--- /dev/null
+From 5e812095a571ec5397848b58693a5741de59490f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 20:26:06 +0800
+Subject: 9p/fd: fix issue of list_del corruption in p9_fd_cancel()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 11c10956515b8ec44cf4f2a7b9d8bf8b9dc05ec4 ]
+
+Syz reported the following issue:
+kernel BUG at lib/list_debug.c:53!
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+RIP: 0010:__list_del_entry_valid.cold+0x5c/0x72
+Call Trace:
+<TASK>
+p9_fd_cancel+0xb1/0x270
+p9_client_rpc+0x8ea/0xba0
+p9_client_create+0x9c0/0xed0
+v9fs_session_init+0x1e0/0x1620
+v9fs_mount+0xba/0xb80
+legacy_get_tree+0x103/0x200
+vfs_get_tree+0x89/0x2d0
+path_mount+0x4c0/0x1ac0
+__x64_sys_mount+0x33b/0x430
+do_syscall_64+0x35/0x80
+entry_SYSCALL_64_after_hwframe+0x46/0xb0
+</TASK>
+
+The process is as follows:
+Thread A: Thread B:
+p9_poll_workfn() p9_client_create()
+... ...
+ p9_conn_cancel() p9_fd_cancel()
+ list_del() ...
+ ... list_del() //list_del
+ corruption
+There is no lock protection when deleting list in p9_conn_cancel(). After
+deleting list in Thread A, thread B will delete the same list again. It
+will cause issue of list_del corruption.
+
+Setting req->status to REQ_STATUS_ERROR under lock prevents other
+cleanup paths from trying to manipulate req_list.
+The other thread can safely check req->status because it still holds a
+reference to req at this point.
+
+Link: https://lkml.kernel.org/r/20221110122606.383352-1-shaozhengchao@huawei.com
+Fixes: 52f1c45dde91 ("9p: trans_fd/p9_conn_cancel: drop client lock earlier")
+Reported-by: syzbot+9b69b8d10ab4a7d88056@syzkaller.appspotmail.com
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+[Dominique: add description of the fix in commit message]
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_fd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
+index 0191f22d1ec3..8487321c1fc7 100644
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -202,9 +202,11 @@ static void p9_conn_cancel(struct p9_conn *m, int err)
+
+ list_for_each_entry_safe(req, rtmp, &m->req_list, req_list) {
+ list_move(&req->req_list, &cancel_list);
++ req->status = REQ_STATUS_ERROR;
+ }
+ list_for_each_entry_safe(req, rtmp, &m->unsent_req_list, req_list) {
+ list_move(&req->req_list, &cancel_list);
++ req->status = REQ_STATUS_ERROR;
+ }
+
+ spin_unlock(&m->req_lock);
+--
+2.35.1
+
--- /dev/null
+From 44fe6e4e444f177f3128ad81522bce3ffd651de4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 14:06:48 +0800
+Subject: af_key: Fix send_acquire race with pfkey_register
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 7f57f8165cb6d2c206e2b9ada53b9e2d6d8af42f ]
+
+The function pfkey_send_acquire may race with pfkey_register
+(which could even be in a different name space). This may result
+in a buffer overrun.
+
+Allocating the maximum amount of memory that could be used prevents
+this.
+
+Reported-by: syzbot+1e9af9185d8850e2c2fa@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/key/af_key.c | 32 ++++++++++++++++++++++----------
+ 1 file changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index c85df5b958d2..213287814328 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -2905,7 +2905,7 @@ static int count_ah_combs(const struct xfrm_tmpl *t)
+ break;
+ if (!aalg->pfkey_supported)
+ continue;
+- if (aalg_tmpl_set(t, aalg) && aalg->available)
++ if (aalg_tmpl_set(t, aalg))
+ sz += sizeof(struct sadb_comb);
+ }
+ return sz + sizeof(struct sadb_prop);
+@@ -2923,7 +2923,7 @@ static int count_esp_combs(const struct xfrm_tmpl *t)
+ if (!ealg->pfkey_supported)
+ continue;
+
+- if (!(ealg_tmpl_set(t, ealg) && ealg->available))
++ if (!(ealg_tmpl_set(t, ealg)))
+ continue;
+
+ for (k = 1; ; k++) {
+@@ -2934,16 +2934,17 @@ static int count_esp_combs(const struct xfrm_tmpl *t)
+ if (!aalg->pfkey_supported)
+ continue;
+
+- if (aalg_tmpl_set(t, aalg) && aalg->available)
++ if (aalg_tmpl_set(t, aalg))
+ sz += sizeof(struct sadb_comb);
+ }
+ }
+ return sz + sizeof(struct sadb_prop);
+ }
+
+-static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
++static int dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
+ {
+ struct sadb_prop *p;
++ int sz = 0;
+ int i;
+
+ p = skb_put(skb, sizeof(struct sadb_prop));
+@@ -2971,13 +2972,17 @@ static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
+ c->sadb_comb_soft_addtime = 20*60*60;
+ c->sadb_comb_hard_usetime = 8*60*60;
+ c->sadb_comb_soft_usetime = 7*60*60;
++ sz += sizeof(*c);
+ }
+ }
++
++ return sz + sizeof(*p);
+ }
+
+-static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
++static int dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
+ {
+ struct sadb_prop *p;
++ int sz = 0;
+ int i, k;
+
+ p = skb_put(skb, sizeof(struct sadb_prop));
+@@ -3019,8 +3024,11 @@ static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
+ c->sadb_comb_soft_addtime = 20*60*60;
+ c->sadb_comb_hard_usetime = 8*60*60;
+ c->sadb_comb_soft_usetime = 7*60*60;
++ sz += sizeof(*c);
+ }
+ }
++
++ return sz + sizeof(*p);
+ }
+
+ static int key_notify_policy_expire(struct xfrm_policy *xp, const struct km_event *c)
+@@ -3150,6 +3158,7 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
+ struct sadb_x_sec_ctx *sec_ctx;
+ struct xfrm_sec_ctx *xfrm_ctx;
+ int ctx_size = 0;
++ int alg_size = 0;
+
+ sockaddr_size = pfkey_sockaddr_size(x->props.family);
+ if (!sockaddr_size)
+@@ -3161,16 +3170,16 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
+ sizeof(struct sadb_x_policy);
+
+ if (x->id.proto == IPPROTO_AH)
+- size += count_ah_combs(t);
++ alg_size = count_ah_combs(t);
+ else if (x->id.proto == IPPROTO_ESP)
+- size += count_esp_combs(t);
++ alg_size = count_esp_combs(t);
+
+ if ((xfrm_ctx = x->security)) {
+ ctx_size = PFKEY_ALIGN8(xfrm_ctx->ctx_len);
+ size += sizeof(struct sadb_x_sec_ctx) + ctx_size;
+ }
+
+- skb = alloc_skb(size + 16, GFP_ATOMIC);
++ skb = alloc_skb(size + alg_size + 16, GFP_ATOMIC);
+ if (skb == NULL)
+ return -ENOMEM;
+
+@@ -3224,10 +3233,13 @@ static int pfkey_send_acquire(struct xfrm_state *x, struct xfrm_tmpl *t, struct
+ pol->sadb_x_policy_priority = xp->priority;
+
+ /* Set sadb_comb's. */
++ alg_size = 0;
+ if (x->id.proto == IPPROTO_AH)
+- dump_ah_combs(skb, t);
++ alg_size = dump_ah_combs(skb, t);
+ else if (x->id.proto == IPPROTO_ESP)
+- dump_esp_combs(skb, t);
++ alg_size = dump_esp_combs(skb, t);
++
++ hdr->sadb_msg_len += alg_size / 8;
+
+ /* security context */
+ if (xfrm_ctx) {
+--
+2.35.1
+
--- /dev/null
+From 5ca79fc9d8b75393a7b5dd9ba84f0b23001dce8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Nov 2022 14:24:38 +0800
+Subject: arcnet: fix potential memory leak in com20020_probe()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 1c40cde6b5171d9c8dfc69be00464fd1c75e210b ]
+
+In com20020_probe(), if com20020_config() fails, dev and info
+will not be freed, which will lead to a memory leak.
+
+This patch adds freeing dev and info after com20020_config()
+fails to fix this bug.
+
+Compile tested only.
+
+Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/arcnet/com20020_cs.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/arcnet/com20020_cs.c b/drivers/net/arcnet/com20020_cs.c
+index 24150c933fcb..dc3253b318da 100644
+--- a/drivers/net/arcnet/com20020_cs.c
++++ b/drivers/net/arcnet/com20020_cs.c
+@@ -113,6 +113,7 @@ static int com20020_probe(struct pcmcia_device *p_dev)
+ struct com20020_dev *info;
+ struct net_device *dev;
+ struct arcnet_local *lp;
++ int ret = -ENOMEM;
+
+ dev_dbg(&p_dev->dev, "com20020_attach()\n");
+
+@@ -142,12 +143,18 @@ static int com20020_probe(struct pcmcia_device *p_dev)
+ info->dev = dev;
+ p_dev->priv = info;
+
+- return com20020_config(p_dev);
++ ret = com20020_config(p_dev);
++ if (ret)
++ goto fail_config;
++
++ return 0;
+
++fail_config:
++ free_arcdev(dev);
+ fail_alloc_dev:
+ kfree(info);
+ fail_alloc_info:
+- return -ENOMEM;
++ return ret;
+ } /* com20020_attach */
+
+ static void com20020_detach(struct pcmcia_device *link)
+--
+2.35.1
+
--- /dev/null
+From a153a0bfcf9df37505442db2dad031e9023983cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Oct 2022 16:31:15 +0200
+Subject: ARM: dts: am335x-pcm-953: Define fixed regulators in root node
+
+From: Dominik Haller <d.haller@phytec.de>
+
+[ Upstream commit 8950f345a67d8046d2472dd6ea81fa18ef5b4844 ]
+
+Remove the regulators node and define fixed regulators in the root node.
+Prevents the sdhci-omap driver from waiting in probe deferral forever
+because of the missing vmmc-supply and keeps am335x-pcm-953 consistent with
+the other Phytec AM335 boards.
+
+Fixes: bb07a829ec38 ("ARM: dts: Add support for phyCORE-AM335x PCM-953 carrier board")
+Signed-off-by: Dominik Haller <d.haller@phytec.de>
+Message-Id: <20221011143115.248003-1-d.haller@phytec.de>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/am335x-pcm-953.dtsi | 28 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/arch/arm/boot/dts/am335x-pcm-953.dtsi b/arch/arm/boot/dts/am335x-pcm-953.dtsi
+index dae448040a97..947497413977 100644
+--- a/arch/arm/boot/dts/am335x-pcm-953.dtsi
++++ b/arch/arm/boot/dts/am335x-pcm-953.dtsi
+@@ -12,22 +12,20 @@ / {
+ compatible = "phytec,am335x-pcm-953", "phytec,am335x-phycore-som", "ti,am33xx";
+
+ /* Power */
+- regulators {
+- vcc3v3: fixedregulator@1 {
+- compatible = "regulator-fixed";
+- regulator-name = "vcc3v3";
+- regulator-min-microvolt = <3300000>;
+- regulator-max-microvolt = <3300000>;
+- regulator-boot-on;
+- };
++ vcc3v3: fixedregulator1 {
++ compatible = "regulator-fixed";
++ regulator-name = "vcc3v3";
++ regulator-min-microvolt = <3300000>;
++ regulator-max-microvolt = <3300000>;
++ regulator-boot-on;
++ };
+
+- vcc1v8: fixedregulator@2 {
+- compatible = "regulator-fixed";
+- regulator-name = "vcc1v8";
+- regulator-min-microvolt = <1800000>;
+- regulator-max-microvolt = <1800000>;
+- regulator-boot-on;
+- };
++ vcc1v8: fixedregulator2 {
++ compatible = "regulator-fixed";
++ regulator-name = "vcc1v8";
++ regulator-min-microvolt = <1800000>;
++ regulator-max-microvolt = <1800000>;
++ regulator-boot-on;
+ };
+
+ /* User IO */
+--
+2.35.1
+
--- /dev/null
+From 85743f593ed8c45f531be12e5d364f954c25303f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 19:59:23 +0100
+Subject: ARM: dts: at91: sam9g20ek: enable udc vbus gpio pinctrl
+
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+
+[ Upstream commit 40a2226e8bfacb79dd154dea68febeead9d847e9 ]
+
+We set the PIOC to GPIO mode. This way the pin becomes an
+input signal will be usable by the controller. Without
+this change the udc on the 9g20ek does not work.
+
+Cc: nicolas.ferre@microchip.com
+Cc: ludovic.desroches@microchip.com
+Cc: alexandre.belloni@bootlin.com
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: kernel@pengutronix.de
+Fixes: 5cb4e73575e3 ("ARM: at91: add at91sam9g20ek boards dt support")
+Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20221114185923.1023249-3-m.grzeschik@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/at91sam9g20ek_common.dtsi | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/arch/arm/boot/dts/at91sam9g20ek_common.dtsi b/arch/arm/boot/dts/at91sam9g20ek_common.dtsi
+index 60d61291f344..024af2db638e 100644
+--- a/arch/arm/boot/dts/at91sam9g20ek_common.dtsi
++++ b/arch/arm/boot/dts/at91sam9g20ek_common.dtsi
+@@ -39,6 +39,13 @@ pinctrl_pck0_as_mck: pck0_as_mck {
+
+ };
+
++ usb1 {
++ pinctrl_usb1_vbus_gpio: usb1_vbus_gpio {
++ atmel,pins =
++ <AT91_PIOC 5 AT91_PERIPH_GPIO AT91_PINCTRL_DEGLITCH>; /* PC5 GPIO */
++ };
++ };
++
+ mmc0_slot1 {
+ pinctrl_board_mmc0_slot1: mmc0_slot1-board {
+ atmel,pins =
+@@ -84,6 +91,8 @@ macb0: ethernet@fffc4000 {
+ };
+
+ usb1: gadget@fffa4000 {
++ pinctrl-0 = <&pinctrl_usb1_vbus_gpio>;
++ pinctrl-names = "default";
+ atmel,vbus-gpio = <&pioC 5 GPIO_ACTIVE_HIGH>;
+ status = "okay";
+ };
+--
+2.35.1
+
--- /dev/null
+From 6a7e117086e54c822205669f125647b2bd2d3af0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 10:41:02 -0300
+Subject: ARM: dts: imx6q-prti6q: Fix ref/tcxo-clock-frequency properties
+
+From: Fabio Estevam <festevam@denx.de>
+
+[ Upstream commit e68be7b39f21d8a9291a5a3019787cd3ca999dd7 ]
+
+make dtbs_check gives the following errors:
+
+ref-clock-frequency: size (9) error for type uint32
+tcxo-clock-frequency: size (9) error for type uint32
+
+Fix it by passing the frequencies inside < > as documented in
+Documentation/devicetree/bindings/net/wireless/ti,wlcore.yaml.
+
+Signed-off-by: Fabio Estevam <festevam@denx.de>
+Fixes: 0d446a505592 ("ARM: dts: add Protonic PRTI6Q board")
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6q-prti6q.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx6q-prti6q.dts b/arch/arm/boot/dts/imx6q-prti6q.dts
+index b4605edfd2ab..d8fa83effd63 100644
+--- a/arch/arm/boot/dts/imx6q-prti6q.dts
++++ b/arch/arm/boot/dts/imx6q-prti6q.dts
+@@ -364,8 +364,8 @@ wifi {
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_wifi>;
+ interrupts-extended = <&gpio1 30 IRQ_TYPE_LEVEL_HIGH>;
+- ref-clock-frequency = "38400000";
+- tcxo-clock-frequency = "19200000";
++ ref-clock-frequency = <38400000>;
++ tcxo-clock-frequency = <19200000>;
+ };
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 27baa624b7bea468c15d5e1e3ccbba7f823b56ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 06:20:11 +0000
+Subject: ARM: mxs: fix memory leak in mxs_machine_init()
+
+From: Zheng Yongjun <zhengyongjun3@huawei.com>
+
+[ Upstream commit f31e3c204d1844b8680a442a48868af5ac3d5481 ]
+
+If of_property_read_string() failed, 'soc_dev_attr' should be
+freed before return. Otherwise there is a memory leak.
+
+Fixes: 2046338dcbc6 ("ARM: mxs: Use soc bus infrastructure")
+Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
+Reviewed-by: Marco Felsch <m.felsch@pengutronix.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-mxs/mach-mxs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-mxs/mach-mxs.c b/arch/arm/mach-mxs/mach-mxs.c
+index 25c9d184fa4c..1c57ac401649 100644
+--- a/arch/arm/mach-mxs/mach-mxs.c
++++ b/arch/arm/mach-mxs/mach-mxs.c
+@@ -393,8 +393,10 @@ static void __init mxs_machine_init(void)
+
+ root = of_find_node_by_path("/");
+ ret = of_property_read_string(root, "model", &soc_dev_attr->machine);
+- if (ret)
++ if (ret) {
++ kfree(soc_dev_attr);
+ return;
++ }
+
+ soc_dev_attr->family = "Freescale MXS Family";
+ soc_dev_attr->soc_id = mxs_get_soc_id();
+--
+2.35.1
+
--- /dev/null
+From be637b7746fdbc573e7d90e841af7f8e3fa3f158 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 00:15:13 +0800
+Subject: arm64: dts: rockchip: Fix Pine64 Quartz4-B PMIC interrupt
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+[ Upstream commit 562105c1b072411c71ac2202410d83ee79297624 ]
+
+Ths PMIC's interrupt line is tied to GPIO0_A3. This is described
+correctly for the pinmux setting, but incorrectly for the interrupt.
+
+Correct the interrupt setting so that interrupts from the PMIC get
+delivered.
+
+Fixes: dcc8c66bef79 ("arm64: dts: rockchip: add Pine64 Quartz64-B device tree")
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Reviewed-by: Peter Geis <pgwipeout@gmail.com>
+Link: https://lore.kernel.org/r/20221106161513.4140-1-wens@kernel.org
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3566-quartz64-b.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3566-quartz64-b.dts b/arch/arm64/boot/dts/rockchip/rk3566-quartz64-b.dts
+index 528bb4e8ac77..a2d0524e0ec9 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3566-quartz64-b.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3566-quartz64-b.dts
+@@ -176,7 +176,7 @@ rk809: pmic@20 {
+ compatible = "rockchip,rk809";
+ reg = <0x20>;
+ interrupt-parent = <&gpio0>;
+- interrupts = <RK_PA7 IRQ_TYPE_LEVEL_LOW>;
++ interrupts = <RK_PA3 IRQ_TYPE_LEVEL_LOW>;
+ clock-output-names = "rk808-clkout1", "rk808-clkout2";
+
+ pinctrl-names = "default";
+--
+2.35.1
+
--- /dev/null
+From 7bdab3e72cdc0c77f293cbc8f71ad33cb3a7302a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Sep 2022 14:53:48 +0200
+Subject: arm64: dts: rockchip: fix quartz64-a bluetooth configuration
+
+From: Lev Popov <leo@nabam.net>
+
+[ Upstream commit 2dcd7e0c821fe9b663f7d3382b6d2faa8edf2129 ]
+
+For "Quartz64 Model A" add missing RTS line to the UART interface used by
+bluetooth and swap bluetooth host-wakeup and device-wakeup gpio pins to
+match the boards physical layout. This changes are necessary to make
+bluetooth provided by the wireless module work.
+
+Also set max-speed on the bluetooth device as it's not automatically
+detected.
+
+Fixes: b33a22a1e7c4 ("arm64: dts: rockchip: add basic dts for Pine64 Quartz64-A")
+Signed-off-by: Lev Popov <leo@nabam.net>
+Link: https://lore.kernel.org/r/20220926125350.64783-1-leo@nabam.net
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3566-quartz64-a.dts | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3566-quartz64-a.dts b/arch/arm64/boot/dts/rockchip/rk3566-quartz64-a.dts
+index a05460b92415..25a8c781f4e7 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3566-quartz64-a.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3566-quartz64-a.dts
+@@ -740,7 +740,7 @@ &uart0 {
+
+ &uart1 {
+ pinctrl-names = "default";
+- pinctrl-0 = <&uart1m0_xfer &uart1m0_ctsn>;
++ pinctrl-0 = <&uart1m0_xfer &uart1m0_ctsn &uart1m0_rtsn>;
+ status = "okay";
+ uart-has-rtscts;
+
+@@ -748,13 +748,14 @@ bluetooth {
+ compatible = "brcm,bcm43438-bt";
+ clocks = <&rk817 1>;
+ clock-names = "lpo";
+- device-wakeup-gpios = <&gpio2 RK_PC1 GPIO_ACTIVE_HIGH>;
+- host-wakeup-gpios = <&gpio2 RK_PC0 GPIO_ACTIVE_HIGH>;
++ host-wakeup-gpios = <&gpio2 RK_PC1 GPIO_ACTIVE_HIGH>;
++ device-wakeup-gpios = <&gpio2 RK_PC0 GPIO_ACTIVE_HIGH>;
+ shutdown-gpios = <&gpio2 RK_PB7 GPIO_ACTIVE_HIGH>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&bt_host_wake_l &bt_wake_l &bt_enable_h>;
+ vbat-supply = <&vcc_sys>;
+ vddio-supply = <&vcca1v8_pmu>;
++ max-speed = <3000000>;
+ };
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 0413d34adc5819256a4b0c624e15efe3bf0a54d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 07:40:23 +0800
+Subject: ASoC: hdac_hda: fix hda pcm buffer overflow issue
+
+From: Junxiao Chang <junxiao.chang@intel.com>
+
+[ Upstream commit 37882100cd0629d830db430a8cee0b724fe1fea3 ]
+
+When KASAN is enabled, below log might be dumped with Intel EHL hardware:
+[ 48.583597] ==================================================================
+[ 48.585921] BUG: KASAN: slab-out-of-bounds in hdac_hda_dai_hw_params+0x20a/0x22b [snd_soc_hdac_hda]
+[ 48.587995] Write of size 4 at addr ffff888103489708 by task pulseaudio/759
+
+[ 48.589237] CPU: 2 PID: 759 Comm: pulseaudio Tainted: G U E 5.15.71-intel-ese-standard-lts #9
+[ 48.591272] Hardware name: Intel Corporation Elkhart Lake Embedded Platform/ElkhartLake LPDDR4x T3 CRB, BIOS EHLSFWI1.R00.4251.A01.2206130432 06/13/2022
+[ 48.593010] Call Trace:
+[ 48.593648] <TASK>
+[ 48.593852] dump_stack_lvl+0x34/0x48
+[ 48.594404] print_address_description.constprop.0+0x1f/0x140
+[ 48.595174] ? hdac_hda_dai_hw_params+0x20a/0x22b [snd_soc_hdac_hda]
+[ 48.595868] ? hdac_hda_dai_hw_params+0x20a/0x22b [snd_soc_hdac_hda]
+[ 48.596519] kasan_report.cold+0x7f/0x11b
+[ 48.597003] ? hdac_hda_dai_hw_params+0x20a/0x22b [snd_soc_hdac_hda]
+[ 48.597885] hdac_hda_dai_hw_params+0x20a/0x22b [snd_soc_hdac_hda]
+
+HDAC_LAST_DAI_ID is last index id, pcm buffer array size should
+be +1 to avoid out of bound access.
+
+Fixes: 608b8c36c371 ("ASoC: hdac_hda: add support for HDMI/DP as a HDA codec")
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>
+Signed-off-by: Furong Zhou <furong.zhou@intel.com>
+Link: https://lore.kernel.org/r/20221109234023.3111035-1-junxiao.chang@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/hdac_hda.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/hdac_hda.h b/sound/soc/codecs/hdac_hda.h
+index fc19c34ca00e..b65560981abb 100644
+--- a/sound/soc/codecs/hdac_hda.h
++++ b/sound/soc/codecs/hdac_hda.h
+@@ -14,7 +14,7 @@ enum {
+ HDAC_HDMI_1_DAI_ID,
+ HDAC_HDMI_2_DAI_ID,
+ HDAC_HDMI_3_DAI_ID,
+- HDAC_LAST_DAI_ID = HDAC_HDMI_3_DAI_ID,
++ HDAC_DAI_ID_NUM
+ };
+
+ struct hdac_hda_pcm {
+@@ -24,7 +24,7 @@ struct hdac_hda_pcm {
+
+ struct hdac_hda_priv {
+ struct hda_codec *codec;
+- struct hdac_hda_pcm pcm[HDAC_LAST_DAI_ID];
++ struct hdac_hda_pcm pcm[HDAC_DAI_ID_NUM];
+ bool need_display_power;
+ };
+
+--
+2.35.1
+
--- /dev/null
+From b7c2a85dca6b25a5954948051360460ee574dc57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 13:17:24 +0200
+Subject: ASoC: Intel: Drop hdac_ext usage for codec device creation
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit 3fd63658caed9494cca1d4789a66d3d2def2a0ab ]
+
+To make snd_hda_codec_device_init() the only constructor for struct
+hda_codec instances remaining tasks are:
+
+1) no struct may wrap struct hda_codec as its base type
+2) bus drivers (skylake and sof) which are the current hdac_ext users
+ need to be adjusted to make use of newly added codec init and exit
+ routines instead
+3) as bus drivers (skylake and sof) are to be responsible for creating
+ codec device and assigning it to hdac_hda_priv->codec,
+ hdac_hda_dev_probe() has to be freed of that job
+
+To keep git bisect happy, all of these in made in one-go.
+
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Acked-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20220816111727.3218543-4-cezary.rojewski@intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Stable-dep-of: 37882100cd06 ("ASoC: hdac_hda: fix hda pcm buffer overflow issue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/hdac_hda.c | 26 +++++++-----------
+ sound/soc/codecs/hdac_hda.h | 2 +-
+ sound/soc/intel/boards/hda_dsp_common.c | 2 +-
+ sound/soc/intel/boards/skl_hda_dsp_generic.c | 2 +-
+ sound/soc/intel/skylake/skl.c | 26 ++++++++----------
+ sound/soc/sof/intel/hda-codec.c | 29 ++++++++------------
+ 6 files changed, 36 insertions(+), 51 deletions(-)
+
+diff --git a/sound/soc/codecs/hdac_hda.c b/sound/soc/codecs/hdac_hda.c
+index 8debcee59224..77df4c5b274a 100644
+--- a/sound/soc/codecs/hdac_hda.c
++++ b/sound/soc/codecs/hdac_hda.c
+@@ -246,7 +246,7 @@ static int hdac_hda_dai_hw_free(struct snd_pcm_substream *substream,
+ return -EINVAL;
+
+ hda_stream = &pcm->stream[substream->stream];
+- snd_hda_codec_cleanup(&hda_pvt->codec, hda_stream, substream);
++ snd_hda_codec_cleanup(hda_pvt->codec, hda_stream, substream);
+
+ return 0;
+ }
+@@ -264,7 +264,7 @@ static int hdac_hda_dai_prepare(struct snd_pcm_substream *substream,
+ int ret = 0;
+
+ hda_pvt = snd_soc_component_get_drvdata(component);
+- hdev = &hda_pvt->codec.core;
++ hdev = &hda_pvt->codec->core;
+ pcm = snd_soc_find_pcm_from_dai(hda_pvt, dai);
+ if (!pcm)
+ return -EINVAL;
+@@ -274,7 +274,7 @@ static int hdac_hda_dai_prepare(struct snd_pcm_substream *substream,
+ stream = hda_pvt->pcm[dai->id].stream_tag[substream->stream];
+ format_val = hda_pvt->pcm[dai->id].format_val[substream->stream];
+
+- ret = snd_hda_codec_prepare(&hda_pvt->codec, hda_stream,
++ ret = snd_hda_codec_prepare(hda_pvt->codec, hda_stream,
+ stream, format_val, substream);
+ if (ret < 0)
+ dev_err(&hdev->dev, "codec prepare failed %d\n", ret);
+@@ -299,7 +299,7 @@ static int hdac_hda_dai_open(struct snd_pcm_substream *substream,
+
+ hda_stream = &pcm->stream[substream->stream];
+
+- return hda_stream->ops.open(hda_stream, &hda_pvt->codec, substream);
++ return hda_stream->ops.open(hda_stream, hda_pvt->codec, substream);
+ }
+
+ static void hdac_hda_dai_close(struct snd_pcm_substream *substream,
+@@ -317,7 +317,7 @@ static void hdac_hda_dai_close(struct snd_pcm_substream *substream,
+
+ hda_stream = &pcm->stream[substream->stream];
+
+- hda_stream->ops.close(hda_stream, &hda_pvt->codec, substream);
++ hda_stream->ops.close(hda_stream, hda_pvt->codec, substream);
+
+ snd_hda_codec_pcm_put(pcm);
+ }
+@@ -325,7 +325,7 @@ static void hdac_hda_dai_close(struct snd_pcm_substream *substream,
+ static struct hda_pcm *snd_soc_find_pcm_from_dai(struct hdac_hda_priv *hda_pvt,
+ struct snd_soc_dai *dai)
+ {
+- struct hda_codec *hcodec = &hda_pvt->codec;
++ struct hda_codec *hcodec = hda_pvt->codec;
+ struct hda_pcm *cpcm;
+ const char *pcm_name;
+
+@@ -394,8 +394,8 @@ static int hdac_hda_codec_probe(struct snd_soc_component *component)
+ snd_soc_component_get_drvdata(component);
+ struct snd_soc_dapm_context *dapm =
+ snd_soc_component_get_dapm(component);
+- struct hdac_device *hdev = &hda_pvt->codec.core;
+- struct hda_codec *hcodec = &hda_pvt->codec;
++ struct hdac_device *hdev = &hda_pvt->codec->core;
++ struct hda_codec *hcodec = hda_pvt->codec;
+ struct hdac_ext_link *hlink;
+ hda_codec_patch_t patch;
+ int ret;
+@@ -515,8 +515,8 @@ static void hdac_hda_codec_remove(struct snd_soc_component *component)
+ {
+ struct hdac_hda_priv *hda_pvt =
+ snd_soc_component_get_drvdata(component);
+- struct hdac_device *hdev = &hda_pvt->codec.core;
+- struct hda_codec *codec = &hda_pvt->codec;
++ struct hdac_device *hdev = &hda_pvt->codec->core;
++ struct hda_codec *codec = hda_pvt->codec;
+ struct hdac_ext_link *hlink = NULL;
+
+ hlink = snd_hdac_ext_bus_get_link(hdev->bus, dev_name(&hdev->dev));
+@@ -584,7 +584,6 @@ static const struct snd_soc_component_driver hdac_hda_codec = {
+ static int hdac_hda_dev_probe(struct hdac_device *hdev)
+ {
+ struct hdac_ext_link *hlink;
+- struct hdac_hda_priv *hda_pvt;
+ int ret;
+
+ /* hold the ref while we probe */
+@@ -595,10 +594,6 @@ static int hdac_hda_dev_probe(struct hdac_device *hdev)
+ }
+ snd_hdac_ext_bus_link_get(hdev->bus, hlink);
+
+- hda_pvt = hdac_to_hda_priv(hdev);
+- if (!hda_pvt)
+- return -ENOMEM;
+-
+ /* ASoC specific initialization */
+ ret = devm_snd_soc_register_component(&hdev->dev,
+ &hdac_hda_codec, hdac_hda_dais,
+@@ -608,7 +603,6 @@ static int hdac_hda_dev_probe(struct hdac_device *hdev)
+ return ret;
+ }
+
+- dev_set_drvdata(&hdev->dev, hda_pvt);
+ snd_hdac_ext_bus_link_put(hdev->bus, hlink);
+
+ return ret;
+diff --git a/sound/soc/codecs/hdac_hda.h b/sound/soc/codecs/hdac_hda.h
+index d0efc5e254ae..fc19c34ca00e 100644
+--- a/sound/soc/codecs/hdac_hda.h
++++ b/sound/soc/codecs/hdac_hda.h
+@@ -23,7 +23,7 @@ struct hdac_hda_pcm {
+ };
+
+ struct hdac_hda_priv {
+- struct hda_codec codec;
++ struct hda_codec *codec;
+ struct hdac_hda_pcm pcm[HDAC_LAST_DAI_ID];
+ bool need_display_power;
+ };
+diff --git a/sound/soc/intel/boards/hda_dsp_common.c b/sound/soc/intel/boards/hda_dsp_common.c
+index 83c7dfbccd9d..04b7d4f7f9e2 100644
+--- a/sound/soc/intel/boards/hda_dsp_common.c
++++ b/sound/soc/intel/boards/hda_dsp_common.c
+@@ -54,7 +54,7 @@ int hda_dsp_hdmi_build_controls(struct snd_soc_card *card,
+ return -EINVAL;
+
+ hda_pvt = snd_soc_component_get_drvdata(comp);
+- hcodec = &hda_pvt->codec;
++ hcodec = hda_pvt->codec;
+
+ list_for_each_entry(hpcm, &hcodec->pcm_list_head, list) {
+ spcm = hda_dsp_hdmi_pcm_handle(card, i);
+diff --git a/sound/soc/intel/boards/skl_hda_dsp_generic.c b/sound/soc/intel/boards/skl_hda_dsp_generic.c
+index 81144efb4b44..879ebba52832 100644
+--- a/sound/soc/intel/boards/skl_hda_dsp_generic.c
++++ b/sound/soc/intel/boards/skl_hda_dsp_generic.c
+@@ -190,7 +190,7 @@ static void skl_set_hda_codec_autosuspend_delay(struct snd_soc_card *card)
+ * all codecs are on the same bus, so it's sufficient
+ * to look up only the first one
+ */
+- snd_hda_set_power_save(hda_pvt->codec.bus,
++ snd_hda_set_power_save(hda_pvt->codec->bus,
+ HDA_CODEC_AUTOSUSPEND_DELAY_MS);
+ break;
+ }
+diff --git a/sound/soc/intel/skylake/skl.c b/sound/soc/intel/skylake/skl.c
+index 33b0ed6b0534..c7c1cad2a753 100644
+--- a/sound/soc/intel/skylake/skl.c
++++ b/sound/soc/intel/skylake/skl.c
+@@ -694,7 +694,7 @@ static void skl_codec_device_exit(struct device *dev)
+ snd_hdac_device_exit(dev_to_hdac_dev(dev));
+ }
+
+-static __maybe_unused struct hda_codec *skl_codec_device_init(struct hdac_bus *bus, int addr)
++static struct hda_codec *skl_codec_device_init(struct hdac_bus *bus, int addr)
+ {
+ struct hda_codec *codec;
+ int ret;
+@@ -729,9 +729,8 @@ static int probe_codec(struct hdac_bus *bus, int addr)
+ struct skl_dev *skl = bus_to_skl(bus);
+ #if IS_ENABLED(CONFIG_SND_SOC_INTEL_SKYLAKE_HDAUDIO_CODEC)
+ struct hdac_hda_priv *hda_codec;
+- int err;
+ #endif
+- struct hdac_device *hdev;
++ struct hda_codec *codec;
+
+ mutex_lock(&bus->cmd_mutex);
+ snd_hdac_bus_send_cmd(bus, cmd);
+@@ -747,25 +746,22 @@ static int probe_codec(struct hdac_bus *bus, int addr)
+ if (!hda_codec)
+ return -ENOMEM;
+
+- hda_codec->codec.bus = skl_to_hbus(skl);
+- hdev = &hda_codec->codec.core;
++ codec = skl_codec_device_init(bus, addr);
++ if (IS_ERR(codec))
++ return PTR_ERR(codec);
+
+- err = snd_hdac_ext_bus_device_init(bus, addr, hdev, HDA_DEV_ASOC);
+- if (err < 0)
+- return err;
++ hda_codec->codec = codec;
++ dev_set_drvdata(&codec->core.dev, hda_codec);
+
+ /* use legacy bus only for HDA codecs, idisp uses ext bus */
+ if ((res & 0xFFFF0000) != IDISP_INTEL_VENDOR_ID) {
+- hdev->type = HDA_DEV_LEGACY;
+- load_codec_module(&hda_codec->codec);
++ codec->core.type = HDA_DEV_LEGACY;
++ load_codec_module(hda_codec->codec);
+ }
+ return 0;
+ #else
+- hdev = devm_kzalloc(&skl->pci->dev, sizeof(*hdev), GFP_KERNEL);
+- if (!hdev)
+- return -ENOMEM;
+-
+- return snd_hdac_ext_bus_device_init(bus, addr, hdev, HDA_DEV_ASOC);
++ codec = skl_codec_device_init(bus, addr);
++ return PTR_ERR_OR_ZERO(codec);
+ #endif /* CONFIG_SND_SOC_INTEL_SKYLAKE_HDAUDIO_CODEC */
+ }
+
+diff --git a/sound/soc/sof/intel/hda-codec.c b/sound/soc/sof/intel/hda-codec.c
+index 4c128ba02340..73336648cd25 100644
+--- a/sound/soc/sof/intel/hda-codec.c
++++ b/sound/soc/sof/intel/hda-codec.c
+@@ -114,8 +114,7 @@ static void hda_codec_device_exit(struct device *dev)
+ snd_hdac_device_exit(dev_to_hdac_dev(dev));
+ }
+
+-static __maybe_unused struct hda_codec *
+-hda_codec_device_init(struct hdac_bus *bus, int addr, int type)
++static struct hda_codec *hda_codec_device_init(struct hdac_bus *bus, int addr, int type)
+ {
+ struct hda_codec *codec;
+ int ret;
+@@ -145,11 +144,10 @@ static int hda_codec_probe(struct snd_sof_dev *sdev, int address,
+ {
+ #if IS_ENABLED(CONFIG_SND_SOC_SOF_HDA_AUDIO_CODEC)
+ struct hdac_hda_priv *hda_priv;
+- struct hda_codec *codec;
+ int type = HDA_DEV_LEGACY;
+ #endif
+ struct hda_bus *hbus = sof_to_hbus(sdev);
+- struct hdac_device *hdev;
++ struct hda_codec *codec;
+ u32 hda_cmd = (address << 28) | (AC_NODE_ROOT << 20) |
+ (AC_VERB_PARAMETERS << 8) | AC_PAR_VENDOR_ID;
+ u32 resp = -1;
+@@ -172,20 +170,20 @@ static int hda_codec_probe(struct snd_sof_dev *sdev, int address,
+ if (!hda_priv)
+ return -ENOMEM;
+
+- hda_priv->codec.bus = hbus;
+- hdev = &hda_priv->codec.core;
+- codec = &hda_priv->codec;
+-
+ /* only probe ASoC codec drivers for HDAC-HDMI */
+ if (!hda_codec_use_common_hdmi && (resp & 0xFFFF0000) == IDISP_VID_INTEL)
+ type = HDA_DEV_ASOC;
+
+- ret = snd_hdac_ext_bus_device_init(&hbus->core, address, hdev, type);
++ codec = hda_codec_device_init(&hbus->core, address, type);
++ ret = PTR_ERR_OR_ZERO(codec);
+ if (ret < 0)
+ return ret;
+
++ hda_priv->codec = codec;
++ dev_set_drvdata(&codec->core.dev, hda_priv);
++
+ if ((resp & 0xFFFF0000) == IDISP_VID_INTEL) {
+- if (!hdev->bus->audio_component) {
++ if (!hbus->core.audio_component) {
+ dev_dbg(sdev->dev,
+ "iDisp hw present but no driver\n");
+ ret = -ENOENT;
+@@ -211,15 +209,12 @@ static int hda_codec_probe(struct snd_sof_dev *sdev, int address,
+
+ out:
+ if (ret < 0) {
+- snd_hdac_device_unregister(hdev);
+- put_device(&hdev->dev);
++ snd_hdac_device_unregister(&codec->core);
++ put_device(&codec->core.dev);
+ }
+ #else
+- hdev = devm_kzalloc(sdev->dev, sizeof(*hdev), GFP_KERNEL);
+- if (!hdev)
+- return -ENOMEM;
+-
+- ret = snd_hdac_ext_bus_device_init(&hbus->core, address, hdev, HDA_DEV_ASOC);
++ codec = hda_codec_device_init(&hbus->core, address);
++ ret = PTR_ERR_OR_ZERO(codec);
+ #endif
+
+ return ret;
+--
+2.35.1
+
--- /dev/null
+From 3a30bcd213a5b161da01e6d88754a588dad63559 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 13:17:22 +0200
+Subject: ASoC: Intel: Skylake: Introduce HDA codec init and exit routines
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit e4746d94d00c52918461bc169e009b6784a38e21 ]
+
+Preliminary step in making snd_hda_codec_device_init() the only
+constructor for struct hda_codec instances. To do that, existing usage
+of hdac_ext equivalents has to be dropped.
+
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Acked-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20220816111727.3218543-2-cezary.rojewski@intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Stable-dep-of: 37882100cd06 ("ASoC: hdac_hda: fix hda pcm buffer overflow issue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/skylake/skl.c | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/sound/soc/intel/skylake/skl.c b/sound/soc/intel/skylake/skl.c
+index aeca58246fc7..33b0ed6b0534 100644
+--- a/sound/soc/intel/skylake/skl.c
++++ b/sound/soc/intel/skylake/skl.c
+@@ -689,6 +689,35 @@ static void load_codec_module(struct hda_codec *codec)
+
+ #endif /* CONFIG_SND_SOC_INTEL_SKYLAKE_HDAUDIO_CODEC */
+
++static void skl_codec_device_exit(struct device *dev)
++{
++ snd_hdac_device_exit(dev_to_hdac_dev(dev));
++}
++
++static __maybe_unused struct hda_codec *skl_codec_device_init(struct hdac_bus *bus, int addr)
++{
++ struct hda_codec *codec;
++ int ret;
++
++ codec = snd_hda_codec_device_init(to_hda_bus(bus), addr, "ehdaudio%dD%d", bus->idx, addr);
++ if (IS_ERR(codec)) {
++ dev_err(bus->dev, "device init failed for hdac device\n");
++ return codec;
++ }
++
++ codec->core.type = HDA_DEV_ASOC;
++ codec->core.dev.release = skl_codec_device_exit;
++
++ ret = snd_hdac_device_register(&codec->core);
++ if (ret) {
++ dev_err(bus->dev, "failed to register hdac device\n");
++ snd_hdac_device_exit(&codec->core);
++ return ERR_PTR(ret);
++ }
++
++ return codec;
++}
++
+ /*
+ * Probe the given codec address
+ */
+--
+2.35.1
+
--- /dev/null
+From 8041c1d6dd05e29f3a8b07b8ca8f0342079b720a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 16:25:08 +0800
+Subject: ASoC: max98373: Add checks for devm_kcalloc
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 60591bbf6d5eb44f275eb733943b7757325c1b60 ]
+
+As the devm_kcalloc may return NULL pointer,
+it should be better to check the return value
+in order to avoid NULL poineter dereference.
+
+Fixes: 349dd23931d1 ("ASoC: max98373: don't access volatile registers in bias level off")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Link: https://lore.kernel.org/r/20221116082508.17418-1-jiasheng@iscas.ac.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/max98373-i2c.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/soc/codecs/max98373-i2c.c b/sound/soc/codecs/max98373-i2c.c
+index 3e04c7f0cce4..ec0905df65d1 100644
+--- a/sound/soc/codecs/max98373-i2c.c
++++ b/sound/soc/codecs/max98373-i2c.c
+@@ -549,6 +549,10 @@ static int max98373_i2c_probe(struct i2c_client *i2c)
+ max98373->cache = devm_kcalloc(&i2c->dev, max98373->cache_num,
+ sizeof(*max98373->cache),
+ GFP_KERNEL);
++ if (!max98373->cache) {
++ ret = -ENOMEM;
++ return ret;
++ }
+
+ for (i = 0; i < max98373->cache_num; i++)
+ max98373->cache[i].reg = max98373_i2c_cache_reg[i];
+--
+2.35.1
+
--- /dev/null
+From c3b6c65587ed9cbe252afd66096377f280d9966c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 14:06:12 -0500
+Subject: ASoC: sgtl5000: Reset the CHIP_CLK_CTRL reg on remove
+
+From: Detlev Casanova <detlev.casanova@collabora.com>
+
+[ Upstream commit 0bb8e9b36b5b7f2e77892981ff6c27ee831d8026 ]
+
+Since commit bf2aebccddef ("ASoC: sgtl5000: Fix noise on shutdown/remove"),
+the device power control registers are reset when the driver is
+removed/shutdown.
+
+This is an issue when the device is configured to use the PLL clock. The
+device will stop responding if it is still configured to use the PLL
+clock but the PLL clock is powered down.
+
+When rebooting linux, the probe function will show:
+sgtl5000 0-000a: Error reading chip id -11
+
+Make sure that the CHIP_CLK_CTRL is reset to its default value before
+powering down the device.
+
+Fixes: bf2aebccddef ("ASoC: sgtl5000: Fix noise on shutdown/remove")
+Signed-off-by: Detlev Casanova <detlev.casanova@collabora.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Link: https://lore.kernel.org/r/20221110190612.1341469-1-detlev.casanova@collabora.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/sgtl5000.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/codecs/sgtl5000.c b/sound/soc/codecs/sgtl5000.c
+index 3fafd9fc5cfd..75a45ad55aa8 100644
+--- a/sound/soc/codecs/sgtl5000.c
++++ b/sound/soc/codecs/sgtl5000.c
+@@ -1794,6 +1794,7 @@ static int sgtl5000_i2c_remove(struct i2c_client *client)
+ {
+ struct sgtl5000_priv *sgtl5000 = i2c_get_clientdata(client);
+
++ regmap_write(sgtl5000->regmap, SGTL5000_CHIP_CLK_CTRL, SGTL5000_CHIP_CLK_CTRL_DEFAULT);
+ regmap_write(sgtl5000->regmap, SGTL5000_CHIP_DIG_POWER, SGTL5000_DIG_POWER_DEFAULT);
+ regmap_write(sgtl5000->regmap, SGTL5000_CHIP_ANA_POWER, SGTL5000_ANA_POWER_DEFAULT);
+
+--
+2.35.1
+
--- /dev/null
+From 219afc4d991565de986a68de9c150077c1f35cd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 13:22:13 +0000
+Subject: ASoC: soc-pcm: Don't zero TDM masks in __soc_pcm_open()
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 39bd801d6908900e9ab0cdc2655150f95ddd4f1a ]
+
+The DAI tx_mask and rx_mask are set by snd_soc_dai_set_tdm_slot()
+and used by later code that depends on the TDM settings. So
+__soc_pcm_open() should not be obliterating those mask values.
+
+The code in __soc_pcm_hw_params() uses these masks to calculate the
+active channels so that only the AIF_IN/AIF_OUT widgets for the
+active TDM slots are enabled. The zeroing of the masks in
+__soc_pcm_open() disables this functionality so all AIF widgets
+were enabled even for channels that are not assigned to a TDM slot.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2e5894d73789 ("ASoC: pcm: Add support for DAI multicodec")
+Link: https://lore.kernel.org/r/20221104132213.121847-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-pcm.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
+index 4d9b91e7e14f..f6a996f0f9c7 100644
+--- a/sound/soc/soc-pcm.c
++++ b/sound/soc/soc-pcm.c
+@@ -800,11 +800,6 @@ static int __soc_pcm_open(struct snd_soc_pcm_runtime *rtd,
+ ret = snd_soc_dai_startup(dai, substream);
+ if (ret < 0)
+ goto err;
+-
+- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
+- dai->tx_mask = 0;
+- else
+- dai->rx_mask = 0;
+ }
+
+ /* Dynamic PCM DAI links compat checks use dynamic capabilities */
+--
+2.35.1
+
--- /dev/null
+From 5f08ca2c986acd9e22d559f75b1ece19449470f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Aug 2022 13:17:23 +0200
+Subject: ASoC: SOF: Intel: Introduce HDA codec init and exit routines
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit 829c67319806009abfe3b0b82b3b8b153a2c5e32 ]
+
+Preliminary step in making snd_hda_codec_device_init() the only
+constructor for struct hda_codec instances. To do that, existing usage
+of hdac_ext equivalents has to be dropped.
+
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Acked-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20220816111727.3218543-3-cezary.rojewski@intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Stable-dep-of: 37882100cd06 ("ASoC: hdac_hda: fix hda pcm buffer overflow issue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/intel/hda-codec.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/sound/soc/sof/intel/hda-codec.c b/sound/soc/sof/intel/hda-codec.c
+index 2f3f4a733d9e..4c128ba02340 100644
+--- a/sound/soc/sof/intel/hda-codec.c
++++ b/sound/soc/sof/intel/hda-codec.c
+@@ -109,6 +109,36 @@ EXPORT_SYMBOL_NS(hda_codec_jack_check, SND_SOC_SOF_HDA_AUDIO_CODEC);
+ #define is_generic_config(x) 0
+ #endif
+
++static void hda_codec_device_exit(struct device *dev)
++{
++ snd_hdac_device_exit(dev_to_hdac_dev(dev));
++}
++
++static __maybe_unused struct hda_codec *
++hda_codec_device_init(struct hdac_bus *bus, int addr, int type)
++{
++ struct hda_codec *codec;
++ int ret;
++
++ codec = snd_hda_codec_device_init(to_hda_bus(bus), addr, "ehdaudio%dD%d", bus->idx, addr);
++ if (IS_ERR(codec)) {
++ dev_err(bus->dev, "device init failed for hdac device\n");
++ return codec;
++ }
++
++ codec->core.type = type;
++ codec->core.dev.release = hda_codec_device_exit;
++
++ ret = snd_hdac_device_register(&codec->core);
++ if (ret) {
++ dev_err(bus->dev, "failed to register hdac device\n");
++ snd_hdac_device_exit(&codec->core);
++ return ERR_PTR(ret);
++ }
++
++ return codec;
++}
++
+ /* probe individual codec */
+ static int hda_codec_probe(struct snd_sof_dev *sdev, int address,
+ bool hda_codec_use_common_hdmi)
+--
+2.35.1
+
--- /dev/null
+From 4e92e2b99da6f496f21bc0c003fe032123d8f463 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 08:27:53 +0100
+Subject: blk-mq: fix queue reference leak on blk_mq_alloc_disk_for_queue
+ failure
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 22c17e279a1b03bad7987e4a4192b289b890f293 ]
+
+Drop the request queue reference just acquired when __alloc_disk_node
+failed.
+
+Fixes: 6f8191fdf41d ("block: simplify disk shutdown")
+Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Link: https://lore.kernel.org/r/20221122072753.426077-1-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 4402e4ecb8b1..3f1f5e3e0951 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -3956,9 +3956,14 @@ EXPORT_SYMBOL(__blk_mq_alloc_disk);
+ struct gendisk *blk_mq_alloc_disk_for_queue(struct request_queue *q,
+ struct lock_class_key *lkclass)
+ {
++ struct gendisk *disk;
++
+ if (!blk_get_queue(q))
+ return NULL;
+- return __alloc_disk_node(q, NUMA_NO_NODE, lkclass);
++ disk = __alloc_disk_node(q, NUMA_NO_NODE, lkclass);
++ if (!disk)
++ blk_put_queue(q);
++ return disk;
+ }
+ EXPORT_SYMBOL(blk_mq_alloc_disk_for_queue);
+
+--
+2.35.1
+
--- /dev/null
+From 39e73055b68976a0d983a262d8fa3b0c31923758 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Nov 2022 15:02:02 +0800
+Subject: bnx2x: fix pci device refcount leak in bnx2x_vf_is_pcie_pending()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 3637a29ccbb6461b7268c5c5db525935d510afc6 ]
+
+As comment of pci_get_domain_bus_and_slot() says, it returns
+a pci device with refcount increment, when finish using it,
+the caller must decrement the reference count by calling
+pci_dev_put(). Call pci_dev_put() before returning from
+bnx2x_vf_is_pcie_pending() to avoid refcount leak.
+
+Fixes: b56e9670ffa4 ("bnx2x: Prepare device and initialize VF database")
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/20221119070202.1407648-1-yangyingliang@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c
+index 11d15cd03600..77d4cb4ad782 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c
+@@ -795,16 +795,20 @@ static void bnx2x_vf_enable_traffic(struct bnx2x *bp, struct bnx2x_virtf *vf)
+
+ static u8 bnx2x_vf_is_pcie_pending(struct bnx2x *bp, u8 abs_vfid)
+ {
+- struct pci_dev *dev;
+ struct bnx2x_virtf *vf = bnx2x_vf_by_abs_fid(bp, abs_vfid);
++ struct pci_dev *dev;
++ bool pending;
+
+ if (!vf)
+ return false;
+
+ dev = pci_get_domain_bus_and_slot(vf->domain, vf->bus, vf->devfn);
+- if (dev)
+- return bnx2x_is_pcie_pending(dev);
+- return false;
++ if (!dev)
++ return false;
++ pending = bnx2x_is_pcie_pending(dev);
++ pci_dev_put(dev);
++
++ return pending;
+ }
+
+ int bnx2x_vf_flr_clnup_epilog(struct bnx2x *bp, u8 abs_vfid)
+--
+2.35.1
+
--- /dev/null
+From 33b5c15a3c8254d3ca517eca9d04ff0ba0ff2d82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 11:43:53 +0800
+Subject: bonding: fix ICMPv6 header handling when receiving IPv6 messages
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 4d633d1b468b6eb107a81b2fd10b9debddca3d47 ]
+
+Currently, we get icmp6hdr via function icmp6_hdr(), which needs the skb
+transport header to be set first. But there is no rule to ask driver set
+transport header before netif_receive_skb() and bond_handle_frame(). So
+we will not able to get correct icmp6hdr on some drivers.
+
+Fix this by using skb_header_pointer to get the IPv6 and ICMPV6 headers.
+
+Reported-by: Liang Li <liali@redhat.com>
+Fixes: 4e24be018eb9 ("bonding: add new parameter ns_targets")
+Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Link: https://lore.kernel.org/r/20221118034353.1736727-1-liuhangbin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 86d42306aa5e..76dd5ff1d99d 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3231,16 +3231,23 @@ static int bond_na_rcv(const struct sk_buff *skb, struct bonding *bond,
+ struct slave *slave)
+ {
+ struct slave *curr_active_slave, *curr_arp_slave;
+- struct icmp6hdr *hdr = icmp6_hdr(skb);
+ struct in6_addr *saddr, *daddr;
++ struct {
++ struct ipv6hdr ip6;
++ struct icmp6hdr icmp6;
++ } *combined, _combined;
+
+ if (skb->pkt_type == PACKET_OTHERHOST ||
+- skb->pkt_type == PACKET_LOOPBACK ||
+- hdr->icmp6_type != NDISC_NEIGHBOUR_ADVERTISEMENT)
++ skb->pkt_type == PACKET_LOOPBACK)
++ goto out;
++
++ combined = skb_header_pointer(skb, 0, sizeof(_combined), &_combined);
++ if (!combined || combined->ip6.nexthdr != NEXTHDR_ICMP ||
++ combined->icmp6.icmp6_type != NDISC_NEIGHBOUR_ADVERTISEMENT)
+ goto out;
+
+- saddr = &ipv6_hdr(skb)->saddr;
+- daddr = &ipv6_hdr(skb)->daddr;
++ saddr = &combined->ip6.saddr;
++ daddr = &combined->ip6.saddr;
+
+ slave_dbg(bond->dev, slave->dev, "%s: %s/%d av %d sv %d sip %pI6c tip %pI6c\n",
+ __func__, slave->dev->name, bond_slave_state(slave),
+--
+2.35.1
+
--- /dev/null
+From b75208806f9d39415562f2d00fbe0728c635eb08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Nov 2022 19:57:47 -0600
+Subject: bus: sunxi-rsb: Remove the shutdown callback
+
+From: Samuel Holland <samuel@sholland.org>
+
+[ Upstream commit 5f4696ddca4b8a0bbbc36bd46829f97aab5a4552 ]
+
+Shutting down the RSB controller prevents communicating with a PMIC
+inside pm_power_off(), since that gets called after device_shutdown(),
+so it breaks system poweroff on some boards.
+
+Reported-by: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Tested-by: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Acked-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Fixes: 843107498f91 ("bus: sunxi-rsb: Implement suspend/resume/shutdown callbacks")
+Signed-off-by: Samuel Holland <samuel@sholland.org>
+Link: https://lore.kernel.org/r/20221114015749.28490-2-samuel@sholland.org
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/sunxi-rsb.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c
+index 4cd2e127946e..17343cd75338 100644
+--- a/drivers/bus/sunxi-rsb.c
++++ b/drivers/bus/sunxi-rsb.c
+@@ -812,14 +812,6 @@ static int sunxi_rsb_remove(struct platform_device *pdev)
+ return 0;
+ }
+
+-static void sunxi_rsb_shutdown(struct platform_device *pdev)
+-{
+- struct sunxi_rsb *rsb = platform_get_drvdata(pdev);
+-
+- pm_runtime_disable(&pdev->dev);
+- sunxi_rsb_hw_exit(rsb);
+-}
+-
+ static const struct dev_pm_ops sunxi_rsb_dev_pm_ops = {
+ SET_RUNTIME_PM_OPS(sunxi_rsb_runtime_suspend,
+ sunxi_rsb_runtime_resume, NULL)
+@@ -835,7 +827,6 @@ MODULE_DEVICE_TABLE(of, sunxi_rsb_of_match_table);
+ static struct platform_driver sunxi_rsb_driver = {
+ .probe = sunxi_rsb_probe,
+ .remove = sunxi_rsb_remove,
+- .shutdown = sunxi_rsb_shutdown,
+ .driver = {
+ .name = RSB_CTRL_NAME,
+ .of_match_table = sunxi_rsb_of_match_table,
+--
+2.35.1
+
--- /dev/null
+From 6abb3ae53b1374d007b0665bdfec09bcc9eed9b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Nov 2022 19:57:48 -0600
+Subject: bus: sunxi-rsb: Support atomic transfers
+
+From: Samuel Holland <samuel@sholland.org>
+
+[ Upstream commit 077686da0e2162c4ea5ae0df205849c2a7a84479 ]
+
+When communicating with a PMIC during system poweroff (pm_power_off()),
+IRQs are disabled and we are in a RCU read-side critical section, so we
+cannot use wait_for_completion_io_timeout(). Instead, poll the status
+register for transfer completion.
+
+Fixes: d787dcdb9c8f ("bus: sunxi-rsb: Add driver for Allwinner Reduced Serial Bus")
+Signed-off-by: Samuel Holland <samuel@sholland.org>
+Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Link: https://lore.kernel.org/r/20221114015749.28490-3-samuel@sholland.org
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/sunxi-rsb.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c
+index 17343cd75338..3aa91aed3bf7 100644
+--- a/drivers/bus/sunxi-rsb.c
++++ b/drivers/bus/sunxi-rsb.c
+@@ -267,6 +267,9 @@ EXPORT_SYMBOL_GPL(sunxi_rsb_driver_register);
+ /* common code that starts a transfer */
+ static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb)
+ {
++ u32 int_mask, status;
++ bool timeout;
++
+ if (readl(rsb->regs + RSB_CTRL) & RSB_CTRL_START_TRANS) {
+ dev_dbg(rsb->dev, "RSB transfer still in progress\n");
+ return -EBUSY;
+@@ -274,13 +277,23 @@ static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb)
+
+ reinit_completion(&rsb->complete);
+
+- writel(RSB_INTS_LOAD_BSY | RSB_INTS_TRANS_ERR | RSB_INTS_TRANS_OVER,
+- rsb->regs + RSB_INTE);
++ int_mask = RSB_INTS_LOAD_BSY | RSB_INTS_TRANS_ERR | RSB_INTS_TRANS_OVER;
++ writel(int_mask, rsb->regs + RSB_INTE);
+ writel(RSB_CTRL_START_TRANS | RSB_CTRL_GLOBAL_INT_ENB,
+ rsb->regs + RSB_CTRL);
+
+- if (!wait_for_completion_io_timeout(&rsb->complete,
+- msecs_to_jiffies(100))) {
++ if (irqs_disabled()) {
++ timeout = readl_poll_timeout_atomic(rsb->regs + RSB_INTS,
++ status, (status & int_mask),
++ 10, 100000);
++ writel(status, rsb->regs + RSB_INTS);
++ } else {
++ timeout = !wait_for_completion_io_timeout(&rsb->complete,
++ msecs_to_jiffies(100));
++ status = rsb->status;
++ }
++
++ if (timeout) {
+ dev_dbg(rsb->dev, "RSB timeout\n");
+
+ /* abort the transfer */
+@@ -292,18 +305,18 @@ static int _sunxi_rsb_run_xfer(struct sunxi_rsb *rsb)
+ return -ETIMEDOUT;
+ }
+
+- if (rsb->status & RSB_INTS_LOAD_BSY) {
++ if (status & RSB_INTS_LOAD_BSY) {
+ dev_dbg(rsb->dev, "RSB busy\n");
+ return -EBUSY;
+ }
+
+- if (rsb->status & RSB_INTS_TRANS_ERR) {
+- if (rsb->status & RSB_INTS_TRANS_ERR_ACK) {
++ if (status & RSB_INTS_TRANS_ERR) {
++ if (status & RSB_INTS_TRANS_ERR_ACK) {
+ dev_dbg(rsb->dev, "RSB slave nack\n");
+ return -EINVAL;
+ }
+
+- if (rsb->status & RSB_INTS_TRANS_ERR_DATA) {
++ if (status & RSB_INTS_TRANS_ERR_DATA) {
+ dev_dbg(rsb->dev, "RSB transfer data error\n");
+ return -EIO;
+ }
+--
+2.35.1
+
--- /dev/null
+From 5e4534c08bcfa8607a7ef116c2af62775c1a8ceb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 15:35:38 +0800
+Subject: cpufreq: amd-pstate: change amd-pstate driver to be built-in type
+
+From: Perry Yuan <Perry.Yuan@amd.com>
+
+[ Upstream commit 456ca88d8a5258fc66edc42a10053ac8473de2b1 ]
+
+Currently when the amd-pstate and acpi_cpufreq are both built into
+kernel as module driver, amd-pstate will not be loaded by default
+in this case.
+
+Change amd-pstate driver as built-in type, it will resolve the loading
+sequence problem to allow user to make amd-pstate driver as the default
+cpufreq scaling driver.
+
+Acked-by: Huang Rui <ray.huang@amd.com>
+Reviewed-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
+Tested-by: Wyes Karny <wyes.karny@amd.com>
+Signed-off-by: Perry Yuan <Perry.Yuan@amd.com>
+Fixes: ec437d71db77 ("cpufreq: amd-pstate: Introduce a new AMD P-State driver to support future processors")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/Kconfig.x86 | 2 +-
+ drivers/cpufreq/amd-pstate.c | 11 +----------
+ 2 files changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/cpufreq/Kconfig.x86 b/drivers/cpufreq/Kconfig.x86
+index 55516043b656..8184378f67ef 100644
+--- a/drivers/cpufreq/Kconfig.x86
++++ b/drivers/cpufreq/Kconfig.x86
+@@ -35,7 +35,7 @@ config X86_PCC_CPUFREQ
+ If in doubt, say N.
+
+ config X86_AMD_PSTATE
+- tristate "AMD Processor P-State driver"
++ bool "AMD Processor P-State driver"
+ depends on X86 && ACPI
+ select ACPI_PROCESSOR
+ select ACPI_CPPC_LIB if X86_64
+diff --git a/drivers/cpufreq/amd-pstate.c b/drivers/cpufreq/amd-pstate.c
+index d63a28c5f95a..e808d2b3ef57 100644
+--- a/drivers/cpufreq/amd-pstate.c
++++ b/drivers/cpufreq/amd-pstate.c
+@@ -718,16 +718,7 @@ static int __init amd_pstate_init(void)
+
+ return ret;
+ }
+-
+-static void __exit amd_pstate_exit(void)
+-{
+- cpufreq_unregister_driver(&amd_pstate_driver);
+-
+- amd_pstate_enable(false);
+-}
+-
+-module_init(amd_pstate_init);
+-module_exit(amd_pstate_exit);
++device_initcall(amd_pstate_init);
+
+ MODULE_AUTHOR("Huang Rui <ray.huang@amd.com>");
+ MODULE_DESCRIPTION("AMD Processor P-state Frequency Driver");
+--
+2.35.1
+
--- /dev/null
+From a0a72565c726c9560ceeadb136134095bd5d1b7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 17:49:11 -0800
+Subject: dccp/tcp: Reset saddr on failure after inet6?_hash_connect().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 77934dc6db0d2b111a8f2759e9ad2fb67f5cffa5 ]
+
+When connect() is called on a socket bound to the wildcard address,
+we change the socket's saddr to a local address. If the socket
+fails to connect() to the destination, we have to reset the saddr.
+
+However, when an error occurs after inet_hash6?_connect() in
+(dccp|tcp)_v[46]_conect(), we forget to reset saddr and leave
+the socket bound to the address.
+
+From the user's point of view, whether saddr is reset or not varies
+with errno. Let's fix this inconsistent behaviour.
+
+Note that after this patch, the repro [0] will trigger the WARN_ON()
+in inet_csk_get_port() again, but this patch is not buggy and rather
+fixes a bug papering over the bhash2's bug for which we need another
+fix.
+
+For the record, the repro causes -EADDRNOTAVAIL in inet_hash6_connect()
+by this sequence:
+
+ s1 = socket()
+ s1.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
+ s1.bind(('127.0.0.1', 10000))
+ s1.sendto(b'hello', MSG_FASTOPEN, (('127.0.0.1', 10000)))
+ # or s1.connect(('127.0.0.1', 10000))
+
+ s2 = socket()
+ s2.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
+ s2.bind(('0.0.0.0', 10000))
+ s2.connect(('127.0.0.1', 10000)) # -EADDRNOTAVAIL
+
+ s2.listen(32) # WARN_ON(inet_csk(sk)->icsk_bind2_hash != tb2);
+
+[0]: https://syzkaller.appspot.com/bug?extid=015d756bbd1f8b5c8f09
+
+Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6")
+Fixes: 7c657876b63c ("[DCCP]: Initial implementation")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Acked-by: Joanne Koong <joannelkoong@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dccp/ipv4.c | 2 ++
+ net/dccp/ipv6.c | 2 ++
+ net/ipv4/tcp_ipv4.c | 2 ++
+ net/ipv6/tcp_ipv6.c | 2 ++
+ 4 files changed, 8 insertions(+)
+
+diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
+index da6e3b20cd75..60379ad7ae06 100644
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -136,6 +136,8 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ * This unhashes the socket and releases the local port, if necessary.
+ */
+ dccp_set_state(sk, DCCP_CLOSED);
++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
++ inet_reset_saddr(sk);
+ ip_rt_put(rt);
+ sk->sk_route_caps = 0;
+ inet->inet_dport = 0;
+diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
+index fd44638ec16b..f9ed81a0ddbb 100644
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -967,6 +967,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
+
+ late_failure:
+ dccp_set_state(sk, DCCP_CLOSED);
++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
++ inet_reset_saddr(sk);
+ __sk_dst_reset(sk);
+ failure:
+ inet->inet_dport = 0;
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index fe9a6022db66..ef8013e2134f 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -323,6 +323,8 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+ * if necessary.
+ */
+ tcp_set_state(sk, TCP_CLOSE);
++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
++ inet_reset_saddr(sk);
+ ip_rt_put(rt);
+ sk->sk_route_caps = 0;
+ inet->inet_dport = 0;
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index e54eee80ce5f..5516cfb96c48 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -340,6 +340,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
+
+ late_failure:
+ tcp_set_state(sk, TCP_CLOSE);
++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
++ inet_reset_saddr(sk);
+ failure:
+ inet->inet_dport = 0;
+ sk->sk_route_caps = 0;
+--
+2.35.1
+
--- /dev/null
+From 138dcfa460ed96b55c25e81b5cf1e7643378af56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Nov 2022 00:05:36 +0800
+Subject: dma-buf: fix racing conflict of dma_heap_add()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dawei Li <set_pte_at@outlook.com>
+
+[ Upstream commit 432e25902b9651622578c6248e549297d03caf66 ]
+
+Racing conflict could be:
+task A task B
+list_for_each_entry
+strcmp(h->name))
+ list_for_each_entry
+ strcmp(h->name)
+kzalloc kzalloc
+...... .....
+device_create device_create
+list_add
+ list_add
+
+The root cause is that task B has no idea about the fact someone
+else(A) has inserted heap with same name when it calls list_add,
+so a potential collision occurs.
+
+Fixes: c02a81fba74f ("dma-buf: Add dma-buf heaps framework")
+Signed-off-by: Dawei Li <set_pte_at@outlook.com>
+Acked-by: Andrew Davis <afd@ti.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/TYCP286MB2323873BBDF88020781FB986CA3B9@TYCP286MB2323.JPNP286.PROD.OUTLOOK.COM
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma-buf/dma-heap.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/dma-buf/dma-heap.c b/drivers/dma-buf/dma-heap.c
+index 8f5848aa144f..59d158873f4c 100644
+--- a/drivers/dma-buf/dma-heap.c
++++ b/drivers/dma-buf/dma-heap.c
+@@ -233,18 +233,6 @@ struct dma_heap *dma_heap_add(const struct dma_heap_export_info *exp_info)
+ return ERR_PTR(-EINVAL);
+ }
+
+- /* check the name is unique */
+- mutex_lock(&heap_list_lock);
+- list_for_each_entry(h, &heap_list, list) {
+- if (!strcmp(h->name, exp_info->name)) {
+- mutex_unlock(&heap_list_lock);
+- pr_err("dma_heap: Already registered heap named %s\n",
+- exp_info->name);
+- return ERR_PTR(-EINVAL);
+- }
+- }
+- mutex_unlock(&heap_list_lock);
+-
+ heap = kzalloc(sizeof(*heap), GFP_KERNEL);
+ if (!heap)
+ return ERR_PTR(-ENOMEM);
+@@ -283,13 +271,27 @@ struct dma_heap *dma_heap_add(const struct dma_heap_export_info *exp_info)
+ err_ret = ERR_CAST(dev_ret);
+ goto err2;
+ }
+- /* Add heap to the list */
++
+ mutex_lock(&heap_list_lock);
++ /* check the name is unique */
++ list_for_each_entry(h, &heap_list, list) {
++ if (!strcmp(h->name, exp_info->name)) {
++ mutex_unlock(&heap_list_lock);
++ pr_err("dma_heap: Already registered heap named %s\n",
++ exp_info->name);
++ err_ret = ERR_PTR(-EINVAL);
++ goto err3;
++ }
++ }
++
++ /* Add heap to the list */
+ list_add(&heap->list, &heap_list);
+ mutex_unlock(&heap_list_lock);
+
+ return heap;
+
++err3:
++ device_destroy(dma_heap_class, heap->heap_devt);
+ err2:
+ cdev_del(&heap->heap_cdev);
+ err1:
+--
+2.35.1
+
--- /dev/null
+From 740facdd0d2a17e9fa1d5f536aaf38f2468ba795 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Nov 2022 16:11:34 +0800
+Subject: Drivers: hv: vmbus: fix double free in the error path of
+ vmbus_add_channel_work()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit f92a4b50f0bd7fd52391dc4bb9a309085d278f91 ]
+
+In the error path of vmbus_device_register(), device_unregister()
+is called, which calls vmbus_device_release(). The latter frees
+the struct hv_device that was passed in to vmbus_device_register().
+So remove the kfree() in vmbus_add_channel_work() to avoid a double
+free.
+
+Fixes: c2e5df616e1a ("vmbus: add per-channel sysfs info")
+Suggested-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Link: https://lore.kernel.org/r/20221119081135.1564691-2-yangyingliang@huawei.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hv/channel_mgmt.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
+index 5b120402d405..cc23b90cae02 100644
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -533,13 +533,17 @@ static void vmbus_add_channel_work(struct work_struct *work)
+ * Add the new device to the bus. This will kick off device-driver
+ * binding which eventually invokes the device driver's AddDevice()
+ * method.
++ *
++ * If vmbus_device_register() fails, the 'device_obj' is freed in
++ * vmbus_device_release() as called by device_unregister() in the
++ * error path of vmbus_device_register(). In the outside error
++ * path, there's no need to free it.
+ */
+ ret = vmbus_device_register(newchannel->device_obj);
+
+ if (ret != 0) {
+ pr_err("unable to add child device object (relid %d)\n",
+ newchannel->offermsg.child_relid);
+- kfree(newchannel->device_obj);
+ goto err_deq_chan;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 4c847547bfa1ffe6cc7262cd4edc0de9636e0c42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Nov 2022 16:11:35 +0800
+Subject: Drivers: hv: vmbus: fix possible memory leak in
+ vmbus_device_register()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 25c94b051592c010abe92c85b0485f1faedc83f3 ]
+
+If device_register() returns error in vmbus_device_register(),
+the name allocated by dev_set_name() must be freed. As comment
+of device_register() says, it should use put_device() to give
+up the reference in the error path. So fix this by calling
+put_device(), then the name can be freed in kobject_cleanup().
+
+Fixes: 09d50ff8a233 ("Staging: hv: make the Hyper-V virtual bus code build")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Link: https://lore.kernel.org/r/20221119081135.1564691-3-yangyingliang@huawei.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hv/vmbus_drv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index 3c833ea60db6..939ccf921e71 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -2083,6 +2083,7 @@ int vmbus_device_register(struct hv_device *child_device_obj)
+ ret = device_register(&child_device_obj->device);
+ if (ret) {
+ pr_err("Unable to register child device\n");
++ put_device(&child_device_obj->device);
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From a6bf6648d7e27728038a34b847b5aae58edf6bad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 14:22:43 +0200
+Subject: drm/i915: Fix warn in intel_display_power_*_domain() functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Imre Deak <imre.deak@intel.com>
+
+[ Upstream commit ebbaa4392e36521fb893973d8a0fcb32f3b6d5eb ]
+
+The intel_display_power_*_domain() functions should always warn if a
+default domain is returned as a fallback, fix this up. Spotted by Ville.
+
+Fixes: 979e1b32e0e2 ("drm/i915: Sanitize the port -> DDI/AUX power domain mapping for each platform")
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Jouni Högander <jouni.hogander@intel.com>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221114122251.21327-2-imre.deak@intel.com
+(cherry picked from commit 10b85f0e1d922210ae857afed6d012ec32c4b6cb)
+Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_display_power.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_display_power.c b/drivers/gpu/drm/i915/display/intel_display_power.c
+index 589af257edeb..3bb113b42cfa 100644
+--- a/drivers/gpu/drm/i915/display/intel_display_power.c
++++ b/drivers/gpu/drm/i915/display/intel_display_power.c
+@@ -2427,7 +2427,7 @@ intel_display_power_ddi_io_domain(struct drm_i915_private *i915, enum port port)
+ {
+ const struct intel_ddi_port_domains *domains = intel_port_domains_for_port(i915, port);
+
+- if (drm_WARN_ON(&i915->drm, !domains) || domains->ddi_io == POWER_DOMAIN_INVALID)
++ if (drm_WARN_ON(&i915->drm, !domains || domains->ddi_io == POWER_DOMAIN_INVALID))
+ return POWER_DOMAIN_PORT_DDI_IO_A;
+
+ return domains->ddi_io + (int)(port - domains->port_start);
+@@ -2438,7 +2438,7 @@ intel_display_power_ddi_lanes_domain(struct drm_i915_private *i915, enum port po
+ {
+ const struct intel_ddi_port_domains *domains = intel_port_domains_for_port(i915, port);
+
+- if (drm_WARN_ON(&i915->drm, !domains) || domains->ddi_lanes == POWER_DOMAIN_INVALID)
++ if (drm_WARN_ON(&i915->drm, !domains || domains->ddi_lanes == POWER_DOMAIN_INVALID))
+ return POWER_DOMAIN_PORT_DDI_LANES_A;
+
+ return domains->ddi_lanes + (int)(port - domains->port_start);
+@@ -2464,7 +2464,7 @@ intel_display_power_legacy_aux_domain(struct drm_i915_private *i915, enum aux_ch
+ {
+ const struct intel_ddi_port_domains *domains = intel_port_domains_for_aux_ch(i915, aux_ch);
+
+- if (drm_WARN_ON(&i915->drm, !domains) || domains->aux_legacy_usbc == POWER_DOMAIN_INVALID)
++ if (drm_WARN_ON(&i915->drm, !domains || domains->aux_legacy_usbc == POWER_DOMAIN_INVALID))
+ return POWER_DOMAIN_AUX_A;
+
+ return domains->aux_legacy_usbc + (int)(aux_ch - domains->aux_ch_start);
+@@ -2475,7 +2475,7 @@ intel_display_power_tbt_aux_domain(struct drm_i915_private *i915, enum aux_ch au
+ {
+ const struct intel_ddi_port_domains *domains = intel_port_domains_for_aux_ch(i915, aux_ch);
+
+- if (drm_WARN_ON(&i915->drm, !domains) || domains->aux_tbt == POWER_DOMAIN_INVALID)
++ if (drm_WARN_ON(&i915->drm, !domains || domains->aux_tbt == POWER_DOMAIN_INVALID))
+ return POWER_DOMAIN_AUX_TBT1;
+
+ return domains->aux_tbt + (int)(aux_ch - domains->aux_ch_start);
+--
+2.35.1
+
--- /dev/null
+From f284857ad6013fb3bccf7bd5d78cfa4524ff5c35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 20:20:01 +0000
+Subject: fs: do not update freeing inode i_io_list
+
+From: Svyatoslav Feldsherov <feldsherov@google.com>
+
+[ Upstream commit 4e3c51f4e805291b057d12f5dda5aeb50a538dc4 ]
+
+After commit cbfecb927f42 ("fs: record I_DIRTY_TIME even if inode
+already has I_DIRTY_INODE") writeback_single_inode can push inode with
+I_DIRTY_TIME set to b_dirty_time list. In case of freeing inode with
+I_DIRTY_TIME set this can happen after deletion of inode from i_io_list
+at evict. Stack trace is following.
+
+evict
+fat_evict_inode
+fat_truncate_blocks
+fat_flush_inodes
+writeback_inode
+sync_inode_metadata(inode, sync=0)
+writeback_single_inode(inode, wbc) <- wbc->sync_mode == WB_SYNC_NONE
+
+This will lead to use after free in flusher thread.
+
+Similar issue can be triggered if writeback_single_inode in the
+stack trace update inode->i_io_list. Add explicit check to avoid it.
+
+Fixes: cbfecb927f42 ("fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE")
+Reported-by: syzbot+6ba92bd00d5093f7e371@syzkaller.appspotmail.com
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Svyatoslav Feldsherov <feldsherov@google.com>
+Link: https://lore.kernel.org/r/20221115202001.324188-1-feldsherov@google.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fs-writeback.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index 443f83382b9b..9958d4020771 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -1712,18 +1712,26 @@ static int writeback_single_inode(struct inode *inode,
+ wb = inode_to_wb_and_lock_list(inode);
+ spin_lock(&inode->i_lock);
+ /*
+- * If the inode is now fully clean, then it can be safely removed from
+- * its writeback list (if any). Otherwise the flusher threads are
+- * responsible for the writeback lists.
++ * If the inode is freeing, its i_io_list shoudn't be updated
++ * as it can be finally deleted at this moment.
+ */
+- if (!(inode->i_state & I_DIRTY_ALL))
+- inode_cgwb_move_to_attached(inode, wb);
+- else if (!(inode->i_state & I_SYNC_QUEUED)) {
+- if ((inode->i_state & I_DIRTY))
+- redirty_tail_locked(inode, wb);
+- else if (inode->i_state & I_DIRTY_TIME) {
+- inode->dirtied_when = jiffies;
+- inode_io_list_move_locked(inode, wb, &wb->b_dirty_time);
++ if (!(inode->i_state & I_FREEING)) {
++ /*
++ * If the inode is now fully clean, then it can be safely
++ * removed from its writeback list (if any). Otherwise the
++ * flusher threads are responsible for the writeback lists.
++ */
++ if (!(inode->i_state & I_DIRTY_ALL))
++ inode_cgwb_move_to_attached(inode, wb);
++ else if (!(inode->i_state & I_SYNC_QUEUED)) {
++ if ((inode->i_state & I_DIRTY))
++ redirty_tail_locked(inode, wb);
++ else if (inode->i_state & I_DIRTY_TIME) {
++ inode->dirtied_when = jiffies;
++ inode_io_list_move_locked(inode,
++ wb,
++ &wb->b_dirty_time);
++ }
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From e24b59516a20045f6bf991329dba0e1fb19acac9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 16:31:34 +0000
+Subject: fscache: fix OOB Read in __fscache_acquire_volume
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 9f0933ac026f7e54fe096797af9de20724e79097 ]
+
+The type of a->key[0] is char in fscache_volume_same(). If the length
+of cache volume key is greater than 127, the value of a->key[0] is less
+than 0. In this case, klen becomes much larger than 255 after type
+conversion, because the type of klen is size_t. As a result, memcmp()
+is read out of bounds.
+
+This causes a slab-out-of-bounds Read in __fscache_acquire_volume(), as
+reported by Syzbot.
+
+Fix this by changing the type of the stored key to "u8 *" rather than
+"char *" (it isn't a simple string anyway). Also put in a check that
+the volume name doesn't exceed NAME_MAX.
+
+ BUG: KASAN: slab-out-of-bounds in memcmp+0x16f/0x1c0 lib/string.c:757
+ Read of size 8 at addr ffff888016f3aa90 by task syz-executor344/3613
+ Call Trace:
+ memcmp+0x16f/0x1c0 lib/string.c:757
+ memcmp include/linux/fortify-string.h:420 [inline]
+ fscache_volume_same fs/fscache/volume.c:133 [inline]
+ fscache_hash_volume fs/fscache/volume.c:171 [inline]
+ __fscache_acquire_volume+0x76c/0x1080 fs/fscache/volume.c:328
+ fscache_acquire_volume include/linux/fscache.h:204 [inline]
+ v9fs_cache_session_get_cookie+0x143/0x240 fs/9p/cache.c:34
+ v9fs_session_init+0x1166/0x1810 fs/9p/v9fs.c:473
+ v9fs_mount+0xba/0xc90 fs/9p/vfs_super.c:126
+ legacy_get_tree+0x105/0x220 fs/fs_context.c:610
+ vfs_get_tree+0x89/0x2f0 fs/super.c:1530
+ do_new_mount fs/namespace.c:3040 [inline]
+ path_mount+0x1326/0x1e20 fs/namespace.c:3370
+ do_mount fs/namespace.c:3383 [inline]
+ __do_sys_mount fs/namespace.c:3591 [inline]
+ __se_sys_mount fs/namespace.c:3568 [inline]
+ __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
+
+Fixes: 62ab63352350 ("fscache: Implement volume registration")
+Reported-by: syzbot+a76f6a6e524cf2080aa3@syzkaller.appspotmail.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Zhang Peng <zhangpeng362@huawei.com>
+Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com>
+cc: Dominique Martinet <asmadeus@codewreck.org>
+cc: Jeff Layton <jlayton@kernel.org>
+cc: v9fs-developer@lists.sourceforge.net
+cc: linux-cachefs@redhat.com
+Link: https://lore.kernel.org/r/Y3OH+Dmi0QIOK18n@codewreck.org/ # Zhang Peng's v1 fix
+Link: https://lore.kernel.org/r/20221115140447.2971680-1-zhangpeng362@huawei.com/ # Zhang Peng's v2 fix
+Link: https://lore.kernel.org/r/166869954095.3793579.8500020902371015443.stgit@warthog.procyon.org.uk/ # v1
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fscache/volume.c | 7 +++++--
+ include/linux/fscache.h | 2 +-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/fs/fscache/volume.c b/fs/fscache/volume.c
+index a058e0136bfe..ab8ceddf9efa 100644
+--- a/fs/fscache/volume.c
++++ b/fs/fscache/volume.c
+@@ -203,7 +203,11 @@ static struct fscache_volume *fscache_alloc_volume(const char *volume_key,
+ struct fscache_volume *volume;
+ struct fscache_cache *cache;
+ size_t klen, hlen;
+- char *key;
++ u8 *key;
++
++ klen = strlen(volume_key);
++ if (klen > NAME_MAX)
++ return NULL;
+
+ if (!coherency_data)
+ coherency_len = 0;
+@@ -229,7 +233,6 @@ static struct fscache_volume *fscache_alloc_volume(const char *volume_key,
+ /* Stick the length on the front of the key and pad it out to make
+ * hashing easier.
+ */
+- klen = strlen(volume_key);
+ hlen = round_up(1 + klen + 1, sizeof(__le32));
+ key = kzalloc(hlen, GFP_KERNEL);
+ if (!key)
+diff --git a/include/linux/fscache.h b/include/linux/fscache.h
+index 36e5dd84cf59..8e312c8323a8 100644
+--- a/include/linux/fscache.h
++++ b/include/linux/fscache.h
+@@ -75,7 +75,7 @@ struct fscache_volume {
+ atomic_t n_accesses; /* Number of cache accesses in progress */
+ unsigned int debug_id;
+ unsigned int key_hash; /* Hash of key string */
+- char *key; /* Volume ID, eg. "afs@example.com@1234" */
++ u8 *key; /* Volume ID, eg. "afs@example.com@1234" */
+ struct list_head proc_link; /* Link in /proc/fs/fscache/volumes */
+ struct hlist_bl_node hash_link; /* Link in hash table */
+ struct work_struct work;
+--
+2.35.1
+
--- /dev/null
+From 312f06f7bbb3db3bbed2ecd83d3951c35377af6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 11:25:02 +0100
+Subject: iavf: Do not restart Tx queues after reset task failure
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit 08f1c147b7265245d67321585c68a27e990e0c4b ]
+
+After commit aa626da947e9 ("iavf: Detach device during reset task")
+the device is detached during reset task and re-attached at its end.
+The problem occurs when reset task fails because Tx queues are
+restarted during device re-attach and this leads later to a crash.
+
+To resolve this issue properly close the net device in cause of
+failure in reset task to avoid restarting of tx queues at the end.
+Also replace the hacky manipulation with IFF_UP flag by device close
+that clears properly both IFF_UP and __LINK_STATE_START flags.
+In these case iavf_close() does not do anything because the adapter
+state is already __IAVF_DOWN.
+
+Reproducer:
+1) Run some Tx traffic (e.g. iperf3) over iavf interface
+2) Set VF trusted / untrusted in loop
+
+[root@host ~]# cat repro.sh
+
+PF=enp65s0f0
+IF=${PF}v0
+
+ip link set up $IF
+ip addr add 192.168.0.2/24 dev $IF
+sleep 1
+
+iperf3 -c 192.168.0.1 -t 600 --logfile /dev/null &
+sleep 2
+
+while :; do
+ ip link set $PF vf 0 trust on
+ ip link set $PF vf 0 trust off
+done
+[root@host ~]# ./repro.sh
+
+Result:
+[ 2006.650969] iavf 0000:41:01.0: Failed to init adminq: -53
+[ 2006.675662] ice 0000:41:00.0: VF 0 is now trusted
+[ 2006.689997] iavf 0000:41:01.0: Reset task did not complete, VF disabled
+[ 2006.696611] iavf 0000:41:01.0: failed to allocate resources during reinit
+[ 2006.703209] ice 0000:41:00.0: VF 0 is now untrusted
+[ 2006.737011] ice 0000:41:00.0: VF 0 is now trusted
+[ 2006.764536] ice 0000:41:00.0: VF 0 is now untrusted
+[ 2006.768919] BUG: kernel NULL pointer dereference, address: 0000000000000b4a
+[ 2006.776358] #PF: supervisor read access in kernel mode
+[ 2006.781488] #PF: error_code(0x0000) - not-present page
+[ 2006.786620] PGD 0 P4D 0
+[ 2006.789152] Oops: 0000 [#1] PREEMPT SMP NOPTI
+[ 2006.792903] ice 0000:41:00.0: VF 0 is now trusted
+[ 2006.793501] CPU: 4 PID: 0 Comm: swapper/4 Kdump: loaded Not tainted 6.1.0-rc3+ #2
+[ 2006.805668] Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.4 04/13/2022
+[ 2006.815915] RIP: 0010:iavf_xmit_frame_ring+0x96/0xf70 [iavf]
+[ 2006.821028] ice 0000:41:00.0: VF 0 is now untrusted
+[ 2006.821572] Code: 48 83 c1 04 48 c1 e1 04 48 01 f9 48 83 c0 10 6b 50 f8 55 c1 ea 14 45 8d 64 14 01 48 39 c8 75 eb 41 83 fc 07 0f 8f e9 08 00 00 <0f> b7 45 4a 0f b7 55 48 41 8d 74 24 05 31 c9 66 39 d0 0f 86 da 00
+[ 2006.845181] RSP: 0018:ffffb253004bc9e8 EFLAGS: 00010293
+[ 2006.850397] RAX: ffff9d154de45b00 RBX: ffff9d15497d52e8 RCX: ffff9d154de45b00
+[ 2006.856327] ice 0000:41:00.0: VF 0 is now trusted
+[ 2006.857523] RDX: 0000000000000000 RSI: 00000000000005a8 RDI: ffff9d154de45ac0
+[ 2006.857525] RBP: 0000000000000b00 R08: ffff9d159cb010ac R09: 0000000000000001
+[ 2006.857526] R10: ffff9d154de45940 R11: 0000000000000000 R12: 0000000000000002
+[ 2006.883600] R13: ffff9d1770838dc0 R14: 0000000000000000 R15: ffffffffc07b8380
+[ 2006.885840] ice 0000:41:00.0: VF 0 is now untrusted
+[ 2006.890725] FS: 0000000000000000(0000) GS:ffff9d248e900000(0000) knlGS:0000000000000000
+[ 2006.890727] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 2006.909419] CR2: 0000000000000b4a CR3: 0000000c39c10002 CR4: 0000000000770ee0
+[ 2006.916543] PKRU: 55555554
+[ 2006.918254] ice 0000:41:00.0: VF 0 is now trusted
+[ 2006.919248] Call Trace:
+[ 2006.919250] <IRQ>
+[ 2006.919252] dev_hard_start_xmit+0x9e/0x1f0
+[ 2006.932587] sch_direct_xmit+0xa0/0x370
+[ 2006.936424] __dev_queue_xmit+0x7af/0xd00
+[ 2006.940429] ip_finish_output2+0x26c/0x540
+[ 2006.944519] ip_output+0x71/0x110
+[ 2006.947831] ? __ip_finish_output+0x2b0/0x2b0
+[ 2006.952180] __ip_queue_xmit+0x16d/0x400
+[ 2006.952721] ice 0000:41:00.0: VF 0 is now untrusted
+[ 2006.956098] __tcp_transmit_skb+0xa96/0xbf0
+[ 2006.965148] __tcp_retransmit_skb+0x174/0x860
+[ 2006.969499] ? cubictcp_cwnd_event+0x40/0x40
+[ 2006.973769] tcp_retransmit_skb+0x14/0xb0
+...
+
+Fixes: aa626da947e9 ("iavf: Detach device during reset task")
+Cc: Jacob Keller <jacob.e.keller@intel.com>
+Cc: Patryk Piotrowski <patryk.piotrowski@intel.com>
+Cc: SlawomirX Laba <slawomirx.laba@intel.com>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 7d349ca708c7..f59b725785eb 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -2921,7 +2921,6 @@ static void iavf_disable_vf(struct iavf_adapter *adapter)
+ iavf_free_queues(adapter);
+ memset(adapter->vf_res, 0, IAVF_VIRTCHNL_VF_RESOURCE_SIZE);
+ iavf_shutdown_adminq(&adapter->hw);
+- adapter->netdev->flags &= ~IFF_UP;
+ adapter->flags &= ~IAVF_FLAG_RESET_PENDING;
+ iavf_change_state(adapter, __IAVF_DOWN);
+ wake_up(&adapter->down_waitqueue);
+@@ -3021,6 +3020,11 @@ static void iavf_reset_task(struct work_struct *work)
+ iavf_disable_vf(adapter);
+ mutex_unlock(&adapter->client_lock);
+ mutex_unlock(&adapter->crit_lock);
++ if (netif_running(netdev)) {
++ rtnl_lock();
++ dev_close(netdev);
++ rtnl_unlock();
++ }
+ return; /* Do not attempt to reinit. It's dead, Jim. */
+ }
+
+@@ -3173,6 +3177,16 @@ static void iavf_reset_task(struct work_struct *work)
+
+ mutex_unlock(&adapter->client_lock);
+ mutex_unlock(&adapter->crit_lock);
++
++ if (netif_running(netdev)) {
++ /* Close device to ensure that Tx queues will not be started
++ * during netif_device_attach() at the end of the reset task.
++ */
++ rtnl_lock();
++ dev_close(netdev);
++ rtnl_unlock();
++ }
++
+ dev_err(&adapter->pdev->dev, "failed to allocate resources during reinit\n");
+ reset_finish:
+ rtnl_lock();
+--
+2.35.1
+
--- /dev/null
+From 797a613c9c2fccc2fa4fe6ea4038cabd1f01ba34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 10:35:34 +0100
+Subject: iavf: Fix a crash during reset task
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit c678669d6b13b77de3b99b97526aaf23c3088d0a ]
+
+Recent commit aa626da947e9 ("iavf: Detach device during reset task")
+removed netif_tx_stop_all_queues() with an assumption that Tx queues
+are already stopped by netif_device_detach() in the beginning of
+reset task. This assumption is incorrect because during reset
+task a potential link event can start Tx queues again.
+Revert this change to fix this issue.
+
+Reproducer:
+1. Run some Tx traffic (e.g. iperf3) over iavf interface
+2. Switch MTU of this interface in a loop
+
+[root@host ~]# cat repro.sh
+
+IF=enp2s0f0v0
+
+iperf3 -c 192.168.0.1 -t 600 --logfile /dev/null &
+sleep 2
+
+while :; do
+ for i in 1280 1500 2000 900 ; do
+ ip link set $IF mtu $i
+ sleep 2
+ done
+done
+[root@host ~]# ./repro.sh
+
+Result:
+[ 306.199917] iavf 0000:02:02.0 enp2s0f0v0: NIC Link is Up Speed is 40 Gbps Full Duplex
+[ 308.205944] iavf 0000:02:02.0 enp2s0f0v0: NIC Link is Up Speed is 40 Gbps Full Duplex
+[ 310.103223] BUG: kernel NULL pointer dereference, address: 0000000000000008
+[ 310.110179] #PF: supervisor write access in kernel mode
+[ 310.115396] #PF: error_code(0x0002) - not-present page
+[ 310.120526] PGD 0 P4D 0
+[ 310.123057] Oops: 0002 [#1] PREEMPT SMP NOPTI
+[ 310.127408] CPU: 24 PID: 183 Comm: kworker/u64:9 Kdump: loaded Not tainted 6.1.0-rc3+ #2
+[ 310.135485] Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.4 04/13/2022
+[ 310.145728] Workqueue: iavf iavf_reset_task [iavf]
+[ 310.150520] RIP: 0010:iavf_xmit_frame_ring+0xd1/0xf70 [iavf]
+[ 310.156180] Code: d0 0f 86 da 00 00 00 83 e8 01 0f b7 fa 29 f8 01 c8 39 c6 0f 8f a0 08 00 00 48 8b 45 20 48 8d 14 92 bf 01 00 00 00 4c 8d 3c d0 <49> 89 5f 08 8b 43 70 66 41 89 7f 14 41 89 47 10 f6 83 82 00 00 00
+[ 310.174918] RSP: 0018:ffffbb5f0082caa0 EFLAGS: 00010293
+[ 310.180137] RAX: 0000000000000000 RBX: ffff92345471a6e8 RCX: 0000000000000200
+[ 310.187259] RDX: 0000000000000000 RSI: 000000000000000d RDI: 0000000000000001
+[ 310.194385] RBP: ffff92341d249000 R08: ffff92434987fcac R09: 0000000000000001
+[ 310.201509] R10: 0000000011f683b9 R11: 0000000011f50641 R12: 0000000000000008
+[ 310.208631] R13: ffff923447500000 R14: 0000000000000000 R15: 0000000000000000
+[ 310.215756] FS: 0000000000000000(0000) GS:ffff92434ee00000(0000) knlGS:0000000000000000
+[ 310.223835] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 310.229572] CR2: 0000000000000008 CR3: 0000000fbc210004 CR4: 0000000000770ee0
+[ 310.236696] PKRU: 55555554
+[ 310.239399] Call Trace:
+[ 310.241844] <IRQ>
+[ 310.243855] ? dst_alloc+0x5b/0xb0
+[ 310.247260] dev_hard_start_xmit+0x9e/0x1f0
+[ 310.251439] sch_direct_xmit+0xa0/0x370
+[ 310.255276] __qdisc_run+0x13e/0x580
+[ 310.258848] __dev_queue_xmit+0x431/0xd00
+[ 310.262851] ? selinux_ip_postroute+0x147/0x3f0
+[ 310.267377] ip_finish_output2+0x26c/0x540
+
+Fixes: aa626da947e9 ("iavf: Detach device during reset task")
+Cc: Jacob Keller <jacob.e.keller@intel.com>
+Cc: Patryk Piotrowski <patryk.piotrowski@intel.com>
+Cc: SlawomirX Laba <slawomirx.laba@intel.com>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 79fef8c59d65..7d349ca708c7 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -3033,6 +3033,7 @@ static void iavf_reset_task(struct work_struct *work)
+
+ if (running) {
+ netif_carrier_off(netdev);
++ netif_tx_stop_all_queues(netdev);
+ adapter->link_up = false;
+ iavf_napi_disable_all(adapter);
+ }
+--
+2.35.1
+
--- /dev/null
+From 8a19ad3112a35ca9e97dec46f369ba85eaf8fbfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 14:00:03 +0100
+Subject: iavf: Fix race condition between iavf_shutdown and iavf_remove
+
+From: Slawomir Laba <slawomirx.laba@intel.com>
+
+[ Upstream commit a8417330f8a57275ed934293e832982b6d882713 ]
+
+Fix a deadlock introduced by commit
+974578017fc1 ("iavf: Add waiting so the port is initialized in remove")
+due to race condition between iavf_shutdown and iavf_remove, where
+iavf_remove stucks forever in while loop since iavf_shutdown already
+set __IAVF_REMOVE adapter state.
+
+Fix this by checking if the __IAVF_IN_REMOVE_TASK has already been
+set and return if so.
+
+Fixes: 974578017fc1 ("iavf: Add waiting so the port is initialized in remove")
+Signed-off-by: Slawomir Laba <slawomirx.laba@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Tested-by: Marek Szlosek <marek.szlosek@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 005bb8378c76..cff03723f4f9 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -5042,23 +5042,21 @@ static int __maybe_unused iavf_resume(struct device *dev_d)
+ static void iavf_remove(struct pci_dev *pdev)
+ {
+ struct iavf_adapter *adapter = iavf_pdev_to_adapter(pdev);
+- struct net_device *netdev = adapter->netdev;
+ struct iavf_fdir_fltr *fdir, *fdirtmp;
+ struct iavf_vlan_filter *vlf, *vlftmp;
++ struct iavf_cloud_filter *cf, *cftmp;
+ struct iavf_adv_rss *rss, *rsstmp;
+ struct iavf_mac_filter *f, *ftmp;
+- struct iavf_cloud_filter *cf, *cftmp;
+- struct iavf_hw *hw = &adapter->hw;
++ struct net_device *netdev;
++ struct iavf_hw *hw;
+ int err;
+
+- /* When reboot/shutdown is in progress no need to do anything
+- * as the adapter is already REMOVE state that was set during
+- * iavf_shutdown() callback.
+- */
+- if (adapter->state == __IAVF_REMOVE)
++ netdev = adapter->netdev;
++ hw = &adapter->hw;
++
++ if (test_and_set_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section))
+ return;
+
+- set_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section);
+ /* Wait until port initialization is complete.
+ * There are flows where register/unregister netdev may race.
+ */
+--
+2.35.1
+
--- /dev/null
+From d6d6113ac5026ef0b61aeb6adf51eed27a3a3974 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 15:14:44 +0100
+Subject: iavf: remove INITIAL_MAC_SET to allow gARP to work properly
+
+From: Stefan Assmann <sassmann@kpanic.de>
+
+[ Upstream commit bb861c14f1b8cb9cbf03a132db7f22ec4e692b91 ]
+
+IAVF_FLAG_INITIAL_MAC_SET prevents waiting on iavf_is_mac_set_handled()
+the first time the MAC is set. This breaks gratuitous ARP because the
+MAC address has not been updated yet when the gARP packet is sent out.
+
+Current behaviour:
+$ echo 1 > /sys/class/net/ens4f0/device/sriov_numvfs
+iavf 0000:88:02.0: MAC address: ee:04:19:14:ec:ea
+$ ip addr add 192.168.1.1/24 dev ens4f0v0
+$ ip link set dev ens4f0v0 up
+$ echo 1 > /proc/sys/net/ipv4/conf/ens4f0v0/arp_notify
+$ ip link set ens4f0v0 addr 00:11:22:33:44:55
+07:23:41.676611 ee:04:19:14:ec:ea > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.1, length 28
+
+With IAVF_FLAG_INITIAL_MAC_SET removed:
+$ echo 1 > /sys/class/net/ens4f0/device/sriov_numvfs
+iavf 0000:88:02.0: MAC address: 3e:8a:16:a2:37:6d
+$ ip addr add 192.168.1.1/24 dev ens4f0v0
+$ ip link set dev ens4f0v0 up
+$ echo 1 > /proc/sys/net/ipv4/conf/ens4f0v0/arp_notify
+$ ip link set ens4f0v0 addr 00:11:22:33:44:55
+07:28:01.836608 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.1, length 28
+
+Fixes: 35a2443d0910 ("iavf: Add waiting for response from PF in set mac")
+Signed-off-by: Stefan Assmann <sassmann@kpanic.de>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf.h | 1 -
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 8 --------
+ 2 files changed, 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h
+index 3f6187c16424..0d1bab4ac1b0 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf.h
++++ b/drivers/net/ethernet/intel/iavf/iavf.h
+@@ -298,7 +298,6 @@ struct iavf_adapter {
+ #define IAVF_FLAG_QUEUES_DISABLED BIT(17)
+ #define IAVF_FLAG_SETUP_NETDEV_FEATURES BIT(18)
+ #define IAVF_FLAG_REINIT_MSIX_NEEDED BIT(20)
+-#define IAVF_FLAG_INITIAL_MAC_SET BIT(23)
+ /* duplicates for common code */
+ #define IAVF_FLAG_DCB_ENABLED 0
+ /* flags for admin queue service task */
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index f59b725785eb..005bb8378c76 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1087,12 +1087,6 @@ static int iavf_set_mac(struct net_device *netdev, void *p)
+ if (ret)
+ return ret;
+
+- /* If this is an initial set MAC during VF spawn do not wait */
+- if (adapter->flags & IAVF_FLAG_INITIAL_MAC_SET) {
+- adapter->flags &= ~IAVF_FLAG_INITIAL_MAC_SET;
+- return 0;
+- }
+-
+ ret = wait_event_interruptible_timeout(adapter->vc_waitqueue,
+ iavf_is_mac_set_handled(netdev, addr->sa_data),
+ msecs_to_jiffies(2500));
+@@ -2605,8 +2599,6 @@ static void iavf_init_config_adapter(struct iavf_adapter *adapter)
+ ether_addr_copy(netdev->perm_addr, adapter->hw.mac.addr);
+ }
+
+- adapter->flags |= IAVF_FLAG_INITIAL_MAC_SET;
+-
+ adapter->tx_desc_count = IAVF_DEFAULT_TXD;
+ adapter->rx_desc_count = IAVF_DEFAULT_RXD;
+ err = iavf_init_interrupt_scheme(adapter);
+--
+2.35.1
+
--- /dev/null
+From 364af0a9ec465b2fc19c1548347387e6fc1b433a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 02:40:15 +0800
+Subject: io_uring/filetable: fix file reference underflow
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit 9d94c04c0db024922e886c9fd429659f22f48ea4 ]
+
+There is an interesting reference bug when -ENOMEM occurs in calling of
+io_install_fixed_file(). KASan report like below:
+
+[ 14.057131] ==================================================================
+[ 14.059161] BUG: KASAN: use-after-free in unix_get_socket+0x10/0x90
+[ 14.060975] Read of size 8 at addr ffff88800b09cf20 by task kworker/u8:2/45
+[ 14.062684]
+[ 14.062768] CPU: 2 PID: 45 Comm: kworker/u8:2 Not tainted 6.1.0-rc4 #1
+[ 14.063099] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+[ 14.063666] Workqueue: events_unbound io_ring_exit_work
+[ 14.063936] Call Trace:
+[ 14.064065] <TASK>
+[ 14.064175] dump_stack_lvl+0x34/0x48
+[ 14.064360] print_report+0x172/0x475
+[ 14.064547] ? _raw_spin_lock_irq+0x83/0xe0
+[ 14.064758] ? __virt_addr_valid+0xef/0x170
+[ 14.064975] ? unix_get_socket+0x10/0x90
+[ 14.065167] kasan_report+0xad/0x130
+[ 14.065353] ? unix_get_socket+0x10/0x90
+[ 14.065553] unix_get_socket+0x10/0x90
+[ 14.065744] __io_sqe_files_unregister+0x87/0x1e0
+[ 14.065989] ? io_rsrc_refs_drop+0x1c/0xd0
+[ 14.066199] io_ring_exit_work+0x388/0x6a5
+[ 14.066410] ? io_uring_try_cancel_requests+0x5bf/0x5bf
+[ 14.066674] ? try_to_wake_up+0xdb/0x910
+[ 14.066873] ? virt_to_head_page+0xbe/0xbe
+[ 14.067080] ? __schedule+0x574/0xd20
+[ 14.067273] ? read_word_at_a_time+0xe/0x20
+[ 14.067492] ? strscpy+0xb5/0x190
+[ 14.067665] process_one_work+0x423/0x710
+[ 14.067879] worker_thread+0x2a2/0x6f0
+[ 14.068073] ? process_one_work+0x710/0x710
+[ 14.068284] kthread+0x163/0x1a0
+[ 14.068454] ? kthread_complete_and_exit+0x20/0x20
+[ 14.068697] ret_from_fork+0x22/0x30
+[ 14.068886] </TASK>
+[ 14.069000]
+[ 14.069088] Allocated by task 289:
+[ 14.069269] kasan_save_stack+0x1e/0x40
+[ 14.069463] kasan_set_track+0x21/0x30
+[ 14.069652] __kasan_slab_alloc+0x58/0x70
+[ 14.069899] kmem_cache_alloc+0xc5/0x200
+[ 14.070100] __alloc_file+0x20/0x160
+[ 14.070283] alloc_empty_file+0x3b/0xc0
+[ 14.070479] path_openat+0xc3/0x1770
+[ 14.070689] do_filp_open+0x150/0x270
+[ 14.070888] do_sys_openat2+0x113/0x270
+[ 14.071081] __x64_sys_openat+0xc8/0x140
+[ 14.071283] do_syscall_64+0x3b/0x90
+[ 14.071466] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 14.071791]
+[ 14.071874] Freed by task 0:
+[ 14.072027] kasan_save_stack+0x1e/0x40
+[ 14.072224] kasan_set_track+0x21/0x30
+[ 14.072415] kasan_save_free_info+0x2a/0x50
+[ 14.072627] __kasan_slab_free+0x106/0x190
+[ 14.072858] kmem_cache_free+0x98/0x340
+[ 14.073075] rcu_core+0x427/0xe50
+[ 14.073249] __do_softirq+0x110/0x3cd
+[ 14.073440]
+[ 14.073523] Last potentially related work creation:
+[ 14.073801] kasan_save_stack+0x1e/0x40
+[ 14.074017] __kasan_record_aux_stack+0x97/0xb0
+[ 14.074264] call_rcu+0x41/0x550
+[ 14.074436] task_work_run+0xf4/0x170
+[ 14.074619] exit_to_user_mode_prepare+0x113/0x120
+[ 14.074858] syscall_exit_to_user_mode+0x1d/0x40
+[ 14.075092] do_syscall_64+0x48/0x90
+[ 14.075272] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 14.075529]
+[ 14.075612] Second to last potentially related work creation:
+[ 14.075900] kasan_save_stack+0x1e/0x40
+[ 14.076098] __kasan_record_aux_stack+0x97/0xb0
+[ 14.076325] task_work_add+0x72/0x1b0
+[ 14.076512] fput+0x65/0xc0
+[ 14.076657] filp_close+0x8e/0xa0
+[ 14.076825] __x64_sys_close+0x15/0x50
+[ 14.077019] do_syscall_64+0x3b/0x90
+[ 14.077199] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 14.077448]
+[ 14.077530] The buggy address belongs to the object at ffff88800b09cf00
+[ 14.077530] which belongs to the cache filp of size 232
+[ 14.078105] The buggy address is located 32 bytes inside of
+[ 14.078105] 232-byte region [ffff88800b09cf00, ffff88800b09cfe8)
+[ 14.078685]
+[ 14.078771] The buggy address belongs to the physical page:
+[ 14.079046] page:000000001bd520e7 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800b09de00 pfn:0xb09c
+[ 14.079575] head:000000001bd520e7 order:1 compound_mapcount:0 compound_pincount:0
+[ 14.079946] flags: 0x100000000010200(slab|head|node=0|zone=1)
+[ 14.080244] raw: 0100000000010200 0000000000000000 dead000000000001 ffff88800493cc80
+[ 14.080629] raw: ffff88800b09de00 0000000080190018 00000001ffffffff 0000000000000000
+[ 14.081016] page dumped because: kasan: bad access detected
+[ 14.081293]
+[ 14.081376] Memory state around the buggy address:
+[ 14.081618] ffff88800b09ce00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 14.081974] ffff88800b09ce80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
+[ 14.082336] >ffff88800b09cf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 14.082690] ^
+[ 14.082909] ffff88800b09cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
+[ 14.083266] ffff88800b09d000: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
+[ 14.083622] ==================================================================
+
+The actual tracing of this bug is shown below:
+
+commit 8c71fe750215 ("io_uring: ensure fput() called correspondingly
+when direct install fails") adds an additional fput() in
+io_fixed_fd_install() when io_file_bitmap_get() returns error values. In
+that case, the routine will never make it to io_install_fixed_file() due
+to an early return.
+
+static int io_fixed_fd_install(...)
+{
+ if (alloc_slot) {
+ ...
+ ret = io_file_bitmap_get(ctx);
+ if (unlikely(ret < 0)) {
+ io_ring_submit_unlock(ctx, issue_flags);
+ fput(file);
+ return ret;
+ }
+ ...
+ }
+ ...
+ ret = io_install_fixed_file(req, file, issue_flags, file_slot);
+ ...
+}
+
+In the above scenario, the reference is okay as io_fixed_fd_install()
+ensures the fput() is called when something bad happens, either via
+bitmap or via inner io_install_fixed_file().
+
+However, the commit 61c1b44a21d7 ("io_uring: fix deadlock on iowq file
+slot alloc") breaks the balance because it places fput() into the common
+path for both io_file_bitmap_get() and io_install_fixed_file(). Since
+io_install_fixed_file() handles the fput() itself, the reference
+underflow come across then.
+
+There are some extra commits make the current code into
+io_fixed_fd_install() -> __io_fixed_fd_install() ->
+io_install_fixed_file()
+
+However, the fact that there is an extra fput() is called if
+io_install_fixed_file() calls fput(). Traversing through the code, I
+find that the existing two callers to __io_fixed_fd_install():
+io_fixed_fd_install() and io_msg_send_fd() have fput() when handling
+error return, this patch simply removes the fput() in
+io_install_fixed_file() to fix the bug.
+
+Fixes: 61c1b44a21d7 ("io_uring: fix deadlock on iowq file slot alloc")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Link: https://lore.kernel.org/r/be4ba4b.5d44.184a0a406a4.Coremail.linma@zju.edu.cn
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/filetable.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/io_uring/filetable.c b/io_uring/filetable.c
+index 7b473259f3f4..68dfc6936aa7 100644
+--- a/io_uring/filetable.c
++++ b/io_uring/filetable.c
+@@ -101,8 +101,6 @@ static int io_install_fixed_file(struct io_ring_ctx *ctx, struct file *file,
+ err:
+ if (needs_switch)
+ io_rsrc_node_switch(ctx, ctx->file_data);
+- if (ret)
+- fput(file);
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From f49bdcc706dcb8cf28d503fe99c12554abc58cc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 07:15:54 -0700
+Subject: io_uring/poll: fix poll_refs race with cancelation
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit 12ad3d2d6c5b0131a6052de91360849e3e154846 ]
+
+There is an interesting race condition of poll_refs which could result
+in a NULL pointer dereference. The crash trace is like:
+
+KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+CPU: 0 PID: 30781 Comm: syz-executor.2 Not tainted 6.0.0-g493ffd6605b2 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.13.0-1ubuntu1.1 04/01/2014
+RIP: 0010:io_poll_remove_entry io_uring/poll.c:154 [inline]
+RIP: 0010:io_poll_remove_entries+0x171/0x5b4 io_uring/poll.c:190
+Code: ...
+RSP: 0018:ffff88810dfefba0 EFLAGS: 00010202
+RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000040000
+RDX: ffffc900030c4000 RSI: 000000000003ffff RDI: 0000000000040000
+RBP: 0000000000000008 R08: ffffffff9764d3dd R09: fffffbfff3836781
+R10: fffffbfff3836781 R11: 0000000000000000 R12: 1ffff11003422d60
+R13: ffff88801a116b04 R14: ffff88801a116ac0 R15: dffffc0000000000
+FS: 00007f9c07497700(0000) GS:ffff88811a600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffb5c00ea98 CR3: 0000000105680005 CR4: 0000000000770ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ io_apoll_task_func+0x3f/0xa0 io_uring/poll.c:299
+ handle_tw_list io_uring/io_uring.c:1037 [inline]
+ tctx_task_work+0x37e/0x4f0 io_uring/io_uring.c:1090
+ task_work_run+0x13a/0x1b0 kernel/task_work.c:177
+ get_signal+0x2402/0x25a0 kernel/signal.c:2635
+ arch_do_signal_or_restart+0x3b/0x660 arch/x86/kernel/signal.c:869
+ exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
+ exit_to_user_mode_prepare+0xc2/0x160 kernel/entry/common.c:201
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
+ syscall_exit_to_user_mode+0x58/0x160 kernel/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+The root cause for this is a tiny overlooking in
+io_poll_check_events() when cocurrently run with poll cancel routine
+io_poll_cancel_req().
+
+The interleaving to trigger use-after-free:
+
+CPU0 | CPU1
+ |
+io_apoll_task_func() | io_poll_cancel_req()
+ io_poll_check_events() |
+ // do while first loop |
+ v = atomic_read(...) |
+ // v = poll_refs = 1 |
+ ... | io_poll_mark_cancelled()
+ | atomic_or()
+ | // poll_refs =
+IO_POLL_CANCEL_FLAG | 1
+ |
+ atomic_sub_return(...) |
+ // poll_refs = IO_POLL_CANCEL_FLAG |
+ // loop continue |
+ |
+ | io_poll_execute()
+ | io_poll_get_ownership()
+ | // poll_refs =
+IO_POLL_CANCEL_FLAG | 1
+ | // gets the ownership
+ v = atomic_read(...) |
+ // poll_refs not change |
+ |
+ if (v & IO_POLL_CANCEL_FLAG) |
+ return -ECANCELED; |
+ // io_poll_check_events return |
+ // will go into |
+ // io_req_complete_failed() free req |
+ |
+ | io_apoll_task_func()
+ | // also go into
+io_req_complete_failed()
+
+And the interleaving to trigger the kernel WARNING:
+
+CPU0 | CPU1
+ |
+io_apoll_task_func() | io_poll_cancel_req()
+ io_poll_check_events() |
+ // do while first loop |
+ v = atomic_read(...) |
+ // v = poll_refs = 1 |
+ ... | io_poll_mark_cancelled()
+ | atomic_or()
+ | // poll_refs =
+IO_POLL_CANCEL_FLAG | 1
+ |
+ atomic_sub_return(...) |
+ // poll_refs = IO_POLL_CANCEL_FLAG |
+ // loop continue |
+ |
+ v = atomic_read(...) |
+ // v = IO_POLL_CANCEL_FLAG |
+ | io_poll_execute()
+ | io_poll_get_ownership()
+ | // poll_refs =
+IO_POLL_CANCEL_FLAG | 1
+ | // gets the ownership
+ |
+ WARN_ON_ONCE(!(v & IO_POLL_REF_MASK))) |
+ // v & IO_POLL_REF_MASK = 0 WARN |
+ |
+ | io_apoll_task_func()
+ | // also go into
+io_req_complete_failed()
+
+By looking up the source code and communicating with Pavel, the
+implementation of this atomic poll refs should continue the loop of
+io_poll_check_events() just to avoid somewhere else to grab the
+ownership. Therefore, this patch simply adds another AND operation to
+make sure the loop will stop if it finds the poll_refs is exactly equal
+to IO_POLL_CANCEL_FLAG. Since io_poll_cancel_req() grabs ownership and
+will finally make its way to io_req_complete_failed(), the req will
+be reclaimed as expected.
+
+Fixes: aa43477b0402 ("io_uring: poll rework")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Reviewed-by: Pavel Begunkov <asml.silence@gmail.com>
+[axboe: tweak description and code style]
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/poll.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/io_uring/poll.c b/io_uring/poll.c
+index 055632e9092a..0d721f8c4bc4 100644
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -274,7 +274,8 @@ static int io_poll_check_events(struct io_kiocb *req, bool *locked)
+ * Release all references, retry if someone tried to restart
+ * task_work while we were executing it.
+ */
+- } while (atomic_sub_return(v & IO_POLL_REF_MASK, &req->poll_refs));
++ } while (atomic_sub_return(v & IO_POLL_REF_MASK, &req->poll_refs) &
++ IO_POLL_REF_MASK);
+
+ return IOU_POLL_NO_ACTION;
+ }
+--
+2.35.1
+
--- /dev/null
+From bffaa8cd0edead6caec65278b1c10e5c3e646251 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Nov 2022 15:28:38 +0800
+Subject: ipv4: Fix error return code in fib_table_insert()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 568fe84940ac0e4e0b2cd7751b8b4911f7b9c215 ]
+
+In fib_table_insert(), if the alias was already inserted, but node not
+exist, the error code should be set before return from error handling path.
+
+Fixes: a6c76c17df02 ("ipv4: Notify route after insertion to the routing table")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Link: https://lore.kernel.org/r/20221120072838.2167047-1-william.xuanziyang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fib_trie.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
+index 452ff177e4da..f26d5ac117d6 100644
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -1381,8 +1381,10 @@ int fib_table_insert(struct net *net, struct fib_table *tb,
+
+ /* The alias was already inserted, so the node must exist. */
+ l = l ? l : fib_find_node(t, &tp, key);
+- if (WARN_ON_ONCE(!l))
++ if (WARN_ON_ONCE(!l)) {
++ err = -ENOENT;
+ goto out_free_new_fa;
++ }
+
+ if (fib_find_alias(&l->leaf, new_fa->fa_slen, 0, 0, tb->tb_id, true) ==
+ new_fa) {
+--
+2.35.1
+
--- /dev/null
+From ccee9bc96eff59f1be118e10b85dce17a9303402 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 17:19:14 -0800
+Subject: ipvlan: hold lower dev to avoid possible use-after-free
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+[ Upstream commit 40b9d1ab63f5c4f3cb69450044d07b45e5af72e1 ]
+
+Recently syzkaller discovered the issue of disappearing lower
+device (NETDEV_UNREGISTER) while the virtual device (like
+macvlan) is still having it as a lower device. So it's just
+a matter of time similar discovery will be made for IPvlan
+device setup. So fixing it preemptively. Also while at it,
+add a refcount tracker.
+
+Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipvlan/ipvlan.h | 1 +
+ drivers/net/ipvlan/ipvlan_main.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/drivers/net/ipvlan/ipvlan.h b/drivers/net/ipvlan/ipvlan.h
+index de94921cbef9..025e0c19ec25 100644
+--- a/drivers/net/ipvlan/ipvlan.h
++++ b/drivers/net/ipvlan/ipvlan.h
+@@ -98,6 +98,7 @@ struct ipvl_port {
+ struct sk_buff_head backlog;
+ int count;
+ struct ida ida;
++ netdevice_tracker dev_tracker;
+ };
+
+ struct ipvl_skb_cb {
+diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/net/ipvlan/ipvlan_main.c
+index 49ba8a50dfb1..9043bcd1b41d 100644
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -83,6 +83,7 @@ static int ipvlan_port_create(struct net_device *dev)
+ if (err)
+ goto err;
+
++ netdev_hold(dev, &port->dev_tracker, GFP_KERNEL);
+ return 0;
+
+ err:
+@@ -95,6 +96,7 @@ static void ipvlan_port_destroy(struct net_device *dev)
+ struct ipvl_port *port = ipvlan_port_get_rtnl(dev);
+ struct sk_buff *skb;
+
++ netdev_put(dev, &port->dev_tracker);
+ if (port->mode == IPVLAN_MODE_L3S)
+ ipvlan_l3s_unregister(port);
+ netdev_rx_handler_unregister(dev);
+--
+2.35.1
+
--- /dev/null
+From a68c4f0ab3651dda97ffdfb7ad7963586a75947d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 09:12:49 +0800
+Subject: macsec: Fix invalid error code set
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 7cef6b73fba96abef731a53501924fc3c4a0f947 ]
+
+'ret' is defined twice in macsec_changelink(), when it is set in macsec_is_offloaded
+case, it will be invalid before return.
+
+Fixes: 3cf3227a21d1 ("net: macsec: hardware offloading infrastructure")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Saeed Mahameed <saeed@kernel.org>
+Reviewed-by: Antoine Tenart <atenart@kernel.org>
+Link: https://lore.kernel.org/r/20221118011249.48112-1-yuehaibing@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index d145ad189778..104fc564a766 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -3855,7 +3855,6 @@ static int macsec_changelink(struct net_device *dev, struct nlattr *tb[],
+ if (macsec_is_offloaded(macsec)) {
+ const struct macsec_ops *ops;
+ struct macsec_context ctx;
+- int ret;
+
+ ops = macsec_get_ops(netdev_priv(dev), &ctx);
+ if (!ops) {
+--
+2.35.1
+
--- /dev/null
+From e1bb4ea41d0da5a102a8f8567be1983a3200697f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 21:53:05 +0100
+Subject: net/cdc_ncm: Fix multicast RX support for CDC NCM devices with ZLP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Santiago Ruano Rincón <santiago.ruano-rincon@imt-atlantique.fr>
+
+[ Upstream commit 748064b54c99418f615aabff5755996cd9816969 ]
+
+ZLP for DisplayLink ethernet devices was enabled in 6.0:
+266c0190aee3 ("net/cdc_ncm: Enable ZLP for DisplayLink ethernet devices").
+The related driver_info should be the "same as cdc_ncm_info, but with
+FLAG_SEND_ZLP". However, set_rx_mode that enables handling multicast
+traffic was missing in the new cdc_ncm_zlp_info.
+
+usbnet_cdc_update_filter rx mode was introduced in linux 5.9 with:
+e10dcb1b6ba7 ("net: cdc_ncm: hook into set_rx_mode to admit multicast
+traffic")
+
+Without this hook, multicast, and then IPv6 SLAAC, is broken.
+
+Fixes: 266c0190aee3 ("net/cdc_ncm: Enable ZLP for DisplayLink ethernet devices")
+Signed-off-by: Santiago Ruano Rincón <santiago.ruano-rincon@imt-atlantique.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_ncm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index 8d5cbda33f66..0897fdb6254b 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1915,6 +1915,7 @@ static const struct driver_info cdc_ncm_zlp_info = {
+ .status = cdc_ncm_status,
+ .rx_fixup = cdc_ncm_rx_fixup,
+ .tx_fixup = cdc_ncm_tx_fixup,
++ .set_rx_mode = usbnet_cdc_update_filter,
+ };
+
+ /* Same as cdc_ncm_info, but with FLAG_WWAN */
+--
+2.35.1
+
--- /dev/null
+From c7d8af2f3d709cacfb95aa8cb5445fd4ecc1eaf0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 03:32:26 +0000
+Subject: net: dm9051: Fix missing dev_kfree_skb() in dm9051_loop_rx()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit bac81f40c2c1484a2bd416b3fbf983f6e76488cd ]
+
+The dm9051_loop_rx() returns without release skb when dm9051_stop_mrcmd()
+returns error, free the skb to avoid this leak.
+
+Fixes: 2dc95a4d30ed ("net: Add dm9051 driver")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/davicom/dm9051.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/davicom/dm9051.c b/drivers/net/ethernet/davicom/dm9051.c
+index a523ddda7609..de7105a84747 100644
+--- a/drivers/net/ethernet/davicom/dm9051.c
++++ b/drivers/net/ethernet/davicom/dm9051.c
+@@ -798,8 +798,10 @@ static int dm9051_loop_rx(struct board_info *db)
+ }
+
+ ret = dm9051_stop_mrcmd(db);
+- if (ret)
++ if (ret) {
++ dev_kfree_skb(skb);
+ return ret;
++ }
+
+ skb->protocol = eth_type_trans(skb, db->ndev);
+ if (db->ndev->features & NETIF_F_RXCSUM)
+--
+2.35.1
+
--- /dev/null
+From 0158b4b7b23ff257e9687497fff9a10567cc0118 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 12:06:53 +0200
+Subject: net: dsa: sja1105: disallow C45 transactions on the BASE-TX MDIO bus
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 24deec6b9e4a051635f75777844ffc184644fec9 ]
+
+You'd think people know that the internal 100BASE-TX PHY on the SJA1110
+responds only to clause 22 MDIO transactions, but they don't :)
+
+When a clause 45 transaction is attempted, sja1105_base_tx_mdio_read()
+and sja1105_base_tx_mdio_write() don't expect "reg" to contain bit 30
+set (MII_ADDR_C45) and pack this value into the SPI transaction buffer.
+
+But the field in the SPI buffer has a width smaller than 30 bits, so we
+see this confusing message from the packing() API rather than a proper
+rejection of C45 transactions:
+
+Call trace:
+ dump_stack+0x1c/0x38
+ sja1105_pack+0xbc/0xc0 [sja1105]
+ sja1105_xfer+0x114/0x2b0 [sja1105]
+ sja1105_xfer_u32+0x44/0xf4 [sja1105]
+ sja1105_base_tx_mdio_read+0x44/0x7c [sja1105]
+ mdiobus_read+0x44/0x80
+ get_phy_c45_ids+0x70/0x234
+ get_phy_device+0x68/0x15c
+ fwnode_mdiobus_register_phy+0x74/0x240
+ of_mdiobus_register+0x13c/0x380
+ sja1105_mdiobus_register+0x368/0x490 [sja1105]
+ sja1105_setup+0x94/0x119c [sja1105]
+Cannot store 401d2405 inside bits 24-4 (would truncate)
+
+Fixes: 5a8f09748ee7 ("net: dsa: sja1105: register the MDIO buses for 100base-T1 and 100base-TX")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_mdio.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_mdio.c b/drivers/net/dsa/sja1105/sja1105_mdio.c
+index 215dd17ca790..4059fcc8c832 100644
+--- a/drivers/net/dsa/sja1105/sja1105_mdio.c
++++ b/drivers/net/dsa/sja1105/sja1105_mdio.c
+@@ -256,6 +256,9 @@ static int sja1105_base_tx_mdio_read(struct mii_bus *bus, int phy, int reg)
+ u32 tmp;
+ int rc;
+
++ if (reg & MII_ADDR_C45)
++ return -EOPNOTSUPP;
++
+ rc = sja1105_xfer_u32(priv, SPI_READ, regs->mdio_100base_tx + reg,
+ &tmp, NULL);
+ if (rc < 0)
+@@ -272,6 +275,9 @@ static int sja1105_base_tx_mdio_write(struct mii_bus *bus, int phy, int reg,
+ const struct sja1105_regs *regs = priv->info->regs;
+ u32 tmp = val;
+
++ if (reg & MII_ADDR_C45)
++ return -EOPNOTSUPP;
++
+ return sja1105_xfer_u32(priv, SPI_WRITE, regs->mdio_100base_tx + reg,
+ &tmp, NULL);
+ }
+--
+2.35.1
+
--- /dev/null
+From 306a1eef0576dc6d1ed0b4d3ceaacf297187f76d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Sep 2022 12:52:02 +0300
+Subject: net: enetc: cache accesses to &priv->si->hw
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 715bf2610f1d1adf3d4f9b7b3dd729984ec4270a ]
+
+The &priv->si->hw construct dereferences 2 pointers and makes lines
+longer than they need to be, in turn making the code harder to read.
+
+Replace &priv->si->hw accesses with a "hw" variable when there are 2 or
+more accesses within a function that dereference this. This includes
+loops, since &priv->si->hw is a loop invariant.
+
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 290b5fe096e7 ("net: enetc: preserve TX ring priority across reconfiguration")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/enetc/enetc.c | 28 +++++----
+ drivers/net/ethernet/freescale/enetc/enetc.h | 9 +--
+ .../net/ethernet/freescale/enetc/enetc_qos.c | 60 +++++++++----------
+ 3 files changed, 49 insertions(+), 48 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c
+index d0fd3045ce11..e6dbc78f490c 100644
+--- a/drivers/net/ethernet/freescale/enetc/enetc.c
++++ b/drivers/net/ethernet/freescale/enetc/enetc.c
+@@ -2121,13 +2121,14 @@ static void enetc_setup_rxbdr(struct enetc_hw *hw, struct enetc_bdr *rx_ring)
+
+ static void enetc_setup_bdrs(struct enetc_ndev_priv *priv)
+ {
++ struct enetc_hw *hw = &priv->si->hw;
+ int i;
+
+ for (i = 0; i < priv->num_tx_rings; i++)
+- enetc_setup_txbdr(&priv->si->hw, priv->tx_ring[i]);
++ enetc_setup_txbdr(hw, priv->tx_ring[i]);
+
+ for (i = 0; i < priv->num_rx_rings; i++)
+- enetc_setup_rxbdr(&priv->si->hw, priv->rx_ring[i]);
++ enetc_setup_rxbdr(hw, priv->rx_ring[i]);
+ }
+
+ static void enetc_clear_rxbdr(struct enetc_hw *hw, struct enetc_bdr *rx_ring)
+@@ -2160,13 +2161,14 @@ static void enetc_clear_txbdr(struct enetc_hw *hw, struct enetc_bdr *tx_ring)
+
+ static void enetc_clear_bdrs(struct enetc_ndev_priv *priv)
+ {
++ struct enetc_hw *hw = &priv->si->hw;
+ int i;
+
+ for (i = 0; i < priv->num_tx_rings; i++)
+- enetc_clear_txbdr(&priv->si->hw, priv->tx_ring[i]);
++ enetc_clear_txbdr(hw, priv->tx_ring[i]);
+
+ for (i = 0; i < priv->num_rx_rings; i++)
+- enetc_clear_rxbdr(&priv->si->hw, priv->rx_ring[i]);
++ enetc_clear_rxbdr(hw, priv->rx_ring[i]);
+
+ udelay(1);
+ }
+@@ -2174,13 +2176,13 @@ static void enetc_clear_bdrs(struct enetc_ndev_priv *priv)
+ static int enetc_setup_irqs(struct enetc_ndev_priv *priv)
+ {
+ struct pci_dev *pdev = priv->si->pdev;
++ struct enetc_hw *hw = &priv->si->hw;
+ int i, j, err;
+
+ for (i = 0; i < priv->bdr_int_num; i++) {
+ int irq = pci_irq_vector(pdev, ENETC_BDR_INT_BASE_IDX + i);
+ struct enetc_int_vector *v = priv->int_vector[i];
+ int entry = ENETC_BDR_INT_BASE_IDX + i;
+- struct enetc_hw *hw = &priv->si->hw;
+
+ snprintf(v->name, sizeof(v->name), "%s-rxtx%d",
+ priv->ndev->name, i);
+@@ -2268,13 +2270,14 @@ static void enetc_setup_interrupts(struct enetc_ndev_priv *priv)
+
+ static void enetc_clear_interrupts(struct enetc_ndev_priv *priv)
+ {
++ struct enetc_hw *hw = &priv->si->hw;
+ int i;
+
+ for (i = 0; i < priv->num_tx_rings; i++)
+- enetc_txbdr_wr(&priv->si->hw, i, ENETC_TBIER, 0);
++ enetc_txbdr_wr(hw, i, ENETC_TBIER, 0);
+
+ for (i = 0; i < priv->num_rx_rings; i++)
+- enetc_rxbdr_wr(&priv->si->hw, i, ENETC_RBIER, 0);
++ enetc_rxbdr_wr(hw, i, ENETC_RBIER, 0);
+ }
+
+ static int enetc_phylink_connect(struct net_device *ndev)
+@@ -2441,6 +2444,7 @@ int enetc_setup_tc_mqprio(struct net_device *ndev, void *type_data)
+ {
+ struct enetc_ndev_priv *priv = netdev_priv(ndev);
+ struct tc_mqprio_qopt *mqprio = type_data;
++ struct enetc_hw *hw = &priv->si->hw;
+ struct enetc_bdr *tx_ring;
+ int num_stack_tx_queues;
+ u8 num_tc;
+@@ -2457,7 +2461,7 @@ int enetc_setup_tc_mqprio(struct net_device *ndev, void *type_data)
+ /* Reset all ring priorities to 0 */
+ for (i = 0; i < priv->num_tx_rings; i++) {
+ tx_ring = priv->tx_ring[i];
+- enetc_set_bdr_prio(&priv->si->hw, tx_ring->index, 0);
++ enetc_set_bdr_prio(hw, tx_ring->index, 0);
+ }
+
+ return 0;
+@@ -2476,7 +2480,7 @@ int enetc_setup_tc_mqprio(struct net_device *ndev, void *type_data)
+ */
+ for (i = 0; i < num_tc; i++) {
+ tx_ring = priv->tx_ring[i];
+- enetc_set_bdr_prio(&priv->si->hw, tx_ring->index, i);
++ enetc_set_bdr_prio(hw, tx_ring->index, i);
+ }
+
+ /* Reset the number of netdev queues based on the TC count */
+@@ -2589,19 +2593,21 @@ static int enetc_set_rss(struct net_device *ndev, int en)
+ static void enetc_enable_rxvlan(struct net_device *ndev, bool en)
+ {
+ struct enetc_ndev_priv *priv = netdev_priv(ndev);
++ struct enetc_hw *hw = &priv->si->hw;
+ int i;
+
+ for (i = 0; i < priv->num_rx_rings; i++)
+- enetc_bdr_enable_rxvlan(&priv->si->hw, i, en);
++ enetc_bdr_enable_rxvlan(hw, i, en);
+ }
+
+ static void enetc_enable_txvlan(struct net_device *ndev, bool en)
+ {
+ struct enetc_ndev_priv *priv = netdev_priv(ndev);
++ struct enetc_hw *hw = &priv->si->hw;
+ int i;
+
+ for (i = 0; i < priv->num_tx_rings; i++)
+- enetc_bdr_enable_txvlan(&priv->si->hw, i, en);
++ enetc_bdr_enable_txvlan(hw, i, en);
+ }
+
+ void enetc_set_features(struct net_device *ndev, netdev_features_t features)
+diff --git a/drivers/net/ethernet/freescale/enetc/enetc.h b/drivers/net/ethernet/freescale/enetc/enetc.h
+index 2cfe6944ebd3..748677b2ce1f 100644
+--- a/drivers/net/ethernet/freescale/enetc/enetc.h
++++ b/drivers/net/ethernet/freescale/enetc/enetc.h
+@@ -467,19 +467,20 @@ int enetc_set_psfp(struct net_device *ndev, bool en);
+
+ static inline void enetc_get_max_cap(struct enetc_ndev_priv *priv)
+ {
++ struct enetc_hw *hw = &priv->si->hw;
+ u32 reg;
+
+- reg = enetc_port_rd(&priv->si->hw, ENETC_PSIDCAPR);
++ reg = enetc_port_rd(hw, ENETC_PSIDCAPR);
+ priv->psfp_cap.max_streamid = reg & ENETC_PSIDCAPR_MSK;
+ /* Port stream filter capability */
+- reg = enetc_port_rd(&priv->si->hw, ENETC_PSFCAPR);
++ reg = enetc_port_rd(hw, ENETC_PSFCAPR);
+ priv->psfp_cap.max_psfp_filter = reg & ENETC_PSFCAPR_MSK;
+ /* Port stream gate capability */
+- reg = enetc_port_rd(&priv->si->hw, ENETC_PSGCAPR);
++ reg = enetc_port_rd(hw, ENETC_PSGCAPR);
+ priv->psfp_cap.max_psfp_gate = (reg & ENETC_PSGCAPR_SGIT_MSK);
+ priv->psfp_cap.max_psfp_gatelist = (reg & ENETC_PSGCAPR_GCL_MSK) >> 16;
+ /* Port flow meter capability */
+- reg = enetc_port_rd(&priv->si->hw, ENETC_PFMCAPR);
++ reg = enetc_port_rd(hw, ENETC_PFMCAPR);
+ priv->psfp_cap.max_psfp_meter = reg & ENETC_PFMCAPR_MSK;
+ }
+
+diff --git a/drivers/net/ethernet/freescale/enetc/enetc_qos.c b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
+index f8a2f02ce22d..2e783ef73690 100644
+--- a/drivers/net/ethernet/freescale/enetc/enetc_qos.c
++++ b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
+@@ -17,8 +17,9 @@ static u16 enetc_get_max_gcl_len(struct enetc_hw *hw)
+
+ void enetc_sched_speed_set(struct enetc_ndev_priv *priv, int speed)
+ {
++ struct enetc_hw *hw = &priv->si->hw;
+ u32 old_speed = priv->speed;
+- u32 pspeed;
++ u32 pspeed, tmp;
+
+ if (speed == old_speed)
+ return;
+@@ -39,16 +40,15 @@ void enetc_sched_speed_set(struct enetc_ndev_priv *priv, int speed)
+ }
+
+ priv->speed = speed;
+- enetc_port_wr(&priv->si->hw, ENETC_PMR,
+- (enetc_port_rd(&priv->si->hw, ENETC_PMR)
+- & (~ENETC_PMR_PSPEED_MASK))
+- | pspeed);
++ tmp = enetc_port_rd(hw, ENETC_PMR);
++ enetc_port_wr(hw, ENETC_PMR, (tmp & ~ENETC_PMR_PSPEED_MASK) | pspeed);
+ }
+
+ static int enetc_setup_taprio(struct net_device *ndev,
+ struct tc_taprio_qopt_offload *admin_conf)
+ {
+ struct enetc_ndev_priv *priv = netdev_priv(ndev);
++ struct enetc_hw *hw = &priv->si->hw;
+ struct enetc_cbd cbd = {.cmd = 0};
+ struct tgs_gcl_conf *gcl_config;
+ struct tgs_gcl_data *gcl_data;
+@@ -61,15 +61,13 @@ static int enetc_setup_taprio(struct net_device *ndev,
+ int err;
+ int i;
+
+- if (admin_conf->num_entries > enetc_get_max_gcl_len(&priv->si->hw))
++ if (admin_conf->num_entries > enetc_get_max_gcl_len(hw))
+ return -EINVAL;
+ gcl_len = admin_conf->num_entries;
+
+- tge = enetc_rd(&priv->si->hw, ENETC_QBV_PTGCR_OFFSET);
++ tge = enetc_rd(hw, ENETC_QBV_PTGCR_OFFSET);
+ if (!admin_conf->enable) {
+- enetc_wr(&priv->si->hw,
+- ENETC_QBV_PTGCR_OFFSET,
+- tge & (~ENETC_QBV_TGE));
++ enetc_wr(hw, ENETC_QBV_PTGCR_OFFSET, tge & ~ENETC_QBV_TGE);
+
+ priv->active_offloads &= ~ENETC_F_QBV;
+
+@@ -117,14 +115,11 @@ static int enetc_setup_taprio(struct net_device *ndev,
+ cbd.cls = BDCR_CMD_PORT_GCL;
+ cbd.status_flags = 0;
+
+- enetc_wr(&priv->si->hw, ENETC_QBV_PTGCR_OFFSET,
+- tge | ENETC_QBV_TGE);
++ enetc_wr(hw, ENETC_QBV_PTGCR_OFFSET, tge | ENETC_QBV_TGE);
+
+ err = enetc_send_cmd(priv->si, &cbd);
+ if (err)
+- enetc_wr(&priv->si->hw,
+- ENETC_QBV_PTGCR_OFFSET,
+- tge & (~ENETC_QBV_TGE));
++ enetc_wr(hw, ENETC_QBV_PTGCR_OFFSET, tge & ~ENETC_QBV_TGE);
+
+ enetc_cbd_free_data_mem(priv->si, data_size, tmp, &dma);
+
+@@ -138,6 +133,7 @@ int enetc_setup_tc_taprio(struct net_device *ndev, void *type_data)
+ {
+ struct tc_taprio_qopt_offload *taprio = type_data;
+ struct enetc_ndev_priv *priv = netdev_priv(ndev);
++ struct enetc_hw *hw = &priv->si->hw;
+ int err;
+ int i;
+
+@@ -147,16 +143,14 @@ int enetc_setup_tc_taprio(struct net_device *ndev, void *type_data)
+ return -EBUSY;
+
+ for (i = 0; i < priv->num_tx_rings; i++)
+- enetc_set_bdr_prio(&priv->si->hw,
+- priv->tx_ring[i]->index,
++ enetc_set_bdr_prio(hw, priv->tx_ring[i]->index,
+ taprio->enable ? i : 0);
+
+ err = enetc_setup_taprio(ndev, taprio);
+
+ if (err)
+ for (i = 0; i < priv->num_tx_rings; i++)
+- enetc_set_bdr_prio(&priv->si->hw,
+- priv->tx_ring[i]->index,
++ enetc_set_bdr_prio(hw, priv->tx_ring[i]->index,
+ taprio->enable ? 0 : i);
+
+ return err;
+@@ -178,7 +172,7 @@ int enetc_setup_tc_cbs(struct net_device *ndev, void *type_data)
+ struct tc_cbs_qopt_offload *cbs = type_data;
+ u32 port_transmit_rate = priv->speed;
+ u8 tc_nums = netdev_get_num_tc(ndev);
+- struct enetc_si *si = priv->si;
++ struct enetc_hw *hw = &priv->si->hw;
+ u32 hi_credit_bit, hi_credit_reg;
+ u32 max_interference_size;
+ u32 port_frame_max_size;
+@@ -199,15 +193,15 @@ int enetc_setup_tc_cbs(struct net_device *ndev, void *type_data)
+ * lower than this TC have been disabled.
+ */
+ if (tc == prio_top &&
+- enetc_get_cbs_enable(&si->hw, prio_next)) {
++ enetc_get_cbs_enable(hw, prio_next)) {
+ dev_err(&ndev->dev,
+ "Disable TC%d before disable TC%d\n",
+ prio_next, tc);
+ return -EINVAL;
+ }
+
+- enetc_port_wr(&si->hw, ENETC_PTCCBSR1(tc), 0);
+- enetc_port_wr(&si->hw, ENETC_PTCCBSR0(tc), 0);
++ enetc_port_wr(hw, ENETC_PTCCBSR1(tc), 0);
++ enetc_port_wr(hw, ENETC_PTCCBSR0(tc), 0);
+
+ return 0;
+ }
+@@ -224,13 +218,13 @@ int enetc_setup_tc_cbs(struct net_device *ndev, void *type_data)
+ * higher than this TC have been enabled.
+ */
+ if (tc == prio_next) {
+- if (!enetc_get_cbs_enable(&si->hw, prio_top)) {
++ if (!enetc_get_cbs_enable(hw, prio_top)) {
+ dev_err(&ndev->dev,
+ "Enable TC%d first before enable TC%d\n",
+ prio_top, prio_next);
+ return -EINVAL;
+ }
+- bw_sum += enetc_get_cbs_bw(&si->hw, prio_top);
++ bw_sum += enetc_get_cbs_bw(hw, prio_top);
+ }
+
+ if (bw_sum + bw >= 100) {
+@@ -239,7 +233,7 @@ int enetc_setup_tc_cbs(struct net_device *ndev, void *type_data)
+ return -EINVAL;
+ }
+
+- enetc_port_rd(&si->hw, ENETC_PTCMSDUR(tc));
++ enetc_port_rd(hw, ENETC_PTCMSDUR(tc));
+
+ /* For top prio TC, the max_interfrence_size is maxSizedFrame.
+ *
+@@ -259,8 +253,8 @@ int enetc_setup_tc_cbs(struct net_device *ndev, void *type_data)
+ u32 m0, ma, r0, ra;
+
+ m0 = port_frame_max_size * 8;
+- ma = enetc_port_rd(&si->hw, ENETC_PTCMSDUR(prio_top)) * 8;
+- ra = enetc_get_cbs_bw(&si->hw, prio_top) *
++ ma = enetc_port_rd(hw, ENETC_PTCMSDUR(prio_top)) * 8;
++ ra = enetc_get_cbs_bw(hw, prio_top) *
+ port_transmit_rate * 10000ULL;
+ r0 = port_transmit_rate * 1000000ULL;
+ max_interference_size = m0 + ma +
+@@ -280,10 +274,10 @@ int enetc_setup_tc_cbs(struct net_device *ndev, void *type_data)
+ hi_credit_reg = (u32)div_u64((ENETC_CLK * 100ULL) * hi_credit_bit,
+ port_transmit_rate * 1000000ULL);
+
+- enetc_port_wr(&si->hw, ENETC_PTCCBSR1(tc), hi_credit_reg);
++ enetc_port_wr(hw, ENETC_PTCCBSR1(tc), hi_credit_reg);
+
+ /* Set bw register and enable this traffic class */
+- enetc_port_wr(&si->hw, ENETC_PTCCBSR0(tc), bw | ENETC_CBSE);
++ enetc_port_wr(hw, ENETC_PTCCBSR0(tc), bw | ENETC_CBSE);
+
+ return 0;
+ }
+@@ -293,6 +287,7 @@ int enetc_setup_tc_txtime(struct net_device *ndev, void *type_data)
+ struct enetc_ndev_priv *priv = netdev_priv(ndev);
+ struct tc_etf_qopt_offload *qopt = type_data;
+ u8 tc_nums = netdev_get_num_tc(ndev);
++ struct enetc_hw *hw = &priv->si->hw;
+ int tc;
+
+ if (!tc_nums)
+@@ -304,12 +299,11 @@ int enetc_setup_tc_txtime(struct net_device *ndev, void *type_data)
+ return -EINVAL;
+
+ /* TSD and Qbv are mutually exclusive in hardware */
+- if (enetc_rd(&priv->si->hw, ENETC_QBV_PTGCR_OFFSET) & ENETC_QBV_TGE)
++ if (enetc_rd(hw, ENETC_QBV_PTGCR_OFFSET) & ENETC_QBV_TGE)
+ return -EBUSY;
+
+ priv->tx_ring[tc]->tsd_enable = qopt->enable;
+- enetc_port_wr(&priv->si->hw, ENETC_PTCTSDR(tc),
+- qopt->enable ? ENETC_TSDE : 0);
++ enetc_port_wr(hw, ENETC_PTCTSDR(tc), qopt->enable ? ENETC_TSDE : 0);
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From 3141e01fb539012903048b637dd4ac15065f68bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 15:09:36 +0200
+Subject: net: enetc: preserve TX ring priority across reconfiguration
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 290b5fe096e7dd0aad730d1af4f7f2d9fea43e11 ]
+
+In the blamed commit, a rudimentary reallocation procedure for RX buffer
+descriptors was implemented, for the situation when their format changes
+between normal (no PTP) and extended (PTP).
+
+enetc_hwtstamp_set() calls enetc_close() and enetc_open() in a sequence,
+and this sequence loses information which was previously configured in
+the TX BDR Mode Register, specifically via the enetc_set_bdr_prio() call.
+The TX ring priority is configured by tc-mqprio and tc-taprio, and
+affects important things for TSN such as the TX time of packets. The
+issue manifests itself most visibly by the fact that isochron --txtime
+reports premature packet transmissions when PTP is first enabled on an
+enetc interface.
+
+Save the TX ring priority in a new field in struct enetc_bdr (occupies a
+2 byte hole on arm64) in order to make this survive a ring reconfiguration.
+
+Fixes: 434cebabd3a2 ("enetc: Add dynamic allocation of extended Rx BD rings")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Alexander Lobakin <alexandr.lobakin@intel.com>
+Link: https://lore.kernel.org/r/20221122130936.1704151-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/enetc/enetc.c | 8 ++++---
+ drivers/net/ethernet/freescale/enetc/enetc.h | 1 +
+ .../net/ethernet/freescale/enetc/enetc_qos.c | 21 ++++++++++++-------
+ 3 files changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c
+index e6dbc78f490c..1d8ec1b120a1 100644
+--- a/drivers/net/ethernet/freescale/enetc/enetc.c
++++ b/drivers/net/ethernet/freescale/enetc/enetc.c
+@@ -2058,7 +2058,7 @@ static void enetc_setup_txbdr(struct enetc_hw *hw, struct enetc_bdr *tx_ring)
+ /* enable Tx ints by setting pkt thr to 1 */
+ enetc_txbdr_wr(hw, idx, ENETC_TBICR0, ENETC_TBICR0_ICEN | 0x1);
+
+- tbmr = ENETC_TBMR_EN;
++ tbmr = ENETC_TBMR_EN | ENETC_TBMR_SET_PRIO(tx_ring->prio);
+ if (tx_ring->ndev->features & NETIF_F_HW_VLAN_CTAG_TX)
+ tbmr |= ENETC_TBMR_VIH;
+
+@@ -2461,7 +2461,8 @@ int enetc_setup_tc_mqprio(struct net_device *ndev, void *type_data)
+ /* Reset all ring priorities to 0 */
+ for (i = 0; i < priv->num_tx_rings; i++) {
+ tx_ring = priv->tx_ring[i];
+- enetc_set_bdr_prio(hw, tx_ring->index, 0);
++ tx_ring->prio = 0;
++ enetc_set_bdr_prio(hw, tx_ring->index, tx_ring->prio);
+ }
+
+ return 0;
+@@ -2480,7 +2481,8 @@ int enetc_setup_tc_mqprio(struct net_device *ndev, void *type_data)
+ */
+ for (i = 0; i < num_tc; i++) {
+ tx_ring = priv->tx_ring[i];
+- enetc_set_bdr_prio(hw, tx_ring->index, i);
++ tx_ring->prio = i;
++ enetc_set_bdr_prio(hw, tx_ring->index, tx_ring->prio);
+ }
+
+ /* Reset the number of netdev queues based on the TC count */
+diff --git a/drivers/net/ethernet/freescale/enetc/enetc.h b/drivers/net/ethernet/freescale/enetc/enetc.h
+index 748677b2ce1f..bb1b3b0e40e4 100644
+--- a/drivers/net/ethernet/freescale/enetc/enetc.h
++++ b/drivers/net/ethernet/freescale/enetc/enetc.h
+@@ -95,6 +95,7 @@ struct enetc_bdr {
+ void __iomem *rcir;
+ };
+ u16 index;
++ u16 prio;
+ int bd_count; /* # of BDs */
+ int next_to_use;
+ int next_to_clean;
+diff --git a/drivers/net/ethernet/freescale/enetc/enetc_qos.c b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
+index 2e783ef73690..5fcb02b00699 100644
+--- a/drivers/net/ethernet/freescale/enetc/enetc_qos.c
++++ b/drivers/net/ethernet/freescale/enetc/enetc_qos.c
+@@ -134,6 +134,7 @@ int enetc_setup_tc_taprio(struct net_device *ndev, void *type_data)
+ struct tc_taprio_qopt_offload *taprio = type_data;
+ struct enetc_ndev_priv *priv = netdev_priv(ndev);
+ struct enetc_hw *hw = &priv->si->hw;
++ struct enetc_bdr *tx_ring;
+ int err;
+ int i;
+
+@@ -142,16 +143,20 @@ int enetc_setup_tc_taprio(struct net_device *ndev, void *type_data)
+ if (priv->tx_ring[i]->tsd_enable)
+ return -EBUSY;
+
+- for (i = 0; i < priv->num_tx_rings; i++)
+- enetc_set_bdr_prio(hw, priv->tx_ring[i]->index,
+- taprio->enable ? i : 0);
++ for (i = 0; i < priv->num_tx_rings; i++) {
++ tx_ring = priv->tx_ring[i];
++ tx_ring->prio = taprio->enable ? i : 0;
++ enetc_set_bdr_prio(hw, tx_ring->index, tx_ring->prio);
++ }
+
+ err = enetc_setup_taprio(ndev, taprio);
+-
+- if (err)
+- for (i = 0; i < priv->num_tx_rings; i++)
+- enetc_set_bdr_prio(hw, priv->tx_ring[i]->index,
+- taprio->enable ? 0 : i);
++ if (err) {
++ for (i = 0; i < priv->num_tx_rings; i++) {
++ tx_ring = priv->tx_ring[i];
++ tx_ring->prio = taprio->enable ? 0 : i;
++ enetc_set_bdr_prio(hw, tx_ring->index, tx_ring->prio);
++ }
++ }
+
+ return err;
+ }
+--
+2.35.1
+
--- /dev/null
+From 484fd6fdf013ea302b765c132858f13b5e4958ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 19:13:56 +0800
+Subject: net: ethernet: mtk_eth_soc: fix error handling in mtk_open()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit f70074140524c59a0935947b06dd6cb6e1ea642d ]
+
+If mtk_start_dma() fails, invoke phylink_disconnect_phy() to perform
+cleanup. phylink_disconnect_phy() contains the put_device action. If
+phylink_disconnect_phy is not performed, the Kref of netdev will leak.
+
+Fixes: b8fc9f30821e ("net: ethernet: mediatek: Add basic PHYLINK support")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Link: https://lore.kernel.org/r/20221117111356.161547-1-liujian56@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 84433f3a3e22..a75f5931f746 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -2979,8 +2979,10 @@ static int mtk_open(struct net_device *dev)
+ u32 gdm_config = MTK_GDMA_TO_PDMA;
+
+ err = mtk_start_dma(eth);
+- if (err)
++ if (err) {
++ phylink_disconnect_phy(mac->phylink);
+ return err;
++ }
+
+ if (eth->soc->offload_version && mtk_ppe_start(eth->ppe) == 0)
+ gdm_config = MTK_GDMA_TO_PPE;
+--
+2.35.1
+
--- /dev/null
+From 2f8480dd1390869d9da5d9aff1394927b1dc2cfc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Nov 2022 11:54:05 +0800
+Subject: net: ethernet: mtk_eth_soc: fix potential memory leak in
+ mtk_rx_alloc()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 3213f808ae21be3891885de2f3a775afafcda987 ]
+
+When fail to dma_map_single() in mtk_rx_alloc(), it returns directly.
+But the memory allocated for local variable data is not freed, and
+local variabel data has not been attached to ring->data[i] yet, so the
+memory allocated for local variable data will not be freed outside
+mtk_rx_alloc() too. Thus memory leak would occur in this scenario.
+
+Add skb_free_frag(data) when dma_map_single() failed.
+
+Fixes: 23233e577ef9 ("net: ethernet: mtk_eth_soc: rely on page_pool for single page buffers")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Acked-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Link: https://lore.kernel.org/r/20221120035405.1464341-1-william.xuanziyang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index a75f5931f746..916b570bdbf4 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -2363,8 +2363,10 @@ static int mtk_rx_alloc(struct mtk_eth *eth, int ring_no, int rx_flag)
+ data + NET_SKB_PAD + eth->ip_align,
+ ring->buf_size, DMA_FROM_DEVICE);
+ if (unlikely(dma_mapping_error(eth->dma_dev,
+- dma_addr)))
++ dma_addr))) {
++ skb_free_frag(data);
+ return -ENOMEM;
++ }
+ }
+ rxd->rxd1 = (unsigned int)dma_addr;
+ ring->data[i] = data;
+--
+2.35.1
+
--- /dev/null
+From 4e58a22b8c56dd315710693fe63bc284a76b017d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Nov 2022 13:52:58 +0800
+Subject: net: ethernet: mtk_eth_soc: fix resource leak in error path
+
+From: Yan Cangang <nalanzeyu@gmail.com>
+
+[ Upstream commit 8110437e59616293228cd781c486d8495a61e36a ]
+
+In mtk_probe(), when mtk_ppe_init() or mtk_eth_offload_init() failed,
+mtk_mdio_cleanup() isn't called. Fix it.
+
+Fixes: ba37b7caf1ed ("net: ethernet: mtk_eth_soc: add support for initializing the PPE")
+Fixes: 502e84e2382d ("net: ethernet: mtk_eth_soc: add flow offloading support")
+Signed-off-by: Yan Cangang <nalanzeyu@gmail.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 3db24ddd1261..aee57b22c496 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -4114,12 +4114,12 @@ static int mtk_probe(struct platform_device *pdev)
+ eth->ppe = mtk_ppe_init(eth, eth->base + ppe_addr, 2);
+ if (!eth->ppe) {
+ err = -ENOMEM;
+- goto err_free_dev;
++ goto err_deinit_mdio;
+ }
+
+ err = mtk_eth_offload_init(eth);
+ if (err)
+- goto err_free_dev;
++ goto err_deinit_mdio;
+ }
+
+ for (i = 0; i < MTK_MAX_DEVS; i++) {
+--
+2.35.1
+
--- /dev/null
+From 6563f43c89765e075e8784d921e17bd680d01189 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 12:11:15 +0200
+Subject: net: ethernet: mtk_eth_soc: move gdma_to_ppe and ppe_base definitions
+ in mtk register map
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 329bce5139cfb00dba40f038ec090572b81ff2a9 ]
+
+This is a preliminary patch to introduce mt7986 hw packet engine.
+
+Tested-by: Daniel Golle <daniel@makrotopia.org>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 8110437e5961 ("net: ethernet: mtk_eth_soc: fix resource leak in error path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 15 +++++++++++----
+ drivers/net/ethernet/mediatek/mtk_eth_soc.h | 3 ++-
+ drivers/net/ethernet/mediatek/mtk_ppe.h | 2 --
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 916b570bdbf4..83c636d44142 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -73,6 +73,8 @@ static const struct mtk_reg_map mtk_reg_map = {
+ .fq_blen = 0x1b2c,
+ },
+ .gdm1_cnt = 0x2400,
++ .gdma_to_ppe = 0x4444,
++ .ppe_base = 0x0c00,
+ };
+
+ static const struct mtk_reg_map mt7628_reg_map = {
+@@ -126,6 +128,8 @@ static const struct mtk_reg_map mt7986_reg_map = {
+ .fq_blen = 0x472c,
+ },
+ .gdm1_cnt = 0x1c00,
++ .gdma_to_ppe = 0x3333,
++ .ppe_base = 0x2000,
+ };
+
+ /* strings used by ethtool */
+@@ -2978,6 +2982,7 @@ static int mtk_open(struct net_device *dev)
+
+ /* we run 2 netdevs on the same dma ring so we only bring it up once */
+ if (!refcount_read(ð->dma_refcnt)) {
++ const struct mtk_soc_data *soc = eth->soc;
+ u32 gdm_config = MTK_GDMA_TO_PDMA;
+
+ err = mtk_start_dma(eth);
+@@ -2986,15 +2991,15 @@ static int mtk_open(struct net_device *dev)
+ return err;
+ }
+
+- if (eth->soc->offload_version && mtk_ppe_start(eth->ppe) == 0)
+- gdm_config = MTK_GDMA_TO_PPE;
++ if (soc->offload_version && mtk_ppe_start(eth->ppe) == 0)
++ gdm_config = soc->reg_map->gdma_to_ppe;
+
+ mtk_gdm_config(eth, gdm_config);
+
+ napi_enable(ð->tx_napi);
+ napi_enable(ð->rx_napi);
+ mtk_tx_irq_enable(eth, MTK_TX_DONE_INT);
+- mtk_rx_irq_enable(eth, eth->soc->txrx.rx_irq_done_mask);
++ mtk_rx_irq_enable(eth, soc->txrx.rx_irq_done_mask);
+ refcount_set(ð->dma_refcnt, 1);
+ }
+ else
+@@ -4104,7 +4109,9 @@ static int mtk_probe(struct platform_device *pdev)
+ }
+
+ if (eth->soc->offload_version) {
+- eth->ppe = mtk_ppe_init(eth, eth->base + MTK_ETH_PPE_BASE, 2);
++ u32 ppe_addr = eth->soc->reg_map->ppe_base;
++
++ eth->ppe = mtk_ppe_init(eth, eth->base + ppe_addr, 2);
+ if (!eth->ppe) {
+ err = -ENOMEM;
+ goto err_free_dev;
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+index 0f9668a4079d..511752729f5c 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+@@ -105,7 +105,6 @@
+ #define MTK_GDMA_TCS_EN BIT(21)
+ #define MTK_GDMA_UCS_EN BIT(20)
+ #define MTK_GDMA_TO_PDMA 0x0
+-#define MTK_GDMA_TO_PPE 0x4444
+ #define MTK_GDMA_DROP_ALL 0x7777
+
+ /* Unicast Filter MAC Address Register - Low */
+@@ -955,6 +954,8 @@ struct mtk_reg_map {
+ u32 fq_blen; /* fq free page buffer length */
+ } qdma;
+ u32 gdm1_cnt;
++ u32 gdma_to_ppe;
++ u32 ppe_base;
+ };
+
+ /* struct mtk_eth_data - This is the structure holding all differences
+diff --git a/drivers/net/ethernet/mediatek/mtk_ppe.h b/drivers/net/ethernet/mediatek/mtk_ppe.h
+index 69ffce04d630..ceb7dfe281de 100644
+--- a/drivers/net/ethernet/mediatek/mtk_ppe.h
++++ b/drivers/net/ethernet/mediatek/mtk_ppe.h
+@@ -8,8 +8,6 @@
+ #include <linux/bitfield.h>
+ #include <linux/rhashtable.h>
+
+-#define MTK_ETH_PPE_BASE 0xc00
+-
+ #define MTK_PPE_ENTRIES_SHIFT 3
+ #define MTK_PPE_ENTRIES (1024 << MTK_PPE_ENTRIES_SHIFT)
+ #define MTK_PPE_HASH_MASK (MTK_PPE_ENTRIES - 1)
+--
+2.35.1
+
--- /dev/null
+From b034d1ecdd1dbd4497d9c5c8da4fe32fb429d1c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Sep 2022 12:11:16 +0200
+Subject: net: ethernet: mtk_eth_soc: move ppe table hash offset to
+ mtk_soc_data structure
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit ba2fc48c5e1e9e1934939f0d12ff8b985dcc6e5d ]
+
+This is a preliminary patch to introduce mt7986 hw packet engine.
+
+Tested-by: Daniel Golle <daniel@makrotopia.org>
+Co-developed-by: Bo Jiao <Bo.Jiao@mediatek.com>
+Signed-off-by: Bo Jiao <Bo.Jiao@mediatek.com>
+Co-developed-by: Sujuan Chen <sujuan.chen@mediatek.com>
+Signed-off-by: Sujuan Chen <sujuan.chen@mediatek.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 8110437e5961 ("net: ethernet: mtk_eth_soc: fix resource leak in error path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 4 ++++
+ drivers/net/ethernet/mediatek/mtk_eth_soc.h | 2 ++
+ drivers/net/ethernet/mediatek/mtk_ppe.c | 24 +++++++++++++++------
+ drivers/net/ethernet/mediatek/mtk_ppe.h | 2 +-
+ 4 files changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 83c636d44142..3db24ddd1261 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -4210,6 +4210,7 @@ static const struct mtk_soc_data mt7621_data = {
+ .required_clks = MT7621_CLKS_BITMAP,
+ .required_pctl = false,
+ .offload_version = 2,
++ .hash_offset = 2,
+ .txrx = {
+ .txd_size = sizeof(struct mtk_tx_dma),
+ .rxd_size = sizeof(struct mtk_rx_dma),
+@@ -4228,6 +4229,7 @@ static const struct mtk_soc_data mt7622_data = {
+ .required_clks = MT7622_CLKS_BITMAP,
+ .required_pctl = false,
+ .offload_version = 2,
++ .hash_offset = 2,
+ .txrx = {
+ .txd_size = sizeof(struct mtk_tx_dma),
+ .rxd_size = sizeof(struct mtk_rx_dma),
+@@ -4245,6 +4247,7 @@ static const struct mtk_soc_data mt7623_data = {
+ .required_clks = MT7623_CLKS_BITMAP,
+ .required_pctl = true,
+ .offload_version = 2,
++ .hash_offset = 2,
+ .txrx = {
+ .txd_size = sizeof(struct mtk_tx_dma),
+ .rxd_size = sizeof(struct mtk_rx_dma),
+@@ -4278,6 +4281,7 @@ static const struct mtk_soc_data mt7986_data = {
+ .caps = MT7986_CAPS,
+ .required_clks = MT7986_CLKS_BITMAP,
+ .required_pctl = false,
++ .hash_offset = 4,
+ .txrx = {
+ .txd_size = sizeof(struct mtk_tx_dma_v2),
+ .rxd_size = sizeof(struct mtk_rx_dma_v2),
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+index 511752729f5c..26ed1c8b77c3 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+@@ -969,6 +969,7 @@ struct mtk_reg_map {
+ * the target SoC
+ * @required_pctl A bool value to show whether the SoC requires
+ * the extra setup for those pins used by GMAC.
++ * @hash_offset Flow table hash offset.
+ * @txd_size Tx DMA descriptor size.
+ * @rxd_size Rx DMA descriptor size.
+ * @rx_irq_done_mask Rx irq done register mask.
+@@ -983,6 +984,7 @@ struct mtk_soc_data {
+ u32 required_clks;
+ bool required_pctl;
+ u8 offload_version;
++ u8 hash_offset;
+ netdev_features_t hw_features;
+ struct {
+ u32 txd_size;
+diff --git a/drivers/net/ethernet/mediatek/mtk_ppe.c b/drivers/net/ethernet/mediatek/mtk_ppe.c
+index 148ea636ef97..6ecac461fd76 100644
+--- a/drivers/net/ethernet/mediatek/mtk_ppe.c
++++ b/drivers/net/ethernet/mediatek/mtk_ppe.c
+@@ -88,7 +88,7 @@ static void mtk_ppe_cache_enable(struct mtk_ppe *ppe, bool enable)
+ enable * MTK_PPE_CACHE_CTL_EN);
+ }
+
+-static u32 mtk_ppe_hash_entry(struct mtk_foe_entry *e)
++static u32 mtk_ppe_hash_entry(struct mtk_eth *eth, struct mtk_foe_entry *e)
+ {
+ u32 hv1, hv2, hv3;
+ u32 hash;
+@@ -122,7 +122,7 @@ static u32 mtk_ppe_hash_entry(struct mtk_foe_entry *e)
+ hash = (hash >> 24) | ((hash & 0xffffff) << 8);
+ hash ^= hv1 ^ hv2 ^ hv3;
+ hash ^= hash >> 16;
+- hash <<= 1;
++ hash <<= (ffs(eth->soc->hash_offset) - 1);
+ hash &= MTK_PPE_ENTRIES - 1;
+
+ return hash;
+@@ -540,15 +540,16 @@ mtk_foe_entry_commit_l2(struct mtk_ppe *ppe, struct mtk_flow_entry *entry)
+ int mtk_foe_entry_commit(struct mtk_ppe *ppe, struct mtk_flow_entry *entry)
+ {
+ int type = FIELD_GET(MTK_FOE_IB1_PACKET_TYPE, entry->data.ib1);
++ const struct mtk_soc_data *soc = ppe->eth->soc;
+ u32 hash;
+
+ if (type == MTK_PPE_PKT_TYPE_BRIDGE)
+ return mtk_foe_entry_commit_l2(ppe, entry);
+
+- hash = mtk_ppe_hash_entry(&entry->data);
++ hash = mtk_ppe_hash_entry(ppe->eth, &entry->data);
+ entry->hash = 0xffff;
+ spin_lock_bh(&ppe_lock);
+- hlist_add_head(&entry->list, &ppe->foe_flow[hash / 2]);
++ hlist_add_head(&entry->list, &ppe->foe_flow[hash / soc->hash_offset]);
+ spin_unlock_bh(&ppe_lock);
+
+ return 0;
+@@ -558,6 +559,7 @@ static void
+ mtk_foe_entry_commit_subflow(struct mtk_ppe *ppe, struct mtk_flow_entry *entry,
+ u16 hash)
+ {
++ const struct mtk_soc_data *soc = ppe->eth->soc;
+ struct mtk_flow_entry *flow_info;
+ struct mtk_foe_entry foe, *hwe;
+ struct mtk_foe_mac_info *l2;
+@@ -572,7 +574,8 @@ mtk_foe_entry_commit_subflow(struct mtk_ppe *ppe, struct mtk_flow_entry *entry,
+ flow_info->l2_data.base_flow = entry;
+ flow_info->type = MTK_FLOW_TYPE_L2_SUBFLOW;
+ flow_info->hash = hash;
+- hlist_add_head(&flow_info->list, &ppe->foe_flow[hash / 2]);
++ hlist_add_head(&flow_info->list,
++ &ppe->foe_flow[hash / soc->hash_offset]);
+ hlist_add_head(&flow_info->l2_data.list, &entry->l2_flows);
+
+ hwe = &ppe->foe_table[hash];
+@@ -596,7 +599,8 @@ mtk_foe_entry_commit_subflow(struct mtk_ppe *ppe, struct mtk_flow_entry *entry,
+
+ void __mtk_ppe_check_skb(struct mtk_ppe *ppe, struct sk_buff *skb, u16 hash)
+ {
+- struct hlist_head *head = &ppe->foe_flow[hash / 2];
++ const struct mtk_soc_data *soc = ppe->eth->soc;
++ struct hlist_head *head = &ppe->foe_flow[hash / soc->hash_offset];
+ struct mtk_foe_entry *hwe = &ppe->foe_table[hash];
+ struct mtk_flow_entry *entry;
+ struct mtk_foe_bridge key = {};
+@@ -680,9 +684,11 @@ int mtk_foe_entry_idle_time(struct mtk_ppe *ppe, struct mtk_flow_entry *entry)
+ struct mtk_ppe *mtk_ppe_init(struct mtk_eth *eth, void __iomem *base,
+ int version)
+ {
++ const struct mtk_soc_data *soc = eth->soc;
+ struct device *dev = eth->dev;
+ struct mtk_foe_entry *foe;
+ struct mtk_ppe *ppe;
++ u32 foe_flow_size;
+
+ ppe = devm_kzalloc(dev, sizeof(*ppe), GFP_KERNEL);
+ if (!ppe)
+@@ -705,6 +711,12 @@ struct mtk_ppe *mtk_ppe_init(struct mtk_eth *eth, void __iomem *base,
+
+ ppe->foe_table = foe;
+
++ foe_flow_size = (MTK_PPE_ENTRIES / soc->hash_offset) *
++ sizeof(*ppe->foe_flow);
++ ppe->foe_flow = devm_kzalloc(dev, foe_flow_size, GFP_KERNEL);
++ if (!ppe->foe_flow)
++ return NULL;
++
+ mtk_ppe_debugfs_init(ppe);
+
+ return ppe;
+diff --git a/drivers/net/ethernet/mediatek/mtk_ppe.h b/drivers/net/ethernet/mediatek/mtk_ppe.h
+index ceb7dfe281de..7a16503690f3 100644
+--- a/drivers/net/ethernet/mediatek/mtk_ppe.h
++++ b/drivers/net/ethernet/mediatek/mtk_ppe.h
+@@ -270,7 +270,7 @@ struct mtk_ppe {
+ dma_addr_t foe_phys;
+
+ u16 foe_check_time[MTK_PPE_ENTRIES];
+- struct hlist_head foe_flow[MTK_PPE_ENTRIES / 2];
++ struct hlist_head *foe_flow;
+
+ struct rhashtable l2_flows;
+
+--
+2.35.1
+
--- /dev/null
+From 321a0d21f20bb1651f164110cfff276422f4feba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 19:34:39 +0200
+Subject: net: liquidio: simplify if expression
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit 733d4bbf9514890eb53ebe75827bf1fb4fd25ebe ]
+
+Fix the warning reported by kbuild:
+
+cocci warnings: (new ones prefixed by >>)
+>> drivers/net/ethernet/cavium/liquidio/lio_main.c:1797:54-56: WARNING !A || A && B is equivalent to !A || B
+ drivers/net/ethernet/cavium/liquidio/lio_main.c:1827:54-56: WARNING !A || A && B is equivalent to !A || B
+
+Fixes: 8979f428a4af ("net: liquidio: release resources when liquidio driver open failed")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Saeed Mahameed <saeed@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/liquidio/lio_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c
+index bf6a72143040..1e5dc0ea0e31 100644
+--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c
++++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c
+@@ -1799,7 +1799,7 @@ static int liquidio_open(struct net_device *netdev)
+
+ ifstate_set(lio, LIO_IFSTATE_RUNNING);
+
+- if (!OCTEON_CN23XX_PF(oct) || (OCTEON_CN23XX_PF(oct) && !oct->msix_on)) {
++ if (!OCTEON_CN23XX_PF(oct) || !oct->msix_on) {
+ ret = setup_tx_poll_fn(netdev);
+ if (ret)
+ goto err_poll;
+@@ -1829,7 +1829,7 @@ static int liquidio_open(struct net_device *netdev)
+ return 0;
+
+ err_rx_ctrl:
+- if (!OCTEON_CN23XX_PF(oct) || (OCTEON_CN23XX_PF(oct) && !oct->msix_on))
++ if (!OCTEON_CN23XX_PF(oct) || !oct->msix_on)
+ cleanup_tx_poll_fn(netdev);
+ err_poll:
+ if (lio->ptp_clock) {
+--
+2.35.1
+
--- /dev/null
+From b1c19dd1a51c78e28e747637999bd947a52d65fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 19:10:31 +0800
+Subject: net: marvell: prestera: add missing unregister_netdev() in
+ prestera_port_create()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 9a234a2a085ab9fd2be8d0c1eedfcd10f74b97eb ]
+
+If prestera_port_sfp_bind() fails, unregister_netdev() should be called
+in error handling path.
+
+Compile tested only.
+
+Fixes: 52323ef75414 ("net: marvell: prestera: add phylink support")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://lore.kernel.org/r/1669115432-36841-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/prestera/prestera_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/marvell/prestera/prestera_main.c b/drivers/net/ethernet/marvell/prestera/prestera_main.c
+index a0ad0bcbf89f..9f588ecba93e 100644
+--- a/drivers/net/ethernet/marvell/prestera/prestera_main.c
++++ b/drivers/net/ethernet/marvell/prestera/prestera_main.c
+@@ -730,6 +730,7 @@ static int prestera_port_create(struct prestera_switch *sw, u32 id)
+ return 0;
+
+ err_sfp_bind:
++ unregister_netdev(dev);
+ err_register_netdev:
+ prestera_port_list_del(port);
+ err_port_init:
+--
+2.35.1
+
--- /dev/null
+From c70bcadfa56c1aaaecf4dd9813c4432922c00228 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 18:28:06 +0300
+Subject: net/mlx4: Check retval of mlx4_bitmap_init
+
+From: Peter Kosyh <pkosyh@yandex.ru>
+
+[ Upstream commit 594c61ffc77de0a197934aa0f1df9285c68801c6 ]
+
+If mlx4_bitmap_init fails, mlx4_bitmap_alloc_range will dereference
+the NULL pointer (bitmap->table).
+
+Make sure, that mlx4_bitmap_alloc_range called in no error case.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: d57febe1a478 ("net/mlx4: Add A0 hybrid steering")
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Peter Kosyh <pkosyh@yandex.ru>
+Link: https://lore.kernel.org/r/20221117152806.278072-1-pkosyh@yandex.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/qp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/qp.c b/drivers/net/ethernet/mellanox/mlx4/qp.c
+index b149e601f673..48cfaa7eaf50 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/qp.c
++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c
+@@ -697,7 +697,8 @@ static int mlx4_create_zones(struct mlx4_dev *dev,
+ err = mlx4_bitmap_init(*bitmap + k, 1,
+ MLX4_QP_TABLE_RAW_ETH_SIZE - 1, 0,
+ 0);
+- mlx4_bitmap_alloc_range(*bitmap + k, 1, 1, 0);
++ if (!err)
++ mlx4_bitmap_alloc_range(*bitmap + k, 1, 1, 0);
+ }
+
+ if (err)
+--
+2.35.1
+
--- /dev/null
+From 03872a04c29b00192985c348156b493fe21d79f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 May 2022 09:14:03 +0300
+Subject: net/mlx5: cmdif, Print info on any firmware cmd failure to tracepoint
+
+From: Moshe Shemesh <moshe@nvidia.com>
+
+[ Upstream commit 870c2481174b839e7159555127bc8b5a5d0699ba ]
+
+While moving to new CMD API (quiet API), some pre-existing flows may call the new API
+function that in case of error, returns the error instead of printing it as previously done.
+For such flows we bring back the print but to tracepoint this time for sys admins to
+have the ability to check for errors especially for commands using the new quiet API.
+
+Tracepoint output example:
+ devlink-1333 [001] ..... 822.746922: mlx5_cmd: ACCESS_REG(0x805) op_mod(0x0) failed, status bad resource(0x5), syndrome (0xb06e1f), err(-22)
+
+Fixes: f23519e542e5 ("net/mlx5: cmdif, Add new api for command execution")
+Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Maor Gottlieb <maorg@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 41 +++++++++--------
+ .../mellanox/mlx5/core/diag/cmd_tracepoint.h | 45 +++++++++++++++++++
+ include/linux/mlx5/driver.h | 1 +
+ 3 files changed, 68 insertions(+), 19 deletions(-)
+ create mode 100644 drivers/net/ethernet/mellanox/mlx5/core/diag/cmd_tracepoint.h
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index 2e0d59ca62b5..df3e284ca5c6 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -45,6 +45,8 @@
+ #include "mlx5_core.h"
+ #include "lib/eq.h"
+ #include "lib/tout.h"
++#define CREATE_TRACE_POINTS
++#include "diag/cmd_tracepoint.h"
+
+ enum {
+ CMD_IF_REV = 5,
+@@ -785,27 +787,14 @@ EXPORT_SYMBOL(mlx5_cmd_out_err);
+ static void cmd_status_print(struct mlx5_core_dev *dev, void *in, void *out)
+ {
+ u16 opcode, op_mod;
+- u32 syndrome;
+- u8 status;
+ u16 uid;
+- int err;
+-
+- syndrome = MLX5_GET(mbox_out, out, syndrome);
+- status = MLX5_GET(mbox_out, out, status);
+
+ opcode = MLX5_GET(mbox_in, in, opcode);
+ op_mod = MLX5_GET(mbox_in, in, op_mod);
+ uid = MLX5_GET(mbox_in, in, uid);
+
+- err = cmd_status_to_err(status);
+-
+ if (!uid && opcode != MLX5_CMD_OP_DESTROY_MKEY)
+ mlx5_cmd_out_err(dev, opcode, op_mod, out);
+- else
+- mlx5_core_dbg(dev,
+- "%s(0x%x) op_mod(0x%x) uid(%d) failed, status %s(0x%x), syndrome (0x%x), err(%d)\n",
+- mlx5_command_str(opcode), opcode, op_mod, uid,
+- cmd_status_str(status), status, syndrome, err);
+ }
+
+ int mlx5_cmd_check(struct mlx5_core_dev *dev, int err, void *in, void *out)
+@@ -1892,6 +1881,16 @@ static int cmd_exec(struct mlx5_core_dev *dev, void *in, int in_size, void *out,
+ return err;
+ }
+
++static void mlx5_cmd_err_trace(struct mlx5_core_dev *dev, u16 opcode, u16 op_mod, void *out)
++{
++ u32 syndrome = MLX5_GET(mbox_out, out, syndrome);
++ u8 status = MLX5_GET(mbox_out, out, status);
++
++ trace_mlx5_cmd(mlx5_command_str(opcode), opcode, op_mod,
++ cmd_status_str(status), status, syndrome,
++ cmd_status_to_err(status));
++}
++
+ static void cmd_status_log(struct mlx5_core_dev *dev, u16 opcode, u8 status,
+ u32 syndrome, int err)
+ {
+@@ -1914,7 +1913,7 @@ static void cmd_status_log(struct mlx5_core_dev *dev, u16 opcode, u8 status,
+ }
+
+ /* preserve -EREMOTEIO for outbox.status != OK, otherwise return err as is */
+-static int cmd_status_err(struct mlx5_core_dev *dev, int err, u16 opcode, void *out)
++static int cmd_status_err(struct mlx5_core_dev *dev, int err, u16 opcode, u16 op_mod, void *out)
+ {
+ u32 syndrome = MLX5_GET(mbox_out, out, syndrome);
+ u8 status = MLX5_GET(mbox_out, out, status);
+@@ -1922,8 +1921,10 @@ static int cmd_status_err(struct mlx5_core_dev *dev, int err, u16 opcode, void *
+ if (err == -EREMOTEIO) /* -EREMOTEIO is preserved */
+ err = -EIO;
+
+- if (!err && status != MLX5_CMD_STAT_OK)
++ if (!err && status != MLX5_CMD_STAT_OK) {
+ err = -EREMOTEIO;
++ mlx5_cmd_err_trace(dev, opcode, op_mod, out);
++ }
+
+ cmd_status_log(dev, opcode, status, syndrome, err);
+ return err;
+@@ -1951,9 +1952,9 @@ int mlx5_cmd_do(struct mlx5_core_dev *dev, void *in, int in_size, void *out, int
+ {
+ int err = cmd_exec(dev, in, in_size, out, out_size, NULL, NULL, false);
+ u16 opcode = MLX5_GET(mbox_in, in, opcode);
++ u16 op_mod = MLX5_GET(mbox_in, in, op_mod);
+
+- err = cmd_status_err(dev, err, opcode, out);
+- return err;
++ return cmd_status_err(dev, err, opcode, op_mod, out);
+ }
+ EXPORT_SYMBOL(mlx5_cmd_do);
+
+@@ -1997,8 +1998,9 @@ int mlx5_cmd_exec_polling(struct mlx5_core_dev *dev, void *in, int in_size,
+ {
+ int err = cmd_exec(dev, in, in_size, out, out_size, NULL, NULL, true);
+ u16 opcode = MLX5_GET(mbox_in, in, opcode);
++ u16 op_mod = MLX5_GET(mbox_in, in, op_mod);
+
+- err = cmd_status_err(dev, err, opcode, out);
++ err = cmd_status_err(dev, err, opcode, op_mod, out);
+ return mlx5_cmd_check(dev, err, in, out);
+ }
+ EXPORT_SYMBOL(mlx5_cmd_exec_polling);
+@@ -2034,7 +2036,7 @@ static void mlx5_cmd_exec_cb_handler(int status, void *_work)
+ struct mlx5_async_ctx *ctx;
+
+ ctx = work->ctx;
+- status = cmd_status_err(ctx->dev, status, work->opcode, work->out);
++ status = cmd_status_err(ctx->dev, status, work->opcode, work->op_mod, work->out);
+ work->user_callback(status, work);
+ if (atomic_dec_and_test(&ctx->num_inflight))
+ complete(&ctx->inflight_done);
+@@ -2049,6 +2051,7 @@ int mlx5_cmd_exec_cb(struct mlx5_async_ctx *ctx, void *in, int in_size,
+ work->ctx = ctx;
+ work->user_callback = callback;
+ work->opcode = MLX5_GET(mbox_in, in, opcode);
++ work->op_mod = MLX5_GET(mbox_in, in, op_mod);
+ work->out = out;
+ if (WARN_ON(!atomic_inc_not_zero(&ctx->num_inflight)))
+ return -EIO;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/cmd_tracepoint.h b/drivers/net/ethernet/mellanox/mlx5/core/diag/cmd_tracepoint.h
+new file mode 100644
+index 000000000000..406ebe17405f
+--- /dev/null
++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/cmd_tracepoint.h
+@@ -0,0 +1,45 @@
++/* SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB */
++/* Copyright (c) 2022, NVIDIA CORPORATION & AFFILIATES. All rights reserved. */
++
++#undef TRACE_SYSTEM
++#define TRACE_SYSTEM mlx5
++
++#if !defined(_MLX5_CMD_TP_H_) || defined(TRACE_HEADER_MULTI_READ)
++#define _MLX5_CMD_TP_H_
++
++#include <linux/tracepoint.h>
++#include <linux/trace_seq.h>
++
++TRACE_EVENT(mlx5_cmd,
++ TP_PROTO(const char *command_str, u16 opcode, u16 op_mod,
++ const char *status_str, u8 status, u32 syndrome, int err),
++ TP_ARGS(command_str, opcode, op_mod, status_str, status, syndrome, err),
++ TP_STRUCT__entry(__string(command_str, command_str)
++ __field(u16, opcode)
++ __field(u16, op_mod)
++ __string(status_str, status_str)
++ __field(u8, status)
++ __field(u32, syndrome)
++ __field(int, err)
++ ),
++ TP_fast_assign(__assign_str(command_str, command_str);
++ __entry->opcode = opcode;
++ __entry->op_mod = op_mod;
++ __assign_str(status_str, status_str);
++ __entry->status = status;
++ __entry->syndrome = syndrome;
++ __entry->err = err;
++ ),
++ TP_printk("%s(0x%x) op_mod(0x%x) failed, status %s(0x%x), syndrome (0x%x), err(%d)",
++ __get_str(command_str), __entry->opcode, __entry->op_mod,
++ __get_str(status_str), __entry->status, __entry->syndrome,
++ __entry->err)
++);
++
++#endif /* _MLX5_CMD_TP_H_ */
++
++#undef TRACE_INCLUDE_PATH
++#define TRACE_INCLUDE_PATH ./diag
++#undef TRACE_INCLUDE_FILE
++#define TRACE_INCLUDE_FILE cmd_tracepoint
++#include <trace/define_trace.h>
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index 454dab40baf6..2d56cfe0911d 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -984,6 +984,7 @@ struct mlx5_async_work {
+ struct mlx5_async_ctx *ctx;
+ mlx5_async_cbk_t user_callback;
+ u16 opcode; /* cmd opcode */
++ u16 op_mod; /* cmd op_mod */
+ void *out; /* pointer to the cmd output buffer */
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 5bb6463b36f7f0d83171dc1db39f3c1334661f4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Jul 2022 09:49:07 +0300
+Subject: net/mlx5: Do not query pci info while pci disabled
+
+From: Roy Novich <royno@nvidia.com>
+
+[ Upstream commit 394164f9d5a3020a7fd719d228386d48d544ec67 ]
+
+The driver should not interact with PCI while PCI is disabled. Trying to
+do so may result in being unable to get vital signs during PCI reset,
+driver gets timed out and fails to recover.
+
+Fixes: fad1783a6d66 ("net/mlx5: Print more info on pci error handlers")
+Signed-off-by: Roy Novich <royno@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Aya Levin <ayal@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+index e5e32430b6af..ac178796e484 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1759,7 +1759,8 @@ static pci_ers_result_t mlx5_pci_err_detected(struct pci_dev *pdev,
+ res = state == pci_channel_io_perm_failure ?
+ PCI_ERS_RESULT_DISCONNECT : PCI_ERS_RESULT_NEED_RESET;
+
+- mlx5_pci_trace(dev, "Exit, result = %d, %s\n", res, result2str(res));
++ mlx5_core_info(dev, "%s Device state = %d pci_status: %d. Exit, result = %d, %s\n",
++ __func__, dev->state, dev->pci_status, res, result2str(res));
+ return res;
+ }
+
+@@ -1798,7 +1799,8 @@ static pci_ers_result_t mlx5_pci_slot_reset(struct pci_dev *pdev)
+ struct mlx5_core_dev *dev = pci_get_drvdata(pdev);
+ int err;
+
+- mlx5_pci_trace(dev, "Enter\n");
++ mlx5_core_info(dev, "%s Device state = %d pci_status: %d. Enter\n",
++ __func__, dev->state, dev->pci_status);
+
+ err = mlx5_pci_enable_device(dev);
+ if (err) {
+@@ -1820,7 +1822,8 @@ static pci_ers_result_t mlx5_pci_slot_reset(struct pci_dev *pdev)
+
+ res = PCI_ERS_RESULT_RECOVERED;
+ out:
+- mlx5_pci_trace(dev, "Exit, err = %d, result = %d, %s\n", err, res, result2str(res));
++ mlx5_core_info(dev, "%s Device state = %d pci_status: %d. Exit, err = %d, result = %d, %s\n",
++ __func__, dev->state, dev->pci_status, err, res, result2str(res));
+ return res;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 2dda68e888d0819c8b8c04955e5ce4bdfcea87bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 11:10:15 +0200
+Subject: net/mlx5: E-Switch, Set correctly vport destination
+
+From: Roi Dayan <roid@nvidia.com>
+
+[ Upstream commit 6d942e40448931be9371f1ba8cb592778807ce18 ]
+
+The cited commit moved from using reformat_id integer to packet_reformat
+pointer which introduced the possibility to null pointer dereference.
+When setting packet reformat flag and pkt_reformat pointer must
+exists so checking MLX5_ESW_DEST_ENCAP is not enough, we need
+to make sure the pkt_reformat is valid and check for MLX5_ESW_DEST_ENCAP_VALID.
+If the dest encap valid flag does not exists then pkt_reformat can be
+either invalid address or null.
+Also, to make sure we don't try to access invalid pkt_reformat set it to
+null when invalidated and invalidate it before calling add flow code as
+its logically more correct and to be safe.
+
+Fixes: 2b688ea5efde ("net/mlx5: Add flow steering actions to fs_cmd shim layer")
+Signed-off-by: Roi Dayan <roid@nvidia.com>
+Reviewed-by: Chris Mi <cmi@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c | 10 ++++++----
+ .../net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 2 +-
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+index 5aff97914367..5b6a79d2034e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+@@ -224,15 +224,16 @@ void mlx5e_tc_encap_flows_del(struct mlx5e_priv *priv,
+ list_for_each_entry(flow, flow_list, tmp_list) {
+ if (!mlx5e_is_offloaded_flow(flow) || flow_flag_test(flow, SLOW))
+ continue;
+- spec = &flow->attr->parse_attr->spec;
+-
+- /* update from encap rule to slow path rule */
+- rule = mlx5e_tc_offload_to_slow_path(esw, flow, spec);
+
+ attr = mlx5e_tc_get_encap_attr(flow);
+ esw_attr = attr->esw_attr;
+ /* mark the flow's encap dest as non-valid */
+ esw_attr->dests[flow->tmp_entry_index].flags &= ~MLX5_ESW_DEST_ENCAP_VALID;
++ esw_attr->dests[flow->tmp_entry_index].pkt_reformat = NULL;
++
++ /* update from encap rule to slow path rule */
++ spec = &flow->attr->parse_attr->spec;
++ rule = mlx5e_tc_offload_to_slow_path(esw, flow, spec);
+
+ if (IS_ERR(rule)) {
+ err = PTR_ERR(rule);
+@@ -251,6 +252,7 @@ void mlx5e_tc_encap_flows_del(struct mlx5e_priv *priv,
+ /* we know that the encap is valid */
+ e->flags &= ~MLX5_ENCAP_ENTRY_VALID;
+ mlx5_packet_reformat_dealloc(priv->mdev, e->pkt_reformat);
++ e->pkt_reformat = NULL;
+ }
+
+ static void mlx5e_take_tmp_flow(struct mlx5e_tc_flow *flow,
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+index 3c68cac4a9c2..061ac8799354 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+@@ -431,7 +431,7 @@ esw_setup_vport_dest(struct mlx5_flow_destination *dest, struct mlx5_flow_act *f
+ mlx5_lag_mpesw_is_activated(esw->dev))
+ dest[dest_idx].type = MLX5_FLOW_DESTINATION_TYPE_UPLINK;
+ }
+- if (esw_attr->dests[attr_idx].flags & MLX5_ESW_DEST_ENCAP) {
++ if (esw_attr->dests[attr_idx].flags & MLX5_ESW_DEST_ENCAP_VALID) {
+ if (pkt_reformat) {
+ flow_act->action |= MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT;
+ flow_act->pkt_reformat = esw_attr->dests[attr_idx].pkt_reformat;
+--
+2.35.1
+
--- /dev/null
+From e840186a0281c8ef375548a025b9b8bda254c768 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Oct 2022 12:25:59 +0300
+Subject: net/mlx5: Fix FW tracer timestamp calculation
+
+From: Moshe Shemesh <moshe@nvidia.com>
+
+[ Upstream commit 61db3d7b99a367416e489ccf764cc5f9b00d62a1 ]
+
+Fix a bug in calculation of FW tracer timestamp. Decreasing one in the
+calculation should effect only bits 52_7 and not effect bits 6_0 of the
+timestamp, otherwise bits 6_0 are always set in this calculation.
+
+Fixes: 70dd6fdb8987 ("net/mlx5: FW tracer, parse traces and kernel tracing support")
+Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Feras Daoud <ferasda@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+index 978a2bb8e122..21831386b26e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+@@ -638,7 +638,7 @@ static void mlx5_tracer_handle_timestamp_trace(struct mlx5_fw_tracer *tracer,
+ trace_timestamp = (timestamp_event.timestamp & MASK_52_7) |
+ (str_frmt->timestamp & MASK_6_0);
+ else
+- trace_timestamp = ((timestamp_event.timestamp & MASK_52_7) - 1) |
++ trace_timestamp = ((timestamp_event.timestamp - 1) & MASK_52_7) |
+ (str_frmt->timestamp & MASK_6_0);
+
+ mlx5_tracer_print_trace(str_frmt, dev, trace_timestamp);
+--
+2.35.1
+
--- /dev/null
+From 86d068207a06e7badd2c3ec81512735c77800c65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 09:07:20 +0200
+Subject: net/mlx5: Fix handling of entry refcount when command is not issued
+ to FW
+
+From: Moshe Shemesh <moshe@nvidia.com>
+
+[ Upstream commit aaf2e65cac7f2e1ae729c2fbc849091df9699f96 ]
+
+In case command interface is down, or the command is not allowed, driver
+did not increment the entry refcount, but might have decrement as part
+of forced completion handling.
+
+Fix that by always increment and decrement the refcount to make it
+symmetric for all flows.
+
+Fixes: 50b2412b7e78 ("net/mlx5: Avoid possible free of command entry while timeout comp handler")
+Signed-off-by: Eran Ben Elisha <eranbe@nvidia.com>
+Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
+Reported-by: Jack Wang <jinpu.wang@ionos.com>
+Tested-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index df3e284ca5c6..74bd05e5dda2 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -1005,6 +1005,7 @@ static void cmd_work_handler(struct work_struct *work)
+ cmd_ent_get(ent);
+ set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state);
+
++ cmd_ent_get(ent); /* for the _real_ FW event on completion */
+ /* Skip sending command to fw if internal error */
+ if (mlx5_cmd_is_down(dev) || !opcode_allowed(&dev->cmd, ent->op)) {
+ ent->ret = -ENXIO;
+@@ -1012,7 +1013,6 @@ static void cmd_work_handler(struct work_struct *work)
+ return;
+ }
+
+- cmd_ent_get(ent); /* for the _real_ FW event on completion */
+ /* ring doorbell after the descriptor is valid */
+ mlx5_core_dbg(dev, "writing 0x%x to command doorbell\n", 1 << ent->idx);
+ wmb();
+@@ -1661,8 +1661,8 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force
+ cmd_ent_put(ent); /* timeout work was canceled */
+
+ if (!forced || /* Real FW completion */
+- pci_channel_offline(dev->pdev) || /* FW is inaccessible */
+- dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR)
++ mlx5_cmd_is_down(dev) || /* No real FW completion is expected */
++ !opcode_allowed(cmd, ent->op))
+ cmd_ent_put(ent);
+
+ ent->ts2 = ktime_get_ns();
+--
+2.35.1
+
--- /dev/null
+From 7e1c7c716ce90dbf2d4c77791d60c06faa84ee95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Oct 2022 09:03:48 +0300
+Subject: net/mlx5: Fix sync reset event handler error flow
+
+From: Moshe Shemesh <moshe@nvidia.com>
+
+[ Upstream commit e1ad07b9227f9cbaf4bd2b6ec00b84c303657593 ]
+
+When sync reset now event handling fails on mlx5_pci_link_toggle() then
+no reset was done. However, since mlx5_cmd_fast_teardown_hca() was
+already done, the firmware function is closed and the driver is left
+without firmware functionality.
+
+Fix it by setting device error state and reopen the firmware resources.
+Reopening is done by the thread that was called for devlink reload
+fw_activate as it already holds the devlink lock.
+
+Fixes: 5ec697446f46 ("net/mlx5: Add support for devlink reload action fw activate")
+Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Aya Levin <ayal@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
+index 9d908a0ccfef..1e46f9afa40e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
+@@ -9,7 +9,8 @@ enum {
+ MLX5_FW_RESET_FLAGS_RESET_REQUESTED,
+ MLX5_FW_RESET_FLAGS_NACK_RESET_REQUEST,
+ MLX5_FW_RESET_FLAGS_PENDING_COMP,
+- MLX5_FW_RESET_FLAGS_DROP_NEW_REQUESTS
++ MLX5_FW_RESET_FLAGS_DROP_NEW_REQUESTS,
++ MLX5_FW_RESET_FLAGS_RELOAD_REQUIRED
+ };
+
+ struct mlx5_fw_reset {
+@@ -406,7 +407,7 @@ static void mlx5_sync_reset_now_event(struct work_struct *work)
+ err = mlx5_pci_link_toggle(dev);
+ if (err) {
+ mlx5_core_warn(dev, "mlx5_pci_link_toggle failed, no reset done, err %d\n", err);
+- goto done;
++ set_bit(MLX5_FW_RESET_FLAGS_RELOAD_REQUIRED, &fw_reset->reset_flags);
+ }
+
+ mlx5_enter_error_state(dev, true);
+@@ -482,6 +483,10 @@ int mlx5_fw_reset_wait_reset_done(struct mlx5_core_dev *dev)
+ goto out;
+ }
+ err = fw_reset->ret;
++ if (test_and_clear_bit(MLX5_FW_RESET_FLAGS_RELOAD_REQUIRED, &fw_reset->reset_flags)) {
++ mlx5_unload_one_devl_locked(dev);
++ mlx5_load_one_devl_locked(dev, false);
++ }
+ out:
+ clear_bit(MLX5_FW_RESET_FLAGS_PENDING_COMP, &fw_reset->reset_flags);
+ return err;
+--
+2.35.1
+
--- /dev/null
+From eebe589567154bca6359d245da694b5a94532ec4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 12:38:41 +0300
+Subject: net/mlx5: SF: Fix probing active SFs during driver probe phase
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit 4f57332d6a551185ba729617f04455e83fbe4e41 ]
+
+When SF devices and SF port representors are located on different
+functions, unloading and reloading of SF parent driver doesn't recreate
+the existing SF present in the device.
+Fix it by querying SFs and probe active SFs during driver probe phase.
+
+Fixes: 90d010b8634b ("net/mlx5: SF, Add auxiliary device support")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Parav Pandit <parav@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/mellanox/mlx5/core/sf/dev/dev.c | 88 +++++++++++++++++++
+ 1 file changed, 88 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/dev.c b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/dev.c
+index 7da012ff0d41..8e2abbab05f0 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/dev.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/dev.c
+@@ -18,6 +18,10 @@ struct mlx5_sf_dev_table {
+ phys_addr_t base_address;
+ u64 sf_bar_length;
+ struct notifier_block nb;
++ struct mutex table_lock; /* Serializes sf life cycle and vhca state change handler */
++ struct workqueue_struct *active_wq;
++ struct work_struct work;
++ u8 stop_active_wq:1;
+ struct mlx5_core_dev *dev;
+ };
+
+@@ -168,6 +172,7 @@ mlx5_sf_dev_state_change_handler(struct notifier_block *nb, unsigned long event_
+ return 0;
+
+ sf_index = event->function_id - base_id;
++ mutex_lock(&table->table_lock);
+ sf_dev = xa_load(&table->devices, sf_index);
+ switch (event->new_vhca_state) {
+ case MLX5_VHCA_STATE_INVALID:
+@@ -191,6 +196,7 @@ mlx5_sf_dev_state_change_handler(struct notifier_block *nb, unsigned long event_
+ default:
+ break;
+ }
++ mutex_unlock(&table->table_lock);
+ return 0;
+ }
+
+@@ -215,6 +221,78 @@ static int mlx5_sf_dev_vhca_arm_all(struct mlx5_sf_dev_table *table)
+ return 0;
+ }
+
++static void mlx5_sf_dev_add_active_work(struct work_struct *work)
++{
++ struct mlx5_sf_dev_table *table = container_of(work, struct mlx5_sf_dev_table, work);
++ u32 out[MLX5_ST_SZ_DW(query_vhca_state_out)] = {};
++ struct mlx5_core_dev *dev = table->dev;
++ u16 max_functions;
++ u16 function_id;
++ u16 sw_func_id;
++ int err = 0;
++ u8 state;
++ int i;
++
++ max_functions = mlx5_sf_max_functions(dev);
++ function_id = MLX5_CAP_GEN(dev, sf_base_id);
++ for (i = 0; i < max_functions; i++, function_id++) {
++ if (table->stop_active_wq)
++ return;
++ err = mlx5_cmd_query_vhca_state(dev, function_id, out, sizeof(out));
++ if (err)
++ /* A failure of specific vhca doesn't mean others will
++ * fail as well.
++ */
++ continue;
++ state = MLX5_GET(query_vhca_state_out, out, vhca_state_context.vhca_state);
++ if (state != MLX5_VHCA_STATE_ACTIVE)
++ continue;
++
++ sw_func_id = MLX5_GET(query_vhca_state_out, out, vhca_state_context.sw_function_id);
++ mutex_lock(&table->table_lock);
++ /* Don't probe device which is already probe */
++ if (!xa_load(&table->devices, i))
++ mlx5_sf_dev_add(dev, i, function_id, sw_func_id);
++ /* There is a race where SF got inactive after the query
++ * above. e.g.: the query returns that the state of the
++ * SF is active, and after that the eswitch manager set it to
++ * inactive.
++ * This case cannot be managed in SW, since the probing of the
++ * SF is on one system, and the inactivation is on a different
++ * system.
++ * If the inactive is done after the SF perform init_hca(),
++ * the SF will fully probe and then removed. If it was
++ * done before init_hca(), the SF probe will fail.
++ */
++ mutex_unlock(&table->table_lock);
++ }
++}
++
++/* In case SFs are generated externally, probe active SFs */
++static int mlx5_sf_dev_queue_active_work(struct mlx5_sf_dev_table *table)
++{
++ if (MLX5_CAP_GEN(table->dev, eswitch_manager))
++ return 0; /* the table is local */
++
++ /* Use a workqueue to probe active SFs, which are in large
++ * quantity and may take up to minutes to probe.
++ */
++ table->active_wq = create_singlethread_workqueue("mlx5_active_sf");
++ if (!table->active_wq)
++ return -ENOMEM;
++ INIT_WORK(&table->work, &mlx5_sf_dev_add_active_work);
++ queue_work(table->active_wq, &table->work);
++ return 0;
++}
++
++static void mlx5_sf_dev_destroy_active_work(struct mlx5_sf_dev_table *table)
++{
++ if (table->active_wq) {
++ table->stop_active_wq = true;
++ destroy_workqueue(table->active_wq);
++ }
++}
++
+ void mlx5_sf_dev_table_create(struct mlx5_core_dev *dev)
+ {
+ struct mlx5_sf_dev_table *table;
+@@ -240,11 +318,17 @@ void mlx5_sf_dev_table_create(struct mlx5_core_dev *dev)
+ table->base_address = pci_resource_start(dev->pdev, 2);
+ table->max_sfs = max_sfs;
+ xa_init(&table->devices);
++ mutex_init(&table->table_lock);
+ dev->priv.sf_dev_table = table;
+
+ err = mlx5_vhca_event_notifier_register(dev, &table->nb);
+ if (err)
+ goto vhca_err;
++
++ err = mlx5_sf_dev_queue_active_work(table);
++ if (err)
++ goto add_active_err;
++
+ err = mlx5_sf_dev_vhca_arm_all(table);
+ if (err)
+ goto arm_err;
+@@ -252,6 +336,8 @@ void mlx5_sf_dev_table_create(struct mlx5_core_dev *dev)
+ return;
+
+ arm_err:
++ mlx5_sf_dev_destroy_active_work(table);
++add_active_err:
+ mlx5_vhca_event_notifier_unregister(dev, &table->nb);
+ vhca_err:
+ table->max_sfs = 0;
+@@ -279,7 +365,9 @@ void mlx5_sf_dev_table_destroy(struct mlx5_core_dev *dev)
+ if (!table)
+ return;
+
++ mlx5_sf_dev_destroy_active_work(table);
+ mlx5_vhca_event_notifier_unregister(dev, &table->nb);
++ mutex_destroy(&table->table_lock);
+
+ /* Now that event handler is not running, it is safe to destroy
+ * the sf device without race.
+--
+2.35.1
+
--- /dev/null
+From 5e25da545fee2753d618391ccfe3afade0fa4144 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 07:45:45 +0200
+Subject: net/mlx5e: Offload rule only when all encaps are valid
+
+From: Chris Mi <cmi@nvidia.com>
+
+[ Upstream commit f377422044b2093c835e5f3717f8c8c58da1db1f ]
+
+The cited commit adds a for loop to support multiple encapsulations.
+But it only checks if the last encap is valid.
+
+Fix it by setting slow path flag when one of the encap is invalid.
+
+Fixes: f493f15534ec ("net/mlx5e: Move flow attr reformat action bit to per dest flags")
+Signed-off-by: Chris Mi <cmi@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/en/tc_tun_encap.c | 6 ++----
+ .../mellanox/mlx5/core/en/tc_tun_encap.h | 3 +--
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 17 ++++++-----------
+ 3 files changed, 9 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+index 5b6a79d2034e..ff73d25bc6eb 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+@@ -764,8 +764,7 @@ int mlx5e_attach_encap(struct mlx5e_priv *priv,
+ struct net_device *mirred_dev,
+ int out_index,
+ struct netlink_ext_ack *extack,
+- struct net_device **encap_dev,
+- bool *encap_valid)
++ struct net_device **encap_dev)
+ {
+ struct mlx5_eswitch *esw = priv->mdev->priv.eswitch;
+ struct mlx5e_tc_flow_parse_attr *parse_attr;
+@@ -880,9 +879,8 @@ int mlx5e_attach_encap(struct mlx5e_priv *priv,
+ if (e->flags & MLX5_ENCAP_ENTRY_VALID) {
+ attr->esw_attr->dests[out_index].pkt_reformat = e->pkt_reformat;
+ attr->esw_attr->dests[out_index].flags |= MLX5_ESW_DEST_ENCAP_VALID;
+- *encap_valid = true;
+ } else {
+- *encap_valid = false;
++ flow_flag_set(flow, SLOW);
+ }
+ mutex_unlock(&esw->offloads.encap_tbl_lock);
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.h b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.h
+index d542b8476491..8ad273dde40e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.h
+@@ -17,8 +17,7 @@ int mlx5e_attach_encap(struct mlx5e_priv *priv,
+ struct net_device *mirred_dev,
+ int out_index,
+ struct netlink_ext_ack *extack,
+- struct net_device **encap_dev,
+- bool *encap_valid);
++ struct net_device **encap_dev);
+
+ int mlx5e_attach_decap(struct mlx5e_priv *priv,
+ struct mlx5e_tc_flow *flow,
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+index 229c14b1af00..949ef560df78 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -1620,7 +1620,6 @@ set_encap_dests(struct mlx5e_priv *priv,
+ struct mlx5e_tc_flow *flow,
+ struct mlx5_flow_attr *attr,
+ struct netlink_ext_ack *extack,
+- bool *encap_valid,
+ bool *vf_tun)
+ {
+ struct mlx5e_tc_flow_parse_attr *parse_attr;
+@@ -1637,7 +1636,6 @@ set_encap_dests(struct mlx5e_priv *priv,
+ parse_attr = attr->parse_attr;
+ esw_attr = attr->esw_attr;
+ *vf_tun = false;
+- *encap_valid = true;
+
+ for (out_index = 0; out_index < MLX5_MAX_FLOW_FWD_VPORTS; out_index++) {
+ struct net_device *out_dev;
+@@ -1654,7 +1652,7 @@ set_encap_dests(struct mlx5e_priv *priv,
+ goto out;
+ }
+ err = mlx5e_attach_encap(priv, flow, attr, out_dev, out_index,
+- extack, &encap_dev, encap_valid);
++ extack, &encap_dev);
+ dev_put(out_dev);
+ if (err)
+ goto out;
+@@ -1718,8 +1716,8 @@ mlx5e_tc_add_fdb_flow(struct mlx5e_priv *priv,
+ struct mlx5e_tc_flow_parse_attr *parse_attr;
+ struct mlx5_flow_attr *attr = flow->attr;
+ struct mlx5_esw_flow_attr *esw_attr;
+- bool vf_tun, encap_valid;
+ u32 max_prio, max_chain;
++ bool vf_tun;
+ int err = 0;
+
+ parse_attr = attr->parse_attr;
+@@ -1809,7 +1807,7 @@ mlx5e_tc_add_fdb_flow(struct mlx5e_priv *priv,
+ esw_attr->int_port = int_port;
+ }
+
+- err = set_encap_dests(priv, flow, attr, extack, &encap_valid, &vf_tun);
++ err = set_encap_dests(priv, flow, attr, extack, &vf_tun);
+ if (err)
+ goto err_out;
+
+@@ -1839,7 +1837,7 @@ mlx5e_tc_add_fdb_flow(struct mlx5e_priv *priv,
+ * (1) there's no error
+ * (2) there's an encap action and we don't have valid neigh
+ */
+- if (!encap_valid || flow_flag_test(flow, SLOW))
++ if (flow_flag_test(flow, SLOW))
+ flow->rule[0] = mlx5e_tc_offload_to_slow_path(esw, flow, &parse_attr->spec);
+ else
+ flow->rule[0] = mlx5e_tc_offload_fdb_rules(esw, flow, &parse_attr->spec, attr);
+@@ -3737,7 +3735,7 @@ alloc_flow_post_acts(struct mlx5e_tc_flow *flow, struct netlink_ext_ack *extack)
+ struct mlx5e_post_act *post_act = get_post_action(flow->priv);
+ struct mlx5_flow_attr *attr, *next_attr = NULL;
+ struct mlx5e_post_act_handle *handle;
+- bool vf_tun, encap_valid = true;
++ bool vf_tun;
+ int err;
+
+ /* This is going in reverse order as needed.
+@@ -3759,13 +3757,10 @@ alloc_flow_post_acts(struct mlx5e_tc_flow *flow, struct netlink_ext_ack *extack)
+ if (list_is_last(&attr->list, &flow->attrs))
+ break;
+
+- err = set_encap_dests(flow->priv, flow, attr, extack, &encap_valid, &vf_tun);
++ err = set_encap_dests(flow->priv, flow, attr, extack, &vf_tun);
+ if (err)
+ goto out_free;
+
+- if (!encap_valid)
+- flow_flag_set(flow, SLOW);
+-
+ err = actions_prepare_mod_hdr_actions(flow->priv, flow, attr, extack);
+ if (err)
+ goto out_free;
+--
+2.35.1
+
--- /dev/null
+From 0a4159b014052763351d29204f4583893185e041 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 16:40:32 +0800
+Subject: net: mvpp2: fix possible invalid pointer dereference
+
+From: Hui Tang <tanghui20@huawei.com>
+
+[ Upstream commit cbe867685386af1f0a2648f5279f6e4c74bfd17f ]
+
+It will cause invalid pointer dereference to priv->cm3_base behind,
+if PTR_ERR(priv->cm3_base) in mvpp2_get_sram().
+
+Fixes: e54ad1e01c00 ("net: mvpp2: add CM3 SRAM memory map")
+Signed-off-by: Hui Tang <tanghui20@huawei.com>
+Link: https://lore.kernel.org/r/20221117084032.101144-1-tanghui20@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index eaa51cd7456b..8f86be995092 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -7352,6 +7352,7 @@ static int mvpp2_get_sram(struct platform_device *pdev,
+ struct mvpp2 *priv)
+ {
+ struct resource *res;
++ void __iomem *base;
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 2);
+ if (!res) {
+@@ -7362,9 +7363,12 @@ static int mvpp2_get_sram(struct platform_device *pdev,
+ return 0;
+ }
+
+- priv->cm3_base = devm_ioremap_resource(&pdev->dev, res);
++ base = devm_ioremap_resource(&pdev->dev, res);
++ if (IS_ERR(base))
++ return PTR_ERR(base);
+
+- return PTR_ERR_OR_ZERO(priv->cm3_base);
++ priv->cm3_base = base;
++ return 0;
+ }
+
+ static int mvpp2_probe(struct platform_device *pdev)
+--
+2.35.1
+
--- /dev/null
+From c26d17d65872f3c6aa61e7094f72ba797cff2454 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 23:09:41 +0100
+Subject: net: neigh: decrement the family specific qlen
+
+From: Thomas Zeitlhofer <thomas.zeitlhofer+lkml@ze-it.at>
+
+[ Upstream commit 8207f253a097fe15c93d85ac15ebb73c5e39e1e1 ]
+
+Commit 0ff4eb3d5ebb ("neighbour: make proxy_queue.qlen limit
+per-device") introduced the length counter qlen in struct neigh_parms.
+There are separate neigh_parms instances for IPv4/ARP and IPv6/ND, and
+while the family specific qlen is incremented in pneigh_enqueue(), the
+mentioned commit decrements always the IPv4/ARP specific qlen,
+regardless of the currently processed family, in pneigh_queue_purge()
+and neigh_proxy_process().
+
+As a result, with IPv6/ND, the family specific qlen is only incremented
+(and never decremented) until it exceeds PROXY_QLEN, and then, according
+to the check in pneigh_enqueue(), neighbor solicitations are not
+answered anymore. As an example, this is noted when using the
+subnet-router anycast address to access a Linux router. After a certain
+amount of time (in the observed case, qlen exceeded PROXY_QLEN after two
+days), the Linux router stops answering neighbor solicitations for its
+subnet-router anycast address and effectively becomes unreachable.
+
+Another result with IPv6/ND is that the IPv4/ARP specific qlen is
+decremented more often than incremented. This leads to negative qlen
+values, as a signed integer has been used for the length counter qlen,
+and potentially to an integer overflow.
+
+Fix this by introducing the helper function neigh_parms_qlen_dec(),
+which decrements the family specific qlen. Thereby, make use of the
+existing helper function neigh_get_dev_parms_rcu(), whose definition
+therefore needs to be placed earlier in neighbour.c. Take the family
+member from struct neigh_table to determine the currently processed
+family and appropriately call neigh_parms_qlen_dec() from
+pneigh_queue_purge() and neigh_proxy_process().
+
+Additionally, use an unsigned integer for the length counter qlen.
+
+Fixes: 0ff4eb3d5ebb ("neighbour: make proxy_queue.qlen limit per-device")
+Signed-off-by: Thomas Zeitlhofer <thomas.zeitlhofer+lkml@ze-it.at>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/neighbour.h | 2 +-
+ net/core/neighbour.c | 58 +++++++++++++++++++++--------------------
+ 2 files changed, 31 insertions(+), 29 deletions(-)
+
+diff --git a/include/net/neighbour.h b/include/net/neighbour.h
+index 3827a6b395fd..bce6b228cf56 100644
+--- a/include/net/neighbour.h
++++ b/include/net/neighbour.h
+@@ -83,7 +83,7 @@ struct neigh_parms {
+ struct rcu_head rcu_head;
+
+ int reachable_time;
+- int qlen;
++ u32 qlen;
+ int data[NEIGH_VAR_DATA_MAX];
+ DECLARE_BITMAP(data_state, NEIGH_VAR_DATA_MAX);
+ };
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index 84755db81e9d..35f5a3125808 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -307,7 +307,31 @@ static int neigh_del_timer(struct neighbour *n)
+ return 0;
+ }
+
+-static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net)
++static struct neigh_parms *neigh_get_dev_parms_rcu(struct net_device *dev,
++ int family)
++{
++ switch (family) {
++ case AF_INET:
++ return __in_dev_arp_parms_get_rcu(dev);
++ case AF_INET6:
++ return __in6_dev_nd_parms_get_rcu(dev);
++ }
++ return NULL;
++}
++
++static void neigh_parms_qlen_dec(struct net_device *dev, int family)
++{
++ struct neigh_parms *p;
++
++ rcu_read_lock();
++ p = neigh_get_dev_parms_rcu(dev, family);
++ if (p)
++ p->qlen--;
++ rcu_read_unlock();
++}
++
++static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net,
++ int family)
+ {
+ struct sk_buff_head tmp;
+ unsigned long flags;
+@@ -321,13 +345,7 @@ static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net)
+ struct net_device *dev = skb->dev;
+
+ if (net == NULL || net_eq(dev_net(dev), net)) {
+- struct in_device *in_dev;
+-
+- rcu_read_lock();
+- in_dev = __in_dev_get_rcu(dev);
+- if (in_dev)
+- in_dev->arp_parms->qlen--;
+- rcu_read_unlock();
++ neigh_parms_qlen_dec(dev, family);
+ __skb_unlink(skb, list);
+ __skb_queue_tail(&tmp, skb);
+ }
+@@ -409,7 +427,8 @@ static int __neigh_ifdown(struct neigh_table *tbl, struct net_device *dev,
+ write_lock_bh(&tbl->lock);
+ neigh_flush_dev(tbl, dev, skip_perm);
+ pneigh_ifdown_and_unlock(tbl, dev);
+- pneigh_queue_purge(&tbl->proxy_queue, dev ? dev_net(dev) : NULL);
++ pneigh_queue_purge(&tbl->proxy_queue, dev ? dev_net(dev) : NULL,
++ tbl->family);
+ if (skb_queue_empty_lockless(&tbl->proxy_queue))
+ del_timer_sync(&tbl->proxy_timer);
+ return 0;
+@@ -1621,13 +1640,8 @@ static void neigh_proxy_process(struct timer_list *t)
+
+ if (tdif <= 0) {
+ struct net_device *dev = skb->dev;
+- struct in_device *in_dev;
+
+- rcu_read_lock();
+- in_dev = __in_dev_get_rcu(dev);
+- if (in_dev)
+- in_dev->arp_parms->qlen--;
+- rcu_read_unlock();
++ neigh_parms_qlen_dec(dev, tbl->family);
+ __skb_unlink(skb, &tbl->proxy_queue);
+
+ if (tbl->proxy_redo && netif_running(dev)) {
+@@ -1821,7 +1835,7 @@ int neigh_table_clear(int index, struct neigh_table *tbl)
+ cancel_delayed_work_sync(&tbl->managed_work);
+ cancel_delayed_work_sync(&tbl->gc_work);
+ del_timer_sync(&tbl->proxy_timer);
+- pneigh_queue_purge(&tbl->proxy_queue, NULL);
++ pneigh_queue_purge(&tbl->proxy_queue, NULL, tbl->family);
+ neigh_ifdown(tbl, NULL);
+ if (atomic_read(&tbl->entries))
+ pr_crit("neighbour leakage\n");
+@@ -3542,18 +3556,6 @@ static int proc_unres_qlen(struct ctl_table *ctl, int write,
+ return ret;
+ }
+
+-static struct neigh_parms *neigh_get_dev_parms_rcu(struct net_device *dev,
+- int family)
+-{
+- switch (family) {
+- case AF_INET:
+- return __in_dev_arp_parms_get_rcu(dev);
+- case AF_INET6:
+- return __in6_dev_nd_parms_get_rcu(dev);
+- }
+- return NULL;
+-}
+-
+ static void neigh_copy_dflt_parms(struct net *net, struct neigh_parms *p,
+ int index)
+ {
+--
+2.35.1
+
--- /dev/null
+From c5ec43f7a3e4f4e532f31b80347d908a05ae70cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 21:51:48 +0800
+Subject: net: pch_gbe: fix pci device refcount leak while module exiting
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 5619537284f1017e9f6c7500b02b859b3830a06d ]
+
+As comment of pci_get_domain_bus_and_slot() says, it returns
+a pci device with refcount increment, when finish using it,
+the caller must decrement the reference count by calling
+pci_dev_put().
+
+In pch_gbe_probe(), pci_get_domain_bus_and_slot() is called,
+so in error path in probe() and remove() function, pci_dev_put()
+should be called to avoid refcount leak. Compile tested only.
+
+Fixes: 1a0bdadb4e36 ("net/pch_gbe: supports eg20t ptp clock")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221117135148.301014-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+index 98792907a4c3..63b6b7d86ccb 100644
+--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+@@ -2460,6 +2460,7 @@ static void pch_gbe_remove(struct pci_dev *pdev)
+ unregister_netdev(netdev);
+
+ pch_gbe_phy_hw_reset(&adapter->hw);
++ pci_dev_put(adapter->ptp_pdev);
+
+ free_netdev(netdev);
+ }
+@@ -2535,7 +2536,7 @@ static int pch_gbe_probe(struct pci_dev *pdev,
+ /* setup the private structure */
+ ret = pch_gbe_sw_init(adapter);
+ if (ret)
+- goto err_free_netdev;
++ goto err_put_dev;
+
+ /* Initialize PHY */
+ ret = pch_gbe_init_phy(adapter);
+@@ -2593,6 +2594,8 @@ static int pch_gbe_probe(struct pci_dev *pdev,
+
+ err_free_adapter:
+ pch_gbe_phy_hw_reset(&adapter->hw);
++err_put_dev:
++ pci_dev_put(adapter->ptp_pdev);
+ err_free_netdev:
+ free_netdev(netdev);
+ return ret;
+--
+2.35.1
+
--- /dev/null
+From 0ebba388f1ab3fac28a3a99366c8801c02b6b2a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 14:55:27 +0800
+Subject: net: pch_gbe: fix potential memleak in pch_gbe_tx_queue()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 2360f9b8c4e81d242d4cbf99d630a2fffa681fab ]
+
+In pch_gbe_xmit_frame(), NETDEV_TX_OK will be returned whether
+pch_gbe_tx_queue() sends data successfully or not, so pch_gbe_tx_queue()
+needs to free skb before returning. But pch_gbe_tx_queue() returns without
+freeing skb in case of dma_map_single() fails. Add dev_kfree_skb_any()
+to fix it.
+
+Fixes: 77555ee72282 ("net: Add Gigabit Ethernet driver of Topcliff PCH")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+index 46da937ad27f..98792907a4c3 100644
+--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+@@ -1143,6 +1143,7 @@ static void pch_gbe_tx_queue(struct pch_gbe_adapter *adapter,
+ buffer_info->dma = 0;
+ buffer_info->time_stamp = 0;
+ tx_ring->next_to_use = ring_num;
++ dev_kfree_skb_any(skb);
+ return;
+ }
+ buffer_info->mapped = true;
+--
+2.35.1
+
--- /dev/null
+From 6a435eca6e713eb787fb747672607f1d506c7e41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 10:36:35 +0000
+Subject: net: phy: at803x: fix error return code in at803x_probe()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 1f0dd412e34e177621769866bef347f0b22364df ]
+
+Fix to return a negative error code from the ccr read error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: 3265f4218878 ("net: phy: at803x: add fiber support")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20221118103635.254256-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/at803x.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/at803x.c b/drivers/net/phy/at803x.c
+index 59fe356942b5..249e7ee4a2bb 100644
+--- a/drivers/net/phy/at803x.c
++++ b/drivers/net/phy/at803x.c
+@@ -862,8 +862,10 @@ static int at803x_probe(struct phy_device *phydev)
+ .wolopts = 0,
+ };
+
+- if (ccr < 0)
++ if (ccr < 0) {
++ ret = ccr;
+ goto err;
++ }
+ mode_cfg = ccr & AT803X_MODE_CFG_MASK;
+
+ switch (mode_cfg) {
+--
+2.35.1
+
--- /dev/null
+From 3c44ca99934207f7ac2d559d8c1a84223f1fadcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 16:50:38 +0800
+Subject: net/qla3xxx: fix potential memleak in ql3xxx_send()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 62a7311fb96c61d281da9852dbee4712fc8c3277 ]
+
+The ql3xxx_send() returns NETDEV_TX_OK without freeing skb in error
+handling case, add dev_kfree_skb_any() to fix it.
+
+Fixes: bd36b0ac5d06 ("qla3xxx: Add support for Qlogic 4032 chip.")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1668675039-21138-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qla3xxx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c
+index 06f4d9a9e938..5a2d70a91868 100644
+--- a/drivers/net/ethernet/qlogic/qla3xxx.c
++++ b/drivers/net/ethernet/qlogic/qla3xxx.c
+@@ -2471,6 +2471,7 @@ static netdev_tx_t ql3xxx_send(struct sk_buff *skb,
+ skb_shinfo(skb)->nr_frags);
+ if (tx_cb->seg_count == -1) {
+ netdev_err(ndev, "%s: invalid segment count!\n", __func__);
++ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From e773288f8d7d8d4143f564eb1d83ab0006a66108 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 16:33:03 -0500
+Subject: net: sched: allow act_ct to be built without NF_NAT
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 8427fd100c7b7793650e212a81e42f1cf124613d ]
+
+In commit f11fe1dae1c4 ("net/sched: Make NET_ACT_CT depends on NF_NAT"),
+it fixed the build failure when NF_NAT is m and NET_ACT_CT is y by
+adding depends on NF_NAT for NET_ACT_CT. However, it would also cause
+NET_ACT_CT cannot be built without NF_NAT, which is not expected. This
+patch fixes it by changing to use "(!NF_NAT || NF_NAT)" as the depend.
+
+Fixes: f11fe1dae1c4 ("net/sched: Make NET_ACT_CT depends on NF_NAT")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://lore.kernel.org/r/b6386f28d1ba34721795fb776a91cbdabb203447.1668807183.git.lucien.xin@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/Kconfig b/net/sched/Kconfig
+index 1e8ab4749c6c..4662a6ce8a7e 100644
+--- a/net/sched/Kconfig
++++ b/net/sched/Kconfig
+@@ -976,7 +976,7 @@ config NET_ACT_TUNNEL_KEY
+
+ config NET_ACT_CT
+ tristate "connection tracking tc action"
+- depends on NET_CLS_ACT && NF_CONNTRACK && NF_NAT && NF_FLOW_TABLE
++ depends on NET_CLS_ACT && NF_CONNTRACK && (!NF_NAT || NF_NAT) && NF_FLOW_TABLE
+ help
+ Say Y here to allow sending the packets to conntrack module.
+
+--
+2.35.1
+
--- /dev/null
+From 0dd115e3f4730e3e1c5c06e087f19999b333b609 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 20:59:18 +0800
+Subject: net: sparx5: fix error handling in sparx5_port_open()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit 4305fe232b8aa59af3761adc9fe6b6aa40913960 ]
+
+If phylink_of_phy_connect() fails, the port should be disabled.
+If sparx5_serdes_set()/phy_power_on() fails, the port should be
+disabled and the phylink should be stopped and disconnected.
+
+Fixes: 946e7fd5053a ("net: sparx5: add port module support")
+Fixes: f3cad2611a77 ("net: sparx5: add hostmode with phylink support")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Tested-by: Bjarni Jonasson <bjarni.jonasson@microchip.com>
+Reviewed-by: Steen Hegelund <steen.hegelund@microchip.com>
+Link: https://lore.kernel.org/r/20221117125918.203997-1-liujian56@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/microchip/sparx5/sparx5_netdev.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_netdev.c b/drivers/net/ethernet/microchip/sparx5/sparx5_netdev.c
+index af4d3e1f1a6d..3f112a897a60 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_netdev.c
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_netdev.c
+@@ -103,7 +103,7 @@ static int sparx5_port_open(struct net_device *ndev)
+ err = phylink_of_phy_connect(port->phylink, port->of_node, 0);
+ if (err) {
+ netdev_err(ndev, "Could not attach to PHY\n");
+- return err;
++ goto err_connect;
+ }
+
+ phylink_start(port->phylink);
+@@ -115,10 +115,20 @@ static int sparx5_port_open(struct net_device *ndev)
+ err = sparx5_serdes_set(port->sparx5, port, &port->conf);
+ else
+ err = phy_power_on(port->serdes);
+- if (err)
++ if (err) {
+ netdev_err(ndev, "%s failed\n", __func__);
++ goto out_power;
++ }
+ }
+
++ return 0;
++
++out_power:
++ phylink_stop(port->phylink);
++ phylink_disconnect_phy(port->phylink);
++err_connect:
++ sparx5_port_enable(port, false);
++
+ return err;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 4ac33d3bd679ff0df5159027ab4c8b123fe7065e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 16:22:36 +0800
+Subject: net: thunderx: Fix the ACPI memory leak
+
+From: Yu Liao <liaoyu15@huawei.com>
+
+[ Upstream commit 661e5ebbafd26d9d2e3c749f5cf591e55c7364f5 ]
+
+The ACPI buffer memory (string.pointer) should be freed as the buffer is
+not used after returning from bgx_acpi_match_id(), free it to prevent
+memory leak.
+
+Fixes: 46b903a01c05 ("net, thunder, bgx: Add support to get MAC address from ACPI.")
+Signed-off-by: Yu Liao <liaoyu15@huawei.com>
+Link: https://lore.kernel.org/r/20221123082237.1220521-1-liaoyu15@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index 2f6484dc186a..7eb2ddbe9bad 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1436,8 +1436,10 @@ static acpi_status bgx_acpi_match_id(acpi_handle handle, u32 lvl,
+ return AE_OK;
+ }
+
+- if (strncmp(string.pointer, bgx_sel, 4))
++ if (strncmp(string.pointer, bgx_sel, 4)) {
++ kfree(string.pointer);
+ return AE_OK;
++ }
+
+ acpi_walk_namespace(ACPI_TYPE_DEVICE, handle, 1,
+ bgx_acpi_register_phy, NULL, bgx, NULL);
+--
+2.35.1
+
--- /dev/null
+From af10742b035b2fff445d519af0b9a531eae570b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 14:24:47 +0800
+Subject: net: wwan: iosm: use ACPI_FREE() but not kfree() in
+ ipc_pcie_read_bios_cfg()
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+[ Upstream commit e541dd7763fc34aec2f93f652a396cc2e7b92d8d ]
+
+acpi_evaluate_dsm() should be coupled with ACPI_FREE() to free the ACPI
+memory, because we need to track the allocation of acpi_object when
+ACPI_DBG_TRACK_ALLOCATIONS enabled, so use ACPI_FREE() instead of kfree().
+
+Fixes: d38a648d2d6c ("net: wwan: iosm: fix memory leak in ipc_pcie_read_bios_cfg")
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Link: https://lore.kernel.org/r/20221118062447.2324881-1-bobo.shaobowang@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/iosm/iosm_ipc_pcie.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_pcie.c b/drivers/net/wwan/iosm/iosm_ipc_pcie.c
+index 97cb6846c6ae..f604d4a01e1b 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_pcie.c
++++ b/drivers/net/wwan/iosm/iosm_ipc_pcie.c
+@@ -249,7 +249,7 @@ static enum ipc_pcie_sleep_state ipc_pcie_read_bios_cfg(struct device *dev)
+ if (object->integer.value == 3)
+ sleep_state = IPC_PCIE_D3L2;
+
+- kfree(object);
++ ACPI_FREE(object);
+
+ default_ret:
+ return sleep_state;
+--
+2.35.1
+
--- /dev/null
+From e92470b62594c52c9671f1ab1485733402d45130 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 20:19:40 +0800
+Subject: net: wwan: t7xx: Fix the ACPI memory leak
+
+From: Hanjun Guo <guohanjun@huawei.com>
+
+[ Upstream commit 08e8a949f684e1fbc4b1efd2337d72ec8f3613d9 ]
+
+The ACPI buffer memory (buffer.pointer) should be freed as the
+buffer is not used after acpi_evaluate_object(), free it to
+prevent memory leak.
+
+Fixes: 13e920d93e37 ("net: wwan: t7xx: Add core components")
+Signed-off-by: Hanjun Guo <guohanjun@huawei.com>
+Link: https://lore.kernel.org/r/1669119580-28977-1-git-send-email-guohanjun@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/t7xx/t7xx_modem_ops.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wwan/t7xx/t7xx_modem_ops.c b/drivers/net/wwan/t7xx/t7xx_modem_ops.c
+index 3458af31e864..7d0f5e4f0a78 100644
+--- a/drivers/net/wwan/t7xx/t7xx_modem_ops.c
++++ b/drivers/net/wwan/t7xx/t7xx_modem_ops.c
+@@ -165,6 +165,8 @@ static int t7xx_acpi_reset(struct t7xx_pci_dev *t7xx_dev, char *fn_name)
+ return -EFAULT;
+ }
+
++ kfree(buffer.pointer);
++
+ #endif
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From d8852aaefc6a0f39574834c66ca5501fc2e7dc99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 12:39:07 -0700
+Subject: netfilter: conntrack: Fix data-races around ct mark
+
+From: Daniel Xu <dxu@dxuuu.xyz>
+
+[ Upstream commit 52d1aa8b8249ff477aaa38b6f74a8ced780d079c ]
+
+nf_conn:mark can be read from and written to in parallel. Use
+READ_ONCE()/WRITE_ONCE() for reads and writes to prevent unwanted
+compiler optimizations.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Daniel Xu <dxu@dxuuu.xyz>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/flow_dissector.c | 2 +-
+ net/ipv4/netfilter/ipt_CLUSTERIP.c | 4 ++--
+ net/netfilter/nf_conntrack_core.c | 2 +-
+ net/netfilter/nf_conntrack_netlink.c | 24 ++++++++++++++----------
+ net/netfilter/nf_conntrack_standalone.c | 2 +-
+ net/netfilter/nft_ct.c | 6 +++---
+ net/netfilter/xt_connmark.c | 18 ++++++++++--------
+ net/openvswitch/conntrack.c | 8 ++++----
+ net/sched/act_connmark.c | 4 ++--
+ net/sched/act_ct.c | 8 ++++----
+ net/sched/act_ctinfo.c | 6 +++---
+ 11 files changed, 45 insertions(+), 39 deletions(-)
+
+diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
+index 7105529abb0f..c433b1fb961a 100644
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -272,7 +272,7 @@ skb_flow_dissect_ct(const struct sk_buff *skb,
+ key->ct_zone = ct->zone.id;
+ #endif
+ #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)
+- key->ct_mark = ct->mark;
++ key->ct_mark = READ_ONCE(ct->mark);
+ #endif
+
+ cl = nf_ct_labels_find(ct);
+diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
+index f8e176c77d1c..b3cc416ed292 100644
+--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
+@@ -435,7 +435,7 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
+
+ switch (ctinfo) {
+ case IP_CT_NEW:
+- ct->mark = hash;
++ WRITE_ONCE(ct->mark, hash);
+ break;
+ case IP_CT_RELATED:
+ case IP_CT_RELATED_REPLY:
+@@ -452,7 +452,7 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
+ #ifdef DEBUG
+ nf_ct_dump_tuple_ip(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
+ #endif
+- pr_debug("hash=%u ct_hash=%u ", hash, ct->mark);
++ pr_debug("hash=%u ct_hash=%u ", hash, READ_ONCE(ct->mark));
+ if (!clusterip_responsible(cipinfo->config, hash)) {
+ pr_debug("not responsible\n");
+ return NF_DROP;
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 8f261cd5b3a5..60289c074eef 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1781,7 +1781,7 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
+ }
+
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+- ct->mark = exp->master->mark;
++ ct->mark = READ_ONCE(exp->master->mark);
+ #endif
+ #ifdef CONFIG_NF_CONNTRACK_SECMARK
+ ct->secmark = exp->master->secmark;
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index 7562b215b932..d71150a40fb0 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -328,9 +328,9 @@ ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
+ }
+
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+-static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
++static int ctnetlink_dump_mark(struct sk_buff *skb, u32 mark)
+ {
+- if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark)))
++ if (nla_put_be32(skb, CTA_MARK, htonl(mark)))
+ goto nla_put_failure;
+ return 0;
+
+@@ -543,7 +543,7 @@ static int ctnetlink_dump_extinfo(struct sk_buff *skb,
+ static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
+ {
+ if (ctnetlink_dump_status(skb, ct) < 0 ||
+- ctnetlink_dump_mark(skb, ct) < 0 ||
++ ctnetlink_dump_mark(skb, READ_ONCE(ct->mark)) < 0 ||
+ ctnetlink_dump_secctx(skb, ct) < 0 ||
+ ctnetlink_dump_id(skb, ct) < 0 ||
+ ctnetlink_dump_use(skb, ct) < 0 ||
+@@ -722,6 +722,7 @@ ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item)
+ struct sk_buff *skb;
+ unsigned int type;
+ unsigned int flags = 0, group;
++ u32 mark;
+ int err;
+
+ if (events & (1 << IPCT_DESTROY)) {
+@@ -826,8 +827,9 @@ ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item)
+ }
+
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+- if ((events & (1 << IPCT_MARK) || ct->mark)
+- && ctnetlink_dump_mark(skb, ct) < 0)
++ mark = READ_ONCE(ct->mark);
++ if ((events & (1 << IPCT_MARK) || mark) &&
++ ctnetlink_dump_mark(skb, mark) < 0)
+ goto nla_put_failure;
+ #endif
+ nlmsg_end(skb, nlh);
+@@ -1154,7 +1156,7 @@ static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
+ }
+
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+- if ((ct->mark & filter->mark.mask) != filter->mark.val)
++ if ((READ_ONCE(ct->mark) & filter->mark.mask) != filter->mark.val)
+ goto ignore_entry;
+ #endif
+ status = (u32)READ_ONCE(ct->status);
+@@ -2002,9 +2004,9 @@ static void ctnetlink_change_mark(struct nf_conn *ct,
+ mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
+
+ mark = ntohl(nla_get_be32(cda[CTA_MARK]));
+- newmark = (ct->mark & mask) ^ mark;
+- if (newmark != ct->mark)
+- ct->mark = newmark;
++ newmark = (READ_ONCE(ct->mark) & mask) ^ mark;
++ if (newmark != READ_ONCE(ct->mark))
++ WRITE_ONCE(ct->mark, newmark);
+ }
+ #endif
+
+@@ -2669,6 +2671,7 @@ static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
+ {
+ const struct nf_conntrack_zone *zone;
+ struct nlattr *nest_parms;
++ u32 mark;
+
+ zone = nf_ct_zone(ct);
+
+@@ -2730,7 +2733,8 @@ static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
+ goto nla_put_failure;
+
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+- if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0)
++ mark = READ_ONCE(ct->mark);
++ if (mark && ctnetlink_dump_mark(skb, mark) < 0)
+ goto nla_put_failure;
+ #endif
+ if (ctnetlink_dump_labels(skb, ct) < 0)
+diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
+index 4ffe84c5a82c..bca839ab1ae8 100644
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -366,7 +366,7 @@ static int ct_seq_show(struct seq_file *s, void *v)
+ goto release;
+
+ #if defined(CONFIG_NF_CONNTRACK_MARK)
+- seq_printf(s, "mark=%u ", ct->mark);
++ seq_printf(s, "mark=%u ", READ_ONCE(ct->mark));
+ #endif
+
+ ct_show_secctx(s, ct);
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index a3f01f209a53..641dc21f92b4 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -98,7 +98,7 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
+ return;
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+ case NFT_CT_MARK:
+- *dest = ct->mark;
++ *dest = READ_ONCE(ct->mark);
+ return;
+ #endif
+ #ifdef CONFIG_NF_CONNTRACK_SECMARK
+@@ -297,8 +297,8 @@ static void nft_ct_set_eval(const struct nft_expr *expr,
+ switch (priv->key) {
+ #ifdef CONFIG_NF_CONNTRACK_MARK
+ case NFT_CT_MARK:
+- if (ct->mark != value) {
+- ct->mark = value;
++ if (READ_ONCE(ct->mark) != value) {
++ WRITE_ONCE(ct->mark, value);
+ nf_conntrack_event_cache(IPCT_MARK, ct);
+ }
+ break;
+diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
+index e5ebc0810675..ad3c033db64e 100644
+--- a/net/netfilter/xt_connmark.c
++++ b/net/netfilter/xt_connmark.c
+@@ -30,6 +30,7 @@ connmark_tg_shift(struct sk_buff *skb, const struct xt_connmark_tginfo2 *info)
+ u_int32_t new_targetmark;
+ struct nf_conn *ct;
+ u_int32_t newmark;
++ u_int32_t oldmark;
+
+ ct = nf_ct_get(skb, &ctinfo);
+ if (ct == NULL)
+@@ -37,14 +38,15 @@ connmark_tg_shift(struct sk_buff *skb, const struct xt_connmark_tginfo2 *info)
+
+ switch (info->mode) {
+ case XT_CONNMARK_SET:
+- newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
++ oldmark = READ_ONCE(ct->mark);
++ newmark = (oldmark & ~info->ctmask) ^ info->ctmark;
+ if (info->shift_dir == D_SHIFT_RIGHT)
+ newmark >>= info->shift_bits;
+ else
+ newmark <<= info->shift_bits;
+
+- if (ct->mark != newmark) {
+- ct->mark = newmark;
++ if (READ_ONCE(ct->mark) != newmark) {
++ WRITE_ONCE(ct->mark, newmark);
+ nf_conntrack_event_cache(IPCT_MARK, ct);
+ }
+ break;
+@@ -55,15 +57,15 @@ connmark_tg_shift(struct sk_buff *skb, const struct xt_connmark_tginfo2 *info)
+ else
+ new_targetmark <<= info->shift_bits;
+
+- newmark = (ct->mark & ~info->ctmask) ^
++ newmark = (READ_ONCE(ct->mark) & ~info->ctmask) ^
+ new_targetmark;
+- if (ct->mark != newmark) {
+- ct->mark = newmark;
++ if (READ_ONCE(ct->mark) != newmark) {
++ WRITE_ONCE(ct->mark, newmark);
+ nf_conntrack_event_cache(IPCT_MARK, ct);
+ }
+ break;
+ case XT_CONNMARK_RESTORE:
+- new_targetmark = (ct->mark & info->ctmask);
++ new_targetmark = (READ_ONCE(ct->mark) & info->ctmask);
+ if (info->shift_dir == D_SHIFT_RIGHT)
+ new_targetmark >>= info->shift_bits;
+ else
+@@ -126,7 +128,7 @@ connmark_mt(const struct sk_buff *skb, struct xt_action_param *par)
+ if (ct == NULL)
+ return false;
+
+- return ((ct->mark & info->mask) == info->mark) ^ info->invert;
++ return ((READ_ONCE(ct->mark) & info->mask) == info->mark) ^ info->invert;
+ }
+
+ static int connmark_mt_check(const struct xt_mtchk_param *par)
+diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
+index 4e70df91d0f2..fc5b374fe568 100644
+--- a/net/openvswitch/conntrack.c
++++ b/net/openvswitch/conntrack.c
+@@ -152,7 +152,7 @@ static u8 ovs_ct_get_state(enum ip_conntrack_info ctinfo)
+ static u32 ovs_ct_get_mark(const struct nf_conn *ct)
+ {
+ #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)
+- return ct ? ct->mark : 0;
++ return ct ? READ_ONCE(ct->mark) : 0;
+ #else
+ return 0;
+ #endif
+@@ -340,9 +340,9 @@ static int ovs_ct_set_mark(struct nf_conn *ct, struct sw_flow_key *key,
+ #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)
+ u32 new_mark;
+
+- new_mark = ct_mark | (ct->mark & ~(mask));
+- if (ct->mark != new_mark) {
+- ct->mark = new_mark;
++ new_mark = ct_mark | (READ_ONCE(ct->mark) & ~(mask));
++ if (READ_ONCE(ct->mark) != new_mark) {
++ WRITE_ONCE(ct->mark, new_mark);
+ if (nf_ct_is_confirmed(ct))
+ nf_conntrack_event_cache(IPCT_MARK, ct);
+ key->ct.mark = new_mark;
+diff --git a/net/sched/act_connmark.c b/net/sched/act_connmark.c
+index 09e2aafc8943..0deb4e96a6c2 100644
+--- a/net/sched/act_connmark.c
++++ b/net/sched/act_connmark.c
+@@ -62,7 +62,7 @@ static int tcf_connmark_act(struct sk_buff *skb, const struct tc_action *a,
+
+ c = nf_ct_get(skb, &ctinfo);
+ if (c) {
+- skb->mark = c->mark;
++ skb->mark = READ_ONCE(c->mark);
+ /* using overlimits stats to count how many packets marked */
+ ca->tcf_qstats.overlimits++;
+ goto out;
+@@ -82,7 +82,7 @@ static int tcf_connmark_act(struct sk_buff *skb, const struct tc_action *a,
+ c = nf_ct_tuplehash_to_ctrack(thash);
+ /* using overlimits stats to count how many packets marked */
+ ca->tcf_qstats.overlimits++;
+- skb->mark = c->mark;
++ skb->mark = READ_ONCE(c->mark);
+ nf_ct_put(c);
+
+ out:
+diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
+index 5950974ae8f6..a015915e5b72 100644
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -178,7 +178,7 @@ static void tcf_ct_flow_table_add_action_meta(struct nf_conn *ct,
+ entry = tcf_ct_flow_table_flow_action_get_next(action);
+ entry->id = FLOW_ACTION_CT_METADATA;
+ #if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)
+- entry->ct_metadata.mark = ct->mark;
++ entry->ct_metadata.mark = READ_ONCE(ct->mark);
+ #endif
+ ctinfo = dir == IP_CT_DIR_ORIGINAL ? IP_CT_ESTABLISHED :
+ IP_CT_ESTABLISHED_REPLY;
+@@ -940,9 +940,9 @@ static void tcf_ct_act_set_mark(struct nf_conn *ct, u32 mark, u32 mask)
+ if (!mask)
+ return;
+
+- new_mark = mark | (ct->mark & ~(mask));
+- if (ct->mark != new_mark) {
+- ct->mark = new_mark;
++ new_mark = mark | (READ_ONCE(ct->mark) & ~(mask));
++ if (READ_ONCE(ct->mark) != new_mark) {
++ WRITE_ONCE(ct->mark, new_mark);
+ if (nf_ct_is_confirmed(ct))
+ nf_conntrack_event_cache(IPCT_MARK, ct);
+ }
+diff --git a/net/sched/act_ctinfo.c b/net/sched/act_ctinfo.c
+index 0281e45987a4..65a20f3c9514 100644
+--- a/net/sched/act_ctinfo.c
++++ b/net/sched/act_ctinfo.c
+@@ -33,7 +33,7 @@ static void tcf_ctinfo_dscp_set(struct nf_conn *ct, struct tcf_ctinfo *ca,
+ {
+ u8 dscp, newdscp;
+
+- newdscp = (((ct->mark & cp->dscpmask) >> cp->dscpmaskshift) << 2) &
++ newdscp = (((READ_ONCE(ct->mark) & cp->dscpmask) >> cp->dscpmaskshift) << 2) &
+ ~INET_ECN_MASK;
+
+ switch (proto) {
+@@ -73,7 +73,7 @@ static void tcf_ctinfo_cpmark_set(struct nf_conn *ct, struct tcf_ctinfo *ca,
+ struct sk_buff *skb)
+ {
+ ca->stats_cpmark_set++;
+- skb->mark = ct->mark & cp->cpmarkmask;
++ skb->mark = READ_ONCE(ct->mark) & cp->cpmarkmask;
+ }
+
+ static int tcf_ctinfo_act(struct sk_buff *skb, const struct tc_action *a,
+@@ -131,7 +131,7 @@ static int tcf_ctinfo_act(struct sk_buff *skb, const struct tc_action *a,
+ }
+
+ if (cp->mode & CTINFO_MODE_DSCP)
+- if (!cp->dscpstatemask || (ct->mark & cp->dscpstatemask))
++ if (!cp->dscpstatemask || (READ_ONCE(ct->mark) & cp->dscpstatemask))
+ tcf_ctinfo_dscp_set(ct, ca, cp, skb, wlen, proto);
+
+ if (cp->mode & CTINFO_MODE_CPMARK)
+--
+2.35.1
+
--- /dev/null
+From 0d7c7ce9bcd34a84ca816c6c0386669a62caa959 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 19:26:15 +0100
+Subject: netfilter: flowtable_offload: add missing locking
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit bcd9e3c1656d0f7dd9743598c65c3ae24efb38d0 ]
+
+nf_flow_table_block_setup and the driver TC_SETUP_FT call can modify the flow
+block cb list while they are being traversed elsewhere, causing a crash.
+Add a write lock around the calls to protect readers
+
+Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
+Reported-by: Chad Monroe <chad.monroe@smartrg.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_flow_table_offload.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
+index b04645ced89b..00b522890d77 100644
+--- a/net/netfilter/nf_flow_table_offload.c
++++ b/net/netfilter/nf_flow_table_offload.c
+@@ -1098,6 +1098,7 @@ static int nf_flow_table_block_setup(struct nf_flowtable *flowtable,
+ struct flow_block_cb *block_cb, *next;
+ int err = 0;
+
++ down_write(&flowtable->flow_block_lock);
+ switch (cmd) {
+ case FLOW_BLOCK_BIND:
+ list_splice(&bo->cb_list, &flowtable->flow_block.cb_list);
+@@ -1112,6 +1113,7 @@ static int nf_flow_table_block_setup(struct nf_flowtable *flowtable,
+ WARN_ON_ONCE(1);
+ err = -EOPNOTSUPP;
+ }
++ up_write(&flowtable->flow_block_lock);
+
+ return err;
+ }
+@@ -1168,7 +1170,9 @@ static int nf_flow_table_offload_cmd(struct flow_block_offload *bo,
+
+ nf_flow_table_block_offload_init(bo, dev_net(dev), cmd, flowtable,
+ extack);
++ down_write(&flowtable->flow_block_lock);
+ err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_FT, bo);
++ up_write(&flowtable->flow_block_lock);
+ if (err < 0)
+ return err;
+
+--
+2.35.1
+
--- /dev/null
+From 063d887e6805f11fc8ec4968d76a2e79088e062d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Sep 2022 14:26:50 -0400
+Subject: netfilter: ipset: regression in ip_set_hash_ip.c
+
+From: Vishwanath Pai <vpai@akamai.com>
+
+[ Upstream commit c7aa1a76d4a0a3c401025b60c401412bbb60f8c6 ]
+
+This patch introduced a regression: commit 48596a8ddc46 ("netfilter:
+ipset: Fix adding an IPv4 range containing more than 2^31 addresses")
+
+The variable e.ip is passed to adtfn() function which finally adds the
+ip address to the set. The patch above refactored the for loop and moved
+e.ip = htonl(ip) to the end of the for loop.
+
+What this means is that if the value of "ip" changes between the first
+assignement of e.ip and the forloop, then e.ip is pointing to a
+different ip address than "ip".
+
+Test case:
+$ ipset create jdtest_tmp hash:ip family inet hashsize 2048 maxelem 100000
+$ ipset add jdtest_tmp 10.0.1.1/31
+ipset v6.21.1: Element cannot be added to the set: it's already added
+
+The value of ip gets updated inside the "else if (tb[IPSET_ATTR_CIDR])"
+block but e.ip is still pointing to the old value.
+
+Fixes: 48596a8ddc46 ("netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses")
+Reviewed-by: Joshua Hunt <johunt@akamai.com>
+Signed-off-by: Vishwanath Pai <vpai@akamai.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_hash_ip.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
+index dd30c03d5a23..75d556d71652 100644
+--- a/net/netfilter/ipset/ip_set_hash_ip.c
++++ b/net/netfilter/ipset/ip_set_hash_ip.c
+@@ -151,18 +151,16 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
+ if (((u64)ip_to - ip + 1) >> (32 - h->netmask) > IPSET_MAX_RANGE)
+ return -ERANGE;
+
+- if (retried) {
++ if (retried)
+ ip = ntohl(h->next.ip);
+- e.ip = htonl(ip);
+- }
+ for (; ip <= ip_to;) {
++ e.ip = htonl(ip);
+ ret = adtfn(set, &e, &ext, &ext, flags);
+ if (ret && !ip_set_eexist(ret, flags))
+ return ret;
+
+ ip += hosts;
+- e.ip = htonl(ip);
+- if (e.ip == 0)
++ if (ip == 0)
+ return 0;
+
+ ret = 0;
+--
+2.35.1
+
--- /dev/null
+From de5a5d98dd956fe8f2ffbf6f1f3089eb0d14235c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 20:18:58 +0100
+Subject: netfilter: ipset: restore allowing 64 clashing elements in
+ hash:net,iface
+
+From: Jozsef Kadlecsik <kadlec@netfilter.org>
+
+[ Upstream commit 6a66ce44a51bdfc47721f0c591137df2d4b21247 ]
+
+The commit 510841da1fcc ("netfilter: ipset: enforce documented limit to
+prevent allocating huge memory") was too strict and prevented to add up to
+64 clashing elements to a hash:net,iface type of set. This patch fixes the
+issue and now the type behaves as documented.
+
+Fixes: 510841da1fcc ("netfilter: ipset: enforce documented limit to prevent allocating huge memory")
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_hash_gen.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
+index 3adc291d9ce1..7499192af586 100644
+--- a/net/netfilter/ipset/ip_set_hash_gen.h
++++ b/net/netfilter/ipset/ip_set_hash_gen.h
+@@ -916,7 +916,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,
+ #ifdef IP_SET_HASH_WITH_MULTI
+ if (h->bucketsize >= AHASH_MAX_TUNED)
+ goto set_full;
+- else if (h->bucketsize < multi)
++ else if (h->bucketsize <= multi)
+ h->bucketsize += AHASH_INIT_SIZE;
+ #endif
+ if (n->size >= AHASH_MAX(h)) {
+--
+2.35.1
+
--- /dev/null
+From b02d98151e07db34bdb39fcdc2ebba209377c634 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 11:31:54 +0100
+Subject: netfilter: nf_tables: do not set up extensions for end interval
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 33c7aba0b4ffd6d7cdab862a034eb582a5120a38 ]
+
+Elements with an end interval flag set on do not store extensions. The
+global set definition is currently setting on the timeout and stateful
+expression for end interval elements.
+
+This leads to skipping end interval elements from the set->ops->walk()
+path as the expired check bogusly reports true.
+
+Moreover, do not set up stateful expressions for elements with end
+interval flag set on since this is never used.
+
+Fixes: 65038428b2c6 ("netfilter: nf_tables: allow to specify stateful expression in set definition")
+Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 42e370575c30..0a6f3c1e9ab7 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5958,7 +5958,8 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ &timeout);
+ if (err)
+ return err;
+- } else if (set->flags & NFT_SET_TIMEOUT) {
++ } else if (set->flags & NFT_SET_TIMEOUT &&
++ !(flags & NFT_SET_ELEM_INTERVAL_END)) {
+ timeout = set->timeout;
+ }
+
+@@ -6024,7 +6025,8 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
+ err = -EOPNOTSUPP;
+ goto err_set_elem_expr;
+ }
+- } else if (set->num_exprs > 0) {
++ } else if (set->num_exprs > 0 &&
++ !(flags & NFT_SET_ELEM_INTERVAL_END)) {
+ err = nft_set_elem_expr_clone(ctx, set, expr_array);
+ if (err < 0)
+ goto err_set_elem_expr_clone;
+--
+2.35.1
+
--- /dev/null
+From 91e4bec2517cbdc057bffbb67d8a5c9e0d943b24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 16:24:19 +0800
+Subject: NFC: nci: fix memory leak in nci_rx_data_packet()
+
+From: Liu Shixin <liushixin2@huawei.com>
+
+[ Upstream commit 53270fb0fd77fe786d8c07a0793981d797836b93 ]
+
+Syzbot reported a memory leak about skb:
+
+unreferenced object 0xffff88810e144e00 (size 240):
+ comm "syz-executor284", pid 3701, jiffies 4294952403 (age 12.620s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff83ab79a9>] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:497
+ [<ffffffff82a5cf64>] alloc_skb include/linux/skbuff.h:1267 [inline]
+ [<ffffffff82a5cf64>] virtual_ncidev_write+0x24/0xe0 drivers/nfc/virtual_ncidev.c:116
+ [<ffffffff815f6503>] do_loop_readv_writev fs/read_write.c:759 [inline]
+ [<ffffffff815f6503>] do_loop_readv_writev fs/read_write.c:743 [inline]
+ [<ffffffff815f6503>] do_iter_write+0x253/0x300 fs/read_write.c:863
+ [<ffffffff815f66ed>] vfs_writev+0xdd/0x240 fs/read_write.c:934
+ [<ffffffff815f68f6>] do_writev+0xa6/0x1c0 fs/read_write.c:977
+ [<ffffffff848802d5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ [<ffffffff848802d5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ [<ffffffff84a00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+In nci_rx_data_packet(), if we don't get a valid conn_info, we will return
+directly but forget to release the skb.
+
+Reported-by: syzbot+cdb9a427d1bc08815104@syzkaller.appspotmail.com
+Fixes: 4aeee6871e8c ("NFC: nci: Add dynamic logical connections support")
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Link: https://lore.kernel.org/r/20221118082419.239475-1-liushixin2@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/nci/data.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c
+index aa5e712adf07..3d36ea5701f0 100644
+--- a/net/nfc/nci/data.c
++++ b/net/nfc/nci/data.c
+@@ -279,8 +279,10 @@ void nci_rx_data_packet(struct nci_dev *ndev, struct sk_buff *skb)
+ nci_plen(skb->data));
+
+ conn_info = nci_get_conn_info_by_conn_id(ndev, nci_conn_id(skb->data));
+- if (!conn_info)
++ if (!conn_info) {
++ kfree_skb(skb);
+ return;
++ }
+
+ /* strip the nci data header */
+ skb_pull(skb, NCI_DATA_HDR_SIZE);
+--
+2.35.1
+
--- /dev/null
+From 15d6780e4860a345c773de73165aa25c503cdb18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 21:02:49 +0800
+Subject: nfc/nci: fix race with opening and closing
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit 0ad6bded175e829c2ca261529c9dce39a32a042d ]
+
+Previously we leverage NCI_UNREG and the lock inside nci_close_device to
+prevent the race condition between opening a device and closing a
+device. However, it still has problem because a failed opening command
+will erase the NCI_UNREG flag and allow another opening command to
+bypass the status checking.
+
+This fix corrects that by making sure the NCI_UNREG is held.
+
+Reported-by: syzbot+43475bf3cfbd6e41f5b7@syzkaller.appspotmail.com
+Fixes: 48b71a9e66c2 ("NFC: add NCI_UNREG flag to eliminate the race")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/nci/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index 6a193cce2a75..4ffdf2f45c44 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -542,7 +542,7 @@ static int nci_open_device(struct nci_dev *ndev)
+ skb_queue_purge(&ndev->tx_q);
+
+ ndev->ops->close(ndev);
+- ndev->flags = 0;
++ ndev->flags &= BIT(NCI_UNREG);
+ }
+
+ done:
+--
+2.35.1
+
--- /dev/null
+From 83596260290d5ab70b2844ea37beca74f0fd2e00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 18:42:46 -0600
+Subject: nfc: st-nci: fix incorrect sizing calculations in EVT_TRANSACTION
+
+From: Martin Faltesek <mfaltesek@google.com>
+
+[ Upstream commit 0254f31a7df3bb3b90c2d9dd2d4052f7b95eb287 ]
+
+The transaction buffer is allocated by using the size of the packet buf,
+and subtracting two which seems intended to remove the two tags which are
+not present in the target structure. This calculation leads to under
+counting memory because of differences between the packet contents and the
+target structure. The aid_len field is a u8 in the packet, but a u32 in
+the structure, resulting in at least 3 bytes always being under counted.
+Further, the aid data is a variable length field in the packet, but fixed
+in the structure, so if this field is less than the max, the difference is
+added to the under counting.
+
+To fix, perform validation checks progressively to safely reach the
+next field, to determine the size of both buffers and verify both tags.
+Once all validation checks pass, allocate the buffer and copy the data.
+This eliminates freeing memory on the error path, as validation checks are
+moved ahead of memory allocation.
+
+Reported-by: Denis Efremov <denis.e.efremov@oracle.com>
+Reviewed-by: Guenter Roeck <groeck@google.com>
+Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support")
+Signed-off-by: Martin Faltesek <mfaltesek@google.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/st-nci/se.c | 51 +++++++++++++++++++++++++++++------------
+ 1 file changed, 36 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c
+index fc59916ae5ae..ec87dd21e054 100644
+--- a/drivers/nfc/st-nci/se.c
++++ b/drivers/nfc/st-nci/se.c
+@@ -312,6 +312,8 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev,
+ int r = 0;
+ struct device *dev = &ndev->nfc_dev->dev;
+ struct nfc_evt_transaction *transaction;
++ u32 aid_len;
++ u8 params_len;
+
+ pr_debug("connectivity gate event: %x\n", event);
+
+@@ -325,28 +327,47 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev,
+ * Description Tag Length
+ * AID 81 5 to 16
+ * PARAMETERS 82 0 to 255
++ *
++ * The key differences are aid storage length is variably sized
++ * in the packet, but fixed in nfc_evt_transaction, and that
++ * the aid_len is u8 in the packet, but u32 in the structure,
++ * and the tags in the packet are not included in
++ * nfc_evt_transaction.
++ *
++ * size(b): 1 1 5-16 1 1 0-255
++ * offset: 0 1 2 aid_len + 2 aid_len + 3 aid_len + 4
++ * mem name: aid_tag(M) aid_len aid params_tag(M) params_len params
++ * example: 0x81 5-16 X 0x82 0-255 X
+ */
+- if (skb->len < NFC_MIN_AID_LENGTH + 2 ||
+- skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)
++ if (skb->len < 2 || skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)
+ return -EPROTO;
+
+- transaction = devm_kzalloc(dev, skb->len - 2, GFP_KERNEL);
+- if (!transaction)
+- return -ENOMEM;
++ aid_len = skb->data[1];
+
+- transaction->aid_len = skb->data[1];
+- memcpy(transaction->aid, &skb->data[2], transaction->aid_len);
++ if (skb->len < aid_len + 4 ||
++ aid_len > sizeof(transaction->aid))
++ return -EPROTO;
+
+- /* Check next byte is PARAMETERS tag (82) */
+- if (skb->data[transaction->aid_len + 2] !=
+- NFC_EVT_TRANSACTION_PARAMS_TAG) {
+- devm_kfree(dev, transaction);
++ params_len = skb->data[aid_len + 3];
++
++ /* Verify PARAMETERS tag is (82), and final check that there is
++ * enough space in the packet to read everything.
++ */
++ if (skb->data[aid_len + 2] != NFC_EVT_TRANSACTION_PARAMS_TAG ||
++ skb->len < aid_len + 4 + params_len)
+ return -EPROTO;
+- }
+
+- transaction->params_len = skb->data[transaction->aid_len + 3];
+- memcpy(transaction->params, skb->data +
+- transaction->aid_len + 4, transaction->params_len);
++ transaction = devm_kzalloc(dev, sizeof(*transaction) +
++ params_len, GFP_KERNEL);
++ if (!transaction)
++ return -ENOMEM;
++
++ transaction->aid_len = aid_len;
++ transaction->params_len = params_len;
++
++ memcpy(transaction->aid, &skb->data[2], aid_len);
++ memcpy(transaction->params, &skb->data[aid_len + 4],
++ params_len);
+
+ r = nfc_se_transaction(ndev->nfc_dev, host, transaction);
+ break;
+--
+2.35.1
+
--- /dev/null
+From 35b136ba2a4e841881e9bff68906e5b0ff6949b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 18:42:44 -0600
+Subject: nfc: st-nci: fix incorrect validating logic in EVT_TRANSACTION
+
+From: Martin Faltesek <mfaltesek@google.com>
+
+[ Upstream commit c60c152230828825c06e62a8f1ce956d4b659266 ]
+
+The first validation check for EVT_TRANSACTION has two different checks
+tied together with logical AND. One is a check for minimum packet length,
+and the other is for a valid aid_tag. If either condition is true (fails),
+then an error should be triggered. The fix is to change && to ||.
+
+Reported-by: Denis Efremov <denis.e.efremov@oracle.com>
+Reviewed-by: Guenter Roeck <groeck@google.com>
+Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support")
+Signed-off-by: Martin Faltesek <mfaltesek@google.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/st-nci/se.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c
+index 7764b1a4c3cf..589e1dec78e7 100644
+--- a/drivers/nfc/st-nci/se.c
++++ b/drivers/nfc/st-nci/se.c
+@@ -326,7 +326,7 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev,
+ * AID 81 5 to 16
+ * PARAMETERS 82 0 to 255
+ */
+- if (skb->len < NFC_MIN_AID_LENGTH + 2 &&
++ if (skb->len < NFC_MIN_AID_LENGTH + 2 ||
+ skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)
+ return -EPROTO;
+
+--
+2.35.1
+
--- /dev/null
+From c5747effd631529130e15b46a8cdca85aa8f7577 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 18:42:45 -0600
+Subject: nfc: st-nci: fix memory leaks in EVT_TRANSACTION
+
+From: Martin Faltesek <mfaltesek@google.com>
+
+[ Upstream commit 440f2ae9c9f06e26f5dcea697a53717fc61a318c ]
+
+Error path does not free previously allocated memory. Add devm_kfree() to
+the failure path.
+
+Reported-by: Denis Efremov <denis.e.efremov@oracle.com>
+Reviewed-by: Guenter Roeck <groeck@google.com>
+Fixes: 5d1ceb7f5e56 ("NFC: st21nfcb: Add HCI transaction event support")
+Signed-off-by: Martin Faltesek <mfaltesek@google.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/st-nci/se.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nfc/st-nci/se.c b/drivers/nfc/st-nci/se.c
+index 589e1dec78e7..fc59916ae5ae 100644
+--- a/drivers/nfc/st-nci/se.c
++++ b/drivers/nfc/st-nci/se.c
+@@ -339,8 +339,10 @@ static int st_nci_hci_connectivity_event_received(struct nci_dev *ndev,
+
+ /* Check next byte is PARAMETERS tag (82) */
+ if (skb->data[transaction->aid_len + 2] !=
+- NFC_EVT_TRANSACTION_PARAMS_TAG)
++ NFC_EVT_TRANSACTION_PARAMS_TAG) {
++ devm_kfree(dev, transaction);
+ return -EPROTO;
++ }
+
+ transaction->params_len = skb->data[transaction->aid_len + 3];
+ memcpy(transaction->params, skb->data +
+--
+2.35.1
+
--- /dev/null
+From 9db7ce20fe3b87c84d9a5a60cf313e675f8144d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 16:37:44 +0100
+Subject: nfp: add port from netdev validation for EEPROM access
+
+From: Jaco Coetzee <jaco.coetzee@corigine.com>
+
+[ Upstream commit 0873016d46f6dfafd1bdf4d9b935b3331b226f7c ]
+
+Setting of the port flag `NFP_PORT_CHANGED`, introduced
+to ensure the correct reading of EEPROM data, causes a
+fatal kernel NULL pointer dereference in cases where
+the target netdev type cannot be determined.
+
+Add validation of port struct pointer before attempting
+to set the `NFP_PORT_CHANGED` flag. Return that operation
+is not supported if the netdev type cannot be determined.
+
+Fixes: 4ae97cae07e1 ("nfp: ethtool: fix the display error of `ethtool -m DEVNAME`")
+Signed-off-by: Jaco Coetzee <jaco.coetzee@corigine.com>
+Reviewed-by: Louis Peens <louis.peens@corigine.com>
+Signed-off-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+index b19bff0db1fd..400b22ad6a34 100644
+--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+@@ -1395,6 +1395,9 @@ nfp_port_get_module_info(struct net_device *netdev,
+ u8 data;
+
+ port = nfp_port_from_netdev(netdev);
++ if (!port)
++ return -EOPNOTSUPP;
++
+ /* update port state to get latest interface */
+ set_bit(NFP_PORT_CHANGED, &port->flags);
+ eth_port = nfp_port_get_eth_port(port);
+--
+2.35.1
+
--- /dev/null
+From c88db5ce639a64a23f0ab55f6ca217d60e144590 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 16:37:43 +0100
+Subject: nfp: fill splittable of devlink_port_attrs correctly
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Diana Wang <na.wang@corigine.com>
+
+[ Upstream commit 4abd9600b9d15d3d92a9ac25cf200422a4c415ee ]
+
+The error is reflected in that it shows wrong splittable status of
+port when executing "devlink port show".
+The reason which leads the error is that the assigned operation of
+splittable is just a simple negation operation of split and it does
+not consider port lanes quantity. A splittable port should have
+several lanes that can be split(lanes quantity > 1).
+If without the judgement, it will show wrong message for some
+firmware, such as 2x25G, 2x10G.
+
+Fixes: a0f49b548652 ("devlink: Add a new devlink port split ability attribute and pass to netlink")
+Signed-off-by: Diana Wang <na.wang@corigine.com>
+Reviewed-by: Louis Peens <louis.peens@corigine.com>
+Reviewed-by: Niklas Söderlund <niklas.soderlund@corigine.com>
+Signed-off-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/netronome/nfp/nfp_devlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/nfp_devlink.c b/drivers/net/ethernet/netronome/nfp/nfp_devlink.c
+index 405786c00334..cb08d7bf9524 100644
+--- a/drivers/net/ethernet/netronome/nfp/nfp_devlink.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_devlink.c
+@@ -341,7 +341,7 @@ int nfp_devlink_port_register(struct nfp_app *app, struct nfp_port *port)
+ return ret;
+
+ attrs.split = eth_port.is_split;
+- attrs.splittable = !attrs.split;
++ attrs.splittable = eth_port.port_lanes > 1 && !attrs.split;
+ attrs.lanes = eth_port.port_lanes;
+ attrs.flavour = DEVLINK_PORT_FLAVOUR_PHYSICAL;
+ attrs.phys.port_number = eth_port.label_port;
+--
+2.35.1
+
--- /dev/null
+From 88de914b83bd929355d3da9395b75280628f0113 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 20:46:58 +0800
+Subject: octeontx2-af: debugsfs: fix pci device refcount leak
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit d66608803aa2ffb9e475623343f69996305771ae ]
+
+As comment of pci_get_domain_bus_and_slot() says, it returns
+a pci device with refcount increment, when finish using it,
+the caller must decrement the reference count by calling
+pci_dev_put().
+
+So before returning from rvu_dbg_rvu_pf_cgx_map_display() or
+cgx_print_dmac_flt(), pci_dev_put() is called to avoid refcount
+leak.
+
+Fixes: dbc52debf95f ("octeontx2-af: Debugfs support for DMAC filters")
+Fixes: e2fb37303865 ("octeontx2-af: Display CGX, NIX and PF map in debugfs.")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221117124658.162409-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
+index f42a09f04b25..70cda1571324 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
+@@ -535,6 +535,8 @@ static int rvu_dbg_rvu_pf_cgx_map_display(struct seq_file *filp, void *unused)
+ sprintf(lmac, "LMAC%d", lmac_id);
+ seq_printf(filp, "%s\t0x%x\t\tNIX%d\t\t%s\t%s\n",
+ dev_name(&pdev->dev), pcifunc, blkid, cgx, lmac);
++
++ pci_dev_put(pdev);
+ }
+ return 0;
+ }
+@@ -2221,6 +2223,7 @@ static int cgx_print_dmac_flt(struct seq_file *s, int lmac_id)
+ }
+ }
+
++ pci_dev_put(pdev);
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From a69944c0831993020c329a03779df45ae000b1cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 14:59:19 +0800
+Subject: octeontx2-af: Fix reference count issue in rvu_sdp_init()
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit ad17c2a3f11b0f6b122e7842d8f7d9a5fcc7ac63 ]
+
+pci_get_device() will decrease the reference count for the *from*
+parameter. So we don't need to call put_device() to decrease the
+reference. Let's remove the put_device() in the loop and only decrease
+the reference count of the returned 'pdev' for the last loop because it
+will not be passed to pci_get_device() as input parameter. We don't need
+to check if 'pdev' is NULL because it is already checked inside
+pci_dev_put(). Also add pci_dev_put() for the error path.
+
+Fixes: fe1939bb2340 ("octeontx2-af: Add SDP interface support")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Reviewed-by: Saeed Mahameed <saeed@kernel.org>
+Link: https://lore.kernel.org/r/20221123065919.31499-1-wangxiongfeng2@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c
+index b04fb226f708..ae50d56258ec 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_sdp.c
+@@ -62,15 +62,18 @@ int rvu_sdp_init(struct rvu *rvu)
+ pfvf->sdp_info = devm_kzalloc(rvu->dev,
+ sizeof(struct sdp_node_info),
+ GFP_KERNEL);
+- if (!pfvf->sdp_info)
++ if (!pfvf->sdp_info) {
++ pci_dev_put(pdev);
+ return -ENOMEM;
++ }
+
+ dev_info(rvu->dev, "SDP PF number:%d\n", sdp_pf_num[i]);
+
+- put_device(&pdev->dev);
+ i++;
+ }
+
++ pci_dev_put(pdev);
++
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From fd0c53295dc3613348fbc5e5e3bc1499a52b2acc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 13:54:49 +0800
+Subject: octeontx2-pf: Add check for devm_kcalloc
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit cd07eadd5147ffdae11b6fd28b77a3872f2a2484 ]
+
+As the devm_kcalloc may return NULL pointer,
+it should be better to add check for the return
+value, as same as the others.
+
+Fixes: e8e095b3b370 ("octeontx2-af: cn10k: Bandwidth profiles config support")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://lore.kernel.org/r/20221122055449.31247-1-jiasheng@iscas.ac.cn
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
+index 0879a48411f3..3dc90060d70d 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
+@@ -4979,6 +4979,8 @@ static int nix_setup_ipolicers(struct rvu *rvu,
+ ipolicer->ref_count = devm_kcalloc(rvu->dev,
+ ipolicer->band_prof.max,
+ sizeof(u16), GFP_KERNEL);
++ if (!ipolicer->ref_count)
++ return -ENOMEM;
+ }
+
+ /* Set policer timeunit to 2us ie (19 + 1) * 100 nsec = 2us */
+--
+2.35.1
+
--- /dev/null
+From 3ce956996c7082c047976f5825d568d0126ea7b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Nov 2022 15:29:53 -0700
+Subject: PCI: hv: Only reuse existing IRTE allocation for Multi-MSI
+
+From: Dexuan Cui <decui@microsoft.com>
+
+[ Upstream commit c234ba8042920fa83635808dc5673f36869ca280 ]
+
+Jeffrey added Multi-MSI support to the pci-hyperv driver by the 4 patches:
+08e61e861a0e ("PCI: hv: Fix multi-MSI to allow more than one MSI vector")
+455880dfe292 ("PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI")
+b4b77778ecc5 ("PCI: hv: Reuse existing IRTE allocation in compose_msi_msg()")
+a2bad844a67b ("PCI: hv: Fix interrupt mapping for multi-MSI")
+
+It turns out that the third patch (b4b77778ecc5) causes a performance
+regression because all the interrupts now happen on 1 physical CPU (or two
+pCPUs, if one pCPU doesn't have enough vectors). When a guest has many PCI
+devices, it may suffer from soft lockups if the workload is heavy, e.g.,
+see https://lwn.net/ml/linux-kernel/20220804025104.15673-1-decui@microsoft.com/
+
+Commit b4b77778ecc5 itself is good. The real issue is that the hypercall in
+hv_irq_unmask() -> hv_arch_irq_unmask() ->
+hv_do_hypercall(HVCALL_RETARGET_INTERRUPT...) only changes the target
+virtual CPU rather than physical CPU; with b4b77778ecc5, the pCPU is
+determined only once in hv_compose_msi_msg() where only vCPU0 is specified;
+consequently the hypervisor only uses 1 target pCPU for all the interrupts.
+
+Note: before b4b77778ecc5, the pCPU is determined twice, and when the pCPU
+is determined the second time, the vCPU in the effective affinity mask is
+used (i.e., it isn't always vCPU0), so the hypervisor chooses different
+pCPU for each interrupt.
+
+The hypercall will be fixed in future to update the pCPU as well, but
+that will take quite a while, so let's restore the old behavior in
+hv_compose_msi_msg(), i.e., don't reuse the existing IRTE allocation for
+single-MSI and MSI-X; for multi-MSI, we choose the vCPU in a round-robin
+manner for each PCI device, so the interrupts of different devices can
+happen on different pCPUs, though the interrupts of each device happen on
+some single pCPU.
+
+The hypercall fix may not be backported to all old versions of Hyper-V, so
+we want to have this guest side change forever (or at least till we're sure
+the old affected versions of Hyper-V are no longer supported).
+
+Fixes: b4b77778ecc5 ("PCI: hv: Reuse existing IRTE allocation in compose_msi_msg()")
+Co-developed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Co-developed-by: Carl Vanderlip <quic_carlv@quicinc.com>
+Signed-off-by: Carl Vanderlip <quic_carlv@quicinc.com>
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Link: https://lore.kernel.org/r/20221104222953.11356-1-decui@microsoft.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-hyperv.c | 90 ++++++++++++++++++++++++-----
+ 1 file changed, 75 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
+index ba64284eaf9f..f1ec8931dfbc 100644
+--- a/drivers/pci/controller/pci-hyperv.c
++++ b/drivers/pci/controller/pci-hyperv.c
+@@ -1613,7 +1613,7 @@ static void hv_pci_compose_compl(void *context, struct pci_response *resp,
+ }
+
+ static u32 hv_compose_msi_req_v1(
+- struct pci_create_interrupt *int_pkt, const struct cpumask *affinity,
++ struct pci_create_interrupt *int_pkt,
+ u32 slot, u8 vector, u16 vector_count)
+ {
+ int_pkt->message_type.type = PCI_CREATE_INTERRUPT_MESSAGE;
+@@ -1631,6 +1631,35 @@ static u32 hv_compose_msi_req_v1(
+ return sizeof(*int_pkt);
+ }
+
++/*
++ * The vCPU selected by hv_compose_multi_msi_req_get_cpu() and
++ * hv_compose_msi_req_get_cpu() is a "dummy" vCPU because the final vCPU to be
++ * interrupted is specified later in hv_irq_unmask() and communicated to Hyper-V
++ * via the HVCALL_RETARGET_INTERRUPT hypercall. But the choice of dummy vCPU is
++ * not irrelevant because Hyper-V chooses the physical CPU to handle the
++ * interrupts based on the vCPU specified in message sent to the vPCI VSP in
++ * hv_compose_msi_msg(). Hyper-V's choice of pCPU is not visible to the guest,
++ * but assigning too many vPCI device interrupts to the same pCPU can cause a
++ * performance bottleneck. So we spread out the dummy vCPUs to influence Hyper-V
++ * to spread out the pCPUs that it selects.
++ *
++ * For the single-MSI and MSI-X cases, it's OK for hv_compose_msi_req_get_cpu()
++ * to always return the same dummy vCPU, because a second call to
++ * hv_compose_msi_msg() contains the "real" vCPU, causing Hyper-V to choose a
++ * new pCPU for the interrupt. But for the multi-MSI case, the second call to
++ * hv_compose_msi_msg() exits without sending a message to the vPCI VSP, so the
++ * original dummy vCPU is used. This dummy vCPU must be round-robin'ed so that
++ * the pCPUs are spread out. All interrupts for a multi-MSI device end up using
++ * the same pCPU, even though the vCPUs will be spread out by later calls
++ * to hv_irq_unmask(), but that is the best we can do now.
++ *
++ * With Hyper-V in Nov 2022, the HVCALL_RETARGET_INTERRUPT hypercall does *not*
++ * cause Hyper-V to reselect the pCPU based on the specified vCPU. Such an
++ * enhancement is planned for a future version. With that enhancement, the
++ * dummy vCPU selection won't matter, and interrupts for the same multi-MSI
++ * device will be spread across multiple pCPUs.
++ */
++
+ /*
+ * Create MSI w/ dummy vCPU set targeting just one vCPU, overwritten
+ * by subsequent retarget in hv_irq_unmask().
+@@ -1640,18 +1669,39 @@ static int hv_compose_msi_req_get_cpu(const struct cpumask *affinity)
+ return cpumask_first_and(affinity, cpu_online_mask);
+ }
+
+-static u32 hv_compose_msi_req_v2(
+- struct pci_create_interrupt2 *int_pkt, const struct cpumask *affinity,
+- u32 slot, u8 vector, u16 vector_count)
++/*
++ * Make sure the dummy vCPU values for multi-MSI don't all point to vCPU0.
++ */
++static int hv_compose_multi_msi_req_get_cpu(void)
+ {
++ static DEFINE_SPINLOCK(multi_msi_cpu_lock);
++
++ /* -1 means starting with CPU 0 */
++ static int cpu_next = -1;
++
++ unsigned long flags;
+ int cpu;
+
++ spin_lock_irqsave(&multi_msi_cpu_lock, flags);
++
++ cpu_next = cpumask_next_wrap(cpu_next, cpu_online_mask, nr_cpu_ids,
++ false);
++ cpu = cpu_next;
++
++ spin_unlock_irqrestore(&multi_msi_cpu_lock, flags);
++
++ return cpu;
++}
++
++static u32 hv_compose_msi_req_v2(
++ struct pci_create_interrupt2 *int_pkt, int cpu,
++ u32 slot, u8 vector, u16 vector_count)
++{
+ int_pkt->message_type.type = PCI_CREATE_INTERRUPT_MESSAGE2;
+ int_pkt->wslot.slot = slot;
+ int_pkt->int_desc.vector = vector;
+ int_pkt->int_desc.vector_count = vector_count;
+ int_pkt->int_desc.delivery_mode = DELIVERY_MODE;
+- cpu = hv_compose_msi_req_get_cpu(affinity);
+ int_pkt->int_desc.processor_array[0] =
+ hv_cpu_number_to_vp_number(cpu);
+ int_pkt->int_desc.processor_count = 1;
+@@ -1660,18 +1710,15 @@ static u32 hv_compose_msi_req_v2(
+ }
+
+ static u32 hv_compose_msi_req_v3(
+- struct pci_create_interrupt3 *int_pkt, const struct cpumask *affinity,
++ struct pci_create_interrupt3 *int_pkt, int cpu,
+ u32 slot, u32 vector, u16 vector_count)
+ {
+- int cpu;
+-
+ int_pkt->message_type.type = PCI_CREATE_INTERRUPT_MESSAGE3;
+ int_pkt->wslot.slot = slot;
+ int_pkt->int_desc.vector = vector;
+ int_pkt->int_desc.reserved = 0;
+ int_pkt->int_desc.vector_count = vector_count;
+ int_pkt->int_desc.delivery_mode = DELIVERY_MODE;
+- cpu = hv_compose_msi_req_get_cpu(affinity);
+ int_pkt->int_desc.processor_array[0] =
+ hv_cpu_number_to_vp_number(cpu);
+ int_pkt->int_desc.processor_count = 1;
+@@ -1715,12 +1762,18 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+ struct pci_create_interrupt3 v3;
+ } int_pkts;
+ } __packed ctxt;
++ bool multi_msi;
+ u64 trans_id;
+ u32 size;
+ int ret;
++ int cpu;
++
++ msi_desc = irq_data_get_msi_desc(data);
++ multi_msi = !msi_desc->pci.msi_attrib.is_msix &&
++ msi_desc->nvec_used > 1;
+
+ /* Reuse the previous allocation */
+- if (data->chip_data) {
++ if (data->chip_data && multi_msi) {
+ int_desc = data->chip_data;
+ msg->address_hi = int_desc->address >> 32;
+ msg->address_lo = int_desc->address & 0xffffffff;
+@@ -1728,7 +1781,6 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+ return;
+ }
+
+- msi_desc = irq_data_get_msi_desc(data);
+ pdev = msi_desc_to_pci_dev(msi_desc);
+ dest = irq_data_get_effective_affinity_mask(data);
+ pbus = pdev->bus;
+@@ -1738,11 +1790,18 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+ if (!hpdev)
+ goto return_null_message;
+
++ /* Free any previous message that might have already been composed. */
++ if (data->chip_data && !multi_msi) {
++ int_desc = data->chip_data;
++ data->chip_data = NULL;
++ hv_int_desc_free(hpdev, int_desc);
++ }
++
+ int_desc = kzalloc(sizeof(*int_desc), GFP_ATOMIC);
+ if (!int_desc)
+ goto drop_reference;
+
+- if (!msi_desc->pci.msi_attrib.is_msix && msi_desc->nvec_used > 1) {
++ if (multi_msi) {
+ /*
+ * If this is not the first MSI of Multi MSI, we already have
+ * a mapping. Can exit early.
+@@ -1767,9 +1826,11 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+ */
+ vector = 32;
+ vector_count = msi_desc->nvec_used;
++ cpu = hv_compose_multi_msi_req_get_cpu();
+ } else {
+ vector = hv_msi_get_int_vector(data);
+ vector_count = 1;
++ cpu = hv_compose_msi_req_get_cpu(dest);
+ }
+
+ /*
+@@ -1785,7 +1846,6 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+ switch (hbus->protocol_version) {
+ case PCI_PROTOCOL_VERSION_1_1:
+ size = hv_compose_msi_req_v1(&ctxt.int_pkts.v1,
+- dest,
+ hpdev->desc.win_slot.slot,
+ (u8)vector,
+ vector_count);
+@@ -1794,7 +1854,7 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+ case PCI_PROTOCOL_VERSION_1_2:
+ case PCI_PROTOCOL_VERSION_1_3:
+ size = hv_compose_msi_req_v2(&ctxt.int_pkts.v2,
+- dest,
++ cpu,
+ hpdev->desc.win_slot.slot,
+ (u8)vector,
+ vector_count);
+@@ -1802,7 +1862,7 @@ static void hv_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+
+ case PCI_PROTOCOL_VERSION_1_4:
+ size = hv_compose_msi_req_v3(&ctxt.int_pkts.v3,
+- dest,
++ cpu,
+ hpdev->desc.win_slot.slot,
+ vector,
+ vector_count);
+--
+2.35.1
+
--- /dev/null
+From c042e11e847dc6b22306281815236292311e5b10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Oct 2022 21:55:54 +0100
+Subject: power: supply: ab8500: Defer thermal zone probe
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 767e684367e4759d9855b184045b7a9d6b19acd2 ]
+
+The call thermal_zone_get_zone_by_name() used to return the
+thermal zone right away, but recent refactorings in the
+thermal core has changed this so the thermal zone used by
+the battery is probed later, and the call returns -ENODEV.
+
+This was always quite fragile. If we get -ENODEV, then
+return a -EPROBE_DEFER and try again later.
+
+Cc: phone-devel@vger.kernel.org
+Fixes: 2b0e7ac0841b ("power: supply: ab8500: Integrate thermal zone")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/ab8500_btemp.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/ab8500_btemp.c b/drivers/power/supply/ab8500_btemp.c
+index 863fabe05bdc..307ee6f71042 100644
+--- a/drivers/power/supply/ab8500_btemp.c
++++ b/drivers/power/supply/ab8500_btemp.c
+@@ -725,7 +725,14 @@ static int ab8500_btemp_probe(struct platform_device *pdev)
+ /* Get thermal zone and ADC */
+ di->tz = thermal_zone_get_zone_by_name("battery-thermal");
+ if (IS_ERR(di->tz)) {
+- return dev_err_probe(dev, PTR_ERR(di->tz),
++ ret = PTR_ERR(di->tz);
++ /*
++ * This usually just means we are probing before the thermal
++ * zone, so just defer.
++ */
++ if (ret == -ENODEV)
++ ret = -EPROBE_DEFER;
++ return dev_err_probe(dev, ret,
+ "failed to get battery thermal zone\n");
+ }
+ di->bat_ctrl = devm_iio_channel_get(dev, "bat_ctrl");
+--
+2.35.1
+
--- /dev/null
+From 2b16a3b1c9108e9665ae8f6ff1440e499077fbf0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Oct 2022 00:40:52 +0200
+Subject: power: supply: ip5xxx: Fix integer overflow in current_now
+ calculation
+
+From: Ondrej Jirman <megi@xff.cz>
+
+[ Upstream commit f9be5cb6c1f0191f8bcf4413b7e17e58e8dfaaa1 ]
+
+When current is larger than ~2A, the multiplication in current_now
+property overflows and the kernel reports invalid negative current
+value. Change the numerator and denominator while preserving their
+ratio to allow up to +-6A before the overflow.
+
+Fixes: 75853406fa27 ("power: supply: Add a driver for Injoinic power bank ICs")
+Signed-off-by: Ondrej Jirman <megi@xff.cz>
+Reviewed-by: Samuel Holland <samuel@sholland.org>
+[use 149197/200 instead of 261095/350 as suggested by Samuel]
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/ip5xxx_power.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/ip5xxx_power.c b/drivers/power/supply/ip5xxx_power.c
+index 218e8e689a3f..00221e9c0bfc 100644
+--- a/drivers/power/supply/ip5xxx_power.c
++++ b/drivers/power/supply/ip5xxx_power.c
+@@ -352,7 +352,7 @@ static int ip5xxx_battery_get_property(struct power_supply *psy,
+ ret = ip5xxx_battery_read_adc(ip5xxx, IP5XXX_BATIADC_DAT0,
+ IP5XXX_BATIADC_DAT1, &raw);
+
+- val->intval = DIV_ROUND_CLOSEST(raw * 745985, 1000);
++ val->intval = DIV_ROUND_CLOSEST(raw * 149197, 200);
+ return 0;
+
+ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT:
+--
+2.35.1
+
--- /dev/null
+From 025abbf188552a266d0839a73cc04aa35cf4de47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 15:43:39 +0800
+Subject: regulator: core: fix kobject release warning and memory leak in
+ regulator_register()
+
+From: Zeng Heng <zengheng4@huawei.com>
+
+[ Upstream commit 5f4b204b6b8153923d5be8002c5f7082985d153f ]
+
+Here is a warning report about lack of registered release()
+from kobject lib:
+
+Device '(null)' does not have a release() function, it is broken and must be fixed.
+WARNING: CPU: 0 PID: 48430 at drivers/base/core.c:2332 device_release+0x104/0x120
+Call Trace:
+ kobject_put+0xdc/0x180
+ put_device+0x1b/0x30
+ regulator_register+0x651/0x1170
+ devm_regulator_register+0x4f/0xb0
+
+When regulator_register() returns fail and directly goto `clean` symbol,
+rdev->dev has not registered release() function yet (which is registered
+by regulator_class in the following), so rdev needs to be freed manually.
+If rdev->dev.of_node is not NULL, which means the of_node has gotten by
+regulator_of_get_init_data(), it needs to call of_node_put() to avoid
+refcount leak.
+
+Otherwise, only calling put_device() would lead memory leak of rdev
+in further:
+
+unreferenced object 0xffff88810d0b1000 (size 2048):
+ comm "107-i2c-rtq6752", pid 48430, jiffies 4342258431 (age 1341.780s)
+ backtrace:
+ kmalloc_trace+0x22/0x110
+ regulator_register+0x184/0x1170
+ devm_regulator_register+0x4f/0xb0
+
+When regulator_register() returns fail and goto `wash` symbol,
+rdev->dev has registered release() function, so directly call
+put_device() to cleanup everything.
+
+Fixes: d3c731564e09 ("regulator: plug of_node leak in regulator_register()'s error path")
+Signed-off-by: Zeng Heng <zengheng4@huawei.com>
+Link: https://lore.kernel.org/r/20221116074339.1024240-1-zengheng4@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index c3871565fd7d..5f82a996dbea 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -5616,11 +5616,15 @@ regulator_register(const struct regulator_desc *regulator_desc,
+ mutex_lock(®ulator_list_mutex);
+ regulator_ena_gpio_free(rdev);
+ mutex_unlock(®ulator_list_mutex);
++ put_device(&rdev->dev);
++ rdev = NULL;
+ clean:
+ if (dangling_of_gpiod)
+ gpiod_put(config->ena_gpiod);
++ if (rdev && rdev->dev.of_node)
++ of_node_put(rdev->dev.of_node);
++ kfree(rdev);
+ kfree(config);
+- put_device(&rdev->dev);
+ rinse:
+ if (dangling_cfg_gpiod)
+ gpiod_put(cfg->ena_gpiod);
+--
+2.35.1
+
--- /dev/null
+From c9f9a8792ad418097f85dd96ee1bbeb27e789bd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 11:37:06 +0800
+Subject: regulator: core: fix UAF in destroy_regulator()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 1f386d6894d0f1b7de8ef640c41622ddd698e7ab ]
+
+I got a UAF report as following:
+
+==================================================================
+BUG: KASAN: use-after-free in __lock_acquire+0x935/0x2060
+Read of size 8 at addr ffff88810e838220 by task python3/268
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x67/0x83
+ print_report+0x178/0x4b0
+ kasan_report+0x90/0x190
+ __lock_acquire+0x935/0x2060
+ lock_acquire+0x156/0x400
+ _raw_spin_lock+0x2a/0x40
+ lockref_get+0x11/0x30
+ simple_recursive_removal+0x41/0x440
+ debugfs_remove.part.12+0x32/0x50
+ debugfs_remove+0x29/0x30
+ _regulator_put.cold.54+0x3e/0x27f
+ regulator_put+0x1f/0x30
+ release_nodes+0x6a/0xa0
+ devres_release_all+0xf8/0x150
+
+Allocated by task 37:
+ kasan_save_stack+0x1c/0x40
+ kasan_set_track+0x21/0x30
+ __kasan_slab_alloc+0x5d/0x70
+ slab_post_alloc_hook+0x62/0x510
+ kmem_cache_alloc_lru+0x222/0x5a0
+ __d_alloc+0x31/0x440
+ d_alloc+0x30/0xf0
+ d_alloc_parallel+0xc4/0xd20
+ __lookup_slow+0x15e/0x2f0
+ lookup_one_len+0x13a/0x150
+ start_creating+0xea/0x190
+ debugfs_create_dir+0x1e/0x210
+ create_regulator+0x254/0x4e0
+ _regulator_get+0x2a1/0x467
+ _devm_regulator_get+0x5a/0xb0
+ regulator_virtual_probe+0xb9/0x1a0
+
+Freed by task 30:
+ kasan_save_stack+0x1c/0x40
+ kasan_set_track+0x21/0x30
+ kasan_save_free_info+0x2a/0x50
+ __kasan_slab_free+0x102/0x190
+ kmem_cache_free+0xf6/0x600
+ rcu_core+0x54c/0x12b0
+ __do_softirq+0xf2/0x5e3
+
+Last potentially related work creation:
+ kasan_save_stack+0x1c/0x40
+ __kasan_record_aux_stack+0x98/0xb0
+ call_rcu+0x42/0x700
+ dentry_free+0x6c/0xd0
+ __dentry_kill+0x23b/0x2d0
+ dput.part.31+0x431/0x780
+ simple_recursive_removal+0xa9/0x440
+ debugfs_remove.part.12+0x32/0x50
+ debugfs_remove+0x29/0x30
+ regulator_unregister+0xe3/0x230
+ release_nodes+0x6a/0xa0
+
+==================================================================
+
+Here is how happened:
+
+processor A processor B
+regulator_register()
+ rdev_init_debugfs()
+ rdev->debugfs = debugfs_create_dir()
+ devm_regulator_get()
+ rdev = regulator_dev_lookup()
+ create_regulator(rdev)
+ // using rdev->debugfs as parent
+ debugfs_create_dir(rdev->debugfs)
+
+mfd_remove_devices_fn()
+ release_nodes()
+ regulator_unregister()
+ // free rdev->debugfs
+ debugfs_remove_recursive(rdev->debugfs)
+ release_nodes()
+ destroy_regulator()
+ debugfs_remove_recursive() <- causes UAF
+
+In devm_regulator_get(), after getting rdev, the refcount
+is get, so fix this by moving debugfs_remove_recursive()
+to regulator_dev_release(), then it can be proctected by
+the refcount, the 'rdev->debugfs' can not be freed until
+the refcount is 0.
+
+Fixes: 5de705194e98 ("regulator: Add basic per consumer debugfs")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221116033706.3595812-1-yangyingliang@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index 5f82a996dbea..c0f368f1b49f 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -5138,6 +5138,7 @@ static void regulator_dev_release(struct device *dev)
+ {
+ struct regulator_dev *rdev = dev_get_drvdata(dev);
+
++ debugfs_remove_recursive(rdev->debugfs);
+ kfree(rdev->constraints);
+ of_node_put(rdev->dev.of_node);
+ kfree(rdev);
+@@ -5653,7 +5654,6 @@ void regulator_unregister(struct regulator_dev *rdev)
+
+ mutex_lock(®ulator_list_mutex);
+
+- debugfs_remove_recursive(rdev->debugfs);
+ WARN_ON(rdev->open_count);
+ regulator_remove_coupling(rdev);
+ unset_regulator_supplies(rdev);
+--
+2.35.1
+
--- /dev/null
+From ff85ee52d9b11cb51f5ad95614fe73fe5a00de1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 17:29:43 +0800
+Subject: regulator: rt5759: fix OOB in validate_desc()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 7920e0fbced429ab18ad4402e3914146a6a0921b ]
+
+I got the following OOB report:
+
+ BUG: KASAN: slab-out-of-bounds in validate_desc+0xba/0x109
+ Read of size 8 at addr ffff888107db8ff0 by task python3/253
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x67/0x83
+ print_report+0x178/0x4b0
+ kasan_report+0x90/0x190
+ validate_desc+0xba/0x109
+ gpiod_set_value_cansleep+0x40/0x5a
+ regulator_ena_gpio_ctrl+0x93/0xfc
+ _regulator_do_enable.cold.61+0x89/0x163
+ set_machine_constraints+0x140a/0x159c
+ regulator_register.cold.73+0x762/0x10cd
+ devm_regulator_register+0x57/0xb0
+ rt5759_probe+0x3a0/0x4ac [rt5759_regulator]
+
+The desc used in validate_desc() is passed from 'reg_cfg.ena_gpiod',
+which is not initialized. Fix this by initializing 'reg_cfg' to 0.
+
+Fixes: 7b36ddb208bd ("regulator: rt5759: Add support for Richtek RT5759 DCDC converter")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221116092943.1668326-1-yangyingliang@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/rt5759-regulator.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/regulator/rt5759-regulator.c b/drivers/regulator/rt5759-regulator.c
+index 6b96899eb27e..8488417f4b2c 100644
+--- a/drivers/regulator/rt5759-regulator.c
++++ b/drivers/regulator/rt5759-regulator.c
+@@ -243,6 +243,7 @@ static int rt5759_regulator_register(struct rt5759_priv *priv)
+ if (priv->chip_type == CHIP_TYPE_RT5759A)
+ reg_desc->uV_step = RT5759A_STEP_UV;
+
++ memset(®_cfg, 0, sizeof(reg_cfg));
+ reg_cfg.dev = priv->dev;
+ reg_cfg.of_node = np;
+ reg_cfg.init_data = of_get_regulator_init_data(priv->dev, np, reg_desc);
+--
+2.35.1
+
--- /dev/null
+From 01f822afe59810dde285365818c62300117094a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Nov 2022 23:12:07 +0100
+Subject: regulator: twl6030: re-add TWL6032_SUBCLASS
+
+From: Andreas Kemnade <andreas@kemnade.info>
+
+[ Upstream commit 3d6c982b26db94cc21bc9f7784f63e8286b7be62 ]
+
+In former times, info->feature was populated via the parent driver
+by pdata/regulator_init_data->driver_data for all regulators when
+USB_PRODUCT_ID_LSB indicates a TWL6032.
+Today, the information is not set, so re-add it at the regulator
+definitions.
+
+Fixes: 25d82337705e2 ("regulator: twl: make driver DT only")
+Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
+Link: https://lore.kernel.org/r/20221120221208.3093727-2-andreas@kemnade.info
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/twl6030-regulator.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/regulator/twl6030-regulator.c b/drivers/regulator/twl6030-regulator.c
+index 430265c404d6..7c7e3648ea4b 100644
+--- a/drivers/regulator/twl6030-regulator.c
++++ b/drivers/regulator/twl6030-regulator.c
+@@ -530,6 +530,7 @@ static const struct twlreg_info TWL6030_INFO_##label = { \
+ #define TWL6032_ADJUSTABLE_LDO(label, offset) \
+ static const struct twlreg_info TWL6032_INFO_##label = { \
+ .base = offset, \
++ .features = TWL6032_SUBCLASS, \
+ .desc = { \
+ .name = #label, \
+ .id = TWL6032_REG_##label, \
+@@ -562,6 +563,7 @@ static const struct twlreg_info TWLFIXED_INFO_##label = { \
+ #define TWL6032_ADJUSTABLE_SMPS(label, offset) \
+ static const struct twlreg_info TWLSMPS_INFO_##label = { \
+ .base = offset, \
++ .features = TWL6032_SUBCLASS, \
+ .desc = { \
+ .name = #label, \
+ .id = TWL6032_REG_##label, \
+--
+2.35.1
+
--- /dev/null
+From 9403af24c1668ac7399b73a7fce210467644e468 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 14:02:28 +0000
+Subject: rxrpc: Fix race between conn bundle lookup and bundle removal
+ [ZDI-CAN-15975]
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 3bcd6c7eaa53b56c3f584da46a1f7652e759d0e5 ]
+
+After rxrpc_unbundle_conn() has removed a connection from a bundle, it
+checks to see if there are any conns with available channels and, if not,
+removes and attempts to destroy the bundle.
+
+Whilst it does check after grabbing client_bundles_lock that there are no
+connections attached, this races with rxrpc_look_up_bundle() retrieving the
+bundle, but not attaching a connection for the connection to be attached
+later.
+
+There is therefore a window in which the bundle can get destroyed before we
+manage to attach a new connection to it.
+
+Fix this by adding an "active" counter to struct rxrpc_bundle:
+
+ (1) rxrpc_connect_call() obtains an active count by prepping/looking up a
+ bundle and ditches it before returning.
+
+ (2) If, during rxrpc_connect_call(), a connection is added to the bundle,
+ this obtains an active count, which is held until the connection is
+ discarded.
+
+ (3) rxrpc_deactivate_bundle() is created to drop an active count on a
+ bundle and destroy it when the active count reaches 0. The active
+ count is checked inside client_bundles_lock() to prevent a race with
+ rxrpc_look_up_bundle().
+
+ (4) rxrpc_unbundle_conn() then calls rxrpc_deactivate_bundle().
+
+Fixes: 245500d853e9 ("rxrpc: Rewrite the client connection manager")
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-15975
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: zdi-disclosures@trendmicro.com
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/ar-internal.h | 1 +
+ net/rxrpc/conn_client.c | 38 +++++++++++++++++++++++---------------
+ 2 files changed, 24 insertions(+), 15 deletions(-)
+
+diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
+index 62c70709d798..e0123efa2a62 100644
+--- a/net/rxrpc/ar-internal.h
++++ b/net/rxrpc/ar-internal.h
+@@ -399,6 +399,7 @@ enum rxrpc_conn_proto_state {
+ struct rxrpc_bundle {
+ struct rxrpc_conn_parameters params;
+ refcount_t ref;
++ atomic_t active; /* Number of active users */
+ unsigned int debug_id;
+ bool try_upgrade; /* True if the bundle is attempting upgrade */
+ bool alloc_conn; /* True if someone's getting a conn */
+diff --git a/net/rxrpc/conn_client.c b/net/rxrpc/conn_client.c
+index 3c9eeb5b750c..bdb335cb2d05 100644
+--- a/net/rxrpc/conn_client.c
++++ b/net/rxrpc/conn_client.c
+@@ -40,6 +40,8 @@ __read_mostly unsigned long rxrpc_conn_idle_client_fast_expiry = 2 * HZ;
+ DEFINE_IDR(rxrpc_client_conn_ids);
+ static DEFINE_SPINLOCK(rxrpc_conn_id_lock);
+
++static void rxrpc_deactivate_bundle(struct rxrpc_bundle *bundle);
++
+ /*
+ * Get a connection ID and epoch for a client connection from the global pool.
+ * The connection struct pointer is then recorded in the idr radix tree. The
+@@ -123,6 +125,7 @@ static struct rxrpc_bundle *rxrpc_alloc_bundle(struct rxrpc_conn_parameters *cp,
+ bundle->params = *cp;
+ rxrpc_get_peer(bundle->params.peer);
+ refcount_set(&bundle->ref, 1);
++ atomic_set(&bundle->active, 1);
+ spin_lock_init(&bundle->channel_lock);
+ INIT_LIST_HEAD(&bundle->waiting_calls);
+ }
+@@ -149,7 +152,7 @@ void rxrpc_put_bundle(struct rxrpc_bundle *bundle)
+
+ dead = __refcount_dec_and_test(&bundle->ref, &r);
+
+- _debug("PUT B=%x %d", d, r);
++ _debug("PUT B=%x %d", d, r - 1);
+ if (dead)
+ rxrpc_free_bundle(bundle);
+ }
+@@ -338,6 +341,7 @@ static struct rxrpc_bundle *rxrpc_look_up_bundle(struct rxrpc_conn_parameters *c
+ rxrpc_free_bundle(candidate);
+ found_bundle:
+ rxrpc_get_bundle(bundle);
++ atomic_inc(&bundle->active);
+ spin_unlock(&local->client_bundles_lock);
+ _leave(" = %u [found]", bundle->debug_id);
+ return bundle;
+@@ -435,6 +439,7 @@ static void rxrpc_add_conn_to_bundle(struct rxrpc_bundle *bundle, gfp_t gfp)
+ if (old)
+ trace_rxrpc_client(old, -1, rxrpc_client_replace);
+ candidate->bundle_shift = shift;
++ atomic_inc(&bundle->active);
+ bundle->conns[i] = candidate;
+ for (j = 0; j < RXRPC_MAXCALLS; j++)
+ set_bit(shift + j, &bundle->avail_chans);
+@@ -725,6 +730,7 @@ int rxrpc_connect_call(struct rxrpc_sock *rx,
+ smp_rmb();
+
+ out_put_bundle:
++ rxrpc_deactivate_bundle(bundle);
+ rxrpc_put_bundle(bundle);
+ out:
+ _leave(" = %d", ret);
+@@ -900,9 +906,8 @@ void rxrpc_disconnect_client_call(struct rxrpc_bundle *bundle, struct rxrpc_call
+ static void rxrpc_unbundle_conn(struct rxrpc_connection *conn)
+ {
+ struct rxrpc_bundle *bundle = conn->bundle;
+- struct rxrpc_local *local = bundle->params.local;
+ unsigned int bindex;
+- bool need_drop = false, need_put = false;
++ bool need_drop = false;
+ int i;
+
+ _enter("C=%x", conn->debug_id);
+@@ -921,15 +926,22 @@ static void rxrpc_unbundle_conn(struct rxrpc_connection *conn)
+ }
+ spin_unlock(&bundle->channel_lock);
+
+- /* If there are no more connections, remove the bundle */
+- if (!bundle->avail_chans) {
+- _debug("maybe unbundle");
+- spin_lock(&local->client_bundles_lock);
++ if (need_drop) {
++ rxrpc_deactivate_bundle(bundle);
++ rxrpc_put_connection(conn);
++ }
++}
+
+- for (i = 0; i < ARRAY_SIZE(bundle->conns); i++)
+- if (bundle->conns[i])
+- break;
+- if (i == ARRAY_SIZE(bundle->conns) && !bundle->params.exclusive) {
++/*
++ * Drop the active count on a bundle.
++ */
++static void rxrpc_deactivate_bundle(struct rxrpc_bundle *bundle)
++{
++ struct rxrpc_local *local = bundle->params.local;
++ bool need_put = false;
++
++ if (atomic_dec_and_lock(&bundle->active, &local->client_bundles_lock)) {
++ if (!bundle->params.exclusive) {
+ _debug("erase bundle");
+ rb_erase(&bundle->local_node, &local->client_bundles);
+ need_put = true;
+@@ -939,10 +951,6 @@ static void rxrpc_unbundle_conn(struct rxrpc_connection *conn)
+ if (need_put)
+ rxrpc_put_bundle(bundle);
+ }
+-
+- if (need_drop)
+- rxrpc_put_connection(conn);
+- _leave("");
+ }
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From 272391e8709498bb3fa9c8f4e38bf8d62cb574c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 11:08:29 +0000
+Subject: s390/ap: fix memory leak in ap_init_qci_info()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 9ac74f0666ceab0b1047e9d59be846a3345e4e98 ]
+
+If kzalloc() for 'ap_qci_info_old' failed, 'ap_qci_info' shold be
+freed before return. Otherwise it is a memory leak.
+
+Link: https://lore.kernel.org/r/20221114110830.542246-1-weiyongjun@huaweicloud.com
+Fixes: 283915850a44 ("s390/ap: notify drivers on config changed and scan complete callbacks")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/ap_bus.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/s390/crypto/ap_bus.c b/drivers/s390/crypto/ap_bus.c
+index 59ac98f2bd27..b02c631f3b71 100644
+--- a/drivers/s390/crypto/ap_bus.c
++++ b/drivers/s390/crypto/ap_bus.c
+@@ -233,8 +233,11 @@ static void __init ap_init_qci_info(void)
+ if (!ap_qci_info)
+ return;
+ ap_qci_info_old = kzalloc(sizeof(*ap_qci_info_old), GFP_KERNEL);
+- if (!ap_qci_info_old)
++ if (!ap_qci_info_old) {
++ kfree(ap_qci_info);
++ ap_qci_info = NULL;
+ return;
++ }
+ if (ap_fetch_qci_info(ap_qci_info) != 0) {
+ kfree(ap_qci_info);
+ kfree(ap_qci_info_old);
+--
+2.35.1
+
--- /dev/null
+From 731ddf139d57e96d09c846bc98241acf6a81757d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 13:05:39 +0100
+Subject: s390/crashdump: fix TOD programmable field size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit f44e07a8afdd713ddc1a8832c39372fe5dd86895 ]
+
+The size of the TOD programmable field was incorrectly increased from
+four to eight bytes with commit 1a2c5840acf9 ("s390/dump: cleanup CPU
+save area handling").
+This leads to an elf notes section NT_S390_TODPREG which has a size of
+eight instead of four bytes in case of kdump, however even worse is
+that the contents is incorrect: it is supposed to contain only the
+contents of the TOD programmable field, but in fact contains a mix of
+the TOD programmable field (32 bit upper bits) and parts of the CPU
+timer register (lower 32 bits).
+
+Fix this by simply changing the size of the todpreg field within the
+save area structure. This will implicitly also fix the size of the
+corresponding elf notes sections.
+
+This also gets rid of this compile time warning:
+
+in function ‘fortify_memcpy_chk’,
+ inlined from ‘save_area_add_regs’ at arch/s390/kernel/crash_dump.c:99:2:
+./include/linux/fortify-string.h:413:25: error: call to ‘__read_overflow2_field’
+ declared with attribute warning: detected read beyond size of field
+ (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
+ 413 | __read_overflow2_field(q_size_field, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Fixes: 1a2c5840acf9 ("s390/dump: cleanup CPU save area handling")
+Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/crash_dump.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/crash_dump.c b/arch/s390/kernel/crash_dump.c
+index bad8f47fc5d6..c1b2b0d4af77 100644
+--- a/arch/s390/kernel/crash_dump.c
++++ b/arch/s390/kernel/crash_dump.c
+@@ -45,7 +45,7 @@ struct save_area {
+ u64 fprs[16];
+ u32 fpc;
+ u32 prefix;
+- u64 todpreg;
++ u32 todpreg;
+ u64 timer;
+ u64 todcmp;
+ u64 vxrs_low[16];
+--
+2.35.1
+
--- /dev/null
+From ef980eda3f3b9fc4dc7fffb28d67a5309af56a18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 17:07:18 +0100
+Subject: s390/dasd: fix no record found for raw_track_access
+
+From: Stefan Haberland <sth@linux.ibm.com>
+
+[ Upstream commit 590ce6d96d6a224b470a3862c33a483d5022bfdb ]
+
+For DASD devices in raw_track_access mode only full track images are
+read and written.
+For this purpose it is not necessary to do search operation in the
+locate record extended function. The documentation even states that
+this might fail if the searched record is not found on a track.
+
+Currently the driver sets a value of 1 in the search field for the first
+record after record zero. This is the default for disks not in
+raw_track_access mode but record 1 might be missing on a completely
+empty track.
+
+There has not been any problem with this on IBM storage servers but it
+might lead to errors with DASD devices on other vendors storage servers.
+
+Fix this by setting the search field to 0. Record zero is always available
+even on a completely empty track.
+
+Fixes: e4dbb0f2b5dd ("[S390] dasd: Add support for raw ECKD access.")
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+Link: https://lore.kernel.org/r/20221123160719.3002694-4-sth@linux.ibm.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/block/dasd_eckd.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
+index 3cc93e2e4e15..2dec81e7e6ab 100644
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -4681,7 +4681,6 @@ static struct dasd_ccw_req *dasd_eckd_build_cp_raw(struct dasd_device *startdev,
+ struct dasd_device *basedev;
+ struct req_iterator iter;
+ struct dasd_ccw_req *cqr;
+- unsigned int first_offs;
+ unsigned int trkcount;
+ unsigned long *idaws;
+ unsigned int size;
+@@ -4715,7 +4714,6 @@ static struct dasd_ccw_req *dasd_eckd_build_cp_raw(struct dasd_device *startdev,
+ last_trk = (blk_rq_pos(req) + blk_rq_sectors(req) - 1) /
+ DASD_RAW_SECTORS_PER_TRACK;
+ trkcount = last_trk - first_trk + 1;
+- first_offs = 0;
+
+ if (rq_data_dir(req) == READ)
+ cmd = DASD_ECKD_CCW_READ_TRACK;
+@@ -4759,13 +4757,13 @@ static struct dasd_ccw_req *dasd_eckd_build_cp_raw(struct dasd_device *startdev,
+
+ if (use_prefix) {
+ prefix_LRE(ccw++, data, first_trk, last_trk, cmd, basedev,
+- startdev, 1, first_offs + 1, trkcount, 0, 0);
++ startdev, 1, 0, trkcount, 0, 0);
+ } else {
+ define_extent(ccw++, data, first_trk, last_trk, cmd, basedev, 0);
+ ccw[-1].flags |= CCW_FLAG_CC;
+
+ data += sizeof(struct DE_eckd_data);
+- locate_record_ext(ccw++, data, first_trk, first_offs + 1,
++ locate_record_ext(ccw++, data, first_trk, 0,
+ trkcount, cmd, basedev, 0, 0);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 00411eff666d48e8783c9b1634fe9a46acdc2a9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 10:48:42 -0800
+Subject: scsi: storvsc: Fix handling of srb_status and capacity change events
+
+From: Michael Kelley <mikelley@microsoft.com>
+
+[ Upstream commit b8a5376c321b4669f7ffabc708fd30c3970f3084 ]
+
+Current handling of the srb_status is incorrect. Commit 52e1b3b3daa9
+("scsi: storvsc: Correctly handle multiple flags in srb_status")
+is based on srb_status being a set of flags, when in fact only the
+2 high order bits are flags and the remaining 6 bits are an integer
+status. Because the integer values of interest mostly look like flags,
+the code actually works when treated that way.
+
+But in the interest of correctness going forward, fix this by treating
+the low 6 bits of srb_status as an integer status code. Add handling
+for SRB_STATUS_INVALID_REQUEST, which was the original intent of commit
+52e1b3b3daa9. Furthermore, treat the ERROR, ABORTED, and INVALID_REQUEST
+srb status codes as essentially equivalent for the cases we care about.
+There's no harm in doing so, and it isn't always clear which status code
+current or older versions of Hyper-V report for particular conditions.
+
+Treating the srb status codes as equivalent has the additional benefit
+of ensuring that capacity change events result in an immediate rescan
+so that the new size is known to Linux. Existing code checks SCSI
+sense data for capacity change events when the srb status is ABORTED.
+But capacity change events are also being observed when Hyper-V reports
+the srb status as ERROR. Without the immediate rescan, the new size
+isn't known until something else causes a rescan (such as running
+fdisk to expand a partition), and in the meantime, tools such as "lsblk"
+continue to report the old size.
+
+Fixes: 52e1b3b3daa9 ("scsi: storvsc: Correctly handle multiple flags in srb_status")
+Reported-by: Juan Tian <juantian@microsoft.com>
+Signed-off-by: Michael Kelley <mikelley@microsoft.com>
+Link: https://lore.kernel.org/r/1668019722-1983-1-git-send-email-mikelley@microsoft.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/storvsc_drv.c | 69 +++++++++++++++++++-------------------
+ 1 file changed, 34 insertions(+), 35 deletions(-)
+
+diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
+index 8ced292c4b96..d93604318ecd 100644
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -300,16 +300,21 @@ enum storvsc_request_type {
+ };
+
+ /*
+- * SRB status codes and masks; a subset of the codes used here.
++ * SRB status codes and masks. In the 8-bit field, the two high order bits
++ * are flags, while the remaining 6 bits are an integer status code. The
++ * definitions here include only the subset of the integer status codes that
++ * are tested for in this driver.
+ */
+-
+ #define SRB_STATUS_AUTOSENSE_VALID 0x80
+ #define SRB_STATUS_QUEUE_FROZEN 0x40
+-#define SRB_STATUS_INVALID_LUN 0x20
+-#define SRB_STATUS_SUCCESS 0x01
+-#define SRB_STATUS_ABORTED 0x02
+-#define SRB_STATUS_ERROR 0x04
+-#define SRB_STATUS_DATA_OVERRUN 0x12
++
++/* SRB status integer codes */
++#define SRB_STATUS_SUCCESS 0x01
++#define SRB_STATUS_ABORTED 0x02
++#define SRB_STATUS_ERROR 0x04
++#define SRB_STATUS_INVALID_REQUEST 0x06
++#define SRB_STATUS_DATA_OVERRUN 0x12
++#define SRB_STATUS_INVALID_LUN 0x20
+
+ #define SRB_STATUS(status) \
+ (status & ~(SRB_STATUS_AUTOSENSE_VALID | SRB_STATUS_QUEUE_FROZEN))
+@@ -966,38 +971,25 @@ static void storvsc_handle_error(struct vmscsi_request *vm_srb,
+ void (*process_err_fn)(struct work_struct *work);
+ struct hv_host_device *host_dev = shost_priv(host);
+
+- /*
+- * In some situations, Hyper-V sets multiple bits in the
+- * srb_status, such as ABORTED and ERROR. So process them
+- * individually, with the most specific bits first.
+- */
+-
+- if (vm_srb->srb_status & SRB_STATUS_INVALID_LUN) {
+- set_host_byte(scmnd, DID_NO_CONNECT);
+- process_err_fn = storvsc_remove_lun;
+- goto do_work;
+- }
++ switch (SRB_STATUS(vm_srb->srb_status)) {
++ case SRB_STATUS_ERROR:
++ case SRB_STATUS_ABORTED:
++ case SRB_STATUS_INVALID_REQUEST:
++ if (vm_srb->srb_status & SRB_STATUS_AUTOSENSE_VALID) {
++ /* Check for capacity change */
++ if ((asc == 0x2a) && (ascq == 0x9)) {
++ process_err_fn = storvsc_device_scan;
++ /* Retry the I/O that triggered this. */
++ set_host_byte(scmnd, DID_REQUEUE);
++ goto do_work;
++ }
+
+- if (vm_srb->srb_status & SRB_STATUS_ABORTED) {
+- if (vm_srb->srb_status & SRB_STATUS_AUTOSENSE_VALID &&
+- /* Capacity data has changed */
+- (asc == 0x2a) && (ascq == 0x9)) {
+- process_err_fn = storvsc_device_scan;
+ /*
+- * Retry the I/O that triggered this.
++ * Otherwise, let upper layer deal with the
++ * error when sense message is present
+ */
+- set_host_byte(scmnd, DID_REQUEUE);
+- goto do_work;
+- }
+- }
+-
+- if (vm_srb->srb_status & SRB_STATUS_ERROR) {
+- /*
+- * Let upper layer deal with error when
+- * sense message is present.
+- */
+- if (vm_srb->srb_status & SRB_STATUS_AUTOSENSE_VALID)
+ return;
++ }
+
+ /*
+ * If there is an error; offline the device since all
+@@ -1020,6 +1012,13 @@ static void storvsc_handle_error(struct vmscsi_request *vm_srb,
+ default:
+ set_host_byte(scmnd, DID_ERROR);
+ }
++ return;
++
++ case SRB_STATUS_INVALID_LUN:
++ set_host_byte(scmnd, DID_NO_CONNECT);
++ process_err_fn = storvsc_remove_lun;
++ goto do_work;
++
+ }
+ return;
+
+--
+2.35.1
+
--- /dev/null
+From 477fd82f0a20f48442f8229106fc7daf2dd26b4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 14:10:46 -0800
+Subject: selftests: mptcp: fix mibit vs mbit mix up
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+[ Upstream commit 3de88b95c4d436d78afc0266a0bed76c35ddeb62 ]
+
+The estimated time was supposing the rate was expressed in mibit
+(bit * 1024^2) but it is in mbit (bit * 1000^2).
+
+This makes the threshold higher but in a more realistic way to avoid
+false positives reported by CI instances.
+
+Before this patch, the thresholds were at 7561/4005ms and now they are
+at 7906/4178ms.
+
+While at it, also fix a typo in the linked comment, spotted by Mat.
+
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/310
+Fixes: 1a418cb8e888 ("mptcp: simult flow self-tests")
+Suggested-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/mptcp/simult_flows.sh | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/mptcp/simult_flows.sh b/tools/testing/selftests/net/mptcp/simult_flows.sh
+index ffa13a957a36..40aeb5a71a2a 100755
+--- a/tools/testing/selftests/net/mptcp/simult_flows.sh
++++ b/tools/testing/selftests/net/mptcp/simult_flows.sh
+@@ -247,9 +247,10 @@ run_test()
+ tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1
+ tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2
+
+- # time is measured in ms, account for transfer size, affegated link speed
++ # time is measured in ms, account for transfer size, aggregated link speed
+ # and header overhead (10%)
+- local time=$((size * 8 * 1000 * 10 / (( $rate1 + $rate2) * 1024 *1024 * 9) ))
++ # ms byte -> bit 10% mbit -> kbit -> bit 10%
++ local time=$((1000 * size * 8 * 10 / ((rate1 + rate2) * 1000 * 1000 * 9) ))
+
+ # mptcp_connect will do some sleeps to allow the mp_join handshake
+ # completion (see mptcp_connect): 200ms on each side, add some slack
+--
+2.35.1
+
--- /dev/null
+From fe569da15ba7d9824a42099dec5426f49422fb28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 14:10:44 -0800
+Subject: selftests: mptcp: gives slow test-case more time
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 22b29557aef3c9d673c887911b504c6d47009de4 ]
+
+On slow or busy VM, some test-cases still fail because the
+data transfer completes before the endpoint manipulation
+actually took effect.
+
+Address the issue by artificially increasing the runtime for
+the relevant test-cases.
+
+Fixes: ef360019db40 ("selftests: mptcp: signal addresses testcases")
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/309
+Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+index ff83ef426df5..e52b79440123 100755
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -2105,7 +2105,7 @@ remove_tests()
+ pm_nl_set_limits $ns2 1 3
+ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
+ pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow
+- run_tests $ns1 $ns2 10.0.1.1 0 -1 -2 slow
++ run_tests $ns1 $ns2 10.0.1.1 0 -1 -2 speed_10
+ chk_join_nr 3 3 3
+ chk_add_nr 1 1
+ chk_rm_nr 2 2
+@@ -2118,7 +2118,7 @@ remove_tests()
+ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal
+ pm_nl_add_endpoint $ns1 10.0.4.1 flags signal
+ pm_nl_set_limits $ns2 3 3
+- run_tests $ns1 $ns2 10.0.1.1 0 -3 0 slow
++ run_tests $ns1 $ns2 10.0.1.1 0 -3 0 speed_10
+ chk_join_nr 3 3 3
+ chk_add_nr 3 3
+ chk_rm_nr 3 3 invert
+@@ -2131,7 +2131,7 @@ remove_tests()
+ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal
+ pm_nl_add_endpoint $ns1 10.0.14.1 flags signal
+ pm_nl_set_limits $ns2 3 3
+- run_tests $ns1 $ns2 10.0.1.1 0 -3 0 slow
++ run_tests $ns1 $ns2 10.0.1.1 0 -3 0 speed_10
+ chk_join_nr 1 1 1
+ chk_add_nr 3 3
+ chk_rm_nr 3 1 invert
+--
+2.35.1
+
--- /dev/null
+From bf5c39536989746e8d070ee77deecc70bea85d72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 14:10:45 -0800
+Subject: selftests: mptcp: run mptcp_sockopt from a new netns
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+[ Upstream commit 7e68d31020f18f8d695d5f143fc16cdaa96166cb ]
+
+Not running it from a new netns causes issues if some MPTCP settings are
+modified, e.g. if MPTCP is disabled from the sysctl knob, if multiple
+addresses are available and added to the MPTCP path-manager, etc.
+
+In these cases, the created connection will not behave as expected, e.g.
+unable to create an MPTCP socket, more than one subflow is seen, etc.
+
+A new "sandbox" net namespace is now created and used to run
+mptcp_sockopt from this controlled environment.
+
+Fixes: ce9979129a0b ("selftests: mptcp: add mptcp getsockopt test cases")
+Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_sockopt.sh | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh b/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh
+index 0879da915014..80d36f7cfee8 100755
+--- a/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh
+@@ -35,8 +35,9 @@ init()
+
+ ns1="ns1-$rndh"
+ ns2="ns2-$rndh"
++ ns_sbox="ns_sbox-$rndh"
+
+- for netns in "$ns1" "$ns2";do
++ for netns in "$ns1" "$ns2" "$ns_sbox";do
+ ip netns add $netns || exit $ksft_skip
+ ip -net $netns link set lo up
+ ip netns exec $netns sysctl -q net.mptcp.enabled=1
+@@ -73,7 +74,7 @@ init()
+
+ cleanup()
+ {
+- for netns in "$ns1" "$ns2"; do
++ for netns in "$ns1" "$ns2" "$ns_sbox"; do
+ ip netns del $netns
+ done
+ rm -f "$cin" "$cout"
+@@ -243,7 +244,7 @@ do_mptcp_sockopt_tests()
+ {
+ local lret=0
+
+- ./mptcp_sockopt
++ ip netns exec "$ns_sbox" ./mptcp_sockopt
+ lret=$?
+
+ if [ $lret -ne 0 ]; then
+@@ -252,7 +253,7 @@ do_mptcp_sockopt_tests()
+ return
+ fi
+
+- ./mptcp_sockopt -6
++ ip netns exec "$ns_sbox" ./mptcp_sockopt -6
+ lret=$?
+
+ if [ $lret -ne 0 ]; then
+--
+2.35.1
+
risc-v-vdso-do-not-add-missing-symbols-to-version-se.patch
mips-pic32-treat-port-as-signed-integer.patch
io_uring-poll-lockdep-annote-io_poll_req_insert_lock.patch
+xfrm-fix-disable_policy-on-ipv4-early-demux.patch
+arm64-dts-rockchip-fix-quartz64-a-bluetooth-configur.patch
+xfrm-replay-fix-esn-wrap-around-for-gso.patch
+af_key-fix-send_acquire-race-with-pfkey_register.patch
+power-supply-ip5xxx-fix-integer-overflow-in-current_.patch
+power-supply-ab8500-defer-thermal-zone-probe.patch
+arm-dts-am335x-pcm-953-define-fixed-regulators-in-ro.patch
+asoc-intel-skylake-introduce-hda-codec-init-and-exit.patch
+asoc-sof-intel-introduce-hda-codec-init-and-exit-rou.patch
+asoc-intel-drop-hdac_ext-usage-for-codec-device-crea.patch
+asoc-hdac_hda-fix-hda-pcm-buffer-overflow-issue.patch
+asoc-sgtl5000-reset-the-chip_clk_ctrl-reg-on-remove.patch
+asoc-soc-pcm-don-t-zero-tdm-masks-in-__soc_pcm_open.patch
+x86-hyperv-restore-vp-assist-page-after-cpu-offlinin.patch
+scsi-storvsc-fix-handling-of-srb_status-and-capacity.patch
+pci-hv-only-reuse-existing-irte-allocation-for-multi.patch
+arm64-dts-rockchip-fix-pine64-quartz4-b-pmic-interru.patch
+asoc-max98373-add-checks-for-devm_kcalloc.patch
+regulator-core-fix-kobject-release-warning-and-memor.patch
+regulator-rt5759-fix-oob-in-validate_desc.patch
+spi-dw-dma-decrease-reference-count-in-dw_spi_dma_in.patch
+regulator-core-fix-uaf-in-destroy_regulator.patch
+bus-sunxi-rsb-remove-the-shutdown-callback.patch
+bus-sunxi-rsb-support-atomic-transfers.patch
+tee-optee-fix-possible-memory-leak-in-optee_register.patch
+spi-tegra210-quad-fix-duplicate-resource-error.patch
+arm-dts-at91-sam9g20ek-enable-udc-vbus-gpio-pinctrl.patch
+selftests-mptcp-gives-slow-test-case-more-time.patch
+selftests-mptcp-run-mptcp_sockopt-from-a-new-netns.patch
+selftests-mptcp-fix-mibit-vs-mbit-mix-up.patch
+net-liquidio-simplify-if-expression.patch
+net-neigh-decrement-the-family-specific-qlen.patch
+ipvlan-hold-lower-dev-to-avoid-possible-use-after-fr.patch
+rxrpc-fix-race-between-conn-bundle-lookup-and-bundle.patch
+net-dsa-sja1105-disallow-c45-transactions-on-the-bas.patch
+nfc-nci-fix-race-with-opening-and-closing.patch
+net-pch_gbe-fix-potential-memleak-in-pch_gbe_tx_queu.patch
+9p-fd-fix-issue-of-list_del-corruption-in-p9_fd_canc.patch
+netfilter-conntrack-fix-data-races-around-ct-mark.patch
+netfilter-nf_tables-do-not-set-up-extensions-for-end.patch
+iavf-fix-a-crash-during-reset-task.patch
+iavf-do-not-restart-tx-queues-after-reset-task-failu.patch
+iavf-remove-initial_mac_set-to-allow-garp-to-work-pr.patch
+iavf-fix-race-condition-between-iavf_shutdown-and-ia.patch
+arm-mxs-fix-memory-leak-in-mxs_machine_init.patch
+arm-dts-imx6q-prti6q-fix-ref-tcxo-clock-frequency-pr.patch
+net-ethernet-mtk_eth_soc-fix-error-handling-in-mtk_o.patch
+net-mlx4-check-retval-of-mlx4_bitmap_init.patch
+net-mvpp2-fix-possible-invalid-pointer-dereference.patch
+net-qla3xxx-fix-potential-memleak-in-ql3xxx_send.patch
+octeontx2-af-debugsfs-fix-pci-device-refcount-leak.patch
+net-pch_gbe-fix-pci-device-refcount-leak-while-modul.patch
+nfp-fill-splittable-of-devlink_port_attrs-correctly.patch
+nfp-add-port-from-netdev-validation-for-eeprom-acces.patch
+bonding-fix-icmpv6-header-handling-when-receiving-ip.patch
+macsec-fix-invalid-error-code-set.patch
+drm-i915-fix-warn-in-intel_display_power_-_domain-fu.patch
+drivers-hv-vmbus-fix-double-free-in-the-error-path-o.patch
+drivers-hv-vmbus-fix-possible-memory-leak-in-vmbus_d.patch
+netfilter-ipset-regression-in-ip_set_hash_ip.c.patch
+net-mlx5-do-not-query-pci-info-while-pci-disabled.patch
+net-mlx5-fix-fw-tracer-timestamp-calculation.patch
+net-mlx5-sf-fix-probing-active-sfs-during-driver-pro.patch
+net-mlx5-cmdif-print-info-on-any-firmware-cmd-failur.patch
+net-mlx5-fix-handling-of-entry-refcount-when-command.patch
+net-mlx5-e-switch-set-correctly-vport-destination.patch
+net-mlx5-fix-sync-reset-event-handler-error-flow.patch
+net-mlx5e-offload-rule-only-when-all-encaps-are-vali.patch
+net-phy-at803x-fix-error-return-code-in-at803x_probe.patch
+tipc-set-con-sock-in-tipc_conn_alloc.patch
+tipc-add-an-extra-conn_get-in-tipc_conn_alloc.patch
+tipc-check-skb_linearize-return-value-in-tipc_disc_r.patch
+zonefs-fix-race-between-modprobe-and-mount.patch
+xfrm-fix-oops-in-__xfrm_state_delete.patch
+xfrm-fix-ignored-return-value-in-xfrm6_init.patch
+net-wwan-iosm-use-acpi_free-but-not-kfree-in-ipc_pci.patch
+sfc-fix-potential-memleak-in-__ef100_hard_start_xmit.patch
+net-sparx5-fix-error-handling-in-sparx5_port_open.patch
+net-sched-allow-act_ct-to-be-built-without-nf_nat.patch
+nfc-nci-fix-memory-leak-in-nci_rx_data_packet.patch
+regulator-twl6030-re-add-twl6032_subclass.patch
+bnx2x-fix-pci-device-refcount-leak-in-bnx2x_vf_is_pc.patch
+dma-buf-fix-racing-conflict-of-dma_heap_add.patch
+tsnep-fix-rotten-packets.patch
+cpufreq-amd-pstate-change-amd-pstate-driver-to-be-bu.patch
+netfilter-ipset-restore-allowing-64-clashing-element.patch
+netfilter-flowtable_offload-add-missing-locking.patch
+fs-do-not-update-freeing-inode-i_io_list.patch
+blk-mq-fix-queue-reference-leak-on-blk_mq_alloc_disk.patch
+test_kprobes-fix-implicit-declaration-error-of-test_.patch
+dccp-tcp-reset-saddr-on-failure-after-inet6-_hash_co.patch
+net-ethernet-mtk_eth_soc-fix-potential-memory-leak-i.patch
+net-ethernet-mtk_eth_soc-move-gdma_to_ppe-and-ppe_ba.patch
+net-ethernet-mtk_eth_soc-move-ppe-table-hash-offset-.patch
+net-ethernet-mtk_eth_soc-fix-resource-leak-in-error-.patch
+ipv4-fix-error-return-code-in-fib_table_insert.patch
+arcnet-fix-potential-memory-leak-in-com20020_probe.patch
+net-dm9051-fix-missing-dev_kfree_skb-in-dm9051_loop_.patch
+net-cdc_ncm-fix-multicast-rx-support-for-cdc-ncm-dev.patch
+s390-ap-fix-memory-leak-in-ap_init_qci_info.patch
+s390-dasd-fix-no-record-found-for-raw_track_access.patch
+fscache-fix-oob-read-in-__fscache_acquire_volume.patch
+nfc-st-nci-fix-incorrect-validating-logic-in-evt_tra.patch
+nfc-st-nci-fix-memory-leaks-in-evt_transaction.patch
+nfc-st-nci-fix-incorrect-sizing-calculations-in-evt_.patch
+net-marvell-prestera-add-missing-unregister_netdev-i.patch
+net-enetc-cache-accesses-to-priv-si-hw.patch
+net-enetc-preserve-tx-ring-priority-across-reconfigu.patch
+octeontx2-pf-add-check-for-devm_kcalloc.patch
+net-wwan-t7xx-fix-the-acpi-memory-leak.patch
+virtio_net-fix-probe-failed-when-modprobe-virtio_net.patch
+octeontx2-af-fix-reference-count-issue-in-rvu_sdp_in.patch
+net-thunderx-fix-the-acpi-memory-leak.patch
+s390-crashdump-fix-tod-programmable-field-size.patch
+io_uring-filetable-fix-file-reference-underflow.patch
+io_uring-poll-fix-poll_refs-race-with-cancelation.patch
--- /dev/null
+From e876771de81ea88eb1c3c4994e01626c211e5887 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 15:50:09 +0800
+Subject: sfc: fix potential memleak in __ef100_hard_start_xmit()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit aad98abd5cb8133507f22654f56bcb443aaa2d89 ]
+
+The __ef100_hard_start_xmit() returns NETDEV_TX_OK without freeing skb
+in error handling case, add dev_kfree_skb_any() to fix it.
+
+Fixes: 51b35a454efd ("sfc: skeleton EF100 PF driver")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Acked-by: Martin Habets <habetsm.xilinx@gmail.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/1668671409-10909-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/ef100_netdev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/sfc/ef100_netdev.c b/drivers/net/ethernet/sfc/ef100_netdev.c
+index 17b9d37218cb..4c33c3b5f32b 100644
+--- a/drivers/net/ethernet/sfc/ef100_netdev.c
++++ b/drivers/net/ethernet/sfc/ef100_netdev.c
+@@ -217,6 +217,7 @@ netdev_tx_t __ef100_hard_start_xmit(struct sk_buff *skb,
+ skb->len, skb->data_len, channel->channel);
+ if (!efx->n_channels || !efx->n_tx_channels || !channel) {
+ netif_stop_queue(net_dev);
++ dev_kfree_skb_any(skb);
+ goto err;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From f7241f155d060a82288e0ab59eb0ee5d640ddf35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 17:32:04 +0800
+Subject: spi: dw-dma: decrease reference count in dw_spi_dma_init_mfld()
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 804313b64e412a81b0b3389a10e7622452004aa6 ]
+
+pci_get_device() will increase the reference count for the returned
+pci_dev. Since 'dma_dev' is only used to filter the channel in
+dw_spi_dma_chan_filer() after using it we need to call pci_dev_put() to
+decrease the reference count. Also add pci_dev_put() for the error case.
+
+Fixes: 7063c0d942a1 ("spi/dw_spi: add DMA support")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Acked-by: Serge Semin <fancer.lancer@gmail.com>
+Link: https://lore.kernel.org/r/20221116093204.46700-1-wangxiongfeng2@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dw-dma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/spi/spi-dw-dma.c b/drivers/spi/spi-dw-dma.c
+index 1322b8cce5b7..ababb910b391 100644
+--- a/drivers/spi/spi-dw-dma.c
++++ b/drivers/spi/spi-dw-dma.c
+@@ -128,12 +128,15 @@ static int dw_spi_dma_init_mfld(struct device *dev, struct dw_spi *dws)
+
+ dw_spi_dma_sg_burst_init(dws);
+
++ pci_dev_put(dma_dev);
++
+ return 0;
+
+ free_rxchan:
+ dma_release_channel(dws->rxchan);
+ dws->rxchan = NULL;
+ err_exit:
++ pci_dev_put(dma_dev);
+ return -EBUSY;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 74098bfbf6d561738dbeb85457b8c234fabe7f21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 12:33:20 +0530
+Subject: spi: tegra210-quad: Fix duplicate resource error
+
+From: Krishna Yarlagadda <kyarlagadda@nvidia.com>
+
+[ Upstream commit 2197aa6b0aa236b9896a09b9d08d6924d18b84f6 ]
+
+controller data alloc is done with client device data causing duplicate
+resource error. Allocate memory using controller device when using devm
+
+Fixes: f89d2cc3967a ("spi: tegra210-quad: use devm call for cdata memory")
+
+Signed-off-by: Krishna Yarlagadda <kyarlagadda@nvidia.com>
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Tested-by: Jon Hunter <jonathanh@nvidia.com>
+Link: https://lore.kernel.org/r/20221117070320.18720-1-kyarlagadda@nvidia.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra210-quad.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
+index 10f0c5a6e0dc..9f356612ba7e 100644
+--- a/drivers/spi/spi-tegra210-quad.c
++++ b/drivers/spi/spi-tegra210-quad.c
+@@ -924,8 +924,9 @@ static int tegra_qspi_start_transfer_one(struct spi_device *spi,
+ static struct tegra_qspi_client_data *tegra_qspi_parse_cdata_dt(struct spi_device *spi)
+ {
+ struct tegra_qspi_client_data *cdata;
++ struct tegra_qspi *tqspi = spi_master_get_devdata(spi->master);
+
+- cdata = devm_kzalloc(&spi->dev, sizeof(*cdata), GFP_KERNEL);
++ cdata = devm_kzalloc(tqspi->dev, sizeof(*cdata), GFP_KERNEL);
+ if (!cdata)
+ return NULL;
+
+--
+2.35.1
+
--- /dev/null
+From 65e10427888380aa71e8110b8a01296fbcc8bad6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 22:01:24 +0800
+Subject: tee: optee: fix possible memory leak in optee_register_device()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit cce616e012c215d65c15e5d1afa73182dea49389 ]
+
+If device_register() returns error in optee_register_device(),
+the name allocated by dev_set_name() need be freed. As comment
+of device_register() says, it should use put_device() to give
+up the reference in the error path. So fix this by calling
+put_device(), then the name can be freed in kobject_cleanup(),
+and optee_device is freed in optee_release_device().
+
+Fixes: c3fa24af9244 ("tee: optee: add TEE bus device enumeration support")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tee/optee/device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tee/optee/device.c b/drivers/tee/optee/device.c
+index f3947be13e2e..64f0e047c23d 100644
+--- a/drivers/tee/optee/device.c
++++ b/drivers/tee/optee/device.c
+@@ -80,7 +80,7 @@ static int optee_register_device(const uuid_t *device_uuid)
+ rc = device_register(&optee_device->dev);
+ if (rc) {
+ pr_err("device registration failed, err: %d\n", rc);
+- kfree(optee_device);
++ put_device(&optee_device->dev);
+ }
+
+ return rc;
+--
+2.35.1
+
--- /dev/null
+From e3a2dc6aa55c599d683542158592648717d09312 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 11:06:20 +0800
+Subject: test_kprobes: fix implicit declaration error of test_kprobes
+
+From: Li Hua <hucool.lihua@huawei.com>
+
+[ Upstream commit de3db3f883a82c4800f4af0ae2cc3b96a408ee9b ]
+
+If KPROBES_SANITY_TEST and ARCH_CORRECT_STACKTRACE_ON_KRETPROBE is enabled, but
+STACKTRACE is not set. Build failed as below:
+
+lib/test_kprobes.c: In function `stacktrace_return_handler':
+lib/test_kprobes.c:228:8: error: implicit declaration of function `stack_trace_save'; did you mean `stacktrace_driver'? [-Werror=implicit-function-declaration]
+ ret = stack_trace_save(stack_buf, STACK_BUF_SIZE, 0);
+ ^~~~~~~~~~~~~~~~
+ stacktrace_driver
+cc1: all warnings being treated as errors
+scripts/Makefile.build:250: recipe for target 'lib/test_kprobes.o' failed
+make[2]: *** [lib/test_kprobes.o] Error 1
+
+To fix this error, Select STACKTRACE if ARCH_CORRECT_STACKTRACE_ON_KRETPROBE is enabled.
+
+Link: https://lkml.kernel.org/r/20221121030620.63181-1-hucool.lihua@huawei.com
+Fixes: 1f6d3a8f5e39 ("kprobes: Add a test case for stacktrace from kretprobe handler")
+Signed-off-by: Li Hua <hucool.lihua@huawei.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index cb131fad117c..997d23641448 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -2095,6 +2095,7 @@ config KPROBES_SANITY_TEST
+ depends on DEBUG_KERNEL
+ depends on KPROBES
+ depends on KUNIT
++ select STACKTRACE if ARCH_CORRECT_STACKTRACE_ON_KRETPROBE
+ default KUNIT_ALL_TESTS
+ help
+ This option provides for testing basic kprobes functionality on
+--
+2.35.1
+
--- /dev/null
+From 8593526f6388b13cae2cf18b269a4dbfa2817fe4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 16:45:01 -0500
+Subject: tipc: add an extra conn_get in tipc_conn_alloc
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit a7b42969d63f47320853a802efd879fbdc4e010e ]
+
+One extra conn_get() is needed in tipc_conn_alloc(), as after
+tipc_conn_alloc() is called, tipc_conn_close() may free this
+con before deferencing it in tipc_topsrv_accept():
+
+ tipc_conn_alloc();
+ newsk = newsock->sk;
+ <---- tipc_conn_close();
+ write_lock_bh(&sk->sk_callback_lock);
+ newsk->sk_data_ready = tipc_conn_data_ready;
+
+Then an uaf issue can be triggered:
+
+ BUG: KASAN: use-after-free in tipc_topsrv_accept+0x1e7/0x370 [tipc]
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x33/0x46
+ print_report+0x178/0x4b0
+ kasan_report+0x8c/0x100
+ kasan_check_range+0x179/0x1e0
+ tipc_topsrv_accept+0x1e7/0x370 [tipc]
+ process_one_work+0x6a3/0x1030
+ worker_thread+0x8a/0xdf0
+
+This patch fixes it by holding it in tipc_conn_alloc(), then after
+all accessing in tipc_topsrv_accept() releasing it. Note when does
+this in tipc_topsrv_kern_subscr(), as tipc_conn_rcv_sub() returns
+0 or -1 only, we don't need to check for "> 0".
+
+Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/topsrv.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
+index b0f9aa521670..e3b427a70398 100644
+--- a/net/tipc/topsrv.c
++++ b/net/tipc/topsrv.c
+@@ -206,6 +206,7 @@ static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s, struct socket *s
+ set_bit(CF_CONNECTED, &con->flags);
+ con->server = s;
+ con->sock = sock;
++ conn_get(con);
+ spin_unlock_bh(&s->idr_lock);
+
+ return con;
+@@ -484,6 +485,7 @@ static void tipc_topsrv_accept(struct work_struct *work)
+
+ /* Wake up receive process in case of 'SYN+' message */
+ newsk->sk_data_ready(newsk);
++ conn_put(con);
+ }
+ }
+
+@@ -583,10 +585,11 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower,
+
+ *conid = con->conid;
+ rc = tipc_conn_rcv_sub(tipc_topsrv(net), con, &sub);
+- if (rc >= 0)
+- return true;
++ if (rc)
++ conn_put(con);
++
+ conn_put(con);
+- return false;
++ return !rc;
+ }
+
+ void tipc_topsrv_kern_unsubscr(struct net *net, int conid)
+--
+2.35.1
+
--- /dev/null
+From 8f2a99331d690acddf5b6b48ae0655901ae85691 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Nov 2022 15:28:32 +0800
+Subject: tipc: check skb_linearize() return value in tipc_disc_rcv()
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit cd0f6421162201e4b22ce757a1966729323185eb ]
+
+If skb_linearize() fails in tipc_disc_rcv(), we need to free the skb instead of
+handle it.
+
+Fixes: 25b0b9c4e835 ("tipc: handle collisions of 32-bit node address hash values")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Link: https://lore.kernel.org/r/20221119072832.7896-1-yuehaibing@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/discover.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/discover.c b/net/tipc/discover.c
+index e8630707901e..e8dcdf267c0c 100644
+--- a/net/tipc/discover.c
++++ b/net/tipc/discover.c
+@@ -211,7 +211,10 @@ void tipc_disc_rcv(struct net *net, struct sk_buff *skb,
+ u32 self;
+ int err;
+
+- skb_linearize(skb);
++ if (skb_linearize(skb)) {
++ kfree_skb(skb);
++ return;
++ }
+ hdr = buf_msg(skb);
+
+ if (caps & TIPC_NODE_ID128)
+--
+2.35.1
+
--- /dev/null
+From 7e9335d9ca87109b511eb3cb4989f6321fda2f17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 16:45:00 -0500
+Subject: tipc: set con sock in tipc_conn_alloc
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 0e5d56c64afcd6fd2d132ea972605b66f8a7d3c4 ]
+
+A crash was reported by Wei Chen:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000018
+ RIP: 0010:tipc_conn_close+0x12/0x100
+ Call Trace:
+ tipc_topsrv_exit_net+0x139/0x320
+ ops_exit_list.isra.9+0x49/0x80
+ cleanup_net+0x31a/0x540
+ process_one_work+0x3fa/0x9f0
+ worker_thread+0x42/0x5c0
+
+It was caused by !con->sock in tipc_conn_close(). In tipc_topsrv_accept(),
+con is allocated in conn_idr then its sock is set:
+
+ con = tipc_conn_alloc();
+ ... <----[1]
+ con->sock = newsock;
+
+If tipc_conn_close() is called in anytime of [1], the null-pointer-def
+is triggered by con->sock->sk due to con->sock is not yet set.
+
+This patch fixes it by moving the con->sock setting to tipc_conn_alloc()
+under s->idr_lock. So that con->sock can never be NULL when getting the
+con from s->conn_idr. It will be also safer to move con->server and flag
+CF_CONNECTED setting under s->idr_lock, as they should all be set before
+tipc_conn_alloc() is called.
+
+Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure")
+Reported-by: Wei Chen <harperchen1110@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/topsrv.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
+index d92ec92f0b71..b0f9aa521670 100644
+--- a/net/tipc/topsrv.c
++++ b/net/tipc/topsrv.c
+@@ -176,7 +176,7 @@ static void tipc_conn_close(struct tipc_conn *con)
+ conn_put(con);
+ }
+
+-static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s)
++static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s, struct socket *sock)
+ {
+ struct tipc_conn *con;
+ int ret;
+@@ -202,10 +202,11 @@ static struct tipc_conn *tipc_conn_alloc(struct tipc_topsrv *s)
+ }
+ con->conid = ret;
+ s->idr_in_use++;
+- spin_unlock_bh(&s->idr_lock);
+
+ set_bit(CF_CONNECTED, &con->flags);
+ con->server = s;
++ con->sock = sock;
++ spin_unlock_bh(&s->idr_lock);
+
+ return con;
+ }
+@@ -467,7 +468,7 @@ static void tipc_topsrv_accept(struct work_struct *work)
+ ret = kernel_accept(lsock, &newsock, O_NONBLOCK);
+ if (ret < 0)
+ return;
+- con = tipc_conn_alloc(srv);
++ con = tipc_conn_alloc(srv, newsock);
+ if (IS_ERR(con)) {
+ ret = PTR_ERR(con);
+ sock_release(newsock);
+@@ -479,7 +480,6 @@ static void tipc_topsrv_accept(struct work_struct *work)
+ newsk->sk_data_ready = tipc_conn_data_ready;
+ newsk->sk_write_space = tipc_conn_write_space;
+ newsk->sk_user_data = con;
+- con->sock = newsock;
+ write_unlock_bh(&newsk->sk_callback_lock);
+
+ /* Wake up receive process in case of 'SYN+' message */
+@@ -577,12 +577,11 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower,
+ sub.filter = filter;
+ *(u64 *)&sub.usr_handle = (u64)port;
+
+- con = tipc_conn_alloc(tipc_topsrv(net));
++ con = tipc_conn_alloc(tipc_topsrv(net), NULL);
+ if (IS_ERR(con))
+ return false;
+
+ *conid = con->conid;
+- con->sock = NULL;
+ rc = tipc_conn_rcv_sub(tipc_topsrv(net), con, &sub);
+ if (rc >= 0)
+ return true;
+--
+2.35.1
+
--- /dev/null
+From 70f281401e14f9d20458d8fa333d57740f33819b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Nov 2022 22:18:25 +0100
+Subject: tsnep: Fix rotten packets
+
+From: Gerhard Engleder <gerhard@engleder-embedded.com>
+
+[ Upstream commit 2dc4ac91f845b690ddf2ad39172c3698b2769fa2 ]
+
+If PTP synchronisation is done every second, then sporadic the interval
+is higher than one second:
+
+ptp4l[696.582]: master offset -17 s2 freq -1891 path delay 573
+ptp4l[697.582]: master offset -22 s2 freq -1901 path delay 573
+ptp4l[699.368]: master offset -1 s2 freq -1887 path delay 573
+ ^^^^^^^ Should be 698.582!
+
+This problem is caused by rotten packets, which are received after
+polling but before interrupts are enabled again. This can be fixed by
+checking for pending work and rescheduling if necessary after interrupts
+has been enabled again.
+
+Fixes: 403f69bbdbad ("tsnep: Add TSN endpoint Ethernet MAC driver")
+Signed-off-by: Gerhard Engleder <gerhard@engleder-embedded.com>
+Link: https://lore.kernel.org/r/20221119211825.81805-1-gerhard@engleder-embedded.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/engleder/tsnep_main.c | 57 +++++++++++++++++++++-
+ 1 file changed, 56 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/engleder/tsnep_main.c b/drivers/net/ethernet/engleder/tsnep_main.c
+index a5f7152a1716..6a2617cc5490 100644
+--- a/drivers/net/ethernet/engleder/tsnep_main.c
++++ b/drivers/net/ethernet/engleder/tsnep_main.c
+@@ -504,6 +504,27 @@ static bool tsnep_tx_poll(struct tsnep_tx *tx, int napi_budget)
+ return (budget != 0);
+ }
+
++static bool tsnep_tx_pending(struct tsnep_tx *tx)
++{
++ unsigned long flags;
++ struct tsnep_tx_entry *entry;
++ bool pending = false;
++
++ spin_lock_irqsave(&tx->lock, flags);
++
++ if (tx->read != tx->write) {
++ entry = &tx->entry[tx->read];
++ if ((__le32_to_cpu(entry->desc_wb->properties) &
++ TSNEP_TX_DESC_OWNER_MASK) ==
++ (entry->properties & TSNEP_TX_DESC_OWNER_MASK))
++ pending = true;
++ }
++
++ spin_unlock_irqrestore(&tx->lock, flags);
++
++ return pending;
++}
++
+ static int tsnep_tx_open(struct tsnep_adapter *adapter, void __iomem *addr,
+ struct tsnep_tx *tx)
+ {
+@@ -751,6 +772,19 @@ static int tsnep_rx_poll(struct tsnep_rx *rx, struct napi_struct *napi,
+ return done;
+ }
+
++static bool tsnep_rx_pending(struct tsnep_rx *rx)
++{
++ struct tsnep_rx_entry *entry;
++
++ entry = &rx->entry[rx->read];
++ if ((__le32_to_cpu(entry->desc_wb->properties) &
++ TSNEP_DESC_OWNER_COUNTER_MASK) ==
++ (entry->properties & TSNEP_DESC_OWNER_COUNTER_MASK))
++ return true;
++
++ return false;
++}
++
+ static int tsnep_rx_open(struct tsnep_adapter *adapter, void __iomem *addr,
+ struct tsnep_rx *rx)
+ {
+@@ -795,6 +829,17 @@ static void tsnep_rx_close(struct tsnep_rx *rx)
+ tsnep_rx_ring_cleanup(rx);
+ }
+
++static bool tsnep_pending(struct tsnep_queue *queue)
++{
++ if (queue->tx && tsnep_tx_pending(queue->tx))
++ return true;
++
++ if (queue->rx && tsnep_rx_pending(queue->rx))
++ return true;
++
++ return false;
++}
++
+ static int tsnep_poll(struct napi_struct *napi, int budget)
+ {
+ struct tsnep_queue *queue = container_of(napi, struct tsnep_queue,
+@@ -815,9 +860,19 @@ static int tsnep_poll(struct napi_struct *napi, int budget)
+ if (!complete)
+ return budget;
+
+- if (likely(napi_complete_done(napi, done)))
++ if (likely(napi_complete_done(napi, done))) {
+ tsnep_enable_irq(queue->adapter, queue->irq_mask);
+
++ /* reschedule if work is already pending, prevent rotten packets
++ * which are transmitted or received after polling but before
++ * interrupt enable
++ */
++ if (tsnep_pending(queue)) {
++ tsnep_disable_irq(queue->adapter, queue->irq_mask);
++ napi_schedule(napi);
++ }
++ }
++
+ return min(done, budget - 1);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 3e369b6b4a4d52c75e81457fb2f1685c529ee137 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 23:00:46 +0800
+Subject: virtio_net: Fix probe failed when modprobe virtio_net
+
+From: Li Zetao <lizetao1@huawei.com>
+
+[ Upstream commit b0686565946368892c2cdf92f102392e24823588 ]
+
+When doing the following test steps, an error was found:
+ step 1: modprobe virtio_net succeeded
+ # modprobe virtio_net <-- OK
+
+ step 2: fault injection in register_netdevice()
+ # modprobe -r virtio_net <-- OK
+ # ...
+ FAULT_INJECTION: forcing a failure.
+ name failslab, interval 1, probability 0, space 0, times 0
+ CPU: 0 PID: 3521 Comm: modprobe
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+ Call Trace:
+ <TASK>
+ ...
+ should_failslab+0xa/0x20
+ ...
+ dev_set_name+0xc0/0x100
+ netdev_register_kobject+0xc2/0x340
+ register_netdevice+0xbb9/0x1320
+ virtnet_probe+0x1d72/0x2658 [virtio_net]
+ ...
+ </TASK>
+ virtio_net: probe of virtio0 failed with error -22
+
+ step 3: modprobe virtio_net failed
+ # modprobe virtio_net <-- failed
+ virtio_net: probe of virtio0 failed with error -2
+
+The root cause of the problem is that the queues are not
+disable on the error handling path when register_netdevice()
+fails in virtnet_probe(), resulting in an error "-ENOENT"
+returned in the next modprobe call in setup_vq().
+
+virtio_pci_modern_device uses virtqueues to send or
+receive message, and "queue_enable" records whether the
+queues are available. In vp_modern_find_vqs(), all queues
+will be selected and activated, but once queues are enabled
+there is no way to go back except reset.
+
+Fix it by reset virtio device on error handling path. This
+makes error handling follow the same order as normal device
+cleanup in virtnet_remove() which does: unregister, destroy
+failover, then reset. And that flow is better tested than
+error handling so we can be reasonably sure it works well.
+
+Fixes: 024655555021 ("virtio_net: fix use after free on allocation failure")
+Signed-off-by: Li Zetao <lizetao1@huawei.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Link: https://lore.kernel.org/r/20221122150046.3910638-1-lizetao1@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 9cce7dec7366..f5c88d232b11 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -3933,12 +3933,11 @@ static int virtnet_probe(struct virtio_device *vdev)
+ return 0;
+
+ free_unregister_netdev:
+- virtio_reset_device(vdev);
+-
+ unregister_netdev(dev);
+ free_failover:
+ net_failover_destroy(vi->failover);
+ free_vqs:
++ virtio_reset_device(vdev);
+ cancel_delayed_work_sync(&vi->refill);
+ free_receive_page_frags(vi);
+ virtnet_del_vqs(vi);
+--
+2.35.1
+
--- /dev/null
+From 9f472512579b132a4350e4692588f95c8d903d68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 20:06:01 +0100
+Subject: x86/hyperv: Restore VP assist page after cpu offlining/onlining
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+[ Upstream commit ee6815416380bc069b7dcbdff0682d4c53617527 ]
+
+Commit e5d9b714fe40 ("x86/hyperv: fix root partition faults when writing
+to VP assist page MSR") moved 'wrmsrl(HV_X64_MSR_VP_ASSIST_PAGE)' under
+'if (*hvp)' condition. This works for root partition as hv_cpu_die()
+does memunmap() and sets 'hv_vp_assist_page[cpu]' to NULL but breaks
+non-root partitions as hv_cpu_die() doesn't free 'hv_vp_assist_page[cpu]'
+for them. This causes VP assist page to remain unset after CPU
+offline/online cycle:
+
+$ rdmsr -p 24 0x40000073
+ 10212f001
+$ echo 0 > /sys/devices/system/cpu/cpu24/online
+$ echo 1 > /sys/devices/system/cpu/cpu24/online
+$ rdmsr -p 24 0x40000073
+ 0
+
+Fix the issue by always writing to HV_X64_MSR_VP_ASSIST_PAGE in
+hv_cpu_init(). Note, checking 'if (!*hvp)', for root partition is
+pointless as hv_cpu_die() always sets 'hv_vp_assist_page[cpu]' to
+NULL (and it's also NULL initially).
+
+Note: the fact that 'hv_vp_assist_page[cpu]' is reset to NULL may
+present a (potential) issue for KVM. While Hyper-V uses
+CPUHP_AP_ONLINE_DYN stage in CPU hotplug, KVM uses CPUHP_AP_KVM_STARTING
+which comes earlier in CPU teardown sequence. It is theoretically
+possible that Enlightened VMCS is still in use. It is unclear if the
+issue is real and if using KVM with Hyper-V root partition is even
+possible.
+
+While on it, drop the unneeded smp_processor_id() call from hv_cpu_init().
+
+Fixes: e5d9b714fe40 ("x86/hyperv: fix root partition faults when writing to VP assist page MSR")
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Link: https://lore.kernel.org/r/20221103190601.399343-1-vkuznets@redhat.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/hyperv/hv_init.c | 54 +++++++++++++++++++--------------------
+ 1 file changed, 26 insertions(+), 28 deletions(-)
+
+diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c
+index 3de6d8b53367..a0165df3c4d8 100644
+--- a/arch/x86/hyperv/hv_init.c
++++ b/arch/x86/hyperv/hv_init.c
+@@ -77,7 +77,7 @@ static int hyperv_init_ghcb(void)
+ static int hv_cpu_init(unsigned int cpu)
+ {
+ union hv_vp_assist_msr_contents msr = { 0 };
+- struct hv_vp_assist_page **hvp = &hv_vp_assist_page[smp_processor_id()];
++ struct hv_vp_assist_page **hvp = &hv_vp_assist_page[cpu];
+ int ret;
+
+ ret = hv_common_cpu_init(cpu);
+@@ -87,34 +87,32 @@ static int hv_cpu_init(unsigned int cpu)
+ if (!hv_vp_assist_page)
+ return 0;
+
+- if (!*hvp) {
+- if (hv_root_partition) {
+- /*
+- * For root partition we get the hypervisor provided VP assist
+- * page, instead of allocating a new page.
+- */
+- rdmsrl(HV_X64_MSR_VP_ASSIST_PAGE, msr.as_uint64);
+- *hvp = memremap(msr.pfn <<
+- HV_X64_MSR_VP_ASSIST_PAGE_ADDRESS_SHIFT,
+- PAGE_SIZE, MEMREMAP_WB);
+- } else {
+- /*
+- * The VP assist page is an "overlay" page (see Hyper-V TLFS's
+- * Section 5.2.1 "GPA Overlay Pages"). Here it must be zeroed
+- * out to make sure we always write the EOI MSR in
+- * hv_apic_eoi_write() *after* the EOI optimization is disabled
+- * in hv_cpu_die(), otherwise a CPU may not be stopped in the
+- * case of CPU offlining and the VM will hang.
+- */
++ if (hv_root_partition) {
++ /*
++ * For root partition we get the hypervisor provided VP assist
++ * page, instead of allocating a new page.
++ */
++ rdmsrl(HV_X64_MSR_VP_ASSIST_PAGE, msr.as_uint64);
++ *hvp = memremap(msr.pfn << HV_X64_MSR_VP_ASSIST_PAGE_ADDRESS_SHIFT,
++ PAGE_SIZE, MEMREMAP_WB);
++ } else {
++ /*
++ * The VP assist page is an "overlay" page (see Hyper-V TLFS's
++ * Section 5.2.1 "GPA Overlay Pages"). Here it must be zeroed
++ * out to make sure we always write the EOI MSR in
++ * hv_apic_eoi_write() *after* the EOI optimization is disabled
++ * in hv_cpu_die(), otherwise a CPU may not be stopped in the
++ * case of CPU offlining and the VM will hang.
++ */
++ if (!*hvp)
+ *hvp = __vmalloc(PAGE_SIZE, GFP_KERNEL | __GFP_ZERO);
+- if (*hvp)
+- msr.pfn = vmalloc_to_pfn(*hvp);
+- }
+- WARN_ON(!(*hvp));
+- if (*hvp) {
+- msr.enable = 1;
+- wrmsrl(HV_X64_MSR_VP_ASSIST_PAGE, msr.as_uint64);
+- }
++ if (*hvp)
++ msr.pfn = vmalloc_to_pfn(*hvp);
++
++ }
++ if (!WARN_ON(!(*hvp))) {
++ msr.enable = 1;
++ wrmsrl(HV_X64_MSR_VP_ASSIST_PAGE, msr.as_uint64);
+ }
+
+ return hyperv_init_ghcb();
+--
+2.35.1
+
--- /dev/null
+From f7895586258e5e2dfd2dc17693d6d2b0997fa426 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Oct 2022 22:16:43 +0300
+Subject: xfrm: fix "disable_policy" on ipv4 early demux
+
+From: Eyal Birger <eyal.birger@gmail.com>
+
+[ Upstream commit 3a5913183aa1b14148c723bda030e6102ad73008 ]
+
+The commit in the "Fixes" tag tried to avoid a case where policy check
+is ignored due to dst caching in next hops.
+
+However, when the traffic is locally consumed, the dst may be cached
+in a local TCP or UDP socket as part of early demux. In this case the
+"disable_policy" flag is not checked as ip_route_input_noref() was only
+called before caching, and thus, packets after the initial packet in a
+flow will be dropped if not matching policies.
+
+Fix by checking the "disable_policy" flag also when a valid dst is
+already available.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216557
+Reported-by: Monil Patel <monil191989@gmail.com>
+Fixes: e6175a2ed1f1 ("xfrm: fix "disable_policy" flag use when arriving from different devices")
+Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
+
+----
+
+v2: use dev instead of skb->dev
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_input.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
+index 1b512390b3cf..e880ce77322a 100644
+--- a/net/ipv4/ip_input.c
++++ b/net/ipv4/ip_input.c
+@@ -366,6 +366,11 @@ static int ip_rcv_finish_core(struct net *net, struct sock *sk,
+ iph->tos, dev);
+ if (unlikely(err))
+ goto drop_error;
++ } else {
++ struct in_device *in_dev = __in_dev_get_rcu(dev);
++
++ if (in_dev && IN_DEV_ORCONF(in_dev, NOPOLICY))
++ IPCB(skb)->flags |= IPSKB_NOPOLICY;
+ }
+
+ #ifdef CONFIG_IP_ROUTE_CLASSID
+--
+2.35.1
+
--- /dev/null
+From 4f1b3542a6934c578fb7e0e845f1a6111713d762 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 17:07:13 +0800
+Subject: xfrm: Fix ignored return value in xfrm6_init()
+
+From: Chen Zhongjin <chenzhongjin@huawei.com>
+
+[ Upstream commit 40781bfb836eda57d19c0baa37c7e72590e05fdc ]
+
+When IPv6 module initializing in xfrm6_init(), register_pernet_subsys()
+is possible to fail but its return value is ignored.
+
+If IPv6 initialization fails later and xfrm6_fini() is called,
+removing uninitialized list in xfrm6_net_ops will cause null-ptr-deref:
+
+KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+CPU: 1 PID: 330 Comm: insmod
+RIP: 0010:unregister_pernet_operations+0xc9/0x450
+Call Trace:
+ <TASK>
+ unregister_pernet_subsys+0x31/0x3e
+ xfrm6_fini+0x16/0x30 [ipv6]
+ ip6_route_init+0xcd/0x128 [ipv6]
+ inet6_init+0x29c/0x602 [ipv6]
+ ...
+
+Fix it by catching the error return value of register_pernet_subsys().
+
+Fixes: 8d068875caca ("xfrm: make gc_thresh configurable in all namespaces")
+Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/xfrm6_policy.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
+index 4a4b0e49ec92..ea435eba3053 100644
+--- a/net/ipv6/xfrm6_policy.c
++++ b/net/ipv6/xfrm6_policy.c
+@@ -287,9 +287,13 @@ int __init xfrm6_init(void)
+ if (ret)
+ goto out_state;
+
+- register_pernet_subsys(&xfrm6_net_ops);
++ ret = register_pernet_subsys(&xfrm6_net_ops);
++ if (ret)
++ goto out_protocol;
+ out:
+ return ret;
++out_protocol:
++ xfrm6_protocol_fini();
+ out_state:
+ xfrm6_state_fini();
+ out_policy:
+--
+2.35.1
+
--- /dev/null
+From 843ef277be0c7f40e3ac2f998851c10cacc50111 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Nov 2022 11:18:48 +0100
+Subject: xfrm: Fix oops in __xfrm_state_delete()
+
+From: Thomas Jarosch <thomas.jarosch@intra2net.com>
+
+[ Upstream commit b97df039a68b2f3e848e238df5d5d06343ea497b ]
+
+Kernel 5.14 added a new "byseq" index to speed
+up xfrm_state lookups by sequence number in commit
+fe9f1d8779cb ("xfrm: add state hashtable keyed by seq")
+
+While the patch was thorough, the function pfkey_send_new_mapping()
+in net/af_key.c also modifies x->km.seq and never added
+the current xfrm_state to the "byseq" index.
+
+This leads to the following kernel Ooops:
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ ..
+ RIP: 0010:__xfrm_state_delete+0xc9/0x1c0
+ ..
+ Call Trace:
+ <TASK>
+ xfrm_state_delete+0x1e/0x40
+ xfrm_del_sa+0xb0/0x110 [xfrm_user]
+ xfrm_user_rcv_msg+0x12d/0x270 [xfrm_user]
+ ? remove_entity_load_avg+0x8a/0xa0
+ ? copy_to_user_state_extra+0x580/0x580 [xfrm_user]
+ netlink_rcv_skb+0x51/0x100
+ xfrm_netlink_rcv+0x30/0x50 [xfrm_user]
+ netlink_unicast+0x1a6/0x270
+ netlink_sendmsg+0x22a/0x480
+ __sys_sendto+0x1a6/0x1c0
+ ? __audit_syscall_entry+0xd8/0x130
+ ? __audit_syscall_exit+0x249/0x2b0
+ __x64_sys_sendto+0x23/0x30
+ do_syscall_64+0x3a/0x90
+ entry_SYSCALL_64_after_hwframe+0x61/0xcb
+
+Exact location of the crash in __xfrm_state_delete():
+ if (x->km.seq)
+ hlist_del_rcu(&x->byseq);
+
+The hlist_node "byseq" was never populated.
+
+The bug only triggers if a new NAT traversal mapping (changed IP or port)
+is detected in esp_input_done2() / esp6_input_done2(), which in turn
+indirectly calls pfkey_send_new_mapping() *if* the kernel is compiled
+with CONFIG_NET_KEY and "af_key" is active.
+
+The PF_KEYv2 message SADB_X_NAT_T_NEW_MAPPING is not part of RFC 2367.
+Various implementations have been examined how they handle
+the "sadb_msg_seq" header field:
+
+- racoon (Android): does not process SADB_X_NAT_T_NEW_MAPPING
+- strongswan: does not care about sadb_msg_seq
+- openswan: does not care about sadb_msg_seq
+
+There is no standard how PF_KEYv2 sadb_msg_seq should be populated
+for SADB_X_NAT_T_NEW_MAPPING and it's not used in popular
+implementations either. Herbert Xu suggested we should just
+use the current km.seq value as is. This fixes the root cause
+of the oops since we no longer modify km.seq itself.
+
+The update of "km.seq" looks like a copy'n'paste error
+from pfkey_send_acquire(). SADB_ACQUIRE must indeed assign a unique km.seq
+number according to RFC 2367. It has been verified that code paths
+involving pfkey_send_acquire() don't cause the same Oops.
+
+PF_KEYv2 SADB_X_NAT_T_NEW_MAPPING support was originally added here:
+ https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
+
+ commit cbc3488685b20e7b2a98ad387a1a816aada569d8
+ Author: Derek Atkins <derek@ihtfp.com>
+ AuthorDate: Wed Apr 2 13:21:02 2003 -0800
+
+ [IPSEC]: Implement UDP Encapsulation framework.
+
+ In particular, implement ESPinUDP encapsulation for IPsec
+ Nat Traversal.
+
+A note on triggering the bug: I was not able to trigger it using VMs.
+There is one VPN using a high latency link on our production VPN server
+that triggered it like once a day though.
+
+Link: https://github.com/strongswan/strongswan/issues/992
+Link: https://lore.kernel.org/netdev/00959f33ee52c4b3b0084d42c430418e502db554.1652340703.git.antony.antony@secunet.com/T/
+Link: https://lore.kernel.org/netdev/20221027142455.3975224-1-chenzhihao@meizu.com/T/
+
+Fixes: fe9f1d8779cb ("xfrm: add state hashtable keyed by seq")
+Reported-by: Roth Mark <rothm@mail.com>
+Reported-by: Zhihao Chen <chenzhihao@meizu.com>
+Tested-by: Roth Mark <rothm@mail.com>
+Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
+Acked-by: Antony Antony <antony.antony@secunet.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/key/af_key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 213287814328..95edcbedf6ef 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -3394,7 +3394,7 @@ static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr,
+ hdr->sadb_msg_len = size / sizeof(uint64_t);
+ hdr->sadb_msg_errno = 0;
+ hdr->sadb_msg_reserved = 0;
+- hdr->sadb_msg_seq = x->km.seq = get_acqseq();
++ hdr->sadb_msg_seq = x->km.seq;
+ hdr->sadb_msg_pid = 0;
+
+ /* SA */
+--
+2.35.1
+
--- /dev/null
+From 077c9a443722578c9646cc69d8fcf22586195633 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Oct 2022 08:34:47 +0200
+Subject: xfrm: replay: Fix ESN wrap around for GSO
+
+From: Christian Langrock <christian.langrock@secunet.com>
+
+[ Upstream commit 4b549ccce941798703f159b227aa28c716aa78fa ]
+
+When using GSO it can happen that the wrong seq_hi is used for the last
+packets before the wrap around. This can lead to double usage of a
+sequence number. To avoid this, we should serialize this last GSO
+packet.
+
+Fixes: d7dbefc45cf5 ("xfrm: Add xfrm_replay_overflow functions for offloading")
+Co-developed-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Christian Langrock <christian.langrock@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/esp4_offload.c | 3 +++
+ net/ipv6/esp6_offload.c | 3 +++
+ net/xfrm/xfrm_device.c | 15 ++++++++++++++-
+ net/xfrm/xfrm_replay.c | 2 +-
+ 4 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
+index 170152772d33..3969fa805679 100644
+--- a/net/ipv4/esp4_offload.c
++++ b/net/ipv4/esp4_offload.c
+@@ -314,6 +314,9 @@ static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features_
+ xo->seq.low += skb_shinfo(skb)->gso_segs;
+ }
+
++ if (xo->seq.low < seq)
++ xo->seq.hi++;
++
+ esp.seqno = cpu_to_be64(seq + ((u64)xo->seq.hi << 32));
+
+ ip_hdr(skb)->tot_len = htons(skb->len);
+diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
+index 79d43548279c..242f4295940e 100644
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -346,6 +346,9 @@ static int esp6_xmit(struct xfrm_state *x, struct sk_buff *skb, netdev_features
+ xo->seq.low += skb_shinfo(skb)->gso_segs;
+ }
+
++ if (xo->seq.low < seq)
++ xo->seq.hi++;
++
+ esp.seqno = cpu_to_be64(xo->seq.low + ((u64)xo->seq.hi << 32));
+
+ len = skb->len - sizeof(struct ipv6hdr);
+diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
+index 637ca8838436..9af6bf1652e4 100644
+--- a/net/xfrm/xfrm_device.c
++++ b/net/xfrm/xfrm_device.c
+@@ -97,6 +97,18 @@ static void xfrm_outer_mode_prep(struct xfrm_state *x, struct sk_buff *skb)
+ }
+ }
+
++static inline bool xmit_xfrm_check_overflow(struct sk_buff *skb)
++{
++ struct xfrm_offload *xo = xfrm_offload(skb);
++ __u32 seq = xo->seq.low;
++
++ seq += skb_shinfo(skb)->gso_segs;
++ if (unlikely(seq < xo->seq.low))
++ return true;
++
++ return false;
++}
++
+ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t features, bool *again)
+ {
+ int err;
+@@ -134,7 +146,8 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
+ return skb;
+ }
+
+- if (skb_is_gso(skb) && unlikely(x->xso.dev != dev)) {
++ if (skb_is_gso(skb) && (unlikely(x->xso.dev != dev) ||
++ unlikely(xmit_xfrm_check_overflow(skb)))) {
+ struct sk_buff *segs;
+
+ /* Packet got rerouted, fixup features and segment it. */
+diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
+index 9277d81b344c..49dd788859d8 100644
+--- a/net/xfrm/xfrm_replay.c
++++ b/net/xfrm/xfrm_replay.c
+@@ -714,7 +714,7 @@ static int xfrm_replay_overflow_offload_esn(struct xfrm_state *x, struct sk_buff
+ oseq += skb_shinfo(skb)->gso_segs;
+ }
+
+- if (unlikely(oseq < replay_esn->oseq)) {
++ if (unlikely(xo->seq.low < replay_esn->oseq)) {
+ XFRM_SKB_CB(skb)->seq.output.hi = ++oseq_hi;
+ xo->seq.hi = oseq_hi;
+ replay_esn->oseq_hi = oseq_hi;
+--
+2.35.1
+
--- /dev/null
+From db3322723a7af513bbf8c73d9476e48dac0034fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Nov 2022 18:57:59 +0800
+Subject: zonefs: Fix race between modprobe and mount
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+[ Upstream commit 4e45886956a20942800259f326a04417292ae314 ]
+
+There is a race between modprobe and mount as below:
+
+ modprobe zonefs | mount -t zonefs
+--------------------------------|-------------------------
+ zonefs_init |
+ register_filesystem [1] |
+ | zonefs_fill_super [2]
+ zonefs_sysfs_init [3] |
+
+1. register zonefs suceess, then
+2. user can mount the zonefs
+3. if sysfs initialize failed, the module initialize failed.
+
+Then the mount process maybe some error happened since the module
+initialize failed.
+
+Let's register zonefs after all dependency resource ready. And
+reorder the dependency resource release in module exit.
+
+Fixes: 9277a6d4fbd4 ("zonefs: Export open zone resource information through sysfs")
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/zonefs/super.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/fs/zonefs/super.c b/fs/zonefs/super.c
+index 860f0b1032c6..625749fbedf4 100644
+--- a/fs/zonefs/super.c
++++ b/fs/zonefs/super.c
+@@ -1905,18 +1905,18 @@ static int __init zonefs_init(void)
+ if (ret)
+ return ret;
+
+- ret = register_filesystem(&zonefs_type);
++ ret = zonefs_sysfs_init();
+ if (ret)
+ goto destroy_inodecache;
+
+- ret = zonefs_sysfs_init();
++ ret = register_filesystem(&zonefs_type);
+ if (ret)
+- goto unregister_fs;
++ goto sysfs_exit;
+
+ return 0;
+
+-unregister_fs:
+- unregister_filesystem(&zonefs_type);
++sysfs_exit:
++ zonefs_sysfs_exit();
+ destroy_inodecache:
+ zonefs_destroy_inodecache();
+
+@@ -1925,9 +1925,9 @@ static int __init zonefs_init(void)
+
+ static void __exit zonefs_exit(void)
+ {
++ unregister_filesystem(&zonefs_type);
+ zonefs_sysfs_exit();
+ zonefs_destroy_inodecache();
+- unregister_filesystem(&zonefs_type);
+ }
+
+ MODULE_AUTHOR("Damien Le Moal");
+--
+2.35.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
