--- /dev/null
+From e41cb78fc6a5b241c577f73fba7b5e9fa45c635a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 May 2023 11:00:06 +0200
+Subject: af_key: Reject optional tunnel/BEET mode templates in outbound
+ policies
+
+From: Tobias Brunner <tobias@strongswan.org>
+
+[ Upstream commit cf3128a7aca55b2eefb68281d44749c683bdc96f ]
+
+xfrm_state_find() uses `encap_family` of the current template with
+the passed local and remote addresses to find a matching state.
+If an optional tunnel or BEET mode template is skipped in a mixed-family
+scenario, there could be a mismatch causing an out-of-bounds read as
+the addresses were not replaced to match the family of the next template.
+
+While there are theoretical use cases for optional templates in outbound
+policies, the only practical one is to skip IPComp states in inbound
+policies if uncompressed packets are received that are handled by an
+implicitly created IPIP state instead.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Tobias Brunner <tobias@strongswan.org>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/key/af_key.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 95edcbedf6ef2..8c21de50eadf8 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1940,7 +1940,8 @@ static u32 gen_reqid(struct net *net)
+ }
+
+ static int
+-parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
++parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_policy *pol,
++ struct sadb_x_ipsecrequest *rq)
+ {
+ struct net *net = xp_net(xp);
+ struct xfrm_tmpl *t = xp->xfrm_vec + xp->xfrm_nr;
+@@ -1958,9 +1959,12 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
+ if ((mode = pfkey_mode_to_xfrm(rq->sadb_x_ipsecrequest_mode)) < 0)
+ return -EINVAL;
+ t->mode = mode;
+- if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE)
++ if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE) {
++ if ((mode == XFRM_MODE_TUNNEL || mode == XFRM_MODE_BEET) &&
++ pol->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND)
++ return -EINVAL;
+ t->optional = 1;
+- else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) {
++ } else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) {
+ t->reqid = rq->sadb_x_ipsecrequest_reqid;
+ if (t->reqid > IPSEC_MANUAL_REQID_MAX)
+ t->reqid = 0;
+@@ -2002,7 +2006,7 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol)
+ rq->sadb_x_ipsecrequest_len < sizeof(*rq))
+ return -EINVAL;
+
+- if ((err = parse_ipsecrequest(xp, rq)) < 0)
++ if ((err = parse_ipsecrequest(xp, pol, rq)) < 0)
+ return err;
+ len -= rq->sadb_x_ipsecrequest_len;
+ rq = (void*)((u8*)rq + rq->sadb_x_ipsecrequest_len);
+--
+2.39.2
+
--- /dev/null
+From 0657e4cc26a0c74f856212ffb0dc819969bec6a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 May 2023 12:07:11 +0300
+Subject: ALSA: firewire-digi00x: prevent potential use after free
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit c0e72058d5e21982e61a29de6b098f7c1f0db498 ]
+
+This code was supposed to return an error code if init_stream()
+failed, but it instead freed dg00x->rx_stream and returned success.
+This potentially leads to a use after free.
+
+Fixes: 9a08067ec318 ("ALSA: firewire-digi00x: support AMDTP domain")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/c224cbd5-d9e2-4cd4-9bcf-2138eb1d35c6@kili.mountain
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/firewire/digi00x/digi00x-stream.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/firewire/digi00x/digi00x-stream.c b/sound/firewire/digi00x/digi00x-stream.c
+index a15f55b0dce37..295163bb8abb6 100644
+--- a/sound/firewire/digi00x/digi00x-stream.c
++++ b/sound/firewire/digi00x/digi00x-stream.c
+@@ -259,8 +259,10 @@ int snd_dg00x_stream_init_duplex(struct snd_dg00x *dg00x)
+ return err;
+
+ err = init_stream(dg00x, &dg00x->tx_stream);
+- if (err < 0)
++ if (err < 0) {
+ destroy_stream(dg00x, &dg00x->rx_stream);
++ return err;
++ }
+
+ err = amdtp_domain_init(&dg00x->domain);
+ if (err < 0) {
+--
+2.39.2
+
--- /dev/null
+From ca7a3ecd060c99ad79bdf397b12da9b4ebf79e4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 12:32:21 -0500
+Subject: ALSA: hda/realtek: Apply HP B&O top speaker profile to Pavilion 15
+
+From: Ryan C. Underwood <nemesis@icequake.net>
+
+[ Upstream commit 92553ee03166ef8fa978e7683f9f4af30c9c4e6b ]
+
+The Pavilion 15 line has B&O top speakers similar to the x360 and
+applying the same profile produces good sound. Without this, the
+sound would be tinny and underpowered without either applying
+model=alc295-hp-x360 or booting another OS first.
+
+Signed-off-by: Ryan Underwood <nemesis@icequake.net>
+Fixes: 563785edfcef ("ALSA: hda/realtek - Add quirk entry for HP Pavilion 15")
+Link: https://lore.kernel.org/r/ZF0mpcMz3ezP9KQw@icequake.net
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 172ffc2c332b7..5d78d4ba1c959 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9363,7 +9363,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x802f, "HP Z240", ALC221_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x8077, "HP", ALC256_FIXUP_HP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x103c, 0x8158, "HP", ALC256_FIXUP_HP_HEADSET_MIC),
+- SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
++ SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC295_FIXUP_HP_X360),
+ SND_PCI_QUIRK(0x103c, 0x8256, "HP", ALC221_FIXUP_HP_FRONT_MIC),
+ SND_PCI_QUIRK(0x103c, 0x827e, "HP x360", ALC295_FIXUP_HP_X360),
+ SND_PCI_QUIRK(0x103c, 0x827f, "HP x360", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+--
+2.39.2
+
--- /dev/null
+From 8afbb90503cbc2af02f1db83bae7718f4e4c1856 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 May 2023 18:16:36 +0800
+Subject: ASoC: fsl_micfil: Fix error handler with pm_runtime_enable
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit 17955aba7877a4494d8093ae5498e19469b01d57 ]
+
+There is error message when defer probe happens:
+
+fsl-micfil-dai 30ca0000.micfil: Unbalanced pm_runtime_enable!
+
+Fix the error handler with pm_runtime_enable and add
+fsl_micfil_remove() for pm_runtime_disable.
+
+Fixes: 47a70e6fc9a8 ("ASoC: Add MICFIL SoC Digital Audio Interface driver.")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com
+Link: https://lore.kernel.org/r/1683540996-6136-1-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_micfil.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
+index 4b8fe9b8be407..3a03f49452fa3 100644
+--- a/sound/soc/fsl/fsl_micfil.c
++++ b/sound/soc/fsl/fsl_micfil.c
+@@ -712,7 +712,7 @@ static int fsl_micfil_probe(struct platform_device *pdev)
+ ret = devm_snd_dmaengine_pcm_register(&pdev->dev, NULL, 0);
+ if (ret) {
+ dev_err(&pdev->dev, "failed to pcm register\n");
+- return ret;
++ goto err_pm_disable;
+ }
+
+ fsl_micfil_dai.capture.formats = micfil->soc->formats;
+@@ -722,9 +722,20 @@ static int fsl_micfil_probe(struct platform_device *pdev)
+ if (ret) {
+ dev_err(&pdev->dev, "failed to register component %s\n",
+ fsl_micfil_component.name);
++ goto err_pm_disable;
+ }
+
+ return ret;
++
++err_pm_disable:
++ pm_runtime_disable(&pdev->dev);
++
++ return ret;
++}
++
++static void fsl_micfil_remove(struct platform_device *pdev)
++{
++ pm_runtime_disable(&pdev->dev);
+ }
+
+ static int __maybe_unused fsl_micfil_runtime_suspend(struct device *dev)
+@@ -785,6 +796,7 @@ static const struct dev_pm_ops fsl_micfil_pm_ops = {
+
+ static struct platform_driver fsl_micfil_driver = {
+ .probe = fsl_micfil_probe,
++ .remove_new = fsl_micfil_remove,
+ .driver = {
+ .name = "fsl-micfil-dai",
+ .pm = &fsl_micfil_pm_ops,
+--
+2.39.2
+
--- /dev/null
+From 0decfdd3cde8847c98d43f52d995eee371939515 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 09:25:12 -0700
+Subject: ASoC: mediatek: mt8186: Fix use-after-free in driver remove path
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit a93d2afd3f77a7331271a0f25c6a11003db69b3c ]
+
+When devm runs function in the "remove" path for a device it runs them
+in the reverse order. That means that if you have parts of your driver
+that aren't using devm or are using "roll your own" devm w/
+devm_add_action_or_reset() you need to keep that in mind.
+
+The mt8186 audio driver didn't quite get this right. Specifically, in
+mt8186_init_clock() it called mt8186_audsys_clk_register() and then
+went on to call a bunch of other devm function. The caller of
+mt8186_init_clock() used devm_add_action_or_reset() to call
+mt8186_deinit_clock() but, because of the intervening devm functions,
+the order was wrong.
+
+Specifically at probe time, the order was:
+1. mt8186_audsys_clk_register()
+2. afe_priv->clk = devm_kcalloc(...)
+3. afe_priv->clk[i] = devm_clk_get(...)
+
+At remove time, the order (which should have been 3, 2, 1) was:
+1. mt8186_audsys_clk_unregister()
+3. Free all of afe_priv->clk[i]
+2. Free afe_priv->clk
+
+The above seemed to be causing a use-after-free. Luckily, it's easy to
+fix this by simply using devm more correctly. Let's move the
+devm_add_action_or_reset() to the right place. In addition to fixing
+the use-after-free, code inspection shows that this fixes a leak
+(missing call to mt8186_audsys_clk_unregister()) that would have
+happened if any of the syscon_regmap_lookup_by_phandle() calls in
+mt8186_init_clock() had failed.
+
+Fixes: 55b423d5623c ("ASoC: mediatek: mt8186: support audio clock control in platform driver")
+Signed-off-by: Douglas Anderson <dianders@chromium.org
+Link: https://lore.kernel.org/r/20230511092437.1.I31cceffc8c45bb1af16eb613e197b3df92cdc19e@changeid
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/mediatek/mt8186/mt8186-afe-clk.c | 6 ---
+ sound/soc/mediatek/mt8186/mt8186-afe-clk.h | 1 -
+ sound/soc/mediatek/mt8186/mt8186-afe-pcm.c | 4 --
+ sound/soc/mediatek/mt8186/mt8186-audsys-clk.c | 46 ++++++++++---------
+ sound/soc/mediatek/mt8186/mt8186-audsys-clk.h | 1 -
+ 5 files changed, 24 insertions(+), 34 deletions(-)
+
+diff --git a/sound/soc/mediatek/mt8186/mt8186-afe-clk.c b/sound/soc/mediatek/mt8186/mt8186-afe-clk.c
+index a6b4f29049bbc..539e3a023bc4e 100644
+--- a/sound/soc/mediatek/mt8186/mt8186-afe-clk.c
++++ b/sound/soc/mediatek/mt8186/mt8186-afe-clk.c
+@@ -644,9 +644,3 @@ int mt8186_init_clock(struct mtk_base_afe *afe)
+
+ return 0;
+ }
+-
+-void mt8186_deinit_clock(void *priv)
+-{
+- struct mtk_base_afe *afe = priv;
+- mt8186_audsys_clk_unregister(afe);
+-}
+diff --git a/sound/soc/mediatek/mt8186/mt8186-afe-clk.h b/sound/soc/mediatek/mt8186/mt8186-afe-clk.h
+index d5988717d8f2d..a9d59e506d9af 100644
+--- a/sound/soc/mediatek/mt8186/mt8186-afe-clk.h
++++ b/sound/soc/mediatek/mt8186/mt8186-afe-clk.h
+@@ -81,7 +81,6 @@ enum {
+ struct mtk_base_afe;
+ int mt8186_set_audio_int_bus_parent(struct mtk_base_afe *afe, int clk_id);
+ int mt8186_init_clock(struct mtk_base_afe *afe);
+-void mt8186_deinit_clock(void *priv);
+ int mt8186_afe_enable_cgs(struct mtk_base_afe *afe);
+ void mt8186_afe_disable_cgs(struct mtk_base_afe *afe);
+ int mt8186_afe_enable_clock(struct mtk_base_afe *afe);
+diff --git a/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c b/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c
+index d7e94e6a19c70..0e3792ccd49f6 100644
+--- a/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c
++++ b/sound/soc/mediatek/mt8186/mt8186-afe-pcm.c
+@@ -2847,10 +2847,6 @@ static int mt8186_afe_pcm_dev_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+- ret = devm_add_action_or_reset(dev, mt8186_deinit_clock, (void *)afe);
+- if (ret)
+- return ret;
+-
+ /* init memif */
+ afe->memif_32bit_supported = 0;
+ afe->memif_size = MT8186_MEMIF_NUM;
+diff --git a/sound/soc/mediatek/mt8186/mt8186-audsys-clk.c b/sound/soc/mediatek/mt8186/mt8186-audsys-clk.c
+index 578969ca91c8e..5666be6b1bd2e 100644
+--- a/sound/soc/mediatek/mt8186/mt8186-audsys-clk.c
++++ b/sound/soc/mediatek/mt8186/mt8186-audsys-clk.c
+@@ -84,6 +84,29 @@ static const struct afe_gate aud_clks[CLK_AUD_NR_CLK] = {
+ GATE_AUD2(CLK_AUD_ETDM_OUT1_BCLK, "aud_etdm_out1_bclk", "top_audio", 24),
+ };
+
++static void mt8186_audsys_clk_unregister(void *data)
++{
++ struct mtk_base_afe *afe = data;
++ struct mt8186_afe_private *afe_priv = afe->platform_priv;
++ struct clk *clk;
++ struct clk_lookup *cl;
++ int i;
++
++ if (!afe_priv)
++ return;
++
++ for (i = 0; i < CLK_AUD_NR_CLK; i++) {
++ cl = afe_priv->lookup[i];
++ if (!cl)
++ continue;
++
++ clk = cl->clk;
++ clk_unregister_gate(clk);
++
++ clkdev_drop(cl);
++ }
++}
++
+ int mt8186_audsys_clk_register(struct mtk_base_afe *afe)
+ {
+ struct mt8186_afe_private *afe_priv = afe->platform_priv;
+@@ -124,27 +147,6 @@ int mt8186_audsys_clk_register(struct mtk_base_afe *afe)
+ afe_priv->lookup[i] = cl;
+ }
+
+- return 0;
++ return devm_add_action_or_reset(afe->dev, mt8186_audsys_clk_unregister, afe);
+ }
+
+-void mt8186_audsys_clk_unregister(struct mtk_base_afe *afe)
+-{
+- struct mt8186_afe_private *afe_priv = afe->platform_priv;
+- struct clk *clk;
+- struct clk_lookup *cl;
+- int i;
+-
+- if (!afe_priv)
+- return;
+-
+- for (i = 0; i < CLK_AUD_NR_CLK; i++) {
+- cl = afe_priv->lookup[i];
+- if (!cl)
+- continue;
+-
+- clk = cl->clk;
+- clk_unregister_gate(clk);
+-
+- clkdev_drop(cl);
+- }
+-}
+diff --git a/sound/soc/mediatek/mt8186/mt8186-audsys-clk.h b/sound/soc/mediatek/mt8186/mt8186-audsys-clk.h
+index b8d6a06e11e8d..897a2914dc191 100644
+--- a/sound/soc/mediatek/mt8186/mt8186-audsys-clk.h
++++ b/sound/soc/mediatek/mt8186/mt8186-audsys-clk.h
+@@ -10,6 +10,5 @@
+ #define _MT8186_AUDSYS_CLK_H_
+
+ int mt8186_audsys_clk_register(struct mtk_base_afe *afe);
+-void mt8186_audsys_clk_unregister(struct mtk_base_afe *afe);
+
+ #endif
+--
+2.39.2
+
--- /dev/null
+From 8ebcccb2f180c8fbd931b967047e08325aaae6b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 14:46:30 +0300
+Subject: ASoC: SOF: topology: Fix logic for copying tuples
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+
+[ Upstream commit 41c5305cc3d827d2ea686533777a285176ae01a0 ]
+
+Topology could have more instances of the tokens being searched for than
+the number of sets that need to be copied. Stop copying token after the
+limit of number of token instances has been reached. This worked before
+only by chance as we had allocated more size for the tuples array than
+the number of actual tokens being parsed.
+
+Fixes: 7006d20e5e9d ("ASoC: SOF: Introduce IPC3 ops")
+Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com
+Link: https://lore.kernel.org/r/20230512114630.24439-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/topology.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c
+index 6a0e7f3b50234..872e44408298f 100644
+--- a/sound/soc/sof/topology.c
++++ b/sound/soc/sof/topology.c
+@@ -545,6 +545,10 @@ static int sof_copy_tuples(struct snd_sof_dev *sdev, struct snd_soc_tplg_vendor_
+ if (*num_copied_tuples == tuples_size)
+ return 0;
+ }
++
++ /* stop when we've found the required token instances */
++ if (found == num_tokens * token_instance_num)
++ return 0;
+ }
+
+ /* next array */
+--
+2.39.2
+
--- /dev/null
+From 2c333f202961ea2f4e4da5335b23811aafecb93a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 21:45:35 +0200
+Subject: bridge: always declare tunnel functions
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 89dcd87ce534a3a7f267cfd58505803006f51301 ]
+
+When CONFIG_BRIDGE_VLAN_FILTERING is disabled, two functions are still
+defined but have no prototype or caller. This causes a W=1 warning for
+the missing prototypes:
+
+net/bridge/br_netlink_tunnel.c:29:6: error: no previous prototype for 'vlan_tunid_inrange' [-Werror=missing-prototypes]
+net/bridge/br_netlink_tunnel.c:199:5: error: no previous prototype for 'br_vlan_tunnel_info' [-Werror=missing-prototypes]
+
+The functions are already contitional on CONFIG_BRIDGE_VLAN_FILTERING,
+and I coulnd't easily figure out the right set of #ifdefs, so just
+move the declarations out of the #ifdef to avoid the warning,
+at a small cost in code size over a more elaborate fix.
+
+Fixes: 188c67dd1906 ("net: bridge: vlan options: add support for tunnel id dumping")
+Fixes: 569da0822808 ("net: bridge: vlan options: add support for tunnel mapping set/del")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230516194625.549249-3-arnd@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_private_tunnel.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/bridge/br_private_tunnel.h b/net/bridge/br_private_tunnel.h
+index 2b053289f0166..efb096025151a 100644
+--- a/net/bridge/br_private_tunnel.h
++++ b/net/bridge/br_private_tunnel.h
+@@ -27,6 +27,10 @@ int br_process_vlan_tunnel_info(const struct net_bridge *br,
+ int br_get_vlan_tunnel_info_size(struct net_bridge_vlan_group *vg);
+ int br_fill_vlan_tunnel_info(struct sk_buff *skb,
+ struct net_bridge_vlan_group *vg);
++bool vlan_tunid_inrange(const struct net_bridge_vlan *v_curr,
++ const struct net_bridge_vlan *v_last);
++int br_vlan_tunnel_info(const struct net_bridge_port *p, int cmd,
++ u16 vid, u32 tun_id, bool *changed);
+
+ #ifdef CONFIG_BRIDGE_VLAN_FILTERING
+ /* br_vlan_tunnel.c */
+@@ -43,10 +47,6 @@ void br_handle_ingress_vlan_tunnel(struct sk_buff *skb,
+ struct net_bridge_vlan_group *vg);
+ int br_handle_egress_vlan_tunnel(struct sk_buff *skb,
+ struct net_bridge_vlan *vlan);
+-bool vlan_tunid_inrange(const struct net_bridge_vlan *v_curr,
+- const struct net_bridge_vlan *v_last);
+-int br_vlan_tunnel_info(const struct net_bridge_port *p, int cmd,
+- u16 vid, u32 tun_id, bool *changed);
+ #else
+ static inline int vlan_tunnel_init(struct net_bridge_vlan_group *vg)
+ {
+--
+2.39.2
+
--- /dev/null
+From 3f3f41d1f8ecaf62af6e6de2ed4e62faba6b77aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 May 2023 20:45:15 +0200
+Subject: can: dev: fix missing CAN XL support in can_put_echo_skb()
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+[ Upstream commit 6bffdc38f9935bae49f980448f3f6be2dada0564 ]
+
+can_put_echo_skb() checks for the enabled IFF_ECHO flag and the
+correct ETH_P type of the given skbuff. When implementing the CAN XL
+support the new check for ETH_P_CANXL has been forgotten.
+
+Fixes: fb08cba12b52 ("can: canxl: update CAN infrastructure for CAN XL frames")
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://lore.kernel.org/all/20230506184515.39241-1-socketcan@hartkopp.net
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/dev/skb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/dev/skb.c b/drivers/net/can/dev/skb.c
+index 241ec636e91fd..f6d05b3ef59ab 100644
+--- a/drivers/net/can/dev/skb.c
++++ b/drivers/net/can/dev/skb.c
+@@ -54,7 +54,8 @@ int can_put_echo_skb(struct sk_buff *skb, struct net_device *dev,
+ /* check flag whether this packet has to be looped back */
+ if (!(dev->flags & IFF_ECHO) ||
+ (skb->protocol != htons(ETH_P_CAN) &&
+- skb->protocol != htons(ETH_P_CANFD))) {
++ skb->protocol != htons(ETH_P_CANFD) &&
++ skb->protocol != htons(ETH_P_CANXL))) {
+ kfree_skb(skb);
+ return 0;
+ }
+--
+2.39.2
+
--- /dev/null
+From 8967c472af27aeb923bf18d802705e843f816df6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 May 2023 21:09:11 +0200
+Subject: cassini: Fix a memory leak in the error handling path of
+ cas_init_one()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 412cd77a2c24b191c65ea53025222418db09817c ]
+
+cas_saturn_firmware_init() allocates some memory using vmalloc(). This
+memory is freed in the .remove() function but not it the error handling
+path of the probe.
+
+Add the missing vfree() to avoid a memory leak, should an error occur.
+
+Fixes: fcaa40669cd7 ("cassini: use request_firmware")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sun/cassini.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/sun/cassini.c b/drivers/net/ethernet/sun/cassini.c
+index 0aca193d9550d..800956d5464b4 100644
+--- a/drivers/net/ethernet/sun/cassini.c
++++ b/drivers/net/ethernet/sun/cassini.c
+@@ -5095,6 +5095,8 @@ static int cas_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ cas_shutdown(cp);
+ mutex_unlock(&cp->pm_mutex);
+
++ vfree(cp->fw_data);
++
+ pci_iounmap(pdev, cp->regs);
+
+
+--
+2.39.2
+
--- /dev/null
+From 1da33a5d4b79687a504a50c9ebedcc717bbd2ef5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 May 2023 06:25:44 +0000
+Subject: cpupower: Make TSC read per CPU for Mperf monitor
+
+From: Wyes Karny <wyes.karny@amd.com>
+
+[ Upstream commit c2adb1877b76fc81ae041e1db1a6ed2078c6746b ]
+
+System-wide TSC read could cause a drift in C0 percentage calculation.
+Because if first TSC is read and then one by one mperf is read for all
+cpus, this introduces drift between mperf reading of later CPUs and TSC
+reading. To lower this drift read TSC per CPU and also just after mperf
+read. This technique improves C0 percentage calculation in Mperf monitor.
+
+Before fix: (System 100% busy)
+
+ | Mperf || RAPL || Idle_Stats
+ PKG|CORE| CPU| C0 | Cx | Freq || pack | core || POLL | C1 | C2
+ 0| 0| 0| 87.15| 12.85| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 0| 256| 84.62| 15.38| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 1| 1| 87.15| 12.85| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 1| 257| 84.08| 15.92| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 2| 2| 86.61| 13.39| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 2| 258| 83.26| 16.74| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 3| 3| 86.61| 13.39| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 3| 259| 83.60| 16.40| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 4| 4| 86.33| 13.67| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 4| 260| 83.33| 16.67| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 5| 5| 86.06| 13.94| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 5| 261| 83.05| 16.95| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 6| 6| 85.51| 14.49| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+
+After fix: (System 100% busy)
+
+ | Mperf || RAPL || Idle_Stats
+ PKG|CORE| CPU| C0 | Cx | Freq || pack | core || POLL | C1 | C2
+ 0| 0| 0| 98.03| 1.97| 2415||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 0| 256| 98.50| 1.50| 2394||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 1| 1| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 1| 257| 99.99| 0.01| 2375||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 2| 2| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 2| 258|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 3| 3|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 3| 259| 99.99| 0.01| 2435||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 4| 4|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 4| 260|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 5| 5| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 5| 261|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 6| 6|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 6| 262|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00
+
+Cc: Thomas Renninger <trenn@suse.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+
+Fixes: 7fe2f6399a84 ("cpupowerutils - cpufrequtils extended with quite some features")
+Signed-off-by: Wyes Karny <wyes.karny@amd.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../utils/idle_monitor/mperf_monitor.c | 31 +++++++++----------
+ 1 file changed, 14 insertions(+), 17 deletions(-)
+
+diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
+index e7d48cb563c0e..ae6af354a81db 100644
+--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
++++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
+@@ -70,8 +70,8 @@ static int max_freq_mode;
+ */
+ static unsigned long max_frequency;
+
+-static unsigned long long tsc_at_measure_start;
+-static unsigned long long tsc_at_measure_end;
++static unsigned long long *tsc_at_measure_start;
++static unsigned long long *tsc_at_measure_end;
+ static unsigned long long *mperf_previous_count;
+ static unsigned long long *aperf_previous_count;
+ static unsigned long long *mperf_current_count;
+@@ -169,7 +169,7 @@ static int mperf_get_count_percent(unsigned int id, double *percent,
+ aperf_diff = aperf_current_count[cpu] - aperf_previous_count[cpu];
+
+ if (max_freq_mode == MAX_FREQ_TSC_REF) {
+- tsc_diff = tsc_at_measure_end - tsc_at_measure_start;
++ tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu];
+ *percent = 100.0 * mperf_diff / tsc_diff;
+ dprint("%s: TSC Ref - mperf_diff: %llu, tsc_diff: %llu\n",
+ mperf_cstates[id].name, mperf_diff, tsc_diff);
+@@ -206,7 +206,7 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count,
+
+ if (max_freq_mode == MAX_FREQ_TSC_REF) {
+ /* Calculate max_freq from TSC count */
+- tsc_diff = tsc_at_measure_end - tsc_at_measure_start;
++ tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu];
+ time_diff = timespec_diff_us(time_start, time_end);
+ max_frequency = tsc_diff / time_diff;
+ }
+@@ -225,33 +225,27 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count,
+ static int mperf_start(void)
+ {
+ int cpu;
+- unsigned long long dbg;
+
+ clock_gettime(CLOCK_REALTIME, &time_start);
+- mperf_get_tsc(&tsc_at_measure_start);
+
+- for (cpu = 0; cpu < cpu_count; cpu++)
++ for (cpu = 0; cpu < cpu_count; cpu++) {
++ mperf_get_tsc(&tsc_at_measure_start[cpu]);
+ mperf_init_stats(cpu);
++ }
+
+- mperf_get_tsc(&dbg);
+- dprint("TSC diff: %llu\n", dbg - tsc_at_measure_start);
+ return 0;
+ }
+
+ static int mperf_stop(void)
+ {
+- unsigned long long dbg;
+ int cpu;
+
+- for (cpu = 0; cpu < cpu_count; cpu++)
++ for (cpu = 0; cpu < cpu_count; cpu++) {
+ mperf_measure_stats(cpu);
++ mperf_get_tsc(&tsc_at_measure_end[cpu]);
++ }
+
+- mperf_get_tsc(&tsc_at_measure_end);
+ clock_gettime(CLOCK_REALTIME, &time_end);
+-
+- mperf_get_tsc(&dbg);
+- dprint("TSC diff: %llu\n", dbg - tsc_at_measure_end);
+-
+ return 0;
+ }
+
+@@ -353,7 +347,8 @@ struct cpuidle_monitor *mperf_register(void)
+ aperf_previous_count = calloc(cpu_count, sizeof(unsigned long long));
+ mperf_current_count = calloc(cpu_count, sizeof(unsigned long long));
+ aperf_current_count = calloc(cpu_count, sizeof(unsigned long long));
+-
++ tsc_at_measure_start = calloc(cpu_count, sizeof(unsigned long long));
++ tsc_at_measure_end = calloc(cpu_count, sizeof(unsigned long long));
+ mperf_monitor.name_len = strlen(mperf_monitor.name);
+ return &mperf_monitor;
+ }
+@@ -364,6 +359,8 @@ void mperf_unregister(void)
+ free(aperf_previous_count);
+ free(mperf_current_count);
+ free(aperf_current_count);
++ free(tsc_at_measure_start);
++ free(tsc_at_measure_end);
+ free(is_valid);
+ }
+
+--
+2.39.2
+
--- /dev/null
+From dca6f3aff6abeaafec195e6aed00f909abd2fa84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Apr 2023 23:04:11 +0200
+Subject: drm/exynos: fix g2d_open/close helper function definitions
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 2ef0785b30bd6549ddbc124979f1b6596e065ae2 ]
+
+The empty stub functions are defined as global functions, which
+causes a warning because of missing prototypes:
+
+drivers/gpu/drm/exynos/exynos_drm_g2d.h:37:5: error: no previous prototype for 'g2d_open'
+drivers/gpu/drm/exynos/exynos_drm_g2d.h:42:5: error: no previous prototype for 'g2d_close'
+
+Mark them as 'static inline' to avoid the warning and to make
+them behave as intended.
+
+Fixes: eb4d9796fa34 ("drm/exynos: g2d: Convert to driver component API")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_g2d.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.h b/drivers/gpu/drm/exynos/exynos_drm_g2d.h
+index 74ea3c26deadc..1a5ae781b56c6 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.h
++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.h
+@@ -34,11 +34,11 @@ static inline int exynos_g2d_exec_ioctl(struct drm_device *dev, void *data,
+ return -ENODEV;
+ }
+
+-int g2d_open(struct drm_device *drm_dev, struct drm_file *file)
++static inline int g2d_open(struct drm_device *drm_dev, struct drm_file *file)
+ {
+ return 0;
+ }
+
+-void g2d_close(struct drm_device *drm_dev, struct drm_file *file)
++static inline void g2d_close(struct drm_device *drm_dev, struct drm_file *file)
+ { }
+ #endif
+--
+2.39.2
+
--- /dev/null
+From 192109a48951265379ca4a0d42b3fbb50695b173 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Apr 2023 15:56:57 +0100
+Subject: drm/msm/dp: unregister audio driver during unbind
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 85c636284cb63b7740b4ae98881ace92158068d3 ]
+
+while binding the code always registers a audio driver, however there
+is no corresponding unregistration done in unbind. This leads to multiple
+redundant audio platform devices if dp_display_bind and dp_display_unbind
+happens multiple times during startup. On X13s platform this resulted in
+6 to 9 audio codec device instead of just 3 codec devices for 3 dp ports.
+
+Fix this by unregistering codecs on unbind.
+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Fixes: d13e36d7d222 ("drm/msm/dp: add audio support for Display Port on MSM")
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/533324/
+Link: https://lore.kernel.org/r/20230421145657.12186-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dp/dp_audio.c | 12 ++++++++++++
+ drivers/gpu/drm/msm/dp/dp_audio.h | 2 ++
+ drivers/gpu/drm/msm/dp/dp_display.c | 1 +
+ 3 files changed, 15 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/dp/dp_audio.c b/drivers/gpu/drm/msm/dp/dp_audio.c
+index 6666783e1468e..1245c7aa49df8 100644
+--- a/drivers/gpu/drm/msm/dp/dp_audio.c
++++ b/drivers/gpu/drm/msm/dp/dp_audio.c
+@@ -593,6 +593,18 @@ static struct hdmi_codec_pdata codec_data = {
+ .i2s = 1,
+ };
+
++void dp_unregister_audio_driver(struct device *dev, struct dp_audio *dp_audio)
++{
++ struct dp_audio_private *audio_priv;
++
++ audio_priv = container_of(dp_audio, struct dp_audio_private, dp_audio);
++
++ if (audio_priv->audio_pdev) {
++ platform_device_unregister(audio_priv->audio_pdev);
++ audio_priv->audio_pdev = NULL;
++ }
++}
++
+ int dp_register_audio_driver(struct device *dev,
+ struct dp_audio *dp_audio)
+ {
+diff --git a/drivers/gpu/drm/msm/dp/dp_audio.h b/drivers/gpu/drm/msm/dp/dp_audio.h
+index 84e5f4a5d26ba..4ab78880af829 100644
+--- a/drivers/gpu/drm/msm/dp/dp_audio.h
++++ b/drivers/gpu/drm/msm/dp/dp_audio.h
+@@ -53,6 +53,8 @@ struct dp_audio *dp_audio_get(struct platform_device *pdev,
+ int dp_register_audio_driver(struct device *dev,
+ struct dp_audio *dp_audio);
+
++void dp_unregister_audio_driver(struct device *dev, struct dp_audio *dp_audio);
++
+ /**
+ * dp_audio_put()
+ *
+diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c
+index c9d9b384ddd03..57b82e5d0ab12 100644
+--- a/drivers/gpu/drm/msm/dp/dp_display.c
++++ b/drivers/gpu/drm/msm/dp/dp_display.c
+@@ -323,6 +323,7 @@ static void dp_display_unbind(struct device *dev, struct device *master,
+ kthread_stop(dp->ev_tsk);
+
+ dp_power_client_deinit(dp->power);
++ dp_unregister_audio_driver(dev, dp->audio);
+ dp_aux_unregister(dp->aux);
+ dp->drm_dev = NULL;
+ dp->aux->drm_dev = NULL;
+--
+2.39.2
+
--- /dev/null
+From 75fe94f6d728abc0ef15f95f5de05dabf2949fdb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Apr 2023 01:11:09 +0200
+Subject: drm/msm/dpu: Assign missing writeback log_mask
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit a432fc31f03db2546a48bcf5dd69ca28ceb732bf ]
+
+The WB debug log mask ended up never being assigned, leading to writes
+to this block to never be logged even if the mask is enabled in
+dpu_hw_util_log_mask via debugfs.
+
+Fixes: 84a33d0fd921 ("drm/msm/dpu: add dpu_hw_wb abstraction for writeback blocks")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/533860/
+Link: https://lore.kernel.org/r/20230418-dpu-drop-useless-for-lookup-v3-1-e8d869eea455@somainline.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hw_wb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_wb.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_wb.c
+index 2d28afdf860ef..a3e413d277175 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_wb.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_wb.c
+@@ -61,6 +61,7 @@ static const struct dpu_wb_cfg *_wb_offset(enum dpu_wb wb,
+ for (i = 0; i < m->wb_count; i++) {
+ if (wb == m->wb[i].id) {
+ b->blk_addr = addr + m->wb[i].base;
++ b->log_mask = DPU_DBG_MASK_WB;
+ return &m->wb[i];
+ }
+ }
+--
+2.39.2
+
--- /dev/null
+From 2d14357ab99b68f2679c57937f0abc2245cdd2a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Apr 2023 00:37:17 +0200
+Subject: drm/msm/dpu: Move non-MDP_TOP INTF_INTR offsets out of hwio header
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit e9d9ce5462fecdeefec87953de71df4d025cbc72 ]
+
+These offsets do not fall under the MDP TOP block and do not fit the
+comment right above. Move them to dpu_hw_interrupts.c next to the
+repsective MDP_INTF_x_OFF interrupt block offsets.
+
+Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/534203/
+Link: https://lore.kernel.org/r/20230411-dpu-intf-te-v4-3-27ce1a5ab5c6@somainline.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c | 5 ++++-
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h | 3 ---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
+index cf1b6d84c18a3..75e1b89c9eacf 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
+@@ -15,7 +15,7 @@
+
+ /*
+ * Register offsets in MDSS register file for the interrupt registers
+- * w.r.t. to the MDP base
++ * w.r.t. the MDP base
+ */
+ #define MDP_SSPP_TOP0_OFF 0x0
+ #define MDP_INTF_0_OFF 0x6A000
+@@ -24,6 +24,9 @@
+ #define MDP_INTF_3_OFF 0x6B800
+ #define MDP_INTF_4_OFF 0x6C000
+ #define MDP_INTF_5_OFF 0x6C800
++#define INTF_INTR_EN 0x1c0
++#define INTF_INTR_STATUS 0x1c4
++#define INTF_INTR_CLEAR 0x1c8
+ #define MDP_AD4_0_OFF 0x7C000
+ #define MDP_AD4_1_OFF 0x7D000
+ #define MDP_AD4_INTR_EN_OFF 0x41c
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h
+index c8156ed4b7fb8..93081e82c6d74 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h
+@@ -20,9 +20,6 @@
+ #define HIST_INTR_EN 0x01c
+ #define HIST_INTR_STATUS 0x020
+ #define HIST_INTR_CLEAR 0x024
+-#define INTF_INTR_EN 0x1C0
+-#define INTF_INTR_STATUS 0x1C4
+-#define INTF_INTR_CLEAR 0x1C8
+ #define SPLIT_DISPLAY_EN 0x2F4
+ #define SPLIT_DISPLAY_UPPER_PIPE_CTRL 0x2F8
+ #define DSPP_IGC_COLOR0_RAM_LUTN 0x300
+--
+2.39.2
+
--- /dev/null
+From f2df0140e19c5caf3303ad6baac812d3005c2c15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Apr 2023 00:37:22 +0200
+Subject: drm/msm/dpu: Remove duplicate register defines from INTF
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 202c044203ac5860e3025169105368d99f9bc6a2 ]
+
+The INTF_FRAME_LINE_COUNT_EN, INTF_FRAME_COUNT and INTF_LINE_COUNT
+registers are already defined higher up, in the right place when sorted
+numerically.
+
+Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/534231/
+Link: https://lore.kernel.org/r/20230411-dpu-intf-te-v4-8-27ce1a5ab5c6@somainline.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c
+index 7ce66bf3f4c8d..b2a94b9a3e987 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c
+@@ -56,11 +56,6 @@
+ #define INTF_TPG_RGB_MAPPING 0x11C
+ #define INTF_PROG_FETCH_START 0x170
+ #define INTF_PROG_ROT_START 0x174
+-
+-#define INTF_FRAME_LINE_COUNT_EN 0x0A8
+-#define INTF_FRAME_COUNT 0x0AC
+-#define INTF_LINE_COUNT 0x0B0
+-
+ #define INTF_MUX 0x25C
+
+ #define INTF_CFG_ACTIVE_H_EN BIT(29)
+--
+2.39.2
+
--- /dev/null
+From 2d884fa019087d8fd1e7fee1524d1f99e3a0ea54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 May 2023 13:30:41 -0700
+Subject: drm/msm: Fix submit error-path leaks
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit 68dc6c2d5eec45515855cce99256162f45651a0b ]
+
+For errors after msm_submitqueue_get(), we need to drop the submitqueue
+reference. Additionally after get_unused_fd() we need to drop the fd.
+The ordering for dropping the queue lock and put_unused_fd() is not
+important, so just move this all into out_post_unlock.
+
+v2: Only drop queue ref if submit doesn't take it
+v3: Fix unitialized submit ref in error path
+v4: IS_ERR_OR_NULL()
+
+Reported-by: pinkperfect2021@gmail.com
+Fixes: f0de40a131d9 drm/msm: ("Reorder lock vs submit alloc")
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Patchwork: https://patchwork.freedesktop.org/patch/536073/
+Link: https://lore.kernel.org/r/20230509203041.440619-1-robdclark@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
+index d8c9d184190bb..d6162561141c5 100644
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -709,7 +709,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
+ struct msm_drm_private *priv = dev->dev_private;
+ struct drm_msm_gem_submit *args = data;
+ struct msm_file_private *ctx = file->driver_priv;
+- struct msm_gem_submit *submit;
++ struct msm_gem_submit *submit = NULL;
+ struct msm_gpu *gpu = priv->gpu;
+ struct msm_gpu_submitqueue *queue;
+ struct msm_ringbuffer *ring;
+@@ -756,13 +756,15 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
+ out_fence_fd = get_unused_fd_flags(O_CLOEXEC);
+ if (out_fence_fd < 0) {
+ ret = out_fence_fd;
+- return ret;
++ goto out_post_unlock;
+ }
+ }
+
+ submit = submit_create(dev, gpu, queue, args->nr_bos, args->nr_cmds);
+- if (IS_ERR(submit))
+- return PTR_ERR(submit);
++ if (IS_ERR(submit)) {
++ ret = PTR_ERR(submit);
++ goto out_post_unlock;
++ }
+
+ trace_msm_gpu_submit(pid_nr(submit->pid), ring->id, submit->ident,
+ args->nr_bos, args->nr_cmds);
+@@ -945,11 +947,20 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
+ if (has_ww_ticket)
+ ww_acquire_fini(&submit->ticket);
+ out_unlock:
+- if (ret && (out_fence_fd >= 0))
+- put_unused_fd(out_fence_fd);
+ mutex_unlock(&queue->lock);
+ out_post_unlock:
+- msm_gem_submit_put(submit);
++ if (ret && (out_fence_fd >= 0))
++ put_unused_fd(out_fence_fd);
++
++ if (!IS_ERR_OR_NULL(submit)) {
++ msm_gem_submit_put(submit);
++ } else {
++ /*
++ * If the submit hasn't yet taken ownership of the queue
++ * then we need to drop the reference ourself:
++ */
++ msm_submitqueue_put(queue);
++ }
+ if (!IS_ERR_OR_NULL(post_deps)) {
+ for (i = 0; i < args->nr_out_syncobjs; ++i) {
+ kfree(post_deps[i].chain);
+--
+2.39.2
+
--- /dev/null
+From 17e003072766cb1c16c6a6eb0402f4987c18a60b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Apr 2023 20:21:32 +0800
+Subject: dt-bindings: display/msm: dsi-controller-main: Document qcom,
+ master-dsi and qcom, sync-dual-dsi
+
+From: Jianhua Lu <lujianhua000@gmail.com>
+
+[ Upstream commit ca29699a57ecee6084a4056f5bfd6f11dd359a71 ]
+
+This fixes warning:
+ sm8250-xiaomi-elish-csot.dtb: dsi@ae94000: Unevaluated properties are not allowed ('qcom,master-dsi', 'qcom,sync-dual-dsi' were unexpected)
+
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Acked-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Jianhua Lu <lujianhua000@gmail.com>
+Fixes: 4dbe55c97741 ("dt-bindings: msm: dsi: add yaml schemas for DSI bindings")
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/534306/
+Link: https://lore.kernel.org/r/20230427122132.24840-1-lujianhua000@gmail.com
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../bindings/display/msm/dsi-controller-main.yaml | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml b/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml
+index 6c5b4783812ae..2fa1759e74d95 100644
+--- a/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml
++++ b/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml
+@@ -65,6 +65,18 @@ properties:
+ Indicates if the DSI controller is driving a panel which needs
+ 2 DSI links.
+
++ qcom,master-dsi:
++ type: boolean
++ description: |
++ Indicates if the DSI controller is the master DSI controller when
++ qcom,dual-dsi-mode enabled.
++
++ qcom,sync-dual-dsi:
++ type: boolean
++ description: |
++ Indicates if the DSI controller needs to sync the other DSI controller
++ with MIPI DCS commands when qcom,dual-dsi-mode enabled.
++
+ assigned-clocks:
+ maxItems: 2
+ description: |
+--
+2.39.2
+
--- /dev/null
+From 69fc62d48c576ff77f006cdd2e85bf9be1b7704e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 19:22:11 -0400
+Subject: erspan: get the proto with the md version for collect_md
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit d80fc101d2eb9b3188c228d61223890aeea480a4 ]
+
+In commit 20704bd1633d ("erspan: build the header with the right proto
+according to erspan_ver"), it gets the proto with t->parms.erspan_ver,
+but t->parms.erspan_ver is not used by collect_md branch, and instead
+it should get the proto with md->version for collect_md.
+
+Thanks to Kevin for pointing this out.
+
+Fixes: 20704bd1633d ("erspan: build the header with the right proto according to erspan_ver")
+Fixes: 94d7d8f29287 ("ip6_gre: add erspan v2 support")
+Reported-by: Kevin Traynor <ktraynor@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: William Tu <u9012063@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_gre.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index 4d5937af08ee9..216b40ccadae0 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1037,12 +1037,14 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
+ ntohl(tun_id),
+ ntohl(md->u.index), truncate,
+ false);
++ proto = htons(ETH_P_ERSPAN);
+ } else if (md->version == 2) {
+ erspan_build_header_v2(skb,
+ ntohl(tun_id),
+ md->u.md2.dir,
+ get_hwid(&md->u.md2),
+ truncate, false);
++ proto = htons(ETH_P_ERSPAN2);
+ } else {
+ goto tx_err;
+ }
+@@ -1065,24 +1067,25 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
+ break;
+ }
+
+- if (t->parms.erspan_ver == 1)
++ if (t->parms.erspan_ver == 1) {
+ erspan_build_header(skb, ntohl(t->parms.o_key),
+ t->parms.index,
+ truncate, false);
+- else if (t->parms.erspan_ver == 2)
++ proto = htons(ETH_P_ERSPAN);
++ } else if (t->parms.erspan_ver == 2) {
+ erspan_build_header_v2(skb, ntohl(t->parms.o_key),
+ t->parms.dir,
+ t->parms.hwid,
+ truncate, false);
+- else
++ proto = htons(ETH_P_ERSPAN2);
++ } else {
+ goto tx_err;
++ }
+
+ fl6.daddr = t->parms.raddr;
+ }
+
+ /* Push GRE header. */
+- proto = (t->parms.erspan_ver == 1) ? htons(ETH_P_ERSPAN)
+- : htons(ETH_P_ERSPAN2);
+ gre_build_header(skb, 8, TUNNEL_SEQ, proto, 0, htonl(atomic_fetch_inc(&t->o_seqno)));
+
+ /* TooBig packet may have updated dst->dev's mtu */
+--
+2.39.2
+
--- /dev/null
+From d1a88c61fd72140ee094d06f2d487e15ab61ad7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Apr 2023 11:52:55 +0200
+Subject: ice: Fix ice VF reset during iavf initialization
+
+From: Dawid Wesierski <dawidx.wesierski@intel.com>
+
+[ Upstream commit 7255355a0636b4eff08d5e8139c77d98f151c4fc ]
+
+Fix the current implementation that causes ice_trigger_vf_reset()
+to start resetting the VF even when the VF-NIC is still initializing.
+
+When we reset NIC with ice driver it can interfere with
+iavf-vf initialization e.g. during consecutive resets induced by ice
+
+iavf ice
+ | |
+ |<-----------------|
+ | ice resets vf
+ iavf |
+ reset |
+ start |
+ |<-----------------|
+ | ice resets vf
+ | causing iavf
+ | initialization
+ | error
+ | |
+ iavf
+ reset
+ end
+
+This leads to a series of -53 errors
+(failed to init adminq) from the IAVF.
+
+Change the state of the vf_state field to be not active when the IAVF
+is still initializing. Make sure to wait until receiving the message on
+the message box to ensure that the vf is ready and initializded.
+
+In simple terms we use the ACTIVE flag to make sure that the ice
+driver knows if the iavf is ready for another reset
+
+ iavf ice
+ | |
+ | |
+ |<------------- ice resets vf
+ iavf vf_state != ACTIVE
+ reset |
+ start |
+ | |
+ | |
+ iavf |
+ reset-------> vf_state == ACTIVE
+ end ice resets vf
+ | |
+ | |
+
+Fixes: c54d209c78b8 ("ice: Wait for VF to be reset/ready before configuration")
+Signed-off-by: Dawid Wesierski <dawidx.wesierski@intel.com>
+Signed-off-by: Kamil Maziarz <kamil.maziarz@intel.com>
+Acked-by: Jacob Keller <Jacob.e.keller@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_sriov.c | 8 ++++----
+ drivers/net/ethernet/intel/ice/ice_vf_lib.c | 19 +++++++++++++++++++
+ drivers/net/ethernet/intel/ice/ice_vf_lib.h | 1 +
+ drivers/net/ethernet/intel/ice/ice_virtchnl.c | 1 +
+ 4 files changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_sriov.c b/drivers/net/ethernet/intel/ice/ice_sriov.c
+index b719e9a771e36..b8c31bf721ad1 100644
+--- a/drivers/net/ethernet/intel/ice/ice_sriov.c
++++ b/drivers/net/ethernet/intel/ice/ice_sriov.c
+@@ -1240,7 +1240,7 @@ int ice_set_vf_spoofchk(struct net_device *netdev, int vf_id, bool ena)
+ if (!vf)
+ return -EINVAL;
+
+- ret = ice_check_vf_ready_for_cfg(vf);
++ ret = ice_check_vf_ready_for_reset(vf);
+ if (ret)
+ goto out_put_vf;
+
+@@ -1355,7 +1355,7 @@ int ice_set_vf_mac(struct net_device *netdev, int vf_id, u8 *mac)
+ goto out_put_vf;
+ }
+
+- ret = ice_check_vf_ready_for_cfg(vf);
++ ret = ice_check_vf_ready_for_reset(vf);
+ if (ret)
+ goto out_put_vf;
+
+@@ -1409,7 +1409,7 @@ int ice_set_vf_trust(struct net_device *netdev, int vf_id, bool trusted)
+ return -EOPNOTSUPP;
+ }
+
+- ret = ice_check_vf_ready_for_cfg(vf);
++ ret = ice_check_vf_ready_for_reset(vf);
+ if (ret)
+ goto out_put_vf;
+
+@@ -1722,7 +1722,7 @@ ice_set_vf_port_vlan(struct net_device *netdev, int vf_id, u16 vlan_id, u8 qos,
+ if (!vf)
+ return -EINVAL;
+
+- ret = ice_check_vf_ready_for_cfg(vf);
++ ret = ice_check_vf_ready_for_reset(vf);
+ if (ret)
+ goto out_put_vf;
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.c b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+index 86abbcb480d9d..71047fc341392 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+@@ -185,6 +185,25 @@ int ice_check_vf_ready_for_cfg(struct ice_vf *vf)
+ return 0;
+ }
+
++/**
++ * ice_check_vf_ready_for_reset - check if VF is ready to be reset
++ * @vf: VF to check if it's ready to be reset
++ *
++ * The purpose of this function is to ensure that the VF is not in reset,
++ * disabled, and is both initialized and active, thus enabling us to safely
++ * initialize another reset.
++ */
++int ice_check_vf_ready_for_reset(struct ice_vf *vf)
++{
++ int ret;
++
++ ret = ice_check_vf_ready_for_cfg(vf);
++ if (!ret && !test_bit(ICE_VF_STATE_ACTIVE, vf->vf_states))
++ ret = -EAGAIN;
++
++ return ret;
++}
++
+ /**
+ * ice_trigger_vf_reset - Reset a VF on HW
+ * @vf: pointer to the VF structure
+diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.h b/drivers/net/ethernet/intel/ice/ice_vf_lib.h
+index 9f7fcd8e5714b..e5bed85724622 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.h
++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.h
+@@ -214,6 +214,7 @@ u16 ice_get_num_vfs(struct ice_pf *pf);
+ struct ice_vsi *ice_get_vf_vsi(struct ice_vf *vf);
+ bool ice_is_vf_disabled(struct ice_vf *vf);
+ int ice_check_vf_ready_for_cfg(struct ice_vf *vf);
++int ice_check_vf_ready_for_reset(struct ice_vf *vf);
+ void ice_set_vf_state_dis(struct ice_vf *vf);
+ bool ice_is_any_vf_in_unicast_promisc(struct ice_pf *pf);
+ void
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl.c b/drivers/net/ethernet/intel/ice/ice_virtchnl.c
+index 2b4c791b6cbad..ef3c709d6a750 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl.c
+@@ -3722,6 +3722,7 @@ void ice_vc_process_vf_msg(struct ice_pf *pf, struct ice_rq_event_info *event)
+ ice_vc_notify_vf_link_state(vf);
+ break;
+ case VIRTCHNL_OP_RESET_VF:
++ clear_bit(ICE_VF_STATE_ACTIVE, vf->vf_states);
+ ops->reset_vf(vf);
+ break;
+ case VIRTCHNL_OP_ADD_ETH_ADDR:
+--
+2.39.2
+
--- /dev/null
+From 5f9eb3fbe1f5e354e114dc7c61faa990d0a19b66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jan 2023 17:16:51 -0800
+Subject: ice: introduce clear_reset_state operation
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit fa4a15c85c849e92257da6dbffeb1e3a6399fd7b ]
+
+When hardware is reset, the VF relies on the VFGEN_RSTAT register to detect
+when the VF is finished resetting. This is a tri-state register where 0
+indicates a reset is in progress, 1 indicates the hardware is done
+resetting, and 2 indicates that the software is done resetting.
+
+Currently the PF driver relies on the device hardware resetting VFGEN_RSTAT
+when a global reset occurs. This works ok, but it does mean that the VF
+might not immediately notice a reset when the driver first detects that the
+global reset is occurring.
+
+This is also problematic for Scalable IOV, because there is no read/write
+equivalent VFGEN_RSTAT register for the Scalable VSI type. Instead, the
+Scalable IOV VFs will need to emulate this register.
+
+To support this, introduce a new VF operation, clear_reset_state, which is
+called when the PF driver first detects a global reset. The Single Root IOV
+implementation can just write to VFGEN_RSTAT to ensure it's cleared
+immediately, without waiting for the actual hardware reset to begin. The
+Scalable IOV implementation will use this as part of its tracking of the
+reset status to allow properly reporting the emulated VFGEN_RSTAT to the VF
+driver.
+
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Marek Szlosek <marek.szlosek@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Stable-dep-of: 7255355a0636 ("ice: Fix ice VF reset during iavf initialization")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 2 +-
+ drivers/net/ethernet/intel/ice/ice_sriov.c | 16 ++++++++++++++++
+ drivers/net/ethernet/intel/ice/ice_vf_lib.c | 12 +++++++++++-
+ drivers/net/ethernet/intel/ice/ice_vf_lib.h | 5 +++--
+ 4 files changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index cfc57cfc46e42..6a50f8ba3940c 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -573,7 +573,7 @@ ice_prepare_for_reset(struct ice_pf *pf, enum ice_reset_req reset_type)
+ /* Disable VFs until reset is completed */
+ mutex_lock(&pf->vfs.table_lock);
+ ice_for_each_vf(pf, bkt, vf)
+- ice_set_vf_state_qs_dis(vf);
++ ice_set_vf_state_dis(vf);
+ mutex_unlock(&pf->vfs.table_lock);
+
+ if (ice_is_eswitch_mode_switchdev(pf)) {
+diff --git a/drivers/net/ethernet/intel/ice/ice_sriov.c b/drivers/net/ethernet/intel/ice/ice_sriov.c
+index b3849bc3d4fc6..b719e9a771e36 100644
+--- a/drivers/net/ethernet/intel/ice/ice_sriov.c
++++ b/drivers/net/ethernet/intel/ice/ice_sriov.c
+@@ -696,6 +696,21 @@ static void ice_sriov_free_vf(struct ice_vf *vf)
+ kfree_rcu(vf, rcu);
+ }
+
++/**
++ * ice_sriov_clear_reset_state - clears VF Reset status register
++ * @vf: the vf to configure
++ */
++static void ice_sriov_clear_reset_state(struct ice_vf *vf)
++{
++ struct ice_hw *hw = &vf->pf->hw;
++
++ /* Clear the reset status register so that VF immediately sees that
++ * the device is resetting, even if hardware hasn't yet gotten around
++ * to clearing VFGEN_RSTAT for us.
++ */
++ wr32(hw, VFGEN_RSTAT(vf->vf_id), VIRTCHNL_VFR_INPROGRESS);
++}
++
+ /**
+ * ice_sriov_clear_mbx_register - clears SRIOV VF's mailbox registers
+ * @vf: the vf to configure
+@@ -835,6 +850,7 @@ static void ice_sriov_post_vsi_rebuild(struct ice_vf *vf)
+ static const struct ice_vf_ops ice_sriov_vf_ops = {
+ .reset_type = ICE_VF_RESET,
+ .free = ice_sriov_free_vf,
++ .clear_reset_state = ice_sriov_clear_reset_state,
+ .clear_mbx_register = ice_sriov_clear_mbx_register,
+ .trigger_reset_register = ice_sriov_trigger_reset_register,
+ .poll_reset_status = ice_sriov_poll_reset_status,
+diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.c b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+index 1c51778db951b..86abbcb480d9d 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.c
+@@ -673,7 +673,7 @@ int ice_reset_vf(struct ice_vf *vf, u32 flags)
+ * ice_set_vf_state_qs_dis - Set VF queues state to disabled
+ * @vf: pointer to the VF structure
+ */
+-void ice_set_vf_state_qs_dis(struct ice_vf *vf)
++static void ice_set_vf_state_qs_dis(struct ice_vf *vf)
+ {
+ /* Clear Rx/Tx enabled queues flag */
+ bitmap_zero(vf->txq_ena, ICE_MAX_RSS_QS_PER_VF);
+@@ -681,6 +681,16 @@ void ice_set_vf_state_qs_dis(struct ice_vf *vf)
+ clear_bit(ICE_VF_STATE_QS_ENA, vf->vf_states);
+ }
+
++/**
++ * ice_set_vf_state_dis - Set VF state to disabled
++ * @vf: pointer to the VF structure
++ */
++void ice_set_vf_state_dis(struct ice_vf *vf)
++{
++ ice_set_vf_state_qs_dis(vf);
++ vf->vf_ops->clear_reset_state(vf);
++}
++
+ /* Private functions only accessed from other virtualization files */
+
+ /**
+diff --git a/drivers/net/ethernet/intel/ice/ice_vf_lib.h b/drivers/net/ethernet/intel/ice/ice_vf_lib.h
+index 52bd9a3816bf2..9f7fcd8e5714b 100644
+--- a/drivers/net/ethernet/intel/ice/ice_vf_lib.h
++++ b/drivers/net/ethernet/intel/ice/ice_vf_lib.h
+@@ -56,6 +56,7 @@ struct ice_mdd_vf_events {
+ struct ice_vf_ops {
+ enum ice_disq_rst_src reset_type;
+ void (*free)(struct ice_vf *vf);
++ void (*clear_reset_state)(struct ice_vf *vf);
+ void (*clear_mbx_register)(struct ice_vf *vf);
+ void (*trigger_reset_register)(struct ice_vf *vf, bool is_vflr);
+ bool (*poll_reset_status)(struct ice_vf *vf);
+@@ -213,7 +214,7 @@ u16 ice_get_num_vfs(struct ice_pf *pf);
+ struct ice_vsi *ice_get_vf_vsi(struct ice_vf *vf);
+ bool ice_is_vf_disabled(struct ice_vf *vf);
+ int ice_check_vf_ready_for_cfg(struct ice_vf *vf);
+-void ice_set_vf_state_qs_dis(struct ice_vf *vf);
++void ice_set_vf_state_dis(struct ice_vf *vf);
+ bool ice_is_any_vf_in_unicast_promisc(struct ice_pf *pf);
+ void
+ ice_vf_get_promisc_masks(struct ice_vf *vf, struct ice_vsi *vsi,
+@@ -259,7 +260,7 @@ static inline int ice_check_vf_ready_for_cfg(struct ice_vf *vf)
+ return -EOPNOTSUPP;
+ }
+
+-static inline void ice_set_vf_state_qs_dis(struct ice_vf *vf)
++static inline void ice_set_vf_state_dis(struct ice_vf *vf)
+ {
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 626f935f8ed7bbe4b5945da9e92a8e1e0ffaff9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 10:41:46 -0700
+Subject: igb: fix bit_shift to be in [1..8] range
+
+From: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+
+[ Upstream commit 60d758659f1fb49e0d5b6ac2691ede8c0958795b ]
+
+In igb_hash_mc_addr() the expression:
+ "mc_addr[4] >> 8 - bit_shift", right shifting "mc_addr[4]"
+shift by more than 7 bits always yields zero, so hash becomes not so different.
+Add initialization with bit_shift = 1 and add a loop condition to ensure
+bit_shift will be always in [1..8] range.
+
+Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver")
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/e1000_mac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/e1000_mac.c b/drivers/net/ethernet/intel/igb/e1000_mac.c
+index 205d577bdbbaa..caf91c6f52b4d 100644
+--- a/drivers/net/ethernet/intel/igb/e1000_mac.c
++++ b/drivers/net/ethernet/intel/igb/e1000_mac.c
+@@ -426,7 +426,7 @@ void igb_mta_set(struct e1000_hw *hw, u32 hash_value)
+ static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr)
+ {
+ u32 hash_value, hash_mask;
+- u8 bit_shift = 0;
++ u8 bit_shift = 1;
+
+ /* Register count multiplied by bits per register */
+ hash_mask = (hw->mac.mta_reg_count * 32) - 1;
+@@ -434,7 +434,7 @@ static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr)
+ /* For a mc_filter_type of 0, bit_shift is the number of left-shifts
+ * where 0xFF would still fall within the hash mask.
+ */
+- while (hash_mask >> bit_shift != 0xFF)
++ while (hash_mask >> bit_shift != 0xFF && bit_shift < 4)
+ bit_shift++;
+
+ /* The portion of the address that is used for the hash table
+--
+2.39.2
+
--- /dev/null
+From 35ffeb041dad5b60e1ab7d86184bfa835558948c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 12:55:14 +0000
+Subject: media: netup_unidvb: fix use-after-free at del_timer()
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 0f5bb36bf9b39a2a96e730bf4455095b50713f63 ]
+
+When Universal DVB card is detaching, netup_unidvb_dma_fini()
+uses del_timer() to stop dma->timeout timer. But when timer
+handler netup_unidvb_dma_timeout() is running, del_timer()
+could not stop it. As a result, the use-after-free bug could
+happen. The process is shown below:
+
+ (cleanup routine) | (timer routine)
+ | mod_timer(&dev->tx_sim_timer, ..)
+netup_unidvb_finidev() | (wait a time)
+ netup_unidvb_dma_fini() | netup_unidvb_dma_timeout()
+ del_timer(&dma->timeout); |
+ | ndev->pci_dev->dev //USE
+
+Fix by changing del_timer() to del_timer_sync().
+
+Link: https://lore.kernel.org/linux-media/20230308125514.4208-1-duoming@zju.edu.cn
+Fixes: 52b1eaf4c59a ("[media] netup_unidvb: NetUP Universal DVB-S/S2/T/T2/C PCI-E card driver")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/netup_unidvb/netup_unidvb_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
+index 8287851b5ffdc..aaa1d2dedebdd 100644
+--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
+@@ -697,7 +697,7 @@ static void netup_unidvb_dma_fini(struct netup_unidvb_dev *ndev, int num)
+ netup_unidvb_dma_enable(dma, 0);
+ msleep(50);
+ cancel_work_sync(&dma->work);
+- del_timer(&dma->timeout);
++ del_timer_sync(&dma->timeout);
+ }
+
+ static int netup_unidvb_dma_setup(struct netup_unidvb_dev *ndev)
+--
+2.39.2
+
--- /dev/null
+From 4ab52e8cd2ee24cc7fb80a290dead98a38245919 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 May 2023 16:07:27 -0700
+Subject: net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 93e0401e0fc0c54b0ac05b687cd135c2ac38187c ]
+
+The call to phy_stop() races with the later call to phy_disconnect(),
+resulting in concurrent phy_suspend() calls being run from different
+CPUs. The final call to phy_disconnect() ensures that the PHY is
+stopped and suspended, too.
+
+Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index f679ed54b3ef2..9860fd66f3bca 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -3460,7 +3460,6 @@ static void bcmgenet_netif_stop(struct net_device *dev)
+ /* Disable MAC transmit. TX DMA disabled must be done before this */
+ umac_enable_set(priv, CMD_TX_EN, false);
+
+- phy_stop(dev->phydev);
+ bcmgenet_disable_rx_napi(priv);
+ bcmgenet_intr_disable(priv);
+
+--
+2.39.2
+
--- /dev/null
+From be4e6258350377f80161449c5354d3ce7bb5c430 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 19:56:07 -0700
+Subject: net: bcmgenet: Restore phy_stop() depending upon suspend/close
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 225c657945c4a6307741cb3cc89467eadcc26e9b ]
+
+Removing the phy_stop() from bcmgenet_netif_stop() ended up causing
+warnings from the PHY library that phy_start() is called from the
+RUNNING state since we are no longer stopping the PHY state machine
+during bcmgenet_suspend().
+
+Restore the call to phy_stop() but make it conditional on being called
+from the close or suspend path.
+
+Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine")
+Fixes: 93e0401e0fc0 ("net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Link: https://lore.kernel.org/r/20230515025608.2587012-1-f.fainelli@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index 9860fd66f3bca..4da2becfa950c 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -3445,7 +3445,7 @@ static int bcmgenet_open(struct net_device *dev)
+ return ret;
+ }
+
+-static void bcmgenet_netif_stop(struct net_device *dev)
++static void bcmgenet_netif_stop(struct net_device *dev, bool stop_phy)
+ {
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+
+@@ -3460,6 +3460,8 @@ static void bcmgenet_netif_stop(struct net_device *dev)
+ /* Disable MAC transmit. TX DMA disabled must be done before this */
+ umac_enable_set(priv, CMD_TX_EN, false);
+
++ if (stop_phy)
++ phy_stop(dev->phydev);
+ bcmgenet_disable_rx_napi(priv);
+ bcmgenet_intr_disable(priv);
+
+@@ -3480,7 +3482,7 @@ static int bcmgenet_close(struct net_device *dev)
+
+ netif_dbg(priv, ifdown, dev, "bcmgenet_close\n");
+
+- bcmgenet_netif_stop(dev);
++ bcmgenet_netif_stop(dev, false);
+
+ /* Really kill the PHY state machine and disconnect from it */
+ phy_disconnect(dev->phydev);
+@@ -4298,7 +4300,7 @@ static int bcmgenet_suspend(struct device *d)
+
+ netif_device_detach(dev);
+
+- bcmgenet_netif_stop(dev);
++ bcmgenet_netif_stop(dev, true);
+
+ if (!device_may_wakeup(d))
+ phy_suspend(dev->phydev);
+--
+2.39.2
+
--- /dev/null
+From 5e116b41b020732d77f3db0ae8cd1f400b349c7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 09:38:54 +0200
+Subject: net: dsa: mv88e6xxx: Fix mv88e6393x EPC write command offset
+
+From: Marco Migliore <m.migliore@tiesse.com>
+
+[ Upstream commit 1323e0c6e1d7e103d59384c3ac50f72b17a6936c ]
+
+According to datasheet, the command opcode must be specified
+into bits [14:12] of the Extended Port Control register (EPC).
+
+Fixes: de776d0d316f ("net: dsa: mv88e6xxx: add support for mv88e6393x family")
+Signed-off-by: Marco Migliore <m.migliore@tiesse.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/port.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/port.h b/drivers/net/dsa/mv88e6xxx/port.h
+index cb04243f37c1e..a91e22d9a6cb3 100644
+--- a/drivers/net/dsa/mv88e6xxx/port.h
++++ b/drivers/net/dsa/mv88e6xxx/port.h
+@@ -276,7 +276,7 @@
+ /* Offset 0x10: Extended Port Control Command */
+ #define MV88E6393X_PORT_EPC_CMD 0x10
+ #define MV88E6393X_PORT_EPC_CMD_BUSY 0x8000
+-#define MV88E6393X_PORT_EPC_CMD_WRITE 0x0300
++#define MV88E6393X_PORT_EPC_CMD_WRITE 0x3000
+ #define MV88E6393X_PORT_EPC_INDEX_PORT_ETYPE 0x02
+
+ /* Offset 0x11: Extended Port Control Data */
+--
+2.39.2
+
--- /dev/null
+From 8165c715b61e7f7e09baa961c98969a786e9c2b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 09:27:12 +0200
+Subject: net: dsa: rzn1-a5psw: disable learning for standalone ports
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Léger <clement.leger@bootlin.com>
+
+[ Upstream commit ec52b69c046a6219011af780aca155a96719637b ]
+
+When ports are in standalone mode, they should have learning disabled to
+avoid adding new entries in the MAC lookup table which might be used by
+other bridge ports to forward packets. While adding that, also make sure
+learning is enabled for CPU port.
+
+Fixes: 888cdb892b61 ("net: dsa: rzn1-a5psw: add Renesas RZ/N1 advanced 5 port switch driver")
+Signed-off-by: Clément Léger <clement.leger@bootlin.com>
+Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
+Reviewed-by: Piotr Raczynski <piotr.raczynski@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/rzn1_a5psw.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/dsa/rzn1_a5psw.c b/drivers/net/dsa/rzn1_a5psw.c
+index 2b0463263767c..790e177e2aef6 100644
+--- a/drivers/net/dsa/rzn1_a5psw.c
++++ b/drivers/net/dsa/rzn1_a5psw.c
+@@ -340,6 +340,14 @@ static void a5psw_flooding_set_resolution(struct a5psw *a5psw, int port,
+ a5psw_reg_writel(a5psw, offsets[i], a5psw->bridged_ports);
+ }
+
++static void a5psw_port_set_standalone(struct a5psw *a5psw, int port,
++ bool standalone)
++{
++ a5psw_port_learning_set(a5psw, port, !standalone);
++ a5psw_flooding_set_resolution(a5psw, port, !standalone);
++ a5psw_port_mgmtfwd_set(a5psw, port, standalone);
++}
++
+ static int a5psw_port_bridge_join(struct dsa_switch *ds, int port,
+ struct dsa_bridge bridge,
+ bool *tx_fwd_offload,
+@@ -355,8 +363,7 @@ static int a5psw_port_bridge_join(struct dsa_switch *ds, int port,
+ }
+
+ a5psw->br_dev = bridge.dev;
+- a5psw_flooding_set_resolution(a5psw, port, true);
+- a5psw_port_mgmtfwd_set(a5psw, port, false);
++ a5psw_port_set_standalone(a5psw, port, false);
+
+ return 0;
+ }
+@@ -366,8 +373,7 @@ static void a5psw_port_bridge_leave(struct dsa_switch *ds, int port,
+ {
+ struct a5psw *a5psw = ds->priv;
+
+- a5psw_flooding_set_resolution(a5psw, port, false);
+- a5psw_port_mgmtfwd_set(a5psw, port, true);
++ a5psw_port_set_standalone(a5psw, port, true);
+
+ /* No more ports bridged */
+ if (a5psw->bridged_ports == BIT(A5PSW_CPU_PORT))
+@@ -761,13 +767,15 @@ static int a5psw_setup(struct dsa_switch *ds)
+ if (dsa_port_is_unused(dp))
+ continue;
+
+- /* Enable egress flooding for CPU port */
+- if (dsa_port_is_cpu(dp))
++ /* Enable egress flooding and learning for CPU port */
++ if (dsa_port_is_cpu(dp)) {
+ a5psw_flooding_set_resolution(a5psw, port, true);
++ a5psw_port_learning_set(a5psw, port, true);
++ }
+
+- /* Enable management forward only for user ports */
++ /* Enable standalone mode for user ports */
+ if (dsa_port_is_user(dp))
+- a5psw_port_mgmtfwd_set(a5psw, port, true);
++ a5psw_port_set_standalone(a5psw, port, true);
+ }
+
+ return 0;
+--
+2.39.2
+
--- /dev/null
+From 057a8f5ddad891cced6acc76f66499fa89fc07f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 09:27:10 +0200
+Subject: net: dsa: rzn1-a5psw: enable management frames for CPU port
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Léger <clement.leger@bootlin.com>
+
+[ Upstream commit 9e4b45f20c5aac786c728619e5ee746bffce1798 ]
+
+Currently, management frame were discarded before reaching the CPU port due
+to a misconfiguration of the MGMT_CONFIG register. Enable them by setting
+the correct value in this register in order to correctly receive management
+frame and handle STP.
+
+Fixes: 888cdb892b61 ("net: dsa: rzn1-a5psw: add Renesas RZ/N1 advanced 5 port switch driver")
+Signed-off-by: Clément Léger <clement.leger@bootlin.com>
+Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
+Reviewed-by: Piotr Raczynski <piotr.raczynski@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/rzn1_a5psw.c | 2 +-
+ drivers/net/dsa/rzn1_a5psw.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/rzn1_a5psw.c b/drivers/net/dsa/rzn1_a5psw.c
+index ed413d555beca..92a3ac78ab1e5 100644
+--- a/drivers/net/dsa/rzn1_a5psw.c
++++ b/drivers/net/dsa/rzn1_a5psw.c
+@@ -673,7 +673,7 @@ static int a5psw_setup(struct dsa_switch *ds)
+ }
+
+ /* Configure management port */
+- reg = A5PSW_CPU_PORT | A5PSW_MGMT_CFG_DISCARD;
++ reg = A5PSW_CPU_PORT | A5PSW_MGMT_CFG_ENABLE;
+ a5psw_reg_writel(a5psw, A5PSW_MGMT_CFG, reg);
+
+ /* Set pattern 0 to forward all frame to mgmt port */
+diff --git a/drivers/net/dsa/rzn1_a5psw.h b/drivers/net/dsa/rzn1_a5psw.h
+index c67abd49c013d..b4fbf453ff741 100644
+--- a/drivers/net/dsa/rzn1_a5psw.h
++++ b/drivers/net/dsa/rzn1_a5psw.h
+@@ -36,7 +36,7 @@
+ #define A5PSW_INPUT_LEARN_BLOCK(p) BIT(p)
+
+ #define A5PSW_MGMT_CFG 0x20
+-#define A5PSW_MGMT_CFG_DISCARD BIT(7)
++#define A5PSW_MGMT_CFG_ENABLE BIT(6)
+
+ #define A5PSW_MODE_CFG 0x24
+ #define A5PSW_MODE_STATS_RESET BIT(31)
+--
+2.39.2
+
--- /dev/null
+From e82a291982dd2462504a76390651991c360689b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 09:27:11 +0200
+Subject: net: dsa: rzn1-a5psw: fix STP states handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexis Lothoré <alexis.lothore@bootlin.com>
+
+[ Upstream commit ebe9bc50952757b4b25eaf514da7c464196c9606 ]
+
+stp_set_state() should actually allow receiving BPDU while in LEARNING
+mode which is not the case. Additionally, the BLOCKEN bit does not
+actually forbid sending forwarded frames from that port. To fix this, add
+a5psw_port_tx_enable() function which allows to disable TX. However, while
+its name suggest that TX is totally disabled, it is not and can still
+allow to send BPDUs even if disabled. This can be done by using forced
+forwarding with the switch tagging mechanism but keeping "filtering"
+disabled (which is already the case in the rzn1-a5sw tag driver). With
+these fixes, STP support is now functional.
+
+Fixes: 888cdb892b61 ("net: dsa: rzn1-a5psw: add Renesas RZ/N1 advanced 5 port switch driver")
+Signed-off-by: Clément Léger <clement.leger@bootlin.com>
+Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/rzn1_a5psw.c | 57 ++++++++++++++++++++++++++++++------
+ drivers/net/dsa/rzn1_a5psw.h | 1 +
+ 2 files changed, 49 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/dsa/rzn1_a5psw.c b/drivers/net/dsa/rzn1_a5psw.c
+index 92a3ac78ab1e5..2b0463263767c 100644
+--- a/drivers/net/dsa/rzn1_a5psw.c
++++ b/drivers/net/dsa/rzn1_a5psw.c
+@@ -120,6 +120,22 @@ static void a5psw_port_mgmtfwd_set(struct a5psw *a5psw, int port, bool enable)
+ a5psw_port_pattern_set(a5psw, port, A5PSW_PATTERN_MGMTFWD, enable);
+ }
+
++static void a5psw_port_tx_enable(struct a5psw *a5psw, int port, bool enable)
++{
++ u32 mask = A5PSW_PORT_ENA_TX(port);
++ u32 reg = enable ? mask : 0;
++
++ /* Even though the port TX is disabled through TXENA bit in the
++ * PORT_ENA register, it can still send BPDUs. This depends on the tag
++ * configuration added when sending packets from the CPU port to the
++ * switch port. Indeed, when using forced forwarding without filtering,
++ * even disabled ports will be able to send packets that are tagged.
++ * This allows to implement STP support when ports are in a state where
++ * forwarding traffic should be stopped but BPDUs should still be sent.
++ */
++ a5psw_reg_rmw(a5psw, A5PSW_PORT_ENA, mask, reg);
++}
++
+ static void a5psw_port_enable_set(struct a5psw *a5psw, int port, bool enable)
+ {
+ u32 port_ena = 0;
+@@ -292,6 +308,22 @@ static int a5psw_set_ageing_time(struct dsa_switch *ds, unsigned int msecs)
+ return 0;
+ }
+
++static void a5psw_port_learning_set(struct a5psw *a5psw, int port, bool learn)
++{
++ u32 mask = A5PSW_INPUT_LEARN_DIS(port);
++ u32 reg = !learn ? mask : 0;
++
++ a5psw_reg_rmw(a5psw, A5PSW_INPUT_LEARN, mask, reg);
++}
++
++static void a5psw_port_rx_block_set(struct a5psw *a5psw, int port, bool block)
++{
++ u32 mask = A5PSW_INPUT_LEARN_BLOCK(port);
++ u32 reg = block ? mask : 0;
++
++ a5psw_reg_rmw(a5psw, A5PSW_INPUT_LEARN, mask, reg);
++}
++
+ static void a5psw_flooding_set_resolution(struct a5psw *a5psw, int port,
+ bool set)
+ {
+@@ -344,28 +376,35 @@ static void a5psw_port_bridge_leave(struct dsa_switch *ds, int port,
+
+ static void a5psw_port_stp_state_set(struct dsa_switch *ds, int port, u8 state)
+ {
+- u32 mask = A5PSW_INPUT_LEARN_DIS(port) | A5PSW_INPUT_LEARN_BLOCK(port);
++ bool learning_enabled, rx_enabled, tx_enabled;
+ struct a5psw *a5psw = ds->priv;
+- u32 reg = 0;
+
+ switch (state) {
+ case BR_STATE_DISABLED:
+ case BR_STATE_BLOCKING:
+- reg |= A5PSW_INPUT_LEARN_DIS(port);
+- reg |= A5PSW_INPUT_LEARN_BLOCK(port);
+- break;
+ case BR_STATE_LISTENING:
+- reg |= A5PSW_INPUT_LEARN_DIS(port);
++ rx_enabled = false;
++ tx_enabled = false;
++ learning_enabled = false;
+ break;
+ case BR_STATE_LEARNING:
+- reg |= A5PSW_INPUT_LEARN_BLOCK(port);
++ rx_enabled = false;
++ tx_enabled = false;
++ learning_enabled = true;
+ break;
+ case BR_STATE_FORWARDING:
+- default:
++ rx_enabled = true;
++ tx_enabled = true;
++ learning_enabled = true;
+ break;
++ default:
++ dev_err(ds->dev, "invalid STP state: %d\n", state);
++ return;
+ }
+
+- a5psw_reg_rmw(a5psw, A5PSW_INPUT_LEARN, mask, reg);
++ a5psw_port_learning_set(a5psw, port, learning_enabled);
++ a5psw_port_rx_block_set(a5psw, port, !rx_enabled);
++ a5psw_port_tx_enable(a5psw, port, tx_enabled);
+ }
+
+ static void a5psw_port_fast_age(struct dsa_switch *ds, int port)
+diff --git a/drivers/net/dsa/rzn1_a5psw.h b/drivers/net/dsa/rzn1_a5psw.h
+index b4fbf453ff741..b869192eef3f7 100644
+--- a/drivers/net/dsa/rzn1_a5psw.h
++++ b/drivers/net/dsa/rzn1_a5psw.h
+@@ -19,6 +19,7 @@
+ #define A5PSW_PORT_OFFSET(port) (0x400 * (port))
+
+ #define A5PSW_PORT_ENA 0x8
++#define A5PSW_PORT_ENA_TX(port) BIT(port)
+ #define A5PSW_PORT_ENA_RX_SHIFT 16
+ #define A5PSW_PORT_ENA_TX_RX(port) (BIT((port) + A5PSW_PORT_ENA_RX_SHIFT) | \
+ BIT(port))
+--
+2.39.2
+
--- /dev/null
+From 3c5b3b13b4aa4ee7c98f6f00f8a6834f9ce65dae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 22:00:20 +0200
+Subject: net: fec: Better handle pm_runtime_get() failing in .remove()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit f816b9829b19394d318e01953aa3b2721bca040d ]
+
+In the (unlikely) event that pm_runtime_get() (disguised as
+pm_runtime_resume_and_get()) fails, the remove callback returned an
+error early. The problem with this is that the driver core ignores the
+error value and continues removing the device. This results in a
+resource leak. Worse the devm allocated resources are freed and so if a
+callback of the driver is called later the register mapping is already
+gone which probably results in a crash.
+
+Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20230510200020.1534610-1-u.kleine-koenig@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 6f914180f4797..33226a22d8a4a 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -4168,9 +4168,11 @@ fec_drv_remove(struct platform_device *pdev)
+ struct device_node *np = pdev->dev.of_node;
+ int ret;
+
+- ret = pm_runtime_resume_and_get(&pdev->dev);
++ ret = pm_runtime_get_sync(&pdev->dev);
+ if (ret < 0)
+- return ret;
++ dev_err(&pdev->dev,
++ "Failed to resume device in remove callback (%pe)\n",
++ ERR_PTR(ret));
+
+ cancel_work_sync(&fep->tx_timeout_work);
+ fec_ptp_stop(pdev);
+@@ -4183,8 +4185,13 @@ fec_drv_remove(struct platform_device *pdev)
+ of_phy_deregister_fixed_link(np);
+ of_node_put(fep->phy_node);
+
+- clk_disable_unprepare(fep->clk_ahb);
+- clk_disable_unprepare(fep->clk_ipg);
++ /* After pm_runtime_get_sync() failed, the clks are still off, so skip
++ * disabling them again.
++ */
++ if (ret >= 0) {
++ clk_disable_unprepare(fep->clk_ahb);
++ clk_disable_unprepare(fep->clk_ipg);
++ }
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+
+--
+2.39.2
+
--- /dev/null
+From 68de3588270d10a61e2e684f6e78c44dc6dee79f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 18:00:11 +0800
+Subject: net: hns3: fix output information incomplete for dumping tx queue
+ info with debugfs
+
+From: Jie Wang <wangjie125@huawei.com>
+
+[ Upstream commit 89f6bfb071182f05d7188c255b0e7251c3806f16 ]
+
+In function hns3_dump_tx_queue_info, The print buffer is not enough when
+the tx BD number is configured to 32760. As a result several BD
+information wouldn't be displayed.
+
+So fix it by increasing the tx queue print buffer length.
+
+Fixes: 630a6738da82 ("net: hns3: adjust string spaces of some parameters of tx bd info in debugfs")
+Signed-off-by: Jie Wang <wangjie125@huawei.com>
+Signed-off-by: Hao Lan <lanhao@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 +-
+ drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
+index 66feb23f7b7b6..bcccd82a2620f 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
+@@ -130,7 +130,7 @@ static struct hns3_dbg_cmd_info hns3_dbg_cmd[] = {
+ .name = "tx_bd_queue",
+ .cmd = HNAE3_DBG_CMD_TX_BD,
+ .dentry = HNS3_DBG_DENTRY_TX_BD,
+- .buf_len = HNS3_DBG_READ_LEN_4MB,
++ .buf_len = HNS3_DBG_READ_LEN_5MB,
+ .init = hns3_dbg_bd_file_init,
+ },
+ {
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h
+index 97578eabb7d8b..4a5ef8a90a104 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h
+@@ -10,6 +10,7 @@
+ #define HNS3_DBG_READ_LEN_128KB 0x20000
+ #define HNS3_DBG_READ_LEN_1MB 0x100000
+ #define HNS3_DBG_READ_LEN_4MB 0x400000
++#define HNS3_DBG_READ_LEN_5MB 0x500000
+ #define HNS3_DBG_WRITE_LEN 1024
+
+ #define HNS3_DBG_DATA_STR_LEN 32
+--
+2.39.2
+
--- /dev/null
+From 5b0420f4414d4edbe78c04673a502199b5d92bf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 18:00:13 +0800
+Subject: net: hns3: fix reset delay time to avoid configuration timeout
+
+From: Jie Wang <wangjie125@huawei.com>
+
+[ Upstream commit 814d0c786068e858d889ada3153bff82f64223ad ]
+
+Currently the hns3 vf function reset delays 5000ms before vf rebuild
+process. In product applications, this delay is too long for application
+configurations and causes configuration timeout.
+
+According to the tests, 500ms delay is enough for reset process except PF
+FLR. So this patch modifies delay to 500ms in these scenarios.
+
+Fixes: 6988eb2a9b77 ("net: hns3: Add support to reset the enet/ring mgmt layer")
+Signed-off-by: Jie Wang <wangjie125@huawei.com>
+Signed-off-by: Hao Lan <lanhao@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index e84e5be8e59ed..b1b14850e958f 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -1436,7 +1436,10 @@ static int hclgevf_reset_wait(struct hclgevf_dev *hdev)
+ * might happen in case reset assertion was made by PF. Yes, this also
+ * means we might end up waiting bit more even for VF reset.
+ */
+- msleep(5000);
++ if (hdev->reset_type == HNAE3_VF_FULL_RESET)
++ msleep(5000);
++ else
++ msleep(500);
+
+ return 0;
+ }
+--
+2.39.2
+
--- /dev/null
+From 0139ec0c3a41ace5d3eb7d7e682e8c8d4520f7b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 18:00:14 +0800
+Subject: net: hns3: fix reset timeout when enable full VF
+
+From: Jijie Shao <shaojijie@huawei.com>
+
+[ Upstream commit 6b45d5ff8c2c61baddd67d7510075ae121c5e704 ]
+
+The timeout of the cmdq reset command has been increased to
+resolve the reset timeout issue in the full VF scenario.
+The timeout of other cmdq commands remains unchanged.
+
+Fixes: 8d307f8e8cf1 ("net: hns3: create new set of unified hclge_comm_cmd_send APIs")
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Hao Lan <lanhao@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../hns3/hns3_common/hclge_comm_cmd.c | 25 ++++++++++++++++---
+ .../hns3/hns3_common/hclge_comm_cmd.h | 8 +++++-
+ 2 files changed, 28 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.c b/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.c
+index f671a63cecde4..c797d54f98caa 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.c
+@@ -330,9 +330,25 @@ static int hclge_comm_cmd_csq_done(struct hclge_comm_hw *hw)
+ return head == hw->cmq.csq.next_to_use;
+ }
+
+-static void hclge_comm_wait_for_resp(struct hclge_comm_hw *hw,
++static u32 hclge_get_cmdq_tx_timeout(u16 opcode, u32 tx_timeout)
++{
++ static const struct hclge_cmdq_tx_timeout_map cmdq_tx_timeout_map[] = {
++ {HCLGE_OPC_CFG_RST_TRIGGER, HCLGE_COMM_CMDQ_TX_TIMEOUT_500MS},
++ };
++ u32 i;
++
++ for (i = 0; i < ARRAY_SIZE(cmdq_tx_timeout_map); i++)
++ if (cmdq_tx_timeout_map[i].opcode == opcode)
++ return cmdq_tx_timeout_map[i].tx_timeout;
++
++ return tx_timeout;
++}
++
++static void hclge_comm_wait_for_resp(struct hclge_comm_hw *hw, u16 opcode,
+ bool *is_completed)
+ {
++ u32 cmdq_tx_timeout = hclge_get_cmdq_tx_timeout(opcode,
++ hw->cmq.tx_timeout);
+ u32 timeout = 0;
+
+ do {
+@@ -342,7 +358,7 @@ static void hclge_comm_wait_for_resp(struct hclge_comm_hw *hw,
+ }
+ udelay(1);
+ timeout++;
+- } while (timeout < hw->cmq.tx_timeout);
++ } while (timeout < cmdq_tx_timeout);
+ }
+
+ static int hclge_comm_cmd_convert_err_code(u16 desc_ret)
+@@ -406,7 +422,8 @@ static int hclge_comm_cmd_check_result(struct hclge_comm_hw *hw,
+ * if multi descriptors to be sent, use the first one to check
+ */
+ if (HCLGE_COMM_SEND_SYNC(le16_to_cpu(desc->flag)))
+- hclge_comm_wait_for_resp(hw, &is_completed);
++ hclge_comm_wait_for_resp(hw, le16_to_cpu(desc->opcode),
++ &is_completed);
+
+ if (!is_completed)
+ ret = -EBADE;
+@@ -528,7 +545,7 @@ int hclge_comm_cmd_queue_init(struct pci_dev *pdev, struct hclge_comm_hw *hw)
+ cmdq->crq.desc_num = HCLGE_COMM_NIC_CMQ_DESC_NUM;
+
+ /* Setup Tx write back timeout */
+- cmdq->tx_timeout = HCLGE_COMM_CMDQ_TX_TIMEOUT;
++ cmdq->tx_timeout = HCLGE_COMM_CMDQ_TX_TIMEOUT_DEFAULT;
+
+ /* Setup queue rings */
+ ret = hclge_comm_alloc_cmd_queue(hw, HCLGE_COMM_TYPE_CSQ);
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.h b/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.h
+index b1f9383b418f4..2b2928c6dccfc 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_common/hclge_comm_cmd.h
+@@ -54,7 +54,8 @@
+ #define HCLGE_COMM_NIC_SW_RST_RDY BIT(HCLGE_COMM_NIC_SW_RST_RDY_B)
+ #define HCLGE_COMM_NIC_CMQ_DESC_NUM_S 3
+ #define HCLGE_COMM_NIC_CMQ_DESC_NUM 1024
+-#define HCLGE_COMM_CMDQ_TX_TIMEOUT 30000
++#define HCLGE_COMM_CMDQ_TX_TIMEOUT_DEFAULT 30000
++#define HCLGE_COMM_CMDQ_TX_TIMEOUT_500MS 500000
+
+ enum hclge_opcode_type {
+ /* Generic commands */
+@@ -357,6 +358,11 @@ struct hclge_comm_caps_bit_map {
+ u16 local_bit;
+ };
+
++struct hclge_cmdq_tx_timeout_map {
++ u32 opcode;
++ u32 tx_timeout;
++};
++
+ struct hclge_comm_firmware_compat_cmd {
+ __le32 compat;
+ u8 rsv[20];
+--
+2.39.2
+
--- /dev/null
+From 1a3fd2e6b1467ea75359e6da5b65c49287c48aa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 18:00:12 +0800
+Subject: net: hns3: fix sending pfc frames after reset issue
+
+From: Jijie Shao <shaojijie@huawei.com>
+
+[ Upstream commit f14db07064727dd3bc0906c77a6d2759c1bbb395 ]
+
+To prevent the system from abnormally sending PFC frames after an
+abnormal reset. The hns3 driver notifies the firmware to disable pfc
+before reset.
+
+Fixes: 35d93a30040c ("net: hns3: adjust the process of PF reset")
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Hao Lan <lanhao@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 15 +++++++++------
+ .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 4 ++--
+ .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h | 5 +++++
+ 3 files changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index 07ad5f35219e2..50e956d6c3b25 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -8053,12 +8053,15 @@ static void hclge_ae_stop(struct hnae3_handle *handle)
+ /* If it is not PF reset or FLR, the firmware will disable the MAC,
+ * so it only need to stop phy here.
+ */
+- if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state) &&
+- hdev->reset_type != HNAE3_FUNC_RESET &&
+- hdev->reset_type != HNAE3_FLR_RESET) {
+- hclge_mac_stop_phy(hdev);
+- hclge_update_link_status(hdev);
+- return;
++ if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state)) {
++ hclge_pfc_pause_en_cfg(hdev, HCLGE_PFC_TX_RX_DISABLE,
++ HCLGE_PFC_DISABLE);
++ if (hdev->reset_type != HNAE3_FUNC_RESET &&
++ hdev->reset_type != HNAE3_FLR_RESET) {
++ hclge_mac_stop_phy(hdev);
++ hclge_update_link_status(hdev);
++ return;
++ }
+ }
+
+ hclge_reset_tqp(handle);
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+index 4a33f65190e2b..922c0da3660c7 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+@@ -171,8 +171,8 @@ int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx)
+ return hclge_cmd_send(&hdev->hw, &desc, 1);
+ }
+
+-static int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap,
+- u8 pfc_bitmap)
++int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap,
++ u8 pfc_bitmap)
+ {
+ struct hclge_desc desc;
+ struct hclge_pfc_en_cmd *pfc = (struct hclge_pfc_en_cmd *)desc.data;
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h
+index 68f28a98e380b..dd6f1fd486cf2 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h
+@@ -164,6 +164,9 @@ struct hclge_bp_to_qs_map_cmd {
+ u32 rsvd1;
+ };
+
++#define HCLGE_PFC_DISABLE 0
++#define HCLGE_PFC_TX_RX_DISABLE 0
++
+ struct hclge_pfc_en_cmd {
+ u8 tx_rx_en_bitmap;
+ u8 pri_en_bitmap;
+@@ -235,6 +238,8 @@ void hclge_tm_schd_info_update(struct hclge_dev *hdev, u8 num_tc);
+ void hclge_tm_pfc_info_update(struct hclge_dev *hdev);
+ int hclge_tm_dwrr_cfg(struct hclge_dev *hdev);
+ int hclge_tm_init_hw(struct hclge_dev *hdev, bool init);
++int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap,
++ u8 pfc_bitmap);
+ int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx);
+ int hclge_pause_addr_cfg(struct hclge_dev *hdev, const u8 *mac_addr);
+ void hclge_pfc_rx_stats_get(struct hclge_dev *hdev, u64 *stats);
+--
+2.39.2
+
--- /dev/null
+From d4a9fd553bfb0ee45bb1aca88ad536016a3898a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 20:54:40 +0800
+Subject: net: nsh: Use correct mac_offset to unwind gso skb in
+ nsh_gso_segment()
+
+From: Dong Chenchen <dongchenchen2@huawei.com>
+
+[ Upstream commit c83b49383b595be50647f0c764a48c78b5f3c4f8 ]
+
+As the call trace shows, skb_panic was caused by wrong skb->mac_header
+in nsh_gso_segment():
+
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1
+RIP: 0010:skb_panic+0xda/0xe0
+call Trace:
+ skb_push+0x91/0xa0
+ nsh_gso_segment+0x4f3/0x570
+ skb_mac_gso_segment+0x19e/0x270
+ __skb_gso_segment+0x1e8/0x3c0
+ validate_xmit_skb+0x452/0x890
+ validate_xmit_skb_list+0x99/0xd0
+ sch_direct_xmit+0x294/0x7c0
+ __dev_queue_xmit+0x16f0/0x1d70
+ packet_xmit+0x185/0x210
+ packet_snd+0xc15/0x1170
+ packet_sendmsg+0x7b/0xa0
+ sock_sendmsg+0x14f/0x160
+
+The root cause is:
+nsh_gso_segment() use skb->network_header - nhoff to reset mac_header
+in skb_gso_error_unwind() if inner-layer protocol gso fails.
+However, skb->network_header may be reset by inner-layer protocol
+gso function e.g. mpls_gso_segment. skb->mac_header reset by the
+inaccurate network_header will be larger than skb headroom.
+
+nsh_gso_segment
+ nhoff = skb->network_header - skb->mac_header;
+ __skb_pull(skb,nsh_len)
+ skb_mac_gso_segment
+ mpls_gso_segment
+ skb_reset_network_header(skb);//skb->network_header+=nsh_len
+ return -EINVAL;
+ skb_gso_error_unwind
+ skb_push(skb, nsh_len);
+ skb->mac_header = skb->network_header - nhoff;
+ // skb->mac_header > skb->headroom, cause skb_push panic
+
+Use correct mac_offset to restore mac_header and get rid of nhoff.
+
+Fixes: c411ed854584 ("nsh: add GSO support")
+Reported-by: syzbot+632b5d9964208bfef8c0@syzkaller.appspotmail.com
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nsh/nsh.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c
+index e9ca007718b7e..0f23e5e8e03eb 100644
+--- a/net/nsh/nsh.c
++++ b/net/nsh/nsh.c
+@@ -77,13 +77,12 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
+ netdev_features_t features)
+ {
+ struct sk_buff *segs = ERR_PTR(-EINVAL);
++ u16 mac_offset = skb->mac_header;
+ unsigned int nsh_len, mac_len;
+ __be16 proto;
+- int nhoff;
+
+ skb_reset_network_header(skb);
+
+- nhoff = skb->network_header - skb->mac_header;
+ mac_len = skb->mac_len;
+
+ if (unlikely(!pskb_may_pull(skb, NSH_BASE_HDR_LEN)))
+@@ -108,15 +107,14 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
+ segs = skb_mac_gso_segment(skb, features);
+ if (IS_ERR_OR_NULL(segs)) {
+ skb_gso_error_unwind(skb, htons(ETH_P_NSH), nsh_len,
+- skb->network_header - nhoff,
+- mac_len);
++ mac_offset, mac_len);
+ goto out;
+ }
+
+ for (skb = segs; skb; skb = skb->next) {
+ skb->protocol = htons(ETH_P_NSH);
+ __skb_push(skb, nsh_len);
+- skb_set_mac_header(skb, -nhoff);
++ skb->mac_header = mac_offset;
+ skb->network_header = skb->mac_header + mac_len;
+ skb->mac_len = mac_len;
+ }
+--
+2.39.2
+
--- /dev/null
+From 7037274d507d6fd52cd99761ad2c94708f1029fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 18:44:10 +0300
+Subject: net: pcs: xpcs: fix C73 AN not getting enabled
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit c46e78ba9a7a09da4f192dc8df15c4e8a07fb9e0 ]
+
+The XPCS expects clause 73 (copper backplane) autoneg to follow the
+ethtool autoneg bit. It actually did that until the blamed
+commit inaptly replaced state->an_enabled (coming from ethtool) with
+phylink_autoneg_inband() (coming from the device tree or struct
+phylink_config), as part of an unrelated phylink_pcs API conversion.
+
+Russell King suggests that state->an_enabled from the original code was
+just a proxy for the ethtool Autoneg bit, and that the correct way of
+restoring the functionality is to check for this bit in the advertising
+mask.
+
+Fixes: 11059740e616 ("net: pcs: xpcs: convert to phylink_pcs_ops")
+Link: https://lore.kernel.org/netdev/ZGNt2MFeRolKGFck@shell.armlinux.org.uk/
+Suggested-by: Russell King (Oracle) <linux@armlinux.org.uk>
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/pcs/pcs-xpcs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/pcs/pcs-xpcs.c b/drivers/net/pcs/pcs-xpcs.c
+index dd88624593c71..3f882bce37f42 100644
+--- a/drivers/net/pcs/pcs-xpcs.c
++++ b/drivers/net/pcs/pcs-xpcs.c
+@@ -881,7 +881,7 @@ int xpcs_do_config(struct dw_xpcs *xpcs, phy_interface_t interface,
+
+ switch (compat->an_mode) {
+ case DW_AN_C73:
+- if (phylink_autoneg_inband(mode)) {
++ if (test_bit(ETHTOOL_LINK_MODE_Autoneg_BIT, advertising)) {
+ ret = xpcs_config_aneg_c73(xpcs, compat);
+ if (ret)
+ return ret;
+--
+2.39.2
+
--- /dev/null
+From 8649533f050e1d272f171bc0dcf76f6748ece389 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 18:21:39 +0530
+Subject: net: phy: dp83867: add w/a for packet errors seen with short cables
+
+From: Grygorii Strashko <grygorii.strashko@ti.com>
+
+[ Upstream commit 0b01db274028f5acd207332686ffc92ac77491ac ]
+
+Introduce the W/A for packet errors seen with short cables (<1m) between
+two DP83867 PHYs.
+
+The W/A recommended by DM requires FFE Equalizer Configuration tuning by
+writing value 0x0E81 to DSP_FFE_CFG register (0x012C), surrounded by hard
+and soft resets as follows:
+
+write_reg(0x001F, 0x8000); //hard reset
+write_reg(DSP_FFE_CFG, 0x0E81);
+write_reg(0x001F, 0x4000); //soft reset
+
+Since DP83867 PHY DM says "Changing this register to 0x0E81, will not
+affect Long Cable performance.", enable the W/A by default.
+
+Fixes: 2a10154abcb7 ("net: phy: dp83867: Add TI dp83867 phy")
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/dp83867.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c
+index 7446d5c6c7146..14990f8462ae3 100644
+--- a/drivers/net/phy/dp83867.c
++++ b/drivers/net/phy/dp83867.c
+@@ -42,6 +42,7 @@
+ #define DP83867_STRAP_STS1 0x006E
+ #define DP83867_STRAP_STS2 0x006f
+ #define DP83867_RGMIIDCTL 0x0086
++#define DP83867_DSP_FFE_CFG 0x012c
+ #define DP83867_RXFCFG 0x0134
+ #define DP83867_RXFPMD1 0x0136
+ #define DP83867_RXFPMD2 0x0137
+@@ -910,8 +911,27 @@ static int dp83867_phy_reset(struct phy_device *phydev)
+
+ usleep_range(10, 20);
+
+- return phy_modify(phydev, MII_DP83867_PHYCTRL,
++ err = phy_modify(phydev, MII_DP83867_PHYCTRL,
+ DP83867_PHYCR_FORCE_LINK_GOOD, 0);
++ if (err < 0)
++ return err;
++
++ /* Configure the DSP Feedforward Equalizer Configuration register to
++ * improve short cable (< 1 meter) performance. This will not affect
++ * long cable performance.
++ */
++ err = phy_write_mmd(phydev, DP83867_DEVADDR, DP83867_DSP_FFE_CFG,
++ 0x0e81);
++ if (err < 0)
++ return err;
++
++ err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESTART);
++ if (err < 0)
++ return err;
++
++ usleep_range(10, 20);
++
++ return 0;
+ }
+
+ static void dp83867_link_change_notify(struct phy_device *phydev)
+--
+2.39.2
+
--- /dev/null
+From 9172b293c26055df2c8693ce36334497ab4ad807 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 14:49:24 -0400
+Subject: net: selftests: Fix optstring
+
+From: Benjamin Poirier <bpoirier@nvidia.com>
+
+[ Upstream commit 9ba9485b87ac97fd159abdb4cbd53099bc9f01c6 ]
+
+The cited commit added a stray colon to the 'v' option. That makes the
+option work incorrectly.
+
+ex:
+tools/testing/selftests/net# ./fib_nexthops.sh -v
+(should enable verbose mode, instead it shows help text due to missing arg)
+
+Fixes: 5feba4727395 ("selftests: fib_nexthops: Make ping timeout configurable")
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Benjamin Poirier <bpoirier@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/fib_nexthops.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/fib_nexthops.sh b/tools/testing/selftests/net/fib_nexthops.sh
+index a47b26ab48f23..0f5e88c8f4ffe 100755
+--- a/tools/testing/selftests/net/fib_nexthops.sh
++++ b/tools/testing/selftests/net/fib_nexthops.sh
+@@ -2283,7 +2283,7 @@ EOF
+ ################################################################################
+ # main
+
+-while getopts :t:pP46hv:w: o
++while getopts :t:pP46hvw: o
+ do
+ case $o in
+ t) TESTS=$OPTARG;;
+--
+2.39.2
+
--- /dev/null
+From e4871b1aa22c4a77b63a8cbef593964ff8b530de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 15:31:25 +0800
+Subject: net: tun: rebuild error handling in tun_get_user
+
+From: Chuang Wang <nashuiliang@gmail.com>
+
+[ Upstream commit ab00af85d2f886a8e4ace1342d9cc2b232eab6a8 ]
+
+The error handling in tun_get_user is very scattered.
+This patch unifies error handling, reduces duplication of code, and
+makes the logic clearer.
+
+Signed-off-by: Chuang Wang <nashuiliang@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 82b2bc279467 ("tun: Fix memory leak for detached NAPI queue.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/tun.c | 65 +++++++++++++++++++++--------------------------
+ 1 file changed, 29 insertions(+), 36 deletions(-)
+
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 91d198aff2f9a..65706824eb828 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1748,7 +1748,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
+ u32 rxhash = 0;
+ int skb_xdp = 1;
+ bool frags = tun_napi_frags_enabled(tfile);
+- enum skb_drop_reason drop_reason;
++ enum skb_drop_reason drop_reason = SKB_DROP_REASON_NOT_SPECIFIED;
+
+ if (!(tun->flags & IFF_NO_PI)) {
+ if (len < sizeof(pi))
+@@ -1809,10 +1809,9 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
+ * skb was created with generic XDP routine.
+ */
+ skb = tun_build_skb(tun, tfile, from, &gso, len, &skb_xdp);
+- if (IS_ERR(skb)) {
+- dev_core_stats_rx_dropped_inc(tun->dev);
+- return PTR_ERR(skb);
+- }
++ err = PTR_ERR_OR_ZERO(skb);
++ if (err)
++ goto drop;
+ if (!skb)
+ return total_len;
+ } else {
+@@ -1837,13 +1836,9 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
+ noblock);
+ }
+
+- if (IS_ERR(skb)) {
+- if (PTR_ERR(skb) != -EAGAIN)
+- dev_core_stats_rx_dropped_inc(tun->dev);
+- if (frags)
+- mutex_unlock(&tfile->napi_mutex);
+- return PTR_ERR(skb);
+- }
++ err = PTR_ERR_OR_ZERO(skb);
++ if (err)
++ goto drop;
+
+ if (zerocopy)
+ err = zerocopy_sg_from_iter(skb, from);
+@@ -1853,27 +1848,14 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
+ if (err) {
+ err = -EFAULT;
+ drop_reason = SKB_DROP_REASON_SKB_UCOPY_FAULT;
+-drop:
+- dev_core_stats_rx_dropped_inc(tun->dev);
+- kfree_skb_reason(skb, drop_reason);
+- if (frags) {
+- tfile->napi.skb = NULL;
+- mutex_unlock(&tfile->napi_mutex);
+- }
+-
+- return err;
++ goto drop;
+ }
+ }
+
+ if (virtio_net_hdr_to_skb(skb, &gso, tun_is_little_endian(tun))) {
+ atomic_long_inc(&tun->rx_frame_errors);
+- kfree_skb(skb);
+- if (frags) {
+- tfile->napi.skb = NULL;
+- mutex_unlock(&tfile->napi_mutex);
+- }
+-
+- return -EINVAL;
++ err = -EINVAL;
++ goto free_skb;
+ }
+
+ switch (tun->flags & TUN_TYPE_MASK) {
+@@ -1889,9 +1871,8 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
+ pi.proto = htons(ETH_P_IPV6);
+ break;
+ default:
+- dev_core_stats_rx_dropped_inc(tun->dev);
+- kfree_skb(skb);
+- return -EINVAL;
++ err = -EINVAL;
++ goto drop;
+ }
+ }
+
+@@ -1933,11 +1914,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
+ if (ret != XDP_PASS) {
+ rcu_read_unlock();
+ local_bh_enable();
+- if (frags) {
+- tfile->napi.skb = NULL;
+- mutex_unlock(&tfile->napi_mutex);
+- }
+- return total_len;
++ goto unlock_frags;
+ }
+ }
+ rcu_read_unlock();
+@@ -2017,6 +1994,22 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
+ tun_flow_update(tun, rxhash, tfile);
+
+ return total_len;
++
++drop:
++ if (err != -EAGAIN)
++ dev_core_stats_rx_dropped_inc(tun->dev);
++
++free_skb:
++ if (!IS_ERR_OR_NULL(skb))
++ kfree_skb_reason(skb, drop_reason);
++
++unlock_frags:
++ if (frags) {
++ tfile->napi.skb = NULL;
++ mutex_unlock(&tfile->napi_mutex);
++ }
++
++ return err ?: total_len;
+ }
+
+ static ssize_t tun_chr_write_iter(struct kiocb *iocb, struct iov_iter *from)
+--
+2.39.2
+
--- /dev/null
+From 8eba731456e3baa3001e651a95333434cdc0f732 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 21:09:46 +0530
+Subject: net: wwan: iosm: fix NULL pointer dereference when removing device
+
+From: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
+
+[ Upstream commit 60829145f1e2650b31ebe6a0ec70a9725b38fa2c ]
+
+In suspend and resume cycle, the removal and rescan of device ends
+up in NULL pointer dereference.
+
+During driver initialization, if the ipc_imem_wwan_channel_init()
+fails to get the valid device capabilities it returns an error and
+further no resource (wwan struct) will be allocated. Now in this
+situation if driver removal procedure is initiated it would result
+in NULL pointer exception since unallocated wwan struct is dereferenced
+inside ipc_wwan_deinit().
+
+ipc_imem_run_state_worker() to handle the called functions return value
+and to release the resource in failure case. It also reports the link
+down event in failure cases. The user space application can handle this
+event to do a device reset for restoring the device communication.
+
+Fixes: 3670970dd8c6 ("net: iosm: shared memory IPC interface")
+Reported-by: Samuel Wein PhD <sam@samwein.com>
+Closes: https://lore.kernel.org/netdev/20230427140819.1310f4bd@kernel.org/T/
+Signed-off-by: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/iosm/iosm_ipc_imem.c | 27 ++++++++++++++++++-----
+ drivers/net/wwan/iosm/iosm_ipc_imem_ops.c | 12 ++++++----
+ drivers/net/wwan/iosm/iosm_ipc_imem_ops.h | 6 +++--
+ 3 files changed, 33 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_imem.c b/drivers/net/wwan/iosm/iosm_ipc_imem.c
+index 1e6a479766429..8ccd4d26b9060 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_imem.c
++++ b/drivers/net/wwan/iosm/iosm_ipc_imem.c
+@@ -565,24 +565,32 @@ static void ipc_imem_run_state_worker(struct work_struct *instance)
+ struct ipc_mux_config mux_cfg;
+ struct iosm_imem *ipc_imem;
+ u8 ctrl_chl_idx = 0;
++ int ret;
+
+ ipc_imem = container_of(instance, struct iosm_imem, run_state_worker);
+
+ if (ipc_imem->phase != IPC_P_RUN) {
+ dev_err(ipc_imem->dev,
+ "Modem link down. Exit run state worker.");
+- return;
++ goto err_out;
+ }
+
+ if (test_and_clear_bit(IOSM_DEVLINK_INIT, &ipc_imem->flag))
+ ipc_devlink_deinit(ipc_imem->ipc_devlink);
+
+- if (!ipc_imem_setup_cp_mux_cap_init(ipc_imem, &mux_cfg))
+- ipc_imem->mux = ipc_mux_init(&mux_cfg, ipc_imem);
++ ret = ipc_imem_setup_cp_mux_cap_init(ipc_imem, &mux_cfg);
++ if (ret < 0)
++ goto err_out;
++
++ ipc_imem->mux = ipc_mux_init(&mux_cfg, ipc_imem);
++ if (!ipc_imem->mux)
++ goto err_out;
++
++ ret = ipc_imem_wwan_channel_init(ipc_imem, mux_cfg.protocol);
++ if (ret < 0)
++ goto err_ipc_mux_deinit;
+
+- ipc_imem_wwan_channel_init(ipc_imem, mux_cfg.protocol);
+- if (ipc_imem->mux)
+- ipc_imem->mux->wwan = ipc_imem->wwan;
++ ipc_imem->mux->wwan = ipc_imem->wwan;
+
+ while (ctrl_chl_idx < IPC_MEM_MAX_CHANNELS) {
+ if (!ipc_chnl_cfg_get(&chnl_cfg_port, ctrl_chl_idx)) {
+@@ -615,6 +623,13 @@ static void ipc_imem_run_state_worker(struct work_struct *instance)
+
+ /* Complete all memory stores after setting bit */
+ smp_mb__after_atomic();
++
++ return;
++
++err_ipc_mux_deinit:
++ ipc_mux_deinit(ipc_imem->mux);
++err_out:
++ ipc_uevent_send(ipc_imem->dev, UEVENT_CD_READY_LINK_DOWN);
+ }
+
+ static void ipc_imem_handle_irq(struct iosm_imem *ipc_imem, int irq)
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_imem_ops.c b/drivers/net/wwan/iosm/iosm_ipc_imem_ops.c
+index 66b90cc4c3460..109cf89304888 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_imem_ops.c
++++ b/drivers/net/wwan/iosm/iosm_ipc_imem_ops.c
+@@ -77,8 +77,8 @@ int ipc_imem_sys_wwan_transmit(struct iosm_imem *ipc_imem,
+ }
+
+ /* Initialize wwan channel */
+-void ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem,
+- enum ipc_mux_protocol mux_type)
++int ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem,
++ enum ipc_mux_protocol mux_type)
+ {
+ struct ipc_chnl_cfg chnl_cfg = { 0 };
+
+@@ -87,7 +87,7 @@ void ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem,
+ /* If modem version is invalid (0xffffffff), do not initialize WWAN. */
+ if (ipc_imem->cp_version == -1) {
+ dev_err(ipc_imem->dev, "invalid CP version");
+- return;
++ return -EIO;
+ }
+
+ ipc_chnl_cfg_get(&chnl_cfg, ipc_imem->nr_of_channels);
+@@ -104,9 +104,13 @@ void ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem,
+
+ /* WWAN registration. */
+ ipc_imem->wwan = ipc_wwan_init(ipc_imem, ipc_imem->dev);
+- if (!ipc_imem->wwan)
++ if (!ipc_imem->wwan) {
+ dev_err(ipc_imem->dev,
+ "failed to register the ipc_wwan interfaces");
++ return -ENOMEM;
++ }
++
++ return 0;
+ }
+
+ /* Map SKB to DMA for transfer */
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_imem_ops.h b/drivers/net/wwan/iosm/iosm_ipc_imem_ops.h
+index f8afb217d9e2f..026c5bd0f9992 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_imem_ops.h
++++ b/drivers/net/wwan/iosm/iosm_ipc_imem_ops.h
+@@ -91,9 +91,11 @@ int ipc_imem_sys_wwan_transmit(struct iosm_imem *ipc_imem, int if_id,
+ * MUX.
+ * @ipc_imem: Pointer to iosm_imem struct.
+ * @mux_type: Type of mux protocol.
++ *
++ * Return: 0 on success and failure value on error
+ */
+-void ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem,
+- enum ipc_mux_protocol mux_type);
++int ipc_imem_wwan_channel_init(struct iosm_imem *ipc_imem,
++ enum ipc_mux_protocol mux_type);
+
+ /**
+ * ipc_imem_sys_devlink_open - Open a Flash/CD Channel link to CP
+--
+2.39.2
+
--- /dev/null
+From 8513422591ec102ba5e342578669176313472947 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 14:15:15 +0200
+Subject: netfilter: nf_tables: fix nft_trans type confusion
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit e3c361b8acd636f5fe80c02849ca175201edf10c ]
+
+nft_trans_FOO objects all share a common nft_trans base structure, but
+trailing fields depend on the real object size. Access is only safe after
+trans->msg_type check.
+
+Check for rule type first. Found by code inspection.
+
+Fixes: 1a94e38d254b ("netfilter: nf_tables: add NFTA_RULE_ID attribute")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index f663262df6987..31775d54f4b40 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3692,12 +3692,10 @@ static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
+ struct nft_trans *trans;
+
+ list_for_each_entry(trans, &nft_net->commit_list, list) {
+- struct nft_rule *rule = nft_trans_rule(trans);
+-
+ if (trans->msg_type == NFT_MSG_NEWRULE &&
+ trans->ctx.chain == chain &&
+ id == nft_trans_rule_id(trans))
+- return rule;
++ return nft_trans_rule(trans);
+ }
+ return ERR_PTR(-ENOENT);
+ }
+--
+2.39.2
+
--- /dev/null
+From 6bd90060d25698663978d16c5d4456d7989e3e99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 22:39:30 +0200
+Subject: netfilter: nft_set_rbtree: fix null deref on element insertion
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 61ae320a29b0540c16931816299eb86bf2b66c08 ]
+
+There is no guarantee that rb_prev() will not return NULL in nft_rbtree_gc_elem():
+
+general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
+ nft_add_set_elem+0x14b0/0x2990
+ nf_tables_newsetelem+0x528/0xb30
+
+Furthermore, there is a possible use-after-free while iterating,
+'node' can be free'd so we need to cache the next value to use.
+
+Fixes: c9e6978e2725 ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_rbtree.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
+index 19ea4d3c35535..2f114aa10f1a7 100644
+--- a/net/netfilter/nft_set_rbtree.c
++++ b/net/netfilter/nft_set_rbtree.c
+@@ -221,7 +221,7 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set,
+ {
+ struct nft_set *set = (struct nft_set *)__set;
+ struct rb_node *prev = rb_prev(&rbe->node);
+- struct nft_rbtree_elem *rbe_prev;
++ struct nft_rbtree_elem *rbe_prev = NULL;
+ struct nft_set_gc_batch *gcb;
+
+ gcb = nft_set_gc_batch_check(set, NULL, GFP_ATOMIC);
+@@ -229,17 +229,21 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set,
+ return -ENOMEM;
+
+ /* search for expired end interval coming before this element. */
+- do {
++ while (prev) {
+ rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node);
+ if (nft_rbtree_interval_end(rbe_prev))
+ break;
+
+ prev = rb_prev(prev);
+- } while (prev != NULL);
++ }
++
++ if (rbe_prev) {
++ rb_erase(&rbe_prev->node, &priv->root);
++ atomic_dec(&set->nelems);
++ }
+
+- rb_erase(&rbe_prev->node, &priv->root);
+ rb_erase(&rbe->node, &priv->root);
+- atomic_sub(2, &set->nelems);
++ atomic_dec(&set->nelems);
+
+ nft_set_gc_batch_add(gcb, rbe);
+ nft_set_gc_batch_complete(gcb);
+@@ -268,7 +272,7 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
+ struct nft_set_ext **ext)
+ {
+ struct nft_rbtree_elem *rbe, *rbe_le = NULL, *rbe_ge = NULL;
+- struct rb_node *node, *parent, **p, *first = NULL;
++ struct rb_node *node, *next, *parent, **p, *first = NULL;
+ struct nft_rbtree *priv = nft_set_priv(set);
+ u8 genmask = nft_genmask_next(net);
+ int d, err;
+@@ -307,7 +311,9 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
+ * Values stored in the tree are in reversed order, starting from
+ * highest to lowest value.
+ */
+- for (node = first; node != NULL; node = rb_next(node)) {
++ for (node = first; node != NULL; node = next) {
++ next = rb_next(node);
++
+ rbe = rb_entry(node, struct nft_rbtree_elem, node);
+
+ if (!nft_set_elem_active(&rbe->ext, genmask))
+--
+2.39.2
+
--- /dev/null
+From dcd137a257beffcdffe45bd40a68393820fe261c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 16:09:14 +0100
+Subject: platform: Provide a remove callback that returns no value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 5c5a7680e67ba6fbbb5f4d79fa41485450c1985c ]
+
+struct platform_driver::remove returning an integer made driver authors
+expect that returning an error code was proper error handling. However
+the driver core ignores the error and continues to remove the device
+because there is nothing the core could do anyhow and reentering the
+remove callback again is only calling for trouble.
+
+So this is an source for errors typically yielding resource leaks in the
+error path.
+
+As there are too many platform drivers to neatly convert them all to
+return void in a single go, do it in several steps after this patch:
+
+ a) Convert all drivers to implement .remove_new() returning void instead
+ of .remove() returning int;
+ b) Change struct platform_driver::remove() to return void and so make
+ it identical to .remove_new();
+ c) Change all drivers back to .remove() now with the better prototype;
+ d) drop struct platform_driver::remove_new().
+
+While this touches all drivers eventually twice, steps a) and c) can be
+done one driver after another and so reduces coordination efforts
+immensely and simplifies review.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20221209150914.3557650-1-u.kleine-koenig@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 17955aba7877 ("ASoC: fsl_micfil: Fix error handler with pm_runtime_enable")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/platform.c | 4 +++-
+ include/linux/platform_device.h | 11 +++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/base/platform.c b/drivers/base/platform.c
+index 51bb2289865c7..3a06c214ca1c6 100644
+--- a/drivers/base/platform.c
++++ b/drivers/base/platform.c
+@@ -1416,7 +1416,9 @@ static void platform_remove(struct device *_dev)
+ struct platform_driver *drv = to_platform_driver(_dev->driver);
+ struct platform_device *dev = to_platform_device(_dev);
+
+- if (drv->remove) {
++ if (drv->remove_new) {
++ drv->remove_new(dev);
++ } else if (drv->remove) {
+ int ret = drv->remove(dev);
+
+ if (ret)
+diff --git a/include/linux/platform_device.h b/include/linux/platform_device.h
+index b0d5a253156ec..b845fd83f429b 100644
+--- a/include/linux/platform_device.h
++++ b/include/linux/platform_device.h
+@@ -207,7 +207,18 @@ extern void platform_device_put(struct platform_device *pdev);
+
+ struct platform_driver {
+ int (*probe)(struct platform_device *);
++
++ /*
++ * Traditionally the remove callback returned an int which however is
++ * ignored by the driver core. This led to wrong expectations by driver
++ * authors who thought returning an error code was a valid error
++ * handling strategy. To convert to a callback returning void, new
++ * drivers should implement .remove_new() until the conversion it done
++ * that eventually makes .remove() return void.
++ */
+ int (*remove)(struct platform_device *);
++ void (*remove_new)(struct platform_device *);
++
+ void (*shutdown)(struct platform_device *);
+ int (*suspend)(struct platform_device *, pm_message_t state);
+ int (*resume)(struct platform_device *);
+--
+2.39.2
+
--- /dev/null
+From 1b45b843365f885e0a1f95e87c6cc6f5abf11430 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Apr 2023 09:46:18 +0200
+Subject: Revert "Fix XFRM-I support for nested ESP tunnels"
+
+From: Martin Willi <martin@strongswan.org>
+
+[ Upstream commit 5fc46f94219d1d103ffb5f0832be9da674d85a73 ]
+
+This reverts commit b0355dbbf13c0052931dd14c38c789efed64d3de.
+
+The reverted commit clears the secpath on packets received via xfrm interfaces
+to support nested IPsec tunnels. This breaks Netfilter policy matching using
+xt_policy in the FORWARD chain, as the secpath is missing during forwarding.
+Additionally, Benedict Wong reports that it breaks Transport-in-Tunnel mode.
+
+Fix this regression by reverting the commit until we have a better approach
+for nested IPsec tunnels.
+
+Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels")
+Link: https://lore.kernel.org/netdev/20230412085615.124791-1-martin@strongswan.org/
+Signed-off-by: Martin Willi <martin@strongswan.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_interface.c | 54 +++------------------------------------
+ net/xfrm/xfrm_policy.c | 3 ---
+ 2 files changed, 4 insertions(+), 53 deletions(-)
+
+diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
+index 94a3609548b11..5a67b120c4dbd 100644
+--- a/net/xfrm/xfrm_interface.c
++++ b/net/xfrm/xfrm_interface.c
+@@ -310,52 +310,6 @@ static void xfrmi_scrub_packet(struct sk_buff *skb, bool xnet)
+ skb->mark = 0;
+ }
+
+-static int xfrmi_input(struct sk_buff *skb, int nexthdr, __be32 spi,
+- int encap_type, unsigned short family)
+-{
+- struct sec_path *sp;
+-
+- sp = skb_sec_path(skb);
+- if (sp && (sp->len || sp->olen) &&
+- !xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family))
+- goto discard;
+-
+- XFRM_SPI_SKB_CB(skb)->family = family;
+- if (family == AF_INET) {
+- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
+- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
+- } else {
+- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
+- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL;
+- }
+-
+- return xfrm_input(skb, nexthdr, spi, encap_type);
+-discard:
+- kfree_skb(skb);
+- return 0;
+-}
+-
+-static int xfrmi4_rcv(struct sk_buff *skb)
+-{
+- return xfrmi_input(skb, ip_hdr(skb)->protocol, 0, 0, AF_INET);
+-}
+-
+-static int xfrmi6_rcv(struct sk_buff *skb)
+-{
+- return xfrmi_input(skb, skb_network_header(skb)[IP6CB(skb)->nhoff],
+- 0, 0, AF_INET6);
+-}
+-
+-static int xfrmi4_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
+-{
+- return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET);
+-}
+-
+-static int xfrmi6_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
+-{
+- return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET6);
+-}
+-
+ static int xfrmi_rcv_cb(struct sk_buff *skb, int err)
+ {
+ const struct xfrm_mode *inner_mode;
+@@ -983,8 +937,8 @@ static struct pernet_operations xfrmi_net_ops = {
+ };
+
+ static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = {
+- .handler = xfrmi6_rcv,
+- .input_handler = xfrmi6_input,
++ .handler = xfrm6_rcv,
++ .input_handler = xfrm_input,
+ .cb_handler = xfrmi_rcv_cb,
+ .err_handler = xfrmi6_err,
+ .priority = 10,
+@@ -1034,8 +988,8 @@ static struct xfrm6_tunnel xfrmi_ip6ip_handler __read_mostly = {
+ #endif
+
+ static struct xfrm4_protocol xfrmi_esp4_protocol __read_mostly = {
+- .handler = xfrmi4_rcv,
+- .input_handler = xfrmi4_input,
++ .handler = xfrm4_rcv,
++ .input_handler = xfrm_input,
+ .cb_handler = xfrmi_rcv_cb,
+ .err_handler = xfrmi4_err,
+ .priority = 10,
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index bea48a73a7313..bc04cb83215f9 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3664,9 +3664,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+ goto reject;
+ }
+
+- if (if_id)
+- secpath_reset(skb);
+-
+ xfrm_pols_put(pols, npols);
+ return 1;
+ }
+--
+2.39.2
+
--- /dev/null
+From e8cf3dad8e8176bbbd4fcdaae4007142b706bd58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 May 2023 11:12:42 +0200
+Subject: s390/cio: include subchannels without devices also for evaluation
+
+From: Vineeth Vijayan <vneethv@linux.ibm.com>
+
+[ Upstream commit b1b0d5aec1cf9f9a900a14964f869c68688d923e ]
+
+Currently when the new channel-path is enabled, we do evaluation only
+on the subchannels with a device connected on it. This is because,
+in the past, if the device in the subchannel is not working or not
+available, we used to unregister the subchannels. But, from the 'commit
+2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers")'
+we allow subchannels with or without an active device connected
+on it. So, when we do the io_subchannel_verify, make sure that,
+we are evaluating the subchannels without any device too.
+
+Fixes: 2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers")
+Reported-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
+Signed-off-by: Vineeth Vijayan <vneethv@linux.ibm.com>
+Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/device.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
+index 3b1cd0c96a74b..ba4c69226c337 100644
+--- a/drivers/s390/cio/device.c
++++ b/drivers/s390/cio/device.c
+@@ -1102,6 +1102,8 @@ static void io_subchannel_verify(struct subchannel *sch)
+ cdev = sch_get_cdev(sch);
+ if (cdev)
+ dev_fsm_event(cdev, DEV_EVENT_VERIFY);
++ else
++ css_schedule_eval(sch->schid);
+ }
+
+ static void io_subchannel_terminate_path(struct subchannel *sch, u8 mask)
+--
+2.39.2
+
--- /dev/null
+From 66c17b18edb7213498699afd13a896105aff35c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 May 2023 10:20:41 -0700
+Subject: scsi: storvsc: Don't pass unused PFNs to Hyper-V host
+
+From: Michael Kelley <mikelley@microsoft.com>
+
+[ Upstream commit 4e81a6cba517cb33584308a331f14f5e3fec369b ]
+
+In a SCSI request, storvsc pre-allocates space for up to
+MAX_PAGE_BUFFER_COUNT physical frame numbers to be passed to Hyper-V. If
+the size of the I/O request requires more PFNs, a separate memory area of
+exactly the correct size is dynamically allocated.
+
+But when the pre-allocated area is used, current code always passes
+MAX_PAGE_BUFFER_COUNT PFNs to Hyper-V, even if fewer are needed. While
+this doesn't break anything because the additional PFNs are always zero,
+more bytes than necessary are copied into the VMBus channel ring buffer.
+This takes CPU cycles and wastes space in the ring buffer. For a typical 4
+Kbyte I/O that requires only a single PFN, 248 unnecessary bytes are
+copied.
+
+Fix this by setting the payload_sz based on the actual number of PFNs
+required, not the size of the pre-allocated space.
+
+Reported-by: John Starks <jostarks@microsoft.com>
+Fixes: 8f43710543ef ("scsi: storvsc: Support PAGE_SIZE larger than 4K")
+Signed-off-by: Michael Kelley <mikelley@microsoft.com>
+Link: https://lore.kernel.org/r/1684171241-16209-1-git-send-email-mikelley@microsoft.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/storvsc_drv.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
+index a0665bca54b99..5284f9a0b826e 100644
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -1780,7 +1780,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
+
+ length = scsi_bufflen(scmnd);
+ payload = (struct vmbus_packet_mpb_array *)&cmd_request->mpb;
+- payload_sz = sizeof(cmd_request->mpb);
++ payload_sz = 0;
+
+ if (scsi_sg_count(scmnd)) {
+ unsigned long offset_in_hvpg = offset_in_hvpage(sgl->offset);
+@@ -1789,10 +1789,10 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
+ unsigned long hvpfn, hvpfns_to_add;
+ int j, i = 0, sg_count;
+
+- if (hvpg_count > MAX_PAGE_BUFFER_COUNT) {
++ payload_sz = (hvpg_count * sizeof(u64) +
++ sizeof(struct vmbus_packet_mpb_array));
+
+- payload_sz = (hvpg_count * sizeof(u64) +
+- sizeof(struct vmbus_packet_mpb_array));
++ if (hvpg_count > MAX_PAGE_BUFFER_COUNT) {
+ payload = kzalloc(payload_sz, GFP_ATOMIC);
+ if (!payload)
+ return SCSI_MLQUEUE_DEVICE_BUSY;
+--
+2.39.2
+
--- /dev/null
+From 0f2a089c4a734162475dbb02de35933c8fd50db8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 13:16:37 +0200
+Subject: selftests: seg6: disable DAD on IPv6 router cfg for
+ srv6_end_dt4_l3vpn_test
+
+From: Andrea Mayer <andrea.mayer@uniroma2.it>
+
+[ Upstream commit 21a933c79a33add3612808f3be4ad65dd4dc026b ]
+
+The srv6_end_dt4_l3vpn_test instantiates a virtual network consisting of
+several routers (rt-1, rt-2) and hosts.
+When the IPv6 addresses of rt-{1,2} routers are configured, the Deduplicate
+Address Detection (DAD) kicks in when enabled in the Linux distros running
+the selftests. DAD is used to check whether an IPv6 address is already
+assigned in a network. Such a mechanism consists of sending an ICMPv6 Echo
+Request and waiting for a reply.
+As the DAD process could take too long to complete, it may cause the
+failing of some tests carried out by the srv6_end_dt4_l3vpn_test script.
+
+To make the srv6_end_dt4_l3vpn_test more robust, we disable DAD on routers
+since we configure the virtual network manually and do not need any address
+deduplication mechanism at all.
+
+Fixes: 2195444e09b4 ("selftests: add selftest for the SRv6 End.DT4 behavior")
+Signed-off-by: Andrea Mayer <andrea.mayer@uniroma2.it>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
+index 1003119773e5d..37f08d582d2fe 100755
+--- a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
++++ b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
+@@ -232,10 +232,14 @@ setup_rt_networking()
+ local nsname=rt-${rt}
+
+ ip netns add ${nsname}
++
++ ip netns exec ${nsname} sysctl -wq net.ipv6.conf.all.accept_dad=0
++ ip netns exec ${nsname} sysctl -wq net.ipv6.conf.default.accept_dad=0
++
+ ip link set veth-rt-${rt} netns ${nsname}
+ ip -netns ${nsname} link set veth-rt-${rt} name veth0
+
+- ip -netns ${nsname} addr add ${IPv6_RT_NETWORK}::${rt}/64 dev veth0
++ ip -netns ${nsname} addr add ${IPv6_RT_NETWORK}::${rt}/64 dev veth0 nodad
+ ip -netns ${nsname} link set veth0 up
+ ip -netns ${nsname} link set lo up
+
+--
+2.39.2
+
--- /dev/null
+From 72a6f7778f7a6fd5aa90cf545e901689863cf5f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 13:16:38 +0200
+Subject: selftets: seg6: disable rp_filter by default in
+ srv6_end_dt4_l3vpn_test
+
+From: Andrea Mayer <andrea.mayer@uniroma2.it>
+
+[ Upstream commit f97b8401e0deb46ad1e4245c21f651f64f55aaa6 ]
+
+On some distributions, the rp_filter is automatically set (=1) by
+default on a netdev basis (also on VRFs).
+In an SRv6 End.DT4 behavior, decapsulated IPv4 packets are routed using
+the table associated with the VRF bound to that tunnel. During lookup
+operations, the rp_filter can lead to packet loss when activated on the
+VRF.
+Therefore, we chose to make this selftest more robust by explicitly
+disabling the rp_filter during tests (as it is automatically set by some
+Linux distributions).
+
+Fixes: 2195444e09b4 ("selftests: add selftest for the SRv6 End.DT4 behavior")
+Reported-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Andrea Mayer <andrea.mayer@uniroma2.it>
+Tested-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/net/srv6_end_dt4_l3vpn_test.sh | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
+index 37f08d582d2fe..f962823628119 100755
+--- a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
++++ b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
+@@ -258,6 +258,12 @@ setup_hs()
+
+ # set the networking for the host
+ ip netns add ${hsname}
++
++ # disable the rp_filter otherwise the kernel gets confused about how
++ # to route decap ipv4 packets.
++ ip netns exec ${rtname} sysctl -wq net.ipv4.conf.all.rp_filter=0
++ ip netns exec ${rtname} sysctl -wq net.ipv4.conf.default.rp_filter=0
++
+ ip -netns ${hsname} link add veth0 type veth peer name ${rtveth}
+ ip -netns ${hsname} link set ${rtveth} netns ${rtname}
+ ip -netns ${hsname} addr add ${IPv4_HS_NETWORK}.${hs}/24 dev veth0
+@@ -276,11 +282,6 @@ setup_hs()
+
+ ip netns exec ${rtname} sysctl -wq net.ipv4.conf.${rtveth}.proxy_arp=1
+
+- # disable the rp_filter otherwise the kernel gets confused about how
+- # to route decap ipv4 packets.
+- ip netns exec ${rtname} sysctl -wq net.ipv4.conf.all.rp_filter=0
+- ip netns exec ${rtname} sysctl -wq net.ipv4.conf.${rtveth}.rp_filter=0
+-
+ ip netns exec ${rtname} sh -c "echo 1 > /proc/sys/net/vrf/strict_mode"
+ }
+
+--
+2.39.2
+
--- /dev/null
+From f364e02966e254b8bd8605860488af813dafa92f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Apr 2023 11:19:15 -0700
+Subject: serial: 8250_bcm7271: balance clk_enable calls
+
+From: Doug Berger <opendmb@gmail.com>
+
+[ Upstream commit 8a3b5477256a54ae4a470dcebbcf8cdc18e4696d ]
+
+The sw_baud clock must be disabled when the device driver is not
+connected to the device. This now occurs when probe fails and
+upon remove.
+
+Fixes: 41a469482de2 ("serial: 8250: Add new 8250-core based Broadcom STB driver")
+Reported-by: XuDong Liu <m202071377@hust.edu.cn>
+Link: https://lore.kernel.org/lkml/20230424125100.4783-1-m202071377@hust.edu.cn/
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20230427181916.2983697-2-opendmb@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_bcm7271.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_bcm7271.c b/drivers/tty/serial/8250/8250_bcm7271.c
+index 36e31b96ef4a5..1f0095cf57a7e 100644
+--- a/drivers/tty/serial/8250/8250_bcm7271.c
++++ b/drivers/tty/serial/8250/8250_bcm7271.c
+@@ -1034,7 +1034,7 @@ static int brcmuart_probe(struct platform_device *pdev)
+ if (clk_rate == 0) {
+ dev_err(dev, "clock-frequency or clk not defined\n");
+ ret = -EINVAL;
+- goto release_dma;
++ goto err_clk_disable;
+ }
+
+ dev_dbg(dev, "DMA is %senabled\n", priv->dma_enabled ? "" : "not ");
+@@ -1121,6 +1121,8 @@ static int brcmuart_probe(struct platform_device *pdev)
+ serial8250_unregister_port(priv->line);
+ err:
+ brcmuart_free_bufs(dev, priv);
++err_clk_disable:
++ clk_disable_unprepare(baud_mux_clk);
+ release_dma:
+ if (priv->dma_enabled)
+ brcmuart_arbitration(priv, 0);
+@@ -1135,6 +1137,7 @@ static int brcmuart_remove(struct platform_device *pdev)
+ hrtimer_cancel(&priv->hrt);
+ serial8250_unregister_port(priv->line);
+ brcmuart_free_bufs(&pdev->dev, priv);
++ clk_disable_unprepare(priv->baud_mux_clk);
+ if (priv->dma_enabled)
+ brcmuart_arbitration(priv, 0);
+ return 0;
+--
+2.39.2
+
--- /dev/null
+From 40e8b7e1174091416ff6c8a7ddbd626d01b39fb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Apr 2023 11:19:16 -0700
+Subject: serial: 8250_bcm7271: fix leak in `brcmuart_probe`
+
+From: Doug Berger <opendmb@gmail.com>
+
+[ Upstream commit f264f2f6f4788dc031cef60a0cf2881902736709 ]
+
+Smatch reports:
+drivers/tty/serial/8250/8250_bcm7271.c:1120 brcmuart_probe() warn:
+'baud_mux_clk' from clk_prepare_enable() not released on lines: 1032.
+
+The issue is fixed by using a managed clock.
+
+Fixes: 41a469482de2 ("serial: 8250: Add new 8250-core based Broadcom STB driver")
+Reported-by: XuDong Liu <m202071377@hust.edu.cn>
+Link: https://lore.kernel.org/lkml/20230424125100.4783-1-m202071377@hust.edu.cn/
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20230427181916.2983697-3-opendmb@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_bcm7271.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_bcm7271.c b/drivers/tty/serial/8250/8250_bcm7271.c
+index 1f0095cf57a7e..ffc7f67e27e35 100644
+--- a/drivers/tty/serial/8250/8250_bcm7271.c
++++ b/drivers/tty/serial/8250/8250_bcm7271.c
+@@ -1014,7 +1014,7 @@ static int brcmuart_probe(struct platform_device *pdev)
+ of_property_read_u32(np, "clock-frequency", &clk_rate);
+
+ /* See if a Baud clock has been specified */
+- baud_mux_clk = of_clk_get_by_name(np, "sw_baud");
++ baud_mux_clk = devm_clk_get(dev, "sw_baud");
+ if (IS_ERR(baud_mux_clk)) {
+ if (PTR_ERR(baud_mux_clk) == -EPROBE_DEFER) {
+ ret = -EPROBE_DEFER;
+--
+2.39.2
+
--- /dev/null
+From 0237fbc56189c178be4e315e6d8c5b8d8e5b8205 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Apr 2023 11:16:36 +0800
+Subject: serial: arc_uart: fix of_iomap leak in `arc_serial_probe`
+
+From: Ke Zhang <m202171830@hust.edu.cn>
+
+[ Upstream commit 8ab5fc55d7f65d58a3c3aeadf11bdf60267cd2bd ]
+
+Smatch reports:
+
+drivers/tty/serial/arc_uart.c:631 arc_serial_probe() warn:
+'port->membase' from of_iomap() not released on lines: 631.
+
+In arc_serial_probe(), if uart_add_one_port() fails,
+port->membase is not released, which would cause a resource leak.
+
+To fix this, I replace of_iomap with devm_platform_ioremap_resource.
+
+Fixes: 8dbe1d5e09a7 ("serial/arc: inline the probe helper")
+Signed-off-by: Ke Zhang <m202171830@hust.edu.cn>
+Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
+Link: https://lore.kernel.org/r/20230428031636.44642-1-m202171830@hust.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/arc_uart.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/serial/arc_uart.c b/drivers/tty/serial/arc_uart.c
+index 2a65ea2660e10..f3ccc59d8c1f3 100644
+--- a/drivers/tty/serial/arc_uart.c
++++ b/drivers/tty/serial/arc_uart.c
+@@ -607,10 +607,11 @@ static int arc_serial_probe(struct platform_device *pdev)
+ }
+ uart->baud = val;
+
+- port->membase = of_iomap(np, 0);
+- if (!port->membase)
++ port->membase = devm_platform_ioremap_resource(pdev, 0);
++ if (IS_ERR(port->membase)) {
+ /* No point of dev_err since UART itself is hosed here */
+- return -ENXIO;
++ return PTR_ERR(port->membase);
++ }
+
+ port->irq = irq_of_parse_and_map(np, 0);
+
+--
+2.39.2
+
platform-x86-move-existing-hp-drivers-to-a-new-hp-su.patch
platform-x86-hp-wmi-add-micmute-to-hp_wmi_keymap-str.patch
drm-amdgpu-drop-gfx_v11_0_cp_ecc_error_irq_funcs.patch
+xfrm-don-t-check-the-default-policy-if-the-policy-al.patch
+revert-fix-xfrm-i-support-for-nested-esp-tunnels.patch
+drm-msm-dp-unregister-audio-driver-during-unbind.patch
+drm-msm-dpu-assign-missing-writeback-log_mask.patch
+drm-msm-dpu-move-non-mdp_top-intf_intr-offsets-out-o.patch
+drm-msm-dpu-remove-duplicate-register-defines-from-i.patch
+dt-bindings-display-msm-dsi-controller-main-document.patch
+platform-provide-a-remove-callback-that-returns-no-v.patch
+asoc-fsl_micfil-fix-error-handler-with-pm_runtime_en.patch
+cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch
+xfrm-reject-optional-tunnel-beet-mode-templates-in-o.patch
+af_key-reject-optional-tunnel-beet-mode-templates-in.patch
+drm-msm-fix-submit-error-path-leaks.patch
+selftests-seg6-disable-dad-on-ipv6-router-cfg-for-sr.patch
+selftets-seg6-disable-rp_filter-by-default-in-srv6_e.patch
+net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch
+net-phy-dp83867-add-w-a-for-packet-errors-seen-with-.patch
+alsa-firewire-digi00x-prevent-potential-use-after-fr.patch
+wifi-mt76-connac-fix-stats-tx_bytes-calculation.patch
+alsa-hda-realtek-apply-hp-b-o-top-speaker-profile-to.patch
+sfc-disable-rxfcs-and-rxall-features-by-default.patch
+vsock-avoid-to-close-connected-socket-after-the-time.patch
+tcp-fix-possible-sk_priority-leak-in-tcp_v4_send_res.patch
+serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch
+serial-8250_bcm7271-balance-clk_enable-calls.patch
+serial-8250_bcm7271-fix-leak-in-brcmuart_probe.patch
+erspan-get-the-proto-with-the-md-version-for-collect.patch
+net-dsa-rzn1-a5psw-enable-management-frames-for-cpu-.patch
+net-dsa-rzn1-a5psw-fix-stp-states-handling.patch
+net-dsa-rzn1-a5psw-disable-learning-for-standalone-p.patch
+net-hns3-fix-output-information-incomplete-for-dumpi.patch
+net-hns3-fix-sending-pfc-frames-after-reset-issue.patch
+net-hns3-fix-reset-delay-time-to-avoid-configuration.patch
+net-hns3-fix-reset-timeout-when-enable-full-vf.patch
+media-netup_unidvb-fix-use-after-free-at-del_timer.patch
+sunrpc-double-free-xprt_ctxt-while-still-in-use.patch
+sunrpc-always-free-ctxt-when-freeing-deferred-reques.patch
+sunrpc-fix-trace_svc_register-call-site.patch
+asoc-mediatek-mt8186-fix-use-after-free-in-driver-re.patch
+asoc-sof-topology-fix-logic-for-copying-tuples.patch
+drm-exynos-fix-g2d_open-close-helper-function-defini.patch
+net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch
+virtio-net-maintain-reverse-cleanup-order.patch
+virtio_net-fix-error-unwinding-of-xdp-initialization.patch
+tipc-add-tipc_bearer_min_mtu-to-calculate-min-mtu.patch
+tipc-do-not-update-mtu-if-msg_max-is-too-small-in-mt.patch
+tipc-check-the-bearer-min-mtu-properly-when-setting-.patch
+s390-cio-include-subchannels-without-devices-also-fo.patch
+can-dev-fix-missing-can-xl-support-in-can_put_echo_s.patch
+net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch
+net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch
+ice-introduce-clear_reset_state-operation.patch
+ice-fix-ice-vf-reset-during-iavf-initialization.patch
+wifi-cfg80211-drop-entries-with-invalid-bssids-in-rn.patch
+wifi-mac80211-fortify-the-spinlock-against-deadlock-.patch
+wifi-mac80211-fix-min-center-freq-offset-tracing.patch
+wifi-mac80211-abort-running-color-change-when-stoppi.patch
+wifi-iwlwifi-mvm-fix-cancel_delayed_work_sync-deadlo.patch
+wifi-iwlwifi-fw-fix-dbgi-dump.patch
+wifi-iwlwifi-fix-oem-s-name-in-the-ppag-approved-lis.patch
+wifi-iwlwifi-mvm-fix-oem-s-name-in-the-tas-approved-.patch
+wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch
+scsi-storvsc-don-t-pass-unused-pfns-to-hyper-v-host.patch
+net-tun-rebuild-error-handling-in-tun_get_user.patch
+tun-fix-memory-leak-for-detached-napi-queue.patch
+cassini-fix-a-memory-leak-in-the-error-handling-path.patch
+net-dsa-mv88e6xxx-fix-mv88e6393x-epc-write-command-o.patch
+igb-fix-bit_shift-to-be-in-1.8-range.patch
+vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch
+net-wwan-iosm-fix-null-pointer-dereference-when-remo.patch
+net-pcs-xpcs-fix-c73-an-not-getting-enabled.patch
+net-selftests-fix-optstring.patch
+netfilter-nf_tables-fix-nft_trans-type-confusion.patch
+netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch
+bridge-always-declare-tunnel-functions.patch
--- /dev/null
+From 613928b94b9b5aa4f8869d69b38036d308bcf802 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 10:43:33 +0100
+Subject: sfc: disable RXFCS and RXALL features by default
+
+From: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com>
+
+[ Upstream commit 134120b066044399ef59564ff3ba66ab344cfc5b ]
+
+By default we would not want RXFCS and RXALL features enabled as they are
+mainly intended for debugging purposes. This does not stop users from
+enabling them later on as needed.
+
+Fixes: 8e57daf70671 ("sfc_ef100: RX path for EF100")
+Signed-off-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com>
+Co-developed-by: Edward Cree <ecree.xilinx@gmail.com>
+Signed-off-by: Edward Cree <ecree.xilinx@gmail.com>
+Reviewed-by: Martin Habets <habetsm.xilinx@gmail.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/ef100_netdev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sfc/ef100_netdev.c b/drivers/net/ethernet/sfc/ef100_netdev.c
+index ddcc325ed5701..c6b9ba6803c8d 100644
+--- a/drivers/net/ethernet/sfc/ef100_netdev.c
++++ b/drivers/net/ethernet/sfc/ef100_netdev.c
+@@ -372,7 +372,9 @@ int ef100_probe_netdev(struct efx_probe_data *probe_data)
+ efx->net_dev = net_dev;
+ SET_NETDEV_DEV(net_dev, &efx->pci_dev->dev);
+
+- net_dev->features |= efx->type->offload_features;
++ /* enable all supported features except rx-fcs and rx-all */
++ net_dev->features |= efx->type->offload_features &
++ ~(NETIF_F_RXFCS | NETIF_F_RXALL);
+ net_dev->hw_features |= efx->type->offload_features;
+ net_dev->hw_enc_features |= efx->type->offload_features;
+ net_dev->vlan_features |= NETIF_F_HW_CSUM | NETIF_F_SG |
+--
+2.39.2
+
--- /dev/null
+From cc8da785a3965f55b52346dae919e6489e4eae5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 May 2023 09:42:47 +1000
+Subject: SUNRPC: always free ctxt when freeing deferred request
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit 948f072ada23e0a504c5e4d7d71d4c83bd0785ec ]
+
+Since the ->xprt_ctxt pointer was added to svc_deferred_req, it has not
+been sufficient to use kfree() to free a deferred request. We may need
+to free the ctxt as well.
+
+As freeing the ctxt is all that ->xpo_release_rqst() does, we repurpose
+it to explicit do that even when the ctxt is not stored in an rqst.
+So we now have ->xpo_release_ctxt() which is given an xprt and a ctxt,
+which may have been taken either from an rqst or from a dreq. The
+caller is now responsible for clearing that pointer after the call to
+->xpo_release_ctxt.
+
+We also clear dr->xprt_ctxt when the ctxt is moved into a new rqst when
+revisiting a deferred request. This ensures there is only one pointer
+to the ctxt, so the risk of double freeing in future is reduced. The
+new code in svc_xprt_release which releases both the ctxt and any
+rq_deferred depends on this.
+
+Fixes: 773f91b2cf3f ("SUNRPC: Fix NFSD's request deferral on RDMA transports")
+Signed-off-by: NeilBrown <neilb@suse.de>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sunrpc/svc_rdma.h | 2 +-
+ include/linux/sunrpc/svc_xprt.h | 2 +-
+ net/sunrpc/svc_xprt.c | 23 +++++++++++++-----
+ net/sunrpc/svcsock.c | 30 +++++++++++++-----------
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 11 ++++-----
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 2 +-
+ 6 files changed, 41 insertions(+), 29 deletions(-)
+
+diff --git a/include/linux/sunrpc/svc_rdma.h b/include/linux/sunrpc/svc_rdma.h
+index 24aa159d29a7f..fbc4bd423b355 100644
+--- a/include/linux/sunrpc/svc_rdma.h
++++ b/include/linux/sunrpc/svc_rdma.h
+@@ -176,7 +176,7 @@ extern struct svc_rdma_recv_ctxt *
+ extern void svc_rdma_recv_ctxt_put(struct svcxprt_rdma *rdma,
+ struct svc_rdma_recv_ctxt *ctxt);
+ extern void svc_rdma_flush_recv_queues(struct svcxprt_rdma *rdma);
+-extern void svc_rdma_release_rqst(struct svc_rqst *rqstp);
++extern void svc_rdma_release_ctxt(struct svc_xprt *xprt, void *ctxt);
+ extern int svc_rdma_recvfrom(struct svc_rqst *);
+
+ /* svc_rdma_rw.c */
+diff --git a/include/linux/sunrpc/svc_xprt.h b/include/linux/sunrpc/svc_xprt.h
+index d42a75b3be102..e882fe16a5008 100644
+--- a/include/linux/sunrpc/svc_xprt.h
++++ b/include/linux/sunrpc/svc_xprt.h
+@@ -23,7 +23,7 @@ struct svc_xprt_ops {
+ int (*xpo_sendto)(struct svc_rqst *);
+ int (*xpo_result_payload)(struct svc_rqst *, unsigned int,
+ unsigned int);
+- void (*xpo_release_rqst)(struct svc_rqst *);
++ void (*xpo_release_ctxt)(struct svc_xprt *xprt, void *ctxt);
+ void (*xpo_detach)(struct svc_xprt *);
+ void (*xpo_free)(struct svc_xprt *);
+ void (*xpo_secure_port)(struct svc_rqst *rqstp);
+diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
+index b4306cf1b458c..8117d0e08d5a2 100644
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -534,13 +534,23 @@ void svc_reserve(struct svc_rqst *rqstp, int space)
+ }
+ EXPORT_SYMBOL_GPL(svc_reserve);
+
++static void free_deferred(struct svc_xprt *xprt, struct svc_deferred_req *dr)
++{
++ if (!dr)
++ return;
++
++ xprt->xpt_ops->xpo_release_ctxt(xprt, dr->xprt_ctxt);
++ kfree(dr);
++}
++
+ static void svc_xprt_release(struct svc_rqst *rqstp)
+ {
+ struct svc_xprt *xprt = rqstp->rq_xprt;
+
+- xprt->xpt_ops->xpo_release_rqst(rqstp);
++ xprt->xpt_ops->xpo_release_ctxt(xprt, rqstp->rq_xprt_ctxt);
++ rqstp->rq_xprt_ctxt = NULL;
+
+- kfree(rqstp->rq_deferred);
++ free_deferred(xprt, rqstp->rq_deferred);
+ rqstp->rq_deferred = NULL;
+
+ pagevec_release(&rqstp->rq_pvec);
+@@ -1059,7 +1069,7 @@ static void svc_delete_xprt(struct svc_xprt *xprt)
+ spin_unlock_bh(&serv->sv_lock);
+
+ while ((dr = svc_deferred_dequeue(xprt)) != NULL)
+- kfree(dr);
++ free_deferred(xprt, dr);
+
+ call_xpt_users(xprt);
+ svc_xprt_put(xprt);
+@@ -1181,8 +1191,8 @@ static void svc_revisit(struct cache_deferred_req *dreq, int too_many)
+ if (too_many || test_bit(XPT_DEAD, &xprt->xpt_flags)) {
+ spin_unlock(&xprt->xpt_lock);
+ trace_svc_defer_drop(dr);
++ free_deferred(xprt, dr);
+ svc_xprt_put(xprt);
+- kfree(dr);
+ return;
+ }
+ dr->xprt = NULL;
+@@ -1227,14 +1237,13 @@ static struct cache_deferred_req *svc_defer(struct cache_req *req)
+ dr->addrlen = rqstp->rq_addrlen;
+ dr->daddr = rqstp->rq_daddr;
+ dr->argslen = rqstp->rq_arg.len >> 2;
+- dr->xprt_ctxt = rqstp->rq_xprt_ctxt;
+
+ /* back up head to the start of the buffer and copy */
+ skip = rqstp->rq_arg.len - rqstp->rq_arg.head[0].iov_len;
+ memcpy(dr->args, rqstp->rq_arg.head[0].iov_base - skip,
+ dr->argslen << 2);
+ }
+- WARN_ON_ONCE(rqstp->rq_xprt_ctxt != dr->xprt_ctxt);
++ dr->xprt_ctxt = rqstp->rq_xprt_ctxt;
+ rqstp->rq_xprt_ctxt = NULL;
+ trace_svc_defer(rqstp);
+ svc_xprt_get(rqstp->rq_xprt);
+@@ -1268,6 +1277,8 @@ static noinline int svc_deferred_recv(struct svc_rqst *rqstp)
+ rqstp->rq_daddr = dr->daddr;
+ rqstp->rq_respages = rqstp->rq_pages;
+ rqstp->rq_xprt_ctxt = dr->xprt_ctxt;
++
++ dr->xprt_ctxt = NULL;
+ svc_xprt_received(rqstp->rq_xprt);
+ return dr->argslen << 2;
+ }
+diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
+index 815baf308236a..7107fbcbff343 100644
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -111,27 +111,27 @@ static void svc_reclassify_socket(struct socket *sock)
+ #endif
+
+ /**
+- * svc_tcp_release_rqst - Release transport-related resources
+- * @rqstp: request structure with resources to be released
++ * svc_tcp_release_ctxt - Release transport-related resources
++ * @xprt: the transport which owned the context
++ * @ctxt: the context from rqstp->rq_xprt_ctxt or dr->xprt_ctxt
+ *
+ */
+-static void svc_tcp_release_rqst(struct svc_rqst *rqstp)
++static void svc_tcp_release_ctxt(struct svc_xprt *xprt, void *ctxt)
+ {
+ }
+
+ /**
+- * svc_udp_release_rqst - Release transport-related resources
+- * @rqstp: request structure with resources to be released
++ * svc_udp_release_ctxt - Release transport-related resources
++ * @xprt: the transport which owned the context
++ * @ctxt: the context from rqstp->rq_xprt_ctxt or dr->xprt_ctxt
+ *
+ */
+-static void svc_udp_release_rqst(struct svc_rqst *rqstp)
++static void svc_udp_release_ctxt(struct svc_xprt *xprt, void *ctxt)
+ {
+- struct sk_buff *skb = rqstp->rq_xprt_ctxt;
++ struct sk_buff *skb = ctxt;
+
+- if (skb) {
+- rqstp->rq_xprt_ctxt = NULL;
++ if (skb)
+ consume_skb(skb);
+- }
+ }
+
+ union svc_pktinfo_u {
+@@ -559,7 +559,8 @@ static int svc_udp_sendto(struct svc_rqst *rqstp)
+ unsigned int sent;
+ int err;
+
+- svc_udp_release_rqst(rqstp);
++ svc_udp_release_ctxt(xprt, rqstp->rq_xprt_ctxt);
++ rqstp->rq_xprt_ctxt = NULL;
+
+ svc_set_cmsg_data(rqstp, cmh);
+
+@@ -631,7 +632,7 @@ static const struct svc_xprt_ops svc_udp_ops = {
+ .xpo_recvfrom = svc_udp_recvfrom,
+ .xpo_sendto = svc_udp_sendto,
+ .xpo_result_payload = svc_sock_result_payload,
+- .xpo_release_rqst = svc_udp_release_rqst,
++ .xpo_release_ctxt = svc_udp_release_ctxt,
+ .xpo_detach = svc_sock_detach,
+ .xpo_free = svc_sock_free,
+ .xpo_has_wspace = svc_udp_has_wspace,
+@@ -1159,7 +1160,8 @@ static int svc_tcp_sendto(struct svc_rqst *rqstp)
+ unsigned int sent;
+ int err;
+
+- svc_tcp_release_rqst(rqstp);
++ svc_tcp_release_ctxt(xprt, rqstp->rq_xprt_ctxt);
++ rqstp->rq_xprt_ctxt = NULL;
+
+ atomic_inc(&svsk->sk_sendqlen);
+ mutex_lock(&xprt->xpt_mutex);
+@@ -1204,7 +1206,7 @@ static const struct svc_xprt_ops svc_tcp_ops = {
+ .xpo_recvfrom = svc_tcp_recvfrom,
+ .xpo_sendto = svc_tcp_sendto,
+ .xpo_result_payload = svc_sock_result_payload,
+- .xpo_release_rqst = svc_tcp_release_rqst,
++ .xpo_release_ctxt = svc_tcp_release_ctxt,
+ .xpo_detach = svc_tcp_sock_detach,
+ .xpo_free = svc_sock_free,
+ .xpo_has_wspace = svc_tcp_has_wspace,
+diff --git a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
+index 5242ad121450b..53a7cb2f6c07d 100644
+--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
+@@ -239,21 +239,20 @@ void svc_rdma_recv_ctxt_put(struct svcxprt_rdma *rdma,
+ }
+
+ /**
+- * svc_rdma_release_rqst - Release transport-specific per-rqst resources
+- * @rqstp: svc_rqst being released
++ * svc_rdma_release_ctxt - Release transport-specific per-rqst resources
++ * @xprt: the transport which owned the context
++ * @vctxt: the context from rqstp->rq_xprt_ctxt or dr->xprt_ctxt
+ *
+ * Ensure that the recv_ctxt is released whether or not a Reply
+ * was sent. For example, the client could close the connection,
+ * or svc_process could drop an RPC, before the Reply is sent.
+ */
+-void svc_rdma_release_rqst(struct svc_rqst *rqstp)
++void svc_rdma_release_ctxt(struct svc_xprt *xprt, void *vctxt)
+ {
+- struct svc_rdma_recv_ctxt *ctxt = rqstp->rq_xprt_ctxt;
+- struct svc_xprt *xprt = rqstp->rq_xprt;
++ struct svc_rdma_recv_ctxt *ctxt = vctxt;
+ struct svcxprt_rdma *rdma =
+ container_of(xprt, struct svcxprt_rdma, sc_xprt);
+
+- rqstp->rq_xprt_ctxt = NULL;
+ if (ctxt)
+ svc_rdma_recv_ctxt_put(rdma, ctxt);
+ }
+diff --git a/net/sunrpc/xprtrdma/svc_rdma_transport.c b/net/sunrpc/xprtrdma/svc_rdma_transport.c
+index 94b20fb471356..f776f0cb471f0 100644
+--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c
+@@ -81,7 +81,7 @@ static const struct svc_xprt_ops svc_rdma_ops = {
+ .xpo_recvfrom = svc_rdma_recvfrom,
+ .xpo_sendto = svc_rdma_sendto,
+ .xpo_result_payload = svc_rdma_result_payload,
+- .xpo_release_rqst = svc_rdma_release_rqst,
++ .xpo_release_ctxt = svc_rdma_release_ctxt,
+ .xpo_detach = svc_rdma_detach,
+ .xpo_free = svc_rdma_free,
+ .xpo_has_wspace = svc_rdma_has_wspace,
+--
+2.39.2
+
--- /dev/null
+From 5ec7e3ff7e0314d0441331e0f11d27e3cd3acbab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 May 2023 09:41:49 +1000
+Subject: SUNRPC: double free xprt_ctxt while still in use
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit eb8d3a2c809abd73ab0a060fe971d6b9019aa3c1 ]
+
+When an RPC request is deferred, the rq_xprt_ctxt pointer is moved out
+of the svc_rqst into the svc_deferred_req.
+When the deferred request is revisited, the pointer is copied into
+the new svc_rqst - and also remains in the svc_deferred_req.
+
+In the (rare?) case that the request is deferred a second time, the old
+svc_deferred_req is reused - it still has all the correct content.
+However in that case the rq_xprt_ctxt pointer is NOT cleared so that
+when xpo_release_xprt is called, the ctxt is freed (UDP) or possible
+added to a free list (RDMA).
+When the deferred request is revisited for a second time, it will
+reference this ctxt which may be invalid, and the free the object a
+second time which is likely to oops.
+
+So change svc_defer() to *always* clear rq_xprt_ctxt, and assert that
+the value is now stored in the svc_deferred_req.
+
+Fixes: 773f91b2cf3f ("SUNRPC: Fix NFSD's request deferral on RDMA transports")
+Signed-off-by: NeilBrown <neilb@suse.de>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/svc_xprt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
+index c2ce125380080..b4306cf1b458c 100644
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -1228,13 +1228,14 @@ static struct cache_deferred_req *svc_defer(struct cache_req *req)
+ dr->daddr = rqstp->rq_daddr;
+ dr->argslen = rqstp->rq_arg.len >> 2;
+ dr->xprt_ctxt = rqstp->rq_xprt_ctxt;
+- rqstp->rq_xprt_ctxt = NULL;
+
+ /* back up head to the start of the buffer and copy */
+ skip = rqstp->rq_arg.len - rqstp->rq_arg.head[0].iov_len;
+ memcpy(dr->args, rqstp->rq_arg.head[0].iov_base - skip,
+ dr->argslen << 2);
+ }
++ WARN_ON_ONCE(rqstp->rq_xprt_ctxt != dr->xprt_ctxt);
++ rqstp->rq_xprt_ctxt = NULL;
+ trace_svc_defer(rqstp);
+ svc_xprt_get(rqstp->rq_xprt);
+ dr->xprt = rqstp->rq_xprt;
+--
+2.39.2
+
--- /dev/null
+From 2646d32f968bf74cbaa7b25b1b2a892569eeded3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 15:51:48 -0400
+Subject: SUNRPC: Fix trace_svc_register() call site
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 07a27305938559fb35f7a46fb90a5e37728bdee6 ]
+
+The trace event recorded incorrect values for the registered family,
+protocol, and port because the arguments are in the wrong order.
+
+Fixes: b4af59328c25 ("SUNRPC: Trace server-side rpcbind registration events")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/svc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
+index 9ee32e06f877e..9b0b21cccca9a 100644
+--- a/net/sunrpc/svc.c
++++ b/net/sunrpc/svc.c
+@@ -1007,7 +1007,7 @@ static int __svc_register(struct net *net, const char *progname,
+ #endif
+ }
+
+- trace_svc_register(progname, version, protocol, port, family, error);
++ trace_svc_register(progname, version, family, protocol, port, error);
+ return error;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 34a8100f0a89286badb5bb8e7ebd32ec63700638 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 11:47:49 +0000
+Subject: tcp: fix possible sk_priority leak in tcp_v4_send_reset()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 1e306ec49a1f206fd2cc89a42fac6e6f592a8cc1 ]
+
+When tcp_v4_send_reset() is called with @sk == NULL,
+we do not change ctl_sk->sk_priority, which could have been
+set from a prior invocation.
+
+Change tcp_v4_send_reset() to set sk_priority and sk_mark
+fields before calling ip_send_unicast_reply().
+
+This means tcp_v4_send_reset() and tcp_v4_send_ack()
+no longer have to clear ctl_sk->sk_mark after
+their call to ip_send_unicast_reply().
+
+Fixes: f6c0f5d209fa ("tcp: honor SO_PRIORITY in TIME_WAIT state")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Antoine Tenart <atenart@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_ipv4.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index ad0a5f185a694..b37c1bcb15097 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -829,6 +829,9 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
+ inet_twsk(sk)->tw_priority : sk->sk_priority;
+ transmit_time = tcp_transmit_time(sk);
+ xfrm_sk_clone_policy(ctl_sk, sk);
++ } else {
++ ctl_sk->sk_mark = 0;
++ ctl_sk->sk_priority = 0;
+ }
+ ip_send_unicast_reply(ctl_sk,
+ skb, &TCP_SKB_CB(skb)->header.h4.opt,
+@@ -836,7 +839,6 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
+ &arg, arg.iov[0].iov_len,
+ transmit_time);
+
+- ctl_sk->sk_mark = 0;
+ xfrm_sk_free_policy(ctl_sk);
+ sock_net_set(ctl_sk, &init_net);
+ __TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
+@@ -935,7 +937,6 @@ static void tcp_v4_send_ack(const struct sock *sk,
+ &arg, arg.iov[0].iov_len,
+ transmit_time);
+
+- ctl_sk->sk_mark = 0;
+ sock_net_set(ctl_sk, &init_net);
+ __TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
+ local_bh_enable();
+--
+2.39.2
+
--- /dev/null
+From 6403db14e5ea15de4435c3dbf748b52baf84e376 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 15:52:27 -0400
+Subject: tipc: add tipc_bearer_min_mtu to calculate min mtu
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 3ae6d66b605be604644d4bb5708a7ffd9cf1abe8 ]
+
+As different media may requires different min mtu, and even the
+same media with different net family requires different min mtu,
+add tipc_bearer_min_mtu() to calculate min mtu accordingly.
+
+This API will be used to check the new mtu when doing the link
+mtu negotiation in the next patch.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 56077b56cd3f ("tipc: do not update mtu if msg_max is too small in mtu negotiation")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/bearer.c | 13 +++++++++++++
+ net/tipc/bearer.h | 3 +++
+ net/tipc/udp_media.c | 5 +++--
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
+index 35cac7733fd3a..0e9a29e1536b7 100644
+--- a/net/tipc/bearer.c
++++ b/net/tipc/bearer.c
+@@ -541,6 +541,19 @@ int tipc_bearer_mtu(struct net *net, u32 bearer_id)
+ return mtu;
+ }
+
++int tipc_bearer_min_mtu(struct net *net, u32 bearer_id)
++{
++ int mtu = TIPC_MIN_BEARER_MTU;
++ struct tipc_bearer *b;
++
++ rcu_read_lock();
++ b = bearer_get(net, bearer_id);
++ if (b)
++ mtu += b->encap_hlen;
++ rcu_read_unlock();
++ return mtu;
++}
++
+ /* tipc_bearer_xmit_skb - sends buffer to destination over bearer
+ */
+ void tipc_bearer_xmit_skb(struct net *net, u32 bearer_id,
+diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h
+index 490ad6e5f7a3c..bd0cc5c287ef8 100644
+--- a/net/tipc/bearer.h
++++ b/net/tipc/bearer.h
+@@ -146,6 +146,7 @@ struct tipc_media {
+ * @identity: array index of this bearer within TIPC bearer array
+ * @disc: ptr to link setup request
+ * @net_plane: network plane ('A' through 'H') currently associated with bearer
++ * @encap_hlen: encap headers length
+ * @up: bearer up flag (bit 0)
+ * @refcnt: tipc_bearer reference counter
+ *
+@@ -170,6 +171,7 @@ struct tipc_bearer {
+ u32 identity;
+ struct tipc_discoverer *disc;
+ char net_plane;
++ u16 encap_hlen;
+ unsigned long up;
+ refcount_t refcnt;
+ };
+@@ -232,6 +234,7 @@ int tipc_bearer_setup(void);
+ void tipc_bearer_cleanup(void);
+ void tipc_bearer_stop(struct net *net);
+ int tipc_bearer_mtu(struct net *net, u32 bearer_id);
++int tipc_bearer_min_mtu(struct net *net, u32 bearer_id);
+ bool tipc_bearer_bcast_support(struct net *net, u32 bearer_id);
+ void tipc_bearer_xmit_skb(struct net *net, u32 bearer_id,
+ struct sk_buff *skb,
+diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
+index c2bb818704c8f..0a85244fd6188 100644
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -738,8 +738,8 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b,
+ udp_conf.local_ip.s_addr = local.ipv4.s_addr;
+ udp_conf.use_udp_checksums = false;
+ ub->ifindex = dev->ifindex;
+- if (tipc_mtu_bad(dev, sizeof(struct iphdr) +
+- sizeof(struct udphdr))) {
++ b->encap_hlen = sizeof(struct iphdr) + sizeof(struct udphdr);
++ if (tipc_mtu_bad(dev, b->encap_hlen)) {
+ err = -EINVAL;
+ goto err;
+ }
+@@ -760,6 +760,7 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b,
+ else
+ udp_conf.local_ip6 = local.ipv6;
+ ub->ifindex = dev->ifindex;
++ b->encap_hlen = sizeof(struct ipv6hdr) + sizeof(struct udphdr);
+ b->mtu = 1280;
+ #endif
+ } else {
+--
+2.39.2
+
--- /dev/null
+From 38faf4c273062ef6ce8902a0ab5227cfbe56228c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 15:52:29 -0400
+Subject: tipc: check the bearer min mtu properly when setting it by netlink
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 35a089b5d793d2bfd2cc7cfa6104545184de2ce7 ]
+
+Checking the bearer min mtu with tipc_udp_mtu_bad() only works for
+IPv4 UDP bearer, and IPv6 UDP bearer has a different value for the
+min mtu. This patch checks with encap_hlen + TIPC_MIN_BEARER_MTU
+for min mtu, which works for both IPv4 and IPv6 UDP bearer.
+
+Note that tipc_udp_mtu_bad() is still used to check media min mtu
+in __tipc_nl_media_set(), as m->mtu currently is only used by the
+IPv4 UDP bearer as its default mtu value.
+
+Fixes: 682cd3cf946b ("tipc: confgiure and apply UDP bearer MTU on running links")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/bearer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
+index 0e9a29e1536b7..53881406e2006 100644
+--- a/net/tipc/bearer.c
++++ b/net/tipc/bearer.c
+@@ -1151,8 +1151,8 @@ int __tipc_nl_bearer_set(struct sk_buff *skb, struct genl_info *info)
+ return -EINVAL;
+ }
+ #ifdef CONFIG_TIPC_MEDIA_UDP
+- if (tipc_udp_mtu_bad(nla_get_u32
+- (props[TIPC_NLA_PROP_MTU]))) {
++ if (nla_get_u32(props[TIPC_NLA_PROP_MTU]) <
++ b->encap_hlen + TIPC_MIN_BEARER_MTU) {
+ NL_SET_ERR_MSG(info->extack,
+ "MTU value is out-of-range");
+ return -EINVAL;
+--
+2.39.2
+
--- /dev/null
+From 397d3b5904f21e1a1c407036157d3df6254e57ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 15:52:28 -0400
+Subject: tipc: do not update mtu if msg_max is too small in mtu negotiation
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 56077b56cd3fb78e1c8619e29581ba25a5c55e86 ]
+
+When doing link mtu negotiation, a malicious peer may send Activate msg
+with a very small mtu, e.g. 4 in Shuang's testing, without checking for
+the minimum mtu, l->mtu will be set to 4 in tipc_link_proto_rcv(), then
+n->links[bearer_id].mtu is set to 4294967228, which is a overflow of
+'4 - INT_H_SIZE - EMSG_OVERHEAD' in tipc_link_mss().
+
+With tipc_link.mtu = 4, tipc_link_xmit() kept printing the warning:
+
+ tipc: Too large msg, purging xmit list 1 5 0 40 4!
+ tipc: Too large msg, purging xmit list 1 15 0 60 4!
+
+And with tipc_link_entry.mtu 4294967228, a huge skb was allocated in
+named_distribute(), and when purging it in tipc_link_xmit(), a crash
+was even caused:
+
+ general protection fault, probably for non-canonical address 0x2100001011000dd: 0000 [#1] PREEMPT SMP PTI
+ CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 6.3.0.neta #19
+ RIP: 0010:kfree_skb_list_reason+0x7e/0x1f0
+ Call Trace:
+ <IRQ>
+ skb_release_data+0xf9/0x1d0
+ kfree_skb_reason+0x40/0x100
+ tipc_link_xmit+0x57a/0x740 [tipc]
+ tipc_node_xmit+0x16c/0x5c0 [tipc]
+ tipc_named_node_up+0x27f/0x2c0 [tipc]
+ tipc_node_write_unlock+0x149/0x170 [tipc]
+ tipc_rcv+0x608/0x740 [tipc]
+ tipc_udp_recv+0xdc/0x1f0 [tipc]
+ udp_queue_rcv_one_skb+0x33e/0x620
+ udp_unicast_rcv_skb.isra.72+0x75/0x90
+ __udp4_lib_rcv+0x56d/0xc20
+ ip_protocol_deliver_rcu+0x100/0x2d0
+
+This patch fixes it by checking the new mtu against tipc_bearer_min_mtu(),
+and not updating mtu if it is too small.
+
+Fixes: ed193ece2649 ("tipc: simplify link mtu negotiation")
+Reported-by: Shuang Li <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/link.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/tipc/link.c b/net/tipc/link.c
+index b3ce24823f503..2eff1c7949cbc 100644
+--- a/net/tipc/link.c
++++ b/net/tipc/link.c
+@@ -2200,7 +2200,7 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
+ struct tipc_msg *hdr = buf_msg(skb);
+ struct tipc_gap_ack_blks *ga = NULL;
+ bool reply = msg_probe(hdr), retransmitted = false;
+- u32 dlen = msg_data_sz(hdr), glen = 0;
++ u32 dlen = msg_data_sz(hdr), glen = 0, msg_max;
+ u16 peers_snd_nxt = msg_next_sent(hdr);
+ u16 peers_tol = msg_link_tolerance(hdr);
+ u16 peers_prio = msg_linkprio(hdr);
+@@ -2239,6 +2239,9 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
+ switch (mtyp) {
+ case RESET_MSG:
+ case ACTIVATE_MSG:
++ msg_max = msg_max_pkt(hdr);
++ if (msg_max < tipc_bearer_min_mtu(l->net, l->bearer_id))
++ break;
+ /* Complete own link name with peer's interface name */
+ if_name = strrchr(l->name, ':') + 1;
+ if (sizeof(l->name) - (if_name - l->name) <= TIPC_MAX_IF_NAME)
+@@ -2283,8 +2286,8 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
+ l->peer_session = msg_session(hdr);
+ l->in_session = true;
+ l->peer_bearer_id = msg_bearer_id(hdr);
+- if (l->mtu > msg_max_pkt(hdr))
+- l->mtu = msg_max_pkt(hdr);
++ if (l->mtu > msg_max)
++ l->mtu = msg_max;
+ break;
+
+ case STATE_MSG:
+--
+2.39.2
+
--- /dev/null
+From 99b4676b4b1220e0aac5a9426df7b26d97398a7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 May 2023 11:42:04 -0700
+Subject: tun: Fix memory leak for detached NAPI queue.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 82b2bc279467c875ec36f8ef820f00997c2a4e8e ]
+
+syzkaller reported [0] memory leaks of sk and skb related to the TUN
+device with no repro, but we can reproduce it easily with:
+
+ struct ifreq ifr = {}
+ int fd_tun, fd_tmp;
+ char buf[4] = {};
+
+ fd_tun = openat(AT_FDCWD, "/dev/net/tun", O_WRONLY, 0);
+ ifr.ifr_flags = IFF_TUN | IFF_NAPI | IFF_MULTI_QUEUE;
+ ioctl(fd_tun, TUNSETIFF, &ifr);
+
+ ifr.ifr_flags = IFF_DETACH_QUEUE;
+ ioctl(fd_tun, TUNSETQUEUE, &ifr);
+
+ fd_tmp = socket(AF_PACKET, SOCK_PACKET, 0);
+ ifr.ifr_flags = IFF_UP;
+ ioctl(fd_tmp, SIOCSIFFLAGS, &ifr);
+
+ write(fd_tun, buf, sizeof(buf));
+ close(fd_tun);
+
+If we enable NAPI and multi-queue on a TUN device, we can put skb into
+tfile->sk.sk_write_queue after the queue is detached. We should prevent
+it by checking tfile->detached before queuing skb.
+
+Note this must be done under tfile->sk.sk_write_queue.lock because write()
+and ioctl(IFF_DETACH_QUEUE) can run concurrently. Otherwise, there would
+be a small race window:
+
+ write() ioctl(IFF_DETACH_QUEUE)
+ `- tun_get_user `- __tun_detach
+ |- if (tfile->detached) |- tun_disable_queue
+ | `-> false | `- tfile->detached = tun
+ | `- tun_queue_purge
+ |- spin_lock_bh(&queue->lock)
+ `- __skb_queue_tail(queue, skb)
+
+Another solution is to call tun_queue_purge() when closing and
+reattaching the detached queue, but it could paper over another
+problems. Also, we do the same kind of test for IFF_NAPI_FRAGS.
+
+[0]:
+unreferenced object 0xffff88801edbc800 (size 2048):
+ comm "syz-executor.1", pid 33269, jiffies 4295743834 (age 18.756s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............
+ backtrace:
+ [<000000008c16ea3d>] __do_kmalloc_node mm/slab_common.c:965 [inline]
+ [<000000008c16ea3d>] __kmalloc+0x4a/0x130 mm/slab_common.c:979
+ [<000000003addde56>] kmalloc include/linux/slab.h:563 [inline]
+ [<000000003addde56>] sk_prot_alloc+0xef/0x1b0 net/core/sock.c:2035
+ [<000000003e20621f>] sk_alloc+0x36/0x2f0 net/core/sock.c:2088
+ [<0000000028e43843>] tun_chr_open+0x3d/0x190 drivers/net/tun.c:3438
+ [<000000001b0f1f28>] misc_open+0x1a6/0x1f0 drivers/char/misc.c:165
+ [<000000004376f706>] chrdev_open+0x111/0x300 fs/char_dev.c:414
+ [<00000000614d379f>] do_dentry_open+0x2f9/0x750 fs/open.c:920
+ [<000000008eb24774>] do_open fs/namei.c:3636 [inline]
+ [<000000008eb24774>] path_openat+0x143f/0x1a30 fs/namei.c:3791
+ [<00000000955077b5>] do_filp_open+0xce/0x1c0 fs/namei.c:3818
+ [<00000000b78973b0>] do_sys_openat2+0xf0/0x260 fs/open.c:1356
+ [<00000000057be699>] do_sys_open fs/open.c:1372 [inline]
+ [<00000000057be699>] __do_sys_openat fs/open.c:1388 [inline]
+ [<00000000057be699>] __se_sys_openat fs/open.c:1383 [inline]
+ [<00000000057be699>] __x64_sys_openat+0x83/0xf0 fs/open.c:1383
+ [<00000000a7d2182d>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ [<00000000a7d2182d>] do_syscall_64+0x3c/0x90 arch/x86/entry/common.c:80
+ [<000000004cc4e8c4>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+unreferenced object 0xffff88802f671700 (size 240):
+ comm "syz-executor.1", pid 33269, jiffies 4295743854 (age 18.736s)
+ hex dump (first 32 bytes):
+ 68 c9 db 1e 80 88 ff ff 68 c9 db 1e 80 88 ff ff h.......h.......
+ 00 c0 7b 2f 80 88 ff ff 00 c8 db 1e 80 88 ff ff ..{/............
+ backtrace:
+ [<00000000e9d9fdb6>] __alloc_skb+0x223/0x250 net/core/skbuff.c:644
+ [<000000002c3e4e0b>] alloc_skb include/linux/skbuff.h:1288 [inline]
+ [<000000002c3e4e0b>] alloc_skb_with_frags+0x6f/0x350 net/core/skbuff.c:6378
+ [<00000000825f98d7>] sock_alloc_send_pskb+0x3ac/0x3e0 net/core/sock.c:2729
+ [<00000000e9eb3df3>] tun_alloc_skb drivers/net/tun.c:1529 [inline]
+ [<00000000e9eb3df3>] tun_get_user+0x5e1/0x1f90 drivers/net/tun.c:1841
+ [<0000000053096912>] tun_chr_write_iter+0xac/0x120 drivers/net/tun.c:2035
+ [<00000000b9282ae0>] call_write_iter include/linux/fs.h:1868 [inline]
+ [<00000000b9282ae0>] new_sync_write fs/read_write.c:491 [inline]
+ [<00000000b9282ae0>] vfs_write+0x40f/0x530 fs/read_write.c:584
+ [<00000000524566e4>] ksys_write+0xa1/0x170 fs/read_write.c:637
+ [<00000000a7d2182d>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ [<00000000a7d2182d>] do_syscall_64+0x3c/0x90 arch/x86/entry/common.c:80
+ [<000000004cc4e8c4>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Fixes: cde8b15f1aab ("tuntap: add ioctl to attach or detach a file form tuntap device")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/tun.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 65706824eb828..7c8db8f6f661e 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1971,6 +1971,14 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile,
+ int queue_len;
+
+ spin_lock_bh(&queue->lock);
++
++ if (unlikely(tfile->detached)) {
++ spin_unlock_bh(&queue->lock);
++ rcu_read_unlock();
++ err = -EBUSY;
++ goto free_skb;
++ }
++
+ __skb_queue_tail(queue, skb);
+ queue_len = skb_queue_len(queue);
+ spin_unlock(&queue->lock);
+@@ -2506,6 +2514,13 @@ static int tun_xdp_one(struct tun_struct *tun,
+ if (tfile->napi_enabled) {
+ queue = &tfile->sk.sk_write_queue;
+ spin_lock(&queue->lock);
++
++ if (unlikely(tfile->detached)) {
++ spin_unlock(&queue->lock);
++ kfree_skb(skb);
++ return -EBUSY;
++ }
++
+ __skb_queue_tail(queue, skb);
+ spin_unlock(&queue->lock);
+ ret = 1;
+--
+2.39.2
+
--- /dev/null
+From fca81ada14156a939ee86296bfe12a728c147e9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Feb 2023 15:37:38 +0200
+Subject: virtio-net: Maintain reverse cleanup order
+
+From: Parav Pandit <parav@nvidia.com>
+
+[ Upstream commit 27369c9c2b722617063d6b80c758ab153f1d95d4 ]
+
+To easily audit the code, better to keep the device stop()
+sequence to be mirror of the device open() sequence.
+
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 5306623a9826 ("virtio_net: Fix error unwinding of XDP initialization")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 9a612b13b4e46..08a23ba3d68a2 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -2158,9 +2158,9 @@ static int virtnet_close(struct net_device *dev)
+ cancel_delayed_work_sync(&vi->refill);
+
+ for (i = 0; i < vi->max_queue_pairs; i++) {
++ virtnet_napi_tx_disable(&vi->sq[i].napi);
+ napi_disable(&vi->rq[i].napi);
+ xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq);
+- virtnet_napi_tx_disable(&vi->sq[i].napi);
+ }
+
+ return 0;
+--
+2.39.2
+
--- /dev/null
+From b9f8f1c7ec488ae95452c85edbc1a6caa88e8670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 11:18:12 -0400
+Subject: virtio_net: Fix error unwinding of XDP initialization
+
+From: Feng Liu <feliu@nvidia.com>
+
+[ Upstream commit 5306623a9826aa7d63b32c6a3803c798a765474d ]
+
+When initializing XDP in virtnet_open(), some rq xdp initialization
+may hit an error causing net device open failed. However, previous
+rqs have already initialized XDP and enabled NAPI, which is not the
+expected behavior. Need to roll back the previous rq initialization
+to avoid leaks in error unwinding of init code.
+
+Also extract helper functions of disable and enable queue pairs.
+Use newly introduced disable helper function in error unwinding and
+virtnet_close. Use enable helper function in virtnet_open.
+
+Fixes: 754b8a21a96d ("virtio_net: setup xdp_rxq_info")
+Signed-off-by: Feng Liu <feliu@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: William Tu <witu@nvidia.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 61 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 44 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 08a23ba3d68a2..47788f0935514 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1697,6 +1697,38 @@ static int virtnet_poll(struct napi_struct *napi, int budget)
+ return received;
+ }
+
++static void virtnet_disable_queue_pair(struct virtnet_info *vi, int qp_index)
++{
++ virtnet_napi_tx_disable(&vi->sq[qp_index].napi);
++ napi_disable(&vi->rq[qp_index].napi);
++ xdp_rxq_info_unreg(&vi->rq[qp_index].xdp_rxq);
++}
++
++static int virtnet_enable_queue_pair(struct virtnet_info *vi, int qp_index)
++{
++ struct net_device *dev = vi->dev;
++ int err;
++
++ err = xdp_rxq_info_reg(&vi->rq[qp_index].xdp_rxq, dev, qp_index,
++ vi->rq[qp_index].napi.napi_id);
++ if (err < 0)
++ return err;
++
++ err = xdp_rxq_info_reg_mem_model(&vi->rq[qp_index].xdp_rxq,
++ MEM_TYPE_PAGE_SHARED, NULL);
++ if (err < 0)
++ goto err_xdp_reg_mem_model;
++
++ virtnet_napi_enable(vi->rq[qp_index].vq, &vi->rq[qp_index].napi);
++ virtnet_napi_tx_enable(vi, vi->sq[qp_index].vq, &vi->sq[qp_index].napi);
++
++ return 0;
++
++err_xdp_reg_mem_model:
++ xdp_rxq_info_unreg(&vi->rq[qp_index].xdp_rxq);
++ return err;
++}
++
+ static int virtnet_open(struct net_device *dev)
+ {
+ struct virtnet_info *vi = netdev_priv(dev);
+@@ -1710,22 +1742,20 @@ static int virtnet_open(struct net_device *dev)
+ if (!try_fill_recv(vi, &vi->rq[i], GFP_KERNEL))
+ schedule_delayed_work(&vi->refill, 0);
+
+- err = xdp_rxq_info_reg(&vi->rq[i].xdp_rxq, dev, i, vi->rq[i].napi.napi_id);
++ err = virtnet_enable_queue_pair(vi, i);
+ if (err < 0)
+- return err;
+-
+- err = xdp_rxq_info_reg_mem_model(&vi->rq[i].xdp_rxq,
+- MEM_TYPE_PAGE_SHARED, NULL);
+- if (err < 0) {
+- xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq);
+- return err;
+- }
+-
+- virtnet_napi_enable(vi->rq[i].vq, &vi->rq[i].napi);
+- virtnet_napi_tx_enable(vi, vi->sq[i].vq, &vi->sq[i].napi);
++ goto err_enable_qp;
+ }
+
+ return 0;
++
++err_enable_qp:
++ disable_delayed_refill(vi);
++ cancel_delayed_work_sync(&vi->refill);
++
++ for (i--; i >= 0; i--)
++ virtnet_disable_queue_pair(vi, i);
++ return err;
+ }
+
+ static int virtnet_poll_tx(struct napi_struct *napi, int budget)
+@@ -2157,11 +2187,8 @@ static int virtnet_close(struct net_device *dev)
+ /* Make sure refill_work doesn't re-enable napi! */
+ cancel_delayed_work_sync(&vi->refill);
+
+- for (i = 0; i < vi->max_queue_pairs; i++) {
+- virtnet_napi_tx_disable(&vi->sq[i].napi);
+- napi_disable(&vi->rq[i].napi);
+- xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq);
+- }
++ for (i = 0; i < vi->max_queue_pairs; i++)
++ virtnet_disable_queue_pair(vi, i);
+
+ return 0;
+ }
+--
+2.39.2
+
--- /dev/null
+From aa2554f43397c7d4e797bf845082609e43909ffd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 14:23:42 +0000
+Subject: vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit dacab578c7c6cd06c50c89dfa36b0e0f10decd4e ]
+
+syzbot triggered the following splat [1], sending an empty message
+through pppoe_sendmsg().
+
+When VLAN_FLAG_REORDER_HDR flag is set, vlan_dev_hard_header()
+does not push extra bytes for the VLAN header, because vlan is offloaded.
+
+Unfortunately vlan_dev_hard_start_xmit() first reads veth->h_vlan_proto
+before testing (vlan->flags & VLAN_FLAG_REORDER_HDR).
+
+We need to swap the two conditions.
+
+[1]
+BUG: KMSAN: uninit-value in vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111
+vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111
+__netdev_start_xmit include/linux/netdevice.h:4883 [inline]
+netdev_start_xmit include/linux/netdevice.h:4897 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x253/0xa20 net/core/dev.c:3596
+__dev_queue_xmit+0x3c7f/0x5ac0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3053 [inline]
+pppoe_sendmsg+0xa93/0xb80 drivers/net/ppp/pppoe.c:900
+sock_sendmsg_nosec net/socket.c:724 [inline]
+sock_sendmsg net/socket.c:747 [inline]
+____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
+___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
+__sys_sendmmsg+0x411/0xa50 net/socket.c:2641
+__do_sys_sendmmsg net/socket.c:2670 [inline]
+__se_sys_sendmmsg net/socket.c:2667 [inline]
+__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Uninit was created at:
+slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:774
+slab_alloc_node mm/slub.c:3452 [inline]
+kmem_cache_alloc_node+0x543/0xab0 mm/slub.c:3497
+kmalloc_reserve+0x148/0x470 net/core/skbuff.c:520
+__alloc_skb+0x3a7/0x850 net/core/skbuff.c:606
+alloc_skb include/linux/skbuff.h:1277 [inline]
+sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2583
+pppoe_sendmsg+0x3af/0xb80 drivers/net/ppp/pppoe.c:867
+sock_sendmsg_nosec net/socket.c:724 [inline]
+sock_sendmsg net/socket.c:747 [inline]
+____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
+___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
+__sys_sendmmsg+0x411/0xa50 net/socket.c:2641
+__do_sys_sendmmsg net/socket.c:2670 [inline]
+__se_sys_sendmmsg net/socket.c:2667 [inline]
+__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+CPU: 0 PID: 29770 Comm: syz-executor.0 Not tainted 6.3.0-rc6-syzkaller-gc478e5b17829 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/8021q/vlan_dev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
+index 07e86d03d4bae..d3e511e1eba8a 100644
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -108,8 +108,8 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,
+ * NOTE: THIS ASSUMES DIX ETHERNET, SPECIFICALLY NOT SUPPORTING
+ * OTHER THINGS LIKE FDDI/TokenRing/802.3 SNAPs...
+ */
+- if (veth->h_vlan_proto != vlan->vlan_proto ||
+- vlan->flags & VLAN_FLAG_REORDER_HDR) {
++ if (vlan->flags & VLAN_FLAG_REORDER_HDR ||
++ veth->h_vlan_proto != vlan->vlan_proto) {
+ u16 vlan_tci;
+ vlan_tci = vlan->vlan_id;
+ vlan_tci |= vlan_dev_get_egress_qos_mask(dev, skb->priority);
+--
+2.39.2
+
--- /dev/null
+From 3ef6bbe9016c6c2a91360934ee711c0ab842e03c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 19:34:30 +0800
+Subject: vsock: avoid to close connected socket after the timeout
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zhuang Shengen <zhuangshengen@huawei.com>
+
+[ Upstream commit 6d4486efe9c69626cab423456169e250a5cd3af5 ]
+
+When client and server establish a connection through vsock,
+the client send a request to the server to initiate the connection,
+then start a timer to wait for the server's response. When the server's
+RESPONSE message arrives, the timer also times out and exits. The
+server's RESPONSE message is processed first, and the connection is
+established. However, the client's timer also times out, the original
+processing logic of the client is to directly set the state of this vsock
+to CLOSE and return ETIMEDOUT. It will not notify the server when the port
+is released, causing the server port remain.
+when client's vsock_connect timeout,it should check sk state is
+ESTABLISHED or not. if sk state is ESTABLISHED, it means the connection
+is established, the client should not set the sk state to CLOSE
+
+Note: I encountered this issue on kernel-4.18, which can be fixed by
+this patch. Then I checked the latest code in the community
+and found similar issue.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Zhuang Shengen <zhuangshengen@huawei.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 884eca7f6743a..8360c790a8a01 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1427,7 +1427,7 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr,
+ vsock_transport_cancel_pkt(vsk);
+ vsock_remove_connected(vsk);
+ goto out_wait;
+- } else if (timeout == 0) {
++ } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) {
+ err = -ETIMEDOUT;
+ sk->sk_state = TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
+--
+2.39.2
+
--- /dev/null
+From b0a9bef2401fed790a6cb0bfedf7cd1291cf1089 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 10:32:24 +0300
+Subject: wifi: cfg80211: Drop entries with invalid BSSIDs in RNR
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+[ Upstream commit 1b6b4ed01493b7ea2205ab83c49198f7d13ca9d2 ]
+
+Ignore AP information for entries that include an invalid
+BSSID in the TBTT information field, e.g., all zeros BSSIDs.
+
+Fixes: c8cb5b854b40 ("nl80211/cfg80211: support 6 GHz scanning")
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230424103224.5e65d04d1448.Ic10c8577ae4a85272c407106c9d0a2ecb5372743@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 3d86482e83f51..6c2b73c0d36e8 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -5,7 +5,7 @@
+ * Copyright 2008 Johannes Berg <johannes@sipsolutions.net>
+ * Copyright 2013-2014 Intel Mobile Communications GmbH
+ * Copyright 2016 Intel Deutschland GmbH
+- * Copyright (C) 2018-2022 Intel Corporation
++ * Copyright (C) 2018-2023 Intel Corporation
+ */
+ #include <linux/kernel.h>
+ #include <linux/slab.h>
+@@ -543,6 +543,10 @@ static int cfg80211_parse_ap_info(struct cfg80211_colocated_ap *entry,
+ /* skip the TBTT offset */
+ pos++;
+
++ /* ignore entries with invalid BSSID */
++ if (!is_valid_ether_addr(pos))
++ return -EINVAL;
++
+ memcpy(entry->bssid, pos, ETH_ALEN);
+ pos += ETH_ALEN;
+
+--
+2.39.2
+
--- /dev/null
+From 3f9b1862fb2a86a762ca86684203344684849463 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 12:15:51 +0300
+Subject: wifi: iwlwifi: fix OEM's name in the ppag approved list
+
+From: Alon Giladi <alon.giladi@intel.com>
+
+[ Upstream commit eca7296d9a671e9961834d2ace9cc0ce21fc15b3 ]
+
+Fix a spelling mistake.
+
+Fixes: e8e10a37c51c ("iwlwifi: acpi: move ppag code from mvm to fw/acpi")
+Signed-off-by: Alon Giladi <alon.giladi@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230514120631.fdd07f36a8bf.I223e5fb16ab5c95d504c3fdaffd0bd70affad1c2@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+index a02e5a67b7066..585e8cd2d332d 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+@@ -38,7 +38,7 @@ static const struct dmi_system_id dmi_ppag_approved_list[] = {
+ },
+ { .ident = "ASUS",
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "ASUSTek COMPUTER INC."),
++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+ },
+ },
+ {}
+--
+2.39.2
+
--- /dev/null
+From 270f4a3b3fd3496814d86ce8f24dd7c5f45076e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 12:15:48 +0300
+Subject: wifi: iwlwifi: fw: fix DBGI dump
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit d3ae69180bbd74bcbc03a2b6d10ed7eccbe98c23 ]
+
+The DBGI dump is (unsurprisingly) of type DBGI, not SRAM.
+This leads to bad register accesses because the union is
+built differently, there's no allocation ID, and thus the
+allocation ID ends up being 0x8000.
+
+Note that this was already wrong for DRAM vs. SMEM since
+they use different parts of the union, but the allocation
+ID is at the same place, so it worked.
+
+Fix all of this but set the allocation ID in a way that
+the offset calculation ends up without any offset.
+
+Fixes: 34bc27783a31 ("iwlwifi: yoyo: fix DBGI_SRAM ini dump header.")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230514120631.19a302ae4c65.I12272599f7c1930666157b9d5e7f81fe9ec4c421@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+index 027360e63b926..3ef0b776b7727 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+@@ -1664,14 +1664,10 @@ static __le32 iwl_get_mon_reg(struct iwl_fw_runtime *fwrt, u32 alloc_id,
+ }
+
+ static void *
+-iwl_dump_ini_mon_fill_header(struct iwl_fw_runtime *fwrt,
+- struct iwl_dump_ini_region_data *reg_data,
++iwl_dump_ini_mon_fill_header(struct iwl_fw_runtime *fwrt, u32 alloc_id,
+ struct iwl_fw_ini_monitor_dump *data,
+ const struct iwl_fw_mon_regs *addrs)
+ {
+- struct iwl_fw_ini_region_tlv *reg = (void *)reg_data->reg_tlv->data;
+- u32 alloc_id = le32_to_cpu(reg->dram_alloc_id);
+-
+ if (!iwl_trans_grab_nic_access(fwrt->trans)) {
+ IWL_ERR(fwrt, "Failed to get monitor header\n");
+ return NULL;
+@@ -1702,8 +1698,10 @@ iwl_dump_ini_mon_dram_fill_header(struct iwl_fw_runtime *fwrt,
+ void *data, u32 data_len)
+ {
+ struct iwl_fw_ini_monitor_dump *mon_dump = (void *)data;
++ struct iwl_fw_ini_region_tlv *reg = (void *)reg_data->reg_tlv->data;
++ u32 alloc_id = le32_to_cpu(reg->dram_alloc_id);
+
+- return iwl_dump_ini_mon_fill_header(fwrt, reg_data, mon_dump,
++ return iwl_dump_ini_mon_fill_header(fwrt, alloc_id, mon_dump,
+ &fwrt->trans->cfg->mon_dram_regs);
+ }
+
+@@ -1713,8 +1711,10 @@ iwl_dump_ini_mon_smem_fill_header(struct iwl_fw_runtime *fwrt,
+ void *data, u32 data_len)
+ {
+ struct iwl_fw_ini_monitor_dump *mon_dump = (void *)data;
++ struct iwl_fw_ini_region_tlv *reg = (void *)reg_data->reg_tlv->data;
++ u32 alloc_id = le32_to_cpu(reg->internal_buffer.alloc_id);
+
+- return iwl_dump_ini_mon_fill_header(fwrt, reg_data, mon_dump,
++ return iwl_dump_ini_mon_fill_header(fwrt, alloc_id, mon_dump,
+ &fwrt->trans->cfg->mon_smem_regs);
+ }
+
+@@ -1725,7 +1725,10 @@ iwl_dump_ini_mon_dbgi_fill_header(struct iwl_fw_runtime *fwrt,
+ {
+ struct iwl_fw_ini_monitor_dump *mon_dump = (void *)data;
+
+- return iwl_dump_ini_mon_fill_header(fwrt, reg_data, mon_dump,
++ return iwl_dump_ini_mon_fill_header(fwrt,
++ /* no offset calculation later */
++ IWL_FW_INI_ALLOCATION_ID_DBGC1,
++ mon_dump,
+ &fwrt->trans->cfg->mon_dbgi_regs);
+ }
+
+--
+2.39.2
+
--- /dev/null
+From ec84705413211a1fa6a9269c614e3824c02eddb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 12:15:53 +0300
+Subject: wifi: iwlwifi: mvm: don't trust firmware n_channels
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 682b6dc29d98e857e6ca4bbc077c7dc2899b7473 ]
+
+If the firmware sends us a corrupted MCC response with
+n_channels much larger than the command response can be,
+we might copy far too much (uninitialized) memory and
+even crash if the n_channels is large enough to make it
+run out of the one page allocated for the FW response.
+
+Fix that by checking the lengths. Doing a < comparison
+would be sufficient, but the firmware should be doing
+it correctly, so check more strictly.
+
+Fixes: dcaf9f5ecb6f ("iwlwifi: mvm: add MCC update FW API")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230514120631.d7b233139eb4.I51fd319df8e9d41881fc8450e83d78049518a79a@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/nvm.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
+index 6d18a1fd649b9..fdf60afb0f3f2 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
+@@ -445,6 +445,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2,
+ struct iwl_mcc_update_resp *mcc_resp = (void *)pkt->data;
+
+ n_channels = __le32_to_cpu(mcc_resp->n_channels);
++ if (iwl_rx_packet_payload_len(pkt) !=
++ struct_size(mcc_resp, channels, n_channels)) {
++ resp_cp = ERR_PTR(-EINVAL);
++ goto exit;
++ }
+ resp_len = sizeof(struct iwl_mcc_update_resp) +
+ n_channels * sizeof(__le32);
+ resp_cp = kmemdup(mcc_resp, resp_len, GFP_KERNEL);
+@@ -456,6 +461,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2,
+ struct iwl_mcc_update_resp_v3 *mcc_resp_v3 = (void *)pkt->data;
+
+ n_channels = __le32_to_cpu(mcc_resp_v3->n_channels);
++ if (iwl_rx_packet_payload_len(pkt) !=
++ struct_size(mcc_resp_v3, channels, n_channels)) {
++ resp_cp = ERR_PTR(-EINVAL);
++ goto exit;
++ }
+ resp_len = sizeof(struct iwl_mcc_update_resp) +
+ n_channels * sizeof(__le32);
+ resp_cp = kzalloc(resp_len, GFP_KERNEL);
+--
+2.39.2
+
--- /dev/null
+From 8485e024529552121d2a4b0bc55e95272a7eef62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 12:15:46 +0300
+Subject: wifi: iwlwifi: mvm: fix cancel_delayed_work_sync() deadlock
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit c2d8b7f257b2398f2d866205365895e038beca12 ]
+
+Lockdep points out that we can deadlock here by calling
+cancel_delayed_work_sync() because that might be already
+running and gotten interrupted by the NAPI soft-IRQ.
+Even just calling something that can sleep is wrong in
+this context though.
+
+Luckily, it doesn't even really matter since the things
+we need to do are idempotent, so just drop the _sync().
+
+Fixes: e5d153ec54f0 ("iwlwifi: mvm: fix CSA AP side")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230514120631.b1813c823b4d.I9d20cc06d24fa40b6774d3dd95ea5e2bf8dd015b@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+index 091225894037c..02c2a06301076 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+@@ -1975,7 +1975,7 @@ void iwl_mvm_rx_mpdu_mq(struct iwl_mvm *mvm, struct napi_struct *napi,
+ RCU_INIT_POINTER(mvm->csa_tx_blocked_vif, NULL);
+ /* Unblock BCAST / MCAST station */
+ iwl_mvm_modify_all_sta_disable_tx(mvm, mvmvif, false);
+- cancel_delayed_work_sync(&mvm->cs_tx_unblock_dwork);
++ cancel_delayed_work(&mvm->cs_tx_unblock_dwork);
+ }
+ }
+
+--
+2.39.2
+
--- /dev/null
+From a05cf5998135324af872d72908acc990d1f172ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 12:15:52 +0300
+Subject: wifi: iwlwifi: mvm: fix OEM's name in the tas approved list
+
+From: Alon Giladi <alon.giladi@intel.com>
+
+[ Upstream commit d0246a0e49efee0f8649d0e4f2350614cdfe6565 ]
+
+Fix a spelling mistake.
+
+Fixes: 2856f623ce48 ("iwlwifi: mvm: Add list of OEMs allowed to use TAS")
+Signed-off-by: Alon Giladi <alon.giladi@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230514120631.4090de6d1878.If9391ef6da78f1b2cc5eb6cb8f6965816bb7a7f5@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+index 5de34edc51fe9..887d0789c96c3 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -1055,7 +1055,7 @@ static const struct dmi_system_id dmi_tas_approved_list[] = {
+ },
+ { .ident = "LENOVO",
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Lenovo"),
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+ },
+ },
+ { .ident = "DELL",
+--
+2.39.2
+
--- /dev/null
+From 0a34a8f148df9c43bd080e7b06ea623ac2d73ad0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 May 2023 16:04:41 +0800
+Subject: wifi: mac80211: Abort running color change when stopping the AP
+
+From: Michael Lee <michael-cy.lee@mediatek.com>
+
+[ Upstream commit a23d7f5b2fbda114de60c4b53311e052281d7533 ]
+
+When stopping the AP, there might be a color change in progress. It
+should be deactivated here, or the driver might later finalize a color
+change on a stopped AP.
+
+Fixes: 5f9404abdf2a (mac80211: add support for BSS color change)
+Signed-off-by: Michael Lee <michael-cy.lee@mediatek.com>
+Link: https://lore.kernel.org/r/20230504080441.22958-1-michael-cy.lee@mediatek.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index e8beec0a0ae1c..06b9df2fbcd77 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1477,9 +1477,10 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev,
+ sdata_dereference(link->u.ap.unsol_bcast_probe_resp,
+ sdata);
+
+- /* abort any running channel switch */
++ /* abort any running channel switch or color change */
+ mutex_lock(&local->mtx);
+ link_conf->csa_active = false;
++ link_conf->color_change_active = false;
+ if (link->csa_block_tx) {
+ ieee80211_wake_vif_queues(local, sdata,
+ IEEE80211_QUEUE_STOP_REASON_CSA);
+--
+2.39.2
+
--- /dev/null
+From 4b654a6522073dbfa84dd45597aba55c174e0f46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 May 2023 16:45:01 +0300
+Subject: wifi: mac80211: fix min center freq offset tracing
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 248e4776514bf70236e6b1a54c65aa5324c8b1eb ]
+
+We need to set the correct trace variable, otherwise we're
+overwriting something else instead and the right one that
+we print later is not initialized.
+
+Fixes: b6011960f392 ("mac80211: handle channel frequency offset")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230504134511.828474-2-gregory.greenman@intel.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/trace.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/trace.h b/net/mac80211/trace.h
+index 9f4377566c425..c85367a4757a9 100644
+--- a/net/mac80211/trace.h
++++ b/net/mac80211/trace.h
+@@ -67,7 +67,7 @@
+ __entry->min_freq_offset = (c)->chan ? (c)->chan->freq_offset : 0; \
+ __entry->min_chan_width = (c)->width; \
+ __entry->min_center_freq1 = (c)->center_freq1; \
+- __entry->freq1_offset = (c)->freq1_offset; \
++ __entry->min_freq1_offset = (c)->freq1_offset; \
+ __entry->min_center_freq2 = (c)->center_freq2;
+ #define MIN_CHANDEF_PR_FMT " min_control:%d.%03d MHz min_width:%d min_center: %d.%03d/%d MHz"
+ #define MIN_CHANDEF_PR_ARG __entry->min_control_freq, __entry->min_freq_offset, \
+--
+2.39.2
+
--- /dev/null
+From 75d3cb21c9bc10054247c3006c15da03f1e4e47c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Apr 2023 18:40:08 +0200
+Subject: wifi: mac80211: fortify the spinlock against deadlock by interrupt
+
+From: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+
+[ Upstream commit ef6e1997da63ad0ac3fe33153fec9524c9ae56c9 ]
+
+In the function ieee80211_tx_dequeue() there is a particular locking
+sequence:
+
+begin:
+ spin_lock(&local->queue_stop_reason_lock);
+ q_stopped = local->queue_stop_reasons[q];
+ spin_unlock(&local->queue_stop_reason_lock);
+
+However small the chance (increased by ftracetest), an asynchronous
+interrupt can occur in between of spin_lock() and spin_unlock(),
+and the interrupt routine will attempt to lock the same
+&local->queue_stop_reason_lock again.
+
+This will cause a costly reset of the CPU and the wifi device or an
+altogether hang in the single CPU and single core scenario.
+
+The only remaining spin_lock(&local->queue_stop_reason_lock) that
+did not disable interrupts was patched, which should prevent any
+deadlocks on the same CPU/core and the same wifi device.
+
+This is the probable trace of the deadlock:
+
+kernel: ================================
+kernel: WARNING: inconsistent lock state
+kernel: 6.3.0-rc6-mt-20230401-00001-gf86822a1170f #4 Tainted: G W
+kernel: --------------------------------
+kernel: inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
+kernel: kworker/5:0/25656 [HC0[0]:SC0[0]:HE1:SE1] takes:
+kernel: ffff9d6190779478 (&local->queue_stop_reason_lock){+.?.}-{2:2}, at: return_to_handler+0x0/0x40
+kernel: {IN-SOFTIRQ-W} state was registered at:
+kernel: lock_acquire+0xc7/0x2d0
+kernel: _raw_spin_lock+0x36/0x50
+kernel: ieee80211_tx_dequeue+0xb4/0x1330 [mac80211]
+kernel: iwl_mvm_mac_itxq_xmit+0xae/0x210 [iwlmvm]
+kernel: iwl_mvm_mac_wake_tx_queue+0x2d/0xd0 [iwlmvm]
+kernel: ieee80211_queue_skb+0x450/0x730 [mac80211]
+kernel: __ieee80211_xmit_fast.constprop.66+0x834/0xa50 [mac80211]
+kernel: __ieee80211_subif_start_xmit+0x217/0x530 [mac80211]
+kernel: ieee80211_subif_start_xmit+0x60/0x580 [mac80211]
+kernel: dev_hard_start_xmit+0xb5/0x260
+kernel: __dev_queue_xmit+0xdbe/0x1200
+kernel: neigh_resolve_output+0x166/0x260
+kernel: ip_finish_output2+0x216/0xb80
+kernel: __ip_finish_output+0x2a4/0x4d0
+kernel: ip_finish_output+0x2d/0xd0
+kernel: ip_output+0x82/0x2b0
+kernel: ip_local_out+0xec/0x110
+kernel: igmpv3_sendpack+0x5c/0x90
+kernel: igmp_ifc_timer_expire+0x26e/0x4e0
+kernel: call_timer_fn+0xa5/0x230
+kernel: run_timer_softirq+0x27f/0x550
+kernel: __do_softirq+0xb4/0x3a4
+kernel: irq_exit_rcu+0x9b/0xc0
+kernel: sysvec_apic_timer_interrupt+0x80/0xa0
+kernel: asm_sysvec_apic_timer_interrupt+0x1f/0x30
+kernel: _raw_spin_unlock_irqrestore+0x3f/0x70
+kernel: free_to_partial_list+0x3d6/0x590
+kernel: __slab_free+0x1b7/0x310
+kernel: kmem_cache_free+0x52d/0x550
+kernel: putname+0x5d/0x70
+kernel: do_sys_openat2+0x1d7/0x310
+kernel: do_sys_open+0x51/0x80
+kernel: __x64_sys_openat+0x24/0x30
+kernel: do_syscall_64+0x5c/0x90
+kernel: entry_SYSCALL_64_after_hwframe+0x72/0xdc
+kernel: irq event stamp: 5120729
+kernel: hardirqs last enabled at (5120729): [<ffffffff9d149936>] trace_graph_return+0xd6/0x120
+kernel: hardirqs last disabled at (5120728): [<ffffffff9d149950>] trace_graph_return+0xf0/0x120
+kernel: softirqs last enabled at (5069900): [<ffffffff9cf65b60>] return_to_handler+0x0/0x40
+kernel: softirqs last disabled at (5067555): [<ffffffff9cf65b60>] return_to_handler+0x0/0x40
+kernel:
+ other info that might help us debug this:
+kernel: Possible unsafe locking scenario:
+kernel: CPU0
+kernel: ----
+kernel: lock(&local->queue_stop_reason_lock);
+kernel: <Interrupt>
+kernel: lock(&local->queue_stop_reason_lock);
+kernel:
+ *** DEADLOCK ***
+kernel: 8 locks held by kworker/5:0/25656:
+kernel: #0: ffff9d618009d138 ((wq_completion)events_freezable){+.+.}-{0:0}, at: process_one_work+0x1ca/0x530
+kernel: #1: ffffb1ef4637fe68 ((work_completion)(&local->restart_work)){+.+.}-{0:0}, at: process_one_work+0x1ce/0x530
+kernel: #2: ffffffff9f166548 (rtnl_mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40
+kernel: #3: ffff9d6190778728 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: return_to_handler+0x0/0x40
+kernel: #4: ffff9d619077b480 (&mvm->mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40
+kernel: #5: ffff9d61907bacd8 (&trans_pcie->mutex){+.+.}-{3:3}, at: return_to_handler+0x0/0x40
+kernel: #6: ffffffff9ef9cda0 (rcu_read_lock){....}-{1:2}, at: iwl_mvm_queue_state_change+0x59/0x3a0 [iwlmvm]
+kernel: #7: ffffffff9ef9cda0 (rcu_read_lock){....}-{1:2}, at: iwl_mvm_mac_itxq_xmit+0x42/0x210 [iwlmvm]
+kernel:
+ stack backtrace:
+kernel: CPU: 5 PID: 25656 Comm: kworker/5:0 Tainted: G W 6.3.0-rc6-mt-20230401-00001-gf86822a1170f #4
+kernel: Hardware name: LENOVO 82H8/LNVNB161216, BIOS GGCN51WW 11/16/2022
+kernel: Workqueue: events_freezable ieee80211_restart_work [mac80211]
+kernel: Call Trace:
+kernel: <TASK>
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: dump_stack_lvl+0x5f/0xa0
+kernel: dump_stack+0x14/0x20
+kernel: print_usage_bug.part.46+0x208/0x2a0
+kernel: mark_lock.part.47+0x605/0x630
+kernel: ? sched_clock+0xd/0x20
+kernel: ? trace_clock_local+0x14/0x30
+kernel: ? __rb_reserve_next+0x5f/0x490
+kernel: ? _raw_spin_lock+0x1b/0x50
+kernel: __lock_acquire+0x464/0x1990
+kernel: ? mark_held_locks+0x4e/0x80
+kernel: lock_acquire+0xc7/0x2d0
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: ? ftrace_return_to_handler+0x8b/0x100
+kernel: ? preempt_count_add+0x4/0x70
+kernel: _raw_spin_lock+0x36/0x50
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: ieee80211_tx_dequeue+0xb4/0x1330 [mac80211]
+kernel: ? prepare_ftrace_return+0xc5/0x190
+kernel: ? ftrace_graph_func+0x16/0x20
+kernel: ? 0xffffffffc02ab0b1
+kernel: ? lock_acquire+0xc7/0x2d0
+kernel: ? iwl_mvm_mac_itxq_xmit+0x42/0x210 [iwlmvm]
+kernel: ? ieee80211_tx_dequeue+0x9/0x1330 [mac80211]
+kernel: ? __rcu_read_lock+0x4/0x40
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: iwl_mvm_mac_itxq_xmit+0xae/0x210 [iwlmvm]
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: iwl_mvm_queue_state_change+0x311/0x3a0 [iwlmvm]
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: iwl_mvm_wake_sw_queue+0x17/0x20 [iwlmvm]
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: iwl_txq_gen2_unmap+0x1c9/0x1f0 [iwlwifi]
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: iwl_txq_gen2_free+0x55/0x130 [iwlwifi]
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: iwl_txq_gen2_tx_free+0x63/0x80 [iwlwifi]
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: _iwl_trans_pcie_gen2_stop_device+0x3f3/0x5b0 [iwlwifi]
+kernel: ? _iwl_trans_pcie_gen2_stop_device+0x9/0x5b0 [iwlwifi]
+kernel: ? mutex_lock_nested+0x4/0x30
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: iwl_trans_pcie_gen2_stop_device+0x5f/0x90 [iwlwifi]
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: iwl_mvm_stop_device+0x78/0xd0 [iwlmvm]
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: __iwl_mvm_mac_start+0x114/0x210 [iwlmvm]
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: iwl_mvm_mac_start+0x76/0x150 [iwlmvm]
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: drv_start+0x79/0x180 [mac80211]
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: ieee80211_reconfig+0x1523/0x1ce0 [mac80211]
+kernel: ? synchronize_net+0x4/0x50
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: ieee80211_restart_work+0x108/0x170 [mac80211]
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: process_one_work+0x250/0x530
+kernel: ? ftrace_regs_caller_end+0x66/0x66
+kernel: worker_thread+0x48/0x3a0
+kernel: ? __pfx_worker_thread+0x10/0x10
+kernel: kthread+0x10f/0x140
+kernel: ? __pfx_kthread+0x10/0x10
+kernel: ret_from_fork+0x29/0x50
+kernel: </TASK>
+
+Fixes: 4444bc2116ae ("wifi: mac80211: Proper mark iTXQs for resumption")
+Link: https://lore.kernel.org/all/1f58a0d1-d2b9-d851-73c3-93fcc607501c@alu.unizg.hr/
+Reported-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Cc: Gregory Greenman <gregory.greenman@intel.com>
+Cc: Johannes Berg <johannes.berg@intel.com>
+Link: https://lore.kernel.org/all/cdc80531-f25f-6f9d-b15f-25e16130b53a@alu.unizg.hr/
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Leon Romanovsky <leon@kernel.org>
+Cc: Alexander Wetzel <alexander@wetzel-home.de>
+Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: tag, or it goes automatically?
+Link: https://lore.kernel.org/r/20230425164005.25272-1-mirsad.todorovac@alu.unizg.hr
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 6a1708db652f2..763cefd0cc268 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3718,6 +3718,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
+ ieee80211_tx_result r;
+ struct ieee80211_vif *vif = txq->vif;
+ int q = vif->hw_queue[txq->ac];
++ unsigned long flags;
+ bool q_stopped;
+
+ WARN_ON_ONCE(softirq_count() == 0);
+@@ -3726,9 +3727,9 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
+ return NULL;
+
+ begin:
+- spin_lock(&local->queue_stop_reason_lock);
++ spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
+ q_stopped = local->queue_stop_reasons[q];
+- spin_unlock(&local->queue_stop_reason_lock);
++ spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
+
+ if (unlikely(q_stopped)) {
+ /* mark for waking later */
+--
+2.39.2
+
--- /dev/null
+From b17bae30bde06f1d9415da37bc18b871da344cd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 05:39:06 +0800
+Subject: wifi: mt76: connac: fix stats->tx_bytes calculation
+
+From: Ryder Lee <ryder.lee@mediatek.com>
+
+[ Upstream commit c7ab7a29ef5c0779574120d922256ce4651555d3 ]
+
+The stats->tx_bytes shall subtract retry byte from tx byte.
+
+Fixes: 43eaa3689507 ("wifi: mt76: add PPDU based TxS support for WED device")
+Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/b3cd45596943cf5a06b2e08e2fe732ab0b51311b.1682285873.git.ryder.lee@mediatek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76_connac2_mac.h | 2 +-
+ drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac2_mac.h b/drivers/net/wireless/mediatek/mt76/mt76_connac2_mac.h
+index f33171bcd3432..c3b692eac6f65 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac2_mac.h
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac2_mac.h
+@@ -163,7 +163,7 @@ enum {
+ #define MT_TXS5_MPDU_TX_CNT GENMASK(31, 23)
+
+ #define MT_TXS6_MPDU_FAIL_CNT GENMASK(31, 23)
+-
++#define MT_TXS7_MPDU_RETRY_BYTE GENMASK(22, 0)
+ #define MT_TXS7_MPDU_RETRY_CNT GENMASK(31, 23)
+
+ /* RXD DW1 */
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
+index 19f02b632a204..68511597599e3 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
+@@ -570,7 +570,8 @@ bool mt76_connac2_mac_fill_txs(struct mt76_dev *dev, struct mt76_wcid *wcid,
+ /* PPDU based reporting */
+ if (FIELD_GET(MT_TXS0_TXS_FORMAT, txs) > 1) {
+ stats->tx_bytes +=
+- le32_get_bits(txs_data[5], MT_TXS5_MPDU_TX_BYTE);
++ le32_get_bits(txs_data[5], MT_TXS5_MPDU_TX_BYTE) -
++ le32_get_bits(txs_data[7], MT_TXS7_MPDU_RETRY_BYTE);
+ stats->tx_packets +=
+ le32_get_bits(txs_data[5], MT_TXS5_MPDU_TX_CNT);
+ stats->tx_failed +=
+--
+2.39.2
+
--- /dev/null
+From ff5b5fe28ef60949e32abd21647f6feca12e4602 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Apr 2023 15:12:16 +0200
+Subject: xfrm: don't check the default policy if the policy allows the packet
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 430cac487400494c19a8b85299e979bb07b4671f ]
+
+The current code doesn't let a simple "allow" policy counteract a
+default policy blocking all incoming packets:
+
+ ip x p setdefault in block
+ ip x p a src 192.168.2.1/32 dst 192.168.2.2/32 dir in action allow
+
+At this stage, we have an allow policy (with or without transforms)
+for this packet. It doesn't matter what the default policy says, since
+the policy we looked up lets the packet through. The case of a
+blocking policy is already handled separately, so we can remove this
+check.
+
+Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_policy.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 7f49dab3b6b59..bea48a73a7313 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3637,12 +3637,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+ }
+ xfrm_nr = ti;
+
+- if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK &&
+- !xfrm_nr) {
+- XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES);
+- goto reject;
+- }
+-
+ if (npols > 1) {
+ xfrm_tmpl_sort(stp, tpp, xfrm_nr, family);
+ tpp = stp;
+--
+2.39.2
+
--- /dev/null
+From 88dd7115dea15f2f9e629eb55b8016e09421833a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 May 2023 10:59:58 +0200
+Subject: xfrm: Reject optional tunnel/BEET mode templates in outbound policies
+
+From: Tobias Brunner <tobias@strongswan.org>
+
+[ Upstream commit 3d776e31c841ba2f69895d2255a49320bec7cea6 ]
+
+xfrm_state_find() uses `encap_family` of the current template with
+the passed local and remote addresses to find a matching state.
+If an optional tunnel or BEET mode template is skipped in a mixed-family
+scenario, there could be a mismatch causing an out-of-bounds read as
+the addresses were not replaced to match the family of the next template.
+
+While there are theoretical use cases for optional templates in outbound
+policies, the only practical one is to skip IPComp states in inbound
+policies if uncompressed packets are received that are handled by an
+implicitly created IPIP state instead.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Tobias Brunner <tobias@strongswan.org>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 83f35ecacf24f..2d68a173b2273 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1743,7 +1743,7 @@ static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut,
+ }
+
+ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family,
+- struct netlink_ext_ack *extack)
++ int dir, struct netlink_ext_ack *extack)
+ {
+ u16 prev_family;
+ int i;
+@@ -1769,6 +1769,10 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family,
+ switch (ut[i].mode) {
+ case XFRM_MODE_TUNNEL:
+ case XFRM_MODE_BEET:
++ if (ut[i].optional && dir == XFRM_POLICY_OUT) {
++ NL_SET_ERR_MSG(extack, "Mode in optional template not allowed in outbound policy");
++ return -EINVAL;
++ }
+ break;
+ default:
+ if (ut[i].family != prev_family) {
+@@ -1806,7 +1810,7 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family,
+ }
+
+ static int copy_from_user_tmpl(struct xfrm_policy *pol, struct nlattr **attrs,
+- struct netlink_ext_ack *extack)
++ int dir, struct netlink_ext_ack *extack)
+ {
+ struct nlattr *rt = attrs[XFRMA_TMPL];
+
+@@ -1817,7 +1821,7 @@ static int copy_from_user_tmpl(struct xfrm_policy *pol, struct nlattr **attrs,
+ int nr = nla_len(rt) / sizeof(*utmpl);
+ int err;
+
+- err = validate_tmpl(nr, utmpl, pol->family, extack);
++ err = validate_tmpl(nr, utmpl, pol->family, dir, extack);
+ if (err)
+ return err;
+
+@@ -1894,7 +1898,7 @@ static struct xfrm_policy *xfrm_policy_construct(struct net *net,
+ if (err)
+ goto error;
+
+- if (!(err = copy_from_user_tmpl(xp, attrs, extack)))
++ if (!(err = copy_from_user_tmpl(xp, attrs, p->dir, extack)))
+ err = copy_from_user_sec_ctx(xp, attrs);
+ if (err)
+ goto error;
+@@ -3443,7 +3447,7 @@ static struct xfrm_policy *xfrm_compile_policy(struct sock *sk, int opt,
+ return NULL;
+
+ nr = ((len - sizeof(*p)) / sizeof(*ut));
+- if (validate_tmpl(nr, ut, p->sel.family, NULL))
++ if (validate_tmpl(nr, ut, p->sel.family, p->dir, NULL))
+ return NULL;
+
+ if (p->dir > XFRM_POLICY_OUT)
+--
+2.39.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
