--- /dev/null
+From 304b50ff58f0cf7ad6056906af18db4688196022 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Sep 2023 14:11:33 +0200
+Subject: accel/ivpu: Don't flood dmesg with VPU ready message
+
+From: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+
+[ Upstream commit 002652555022728c42b5517c6c11265b8c3ab827 ]
+
+Use ivpu_dbg() to print the VPU ready message so it doesn't pollute
+the dmesg.
+
+Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Reviewed-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
+Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Signed-off-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230925121137.872158-3-stanislaw.gruszka@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/accel/ivpu/ivpu_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/accel/ivpu/ivpu_drv.c b/drivers/accel/ivpu/ivpu_drv.c
+index 8396db2b52030..09dee5be20700 100644
+--- a/drivers/accel/ivpu/ivpu_drv.c
++++ b/drivers/accel/ivpu/ivpu_drv.c
+@@ -303,7 +303,7 @@ static int ivpu_wait_for_ready(struct ivpu_device *vdev)
+ }
+
+ if (!ret)
+- ivpu_info(vdev, "VPU ready message received successfully\n");
++ ivpu_dbg(vdev, PM, "VPU ready message received successfully\n");
+ else
+ ivpu_hw_diagnose_failure(vdev);
+
+--
+2.40.1
+
--- /dev/null
+From 0be23f2de483d12d9121ca364ee85bd33ca380c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 07:07:38 +0300
+Subject: ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for
+ mapphone
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 5ad37b5e30433afa7a5513e3eb61f69fa0976785 ]
+
+On mapphone devices we may get lots of noise on the micro-USB port in debug
+uart mode until the phy-cpcap-usb driver probes. Let's limit the noise by
+using overrun-throttle-ms.
+
+Note that there is also a related separate issue where the charger cable
+connected may cause random sysrq requests until phy-cpcap-usb probes that
+still remains.
+
+Cc: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Cc: Carl Philipp Klemm <philipp@uvos.xyz>
+Cc: Merlijn Wajer <merlijn@wizzup.org>
+Cc: Pavel Machek <pavel@ucw.cz>
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/ti/omap/motorola-mapphone-common.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/ti/omap/motorola-mapphone-common.dtsi b/arch/arm/boot/dts/ti/omap/motorola-mapphone-common.dtsi
+index d69f0f4b4990d..d2d516d113baa 100644
+--- a/arch/arm/boot/dts/ti/omap/motorola-mapphone-common.dtsi
++++ b/arch/arm/boot/dts/ti/omap/motorola-mapphone-common.dtsi
+@@ -640,6 +640,7 @@ &uart1 {
+ &uart3 {
+ interrupts-extended = <&wakeupgen GIC_SPI 74 IRQ_TYPE_LEVEL_HIGH
+ &omap4_pmx_core 0x17c>;
++ overrun-throttle-ms = <500>;
+ };
+
+ &uart4 {
+--
+2.40.1
+
--- /dev/null
+From 3f1c288c0e2c6c8801aacdc16d4e109b11793b9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 14:56:34 -0500
+Subject: arm64: dts: mediatek: Fix "mediatek,merge-mute" and
+ "mediatek,merge-fifo-en" types
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit 5f8456b1faefb06fcf6028dced9f37aa880c779d ]
+
+"mediatek,merge-mute" and "mediatek,merge-fifo-en" properties are defined
+and used as boolean properties which in DT have no value.
+
+Signed-off-by: Rob Herring <robh@kernel.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20230830195650.704737-1-robh@kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8195.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8195.dtsi b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+index 43011bc41da77..54c674c45b49a 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8195.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+@@ -2958,7 +2958,7 @@ merge1: vpp-merge@1c10c000 {
+ clock-names = "merge","merge_async";
+ power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>;
+ mediatek,gce-client-reg = <&gce0 SUBSYS_1c10XXXX 0xc000 0x1000>;
+- mediatek,merge-mute = <1>;
++ mediatek,merge-mute;
+ resets = <&vdosys1 MT8195_VDOSYS1_SW0_RST_B_MERGE0_DL_ASYNC>;
+ };
+
+@@ -2971,7 +2971,7 @@ merge2: vpp-merge@1c10d000 {
+ clock-names = "merge","merge_async";
+ power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>;
+ mediatek,gce-client-reg = <&gce0 SUBSYS_1c10XXXX 0xd000 0x1000>;
+- mediatek,merge-mute = <1>;
++ mediatek,merge-mute;
+ resets = <&vdosys1 MT8195_VDOSYS1_SW0_RST_B_MERGE1_DL_ASYNC>;
+ };
+
+@@ -2984,7 +2984,7 @@ merge3: vpp-merge@1c10e000 {
+ clock-names = "merge","merge_async";
+ power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>;
+ mediatek,gce-client-reg = <&gce0 SUBSYS_1c10XXXX 0xe000 0x1000>;
+- mediatek,merge-mute = <1>;
++ mediatek,merge-mute;
+ resets = <&vdosys1 MT8195_VDOSYS1_SW0_RST_B_MERGE2_DL_ASYNC>;
+ };
+
+@@ -2997,7 +2997,7 @@ merge4: vpp-merge@1c10f000 {
+ clock-names = "merge","merge_async";
+ power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>;
+ mediatek,gce-client-reg = <&gce0 SUBSYS_1c10XXXX 0xf000 0x1000>;
+- mediatek,merge-mute = <1>;
++ mediatek,merge-mute;
+ resets = <&vdosys1 MT8195_VDOSYS1_SW0_RST_B_MERGE3_DL_ASYNC>;
+ };
+
+@@ -3010,7 +3010,7 @@ merge5: vpp-merge@1c110000 {
+ clock-names = "merge","merge_async";
+ power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>;
+ mediatek,gce-client-reg = <&gce0 SUBSYS_1c11XXXX 0x0000 0x1000>;
+- mediatek,merge-fifo-en = <1>;
++ mediatek,merge-fifo-en;
+ resets = <&vdosys1 MT8195_VDOSYS1_SW0_RST_B_MERGE4_DL_ASYNC>;
+ };
+
+--
+2.40.1
+
--- /dev/null
+From ce942b70117d945d169645c1b503f9921e48e8df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 08:46:22 +0900
+Subject: ata: libata-core: Fix compilation warning in ata_dev_config_ncq()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit ed518d9ba980dc0d27c7d1dea1e627ba001d1977 ]
+
+The 24 bytes length allocated to the ncq_desc string in
+ata_dev_config_lba() for ata_dev_config_ncq() to use is too short,
+causing the following gcc compilation warnings when compiling with W=1:
+
+drivers/ata/libata-core.c: In function ‘ata_dev_configure’:
+drivers/ata/libata-core.c:2378:56: warning: ‘%d’ directive output may be truncated writing between 1 and 2 bytes into a region of size between 1 and 11 [-Wformat-truncation=]
+ 2378 | snprintf(desc, desc_sz, "NCQ (depth %d/%d)%s", hdepth,
+ | ^~
+In function ‘ata_dev_config_ncq’,
+ inlined from ‘ata_dev_config_lba’ at drivers/ata/libata-core.c:2649:8,
+ inlined from ‘ata_dev_configure’ at drivers/ata/libata-core.c:2952:9:
+drivers/ata/libata-core.c:2378:41: note: directive argument in the range [1, 32]
+ 2378 | snprintf(desc, desc_sz, "NCQ (depth %d/%d)%s", hdepth,
+ | ^~~~~~~~~~~~~~~~~~~~~
+drivers/ata/libata-core.c:2378:17: note: ‘snprintf’ output between 16 and 31 bytes into a destination of size 24
+ 2378 | snprintf(desc, desc_sz, "NCQ (depth %d/%d)%s", hdepth,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 2379 | ddepth, aa_desc);
+ | ~~~~~~~~~~~~~~~~
+
+Avoid these warnings and the potential truncation by changing the size
+of the ncq_desc string to 32 characters.
+
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index 2a21f4d9500db..97a842b57a751 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -2624,7 +2624,7 @@ static int ata_dev_config_lba(struct ata_device *dev)
+ {
+ const u16 *id = dev->id;
+ const char *lba_desc;
+- char ncq_desc[24];
++ char ncq_desc[32];
+ int ret;
+
+ dev->flags |= ATA_DFLAG_LBA;
+--
+2.40.1
+
--- /dev/null
+From 93df695d95e4b84e91fcd9c2a27a794c77e33304 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 09:08:40 +0900
+Subject: ata: libata-eh: Fix compilation warning in ata_eh_link_report()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit 49728bdc702391902a473b9393f1620eea32acb0 ]
+
+The 6 bytes length of the tries_buf string in ata_eh_link_report() is
+too short and results in a gcc compilation warning with W-!:
+
+drivers/ata/libata-eh.c: In function ‘ata_eh_link_report’:
+drivers/ata/libata-eh.c:2371:59: warning: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size 4 [-Wformat-truncation=]
+ 2371 | snprintf(tries_buf, sizeof(tries_buf), " t%d",
+ | ^~
+drivers/ata/libata-eh.c:2371:56: note: directive argument in the range [-2147483648, 4]
+ 2371 | snprintf(tries_buf, sizeof(tries_buf), " t%d",
+ | ^~~~~~
+drivers/ata/libata-eh.c:2371:17: note: ‘snprintf’ output between 4 and 14 bytes into a destination of size 6
+ 2371 | snprintf(tries_buf, sizeof(tries_buf), " t%d",
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 2372 | ap->eh_tries);
+ | ~~~~~~~~~~~~~
+
+Avoid this warning by increasing the string size to 16B.
+
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-eh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
+index 150e7ab62d1ae..e7c4edb04f8ed 100644
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -2366,7 +2366,7 @@ static void ata_eh_link_report(struct ata_link *link)
+ struct ata_eh_context *ehc = &link->eh_context;
+ struct ata_queued_cmd *qc;
+ const char *frozen, *desc;
+- char tries_buf[6] = "";
++ char tries_buf[16] = "";
+ int tag, nr_failed = 0;
+
+ if (ehc->i.flags & ATA_EHI_QUIET)
+--
+2.40.1
+
--- /dev/null
+From 6cf292f54db42da2d6ef594886f64e5410c57074 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Sep 2023 04:39:34 +0000
+Subject: Bluetooth: Avoid redundant authentication
+
+From: Ying Hsu <yinghsu@chromium.org>
+
+[ Upstream commit 1d8e801422d66e4b8c7b187c52196bef94eed887 ]
+
+While executing the Android 13 CTS Verifier Secure Server test on a
+ChromeOS device, it was observed that the Bluetooth host initiates
+authentication for an RFCOMM connection after SSP completes.
+When this happens, some Intel Bluetooth controllers, like AC9560, would
+disconnect with "Connection Rejected due to Security Reasons (0x0e)".
+
+Historically, BlueZ did not mandate this authentication while an
+authenticated combination key was already in use for the connection.
+This behavior was changed since commit 7b5a9241b780
+("Bluetooth: Introduce requirements for security level 4").
+So, this patch addresses the aforementioned disconnection issue by
+restoring the previous behavior.
+
+Signed-off-by: Ying Hsu <yinghsu@chromium.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_conn.c | 63 ++++++++++++++++++++++------------------
+ 1 file changed, 35 insertions(+), 28 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index d75bb9a1d4acf..41250e4b94dff 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -2400,34 +2400,41 @@ int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
+ if (!test_bit(HCI_CONN_AUTH, &conn->flags))
+ goto auth;
+
+- /* An authenticated FIPS approved combination key has sufficient
+- * security for security level 4. */
+- if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
+- sec_level == BT_SECURITY_FIPS)
+- goto encrypt;
+-
+- /* An authenticated combination key has sufficient security for
+- security level 3. */
+- if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
+- conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
+- sec_level == BT_SECURITY_HIGH)
+- goto encrypt;
+-
+- /* An unauthenticated combination key has sufficient security for
+- security level 1 and 2. */
+- if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
+- conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
+- (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
+- goto encrypt;
+-
+- /* A combination key has always sufficient security for the security
+- levels 1 or 2. High security level requires the combination key
+- is generated using maximum PIN code length (16).
+- For pre 2.1 units. */
+- if (conn->key_type == HCI_LK_COMBINATION &&
+- (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
+- conn->pin_length == 16))
+- goto encrypt;
++ switch (conn->key_type) {
++ case HCI_LK_AUTH_COMBINATION_P256:
++ /* An authenticated FIPS approved combination key has
++ * sufficient security for security level 4 or lower.
++ */
++ if (sec_level <= BT_SECURITY_FIPS)
++ goto encrypt;
++ break;
++ case HCI_LK_AUTH_COMBINATION_P192:
++ /* An authenticated combination key has sufficient security for
++ * security level 3 or lower.
++ */
++ if (sec_level <= BT_SECURITY_HIGH)
++ goto encrypt;
++ break;
++ case HCI_LK_UNAUTH_COMBINATION_P192:
++ case HCI_LK_UNAUTH_COMBINATION_P256:
++ /* An unauthenticated combination key has sufficient security
++ * for security level 2 or lower.
++ */
++ if (sec_level <= BT_SECURITY_MEDIUM)
++ goto encrypt;
++ break;
++ case HCI_LK_COMBINATION:
++ /* A combination key has always sufficient security for the
++ * security levels 2 or lower. High security level requires the
++ * combination key is generated using maximum PIN code length
++ * (16). For pre 2.1 units.
++ */
++ if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16)
++ goto encrypt;
++ break;
++ default:
++ break;
++ }
+
+ auth:
+ if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
+--
+2.40.1
+
--- /dev/null
+From 829056195e3e6e684ca8d81f1758f56c9af2adf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Aug 2023 14:46:26 +0800
+Subject: Bluetooth: btusb: add shutdown function for QCA6174
+
+From: Rocky Liao <quic_rjliao@quicinc.com>
+
+[ Upstream commit 187f8b648cc16f07c66ab1d89d961bdcff779bf7 ]
+
+We should send hci reset command before bt turn off, which can reset bt
+firmware status.
+
+Signed-off-by: Rocky Liao <quic_rjliao@quicinc.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index dfdfb72d350fe..ca9e2a210fff2 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -4348,6 +4348,7 @@ static int btusb_probe(struct usb_interface *intf,
+
+ if (id->driver_info & BTUSB_QCA_ROME) {
+ data->setup_on_usb = btusb_setup_qca;
++ hdev->shutdown = btusb_shutdown_qca;
+ hdev->set_bdaddr = btusb_set_bdaddr_ath3012;
+ hdev->cmd_timeout = btusb_qca_cmd_timeout;
+ set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
+--
+2.40.1
+
--- /dev/null
+From f31692ed5e91accd9c8de539c5b57c60d7242344 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 14:42:27 -0700
+Subject: Bluetooth: hci_core: Fix build warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit dcda165706b9fbfd685898d46a6749d7d397e0c0 ]
+
+This fixes the following warnings:
+
+net/bluetooth/hci_core.c: In function ‘hci_register_dev’:
+net/bluetooth/hci_core.c:2620:54: warning: ‘%d’ directive output may
+be truncated writing between 1 and 10 bytes into a region of size 5
+[-Wformat-truncation=]
+ 2620 | snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
+ | ^~
+net/bluetooth/hci_core.c:2620:50: note: directive argument in the range
+[0, 2147483647]
+ 2620 | snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
+ | ^~~~~~~
+net/bluetooth/hci_core.c:2620:9: note: ‘snprintf’ output between 5 and
+14 bytes into a destination of size 8
+ 2620 | snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 2 +-
+ net/bluetooth/hci_core.c | 8 +++++---
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 87e063250d142..abb7cb5db9457 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -350,7 +350,7 @@ struct hci_dev {
+ struct list_head list;
+ struct mutex lock;
+
+- char name[8];
++ const char *name;
+ unsigned long flags;
+ __u16 id;
+ __u8 bus;
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 26a265d9c59cd..63d4d38863acb 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -2617,7 +2617,11 @@ int hci_register_dev(struct hci_dev *hdev)
+ if (id < 0)
+ return id;
+
+- snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
++ error = dev_set_name(&hdev->dev, "hci%u", id);
++ if (error)
++ return error;
++
++ hdev->name = dev_name(&hdev->dev);
+ hdev->id = id;
+
+ BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
+@@ -2639,8 +2643,6 @@ int hci_register_dev(struct hci_dev *hdev)
+ if (!IS_ERR_OR_NULL(bt_debugfs))
+ hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);
+
+- dev_set_name(&hdev->dev, "%s", hdev->name);
+-
+ error = device_add(&hdev->dev);
+ if (error < 0)
+ goto err_wqueue;
+--
+2.40.1
+
--- /dev/null
+From 6d2f426f4a9436ed3164ec7d2936857b912a39f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Oct 2023 13:59:59 -0700
+Subject: Bluetooth: hci_event: Fix using memcmp when comparing keys
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit b541260615f601ae1b5d6d0cc54e790de706303b ]
+
+memcmp is not consider safe to use with cryptographic secrets:
+
+ 'Do not use memcmp() to compare security critical data, such as
+ cryptographic secrets, because the required CPU time depends on the
+ number of equal bytes.'
+
+While usage of memcmp for ZERO_KEY may not be considered a security
+critical data, it can lead to more usage of memcmp with pairing keys
+which could introduce more security problems.
+
+Fixes: 455c2ff0a558 ("Bluetooth: Fix BR/EDR out-of-band pairing with only initiator data")
+Fixes: 33155c4aae52 ("Bluetooth: hci_event: Ignore NULL link key")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 9d8aa6ad23dc2..dd70fd5313840 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -26,6 +26,8 @@
+ /* Bluetooth HCI event handling. */
+
+ #include <asm/unaligned.h>
++#include <linux/crypto.h>
++#include <crypto/algapi.h>
+
+ #include <net/bluetooth/bluetooth.h>
+ #include <net/bluetooth/hci_core.h>
+@@ -4730,7 +4732,7 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
+ goto unlock;
+
+ /* Ignore NULL link key against CVE-2020-26555 */
+- if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
++ if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
+ bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
+ &ev->bdaddr);
+ hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
+@@ -5270,8 +5272,8 @@ static u8 bredr_oob_data_present(struct hci_conn *conn)
+ * available, then do not declare that OOB data is
+ * present.
+ */
+- if (!memcmp(data->rand256, ZERO_KEY, 16) ||
+- !memcmp(data->hash256, ZERO_KEY, 16))
++ if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
++ !crypto_memneq(data->hash256, ZERO_KEY, 16))
+ return 0x00;
+
+ return 0x02;
+@@ -5281,8 +5283,8 @@ static u8 bredr_oob_data_present(struct hci_conn *conn)
+ * not supported by the hardware, then check that if
+ * P-192 data values are present.
+ */
+- if (!memcmp(data->rand192, ZERO_KEY, 16) ||
+- !memcmp(data->hash192, ZERO_KEY, 16))
++ if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
++ !crypto_memneq(data->hash192, ZERO_KEY, 16))
+ return 0x00;
+
+ return 0x01;
+--
+2.40.1
+
--- /dev/null
+From b7bbe510c0454e4829cb714de5dd786eae4e42f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Sep 2023 15:53:32 +0300
+Subject: Bluetooth: hci_sync: always check if connection is alive before
+ deleting
+
+From: Pauli Virtanen <pav@iki.fi>
+
+[ Upstream commit a239110ee8e0b0aafa265f0d54f7a16744855e70 ]
+
+In hci_abort_conn_sync it is possible that conn is deleted concurrently
+by something else, also e.g. when waiting for hdev->lock. This causes
+double deletion of the conn, so UAF or conn_hash.list corruption.
+
+Fix by having all code paths check that the connection is still in
+conn_hash before deleting it, while holding hdev->lock which prevents
+any races.
+
+Log (when powering off while BAP streaming, occurs rarely):
+=======================================================================
+kernel BUG at lib/list_debug.c:56!
+...
+ ? __list_del_entry_valid (lib/list_debug.c:56)
+ hci_conn_del (net/bluetooth/hci_conn.c:154) bluetooth
+ hci_abort_conn_sync (net/bluetooth/hci_sync.c:5415) bluetooth
+ ? __pfx_hci_abort_conn_sync+0x10/0x10 [bluetooth]
+ ? lock_release+0x1d5/0x3c0
+ ? hci_disconnect_all_sync.constprop.0+0xb2/0x230 [bluetooth]
+ ? __pfx_lock_release+0x10/0x10
+ ? __kmem_cache_free+0x14d/0x2e0
+ hci_disconnect_all_sync.constprop.0+0xda/0x230 [bluetooth]
+ ? __pfx_hci_disconnect_all_sync.constprop.0+0x10/0x10 [bluetooth]
+ ? hci_clear_adv_sync+0x14f/0x170 [bluetooth]
+ ? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
+ hci_set_powered_sync+0x293/0x450 [bluetooth]
+=======================================================================
+
+Fixes: 94d9ba9f9888 ("Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync")
+Signed-off-by: Pauli Virtanen <pav@iki.fi>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index d21127e992c0f..360813ab0c4db 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -5374,6 +5374,7 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
+ {
+ int err = 0;
+ u16 handle = conn->handle;
++ bool disconnect = false;
+ struct hci_conn *c;
+
+ switch (conn->state) {
+@@ -5389,24 +5390,15 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
+ break;
+ case BT_OPEN:
+ case BT_BOUND:
+- hci_dev_lock(hdev);
+- hci_conn_failed(conn, reason);
+- hci_dev_unlock(hdev);
+- return 0;
++ break;
+ default:
+- hci_dev_lock(hdev);
+- conn->state = BT_CLOSED;
+- hci_disconn_cfm(conn, reason);
+- hci_conn_del(conn);
+- hci_dev_unlock(hdev);
+- return 0;
++ disconnect = true;
++ break;
+ }
+
+ hci_dev_lock(hdev);
+
+- /* Check if the connection hasn't been cleanup while waiting
+- * commands to complete.
+- */
++ /* Check if the connection has been cleaned up concurrently */
+ c = hci_conn_hash_lookup_handle(hdev, handle);
+ if (!c || c != conn) {
+ err = 0;
+@@ -5418,7 +5410,13 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
+ * or in case of LE it was still scanning so it can be cleanup
+ * safely.
+ */
+- hci_conn_failed(conn, reason);
++ if (disconnect) {
++ conn->state = BT_CLOSED;
++ hci_disconn_cfm(conn, reason);
++ hci_conn_del(conn);
++ } else {
++ hci_conn_failed(conn, reason);
++ }
+
+ unlock:
+ hci_dev_unlock(hdev);
+--
+2.40.1
+
--- /dev/null
+From 6182f8d0628c5259552c58e96a4f2842bde2e0da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jul 2023 00:25:25 +0300
+Subject: Bluetooth: hci_sync: delete CIS in BT_OPEN/CONNECT/BOUND when
+ aborting
+
+From: Pauli Virtanen <pav@iki.fi>
+
+[ Upstream commit 2889bdd0a9a195533c2103e7b39ab0de844d72f6 ]
+
+Dropped CIS that are in state BT_OPEN/BT_BOUND, and in state BT_CONNECT
+with HCI_CONN_CREATE_CIS unset, should be cleaned up immediately.
+Closing CIS ISO sockets should result to the hci_conn be deleted, so
+that potentially pending CIG removal can run.
+
+hci_abort_conn cannot refer to them by handle, since their handle is
+still unset if Set CIG Parameters has not yet completed.
+
+This fixes CIS not being terminated if the socket is shut down
+immediately after connection, so that the hci_abort_conn runs before Set
+CIG Parameters completes. See new BlueZ test "ISO Connect Close - Success"
+
+Signed-off-by: Pauli Virtanen <pav@iki.fi>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Stable-dep-of: a239110ee8e0 ("Bluetooth: hci_sync: always check if connection is alive before deleting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 73cdd051dd464..d21127e992c0f 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -5302,6 +5302,10 @@ static int hci_connect_cancel_sync(struct hci_dev *hdev, struct hci_conn *conn,
+ if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags))
+ return hci_disconnect_sync(hdev, conn, reason);
+
++ /* CIS with no Create CIS sent have nothing to cancel */
++ if (bacmp(&conn->dst, BDADDR_ANY))
++ return HCI_ERROR_LOCAL_HOST_TERM;
++
+ /* There is no way to cancel a BIS without terminating the BIG
+ * which is done later on connection cleanup.
+ */
+@@ -5384,13 +5388,11 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
+ err = hci_reject_conn_sync(hdev, conn, reason);
+ break;
+ case BT_OPEN:
+- /* Cleanup bises that failed to be established */
+- if (test_and_clear_bit(HCI_CONN_BIG_SYNC_FAILED, &conn->flags)) {
+- hci_dev_lock(hdev);
+- hci_conn_failed(conn, reason);
+- hci_dev_unlock(hdev);
+- }
+- break;
++ case BT_BOUND:
++ hci_dev_lock(hdev);
++ hci_conn_failed(conn, reason);
++ hci_dev_unlock(hdev);
++ return 0;
+ default:
+ hci_dev_lock(hdev);
+ conn->state = BT_CLOSED;
+--
+2.40.1
+
--- /dev/null
+From 865d000cbbe5f7e7ed259eb5562ca0e535a3760d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jun 2023 15:55:47 -0700
+Subject: Bluetooth: hci_sync: Fix not handling ISO_LINK in hci_abort_conn_sync
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 04a51d616929eb96b7a3e547bc11d3bb46af2c9f ]
+
+ISO_LINK connections where not being handled properly on
+hci_abort_conn_sync which sometimes resulted in sending the wrong
+commands, or in case of having the reject command being sent by the
+socket code (iso.c) which is sort of a layer violation.
+
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Stable-dep-of: acab8ff29a2a ("Bluetooth: ISO: Fix invalid context error")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_conn.c | 23 +++++++++++++++++++----
+ net/bluetooth/hci_sync.c | 34 ++++++++++++++++++++++++++++++++++
+ net/bluetooth/iso.c | 14 --------------
+ 3 files changed, 53 insertions(+), 18 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 41250e4b94dff..4e9654fe89c9e 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1277,7 +1277,12 @@ u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
+
+ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
+ {
+- struct hci_conn *conn = data;
++ struct hci_conn *conn;
++ u16 handle = PTR_ERR(data);
++
++ conn = hci_conn_hash_lookup_handle(hdev, handle);
++ if (!conn)
++ return;
+
+ bt_dev_dbg(hdev, "err %d", err);
+
+@@ -1302,10 +1307,17 @@ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
+
+ static int hci_connect_le_sync(struct hci_dev *hdev, void *data)
+ {
+- struct hci_conn *conn = data;
++ struct hci_conn *conn;
++ u16 handle = PTR_ERR(data);
++
++ conn = hci_conn_hash_lookup_handle(hdev, handle);
++ if (!conn)
++ return 0;
+
+ bt_dev_dbg(hdev, "conn %p", conn);
+
++ conn->state = BT_CONNECT;
++
+ return hci_le_create_conn_sync(hdev, conn);
+ }
+
+@@ -1375,10 +1387,10 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
+ conn->sec_level = BT_SECURITY_LOW;
+ conn->conn_timeout = conn_timeout;
+
+- conn->state = BT_CONNECT;
+ clear_bit(HCI_CONN_SCANNING, &conn->flags);
+
+- err = hci_cmd_sync_queue(hdev, hci_connect_le_sync, conn,
++ err = hci_cmd_sync_queue(hdev, hci_connect_le_sync,
++ ERR_PTR(conn->handle),
+ create_le_conn_complete);
+ if (err) {
+ hci_conn_del(conn);
+@@ -2905,6 +2917,9 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason)
+ /* If the connection is pending check the command opcode since that
+ * might be blocking on hci_cmd_sync_work while waiting its respective
+ * event so we need to hci_cmd_sync_cancel to cancel it.
++ *
++ * hci_connect_le serializes the connection attempts so only one
++ * connection can be in BT_CONNECT at time.
+ */
+ if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
+ switch (hci_skb_event(hdev->sent_cmd)) {
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 6aaecd6e656bc..caf4263ef9b77 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -5290,6 +5290,24 @@ static int hci_connect_cancel_sync(struct hci_dev *hdev, struct hci_conn *conn,
+ if (conn->type == LE_LINK)
+ return hci_le_connect_cancel_sync(hdev, conn, reason);
+
++ if (conn->type == ISO_LINK) {
++ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E
++ * page 1857:
++ *
++ * If this command is issued for a CIS on the Central and the
++ * CIS is successfully terminated before being established,
++ * then an HCI_LE_CIS_Established event shall also be sent for
++ * this CIS with the Status Operation Cancelled by Host (0x44).
++ */
++ if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags))
++ return hci_disconnect_sync(hdev, conn, reason);
++
++ /* There is no way to cancel a BIS without terminating the BIG
++ * which is done later on connection cleanup.
++ */
++ return 0;
++ }
++
+ if (hdev->hci_ver < BLUETOOTH_VER_1_2)
+ return 0;
+
+@@ -5316,11 +5334,27 @@ static int hci_reject_sco_sync(struct hci_dev *hdev, struct hci_conn *conn,
+ sizeof(cp), &cp, HCI_CMD_TIMEOUT);
+ }
+
++static int hci_le_reject_cis_sync(struct hci_dev *hdev, struct hci_conn *conn,
++ u8 reason)
++{
++ struct hci_cp_le_reject_cis cp;
++
++ memset(&cp, 0, sizeof(cp));
++ cp.handle = cpu_to_le16(conn->handle);
++ cp.reason = reason;
++
++ return __hci_cmd_sync_status(hdev, HCI_OP_LE_REJECT_CIS,
++ sizeof(cp), &cp, HCI_CMD_TIMEOUT);
++}
++
+ static int hci_reject_conn_sync(struct hci_dev *hdev, struct hci_conn *conn,
+ u8 reason)
+ {
+ struct hci_cp_reject_conn_req cp;
+
++ if (conn->type == ISO_LINK)
++ return hci_le_reject_cis_sync(hdev, conn, reason);
++
+ if (conn->type == SCO_LINK || conn->type == ESCO_LINK)
+ return hci_reject_sco_sync(hdev, conn, reason);
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index 42f7b257bdfbc..c8460eb7f5c0b 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -622,18 +622,6 @@ static void iso_sock_kill(struct sock *sk)
+ sock_put(sk);
+ }
+
+-static void iso_conn_defer_reject(struct hci_conn *conn)
+-{
+- struct hci_cp_le_reject_cis cp;
+-
+- BT_DBG("conn %p", conn);
+-
+- memset(&cp, 0, sizeof(cp));
+- cp.handle = cpu_to_le16(conn->handle);
+- cp.reason = HCI_ERROR_REJ_BAD_ADDR;
+- hci_send_cmd(conn->hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
+-}
+-
+ static void __iso_sock_close(struct sock *sk)
+ {
+ BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
+@@ -658,8 +646,6 @@ static void __iso_sock_close(struct sock *sk)
+ break;
+
+ case BT_CONNECT2:
+- if (iso_pi(sk)->conn->hcon)
+- iso_conn_defer_reject(iso_pi(sk)->conn->hcon);
+ iso_chan_del(sk, ECONNRESET);
+ break;
+ case BT_CONNECT:
+--
+2.40.1
+
--- /dev/null
+From ddb95109cc3114a580eb4c6380911262b7226375 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Aug 2023 16:23:41 -0700
+Subject: Bluetooth: hci_sync: Introduce PTR_UINT/UINT_PTR macros
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit a1f6c3aef13c9e7f8d459bd464e9e34da1342c0c ]
+
+This introduces PTR_UINT/UINT_PTR macros and replace the use of
+PTR_ERR/ERR_PTR.
+
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Stable-dep-of: acab8ff29a2a ("Bluetooth: ISO: Fix invalid context error")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_sync.h | 3 +++
+ net/bluetooth/hci_conn.c | 19 ++++++++++---------
+ net/bluetooth/hci_sync.c | 4 ++--
+ 3 files changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_sync.h b/include/net/bluetooth/hci_sync.h
+index b516a0f4a55b8..57eeb07aeb251 100644
+--- a/include/net/bluetooth/hci_sync.h
++++ b/include/net/bluetooth/hci_sync.h
+@@ -5,6 +5,9 @@
+ * Copyright (C) 2021 Intel Corporation
+ */
+
++#define UINT_PTR(_handle) ((void *)((uintptr_t)_handle))
++#define PTR_UINT(_ptr) ((uintptr_t)((void *)_ptr))
++
+ typedef int (*hci_cmd_sync_work_func_t)(struct hci_dev *hdev, void *data);
+ typedef void (*hci_cmd_sync_work_destroy_t)(struct hci_dev *hdev, void *data,
+ int err);
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 4e9654fe89c9e..6d6192f514d0f 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -874,7 +874,7 @@ static void bis_cleanup(struct hci_conn *conn)
+
+ static int remove_cig_sync(struct hci_dev *hdev, void *data)
+ {
+- u8 handle = PTR_ERR(data);
++ u8 handle = PTR_UINT(data);
+
+ return hci_le_remove_cig_sync(hdev, handle);
+ }
+@@ -883,7 +883,8 @@ static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle)
+ {
+ bt_dev_dbg(hdev, "handle 0x%2.2x", handle);
+
+- return hci_cmd_sync_queue(hdev, remove_cig_sync, ERR_PTR(handle), NULL);
++ return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle),
++ NULL);
+ }
+
+ static void find_cis(struct hci_conn *conn, void *data)
+@@ -1278,7 +1279,7 @@ u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
+ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
+ {
+ struct hci_conn *conn;
+- u16 handle = PTR_ERR(data);
++ u16 handle = PTR_UINT(data);
+
+ conn = hci_conn_hash_lookup_handle(hdev, handle);
+ if (!conn)
+@@ -1308,7 +1309,7 @@ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
+ static int hci_connect_le_sync(struct hci_dev *hdev, void *data)
+ {
+ struct hci_conn *conn;
+- u16 handle = PTR_ERR(data);
++ u16 handle = PTR_UINT(data);
+
+ conn = hci_conn_hash_lookup_handle(hdev, handle);
+ if (!conn)
+@@ -1390,7 +1391,7 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
+ clear_bit(HCI_CONN_SCANNING, &conn->flags);
+
+ err = hci_cmd_sync_queue(hdev, hci_connect_le_sync,
+- ERR_PTR(conn->handle),
++ UINT_PTR(conn->handle),
+ create_le_conn_complete);
+ if (err) {
+ hci_conn_del(conn);
+@@ -1767,7 +1768,7 @@ static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos)
+
+ static int set_cig_params_sync(struct hci_dev *hdev, void *data)
+ {
+- u8 cig_id = PTR_ERR(data);
++ u8 cig_id = PTR_UINT(data);
+ struct hci_conn *conn;
+ struct bt_iso_qos *qos;
+ struct iso_cig_params pdu;
+@@ -1877,7 +1878,7 @@ static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
+
+ done:
+ if (hci_cmd_sync_queue(hdev, set_cig_params_sync,
+- ERR_PTR(qos->ucast.cig), NULL) < 0)
++ UINT_PTR(qos->ucast.cig), NULL) < 0)
+ return false;
+
+ return true;
+@@ -2891,7 +2892,7 @@ u32 hci_conn_get_phy(struct hci_conn *conn)
+ static int abort_conn_sync(struct hci_dev *hdev, void *data)
+ {
+ struct hci_conn *conn;
+- u16 handle = PTR_ERR(data);
++ u16 handle = PTR_UINT(data);
+
+ conn = hci_conn_hash_lookup_handle(hdev, handle);
+ if (!conn)
+@@ -2931,6 +2932,6 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason)
+ }
+ }
+
+- return hci_cmd_sync_queue(hdev, abort_conn_sync, ERR_PTR(conn->handle),
++ return hci_cmd_sync_queue(hdev, abort_conn_sync, UINT_PTR(conn->handle),
+ NULL);
+ }
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index caf4263ef9b77..73cdd051dd464 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -6545,7 +6545,7 @@ int hci_get_random_address(struct hci_dev *hdev, bool require_privacy,
+
+ static int _update_adv_data_sync(struct hci_dev *hdev, void *data)
+ {
+- u8 instance = PTR_ERR(data);
++ u8 instance = PTR_UINT(data);
+
+ return hci_update_adv_data_sync(hdev, instance);
+ }
+@@ -6553,5 +6553,5 @@ static int _update_adv_data_sync(struct hci_dev *hdev, void *data)
+ int hci_update_adv_data(struct hci_dev *hdev, u8 instance)
+ {
+ return hci_cmd_sync_queue(hdev, _update_adv_data_sync,
+- ERR_PTR(instance), NULL);
++ UINT_PTR(instance), NULL);
+ }
+--
+2.40.1
+
--- /dev/null
+From 65ecc0e066f4e0d2dc0d4c22f6bb07ba3b47f9d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Sep 2023 10:52:57 +0300
+Subject: Bluetooth: ISO: Fix invalid context error
+
+From: Iulia Tanasescu <iulia.tanasescu@nxp.com>
+
+[ Upstream commit acab8ff29a2a226409cfe04e6d2e0896928c1b3a ]
+
+This moves the hci_le_terminate_big_sync call from rx_work
+to cmd_sync_work, to avoid calling sleeping function from
+an invalid context.
+
+Reported-by: syzbot+c715e1bd8dfbcb1ab176@syzkaller.appspotmail.com
+Fixes: a0bfde167b50 ("Bluetooth: ISO: Add support for connecting multiple BISes")
+Signed-off-by: Iulia Tanasescu <iulia.tanasescu@nxp.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index d331027363313..9d8aa6ad23dc2 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -6978,6 +6978,14 @@ static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
+ hci_dev_unlock(hdev);
+ }
+
++static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data)
++{
++ u8 handle = PTR_UINT(data);
++
++ return hci_le_terminate_big_sync(hdev, handle,
++ HCI_ERROR_LOCAL_HOST_TERM);
++}
++
+ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
+ struct sk_buff *skb)
+ {
+@@ -7022,16 +7030,17 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
+ rcu_read_lock();
+ }
+
++ rcu_read_unlock();
++
+ if (!ev->status && !i)
+ /* If no BISes have been connected for the BIG,
+ * terminate. This is in case all bound connections
+ * have been closed before the BIG creation
+ * has completed.
+ */
+- hci_le_terminate_big_sync(hdev, ev->handle,
+- HCI_ERROR_LOCAL_HOST_TERM);
++ hci_cmd_sync_queue(hdev, hci_iso_term_big_sync,
++ UINT_PTR(ev->handle), NULL);
+
+- rcu_read_unlock();
+ hci_dev_unlock(hdev);
+ }
+
+--
+2.40.1
+
--- /dev/null
+From 56ca3238a6c6f1e8c8c98f67fe375b2e1437a521 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Sep 2023 12:09:21 +0100
+Subject: btrfs: error out when COWing block using a stale transaction
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 48774f3bf8b4dd3b1a0e155825c9ce48483db14c ]
+
+At btrfs_cow_block() we have these checks to verify we are not using a
+stale transaction (a past transaction with an unblocked state or higher),
+and the only thing we do is to trigger a WARN with a message and a stack
+trace. This however is a critical problem, highly unexpected and if it
+happens it's most likely due to a bug, so we should error out and turn the
+fs into error state so that such issue is much more easily noticed if it's
+triggered.
+
+The problem is critical because using such stale transaction will lead to
+not persisting the extent buffer used for the COW operation, as allocating
+a tree block adds the range of the respective extent buffer to the
+->dirty_pages iotree of the transaction, and a stale transaction, in the
+unlocked state or higher, will not flush dirty extent buffers anymore,
+therefore resulting in not persisting the tree block and resource leaks
+(not cleaning the dirty_pages iotree for example).
+
+So do the following changes:
+
+1) Return -EUCLEAN if we find a stale transaction;
+
+2) Turn the fs into error state, with error -EUCLEAN, so that no
+ transaction can be committed, and generate a stack trace;
+
+3) Combine both conditions into a single if statement, as both are related
+ and have the same error message;
+
+4) Mark the check as unlikely, since this is not expected to ever happen.
+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index a4cb4b6429870..7afd0a6495f37 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -686,14 +686,22 @@ noinline int btrfs_cow_block(struct btrfs_trans_handle *trans,
+ btrfs_err(fs_info,
+ "COW'ing blocks on a fs root that's being dropped");
+
+- if (trans->transaction != fs_info->running_transaction)
+- WARN(1, KERN_CRIT "trans %llu running %llu\n",
+- trans->transid,
+- fs_info->running_transaction->transid);
+-
+- if (trans->transid != fs_info->generation)
+- WARN(1, KERN_CRIT "trans %llu running %llu\n",
+- trans->transid, fs_info->generation);
++ /*
++ * COWing must happen through a running transaction, which always
++ * matches the current fs generation (it's a transaction with a state
++ * less than TRANS_STATE_UNBLOCKED). If it doesn't, then turn the fs
++ * into error state to prevent the commit of any transaction.
++ */
++ if (unlikely(trans->transaction != fs_info->running_transaction ||
++ trans->transid != fs_info->generation)) {
++ btrfs_abort_transaction(trans, -EUCLEAN);
++ btrfs_crit(fs_info,
++"unexpected transaction when attempting to COW block %llu on root %llu, transaction %llu running transaction %llu fs generation %llu",
++ buf->start, btrfs_root_id(root), trans->transid,
++ fs_info->running_transaction->transid,
++ fs_info->generation);
++ return -EUCLEAN;
++ }
+
+ if (!should_cow_block(trans, root, buf)) {
+ *cow_ret = buf;
+--
+2.40.1
+
--- /dev/null
+From 039d1e895086421c2ff1c61f16c771613e6b734f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Sep 2023 12:09:23 +0100
+Subject: btrfs: error out when reallocating block for defrag using a stale
+ transaction
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit e36f94914021e58ee88a8856c7fdf35adf9c7ee1 ]
+
+At btrfs_realloc_node() we have these checks to verify we are not using a
+stale transaction (a past transaction with an unblocked state or higher),
+and the only thing we do is to trigger two WARN_ON(). This however is a
+critical problem, highly unexpected and if it happens it's most likely due
+to a bug, so we should error out and turn the fs into error state so that
+such issue is much more easily noticed if it's triggered.
+
+The problem is critical because in btrfs_realloc_node() we COW tree blocks,
+and using such stale transaction will lead to not persisting the extent
+buffers used for the COW operations, as allocating tree block adds the
+range of the respective extent buffers to the ->dirty_pages iotree of the
+transaction, and a stale transaction, in the unlocked state or higher,
+will not flush dirty extent buffers anymore, therefore resulting in not
+persisting the tree block and resource leaks (not cleaning the dirty_pages
+iotree for example).
+
+So do the following changes:
+
+1) Return -EUCLEAN if we find a stale transaction;
+
+2) Turn the fs into error state, with error -EUCLEAN, so that no
+ transaction can be committed, and generate a stack trace;
+
+3) Combine both conditions into a single if statement, as both are related
+ and have the same error message;
+
+4) Mark the check as unlikely, since this is not expected to ever happen.
+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index db1f3bc7f3284..da519c1b6ad08 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -817,8 +817,22 @@ int btrfs_realloc_node(struct btrfs_trans_handle *trans,
+ int progress_passed = 0;
+ struct btrfs_disk_key disk_key;
+
+- WARN_ON(trans->transaction != fs_info->running_transaction);
+- WARN_ON(trans->transid != fs_info->generation);
++ /*
++ * COWing must happen through a running transaction, which always
++ * matches the current fs generation (it's a transaction with a state
++ * less than TRANS_STATE_UNBLOCKED). If it doesn't, then turn the fs
++ * into error state to prevent the commit of any transaction.
++ */
++ if (unlikely(trans->transaction != fs_info->running_transaction ||
++ trans->transid != fs_info->generation)) {
++ btrfs_abort_transaction(trans, -EUCLEAN);
++ btrfs_crit(fs_info,
++"unexpected transaction when attempting to reallocate parent %llu for root %llu, transaction %llu running transaction %llu fs generation %llu",
++ parent->start, btrfs_root_id(root), trans->transid,
++ fs_info->running_transaction->transid,
++ fs_info->generation);
++ return -EUCLEAN;
++ }
+
+ parent_nritems = btrfs_header_nritems(parent);
+ blocksize = fs_info->nodesize;
+--
+2.40.1
+
--- /dev/null
+From ca2a5edf6951d491cb9e419a485733ad5498040c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Sep 2023 12:09:22 +0100
+Subject: btrfs: error when COWing block from a root that is being deleted
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit a2caab29884397e583d09be6546259a83ebfbdb1 ]
+
+At btrfs_cow_block() we check if the block being COWed belongs to a root
+that is being deleted and if so we log an error message. However this is
+an unexpected case and it indicates a bug somewhere, so we should return
+an error and abort the transaction. So change this in the following ways:
+
+1) Abort the transaction with -EUCLEAN, so that if the issue ever happens
+ it can easily be noticed;
+
+2) Change the logged message level from error to critical, and change the
+ message itself to print the block's logical address and the ID of the
+ root;
+
+3) Return -EUCLEAN to the caller;
+
+4) As this is an unexpected scenario, that should never happen, mark the
+ check as unlikely, allowing the compiler to potentially generate better
+ code.
+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index 7afd0a6495f37..db1f3bc7f3284 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -682,9 +682,13 @@ noinline int btrfs_cow_block(struct btrfs_trans_handle *trans,
+ u64 search_start;
+ int ret;
+
+- if (test_bit(BTRFS_ROOT_DELETING, &root->state))
+- btrfs_err(fs_info,
+- "COW'ing blocks on a fs root that's being dropped");
++ if (unlikely(test_bit(BTRFS_ROOT_DELETING, &root->state))) {
++ btrfs_abort_transaction(trans, -EUCLEAN);
++ btrfs_crit(fs_info,
++ "attempt to COW block %llu on root %llu that is being deleted",
++ buf->start, btrfs_root_id(root));
++ return -EUCLEAN;
++ }
+
+ /*
+ * COWing must happen through a running transaction, which always
+--
+2.40.1
+
--- /dev/null
+From 178be444b4e1f87dc6190ec8c9b121ca211bb3e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 18:20:18 +0100
+Subject: btrfs: fix race when refilling delayed refs block reserve
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 2ed45c0f1879079b30248568c515cf60fc668d8a ]
+
+If we have two (or more) tasks attempting to refill the delayed refs block
+reserve we can end up with the delayed block reserve being over reserved,
+that is, with a reserved space greater than its size. If this happens, we
+are holding to more reserved space than necessary for a while.
+
+The race happens like this:
+
+1) The delayed refs block reserve has a size of 8M and a reserved space of
+ 6M for example;
+
+2) Task A calls btrfs_delayed_refs_rsv_refill();
+
+3) Task B also calls btrfs_delayed_refs_rsv_refill();
+
+4) Task A sees there's a 2M difference between the size and the reserved
+ space of the delayed refs rsv, so it will reserve 2M of space by
+ calling btrfs_reserve_metadata_bytes();
+
+5) Task B also sees that 2M difference, and like task A, it reserves
+ another 2M of metadata space;
+
+6) Both task A and task B increase the reserved space of block reserve
+ by 2M, by calling btrfs_block_rsv_add_bytes(), so the block reserve
+ ends up with a size of 8M and a reserved space of 10M;
+
+7) The extra, over reserved space will eventually be freed by some task
+ calling btrfs_delayed_refs_rsv_release() -> btrfs_block_rsv_release()
+ -> block_rsv_release_bytes(), as there we will detect the over reserve
+ and release that space.
+
+So fix this by checking if we still need to add space to the delayed refs
+block reserve after reserving the metadata space, and if we don't, just
+release that space immediately.
+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/delayed-ref.c | 37 ++++++++++++++++++++++++++++++++++---
+ 1 file changed, 34 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/delayed-ref.c b/fs/btrfs/delayed-ref.c
+index 6a13cf00218bc..1043f66cc130d 100644
+--- a/fs/btrfs/delayed-ref.c
++++ b/fs/btrfs/delayed-ref.c
+@@ -163,6 +163,8 @@ int btrfs_delayed_refs_rsv_refill(struct btrfs_fs_info *fs_info,
+ struct btrfs_block_rsv *block_rsv = &fs_info->delayed_refs_rsv;
+ u64 limit = btrfs_calc_delayed_ref_bytes(fs_info, 1);
+ u64 num_bytes = 0;
++ u64 refilled_bytes;
++ u64 to_free;
+ int ret = -ENOSPC;
+
+ spin_lock(&block_rsv->lock);
+@@ -178,9 +180,38 @@ int btrfs_delayed_refs_rsv_refill(struct btrfs_fs_info *fs_info,
+ ret = btrfs_reserve_metadata_bytes(fs_info, block_rsv, num_bytes, flush);
+ if (ret)
+ return ret;
+- btrfs_block_rsv_add_bytes(block_rsv, num_bytes, false);
+- trace_btrfs_space_reservation(fs_info, "delayed_refs_rsv",
+- 0, num_bytes, 1);
++
++ /*
++ * We may have raced with someone else, so check again if we the block
++ * reserve is still not full and release any excess space.
++ */
++ spin_lock(&block_rsv->lock);
++ if (block_rsv->reserved < block_rsv->size) {
++ u64 needed = block_rsv->size - block_rsv->reserved;
++
++ if (num_bytes >= needed) {
++ block_rsv->reserved += needed;
++ block_rsv->full = true;
++ to_free = num_bytes - needed;
++ refilled_bytes = needed;
++ } else {
++ block_rsv->reserved += num_bytes;
++ to_free = 0;
++ refilled_bytes = num_bytes;
++ }
++ } else {
++ to_free = num_bytes;
++ refilled_bytes = 0;
++ }
++ spin_unlock(&block_rsv->lock);
++
++ if (to_free > 0)
++ btrfs_space_info_free_bytes_may_use(fs_info, block_rsv->space_info,
++ to_free);
++
++ if (refilled_bytes > 0)
++ trace_btrfs_space_reservation(fs_info, "delayed_refs_rsv", 0,
++ refilled_bytes, 1);
+ return 0;
+ }
+
+--
+2.40.1
+
--- /dev/null
+From 8568c507117e70a1f74e00e11b560d5b84a2f6bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Sep 2023 15:47:27 -0400
+Subject: btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 9147b9ded499d9853bdf0e9804b7eaa99c4429ed ]
+
+Jens reported the following warnings from -Wmaybe-uninitialized recent
+Linus' branch.
+
+ In file included from ./include/asm-generic/rwonce.h:26,
+ from ./arch/arm64/include/asm/rwonce.h:71,
+ from ./include/linux/compiler.h:246,
+ from ./include/linux/export.h:5,
+ from ./include/linux/linkage.h:7,
+ from ./include/linux/kernel.h:17,
+ from fs/btrfs/ioctl.c:6:
+ In function ‘instrument_copy_from_user_before’,
+ inlined from ‘_copy_from_user’ at ./include/linux/uaccess.h:148:3,
+ inlined from ‘copy_from_user’ at ./include/linux/uaccess.h:183:7,
+ inlined from ‘btrfs_ioctl_space_info’ at fs/btrfs/ioctl.c:2999:6,
+ inlined from ‘btrfs_ioctl’ at fs/btrfs/ioctl.c:4616:10:
+ ./include/linux/kasan-checks.h:38:27: warning: ‘space_args’ may be used
+ uninitialized [-Wmaybe-uninitialized]
+ 38 | #define kasan_check_write __kasan_check_write
+ ./include/linux/instrumented.h:129:9: note: in expansion of macro
+ ‘kasan_check_write’
+ 129 | kasan_check_write(to, n);
+ | ^~~~~~~~~~~~~~~~~
+ ./include/linux/kasan-checks.h: In function ‘btrfs_ioctl’:
+ ./include/linux/kasan-checks.h:20:6: note: by argument 1 of type ‘const
+ volatile void *’ to ‘__kasan_check_write’ declared here
+ 20 | bool __kasan_check_write(const volatile void *p, unsigned int
+ size);
+ | ^~~~~~~~~~~~~~~~~~~
+ fs/btrfs/ioctl.c:2981:39: note: ‘space_args’ declared here
+ 2981 | struct btrfs_ioctl_space_args space_args;
+ | ^~~~~~~~~~
+ In function ‘instrument_copy_from_user_before’,
+ inlined from ‘_copy_from_user’ at ./include/linux/uaccess.h:148:3,
+ inlined from ‘copy_from_user’ at ./include/linux/uaccess.h:183:7,
+ inlined from ‘_btrfs_ioctl_send’ at fs/btrfs/ioctl.c:4343:9,
+ inlined from ‘btrfs_ioctl’ at fs/btrfs/ioctl.c:4658:10:
+ ./include/linux/kasan-checks.h:38:27: warning: ‘args32’ may be used
+ uninitialized [-Wmaybe-uninitialized]
+ 38 | #define kasan_check_write __kasan_check_write
+ ./include/linux/instrumented.h:129:9: note: in expansion of macro
+ ‘kasan_check_write’
+ 129 | kasan_check_write(to, n);
+ | ^~~~~~~~~~~~~~~~~
+ ./include/linux/kasan-checks.h: In function ‘btrfs_ioctl’:
+ ./include/linux/kasan-checks.h:20:6: note: by argument 1 of type ‘const
+ volatile void *’ to ‘__kasan_check_write’ declared here
+ 20 | bool __kasan_check_write(const volatile void *p, unsigned int
+ size);
+ | ^~~~~~~~~~~~~~~~~~~
+ fs/btrfs/ioctl.c:4341:49: note: ‘args32’ declared here
+ 4341 | struct btrfs_ioctl_send_args_32 args32;
+ | ^~~~~~
+
+This was due to his config options and having KASAN turned on,
+which adds some extra checks around copy_from_user(), which then
+triggered the -Wmaybe-uninitialized checker for these cases.
+
+Fix the warnings by initializing the different structs we're copying
+into.
+
+Reported-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ioctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index d27b0d86b8e2c..bf35b6fce8f07 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -2978,7 +2978,7 @@ static void get_block_group_info(struct list_head *groups_list,
+ static long btrfs_ioctl_space_info(struct btrfs_fs_info *fs_info,
+ void __user *arg)
+ {
+- struct btrfs_ioctl_space_args space_args;
++ struct btrfs_ioctl_space_args space_args = { 0 };
+ struct btrfs_ioctl_space_info space;
+ struct btrfs_ioctl_space_info *dest;
+ struct btrfs_ioctl_space_info *dest_orig;
+@@ -4338,7 +4338,7 @@ static int _btrfs_ioctl_send(struct inode *inode, void __user *argp, bool compat
+
+ if (compat) {
+ #if defined(CONFIG_64BIT) && defined(CONFIG_COMPAT)
+- struct btrfs_ioctl_send_args_32 args32;
++ struct btrfs_ioctl_send_args_32 args32 = { 0 };
+
+ ret = copy_from_user(&args32, argp, sizeof(args32));
+ if (ret)
+--
+2.40.1
+
--- /dev/null
+From 2b9bc11590cff977f28b4c8b3c5f54a3fb622992 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 12:15:24 -0400
+Subject: btrfs: initialize start_slot in btrfs_log_prealloc_extents
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit b4c639f699349880b7918b861e1bd360442ec450 ]
+
+Jens reported a compiler warning when using
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y that looks like this
+
+ fs/btrfs/tree-log.c: In function ‘btrfs_log_prealloc_extents’:
+ fs/btrfs/tree-log.c:4828:23: warning: ‘start_slot’ may be used
+ uninitialized [-Wmaybe-uninitialized]
+ 4828 | ret = copy_items(trans, inode, dst_path, path,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 4829 | start_slot, ins_nr, 1, 0);
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~
+ fs/btrfs/tree-log.c:4725:13: note: ‘start_slot’ was declared here
+ 4725 | int start_slot;
+ | ^~~~~~~~~~
+
+The compiler is incorrect, as we only use this code when ins_len > 0,
+and when ins_len > 0 we have start_slot properly initialized. However
+we generally find the -Wmaybe-uninitialized warnings valuable, so
+initialize start_slot to get rid of the warning.
+
+Reported-by: Jens Axboe <axboe@kernel.dk>
+Tested-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 365a1cc0a3c35..a00e7a0bc713d 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -4722,7 +4722,7 @@ static int btrfs_log_prealloc_extents(struct btrfs_trans_handle *trans,
+ struct extent_buffer *leaf;
+ int slot;
+ int ins_nr = 0;
+- int start_slot;
++ int start_slot = 0;
+ int ret;
+
+ if (!(inode->flags & BTRFS_INODE_PREALLOC))
+--
+2.40.1
+
--- /dev/null
+From 12b0f13348c1f95959887bc74f88e36f5b53e837 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 18:20:19 +0100
+Subject: btrfs: prevent transaction block reserve underflow when starting
+ transaction
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit a7ddeeb079505961355cf0106154da0110f1fdff ]
+
+When starting a transaction, with a non-zero number of items, we reserve
+metadata space for that number of items and for delayed refs by doing a
+call to btrfs_block_rsv_add(), with the transaction block reserve passed
+as the block reserve argument. This reserves metadata space and adds it
+to the transaction block reserve. Later we migrate the space we reserved
+for delayed references from the transaction block reserve into the delayed
+refs block reserve, by calling btrfs_migrate_to_delayed_refs_rsv().
+
+btrfs_migrate_to_delayed_refs_rsv() decrements the number of bytes to
+migrate from the source block reserve, and this however may result in an
+underflow in case the space added to the transaction block reserve ended
+up being used by another task that has not reserved enough space for its
+own use - examples are tasks doing reflinks or hole punching because they
+end up calling btrfs_replace_file_extents() -> btrfs_drop_extents() and
+may need to modify/COW a variable number of leaves/paths, so they keep
+trying to use space from the transaction block reserve when they need to
+COW an extent buffer, and may end up trying to use more space then they
+have reserved (1 unit/path only for removing file extent items).
+
+This can be avoided by simply reserving space first without adding it to
+the transaction block reserve, then add the space for delayed refs to the
+delayed refs block reserve and finally add the remaining reserved space
+to the transaction block reserve. This also makes the code a bit shorter
+and simpler. So just do that.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/delayed-ref.c | 9 +--------
+ fs/btrfs/delayed-ref.h | 1 -
+ fs/btrfs/transaction.c | 6 +++---
+ 3 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/fs/btrfs/delayed-ref.c b/fs/btrfs/delayed-ref.c
+index 1043f66cc130d..9fe4ccca50a06 100644
+--- a/fs/btrfs/delayed-ref.c
++++ b/fs/btrfs/delayed-ref.c
+@@ -103,24 +103,17 @@ void btrfs_update_delayed_refs_rsv(struct btrfs_trans_handle *trans)
+ * Transfer bytes to our delayed refs rsv.
+ *
+ * @fs_info: the filesystem
+- * @src: source block rsv to transfer from
+ * @num_bytes: number of bytes to transfer
+ *
+- * This transfers up to the num_bytes amount from the src rsv to the
++ * This transfers up to the num_bytes amount, previously reserved, to the
+ * delayed_refs_rsv. Any extra bytes are returned to the space info.
+ */
+ void btrfs_migrate_to_delayed_refs_rsv(struct btrfs_fs_info *fs_info,
+- struct btrfs_block_rsv *src,
+ u64 num_bytes)
+ {
+ struct btrfs_block_rsv *delayed_refs_rsv = &fs_info->delayed_refs_rsv;
+ u64 to_free = 0;
+
+- spin_lock(&src->lock);
+- src->reserved -= num_bytes;
+- src->size -= num_bytes;
+- spin_unlock(&src->lock);
+-
+ spin_lock(&delayed_refs_rsv->lock);
+ if (delayed_refs_rsv->size > delayed_refs_rsv->reserved) {
+ u64 delta = delayed_refs_rsv->size -
+diff --git a/fs/btrfs/delayed-ref.h b/fs/btrfs/delayed-ref.h
+index b8e14b0ba5f16..fd9bf2b709c0e 100644
+--- a/fs/btrfs/delayed-ref.h
++++ b/fs/btrfs/delayed-ref.h
+@@ -407,7 +407,6 @@ void btrfs_update_delayed_refs_rsv(struct btrfs_trans_handle *trans);
+ int btrfs_delayed_refs_rsv_refill(struct btrfs_fs_info *fs_info,
+ enum btrfs_reserve_flush_enum flush);
+ void btrfs_migrate_to_delayed_refs_rsv(struct btrfs_fs_info *fs_info,
+- struct btrfs_block_rsv *src,
+ u64 num_bytes);
+ bool btrfs_check_space_for_delayed_refs(struct btrfs_fs_info *fs_info);
+
+diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
+index 5bbd288b9cb54..0554ca2a8e3ba 100644
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -625,14 +625,14 @@ start_transaction(struct btrfs_root *root, unsigned int num_items,
+ reloc_reserved = true;
+ }
+
+- ret = btrfs_block_rsv_add(fs_info, rsv, num_bytes, flush);
++ ret = btrfs_reserve_metadata_bytes(fs_info, rsv, num_bytes, flush);
+ if (ret)
+ goto reserve_fail;
+ if (delayed_refs_bytes) {
+- btrfs_migrate_to_delayed_refs_rsv(fs_info, rsv,
+- delayed_refs_bytes);
++ btrfs_migrate_to_delayed_refs_rsv(fs_info, delayed_refs_bytes);
+ num_bytes -= delayed_refs_bytes;
+ }
++ btrfs_block_rsv_add_bytes(rsv, num_bytes, true);
+
+ if (rsv->space_info->force_alloc)
+ do_chunk_alloc = true;
+--
+2.40.1
+
--- /dev/null
+From 45c29b924747efcc70c11234f813959b8d68ab3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 18:20:23 +0100
+Subject: btrfs: return -EUCLEAN for delayed tree ref with a ref count not
+ equals to 1
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 1bf76df3fee56d6637718e267f7c34ed70d0c7dc ]
+
+When running a delayed tree reference, if we find a ref count different
+from 1, we return -EIO. This isn't an IO error, as it indicates either a
+bug in the delayed refs code or a memory corruption, so change the error
+code from -EIO to -EUCLEAN. Also tag the branch as 'unlikely' as this is
+not expected to ever happen, and change the error message to print the
+tree block's bytenr without the parenthesis (and there was a missing space
+between the 'block' word and the opening parenthesis), for consistency as
+that's the style we used everywhere else.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent-tree.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 0917c5f39e3d0..2cf8d646085c2 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -1715,12 +1715,12 @@ static int run_delayed_tree_ref(struct btrfs_trans_handle *trans,
+ parent = ref->parent;
+ ref_root = ref->root;
+
+- if (node->ref_mod != 1) {
++ if (unlikely(node->ref_mod != 1)) {
+ btrfs_err(trans->fs_info,
+- "btree block(%llu) has %d references rather than 1: action %d ref_root %llu parent %llu",
++ "btree block %llu has %d references rather than 1: action %d ref_root %llu parent %llu",
+ node->bytenr, node->ref_mod, node->action, ref_root,
+ parent);
+- return -EIO;
++ return -EUCLEAN;
+ }
+ if (node->action == BTRFS_ADD_DELAYED_REF && insert_reserved) {
+ BUG_ON(!extent_op || !extent_op->update_flags);
+--
+2.40.1
+
--- /dev/null
+From 00a3e540993685226292b6223c4bd84c38a671f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Jul 2023 21:05:27 +0800
+Subject: cpufreq: schedutil: Update next_freq when cpufreq_limits change
+
+From: Xuewen Yan <xuewen.yan@unisoc.com>
+
+[ Upstream commit 9e0bc36ab07c550d791bf17feeb479f1dfc42d89 ]
+
+When cpufreq's policy is 'single', there is a scenario that will
+cause sg_policy's next_freq to be unable to update.
+
+When the CPU's util is always max, the cpufreq will be max,
+and then if we change the policy's scaling_max_freq to be a
+lower freq, indeed, the sg_policy's next_freq need change to
+be the lower freq, however, because the cpu_is_busy, the next_freq
+would keep the max_freq.
+
+For example:
+
+The cpu7 is a single CPU:
+
+ unisoc:/sys/devices/system/cpu/cpufreq/policy7 # while true;do done& [1] 4737
+ unisoc:/sys/devices/system/cpu/cpufreq/policy7 # taskset -p 80 4737
+ pid 4737's current affinity mask: ff
+ pid 4737's new affinity mask: 80
+ unisoc:/sys/devices/system/cpu/cpufreq/policy7 # cat scaling_max_freq
+ 2301000
+ unisoc:/sys/devices/system/cpu/cpufreq/policy7 # cat scaling_cur_freq
+ 2301000
+ unisoc:/sys/devices/system/cpu/cpufreq/policy7 # echo 2171000 > scaling_max_freq
+ unisoc:/sys/devices/system/cpu/cpufreq/policy7 # cat scaling_max_freq
+ 2171000
+
+At this time, the sg_policy's next_freq would stay at 2301000, which
+is wrong.
+
+To fix this, add a check for the ->need_freq_update flag.
+
+[ mingo: Clarified the changelog. ]
+
+Co-developed-by: Guohua Yan <guohua.yan@unisoc.com>
+Signed-off-by: Xuewen Yan <xuewen.yan@unisoc.com>
+Signed-off-by: Guohua Yan <guohua.yan@unisoc.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: "Rafael J. Wysocki" <rafael@kernel.org>
+Link: https://lore.kernel.org/r/20230719130527.8074-1-xuewen.yan@unisoc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/cpufreq_schedutil.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c
+index 4492608b7d7f1..458d359f5991c 100644
+--- a/kernel/sched/cpufreq_schedutil.c
++++ b/kernel/sched/cpufreq_schedutil.c
+@@ -350,7 +350,8 @@ static void sugov_update_single_freq(struct update_util_data *hook, u64 time,
+ * Except when the rq is capped by uclamp_max.
+ */
+ if (!uclamp_rq_is_capped(cpu_rq(sg_cpu->cpu)) &&
+- sugov_cpu_is_busy(sg_cpu) && next_f < sg_policy->next_freq) {
++ sugov_cpu_is_busy(sg_cpu) && next_f < sg_policy->next_freq &&
++ !sg_policy->need_freq_update) {
+ next_f = sg_policy->next_freq;
+
+ /* Restore cached freq as next_freq has changed */
+--
+2.40.1
+
--- /dev/null
+From bc1443a459e7b6a30b5851dacfe03b8a6907f7f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Aug 2023 12:25:26 +0800
+Subject: drm/amd/pm: add unique_id for gc 11.0.3
+
+From: Kenneth Feng <kenneth.feng@amd.com>
+
+[ Upstream commit 4953856f280b2b606089a72a93a1e9212a3adaca ]
+
+add unique_id for gc 11.0.3
+
+Signed-off-by: Kenneth Feng <kenneth.feng@amd.com>
+Reviewed-by: Feifei Xu <Feifei.Xu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/amdgpu_pm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/amd/pm/amdgpu_pm.c b/drivers/gpu/drm/amd/pm/amdgpu_pm.c
+index d68fe5474676b..7f7a476b6829c 100644
+--- a/drivers/gpu/drm/amd/pm/amdgpu_pm.c
++++ b/drivers/gpu/drm/amd/pm/amdgpu_pm.c
+@@ -2077,6 +2077,7 @@ static int default_attr_update(struct amdgpu_device *adev, struct amdgpu_device_
+ case IP_VERSION(11, 0, 0):
+ case IP_VERSION(11, 0, 1):
+ case IP_VERSION(11, 0, 2):
++ case IP_VERSION(11, 0, 3):
+ *states = ATTR_STATE_SUPPORTED;
+ break;
+ default:
+--
+2.40.1
+
--- /dev/null
+From dabf378b73246574d9667b16270e51b4d65c230f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Oct 2023 13:47:10 +0200
+Subject: drm: panel-orientation-quirks: Add quirk for One Mix 2S
+
+From: Kai Uwe Broulik <foss-linux@broulik.de>
+
+[ Upstream commit cbb7eb2dbd9472816e42a1b0fdb51af49abbf812 ]
+
+The One Mix 2S is a mini laptop with a 1200x1920 portrait screen
+mounted in a landscape oriented clamshell case. Because of the too
+generic DMI strings this entry is also doing bios-date matching.
+
+Signed-off-by: Kai Uwe Broulik <foss-linux@broulik.de>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231001114710.336172-1-foss-linux@broulik.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index 0cb646cb04ee1..d5c15292ae937 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -38,6 +38,14 @@ static const struct drm_dmi_panel_orientation_data gpd_micropc = {
+ .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
+ };
+
++static const struct drm_dmi_panel_orientation_data gpd_onemix2s = {
++ .width = 1200,
++ .height = 1920,
++ .bios_dates = (const char * const []){ "05/21/2018", "10/26/2018",
++ "03/04/2019", NULL },
++ .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
++};
++
+ static const struct drm_dmi_panel_orientation_data gpd_pocket = {
+ .width = 1200,
+ .height = 1920,
+@@ -401,6 +409,14 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "LTH17"),
+ },
+ .driver_data = (void *)&lcd800x1280_rightside_up,
++ }, { /* One Mix 2S (generic strings, also match on bios date) */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Default string"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Default string"),
++ DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "Default string"),
++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "Default string"),
++ },
++ .driver_data = (void *)&gpd_onemix2s,
+ },
+ {}
+ };
+--
+2.40.1
+
--- /dev/null
+From 5c5a033d3a2ad2ef0d5b100aca246e15811d245c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 22:51:31 -0600
+Subject: fs-writeback: do not requeue a clean inode having skipped pages
+
+From: Chunhai Guo <guochunhai@vivo.com>
+
+[ Upstream commit be049c3a088d512187407b7fd036cecfab46d565 ]
+
+When writing back an inode and performing an fsync on it concurrently, a
+deadlock issue may arise as shown below. In each writeback iteration, a
+clean inode is requeued to the wb->b_dirty queue due to non-zero
+pages_skipped, without anything actually being written. This causes an
+infinite loop and prevents the plug from being flushed, resulting in a
+deadlock. We now avoid requeuing the clean inode to prevent this issue.
+
+ wb_writeback fsync (inode-Y)
+blk_start_plug(&plug)
+for (;;) {
+ iter i-1: some reqs with page-X added into plug->mq_list // f2fs node page-X with PG_writeback
+ filemap_fdatawrite
+ __filemap_fdatawrite_range // write inode-Y with sync_mode WB_SYNC_ALL
+ do_writepages
+ f2fs_write_data_pages
+ __f2fs_write_data_pages // wb_sync_req[DATA]++ for WB_SYNC_ALL
+ f2fs_write_cache_pages
+ f2fs_write_single_data_page
+ f2fs_do_write_data_page
+ f2fs_outplace_write_data
+ f2fs_update_data_blkaddr
+ f2fs_wait_on_page_writeback
+ wait_on_page_writeback // wait for f2fs node page-X
+ iter i:
+ progress = __writeback_inodes_wb(wb, work)
+ . writeback_sb_inodes
+ . __writeback_single_inode // write inode-Y with sync_mode WB_SYNC_NONE
+ . . do_writepages
+ . . f2fs_write_data_pages
+ . . . __f2fs_write_data_pages // skip writepages due to (wb_sync_req[DATA]>0)
+ . . . wbc->pages_skipped += get_dirty_pages(inode) // wbc->pages_skipped = 1
+ . if (!(inode->i_state & I_DIRTY_ALL)) // i_state = I_SYNC | I_SYNC_QUEUED
+ . total_wrote++; // total_wrote = 1
+ . requeue_inode // requeue inode-Y to wb->b_dirty queue due to non-zero pages_skipped
+ if (progress) // progress = 1
+ continue;
+ iter i+1:
+ queue_io
+ // similar process with iter i, infinite for-loop !
+}
+blk_finish_plug(&plug) // flush plug won't be called
+
+Signed-off-by: Chunhai Guo <guochunhai@vivo.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Message-Id: <20230916045131.957929-1-guochunhai@vivo.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fs-writeback.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index aca4b48113945..d532a93e980d7 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -1535,10 +1535,15 @@ static void requeue_inode(struct inode *inode, struct bdi_writeback *wb,
+
+ if (wbc->pages_skipped) {
+ /*
+- * writeback is not making progress due to locked
+- * buffers. Skip this inode for now.
++ * Writeback is not making progress due to locked buffers.
++ * Skip this inode for now. Although having skipped pages
++ * is odd for clean inodes, it can happen for some
++ * filesystems so handle that gracefully.
+ */
+- redirty_tail_locked(inode, wb);
++ if (inode->i_state & I_DIRTY_ALL)
++ redirty_tail_locked(inode, wb);
++ else
++ inode_cgwb_move_to_attached(inode, wb);
+ return;
+ }
+
+--
+2.40.1
+
--- /dev/null
+From e4b6cbdf2c225ba49f481bb91cb100872f428f1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Sep 2023 10:29:14 +0000
+Subject: gpio: timberdale: Fix potential deadlock on &tgpio->lock
+
+From: Chengfeng Ye <dg573847474@gmail.com>
+
+[ Upstream commit 9e8bc2dda5a7a8e2babc9975f4b11c9a6196e490 ]
+
+As timbgpio_irq_enable()/timbgpio_irq_disable() callback could be
+executed under irq context, it could introduce double locks on
+&tgpio->lock if it preempts other execution units requiring
+the same locks.
+
+timbgpio_gpio_set()
+--> timbgpio_update_bit()
+--> spin_lock(&tgpio->lock)
+<interrupt>
+ --> timbgpio_irq_disable()
+ --> spin_lock_irqsave(&tgpio->lock)
+
+This flaw was found by an experimental static analysis tool I am
+developing for irq-related deadlock.
+
+To prevent the potential deadlock, the patch uses spin_lock_irqsave()
+on &tgpio->lock inside timbgpio_gpio_set() to prevent the possible
+deadlock scenario.
+
+Signed-off-by: Chengfeng Ye <dg573847474@gmail.com>
+Reviewed-by: Andy Shevchenko <andy@kernel.org>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-timberdale.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpio-timberdale.c b/drivers/gpio/gpio-timberdale.c
+index de14949a3fe5a..92c1f2baa4bff 100644
+--- a/drivers/gpio/gpio-timberdale.c
++++ b/drivers/gpio/gpio-timberdale.c
+@@ -43,9 +43,10 @@ static int timbgpio_update_bit(struct gpio_chip *gpio, unsigned index,
+ unsigned offset, bool enabled)
+ {
+ struct timbgpio *tgpio = gpiochip_get_data(gpio);
++ unsigned long flags;
+ u32 reg;
+
+- spin_lock(&tgpio->lock);
++ spin_lock_irqsave(&tgpio->lock, flags);
+ reg = ioread32(tgpio->membase + offset);
+
+ if (enabled)
+@@ -54,7 +55,7 @@ static int timbgpio_update_bit(struct gpio_chip *gpio, unsigned index,
+ reg &= ~(1 << index);
+
+ iowrite32(reg, tgpio->membase + offset);
+- spin_unlock(&tgpio->lock);
++ spin_unlock_irqrestore(&tgpio->lock, flags);
+
+ return 0;
+ }
+--
+2.40.1
+
--- /dev/null
+From af142d97ef13db798a0aa127cecd5499957e1415 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Oct 2023 21:07:00 +0200
+Subject: HID: Add quirk to ignore the touchscreen battery on HP ENVY
+ 15-eu0556ng
+
+From: Fabian Vogt <fabian@ritter-vogt.de>
+
+[ Upstream commit b009aa38a380becd98cc4e01c9b7626a11cb4905 ]
+
+Like various other devices using similar hardware, this model reports a
+perpetually empty battery (0-1%).
+
+Join the others and apply HID_BATTERY_QUIRK_IGNORE.
+
+Signed-off-by: Fabian Vogt <fabian@ritter-vogt.de>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-input.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 8a310f8ff20f5..cc0d0186a0d95 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -425,6 +425,7 @@
+ #define I2C_DEVICE_ID_HP_SPECTRE_X360_13T_AW100 0x29F5
+ #define I2C_DEVICE_ID_HP_SPECTRE_X360_14T_EA100_V1 0x2BED
+ #define I2C_DEVICE_ID_HP_SPECTRE_X360_14T_EA100_V2 0x2BEE
++#define I2C_DEVICE_ID_HP_ENVY_X360_15_EU0556NG 0x2D02
+
+ #define USB_VENDOR_ID_ELECOM 0x056e
+ #define USB_DEVICE_ID_ELECOM_BM084 0x0061
+diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
+index 40a5645f8fe81..5e2f721855e59 100644
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -406,6 +406,8 @@ static const struct hid_device_id hid_battery_quirks[] = {
+ HID_BATTERY_QUIRK_IGNORE },
+ { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_HP_SPECTRE_X360_14T_EA100_V2),
+ HID_BATTERY_QUIRK_IGNORE },
++ { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_HP_ENVY_X360_15_EU0556NG),
++ HID_BATTERY_QUIRK_IGNORE },
+ {}
+ };
+
+--
+2.40.1
+
--- /dev/null
+From b79724a120faba7fd2cb830b87ef25a3ba4f8b2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 10:40:59 +0800
+Subject: HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event
+
+From: Ma Ke <make_ruc2021@163.com>
+
+[ Upstream commit ffe3b7837a2bb421df84d0177481db9f52c93a71 ]
+
+There is a slab-out-of-bounds Write bug in hid-holtek-kbd driver.
+The problem is the driver assumes the device must have an input
+but some malicious devices violate this assumption.
+
+Fix this by checking hid_device's input is non-empty before its usage.
+
+Signed-off-by: Ma Ke <make_ruc2021@163.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-holtek-kbd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-holtek-kbd.c b/drivers/hid/hid-holtek-kbd.c
+index 403506b9697e7..b346d68a06f5a 100644
+--- a/drivers/hid/hid-holtek-kbd.c
++++ b/drivers/hid/hid-holtek-kbd.c
+@@ -130,6 +130,10 @@ static int holtek_kbd_input_event(struct input_dev *dev, unsigned int type,
+ return -ENODEV;
+
+ boot_hid = usb_get_intfdata(boot_interface);
++ if (list_empty(&boot_hid->inputs)) {
++ hid_err(hid, "no inputs found\n");
++ return -ENODEV;
++ }
+ boot_hid_input = list_first_entry(&boot_hid->inputs,
+ struct hid_input, list);
+
+--
+2.40.1
+
--- /dev/null
+From 96152aea283d4cd04ed9662707475b56e1a0cc97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Aug 2023 00:24:38 +0200
+Subject: HID: logitech-hidpp: Add Bluetooth ID for the Logitech M720 Triathlon
+ mouse
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 2d866603e25b1ce7e536839f62d1faae1c03d92f ]
+
+Using hidpp for the M720 adds battery info reporting and hires
+scrolling support.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Bastien Nocera <hadess@hadess.net>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-logitech-hidpp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
+index 1c00e4121c7ef..08b68f8476dbb 100644
+--- a/drivers/hid/hid-logitech-hidpp.c
++++ b/drivers/hid/hid-logitech-hidpp.c
+@@ -4676,6 +4676,8 @@ static const struct hid_device_id hidpp_devices[] = {
+ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb008) },
+ { /* MX Master mouse over Bluetooth */
+ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb012) },
++ { /* M720 Triathlon mouse over Bluetooth */
++ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb015) },
+ { /* MX Ergo trackball over Bluetooth */
+ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb01d) },
+ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb01e) },
+--
+2.40.1
+
--- /dev/null
+From 5164c02c2210bd9a3d8c38c0e78bb10701735335 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Sep 2023 16:18:43 +0000
+Subject: HID: multitouch: Add required quirk for Synaptics 0xcd7e device
+
+From: Rahul Rameshbabu <sergeantsagara@protonmail.com>
+
+[ Upstream commit 1437e4547edf41689d7135faaca4222ef0081bc1 ]
+
+Register the Synaptics device as a special multitouch device with certain
+quirks that may improve usability of the touchpad device.
+
+Reported-by: Rain <rain@sunshowers.io>
+Closes: https://lore.kernel.org/linux-input/2bbb8e1d-1793-4df1-810f-cb0137341ff4@app.fastmail.com/
+Signed-off-by: Rahul Rameshbabu <sergeantsagara@protonmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-multitouch.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index 521b2ffb42449..8db4ae05febc8 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -2144,6 +2144,10 @@ static const struct hid_device_id mt_devices[] = {
+ USB_DEVICE_ID_MTP_STM)},
+
+ /* Synaptics devices */
++ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT,
++ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8,
++ USB_VENDOR_ID_SYNAPTICS, 0xcd7e) },
++
+ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT,
+ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8,
+ USB_VENDOR_ID_SYNAPTICS, 0xce08) },
+--
+2.40.1
+
--- /dev/null
+From 1c83d1145acea995e95597cde563d50cf377ad9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Sep 2023 16:06:01 +0200
+Subject: HID: nintendo: reinitialize USB Pro Controller after resuming from
+ suspend
+
+From: Martino Fontana <tinozzo123@gmail.com>
+
+[ Upstream commit 95ea4d9fd385fe335b989f22d409df079a042b7a ]
+
+When suspending the computer, a Switch Pro Controller connected via USB will
+lose its internal status. However, because the USB connection was technically
+never lost, when resuming the computer, the driver will attempt to communicate
+with the controller as if nothing happened (and fail).
+Because of this, the user was forced to manually disconnect the controller
+(or to press the sync button on the controller to power it off), so that it
+can be re-initialized.
+
+With this patch, the controller will be automatically re-initialized after
+resuming from suspend.
+
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216233
+
+Signed-off-by: Martino Fontana <tinozzo123@gmail.com>
+Reviewed-by: Daniel J. Ogorchock <djogorchock@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-nintendo.c | 175 ++++++++++++++++++++++---------------
+ 1 file changed, 103 insertions(+), 72 deletions(-)
+
+diff --git a/drivers/hid/hid-nintendo.c b/drivers/hid/hid-nintendo.c
+index 250f5d2f888ab..10468f727e5bb 100644
+--- a/drivers/hid/hid-nintendo.c
++++ b/drivers/hid/hid-nintendo.c
+@@ -2088,7 +2088,9 @@ static int joycon_read_info(struct joycon_ctlr *ctlr)
+ struct joycon_input_report *report;
+
+ req.subcmd_id = JC_SUBCMD_REQ_DEV_INFO;
++ mutex_lock(&ctlr->output_mutex);
+ ret = joycon_send_subcmd(ctlr, &req, 0, HZ);
++ mutex_unlock(&ctlr->output_mutex);
+ if (ret) {
+ hid_err(ctlr->hdev, "Failed to get joycon info; ret=%d\n", ret);
+ return ret;
+@@ -2117,6 +2119,85 @@ static int joycon_read_info(struct joycon_ctlr *ctlr)
+ return 0;
+ }
+
++static int joycon_init(struct hid_device *hdev)
++{
++ struct joycon_ctlr *ctlr = hid_get_drvdata(hdev);
++ int ret = 0;
++
++ mutex_lock(&ctlr->output_mutex);
++ /* if handshake command fails, assume ble pro controller */
++ if ((jc_type_is_procon(ctlr) || jc_type_is_chrggrip(ctlr)) &&
++ !joycon_send_usb(ctlr, JC_USB_CMD_HANDSHAKE, HZ)) {
++ hid_dbg(hdev, "detected USB controller\n");
++ /* set baudrate for improved latency */
++ ret = joycon_send_usb(ctlr, JC_USB_CMD_BAUDRATE_3M, HZ);
++ if (ret) {
++ hid_err(hdev, "Failed to set baudrate; ret=%d\n", ret);
++ goto out_unlock;
++ }
++ /* handshake */
++ ret = joycon_send_usb(ctlr, JC_USB_CMD_HANDSHAKE, HZ);
++ if (ret) {
++ hid_err(hdev, "Failed handshake; ret=%d\n", ret);
++ goto out_unlock;
++ }
++ /*
++ * Set no timeout (to keep controller in USB mode).
++ * This doesn't send a response, so ignore the timeout.
++ */
++ joycon_send_usb(ctlr, JC_USB_CMD_NO_TIMEOUT, HZ/10);
++ } else if (jc_type_is_chrggrip(ctlr)) {
++ hid_err(hdev, "Failed charging grip handshake\n");
++ ret = -ETIMEDOUT;
++ goto out_unlock;
++ }
++
++ /* get controller calibration data, and parse it */
++ ret = joycon_request_calibration(ctlr);
++ if (ret) {
++ /*
++ * We can function with default calibration, but it may be
++ * inaccurate. Provide a warning, and continue on.
++ */
++ hid_warn(hdev, "Analog stick positions may be inaccurate\n");
++ }
++
++ /* get IMU calibration data, and parse it */
++ ret = joycon_request_imu_calibration(ctlr);
++ if (ret) {
++ /*
++ * We can function with default calibration, but it may be
++ * inaccurate. Provide a warning, and continue on.
++ */
++ hid_warn(hdev, "Unable to read IMU calibration data\n");
++ }
++
++ /* Set the reporting mode to 0x30, which is the full report mode */
++ ret = joycon_set_report_mode(ctlr);
++ if (ret) {
++ hid_err(hdev, "Failed to set report mode; ret=%d\n", ret);
++ goto out_unlock;
++ }
++
++ /* Enable rumble */
++ ret = joycon_enable_rumble(ctlr);
++ if (ret) {
++ hid_err(hdev, "Failed to enable rumble; ret=%d\n", ret);
++ goto out_unlock;
++ }
++
++ /* Enable the IMU */
++ ret = joycon_enable_imu(ctlr);
++ if (ret) {
++ hid_err(hdev, "Failed to enable the IMU; ret=%d\n", ret);
++ goto out_unlock;
++ }
++
++out_unlock:
++ mutex_unlock(&ctlr->output_mutex);
++ return ret;
++}
++
+ /* Common handler for parsing inputs */
+ static int joycon_ctlr_read_handler(struct joycon_ctlr *ctlr, u8 *data,
+ int size)
+@@ -2248,85 +2329,19 @@ static int nintendo_hid_probe(struct hid_device *hdev,
+
+ hid_device_io_start(hdev);
+
+- /* Initialize the controller */
+- mutex_lock(&ctlr->output_mutex);
+- /* if handshake command fails, assume ble pro controller */
+- if ((jc_type_is_procon(ctlr) || jc_type_is_chrggrip(ctlr)) &&
+- !joycon_send_usb(ctlr, JC_USB_CMD_HANDSHAKE, HZ)) {
+- hid_dbg(hdev, "detected USB controller\n");
+- /* set baudrate for improved latency */
+- ret = joycon_send_usb(ctlr, JC_USB_CMD_BAUDRATE_3M, HZ);
+- if (ret) {
+- hid_err(hdev, "Failed to set baudrate; ret=%d\n", ret);
+- goto err_mutex;
+- }
+- /* handshake */
+- ret = joycon_send_usb(ctlr, JC_USB_CMD_HANDSHAKE, HZ);
+- if (ret) {
+- hid_err(hdev, "Failed handshake; ret=%d\n", ret);
+- goto err_mutex;
+- }
+- /*
+- * Set no timeout (to keep controller in USB mode).
+- * This doesn't send a response, so ignore the timeout.
+- */
+- joycon_send_usb(ctlr, JC_USB_CMD_NO_TIMEOUT, HZ/10);
+- } else if (jc_type_is_chrggrip(ctlr)) {
+- hid_err(hdev, "Failed charging grip handshake\n");
+- ret = -ETIMEDOUT;
+- goto err_mutex;
+- }
+-
+- /* get controller calibration data, and parse it */
+- ret = joycon_request_calibration(ctlr);
++ ret = joycon_init(hdev);
+ if (ret) {
+- /*
+- * We can function with default calibration, but it may be
+- * inaccurate. Provide a warning, and continue on.
+- */
+- hid_warn(hdev, "Analog stick positions may be inaccurate\n");
+- }
+-
+- /* get IMU calibration data, and parse it */
+- ret = joycon_request_imu_calibration(ctlr);
+- if (ret) {
+- /*
+- * We can function with default calibration, but it may be
+- * inaccurate. Provide a warning, and continue on.
+- */
+- hid_warn(hdev, "Unable to read IMU calibration data\n");
+- }
+-
+- /* Set the reporting mode to 0x30, which is the full report mode */
+- ret = joycon_set_report_mode(ctlr);
+- if (ret) {
+- hid_err(hdev, "Failed to set report mode; ret=%d\n", ret);
+- goto err_mutex;
+- }
+-
+- /* Enable rumble */
+- ret = joycon_enable_rumble(ctlr);
+- if (ret) {
+- hid_err(hdev, "Failed to enable rumble; ret=%d\n", ret);
+- goto err_mutex;
+- }
+-
+- /* Enable the IMU */
+- ret = joycon_enable_imu(ctlr);
+- if (ret) {
+- hid_err(hdev, "Failed to enable the IMU; ret=%d\n", ret);
+- goto err_mutex;
++ hid_err(hdev, "Failed to initialize controller; ret=%d\n", ret);
++ goto err_close;
+ }
+
+ ret = joycon_read_info(ctlr);
+ if (ret) {
+ hid_err(hdev, "Failed to retrieve controller info; ret=%d\n",
+ ret);
+- goto err_mutex;
++ goto err_close;
+ }
+
+- mutex_unlock(&ctlr->output_mutex);
+-
+ /* Initialize the leds */
+ ret = joycon_leds_create(ctlr);
+ if (ret) {
+@@ -2352,8 +2367,6 @@ static int nintendo_hid_probe(struct hid_device *hdev,
+ hid_dbg(hdev, "probe - success\n");
+ return 0;
+
+-err_mutex:
+- mutex_unlock(&ctlr->output_mutex);
+ err_close:
+ hid_hw_close(hdev);
+ err_stop:
+@@ -2383,6 +2396,20 @@ static void nintendo_hid_remove(struct hid_device *hdev)
+ hid_hw_stop(hdev);
+ }
+
++#ifdef CONFIG_PM
++
++static int nintendo_hid_resume(struct hid_device *hdev)
++{
++ int ret = joycon_init(hdev);
++
++ if (ret)
++ hid_err(hdev, "Failed to restore controller after resume");
++
++ return ret;
++}
++
++#endif
++
+ static const struct hid_device_id nintendo_hid_devices[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_NINTENDO,
+ USB_DEVICE_ID_NINTENDO_PROCON) },
+@@ -2404,6 +2431,10 @@ static struct hid_driver nintendo_hid_driver = {
+ .probe = nintendo_hid_probe,
+ .remove = nintendo_hid_remove,
+ .raw_event = nintendo_hid_event,
++
++#ifdef CONFIG_PM
++ .resume = nintendo_hid_resume,
++#endif
+ };
+ module_hid_driver(nintendo_hid_driver);
+
+--
+2.40.1
+
--- /dev/null
+From 9d3f40668aabe2f20cd22b19125d6ac52c93d25d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Sep 2023 23:54:06 +0200
+Subject: i2c: mux: Avoid potential false error message in i2c_mux_add_adapter
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit b13e59e74ff71a1004e0508107e91e9a84fd7388 ]
+
+I2C_CLASS_DEPRECATED is a flag and not an actual class.
+There's nothing speaking against both, parent and child, having
+I2C_CLASS_DEPRECATED set. Therefore exclude it from the check.
+
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Acked-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-mux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/i2c-mux.c b/drivers/i2c/i2c-mux.c
+index 313904be5f3bd..57ff09f18c371 100644
+--- a/drivers/i2c/i2c-mux.c
++++ b/drivers/i2c/i2c-mux.c
+@@ -341,7 +341,7 @@ int i2c_mux_add_adapter(struct i2c_mux_core *muxc,
+ priv->adap.lock_ops = &i2c_parent_lock_ops;
+
+ /* Sanity check on class */
+- if (i2c_mux_parent_classes(parent) & class)
++ if (i2c_mux_parent_classes(parent) & class & ~I2C_CLASS_DEPRECATED)
+ dev_err(&parent->dev,
+ "Segment %d behind mux can't share classes with ancestors\n",
+ chan_id);
+--
+2.40.1
+
--- /dev/null
+From ab58fb6285dfd2ec47f73c95d974d091f5795188 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 14:43:01 +0200
+Subject: iio: light: vcnl4000: Don't power on/off chip in config
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: MÃ¥rten Lindahl <marten.lindahl@axis.com>
+
+[ Upstream commit 7e87ab38eed09c9dec56da361d74158159ae84a3 ]
+
+After enabling/disabling interrupts on the vcnl4040 chip the als and/or
+ps sensor is powered on or off depending on the interrupt enable bits.
+This is made as a last step in write_event_config.
+
+But there is no reason to do this as the runtime PM handles the power
+state of the sensors. Interfering with this may impact sensor readings.
+
+Consider the following:
+ 1. Userspace makes sensor data reading which triggers RPM resume
+ (sensor powered on) and a RPM suspend timeout. The timeout is 2000ms
+ before RPM suspend powers the sensor off if no new reading is made
+ within the timeout period.
+ 2. Userspace disables interrupts => powers sensor off
+ 3. Userspace reads sensor data = 0 because sensor is off and the
+ suspend timeout has not passed. For each new reading made within the
+ timeout period the timeout is renewed with 2000ms and RPM will not
+ make a new resume (device was not suspended). So the sensor will
+ not be powered on.
+ 4. No further userspace reading for 2000ms ends RPM suspend timeout and
+ triggers suspend (powers off already powered off sensor).
+
+Powering sensor off in (2) makes all consecutive readings made within
+2000ms to the previous reading (3) return invalid data.
+
+Skip setting power state when writing new event config.
+
+Fixes: 546676121cb9 ("iio: light: vcnl4000: Add interrupt support for vcnl4040")
+Fixes: bc292aaf9cb4 ("iio: light: vcnl4000: add illuminance irq vcnl4040/4200")
+Signed-off-by: MÃ¥rten Lindahl <marten.lindahl@axis.com>
+Link: https://lore.kernel.org/r/20230907-vcnl4000-pm-fix-v2-1-298e01f54db4@axis.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/light/vcnl4000.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/iio/light/vcnl4000.c b/drivers/iio/light/vcnl4000.c
+index 7c7362e288213..66433886b7b03 100644
+--- a/drivers/iio/light/vcnl4000.c
++++ b/drivers/iio/light/vcnl4000.c
+@@ -994,7 +994,6 @@ static int vcnl4040_write_event_config(struct iio_dev *indio_dev,
+
+ out:
+ mutex_unlock(&data->vcnl4000_lock);
+- data->chip_spec->set_power_state(data, data->ps_int != 0);
+
+ return ret;
+ }
+--
+2.40.1
+
--- /dev/null
+From 4feaa27fa7f0ae8652ed81af2fed83edccb95dc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Oct 2023 13:55:31 -0400
+Subject: io-wq: fully initialize wqe before calling
+ cpuhp_state_add_instance_nocalls()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jeff Moyer <jmoyer@redhat.com>
+
+[ Upstream commit 0f8baa3c9802fbfe313c901e1598397b61b91ada ]
+
+I received a bug report with the following signature:
+
+[ 1759.937637] BUG: unable to handle page fault for address: ffffffffffffffe8
+[ 1759.944564] #PF: supervisor read access in kernel mode
+[ 1759.949732] #PF: error_code(0x0000) - not-present page
+[ 1759.954901] PGD 7ab615067 P4D 7ab615067 PUD 7ab617067 PMD 0
+[ 1759.960596] Oops: 0000 1 PREEMPT SMP PTI
+[ 1759.964804] CPU: 15 PID: 109 Comm: cpuhp/15 Kdump: loaded Tainted: G X ------- — 5.14.0-362.3.1.el9_3.x86_64 #1
+[ 1759.976609] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/20/2018
+[ 1759.985181] RIP: 0010:io_wq_for_each_worker.isra.0+0x24/0xa0
+[ 1759.990877] Code: 90 90 90 90 90 90 0f 1f 44 00 00 41 56 41 55 41 54 55 48 8d 6f 78 53 48 8b 47 78 48 39 c5 74 4f 49 89 f5 49 89 d4 48 8d 58 e8 <8b> 13 85 d2 74 32 8d 4a 01 89 d0 f0 0f b1 0b 75 5c 09 ca 78 3d 48
+[ 1760.009758] RSP: 0000:ffffb6f403603e20 EFLAGS: 00010286
+[ 1760.015013] RAX: 0000000000000000 RBX: ffffffffffffffe8 RCX: 0000000000000000
+[ 1760.022188] RDX: ffffb6f403603e50 RSI: ffffffffb11e95b0 RDI: ffff9f73b09e9400
+[ 1760.029362] RBP: ffff9f73b09e9478 R08: 000000000000000f R09: 0000000000000000
+[ 1760.036536] R10: ffffffffffffff00 R11: ffffb6f403603d80 R12: ffffb6f403603e50
+[ 1760.043712] R13: ffffffffb11e95b0 R14: ffffffffb28531e8 R15: ffff9f7a6fbdf548
+[ 1760.050887] FS: 0000000000000000(0000) GS:ffff9f7a6fbc0000(0000) knlGS:0000000000000000
+[ 1760.059025] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1760.064801] CR2: ffffffffffffffe8 CR3: 00000007ab610002 CR4: 00000000007706e0
+[ 1760.071976] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 1760.079150] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 1760.086325] PKRU: 55555554
+[ 1760.089044] Call Trace:
+[ 1760.091501] <TASK>
+[ 1760.093612] ? show_trace_log_lvl+0x1c4/0x2df
+[ 1760.097995] ? show_trace_log_lvl+0x1c4/0x2df
+[ 1760.102377] ? __io_wq_cpu_online+0x54/0xb0
+[ 1760.106584] ? __die_body.cold+0x8/0xd
+[ 1760.110356] ? page_fault_oops+0x134/0x170
+[ 1760.114479] ? kernelmode_fixup_or_oops+0x84/0x110
+[ 1760.119298] ? exc_page_fault+0xa8/0x150
+[ 1760.123247] ? asm_exc_page_fault+0x22/0x30
+[ 1760.127458] ? __pfx_io_wq_worker_affinity+0x10/0x10
+[ 1760.132453] ? __pfx_io_wq_worker_affinity+0x10/0x10
+[ 1760.137446] ? io_wq_for_each_worker.isra.0+0x24/0xa0
+[ 1760.142527] __io_wq_cpu_online+0x54/0xb0
+[ 1760.146558] cpuhp_invoke_callback+0x109/0x460
+[ 1760.151029] ? __pfx_io_wq_cpu_offline+0x10/0x10
+[ 1760.155673] ? __pfx_smpboot_thread_fn+0x10/0x10
+[ 1760.160320] cpuhp_thread_fun+0x8d/0x140
+[ 1760.164266] smpboot_thread_fn+0xd3/0x1a0
+[ 1760.168297] kthread+0xdd/0x100
+[ 1760.171457] ? __pfx_kthread+0x10/0x10
+[ 1760.175225] ret_from_fork+0x29/0x50
+[ 1760.178826] </TASK>
+[ 1760.181022] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs rfkill sunrpc vfat fat dm_multipath intel_rapl_msr intel_rapl_common isst_if_common ipmi_ssif nfit libnvdimm mgag200 i2c_algo_bit ioatdma drm_shmem_helper drm_kms_helper acpi_ipmi syscopyarea x86_pkg_temp_thermal sysfillrect ipmi_si intel_powerclamp sysimgblt ipmi_devintf coretemp acpi_power_meter ipmi_msghandler rapl pcspkr dca intel_pch_thermal intel_cstate ses lpc_ich intel_uncore enclosure hpilo mei_me mei acpi_tad fuse drm xfs sd_mod sg bnx2x nvme nvme_core crct10dif_pclmul crc32_pclmul nvme_common ghash_clmulni_intel smartpqi tg3 t10_pi mdio uas libcrc32c crc32c_intel scsi_transport_sas usb_storage hpwdt wmi dm_mirror dm_region_hash dm_log dm_mod
+[ 1760.248623] CR2: ffffffffffffffe8
+
+A cpu hotplug callback was issued before wq->all_list was initialized.
+This results in a null pointer dereference. The fix is to fully setup
+the io_wq before calling cpuhp_state_add_instance_nocalls().
+
+Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
+Link: https://lore.kernel.org/r/x49y1ghnecs.fsf@segfault.boston.devel.redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/io-wq.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c
+index 2c03bc881edfd..fbab9b2727fde 100644
+--- a/io_uring/io-wq.c
++++ b/io_uring/io-wq.c
+@@ -1130,9 +1130,6 @@ struct io_wq *io_wq_create(unsigned bounded, struct io_wq_data *data)
+ wq = kzalloc(sizeof(struct io_wq), GFP_KERNEL);
+ if (!wq)
+ return ERR_PTR(-ENOMEM);
+- ret = cpuhp_state_add_instance_nocalls(io_wq_online, &wq->cpuhp_node);
+- if (ret)
+- goto err_wq;
+
+ refcount_inc(&data->hash->refs);
+ wq->hash = data->hash;
+@@ -1165,13 +1162,14 @@ struct io_wq *io_wq_create(unsigned bounded, struct io_wq_data *data)
+ wq->task = get_task_struct(data->task);
+ atomic_set(&wq->worker_refs, 1);
+ init_completion(&wq->worker_done);
++ ret = cpuhp_state_add_instance_nocalls(io_wq_online, &wq->cpuhp_node);
++ if (ret)
++ goto err;
++
+ return wq;
+ err:
+ io_wq_put_hash(data->hash);
+- cpuhp_state_remove_instance_nocalls(io_wq_online, &wq->cpuhp_node);
+-
+ free_cpumask_var(wq->cpu_mask);
+-err_wq:
+ kfree(wq);
+ return ERR_PTR(ret);
+ }
+--
+2.40.1
+
--- /dev/null
+From 5a9ad11bc741f418763acbc252a8d899afcd8805 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Sep 2023 15:55:08 +0800
+Subject: ipv4/fib: send notify when delete source address routes
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 4b2b606075e50cdae62ab2356b0a1e206947c354 ]
+
+After deleting an interface address in fib_del_ifaddr(), the function
+scans the fib_info list for stray entries and calls fib_flush() and
+fib_table_flush(). Then the stray entries will be deleted silently and no
+RTM_DELROUTE notification will be sent.
+
+This lack of notification can make routing daemons, or monitor like
+`ip monitor route` miss the routing changes. e.g.
+
++ ip link add dummy1 type dummy
++ ip link add dummy2 type dummy
++ ip link set dummy1 up
++ ip link set dummy2 up
++ ip addr add 192.168.5.5/24 dev dummy1
++ ip route add 7.7.7.0/24 dev dummy2 src 192.168.5.5
++ ip -4 route
+7.7.7.0/24 dev dummy2 scope link src 192.168.5.5
+192.168.5.0/24 dev dummy1 proto kernel scope link src 192.168.5.5
++ ip monitor route
++ ip addr del 192.168.5.5/24 dev dummy1
+Deleted 192.168.5.0/24 dev dummy1 proto kernel scope link src 192.168.5.5
+Deleted broadcast 192.168.5.255 dev dummy1 table local proto kernel scope link src 192.168.5.5
+Deleted local 192.168.5.5 dev dummy1 table local proto kernel scope host src 192.168.5.5
+
+As Ido reminded, fib_table_flush() isn't only called when an address is
+deleted, but also when an interface is deleted or put down. The lack of
+notification in these cases is deliberate. And commit 7c6bb7d2faaf
+("net/ipv6: Add knob to skip DELROUTE message on device down") introduced
+a sysctl to make IPv6 behave like IPv4 in this regard. So we can't send
+the route delete notify blindly in fib_table_flush().
+
+To fix this issue, let's add a new flag in "struct fib_info" to track the
+deleted prefer source address routes, and only send notify for them.
+
+After update:
++ ip monitor route
++ ip addr del 192.168.5.5/24 dev dummy1
+Deleted 192.168.5.0/24 dev dummy1 proto kernel scope link src 192.168.5.5
+Deleted broadcast 192.168.5.255 dev dummy1 table local proto kernel scope link src 192.168.5.5
+Deleted local 192.168.5.5 dev dummy1 table local proto kernel scope host src 192.168.5.5
+Deleted 7.7.7.0/24 dev dummy2 scope link src 192.168.5.5
+
+Suggested-by: Thomas Haller <thaller@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20230922075508.848925-1-liuhangbin@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip_fib.h | 1 +
+ net/ipv4/fib_semantics.c | 1 +
+ net/ipv4/fib_trie.c | 4 ++++
+ 3 files changed, 6 insertions(+)
+
+diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
+index f0c13864180e2..15de07d365405 100644
+--- a/include/net/ip_fib.h
++++ b/include/net/ip_fib.h
+@@ -154,6 +154,7 @@ struct fib_info {
+ int fib_nhs;
+ bool fib_nh_is_v6;
+ bool nh_updated;
++ bool pfsrc_removed;
+ struct nexthop *nh;
+ struct rcu_head rcu;
+ struct fib_nh fib_nh[];
+diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
+index 894d8ac6b9d0e..5eb1b8d302bbd 100644
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -1891,6 +1891,7 @@ int fib_sync_down_addr(struct net_device *dev, __be32 local)
+ continue;
+ if (fi->fib_prefsrc == local) {
+ fi->fib_flags |= RTNH_F_DEAD;
++ fi->pfsrc_removed = true;
+ ret++;
+ }
+ }
+diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
+index d13fb9e76b971..9bdfdab906fe0 100644
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -2027,6 +2027,7 @@ void fib_table_flush_external(struct fib_table *tb)
+ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all)
+ {
+ struct trie *t = (struct trie *)tb->tb_data;
++ struct nl_info info = { .nl_net = net };
+ struct key_vector *pn = t->kv;
+ unsigned long cindex = 1;
+ struct hlist_node *tmp;
+@@ -2089,6 +2090,9 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all)
+
+ fib_notify_alias_delete(net, n->key, &n->leaf, fa,
+ NULL);
++ if (fi->pfsrc_removed)
++ rtmsg_fib(RTM_DELROUTE, htonl(n->key), fa,
++ KEYLENGTH - fa->fa_slen, tb->tb_id, &info, 0);
+ hlist_del_rcu(&fa->fa_list);
+ fib_release_info(fa->fa_info);
+ alias_free_mem_rcu(fa);
+--
+2.40.1
+
--- /dev/null
+From 749a8c06548582ef24307408371bfe77bd65b2ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Aug 2023 13:31:53 +0300
+Subject: net/mlx5: E-switch, register event handler before arming the event
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit 7624e58a8b3a251e3e5108b32f2183b34453db32 ]
+
+Currently, mlx5 is registering event handler for vport context change
+event some time after arming the event. this can lead to missing an
+event, which will result in wrong rules in the FDB.
+Hence, register the event handler before arming the event.
+
+This solution is valid since FW is sending vport context change event
+only on vports which SW armed, and SW arming the vport when enabling
+it, which is done after the FDB has been created.
+
+Fixes: 6933a9379559 ("net/mlx5: E-Switch, Use async events chain")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Mark Bloch <mbloch@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/eswitch.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+index 6e9b1b183190d..51afb97b9e452 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -1022,11 +1022,8 @@ const u32 *mlx5_esw_query_functions(struct mlx5_core_dev *dev)
+ return ERR_PTR(err);
+ }
+
+-static void mlx5_eswitch_event_handlers_register(struct mlx5_eswitch *esw)
++static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw)
+ {
+- MLX5_NB_INIT(&esw->nb, eswitch_vport_event, NIC_VPORT_CHANGE);
+- mlx5_eq_notifier_register(esw->dev, &esw->nb);
+-
+ if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev)) {
+ MLX5_NB_INIT(&esw->esw_funcs.nb, mlx5_esw_funcs_changed_handler,
+ ESW_FUNCTIONS_CHANGED);
+@@ -1034,13 +1031,11 @@ static void mlx5_eswitch_event_handlers_register(struct mlx5_eswitch *esw)
+ }
+ }
+
+-static void mlx5_eswitch_event_handlers_unregister(struct mlx5_eswitch *esw)
++static void mlx5_eswitch_event_handler_unregister(struct mlx5_eswitch *esw)
+ {
+ if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev))
+ mlx5_eq_notifier_unregister(esw->dev, &esw->esw_funcs.nb);
+
+- mlx5_eq_notifier_unregister(esw->dev, &esw->nb);
+-
+ flush_workqueue(esw->work_queue);
+ }
+
+@@ -1419,6 +1414,9 @@ int mlx5_eswitch_enable_locked(struct mlx5_eswitch *esw, int num_vfs)
+
+ mlx5_eswitch_update_num_of_vfs(esw, num_vfs);
+
++ MLX5_NB_INIT(&esw->nb, eswitch_vport_event, NIC_VPORT_CHANGE);
++ mlx5_eq_notifier_register(esw->dev, &esw->nb);
++
+ if (esw->mode == MLX5_ESWITCH_LEGACY) {
+ err = esw_legacy_enable(esw);
+ } else {
+@@ -1431,7 +1429,7 @@ int mlx5_eswitch_enable_locked(struct mlx5_eswitch *esw, int num_vfs)
+
+ esw->fdb_table.flags |= MLX5_ESW_FDB_CREATED;
+
+- mlx5_eswitch_event_handlers_register(esw);
++ mlx5_eswitch_event_handler_register(esw);
+
+ esw_info(esw->dev, "Enable: mode(%s), nvfs(%d), necvfs(%d), active vports(%d)\n",
+ esw->mode == MLX5_ESWITCH_LEGACY ? "LEGACY" : "OFFLOADS",
+@@ -1558,7 +1556,8 @@ void mlx5_eswitch_disable_locked(struct mlx5_eswitch *esw)
+ */
+ mlx5_esw_mode_change_notify(esw, MLX5_ESWITCH_LEGACY);
+
+- mlx5_eswitch_event_handlers_unregister(esw);
++ mlx5_eq_notifier_unregister(esw->dev, &esw->nb);
++ mlx5_eswitch_event_handler_unregister(esw);
+
+ esw_info(esw->dev, "Disable: mode(%s), nvfs(%d), necvfs(%d), active vports(%d)\n",
+ esw->mode == MLX5_ESWITCH_LEGACY ? "LEGACY" : "OFFLOADS",
+--
+2.40.1
+
--- /dev/null
+From 1263f8d35d84879bab0cc8eb74339db0767ad18a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Sep 2023 21:48:30 +0300
+Subject: net/mlx5: Handle fw tracer change ownership event based on MTRC
+
+From: Maher Sanalla <msanalla@nvidia.com>
+
+[ Upstream commit 92fd39634541eb0a11bf1bafbc8ba92d6ddb8dba ]
+
+Currently, whenever fw issues a change ownership event, the PF that owns
+the fw tracer drops its ownership directly and the other PFs try to pick
+up the ownership via what MTRC register suggests.
+
+In some cases, driver releases the ownership of the tracer and reacquires
+it later on. Whenever the driver releases ownership of the tracer, fw
+issues a change ownership event. This event can be delayed and come after
+driver has reacquired ownership of the tracer. Thus the late event will
+trigger the tracer owner PF to release the ownership again and lead to a
+scenario where no PF is owning the tracer.
+
+To prevent the scenario described above, when handling a change
+ownership event, do not drop ownership of the tracer directly, instead
+read the fw MTRC register to retrieve the up-to-date owner of the tracer
+and set it accordingly in driver level.
+
+Fixes: f53aaa31cce7 ("net/mlx5: FW tracer, implement tracer logic")
+Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
+Reviewed-by: Shay Drory <shayd@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+index 7c0f2adbea000..ad789349c06e6 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+@@ -848,7 +848,7 @@ static void mlx5_fw_tracer_ownership_change(struct work_struct *work)
+
+ mlx5_core_dbg(tracer->dev, "FWTracer: ownership changed, current=(%d)\n", tracer->owner);
+ if (tracer->owner) {
+- tracer->owner = false;
++ mlx5_fw_tracer_ownership_acquire(tracer);
+ return;
+ }
+
+--
+2.40.1
+
--- /dev/null
+From ccfcc99f7c365dfe4ef8804767004c156d2e9fb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 02:28:47 +0000
+Subject: net/mlx5e: Don't offload internal port if filter device is out device
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 06b4eac9c4beda520b8a4dbbb8e33dba9d1c8fba ]
+
+In the cited commit, if the routing device is ovs internal port, the
+out device is set to uplink, and packets go out after encapsulation.
+
+If filter device is uplink, it can trigger the following syndrome:
+mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 3966): SET_FLOW_TABLE_ENTRY(0x936) op_mod(0x0) failed, status bad parameter(0x3), syndrome (0xcdb051), err(-22)
+
+Fix this issue by not offloading internal port if filter device is out
+device. In this case, packets are not forwarded to the root table to
+be processed, the termination table is used instead to forward them
+from uplink to uplink.
+
+Fixes: 100ad4e2d758 ("net/mlx5e: Offload internal port as encap route device")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Ariel Levkovich <lariel@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+index 1730f6a716eea..b10e40e1a9c14 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+@@ -24,7 +24,8 @@ static int mlx5e_set_int_port_tunnel(struct mlx5e_priv *priv,
+
+ route_dev = dev_get_by_index(dev_net(e->out_dev), e->route_dev_ifindex);
+
+- if (!route_dev || !netif_is_ovs_master(route_dev))
++ if (!route_dev || !netif_is_ovs_master(route_dev) ||
++ attr->parse_attr->filter_dev == e->out_dev)
+ goto out;
+
+ err = mlx5e_set_fwd_to_int_port_actions(priv, attr, e->route_dev_ifindex,
+--
+2.40.1
+
--- /dev/null
+From d68608aa198d301df50f1dacc84351884f754835 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Sep 2023 18:26:47 +0300
+Subject: net/mlx5e: Fix VF representors reporting zero counters to "ip -s"
+ command
+
+From: Amir Tzin <amirtz@nvidia.com>
+
+[ Upstream commit 80f1241484dd1b1d4eab1a0211d52ec2bd83e2f1 ]
+
+Although vf_vport entry of struct mlx5e_stats is never updated, its
+values are mistakenly copied to the caller structure in the VF
+representor .ndo_get_stat_64 callback mlx5e_rep_get_stats(). Remove
+redundant entry and use the updated one, rep_stats, instead.
+
+Fixes: 64b68e369649 ("net/mlx5: Refactor and expand rep vport stat group")
+Reviewed-by: Patrisious Haddad <phaddad@nvidia.com>
+Signed-off-by: Amir Tzin <amirtz@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 +-
+ drivers/net/ethernet/mellanox/mlx5/core/en_stats.h | 11 ++++++++++-
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 5 +++--
+ 3 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+index 5bdd2d09a8d5c..0cd44ef190058 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -704,7 +704,7 @@ mlx5e_rep_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+
+ /* update HW stats in background for next time */
+ mlx5e_queue_update_stats(priv);
+- memcpy(stats, &priv->stats.vf_vport, sizeof(*stats));
++ mlx5e_stats_copy_rep_stats(stats, &priv->stats.rep_stats);
+ }
+
+ static int mlx5e_rep_change_mtu(struct net_device *netdev, int new_mtu)
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
+index 1ff8a06027dcf..67938b4ea1b90 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
+@@ -475,11 +475,20 @@ struct mlx5e_stats {
+ struct mlx5e_vnic_env_stats vnic;
+ struct mlx5e_vport_stats vport;
+ struct mlx5e_pport_stats pport;
+- struct rtnl_link_stats64 vf_vport;
+ struct mlx5e_pcie_stats pcie;
+ struct mlx5e_rep_stats rep_stats;
+ };
+
++static inline void mlx5e_stats_copy_rep_stats(struct rtnl_link_stats64 *vf_vport,
++ struct mlx5e_rep_stats *rep_stats)
++{
++ memset(vf_vport, 0, sizeof(*vf_vport));
++ vf_vport->rx_packets = rep_stats->vport_rx_packets;
++ vf_vport->tx_packets = rep_stats->vport_tx_packets;
++ vf_vport->rx_bytes = rep_stats->vport_rx_bytes;
++ vf_vport->tx_bytes = rep_stats->vport_tx_bytes;
++}
++
+ extern mlx5e_stats_grp_t mlx5e_nic_stats_grps[];
+ unsigned int mlx5e_nic_stats_grps_num(struct mlx5e_priv *priv);
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+index 4b22a91482cec..5797d8607633e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -4931,7 +4931,8 @@ static int scan_tc_matchall_fdb_actions(struct mlx5e_priv *priv,
+ if (err)
+ return err;
+
+- rpriv->prev_vf_vport_stats = priv->stats.vf_vport;
++ mlx5e_stats_copy_rep_stats(&rpriv->prev_vf_vport_stats,
++ &priv->stats.rep_stats);
+ break;
+ default:
+ NL_SET_ERR_MSG_MOD(extack, "mlx5 supports only police action for matchall");
+@@ -4971,7 +4972,7 @@ void mlx5e_tc_stats_matchall(struct mlx5e_priv *priv,
+ u64 dbytes;
+ u64 dpkts;
+
+- cur_stats = priv->stats.vf_vport;
++ mlx5e_stats_copy_rep_stats(&cur_stats, &priv->stats.rep_stats);
+ dpkts = cur_stats.rx_packets - rpriv->prev_vf_vport_stats.rx_packets;
+ dbytes = cur_stats.rx_bytes - rpriv->prev_vf_vport_stats.rx_bytes;
+ rpriv->prev_vf_vport_stats = cur_stats;
+--
+2.40.1
+
--- /dev/null
+From 951bdb85da9f5b09f6d953b408bfdc644ecbd1dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Oct 2023 14:05:29 +0300
+Subject: net/mlx5e: RX, Fix page_pool allocation failure recovery for striding
+ rq
+
+From: Dragos Tatulea <dtatulea@nvidia.com>
+
+[ Upstream commit be43b7489a3c4702799e50179da69c3df7d6899b ]
+
+When a page allocation fails during refill in mlx5e_post_rx_mpwqes, the
+page will be released again on the next refill call. This triggers the
+page_pool negative page fragment count warning below:
+
+ [ 2436.447717] WARNING: CPU: 1 PID: 2419 at include/net/page_pool/helpers.h:130 mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core]
+ ...
+ [ 2436.447895] RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core]
+ [ 2436.447991] Call Trace:
+ [ 2436.447975] mlx5e_post_rx_mpwqes+0x1d5/0xcf0 [mlx5_core]
+ [ 2436.447994] <IRQ>
+ [ 2436.447996] ? __warn+0x7d/0x120
+ [ 2436.448009] ? mlx5e_handle_rx_cqe_mpwrq+0x109/0x1d0 [mlx5_core]
+ [ 2436.448002] ? mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core]
+ [ 2436.448044] ? mlx5e_poll_rx_cq+0x87/0x6e0 [mlx5_core]
+ [ 2436.448061] ? report_bug+0x155/0x180
+ [ 2436.448065] ? handle_bug+0x36/0x70
+ [ 2436.448067] ? exc_invalid_op+0x13/0x60
+ [ 2436.448070] ? asm_exc_invalid_op+0x16/0x20
+ [ 2436.448079] mlx5e_napi_poll+0x122/0x6b0 [mlx5_core]
+ [ 2436.448077] ? mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core]
+ [ 2436.448113] ? generic_exec_single+0x35/0x100
+ [ 2436.448117] __napi_poll+0x25/0x1a0
+ [ 2436.448120] net_rx_action+0x28a/0x300
+ [ 2436.448122] __do_softirq+0xcd/0x279
+ [ 2436.448126] irq_exit_rcu+0x6a/0x90
+ [ 2436.448128] sysvec_apic_timer_interrupt+0x6e/0x90
+ [ 2436.448130] </IRQ>
+
+This patch fixes the striding rq case by setting the skip flag on all
+the wqe pages that were expected to have new pages allocated.
+
+Fixes: 4c2a13236807 ("net/mlx5e: RX, Defer page release in striding rq for better recycling")
+Tested-by: Chris Mason <clm@fb.com>
+Reported-by: Chris Mason <clm@fb.com>
+Closes: https://lore.kernel.org/netdev/117FF31A-7BE0-4050-B2BB-E41F224FF72F@meta.com
+Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+index 41d37159e027b..0b558db1a9455 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+@@ -816,6 +816,8 @@ static int mlx5e_alloc_rx_mpwqe(struct mlx5e_rq *rq, u16 ix)
+ mlx5e_page_release_fragmented(rq, frag_page);
+ }
+
++ bitmap_fill(wi->skip_release_bitmap, rq->mpwqe.pages_per_wqe);
++
+ err:
+ rq->stats->buff_alloc_err++;
+
+--
+2.40.1
+
--- /dev/null
+From dbf09386026a5d75f89f47d9f3c92de026fad3f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Sep 2023 17:31:49 +0300
+Subject: net/mlx5e: RX, Fix page_pool allocation failure recovery for legacy
+ rq
+
+From: Dragos Tatulea <dtatulea@nvidia.com>
+
+[ Upstream commit ef9369e9c30846f5e052a11ccc70e1f6b8dc557a ]
+
+When a page allocation fails during refill in mlx5e_refill_rx_wqes, the
+page will be released again on the next refill call. This triggers the
+page_pool negative page fragment count warning below:
+
+ [ 338.326070] WARNING: CPU: 4 PID: 0 at include/net/page_pool/helpers.h:130 mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core]
+ ...
+ [ 338.328993] RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core]
+ [ 338.329094] Call Trace:
+ [ 338.329097] <IRQ>
+ [ 338.329100] ? __warn+0x7d/0x120
+ [ 338.329105] ? mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core]
+ [ 338.329173] ? report_bug+0x155/0x180
+ [ 338.329179] ? handle_bug+0x3c/0x60
+ [ 338.329183] ? exc_invalid_op+0x13/0x60
+ [ 338.329187] ? asm_exc_invalid_op+0x16/0x20
+ [ 338.329192] ? mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core]
+ [ 338.329259] mlx5e_post_rx_wqes+0x210/0x5a0 [mlx5_core]
+ [ 338.329327] ? mlx5e_poll_rx_cq+0x88/0x6f0 [mlx5_core]
+ [ 338.329394] mlx5e_napi_poll+0x127/0x6b0 [mlx5_core]
+ [ 338.329461] __napi_poll+0x25/0x1a0
+ [ 338.329465] net_rx_action+0x28a/0x300
+ [ 338.329468] __do_softirq+0xcd/0x279
+ [ 338.329473] irq_exit_rcu+0x6a/0x90
+ [ 338.329477] common_interrupt+0x82/0xa0
+ [ 338.329482] </IRQ>
+
+This patch fixes the legacy rq case by releasing all allocated fragments
+and then setting the skip flag on all released fragments. It is
+important to note that the number of released fragments will be higher
+than the number of allocated fragments when an allocation error occurs.
+
+Fixes: 3f93f82988bc ("net/mlx5e: RX, Defer page release in legacy rq for better recycling")
+Tested-by: Chris Mason <clm@fb.com>
+Reported-by: Chris Mason <clm@fb.com>
+Closes: https://lore.kernel.org/netdev/117FF31A-7BE0-4050-B2BB-E41F224FF72F@meta.com
+Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_rx.c | 33 ++++++++++++++-----
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+index 0b558db1a9455..5df970e6e29d5 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+@@ -457,26 +457,41 @@ static int mlx5e_alloc_rx_wqes(struct mlx5e_rq *rq, u16 ix, int wqe_bulk)
+ static int mlx5e_refill_rx_wqes(struct mlx5e_rq *rq, u16 ix, int wqe_bulk)
+ {
+ int remaining = wqe_bulk;
+- int i = 0;
++ int total_alloc = 0;
++ int refill_alloc;
++ int refill;
+
+ /* The WQE bulk is split into smaller bulks that are sized
+ * according to the page pool cache refill size to avoid overflowing
+ * the page pool cache due to too many page releases at once.
+ */
+ do {
+- int refill = min_t(u16, rq->wqe.info.refill_unit, remaining);
+- int alloc_count;
++ refill = min_t(u16, rq->wqe.info.refill_unit, remaining);
+
+- mlx5e_free_rx_wqes(rq, ix + i, refill);
+- alloc_count = mlx5e_alloc_rx_wqes(rq, ix + i, refill);
+- i += alloc_count;
+- if (unlikely(alloc_count != refill))
+- break;
++ mlx5e_free_rx_wqes(rq, ix + total_alloc, refill);
++ refill_alloc = mlx5e_alloc_rx_wqes(rq, ix + total_alloc, refill);
++ if (unlikely(refill_alloc != refill))
++ goto err_free;
+
++ total_alloc += refill_alloc;
+ remaining -= refill;
+ } while (remaining);
+
+- return i;
++ return total_alloc;
++
++err_free:
++ mlx5e_free_rx_wqes(rq, ix, total_alloc + refill_alloc);
++
++ for (int i = 0; i < total_alloc + refill; i++) {
++ int j = mlx5_wq_cyc_ctr2ix(&rq->wqe.wq, ix + i);
++ struct mlx5e_wqe_frag_info *frag;
++
++ frag = get_frag(rq, j);
++ for (int k = 0; k < rq->wqe.info.num_frags; k++, frag++)
++ frag->flags |= BIT(MLX5E_WQE_FRAG_SKIP_RELEASE);
++ }
++
++ return 0;
+ }
+
+ static void
+--
+2.40.1
+
--- /dev/null
+From d1238c12445f52f3100e7eb32243487f13ba7b54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 10:06:24 +0300
+Subject: net/mlx5e: Take RTNL lock before triggering netdev notifiers
+
+From: Lama Kayal <lkayal@nvidia.com>
+
+[ Upstream commit c51c673462a266fb813cf189f8190798a12d3124 ]
+
+Hold RTNL lock when calling xdp_set_features() with a registered netdev,
+as the call triggers the netdev notifiers. This could happen when
+switching from nic profile to uplink representor for example.
+
+Similar logic which fixed a similar scenario was previously introduced in
+the following commit:
+commit 72cc65497065 net/mlx5e: Take RTNL lock when needed before calling
+xdp_set_features().
+
+This fixes the following assertion and warning call trace:
+
+RTNL: assertion failed at net/core/dev.c (1961)
+WARNING: CPU: 13 PID: 2529 at net/core/dev.c:1961
+call_netdevice_notifiers_info+0x7c/0x80
+Modules linked in: rpcrdma rdma_ucm ib_iser libiscsi
+scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib
+ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink
+nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5
+auth_rpcgss oid_registry overlay mlx5_core zram zsmalloc fuse
+CPU: 13 PID: 2529 Comm: devlink Not tainted
+6.5.0_for_upstream_min_debug_2023_09_07_20_04 #1
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
+rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+RIP: 0010:call_netdevice_notifiers_info+0x7c/0x80
+Code: 8f ff 80 3d 77 0d 16 01 00 75 c5 ba a9 07 00 00 48
+c7 c6 c4 bb 0d 82 48 c7 c7 18 c8 06 82 c6 05 5b 0d 16 01 01 e8 44 f6 8c
+ff <0f> 0b eb a2 0f 1f 44 00 00 55 48 89 e5 41 54 48 83 e4 f0 48 83 ec
+RSP: 0018:ffff88819930f7f0 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: ffffffff8309f740 RCX: 0000000000000027
+RDX: ffff88885fb5b5c8 RSI: 0000000000000001 RDI: ffff88885fb5b5c0
+RBP: 0000000000000028 R08: ffff88887ffabaa8 R09: 0000000000000003
+R10: ffff88887fecbac0 R11: ffff88887ff7bac0 R12: ffff88819930f810
+R13: ffff88810b7fea40 R14: ffff8881154e8fd8 R15: ffff888107e881a0
+FS: 00007f3ad248f800(0000) GS:ffff88885fb40000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000563b85f164e0 CR3: 0000000113b5c006 CR4: 0000000000370ea0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ ? __warn+0x79/0x120
+ ? call_netdevice_notifiers_info+0x7c/0x80
+ ? report_bug+0x17c/0x190
+ ? handle_bug+0x3c/0x60
+ ? exc_invalid_op+0x14/0x70
+ ? asm_exc_invalid_op+0x16/0x20
+ ? call_netdevice_notifiers_info+0x7c/0x80
+ call_netdevice_notifiers+0x2e/0x50
+ mlx5e_set_xdp_feature+0x21/0x50 [mlx5_core]
+ mlx5e_build_rep_params+0x97/0x130 [mlx5_core]
+ mlx5e_init_ul_rep+0x9f/0x100 [mlx5_core]
+ mlx5e_netdev_init_profile+0x76/0x110 [mlx5_core]
+ mlx5e_netdev_attach_profile+0x1f/0x90 [mlx5_core]
+ mlx5e_netdev_change_profile+0x92/0x160 [mlx5_core]
+ mlx5e_vport_rep_load+0x329/0x4a0 [mlx5_core]
+ mlx5_esw_offloads_rep_load+0x9e/0xf0 [mlx5_core]
+ esw_offloads_enable+0x4bc/0xe90 [mlx5_core]
+ mlx5_eswitch_enable_locked+0x3c8/0x570 [mlx5_core]
+ ? kmalloc_trace+0x25/0x80
+ mlx5_devlink_eswitch_mode_set+0x224/0x680 [mlx5_core]
+ ? devlink_get_from_attrs_lock+0x9e/0x110
+ devlink_nl_cmd_eswitch_set_doit+0x60/0xe0
+ genl_family_rcv_msg_doit+0xd0/0x120
+ genl_rcv_msg+0x180/0x2b0
+ ? devlink_get_from_attrs_lock+0x110/0x110
+ ? devlink_nl_cmd_eswitch_get_doit+0x290/0x290
+ ? devlink_pernet_pre_exit+0xf0/0xf0
+ ? genl_family_rcv_msg_dumpit+0xf0/0xf0
+ netlink_rcv_skb+0x54/0x100
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x1fc/0x2c0
+ netlink_sendmsg+0x232/0x4a0
+ sock_sendmsg+0x38/0x60
+ ? _copy_from_user+0x2a/0x60
+ __sys_sendto+0x110/0x160
+ ? handle_mm_fault+0x161/0x260
+ ? do_user_addr_fault+0x276/0x620
+ __x64_sys_sendto+0x20/0x30
+ do_syscall_64+0x3d/0x90
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+RIP: 0033:0x7f3ad231340a
+Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3
+0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f
+05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
+RSP: 002b:00007ffd70aad4b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000c36b00 RCX:00007f3ad231340a
+RDX: 0000000000000038 RSI: 0000000000c36b00 RDI: 0000000000000003
+RBP: 0000000000c36910 R08: 00007f3ad2625200 R09: 000000000000000c
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
+ </TASK>
+---[ end trace 0000000000000000 ]---
+------------[ cut here ]------------
+
+Fixes: 4d5ab0ad964d ("net/mlx5e: take into account device reconfiguration for xdp_features flag")
+Signed-off-by: Lama Kayal <lkayal@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+index 99b3843396f33..5bdd2d09a8d5c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -772,6 +772,7 @@ static int mlx5e_rep_max_nch_limit(struct mlx5_core_dev *mdev)
+
+ static void mlx5e_build_rep_params(struct net_device *netdev)
+ {
++ const bool take_rtnl = netdev->reg_state == NETREG_REGISTERED;
+ struct mlx5e_priv *priv = netdev_priv(netdev);
+ struct mlx5e_rep_priv *rpriv = priv->ppriv;
+ struct mlx5_eswitch_rep *rep = rpriv->rep;
+@@ -797,8 +798,15 @@ static void mlx5e_build_rep_params(struct net_device *netdev)
+ /* RQ */
+ mlx5e_build_rq_params(mdev, params);
+
++ /* If netdev is already registered (e.g. move from nic profile to uplink,
++ * RTNL lock must be held before triggering netdev notifiers.
++ */
++ if (take_rtnl)
++ rtnl_lock();
+ /* update XDP supported features */
+ mlx5e_set_xdp_feature(netdev);
++ if (take_rtnl)
++ rtnl_unlock();
+
+ /* CQ moderation params */
+ params->rx_dim_enabled = MLX5_CAP_GEN(mdev, cq_moderation);
+--
+2.40.1
+
--- /dev/null
+From f68cfbdf7627eb23955163f4131ba02a4e5439ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Sep 2023 17:50:18 +0300
+Subject: net/mlx5e: XDP, Fix XDP_REDIRECT mpwqe page fragment leaks on
+ shutdown
+
+From: Dragos Tatulea <dtatulea@nvidia.com>
+
+[ Upstream commit aaab619ccd07a32e5b29aa7e59b20de1dcc7a29e ]
+
+When mlx5e_xdp_xmit is called without the XDP_XMIT_FLUSH set it is
+possible that it leaves a mpwqe session open. That is ok during runtime:
+the session will be closed on the next call to mlx5e_xdp_xmit. But
+having a mpwqe session still open at XDP sq close time is problematic:
+the pc counter is not updated before flushing the contents of the
+xdpi_fifo. This results in leaking page fragments.
+
+The fix is to always close the mpwqe session at the end of
+mlx5e_xdp_xmit, regardless of the XDP_XMIT_FLUSH flag being set or not.
+
+Fixes: 5e0d2eef771e ("net/mlx5e: XDP, Support Enhanced Multi-Packet TX WQE")
+Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c
+index 40589cebb7730..4fd4c9febab95 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c
+@@ -873,11 +873,11 @@ int mlx5e_xdp_xmit(struct net_device *dev, int n, struct xdp_frame **frames,
+ }
+
+ out:
+- if (flags & XDP_XMIT_FLUSH) {
+- if (sq->mpwqe.wqe)
+- mlx5e_xdp_mpwqe_complete(sq);
++ if (sq->mpwqe.wqe)
++ mlx5e_xdp_mpwqe_complete(sq);
++
++ if (flags & XDP_XMIT_FLUSH)
+ mlx5e_xmit_xdp_doorbell(sq);
+- }
+
+ return nxmit;
+ }
+--
+2.40.1
+
--- /dev/null
+From a4b3867e7b8f208e720e8084fce3a8c783f35150 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Oct 2023 18:38:16 -0700
+Subject: net: move altnames together with the netdevice
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 8e15aee621618a3ee3abecaf1fd8c1428098b7ef ]
+
+The altname nodes are currently not moved to the new netns
+when netdevice itself moves:
+
+ [ ~]# ip netns add test
+ [ ~]# ip -netns test link add name eth0 type dummy
+ [ ~]# ip -netns test link property add dev eth0 altname some-name
+ [ ~]# ip -netns test link show dev some-name
+ 2: eth0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
+ link/ether 1e:67:ed:19:3d:24 brd ff:ff:ff:ff:ff:ff
+ altname some-name
+ [ ~]# ip -netns test link set dev eth0 netns 1
+ [ ~]# ip link
+ ...
+ 3: eth0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
+ link/ether 02:40:88:62:ec:b8 brd ff:ff:ff:ff:ff:ff
+ altname some-name
+ [ ~]# ip li show dev some-name
+ Device "some-name" does not exist.
+
+Remove them from the hash table when device is unlisted
+and add back when listed again.
+
+Fixes: 36fbf1e52bd3 ("net: rtnetlink: add linkprop commands to add and delete alternative ifnames")
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index a450234f68a54..b1ba00e57a1ab 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -379,6 +379,7 @@ static void netdev_name_node_alt_flush(struct net_device *dev)
+ /* Device list insertion */
+ static void list_netdevice(struct net_device *dev)
+ {
++ struct netdev_name_node *name_node;
+ struct net *net = dev_net(dev);
+
+ ASSERT_RTNL();
+@@ -389,6 +390,10 @@ static void list_netdevice(struct net_device *dev)
+ hlist_add_head_rcu(&dev->index_hlist,
+ dev_index_hash(net, dev->ifindex));
+ write_unlock(&dev_base_lock);
++
++ netdev_for_each_altname(dev, name_node)
++ netdev_name_node_add(net, name_node);
++
+ /* We reserved the ifindex, this can't fail */
+ WARN_ON(xa_store(&net->dev_by_index, dev->ifindex, dev, GFP_KERNEL));
+
+@@ -400,12 +405,16 @@ static void list_netdevice(struct net_device *dev)
+ */
+ static void unlist_netdevice(struct net_device *dev, bool lock)
+ {
++ struct netdev_name_node *name_node;
+ struct net *net = dev_net(dev);
+
+ ASSERT_RTNL();
+
+ xa_erase(&net->dev_by_index, dev->ifindex);
+
++ netdev_for_each_altname(dev, name_node)
++ netdev_name_node_del(name_node);
++
+ /* Unlink dev from the device chain */
+ if (lock)
+ write_lock(&dev_base_lock);
+@@ -10873,7 +10882,6 @@ void unregister_netdevice_many_notify(struct list_head *head,
+ synchronize_net();
+
+ list_for_each_entry(dev, head, unreg_list) {
+- struct netdev_name_node *name_node;
+ struct sk_buff *skb = NULL;
+
+ /* Shutdown queueing discipline. */
+@@ -10901,9 +10909,6 @@ void unregister_netdevice_many_notify(struct list_head *head,
+ dev_uc_flush(dev);
+ dev_mc_flush(dev);
+
+- netdev_for_each_altname(dev, name_node)
+- netdev_name_node_del(name_node);
+- synchronize_rcu();
+ netdev_name_node_alt_flush(dev);
+ netdev_name_node_free(dev->name_node);
+
+--
+2.40.1
+
--- /dev/null
+From 61576515c6913e1ae2c4e7c01d832b985f66500e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Oct 2023 15:48:51 +0800
+Subject: net/smc: fix smc clc failed issue when netdevice not in init_net
+
+From: Albert Huang <huangjie.albert@bytedance.com>
+
+[ Upstream commit c68681ae46eaaa1640b52fe366d21a93b2185df5 ]
+
+If the netdevice is within a container and communicates externally
+through network technologies such as VxLAN, we won't be able to find
+routing information in the init_net namespace. To address this issue,
+we need to add a struct net parameter to the smc_ib_find_route function.
+This allow us to locate the routing information within the corresponding
+net namespace, ensuring the correct completion of the SMC CLC interaction.
+
+Fixes: e5c4744cfb59 ("net/smc: add SMC-Rv2 connection establishment")
+Signed-off-by: Albert Huang <huangjie.albert@bytedance.com>
+Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
+Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
+Link: https://lore.kernel.org/r/20231011074851.95280-1-huangjie.albert@bytedance.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 3 ++-
+ net/smc/smc_ib.c | 7 ++++---
+ net/smc/smc_ib.h | 2 +-
+ 3 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index fa7b8015cd7bb..01bd576ffa5e1 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1199,6 +1199,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
+ (struct smc_clc_msg_accept_confirm_v2 *)aclc;
+ struct smc_clc_first_contact_ext *fce =
+ smc_get_clc_first_contact_ext(clc_v2, false);
++ struct net *net = sock_net(&smc->sk);
+ int rc;
+
+ if (!ini->first_contact_peer || aclc->hdr.version == SMC_V1)
+@@ -1208,7 +1209,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
+ memcpy(ini->smcrv2.nexthop_mac, &aclc->r0.lcl.mac, ETH_ALEN);
+ ini->smcrv2.uses_gateway = false;
+ } else {
+- if (smc_ib_find_route(smc->clcsock->sk->sk_rcv_saddr,
++ if (smc_ib_find_route(net, smc->clcsock->sk->sk_rcv_saddr,
+ smc_ib_gid_to_ipv4(aclc->r0.lcl.gid),
+ ini->smcrv2.nexthop_mac,
+ &ini->smcrv2.uses_gateway))
+diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c
+index 9b66d6aeeb1ae..89981dbe46c94 100644
+--- a/net/smc/smc_ib.c
++++ b/net/smc/smc_ib.c
+@@ -193,7 +193,7 @@ bool smc_ib_port_active(struct smc_ib_device *smcibdev, u8 ibport)
+ return smcibdev->pattr[ibport - 1].state == IB_PORT_ACTIVE;
+ }
+
+-int smc_ib_find_route(__be32 saddr, __be32 daddr,
++int smc_ib_find_route(struct net *net, __be32 saddr, __be32 daddr,
+ u8 nexthop_mac[], u8 *uses_gateway)
+ {
+ struct neighbour *neigh = NULL;
+@@ -205,7 +205,7 @@ int smc_ib_find_route(__be32 saddr, __be32 daddr,
+
+ if (daddr == cpu_to_be32(INADDR_NONE))
+ goto out;
+- rt = ip_route_output_flow(&init_net, &fl4, NULL);
++ rt = ip_route_output_flow(net, &fl4, NULL);
+ if (IS_ERR(rt))
+ goto out;
+ if (rt->rt_uses_gateway && rt->rt_gw_family != AF_INET)
+@@ -235,6 +235,7 @@ static int smc_ib_determine_gid_rcu(const struct net_device *ndev,
+ if (smcrv2 && attr->gid_type == IB_GID_TYPE_ROCE_UDP_ENCAP &&
+ smc_ib_gid_to_ipv4((u8 *)&attr->gid) != cpu_to_be32(INADDR_NONE)) {
+ struct in_device *in_dev = __in_dev_get_rcu(ndev);
++ struct net *net = dev_net(ndev);
+ const struct in_ifaddr *ifa;
+ bool subnet_match = false;
+
+@@ -248,7 +249,7 @@ static int smc_ib_determine_gid_rcu(const struct net_device *ndev,
+ }
+ if (!subnet_match)
+ goto out;
+- if (smcrv2->daddr && smc_ib_find_route(smcrv2->saddr,
++ if (smcrv2->daddr && smc_ib_find_route(net, smcrv2->saddr,
+ smcrv2->daddr,
+ smcrv2->nexthop_mac,
+ &smcrv2->uses_gateway))
+diff --git a/net/smc/smc_ib.h b/net/smc/smc_ib.h
+index 034295676e881..ebcb05ede7f55 100644
+--- a/net/smc/smc_ib.h
++++ b/net/smc/smc_ib.h
+@@ -113,7 +113,7 @@ void smc_ib_sync_sg_for_device(struct smc_link *lnk,
+ int smc_ib_determine_gid(struct smc_ib_device *smcibdev, u8 ibport,
+ unsigned short vlan_id, u8 gid[], u8 *sgid_index,
+ struct smc_init_info_smcrv2 *smcrv2);
+-int smc_ib_find_route(__be32 saddr, __be32 daddr,
++int smc_ib_find_route(struct net *net, __be32 saddr, __be32 daddr,
+ u8 nexthop_mac[], u8 *uses_gateway);
+ bool smc_ib_is_valid_local_systemid(void);
+ int smcr_nl_get_device(struct sk_buff *skb, struct netlink_callback *cb);
+--
+2.40.1
+
--- /dev/null
+From a1e70723561808918567b223a81c29b808e3b664 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 21:20:27 +0800
+Subject: net/smc: support smc release version negotiation in clc handshake
+
+From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+
+[ Upstream commit 1e700948c9db0d09f691f715e8f4b947e51e35b5 ]
+
+Support smc release version negotiation in clc handshake based on
+SMC v2, where no negotiation process for different releases, but
+for different versions. The latest smc release version was updated
+to v2.1. And currently there are two release versions of SMCv2, v2.0
+and v2.1. In the release version negotiation, client sends the preferred
+release version by CLC Proposal Message, server makes decision for which
+release version to use based on the client preferred release version and
+self-supported release version (here choose the minimum release version
+of the client preferred and server latest supported), then the decision
+returns to client by CLC Accept Message. Client confirms the decision by
+CLC Confirm Message.
+
+Client Server
+ Proposal(preferred release version)
+ ------------------------------------>
+
+ Accept(accpeted release version)
+ min(client preferred, server latest supported)
+ <------------------------------------
+
+ Confirm(accpeted release version)
+ ------------------------------------>
+
+Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
+Reviewed-by: Jan Karcher <jaka@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: c68681ae46ea ("net/smc: fix smc clc failed issue when netdevice not in init_net")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 21 +++++++++++++++++----
+ net/smc/smc.h | 5 ++++-
+ net/smc/smc_clc.c | 14 +++++++-------
+ net/smc/smc_clc.h | 23 ++++++++++++++++++++++-
+ net/smc/smc_core.h | 1 +
+ 5 files changed, 51 insertions(+), 13 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index c0e4e587b4994..077e5864fc441 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1198,8 +1198,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
+ struct smc_clc_msg_accept_confirm_v2 *clc_v2 =
+ (struct smc_clc_msg_accept_confirm_v2 *)aclc;
+ struct smc_clc_first_contact_ext *fce =
+- (struct smc_clc_first_contact_ext *)
+- (((u8 *)clc_v2) + sizeof(*clc_v2));
++ smc_get_clc_first_contact_ext(clc_v2, false);
+
+ if (!ini->first_contact_peer || aclc->hdr.version == SMC_V1)
+ return 0;
+@@ -1218,6 +1217,9 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
+ return SMC_CLC_DECL_NOINDIRECT;
+ }
+ }
++
++ ini->release_nr = fce->release;
++
+ return 0;
+ }
+
+@@ -1386,6 +1388,13 @@ static int smc_connect_ism(struct smc_sock *smc,
+ struct smc_clc_msg_accept_confirm_v2 *aclc_v2 =
+ (struct smc_clc_msg_accept_confirm_v2 *)aclc;
+
++ if (ini->first_contact_peer) {
++ struct smc_clc_first_contact_ext *fce =
++ smc_get_clc_first_contact_ext(aclc_v2, true);
++
++ ini->release_nr = fce->release;
++ }
++
+ rc = smc_v2_determine_accepted_chid(aclc_v2, ini);
+ if (rc)
+ return rc;
+@@ -1420,7 +1429,7 @@ static int smc_connect_ism(struct smc_sock *smc,
+ }
+
+ rc = smc_clc_send_confirm(smc, ini->first_contact_local,
+- aclc->hdr.version, eid, NULL);
++ aclc->hdr.version, eid, ini);
+ if (rc)
+ goto connect_abort;
+ mutex_unlock(&smc_server_lgr_pending);
+@@ -1996,6 +2005,10 @@ static int smc_listen_v2_check(struct smc_sock *new_smc,
+ }
+ }
+
++ ini->release_nr = pclc_v2_ext->hdr.flag.release;
++ if (pclc_v2_ext->hdr.flag.release > SMC_RELEASE)
++ ini->release_nr = SMC_RELEASE;
++
+ out:
+ if (!ini->smcd_version && !ini->smcr_version)
+ return rc;
+@@ -2443,7 +2456,7 @@ static void smc_listen_work(struct work_struct *work)
+ /* send SMC Accept CLC message */
+ accept_version = ini->is_smcd ? ini->smcd_version : ini->smcr_version;
+ rc = smc_clc_send_accept(new_smc, ini->first_contact_local,
+- accept_version, ini->negotiated_eid);
++ accept_version, ini->negotiated_eid, ini);
+ if (rc)
+ goto out_unlock;
+
+diff --git a/net/smc/smc.h b/net/smc/smc.h
+index 1f2b912c43d10..24745fde4ac26 100644
+--- a/net/smc/smc.h
++++ b/net/smc/smc.h
+@@ -21,7 +21,10 @@
+
+ #define SMC_V1 1 /* SMC version V1 */
+ #define SMC_V2 2 /* SMC version V2 */
+-#define SMC_RELEASE 0
++
++#define SMC_RELEASE_0 0
++#define SMC_RELEASE_1 1
++#define SMC_RELEASE SMC_RELEASE_1 /* the latest release version */
+
+ #define SMCPROTO_SMC 0 /* SMC protocol, IPv4 */
+ #define SMCPROTO_SMC6 1 /* SMC protocol, IPv6 */
+diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
+index c90d9e5dda540..fb0be0817e8a5 100644
+--- a/net/smc/smc_clc.c
++++ b/net/smc/smc_clc.c
+@@ -420,11 +420,11 @@ smc_clc_msg_decl_valid(struct smc_clc_msg_decline *dclc)
+ return true;
+ }
+
+-static void smc_clc_fill_fce(struct smc_clc_first_contact_ext *fce, int *len)
++static void smc_clc_fill_fce(struct smc_clc_first_contact_ext *fce, int *len, int release_nr)
+ {
+ memset(fce, 0, sizeof(*fce));
+ fce->os_type = SMC_CLC_OS_LINUX;
+- fce->release = SMC_RELEASE;
++ fce->release = release_nr;
+ memcpy(fce->hostname, smc_hostname, sizeof(smc_hostname));
+ (*len) += sizeof(*fce);
+ }
+@@ -1019,7 +1019,7 @@ static int smc_clc_send_confirm_accept(struct smc_sock *smc,
+ memcpy(clc_v2->d1.eid, eid, SMC_MAX_EID_LEN);
+ len = SMCD_CLC_ACCEPT_CONFIRM_LEN_V2;
+ if (first_contact)
+- smc_clc_fill_fce(&fce, &len);
++ smc_clc_fill_fce(&fce, &len, ini->release_nr);
+ clc_v2->hdr.length = htons(len);
+ }
+ memcpy(trl.eyecatcher, SMCD_EYECATCHER,
+@@ -1063,10 +1063,10 @@ static int smc_clc_send_confirm_accept(struct smc_sock *smc,
+ memcpy(clc_v2->r1.eid, eid, SMC_MAX_EID_LEN);
+ len = SMCR_CLC_ACCEPT_CONFIRM_LEN_V2;
+ if (first_contact) {
+- smc_clc_fill_fce(&fce, &len);
++ smc_clc_fill_fce(&fce, &len, ini->release_nr);
+ fce.v2_direct = !link->lgr->uses_gateway;
+ memset(&gle, 0, sizeof(gle));
+- if (ini && clc->hdr.type == SMC_CLC_CONFIRM) {
++ if (clc->hdr.type == SMC_CLC_CONFIRM) {
+ gle.gid_cnt = ini->smcrv2.gidlist.len;
+ len += sizeof(gle);
+ len += gle.gid_cnt * sizeof(gle.gid[0]);
+@@ -1141,7 +1141,7 @@ int smc_clc_send_confirm(struct smc_sock *smc, bool clnt_first_contact,
+
+ /* send CLC ACCEPT message across internal TCP socket */
+ int smc_clc_send_accept(struct smc_sock *new_smc, bool srv_first_contact,
+- u8 version, u8 *negotiated_eid)
++ u8 version, u8 *negotiated_eid, struct smc_init_info *ini)
+ {
+ struct smc_clc_msg_accept_confirm_v2 aclc_v2;
+ int len;
+@@ -1149,7 +1149,7 @@ int smc_clc_send_accept(struct smc_sock *new_smc, bool srv_first_contact,
+ memset(&aclc_v2, 0, sizeof(aclc_v2));
+ aclc_v2.hdr.type = SMC_CLC_ACCEPT;
+ len = smc_clc_send_confirm_accept(new_smc, &aclc_v2, srv_first_contact,
+- version, negotiated_eid, NULL);
++ version, negotiated_eid, ini);
+ if (len < ntohs(aclc_v2.hdr.length))
+ len = len >= 0 ? -EPROTO : -new_smc->clcsock->sk->sk_err;
+
+diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h
+index 5fee545c9a109..b923e89acafb0 100644
+--- a/net/smc/smc_clc.h
++++ b/net/smc/smc_clc.h
+@@ -370,6 +370,27 @@ smc_get_clc_smcd_v2_ext(struct smc_clc_v2_extension *prop_v2ext)
+ ntohs(prop_v2ext->hdr.smcd_v2_ext_offset));
+ }
+
++static inline struct smc_clc_first_contact_ext *
++smc_get_clc_first_contact_ext(struct smc_clc_msg_accept_confirm_v2 *clc_v2,
++ bool is_smcd)
++{
++ int clc_v2_len;
++
++ if (clc_v2->hdr.version == SMC_V1 ||
++ !(clc_v2->hdr.typev2 & SMC_FIRST_CONTACT_MASK))
++ return NULL;
++
++ if (is_smcd)
++ clc_v2_len =
++ offsetofend(struct smc_clc_msg_accept_confirm_v2, d1);
++ else
++ clc_v2_len =
++ offsetofend(struct smc_clc_msg_accept_confirm_v2, r1);
++
++ return (struct smc_clc_first_contact_ext *)(((u8 *)clc_v2) +
++ clc_v2_len);
++}
++
+ struct smcd_dev;
+ struct smc_init_info;
+
+@@ -382,7 +403,7 @@ int smc_clc_send_proposal(struct smc_sock *smc, struct smc_init_info *ini);
+ int smc_clc_send_confirm(struct smc_sock *smc, bool clnt_first_contact,
+ u8 version, u8 *eid, struct smc_init_info *ini);
+ int smc_clc_send_accept(struct smc_sock *smc, bool srv_first_contact,
+- u8 version, u8 *negotiated_eid);
++ u8 version, u8 *negotiated_eid, struct smc_init_info *ini);
+ void smc_clc_init(void) __init;
+ void smc_clc_exit(void);
+ void smc_clc_get_hostname(u8 **host);
+diff --git a/net/smc/smc_core.h b/net/smc/smc_core.h
+index 1645fba0d2d38..5bbc16f851e05 100644
+--- a/net/smc/smc_core.h
++++ b/net/smc/smc_core.h
+@@ -374,6 +374,7 @@ struct smc_init_info {
+ u8 is_smcd;
+ u8 smc_type_v1;
+ u8 smc_type_v2;
++ u8 release_nr;
+ u8 first_contact_peer;
+ u8 first_contact_local;
+ unsigned short vlan_id;
+--
+2.40.1
+
--- /dev/null
+From 6a0b0a9ecf20c93587831891cd4b1f11447de56c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 21:20:29 +0800
+Subject: net/smc: support smc v2.x features validate
+
+From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+
+[ Upstream commit 6ac1e6563f5915cd38b6bc6a8b26964b2252f751 ]
+
+Support SMC v2.x features validate for SMC v2.1. This is the frame
+code for SMC v2.x features validate, and will take effects only when
+the negotiated release version is v2.1 or later.
+
+For Server, v2.x features' validation should be done in smc_clc_srv_
+v2x_features_validate when receiving v2.1 or later CLC Proposal Message,
+such as max conns, max links negotiation, the decision of the final
+value of max conns and max links should be made in this function.
+And final check for server when receiving v2.1 or later CLC Confirm
+Message should be done in smc_clc_v2x_features_confirm_check.
+
+For client, v2.x features' validation should be done in smc_clc_clnt_
+v2x_features_validate when receiving v2.1 or later CLC Accept Message,
+for example, the decision to accpt the accepted value or to decline
+should be made in this function.
+
+Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
+Reviewed-by: Jan Karcher <jaka@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: c68681ae46ea ("net/smc: fix smc clc failed issue when netdevice not in init_net")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 18 ++++++++++++++++++
+ net/smc/smc_clc.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
+ net/smc/smc_clc.h | 7 +++++++
+ 3 files changed, 71 insertions(+)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 077e5864fc441..fa7b8015cd7bb 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1199,6 +1199,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
+ (struct smc_clc_msg_accept_confirm_v2 *)aclc;
+ struct smc_clc_first_contact_ext *fce =
+ smc_get_clc_first_contact_ext(clc_v2, false);
++ int rc;
+
+ if (!ini->first_contact_peer || aclc->hdr.version == SMC_V1)
+ return 0;
+@@ -1219,6 +1220,9 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
+ }
+
+ ini->release_nr = fce->release;
++ rc = smc_clc_clnt_v2x_features_validate(fce, ini);
++ if (rc)
++ return rc;
+
+ return 0;
+ }
+@@ -1393,6 +1397,9 @@ static int smc_connect_ism(struct smc_sock *smc,
+ smc_get_clc_first_contact_ext(aclc_v2, true);
+
+ ini->release_nr = fce->release;
++ rc = smc_clc_clnt_v2x_features_validate(fce, ini);
++ if (rc)
++ return rc;
+ }
+
+ rc = smc_v2_determine_accepted_chid(aclc_v2, ini);
+@@ -2443,6 +2450,10 @@ static void smc_listen_work(struct work_struct *work)
+ if (rc)
+ goto out_decl;
+
++ rc = smc_clc_srv_v2x_features_validate(pclc, ini);
++ if (rc)
++ goto out_decl;
++
+ mutex_lock(&smc_server_lgr_pending);
+ smc_close_init(new_smc);
+ smc_rx_init(new_smc);
+@@ -2475,6 +2486,13 @@ static void smc_listen_work(struct work_struct *work)
+ goto out_decl;
+ }
+
++ rc = smc_clc_v2x_features_confirm_check(cclc, ini);
++ if (rc) {
++ if (!ini->is_smcd)
++ goto out_unlock;
++ goto out_decl;
++ }
++
+ /* finish worker */
+ if (!ini->is_smcd) {
+ rc = smc_listen_rdma_finish(new_smc, cclc,
+diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
+index fb0be0817e8a5..f50d1b019a80f 100644
+--- a/net/smc/smc_clc.c
++++ b/net/smc/smc_clc.c
+@@ -1156,6 +1156,52 @@ int smc_clc_send_accept(struct smc_sock *new_smc, bool srv_first_contact,
+ return len > 0 ? 0 : len;
+ }
+
++int smc_clc_srv_v2x_features_validate(struct smc_clc_msg_proposal *pclc,
++ struct smc_init_info *ini)
++{
++ struct smc_clc_v2_extension *pclc_v2_ext;
++
++ if ((!(ini->smcd_version & SMC_V2) && !(ini->smcr_version & SMC_V2)) ||
++ ini->release_nr < SMC_RELEASE_1)
++ return 0;
++
++ pclc_v2_ext = smc_get_clc_v2_ext(pclc);
++ if (!pclc_v2_ext)
++ return SMC_CLC_DECL_NOV2EXT;
++
++ return 0;
++}
++
++int smc_clc_clnt_v2x_features_validate(struct smc_clc_first_contact_ext *fce,
++ struct smc_init_info *ini)
++{
++ if (ini->release_nr < SMC_RELEASE_1)
++ return 0;
++
++ return 0;
++}
++
++int smc_clc_v2x_features_confirm_check(struct smc_clc_msg_accept_confirm *cclc,
++ struct smc_init_info *ini)
++{
++ struct smc_clc_msg_accept_confirm_v2 *clc_v2 =
++ (struct smc_clc_msg_accept_confirm_v2 *)cclc;
++ struct smc_clc_first_contact_ext *fce =
++ smc_get_clc_first_contact_ext(clc_v2, ini->is_smcd);
++
++ if (cclc->hdr.version == SMC_V1 ||
++ !(cclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK))
++ return 0;
++
++ if (ini->release_nr != fce->release)
++ return SMC_CLC_DECL_RELEASEERR;
++
++ if (fce->release < SMC_RELEASE_1)
++ return 0;
++
++ return 0;
++}
++
+ void smc_clc_get_hostname(u8 **host)
+ {
+ *host = &smc_hostname[0];
+diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h
+index b923e89acafb0..32fa56bfa06d5 100644
+--- a/net/smc/smc_clc.h
++++ b/net/smc/smc_clc.h
+@@ -45,6 +45,7 @@
+ #define SMC_CLC_DECL_NOSEID 0x03030006 /* peer sent no SEID */
+ #define SMC_CLC_DECL_NOSMCD2DEV 0x03030007 /* no SMC-Dv2 device found */
+ #define SMC_CLC_DECL_NOUEID 0x03030008 /* peer sent no UEID */
++#define SMC_CLC_DECL_RELEASEERR 0x03030009 /* release version negotiate failed */
+ #define SMC_CLC_DECL_MODEUNSUPP 0x03040000 /* smc modes do not match (R or D)*/
+ #define SMC_CLC_DECL_RMBE_EC 0x03050000 /* peer has eyecatcher in RMBE */
+ #define SMC_CLC_DECL_OPTUNSUPP 0x03060000 /* fastopen sockopt not supported */
+@@ -404,6 +405,12 @@ int smc_clc_send_confirm(struct smc_sock *smc, bool clnt_first_contact,
+ u8 version, u8 *eid, struct smc_init_info *ini);
+ int smc_clc_send_accept(struct smc_sock *smc, bool srv_first_contact,
+ u8 version, u8 *negotiated_eid, struct smc_init_info *ini);
++int smc_clc_srv_v2x_features_validate(struct smc_clc_msg_proposal *pclc,
++ struct smc_init_info *ini);
++int smc_clc_clnt_v2x_features_validate(struct smc_clc_first_contact_ext *fce,
++ struct smc_init_info *ini);
++int smc_clc_v2x_features_confirm_check(struct smc_clc_msg_accept_confirm *cclc,
++ struct smc_init_info *ini);
+ void smc_clc_init(void) __init;
+ void smc_clc_exit(void);
+ void smc_clc_get_hostname(u8 **host);
+--
+2.40.1
+
--- /dev/null
+From 3e438fc7e62173a7f73219f1e7a2a4012ea1d0d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jul 2023 11:55:29 -0700
+Subject: net: store netdevs in an xarray
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 759ab1edb56c88906830fd6b2e7b12514dd32758 ]
+
+Iterating over the netdev hash table for netlink dumps is hard.
+Dumps are done in "chunks" so we need to save the position
+after each chunk, so we know where to restart from. Because
+netdevs are stored in a hash table we remember which bucket
+we were in and how many devices we dumped.
+
+Since we don't hold any locks across the "chunks" - devices may
+come and go while we're dumping. If that happens we may miss
+a device (if device is deleted from the bucket we were in).
+We indicate to user space that this may have happened by setting
+NLM_F_DUMP_INTR. User space is supposed to dump again (I think)
+if it sees that. Somehow I doubt most user space gets this right..
+
+To illustrate let's look at an example:
+
+ System state:
+ start: # [A, B, C]
+ del: B # [A, C]
+
+with the hash table we may dump [A, B], missing C completely even
+tho it existed both before and after the "del B".
+
+Add an xarray and use it to allocate ifindexes. This way we
+can iterate ifindexes in order, without the worry that we'll
+skip one. We may still generate a dump of a state which "never
+existed", for example for a set of values and sequence of ops:
+
+ System state:
+ start: # [A, B]
+ add: C # [A, C, B]
+ del: B # [A, C]
+
+we may generate a dump of [A], if C got an index between A and B.
+System has never been in such state. But I'm 90% sure that's perfectly
+fine, important part is that we can't _miss_ devices which exist before
+and after. User space which wants to mirror kernel's state subscribes
+to notifications and does periodic dumps so it will know that C exists
+from the notification about its creation or from the next dump
+(next dump is _guaranteed_ to include C, if it doesn't get removed).
+
+To avoid any perf regressions keep the hash table for now. Most
+net namespaces have very few devices and microbenchmarking 1M lookups
+on Skylake I get the following results (not counting loopback
+to number of devs):
+
+ #devs | hash | xa | delta
+ 2 | 18.3 | 20.1 | + 9.8%
+ 16 | 18.3 | 20.1 | + 9.5%
+ 64 | 18.3 | 26.3 | +43.8%
+ 128 | 20.4 | 26.3 | +28.6%
+ 256 | 20.0 | 26.4 | +32.1%
+ 1024 | 26.6 | 26.7 | + 0.2%
+ 8192 |541.3 | 33.5 | -93.8%
+
+No surprises since the hash table has 256 entries.
+The microbenchmark scans indexes in order, if the pattern is more
+random xa starts to win at 512 devices already. But that's a lot
+of devices, in practice.
+
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/20230726185530.2247698-2-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 8e15aee62161 ("net: move altnames together with the netdevice")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/net_namespace.h | 4 +-
+ net/core/dev.c | 82 ++++++++++++++++++++++++-------------
+ 2 files changed, 57 insertions(+), 29 deletions(-)
+
+diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
+index 78beaa765c733..9f6add96de2d7 100644
+--- a/include/net/net_namespace.h
++++ b/include/net/net_namespace.h
+@@ -42,6 +42,7 @@
+ #include <linux/idr.h>
+ #include <linux/skbuff.h>
+ #include <linux/notifier.h>
++#include <linux/xarray.h>
+
+ struct user_namespace;
+ struct proc_dir_entry;
+@@ -69,7 +70,7 @@ struct net {
+ atomic_t dev_unreg_count;
+
+ unsigned int dev_base_seq; /* protected by rtnl_mutex */
+- int ifindex;
++ u32 ifindex;
+
+ spinlock_t nsid_lock;
+ atomic_t fnhe_genid;
+@@ -110,6 +111,7 @@ struct net {
+
+ struct hlist_head *dev_name_head;
+ struct hlist_head *dev_index_head;
++ struct xarray dev_by_index;
+ struct raw_notifier_head netdev_chain;
+
+ /* Note that @hash_mix can be read millions times per second,
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 45ec18d8b0f6b..a450234f68a54 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -389,6 +389,8 @@ static void list_netdevice(struct net_device *dev)
+ hlist_add_head_rcu(&dev->index_hlist,
+ dev_index_hash(net, dev->ifindex));
+ write_unlock(&dev_base_lock);
++ /* We reserved the ifindex, this can't fail */
++ WARN_ON(xa_store(&net->dev_by_index, dev->ifindex, dev, GFP_KERNEL));
+
+ dev_base_seq_inc(net);
+ }
+@@ -398,8 +400,12 @@ static void list_netdevice(struct net_device *dev)
+ */
+ static void unlist_netdevice(struct net_device *dev, bool lock)
+ {
++ struct net *net = dev_net(dev);
++
+ ASSERT_RTNL();
+
++ xa_erase(&net->dev_by_index, dev->ifindex);
++
+ /* Unlink dev from the device chain */
+ if (lock)
+ write_lock(&dev_base_lock);
+@@ -9529,23 +9535,35 @@ int dev_change_xdp_fd(struct net_device *dev, struct netlink_ext_ack *extack,
+ }
+
+ /**
+- * dev_new_index - allocate an ifindex
+- * @net: the applicable net namespace
++ * dev_index_reserve() - allocate an ifindex in a namespace
++ * @net: the applicable net namespace
++ * @ifindex: requested ifindex, pass %0 to get one allocated
++ *
++ * Allocate a ifindex for a new device. Caller must either use the ifindex
++ * to store the device (via list_netdevice()) or call dev_index_release()
++ * to give the index up.
+ *
+- * Returns a suitable unique value for a new device interface
+- * number. The caller must hold the rtnl semaphore or the
+- * dev_base_lock to be sure it remains unique.
++ * Return: a suitable unique value for a new device interface number or -errno.
+ */
+-static int dev_new_index(struct net *net)
++static int dev_index_reserve(struct net *net, u32 ifindex)
+ {
+- int ifindex = net->ifindex;
++ int err;
+
+- for (;;) {
+- if (++ifindex <= 0)
+- ifindex = 1;
+- if (!__dev_get_by_index(net, ifindex))
+- return net->ifindex = ifindex;
+- }
++ if (!ifindex)
++ err = xa_alloc_cyclic(&net->dev_by_index, &ifindex, NULL,
++ xa_limit_31b, &net->ifindex, GFP_KERNEL);
++ else
++ err = xa_insert(&net->dev_by_index, ifindex, NULL, GFP_KERNEL);
++ if (err < 0)
++ return err;
++
++ return ifindex;
++}
++
++static void dev_index_release(struct net *net, int ifindex)
++{
++ /* Expect only unused indexes, unlist_netdevice() removes the used */
++ WARN_ON(xa_erase(&net->dev_by_index, ifindex));
+ }
+
+ /* Delayed registration/unregisteration */
+@@ -10015,11 +10033,10 @@ int register_netdevice(struct net_device *dev)
+ goto err_uninit;
+ }
+
+- ret = -EBUSY;
+- if (!dev->ifindex)
+- dev->ifindex = dev_new_index(net);
+- else if (__dev_get_by_index(net, dev->ifindex))
++ ret = dev_index_reserve(net, dev->ifindex);
++ if (ret < 0)
+ goto err_uninit;
++ dev->ifindex = ret;
+
+ /* Transfer changeable features to wanted_features and enable
+ * software offloads (GSO and GRO).
+@@ -10066,7 +10083,7 @@ int register_netdevice(struct net_device *dev)
+ ret = call_netdevice_notifiers(NETDEV_POST_INIT, dev);
+ ret = notifier_to_errno(ret);
+ if (ret)
+- goto err_uninit;
++ goto err_ifindex_release;
+
+ ret = netdev_register_kobject(dev);
+ write_lock(&dev_base_lock);
+@@ -10122,6 +10139,8 @@ int register_netdevice(struct net_device *dev)
+
+ err_uninit_notify:
+ call_netdevice_notifiers(NETDEV_PRE_UNINIT, dev);
++err_ifindex_release:
++ dev_index_release(net, dev->ifindex);
+ err_uninit:
+ if (dev->netdev_ops->ndo_uninit)
+ dev->netdev_ops->ndo_uninit(dev);
+@@ -11009,9 +11028,19 @@ int __dev_change_net_namespace(struct net_device *dev, struct net *net,
+ goto out;
+
+ /* Check that new_ifindex isn't used yet. */
+- err = -EBUSY;
+- if (new_ifindex && __dev_get_by_index(net, new_ifindex))
+- goto out;
++ if (new_ifindex) {
++ err = dev_index_reserve(net, new_ifindex);
++ if (err < 0)
++ goto out;
++ } else {
++ /* If there is an ifindex conflict assign a new one */
++ err = dev_index_reserve(net, dev->ifindex);
++ if (err == -EBUSY)
++ err = dev_index_reserve(net, 0);
++ if (err < 0)
++ goto out;
++ new_ifindex = err;
++ }
+
+ /*
+ * And now a mini version of register_netdevice unregister_netdevice.
+@@ -11039,13 +11068,6 @@ int __dev_change_net_namespace(struct net_device *dev, struct net *net,
+ rcu_barrier();
+
+ new_nsid = peernet2id_alloc(dev_net(dev), net, GFP_KERNEL);
+- /* If there is an ifindex conflict assign a new one */
+- if (!new_ifindex) {
+- if (__dev_get_by_index(net, dev->ifindex))
+- new_ifindex = dev_new_index(net);
+- else
+- new_ifindex = dev->ifindex;
+- }
+
+ rtmsg_ifinfo_newnet(RTM_DELLINK, dev, ~0U, GFP_KERNEL, &new_nsid,
+ new_ifindex);
+@@ -11226,6 +11248,9 @@ static int __net_init netdev_init(struct net *net)
+ if (net->dev_index_head == NULL)
+ goto err_idx;
+
++ net->ifindex = 1;
++ xa_init_flags(&net->dev_by_index, XA_FLAGS_ALLOC);
++
+ RAW_INIT_NOTIFIER_HEAD(&net->netdev_chain);
+
+ return 0;
+@@ -11323,6 +11348,7 @@ static void __net_exit netdev_exit(struct net *net)
+ {
+ kfree(net->dev_name_head);
+ kfree(net->dev_index_head);
++ xa_destroy(&net->dev_by_index);
+ if (net != &init_net)
+ WARN_ON_ONCE(!list_empty(&net->dev_base_head));
+ }
+--
+2.40.1
+
--- /dev/null
+From c0578fe3ab6f4656528ea0923aec4e7d36a47c15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jul 2023 21:15:55 +0200
+Subject: net/tls: split tls_rx_reader_lock
+
+From: Hannes Reinecke <hare@suse.de>
+
+[ Upstream commit f9ae3204fb45d0749befc1cdff50f691c7461e5a ]
+
+Split tls_rx_reader_{lock,unlock} into an 'acquire/release' and
+the actual locking part.
+With that we can use the tls_rx_reader_lock in situations where
+the socket is already locked.
+
+Suggested-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/r/20230726191556.41714-6-hare@suse.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 419ce133ab92 ("tcp: allow again tcp_disconnect() when threads are waiting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 38 ++++++++++++++++++++++----------------
+ 1 file changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index e047abc600893..a83f474933033 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -1845,13 +1845,10 @@ tls_read_flush_backlog(struct sock *sk, struct tls_prot_info *prot,
+ return sk_flush_backlog(sk);
+ }
+
+-static int tls_rx_reader_lock(struct sock *sk, struct tls_sw_context_rx *ctx,
+- bool nonblock)
++static int tls_rx_reader_acquire(struct sock *sk, struct tls_sw_context_rx *ctx,
++ bool nonblock)
+ {
+ long timeo;
+- int err;
+-
+- lock_sock(sk);
+
+ timeo = sock_rcvtimeo(sk, nonblock);
+
+@@ -1865,26 +1862,30 @@ static int tls_rx_reader_lock(struct sock *sk, struct tls_sw_context_rx *ctx,
+ !READ_ONCE(ctx->reader_present), &wait);
+ remove_wait_queue(&ctx->wq, &wait);
+
+- if (timeo <= 0) {
+- err = -EAGAIN;
+- goto err_unlock;
+- }
+- if (signal_pending(current)) {
+- err = sock_intr_errno(timeo);
+- goto err_unlock;
+- }
++ if (timeo <= 0)
++ return -EAGAIN;
++ if (signal_pending(current))
++ return sock_intr_errno(timeo);
+ }
+
+ WRITE_ONCE(ctx->reader_present, 1);
+
+ return 0;
++}
+
+-err_unlock:
+- release_sock(sk);
++static int tls_rx_reader_lock(struct sock *sk, struct tls_sw_context_rx *ctx,
++ bool nonblock)
++{
++ int err;
++
++ lock_sock(sk);
++ err = tls_rx_reader_acquire(sk, ctx, nonblock);
++ if (err)
++ release_sock(sk);
+ return err;
+ }
+
+-static void tls_rx_reader_unlock(struct sock *sk, struct tls_sw_context_rx *ctx)
++static void tls_rx_reader_release(struct sock *sk, struct tls_sw_context_rx *ctx)
+ {
+ if (unlikely(ctx->reader_contended)) {
+ if (wq_has_sleeper(&ctx->wq))
+@@ -1896,6 +1897,11 @@ static void tls_rx_reader_unlock(struct sock *sk, struct tls_sw_context_rx *ctx)
+ }
+
+ WRITE_ONCE(ctx->reader_present, 0);
++}
++
++static void tls_rx_reader_unlock(struct sock *sk, struct tls_sw_context_rx *ctx)
++{
++ tls_rx_reader_release(sk, ctx);
+ release_sock(sk);
+ }
+
+--
+2.40.1
+
--- /dev/null
+From 5134a5b5531b39ff0a1cc717f8397b1f2ec35970 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Oct 2023 13:12:58 +0200
+Subject: netfilter: nf_tables: do not remove elements if set backend
+ implements .abort
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit ebd032fa881882fef2acb9da1bbde48d8233241d ]
+
+pipapo set backend maintains two copies of the datastructure, removing
+the elements from the copy that is going to be discarded slows down
+the abort path significantly, from several minutes to few seconds after
+this patch.
+
+Fixes: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index e43d9508e7a9c..0d48d2e27a1ad 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -10336,7 +10336,10 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
+ break;
+ }
+ te = (struct nft_trans_elem *)trans->data;
+- nft_setelem_remove(net, te->set, &te->elem);
++ if (!te->set->ops->abort ||
++ nft_setelem_is_catchall(te->set, &te->elem))
++ nft_setelem_remove(net, te->set, &te->elem);
++
+ if (!nft_setelem_is_catchall(te->set, &te->elem))
+ atomic_dec(&te->set->nelems);
+
+--
+2.40.1
+
--- /dev/null
+From 3538f84c2bad0acbf3bd5116110d8d96f8f78fe6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Oct 2023 13:18:39 +0200
+Subject: netfilter: nf_tables: revert do not remove elements if set backend
+ implements .abort
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit f86fb94011aeb3b26337fc22204ca726aeb8bc24 ]
+
+nf_tables_abort_release() path calls nft_set_elem_destroy() for
+NFT_MSG_NEWSETELEM which releases the element, however, a reference to
+the element still remains in the working copy.
+
+Fixes: ebd032fa8818 ("netfilter: nf_tables: do not remove elements if set backend implements .abort")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 0d48d2e27a1ad..e43d9508e7a9c 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -10336,10 +10336,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
+ break;
+ }
+ te = (struct nft_trans_elem *)trans->data;
+- if (!te->set->ops->abort ||
+- nft_setelem_is_catchall(te->set, &te->elem))
+- nft_setelem_remove(net, te->set, &te->elem);
+-
++ nft_setelem_remove(net, te->set, &te->elem);
+ if (!nft_setelem_is_catchall(te->set, &te->elem))
+ atomic_dec(&te->set->nelems);
+
+--
+2.40.1
+
--- /dev/null
+From c3a654796f04f8b227949ab242ee8e2640ea8abd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Sep 2023 09:17:28 -0400
+Subject: nfs: decrement nrequests counter before releasing the req
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit dd1b2026323a2d075ac553cecfd7a0c23c456c59 ]
+
+I hit this panic in testing:
+
+[ 6235.500016] run fstests generic/464 at 2023-09-18 22:51:24
+[ 6288.410761] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[ 6288.412174] #PF: supervisor read access in kernel mode
+[ 6288.413160] #PF: error_code(0x0000) - not-present page
+[ 6288.413992] PGD 0 P4D 0
+[ 6288.414603] Oops: 0000 [#1] PREEMPT SMP PTI
+[ 6288.415419] CPU: 0 PID: 340798 Comm: kworker/u18:8 Not tainted 6.6.0-rc1-gdcf620ceebac #95
+[ 6288.416538] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
+[ 6288.417701] Workqueue: nfsiod rpc_async_release [sunrpc]
+[ 6288.418676] RIP: 0010:nfs_inode_remove_request+0xc8/0x150 [nfs]
+[ 6288.419836] Code: ff ff 48 8b 43 38 48 8b 7b 10 a8 04 74 5b 48 85 ff 74 56 48 8b 07 a9 00 00 08 00 74 58 48 8b 07 f6 c4 10 74 50 e8 c8 44 b3 d5 <48> 8b 00 f0 48 ff 88 30 ff ff ff 5b 5d 41 5c c3 cc cc cc cc 48 8b
+[ 6288.422389] RSP: 0018:ffffbd618353bda8 EFLAGS: 00010246
+[ 6288.423234] RAX: 0000000000000000 RBX: ffff9a29f9a25280 RCX: 0000000000000000
+[ 6288.424351] RDX: ffff9a29f9a252b4 RSI: 000000000000000b RDI: ffffef41448e3840
+[ 6288.425345] RBP: ffffef41448e3840 R08: 0000000000000038 R09: ffffffffffffffff
+[ 6288.426334] R10: 0000000000033f80 R11: ffff9a2a7fffa000 R12: ffff9a29093f98c4
+[ 6288.427353] R13: 0000000000000000 R14: ffff9a29230f62e0 R15: ffff9a29230f62d0
+[ 6288.428358] FS: 0000000000000000(0000) GS:ffff9a2a77c00000(0000) knlGS:0000000000000000
+[ 6288.429513] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 6288.430427] CR2: 0000000000000000 CR3: 0000000264748002 CR4: 0000000000770ef0
+[ 6288.431553] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 6288.432715] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 6288.433698] PKRU: 55555554
+[ 6288.434196] Call Trace:
+[ 6288.434667] <TASK>
+[ 6288.435132] ? __die+0x1f/0x70
+[ 6288.435723] ? page_fault_oops+0x159/0x450
+[ 6288.436389] ? try_to_wake_up+0x98/0x5d0
+[ 6288.437044] ? do_user_addr_fault+0x65/0x660
+[ 6288.437728] ? exc_page_fault+0x7a/0x180
+[ 6288.438368] ? asm_exc_page_fault+0x22/0x30
+[ 6288.439137] ? nfs_inode_remove_request+0xc8/0x150 [nfs]
+[ 6288.440112] ? nfs_inode_remove_request+0xa0/0x150 [nfs]
+[ 6288.440924] nfs_commit_release_pages+0x16e/0x340 [nfs]
+[ 6288.441700] ? __pfx_call_transmit+0x10/0x10 [sunrpc]
+[ 6288.442475] ? _raw_spin_lock_irqsave+0x23/0x50
+[ 6288.443161] nfs_commit_release+0x15/0x40 [nfs]
+[ 6288.443926] rpc_free_task+0x36/0x60 [sunrpc]
+[ 6288.444741] rpc_async_release+0x29/0x40 [sunrpc]
+[ 6288.445509] process_one_work+0x171/0x340
+[ 6288.446135] worker_thread+0x277/0x3a0
+[ 6288.446724] ? __pfx_worker_thread+0x10/0x10
+[ 6288.447376] kthread+0xf0/0x120
+[ 6288.447903] ? __pfx_kthread+0x10/0x10
+[ 6288.448500] ret_from_fork+0x2d/0x50
+[ 6288.449078] ? __pfx_kthread+0x10/0x10
+[ 6288.449665] ret_from_fork_asm+0x1b/0x30
+[ 6288.450283] </TASK>
+[ 6288.450688] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc nls_iso8859_1 nls_cp437 vfat fat 9p netfs ext4 kvm_intel crc16 mbcache jbd2 joydev kvm xfs irqbypass virtio_net pcspkr net_failover psmouse failover 9pnet_virtio cirrus drm_shmem_helper virtio_balloon drm_kms_helper button evdev drm loop dm_mod zram zsmalloc crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha512_ssse3 sha512_generic virtio_blk nvme aesni_intel crypto_simd cryptd nvme_core t10_pi i6300esb crc64_rocksoft_generic crc64_rocksoft crc64 virtio_pci virtio virtio_pci_legacy_dev virtio_pci_modern_dev virtio_ring serio_raw btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq autofs4
+[ 6288.460211] CR2: 0000000000000000
+[ 6288.460787] ---[ end trace 0000000000000000 ]---
+[ 6288.461571] RIP: 0010:nfs_inode_remove_request+0xc8/0x150 [nfs]
+[ 6288.462500] Code: ff ff 48 8b 43 38 48 8b 7b 10 a8 04 74 5b 48 85 ff 74 56 48 8b 07 a9 00 00 08 00 74 58 48 8b 07 f6 c4 10 74 50 e8 c8 44 b3 d5 <48> 8b 00 f0 48 ff 88 30 ff ff ff 5b 5d 41 5c c3 cc cc cc cc 48 8b
+[ 6288.465136] RSP: 0018:ffffbd618353bda8 EFLAGS: 00010246
+[ 6288.465963] RAX: 0000000000000000 RBX: ffff9a29f9a25280 RCX: 0000000000000000
+[ 6288.467035] RDX: ffff9a29f9a252b4 RSI: 000000000000000b RDI: ffffef41448e3840
+[ 6288.468093] RBP: ffffef41448e3840 R08: 0000000000000038 R09: ffffffffffffffff
+[ 6288.469121] R10: 0000000000033f80 R11: ffff9a2a7fffa000 R12: ffff9a29093f98c4
+[ 6288.470109] R13: 0000000000000000 R14: ffff9a29230f62e0 R15: ffff9a29230f62d0
+[ 6288.471106] FS: 0000000000000000(0000) GS:ffff9a2a77c00000(0000) knlGS:0000000000000000
+[ 6288.472216] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 6288.473059] CR2: 0000000000000000 CR3: 0000000264748002 CR4: 0000000000770ef0
+[ 6288.474096] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 6288.475097] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 6288.476148] PKRU: 55555554
+[ 6288.476665] note: kworker/u18:8[340798] exited with irqs disabled
+
+Once we've released "req", it's not safe to dereference it anymore.
+Decrement the nrequests counter before dropping the reference.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Tested-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/write.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/write.c b/fs/nfs/write.c
+index 8c1ee1a1a28f1..7720b5e43014b 100644
+--- a/fs/nfs/write.c
++++ b/fs/nfs/write.c
+@@ -802,8 +802,8 @@ static void nfs_inode_remove_request(struct nfs_page *req)
+ }
+
+ if (test_and_clear_bit(PG_INODE_REF, &req->wb_flags)) {
+- nfs_release_request(req);
+ atomic_long_dec(&NFS_I(nfs_page_to_inode(req))->nrequests);
++ nfs_release_request(req);
+ }
+ }
+
+--
+2.40.1
+
--- /dev/null
+From 1eb264b5616a1cdaff309ce21e91addbccd2f6ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 09:33:12 -0400
+Subject: overlayfs: set ctime when setting mtime and atime
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 03dbab3bba5f009d053635c729d1244f2c8bad38 ]
+
+Nathan reported that he was seeing the new warning in
+setattr_copy_mgtime pop when starting podman containers. Overlayfs is
+trying to set the atime and mtime via notify_change without also
+setting the ctime.
+
+POSIX states that when the atime and mtime are updated via utimes() that
+we must also update the ctime to the current time. The situation with
+overlayfs copy-up is analogies, so add ATTR_CTIME to the bitmask.
+notify_change will fill in the value.
+
+Reported-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Tested-by: Nathan Chancellor <nathan@kernel.org>
+Acked-by: Christian Brauner <brauner@kernel.org>
+Acked-by: Amir Goldstein <amir73il@gmail.com>
+Message-Id: <20230913-ctime-v1-1-c6bc509cbc27@kernel.org>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/overlayfs/copy_up.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
+index 986d37a4c2750..ab32c6b28d400 100644
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -337,7 +337,7 @@ static int ovl_set_timestamps(struct ovl_fs *ofs, struct dentry *upperdentry,
+ {
+ struct iattr attr = {
+ .ia_valid =
+- ATTR_ATIME | ATTR_MTIME | ATTR_ATIME_SET | ATTR_MTIME_SET,
++ ATTR_ATIME | ATTR_MTIME | ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_CTIME,
+ .ia_atime = stat->atime,
+ .ia_mtime = stat->mtime,
+ };
+--
+2.40.1
+
--- /dev/null
+From 88479bb9290af2dc9092ca5091fc6e9338f66a0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Sep 2023 18:46:32 +0200
+Subject: platform/x86: touchscreen_dmi: Add info for the BUSH Bush Windows
+ tablet
+
+From: Tomasz Swiatek <swiatektomasz99@gmail.com>
+
+[ Upstream commit 34c271e778c1d8589ee9c833eee5ecb6fbb03149 ]
+
+Add touchscreen info for the BUSH Bush Windows tablet.
+
+It was tested using gslx680_ts_acpi module and on patched kernel
+installed on device.
+
+Link: https://github.com/onitake/gsl-firmware/pull/215
+Link: https://github.com/systemd/systemd/pull/29268
+Signed-off-by: Tomasz Swiatek <swiatektomasz99@gmail.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/touchscreen_dmi.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/drivers/platform/x86/touchscreen_dmi.c b/drivers/platform/x86/touchscreen_dmi.c
+index f9301a9382e74..363a9848e2b88 100644
+--- a/drivers/platform/x86/touchscreen_dmi.c
++++ b/drivers/platform/x86/touchscreen_dmi.c
+@@ -42,6 +42,21 @@ static const struct ts_dmi_data archos_101_cesium_educ_data = {
+ .properties = archos_101_cesium_educ_props,
+ };
+
++static const struct property_entry bush_bush_windows_tablet_props[] = {
++ PROPERTY_ENTRY_U32("touchscreen-size-x", 1850),
++ PROPERTY_ENTRY_U32("touchscreen-size-y", 1280),
++ PROPERTY_ENTRY_BOOL("touchscreen-swapped-x-y"),
++ PROPERTY_ENTRY_U32("silead,max-fingers", 10),
++ PROPERTY_ENTRY_BOOL("silead,home-button"),
++ PROPERTY_ENTRY_STRING("firmware-name", "gsl1680-bush-bush-windows-tablet.fw"),
++ { }
++};
++
++static const struct ts_dmi_data bush_bush_windows_tablet_data = {
++ .acpi_name = "MSSL1680:00",
++ .properties = bush_bush_windows_tablet_props,
++};
++
+ static const struct property_entry chuwi_hi8_props[] = {
+ PROPERTY_ENTRY_U32("touchscreen-size-x", 1665),
+ PROPERTY_ENTRY_U32("touchscreen-size-y", 1140),
+@@ -1070,6 +1085,13 @@ const struct dmi_system_id touchscreen_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "ARCHOS 101 Cesium Educ"),
+ },
+ },
++ {
++ /* Bush Windows tablet */
++ .driver_data = (void *)&bush_bush_windows_tablet_data,
++ .matches = {
++ DMI_MATCH(DMI_PRODUCT_NAME, "Bush Windows tablet"),
++ },
++ },
+ {
+ /* Chuwi Hi8 */
+ .driver_data = (void *)&chuwi_hi8_data,
+--
+2.40.1
+
--- /dev/null
+From 69800a37a42f898fdc5c80d9a2ad6e9739fb5e19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Oct 2023 19:59:00 -0400
+Subject: platform/x86: touchscreen_dmi: Add info for the Positivo C4128B
+
+From: Renan Guilherme Lebre Ramos <japareaggae@gmail.com>
+
+[ Upstream commit aa7dcba3bae6869122828b144a3cfd231718089d ]
+
+Add information for the Positivo C4128B, a notebook/tablet convertible.
+
+Link: https://github.com/onitake/gsl-firmware/pull/217
+Signed-off-by: Renan Guilherme Lebre Ramos <japareaggae@gmail.com>
+Link: https://lore.kernel.org/r/20231004235900.426240-1-japareaggae@gmail.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/touchscreen_dmi.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/drivers/platform/x86/touchscreen_dmi.c b/drivers/platform/x86/touchscreen_dmi.c
+index 363a9848e2b88..0c67337726984 100644
+--- a/drivers/platform/x86/touchscreen_dmi.c
++++ b/drivers/platform/x86/touchscreen_dmi.c
+@@ -771,6 +771,21 @@ static const struct ts_dmi_data pipo_w11_data = {
+ .properties = pipo_w11_props,
+ };
+
++static const struct property_entry positivo_c4128b_props[] = {
++ PROPERTY_ENTRY_U32("touchscreen-min-x", 4),
++ PROPERTY_ENTRY_U32("touchscreen-min-y", 13),
++ PROPERTY_ENTRY_U32("touchscreen-size-x", 1915),
++ PROPERTY_ENTRY_U32("touchscreen-size-y", 1269),
++ PROPERTY_ENTRY_STRING("firmware-name", "gsl1680-positivo-c4128b.fw"),
++ PROPERTY_ENTRY_U32("silead,max-fingers", 10),
++ { }
++};
++
++static const struct ts_dmi_data positivo_c4128b_data = {
++ .acpi_name = "MSSL1680:00",
++ .properties = positivo_c4128b_props,
++};
++
+ static const struct property_entry pov_mobii_wintab_p800w_v20_props[] = {
+ PROPERTY_ENTRY_U32("touchscreen-min-x", 32),
+ PROPERTY_ENTRY_U32("touchscreen-min-y", 16),
+@@ -1502,6 +1517,14 @@ const struct dmi_system_id touchscreen_dmi_table[] = {
+ DMI_MATCH(DMI_BIOS_VERSION, "MOMO.G.WI71C.MABMRBA02"),
+ },
+ },
++ {
++ /* Positivo C4128B */
++ .driver_data = (void *)&positivo_c4128b_data,
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Positivo Tecnologia SA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "C4128B-1"),
++ },
++ },
+ {
+ /* Point of View mobii wintab p800w (v2.0) */
+ .driver_data = (void *)&pov_mobii_wintab_p800w_v20_data,
+--
+2.40.1
+
--- /dev/null
+From 7f49a77116344f24e5597542928436b6fa10c0b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Aug 2023 09:37:43 -0400
+Subject: pwr-mlxbf: extend Kconfig to include gpio-mlxbf3 dependency
+
+From: David Thompson <davthompson@nvidia.com>
+
+[ Upstream commit 82f07f1acf417b81e793145c167dd5e156024de4 ]
+
+The BlueField power handling driver (pwr-mlxbf.c) provides
+functionality for both BlueField-2 and BlueField-3 based
+platforms. This driver also depends on the SoC-specific
+BlueField GPIO driver, whether gpio-mlxbf2 or gpio-mlxbf3.
+This patch extends the Kconfig definition to include the
+dependency on the gpio-mlxbf3 driver, if applicable.
+
+Signed-off-by: David Thompson <davthompson@nvidia.com>
+Reviewed-by: Asmaa Mnebhi <asmaa@nvidia.com>
+Link: https://lore.kernel.org/r/20230823133743.31275-1-davthompson@nvidia.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/reset/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/reset/Kconfig b/drivers/power/reset/Kconfig
+index fff07b2bd77b9..62f592e617339 100644
+--- a/drivers/power/reset/Kconfig
++++ b/drivers/power/reset/Kconfig
+@@ -307,7 +307,7 @@ config NVMEM_REBOOT_MODE
+
+ config POWER_MLXBF
+ tristate "Mellanox BlueField power handling driver"
+- depends on (GPIO_MLXBF2 && ACPI)
++ depends on (GPIO_MLXBF2 || GPIO_MLXBF3) && ACPI
+ help
+ This driver supports reset or low power mode handling for Mellanox BlueField.
+
+--
+2.40.1
+
--- /dev/null
+From 80b46e09c202e7438bbe28a47f581378c7b01d87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Sep 2023 00:50:27 +0200
+Subject: regulator/core: Revert "fix kobject release warning and memory leak
+ in regulator_register()"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+
+[ Upstream commit 6e800968f6a715c0661716d2ec5e1f56ed9f9c08 ]
+
+This reverts commit 5f4b204b6b8153923d5be8002c5f7082985d153f.
+
+Since rdev->dev now has a release() callback, the proper way of freeing
+the initialized device can be restored.
+
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Link: https://lore.kernel.org/r/d7f469f3f7b1f0e1d52f9a7ede3f3c5703382090.1695077303.git.mirq-linux@rere.qmqm.pl
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index 2820badc7a126..3137e40fcd3e0 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -5724,15 +5724,11 @@ regulator_register(struct device *dev,
+ mutex_lock(®ulator_list_mutex);
+ regulator_ena_gpio_free(rdev);
+ mutex_unlock(®ulator_list_mutex);
+- put_device(&rdev->dev);
+- rdev = NULL;
+ clean:
+ if (dangling_of_gpiod)
+ gpiod_put(config->ena_gpiod);
+- if (rdev && rdev->dev.of_node)
+- of_node_put(rdev->dev.of_node);
+- kfree(rdev);
+ kfree(config);
++ put_device(&rdev->dev);
+ rinse:
+ if (dangling_cfg_gpiod)
+ gpiod_put(cfg->ena_gpiod);
+--
+2.40.1
+
--- /dev/null
+From e7e9be2f877114220b79f912d7c34e7dd1b29783 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Sep 2023 15:45:17 +0200
+Subject: rfkill: sync before userspace visibility/changes
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 2c3dfba4cf84ac4f306cc6653b37b6dd6859ae9d ]
+
+If userspace quickly opens /dev/rfkill after a new
+instance was created, it might see the old state of
+the instance from before the sync work runs and may
+even _change_ the state, only to have the sync work
+change it again.
+
+Fix this by doing the sync inline where needed, not
+just for /dev/rfkill but also for sysfs.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rfkill/core.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/net/rfkill/core.c b/net/rfkill/core.c
+index 01fca7a10b4bb..08630896b6c88 100644
+--- a/net/rfkill/core.c
++++ b/net/rfkill/core.c
+@@ -48,6 +48,7 @@ struct rfkill {
+ bool persistent;
+ bool polling_paused;
+ bool suspended;
++ bool need_sync;
+
+ const struct rfkill_ops *ops;
+ void *data;
+@@ -368,6 +369,17 @@ static void rfkill_set_block(struct rfkill *rfkill, bool blocked)
+ rfkill_event(rfkill);
+ }
+
++static void rfkill_sync(struct rfkill *rfkill)
++{
++ lockdep_assert_held(&rfkill_global_mutex);
++
++ if (!rfkill->need_sync)
++ return;
++
++ rfkill_set_block(rfkill, rfkill_global_states[rfkill->type].cur);
++ rfkill->need_sync = false;
++}
++
+ static void rfkill_update_global_state(enum rfkill_type type, bool blocked)
+ {
+ int i;
+@@ -730,6 +742,10 @@ static ssize_t soft_show(struct device *dev, struct device_attribute *attr,
+ {
+ struct rfkill *rfkill = to_rfkill(dev);
+
++ mutex_lock(&rfkill_global_mutex);
++ rfkill_sync(rfkill);
++ mutex_unlock(&rfkill_global_mutex);
++
+ return sysfs_emit(buf, "%d\n", (rfkill->state & RFKILL_BLOCK_SW) ? 1 : 0);
+ }
+
+@@ -751,6 +767,7 @@ static ssize_t soft_store(struct device *dev, struct device_attribute *attr,
+ return -EINVAL;
+
+ mutex_lock(&rfkill_global_mutex);
++ rfkill_sync(rfkill);
+ rfkill_set_block(rfkill, state);
+ mutex_unlock(&rfkill_global_mutex);
+
+@@ -783,6 +800,10 @@ static ssize_t state_show(struct device *dev, struct device_attribute *attr,
+ {
+ struct rfkill *rfkill = to_rfkill(dev);
+
++ mutex_lock(&rfkill_global_mutex);
++ rfkill_sync(rfkill);
++ mutex_unlock(&rfkill_global_mutex);
++
+ return sysfs_emit(buf, "%d\n", user_state_from_blocked(rfkill->state));
+ }
+
+@@ -805,6 +826,7 @@ static ssize_t state_store(struct device *dev, struct device_attribute *attr,
+ return -EINVAL;
+
+ mutex_lock(&rfkill_global_mutex);
++ rfkill_sync(rfkill);
+ rfkill_set_block(rfkill, state == RFKILL_USER_STATE_SOFT_BLOCKED);
+ mutex_unlock(&rfkill_global_mutex);
+
+@@ -1032,14 +1054,10 @@ static void rfkill_uevent_work(struct work_struct *work)
+
+ static void rfkill_sync_work(struct work_struct *work)
+ {
+- struct rfkill *rfkill;
+- bool cur;
+-
+- rfkill = container_of(work, struct rfkill, sync_work);
++ struct rfkill *rfkill = container_of(work, struct rfkill, sync_work);
+
+ mutex_lock(&rfkill_global_mutex);
+- cur = rfkill_global_states[rfkill->type].cur;
+- rfkill_set_block(rfkill, cur);
++ rfkill_sync(rfkill);
+ mutex_unlock(&rfkill_global_mutex);
+ }
+
+@@ -1087,6 +1105,7 @@ int __must_check rfkill_register(struct rfkill *rfkill)
+ round_jiffies_relative(POLL_INTERVAL));
+
+ if (!rfkill->persistent || rfkill_epo_lock_active) {
++ rfkill->need_sync = true;
+ schedule_work(&rfkill->sync_work);
+ } else {
+ #ifdef CONFIG_RFKILL_INPUT
+@@ -1171,6 +1190,7 @@ static int rfkill_fop_open(struct inode *inode, struct file *file)
+ ev = kzalloc(sizeof(*ev), GFP_KERNEL);
+ if (!ev)
+ goto free;
++ rfkill_sync(rfkill);
+ rfkill_fill_event(&ev->ev, rfkill, RFKILL_OP_ADD);
+ list_add_tail(&ev->list, &data->events);
+ }
+--
+2.40.1
+
net-avoid-uaf-on-deleted-altname.patch
net-fix-ifname-in-netlink-ntf-during-netns-move.patch
net-check-for-altname-conflicts-when-changing-netdev-s-netns.patch
+iio-light-vcnl4000-don-t-power-on-off-chip-in-config.patch
+pwr-mlxbf-extend-kconfig-to-include-gpio-mlxbf3-depe.patch
+arm-dts-ti-omap-fix-noisy-serial-with-overrun-thrott.patch
+arm64-dts-mediatek-fix-mediatek-merge-mute-and-media.patch
+fs-writeback-do-not-requeue-a-clean-inode-having-ski.patch
+btrfs-fix-race-when-refilling-delayed-refs-block-res.patch
+btrfs-prevent-transaction-block-reserve-underflow-wh.patch
+btrfs-return-euclean-for-delayed-tree-ref-with-a-ref.patch
+btrfs-initialize-start_slot-in-btrfs_log_prealloc_ex.patch
+i2c-mux-avoid-potential-false-error-message-in-i2c_m.patch
+overlayfs-set-ctime-when-setting-mtime-and-atime.patch
+accel-ivpu-don-t-flood-dmesg-with-vpu-ready-message.patch
+gpio-timberdale-fix-potential-deadlock-on-tgpio-lock.patch
+ata-libata-core-fix-compilation-warning-in-ata_dev_c.patch
+ata-libata-eh-fix-compilation-warning-in-ata_eh_link.patch
+tracing-relax-trace_event_eval_update-execution-with.patch
+wifi-mwifiex-sanity-check-tlv_len-and-tlv_bitmap_len.patch
+wifi-cfg80211-validate-ap-phy-operation-before-start.patch
+wifi-iwlwifi-ensure-ack-flag-is-properly-cleared.patch
+rfkill-sync-before-userspace-visibility-changes.patch
+hid-logitech-hidpp-add-bluetooth-id-for-the-logitech.patch
+hid-holtek-fix-slab-out-of-bounds-write-in-holtek_kb.patch
+bluetooth-btusb-add-shutdown-function-for-qca6174.patch
+bluetooth-avoid-redundant-authentication.patch
+bluetooth-hci_core-fix-build-warnings.patch
+wifi-cfg80211-fix-6ghz-scan-configuration.patch
+wifi-mac80211-work-around-cisco-ap-9115-vht-mpdu-len.patch
+wifi-mac80211-allow-transmitting-eapol-frames-with-t.patch
+wifi-cfg80211-avoid-leaking-stack-data-into-trace.patch
+regulator-core-revert-fix-kobject-release-warning-an.patch
+sunrpc-fail-quickly-when-server-does-not-recognize-t.patch
+sunrpc-tls-lock-the-lower_xprt-during-the-tls-handsh.patch
+nfs-decrement-nrequests-counter-before-releasing-the.patch
+sky2-make-sure-there-is-at-least-one-frag_addr-avail.patch
+ipv4-fib-send-notify-when-delete-source-address-rout.patch
+drm-panel-orientation-quirks-add-quirk-for-one-mix-2.patch
+btrfs-fix-some-wmaybe-uninitialized-warnings-in-ioct.patch
+btrfs-error-out-when-cowing-block-using-a-stale-tran.patch
+btrfs-error-when-cowing-block-from-a-root-that-is-be.patch
+btrfs-error-out-when-reallocating-block-for-defrag-u.patch
+platform-x86-touchscreen_dmi-add-info-for-the-bush-b.patch
+drm-amd-pm-add-unique_id-for-gc-11.0.3.patch
+hid-multitouch-add-required-quirk-for-synaptics-0xcd.patch
+hid-nintendo-reinitialize-usb-pro-controller-after-r.patch
+hid-add-quirk-to-ignore-the-touchscreen-battery-on-h.patch
+platform-x86-touchscreen_dmi-add-info-for-the-positi.patch
+cpufreq-schedutil-update-next_freq-when-cpufreq_limi.patch
+io-wq-fully-initialize-wqe-before-calling-cpuhp_stat.patch
+bluetooth-hci_sync-fix-not-handling-iso_link-in-hci_.patch
+bluetooth-hci_sync-introduce-ptr_uint-uint_ptr-macro.patch
+bluetooth-iso-fix-invalid-context-error.patch
+bluetooth-hci_sync-delete-cis-in-bt_open-connect-bou.patch
+bluetooth-hci_sync-always-check-if-connection-is-ali.patch
+netfilter-nf_tables-do-not-remove-elements-if-set-ba.patch
+net-mlx5-e-switch-register-event-handler-before-armi.patch
+net-mlx5-handle-fw-tracer-change-ownership-event-bas.patch
+net-mlx5e-rx-fix-page_pool-allocation-failure-recove.patch
+net-mlx5e-rx-fix-page_pool-allocation-failure-recove.patch-32687
+net-mlx5e-xdp-fix-xdp_redirect-mpwqe-page-fragment-l.patch
+net-mlx5e-take-rtnl-lock-before-triggering-netdev-no.patch
+net-mlx5e-don-t-offload-internal-port-if-filter-devi.patch
+net-mlx5e-fix-vf-representors-reporting-zero-counter.patch
+net-tls-split-tls_rx_reader_lock.patch
+tcp-allow-again-tcp_disconnect-when-threads-are-wait.patch
+net-smc-support-smc-release-version-negotiation-in-c.patch
+net-smc-support-smc-v2.x-features-validate.patch
+net-smc-fix-smc-clc-failed-issue-when-netdevice-not-.patch
+bluetooth-hci_event-fix-using-memcmp-when-comparing-.patch
+netfilter-nf_tables-revert-do-not-remove-elements-if.patch
+tcp_bpf-properly-release-resources-on-error-paths.patch
+net-store-netdevs-in-an-xarray.patch
+net-move-altnames-together-with-the-netdevice.patch
--- /dev/null
+From 7ae14a798864f2ba60966526852451a98f0ab319 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Sep 2023 09:50:39 -0700
+Subject: sky2: Make sure there is at least one frag_addr available
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 6a70e5cbedaf8ad10528ac9ac114f3ec20f422df ]
+
+In the pathological case of building sky2 with 16k PAGE_SIZE, the
+frag_addr[] array would never be used, so the original code was correct
+that size should be 0. But the compiler now gets upset with 0 size arrays
+in places where it hasn't eliminated the code that might access such an
+array (it can't figure out that in this case an rx skb with fragments
+would never be created). To keep the compiler happy, make sure there is
+at least 1 frag_addr in struct rx_ring_info:
+
+ In file included from include/linux/skbuff.h:28,
+ from include/net/net_namespace.h:43,
+ from include/linux/netdevice.h:38,
+ from drivers/net/ethernet/marvell/sky2.c:18:
+ drivers/net/ethernet/marvell/sky2.c: In function 'sky2_rx_unmap_skb':
+ include/linux/dma-mapping.h:416:36: warning: array subscript i is outside array bounds of 'dma_addr_t[0]' {aka 'long long unsigned int[]'} [-Warray-bounds=]
+ 416 | #define dma_unmap_page(d, a, s, r) dma_unmap_page_attrs(d, a, s, r, 0)
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ drivers/net/ethernet/marvell/sky2.c:1257:17: note: in expansion of macro 'dma_unmap_page'
+ 1257 | dma_unmap_page(&pdev->dev, re->frag_addr[i],
+ | ^~~~~~~~~~~~~~
+ In file included from drivers/net/ethernet/marvell/sky2.c:41:
+ drivers/net/ethernet/marvell/sky2.h:2198:25: note: while referencing 'frag_addr'
+ 2198 | dma_addr_t frag_addr[ETH_JUMBO_MTU >> PAGE_SHIFT];
+ | ^~~~~~~~~
+
+With CONFIG_PAGE_SIZE_16KB=y, PAGE_SHIFT == 14, so:
+
+ #define ETH_JUMBO_MTU 9000
+
+causes "ETH_JUMBO_MTU >> PAGE_SHIFT" to be 0. Use "?: 1" to solve this build warning.
+
+Cc: Mirko Lindner <mlindner@marvell.com>
+Cc: Stephen Hemminger <stephen@networkplumber.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: netdev@vger.kernel.org
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202309191958.UBw1cjXk-lkp@intel.com/
+Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/sky2.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/sky2.h b/drivers/net/ethernet/marvell/sky2.h
+index ddec1627f1a7b..8d0bacf4e49cc 100644
+--- a/drivers/net/ethernet/marvell/sky2.h
++++ b/drivers/net/ethernet/marvell/sky2.h
+@@ -2195,7 +2195,7 @@ struct rx_ring_info {
+ struct sk_buff *skb;
+ dma_addr_t data_addr;
+ DEFINE_DMA_UNMAP_LEN(data_size);
+- dma_addr_t frag_addr[ETH_JUMBO_MTU >> PAGE_SHIFT];
++ dma_addr_t frag_addr[ETH_JUMBO_MTU >> PAGE_SHIFT ?: 1];
+ };
+
+ enum flow_control {
+--
+2.40.1
+
--- /dev/null
+From e18117f24271eb5a06d938c44d09accb8f1fbb61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Sep 2023 16:05:26 -0400
+Subject: SUNRPC: Fail quickly when server does not recognize TLS
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 5623ecfcbec165f040a23248d39680f0cc5c0854 ]
+
+rpcauth_checkverf() should return a distinct error code when a
+server recognizes the AUTH_TLS probe but does not support TLS so
+that the client's header decoder can respond appropriately and
+quickly. No retries are necessary is in this case, since the server
+has already affirmatively answered "TLS is unsupported".
+
+Suggested-by: Trond Myklebust <trondmy@hammerspace.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/auth.c | 11 ++++++++---
+ net/sunrpc/auth_tls.c | 4 ++--
+ net/sunrpc/clnt.c | 10 +++++++++-
+ 3 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/net/sunrpc/auth.c b/net/sunrpc/auth.c
+index 2f16f9d179662..814b0169f9723 100644
+--- a/net/sunrpc/auth.c
++++ b/net/sunrpc/auth.c
+@@ -769,9 +769,14 @@ int rpcauth_wrap_req(struct rpc_task *task, struct xdr_stream *xdr)
+ * @task: controlling RPC task
+ * @xdr: xdr_stream containing RPC Reply header
+ *
+- * On success, @xdr is updated to point past the verifier and
+- * zero is returned. Otherwise, @xdr is in an undefined state
+- * and a negative errno is returned.
++ * Return values:
++ * %0: Verifier is valid. @xdr now points past the verifier.
++ * %-EIO: Verifier is corrupted or message ended early.
++ * %-EACCES: Verifier is intact but not valid.
++ * %-EPROTONOSUPPORT: Server does not support the requested auth type.
++ *
++ * When a negative errno is returned, @xdr is left in an undefined
++ * state.
+ */
+ int
+ rpcauth_checkverf(struct rpc_task *task, struct xdr_stream *xdr)
+diff --git a/net/sunrpc/auth_tls.c b/net/sunrpc/auth_tls.c
+index de7678f8a23d2..87f570fd3b00e 100644
+--- a/net/sunrpc/auth_tls.c
++++ b/net/sunrpc/auth_tls.c
+@@ -129,9 +129,9 @@ static int tls_validate(struct rpc_task *task, struct xdr_stream *xdr)
+ if (*p != rpc_auth_null)
+ return -EIO;
+ if (xdr_stream_decode_opaque_inline(xdr, &str, starttls_len) != starttls_len)
+- return -EIO;
++ return -EPROTONOSUPPORT;
+ if (memcmp(str, starttls_token, starttls_len))
+- return -EIO;
++ return -EPROTONOSUPPORT;
+ return 0;
+ }
+
+diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
+index be6be7d785315..9fb0ccabc1a26 100644
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -2721,7 +2721,15 @@ rpc_decode_header(struct rpc_task *task, struct xdr_stream *xdr)
+
+ out_verifier:
+ trace_rpc_bad_verifier(task);
+- goto out_garbage;
++ switch (error) {
++ case -EPROTONOSUPPORT:
++ goto out_err;
++ case -EACCES:
++ /* Re-encode with a fresh cred */
++ fallthrough;
++ default:
++ goto out_garbage;
++ }
+
+ out_msg_denied:
+ error = -EACCES;
+--
+2.40.1
+
--- /dev/null
+From b43b2a4cfcbfb2deda3af3b5f379748515b3b1e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Sep 2023 17:03:22 -0400
+Subject: SUNRPC/TLS: Lock the lower_xprt during the tls handshake
+
+From: Anna Schumaker <Anna.Schumaker@Netapp.com>
+
+[ Upstream commit 26e8bfa30dac2ccd29dd25f391dfc73475c33329 ]
+
+Otherwise we run the risk of having the lower_xprt freed from underneath
+us, causing an oops that looks like this:
+
+[ 224.150698] BUG: kernel NULL pointer dereference, address: 0000000000000018
+[ 224.150951] #PF: supervisor read access in kernel mode
+[ 224.151117] #PF: error_code(0x0000) - not-present page
+[ 224.151278] PGD 0 P4D 0
+[ 224.151361] Oops: 0000 [#1] PREEMPT SMP NOPTI
+[ 224.151499] CPU: 2 PID: 99 Comm: kworker/u10:6 Not tainted 6.6.0-rc3-g6465e260f487 #41264 a00b0960990fb7bc6d6a330ee03588b67f08a47b
+[ 224.151977] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022
+[ 224.152216] Workqueue: xprtiod xs_tcp_tls_setup_socket [sunrpc]
+[ 224.152434] RIP: 0010:xs_tcp_tls_setup_socket+0x3cc/0x7e0 [sunrpc]
+[ 224.152643] Code: 00 00 48 8b 7c 24 08 e9 f3 01 00 00 48 83 7b c0 00 0f 85 d2 01 00 00 49 8d 84 24 f8 05 00 00 48 89 44 24 10 48 8b 00 48 89 c5 <4c> 8b 68 18 66 41 83 3f 0a 75 71 45 31 ff 4c 89 ef 31 f6 e8 5c 76
+[ 224.153246] RSP: 0018:ffffb00ec060fd18 EFLAGS: 00010246
+[ 224.153427] RAX: 0000000000000000 RBX: ffff8c06c2e53e40 RCX: 0000000000000001
+[ 224.153652] RDX: ffff8c073bca2408 RSI: 0000000000000282 RDI: ffff8c06c259ee00
+[ 224.153868] RBP: 0000000000000000 R08: ffffffff9da55aa0 R09: 0000000000000001
+[ 224.154084] R10: 00000034306c30f1 R11: 0000000000000002 R12: ffff8c06c2e51800
+[ 224.154300] R13: ffff8c06c355d400 R14: 0000000004208160 R15: ffff8c06c2e53820
+[ 224.154521] FS: 0000000000000000(0000) GS:ffff8c073bd00000(0000) knlGS:0000000000000000
+[ 224.154763] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 224.154940] CR2: 0000000000000018 CR3: 0000000062c1e000 CR4: 0000000000750ee0
+[ 224.155157] PKRU: 55555554
+[ 224.155244] Call Trace:
+[ 224.155325] <TASK>
+[ 224.155395] ? __die_body+0x68/0xb0
+[ 224.155507] ? page_fault_oops+0x34c/0x3a0
+[ 224.155635] ? _raw_spin_unlock_irqrestore+0xe/0x40
+[ 224.155793] ? exc_page_fault+0x7a/0x1b0
+[ 224.155916] ? asm_exc_page_fault+0x26/0x30
+[ 224.156047] ? xs_tcp_tls_setup_socket+0x3cc/0x7e0 [sunrpc ae3a15912ae37fd51dafbdbc2dbd069117f8f5c8]
+[ 224.156367] ? xs_tcp_tls_setup_socket+0x2fe/0x7e0 [sunrpc ae3a15912ae37fd51dafbdbc2dbd069117f8f5c8]
+[ 224.156697] ? __pfx_xs_tls_handshake_done+0x10/0x10 [sunrpc ae3a15912ae37fd51dafbdbc2dbd069117f8f5c8]
+[ 224.157013] process_scheduled_works+0x24e/0x450
+[ 224.157158] worker_thread+0x21c/0x2d0
+[ 224.157275] ? __pfx_worker_thread+0x10/0x10
+[ 224.157409] kthread+0xe8/0x110
+[ 224.157510] ? __pfx_kthread+0x10/0x10
+[ 224.157628] ret_from_fork+0x37/0x50
+[ 224.157741] ? __pfx_kthread+0x10/0x10
+[ 224.157859] ret_from_fork_asm+0x1b/0x30
+[ 224.157983] </TASK>
+
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/xprtsock.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
+index 9f010369100a2..f392718951b1e 100644
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -2645,6 +2645,10 @@ static void xs_tcp_tls_setup_socket(struct work_struct *work)
+ rcu_read_lock();
+ lower_xprt = rcu_dereference(lower_clnt->cl_xprt);
+ rcu_read_unlock();
++
++ if (wait_on_bit_lock(&lower_xprt->state, XPRT_LOCKED, TASK_KILLABLE))
++ goto out_unlock;
++
+ status = xs_tls_handshake_sync(lower_xprt, &upper_xprt->xprtsec);
+ if (status) {
+ trace_rpc_tls_not_started(upper_clnt, upper_xprt);
+@@ -2654,6 +2658,7 @@ static void xs_tcp_tls_setup_socket(struct work_struct *work)
+ status = xs_tcp_tls_finish_connecting(lower_xprt, upper_transport);
+ if (status)
+ goto out_close;
++ xprt_release_write(lower_xprt, NULL);
+
+ trace_rpc_socket_connect(upper_xprt, upper_transport->sock, 0);
+ if (!xprt_test_and_set_connected(upper_xprt)) {
+@@ -2675,6 +2680,7 @@ static void xs_tcp_tls_setup_socket(struct work_struct *work)
+ return;
+
+ out_close:
++ xprt_release_write(lower_xprt, NULL);
+ rpc_shutdown_client(lower_clnt);
+
+ /* xprt_force_disconnect() wakes tasks with a fixed tk_status code.
+--
+2.40.1
+
--- /dev/null
+From aabe6025e66f79bddb81c90b12297b780ff6cf4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Oct 2023 09:20:55 +0200
+Subject: tcp: allow again tcp_disconnect() when threads are waiting
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 419ce133ab928ab5efd7b50b2ef36ddfd4eadbd2 ]
+
+As reported by Tom, .NET and applications build on top of it rely
+on connect(AF_UNSPEC) to async cancel pending I/O operations on TCP
+socket.
+
+The blamed commit below caused a regression, as such cancellation
+can now fail.
+
+As suggested by Eric, this change addresses the problem explicitly
+causing blocking I/O operation to terminate immediately (with an error)
+when a concurrent disconnect() is executed.
+
+Instead of tracking the number of threads blocked on a given socket,
+track the number of disconnect() issued on such socket. If such counter
+changes after a blocking operation releasing and re-acquiring the socket
+lock, error out the current operation.
+
+Fixes: 4faeee0cf8a5 ("tcp: deny tcp_disconnect() when threads are waiting")
+Reported-by: Tom Deseyn <tdeseyn@redhat.com>
+Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1886305
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/f3b95e47e3dbed840960548aebaa8d954372db41.1697008693.git.pabeni@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../chelsio/inline_crypto/chtls/chtls_io.c | 36 +++++++++++++++----
+ include/net/sock.h | 10 +++---
+ net/core/stream.c | 12 ++++---
+ net/ipv4/af_inet.c | 10 ++++--
+ net/ipv4/inet_connection_sock.c | 1 -
+ net/ipv4/tcp.c | 16 ++++-----
+ net/ipv4/tcp_bpf.c | 4 +++
+ net/mptcp/protocol.c | 7 ----
+ net/tls/tls_main.c | 10 ++++--
+ net/tls/tls_sw.c | 19 ++++++----
+ 10 files changed, 80 insertions(+), 45 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_io.c b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_io.c
+index 5fc64e47568a9..d567e42e17601 100644
+--- a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_io.c
++++ b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_io.c
+@@ -911,7 +911,7 @@ static int csk_wait_memory(struct chtls_dev *cdev,
+ struct sock *sk, long *timeo_p)
+ {
+ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+- int err = 0;
++ int ret, err = 0;
+ long current_timeo;
+ long vm_wait = 0;
+ bool noblock;
+@@ -942,10 +942,13 @@ static int csk_wait_memory(struct chtls_dev *cdev,
+
+ set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
+ sk->sk_write_pending++;
+- sk_wait_event(sk, ¤t_timeo, sk->sk_err ||
+- (sk->sk_shutdown & SEND_SHUTDOWN) ||
+- (csk_mem_free(cdev, sk) && !vm_wait), &wait);
++ ret = sk_wait_event(sk, ¤t_timeo, sk->sk_err ||
++ (sk->sk_shutdown & SEND_SHUTDOWN) ||
++ (csk_mem_free(cdev, sk) && !vm_wait),
++ &wait);
+ sk->sk_write_pending--;
++ if (ret < 0)
++ goto do_error;
+
+ if (vm_wait) {
+ vm_wait -= current_timeo;
+@@ -1348,6 +1351,7 @@ static int chtls_pt_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
+ int copied = 0;
+ int target;
+ long timeo;
++ int ret;
+
+ buffers_freed = 0;
+
+@@ -1423,7 +1427,11 @@ static int chtls_pt_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
+ if (copied >= target)
+ break;
+ chtls_cleanup_rbuf(sk, copied);
+- sk_wait_data(sk, &timeo, NULL);
++ ret = sk_wait_data(sk, &timeo, NULL);
++ if (ret < 0) {
++ copied = copied ? : ret;
++ goto unlock;
++ }
+ continue;
+ found_ok_skb:
+ if (!skb->len) {
+@@ -1518,6 +1526,8 @@ static int chtls_pt_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
+
+ if (buffers_freed)
+ chtls_cleanup_rbuf(sk, copied);
++
++unlock:
+ release_sock(sk);
+ return copied;
+ }
+@@ -1534,6 +1544,7 @@ static int peekmsg(struct sock *sk, struct msghdr *msg,
+ int copied = 0;
+ size_t avail; /* amount of available data in current skb */
+ long timeo;
++ int ret;
+
+ lock_sock(sk);
+ timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+@@ -1585,7 +1596,12 @@ static int peekmsg(struct sock *sk, struct msghdr *msg,
+ release_sock(sk);
+ lock_sock(sk);
+ } else {
+- sk_wait_data(sk, &timeo, NULL);
++ ret = sk_wait_data(sk, &timeo, NULL);
++ if (ret < 0) {
++ /* here 'copied' is 0 due to previous checks */
++ copied = ret;
++ break;
++ }
+ }
+
+ if (unlikely(peek_seq != tp->copied_seq)) {
+@@ -1656,6 +1672,7 @@ int chtls_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
+ int copied = 0;
+ long timeo;
+ int target; /* Read at least this many bytes */
++ int ret;
+
+ buffers_freed = 0;
+
+@@ -1747,7 +1764,11 @@ int chtls_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
+ if (copied >= target)
+ break;
+ chtls_cleanup_rbuf(sk, copied);
+- sk_wait_data(sk, &timeo, NULL);
++ ret = sk_wait_data(sk, &timeo, NULL);
++ if (ret < 0) {
++ copied = copied ? : ret;
++ goto unlock;
++ }
+ continue;
+
+ found_ok_skb:
+@@ -1816,6 +1837,7 @@ int chtls_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
+ if (buffers_freed)
+ chtls_cleanup_rbuf(sk, copied);
+
++unlock:
+ release_sock(sk);
+ return copied;
+ }
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 4e787285fc66b..fc189910e63fc 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -336,7 +336,7 @@ struct sk_filter;
+ * @sk_cgrp_data: cgroup data for this cgroup
+ * @sk_memcg: this socket's memory cgroup association
+ * @sk_write_pending: a write to stream socket waits to start
+- * @sk_wait_pending: number of threads blocked on this socket
++ * @sk_disconnects: number of disconnect operations performed on this sock
+ * @sk_state_change: callback to indicate change in the state of the sock
+ * @sk_data_ready: callback to indicate there is data to be processed
+ * @sk_write_space: callback to indicate there is bf sending space available
+@@ -429,7 +429,7 @@ struct sock {
+ unsigned int sk_napi_id;
+ #endif
+ int sk_rcvbuf;
+- int sk_wait_pending;
++ int sk_disconnects;
+
+ struct sk_filter __rcu *sk_filter;
+ union {
+@@ -1189,8 +1189,7 @@ static inline void sock_rps_reset_rxhash(struct sock *sk)
+ }
+
+ #define sk_wait_event(__sk, __timeo, __condition, __wait) \
+- ({ int __rc; \
+- __sk->sk_wait_pending++; \
++ ({ int __rc, __dis = __sk->sk_disconnects; \
+ release_sock(__sk); \
+ __rc = __condition; \
+ if (!__rc) { \
+@@ -1200,8 +1199,7 @@ static inline void sock_rps_reset_rxhash(struct sock *sk)
+ } \
+ sched_annotate_sleep(); \
+ lock_sock(__sk); \
+- __sk->sk_wait_pending--; \
+- __rc = __condition; \
++ __rc = __dis == __sk->sk_disconnects ? __condition : -EPIPE; \
+ __rc; \
+ })
+
+diff --git a/net/core/stream.c b/net/core/stream.c
+index f5c4e47df1650..96fbcb9bbb30a 100644
+--- a/net/core/stream.c
++++ b/net/core/stream.c
+@@ -117,7 +117,7 @@ EXPORT_SYMBOL(sk_stream_wait_close);
+ */
+ int sk_stream_wait_memory(struct sock *sk, long *timeo_p)
+ {
+- int err = 0;
++ int ret, err = 0;
+ long vm_wait = 0;
+ long current_timeo = *timeo_p;
+ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+@@ -142,11 +142,13 @@ int sk_stream_wait_memory(struct sock *sk, long *timeo_p)
+
+ set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
+ sk->sk_write_pending++;
+- sk_wait_event(sk, ¤t_timeo, READ_ONCE(sk->sk_err) ||
+- (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) ||
+- (sk_stream_memory_free(sk) &&
+- !vm_wait), &wait);
++ ret = sk_wait_event(sk, ¤t_timeo, READ_ONCE(sk->sk_err) ||
++ (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) ||
++ (sk_stream_memory_free(sk) && !vm_wait),
++ &wait);
+ sk->sk_write_pending--;
++ if (ret < 0)
++ goto do_error;
+
+ if (vm_wait) {
+ vm_wait -= current_timeo;
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index 02736b83c3032..0c0ae021b7ff5 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -587,7 +587,6 @@ static long inet_wait_for_connect(struct sock *sk, long timeo, int writebias)
+
+ add_wait_queue(sk_sleep(sk), &wait);
+ sk->sk_write_pending += writebias;
+- sk->sk_wait_pending++;
+
+ /* Basic assumption: if someone sets sk->sk_err, he _must_
+ * change state of the socket from TCP_SYN_*.
+@@ -603,7 +602,6 @@ static long inet_wait_for_connect(struct sock *sk, long timeo, int writebias)
+ }
+ remove_wait_queue(sk_sleep(sk), &wait);
+ sk->sk_write_pending -= writebias;
+- sk->sk_wait_pending--;
+ return timeo;
+ }
+
+@@ -632,6 +630,7 @@ int __inet_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+ return -EINVAL;
+
+ if (uaddr->sa_family == AF_UNSPEC) {
++ sk->sk_disconnects++;
+ err = sk->sk_prot->disconnect(sk, flags);
+ sock->state = err ? SS_DISCONNECTING : SS_UNCONNECTED;
+ goto out;
+@@ -686,6 +685,7 @@ int __inet_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+ int writebias = (sk->sk_protocol == IPPROTO_TCP) &&
+ tcp_sk(sk)->fastopen_req &&
+ tcp_sk(sk)->fastopen_req->data ? 1 : 0;
++ int dis = sk->sk_disconnects;
+
+ /* Error code is set above */
+ if (!timeo || !inet_wait_for_connect(sk, timeo, writebias))
+@@ -694,6 +694,11 @@ int __inet_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+ err = sock_intr_errno(timeo);
+ if (signal_pending(current))
+ goto out;
++
++ if (dis != sk->sk_disconnects) {
++ err = -EPIPE;
++ goto out;
++ }
+ }
+
+ /* Connection was closed by RST, timeout, ICMP error
+@@ -715,6 +720,7 @@ int __inet_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+ sock_error:
+ err = sock_error(sk) ? : -ECONNABORTED;
+ sock->state = SS_UNCONNECTED;
++ sk->sk_disconnects++;
+ if (sk->sk_prot->disconnect(sk, flags))
+ sock->state = SS_DISCONNECTING;
+ goto out;
+diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
+index aeebe88166899..394a498c28232 100644
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -1145,7 +1145,6 @@ struct sock *inet_csk_clone_lock(const struct sock *sk,
+ if (newsk) {
+ struct inet_connection_sock *newicsk = inet_csk(newsk);
+
+- newsk->sk_wait_pending = 0;
+ inet_sk_set_state(newsk, TCP_SYN_RECV);
+ newicsk->icsk_bind_hash = NULL;
+ newicsk->icsk_bind2_hash = NULL;
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 9cfc07d1e4252..9bdc1b2eaf734 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -829,7 +829,9 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos,
+ */
+ if (!skb_queue_empty(&sk->sk_receive_queue))
+ break;
+- sk_wait_data(sk, &timeo, NULL);
++ ret = sk_wait_data(sk, &timeo, NULL);
++ if (ret < 0)
++ break;
+ if (signal_pending(current)) {
+ ret = sock_intr_errno(timeo);
+ break;
+@@ -2442,7 +2444,11 @@ static int tcp_recvmsg_locked(struct sock *sk, struct msghdr *msg, size_t len,
+ __sk_flush_backlog(sk);
+ } else {
+ tcp_cleanup_rbuf(sk, copied);
+- sk_wait_data(sk, &timeo, last);
++ err = sk_wait_data(sk, &timeo, last);
++ if (err < 0) {
++ err = copied ? : err;
++ goto out;
++ }
+ }
+
+ if ((flags & MSG_PEEK) &&
+@@ -2966,12 +2972,6 @@ int tcp_disconnect(struct sock *sk, int flags)
+ int old_state = sk->sk_state;
+ u32 seq;
+
+- /* Deny disconnect if other threads are blocked in sk_wait_event()
+- * or inet_wait_for_connect().
+- */
+- if (sk->sk_wait_pending)
+- return -EBUSY;
+-
+ if (old_state != TCP_CLOSE)
+ tcp_set_state(sk, TCP_CLOSE);
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index 3272682030015..ba2e921881248 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -307,6 +307,8 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk,
+ }
+
+ data = tcp_msg_wait_data(sk, psock, timeo);
++ if (data < 0)
++ return data;
+ if (data && !sk_psock_queue_empty(psock))
+ goto msg_bytes_ready;
+ copied = -EAGAIN;
+@@ -351,6 +353,8 @@ static int tcp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
+
+ timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+ data = tcp_msg_wait_data(sk, psock, timeo);
++ if (data < 0)
++ return data;
+ if (data) {
+ if (!sk_psock_queue_empty(psock))
+ goto msg_bytes_ready;
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index d2a47c6f9655b..0850d6a43049c 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -3063,12 +3063,6 @@ static int mptcp_disconnect(struct sock *sk, int flags)
+ {
+ struct mptcp_sock *msk = mptcp_sk(sk);
+
+- /* Deny disconnect if other threads are blocked in sk_wait_event()
+- * or inet_wait_for_connect().
+- */
+- if (sk->sk_wait_pending)
+- return -EBUSY;
+-
+ /* We are on the fastopen error path. We can't call straight into the
+ * subflows cleanup code due to lock nesting (we are already under
+ * msk->firstsocket lock).
+@@ -3139,7 +3133,6 @@ struct sock *mptcp_sk_clone_init(const struct sock *sk,
+ inet_sk(nsk)->pinet6 = mptcp_inet6_sk(nsk);
+ #endif
+
+- nsk->sk_wait_pending = 0;
+ __mptcp_init_sock(nsk);
+
+ msk = mptcp_sk(nsk);
+diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
+index 4a8ee2f6badb9..f3d3fc1c32676 100644
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -96,8 +96,8 @@ void update_sk_prot(struct sock *sk, struct tls_context *ctx)
+
+ int wait_on_pending_writer(struct sock *sk, long *timeo)
+ {
+- int rc = 0;
+ DEFINE_WAIT_FUNC(wait, woken_wake_function);
++ int ret, rc = 0;
+
+ add_wait_queue(sk_sleep(sk), &wait);
+ while (1) {
+@@ -111,9 +111,13 @@ int wait_on_pending_writer(struct sock *sk, long *timeo)
+ break;
+ }
+
+- if (sk_wait_event(sk, timeo,
+- !READ_ONCE(sk->sk_write_pending), &wait))
++ ret = sk_wait_event(sk, timeo,
++ !READ_ONCE(sk->sk_write_pending), &wait);
++ if (ret) {
++ if (ret < 0)
++ rc = ret;
+ break;
++ }
+ }
+ remove_wait_queue(sk_sleep(sk), &wait);
+ return rc;
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index a83f474933033..ce925f3a52492 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -1288,6 +1288,7 @@ tls_rx_rec_wait(struct sock *sk, struct sk_psock *psock, bool nonblock,
+ struct tls_context *tls_ctx = tls_get_ctx(sk);
+ struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
+ DEFINE_WAIT_FUNC(wait, woken_wake_function);
++ int ret = 0;
+ long timeo;
+
+ timeo = sock_rcvtimeo(sk, nonblock);
+@@ -1299,6 +1300,9 @@ tls_rx_rec_wait(struct sock *sk, struct sk_psock *psock, bool nonblock,
+ if (sk->sk_err)
+ return sock_error(sk);
+
++ if (ret < 0)
++ return ret;
++
+ if (!skb_queue_empty(&sk->sk_receive_queue)) {
+ tls_strp_check_rcv(&ctx->strp);
+ if (tls_strp_msg_ready(ctx))
+@@ -1317,10 +1321,10 @@ tls_rx_rec_wait(struct sock *sk, struct sk_psock *psock, bool nonblock,
+ released = true;
+ add_wait_queue(sk_sleep(sk), &wait);
+ sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk);
+- sk_wait_event(sk, &timeo,
+- tls_strp_msg_ready(ctx) ||
+- !sk_psock_queue_empty(psock),
+- &wait);
++ ret = sk_wait_event(sk, &timeo,
++ tls_strp_msg_ready(ctx) ||
++ !sk_psock_queue_empty(psock),
++ &wait);
+ sk_clear_bit(SOCKWQ_ASYNC_WAITDATA, sk);
+ remove_wait_queue(sk_sleep(sk), &wait);
+
+@@ -1849,6 +1853,7 @@ static int tls_rx_reader_acquire(struct sock *sk, struct tls_sw_context_rx *ctx,
+ bool nonblock)
+ {
+ long timeo;
++ int ret;
+
+ timeo = sock_rcvtimeo(sk, nonblock);
+
+@@ -1858,14 +1863,16 @@ static int tls_rx_reader_acquire(struct sock *sk, struct tls_sw_context_rx *ctx,
+ ctx->reader_contended = 1;
+
+ add_wait_queue(&ctx->wq, &wait);
+- sk_wait_event(sk, &timeo,
+- !READ_ONCE(ctx->reader_present), &wait);
++ ret = sk_wait_event(sk, &timeo,
++ !READ_ONCE(ctx->reader_present), &wait);
+ remove_wait_queue(&ctx->wq, &wait);
+
+ if (timeo <= 0)
+ return -EAGAIN;
+ if (signal_pending(current))
+ return sock_intr_errno(timeo);
++ if (ret < 0)
++ return ret;
+ }
+
+ WRITE_ONCE(ctx->reader_present, 1);
+--
+2.40.1
+
--- /dev/null
+From da2fd0bab1de2ea6cb6c0357146981df7650e537 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Oct 2023 17:49:51 +0200
+Subject: tcp_bpf: properly release resources on error paths
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 68b54aeff804acceb02f228ea2e28419272c1fb9 ]
+
+In the blamed commit below, I completely forgot to release the acquired
+resources before erroring out in the TCP BPF code, as reported by Dan.
+
+Address the issues by replacing the bogus return with a jump to the
+relevant cleanup code.
+
+Fixes: 419ce133ab92 ("tcp: allow again tcp_disconnect() when threads are waiting")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/8f99194c698bcef12666f0a9a999c58f8b1cb52c.1697557782.git.pabeni@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index ba2e921881248..53b0d62fd2c2d 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -307,8 +307,10 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk,
+ }
+
+ data = tcp_msg_wait_data(sk, psock, timeo);
+- if (data < 0)
+- return data;
++ if (data < 0) {
++ copied = data;
++ goto unlock;
++ }
+ if (data && !sk_psock_queue_empty(psock))
+ goto msg_bytes_ready;
+ copied = -EAGAIN;
+@@ -319,6 +321,8 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk,
+ tcp_rcv_space_adjust(sk);
+ if (copied > 0)
+ __tcp_cleanup_rbuf(sk, copied);
++
++unlock:
+ release_sock(sk);
+ sk_psock_put(sk, psock);
+ return copied;
+@@ -353,8 +357,10 @@ static int tcp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
+
+ timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+ data = tcp_msg_wait_data(sk, psock, timeo);
+- if (data < 0)
+- return data;
++ if (data < 0) {
++ ret = data;
++ goto unlock;
++ }
+ if (data) {
+ if (!sk_psock_queue_empty(psock))
+ goto msg_bytes_ready;
+@@ -365,6 +371,8 @@ static int tcp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
+ copied = -EAGAIN;
+ }
+ ret = copied;
++
++unlock:
+ release_sock(sk);
+ sk_psock_put(sk, psock);
+ return ret;
+--
+2.40.1
+
--- /dev/null
+From 2975ea8d6e6511801c5d71a8e3be11db92ac63cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Sep 2023 21:16:37 +0200
+Subject: tracing: relax trace_event_eval_update() execution with
+ cond_resched()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Léger <cleger@rivosinc.com>
+
+[ Upstream commit 23cce5f25491968b23fb9c399bbfb25f13870cd9 ]
+
+When kernel is compiled without preemption, the eval_map_work_func()
+(which calls trace_event_eval_update()) will not be preempted up to its
+complete execution. This can actually cause a problem since if another
+CPU call stop_machine(), the call will have to wait for the
+eval_map_work_func() function to finish executing in the workqueue
+before being able to be scheduled. This problem was observe on a SMP
+system at boot time, when the CPU calling the initcalls executed
+clocksource_done_booting() which in the end calls stop_machine(). We
+observed a 1 second delay because one CPU was executing
+eval_map_work_func() and was not preempted by the stop_machine() task.
+
+Adding a call to cond_resched() in trace_event_eval_update() allows
+other tasks to be executed and thus continue working asynchronously
+like before without blocking any pending task at boot time.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230929191637.416931-1-cleger@rivosinc.com
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Clément Léger <cleger@rivosinc.com>
+Tested-by: Atish Patra <atishp@rivosinc.com>
+Reviewed-by: Atish Patra <atishp@rivosinc.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_events.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
+index 0cf84a7449f5b..9841589b4af7f 100644
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -2777,6 +2777,7 @@ void trace_event_eval_update(struct trace_eval_map **map, int len)
+ update_event_fields(call, map[i]);
+ }
+ }
++ cond_resched();
+ }
+ up_write(&trace_event_sem);
+ }
+--
+2.40.1
+
--- /dev/null
+From 7285a8e899d71c983638e12fd378601034992ab1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Sep 2023 17:18:56 +0200
+Subject: wifi: cfg80211: avoid leaking stack data into trace
+
+From: Benjamin Berg <benjamin.berg@intel.com>
+
+[ Upstream commit 334bf33eec5701a1e4e967bcb7cc8611a998334b ]
+
+If the structure is not initialized then boolean types might be copied
+into the tracing data without being initialised. This causes data from
+the stack to leak into the trace and also triggers a UBSAN failure which
+can easily be avoided here.
+
+Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
+Link: https://lore.kernel.org/r/20230925171855.a9271ef53b05.I8180bae663984c91a3e036b87f36a640ba409817@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 3d286f3a60e60..bf968cdbfbb51 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -8502,7 +8502,7 @@ static int nl80211_update_mesh_config(struct sk_buff *skb,
+ struct cfg80211_registered_device *rdev = info->user_ptr[0];
+ struct net_device *dev = info->user_ptr[1];
+ struct wireless_dev *wdev = dev->ieee80211_ptr;
+- struct mesh_config cfg;
++ struct mesh_config cfg = {};
+ u32 mask;
+ int err;
+
+--
+2.40.1
+
--- /dev/null
+From 79e95c5bbf1450c9d81090470c6990cdc5f47977 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 14:10:54 +0300
+Subject: wifi: cfg80211: Fix 6GHz scan configuration
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+[ Upstream commit 0914468adf92296c4cba8a2134e06e3dea150f2e ]
+
+When the scan request includes a non broadcast BSSID, when adding the
+scan parameters for 6GHz collocated scanning, do not include entries
+that do not match the given BSSID.
+
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230918140607.6d31d2a96baf.I6c4e3e3075d1d1878ee41f45190fdc6b86f18708@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 0cf1ce7b69342..939deecf0bbef 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -908,6 +908,10 @@ static int cfg80211_scan_6ghz(struct cfg80211_registered_device *rdev)
+ !cfg80211_find_ssid_match(ap, request))
+ continue;
+
++ if (!is_broadcast_ether_addr(request->bssid) &&
++ !ether_addr_equal(request->bssid, ap->bssid))
++ continue;
++
+ if (!request->n_ssids && ap->multi_bss && !ap->transmitted_bssid)
+ continue;
+
+--
+2.40.1
+
--- /dev/null
+From 748ceee21e02fa09fd1aa27f2d59548583e518e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 12:18:57 +0530
+Subject: wifi: cfg80211: validate AP phy operation before starting it
+
+From: Aditya Kumar Singh <quic_adisi@quicinc.com>
+
+[ Upstream commit 5112fa502708aaaf80acb78273fc8625f221eb11 ]
+
+Many regulatories can have HE/EHT Operation as not permitted. In such
+cases, AP should not be allowed to start if it is using a channel
+having the no operation flag set. However, currently there is no such
+check in place.
+
+Fix this issue by validating such IEs sent during start AP against the
+channel flags.
+
+Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
+Reviewed-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Link: https://lore.kernel.org/r/20230905064857.1503-1-quic_adisi@quicinc.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 705d1cf048309..3d286f3a60e60 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -5910,6 +5910,21 @@ static void nl80211_send_ap_started(struct wireless_dev *wdev,
+ nlmsg_free(msg);
+ }
+
++static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
++{
++ struct ieee80211_channel *channel = params->chandef.chan;
++
++ if ((params->he_cap || params->he_oper) &&
++ (channel->flags & IEEE80211_CHAN_NO_HE))
++ return -EOPNOTSUPP;
++
++ if ((params->eht_cap || params->eht_oper) &&
++ (channel->flags & IEEE80211_CHAN_NO_EHT))
++ return -EOPNOTSUPP;
++
++ return 0;
++}
++
+ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
+ {
+ struct cfg80211_registered_device *rdev = info->user_ptr[0];
+@@ -6179,6 +6194,10 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
+ if (err)
+ goto out_unlock;
+
++ err = nl80211_validate_ap_phy_operation(params);
++ if (err)
++ goto out_unlock;
++
+ if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
+ params->flags = nla_get_u32(
+ info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
+--
+2.40.1
+
--- /dev/null
+From 46a855090c7738d8a2a29a65581b1200b1d5fe4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Aug 2023 13:56:05 -0700
+Subject: wifi: iwlwifi: Ensure ack flag is properly cleared.
+
+From: Ben Greear <greearb@candelatech.com>
+
+[ Upstream commit e8fbe99e87877f0412655f40d7c45bf8471470ac ]
+
+Debugging indicates that nothing else is clearing the info->flags,
+so some frames were flagged as ACKed when they should not be.
+Explicitly clear the ack flag to ensure this does not happen.
+
+Signed-off-by: Ben Greear <greearb@candelatech.com>
+Acked-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230808205605.4105670-1-greearb@candelatech.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+index 36d70d589aedd..898dca3936435 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -1612,6 +1612,7 @@ static void iwl_mvm_rx_tx_cmd_single(struct iwl_mvm *mvm,
+ iwl_trans_free_tx_cmd(mvm->trans, info->driver_data[1]);
+
+ memset(&info->status, 0, sizeof(info->status));
++ info->flags &= ~(IEEE80211_TX_STAT_ACK | IEEE80211_TX_STAT_TX_FILTERED);
+
+ /* inform mac80211 about what happened with the frame */
+ switch (status & TX_STATUS_MSK) {
+@@ -1964,6 +1965,8 @@ static void iwl_mvm_tx_reclaim(struct iwl_mvm *mvm, int sta_id, int tid,
+ */
+ if (!is_flush)
+ info->flags |= IEEE80211_TX_STAT_ACK;
++ else
++ info->flags &= ~IEEE80211_TX_STAT_ACK;
+ }
+
+ /*
+--
+2.40.1
+
--- /dev/null
+From 27f524271e1fa4e74d1a1bda1f13cb12b3eff711 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Aug 2023 02:47:51 -0400
+Subject: wifi: mac80211: allow transmitting EAPOL frames with tainted key
+
+From: Wen Gong <quic_wgong@quicinc.com>
+
+[ Upstream commit 61304336c67358d49a989e5e0060d8c99bad6ca8 ]
+
+Lower layer device driver stop/wake TX by calling ieee80211_stop_queue()/
+ieee80211_wake_queue() while hw scan. Sometimes hw scan and PTK rekey are
+running in parallel, when M4 sent from wpa_supplicant arrive while the TX
+queue is stopped, then the M4 will pending send, and then new key install
+from wpa_supplicant. After TX queue wake up by lower layer device driver,
+the M4 will be dropped by below call stack.
+
+When key install started, the current key flag is set KEY_FLAG_TAINTED in
+ieee80211_pairwise_rekey(), and then mac80211 wait key install complete by
+lower layer device driver. Meanwhile ieee80211_tx_h_select_key() will return
+TX_DROP for the M4 in step 12 below, and then ieee80211_free_txskb() called
+by ieee80211_tx_dequeue(), so the M4 will not send and free, then the rekey
+process failed becaue AP not receive M4. Please see details in steps below.
+
+There are a interval between KEY_FLAG_TAINTED set for current key flag and
+install key complete by lower layer device driver, the KEY_FLAG_TAINTED is
+set in this interval, all packet including M4 will be dropped in this
+interval, the interval is step 8~13 as below.
+
+issue steps:
+ TX thread install key thread
+1. stop_queue -idle-
+2. sending M4 -idle-
+3. M4 pending -idle-
+4. -idle- starting install key from wpa_supplicant
+5. -idle- =>ieee80211_key_replace()
+6. -idle- =>ieee80211_pairwise_rekey() and set
+ currently key->flags |= KEY_FLAG_TAINTED
+7. -idle- =>ieee80211_key_enable_hw_accel()
+8. -idle- =>drv_set_key() and waiting key install
+ complete from lower layer device driver
+9. wake_queue -waiting state-
+10. re-sending M4 -waiting state-
+11. =>ieee80211_tx_h_select_key() -waiting state-
+12. drop M4 by KEY_FLAG_TAINTED -waiting state-
+13. -idle- install key complete with success/fail
+ success: clear flag KEY_FLAG_TAINTED
+ fail: start disconnect
+
+Hence add check in step 11 above to allow the EAPOL send out in the
+interval. If lower layer device driver use the old key/cipher to encrypt
+the M4, then AP received/decrypt M4 correctly, after M4 send out, lower
+layer device driver install the new key/cipher to hardware and return
+success.
+
+If lower layer device driver use new key/cipher to send the M4, then AP
+will/should drop the M4, then it is same result with this issue, AP will/
+should kick out station as well as this issue.
+
+issue log:
+kworker/u16:4-5238 [000] 6456.108926: stop_queue: phy1 queue:0, reason:0
+wpa_supplicant-961 [003] 6456.119737: rdev_tx_control_port: wiphy_name=phy1 name=wlan0 ifindex=6 dest=ARRAY[9e, 05, 31, 20, 9b, d0] proto=36488 unencrypted=0
+wpa_supplicant-961 [003] 6456.119839: rdev_return_int_cookie: phy1, returned 0, cookie: 504
+wpa_supplicant-961 [003] 6456.120287: rdev_add_key: phy1, netdev:wlan0(6), key_index: 0, mode: 0, pairwise: true, mac addr: 9e:05:31:20:9b:d0
+wpa_supplicant-961 [003] 6456.120453: drv_set_key: phy1 vif:wlan0(2) sta:9e:05:31:20:9b:d0 cipher:0xfac04, flags=0x9, keyidx=0, hw_key_idx=0
+kworker/u16:9-3829 [001] 6456.168240: wake_queue: phy1 queue:0, reason:0
+kworker/u16:9-3829 [001] 6456.168255: drv_wake_tx_queue: phy1 vif:wlan0(2) sta:9e:05:31:20:9b:d0 ac:0 tid:7
+kworker/u16:9-3829 [001] 6456.168305: cfg80211_control_port_tx_status: wdev(1), cookie: 504, ack: false
+wpa_supplicant-961 [003] 6459.167982: drv_return_int: phy1 - -110
+
+issue call stack:
+nl80211_frame_tx_status+0x230/0x340 [cfg80211]
+cfg80211_control_port_tx_status+0x1c/0x28 [cfg80211]
+ieee80211_report_used_skb+0x374/0x3e8 [mac80211]
+ieee80211_free_txskb+0x24/0x40 [mac80211]
+ieee80211_tx_dequeue+0x644/0x954 [mac80211]
+ath10k_mac_tx_push_txq+0xac/0x238 [ath10k_core]
+ath10k_mac_op_wake_tx_queue+0xac/0xe0 [ath10k_core]
+drv_wake_tx_queue+0x80/0x168 [mac80211]
+__ieee80211_wake_txqs+0xe8/0x1c8 [mac80211]
+_ieee80211_wake_txqs+0xb4/0x120 [mac80211]
+ieee80211_wake_txqs+0x48/0x80 [mac80211]
+tasklet_action_common+0xa8/0x254
+tasklet_action+0x2c/0x38
+__do_softirq+0xdc/0x384
+
+Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
+Link: https://lore.kernel.org/r/20230801064751.25803-1-quic_wgong@quicinc.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 7fe7280e84374..d45d4be63dd87 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -665,7 +665,8 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
+ }
+
+ if (unlikely(tx->key && tx->key->flags & KEY_FLAG_TAINTED &&
+- !ieee80211_is_deauth(hdr->frame_control)))
++ !ieee80211_is_deauth(hdr->frame_control)) &&
++ tx->skb->protocol != tx->sdata->control_port_protocol)
+ return TX_DROP;
+
+ if (!skip_hw && tx->key &&
+--
+2.40.1
+
--- /dev/null
+From 392f090f5f6710d8f283bed8e1e1b59bb608040f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 14:10:55 +0300
+Subject: wifi: mac80211: work around Cisco AP 9115 VHT MPDU length
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 084cf2aeca97566db4fa15d55653c1cba2db83ed ]
+
+Cisco AP module 9115 with FW 17.3 has a bug and sends a too
+large maximum MPDU length in the association response
+(indicating 12k) that it cannot actually process.
+
+Work around that by taking the minimum between what's in the
+association response and the BSS elements (from beacon or
+probe response).
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230918140607.d1966a9a532e.I090225babb7cd4d1081ee9acd40e7de7e41c15ae@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 3 ++-
+ net/mac80211/ibss.c | 2 +-
+ net/mac80211/ieee80211_i.h | 1 +
+ net/mac80211/mesh_plink.c | 2 +-
+ net/mac80211/mlme.c | 27 +++++++++++++++++++++++++--
+ net/mac80211/vht.c | 16 ++++++++++++++--
+ 6 files changed, 44 insertions(+), 7 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index e883c41a2163b..0e3a1753a51c6 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1860,7 +1860,8 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
+ /* VHT can override some HT caps such as the A-MSDU max length */
+ if (params->vht_capa)
+ ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband,
+- params->vht_capa, link_sta);
++ params->vht_capa, NULL,
++ link_sta);
+
+ if (params->he_capa)
+ ieee80211_he_cap_ie_to_sta_he_cap(sdata, sband,
+diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
+index e1900077bc4b9..5542c93edfba0 100644
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -1072,7 +1072,7 @@ static void ieee80211_update_sta_info(struct ieee80211_sub_if_data *sdata,
+ &chandef);
+ memcpy(&cap_ie, elems->vht_cap_elem, sizeof(cap_ie));
+ ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband,
+- &cap_ie,
++ &cap_ie, NULL,
+ &sta->deflink);
+ if (memcmp(&cap, &sta->sta.deflink.vht_cap, sizeof(cap)))
+ rates_updated |= true;
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index f8cd94ba55ccc..2cce9eba6a120 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -2142,6 +2142,7 @@ void
+ ieee80211_vht_cap_ie_to_sta_vht_cap(struct ieee80211_sub_if_data *sdata,
+ struct ieee80211_supported_band *sband,
+ const struct ieee80211_vht_cap *vht_cap_ie,
++ const struct ieee80211_vht_cap *vht_cap_ie2,
+ struct link_sta_info *link_sta);
+ enum ieee80211_sta_rx_bandwidth
+ ieee80211_sta_cap_rx_bw(struct link_sta_info *link_sta);
+diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
+index f3d5bb0a59f10..a1e526419e9d2 100644
+--- a/net/mac80211/mesh_plink.c
++++ b/net/mac80211/mesh_plink.c
+@@ -451,7 +451,7 @@ static void mesh_sta_info_init(struct ieee80211_sub_if_data *sdata,
+ changed |= IEEE80211_RC_BW_CHANGED;
+
+ ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband,
+- elems->vht_cap_elem,
++ elems->vht_cap_elem, NULL,
+ &sta->deflink);
+
+ ieee80211_he_cap_ie_to_sta_he_cap(sdata, sband, elems->he_cap,
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 24b2833e0e475..0c9198997482b 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -4202,10 +4202,33 @@ static bool ieee80211_assoc_config_link(struct ieee80211_link_data *link,
+ elems->ht_cap_elem,
+ link_sta);
+
+- if (elems->vht_cap_elem && !(link->u.mgd.conn_flags & IEEE80211_CONN_DISABLE_VHT))
++ if (elems->vht_cap_elem &&
++ !(link->u.mgd.conn_flags & IEEE80211_CONN_DISABLE_VHT)) {
++ const struct ieee80211_vht_cap *bss_vht_cap = NULL;
++ const struct cfg80211_bss_ies *ies;
++
++ /*
++ * Cisco AP module 9115 with FW 17.3 has a bug and sends a
++ * too large maximum MPDU length in the association response
++ * (indicating 12k) that it cannot actually process ...
++ * Work around that.
++ */
++ rcu_read_lock();
++ ies = rcu_dereference(cbss->ies);
++ if (ies) {
++ const struct element *elem;
++
++ elem = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY,
++ ies->data, ies->len);
++ if (elem && elem->datalen >= sizeof(*bss_vht_cap))
++ bss_vht_cap = (const void *)elem->data;
++ }
++
+ ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband,
+ elems->vht_cap_elem,
+- link_sta);
++ bss_vht_cap, link_sta);
++ rcu_read_unlock();
++ }
+
+ if (elems->he_operation && !(link->u.mgd.conn_flags & IEEE80211_CONN_DISABLE_HE) &&
+ elems->he_cap) {
+diff --git a/net/mac80211/vht.c b/net/mac80211/vht.c
+index c1250aa478083..b3a5c3e96a720 100644
+--- a/net/mac80211/vht.c
++++ b/net/mac80211/vht.c
+@@ -4,7 +4,7 @@
+ *
+ * Portions of this file
+ * Copyright(c) 2015 - 2016 Intel Deutschland GmbH
+- * Copyright (C) 2018 - 2022 Intel Corporation
++ * Copyright (C) 2018 - 2023 Intel Corporation
+ */
+
+ #include <linux/ieee80211.h>
+@@ -116,12 +116,14 @@ void
+ ieee80211_vht_cap_ie_to_sta_vht_cap(struct ieee80211_sub_if_data *sdata,
+ struct ieee80211_supported_band *sband,
+ const struct ieee80211_vht_cap *vht_cap_ie,
++ const struct ieee80211_vht_cap *vht_cap_ie2,
+ struct link_sta_info *link_sta)
+ {
+ struct ieee80211_sta_vht_cap *vht_cap = &link_sta->pub->vht_cap;
+ struct ieee80211_sta_vht_cap own_cap;
+ u32 cap_info, i;
+ bool have_80mhz;
++ u32 mpdu_len;
+
+ memset(vht_cap, 0, sizeof(*vht_cap));
+
+@@ -317,11 +319,21 @@ ieee80211_vht_cap_ie_to_sta_vht_cap(struct ieee80211_sub_if_data *sdata,
+
+ link_sta->pub->bandwidth = ieee80211_sta_cur_vht_bw(link_sta);
+
++ /*
++ * Work around the Cisco 9115 FW 17.3 bug by taking the min of
++ * both reported MPDU lengths.
++ */
++ mpdu_len = vht_cap->cap & IEEE80211_VHT_CAP_MAX_MPDU_MASK;
++ if (vht_cap_ie2)
++ mpdu_len = min_t(u32, mpdu_len,
++ le32_get_bits(vht_cap_ie2->vht_cap_info,
++ IEEE80211_VHT_CAP_MAX_MPDU_MASK));
++
+ /*
+ * FIXME - should the amsdu len be per link? store per link
+ * and maintain a minimum?
+ */
+- switch (vht_cap->cap & IEEE80211_VHT_CAP_MAX_MPDU_MASK) {
++ switch (mpdu_len) {
+ case IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454:
+ link_sta->pub->agg.max_amsdu_len = IEEE80211_MAX_MPDU_LEN_VHT_11454;
+ break;
+--
+2.40.1
+
--- /dev/null
+From 38c31cd6cb6751aad892de84b53bc5b8c16e19c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Aug 2023 21:10:45 -0600
+Subject: wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit d5a93b7d2877aae4ba7590ad6cb65f8d33079489 ]
+
+Add sanity checks for both `tlv_len` and `tlv_bitmap_len` before
+decoding data from `event_buf`.
+
+This prevents any malicious or buggy firmware from overflowing
+`event_buf` through large values for `tlv_len` and `tlv_bitmap_len`.
+
+Suggested-by: Dan Williams <dcbw@redhat.com>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/d4f8780527d551552ee96f17a0229e02e1c200d1.1692931954.git.gustavoars@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/marvell/mwifiex/11n_rxreorder.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
+index d1d3632a3ed7b..4ab3a14567b65 100644
+--- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
++++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
+@@ -921,6 +921,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv,
+ while (tlv_buf_left >= sizeof(*tlv_rxba)) {
+ tlv_type = le16_to_cpu(tlv_rxba->header.type);
+ tlv_len = le16_to_cpu(tlv_rxba->header.len);
++ if (size_add(sizeof(tlv_rxba->header), tlv_len) > tlv_buf_left) {
++ mwifiex_dbg(priv->adapter, WARN,
++ "TLV size (%zu) overflows event_buf buf_left=%d\n",
++ size_add(sizeof(tlv_rxba->header), tlv_len),
++ tlv_buf_left);
++ return;
++ }
++
+ if (tlv_type != TLV_TYPE_RXBA_SYNC) {
+ mwifiex_dbg(priv->adapter, ERROR,
+ "Wrong TLV id=0x%x\n", tlv_type);
+@@ -929,6 +937,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv,
+
+ tlv_seq_num = le16_to_cpu(tlv_rxba->seq_num);
+ tlv_bitmap_len = le16_to_cpu(tlv_rxba->bitmap_len);
++ if (size_add(sizeof(*tlv_rxba), tlv_bitmap_len) > tlv_buf_left) {
++ mwifiex_dbg(priv->adapter, WARN,
++ "TLV size (%zu) overflows event_buf buf_left=%d\n",
++ size_add(sizeof(*tlv_rxba), tlv_bitmap_len),
++ tlv_buf_left);
++ return;
++ }
++
+ mwifiex_dbg(priv->adapter, INFO,
+ "%pM tid=%d seq_num=%d bitmap_len=%d\n",
+ tlv_rxba->mac, tlv_rxba->tid, tlv_seq_num,
+--
+2.40.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
