--- /dev/null
+From b08b4a33e6309e23bcd1ac2fc8065df57d21338c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Feb 2023 16:11:28 -0600
+Subject: ACPI: x86: utils: Add Cezanne to the list for forcing StorageD3Enable
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit e2a56364485e7789e7b8f342637c7f3a219f7ede ]
+
+commit 018d6711c26e4 ("ACPI: x86: Add a quirk for Dell Inspiron 14 2-in-1
+for StorageD3Enable") introduced a quirk to allow a system with ambiguous
+use of _ADR 0 to force StorageD3Enable.
+
+It was reported that several more Dell systems suffered the same symptoms.
+As the list is continuing to grow but these are all Cezanne systems,
+instead add Cezanne to the CPU list to apply the StorageD3Enable property
+and remove the whole list.
+
+It was also reported that an HP system only has StorageD3Enable on the ACPI
+device for the first NVME disk, not the second.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217003
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216773
+Reported-by: David Alvarez Lombardi <dqalombardi@proton.me>
+Reported-by: dbilios@stdio.gr
+Reported-and-tested-by: Elvis Angelaccio <elvis.angelaccio@kde.org>
+Tested-by: victor.bonnelle@proton.me
+Tested-by: hurricanepootis@protonmail.com
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/x86/utils.c | 37 +++++++++++++------------------------
+ 1 file changed, 13 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c
+index 222b951ff56ae..f1dd086d0b87d 100644
+--- a/drivers/acpi/x86/utils.c
++++ b/drivers/acpi/x86/utils.c
+@@ -191,37 +191,26 @@ bool acpi_device_override_status(struct acpi_device *adev, unsigned long long *s
+ * a hardcoded allowlist for D3 support, which was used for these platforms.
+ *
+ * This allows quirking on Linux in a similar fashion.
++ *
++ * Cezanne systems shouldn't *normally* need this as the BIOS includes
++ * StorageD3Enable. But for two reasons we have added it.
++ * 1) The BIOS on a number of Dell systems have ambiguity
++ * between the same value used for _ADR on ACPI nodes GPP1.DEV0 and GPP1.NVME.
++ * GPP1.NVME is needed to get StorageD3Enable node set properly.
++ * https://bugzilla.kernel.org/show_bug.cgi?id=216440
++ * https://bugzilla.kernel.org/show_bug.cgi?id=216773
++ * https://bugzilla.kernel.org/show_bug.cgi?id=217003
++ * 2) On at least one HP system StorageD3Enable is missing on the second NVME
++ disk in the system.
+ */
+ static const struct x86_cpu_id storage_d3_cpu_ids[] = {
+ X86_MATCH_VENDOR_FAM_MODEL(AMD, 23, 96, NULL), /* Renoir */
+ X86_MATCH_VENDOR_FAM_MODEL(AMD, 23, 104, NULL), /* Lucienne */
+- {}
+-};
+-
+-static const struct dmi_system_id force_storage_d3_dmi[] = {
+- {
+- /*
+- * _ADR is ambiguous between GPP1.DEV0 and GPP1.NVME
+- * but .NVME is needed to get StorageD3Enable node
+- * https://bugzilla.kernel.org/show_bug.cgi?id=216440
+- */
+- .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 14 7425 2-in-1"),
+- }
+- },
+- {
+- .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 16 5625"),
+- }
+- },
++ X86_MATCH_VENDOR_FAM_MODEL(AMD, 25, 80, NULL), /* Cezanne */
+ {}
+ };
+
+ bool force_storage_d3(void)
+ {
+- const struct dmi_system_id *dmi_id = dmi_first_match(force_storage_d3_dmi);
+-
+- return dmi_id || x86_match_cpu(storage_d3_cpu_ids);
++ return x86_match_cpu(storage_d3_cpu_ids);
+ }
+--
+2.39.2
+
--- /dev/null
+From e89b91d7b28620c5d3b01f8acd94b4b8bbb53004 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jan 2023 18:01:40 +0100
+Subject: act_mirred: use the backlog for nested calls to mirred ingress
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit ca22da2fbd693b54dc8e3b7b54ccc9f7e9ba3640 ]
+
+William reports kernel soft-lockups on some OVS topologies when TC mirred
+egress->ingress action is hit by local TCP traffic [1].
+The same can also be reproduced with SCTP (thanks Xin for verifying), when
+client and server reach themselves through mirred egress to ingress, and
+one of the two peers sends a "heartbeat" packet (from within a timer).
+
+Enqueueing to backlog proved to fix this soft lockup; however, as Cong
+noticed [2], we should preserve - when possible - the current mirred
+behavior that counts as "overlimits" any eventual packet drop subsequent to
+the mirred forwarding action [3]. A compromise solution might use the
+backlog only when tcf_mirred_act() has a nest level greater than one:
+change tcf_mirred_forward() accordingly.
+
+Also, add a kselftest that can reproduce the lockup and verifies TC mirred
+ability to account for further packet drops after TC mirred egress->ingress
+(when the nest level is 1).
+
+ [1] https://lore.kernel.org/netdev/33dc43f587ec1388ba456b4915c75f02a8aae226.1663945716.git.dcaratti@redhat.com/
+ [2] https://lore.kernel.org/netdev/Y0w%2FWWY60gqrtGLp@pop-os.localdomain/
+ [3] such behavior is not guaranteed: for example, if RPS or skb RX
+ timestamping is enabled on the mirred target device, the kernel
+ can defer receiving the skb and return NET_RX_SUCCESS inside
+ tcf_mirred_forward().
+
+Reported-by: William Zhao <wizhao@redhat.com>
+CC: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_mirred.c | 7 +++
+ .../selftests/net/forwarding/tc_actions.sh | 49 ++++++++++++++++++-
+ 2 files changed, 55 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
+index b28d49495de09..6f39789d9d14b 100644
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -204,12 +204,19 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla,
+ return err;
+ }
+
++static bool is_mirred_nested(void)
++{
++ return unlikely(__this_cpu_read(mirred_nest_level) > 1);
++}
++
+ static int tcf_mirred_forward(bool want_ingress, struct sk_buff *skb)
+ {
+ int err;
+
+ if (!want_ingress)
+ err = tcf_dev_queue_xmit(skb, dev_queue_xmit);
++ else if (is_mirred_nested())
++ err = netif_rx(skb);
+ else
+ err = netif_receive_skb(skb);
+
+diff --git a/tools/testing/selftests/net/forwarding/tc_actions.sh b/tools/testing/selftests/net/forwarding/tc_actions.sh
+index d9eca227136bb..22a1e4c9553a3 100755
+--- a/tools/testing/selftests/net/forwarding/tc_actions.sh
++++ b/tools/testing/selftests/net/forwarding/tc_actions.sh
+@@ -3,7 +3,7 @@
+
+ ALL_TESTS="gact_drop_and_ok_test mirred_egress_redirect_test \
+ mirred_egress_mirror_test matchall_mirred_egress_mirror_test \
+- gact_trap_test"
++ gact_trap_test mirred_egress_to_ingress_tcp_test"
+ NUM_NETIFS=4
+ source tc_common.sh
+ source lib.sh
+@@ -153,6 +153,53 @@ gact_trap_test()
+ log_test "trap ($tcflags)"
+ }
+
++mirred_egress_to_ingress_tcp_test()
++{
++ local tmpfile=$(mktemp) tmpfile1=$(mktemp)
++
++ RET=0
++ dd conv=sparse status=none if=/dev/zero bs=1M count=2 of=$tmpfile
++ tc filter add dev $h1 protocol ip pref 100 handle 100 egress flower \
++ $tcflags ip_proto tcp src_ip 192.0.2.1 dst_ip 192.0.2.2 \
++ action ct commit nat src addr 192.0.2.2 pipe \
++ action ct clear pipe \
++ action ct commit nat dst addr 192.0.2.1 pipe \
++ action ct clear pipe \
++ action skbedit ptype host pipe \
++ action mirred ingress redirect dev $h1
++ tc filter add dev $h1 protocol ip pref 101 handle 101 egress flower \
++ $tcflags ip_proto icmp \
++ action mirred ingress redirect dev $h1
++ tc filter add dev $h1 protocol ip pref 102 handle 102 ingress flower \
++ ip_proto icmp \
++ action drop
++
++ ip vrf exec v$h1 nc --recv-only -w10 -l -p 12345 -o $tmpfile1 &
++ local rpid=$!
++ ip vrf exec v$h1 nc -w1 --send-only 192.0.2.2 12345 <$tmpfile
++ wait -n $rpid
++ cmp -s $tmpfile $tmpfile1
++ check_err $? "server output check failed"
++
++ $MZ $h1 -c 10 -p 64 -a $h1mac -b $h1mac -A 192.0.2.1 -B 192.0.2.1 \
++ -t icmp "ping,id=42,seq=5" -q
++ tc_check_packets "dev $h1 egress" 101 10
++ check_err $? "didn't mirred redirect ICMP"
++ tc_check_packets "dev $h1 ingress" 102 10
++ check_err $? "didn't drop mirred ICMP"
++ local overlimits=$(tc_rule_stats_get ${h1} 101 egress .overlimits)
++ test ${overlimits} = 10
++ check_err $? "wrong overlimits, expected 10 got ${overlimits}"
++
++ tc filter del dev $h1 egress protocol ip pref 100 handle 100 flower
++ tc filter del dev $h1 egress protocol ip pref 101 handle 101 flower
++ tc filter del dev $h1 ingress protocol ip pref 102 handle 102 flower
++
++ rm -f $tmpfile $tmpfile1
++ log_test "mirred_egress_to_ingress_tcp ($tcflags)"
++}
++
++>>>>>>> e921d05033293 (act_mirred: use the backlog for nested calls to mirred ingress)
+ setup_prepare()
+ {
+ h1=${NETIFS[p1]}
+--
+2.39.2
+
--- /dev/null
+From 141ee3b03517b66735866b49de89f9b2ad98a36f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Feb 2023 23:25:04 -0500
+Subject: ca8210: fix mac_len negative array access
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 6c993779ea1d0cccdb3a5d7d45446dd229e610a3 ]
+
+This patch fixes a buffer overflow access of skb->data if
+ieee802154_hdr_peek_addrs() fails.
+
+Reported-by: lianhui tang <bluetlh@gmail.com>
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20230217042504.3303396-1-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/ca8210.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
+index 0362917fce7a9..e2322bc3a4e9a 100644
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -1956,6 +1956,8 @@ static int ca8210_skb_tx(
+ * packet
+ */
+ mac_len = ieee802154_hdr_peek_addrs(skb, &header);
++ if (mac_len < 0)
++ return mac_len;
+
+ secspec.security_level = header.sec.level;
+ secspec.key_id_mode = header.sec.key_id_mode;
+--
+2.39.2
+
--- /dev/null
+From b2c6125609d61ad5672650df492ce984bfa3a6c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Feb 2023 20:15:49 +0300
+Subject: drm/cirrus: NULL-check pipe->plane.state->fb in cirrus_pipe_update()
+
+From: Alexandr Sapozhnikov <alsp705@gmail.com>
+
+[ Upstream commit 7245e629dcaaf308f1868aeffa218e9849c77893 ]
+
+After having been compared to NULL value at cirrus.c:455, pointer
+'pipe->plane.state->fb' is passed as 1st parameter in call to function
+'cirrus_fb_blit_rect' at cirrus.c:461, where it is dereferenced at
+cirrus.c:316.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+v2:
+ * aligned commit message to line-length limits
+
+Signed-off-by: Alexandr Sapozhnikov <alsp705@gmail.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230215171549.16305-1-alsp705@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tiny/cirrus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/tiny/cirrus.c b/drivers/gpu/drm/tiny/cirrus.c
+index 4611ec408506b..2a81311b22172 100644
+--- a/drivers/gpu/drm/tiny/cirrus.c
++++ b/drivers/gpu/drm/tiny/cirrus.c
+@@ -450,7 +450,7 @@ static void cirrus_pipe_update(struct drm_simple_display_pipe *pipe,
+ if (state->fb && cirrus->cpp != cirrus_cpp(state->fb))
+ cirrus_mode_set(cirrus, &crtc->mode, state->fb);
+
+- if (drm_atomic_helper_damage_merged(old_state, state, &rect))
++ if (state->fb && drm_atomic_helper_damage_merged(old_state, state, &rect))
+ cirrus_fb_blit_rect(state->fb, &shadow_plane_state->data[0], &rect);
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 8a62cb8329a685689db0326d57e6a5987b3ce70b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Feb 2023 11:00:44 -0600
+Subject: HID: cp2112: Fix driver not registering GPIO IRQ chip as threaded
+
+From: Danny Kaehn <kaehndan@gmail.com>
+
+[ Upstream commit 37f5b858a66543b2b67c0288280af623985abc29 ]
+
+The CP2112 generates interrupts from a polling routine on a thread,
+and can only support threaded interrupts. This patch configures the
+gpiochip irq chip with this flag, disallowing consumers to request
+a hard IRQ from this driver, which resulted in a segfault previously.
+
+Signed-off-by: Danny Kaehn <kaehndan@gmail.com>
+Link: https://lore.kernel.org/r/20230210170044.11835-1-kaehndan@gmail.com
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-cp2112.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hid/hid-cp2112.c b/drivers/hid/hid-cp2112.c
+index 172f20e88c6c9..d902fe43cb818 100644
+--- a/drivers/hid/hid-cp2112.c
++++ b/drivers/hid/hid-cp2112.c
+@@ -1352,6 +1352,7 @@ static int cp2112_probe(struct hid_device *hdev, const struct hid_device_id *id)
+ girq->parents = NULL;
+ girq->default_type = IRQ_TYPE_NONE;
+ girq->handler = handle_simple_irq;
++ girq->threaded = true;
+
+ ret = gpiochip_add_data(&dev->gc, dev);
+ if (ret < 0) {
+--
+2.39.2
+
--- /dev/null
+From 241b3355d1736c5edc3147ce20cb8901e4609a77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 13:49:38 +1100
+Subject: HID: intel-ish-hid: ipc: Fix potential use-after-free in work
+ function
+
+From: Reka Norman <rekanorman@chromium.org>
+
+[ Upstream commit 8ae2f2b0a28416ed2f6d8478ac8b9f7862f36785 ]
+
+When a reset notify IPC message is received, the ISR schedules a work
+function and passes the ISHTP device to it via a global pointer
+ishtp_dev. If ish_probe() fails, the devm-managed device resources
+including ishtp_dev are freed, but the work is not cancelled, causing a
+use-after-free when the work function tries to access ishtp_dev. Use
+devm_work_autocancel() instead, so that the work is automatically
+cancelled if probe fails.
+
+Signed-off-by: Reka Norman <rekanorman@chromium.org>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/intel-ish-hid/ipc/ipc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/intel-ish-hid/ipc/ipc.c b/drivers/hid/intel-ish-hid/ipc/ipc.c
+index 45e0c7b1c9ec6..6c942dd1abca2 100644
+--- a/drivers/hid/intel-ish-hid/ipc/ipc.c
++++ b/drivers/hid/intel-ish-hid/ipc/ipc.c
+@@ -5,6 +5,7 @@
+ * Copyright (c) 2014-2016, Intel Corporation.
+ */
+
++#include <linux/devm-helpers.h>
+ #include <linux/sched.h>
+ #include <linux/spinlock.h>
+ #include <linux/delay.h>
+@@ -621,7 +622,6 @@ static void recv_ipc(struct ishtp_device *dev, uint32_t doorbell_val)
+ case MNG_RESET_NOTIFY:
+ if (!ishtp_dev) {
+ ishtp_dev = dev;
+- INIT_WORK(&fw_reset_work, fw_reset_work_fn);
+ }
+ schedule_work(&fw_reset_work);
+ break;
+@@ -936,6 +936,7 @@ struct ishtp_device *ish_dev_init(struct pci_dev *pdev)
+ {
+ struct ishtp_device *dev;
+ int i;
++ int ret;
+
+ dev = devm_kzalloc(&pdev->dev,
+ sizeof(struct ishtp_device) + sizeof(struct ish_hw),
+@@ -971,6 +972,12 @@ struct ishtp_device *ish_dev_init(struct pci_dev *pdev)
+ list_add_tail(&tx_buf->link, &dev->wr_free_list);
+ }
+
++ ret = devm_work_autocancel(&pdev->dev, &fw_reset_work, fw_reset_work_fn);
++ if (ret) {
++ dev_err(dev->devc, "Failed to initialise FW reset work\n");
++ return NULL;
++ }
++
+ dev->ops = &ish_hw_ops;
+ dev->devc = &pdev->dev;
+ dev->mtu = IPC_PAYLOAD_SIZE - sizeof(struct ishtp_msg_hdr);
+--
+2.39.2
+
--- /dev/null
+From a18a7be6cae85cc2bd74d46edf1a7ac434428f01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Mar 2023 15:11:07 +1300
+Subject: m68k: Only force 030 bus error if PC not in exception table
+
+From: Michael Schmitz <schmitzmic@gmail.com>
+
+[ Upstream commit e36a82bebbf7da814530d5a179bef9df5934b717 ]
+
+__get_kernel_nofault() does copy data in supervisor mode when
+forcing a task backtrace log through /proc/sysrq_trigger.
+This is expected cause a bus error exception on e.g. NULL
+pointer dereferencing when logging a kernel task has no
+workqueue associated. This bus error ought to be ignored.
+
+Our 030 bus error handler is ill equipped to deal with this:
+
+Whenever ssw indicates a kernel mode access on a data fault,
+we don't even attempt to handle the fault and instead always
+send a SEGV signal (or panic). As a result, the check
+for exception handling at the fault PC (buried in
+send_sig_fault() which gets called from do_page_fault()
+eventually) is never used.
+
+In contrast, both 040 and 060 access error handlers do not
+care whether a fault happened on supervisor mode access,
+and will call do_page_fault() on those, ultimately honoring
+the exception table.
+
+Add a check in bus_error030 to call do_page_fault() in case
+we do have an entry for the fault PC in our exception table.
+
+I had attempted a fix for this earlier in 2019 that did rely
+on testing pagefault_disabled() (see link below) to achieve
+the same thing, but this patch should be more generic.
+
+Tested on 030 Atari Falcon.
+
+Reported-by: Eero Tamminen <oak@helsinkinet.fi>
+Link: https://lore.kernel.org/r/alpine.LNX.2.21.1904091023540.25@nippy.intranet
+Link: https://lore.kernel.org/r/63130691-1984-c423-c1f2-73bfd8d3dcd3@gmail.com
+Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/r/20230301021107.26307-1-schmitzmic@gmail.com
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/kernel/traps.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/m68k/kernel/traps.c b/arch/m68k/kernel/traps.c
+index 59fc63feb0dcc..6f647742a6ca9 100644
+--- a/arch/m68k/kernel/traps.c
++++ b/arch/m68k/kernel/traps.c
+@@ -30,6 +30,7 @@
+ #include <linux/init.h>
+ #include <linux/ptrace.h>
+ #include <linux/kallsyms.h>
++#include <linux/extable.h>
+
+ #include <asm/setup.h>
+ #include <asm/fpu.h>
+@@ -544,7 +545,8 @@ static inline void bus_error030 (struct frame *fp)
+ errorcode |= 2;
+
+ if (mmusr & (MMU_I | MMU_WP)) {
+- if (ssw & 4) {
++ /* We might have an exception table for this PC */
++ if (ssw & 4 && !search_exception_tables(fp->ptregs.pc)) {
+ pr_err("Data %s fault at %#010lx in %s (pc=%#lx)\n",
+ ssw & RW ? "read" : "write",
+ fp->un.fmtb.daddr,
+--
+2.39.2
+
--- /dev/null
+From 07e80923eecb11538851e4f5c1d851d78f0b5616 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jan 2023 18:01:39 +0100
+Subject: net/sched: act_mirred: better wording on protection against excessive
+ stack growth
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 78dcdffe0418ac8f3f057f26fe71ccf4d8ed851f ]
+
+with commit e2ca070f89ec ("net: sched: protect against stack overflow in
+TC act_mirred"), act_mirred protected itself against excessive stack growth
+using per_cpu counter of nested calls to tcf_mirred_act(), and capping it
+to MIRRED_RECURSION_LIMIT. However, such protection does not detect
+recursion/loops in case the packet is enqueued to the backlog (for example,
+when the mirred target device has RPS or skb timestamping enabled). Change
+the wording from "recursion" to "nesting" to make it more clear to readers.
+
+CC: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: ca22da2fbd69 ("act_mirred: use the backlog for nested calls to mirred ingress")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_mirred.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
+index efc963ab995a3..b28d49495de09 100644
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -28,8 +28,8 @@
+ static LIST_HEAD(mirred_list);
+ static DEFINE_SPINLOCK(mirred_list_lock);
+
+-#define MIRRED_RECURSION_LIMIT 4
+-static DEFINE_PER_CPU(unsigned int, mirred_rec_level);
++#define MIRRED_NEST_LIMIT 4
++static DEFINE_PER_CPU(unsigned int, mirred_nest_level);
+
+ static bool tcf_mirred_is_act_redirect(int action)
+ {
+@@ -223,7 +223,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
+ struct sk_buff *skb2 = skb;
+ bool m_mac_header_xmit;
+ struct net_device *dev;
+- unsigned int rec_level;
++ unsigned int nest_level;
+ int retval, err = 0;
+ bool use_reinsert;
+ bool want_ingress;
+@@ -234,11 +234,11 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
+ int mac_len;
+ bool at_nh;
+
+- rec_level = __this_cpu_inc_return(mirred_rec_level);
+- if (unlikely(rec_level > MIRRED_RECURSION_LIMIT)) {
++ nest_level = __this_cpu_inc_return(mirred_nest_level);
++ if (unlikely(nest_level > MIRRED_NEST_LIMIT)) {
+ net_warn_ratelimited("Packet exceeded mirred recursion limit on dev %s\n",
+ netdev_name(skb->dev));
+- __this_cpu_dec(mirred_rec_level);
++ __this_cpu_dec(mirred_nest_level);
+ return TC_ACT_SHOT;
+ }
+
+@@ -308,7 +308,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
+ err = tcf_mirred_forward(res->ingress, skb);
+ if (err)
+ tcf_action_inc_overlimit_qstats(&m->common);
+- __this_cpu_dec(mirred_rec_level);
++ __this_cpu_dec(mirred_nest_level);
+ return TC_ACT_CONSUMED;
+ }
+ }
+@@ -320,7 +320,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
+ if (tcf_mirred_is_act_redirect(m_eaction))
+ retval = TC_ACT_SHOT;
+ }
+- __this_cpu_dec(mirred_rec_level);
++ __this_cpu_dec(mirred_nest_level);
+
+ return retval;
+ }
+--
+2.39.2
+
--- /dev/null
+From 35682e838ab058aeb979f47d2bd7834f929bb1ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 12:59:33 +0100
+Subject: net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990
+
+From: Enrico Sau <enrico.sau@gmail.com>
+
+[ Upstream commit 418383e6ed6b4624a54ec05c535f13d184fbf33b ]
+
+Add quirk CDC_MBIM_FLAG_AVOID_ALTSETTING_TOGGLE for Telit FE990
+0x1081 composition in order to avoid bind error.
+
+Signed-off-by: Enrico Sau <enrico.sau@gmail.com>
+Link: https://lore.kernel.org/r/20230306115933.198259-1-enrico.sau@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_mbim.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/usb/cdc_mbim.c b/drivers/net/usb/cdc_mbim.c
+index c0b8b4aa78f37..a3ccf0cee093c 100644
+--- a/drivers/net/usb/cdc_mbim.c
++++ b/drivers/net/usb/cdc_mbim.c
+@@ -664,6 +664,11 @@ static const struct usb_device_id mbim_devs[] = {
+ .driver_info = (unsigned long)&cdc_mbim_info_avoid_altsetting_toggle,
+ },
+
++ /* Telit FE990 */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x1bc7, 0x1081, USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE),
++ .driver_info = (unsigned long)&cdc_mbim_info_avoid_altsetting_toggle,
++ },
++
+ /* default entry */
+ { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_MBIM, USB_CDC_PROTO_NONE),
+ .driver_info = (unsigned long)&cdc_mbim_info_zlp,
+--
+2.39.2
+
--- /dev/null
+From 823c644f2a867103cf3b897c9204b9daf6e0d3a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 13:05:28 +0100
+Subject: net: usb: qmi_wwan: add Telit 0x1080 composition
+
+From: Enrico Sau <enrico.sau@gmail.com>
+
+[ Upstream commit 382e363d5bed0cec5807b35761d14e55955eee63 ]
+
+Add the following Telit FE990 composition:
+
+0x1080: tty, adb, rmnet, tty, tty, tty, tty
+
+Signed-off-by: Enrico Sau <enrico.sau@gmail.com>
+Link: https://lore.kernel.org/r/20230306120528.198842-1-enrico.sau@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 7b358b896a6d7..8646c4d90361c 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1358,6 +1358,7 @@ static const struct usb_device_id products[] = {
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1050, 2)}, /* Telit FN980 */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1060, 2)}, /* Telit LN920 */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1070, 2)}, /* Telit FN990 */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1080, 2)}, /* Telit FE990 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */
+ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
+--
+2.39.2
+
--- /dev/null
+From bd77fb7baf9678e3258eae6bcf92e3ba99fb08c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Mar 2021 15:34:20 -0400
+Subject: riscv: Bump COMMAND_LINE_SIZE value to 1024
+
+From: Alexandre Ghiti <alex@ghiti.fr>
+
+[ Upstream commit 61fc1ee8be26bc192d691932b0a67eabee45d12f ]
+
+Increase COMMAND_LINE_SIZE as the current default value is too low
+for syzbot kernel command line.
+
+There has been considerable discussion on this patch that has led to a
+larger patch set removing COMMAND_LINE_SIZE from the uapi headers on all
+ports. That's not quite done yet, but it's gotten far enough we're
+confident this is not a uABI change so this is safe.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Alexandre Ghiti <alex@ghiti.fr>
+Link: https://lore.kernel.org/r/20210316193420.904-1-alex@ghiti.fr
+[Palmer: it's not uabi]
+Link: https://lore.kernel.org/linux-riscv/874b8076-b0d1-4aaa-bcd8-05d523060152@app.fastmail.com/#t
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/uapi/asm/setup.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+ create mode 100644 arch/riscv/include/uapi/asm/setup.h
+
+diff --git a/arch/riscv/include/uapi/asm/setup.h b/arch/riscv/include/uapi/asm/setup.h
+new file mode 100644
+index 0000000000000..66b13a5228808
+--- /dev/null
++++ b/arch/riscv/include/uapi/asm/setup.h
+@@ -0,0 +1,8 @@
++/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */
++
++#ifndef _UAPI_ASM_RISCV_SETUP_H
++#define _UAPI_ASM_RISCV_SETUP_H
++
++#define COMMAND_LINE_SIZE 1024
++
++#endif /* _UAPI_ASM_RISCV_SETUP_H */
+--
+2.39.2
+
--- /dev/null
+From 955ac45b84df532ccc0ba2efe557da217c919f3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 11:10:30 +0800
+Subject: scsi: hisi_sas: Check devm_add_action() return value
+
+From: Kang Chen <void0red@gmail.com>
+
+[ Upstream commit 06d1a90de60208054cca15ef200138cfdbb642a9 ]
+
+In case devm_add_action() fails, check it in the caller of
+interrupt_preinit_v3_hw().
+
+Link: https://lore.kernel.org/r/20230227031030.893324-1-void0red@gmail.com
+Signed-off-by: Kang Chen <void0red@gmail.com>
+Acked-by: Xiang Chen <chenxiang66@hisilicon.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+index fa22cb712be5a..9515ab66a7789 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+@@ -2424,8 +2424,7 @@ static int interrupt_preinit_v3_hw(struct hisi_hba *hisi_hba)
+ hisi_hba->cq_nvecs = vectors - BASE_VECTORS_V3_HW;
+ shost->nr_hw_queues = hisi_hba->cq_nvecs;
+
+- devm_add_action(&pdev->dev, hisi_sas_v3_free_vectors, pdev);
+- return 0;
++ return devm_add_action(&pdev->dev, hisi_sas_v3_free_vectors, pdev);
+ }
+
+ static int interrupt_init_v3_hw(struct hisi_hba *hisi_hba)
+--
+2.39.2
+
--- /dev/null
+From e882ed9564d926a1f5277d658289231202eff4eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Mar 2023 18:19:14 +0100
+Subject: scsi: lpfc: Avoid usage of list iterator variable after loop
+
+From: Jakob Koschel <jkl820.git@gmail.com>
+
+[ Upstream commit 2850b23e9f9ae3696e472d2883ea1b43aafa884e ]
+
+If the &epd_pool->list is empty when executing
+lpfc_get_io_buf_from_expedite_pool() the function would return an invalid
+pointer. Even in the case if the list is guaranteed to be populated, the
+iterator variable should not be used after the loop to be more robust for
+future changes.
+
+Linus proposed to avoid any use of the list iterator variable after the
+loop, in the attempt to move the list iterator variable declaration into
+the macro to avoid any potential misuse after the loop [1].
+
+Link: https://lore.kernel.org/all/CAHk-=wgRr_D8CB-D9Kg-c=EHreAsk5SqXPwr9Y7k9sA6cWXJ6w@mail.gmail.com/ [1]
+Signed-off-by: Jakob Koschel <jkl820.git@gmail.com>
+Link: https://lore.kernel.org/r/20230301-scsi-lpfc-avoid-list-iterator-after-loop-v1-1-325578ae7561@gmail.com
+Reviewed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 1f1d346adc038..30bc72324f068 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -22166,20 +22166,20 @@ lpfc_get_io_buf_from_private_pool(struct lpfc_hba *phba,
+ static struct lpfc_io_buf *
+ lpfc_get_io_buf_from_expedite_pool(struct lpfc_hba *phba)
+ {
+- struct lpfc_io_buf *lpfc_ncmd;
++ struct lpfc_io_buf *lpfc_ncmd = NULL, *iter;
+ struct lpfc_io_buf *lpfc_ncmd_next;
+ unsigned long iflag;
+ struct lpfc_epd_pool *epd_pool;
+
+ epd_pool = &phba->epd_pool;
+- lpfc_ncmd = NULL;
+
+ spin_lock_irqsave(&epd_pool->lock, iflag);
+ if (epd_pool->count > 0) {
+- list_for_each_entry_safe(lpfc_ncmd, lpfc_ncmd_next,
++ list_for_each_entry_safe(iter, lpfc_ncmd_next,
+ &epd_pool->list, list) {
+- list_del(&lpfc_ncmd->list);
++ list_del(&iter->list);
+ epd_pool->count--;
++ lpfc_ncmd = iter;
+ break;
+ }
+ }
+--
+2.39.2
+
--- /dev/null
+From d1a622265c4f23853d4abf9281947aabebdce969 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 20:43:36 -0800
+Subject: scsi: lpfc: Check kzalloc() in lpfc_sli4_cgn_params_read()
+
+From: Justin Tee <justin.tee@broadcom.com>
+
+[ Upstream commit 312320b0e0ec21249a17645683fe5304d796aec1 ]
+
+If kzalloc() fails in lpfc_sli4_cgn_params_read(), then we rely on
+lpfc_read_object()'s routine to NULL check pdata.
+
+Currently, an early return error is thrown from lpfc_read_object() to
+protect us from NULL ptr dereference, but the errno code is -ENODEV.
+
+Change the errno code to a more appropriate -ENOMEM.
+
+Reported-by: Kang Chen <void0red@gmail.com>
+Link: https://lore.kernel.org/all/20230226102338.3362585-1-void0red@gmail.com
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Link: https://lore.kernel.org/r/20230228044336.5195-1-justintee8345@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_init.c | 2 ++
+ drivers/scsi/lpfc/lpfc_sli.c | 4 ----
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
+index 855817f6fe671..f79299f6178cd 100644
+--- a/drivers/scsi/lpfc/lpfc_init.c
++++ b/drivers/scsi/lpfc/lpfc_init.c
+@@ -7056,6 +7056,8 @@ lpfc_sli4_cgn_params_read(struct lpfc_hba *phba)
+ /* Find out if the FW has a new set of congestion parameters. */
+ len = sizeof(struct lpfc_cgn_param);
+ pdata = kzalloc(len, GFP_KERNEL);
++ if (!pdata)
++ return -ENOMEM;
+ ret = lpfc_read_object(phba, (char *)LPFC_PORT_CFG_NAME,
+ pdata, len);
+
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 7d333167047f5..1f1d346adc038 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -22376,10 +22376,6 @@ lpfc_read_object(struct lpfc_hba *phba, char *rdobject, uint32_t *datap,
+ struct lpfc_dmabuf *pcmd;
+ u32 rd_object_name[LPFC_MBX_OBJECT_NAME_LEN_DW] = {0};
+
+- /* sanity check on queue memory */
+- if (!datap)
+- return -ENODEV;
+-
+ mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
+ if (!mbox)
+ return -ENOMEM;
+--
+2.39.2
+
--- /dev/null
+From 7beaeaa932c6ea1e4abea96b42c389a941b97ab8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 08:48:34 -0800
+Subject: scsi: storvsc: Handle BlockSize change in Hyper-V VHD/VHDX file
+
+From: Michael Kelley <mikelley@microsoft.com>
+
+[ Upstream commit 11d9874c4204a785f43d899a1ab12f9dc8d9de3e ]
+
+Hyper-V uses a VHD or VHDX file on the host as the underlying storage for a
+virtual disk. The VHD/VHDX file format is a sparse format where real disk
+space on the host is assigned in chunks that the VHD/VHDX file format calls
+the BlockSize. This BlockSize is not to be confused with the 512-byte (or
+4096-byte) sector size of the underlying storage device. The default block
+size for a new VHD/VHDX file is 32 Mbytes. When a guest VM touches any
+disk space within a 32 Mbyte chunk of the VHD/VHDX file, Hyper-V allocates
+32 Mbytes of real disk space for that section of the VHD/VHDX. Similarly,
+if a discard operation is done that covers an entire 32 Mbyte chunk,
+Hyper-V will free the real disk space for that portion of the VHD/VHDX.
+This BlockSize is surfaced in Linux as the "discard_granularity" in
+/sys/block/sd<x>/queue, which makes sense.
+
+Hyper-V also has differencing disks that can overlay a VHD/VHDX file to
+capture changes to the VHD/VHDX while preserving the original VHD/VHDX.
+One example of this differencing functionality is for VM snapshots. When a
+snapshot is created, a differencing disk is created. If the snapshot is
+rolled back, Hyper-V can just delete the differencing disk, and the VM will
+see the original disk contents at the time the snapshot was taken.
+Differencing disks are used in other scenarios as well.
+
+The BlockSize for a differencing disk defaults to 2 Mbytes, not 32 Mbytes.
+The smaller default is used because changes to differencing disks are
+typically scattered all over, and Hyper-V doesn't want to allocate 32
+Mbytes of real disk space for a stray write here or there. The smaller
+BlockSize provides more efficient use of real disk space.
+
+When a differencing disk is added to a VHD/VHDX, Hyper-V reports
+UNIT_ATTENTION with a sense code indicating "Operating parameters have
+changed", because the value of discard_granularity should be changed to 2
+Mbytes. When the differencing disk is removed, discard_granularity should
+be changed back to 32 Mbytes. However, current code simply reports a
+message from scsi_report_sense() and the value of
+/sys/block/sd<x>/queue/discard_granularity is not updated. The message
+isn't very actionable by a sysadmin.
+
+Fix this by having the storvsc driver check for the sense code indicating
+that the underly VHD/VHDX block size has changed, and do a rescan of the
+device to pick up the new discard_granularity. With this change the entire
+transition to/from differencing disks is handled automatically and
+transparently, with no confusing messages being output.
+
+Link: https://lore.kernel.org/r/1677516514-86060-1-git-send-email-mikelley@microsoft.com
+Signed-off-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/storvsc_drv.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
+index 6110dfd903f74..83a3d9f085d84 100644
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -1050,6 +1050,22 @@ static void storvsc_handle_error(struct vmscsi_request *vm_srb,
+ goto do_work;
+ }
+
++ /*
++ * Check for "Operating parameters have changed"
++ * due to Hyper-V changing the VHD/VHDX BlockSize
++ * when adding/removing a differencing disk. This
++ * causes discard_granularity to change, so do a
++ * rescan to pick up the new granularity. We don't
++ * want scsi_report_sense() to output a message
++ * that a sysadmin wouldn't know what to do with.
++ */
++ if ((asc == 0x3f) && (ascq != 0x03) &&
++ (ascq != 0x0e)) {
++ process_err_fn = storvsc_device_scan;
++ set_host_byte(scmnd, DID_REQUEUE);
++ goto do_work;
++ }
++
+ /*
+ * Otherwise, let upper layer deal with the
+ * error when sense message is present
+--
+2.39.2
+
--- /dev/null
+From eebe4fce913a756d0e9765780705f41eb1a3c01c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Feb 2023 15:15:56 +0100
+Subject: scsi: target: iscsi: Fix an error message in iscsi_check_key()
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 6cc55c969b7ce8d85e09a636693d4126c3676c11 ]
+
+The first half of the error message is printed by pr_err(), the second half
+is printed by pr_debug(). The user will therefore see only the first part
+of the message and will miss some useful information.
+
+Link: https://lore.kernel.org/r/20230214141556.762047-1-mlombard@redhat.com
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/iscsi/iscsi_target_parameters.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
+index 6bc3aaf655fc4..62004e3fe1ccc 100644
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -1262,18 +1262,20 @@ static struct iscsi_param *iscsi_check_key(
+ return param;
+
+ if (!(param->phase & phase)) {
+- pr_err("Key \"%s\" may not be negotiated during ",
+- param->name);
++ char *phase_name;
++
+ switch (phase) {
+ case PHASE_SECURITY:
+- pr_debug("Security phase.\n");
++ phase_name = "Security";
+ break;
+ case PHASE_OPERATIONAL:
+- pr_debug("Operational phase.\n");
++ phase_name = "Operational";
+ break;
+ default:
+- pr_debug("Unknown phase.\n");
++ phase_name = "Unknown";
+ }
++ pr_err("Key \"%s\" may not be negotiated during %s phase.\n",
++ param->name, phase_name);
+ return NULL;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From d4789e12694fda00f6e77345b51ca24bf19de883 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Feb 2023 09:07:40 -0500
+Subject: scsi: ufs: core: Add soft dependency on governor_simpleondemand
+
+From: Adrien Thierry <athierry@redhat.com>
+
+[ Upstream commit 2ebe16155dc8bd4e602cad5b5f65458d2eaa1a75 ]
+
+The ufshcd driver uses simpleondemand governor for devfreq. Add it to the
+list of ufshcd softdeps to allow userspace initramfs tools like dracut to
+automatically pull the governor module into the initramfs together with UFS
+drivers.
+
+Link: https://lore.kernel.org/r/20230220140740.14379-1-athierry@redhat.com
+Signed-off-by: Adrien Thierry <athierry@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index eaa91aec036b1..fd430d24f6de9 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -9749,5 +9749,6 @@ module_exit(ufshcd_core_exit);
+ MODULE_AUTHOR("Santosh Yaragnavi <santosh.sy@samsung.com>");
+ MODULE_AUTHOR("Vinayak Holikatti <h.vinayak@samsung.com>");
+ MODULE_DESCRIPTION("Generic UFS host controller driver Core");
++MODULE_SOFTDEP("pre: governor_simpleondemand");
+ MODULE_LICENSE("GPL");
+ MODULE_VERSION(UFSHCD_DRIVER_VERSION);
+--
+2.39.2
+
--- /dev/null
+From 937e1b69386ea5c3faa8006bdaf94d023014f45e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Feb 2023 14:44:22 -0500
+Subject: scsi: ufs: core: Initialize devfreq synchronously
+
+From: Adrien Thierry <athierry@redhat.com>
+
+[ Upstream commit 7dafc3e007918384c8693ff8d70381b5c1e9c247 ]
+
+During UFS initialization, devfreq initialization is asynchronous:
+ufshcd_async_scan() calls ufshcd_add_lus(), which in turn initializes
+devfreq for UFS. The simple ondemand governor is then loaded. If it is
+built as a module, request_module() is called and throws a warning:
+
+ WARNING: CPU: 7 PID: 167 at kernel/kmod.c:136 __request_module+0x1e0/0x460
+ Modules linked in: crct10dif_ce llcc_qcom phy_qcom_qmp_usb ufs_qcom phy_qcom_snps_femto_v2 ufshcd_pltfrm phy_qcom_qmp_combo ufshcd_core phy_qcom_qmp_ufs qcom_wdt socinfo fuse ipv6
+ CPU: 7 PID: 167 Comm: kworker/u16:3 Not tainted 6.2.0-rc6-00009-g58706f7fb045 #1
+ Hardware name: Qualcomm SA8540P Ride (DT)
+ Workqueue: events_unbound async_run_entry_fn
+ pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : __request_module+0x1e0/0x460
+ lr : __request_module+0x1d8/0x460
+ sp : ffff800009323b90
+ x29: ffff800009323b90 x28: 0000000000000000 x27: 0000000000000000
+ x26: ffff800009323d50 x25: ffff7b9045f57810 x24: ffff7b9045f57830
+ x23: ffffdc5a83e426e8 x22: ffffdc5ae80a9818 x21: 0000000000000001
+ x20: ffffdc5ae7502f98 x19: ffff7b9045f57800 x18: ffffffffffffffff
+ x17: 312f716572667665 x16: 642f7366752e3030 x15: 0000000000000000
+ x14: 000000000000021c x13: 0000000000005400 x12: ffff7b9042ed7614
+ x11: ffff7b9042ed7600 x10: 00000000636c0890 x9 : 0000000000000038
+ x8 : ffff7b9045f2c880 x7 : ffff7b9045f57c68 x6 : 0000000000000080
+ x5 : 0000000000000000 x4 : 8000000000000000 x3 : 0000000000000000
+ x2 : 0000000000000000 x1 : ffffdc5ae5d382f0 x0 : 0000000000000001
+ Call trace:
+ __request_module+0x1e0/0x460
+ try_then_request_governor+0x7c/0x100
+ devfreq_add_device+0x4b0/0x5fc
+ ufshcd_async_scan+0x1d4/0x310 [ufshcd_core]
+ async_run_entry_fn+0x34/0xe0
+ process_one_work+0x1d0/0x320
+ worker_thread+0x14c/0x444
+ kthread+0x10c/0x110
+ ret_from_fork+0x10/0x20
+
+This occurs because synchronous module loading from async is not
+allowed. According to __request_module():
+
+ /*
+ * We don't allow synchronous module loading from async. Module
+ * init may invoke async_synchronize_full() which will end up
+ * waiting for this task which already is waiting for the module
+ * loading to complete, leading to a deadlock.
+ */
+
+Such a deadlock was experienced on the Qualcomm QDrive3/sa8540p-ride. With
+DEVFREQ_GOV_SIMPLE_ONDEMAND=m, the boot hangs after the warning.
+
+Fix both the warning and the deadlock by moving devfreq initialization out
+of the async routine.
+
+Tested on the sa8540p-ride by using fio to put the UFS under load, and
+printing the trace generated by
+/sys/kernel/tracing/events/ufs/ufshcd_clk_scaling events. The trace looks
+similar with and without the change.
+
+Link: https://lore.kernel.org/r/20230217194423.42553-1-athierry@redhat.com
+Signed-off-by: Adrien Thierry <athierry@redhat.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 47 ++++++++++++++++++++++++++-------------
+ drivers/scsi/ufs/ufshcd.h | 1 +
+ 2 files changed, 32 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 120831428ec6f..eaa91aec036b1 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -1307,6 +1307,13 @@ static int ufshcd_devfreq_target(struct device *dev,
+ struct ufs_clk_info *clki;
+ unsigned long irq_flags;
+
++ /*
++ * Skip devfreq if UFS initialization is not finished.
++ * Otherwise ufs could be in a inconsistent state.
++ */
++ if (!smp_load_acquire(&hba->logical_unit_scan_finished))
++ return 0;
++
+ if (!ufshcd_is_clkscaling_supported(hba))
+ return -EINVAL;
+
+@@ -7881,22 +7888,6 @@ static int ufshcd_add_lus(struct ufs_hba *hba)
+ if (ret)
+ goto out;
+
+- /* Initialize devfreq after UFS device is detected */
+- if (ufshcd_is_clkscaling_supported(hba)) {
+- memcpy(&hba->clk_scaling.saved_pwr_info.info,
+- &hba->pwr_info,
+- sizeof(struct ufs_pa_layer_attr));
+- hba->clk_scaling.saved_pwr_info.is_valid = true;
+- hba->clk_scaling.is_allowed = true;
+-
+- ret = ufshcd_devfreq_init(hba);
+- if (ret)
+- goto out;
+-
+- hba->clk_scaling.is_enabled = true;
+- ufshcd_init_clk_scaling_sysfs(hba);
+- }
+-
+ ufs_bsg_probe(hba);
+ ufshpb_init(hba);
+ scsi_scan_host(hba->host);
+@@ -8030,6 +8021,12 @@ static void ufshcd_async_scan(void *data, async_cookie_t cookie)
+ if (ret) {
+ pm_runtime_put_sync(hba->dev);
+ ufshcd_hba_exit(hba);
++ } else {
++ /*
++ * Make sure that when reader code sees UFS initialization has finished,
++ * all initialization steps have really been executed.
++ */
++ smp_store_release(&hba->logical_unit_scan_finished, true);
+ }
+ }
+
+@@ -9590,12 +9587,30 @@ int ufshcd_init(struct ufs_hba *hba, void __iomem *mmio_base, unsigned int irq)
+ */
+ ufshcd_set_ufs_dev_active(hba);
+
++ /* Initialize devfreq */
++ if (ufshcd_is_clkscaling_supported(hba)) {
++ memcpy(&hba->clk_scaling.saved_pwr_info.info,
++ &hba->pwr_info,
++ sizeof(struct ufs_pa_layer_attr));
++ hba->clk_scaling.saved_pwr_info.is_valid = true;
++ hba->clk_scaling.is_allowed = true;
++
++ err = ufshcd_devfreq_init(hba);
++ if (err)
++ goto rpm_put_sync;
++
++ hba->clk_scaling.is_enabled = true;
++ ufshcd_init_clk_scaling_sysfs(hba);
++ }
++
+ async_schedule(ufshcd_async_scan, hba);
+ ufs_sysfs_add_nodes(hba->dev);
+
+ device_enable_async_suspend(dev);
+ return 0;
+
++rpm_put_sync:
++ pm_runtime_put_sync(dev);
+ free_tmf_queue:
+ blk_cleanup_queue(hba->tmf_queue);
+ free_tmf_tag_set:
+diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h
+index c8513cc6c2bdd..33d9c096ec7fd 100644
+--- a/drivers/scsi/ufs/ufshcd.h
++++ b/drivers/scsi/ufs/ufshcd.h
+@@ -838,6 +838,7 @@ struct ufs_hba {
+ struct completion *uic_async_done;
+
+ enum ufshcd_state ufshcd_state;
++ bool logical_unit_scan_finished;
+ u32 eh_flags;
+ u32 intr_mask;
+ u16 ee_ctrl_mask; /* Exception event mask */
+--
+2.39.2
+
--- /dev/null
+From a524b212fd945e47005874a2869bdee50777d27f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 11:21:38 +0000
+Subject: selftests/bpf: check that modifier resolves after pointer
+
+From: Lorenz Bauer <lorenz.bauer@isovalent.com>
+
+[ Upstream commit dfdd608c3b365f0fd49d7e13911ebcde06b9865b ]
+
+Add a regression test that ensures that a VAR pointing at a
+modifier which follows a PTR (or STRUCT or ARRAY) is resolved
+correctly by the datasec validator.
+
+Signed-off-by: Lorenz Bauer <lmb@isovalent.com>
+Link: https://lore.kernel.org/r/20230306112138.155352-3-lmb@isovalent.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/btf.c | 28 ++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/btf.c b/tools/testing/selftests/bpf/prog_tests/btf.c
+index 50afa75bd45b1..2a04dbec510de 100644
+--- a/tools/testing/selftests/bpf/prog_tests/btf.c
++++ b/tools/testing/selftests/bpf/prog_tests/btf.c
+@@ -882,6 +882,34 @@ static struct btf_raw_test raw_tests[] = {
+ .btf_load_err = true,
+ .err_str = "Invalid elem",
+ },
++{
++ .descr = "var after datasec, ptr followed by modifier",
++ .raw_types = {
++ /* .bss section */ /* [1] */
++ BTF_TYPE_ENC(NAME_TBD, BTF_INFO_ENC(BTF_KIND_DATASEC, 0, 2),
++ sizeof(void*)+4),
++ BTF_VAR_SECINFO_ENC(4, 0, sizeof(void*)),
++ BTF_VAR_SECINFO_ENC(6, sizeof(void*), 4),
++ /* int */ /* [2] */
++ BTF_TYPE_INT_ENC(0, BTF_INT_SIGNED, 0, 32, 4),
++ /* int* */ /* [3] */
++ BTF_TYPE_ENC(0, BTF_INFO_ENC(BTF_KIND_PTR, 0, 0), 2),
++ BTF_VAR_ENC(NAME_TBD, 3, 0), /* [4] */
++ /* const int */ /* [5] */
++ BTF_TYPE_ENC(0, BTF_INFO_ENC(BTF_KIND_CONST, 0, 0), 2),
++ BTF_VAR_ENC(NAME_TBD, 5, 0), /* [6] */
++ BTF_END_RAW,
++ },
++ .str_sec = "\0a\0b\0c\0",
++ .str_sec_size = sizeof("\0a\0b\0c\0"),
++ .map_type = BPF_MAP_TYPE_ARRAY,
++ .map_name = ".bss",
++ .key_size = sizeof(int),
++ .value_size = sizeof(void*)+4,
++ .key_type_id = 0,
++ .value_type_id = 1,
++ .max_entries = 1,
++},
+ /* Test member exceeds the size of struct.
+ *
+ * struct A {
+--
+2.39.2
+
thunderbolt-add-missing-unset_inbound_sbtx-for-retimer-access.patch
thunderbolt-use-const-qualifier-for-ring_interrupt_index.patch
thunderbolt-rename-shadowed-variables-bit-to-interrupt_bit-and-auto_clear_bit.patch
+scsi-ufs-core-initialize-devfreq-synchronously.patch
+acpi-x86-utils-add-cezanne-to-the-list-for-forcing-s.patch
+riscv-bump-command_line_size-value-to-1024.patch
+drm-cirrus-null-check-pipe-plane.state-fb-in-cirrus_.patch
+hid-cp2112-fix-driver-not-registering-gpio-irq-chip-.patch
+ca8210-fix-mac_len-negative-array-access.patch
+hid-intel-ish-hid-ipc-fix-potential-use-after-free-i.patch
+m68k-only-force-030-bus-error-if-pc-not-in-exception.patch
+selftests-bpf-check-that-modifier-resolves-after-poi.patch
+scsi-target-iscsi-fix-an-error-message-in-iscsi_chec.patch
+scsi-hisi_sas-check-devm_add_action-return-value.patch
+scsi-ufs-core-add-soft-dependency-on-governor_simple.patch
+scsi-lpfc-check-kzalloc-in-lpfc_sli4_cgn_params_read.patch
+scsi-lpfc-avoid-usage-of-list-iterator-variable-afte.patch
+scsi-storvsc-handle-blocksize-change-in-hyper-v-vhd-.patch
+net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch
+net-usb-qmi_wwan-add-telit-0x1080-composition.patch
+sh-sanitize-the-flags-on-sigreturn.patch
+net-sched-act_mirred-better-wording-on-protection-ag.patch
+act_mirred-use-the-backlog-for-nested-calls-to-mirre.patch
--- /dev/null
+From 38c7d2b9dff3c9fbb663533bf565a48b60bebc78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 01:20:30 +0000
+Subject: sh: sanitize the flags on sigreturn
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 573b22ccb7ce9ab7f0539a2e11a9d3609a8783f5 ]
+
+We fetch %SR value from sigframe; it might have been modified by signal
+handler, so we can't trust it with any bits that are not modifiable in
+user mode.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Rich Felker <dalias@libc.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/include/asm/processor_32.h | 1 +
+ arch/sh/kernel/signal_32.c | 3 +++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/arch/sh/include/asm/processor_32.h b/arch/sh/include/asm/processor_32.h
+index aa92cc933889d..6c7966e627758 100644
+--- a/arch/sh/include/asm/processor_32.h
++++ b/arch/sh/include/asm/processor_32.h
+@@ -50,6 +50,7 @@
+ #define SR_FD 0x00008000
+ #define SR_MD 0x40000000
+
++#define SR_USER_MASK 0x00000303 // M, Q, S, T bits
+ /*
+ * DSP structure and data
+ */
+diff --git a/arch/sh/kernel/signal_32.c b/arch/sh/kernel/signal_32.c
+index dd3092911efad..dc13702003f0f 100644
+--- a/arch/sh/kernel/signal_32.c
++++ b/arch/sh/kernel/signal_32.c
+@@ -115,6 +115,7 @@ static int
+ restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc, int *r0_p)
+ {
+ unsigned int err = 0;
++ unsigned int sr = regs->sr & ~SR_USER_MASK;
+
+ #define COPY(x) err |= __get_user(regs->x, &sc->sc_##x)
+ COPY(regs[1]);
+@@ -130,6 +131,8 @@ restore_sigcontext(struct pt_regs *regs, struct sigcontext __user *sc, int *r0_p
+ COPY(sr); COPY(pc);
+ #undef COPY
+
++ regs->sr = (regs->sr & SR_USER_MASK) | sr;
++
+ #ifdef CONFIG_SH_FPU
+ if (boot_cpu_data.flags & CPU_HAS_FPU) {
+ int owned_fp;
+--
+2.39.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
