Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Sat, 14 Oct 2023 12:58:45 +0000 (08:58 -0400)
committerSasha Levin <sashal@kernel.org>
Sat, 14 Oct 2023 12:58:45 +0000 (08:58 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
12 files changed:
queue-5.4/drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch [new file with mode: 0644]
queue-5.4/drm-vmwgfx-fix-typo-of-sizeof-argument.patch [new file with mode: 0644]
queue-5.4/eth-remove-copies-of-the-napi_poll_weight-define.patch [new file with mode: 0644]
queue-5.4/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch [new file with mode: 0644]
queue-5.4/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch [new file with mode: 0644]
queue-5.4/mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch [new file with mode: 0644]
queue-5.4/net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch [new file with mode: 0644]
queue-5.4/nfc-nci-assert-requested-protocol-is-valid.patch [new file with mode: 0644]
queue-5.4/ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/workqueue-override-implicit-ordered-attribute-in-wor.patch [new file with mode: 0644]
queue-5.4/xen-netback-use-default-tx-queue-size-for-vifs.patch [new file with mode: 0644]

diff --git a/queue-5.4/drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch b/queue-5.4/drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch
new file mode 100644 (file)
index 0000000..678dcc3
--- /dev/null
@@ -0,0 +1,65 @@
+From bc664bf4a58231c91e940642c7673b6c08519f11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 13:44:25 -0700
+Subject: drm/msm/dsi: skip the wait for video mode done if not applicable
+
+From: Abhinav Kumar <quic_abhinavk@quicinc.com>
+
+[ Upstream commit ab483e3adcc178254eb1ce0fbdfbea65f86f1006 ]
+
+dsi_wait4video_done() API waits for the DSI video mode engine to
+become idle so that we can transmit the DCS commands in the
+beginning of BLLP. However, with the current sequence, the MDP
+timing engine is turned on after the panel's pre_enable() callback
+which can send out the DCS commands needed to power up the panel.
+
+During those cases, this API will always timeout and print out the
+error spam leading to long bootup times and log flooding.
+
+Fix this by checking if the DSI video engine was actually busy before
+waiting for it to become idle otherwise this is a redundant wait.
+
+changes in v2:
+       - move the reg read below the video mode check
+       - minor fixes in commit text
+
+Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/34
+Fixes: a689554ba6ed ("drm/msm: Initial add DSI connector support")
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/557853/
+Link: https://lore.kernel.org/r/20230915204426.19011-1-quic_abhinavk@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index c59764f156f94..419cad31830ea 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -1051,9 +1051,21 @@ static void dsi_wait4video_done(struct msm_dsi_host *msm_host)
+ static void dsi_wait4video_eng_busy(struct msm_dsi_host *msm_host)
+ {
++      u32 data;
++
+       if (!(msm_host->mode_flags & MIPI_DSI_MODE_VIDEO))
+               return;
++      data = dsi_read(msm_host, REG_DSI_STATUS0);
++
++      /* if video mode engine is not busy, its because
++       * either timing engine was not turned on or the
++       * DSI controller has finished transmitting the video
++       * data already, so no need to wait in those cases
++       */
++      if (!(data & DSI_STATUS0_VIDEO_MODE_ENGINE_BUSY))
++              return;
++
+       if (msm_host->power_on && msm_host->enabled) {
+               dsi_wait4video_done(msm_host);
+               /* delay 4 ms to skip BLLP */
+-- 
+2.40.1
+
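Review bot: In the patched dsi_wait4video_eng_busy(), the new `dsi_read(msm_host, REG_DSI_STATUS0)` runs before the existing `msm_host->power_on && msm_host->enabled` test, so the status register is read even when the host is marked as powered off. Whether the helper can be reached in that state is not visible here; if it can, the read touches hardware that may not be clocked. Moving the read and the `DSI_STATUS0_VIDEO_MODE_ENGINE_BUSY` test inside the `if (msm_host->power_on && msm_host->enabled)` block keeps the early exit without that exposure. The new comment's `its because` should read `it's because`. The function body continues past the end of the hunk.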
diff --git a/queue-5.4/drm-vmwgfx-fix-typo-of-sizeof-argument.patch b/queue-5.4/drm-vmwgfx-fix-typo-of-sizeof-argument.patch
new file mode 100644 (file)
index 0000000..5c10b4d
--- /dev/null
@@ -0,0 +1,40 @@
+From 0b087ba31ac679d8f47f6dfa97c26a0b8f328423 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 18:02:03 +0800
+Subject: drm/vmwgfx: fix typo of sizeof argument
+
+From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
+
+[ Upstream commit 39465cac283702a7d4a507a558db81898029c6d3 ]
+
+Since size of 'header' pointer and '*header' structure is equal on 64-bit
+machines issue probably didn't cause any wrong behavior. But anyway,
+fixing typo is required.
+
+Fixes: 7a73ba7469cb ("drm/vmwgfx: Use TTM handles instead of SIDs as user-space surface handles.")
+Co-developed-by: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com>
+Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
+Reviewed-by: Zack Rusin <zackr@vmware.com>
+Signed-off-by: Zack Rusin <zackr@vmware.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230905100203.1716731-1-konstantin.meskhidze@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+index e3d20048075bf..8db3b3ddbb644 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+@@ -1623,7 +1623,7 @@ static int vmw_cmd_tex_state(struct vmw_private *dev_priv,
+ {
+       VMW_DECLARE_CMD_VAR(*cmd, SVGA3dCmdSetTextureState);
+       SVGA3dTextureState *last_state = (SVGA3dTextureState *)
+-        ((unsigned long) header + header->size + sizeof(header));
++        ((unsigned long) header + header->size + sizeof(*header));
+       SVGA3dTextureState *cur_state = (SVGA3dTextureState *)
+               ((unsigned long) header + sizeof(*cmd));
+       struct vmw_resource *ctx;
+-- 
+2.40.1
+
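Review bot: `last_state` in vmw_cmd_tex_state() is derived from `header->size`, a length that presumably comes from the submitted command stream, and nothing in the hunk shows it being bounded against the buffer. If the dispatcher validates it before this handler runs, that deserves a comment next to the declaration, for example `/* last_state: first byte past the command body (header + header->size) */`. The commit text treats the change as a harmless typo on 64-bit, but where a pointer is smaller than the header struct the old `sizeof(header)` would have put the end marker short of the real end of the body, so trailing state entries may have skipped whatever per-entry checks follow. The rest of the function is outside the hunk.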
diff --git a/queue-5.4/eth-remove-copies-of-the-napi_poll_weight-define.patch b/queue-5.4/eth-remove-copies-of-the-napi_poll_weight-define.patch
new file mode 100644 (file)
index 0000000..21d8420
--- /dev/null
@@ -0,0 +1,162 @@
+From 8ebaa6f8b0f75d7e11a78076dd740fd1571ac938 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Apr 2022 14:23:09 -0700
+Subject: eth: remove copies of the NAPI_POLL_WEIGHT define
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 5f012b40ef639343a976553bf3cc26dd0474756e ]
+
+Defining local versions of NAPI_POLL_WEIGHT with the same
+values in the drivers just makes refactoring harder.
+
+Drop the special defines in a bunch of drivers where the
+removal is relatively simple so grouping into one patch
+does not impact reviewability.
+
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Paul Durrant <paul@xen.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 66cf7435a269 ("xen-netback: use default TX queue size for vifs")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cortina/gemini.c  | 4 +---
+ drivers/net/ethernet/marvell/skge.c    | 3 +--
+ drivers/net/ethernet/marvell/sky2.c    | 3 +--
+ drivers/net/ethernet/ti/davinci_emac.c | 3 +--
+ drivers/net/ethernet/ti/netcp_core.c   | 5 ++---
+ drivers/net/xen-netback/interface.c    | 3 +--
+ 6 files changed, 7 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
+index a8a8b77c1611e..a2b8c2a53c8e7 100644
+--- a/drivers/net/ethernet/cortina/gemini.c
++++ b/drivers/net/ethernet/cortina/gemini.c
+@@ -69,7 +69,6 @@ MODULE_PARM_DESC(debug, "Debug level (0=none,...,16=all)");
+ #define DEFAULT_GMAC_RXQ_ORDER                9
+ #define DEFAULT_GMAC_TXQ_ORDER                8
+ #define DEFAULT_RX_BUF_ORDER          11
+-#define DEFAULT_NAPI_WEIGHT           64
+ #define TX_MAX_FRAGS                  16
+ #define TX_QUEUE_NUM                  1       /* max: 6 */
+ #define RX_MAX_ALLOC_ORDER            2
+@@ -2483,8 +2482,7 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
+       netdev->max_mtu = 10236 - VLAN_ETH_HLEN;
+       port->freeq_refill = 0;
+-      netif_napi_add(netdev, &port->napi, gmac_napi_poll,
+-                     DEFAULT_NAPI_WEIGHT);
++      netif_napi_add(netdev, &port->napi, gmac_napi_poll, NAPI_POLL_WEIGHT);
+       if (is_valid_ether_addr((void *)port->mac_addr)) {
+               memcpy(netdev->dev_addr, port->mac_addr, ETH_ALEN);
+diff --git a/drivers/net/ethernet/marvell/skge.c b/drivers/net/ethernet/marvell/skge.c
+index 095f6c71b4fa1..a75288e3288d2 100644
+--- a/drivers/net/ethernet/marvell/skge.c
++++ b/drivers/net/ethernet/marvell/skge.c
+@@ -50,7 +50,6 @@
+ #define PHY_RETRIES           1000
+ #define ETH_JUMBO_MTU         9000
+ #define TX_WATCHDOG           (5 * HZ)
+-#define NAPI_WEIGHT           64
+ #define BLINK_MS              250
+ #define LINK_HZ                       HZ
+@@ -3826,7 +3825,7 @@ static struct net_device *skge_devinit(struct skge_hw *hw, int port,
+               dev->features |= NETIF_F_HIGHDMA;
+       skge = netdev_priv(dev);
+-      netif_napi_add(dev, &skge->napi, skge_poll, NAPI_WEIGHT);
++      netif_napi_add(dev, &skge->napi, skge_poll, NAPI_POLL_WEIGHT);
+       skge->netdev = dev;
+       skge->hw = hw;
+       skge->msg_enable = netif_msg_init(debug, default_msg);
+diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c
+index df7c23cd33600..01248509addeb 100644
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -62,7 +62,6 @@
+ #define TX_DEF_PENDING                63
+ #define TX_WATCHDOG           (5 * HZ)
+-#define NAPI_WEIGHT           64
+ #define PHY_RETRIES           1000
+ #define SKY2_EEPROM_MAGIC     0x9955aabb
+@@ -5064,7 +5063,7 @@ static int sky2_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+               }
+       }
+-      netif_napi_add(dev, &hw->napi, sky2_poll, NAPI_WEIGHT);
++      netif_napi_add(dev, &hw->napi, sky2_poll, NAPI_POLL_WEIGHT);
+       err = register_netdev(dev);
+       if (err) {
+diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c
+index fac59032bf83a..9d7b2328a98a3 100644
+--- a/drivers/net/ethernet/ti/davinci_emac.c
++++ b/drivers/net/ethernet/ti/davinci_emac.c
+@@ -113,7 +113,6 @@ static const char emac_version_string[] = "TI DaVinci EMAC Linux v6.1";
+ #define EMAC_DEF_RX_NUM_DESC          (128)
+ #define EMAC_DEF_MAX_TX_CH            (1) /* Max TX channels configured */
+ #define EMAC_DEF_MAX_RX_CH            (1) /* Max RX channels configured */
+-#define EMAC_POLL_WEIGHT              (64) /* Default NAPI poll weight */
+ /* Buffer descriptor parameters */
+ #define EMAC_DEF_TX_MAX_SERVICE               (32) /* TX max service BD's */
+@@ -1918,7 +1917,7 @@ static int davinci_emac_probe(struct platform_device *pdev)
+       ndev->netdev_ops = &emac_netdev_ops;
+       ndev->ethtool_ops = &ethtool_ops;
+-      netif_napi_add(ndev, &priv->napi, emac_poll, EMAC_POLL_WEIGHT);
++      netif_napi_add(ndev, &priv->napi, emac_poll, NAPI_POLL_WEIGHT);
+       pm_runtime_enable(&pdev->dev);
+       rc = pm_runtime_get_sync(&pdev->dev);
+diff --git a/drivers/net/ethernet/ti/netcp_core.c b/drivers/net/ethernet/ti/netcp_core.c
+index 5dbb4ed1b1328..1eef4ac59c348 100644
+--- a/drivers/net/ethernet/ti/netcp_core.c
++++ b/drivers/net/ethernet/ti/netcp_core.c
+@@ -24,7 +24,6 @@
+ #include "netcp.h"
+ #define NETCP_SOP_OFFSET      (NET_IP_ALIGN + NET_SKB_PAD)
+-#define NETCP_NAPI_WEIGHT     64
+ #define NETCP_TX_TIMEOUT      (5 * HZ)
+ #define NETCP_PACKET_SIZE     (ETH_FRAME_LEN + ETH_FCS_LEN)
+ #define NETCP_MIN_PACKET_SIZE ETH_ZLEN
+@@ -2099,8 +2098,8 @@ static int netcp_create_interface(struct netcp_device *netcp_device,
+       }
+       /* NAPI register */
+-      netif_napi_add(ndev, &netcp->rx_napi, netcp_rx_poll, NETCP_NAPI_WEIGHT);
+-      netif_tx_napi_add(ndev, &netcp->tx_napi, netcp_tx_poll, NETCP_NAPI_WEIGHT);
++      netif_napi_add(ndev, &netcp->rx_napi, netcp_rx_poll, NAPI_POLL_WEIGHT);
++      netif_tx_napi_add(ndev, &netcp->tx_napi, netcp_tx_poll, NAPI_POLL_WEIGHT);
+       /* Register the network device */
+       ndev->dev_id            = 0;
+diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c
+index 6432f6e7fd548..1f735376539e7 100644
+--- a/drivers/net/xen-netback/interface.c
++++ b/drivers/net/xen-netback/interface.c
+@@ -42,7 +42,6 @@
+ #include <xen/balloon.h>
+ #define XENVIF_QUEUE_LENGTH 32
+-#define XENVIF_NAPI_WEIGHT  64
+ /* Number of bytes allowed on the internal guest Rx queue. */
+ #define XENVIF_RX_QUEUE_BYTES (XEN_NETIF_RX_RING_SIZE/2 * PAGE_SIZE)
+@@ -682,7 +681,7 @@ int xenvif_connect_data(struct xenvif_queue *queue,
+       atomic_set(&queue->inflight_packets, 0);
+       netif_napi_add(queue->vif->dev, &queue->napi, xenvif_poll,
+-                      XENVIF_NAPI_WEIGHT);
++                      NAPI_POLL_WEIGHT);
+       if (tx_evtchn == rx_evtchn) {
+               /* feature-split-event-channels == 0 */
+-- 
+2.40.1
+
diff --git a/queue-5.4/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch b/queue-5.4/ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch
new file mode 100644 (file)
index 0000000..3ee5b47
--- /dev/null
@@ -0,0 +1,75 @@
+From e9ffdde179f07900e3a5f67d9d0cf5a5ba2cdeac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Oct 2023 11:30:49 +0800
+Subject: ieee802154: ca8210: Fix a potential UAF in ca8210_probe
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit f990874b1c98fe8e57ee9385669f501822979258 ]
+
+If of_clk_add_provider() fails in ca8210_register_ext_clock(),
+it calls clk_unregister() to release priv->clk and returns an
+error. However, the caller ca8210_probe() then calls ca8210_remove(),
+where priv->clk is freed again in ca8210_unregister_ext_clock(). In
+this case, a use-after-free may happen in the second time we call
+clk_unregister().
+
+Fix this by removing the first clk_unregister(). Also, priv->clk could
+be an error code on failure of clk_register_fixed_rate(). Use
+IS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().
+
+Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Message-ID: <20231007033049.22353-1-dinghao.liu@zju.edu.cn>
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/ca8210.c | 17 +++--------------
+ 1 file changed, 3 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
+index fb57e561d3e61..fdbdc22fe4e5c 100644
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -2782,7 +2782,6 @@ static int ca8210_register_ext_clock(struct spi_device *spi)
+       struct device_node *np = spi->dev.of_node;
+       struct ca8210_priv *priv = spi_get_drvdata(spi);
+       struct ca8210_platform_data *pdata = spi->dev.platform_data;
+-      int ret = 0;
+       if (!np)
+               return -EFAULT;
+@@ -2799,18 +2798,8 @@ static int ca8210_register_ext_clock(struct spi_device *spi)
+               dev_crit(&spi->dev, "Failed to register external clk\n");
+               return PTR_ERR(priv->clk);
+       }
+-      ret = of_clk_add_provider(np, of_clk_src_simple_get, priv->clk);
+-      if (ret) {
+-              clk_unregister(priv->clk);
+-              dev_crit(
+-                      &spi->dev,
+-                      "Failed to register external clock as clock provider\n"
+-              );
+-      } else {
+-              dev_info(&spi->dev, "External clock set as clock provider\n");
+-      }
+-      return ret;
++      return of_clk_add_provider(np, of_clk_src_simple_get, priv->clk);
+ }
+ /**
+@@ -2822,8 +2811,8 @@ static void ca8210_unregister_ext_clock(struct spi_device *spi)
+ {
+       struct ca8210_priv *priv = spi_get_drvdata(spi);
+-      if (!priv->clk)
+-              return
++      if (IS_ERR_OR_NULL(priv->clk))
++              return;
+       of_clk_del_provider(spi->dev.of_node);
+       clk_unregister(priv->clk);
+-- 
+2.40.1
+
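Review bot: ca8210_unregister_ext_clock() still leaves `priv->clk` pointing at the clock after `clk_unregister(priv->clk)`, so a second call on any teardown path would unregister it again, the same class of bug this patch closes for the probe failure path. Adding `priv->clk = NULL;` right after `clk_unregister(priv->clk);` lets the new `IS_ERR_OR_NULL()` guard cover repeated calls as well. Separately, returning `of_clk_add_provider()` directly drops the `dev_crit()` that named the failing step, so a failure there is now silent unless the caller logs it. The end of the unregister function is outside the hunk.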
diff --git a/queue-5.4/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch b/queue-5.4/ixgbe-fix-crash-with-empty-vf-macvlan-list.patch
new file mode 100644 (file)
index 0000000..cd45f48
--- /dev/null
@@ -0,0 +1,49 @@
+From 06958db698cc2822c684881a9fc3b419f61a4b22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Oct 2023 15:53:09 +0300
+Subject: ixgbe: fix crash with empty VF macvlan list
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 7b5add9af567c44e12196107f0fe106e194034fd ]
+
+The adapter->vf_mvs.l list needs to be initialized even if the list is
+empty.  Otherwise it will lead to crashes.
+
+Fixes: a1cbb15c1397 ("ixgbe: Add macvlan support for VF")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Link: https://lore.kernel.org/r/ZSADNdIw8zFx1xw2@kadam
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
+index 0e73e3b1af19a..a3b1295415665 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
+@@ -28,6 +28,9 @@ static inline void ixgbe_alloc_vf_macvlans(struct ixgbe_adapter *adapter,
+       struct vf_macvlans *mv_list;
+       int num_vf_macvlans, i;
++      /* Initialize list of VF macvlans */
++      INIT_LIST_HEAD(&adapter->vf_mvs.l);
++
+       num_vf_macvlans = hw->mac.num_rar_entries -
+                         (IXGBE_MAX_PF_MACVLANS + 1 + num_vfs);
+       if (!num_vf_macvlans)
+@@ -36,8 +39,6 @@ static inline void ixgbe_alloc_vf_macvlans(struct ixgbe_adapter *adapter,
+       mv_list = kcalloc(num_vf_macvlans, sizeof(struct vf_macvlans),
+                         GFP_KERNEL);
+       if (mv_list) {
+-              /* Initialize list of VF macvlans */
+-              INIT_LIST_HEAD(&adapter->vf_mvs.l);
+               for (i = 0; i < num_vf_macvlans; i++) {
+                       mv_list[i].vf = -1;
+                       mv_list[i].free = true;
+-- 
+2.40.1
+
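Review bot: `if (!num_vf_macvlans)` in ixgbe_alloc_vf_macvlans() only catches an exact zero, while `num_vf_macvlans` is a signed int produced by a subtraction, so a `num_vfs` large enough to push it negative would reach `kcalloc()` with a negative count converted to a very large size. Whether `num_vfs` is capped before this call is not visible in the hunk. `if (num_vf_macvlans <= 0)` would make the early return cover that case too. Now that `INIT_LIST_HEAD()` runs first, that return leaves a valid empty list.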
diff --git a/queue-5.4/mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch b/queue-5.4/mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch
new file mode 100644 (file)
index 0000000..f6d0b59
--- /dev/null
@@ -0,0 +1,40 @@
+From 1ce8aeba74d042775e9378f6735f88d2ca8bbf40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Oct 2023 17:00:12 +0300
+Subject: mlxsw: fix mlxsw_sp2_nve_vxlan_learning_set() return type
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 1e0b72a2a6432c0ef67ee5ce8d9172a7c20bba25 ]
+
+The mlxsw_sp2_nve_vxlan_learning_set() function is supposed to return
+zero on success or negative error codes.  So it needs to be type int
+instead of bool.
+
+Fixes: 4ee70efab68d ("mlxsw: spectrum_nve: Add support for VXLAN on Spectrum-2")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c
+index 05517c7feaa56..a20ba23f0ed7a 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c
+@@ -294,8 +294,8 @@ const struct mlxsw_sp_nve_ops mlxsw_sp1_nve_vxlan_ops = {
+       .fdb_clear_offload = mlxsw_sp_nve_vxlan_clear_offload,
+ };
+-static bool mlxsw_sp2_nve_vxlan_learning_set(struct mlxsw_sp *mlxsw_sp,
+-                                           bool learning_en)
++static int mlxsw_sp2_nve_vxlan_learning_set(struct mlxsw_sp *mlxsw_sp,
++                                          bool learning_en)
+ {
+       char tnpc_pl[MLXSW_REG_TNPC_LEN];
+-- 
+2.40.1
+
diff --git a/queue-5.4/net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch b/queue-5.4/net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch
new file mode 100644 (file)
index 0000000..5439dab
--- /dev/null
@@ -0,0 +1,130 @@
+From 670022d926913adbc2ddcb6e8a53a8e1f6d45971 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Oct 2023 12:31:10 +0000
+Subject: net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 31c07dffafce914c1d1543c135382a11ff058d93 ]
+
+Sili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.
+
+Getting a reference on the socket found in a lookup while
+holding a lock should happen before releasing the lock.
+
+nfc_llcp_sock_get_sn() has a similar problem.
+
+Finally nfc_llcp_recv_snl() needs to make sure the socket
+found by nfc_llcp_sock_from_sn() does not disappear.
+
+Fixes: 8f50020ed9b8 ("NFC: LLCP late binding")
+Reported-by: Sili Luo <rootlab@huawei.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willy Tarreau <w@1wt.eu>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20231009123110.3735515-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp_core.c | 30 ++++++++++++------------------
+ 1 file changed, 12 insertions(+), 18 deletions(-)
+
+diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
+index b1107570eaee8..92f70686bee0a 100644
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -205,17 +205,13 @@ static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
+               if (tmp_sock->ssap == ssap && tmp_sock->dsap == dsap) {
+                       llcp_sock = tmp_sock;
++                      sock_hold(&llcp_sock->sk);
+                       break;
+               }
+       }
+       read_unlock(&local->sockets.lock);
+-      if (llcp_sock == NULL)
+-              return NULL;
+-
+-      sock_hold(&llcp_sock->sk);
+-
+       return llcp_sock;
+ }
+@@ -348,7 +344,8 @@ static int nfc_llcp_wks_sap(const char *service_name, size_t service_name_len)
+ static
+ struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local,
+-                                          const u8 *sn, size_t sn_len)
++                                          const u8 *sn, size_t sn_len,
++                                          bool needref)
+ {
+       struct sock *sk;
+       struct nfc_llcp_sock *llcp_sock, *tmp_sock;
+@@ -384,6 +381,8 @@ struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local,
+               if (memcmp(sn, tmp_sock->service_name, sn_len) == 0) {
+                       llcp_sock = tmp_sock;
++                      if (needref)
++                              sock_hold(&llcp_sock->sk);
+                       break;
+               }
+       }
+@@ -425,7 +424,8 @@ u8 nfc_llcp_get_sdp_ssap(struct nfc_llcp_local *local,
+                * to this service name.
+                */
+               if (nfc_llcp_sock_from_sn(local, sock->service_name,
+-                                        sock->service_name_len) != NULL) {
++                                        sock->service_name_len,
++                                        false) != NULL) {
+                       mutex_unlock(&local->sdp_lock);
+                       return LLCP_SAP_MAX;
+@@ -833,16 +833,7 @@ static struct nfc_llcp_sock *nfc_llcp_connecting_sock_get(struct nfc_llcp_local
+ static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local,
+                                                 const u8 *sn, size_t sn_len)
+ {
+-      struct nfc_llcp_sock *llcp_sock;
+-
+-      llcp_sock = nfc_llcp_sock_from_sn(local, sn, sn_len);
+-
+-      if (llcp_sock == NULL)
+-              return NULL;
+-
+-      sock_hold(&llcp_sock->sk);
+-
+-      return llcp_sock;
++      return nfc_llcp_sock_from_sn(local, sn, sn_len, true);
+ }
+ static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len)
+@@ -1307,7 +1298,8 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
+                       }
+                       llcp_sock = nfc_llcp_sock_from_sn(local, service_name,
+-                                                        service_name_len);
++                                                        service_name_len,
++                                                        true);
+                       if (!llcp_sock) {
+                               sap = 0;
+                               goto add_snl;
+@@ -1327,6 +1319,7 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
+                               if (sap == LLCP_SAP_MAX) {
+                                       sap = 0;
++                                      nfc_llcp_sock_put(llcp_sock);
+                                       goto add_snl;
+                               }
+@@ -1344,6 +1337,7 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
+                       pr_debug("%p %d\n", llcp_sock, sap);
++                      nfc_llcp_sock_put(llcp_sock);
+ add_snl:
+                       sdp = nfc_llcp_build_sdres_tlv(tid, sap);
+                       if (sdp == NULL)
+-- 
+2.40.1
+
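Review bot: The new `needref` argument of nfc_llcp_sock_from_sn() changes who owns the returned socket, and nothing in the patch documents that. A comment on the function would make the contract explicit, for example `/* When @needref is true the socket is returned with a reference held; the caller must drop it with nfc_llcp_sock_put(). */`. In nfc_llcp_recv_snl() the reference taken by the `true` call is released in the `sap == LLCP_SAP_MAX` branch and just before `add_snl:`. The code between those hunks is not shown, so any other exit from that block after the lookup needs the same `nfc_llcp_sock_put(llcp_sock);`.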
diff --git a/queue-5.4/nfc-nci-assert-requested-protocol-is-valid.patch b/queue-5.4/nfc-nci-assert-requested-protocol-is-valid.patch
new file mode 100644 (file)
index 0000000..a9812ae
--- /dev/null
@@ -0,0 +1,45 @@
+From 8e7f7533ef41321089691047e90c11ad7b885e43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Oct 2023 16:00:54 -0400
+Subject: nfc: nci: assert requested protocol is valid
+
+From: Jeremy Cline <jeremy@jcline.org>
+
+[ Upstream commit 354a6e707e29cb0c007176ee5b8db8be7bd2dee0 ]
+
+The protocol is used in a bit mask to determine if the protocol is
+supported. Assert the provided protocol is less than the maximum
+defined so it doesn't potentially perform a shift-out-of-bounds and
+provide a clearer error for undefined protocols vs unsupported ones.
+
+Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
+Reported-and-tested-by: syzbot+0839b78e119aae1fec78@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0839b78e119aae1fec78
+Signed-off-by: Jeremy Cline <jeremy@jcline.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20231009200054.82557-1-jeremy@jcline.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/nci/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index 57849baf9294d..54b9efb5ae821 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -894,6 +894,11 @@ static int nci_activate_target(struct nfc_dev *nfc_dev,
+               return -EINVAL;
+       }
++      if (protocol >= NFC_PROTO_MAX) {
++              pr_err("the requested nfc protocol is invalid\n");
++              return -EINVAL;
++      }
++
+       if (!(nci_target->supported_protocols & (1 << protocol))) {
+               pr_err("target does not support the requested protocol 0x%x\n",
+                      protocol);
+-- 
+2.40.1
+
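Review bot: The new `pr_err("the requested nfc protocol is invalid\n")` in nci_activate_target() omits the offending value, unlike the message just below it that prints `0x%x`. `pr_err("the requested nfc protocol 0x%x is invalid\n", protocol);` would make the two failures equally diagnosable. The commit message credits a syzbot reproducer, so this path is presumably reachable with caller-chosen values, and an unthrottled `pr_err()` can then be used to fill the kernel log; `pr_err_ratelimited()` would bound that. The check also relies on `NFC_PROTO_MAX` staying below the bit width of the `1 << protocol` mask, which the hunk does not show.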
diff --git a/queue-5.4/ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch b/queue-5.4/ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch
new file mode 100644 (file)
index 0000000..bb07d52
--- /dev/null
@@ -0,0 +1,47 @@
+From 2feccfa51c8c28089f1a694c9ff5291561583fec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Oct 2023 10:12:00 +0900
+Subject: ravb: Fix up dma_free_coherent() call in ravb_remove()
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit e6864af61493113558c502b5cd0d754c19b93277 ]
+
+In ravb_remove(), dma_free_coherent() should be call after
+unregister_netdev(). Otherwise, this controller is possible to use
+the freed buffer.
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20231005011201.14368-2-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 231a1295c4700..4698fbde7fb74 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -2212,14 +2212,14 @@ static int ravb_remove(struct platform_device *pdev)
+       if (priv->chip_id != RCAR_GEN2)
+               ravb_ptp_stop(ndev);
+-      dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat,
+-                        priv->desc_bat_dma);
+       /* Set reset mode */
+       ravb_write(ndev, CCC_OPC_RESET, CCC);
+       unregister_netdev(ndev);
+       netif_napi_del(&priv->napi[RAVB_NC]);
+       netif_napi_del(&priv->napi[RAVB_BE]);
+       ravb_mdio_release(priv);
++      dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat,
++                        priv->desc_bat_dma);
+       pm_runtime_put_sync(&pdev->dev);
+       pm_runtime_disable(&pdev->dev);
+       free_netdev(ndev);
+-- 
+2.40.1
+
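Review bot: The ordering this patch establishes in ravb_remove() is not recorded in the code, so a later cleanup could move `dma_free_coherent()` back above `unregister_netdev()` and reintroduce the use of a freed buffer. A comment above the moved call would preserve the reason, for example `/* free the descriptor base address table only after unregister_netdev(); the controller may still use it until then */`. The function starts outside the hunk.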
index 19ebec718dd4f343d45fed92189f37c6c10d49f3..879e070f357957918f3847d5f53a7b32bc8f994d 100644 (file)
@@ -6,3 +6,14 @@ hid-logitech-hidpp-fix-kernel-crash-on-receiver-usb-disconnect.patch
 quota-fix-slow-quotaoff.patch
 net-prevent-address-rewrite-in-kernel_bind.patch
 drm-etvnaviv-fix-bad-backport-leading-to-warning.patch
+drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch
+ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch
+ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch
+mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch
+eth-remove-copies-of-the-napi_poll_weight-define.patch
+xen-netback-use-default-tx-queue-size-for-vifs.patch
+drm-vmwgfx-fix-typo-of-sizeof-argument.patch
+ixgbe-fix-crash-with-empty-vf-macvlan-list.patch
+net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch
+nfc-nci-assert-requested-protocol-is-valid.patch
+workqueue-override-implicit-ordered-attribute-in-wor.patch
diff --git a/queue-5.4/workqueue-override-implicit-ordered-attribute-in-wor.patch b/queue-5.4/workqueue-override-implicit-ordered-attribute-in-wor.patch
new file mode 100644 (file)
index 0000000..4e2b311
--- /dev/null
@@ -0,0 +1,58 @@
+From d28cfff4757993869bf18962f54bf3bfc1328242 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Oct 2023 22:48:42 -0400
+Subject: workqueue: Override implicit ordered attribute in
+ workqueue_apply_unbound_cpumask()
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit ca10d851b9ad0338c19e8e3089e24d565ebfffd7 ]
+
+Commit 5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1
+to be ordered") enabled implicit ordered attribute to be added to
+WQ_UNBOUND workqueues with max_active of 1. This prevented the changing
+of attributes to these workqueues leading to fix commit 0a94efb5acbb
+("workqueue: implicit ordered attribute should be overridable").
+
+However, workqueue_apply_unbound_cpumask() was not updated at that time.
+So sysfs changes to wq_unbound_cpumask has no effect on WQ_UNBOUND
+workqueues with implicit ordered attribute. Since not all WQ_UNBOUND
+workqueues are visible on sysfs, we are not able to make all the
+necessary cpumask changes even if we iterates all the workqueue cpumasks
+in sysfs and changing them one by one.
+
+Fix this problem by applying the corresponding change made
+to apply_workqueue_attrs_locked() in the fix commit to
+workqueue_apply_unbound_cpumask().
+
+Fixes: 5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1 to be ordered")
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/workqueue.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c
+index 856188b0681af..a2c4de2a11327 100644
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -5273,9 +5273,13 @@ static int workqueue_apply_unbound_cpumask(void)
+       list_for_each_entry(wq, &workqueues, list) {
+               if (!(wq->flags & WQ_UNBOUND))
+                       continue;
++
+               /* creating multiple pwqs breaks ordering guarantee */
+-              if (wq->flags & __WQ_ORDERED)
+-                      continue;
++              if (!list_empty(&wq->pwqs)) {
++                      if (wq->flags & __WQ_ORDERED_EXPLICIT)
++                              continue;
++                      wq->flags &= ~__WQ_ORDERED;
++              }
+               ctx = apply_wqattrs_prepare(wq, wq->unbound_attrs);
+               if (!ctx) {
+-- 
+2.40.1
+
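Review bot: The retained comment `/* creating multiple pwqs breaks ordering guarantee */` no longer describes the block beneath it in the kernel/workqueue.c hunk, because the new code skips only `__WQ_ORDERED_EXPLICIT` workqueues and clears `__WQ_ORDERED` on every other workqueue with a non-empty `pwqs` list. I would reword it along the lines of `/* explicitly ordered wqs are left alone; implicit ordering is dropped so the new cpumask can be applied */`. Separately, `wq->flags &= ~__WQ_ORDERED;` runs before the result of `apply_wqattrs_prepare()` is checked, so if that call returns NULL the flag appears to stay cleared although no new attributes were applied. Whether that matters depends on the error path, which is not visible here because workqueue_apply_unbound_cpumask() continues past the end of the hunk.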
diff --git a/queue-5.4/xen-netback-use-default-tx-queue-size-for-vifs.patch b/queue-5.4/xen-netback-use-default-tx-queue-size-for-vifs.patch
new file mode 100644 (file)
index 0000000..5c0bbaf
--- /dev/null
@@ -0,0 +1,57 @@
+From b98b5917f345f4c07d7c84f6d709fc8b08148e26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Oct 2023 16:08:31 +0200
+Subject: xen-netback: use default TX queue size for vifs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monne <roger.pau@citrix.com>
+
+[ Upstream commit 66cf7435a26917c0c4d6245ad9137e7606e84fdf ]
+
+Do not set netback interfaces (vifs) default TX queue size to the ring size.
+The TX queue size is not related to the ring size, and using the ring size (32)
+as the queue size can lead to packet drops.  Note the TX side of the vif
+interface in the netback domain is the one receiving packets to be injected
+to the guest.
+
+Do not explicitly set the TX queue length to any value when creating the
+interface, and instead use the system default.  Note that the queue length can
+also be adjusted at runtime.
+
+Fixes: f942dc2552b8 ('xen network backend driver')
+Signed-off-by: Roger Pau MonnĂ© <roger.pau@citrix.com>
+Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Acked-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netback/interface.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c
+index 1f735376539e7..df803f0cc7d57 100644
+--- a/drivers/net/xen-netback/interface.c
++++ b/drivers/net/xen-netback/interface.c
+@@ -41,8 +41,6 @@
+ #include <asm/xen/hypercall.h>
+ #include <xen/balloon.h>
+-#define XENVIF_QUEUE_LENGTH 32
+-
+ /* Number of bytes allowed on the internal guest Rx queue. */
+ #define XENVIF_RX_QUEUE_BYTES (XEN_NETIF_RX_RING_SIZE/2 * PAGE_SIZE)
+@@ -525,8 +523,6 @@ struct xenvif *xenvif_alloc(struct device *parent, domid_t domid,
+       dev->features = dev->hw_features | NETIF_F_RXCSUM;
+       dev->ethtool_ops = &xenvif_ethtool_ops;
+-      dev->tx_queue_len = XENVIF_QUEUE_LENGTH;
+-
+       dev->min_mtu = ETH_MIN_MTU;
+       dev->max_mtu = ETH_MAX_MTU - VLAN_ETH_HLEN;
+-- 
+2.40.1
+