sel_fetch_plane_state_supported(new_plane_state)) {
+ full_update = true;
+ break;
+ }
+@@ -1741,6 +1763,11 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+ if (!drm_rect_intersect(&inter, &new_plane_state->uapi.dst))
+ continue;
+
++ if (!psr2_sel_fetch_plane_state_supported(new_plane_state)) {
++ full_update = true;
++ break;
++ }
++
+ sel_fetch_area = &new_plane_state->psr2_sel_fetch_area;
+ sel_fetch_area->y1 = inter.y1 - new_plane_state->uapi.dst.y1;
+ sel_fetch_area->y2 = inter.y2 - new_plane_state->uapi.dst.y1;
+--
+2.39.2
+
--- /dev/null
+From 26b5e1c756413921e72ec159dd2c436489013791 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 14:25:06 -0700
+Subject: drm/i915/display/psr: Use drm damage helpers to calculate plane
+ damaged area
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Roberto de Souza <jose.souza@intel.com>
+
+[ Upstream commit af7ea1e22afc7ce7773b2e4562df4370c8c711ea ]
+
+drm_atomic_helper_damage_iter_init() + drm_atomic_for_each_plane_damage()
+returns the full plane area in case no damaged area was set by
+userspace or it was discarted by driver.
+
+This is important to fix the rendering of userspace applications that
+does frontbuffer rendering and notify driver about dirty areas but do
+not set any dirty clips.
+
+With this we don't need to worry about to check and mark the whole
+area as damaged in page flips.
+
+Another important change here is the move of
+drm_atomic_add_affected_planes() call, it needs to called late
+otherwise the area of all the planes would be added to pipe_clip and
+not saving power.
+
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
+Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
+Signed-off-by: José Roberto de Souza <jose.souza@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210914212507.177511-4-jose.souza@intel.com
+Stable-dep-of: 71c602103c74 ("drm/i915/psr: Use calculated io and fast wake lines")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_psr.c | 37 +++++++++---------------
+ 1 file changed, 13 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
+index b4b193c2bc32e..5e7827b076028 100644
+--- a/drivers/gpu/drm/i915/display/intel_psr.c
++++ b/drivers/gpu/drm/i915/display/intel_psr.c
+@@ -22,6 +22,7 @@
+ */
+
+ #include <drm/drm_atomic_helper.h>
++#include <drm/drm_damage_helper.h>
+
+ #include "display/intel_dp.h"
+
+@@ -1636,10 +1637,6 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+ if (!crtc_state->enable_psr2_sel_fetch)
+ return 0;
+
+- ret = drm_atomic_add_affected_planes(&state->base, &crtc->base);
+- if (ret)
+- return ret;
+-
+ /*
+ * Calculate minimal selective fetch area of each plane and calculate
+ * the pipe damaged area.
+@@ -1649,8 +1646,8 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+ for_each_oldnew_intel_plane_in_state(state, plane, old_plane_state,
+ new_plane_state, i) {
+ struct drm_rect src, damaged_area = { .y1 = -1 };
+- struct drm_mode_rect *damaged_clips;
+- u32 num_clips, j;
++ struct drm_atomic_helper_damage_iter iter;
++ struct drm_rect clip;
+
+ if (new_plane_state->uapi.crtc != crtc_state->uapi.crtc)
+ continue;
+@@ -1670,8 +1667,6 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+ break;
+ }
+
+- num_clips = drm_plane_get_damage_clips_count(&new_plane_state->uapi);
+-
+ /*
+ * If visibility or plane moved, mark the whole plane area as
+ * damaged as it needs to be complete redraw in the new and old
+@@ -1695,14 +1690,8 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+ cursor_area_workaround(new_plane_state, &damaged_area,
+ &pipe_clip);
+ continue;
+- } else if (new_plane_state->uapi.alpha != old_plane_state->uapi.alpha ||
+- (!num_clips &&
+- new_plane_state->uapi.fb != old_plane_state->uapi.fb)) {
+- /*
+- * If the plane don't have damaged areas but the
+- * framebuffer changed or alpha changed, mark the whole
+- * plane area as damaged.
+- */
++ } else if (new_plane_state->uapi.alpha != old_plane_state->uapi.alpha) {
++ /* If alpha changed mark the whole plane area as damaged */
+ damaged_area.y1 = new_plane_state->uapi.dst.y1;
+ damaged_area.y2 = new_plane_state->uapi.dst.y2;
+ clip_area_update(&pipe_clip, &damaged_area);
+@@ -1710,15 +1699,11 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+ }
+
+ drm_rect_fp_to_int(&src, &new_plane_state->uapi.src);
+- damaged_clips = drm_plane_get_damage_clips(&new_plane_state->uapi);
+-
+- for (j = 0; j < num_clips; j++) {
+- struct drm_rect clip;
+
+- clip.x1 = damaged_clips[j].x1;
+- clip.y1 = damaged_clips[j].y1;
+- clip.x2 = damaged_clips[j].x2;
+- clip.y2 = damaged_clips[j].y2;
++ drm_atomic_helper_damage_iter_init(&iter,
++ &old_plane_state->uapi,
++ &new_plane_state->uapi);
++ drm_atomic_for_each_plane_damage(&iter, &clip) {
+ if (drm_rect_intersect(&clip, &src))
+ clip_area_update(&damaged_area, &clip);
+ }
+@@ -1734,6 +1719,10 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+ if (full_update)
+ goto skip_sel_fetch_set_loop;
+
++ ret = drm_atomic_add_affected_planes(&state->base, &crtc->base);
++ if (ret)
++ return ret;
++
+ intel_psr2_sel_fetch_pipe_alignment(crtc_state, &pipe_clip);
+
+ /*
+--
+2.39.2
+
--- /dev/null
+From 7a200aea2dbe8ef0d3517dc31bf25d4b72631075 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 14:25:05 -0700
+Subject: drm/i915/display: Workaround cursor left overs with PSR2 selective
+ fetch enabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Roberto de Souza <jose.souza@intel.com>
+
+[ Upstream commit 1f3a11c341ab211d6ba55ef3d58026b7b5319945 ]
+
+Not sure why but when moving the cursor fast it causes some artifacts
+of the cursor to be left in the cursor path, adding some pixels above
+the cursor to the damaged area fixes the issue, so leaving this as a
+workaround until proper fix is found.
+
+This is reproducile on TGL and ADL-P.
+
+Cc: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
+Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
+Signed-off-by: José Roberto de Souza <jose.souza@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210914212507.177511-3-jose.souza@intel.com
+Stable-dep-of: 71c602103c74 ("drm/i915/psr: Use calculated io and fast wake lines")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_psr.c | 25 ++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
+index a3d0c57ec0f0b..b4b193c2bc32e 100644
+--- a/drivers/gpu/drm/i915/display/intel_psr.c
++++ b/drivers/gpu/drm/i915/display/intel_psr.c
+@@ -1601,6 +1601,28 @@ static void intel_psr2_sel_fetch_pipe_alignment(const struct intel_crtc_state *c
+ drm_warn(&dev_priv->drm, "Missing PSR2 sel fetch alignment with DSC\n");
+ }
+
++/*
++ * FIXME: Not sure why but when moving the cursor fast it causes some artifacts
++ * of the cursor to be left in the cursor path, adding some pixels above the
++ * cursor to the damaged area fixes the issue.
++ */
++static void cursor_area_workaround(const struct intel_plane_state *new_plane_state,
++ struct drm_rect *damaged_area,
++ struct drm_rect *pipe_clip)
++{
++ const struct intel_plane *plane = to_intel_plane(new_plane_state->uapi.plane);
++ int height;
++
++ if (plane->id != PLANE_CURSOR)
++ return;
++
++ height = drm_rect_height(&new_plane_state->uapi.dst) / 2;
++ damaged_area->y1 -= height;
++ damaged_area->y1 = max(damaged_area->y1, 0);
++
++ clip_area_update(pipe_clip, damaged_area);
++}
++
+ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+ struct intel_crtc *crtc)
+ {
+@@ -1669,6 +1691,9 @@ int intel_psr2_sel_fetch_update(struct intel_atomic_state *state,
+ damaged_area.y2 = new_plane_state->uapi.dst.y2;
+ clip_area_update(&pipe_clip, &damaged_area);
+ }
++
++ cursor_area_workaround(new_plane_state, &damaged_area,
++ &pipe_clip);
+ continue;
+ } else if (new_plane_state->uapi.alpha != old_plane_state->uapi.alpha ||
+ (!num_clips &&
+--
+2.39.2
+
--- /dev/null
+From 26e915179963c5cc6271e89e536367c960b5f875 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Feb 2023 10:53:04 +0200
+Subject: drm/i915/psr: Use calculated io and fast wake lines
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jouni Högander <jouni.hogander@intel.com>
+
+[ Upstream commit 71c602103c74b277bef3d20a308874a33ec8326d ]
+
+Currently we are using hardcoded 7 for io and fast wake lines.
+
+According to Bspec io and fast wake times are both 42us for
+DISPLAY_VER >= 12 and 50us and 32us for older platforms.
+
+Calculate line counts for these and configure them into PSR2_CTL
+accordingly
+
+Use 45 us for the fast wake calculation as 42 seems to be too
+tight based on testing.
+
+Bspec: 49274, 4289
+
+Cc: Mika Kahola <mika.kahola@intel.com>
+Cc: José Roberto de Souza <jose.souza@intel.com>
+Fixes: 64cf40a125ff ("drm/i915/psr: Program default IO buffer Wake and Fast Wake")
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/7725
+Signed-off-by: Jouni Högander <jouni.hogander@intel.com>
+Reviewed-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230221085304.3382297-1-jouni.hogander@intel.com
+(cherry picked from commit cb42e8ede5b475c096e473b86c356b1158b4bc3b)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/i915/display/intel_display_types.h | 2 +
+ drivers/gpu/drm/i915/display/intel_psr.c | 78 +++++++++++++++----
+ 2 files changed, 63 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_display_types.h b/drivers/gpu/drm/i915/display/intel_display_types.h
+index b56850d964919..90e055f056994 100644
+--- a/drivers/gpu/drm/i915/display/intel_display_types.h
++++ b/drivers/gpu/drm/i915/display/intel_display_types.h
+@@ -1520,6 +1520,8 @@ struct intel_psr {
+ bool psr2_sel_fetch_enabled;
+ bool req_psr2_sdp_prior_scanline;
+ u8 sink_sync_latency;
++ u8 io_wake_lines;
++ u8 fast_wake_lines;
+ ktime_t last_entry_attempt;
+ ktime_t last_exit;
+ bool sink_not_reliable;
+diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c
+index 5f9894e3c7aa7..cf1e92486cbc9 100644
+--- a/drivers/gpu/drm/i915/display/intel_psr.c
++++ b/drivers/gpu/drm/i915/display/intel_psr.c
+@@ -549,6 +549,14 @@ static void hsw_activate_psr2(struct intel_dp *intel_dp)
+ val |= EDP_PSR2_FRAME_BEFORE_SU(intel_dp->psr.sink_sync_latency + 1);
+ val |= intel_psr2_get_tp_time(intel_dp);
+
++ if (DISPLAY_VER(dev_priv) >= 12) {
++ if (intel_dp->psr.io_wake_lines < 9 &&
++ intel_dp->psr.fast_wake_lines < 9)
++ val |= TGL_EDP_PSR2_BLOCK_COUNT_NUM_2;
++ else
++ val |= TGL_EDP_PSR2_BLOCK_COUNT_NUM_3;
++ }
++
+ /* Wa_22012278275:adl-p */
+ if (IS_ADLP_DISPLAY_STEP(dev_priv, STEP_A0, STEP_E0)) {
+ static const u8 map[] = {
+@@ -565,31 +573,21 @@ static void hsw_activate_psr2(struct intel_dp *intel_dp)
+ * Still using the default IO_BUFFER_WAKE and FAST_WAKE, see
+ * comments bellow for more information
+ */
+- u32 tmp, lines = 7;
++ u32 tmp;
+
+- val |= TGL_EDP_PSR2_BLOCK_COUNT_NUM_2;
+-
+- tmp = map[lines - TGL_EDP_PSR2_IO_BUFFER_WAKE_MIN_LINES];
++ tmp = map[intel_dp->psr.io_wake_lines - TGL_EDP_PSR2_IO_BUFFER_WAKE_MIN_LINES];
+ tmp = tmp << TGL_EDP_PSR2_IO_BUFFER_WAKE_SHIFT;
+ val |= tmp;
+
+- tmp = map[lines - TGL_EDP_PSR2_FAST_WAKE_MIN_LINES];
++ tmp = map[intel_dp->psr.fast_wake_lines - TGL_EDP_PSR2_FAST_WAKE_MIN_LINES];
+ tmp = tmp << TGL_EDP_PSR2_FAST_WAKE_MIN_SHIFT;
+ val |= tmp;
+ } else if (DISPLAY_VER(dev_priv) >= 12) {
+- /*
+- * TODO: 7 lines of IO_BUFFER_WAKE and FAST_WAKE are default
+- * values from BSpec. In order to setting an optimal power
+- * consumption, lower than 4k resolution mode needs to decrease
+- * IO_BUFFER_WAKE and FAST_WAKE. And higher than 4K resolution
+- * mode needs to increase IO_BUFFER_WAKE and FAST_WAKE.
+- */
+- val |= TGL_EDP_PSR2_BLOCK_COUNT_NUM_2;
+- val |= TGL_EDP_PSR2_IO_BUFFER_WAKE(7);
+- val |= TGL_EDP_PSR2_FAST_WAKE(7);
++ val |= TGL_EDP_PSR2_IO_BUFFER_WAKE(intel_dp->psr.io_wake_lines);
++ val |= TGL_EDP_PSR2_FAST_WAKE(intel_dp->psr.fast_wake_lines);
+ } else if (DISPLAY_VER(dev_priv) >= 9) {
+- val |= EDP_PSR2_IO_BUFFER_WAKE(7);
+- val |= EDP_PSR2_FAST_WAKE(7);
++ val |= EDP_PSR2_IO_BUFFER_WAKE(intel_dp->psr.io_wake_lines);
++ val |= EDP_PSR2_FAST_WAKE(intel_dp->psr.fast_wake_lines);
+ }
+
+ if (intel_dp->psr.req_psr2_sdp_prior_scanline)
+@@ -842,6 +840,46 @@ static bool _compute_psr2_sdp_prior_scanline_indication(struct intel_dp *intel_d
+ return true;
+ }
+
++static bool _compute_psr2_wake_times(struct intel_dp *intel_dp,
++ struct intel_crtc_state *crtc_state)
++{
++ struct drm_i915_private *i915 = dp_to_i915(intel_dp);
++ int io_wake_lines, io_wake_time, fast_wake_lines, fast_wake_time;
++ u8 max_wake_lines;
++
++ if (DISPLAY_VER(i915) >= 12) {
++ io_wake_time = 42;
++ /*
++ * According to Bspec it's 42us, but based on testing
++ * it is not enough -> use 45 us.
++ */
++ fast_wake_time = 45;
++ max_wake_lines = 12;
++ } else {
++ io_wake_time = 50;
++ fast_wake_time = 32;
++ max_wake_lines = 8;
++ }
++
++ io_wake_lines = intel_usecs_to_scanlines(
++ &crtc_state->uapi.adjusted_mode, io_wake_time);
++ fast_wake_lines = intel_usecs_to_scanlines(
++ &crtc_state->uapi.adjusted_mode, fast_wake_time);
++
++ if (io_wake_lines > max_wake_lines ||
++ fast_wake_lines > max_wake_lines)
++ return false;
++
++ if (i915->params.psr_safest_params)
++ io_wake_lines = fast_wake_lines = max_wake_lines;
++
++ /* According to Bspec lower limit should be set as 7 lines. */
++ intel_dp->psr.io_wake_lines = max(io_wake_lines, 7);
++ intel_dp->psr.fast_wake_lines = max(fast_wake_lines, 7);
++
++ return true;
++}
++
+ static bool intel_psr2_config_valid(struct intel_dp *intel_dp,
+ struct intel_crtc_state *crtc_state)
+ {
+@@ -939,6 +977,12 @@ static bool intel_psr2_config_valid(struct intel_dp *intel_dp,
+ return false;
+ }
+
++ if (!_compute_psr2_wake_times(intel_dp, crtc_state)) {
++ drm_dbg_kms(&dev_priv->drm,
++ "PSR2 not enabled, Unable to use long enough wake times\n");
++ return false;
++ }
++
+ if (HAS_PSR2_SEL_FETCH(dev_priv)) {
+ if (!intel_psr2_sel_fetch_config_valid(intel_dp, crtc_state) &&
+ !HAS_PSR_HW_TRACKING(dev_priv)) {
+--
+2.39.2
+
--- /dev/null
+From 2664ebfbe23e8584288aa134c17d30fac7182b8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Mar 2023 12:33:12 +0000
+Subject: drm/meson: fix 1px pink line on GXM when scaling video overlay
+
+From: Christian Hewitt <christianshewitt@gmail.com>
+
+[ Upstream commit 5c8cf1664f288098a971a1d1e65716a2b6a279e1 ]
+
+Playing media with a resolution smaller than the crtc size requires the
+video overlay to be scaled for output and GXM boards display a 1px pink
+line on the bottom of the scaled overlay. Comparing with the downstream
+vendor driver revealed VPP_DUMMY_DATA not being set [0].
+
+Setting VPP_DUMMY_DATA prevents the 1px pink line from being seen.
+
+[0] https://github.com/endlessm/linux-s905x/blob/master/drivers/amlogic/amports/video.c#L7869
+
+Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller")
+Suggested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Christian Hewitt <christianshewitt@gmail.com>
+Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230303123312.155164-1-christianshewitt@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_vpp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/meson/meson_vpp.c b/drivers/gpu/drm/meson/meson_vpp.c
+index 154837688ab0d..5df1957c8e41f 100644
+--- a/drivers/gpu/drm/meson/meson_vpp.c
++++ b/drivers/gpu/drm/meson/meson_vpp.c
+@@ -100,6 +100,8 @@ void meson_vpp_init(struct meson_drm *priv)
+ priv->io_base + _REG(VPP_DOLBY_CTRL));
+ writel_relaxed(0x1020080,
+ priv->io_base + _REG(VPP_DUMMY_DATA1));
++ writel_relaxed(0x42020,
++ priv->io_base + _REG(VPP_DUMMY_DATA));
+ } else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A))
+ writel_relaxed(0xf, priv->io_base + _REG(DOLBY_PATH_CTRL));
+
+--
+2.39.2
+
--- /dev/null
+From 05ffa1f61c56dc52a285ba349e6d32c26b501564 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 04:40:38 +0300
+Subject: drm/panfrost: Don't sync rpm suspension after mmu flushing
+
+From: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+
+[ Upstream commit ba3be66f11c3c49afaa9f49b99e21d88756229ef ]
+
+Lockdep warns about potential circular locking dependency of devfreq
+with the fs_reclaim caused by immediate device suspension when mapping is
+released by shrinker. Fix it by doing the suspension asynchronously.
+
+Reviewed-by: Steven Price <steven.price@arm.com>
+Fixes: ec7eba47da86 ("drm/panfrost: Rework page table flushing and runtime PM interaction")
+Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Link: https://lore.kernel.org/all/20230108210445.3948344-3-dmitry.osipenko@collabora.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panfrost/panfrost_mmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panfrost/panfrost_mmu.c b/drivers/gpu/drm/panfrost/panfrost_mmu.c
+index c3292a6bd1ae8..d6dda97e2591d 100644
+--- a/drivers/gpu/drm/panfrost/panfrost_mmu.c
++++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c
+@@ -253,7 +253,7 @@ static void panfrost_mmu_flush_range(struct panfrost_device *pfdev,
+ if (pm_runtime_active(pfdev->dev))
+ mmu_hw_do_operation(pfdev, mmu, iova, size, AS_COMMAND_FLUSH_PT);
+
+- pm_runtime_put_sync_autosuspend(pfdev->dev);
++ pm_runtime_put_autosuspend(pfdev->dev);
+ }
+
+ static int mmu_map_sg(struct panfrost_device *pfdev, struct panfrost_mmu *mmu,
+--
+2.39.2
+
--- /dev/null
+From ba0a2193a411e1160fcf7aca39f5e76bbfe5ec7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 14:00:21 +0800
+Subject: ethernet: sun: add check for the mdesc_grab()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 90de546d9a0b3c771667af18bb3f80567eabb89b ]
+
+In vnet_port_probe() and vsw_port_probe(), we should
+check the return value of mdesc_grab() as it may
+return NULL which can caused NPD bugs.
+
+Fixes: 5d01fa0c6bd8 ("ldmvsw: Add ldmvsw.c driver code")
+Fixes: 43fdf27470b2 ("[SPARC64]: Abstract out mdesc accesses for better MD update handling.")
+Signed-off-by: Liang He <windhl@126.com>
+Reviewed-by: Piotr Raczynski <piotr.raczynski@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sun/ldmvsw.c | 3 +++
+ drivers/net/ethernet/sun/sunvnet.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/sun/ldmvsw.c b/drivers/net/ethernet/sun/ldmvsw.c
+index 50bd4e3b0af9d..cde65f76e5cef 100644
+--- a/drivers/net/ethernet/sun/ldmvsw.c
++++ b/drivers/net/ethernet/sun/ldmvsw.c
+@@ -290,6 +290,9 @@ static int vsw_port_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+
+ hp = mdesc_grab();
+
++ if (!hp)
++ return -ENODEV;
++
+ rmac = mdesc_get_property(hp, vdev->mp, remote_macaddr_prop, &len);
+ err = -ENODEV;
+ if (!rmac) {
+diff --git a/drivers/net/ethernet/sun/sunvnet.c b/drivers/net/ethernet/sun/sunvnet.c
+index 58ee89223951e..dcdfc1fd3d2ca 100644
+--- a/drivers/net/ethernet/sun/sunvnet.c
++++ b/drivers/net/ethernet/sun/sunvnet.c
+@@ -431,6 +431,9 @@ static int vnet_port_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+
+ hp = mdesc_grab();
+
++ if (!hp)
++ return -ENODEV;
++
+ vp = vnet_find_parent(hp, vdev->mp, vdev);
+ if (IS_ERR(vp)) {
+ pr_err("Cannot find port parent vnet\n");
+--
+2.39.2
+
--- /dev/null
+From 3ffc0514a93780183239801c62f8c6424a3f3c71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Mar 2023 10:45:09 -0800
+Subject: i40e: Fix kernel crash during reboot when adapter is in recovery mode
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit 7e4f8a0c495413a50413e8c9f1032ce1bc633bae ]
+
+If the driver detects during probe that firmware is in recovery
+mode then i40e_init_recovery_mode() is called and the rest of
+probe function is skipped including pci_set_drvdata(). Subsequent
+i40e_shutdown() called during shutdown/reboot dereferences NULL
+pointer as pci_get_drvdata() returns NULL.
+
+To fix call pci_set_drvdata() also during entering to recovery mode.
+
+Reproducer:
+1) Lets have i40e NIC with firmware in recovery mode
+2) Run reboot
+
+Result:
+[ 139.084698] i40e: Intel(R) Ethernet Connection XL710 Network Driver
+[ 139.090959] i40e: Copyright (c) 2013 - 2019 Intel Corporation.
+[ 139.108438] i40e 0000:02:00.0: Firmware recovery mode detected. Limiting functionality.
+[ 139.116439] i40e 0000:02:00.0: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode.
+[ 139.129499] i40e 0000:02:00.0: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a]
+[ 139.215932] i40e 0000:02:00.0 enp2s0f0: renamed from eth0
+[ 139.223292] i40e 0000:02:00.1: Firmware recovery mode detected. Limiting functionality.
+[ 139.231292] i40e 0000:02:00.1: Refer to the Intel(R) Ethernet Adapters and Devices User Guide for details on firmware recovery mode.
+[ 139.244406] i40e 0000:02:00.1: fw 8.3.64775 api 1.13 nvm 8.30 0x8000b78d 1.3106.0 [8086:1583] [15d9:084a]
+[ 139.329209] i40e 0000:02:00.1 enp2s0f1: renamed from eth0
+...
+[ 156.311376] BUG: kernel NULL pointer dereference, address: 00000000000006c2
+[ 156.318330] #PF: supervisor write access in kernel mode
+[ 156.323546] #PF: error_code(0x0002) - not-present page
+[ 156.328679] PGD 0 P4D 0
+[ 156.331210] Oops: 0002 [#1] PREEMPT SMP NOPTI
+[ 156.335567] CPU: 26 PID: 15119 Comm: reboot Tainted: G E 6.2.0+ #1
+[ 156.343126] Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.4 04/13/2022
+[ 156.353369] RIP: 0010:i40e_shutdown+0x15/0x130 [i40e]
+[ 156.358430] Code: c1 fc ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 48 89 fd 53 48 8b 9f 48 01 00 00 <f0> 80 8b c2 06 00 00 04 f0 80 8b c0 06 00 00 08 48 8d bb 08 08 00
+[ 156.377168] RSP: 0018:ffffb223c8447d90 EFLAGS: 00010282
+[ 156.382384] RAX: ffffffffc073ee70 RBX: 0000000000000000 RCX: 0000000000000001
+[ 156.389510] RDX: 0000000080000001 RSI: 0000000000000246 RDI: ffff95db49988000
+[ 156.396634] RBP: ffff95db49988000 R08: ffffffffffffffff R09: ffffffff8bd17d40
+[ 156.403759] R10: 0000000000000001 R11: ffffffff8a5e3d28 R12: ffff95db49988000
+[ 156.410882] R13: ffffffff89a6fe17 R14: ffff95db49988150 R15: 0000000000000000
+[ 156.418007] FS: 00007fe7c0cc3980(0000) GS:ffff95ea8ee80000(0000) knlGS:0000000000000000
+[ 156.426083] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 156.431819] CR2: 00000000000006c2 CR3: 00000003092fc005 CR4: 0000000000770ee0
+[ 156.438944] PKRU: 55555554
+[ 156.441647] Call Trace:
+[ 156.444096] <TASK>
+[ 156.446199] pci_device_shutdown+0x38/0x60
+[ 156.450297] device_shutdown+0x163/0x210
+[ 156.454215] kernel_restart+0x12/0x70
+[ 156.457872] __do_sys_reboot+0x1ab/0x230
+[ 156.461789] ? vfs_writev+0xa6/0x1a0
+[ 156.465362] ? __pfx_file_free_rcu+0x10/0x10
+[ 156.469635] ? __call_rcu_common.constprop.85+0x109/0x5a0
+[ 156.475034] do_syscall_64+0x3e/0x90
+[ 156.478611] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[ 156.483658] RIP: 0033:0x7fe7bff37ab7
+
+Fixes: 4ff0ee1af016 ("i40e: Introduce recovery mode support")
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Link: https://lore.kernel.org/r/20230309184509.984639-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 5ffcd3cc989f7..85d48efce1d00 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -15338,6 +15338,7 @@ static int i40e_init_recovery_mode(struct i40e_pf *pf, struct i40e_hw *hw)
+ int err;
+ int v_idx;
+
++ pci_set_drvdata(pf->pdev, pf);
+ pci_save_state(pf->pdev);
+
+ /* set up periodic task facility */
+--
+2.39.2
+
--- /dev/null
+From 5642c9184dd48db3f110c542963624979ddf0310 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 10:45:43 -0700
+Subject: ice: xsk: disable txq irq before flushing hw
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit b830c9642386867863ac64295185f896ff2928ac ]
+
+ice_qp_dis() intends to stop a given queue pair that is a target of xsk
+pool attach/detach. One of the steps is to disable interrupts on these
+queues. It currently is broken in a way that txq irq is turned off
+*after* HW flush which in turn takes no effect.
+
+ice_qp_dis():
+-> ice_qvec_dis_irq()
+--> disable rxq irq
+--> flush hw
+-> ice_vsi_stop_tx_ring()
+-->disable txq irq
+
+Below splat can be triggered by following steps:
+- start xdpsock WITHOUT loading xdp prog
+- run xdp_rxq_info with XDP_TX action on this interface
+- start traffic
+- terminate xdpsock
+
+[ 256.312485] BUG: kernel NULL pointer dereference, address: 0000000000000018
+[ 256.319560] #PF: supervisor read access in kernel mode
+[ 256.324775] #PF: error_code(0x0000) - not-present page
+[ 256.329994] PGD 0 P4D 0
+[ 256.332574] Oops: 0000 [#1] PREEMPT SMP NOPTI
+[ 256.337006] CPU: 3 PID: 32 Comm: ksoftirqd/3 Tainted: G OE 6.2.0-rc5+ #51
+[ 256.345218] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
+[ 256.355807] RIP: 0010:ice_clean_rx_irq_zc+0x9c/0x7d0 [ice]
+[ 256.361423] Code: b7 8f 8a 00 00 00 66 39 ca 0f 84 f1 04 00 00 49 8b 47 40 4c 8b 24 d0 41 0f b7 45 04 66 25 ff 3f 66 89 04 24 0f 84 85 02 00 00 <49> 8b 44 24 18 0f b7 14 24 48 05 00 01 00 00 49 89 04 24 49 89 44
+[ 256.380463] RSP: 0018:ffffc900088bfd20 EFLAGS: 00010206
+[ 256.385765] RAX: 000000000000003c RBX: 0000000000000035 RCX: 000000000000067f
+[ 256.393012] RDX: 0000000000000775 RSI: 0000000000000000 RDI: ffff8881deb3ac80
+[ 256.400256] RBP: 000000000000003c R08: ffff889847982710 R09: 0000000000010000
+[ 256.407500] R10: ffffffff82c060c0 R11: 0000000000000004 R12: 0000000000000000
+[ 256.414746] R13: ffff88811165eea0 R14: ffffc9000d255000 R15: ffff888119b37600
+[ 256.421990] FS: 0000000000000000(0000) GS:ffff8897e0cc0000(0000) knlGS:0000000000000000
+[ 256.430207] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 256.436036] CR2: 0000000000000018 CR3: 0000000005c0a006 CR4: 00000000007706e0
+[ 256.443283] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 256.450527] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 256.457770] PKRU: 55555554
+[ 256.460529] Call Trace:
+[ 256.463015] <TASK>
+[ 256.465157] ? ice_xmit_zc+0x6e/0x150 [ice]
+[ 256.469437] ice_napi_poll+0x46d/0x680 [ice]
+[ 256.473815] ? _raw_spin_unlock_irqrestore+0x1b/0x40
+[ 256.478863] __napi_poll+0x29/0x160
+[ 256.482409] net_rx_action+0x136/0x260
+[ 256.486222] __do_softirq+0xe8/0x2e5
+[ 256.489853] ? smpboot_thread_fn+0x2c/0x270
+[ 256.494108] run_ksoftirqd+0x2a/0x50
+[ 256.497747] smpboot_thread_fn+0x1c1/0x270
+[ 256.501907] ? __pfx_smpboot_thread_fn+0x10/0x10
+[ 256.506594] kthread+0xea/0x120
+[ 256.509785] ? __pfx_kthread+0x10/0x10
+[ 256.513597] ret_from_fork+0x29/0x50
+[ 256.517238] </TASK>
+
+In fact, irqs were not disabled and napi managed to be scheduled and run
+while xsk_pool pointer was still valid, but SW ring of xdp_buff pointers
+was already freed.
+
+To fix this, call ice_qvec_dis_irq() after ice_vsi_stop_tx_ring(). Also
+while at it, remove redundant ice_clean_rx_ring() call - this is handled
+in ice_qp_clean_rings().
+
+Fixes: 2d4238f55697 ("ice: Add support for AF_XDP")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Reviewed-by: Larysa Zaremba <larysa.zaremba@intel.com>
+Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_xsk.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c
+index 60d8ef0c88595..070be30cbaa91 100644
+--- a/drivers/net/ethernet/intel/ice/ice_xsk.c
++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c
+@@ -166,8 +166,6 @@ static int ice_qp_dis(struct ice_vsi *vsi, u16 q_idx)
+ }
+ netif_tx_stop_queue(netdev_get_tx_queue(vsi->netdev, q_idx));
+
+- ice_qvec_dis_irq(vsi, rx_ring, q_vector);
+-
+ ice_fill_txq_meta(vsi, tx_ring, &txq_meta);
+ err = ice_vsi_stop_tx_ring(vsi, ICE_NO_RESET, 0, tx_ring, &txq_meta);
+ if (err)
+@@ -182,6 +180,8 @@ static int ice_qp_dis(struct ice_vsi *vsi, u16 q_idx)
+ if (err)
+ return err;
+ }
++ ice_qvec_dis_irq(vsi, rx_ring, q_vector);
++
+ err = ice_vsi_ctrl_one_rx_ring(vsi, false, q_idx, true);
+ if (err)
+ return err;
+--
+2.39.2
+
--- /dev/null
+From 0efda240afcb902b8ad61688b9b0878e0c5f0573 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 14:40:09 +0200
+Subject: ipv4: Fix incorrect table ID in IOCTL path
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 8a2618e14f81604a9b6ad305d57e0c8da939cd65 ]
+
+Commit f96a3d74554d ("ipv4: Fix incorrect route flushing when source
+address is deleted") started to take the table ID field in the FIB info
+structure into account when determining if two structures are identical
+or not. This field is initialized using the 'fc_table' field in the
+route configuration structure, which is not set when adding a route via
+IOCTL.
+
+The above can result in user space being able to install two identical
+routes that only differ in the table ID field of their associated FIB
+info.
+
+Fix by initializing the table ID field in the route configuration
+structure in the IOCTL path.
+
+Before the fix:
+
+ # ip route add default via 192.0.2.2
+ # route add default gw 192.0.2.2
+ # ip -4 r show default
+ # default via 192.0.2.2 dev dummy10
+ # default via 192.0.2.2 dev dummy10
+
+After the fix:
+
+ # ip route add default via 192.0.2.2
+ # route add default gw 192.0.2.2
+ SIOCADDRT: File exists
+ # ip -4 r show default
+ default via 192.0.2.2 dev dummy10
+
+Audited the code paths to ensure there are no other paths that do not
+properly initialize the route configuration structure when installing a
+route.
+
+Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs")
+Fixes: f96a3d74554d ("ipv4: Fix incorrect route flushing when source address is deleted")
+Reported-by: gaoxingwang <gaoxingwang1@huawei.com>
+Link: https://lore.kernel.org/netdev/20230314144159.2354729-1-gaoxingwang1@huawei.com/
+Tested-by: gaoxingwang <gaoxingwang1@huawei.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20230315124009.4015212-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fib_frontend.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index 75c88d4863276..c21d57f02c651 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -573,6 +573,9 @@ static int rtentry_to_fib_config(struct net *net, int cmd, struct rtentry *rt,
+ cfg->fc_scope = RT_SCOPE_UNIVERSE;
+ }
+
++ if (!cfg->fc_table)
++ cfg->fc_table = RT_TABLE_MAIN;
++
+ if (cmd == SIOCDELRT)
+ return 0;
+
+--
+2.39.2
+
--- /dev/null
+From f4767a66e606f8fd87fc953b3f1e372bb0d563e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Mar 2023 10:03:36 +0800
+Subject: ipvlan: Make skb->skb_iif track skb->dev for l3s mode
+
+From: Jianguo Wu <wujianguo@chinatelecom.cn>
+
+[ Upstream commit 59a0b022aa249e3f5735d93de0849341722c4754 ]
+
+For l3s mode, skb->dev is set to ipvlan interface in ipvlan_nf_input():
+ skb->dev = addr->master->dev
+but, skb->skb_iif remain unchanged, this will cause socket lookup failed
+if a target socket is bound to a interface, like the following example:
+
+ ip link add ipvlan0 link eth0 type ipvlan mode l3s
+ ip addr add dev ipvlan0 192.168.124.111/24
+ ip link set ipvlan0 up
+
+ ping -c 1 -I ipvlan0 8.8.8.8
+ 100% packet loss
+
+This is because there is no match sk in __raw_v4_lookup() as sk->sk_bound_dev_if != dif(skb->skb_iif).
+Fix this by make skb->skb_iif track skb->dev in ipvlan_nf_input().
+
+Fixes: c675e06a98a4 ("ipvlan: decouple l3s mode dependencies from other modes")
+Signed-off-by: Jianguo Wu <wujianguo@chinatelecom.cn>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://lore.kernel.org/r/29865b1f-6db7-c07a-de89-949d3721ea30@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipvlan/ipvlan_l3s.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ipvlan/ipvlan_l3s.c b/drivers/net/ipvlan/ipvlan_l3s.c
+index 943d26cbf39f5..71712ea25403d 100644
+--- a/drivers/net/ipvlan/ipvlan_l3s.c
++++ b/drivers/net/ipvlan/ipvlan_l3s.c
+@@ -101,6 +101,7 @@ static unsigned int ipvlan_nf_input(void *priv, struct sk_buff *skb,
+ goto out;
+
+ skb->dev = addr->master->dev;
++ skb->skb_iif = skb->dev->ifindex;
+ len = skb->len + ETH_HLEN;
+ ipvlan_count_rx(addr->master, len, true, false);
+ out:
+--
+2.39.2
+
--- /dev/null
+From a605e60e4aa62d5bcec4a4437feb790d8952d774 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 11:21:54 -0700
+Subject: loop: Fix use-after-free issues
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 9b0cb770f5d7b1ff40bea7ca385438ee94570eec ]
+
+do_req_filebacked() calls blk_mq_complete_request() synchronously or
+asynchronously when using asynchronous I/O unless memory allocation fails.
+Hence, modify loop_handle_cmd() such that it does not dereference 'cmd' nor
+'rq' after do_req_filebacked() finished unless we are sure that the request
+has not yet been completed. This patch fixes the following kernel crash:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000054
+Call trace:
+ css_put.42938+0x1c/0x1ac
+ loop_process_work+0xc8c/0xfd4
+ loop_rootcg_workfn+0x24/0x34
+ process_one_work+0x244/0x558
+ worker_thread+0x400/0x8fc
+ kthread+0x16c/0x1e0
+ ret_from_fork+0x10/0x20
+
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Dan Schatzberg <schatzberg.dan@gmail.com>
+Fixes: c74d40e8b5e2 ("loop: charge i/o to mem and blk cg")
+Fixes: bc07c10a3603 ("block: loop: support DIO & AIO")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20230314182155.80625-1-bvanassche@acm.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/loop.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index 58a38e61de535..07cf7a35ae502 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -2188,35 +2188,44 @@ static blk_status_t loop_queue_rq(struct blk_mq_hw_ctx *hctx,
+
+ static void loop_handle_cmd(struct loop_cmd *cmd)
+ {
++ struct cgroup_subsys_state *cmd_blkcg_css = cmd->blkcg_css;
++ struct cgroup_subsys_state *cmd_memcg_css = cmd->memcg_css;
+ struct request *rq = blk_mq_rq_from_pdu(cmd);
+ const bool write = op_is_write(req_op(rq));
+ struct loop_device *lo = rq->q->queuedata;
+ int ret = 0;
+ struct mem_cgroup *old_memcg = NULL;
++ const bool use_aio = cmd->use_aio;
+
+ if (write && (lo->lo_flags & LO_FLAGS_READ_ONLY)) {
+ ret = -EIO;
+ goto failed;
+ }
+
+- if (cmd->blkcg_css)
+- kthread_associate_blkcg(cmd->blkcg_css);
+- if (cmd->memcg_css)
++ if (cmd_blkcg_css)
++ kthread_associate_blkcg(cmd_blkcg_css);
++ if (cmd_memcg_css)
+ old_memcg = set_active_memcg(
+- mem_cgroup_from_css(cmd->memcg_css));
++ mem_cgroup_from_css(cmd_memcg_css));
+
++ /*
++ * do_req_filebacked() may call blk_mq_complete_request() synchronously
++ * or asynchronously if using aio. Hence, do not touch 'cmd' after
++ * do_req_filebacked() has returned unless we are sure that 'cmd' has
++ * not yet been completed.
++ */
+ ret = do_req_filebacked(lo, rq);
+
+- if (cmd->blkcg_css)
++ if (cmd_blkcg_css)
+ kthread_associate_blkcg(NULL);
+
+- if (cmd->memcg_css) {
++ if (cmd_memcg_css) {
+ set_active_memcg(old_memcg);
+- css_put(cmd->memcg_css);
++ css_put(cmd_memcg_css);
+ }
+ failed:
+ /* complete non-aio request */
+- if (!cmd->use_aio || ret) {
++ if (!use_aio || ret) {
+ if (ret == -EOPNOTSUPP)
+ cmd->ret = ret;
+ else
+--
+2.39.2
+
--- /dev/null
+From 696045c9575a5adc13a672c716ab966471868f27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Mar 2023 10:33:37 +0300
+Subject: net: dsa: mt7530: remove now incorrect comment regarding port 5
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL <arinc.unal@arinc9.com>
+
+[ Upstream commit feb03fd11c5616f3a47e4714d2f9917d0f1a2edd ]
+
+Remove now incorrect comment regarding port 5 as GMAC5. This is supposed to
+be supported since commit 38f790a80560 ("net: dsa: mt7530: Add support for
+port 5") under mt7530_setup_port5().
+
+Fixes: 38f790a80560 ("net: dsa: mt7530: Add support for port 5")
+Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Link: https://lore.kernel.org/r/20230310073338.5836-1-arinc.unal@arinc9.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 7bcfa3be95e29..22a09a11d8749 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -2168,7 +2168,7 @@ mt7530_setup(struct dsa_switch *ds)
+
+ mt7530_pll_setup(priv);
+
+- /* Enable Port 6 only; P5 as GMAC5 which currently is not supported */
++ /* Enable port 6 */
+ val = mt7530_read(priv, MT7530_MHWTRAP);
+ val &= ~MHWTRAP_P6_DIS & ~MHWTRAP_PHY_ACCESS;
+ val |= MHWTRAP_MANUAL;
+--
+2.39.2
+
--- /dev/null
+From 560642604e3e4fdfbc6109ce32ec30188384e96f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Mar 2023 10:33:38 +0300
+Subject: net: dsa: mt7530: set PLL frequency and trgmii only when trgmii is
+ used
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL <arinc.unal@arinc9.com>
+
+[ Upstream commit 0b086d76e7b011772b0ac214c6e5fd5816eff2df ]
+
+As my testing on the MCM MT7530 switch on MT7621 SoC shows, setting the PLL
+frequency does not affect MII modes other than trgmii on port 5 and port 6.
+So the assumption is that the operation here called "setting the PLL
+frequency" actually sets the frequency of the TRGMII TX clock.
+
+Make it so that it and the rest of the trgmii setup run only when the
+trgmii mode is used.
+
+Tested rgmii and trgmii modes of port 6 on MCM MT7530 on MT7621AT Unielec
+U7621-06 and standalone MT7530 on MT7623NI Bananapi BPI-R2.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Tested-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Link: https://lore.kernel.org/r/20230310073338.5836-2-arinc.unal@arinc9.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 62 ++++++++++++++++++++--------------------
+ 1 file changed, 31 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 22a09a11d8749..793992c378559 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -425,8 +425,6 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+ switch (interface) {
+ case PHY_INTERFACE_MODE_RGMII:
+ trgint = 0;
+- /* PLL frequency: 125MHz */
+- ncpo1 = 0x0c80;
+ break;
+ case PHY_INTERFACE_MODE_TRGMII:
+ trgint = 1;
+@@ -457,38 +455,40 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+ mt7530_rmw(priv, MT7530_P6ECR, P6_INTF_MODE_MASK,
+ P6_INTF_MODE(trgint));
+
+- /* Lower Tx Driving for TRGMII path */
+- for (i = 0 ; i < NUM_TRGMII_CTRL ; i++)
+- mt7530_write(priv, MT7530_TRGMII_TD_ODT(i),
+- TD_DM_DRVP(8) | TD_DM_DRVN(8));
+-
+- /* Disable MT7530 core and TRGMII Tx clocks */
+- core_clear(priv, CORE_TRGMII_GSW_CLK_CG,
+- REG_GSWCK_EN | REG_TRGMIICK_EN);
+-
+- /* Setup the MT7530 TRGMII Tx Clock */
+- core_write(priv, CORE_PLL_GROUP5, RG_LCDDS_PCW_NCPO1(ncpo1));
+- core_write(priv, CORE_PLL_GROUP6, RG_LCDDS_PCW_NCPO0(0));
+- core_write(priv, CORE_PLL_GROUP10, RG_LCDDS_SSC_DELTA(ssc_delta));
+- core_write(priv, CORE_PLL_GROUP11, RG_LCDDS_SSC_DELTA1(ssc_delta));
+- core_write(priv, CORE_PLL_GROUP4,
+- RG_SYSPLL_DDSFBK_EN | RG_SYSPLL_BIAS_EN |
+- RG_SYSPLL_BIAS_LPF_EN);
+- core_write(priv, CORE_PLL_GROUP2,
+- RG_SYSPLL_EN_NORMAL | RG_SYSPLL_VODEN |
+- RG_SYSPLL_POSDIV(1));
+- core_write(priv, CORE_PLL_GROUP7,
+- RG_LCDDS_PCW_NCPO_CHG | RG_LCCDS_C(3) |
+- RG_LCDDS_PWDB | RG_LCDDS_ISO_EN);
+-
+- /* Enable MT7530 core and TRGMII Tx clocks */
+- core_set(priv, CORE_TRGMII_GSW_CLK_CG,
+- REG_GSWCK_EN | REG_TRGMIICK_EN);
+-
+- if (!trgint)
++ if (trgint) {
++ /* Lower Tx Driving for TRGMII path */
++ for (i = 0 ; i < NUM_TRGMII_CTRL ; i++)
++ mt7530_write(priv, MT7530_TRGMII_TD_ODT(i),
++ TD_DM_DRVP(8) | TD_DM_DRVN(8));
++
++ /* Disable MT7530 core and TRGMII Tx clocks */
++ core_clear(priv, CORE_TRGMII_GSW_CLK_CG,
++ REG_GSWCK_EN | REG_TRGMIICK_EN);
++
++ /* Setup the MT7530 TRGMII Tx Clock */
++ core_write(priv, CORE_PLL_GROUP5, RG_LCDDS_PCW_NCPO1(ncpo1));
++ core_write(priv, CORE_PLL_GROUP6, RG_LCDDS_PCW_NCPO0(0));
++ core_write(priv, CORE_PLL_GROUP10, RG_LCDDS_SSC_DELTA(ssc_delta));
++ core_write(priv, CORE_PLL_GROUP11, RG_LCDDS_SSC_DELTA1(ssc_delta));
++ core_write(priv, CORE_PLL_GROUP4,
++ RG_SYSPLL_DDSFBK_EN | RG_SYSPLL_BIAS_EN |
++ RG_SYSPLL_BIAS_LPF_EN);
++ core_write(priv, CORE_PLL_GROUP2,
++ RG_SYSPLL_EN_NORMAL | RG_SYSPLL_VODEN |
++ RG_SYSPLL_POSDIV(1));
++ core_write(priv, CORE_PLL_GROUP7,
++ RG_LCDDS_PCW_NCPO_CHG | RG_LCCDS_C(3) |
++ RG_LCDDS_PWDB | RG_LCDDS_ISO_EN);
++
++ /* Enable MT7530 core and TRGMII Tx clocks */
++ core_set(priv, CORE_TRGMII_GSW_CLK_CG,
++ REG_GSWCK_EN | REG_TRGMIICK_EN);
++ } else {
+ for (i = 0 ; i < NUM_TRGMII_CTRL; i++)
+ mt7530_rmw(priv, MT7530_TRGMII_RD(i),
+ RD_TAP_MASK, RD_TAP(16));
++ }
++
+ return 0;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 8519a56f3475ddf9cf1f0cfe8223701105b59ed7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 20:24:05 +0200
+Subject: net: dsa: mv88e6xxx: fix max_mtu of 1492 on 6165, 6191, 6220, 6250,
+ 6290
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 7e9517375a14f44ee830ca1c3278076dd65fcc8f ]
+
+There are 3 classes of switch families that the driver is aware of, as
+far as mv88e6xxx_change_mtu() is concerned:
+
+- MTU configuration is available per port. Here, the
+ chip->info->ops->port_set_jumbo_size() method will be present.
+
+- MTU configuration is global to the switch. Here, the
+ chip->info->ops->set_max_frame_size() method will be present.
+
+- We don't know how to change the MTU. Here, none of the above methods
+ will be present.
+
+Switch families MV88E6165, MV88E6191, MV88E6220, MV88E6250 and MV88E6290
+fall in category 3.
+
+The blamed commit has adjusted the MTU for all 3 categories by EDSA_HLEN
+(8 bytes), resulting in a new maximum MTU of 1492 being reported by the
+driver for these switches.
+
+I don't have the hardware to test, but I do have a MV88E6390 switch on
+which I can simulate this by commenting out its .port_set_jumbo_size
+definition from mv88e6390_ops. The result is this set of messages at
+probe time:
+
+mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 1
+mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 2
+mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 3
+mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 4
+mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 5
+mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 6
+mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 7
+mv88e6085 d0032004.mdio-mii:10: nonfatal error -34 setting MTU to 1500 on port 8
+
+It is highly implausible that there exist Ethernet switches which don't
+support the standard MTU of 1500 octets, and this is what the DSA
+framework says as well - the error comes from dsa_slave_create() ->
+dsa_slave_change_mtu(slave_dev, ETH_DATA_LEN).
+
+But the error messages are alarming, and it would be good to suppress
+them.
+
+As a consequence of this unlikeliness, we reimplement mv88e6xxx_get_max_mtu()
+and mv88e6xxx_change_mtu() on switches from the 3rd category as follows:
+the maximum supported MTU is 1500, and any request to set the MTU to a
+value larger than that fails in dev_validate_mtu().
+
+Fixes: b9c587fed61c ("dsa: mv88e6xxx: Include tagger overhead when setting MTU for DSA and CPU ports")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index f9efd0c8bab8d..99c4e45c62e33 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -3054,7 +3054,7 @@ static int mv88e6xxx_get_max_mtu(struct dsa_switch *ds, int port)
+ return 10240 - VLAN_ETH_HLEN - EDSA_HLEN - ETH_FCS_LEN;
+ else if (chip->info->ops->set_max_frame_size)
+ return 1632 - VLAN_ETH_HLEN - EDSA_HLEN - ETH_FCS_LEN;
+- return 1522 - VLAN_ETH_HLEN - EDSA_HLEN - ETH_FCS_LEN;
++ return ETH_DATA_LEN;
+ }
+
+ static int mv88e6xxx_change_mtu(struct dsa_switch *ds, int port, int new_mtu)
+@@ -3062,6 +3062,17 @@ static int mv88e6xxx_change_mtu(struct dsa_switch *ds, int port, int new_mtu)
+ struct mv88e6xxx_chip *chip = ds->priv;
+ int ret = 0;
+
++ /* For families where we don't know how to alter the MTU,
++ * just accept any value up to ETH_DATA_LEN
++ */
++ if (!chip->info->ops->port_set_jumbo_size &&
++ !chip->info->ops->set_max_frame_size) {
++ if (new_mtu > ETH_DATA_LEN)
++ return -EINVAL;
++
++ return 0;
++ }
++
+ if (dsa_is_dsa_port(ds, port) || dsa_is_cpu_port(ds, port))
+ new_mtu += EDSA_HLEN;
+
+@@ -3070,9 +3081,6 @@ static int mv88e6xxx_change_mtu(struct dsa_switch *ds, int port, int new_mtu)
+ ret = chip->info->ops->port_set_jumbo_size(chip, port, new_mtu);
+ else if (chip->info->ops->set_max_frame_size)
+ ret = chip->info->ops->set_max_frame_size(chip, new_mtu);
+- else
+- if (new_mtu > 1522)
+- ret = -EINVAL;
+ mv88e6xxx_reg_unlock(chip);
+
+ return ret;
+--
+2.39.2
+
--- /dev/null
+From 92dea5ece8b3ee5f1b03af9a229721e0f43d3cf7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 14:14:35 +0100
+Subject: net/iucv: Fix size of interrupt data
+
+From: Alexandra Winter <wintera@linux.ibm.com>
+
+[ Upstream commit 3d87debb8ed2649608ff432699e7c961c0c6f03b ]
+
+iucv_irq_data needs to be 4 bytes larger.
+These bytes are not used by the iucv module, but written by
+the z/VM hypervisor in case a CPU is deconfigured.
+
+Reported as:
+BUG dma-kmalloc-64 (Not tainted): kmalloc Redzone overwritten
+-----------------------------------------------------------------------------
+0x0000000000400564-0x0000000000400567 @offset=1380. First byte 0x80 instead of 0xcc
+Allocated in iucv_cpu_prepare+0x44/0xd0 age=167839 cpu=2 pid=1
+__kmem_cache_alloc_node+0x166/0x450
+kmalloc_node_trace+0x3a/0x70
+iucv_cpu_prepare+0x44/0xd0
+cpuhp_invoke_callback+0x156/0x2f0
+cpuhp_issue_call+0xf0/0x298
+__cpuhp_setup_state_cpuslocked+0x136/0x338
+__cpuhp_setup_state+0xf4/0x288
+iucv_init+0xf4/0x280
+do_one_initcall+0x78/0x390
+do_initcalls+0x11a/0x140
+kernel_init_freeable+0x25e/0x2a0
+kernel_init+0x2e/0x170
+__ret_from_fork+0x3c/0x58
+ret_from_fork+0xa/0x40
+Freed in iucv_init+0x92/0x280 age=167839 cpu=2 pid=1
+__kmem_cache_free+0x308/0x358
+iucv_init+0x92/0x280
+do_one_initcall+0x78/0x390
+do_initcalls+0x11a/0x140
+kernel_init_freeable+0x25e/0x2a0
+kernel_init+0x2e/0x170
+__ret_from_fork+0x3c/0x58
+ret_from_fork+0xa/0x40
+Slab 0x0000037200010000 objects=32 used=30 fp=0x0000000000400640 flags=0x1ffff00000010200(slab|head|node=0|zone=0|
+Object 0x0000000000400540 @offset=1344 fp=0x0000000000000000
+Redzone 0000000000400500: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+Redzone 0000000000400510: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+Redzone 0000000000400520: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+Redzone 0000000000400530: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+Object 0000000000400540: 00 01 00 03 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object 0000000000400550: f3 86 81 f2 f4 82 f8 82 f0 f0 f0 f0 f0 f0 f0 f2 ................
+Object 0000000000400560: 00 00 00 00 80 00 00 00 cc cc cc cc cc cc cc cc ................
+Object 0000000000400570: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+Redzone 0000000000400580: cc cc cc cc cc cc cc cc ........
+Padding 00000000004005d4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
+Padding 00000000004005e4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
+Padding 00000000004005f4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ
+CPU: 6 PID: 121030 Comm: 116-pai-crypto. Not tainted 6.3.0-20230221.rc0.git4.99b8246b2d71.300.fc37.s390x+debug #1
+Hardware name: IBM 3931 A01 704 (z/VM 7.3.0)
+Call Trace:
+[<000000032aa034ec>] dump_stack_lvl+0xac/0x100
+[<0000000329f5a6cc>] check_bytes_and_report+0x104/0x140
+[<0000000329f5aa78>] check_object+0x370/0x3c0
+[<0000000329f5ede6>] free_debug_processing+0x15e/0x348
+[<0000000329f5f06a>] free_to_partial_list+0x9a/0x2f0
+[<0000000329f5f4a4>] __slab_free+0x1e4/0x3a8
+[<0000000329f61768>] __kmem_cache_free+0x308/0x358
+[<000000032a91465c>] iucv_cpu_dead+0x6c/0x88
+[<0000000329c2fc66>] cpuhp_invoke_callback+0x156/0x2f0
+[<000000032aa062da>] _cpu_down.constprop.0+0x22a/0x5e0
+[<0000000329c3243e>] cpu_device_down+0x4e/0x78
+[<000000032a61dee0>] device_offline+0xc8/0x118
+[<000000032a61e048>] online_store+0x60/0xe0
+[<000000032a08b6b0>] kernfs_fop_write_iter+0x150/0x1e8
+[<0000000329fab65c>] vfs_write+0x174/0x360
+[<0000000329fab9fc>] ksys_write+0x74/0x100
+[<000000032aa03a5a>] __do_syscall+0x1da/0x208
+[<000000032aa177b2>] system_call+0x82/0xb0
+INFO: lockdep is turned off.
+FIX dma-kmalloc-64: Restoring kmalloc Redzone 0x0000000000400564-0x0000000000400567=0xcc
+FIX dma-kmalloc-64: Object at 0x0000000000400540 not freed
+
+Fixes: 2356f4cb1911 ("[S390]: Rewrite of the IUCV base code, part 2")
+Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
+Link: https://lore.kernel.org/r/20230315131435.4113889-1-wintera@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/iucv/iucv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
+index f3343a8541a57..8efc369934fc7 100644
+--- a/net/iucv/iucv.c
++++ b/net/iucv/iucv.c
+@@ -83,7 +83,7 @@ struct iucv_irq_data {
+ u16 ippathid;
+ u8 ipflags1;
+ u8 iptype;
+- u32 res2[8];
++ u32 res2[9];
+ };
+
+ struct iucv_irq_list {
+--
+2.39.2
+
--- /dev/null
+From b2d9bee0367c8157ce73c72ac5288e5e8bbe839e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Mar 2023 19:34:45 +0100
+Subject: net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status
+ fails
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit c22c3bbf351e4ce905f082649cffa1ff893ea8c1 ]
+
+If genphy_read_status fails then further access to the PHY may result
+in unpredictable behavior. To prevent this bail out immediately if
+genphy_read_status fails.
+
+Fixes: 4223dbffed9f ("net: phy: smsc: Re-enable EDPD mode for LAN87xx")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/026aa4f2-36f5-1c10-ab9f-cdb17dda6ac4@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/smsc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c
+index 04e628788f1b5..36dcf6c7f445d 100644
+--- a/drivers/net/phy/smsc.c
++++ b/drivers/net/phy/smsc.c
+@@ -206,8 +206,11 @@ static int lan95xx_config_aneg_ext(struct phy_device *phydev)
+ static int lan87xx_read_status(struct phy_device *phydev)
+ {
+ struct smsc_phy_priv *priv = phydev->priv;
++ int err;
+
+- int err = genphy_read_status(phydev);
++ err = genphy_read_status(phydev);
++ if (err)
++ return err;
+
+ if (!phydev->link && priv->energy_enable && phydev->irq == PHY_POLL) {
+ /* Disable EDPD to wake up PHY */
+--
+2.39.2
+
--- /dev/null
+From 302552c7cceb5c40da15c2b73237e947ae5d061b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 11:08:28 +0100
+Subject: net/smc: fix deadlock triggered by cancel_delayed_work_syn()
+
+From: Wenjia Zhang <wenjia@linux.ibm.com>
+
+[ Upstream commit 13085e1b5cab8ad802904d72e6a6dae85ae0cd20 ]
+
+The following LOCKDEP was detected:
+ Workqueue: events smc_lgr_free_work [smc]
+ WARNING: possible circular locking dependency detected
+ 6.1.0-20221027.rc2.git8.56bc5b569087.300.fc36.s390x+debug #1 Not tainted
+ ------------------------------------------------------
+ kworker/3:0/176251 is trying to acquire lock:
+ 00000000f1467148 ((wq_completion)smc_tx_wq-00000000#2){+.+.}-{0:0},
+ at: __flush_workqueue+0x7a/0x4f0
+ but task is already holding lock:
+ 0000037fffe97dc8 ((work_completion)(&(&lgr->free_work)->work)){+.+.}-{0:0},
+ at: process_one_work+0x232/0x730
+ which lock already depends on the new lock.
+ the existing dependency chain (in reverse order) is:
+ -> #4 ((work_completion)(&(&lgr->free_work)->work)){+.+.}-{0:0}:
+ __lock_acquire+0x58e/0xbd8
+ lock_acquire.part.0+0xe2/0x248
+ lock_acquire+0xac/0x1c8
+ __flush_work+0x76/0xf0
+ __cancel_work_timer+0x170/0x220
+ __smc_lgr_terminate.part.0+0x34/0x1c0 [smc]
+ smc_connect_rdma+0x15e/0x418 [smc]
+ __smc_connect+0x234/0x480 [smc]
+ smc_connect+0x1d6/0x230 [smc]
+ __sys_connect+0x90/0xc0
+ __do_sys_socketcall+0x186/0x370
+ __do_syscall+0x1da/0x208
+ system_call+0x82/0xb0
+ -> #3 (smc_client_lgr_pending){+.+.}-{3:3}:
+ __lock_acquire+0x58e/0xbd8
+ lock_acquire.part.0+0xe2/0x248
+ lock_acquire+0xac/0x1c8
+ __mutex_lock+0x96/0x8e8
+ mutex_lock_nested+0x32/0x40
+ smc_connect_rdma+0xa4/0x418 [smc]
+ __smc_connect+0x234/0x480 [smc]
+ smc_connect+0x1d6/0x230 [smc]
+ __sys_connect+0x90/0xc0
+ __do_sys_socketcall+0x186/0x370
+ __do_syscall+0x1da/0x208
+ system_call+0x82/0xb0
+ -> #2 (sk_lock-AF_SMC){+.+.}-{0:0}:
+ __lock_acquire+0x58e/0xbd8
+ lock_acquire.part.0+0xe2/0x248
+ lock_acquire+0xac/0x1c8
+ lock_sock_nested+0x46/0xa8
+ smc_tx_work+0x34/0x50 [smc]
+ process_one_work+0x30c/0x730
+ worker_thread+0x62/0x420
+ kthread+0x138/0x150
+ __ret_from_fork+0x3c/0x58
+ ret_from_fork+0xa/0x40
+ -> #1 ((work_completion)(&(&smc->conn.tx_work)->work)){+.+.}-{0:0}:
+ __lock_acquire+0x58e/0xbd8
+ lock_acquire.part.0+0xe2/0x248
+ lock_acquire+0xac/0x1c8
+ process_one_work+0x2bc/0x730
+ worker_thread+0x62/0x420
+ kthread+0x138/0x150
+ __ret_from_fork+0x3c/0x58
+ ret_from_fork+0xa/0x40
+ -> #0 ((wq_completion)smc_tx_wq-00000000#2){+.+.}-{0:0}:
+ check_prev_add+0xd8/0xe88
+ validate_chain+0x70c/0xb20
+ __lock_acquire+0x58e/0xbd8
+ lock_acquire.part.0+0xe2/0x248
+ lock_acquire+0xac/0x1c8
+ __flush_workqueue+0xaa/0x4f0
+ drain_workqueue+0xaa/0x158
+ destroy_workqueue+0x44/0x2d8
+ smc_lgr_free+0x9e/0xf8 [smc]
+ process_one_work+0x30c/0x730
+ worker_thread+0x62/0x420
+ kthread+0x138/0x150
+ __ret_from_fork+0x3c/0x58
+ ret_from_fork+0xa/0x40
+ other info that might help us debug this:
+ Chain exists of:
+ (wq_completion)smc_tx_wq-00000000#2
+ --> smc_client_lgr_pending
+ --> (work_completion)(&(&lgr->free_work)->work)
+ Possible unsafe locking scenario:
+ CPU0 CPU1
+ ---- ----
+ lock((work_completion)(&(&lgr->free_work)->work));
+ lock(smc_client_lgr_pending);
+ lock((work_completion)
+ (&(&lgr->free_work)->work));
+ lock((wq_completion)smc_tx_wq-00000000#2);
+ *** DEADLOCK ***
+ 2 locks held by kworker/3:0/176251:
+ #0: 0000000080183548
+ ((wq_completion)events){+.+.}-{0:0},
+ at: process_one_work+0x232/0x730
+ #1: 0000037fffe97dc8
+ ((work_completion)
+ (&(&lgr->free_work)->work)){+.+.}-{0:0},
+ at: process_one_work+0x232/0x730
+ stack backtrace:
+ CPU: 3 PID: 176251 Comm: kworker/3:0 Not tainted
+ Hardware name: IBM 8561 T01 701 (z/VM 7.2.0)
+ Call Trace:
+ [<000000002983c3e4>] dump_stack_lvl+0xac/0x100
+ [<0000000028b477ae>] check_noncircular+0x13e/0x160
+ [<0000000028b48808>] check_prev_add+0xd8/0xe88
+ [<0000000028b49cc4>] validate_chain+0x70c/0xb20
+ [<0000000028b4bd26>] __lock_acquire+0x58e/0xbd8
+ [<0000000028b4cf6a>] lock_acquire.part.0+0xe2/0x248
+ [<0000000028b4d17c>] lock_acquire+0xac/0x1c8
+ [<0000000028addaaa>] __flush_workqueue+0xaa/0x4f0
+ [<0000000028addf9a>] drain_workqueue+0xaa/0x158
+ [<0000000028ae303c>] destroy_workqueue+0x44/0x2d8
+ [<000003ff8029af26>] smc_lgr_free+0x9e/0xf8 [smc]
+ [<0000000028adf3d4>] process_one_work+0x30c/0x730
+ [<0000000028adf85a>] worker_thread+0x62/0x420
+ [<0000000028aeac50>] kthread+0x138/0x150
+ [<0000000028a63914>] __ret_from_fork+0x3c/0x58
+ [<00000000298503da>] ret_from_fork+0xa/0x40
+ INFO: lockdep is turned off.
+===================================================================
+
+This deadlock occurs because cancel_delayed_work_sync() waits for
+the work(&lgr->free_work) to finish, while the &lgr->free_work
+waits for the work(lgr->tx_wq), which needs the sk_lock-AF_SMC, that
+is already used under the mutex_lock.
+
+The solution is to use cancel_delayed_work() instead, which kills
+off a pending work.
+
+Fixes: a52bcc919b14 ("net/smc: improve termination processing")
+Signed-off-by: Wenjia Zhang <wenjia@linux.ibm.com>
+Reviewed-by: Jan Karcher <jaka@linux.ibm.com>
+Reviewed-by: Karsten Graul <kgraul@linux.ibm.com>
+Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
+index 2eafefa15a1ae..f08fcc50fad3c 100644
+--- a/net/smc/smc_core.c
++++ b/net/smc/smc_core.c
+@@ -1297,7 +1297,7 @@ static void __smc_lgr_terminate(struct smc_link_group *lgr, bool soft)
+ if (lgr->terminating)
+ return; /* lgr already terminating */
+ /* cancel free_work sync, will terminate when lgr->freeing is set */
+- cancel_delayed_work_sync(&lgr->free_work);
++ cancel_delayed_work(&lgr->free_work);
+ lgr->terminating = 1;
+
+ /* kill remaining link group connections */
+--
+2.39.2
+
--- /dev/null
+From c9107c3b0c19fe346f954558b96818295a64f466 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 16:17:12 +0800
+Subject: net/smc: fix NULL sndbuf_desc in smc_cdc_tx_handler()
+
+From: D. Wythe <alibuda@linux.alibaba.com>
+
+[ Upstream commit 22a825c541d775c1dbe7b2402786025acad6727b ]
+
+When performing a stress test on SMC-R by rmmod mlx5_ib driver
+during the wrk/nginx test, we found that there is a probability
+of triggering a panic while terminating all link groups.
+
+This issue dues to the race between smc_smcr_terminate_all()
+and smc_buf_create().
+
+ smc_smcr_terminate_all
+
+smc_buf_create
+/* init */
+conn->sndbuf_desc = NULL;
+...
+
+ __smc_lgr_terminate
+ smc_conn_kill
+ smc_close_abort
+ smc_cdc_get_slot_and_msg_send
+
+ __softirqentry_text_start
+ smc_wr_tx_process_cqe
+ smc_cdc_tx_handler
+ READ(conn->sndbuf_desc->len);
+ /* panic dues to NULL sndbuf_desc */
+
+conn->sndbuf_desc = xxx;
+
+This patch tries to fix the issue by always to check the sndbuf_desc
+before send any cdc msg, to make sure that no null pointer is
+seen during cqe processing.
+
+Fixes: 0b29ec643613 ("net/smc: immediate termination for SMCR link groups")
+Signed-off-by: D. Wythe <alibuda@linux.alibaba.com>
+Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
+Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
+Link: https://lore.kernel.org/r/1678263432-17329-1-git-send-email-alibuda@linux.alibaba.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_cdc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/smc/smc_cdc.c b/net/smc/smc_cdc.c
+index 5d180d24cbf1c..41b23f71c29a2 100644
+--- a/net/smc/smc_cdc.c
++++ b/net/smc/smc_cdc.c
+@@ -104,6 +104,9 @@ int smc_cdc_msg_send(struct smc_connection *conn,
+ union smc_host_cursor cfed;
+ int rc;
+
++ if (unlikely(!READ_ONCE(conn->sndbuf_desc)))
++ return -ENOBUFS;
++
+ smc_cdc_add_pending_send(conn, pend);
+
+ conn->tx_cdc_seq++;
+--
+2.39.2
+
--- /dev/null
+From 49f1a26862cac23505f10d699a7561f170fa56da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Mar 2023 19:11:09 +0000
+Subject: net: tunnels: annotate lockless accesses to dev->needed_headroom
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4b397c06cb987935b1b097336532aa6b4210e091 ]
+
+IP tunnels can apparently update dev->needed_headroom
+in their xmit path.
+
+This patch takes care of three tunnels xmit, and also the
+core LL_RESERVED_SPACE() and LL_RESERVED_SPACE_EXTRA()
+helpers.
+
+More changes might be needed for completeness.
+
+BUG: KCSAN: data-race in ip_tunnel_xmit / ip_tunnel_xmit
+
+read to 0xffff88815b9da0ec of 2 bytes by task 888 on cpu 1:
+ip_tunnel_xmit+0x1270/0x1730 net/ipv4/ip_tunnel.c:803
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
+__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
+netdev_start_xmit include/linux/netdevice.h:4895 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3051 [inline]
+neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
+neigh_output include/net/neighbour.h:546 [inline]
+ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316
+NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430
+dst_output include/net/dst.h:444 [inline]
+ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126
+iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82
+ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
+__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
+netdev_start_xmit include/linux/netdevice.h:4895 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3051 [inline]
+neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
+neigh_output include/net/neighbour.h:546 [inline]
+ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316
+NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430
+dst_output include/net/dst.h:444 [inline]
+ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126
+iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82
+ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
+__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
+netdev_start_xmit include/linux/netdevice.h:4895 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3051 [inline]
+neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
+neigh_output include/net/neighbour.h:546 [inline]
+ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316
+NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430
+dst_output include/net/dst.h:444 [inline]
+ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126
+iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82
+ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
+__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
+netdev_start_xmit include/linux/netdevice.h:4895 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3051 [inline]
+neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
+neigh_output include/net/neighbour.h:546 [inline]
+ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316
+NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430
+dst_output include/net/dst.h:444 [inline]
+ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126
+iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82
+ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
+__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
+netdev_start_xmit include/linux/netdevice.h:4895 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3051 [inline]
+neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
+neigh_output include/net/neighbour.h:546 [inline]
+ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316
+NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430
+dst_output include/net/dst.h:444 [inline]
+ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126
+iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82
+ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
+__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
+netdev_start_xmit include/linux/netdevice.h:4895 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3051 [inline]
+neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
+neigh_output include/net/neighbour.h:546 [inline]
+ip_finish_output2+0x740/0x840 net/ipv4/ip_output.c:228
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:316
+NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:430
+dst_output include/net/dst.h:444 [inline]
+ip_local_out+0x64/0x80 net/ipv4/ip_output.c:126
+iptunnel_xmit+0x34a/0x4b0 net/ipv4/ip_tunnel_core.c:82
+ip_tunnel_xmit+0x1451/0x1730 net/ipv4/ip_tunnel.c:813
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
+__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
+netdev_start_xmit include/linux/netdevice.h:4895 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
+
+write to 0xffff88815b9da0ec of 2 bytes by task 2379 on cpu 0:
+ip_tunnel_xmit+0x1294/0x1730 net/ipv4/ip_tunnel.c:804
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:661
+__netdev_start_xmit include/linux/netdevice.h:4881 [inline]
+netdev_start_xmit include/linux/netdevice.h:4895 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x127/0x400 net/core/dev.c:3596
+__dev_queue_xmit+0x1007/0x1eb0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3051 [inline]
+neigh_direct_output+0x17/0x20 net/core/neighbour.c:1623
+neigh_output include/net/neighbour.h:546 [inline]
+ip6_finish_output2+0x9bc/0xc50 net/ipv6/ip6_output.c:134
+__ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
+ip6_finish_output+0x39a/0x4e0 net/ipv6/ip6_output.c:206
+NF_HOOK_COND include/linux/netfilter.h:291 [inline]
+ip6_output+0xeb/0x220 net/ipv6/ip6_output.c:227
+dst_output include/net/dst.h:444 [inline]
+NF_HOOK include/linux/netfilter.h:302 [inline]
+mld_sendpack+0x438/0x6a0 net/ipv6/mcast.c:1820
+mld_send_cr net/ipv6/mcast.c:2121 [inline]
+mld_ifc_work+0x519/0x7b0 net/ipv6/mcast.c:2653
+process_one_work+0x3e6/0x750 kernel/workqueue.c:2390
+worker_thread+0x5f2/0xa10 kernel/workqueue.c:2537
+kthread+0x1ac/0x1e0 kernel/kthread.c:376
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
+
+value changed: 0x0dd4 -> 0x0e14
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 2379 Comm: kworker/0:0 Not tainted 6.3.0-rc1-syzkaller-00002-g8ca09d5fa354-dirty #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
+Workqueue: mld mld_ifc_work
+
+Fixes: 8eb30be0352d ("ipv6: Create ip6_tnl_xmit")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230310191109.2384387-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netdevice.h | 6 ++++--
+ net/ipv4/ip_tunnel.c | 12 ++++++------
+ net/ipv6/ip6_tunnel.c | 4 ++--
+ 3 files changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 3a75d644a1204..5b6c38f748076 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -275,9 +275,11 @@ struct hh_cache {
+ * relationship HH alignment <= LL alignment.
+ */
+ #define LL_RESERVED_SPACE(dev) \
+- ((((dev)->hard_header_len+(dev)->needed_headroom)&~(HH_DATA_MOD - 1)) + HH_DATA_MOD)
++ ((((dev)->hard_header_len + READ_ONCE((dev)->needed_headroom)) \
++ & ~(HH_DATA_MOD - 1)) + HH_DATA_MOD)
+ #define LL_RESERVED_SPACE_EXTRA(dev,extra) \
+- ((((dev)->hard_header_len+(dev)->needed_headroom+(extra))&~(HH_DATA_MOD - 1)) + HH_DATA_MOD)
++ ((((dev)->hard_header_len + READ_ONCE((dev)->needed_headroom) + (extra)) \
++ & ~(HH_DATA_MOD - 1)) + HH_DATA_MOD)
+
+ struct header_ops {
+ int (*create) (struct sk_buff *skb, struct net_device *dev,
+diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
+index fe9101d3d69e0..426dc910aaf87 100644
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -613,10 +613,10 @@ void ip_md_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
+ }
+
+ headroom += LL_RESERVED_SPACE(rt->dst.dev) + rt->dst.header_len;
+- if (headroom > dev->needed_headroom)
+- dev->needed_headroom = headroom;
++ if (headroom > READ_ONCE(dev->needed_headroom))
++ WRITE_ONCE(dev->needed_headroom, headroom);
+
+- if (skb_cow_head(skb, dev->needed_headroom)) {
++ if (skb_cow_head(skb, READ_ONCE(dev->needed_headroom))) {
+ ip_rt_put(rt);
+ goto tx_dropped;
+ }
+@@ -797,10 +797,10 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
+
+ max_headroom = LL_RESERVED_SPACE(rt->dst.dev) + sizeof(struct iphdr)
+ + rt->dst.header_len + ip_encap_hlen(&tunnel->encap);
+- if (max_headroom > dev->needed_headroom)
+- dev->needed_headroom = max_headroom;
++ if (max_headroom > READ_ONCE(dev->needed_headroom))
++ WRITE_ONCE(dev->needed_headroom, max_headroom);
+
+- if (skb_cow_head(skb, dev->needed_headroom)) {
++ if (skb_cow_head(skb, READ_ONCE(dev->needed_headroom))) {
+ ip_rt_put(rt);
+ dev->stats.tx_dropped++;
+ kfree_skb(skb);
+diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
+index ea50779428711..bc5d3188454d0 100644
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1237,8 +1237,8 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
+ */
+ max_headroom = LL_RESERVED_SPACE(dst->dev) + sizeof(struct ipv6hdr)
+ + dst->header_len + t->hlen;
+- if (max_headroom > dev->needed_headroom)
+- dev->needed_headroom = max_headroom;
++ if (max_headroom > READ_ONCE(dev->needed_headroom))
++ WRITE_ONCE(dev->needed_headroom, max_headroom);
+
+ err = ip6_tnl_encap(skb, t, &proto, fl6);
+ if (err)
+--
+2.39.2
+
--- /dev/null
+From 89246e4edc25d7362b4bb5389e75d3dfd416f695 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 23:00:45 +0100
+Subject: net: usb: smsc75xx: Limit packet length to skb->len
+
+From: Szymon Heidrich <szymon.heidrich@gmail.com>
+
+[ Upstream commit d8b228318935044dafe3a5bc07ee71a1f1424b8d ]
+
+Packet length retrieved from skb data may be larger than
+the actual socket buffer length (up to 9026 bytes). In such
+case the cloned skb passed up the network stack will leak
+kernel memory contents.
+
+Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver")
+Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc75xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index 76f7af1613139..705bd31b18787 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -2211,7 +2211,8 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ dev->net->stats.rx_frame_errors++;
+ } else {
+ /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */
+- if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) {
++ if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) ||
++ size > skb->len)) {
+ netif_dbg(dev, rx_err, dev->net,
+ "size err rx_cmd_a=0x%08x\n",
+ rx_cmd_a);
+--
+2.39.2
+
--- /dev/null
+From ed894f4fb0eb6bb4bc8b48ad0e199cccc36a1779 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 12:05:40 +0100
+Subject: net: usb: smsc75xx: Move packet length check to prevent kernel panic
+ in skb_pull
+
+From: Szymon Heidrich <szymon.heidrich@gmail.com>
+
+[ Upstream commit 43ffe6caccc7a1bb9d7442fbab521efbf6c1378c ]
+
+Packet length check needs to be located after size and align_count
+calculation to prevent kernel panic in skb_pull() in case
+rx_cmd_a & RX_CMD_A_RED evaluates to true.
+
+Fixes: d8b228318935 ("net: usb: smsc75xx: Limit packet length to skb->len")
+Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Link: https://lore.kernel.org/r/20230316110540.77531-1-szymon.heidrich@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc75xx.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index 705bd31b18787..7c3e866514199 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -2199,6 +2199,13 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ size = (rx_cmd_a & RX_CMD_A_LEN) - RXW_PADDING;
+ align_count = (4 - ((size + RXW_PADDING) % 4)) % 4;
+
++ if (unlikely(size > skb->len)) {
++ netif_dbg(dev, rx_err, dev->net,
++ "size err rx_cmd_a=0x%08x\n",
++ rx_cmd_a);
++ return 0;
++ }
++
+ if (unlikely(rx_cmd_a & RX_CMD_A_RED)) {
+ netif_dbg(dev, rx_err, dev->net,
+ "Error rx_cmd_a=0x%08x\n", rx_cmd_a);
+@@ -2211,8 +2218,7 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ dev->net->stats.rx_frame_errors++;
+ } else {
+ /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */
+- if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) ||
+- size > skb->len)) {
++ if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) {
+ netif_dbg(dev, rx_err, dev->net,
+ "size err rx_cmd_a=0x%08x\n",
+ rx_cmd_a);
+--
+2.39.2
+
--- /dev/null
+From 3ffb3eb0186ac6d2b3e70f1198a0e94eeaecb12d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 23:22:57 +0000
+Subject: netfilter: nft_masq: correct length for loading protocol registers
+
+From: Jeremy Sowden <jeremy@azazel.net>
+
+[ Upstream commit ec2c5917eb858428b2083d1c74f445aabbe8316b ]
+
+The values in the protocol registers are two bytes wide. However, when
+parsing the register loads, the code currently uses the larger 16-byte
+size of a `union nf_inet_addr`. Change it to use the (correct) size of
+a `union nf_conntrack_man_proto` instead.
+
+Fixes: 8a6bf5da1aef ("netfilter: nft_masq: support port range")
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_masq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
+index 9953e80537536..1818dbf089cad 100644
+--- a/net/netfilter/nft_masq.c
++++ b/net/netfilter/nft_masq.c
+@@ -43,7 +43,7 @@ static int nft_masq_init(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ const struct nlattr * const tb[])
+ {
+- u32 plen = sizeof_field(struct nf_nat_range, min_addr.all);
++ u32 plen = sizeof_field(struct nf_nat_range, min_proto.all);
+ struct nft_masq *priv = nft_expr_priv(expr);
+ int err;
+
+--
+2.39.2
+
--- /dev/null
+From de0e0ace38b1709e899158563216e071d7458cef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 23:22:56 +0000
+Subject: netfilter: nft_nat: correct length for loading protocol registers
+
+From: Jeremy Sowden <jeremy@azazel.net>
+
+[ Upstream commit 068d82e75d537b444303b8c449a11e51ea659565 ]
+
+The values in the protocol registers are two bytes wide. However, when
+parsing the register loads, the code currently uses the larger 16-byte
+size of a `union nf_inet_addr`. Change it to use the (correct) size of
+a `union nf_conntrack_man_proto` instead.
+
+Fixes: d07db9884a5f ("netfilter: nf_tables: introduce nft_validate_register_load()")
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_nat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
+index db8f9116eeb43..cd4eb4996aff3 100644
+--- a/net/netfilter/nft_nat.c
++++ b/net/netfilter/nft_nat.c
+@@ -226,7 +226,7 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+ priv->flags |= NF_NAT_RANGE_MAP_IPS;
+ }
+
+- plen = sizeof_field(struct nf_nat_range, min_addr.all);
++ plen = sizeof_field(struct nf_nat_range, min_proto.all);
+ if (tb[NFTA_NAT_REG_PROTO_MIN]) {
+ err = nft_parse_register_load(tb[NFTA_NAT_REG_PROTO_MIN],
+ &priv->sreg_proto_min, plen);
+--
+2.39.2
+
--- /dev/null
+From a1d2c5520cea55d492003d519a0e52c9208be35d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 23:22:58 +0000
+Subject: netfilter: nft_redir: correct length for loading protocol registers
+
+From: Jeremy Sowden <jeremy@azazel.net>
+
+[ Upstream commit 1f617b6b4c7a3d5ea7a56abb83a4c27733b60c2f ]
+
+The values in the protocol registers are two bytes wide. However, when
+parsing the register loads, the code currently uses the larger 16-byte
+size of a `union nf_inet_addr`. Change it to use the (correct) size of
+a `union nf_conntrack_man_proto` instead.
+
+Fixes: d07db9884a5f ("netfilter: nf_tables: introduce nft_validate_register_load()")
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_redir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
+index ba09890dddb50..deb7e65c8d82b 100644
+--- a/net/netfilter/nft_redir.c
++++ b/net/netfilter/nft_redir.c
+@@ -48,7 +48,7 @@ static int nft_redir_init(const struct nft_ctx *ctx,
+ unsigned int plen;
+ int err;
+
+- plen = sizeof_field(struct nf_nat_range, min_addr.all);
++ plen = sizeof_field(struct nf_nat_range, min_proto.all);
+ if (tb[NFTA_REDIR_REG_PROTO_MIN]) {
+ err = nft_parse_register_load(tb[NFTA_REDIR_REG_PROTO_MIN],
+ &priv->sreg_proto_min, plen);
+--
+2.39.2
+
--- /dev/null
+From c1aabe988cde5d881f400fd21f8180535151d966 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 23:22:59 +0000
+Subject: netfilter: nft_redir: correct value of inet type `.maxattrs`
+
+From: Jeremy Sowden <jeremy@azazel.net>
+
+[ Upstream commit 493924519b1fe3faab13ee621a43b0d0939abab1 ]
+
+`nft_redir_inet_type.maxattrs` was being set, presumably because of a
+cut-and-paste error, to `NFTA_MASQ_MAX`, instead of `NFTA_REDIR_MAX`.
+
+Fixes: 63ce3940f3ab ("netfilter: nft_redir: add inet support")
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_redir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
+index deb7e65c8d82b..e64f531d66cfc 100644
+--- a/net/netfilter/nft_redir.c
++++ b/net/netfilter/nft_redir.c
+@@ -232,7 +232,7 @@ static struct nft_expr_type nft_redir_inet_type __read_mostly = {
+ .name = "redir",
+ .ops = &nft_redir_inet_ops,
+ .policy = nft_redir_policy,
+- .maxattr = NFTA_MASQ_MAX,
++ .maxattr = NFTA_REDIR_MAX,
+ .owner = THIS_MODULE,
+ };
+
+--
+2.39.2
+
--- /dev/null
+From 6177fa47ae5a51122b43d4a1776f68fa7eba7f7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Mar 2023 19:50:50 +0300
+Subject: nfc: pn533: initialize struct pn533_out_arg properly
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 484b7059796e3bc1cb527caa61dfc60da649b4f6 ]
+
+struct pn533_out_arg used as a temporary context for out_urb is not
+initialized properly. Its uninitialized 'phy' field can be dereferenced in
+error cases inside pn533_out_complete() callback function. It causes the
+following failure:
+
+general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.2.0-rc3-next-20230110-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
+RIP: 0010:pn533_out_complete.cold+0x15/0x44 drivers/nfc/pn533/usb.c:441
+Call Trace:
+ <IRQ>
+ __usb_hcd_giveback_urb+0x2b6/0x5c0 drivers/usb/core/hcd.c:1671
+ usb_hcd_giveback_urb+0x384/0x430 drivers/usb/core/hcd.c:1754
+ dummy_timer+0x1203/0x32d0 drivers/usb/gadget/udc/dummy_hcd.c:1988
+ call_timer_fn+0x1da/0x800 kernel/time/timer.c:1700
+ expire_timers+0x234/0x330 kernel/time/timer.c:1751
+ __run_timers kernel/time/timer.c:2022 [inline]
+ __run_timers kernel/time/timer.c:1995 [inline]
+ run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035
+ __do_softirq+0x1fb/0xaf6 kernel/softirq.c:571
+ invoke_softirq kernel/softirq.c:445 [inline]
+ __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
+ irq_exit_rcu+0x9/0x20 kernel/softirq.c:662
+ sysvec_apic_timer_interrupt+0x97/0xc0 arch/x86/kernel/apic/apic.c:1107
+
+Initialize the field with the pn533_usb_phy currently used.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 9dab880d675b ("nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()")
+Reported-by: syzbot+1e608ba4217c96d1952f@syzkaller.appspotmail.com
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230309165050.207390-1-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/pn533/usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nfc/pn533/usb.c b/drivers/nfc/pn533/usb.c
+index 62ad26e4299d1..47d423cc26081 100644
+--- a/drivers/nfc/pn533/usb.c
++++ b/drivers/nfc/pn533/usb.c
+@@ -175,6 +175,7 @@ static int pn533_usb_send_frame(struct pn533 *dev,
+ print_hex_dump_debug("PN533 TX: ", DUMP_PREFIX_NONE, 16, 1,
+ out->data, out->len, false);
+
++ arg.phy = phy;
+ init_completion(&arg.done);
+ cntx = phy->out_urb->context;
+ phy->out_urb->context = &arg;
+--
+2.39.2
+
--- /dev/null
+From e8bc14d29826d4436853cf9782035202887e68bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 00:08:37 +0800
+Subject: nfc: st-nci: Fix use after free bug in ndlc_remove due to race
+ condition
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit 5000fe6c27827a61d8250a7e4a1d26c3298ef4f6 ]
+
+This bug influences both st_nci_i2c_remove and st_nci_spi_remove.
+Take st_nci_i2c_remove as an example.
+
+In st_nci_i2c_probe, it called ndlc_probe and bound &ndlc->sm_work
+with llt_ndlc_sm_work.
+
+When it calls ndlc_recv or timeout handler, it will finally call
+schedule_work to start the work.
+
+When we call st_nci_i2c_remove to remove the driver, there
+may be a sequence as follows:
+
+Fix it by finishing the work before cleanup in ndlc_remove
+
+CPU0 CPU1
+
+ |llt_ndlc_sm_work
+st_nci_i2c_remove |
+ ndlc_remove |
+ st_nci_remove |
+ nci_free_device|
+ kfree(ndev) |
+//free ndlc->ndev |
+ |llt_ndlc_rcv_queue
+ |nci_recv_frame
+ |//use ndlc->ndev
+
+Fixes: 35630df68d60 ("NFC: st21nfcb: Add driver for STMicroelectronics ST21NFCB NFC chip")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20230312160837.2040857-1-zyytlz.wz@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/st-nci/ndlc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nfc/st-nci/ndlc.c b/drivers/nfc/st-nci/ndlc.c
+index e9dc313b333e2..3564e3335a988 100644
+--- a/drivers/nfc/st-nci/ndlc.c
++++ b/drivers/nfc/st-nci/ndlc.c
+@@ -286,13 +286,15 @@ EXPORT_SYMBOL(ndlc_probe);
+
+ void ndlc_remove(struct llt_ndlc *ndlc)
+ {
+- st_nci_remove(ndlc->ndev);
+-
+ /* cancel timers */
+ del_timer_sync(&ndlc->t1_timer);
+ del_timer_sync(&ndlc->t2_timer);
+ ndlc->t2_active = false;
+ ndlc->t1_active = false;
++ /* cancel work */
++ cancel_work_sync(&ndlc->sm_work);
++
++ st_nci_remove(ndlc->ndev);
+
+ skb_queue_purge(&ndlc->rcv_q);
+ skb_queue_purge(&ndlc->send_q);
+--
+2.39.2
+
--- /dev/null
+From fa961558b66be9d64fa53df3d52e06e8de04fce8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Mar 2023 07:13:45 +0800
+Subject: nvme: fix handling single range discard request
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 37f0dc2ec78af0c3f35dd05578763de059f6fe77 ]
+
+When investigating one customer report on warning in nvme_setup_discard,
+we observed the controller(nvme/tcp) actually exposes
+queue_max_discard_segments(req->q) == 1.
+
+Obviously the current code can't handle this situation, since contiguity
+merge like normal RW request is taken.
+
+Fix the issue by building range from request sector/nr_sectors directly.
+
+Fixes: b35ba01ea697 ("nvme: support ranged discard requests")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 28 +++++++++++++++++++---------
+ 1 file changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 06750f3d52745..ef9d7a795b007 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -853,16 +853,26 @@ static blk_status_t nvme_setup_discard(struct nvme_ns *ns, struct request *req,
+ range = page_address(ns->ctrl->discard_page);
+ }
+
+- __rq_for_each_bio(bio, req) {
+- u64 slba = nvme_sect_to_lba(ns, bio->bi_iter.bi_sector);
+- u32 nlb = bio->bi_iter.bi_size >> ns->lba_shift;
+-
+- if (n < segments) {
+- range[n].cattr = cpu_to_le32(0);
+- range[n].nlb = cpu_to_le32(nlb);
+- range[n].slba = cpu_to_le64(slba);
++ if (queue_max_discard_segments(req->q) == 1) {
++ u64 slba = nvme_sect_to_lba(ns, blk_rq_pos(req));
++ u32 nlb = blk_rq_sectors(req) >> (ns->lba_shift - 9);
++
++ range[0].cattr = cpu_to_le32(0);
++ range[0].nlb = cpu_to_le32(nlb);
++ range[0].slba = cpu_to_le64(slba);
++ n = 1;
++ } else {
++ __rq_for_each_bio(bio, req) {
++ u64 slba = nvme_sect_to_lba(ns, bio->bi_iter.bi_sector);
++ u32 nlb = bio->bi_iter.bi_size >> ns->lba_shift;
++
++ if (n < segments) {
++ range[n].cattr = cpu_to_le32(0);
++ range[n].nlb = cpu_to_le32(nlb);
++ range[n].slba = cpu_to_le64(slba);
++ }
++ n++;
+ }
+- n++;
+ }
+
+ if (WARN_ON_ONCE(n != segments)) {
+--
+2.39.2
+
--- /dev/null
+From e5a7c801771882d6bf407cfe732688b9299f3099 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 10:13:13 +0900
+Subject: nvmet: avoid potential UAF in nvmet_req_complete()
+
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+
+[ Upstream commit 6173a77b7e9d3e202bdb9897b23f2a8afe7bf286 ]
+
+An nvme target ->queue_response() operation implementation may free the
+request passed as argument. Such implementation potentially could result
+in a use after free of the request pointer when percpu_ref_put() is
+called in nvmet_req_complete().
+
+Avoid such problem by using a local variable to save the sq pointer
+before calling __nvmet_req_complete(), thus avoiding dereferencing the
+req pointer after that function call.
+
+Fixes: a07b4970f464 ("nvmet: add a generic NVMe target")
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
+index cfd0385511564..4c6d56dd29adc 100644
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -756,8 +756,10 @@ static void __nvmet_req_complete(struct nvmet_req *req, u16 status)
+
+ void nvmet_req_complete(struct nvmet_req *req, u16 status)
+ {
++ struct nvmet_sq *sq = req->sq;
++
+ __nvmet_req_complete(req, status);
+- percpu_ref_put(&req->sq->ref);
++ percpu_ref_put(&sq->ref);
+ }
+ EXPORT_SYMBOL_GPL(nvmet_req_complete);
+
+--
+2.39.2
+
--- /dev/null
+From bfddf28ab03d2c30943f2e6acf3f45f9bc83e677 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 16:10:11 +0100
+Subject: PCI: s390: Fix use-after-free of PCI resources with per-function
+ hotplug
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+[ Upstream commit ab909509850b27fd39b8ba99e44cda39dbc3858c ]
+
+On s390 PCI functions may be hotplugged individually even when they
+belong to a multi-function device. In particular on an SR-IOV device VFs
+may be removed and later re-added.
+
+In commit a50297cf8235 ("s390/pci: separate zbus creation from
+scanning") it was missed however that struct pci_bus and struct
+zpci_bus's resource list retained a reference to the PCI functions MMIO
+resources even though those resources are released and freed on
+hot-unplug. These stale resources may subsequently be claimed when the
+PCI function re-appears resulting in use-after-free.
+
+One idea of fixing this use-after-free in s390 specific code that was
+investigated was to simply keep resources around from the moment a PCI
+function first appeared until the whole virtual PCI bus created for
+a multi-function device disappears. The problem with this however is
+that due to the requirement of artificial MMIO addreesses (address
+cookies) extra logic is then needed to keep the address cookies
+compatible on re-plug. At the same time the MMIO resources semantically
+belong to the PCI function so tying their lifecycle to the function
+seems more logical.
+
+Instead a simpler approach is to remove the resources of an individually
+hot-unplugged PCI function from the PCI bus's resource list while
+keeping the resources of other PCI functions on the PCI bus untouched.
+
+This is done by introducing pci_bus_remove_resource() to remove an
+individual resource. Similarly the resource also needs to be removed
+from the struct zpci_bus's resource list. It turns out however, that
+there is really no need to add the MMIO resources to the struct
+zpci_bus's resource list at all and instead we can simply use the
+zpci_bar_struct's resource pointer directly.
+
+Fixes: a50297cf8235 ("s390/pci: separate zbus creation from scanning")
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Link: https://lore.kernel.org/r/20230306151014.60913-2-schnelle@linux.ibm.com
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/pci/pci.c | 16 ++++++++++------
+ arch/s390/pci/pci_bus.c | 12 +++++-------
+ arch/s390/pci/pci_bus.h | 3 +--
+ drivers/pci/bus.c | 21 +++++++++++++++++++++
+ include/linux/pci.h | 1 +
+ 5 files changed, 38 insertions(+), 15 deletions(-)
+
+diff --git a/arch/s390/pci/pci.c b/arch/s390/pci/pci.c
+index 639924d983315..56c4cecdbbf9e 100644
+--- a/arch/s390/pci/pci.c
++++ b/arch/s390/pci/pci.c
+@@ -503,8 +503,7 @@ static struct resource *__alloc_res(struct zpci_dev *zdev, unsigned long start,
+ return r;
+ }
+
+-int zpci_setup_bus_resources(struct zpci_dev *zdev,
+- struct list_head *resources)
++int zpci_setup_bus_resources(struct zpci_dev *zdev)
+ {
+ unsigned long addr, size, flags;
+ struct resource *res;
+@@ -540,7 +539,6 @@ int zpci_setup_bus_resources(struct zpci_dev *zdev,
+ return -ENOMEM;
+ }
+ zdev->bars[i].res = res;
+- pci_add_resource(resources, res);
+ }
+ zdev->has_resources = 1;
+
+@@ -549,17 +547,23 @@ int zpci_setup_bus_resources(struct zpci_dev *zdev,
+
+ static void zpci_cleanup_bus_resources(struct zpci_dev *zdev)
+ {
++ struct resource *res;
+ int i;
+
++ pci_lock_rescan_remove();
+ for (i = 0; i < PCI_STD_NUM_BARS; i++) {
+- if (!zdev->bars[i].size || !zdev->bars[i].res)
++ res = zdev->bars[i].res;
++ if (!res)
+ continue;
+
++ release_resource(res);
++ pci_bus_remove_resource(zdev->zbus->bus, res);
+ zpci_free_iomap(zdev, zdev->bars[i].map_idx);
+- release_resource(zdev->bars[i].res);
+- kfree(zdev->bars[i].res);
++ zdev->bars[i].res = NULL;
++ kfree(res);
+ }
+ zdev->has_resources = 0;
++ pci_unlock_rescan_remove();
+ }
+
+ int pcibios_add_device(struct pci_dev *pdev)
+diff --git a/arch/s390/pci/pci_bus.c b/arch/s390/pci/pci_bus.c
+index 5d77acbd1c872..cc7e5b22ccfb3 100644
+--- a/arch/s390/pci/pci_bus.c
++++ b/arch/s390/pci/pci_bus.c
+@@ -41,9 +41,7 @@ static int zpci_nb_devices;
+ */
+ static int zpci_bus_prepare_device(struct zpci_dev *zdev)
+ {
+- struct resource_entry *window, *n;
+- struct resource *res;
+- int rc;
++ int rc, i;
+
+ if (!zdev_enabled(zdev)) {
+ rc = zpci_enable_device(zdev);
+@@ -57,10 +55,10 @@ static int zpci_bus_prepare_device(struct zpci_dev *zdev)
+ }
+
+ if (!zdev->has_resources) {
+- zpci_setup_bus_resources(zdev, &zdev->zbus->resources);
+- resource_list_for_each_entry_safe(window, n, &zdev->zbus->resources) {
+- res = window->res;
+- pci_bus_add_resource(zdev->zbus->bus, res, 0);
++ zpci_setup_bus_resources(zdev);
++ for (i = 0; i < PCI_STD_NUM_BARS; i++) {
++ if (zdev->bars[i].res)
++ pci_bus_add_resource(zdev->zbus->bus, zdev->bars[i].res, 0);
+ }
+ }
+
+diff --git a/arch/s390/pci/pci_bus.h b/arch/s390/pci/pci_bus.h
+index ecef3a9e16c00..c5aa9a2e5e3e5 100644
+--- a/arch/s390/pci/pci_bus.h
++++ b/arch/s390/pci/pci_bus.h
+@@ -30,8 +30,7 @@ static inline void zpci_zdev_get(struct zpci_dev *zdev)
+
+ int zpci_alloc_domain(int domain);
+ void zpci_free_domain(int domain);
+-int zpci_setup_bus_resources(struct zpci_dev *zdev,
+- struct list_head *resources);
++int zpci_setup_bus_resources(struct zpci_dev *zdev);
+
+ static inline struct zpci_dev *get_zdev_by_bus(struct pci_bus *bus,
+ unsigned int devfn)
+diff --git a/drivers/pci/bus.c b/drivers/pci/bus.c
+index 3cef835b375fd..feafa378bf8ea 100644
+--- a/drivers/pci/bus.c
++++ b/drivers/pci/bus.c
+@@ -76,6 +76,27 @@ struct resource *pci_bus_resource_n(const struct pci_bus *bus, int n)
+ }
+ EXPORT_SYMBOL_GPL(pci_bus_resource_n);
+
++void pci_bus_remove_resource(struct pci_bus *bus, struct resource *res)
++{
++ struct pci_bus_resource *bus_res, *tmp;
++ int i;
++
++ for (i = 0; i < PCI_BRIDGE_RESOURCE_NUM; i++) {
++ if (bus->resource[i] == res) {
++ bus->resource[i] = NULL;
++ return;
++ }
++ }
++
++ list_for_each_entry_safe(bus_res, tmp, &bus->resources, list) {
++ if (bus_res->res == res) {
++ list_del(&bus_res->list);
++ kfree(bus_res);
++ return;
++ }
++ }
++}
++
+ void pci_bus_remove_resources(struct pci_bus *bus)
+ {
+ int i;
+diff --git a/include/linux/pci.h b/include/linux/pci.h
+index 34dd24c991804..7e471432a998c 100644
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -1390,6 +1390,7 @@ void pci_bus_add_resource(struct pci_bus *bus, struct resource *res,
+ unsigned int flags);
+ struct resource *pci_bus_resource_n(const struct pci_bus *bus, int n);
+ void pci_bus_remove_resources(struct pci_bus *bus);
++void pci_bus_remove_resource(struct pci_bus *bus, struct resource *res);
+ int devm_request_pci_bus_resources(struct device *dev,
+ struct list_head *resources);
+
+--
+2.39.2
+
--- /dev/null
+From 995ef4c5f49b3f9d8aaf1b698abfdc5881b81ec7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Mar 2023 23:15:56 +0300
+Subject: qed/qed_dev: guard against a possible division by zero
+
+From: Daniil Tatianin <d-tatianin@yandex-team.ru>
+
+[ Upstream commit 1a9dc5610ef89d807acdcfbff93a558f341a44da ]
+
+Previously we would divide total_left_rate by zero if num_vports
+happened to be 1 because non_requested_count is calculated as
+num_vports - req_count. Guard against this by validating num_vports at
+the beginning and returning an error otherwise.
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE
+static analysis tool.
+
+Fixes: bcd197c81f63 ("qed: Add vport WFQ configuration APIs")
+Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230309201556.191392-1-d-tatianin@yandex-team.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_dev.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+index 0410c3604abdb..ba445724ee65e 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -5022,6 +5022,11 @@ static int qed_init_wfq_param(struct qed_hwfn *p_hwfn,
+
+ num_vports = p_hwfn->qm_info.num_vports;
+
++ if (num_vports < 2) {
++ DP_NOTICE(p_hwfn, "Unexpected num_vports: %d\n", num_vports);
++ return -EINVAL;
++ }
++
+ /* Accounting for the vports which are configured for WFQ explicitly */
+ for (i = 0; i < num_vports; i++) {
+ u32 tmp_speed;
+--
+2.39.2
+
--- /dev/null
+From cd123de902fcc2c5f4d4b15ccaba8761f521090c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 22:46:18 +0300
+Subject: qed/qed_mng_tlv: correctly zero out ->min instead of ->hour
+
+From: Daniil Tatianin <d-tatianin@yandex-team.ru>
+
+[ Upstream commit 470efd68a4653d9819d391489886432cd31bcd0b ]
+
+This fixes an issue where ->hour would erroneously get zeroed out
+instead of ->min because of a bad copy paste.
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE
+static analysis tool.
+
+Fixes: f240b6882211 ("qed: Add support for processing fcoe tlv request.")
+Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
+Link: https://lore.kernel.org/r/20230315194618.579286-1-d-tatianin@yandex-team.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c b/drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c
+index 6190adf965bca..f55eed092f25d 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_mng_tlv.c
+@@ -422,7 +422,7 @@ qed_mfw_get_tlv_time_value(struct qed_mfw_tlv_time *p_time,
+ if (p_time->hour > 23)
+ p_time->hour = 0;
+ if (p_time->min > 59)
+- p_time->hour = 0;
++ p_time->min = 0;
+ if (p_time->msec > 999)
+ p_time->msec = 0;
+ if (p_time->usec > 999)
+--
+2.39.2
+
--- /dev/null
+From af357035893cf088f95e0560d80123802ad58b58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 08:41:14 +0100
+Subject: ravb: avoid PHY being resumed when interface is not up
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 7f5ebf5dae42e710162f1c481ebcf28ab7b741c7 ]
+
+RAVB doesn't need mdiobus suspend/resume, that's why it sets
+'mac_managed_pm'. However, setting it needs to be moved from init to
+probe, so mdiobus PM functions will really never be called (e.g. when
+the interface is not up yet during suspend/resume).
+
+Fixes: 4924c0cdce75 ("net: ravb: Fix PHY state warning splat during system resume")
+Suggested-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index c6fe1cda7b889..12548eeef4f8a 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -1115,8 +1115,6 @@ static int ravb_phy_init(struct net_device *ndev)
+ phy_remove_link_mode(phydev, ETHTOOL_LINK_MODE_1000baseT_Half_BIT);
+ phy_remove_link_mode(phydev, ETHTOOL_LINK_MODE_100baseT_Half_BIT);
+
+- /* Indicate that the MAC is responsible for managing PHY PM */
+- phydev->mac_managed_pm = true;
+ phy_attached_info(phydev);
+
+ return 0;
+@@ -1961,6 +1959,8 @@ static int ravb_mdio_init(struct ravb_private *priv)
+ {
+ struct platform_device *pdev = priv->pdev;
+ struct device *dev = &pdev->dev;
++ struct phy_device *phydev;
++ struct device_node *pn;
+ int error;
+
+ /* Bitbang init */
+@@ -1982,6 +1982,14 @@ static int ravb_mdio_init(struct ravb_private *priv)
+ if (error)
+ goto out_free_bus;
+
++ pn = of_parse_phandle(dev->of_node, "phy-handle", 0);
++ phydev = of_phy_find_device(pn);
++ if (phydev) {
++ phydev->mac_managed_pm = true;
++ put_device(&phydev->mdio.dev);
++ }
++ of_node_put(pn);
++
+ return 0;
+
+ out_free_bus:
+--
+2.39.2
+
--- /dev/null
+From 707fe20fe0ab2d5f3e5a0e003aaad4fb6b092cb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 13:44:28 -0800
+Subject: scsi: core: Fix a procfs host directory removal regression
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit be03df3d4bfe7e8866d4aa43d62e648ffe884f5f ]
+
+scsi_proc_hostdir_rm() decreases a reference counter and hence must only be
+called once per host that is removed. This change does not require a
+scsi_add_host_with_dma() change since scsi_add_host_with_dma() will return
+0 (success) if scsi_proc_host_add() is called.
+
+Fixes: fc663711b944 ("scsi: core: Remove the /proc/scsi/${proc_name} directory earlier")
+Cc: John Garry <john.g.garry@oracle.com>
+Reported-by: John Garry <john.g.garry@oracle.com>
+Link: https://lore.kernel.org/all/ed6b8027-a9d9-1b45-be8e-df4e8c6c4605@oracle.com/
+Reported-by: syzbot+645a4616b87a2f10e398@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/linux-scsi/000000000000890fab05f65342b6@google.com/
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20230307214428.3703498-1-bvanassche@acm.org
+Tested-by: John Garry <john.g.garry@oracle.com>
+Tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hosts.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
+index 28b201c443267..7dc42d0e2a0dd 100644
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -322,9 +322,6 @@ static void scsi_host_dev_release(struct device *dev)
+ struct Scsi_Host *shost = dev_to_shost(dev);
+ struct device *parent = dev->parent;
+
+- /* In case scsi_remove_host() has not been called. */
+- scsi_proc_hostdir_rm(shost->hostt);
+-
+ /* Wait for functions invoked through call_rcu(&scmd->rcu, ...) */
+ rcu_barrier();
+
+--
+2.39.2
+
--- /dev/null
+From e6ccb893834cce9a2eb583a54a08e2c59535fb2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Feb 2023 18:01:36 +0800
+Subject: scsi: mpt3sas: Fix NULL pointer access in
+ mpt3sas_transport_port_add()
+
+From: Wenchao Hao <haowenchao2@huawei.com>
+
+[ Upstream commit d3c57724f1569311e4b81e98fad0931028b9bdcd ]
+
+Port is allocated by sas_port_alloc_num() and rphy is allocated by either
+sas_end_device_alloc() or sas_expander_alloc(), all of which may return
+NULL. So we need to check the rphy to avoid possible NULL pointer access.
+
+If sas_rphy_add() returned with failure, rphy is set to NULL. We would
+access the rphy in the following lines which would also result NULL pointer
+access.
+
+Fixes: 78316e9dfc24 ("scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()")
+Signed-off-by: Wenchao Hao <haowenchao2@huawei.com>
+Link: https://lore.kernel.org/r/20230225100135.2109330-1-haowenchao2@huawei.com
+Acked-by: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_transport.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c
+index e5ecd6ada6cdd..e8a4750f6ec47 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_transport.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c
+@@ -785,7 +785,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
+ goto out_fail;
+ }
+ port = sas_port_alloc_num(sas_node->parent_dev);
+- if ((sas_port_add(port))) {
++ if (!port || (sas_port_add(port))) {
+ ioc_err(ioc, "failure at %s:%d/%s()!\n",
+ __FILE__, __LINE__, __func__);
+ goto out_fail;
+@@ -824,6 +824,12 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
+ mpt3sas_port->remote_identify.sas_address;
+ }
+
++ if (!rphy) {
++ ioc_err(ioc, "failure at %s:%d/%s()!\n",
++ __FILE__, __LINE__, __func__);
++ goto out_delete_port;
++ }
++
+ rphy->identify = mpt3sas_port->remote_identify;
+
+ if ((sas_rphy_add(rphy))) {
+@@ -831,6 +837,7 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
+ __FILE__, __LINE__, __func__);
+ sas_rphy_free(rphy);
+ rphy = NULL;
++ goto out_delete_port;
+ }
+
+ if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) {
+@@ -857,7 +864,10 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
+ rphy_to_expander_device(rphy), hba_port->port_id);
+ return mpt3sas_port;
+
+- out_fail:
++out_delete_port:
++ sas_port_delete(port);
++
++out_fail:
+ list_for_each_entry_safe(mpt3sas_phy, next, &mpt3sas_port->phy_list,
+ port_siblings)
+ list_del(&mpt3sas_phy->port_siblings);
+--
+2.39.2
+
--- /dev/null
+From 03e8d4d6d377ce04db6c79b0127dddcc46df737c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 00:53:53 +0800
+Subject: selftests: net: devlink_port_split.py: skip test if no suitable
+ device available
+
+From: Po-Hsu Lin <po-hsu.lin@canonical.com>
+
+[ Upstream commit 24994513ad13ff2c47ba91d2b5df82c3d496c370 ]
+
+The `devlink -j port show` command output may not contain the "flavour"
+key, an example from Ubuntu 22.10 s390x LPAR(5.19.0-37-generic), with
+mlx4 driver and iproute2-5.15.0:
+ {"port":{"pci/0001:00:00.0/1":{"type":"eth","netdev":"ens301"},
+ "pci/0001:00:00.0/2":{"type":"eth","netdev":"ens301d1"},
+ "pci/0002:00:00.0/1":{"type":"eth","netdev":"ens317"},
+ "pci/0002:00:00.0/2":{"type":"eth","netdev":"ens317d1"}}}
+
+This will cause a KeyError exception.
+
+Create a validate_devlink_output() to check for this "flavour" from
+devlink command output to avoid this KeyError exception. Also let
+it handle the check for `devlink -j dev show` output in main().
+
+Apart from this, if the test was not started because the max lanes of
+the designated device is 0. The script will still return 0 and thus
+causing a false-negative test result.
+
+Use a found_max_lanes flag to determine if these tests were skipped
+due to this reason and return KSFT_SKIP to make it more clear.
+
+Link: https://bugs.launchpad.net/bugs/1937133
+Fixes: f3348a82e727 ("selftests: net: Add port split test")
+Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
+Link: https://lore.kernel.org/r/20230315165353.229590-1-po-hsu.lin@canonical.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/net/devlink_port_split.py | 36 ++++++++++++++++---
+ 1 file changed, 31 insertions(+), 5 deletions(-)
+
+diff --git a/tools/testing/selftests/net/devlink_port_split.py b/tools/testing/selftests/net/devlink_port_split.py
+index 2b5d6ff873738..2d84c7a0be6b2 100755
+--- a/tools/testing/selftests/net/devlink_port_split.py
++++ b/tools/testing/selftests/net/devlink_port_split.py
+@@ -59,6 +59,8 @@ class devlink_ports(object):
+ assert stderr == ""
+ ports = json.loads(stdout)['port']
+
++ validate_devlink_output(ports, 'flavour')
++
+ for port in ports:
+ if dev in port:
+ if ports[port]['flavour'] == 'physical':
+@@ -220,6 +222,27 @@ def split_splittable_port(port, k, lanes, dev):
+ unsplit(port.bus_info)
+
+
++def validate_devlink_output(devlink_data, target_property=None):
++ """
++ Determine if test should be skipped by checking:
++ 1. devlink_data contains values
++ 2. The target_property exist in devlink_data
++ """
++ skip_reason = None
++ if any(devlink_data.values()):
++ if target_property:
++ skip_reason = "{} not found in devlink output, test skipped".format(target_property)
++ for key in devlink_data:
++ if target_property in devlink_data[key]:
++ skip_reason = None
++ else:
++ skip_reason = 'devlink output is empty, test skipped'
++
++ if skip_reason:
++ print(skip_reason)
++ sys.exit(KSFT_SKIP)
++
++
+ def make_parser():
+ parser = argparse.ArgumentParser(description='A test for port splitting.')
+ parser.add_argument('--dev',
+@@ -240,12 +263,9 @@ def main(cmdline=None):
+ stdout, stderr = run_command(cmd)
+ assert stderr == ""
+
++ validate_devlink_output(json.loads(stdout))
+ devs = json.loads(stdout)['dev']
+- if devs:
+- dev = list(devs.keys())[0]
+- else:
+- print("no devlink device was found, test skipped")
+- sys.exit(KSFT_SKIP)
++ dev = list(devs.keys())[0]
+
+ cmd = "devlink dev show %s" % dev
+ stdout, stderr = run_command(cmd)
+@@ -255,6 +275,7 @@ def main(cmdline=None):
+
+ ports = devlink_ports(dev)
+
++ found_max_lanes = False
+ for port in ports.if_names:
+ max_lanes = get_max_lanes(port.name)
+
+@@ -277,6 +298,11 @@ def main(cmdline=None):
+ split_splittable_port(port, lane, max_lanes, dev)
+
+ lane //= 2
++ found_max_lanes = True
++
++ if not found_max_lanes:
++ print(f"Test not started, no port of device {dev} reports max_lanes")
++ sys.exit(KSFT_SKIP)
+
+
+ if __name__ == "__main__":
+--
+2.39.2
+
--- /dev/null
+xfrm-allow-transport-mode-states-with-af_unspec-sele.patch
+drm-panfrost-don-t-sync-rpm-suspension-after-mmu-flu.patch
+cifs-move-the-in_send-statistic-to-__smb_send_rqst.patch
+drm-meson-fix-1px-pink-line-on-gxm-when-scaling-vide.patch
+clk-hi655x-select-regmap-instead-of-depending-on-it.patch
+docs-correct-missing-d_-prefix-for-dentry_operations.patch
+scsi-mpt3sas-fix-null-pointer-access-in-mpt3sas_tran.patch
+alsa-hda-match-only-intel-devices-with-controller_in.patch
+netfilter-nft_nat-correct-length-for-loading-protoco.patch
+netfilter-nft_masq-correct-length-for-loading-protoc.patch
+netfilter-nft_redir-correct-length-for-loading-proto.patch
+netfilter-nft_redir-correct-value-of-inet-type-.maxa.patch
+scsi-core-fix-a-procfs-host-directory-removal-regres.patch
+tcp-tcp_make_synack-can-be-called-from-process-conte.patch
+nfc-pn533-initialize-struct-pn533_out_arg-properly.patch
+ipvlan-make-skb-skb_iif-track-skb-dev-for-l3s-mode.patch
+i40e-fix-kernel-crash-during-reboot-when-adapter-is-.patch
+vdpa_sim-not-reset-state-in-vdpasim_queue_ready.patch
+vdpa_sim-set-last_used_idx-as-last_avail_idx-in-vdpa.patch
+pci-s390-fix-use-after-free-of-pci-resources-with-pe.patch
+drm-i915-display-workaround-cursor-left-overs-with-p.patch
+drm-i915-display-psr-use-drm-damage-helpers-to-calcu.patch
+drm-i915-display-psr-handle-plane-and-pipe-restricti.patch
+drm-i915-display-clean-up-comments.patch
+drm-i915-psr-use-calculated-io-and-fast-wake-lines.patch
+net-smc-fix-null-sndbuf_desc-in-smc_cdc_tx_handler.patch
+qed-qed_dev-guard-against-a-possible-division-by-zer.patch
+net-dsa-mt7530-remove-now-incorrect-comment-regardin.patch
+net-dsa-mt7530-set-pll-frequency-and-trgmii-only-whe.patch
+loop-fix-use-after-free-issues.patch
+net-tunnels-annotate-lockless-accesses-to-dev-needed.patch
+net-phy-smsc-bail-out-in-lan87xx_read_status-if-genp.patch
+nfc-st-nci-fix-use-after-free-bug-in-ndlc_remove-due.patch
+net-smc-fix-deadlock-triggered-by-cancel_delayed_wor.patch
+net-usb-smsc75xx-limit-packet-length-to-skb-len.patch
+drm-bridge-fix-returned-array-size-name-for-atomic_g.patch
+block-null_blk-fix-handling-of-fake-timeout-request.patch
+nvme-fix-handling-single-range-discard-request.patch
+nvmet-avoid-potential-uaf-in-nvmet_req_complete.patch
+block-sunvdc-add-check-for-mdesc_grab-returning-null.patch
+ice-xsk-disable-txq-irq-before-flushing-hw.patch
+net-dsa-mv88e6xxx-fix-max_mtu-of-1492-on-6165-6191-6.patch
+ravb-avoid-phy-being-resumed-when-interface-is-not-u.patch
+sh_eth-avoid-phy-being-resumed-when-interface-is-not.patch
+ipv4-fix-incorrect-table-id-in-ioctl-path.patch
+net-usb-smsc75xx-move-packet-length-check-to-prevent.patch
+net-iucv-fix-size-of-interrupt-data.patch
+selftests-net-devlink_port_split.py-skip-test-if-no-.patch
+qed-qed_mng_tlv-correctly-zero-out-min-instead-of-ho.patch
+ethernet-sun-add-check-for-the-mdesc_grab.patch
+bonding-restore-iff_master-slave-flags-on-bond-ensla.patch
+bonding-restore-bond-s-iff_slave-flag-if-a-non-eth-d.patch
--- /dev/null
+From 63d065306188ac77af896fc84973ac107714046d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 08:41:15 +0100
+Subject: sh_eth: avoid PHY being resumed when interface is not up
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit c6be7136afb224a01d4cde2983ddebac8da98693 ]
+
+SH_ETH doesn't need mdiobus suspend/resume, that's why it sets
+'mac_managed_pm'. However, setting it needs to be moved from init to
+probe, so mdiobus PM functions will really never be called (e.g. when
+the interface is not up yet during suspend/resume).
+
+Fixes: 6a1dbfefdae4 ("net: sh_eth: Fix PHY state warning splat during system resume")
+Suggested-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
+index 4e190f5e32c3d..b6e426d8014d1 100644
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -2033,8 +2033,6 @@ static int sh_eth_phy_init(struct net_device *ndev)
+ }
+ }
+
+- /* Indicate that the MAC is responsible for managing PHY PM */
+- phydev->mac_managed_pm = true;
+ phy_attached_info(phydev);
+
+ return 0;
+@@ -3074,6 +3072,8 @@ static int sh_mdio_init(struct sh_eth_private *mdp,
+ struct bb_info *bitbang;
+ struct platform_device *pdev = mdp->pdev;
+ struct device *dev = &mdp->pdev->dev;
++ struct phy_device *phydev;
++ struct device_node *pn;
+
+ /* create bit control struct for PHY */
+ bitbang = devm_kzalloc(dev, sizeof(struct bb_info), GFP_KERNEL);
+@@ -3108,6 +3108,14 @@ static int sh_mdio_init(struct sh_eth_private *mdp,
+ if (ret)
+ goto out_free_bus;
+
++ pn = of_parse_phandle(dev->of_node, "phy-handle", 0);
++ phydev = of_phy_find_device(pn);
++ if (phydev) {
++ phydev->mac_managed_pm = true;
++ put_device(&phydev->mdio.dev);
++ }
++ of_node_put(pn);
++
+ return 0;
+
+ out_free_bus:
+--
+2.39.2
+
--- /dev/null
+From 261a323db33a7860b21c974ca0c05a15a0561bf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 11:07:45 -0800
+Subject: tcp: tcp_make_synack() can be called from process context
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit bced3f7db95ff2e6ca29dc4d1c9751ab5e736a09 ]
+
+tcp_rtx_synack() now could be called in process context as explained in
+0a375c822497 ("tcp: tcp_rtx_synack() can be called from process
+context").
+
+tcp_rtx_synack() might call tcp_make_synack(), which will touch per-CPU
+variables with preemption enabled. This causes the following BUG:
+
+ BUG: using __this_cpu_add() in preemptible [00000000] code: ThriftIO1/5464
+ caller is tcp_make_synack+0x841/0xac0
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x10d/0x1a0
+ check_preemption_disabled+0x104/0x110
+ tcp_make_synack+0x841/0xac0
+ tcp_v6_send_synack+0x5c/0x450
+ tcp_rtx_synack+0xeb/0x1f0
+ inet_rtx_syn_ack+0x34/0x60
+ tcp_check_req+0x3af/0x9e0
+ tcp_rcv_state_process+0x59b/0x2030
+ tcp_v6_do_rcv+0x5f5/0x700
+ release_sock+0x3a/0xf0
+ tcp_sendmsg+0x33/0x40
+ ____sys_sendmsg+0x2f2/0x490
+ __sys_sendmsg+0x184/0x230
+ do_syscall_64+0x3d/0x90
+
+Avoid calling __TCP_INC_STATS() with will touch per-cpu variables. Use
+TCP_INC_STATS() which is safe to be called from context switch.
+
+Fixes: 8336886f786f ("tcp: TCP Fast Open Server - support TFO listeners")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230308190745.780221-1-leitao@debian.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 33ba1268a111f..1f39b56bbab32 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -3610,7 +3610,7 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst,
+ th->window = htons(min(req->rsk_rcv_wnd, 65535U));
+ tcp_options_write((__be32 *)(th + 1), NULL, &opts);
+ th->doff = (tcp_header_size >> 2);
+- __TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS);
++ TCP_INC_STATS(sock_net(sk), TCP_MIB_OUTSEGS);
+
+ #ifdef CONFIG_TCP_MD5SIG
+ /* Okay, we have all we need - do the md5 hash if needed */
+--
+2.39.2
+
--- /dev/null
+From 08759aa26e261c88e56bdedd0da58c17c4b1e055 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jan 2023 17:43:58 +0100
+Subject: vdpa_sim: not reset state in vdpasim_queue_ready
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eugenio Pérez <eperezma@redhat.com>
+
+[ Upstream commit 0e84f918fac8ae61dcb790534fad5e3555ca2930 ]
+
+vdpasim_queue_ready calls vringh_init_iotlb, which resets split indexes.
+But it can be called after setting a ring base with
+vdpasim_set_vq_state.
+
+Fix it by stashing them. They're still resetted in vdpasim_vq_reset.
+
+This was discovered and tested live migrating the vdpa_sim_net device.
+
+Fixes: 2c53d0f64c06 ("vdpasim: vDPA device simulator")
+Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
+Message-Id: <20230118164359.1523760-2-eperezma@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Tested-by: Lei Yang <leiyang@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vdpa/vdpa_sim/vdpa_sim.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/vdpa/vdpa_sim/vdpa_sim.c b/drivers/vdpa/vdpa_sim/vdpa_sim.c
+index 4d9e3fdae5f6c..eeda45fbba258 100644
+--- a/drivers/vdpa/vdpa_sim/vdpa_sim.c
++++ b/drivers/vdpa/vdpa_sim/vdpa_sim.c
+@@ -65,6 +65,7 @@ static void vdpasim_vq_notify(struct vringh *vring)
+ static void vdpasim_queue_ready(struct vdpasim *vdpasim, unsigned int idx)
+ {
+ struct vdpasim_virtqueue *vq = &vdpasim->vqs[idx];
++ uint16_t last_avail_idx = vq->vring.last_avail_idx;
+
+ vringh_init_iotlb(&vq->vring, vdpasim->features, vq->num, false,
+ (struct vring_desc *)(uintptr_t)vq->desc_addr,
+@@ -73,6 +74,7 @@ static void vdpasim_queue_ready(struct vdpasim *vdpasim, unsigned int idx)
+ (struct vring_used *)
+ (uintptr_t)vq->device_addr);
+
++ vq->vring.last_avail_idx = last_avail_idx;
+ vq->vring.notify = vdpasim_vq_notify;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From c188aff218d15f8a3f9d24ab6f3b7dc7e08199a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Mar 2023 19:18:57 +0100
+Subject: vdpa_sim: set last_used_idx as last_avail_idx in vdpasim_queue_ready
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eugenio Pérez <eperezma@redhat.com>
+
+[ Upstream commit b4cca6d48eb3fa6f0d9caba4329b1a2b0ff67a77 ]
+
+Starting from an used_idx different than 0 is needed in use cases like
+virtual machine migration. Not doing so and letting the caller set an
+avail idx different than 0 causes destination device to try to use old
+buffers that source driver already recover and are not available
+anymore.
+
+Since vdpa_sim does not support receive inflight descriptors as a
+destination of a migration, let's set both avail_idx and used_idx the
+same at vq start. This is how vhost-user works in a
+VHOST_SET_VRING_BASE call.
+
+Although the simple fix is to set last_used_idx at vdpasim_set_vq_state,
+it would be reset at vdpasim_queue_ready. The last_avail_idx case is
+fixed with commit 0e84f918fac8 ("vdpa_sim: not reset state in
+vdpasim_queue_ready"). Since the only option is to make it equal to
+last_avail_idx, adding the only change needed here.
+
+This was discovered and tested live migrating the vdpa_sim_net device.
+
+Fixes: 2c53d0f64c06 ("vdpasim: vDPA device simulator")
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
+Message-Id: <20230302181857.925374-1-eperezma@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vdpa/vdpa_sim/vdpa_sim.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/vdpa/vdpa_sim/vdpa_sim.c b/drivers/vdpa/vdpa_sim/vdpa_sim.c
+index eeda45fbba258..3ccefa58e405c 100644
+--- a/drivers/vdpa/vdpa_sim/vdpa_sim.c
++++ b/drivers/vdpa/vdpa_sim/vdpa_sim.c
+@@ -75,6 +75,17 @@ static void vdpasim_queue_ready(struct vdpasim *vdpasim, unsigned int idx)
+ (uintptr_t)vq->device_addr);
+
+ vq->vring.last_avail_idx = last_avail_idx;
++
++ /*
++ * Since vdpa_sim does not support receive inflight descriptors as a
++ * destination of a migration, let's set both avail_idx and used_idx
++ * the same at vq start. This is how vhost-user works in a
++ * VHOST_SET_VRING_BASE call.
++ *
++ * Although the simple fix is to set last_used_idx at
++ * vdpasim_set_vq_state, it would be reset at vdpasim_queue_ready.
++ */
++ vq->vring.last_used_idx = last_avail_idx;
+ vq->vring.notify = vdpasim_vq_notify;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 159137983a8cd371cf2da5c16d485401e0dd9153 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Feb 2023 13:54:00 +0800
+Subject: xfrm: Allow transport-mode states with AF_UNSPEC selector
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit c276a706ea1f51cf9723ed8484feceaf961b8f89 ]
+
+xfrm state selectors are matched against the inner-most flow
+which can be of any address family. Therefore middle states
+in nested configurations need to carry a wildcard selector in
+order to work at all.
+
+However, this is currently forbidden for transport-mode states.
+
+Fix this by removing the unnecessary check.
+
+Fixes: 13996378e658 ("[IPSEC]: Rename mode to outer_mode and add inner_mode")
+Reported-by: David George <David.George@sophos.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 15132b080614c..60f3ea5561ddf 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -2643,9 +2643,6 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload)
+ if (inner_mode == NULL)
+ goto error;
+
+- if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL))
+- goto error;
+-
+ x->inner_mode = *inner_mode;
+
+ if (x->props.family == AF_INET)
+--
+2.39.2
+