--- /dev/null
+From c665678028aa7d997d78f7b083f0af57a41c1f52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Jul 2023 03:40:17 +0200
+Subject: ARM: dts: BCM5301X: Extend RAM to full 256MB for Linksys EA6500 V2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Aleksey Nasibulin <alealexpro100@ya.ru>
+
+[ Upstream commit 91994e59079dcb455783d3f9ea338eea6f671af3 ]
+
+Linksys ea6500-v2 have 256MB of ram. Currently we only use 128MB.
+Expand the definition to use all the available RAM.
+
+Fixes: 03e96644d7a8 ("ARM: dts: BCM5301X: Add basic DT for Linksys EA6500 V2")
+Signed-off-by: Aleksey Nasibulin <alealexpro100@ya.ru>
+Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
+Cc: stable@vger.kernel.org
+Acked-by: Rafał Miłecki <rafal@milecki.pl>
+Link: https://lore.kernel.org/r/20230712014017.28123-1-ansuelsmth@gmail.com
+Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm4708-linksys-ea6500-v2.dts | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/bcm4708-linksys-ea6500-v2.dts b/arch/arm/boot/dts/bcm4708-linksys-ea6500-v2.dts
+index cd797b4202ad8..01c48faabfade 100644
+--- a/arch/arm/boot/dts/bcm4708-linksys-ea6500-v2.dts
++++ b/arch/arm/boot/dts/bcm4708-linksys-ea6500-v2.dts
+@@ -19,7 +19,8 @@
+
+ memory@0 {
+ device_type = "memory";
+- reg = <0x00000000 0x08000000>;
++ reg = <0x00000000 0x08000000>,
++ <0x88000000 0x08000000>;
+ };
+
+ gpio-keys {
+--
+2.40.1
+
--- /dev/null
+From ec5b4f99044ee976bf886c93c4b1e960a439b0b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jul 2023 17:37:20 +0200
+Subject: ARM: dts: samsung: exynos4210-i9100: Fix LCD screen's physical size
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+[ Upstream commit b3f3fc32e5ff1e848555af8616318cc667457f90 ]
+
+The previous values were completely bogus, and resulted in the computed
+DPI ratio being much lower than reality, causing applications and UIs to
+misbehave.
+
+The new values were measured by myself with a ruler.
+
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Acked-by: Sam Ravnborg <sam@ravnborg.org>
+Fixes: 8620cc2f99b7 ("ARM: dts: exynos: Add devicetree file for the Galaxy S2")
+Cc: <stable@vger.kernel.org> # v5.8+
+Link: https://lore.kernel.org/r/20230714153720.336990-1-paul@crapouillou.net
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/exynos4210-i9100.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/exynos4210-i9100.dts b/arch/arm/boot/dts/exynos4210-i9100.dts
+index 5f5d9b1357365..93880bdbcad98 100644
+--- a/arch/arm/boot/dts/exynos4210-i9100.dts
++++ b/arch/arm/boot/dts/exynos4210-i9100.dts
+@@ -200,8 +200,8 @@
+ power-on-delay = <10>;
+ reset-delay = <10>;
+
+- panel-width-mm = <90>;
+- panel-height-mm = <154>;
++ panel-width-mm = <56>;
++ panel-height-mm = <93>;
+
+ display-timings {
+ timing {
+--
+2.40.1
+
--- /dev/null
+From c6d385e15c15835fc66580a4a40b43e09285149b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 15:59:00 +0800
+Subject: block: don't add or resize partition on the disk with
+ GENHD_FL_NO_PART
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+[ Upstream commit 1a721de8489fa559ff4471f73c58bb74ac5580d3 ]
+
+Commit a33df75c6328 ("block: use an xarray for disk->part_tbl") remove
+disk_expand_part_tbl() in add_partition(), which means all kinds of
+devices will support extended dynamic `dev_t`.
+However, some devices with GENHD_FL_NO_PART are not expected to add or
+resize partition.
+Fix this by adding check of GENHD_FL_NO_PART before add or resize
+partition.
+
+Fixes: a33df75c6328 ("block: use an xarray for disk->part_tbl")
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20230831075900.1725842-1-lilingfeng@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/ioctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/block/ioctl.c b/block/ioctl.c
+index cd506a9029630..8f39e413f12a3 100644
+--- a/block/ioctl.c
++++ b/block/ioctl.c
+@@ -20,6 +20,8 @@ static int blkpg_do_ioctl(struct block_device *bdev,
+ struct blkpg_partition p;
+ long long start, length;
+
++ if (disk->flags & GENHD_FL_NO_PART)
++ return -EINVAL;
+ if (!capable(CAP_SYS_ADMIN))
+ return -EACCES;
+ if (copy_from_user(&p, upart, sizeof(struct blkpg_partition)))
+--
+2.40.1
+
--- /dev/null
+From f406e6d560195db6c772cda55a383c045c3338c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 14:06:13 +0100
+Subject: block: move GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE to disk->event_flags
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 1545e0b419ba1d9b9bee4061d4826340afe6b0aa ]
+
+GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE is all about the event reporting
+mechanism, so move it to the event_flags field.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20211122130625.1136848-3-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 1a721de8489f ("block: don't add or resize partition on the disk with GENHD_FL_NO_PART")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bdev.c | 2 +-
+ drivers/block/paride/pcd.c | 2 +-
+ drivers/scsi/sr.c | 5 +++--
+ include/linux/genhd.h | 6 ++----
+ 4 files changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/block/bdev.c b/block/bdev.c
+index 18abafb135e0b..b8599a4088843 100644
+--- a/block/bdev.c
++++ b/block/bdev.c
+@@ -835,7 +835,7 @@ struct block_device *blkdev_get_by_dev(dev_t dev, fmode_t mode, void *holder)
+ * used in blkdev_get/put().
+ */
+ if ((mode & FMODE_WRITE) && !bdev->bd_write_holder &&
+- (disk->flags & GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE)) {
++ (disk->event_flags & DISK_EVENT_FLAG_BLOCK_ON_EXCL_WRITE)) {
+ bdev->bd_write_holder = true;
+ unblock_events = false;
+ }
+diff --git a/drivers/block/paride/pcd.c b/drivers/block/paride/pcd.c
+index 93ed636262328..6ac716e614e30 100644
+--- a/drivers/block/paride/pcd.c
++++ b/drivers/block/paride/pcd.c
+@@ -929,8 +929,8 @@ static int pcd_init_unit(struct pcd_unit *cd, bool autoprobe, int port,
+ disk->minors = 1;
+ strcpy(disk->disk_name, cd->name); /* umm... */
+ disk->fops = &pcd_bdops;
+- disk->flags = GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE;
+ disk->events = DISK_EVENT_MEDIA_CHANGE;
++ disk->event_flags = DISK_EVENT_FLAG_BLOCK_ON_EXCL_WRITE;
+
+ if (!pi_init(cd->pi, autoprobe, port, mode, unit, protocol, delay,
+ pcd_buffer, PI_PCD, verbose, cd->name))
+diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
+index 652cd81d77753..af210910dadf2 100644
+--- a/drivers/scsi/sr.c
++++ b/drivers/scsi/sr.c
+@@ -684,9 +684,10 @@ static int sr_probe(struct device *dev)
+ disk->minors = 1;
+ sprintf(disk->disk_name, "sr%d", minor);
+ disk->fops = &sr_bdops;
+- disk->flags = GENHD_FL_CD | GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE;
++ disk->flags = GENHD_FL_CD;
+ disk->events = DISK_EVENT_MEDIA_CHANGE | DISK_EVENT_EJECT_REQUEST;
+- disk->event_flags = DISK_EVENT_FLAG_POLL | DISK_EVENT_FLAG_UEVENT;
++ disk->event_flags = DISK_EVENT_FLAG_POLL | DISK_EVENT_FLAG_UEVENT |
++ DISK_EVENT_FLAG_BLOCK_ON_EXCL_WRITE;
+
+ blk_queue_rq_timeout(sdev->request_queue, SR_TIMEOUT);
+
+diff --git a/include/linux/genhd.h b/include/linux/genhd.h
+index 3234b43fefb5c..300f796b8773d 100644
+--- a/include/linux/genhd.h
++++ b/include/linux/genhd.h
+@@ -60,9 +60,6 @@ struct partition_meta_info {
+ * (``BLOCK_EXT_MAJOR``).
+ * This affects the maximum number of partitions.
+ *
+- * ``GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE`` (0x0100): event polling is
+- * blocked whenever a writer holds an exclusive lock.
+- *
+ * ``GENHD_FL_NO_PART_SCAN`` (0x0200): partition scanning is disabled.
+ * Used for loop devices in their default settings and some MMC
+ * devices.
+@@ -80,7 +77,6 @@ struct partition_meta_info {
+ #define GENHD_FL_CD 0x0008
+ #define GENHD_FL_SUPPRESS_PARTITION_INFO 0x0020
+ #define GENHD_FL_EXT_DEVT 0x0040
+-#define GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE 0x0100
+ #define GENHD_FL_NO_PART_SCAN 0x0200
+ #define GENHD_FL_HIDDEN 0x0400
+
+@@ -94,6 +90,8 @@ enum {
+ DISK_EVENT_FLAG_POLL = 1 << 0,
+ /* Forward events to udev */
+ DISK_EVENT_FLAG_UEVENT = 1 << 1,
++ /* Block event polling when open for exclusive write */
++ DISK_EVENT_FLAG_BLOCK_ON_EXCL_WRITE = 1 << 2,
+ };
+
+ struct disk_events;
+--
+2.40.1
+
--- /dev/null
+From 64555eebdcaa3e05009b8cff683004d14f9b3c47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 14:06:12 +0100
+Subject: block: move GENHD_FL_NATIVE_CAPACITY to disk->state
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 86416916466514e4ae0b7296d20133b6427c4c1f ]
+
+The flag to indicate an unlocked native capacity is dynamic state,
+not a driver capability flag, so move it to disk->state.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20211122130625.1136848-2-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 1a721de8489f ("block: don't add or resize partition on the disk with GENHD_FL_NO_PART")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/partitions/core.c | 15 ++++++---------
+ include/linux/genhd.h | 8 +-------
+ 2 files changed, 7 insertions(+), 16 deletions(-)
+
+diff --git a/block/partitions/core.c b/block/partitions/core.c
+index b9e9af84f5188..1ead8c0015616 100644
+--- a/block/partitions/core.c
++++ b/block/partitions/core.c
+@@ -526,18 +526,15 @@ int bdev_resize_partition(struct gendisk *disk, int partno, sector_t start,
+
+ static bool disk_unlock_native_capacity(struct gendisk *disk)
+ {
+- const struct block_device_operations *bdops = disk->fops;
+-
+- if (bdops->unlock_native_capacity &&
+- !(disk->flags & GENHD_FL_NATIVE_CAPACITY)) {
+- printk(KERN_CONT "enabling native capacity\n");
+- bdops->unlock_native_capacity(disk);
+- disk->flags |= GENHD_FL_NATIVE_CAPACITY;
+- return true;
+- } else {
++ if (!disk->fops->unlock_native_capacity ||
++ test_and_set_bit(GD_NATIVE_CAPACITY, &disk->state)) {
+ printk(KERN_CONT "truncated\n");
+ return false;
+ }
++
++ printk(KERN_CONT "enabling native capacity\n");
++ disk->fops->unlock_native_capacity(disk);
++ return true;
+ }
+
+ void blk_drop_partitions(struct gendisk *disk)
+diff --git a/include/linux/genhd.h b/include/linux/genhd.h
+index 0b48a0cf42624..3234b43fefb5c 100644
+--- a/include/linux/genhd.h
++++ b/include/linux/genhd.h
+@@ -60,12 +60,6 @@ struct partition_meta_info {
+ * (``BLOCK_EXT_MAJOR``).
+ * This affects the maximum number of partitions.
+ *
+- * ``GENHD_FL_NATIVE_CAPACITY`` (0x0080): based on information in the
+- * partition table, the device's capacity has been extended to its
+- * native capacity; i.e. the device has hidden capacity used by one
+- * of the partitions (this is a flag used so that native capacity is
+- * only ever unlocked once).
+- *
+ * ``GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE`` (0x0100): event polling is
+ * blocked whenever a writer holds an exclusive lock.
+ *
+@@ -86,7 +80,6 @@ struct partition_meta_info {
+ #define GENHD_FL_CD 0x0008
+ #define GENHD_FL_SUPPRESS_PARTITION_INFO 0x0020
+ #define GENHD_FL_EXT_DEVT 0x0040
+-#define GENHD_FL_NATIVE_CAPACITY 0x0080
+ #define GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE 0x0100
+ #define GENHD_FL_NO_PART_SCAN 0x0200
+ #define GENHD_FL_HIDDEN 0x0400
+@@ -140,6 +133,7 @@ struct gendisk {
+ #define GD_NEED_PART_SCAN 0
+ #define GD_READ_ONLY 1
+ #define GD_DEAD 2
++#define GD_NATIVE_CAPACITY 3
+
+ struct mutex open_mutex; /* open/close mutex */
+ unsigned open_partitions; /* number of open partitions */
+--
+2.40.1
+
--- /dev/null
+From 898290c1f04e2c40a83b8799401f861a6e2b0915 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 14:06:17 +0100
+Subject: block: rename GENHD_FL_NO_PART_SCAN to GENHD_FL_NO_PART
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 46e7eac647b34ed4106a8262f8bedbb90801fadd ]
+
+The GENHD_FL_NO_PART_SCAN controls more than just partitions canning,
+so rename it to GENHD_FL_NO_PART.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://lore.kernel.org/r/20211122130625.1136848-7-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 1a721de8489f ("block: don't add or resize partition on the disk with GENHD_FL_NO_PART")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/genhd.c | 2 +-
+ drivers/block/loop.c | 8 ++++----
+ drivers/block/n64cart.c | 2 +-
+ drivers/mmc/core/block.c | 4 ++--
+ include/linux/genhd.h | 13 ++++++-------
+ 5 files changed, 14 insertions(+), 15 deletions(-)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index a1d9e785dcf70..6123f13e148e0 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -495,7 +495,7 @@ int device_add_disk(struct device *parent, struct gendisk *disk,
+ * and don't bother scanning for partitions either.
+ */
+ disk->flags |= GENHD_FL_SUPPRESS_PARTITION_INFO;
+- disk->flags |= GENHD_FL_NO_PART_SCAN;
++ disk->flags |= GENHD_FL_NO_PART;
+ } else {
+ ret = bdi_register(disk->bdi, "%u:%u",
+ disk->major, disk->first_minor);
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index c96bdb3e7ac52..1d60d5ac0db80 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1314,7 +1314,7 @@ static int loop_configure(struct loop_device *lo, fmode_t mode,
+ lo->lo_flags |= LO_FLAGS_PARTSCAN;
+ partscan = lo->lo_flags & LO_FLAGS_PARTSCAN;
+ if (partscan)
+- lo->lo_disk->flags &= ~GENHD_FL_NO_PART_SCAN;
++ lo->lo_disk->flags &= ~GENHD_FL_NO_PART;
+
+ /* enable and uncork uevent now that we are done */
+ dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0);
+@@ -1463,7 +1463,7 @@ static int __loop_clr_fd(struct loop_device *lo, bool release)
+ mutex_lock(&lo->lo_mutex);
+ lo->lo_flags = 0;
+ if (!part_shift)
+- lo->lo_disk->flags |= GENHD_FL_NO_PART_SCAN;
++ lo->lo_disk->flags |= GENHD_FL_NO_PART;
+ lo->lo_state = Lo_unbound;
+ mutex_unlock(&lo->lo_mutex);
+
+@@ -1580,7 +1580,7 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info)
+
+ if (!err && (lo->lo_flags & LO_FLAGS_PARTSCAN) &&
+ !(prev_lo_flags & LO_FLAGS_PARTSCAN)) {
+- lo->lo_disk->flags &= ~GENHD_FL_NO_PART_SCAN;
++ lo->lo_disk->flags &= ~GENHD_FL_NO_PART;
+ partscan = true;
+ }
+ out_unlock:
+@@ -2410,7 +2410,7 @@ static int loop_add(int i)
+ * userspace tools. Parameters like this in general should be avoided.
+ */
+ if (!part_shift)
+- disk->flags |= GENHD_FL_NO_PART_SCAN;
++ disk->flags |= GENHD_FL_NO_PART;
+ disk->flags |= GENHD_FL_EXT_DEVT;
+ atomic_set(&lo->lo_refcnt, 0);
+ mutex_init(&lo->lo_mutex);
+diff --git a/drivers/block/n64cart.c b/drivers/block/n64cart.c
+index bcaabf038947c..0bda4a468c660 100644
+--- a/drivers/block/n64cart.c
++++ b/drivers/block/n64cart.c
+@@ -137,7 +137,7 @@ static int __init n64cart_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ disk->first_minor = 0;
+- disk->flags = GENHD_FL_NO_PART_SCAN;
++ disk->flags = GENHD_FL_NO_PART;
+ disk->fops = &n64cart_fops;
+ disk->private_data = &pdev->dev;
+ strcpy(disk->disk_name, "n64cart");
+diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
+index 965b44a095077..25077a1a3d821 100644
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -2447,8 +2447,8 @@ static struct mmc_blk_data *mmc_blk_alloc_req(struct mmc_card *card,
+ set_disk_ro(md->disk, md->read_only || default_ro);
+ md->disk->flags = GENHD_FL_EXT_DEVT;
+ if (area_type & (MMC_BLK_DATA_AREA_RPMB | MMC_BLK_DATA_AREA_BOOT))
+- md->disk->flags |= GENHD_FL_NO_PART_SCAN
+- | GENHD_FL_SUPPRESS_PARTITION_INFO;
++ md->disk->flags |= GENHD_FL_NO_PART |
++ GENHD_FL_SUPPRESS_PARTITION_INFO;
+
+ /*
+ * As discussed on lkml, GENHD_FL_REMOVABLE should:
+diff --git a/include/linux/genhd.h b/include/linux/genhd.h
+index 300f796b8773d..690b7f7996d15 100644
+--- a/include/linux/genhd.h
++++ b/include/linux/genhd.h
+@@ -60,15 +60,15 @@ struct partition_meta_info {
+ * (``BLOCK_EXT_MAJOR``).
+ * This affects the maximum number of partitions.
+ *
+- * ``GENHD_FL_NO_PART_SCAN`` (0x0200): partition scanning is disabled.
+- * Used for loop devices in their default settings and some MMC
+- * devices.
++ * ``GENHD_FL_NO_PART`` (0x0200): partition support is disabled.
++ * The kernel will not scan for partitions from add_disk, and users
++ * can't add partitions manually.
+ *
+ * ``GENHD_FL_HIDDEN`` (0x0400): the block device is hidden; it
+ * doesn't produce events, doesn't appear in sysfs, and doesn't have
+ * an associated ``bdev``.
+ * Implies ``GENHD_FL_SUPPRESS_PARTITION_INFO`` and
+- * ``GENHD_FL_NO_PART_SCAN``.
++ * ``GENHD_FL_NO_PART``.
+ * Used for multipath devices.
+ */
+ #define GENHD_FL_REMOVABLE 0x0001
+@@ -77,7 +77,7 @@ struct partition_meta_info {
+ #define GENHD_FL_CD 0x0008
+ #define GENHD_FL_SUPPRESS_PARTITION_INFO 0x0020
+ #define GENHD_FL_EXT_DEVT 0x0040
+-#define GENHD_FL_NO_PART_SCAN 0x0200
++#define GENHD_FL_NO_PART 0x0200
+ #define GENHD_FL_HIDDEN 0x0400
+
+ enum {
+@@ -185,8 +185,7 @@ static inline int disk_max_parts(struct gendisk *disk)
+
+ static inline bool disk_part_scan_enabled(struct gendisk *disk)
+ {
+- return disk_max_parts(disk) > 1 &&
+- !(disk->flags & GENHD_FL_NO_PART_SCAN);
++ return disk_max_parts(disk) > 1 && !(disk->flags & GENHD_FL_NO_PART);
+ }
+
+ static inline dev_t disk_devt(struct gendisk *disk)
+--
+2.40.1
+
--- /dev/null
+From cc96c9e2e71c0619a85629553395c1efc073b28a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 18:17:52 +0800
+Subject: hsr: Fix uninit-value access in fill_frame_info()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 484b4833c604c0adcf19eac1ca14b60b757355b5 ]
+
+Syzbot reports the following uninit-value access problem.
+
+=====================================================
+BUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:601 [inline]
+BUG: KMSAN: uninit-value in hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616
+ fill_frame_info net/hsr/hsr_forward.c:601 [inline]
+ hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616
+ hsr_dev_xmit+0x192/0x330 net/hsr/hsr_device.c:223
+ __netdev_start_xmit include/linux/netdevice.h:4889 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4903 [inline]
+ xmit_one net/core/dev.c:3544 [inline]
+ dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3560
+ __dev_queue_xmit+0x34d0/0x52a0 net/core/dev.c:4340
+ dev_queue_xmit include/linux/netdevice.h:3082 [inline]
+ packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
+ packet_snd net/packet/af_packet.c:3087 [inline]
+ packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ sock_sendmsg net/socket.c:753 [inline]
+ __sys_sendto+0x781/0xa30 net/socket.c:2176
+ __do_sys_sendto net/socket.c:2188 [inline]
+ __se_sys_sendto net/socket.c:2184 [inline]
+ __ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184
+ do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
+ __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
+ do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
+ do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
+ entry_SYSENTER_compat_after_hwframe+0x70/0x82
+
+Uninit was created at:
+ slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
+ slab_alloc_node mm/slub.c:3478 [inline]
+ kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
+ kmalloc_reserve+0x148/0x470 net/core/skbuff.c:559
+ __alloc_skb+0x318/0x740 net/core/skbuff.c:644
+ alloc_skb include/linux/skbuff.h:1286 [inline]
+ alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6299
+ sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2794
+ packet_alloc_skb net/packet/af_packet.c:2936 [inline]
+ packet_snd net/packet/af_packet.c:3030 [inline]
+ packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ sock_sendmsg net/socket.c:753 [inline]
+ __sys_sendto+0x781/0xa30 net/socket.c:2176
+ __do_sys_sendto net/socket.c:2188 [inline]
+ __se_sys_sendto net/socket.c:2184 [inline]
+ __ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184
+ do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
+ __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
+ do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
+ do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
+ entry_SYSENTER_compat_after_hwframe+0x70/0x82
+
+It is because VLAN not yet supported in hsr driver. Return error
+when protocol is ETH_P_8021Q in fill_frame_info() now to fix it.
+
+Fixes: 451d8123f897 ("net: prp: add packet handling support")
+Reported-by: syzbot+bf7e6250c7ce248f3ec9@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=bf7e6250c7ce248f3ec9
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_forward.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
+index 35382ed686d1d..12ba43023d30e 100644
+--- a/net/hsr/hsr_forward.c
++++ b/net/hsr/hsr_forward.c
+@@ -552,6 +552,7 @@ static int fill_frame_info(struct hsr_frame_info *frame,
+ proto = vlan_hdr->vlanhdr.h_vlan_encapsulated_proto;
+ /* FIXME: */
+ netdev_warn_once(skb->dev, "VLAN not yet supported");
++ return -EINVAL;
+ }
+
+ frame->is_from_san = false;
+--
+2.40.1
+
--- /dev/null
+From 764b7742f30e45ac833be29b4455a2c991a8d211 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 15:42:13 +0000
+Subject: ipv6: fix ip6_sock_set_addr_preferences() typo
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8cdd9f1aaedf823006449faa4e540026c692ac43 ]
+
+ip6_sock_set_addr_preferences() second argument should be an integer.
+
+SUNRPC attempts to set IPV6_PREFER_SRC_PUBLIC were
+translated to IPV6_PREFER_SRC_TMP
+
+Fixes: 18d5ad623275 ("ipv6: add ip6_sock_set_addr_preferences")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Chuck Lever <chuck.lever@oracle.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20230911154213.713941-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ipv6.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/ipv6.h b/include/net/ipv6.h
+index 20930086b2288..6b3309e55dcb1 100644
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -1258,7 +1258,7 @@ static inline int __ip6_sock_set_addr_preferences(struct sock *sk, int val)
+ return 0;
+ }
+
+-static inline int ip6_sock_set_addr_preferences(struct sock *sk, bool val)
++static inline int ip6_sock_set_addr_preferences(struct sock *sk, int val)
+ {
+ int ret;
+
+--
+2.40.1
+
--- /dev/null
+From 25952b91c793e6e3246ab974110cf3a1293d8cd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 13:28:14 -0700
+Subject: ixgbe: fix timestamp configuration code
+
+From: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+
+[ Upstream commit 3c44191dd76cf9c0cc49adaf34384cbd42ef8ad2 ]
+
+The commit in fixes introduced flags to control the status of hardware
+configuration while processing packets. At the same time another structure
+is used to provide configuration of timestamper to user-space applications.
+The way it was coded makes this structures go out of sync easily. The
+repro is easy for 82599 chips:
+
+[root@hostname ~]# hwstamp_ctl -i eth0 -r 12 -t 1
+current settings:
+tx_type 0
+rx_filter 0
+new settings:
+tx_type 1
+rx_filter 12
+
+The eth0 device is properly configured to timestamp any PTPv2 events.
+
+[root@hostname ~]# hwstamp_ctl -i eth0 -r 1 -t 1
+current settings:
+tx_type 1
+rx_filter 12
+SIOCSHWTSTAMP failed: Numerical result out of range
+The requested time stamping mode is not supported by the hardware.
+
+The error is properly returned because HW doesn't support all packets
+timestamping. But the adapter->flags is cleared of timestamp flags
+even though no HW configuration was done. From that point no RX timestamps
+are received by user-space application. But configuration shows good
+values:
+
+[root@hostname ~]# hwstamp_ctl -i eth0
+current settings:
+tx_type 1
+rx_filter 12
+
+Fix the issue by applying new flags only when the HW was actually
+configured.
+
+Fixes: a9763f3cb54c ("ixgbe: Update PTP to support X550EM_x devices")
+Signed-off-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 28 +++++++++++---------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
+index 29be1d6eca436..affd132534eab 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
+@@ -989,6 +989,7 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ u32 tsync_tx_ctl = IXGBE_TSYNCTXCTL_ENABLED;
+ u32 tsync_rx_ctl = IXGBE_TSYNCRXCTL_ENABLED;
+ u32 tsync_rx_mtrl = PTP_EV_PORT << 16;
++ u32 aflags = adapter->flags;
+ bool is_l2 = false;
+ u32 regval;
+
+@@ -1010,20 +1011,20 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ case HWTSTAMP_FILTER_NONE:
+ tsync_rx_ctl = 0;
+ tsync_rx_mtrl = 0;
+- adapter->flags &= ~(IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
+- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
++ aflags &= ~(IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
++ IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
+ break;
+ case HWTSTAMP_FILTER_PTP_V1_L4_SYNC:
+ tsync_rx_ctl |= IXGBE_TSYNCRXCTL_TYPE_L4_V1;
+ tsync_rx_mtrl |= IXGBE_RXMTRL_V1_SYNC_MSG;
+- adapter->flags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
+- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
++ aflags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
++ IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
+ break;
+ case HWTSTAMP_FILTER_PTP_V1_L4_DELAY_REQ:
+ tsync_rx_ctl |= IXGBE_TSYNCRXCTL_TYPE_L4_V1;
+ tsync_rx_mtrl |= IXGBE_RXMTRL_V1_DELAY_REQ_MSG;
+- adapter->flags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
+- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
++ aflags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
++ IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
+ break;
+ case HWTSTAMP_FILTER_PTP_V2_EVENT:
+ case HWTSTAMP_FILTER_PTP_V2_L2_EVENT:
+@@ -1037,8 +1038,8 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ tsync_rx_ctl |= IXGBE_TSYNCRXCTL_TYPE_EVENT_V2;
+ is_l2 = true;
+ config->rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT;
+- adapter->flags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
+- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
++ aflags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
++ IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
+ break;
+ case HWTSTAMP_FILTER_PTP_V1_L4_EVENT:
+ case HWTSTAMP_FILTER_NTP_ALL:
+@@ -1049,7 +1050,7 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ if (hw->mac.type >= ixgbe_mac_X550) {
+ tsync_rx_ctl |= IXGBE_TSYNCRXCTL_TYPE_ALL;
+ config->rx_filter = HWTSTAMP_FILTER_ALL;
+- adapter->flags |= IXGBE_FLAG_RX_HWTSTAMP_ENABLED;
++ aflags |= IXGBE_FLAG_RX_HWTSTAMP_ENABLED;
+ break;
+ }
+ fallthrough;
+@@ -1060,8 +1061,6 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ * Delay_Req messages and hardware does not support
+ * timestamping all packets => return error
+ */
+- adapter->flags &= ~(IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
+- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
+ config->rx_filter = HWTSTAMP_FILTER_NONE;
+ return -ERANGE;
+ }
+@@ -1093,8 +1092,8 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ IXGBE_TSYNCRXCTL_TYPE_ALL |
+ IXGBE_TSYNCRXCTL_TSIP_UT_EN;
+ config->rx_filter = HWTSTAMP_FILTER_ALL;
+- adapter->flags |= IXGBE_FLAG_RX_HWTSTAMP_ENABLED;
+- adapter->flags &= ~IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER;
++ aflags |= IXGBE_FLAG_RX_HWTSTAMP_ENABLED;
++ aflags &= ~IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER;
+ is_l2 = true;
+ break;
+ default:
+@@ -1127,6 +1126,9 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+
+ IXGBE_WRITE_FLUSH(hw);
+
++ /* configure adapter flags only when HW is actually configured */
++ adapter->flags = aflags;
++
+ /* clear TX/RX time stamp registers, just to be sure */
+ ixgbe_ptp_clear_tx_timestamp(adapter);
+ IXGBE_READ_REG(hw, IXGBE_RXSTMPH);
+--
+2.40.1
+
--- /dev/null
+From 27f56d46b33a2093dd633bbefd2ad1f89495f98e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 19:27:53 -0700
+Subject: kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit a22730b1b4bf437c6bbfdeff5feddf54be4aeada ]
+
+syzkaller found a memory leak in kcm_sendmsg(), and commit c821a88bd720
+("kcm: Fix memory leak in error path of kcm_sendmsg()") suppressed it by
+updating kcm_tx_msg(head)->last_skb if partial data is copied so that the
+following sendmsg() will resume from the skb.
+
+However, we cannot know how many bytes were copied when we get the error.
+Thus, we could mess up the MSG_MORE queue.
+
+When kcm_sendmsg() fails for SOCK_DGRAM, we should purge the queue as we
+do so for UDP by udp_flush_pending_frames().
+
+Even without this change, when the error occurred, the following sendmsg()
+resumed from a wrong skb and the queue was messed up. However, we have
+yet to get such a report, and only syzkaller stumbled on it. So, this
+can be changed safely.
+
+Note this does not change SOCK_SEQPACKET behaviour.
+
+Fixes: c821a88bd720 ("kcm: Fix memory leak in error path of kcm_sendmsg()")
+Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20230912022753.33327-1-kuniyu@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/kcm/kcmsock.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
+index 2d06617e89891..0d1ab4149553c 100644
+--- a/net/kcm/kcmsock.c
++++ b/net/kcm/kcmsock.c
+@@ -1064,17 +1064,18 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+ out_error:
+ kcm_push(kcm);
+
+- if (copied && sock->type == SOCK_SEQPACKET) {
++ if (sock->type == SOCK_SEQPACKET) {
+ /* Wrote some bytes before encountering an
+ * error, return partial success.
+ */
+- goto partial_message;
+- }
+-
+- if (head != kcm->seq_skb)
++ if (copied)
++ goto partial_message;
++ if (head != kcm->seq_skb)
++ kfree_skb(head);
++ } else {
+ kfree_skb(head);
+- else if (copied)
+- kcm_tx_msg(head)->last_skb = skb;
++ kcm->seq_skb = NULL;
++ }
+
+ err = sk_stream_error(sk, msg->msg_flags, err);
+
+--
+2.40.1
+
--- /dev/null
+From 672e7ee8ab689691379a88d1a0360531c796423c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Sep 2023 02:03:10 +0900
+Subject: kcm: Fix memory leak in error path of kcm_sendmsg()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit c821a88bd720b0046433173185fd841a100d44ad ]
+
+syzbot reported a memory leak like below:
+
+BUG: memory leak
+unreferenced object 0xffff88810b088c00 (size 240):
+ comm "syz-executor186", pid 5012, jiffies 4294943306 (age 13.680s)
+ hex dump (first 32 bytes):
+ 00 89 08 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff83e5d5ff>] __alloc_skb+0x1ef/0x230 net/core/skbuff.c:634
+ [<ffffffff84606e59>] alloc_skb include/linux/skbuff.h:1289 [inline]
+ [<ffffffff84606e59>] kcm_sendmsg+0x269/0x1050 net/kcm/kcmsock.c:815
+ [<ffffffff83e479c6>] sock_sendmsg_nosec net/socket.c:725 [inline]
+ [<ffffffff83e479c6>] sock_sendmsg+0x56/0xb0 net/socket.c:748
+ [<ffffffff83e47f55>] ____sys_sendmsg+0x365/0x470 net/socket.c:2494
+ [<ffffffff83e4c389>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2548
+ [<ffffffff83e4c536>] __sys_sendmsg+0xa6/0x120 net/socket.c:2577
+ [<ffffffff84ad7bb8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ [<ffffffff84ad7bb8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
+ [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+In kcm_sendmsg(), kcm_tx_msg(head)->last_skb is used as a cursor to append
+newly allocated skbs to 'head'. If some bytes are copied, an error occurred,
+and jumped to out_error label, 'last_skb' is left unmodified. A later
+kcm_sendmsg() will use an obsoleted 'last_skb' reference, corrupting the
+'head' frag_list and causing the leak.
+
+This patch fixes this issue by properly updating the last allocated skb in
+'last_skb'.
+
+Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
+Reported-and-tested-by: syzbot+6f98de741f7dbbfc4ccb@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=6f98de741f7dbbfc4ccb
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/kcm/kcmsock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
+index 43005bba2d407..2d06617e89891 100644
+--- a/net/kcm/kcmsock.c
++++ b/net/kcm/kcmsock.c
+@@ -1073,6 +1073,8 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+
+ if (head != kcm->seq_skb)
+ kfree_skb(head);
++ else if (copied)
++ kcm_tx_msg(head)->last_skb = skb;
+
+ err = sk_stream_error(sk, msg->msg_flags, err);
+
+--
+2.40.1
+
--- /dev/null
+From 7bc0b039ee9aa7ce7e13972975ab7de9b39f4081 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jul 2023 13:53:17 +0200
+Subject: kselftest/runner.sh: Propagate SIGTERM to runner child
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Björn Töpel <bjorn@rivosinc.com>
+
+[ Upstream commit 9616cb34b08ec86642b162eae75c5a7ca8debe3c ]
+
+Timeouts in kselftest are done using the "timeout" command with the
+"--foreground" option. Without the "foreground" option, it is not
+possible for a user to cancel the runner using SIGINT, because the
+signal is not propagated to timeout which is running in a different
+process group. The "forground" options places the timeout in the same
+process group as its parent, but only sends the SIGTERM (on timeout)
+signal to the forked process. Unfortunately, this does not play nice
+with all kselftests, e.g. "net:fcnal-test.sh", where the child
+processes will linger because timeout does not send SIGTERM to the
+group.
+
+Some users have noted these hangs [1].
+
+Fix this by nesting the timeout with an additional timeout without the
+foreground option.
+
+Link: https://lore.kernel.org/all/7650b2eb-0aee-a2b0-2e64-c9bc63210f67@alu.unizg.hr/ # [1]
+Fixes: 651e0d881461 ("kselftest/runner: allow to properly deliver signals to tests")
+Signed-off-by: Björn Töpel <bjorn@rivosinc.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kselftest/runner.sh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/kselftest/runner.sh b/tools/testing/selftests/kselftest/runner.sh
+index a9ba782d8ca0f..83616f0779a7e 100644
+--- a/tools/testing/selftests/kselftest/runner.sh
++++ b/tools/testing/selftests/kselftest/runner.sh
+@@ -33,7 +33,8 @@ tap_timeout()
+ {
+ # Make sure tests will time out if utility is available.
+ if [ -x /usr/bin/timeout ] ; then
+- /usr/bin/timeout --foreground "$kselftest_timeout" $1
++ /usr/bin/timeout --foreground "$kselftest_timeout" \
++ /usr/bin/timeout "$kselftest_timeout" $1
+ else
+ $1
+ fi
+--
+2.40.1
+
--- /dev/null
+From cec96e16f461e51e8741c1ecea90b2f06e2bf6aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 16:33:48 +0300
+Subject: net: dsa: sja1105: hide all multicast addresses from "bridge fdb
+ show"
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 02c652f5465011126152bbd93b6a582a1d0c32f1 ]
+
+Commit 4d9423549501 ("net: dsa: sja1105: offload bridge port flags to
+device") has partially hidden some multicast entries from showing up in
+the "bridge fdb show" output, but it wasn't enough. Addresses which are
+added through "bridge mdb add" still show up. Hide them all.
+
+Fixes: 291d1e72b756 ("net: dsa: sja1105: Add support for FDB and MDB management")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index d5600d0d6ef10..493192a8000c8 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -1794,13 +1794,14 @@ static int sja1105_fdb_dump(struct dsa_switch *ds, int port,
+ if (!(l2_lookup.destports & BIT(port)))
+ continue;
+
+- /* We need to hide the FDB entry for unknown multicast */
+- if (l2_lookup.macaddr == SJA1105_UNKNOWN_MULTICAST &&
+- l2_lookup.mask_macaddr == SJA1105_UNKNOWN_MULTICAST)
+- continue;
+-
+ u64_to_ether_addr(l2_lookup.macaddr, macaddr);
+
++ /* Hardware FDB is shared for fdb and mdb, "bridge fdb show"
++ * only wants to see unicast
++ */
++ if (is_multicast_ether_addr(macaddr))
++ continue;
++
+ /* We need to hide the dsa_8021q VLANs from the user. */
+ if (!priv->vlan_aware)
+ l2_lookup.vlanid = 0;
+--
+2.40.1
+
--- /dev/null
+From 1323120b5cb6eba9f605beb2452315d636bbf4be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 14:19:50 +0800
+Subject: net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in
+ mtk_hwlro_get_fdir_all()
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+[ Upstream commit e4c79810755f66c9a933ca810da2724133b1165a ]
+
+rule_locs is allocated in ethtool_get_rxnfc and the size is determined by
+rule_cnt from user space. So rule_cnt needs to be check before using
+rule_locs to avoid NULL pointer dereference.
+
+Fixes: 7aab747e5563 ("net: ethernet: mediatek: add ethtool functions to configure RX flows of HW LRO")
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 50ee9d3d4c841..139dfdb1e58bd 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -2038,6 +2038,9 @@ static int mtk_hwlro_get_fdir_all(struct net_device *dev,
+ int i;
+
+ for (i = 0; i < MTK_MAX_LRO_IP_CNT; i++) {
++ if (cnt == cmd->rule_cnt)
++ return -EMSGSIZE;
++
+ if (mac->hwlro_ip[i]) {
+ rule_locs[cnt] = i;
+ cnt++;
+--
+2.40.1
+
--- /dev/null
+From 480347b7361a4fea7921cfd8509c4ac038164278 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 14:19:49 +0800
+Subject: net: ethernet: mvpp2_main: fix possible OOB write in
+ mvpp2_ethtool_get_rxnfc()
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+[ Upstream commit 51fe0a470543f345e3c62b6798929de3ddcedc1d ]
+
+rules is allocated in ethtool_get_rxnfc and the size is determined by
+rule_cnt from user space. So rule_cnt needs to be check before using
+rules to avoid OOB writing or NULL pointer dereference.
+
+Fixes: 90b509b39ac9 ("net: mvpp2: cls: Add Classification offload support")
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Reviewed-by: Marcin Wojtas <mw@semihalf.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index ddd4ed34b0f20..31b3ede563c04 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -5572,6 +5572,11 @@ static int mvpp2_ethtool_get_rxnfc(struct net_device *dev,
+ break;
+ case ETHTOOL_GRXCLSRLALL:
+ for (i = 0; i < MVPP2_N_RFS_ENTRIES_PER_FLOW; i++) {
++ if (loc == info->rule_cnt) {
++ ret = -EMSGSIZE;
++ break;
++ }
++
+ if (port->rfs_rules[i])
+ rules[loc++] = i;
+ }
+--
+2.40.1
+
--- /dev/null
+From ae02352800cb4b7cf2be370c6e063911c6b89b58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Sep 2023 10:57:09 +0800
+Subject: net: ipv4: fix one memleak in __inet_del_ifa()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit ac28b1ec6135649b5d78b028e47264cb3ebca5ea ]
+
+I got the below warning when do fuzzing test:
+unregister_netdevice: waiting for bond0 to become free. Usage count = 2
+
+It can be repoduced via:
+
+ip link add bond0 type bond
+sysctl -w net.ipv4.conf.bond0.promote_secondaries=1
+ip addr add 4.117.174.103/0 scope 0x40 dev bond0
+ip addr add 192.168.100.111/255.255.255.254 scope 0 dev bond0
+ip addr add 0.0.0.4/0 scope 0x40 secondary dev bond0
+ip addr del 4.117.174.103/0 scope 0x40 dev bond0
+ip link delete bond0 type bond
+
+In this reproduction test case, an incorrect 'last_prim' is found in
+__inet_del_ifa(), as a result, the secondary address(0.0.0.4/0 scope 0x40)
+is lost. The memory of the secondary address is leaked and the reference of
+in_device and net_device is leaked.
+
+Fix this problem:
+Look for 'last_prim' starting at location of the deleted IP and inserting
+the promoted IP into the location of 'last_prim'.
+
+Fixes: 0ff60a45678e ("[IPV4]: Fix secondary IP addresses after promotion")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/devinet.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index 9ac41ffdc6344..c511751c2f41a 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -351,14 +351,14 @@ static void __inet_del_ifa(struct in_device *in_dev,
+ {
+ struct in_ifaddr *promote = NULL;
+ struct in_ifaddr *ifa, *ifa1;
+- struct in_ifaddr *last_prim;
++ struct in_ifaddr __rcu **last_prim;
+ struct in_ifaddr *prev_prom = NULL;
+ int do_promote = IN_DEV_PROMOTE_SECONDARIES(in_dev);
+
+ ASSERT_RTNL();
+
+ ifa1 = rtnl_dereference(*ifap);
+- last_prim = rtnl_dereference(in_dev->ifa_list);
++ last_prim = ifap;
+ if (in_dev->dead)
+ goto no_promotions;
+
+@@ -372,7 +372,7 @@ static void __inet_del_ifa(struct in_device *in_dev,
+ while ((ifa = rtnl_dereference(*ifap1)) != NULL) {
+ if (!(ifa->ifa_flags & IFA_F_SECONDARY) &&
+ ifa1->ifa_scope <= ifa->ifa_scope)
+- last_prim = ifa;
++ last_prim = &ifa->ifa_next;
+
+ if (!(ifa->ifa_flags & IFA_F_SECONDARY) ||
+ ifa1->ifa_mask != ifa->ifa_mask ||
+@@ -436,9 +436,9 @@ static void __inet_del_ifa(struct in_device *in_dev,
+
+ rcu_assign_pointer(prev_prom->ifa_next, next_sec);
+
+- last_sec = rtnl_dereference(last_prim->ifa_next);
++ last_sec = rtnl_dereference(*last_prim);
+ rcu_assign_pointer(promote->ifa_next, last_sec);
+- rcu_assign_pointer(last_prim->ifa_next, promote);
++ rcu_assign_pointer(*last_prim, promote);
+ }
+
+ promote->ifa_flags &= ~IFA_F_SECONDARY;
+--
+2.40.1
+
--- /dev/null
+From 3e4ed8a8a9730219a574d61c340ebed5fbb39d8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 11:31:43 +0800
+Subject: net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate
+ in smcr_port_add
+
+From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+
+[ Upstream commit f5146e3ef0a9eea405874b36178c19a4863b8989 ]
+
+While doing smcr_port_add, there maybe linkgroup add into or delete
+from smc_lgr_list.list at the same time, which may result kernel crash.
+So, use smc_lgr_list.lock to protect smc_lgr_list.list iterate in
+smcr_port_add.
+
+The crash calltrace show below:
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+PGD 0 P4D 0
+Oops: 0000 [#1] SMP NOPTI
+CPU: 0 PID: 559726 Comm: kworker/0:92 Kdump: loaded Tainted: G
+Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 449e491 04/01/2014
+Workqueue: events smc_ib_port_event_work [smc]
+RIP: 0010:smcr_port_add+0xa6/0xf0 [smc]
+RSP: 0000:ffffa5a2c8f67de0 EFLAGS: 00010297
+RAX: 0000000000000001 RBX: ffff9935e0650000 RCX: 0000000000000000
+RDX: 0000000000000010 RSI: ffff9935e0654290 RDI: ffff9935c8560000
+RBP: 0000000000000000 R08: 0000000000000000 R09: ffff9934c0401918
+R10: 0000000000000000 R11: ffffffffb4a5c278 R12: ffff99364029aae4
+R13: ffff99364029aa00 R14: 00000000ffffffed R15: ffff99364029ab08
+FS: 0000000000000000(0000) GS:ffff994380600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000000 CR3: 0000000f06a10003 CR4: 0000000002770ef0
+PKRU: 55555554
+Call Trace:
+ smc_ib_port_event_work+0x18f/0x380 [smc]
+ process_one_work+0x19b/0x340
+ worker_thread+0x30/0x370
+ ? process_one_work+0x340/0x340
+ kthread+0x114/0x130
+ ? __kthread_cancel_work+0x50/0x50
+ ret_from_fork+0x1f/0x30
+
+Fixes: 1f90a05d9ff9 ("net/smc: add smcr_port_add() and smcr_link_up() processing")
+Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
+index f08fcc50fad3c..b84896acd4732 100644
+--- a/net/smc/smc_core.c
++++ b/net/smc/smc_core.c
+@@ -1486,6 +1486,7 @@ void smcr_port_add(struct smc_ib_device *smcibdev, u8 ibport)
+ {
+ struct smc_link_group *lgr, *n;
+
++ spin_lock_bh(&smc_lgr_list.lock);
+ list_for_each_entry_safe(lgr, n, &smc_lgr_list.list, list) {
+ struct smc_link *link;
+
+@@ -1500,6 +1501,7 @@ void smcr_port_add(struct smc_ib_device *smcibdev, u8 ibport)
+ if (link)
+ smc_llc_add_link_local(link);
+ }
++ spin_unlock_bh(&smc_lgr_list.lock);
+ }
+
+ /* link is down - switch connections to alternate link,
+--
+2.40.1
+
--- /dev/null
+From 66d03a0771959b7b6d7968e8ffd65ae6b0dfb8c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Sep 2023 16:14:34 +0800
+Subject: net/tls: do not free tls_rec on async operation in
+ bpf_exec_tx_verdict()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit cfaa80c91f6f99b9342b6557f0f0e1143e434066 ]
+
+I got the below warning when do fuzzing test:
+BUG: KASAN: null-ptr-deref in scatterwalk_copychunks+0x320/0x470
+Read of size 4 at addr 0000000000000008 by task kworker/u8:1/9
+
+CPU: 0 PID: 9 Comm: kworker/u8:1 Tainted: G OE
+Hardware name: linux,dummy-virt (DT)
+Workqueue: pencrypt_parallel padata_parallel_worker
+Call trace:
+ dump_backtrace+0x0/0x420
+ show_stack+0x34/0x44
+ dump_stack+0x1d0/0x248
+ __kasan_report+0x138/0x140
+ kasan_report+0x44/0x6c
+ __asan_load4+0x94/0xd0
+ scatterwalk_copychunks+0x320/0x470
+ skcipher_next_slow+0x14c/0x290
+ skcipher_walk_next+0x2fc/0x480
+ skcipher_walk_first+0x9c/0x110
+ skcipher_walk_aead_common+0x380/0x440
+ skcipher_walk_aead_encrypt+0x54/0x70
+ ccm_encrypt+0x13c/0x4d0
+ crypto_aead_encrypt+0x7c/0xfc
+ pcrypt_aead_enc+0x28/0x84
+ padata_parallel_worker+0xd0/0x2dc
+ process_one_work+0x49c/0xbdc
+ worker_thread+0x124/0x880
+ kthread+0x210/0x260
+ ret_from_fork+0x10/0x18
+
+This is because the value of rec_seq of tls_crypto_info configured by the
+user program is too large, for example, 0xffffffffffffff. In addition, TLS
+is asynchronously accelerated. When tls_do_encryption() returns
+-EINPROGRESS and sk->sk_err is set to EBADMSG due to rec_seq overflow,
+skmsg is released before the asynchronous encryption process ends. As a
+result, the UAF problem occurs during the asynchronous processing of the
+encryption module.
+
+If the operation is asynchronous and the encryption module returns
+EINPROGRESS, do not free the record information.
+
+Fixes: 635d93981786 ("net/tls: free record only on encryption error")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/20230909081434.2324940-1-liujian56@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index bc897ff56e789..101d231c1b610 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -809,7 +809,7 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
+ psock = sk_psock_get(sk);
+ if (!psock || !policy) {
+ err = tls_push_record(sk, flags, record_type);
+- if (err && sk->sk_err == EBADMSG) {
++ if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) {
+ *copied -= sk_msg_free(sk, msg);
+ tls_free_open_rec(sk);
+ err = -sk->sk_err;
+@@ -838,7 +838,7 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
+ switch (psock->eval) {
+ case __SK_PASS:
+ err = tls_push_record(sk, flags, record_type);
+- if (err && sk->sk_err == EBADMSG) {
++ if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) {
+ *copied -= sk_msg_free(sk, msg);
+ tls_free_open_rec(sk);
+ err = -sk->sk_err;
+--
+2.40.1
+
--- /dev/null
+From 2ce25bc5d358cbaaea6ea11f5db7f3a7cdc14ba6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 15:01:04 -0700
+Subject: pcd: cleanup initialization
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit af761f277b7fd896c27cb1100b25f11567987822 ]
+
+Refactor the pcd initialization to have a dedicated helper to initialize
+a single disk.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 1a721de8489f ("block: don't add or resize partition on the disk with GENHD_FL_NO_PART")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/paride/pcd.c | 286 ++++++++++++++++---------------------
+ 1 file changed, 127 insertions(+), 159 deletions(-)
+
+diff --git a/drivers/block/paride/pcd.c b/drivers/block/paride/pcd.c
+index 8903fdaa20466..93ed636262328 100644
+--- a/drivers/block/paride/pcd.c
++++ b/drivers/block/paride/pcd.c
+@@ -183,8 +183,6 @@ static int pcd_audio_ioctl(struct cdrom_device_info *cdi,
+ static int pcd_packet(struct cdrom_device_info *cdi,
+ struct packet_command *cgc);
+
+-static int pcd_detect(void);
+-static void pcd_probe_capabilities(void);
+ static void do_pcd_read_drq(void);
+ static blk_status_t pcd_queue_rq(struct blk_mq_hw_ctx *hctx,
+ const struct blk_mq_queue_data *bd);
+@@ -302,53 +300,6 @@ static const struct blk_mq_ops pcd_mq_ops = {
+ .queue_rq = pcd_queue_rq,
+ };
+
+-static void pcd_init_units(void)
+-{
+- struct pcd_unit *cd;
+- int unit;
+-
+- pcd_drive_count = 0;
+- for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) {
+- struct gendisk *disk;
+-
+- if (blk_mq_alloc_sq_tag_set(&cd->tag_set, &pcd_mq_ops, 1,
+- BLK_MQ_F_SHOULD_MERGE))
+- continue;
+-
+- disk = blk_mq_alloc_disk(&cd->tag_set, cd);
+- if (IS_ERR(disk)) {
+- blk_mq_free_tag_set(&cd->tag_set);
+- continue;
+- }
+-
+- INIT_LIST_HEAD(&cd->rq_list);
+- blk_queue_bounce_limit(disk->queue, BLK_BOUNCE_HIGH);
+- cd->disk = disk;
+- cd->pi = &cd->pia;
+- cd->present = 0;
+- cd->last_sense = 0;
+- cd->changed = 1;
+- cd->drive = (*drives[unit])[D_SLV];
+- if ((*drives[unit])[D_PRT])
+- pcd_drive_count++;
+-
+- cd->name = &cd->info.name[0];
+- snprintf(cd->name, sizeof(cd->info.name), "%s%d", name, unit);
+- cd->info.ops = &pcd_dops;
+- cd->info.handle = cd;
+- cd->info.speed = 0;
+- cd->info.capacity = 1;
+- cd->info.mask = 0;
+- disk->major = major;
+- disk->first_minor = unit;
+- disk->minors = 1;
+- strcpy(disk->disk_name, cd->name); /* umm... */
+- disk->fops = &pcd_bdops;
+- disk->flags = GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE;
+- disk->events = DISK_EVENT_MEDIA_CHANGE;
+- }
+-}
+-
+ static int pcd_open(struct cdrom_device_info *cdi, int purpose)
+ {
+ struct pcd_unit *cd = cdi->handle;
+@@ -679,90 +630,31 @@ static int pcd_probe(struct pcd_unit *cd, int ms)
+ return -1;
+ }
+
+-static void pcd_probe_capabilities(void)
++static int pcd_probe_capabilities(struct pcd_unit *cd)
+ {
+- int unit, r;
+- char buffer[32];
+ char cmd[12] = { 0x5a, 1 << 3, 0x2a, 0, 0, 0, 0, 18, 0, 0, 0, 0 };
+- struct pcd_unit *cd;
+-
+- for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) {
+- if (!cd->present)
+- continue;
+- r = pcd_atapi(cd, cmd, 18, buffer, "mode sense capabilities");
+- if (r)
+- continue;
+- /* we should now have the cap page */
+- if ((buffer[11] & 1) == 0)
+- cd->info.mask |= CDC_CD_R;
+- if ((buffer[11] & 2) == 0)
+- cd->info.mask |= CDC_CD_RW;
+- if ((buffer[12] & 1) == 0)
+- cd->info.mask |= CDC_PLAY_AUDIO;
+- if ((buffer[14] & 1) == 0)
+- cd->info.mask |= CDC_LOCK;
+- if ((buffer[14] & 8) == 0)
+- cd->info.mask |= CDC_OPEN_TRAY;
+- if ((buffer[14] >> 6) == 0)
+- cd->info.mask |= CDC_CLOSE_TRAY;
+- }
+-}
+-
+-static int pcd_detect(void)
+-{
+- int k, unit;
+- struct pcd_unit *cd;
+-
+- printk("%s: %s version %s, major %d, nice %d\n",
+- name, name, PCD_VERSION, major, nice);
++ char buffer[32];
++ int ret;
+
+- par_drv = pi_register_driver(name);
+- if (!par_drv) {
+- pr_err("failed to register %s driver\n", name);
+- return -1;
+- }
++ ret = pcd_atapi(cd, cmd, 18, buffer, "mode sense capabilities");
++ if (ret)
++ return ret;
++
++ /* we should now have the cap page */
++ if ((buffer[11] & 1) == 0)
++ cd->info.mask |= CDC_CD_R;
++ if ((buffer[11] & 2) == 0)
++ cd->info.mask |= CDC_CD_RW;
++ if ((buffer[12] & 1) == 0)
++ cd->info.mask |= CDC_PLAY_AUDIO;
++ if ((buffer[14] & 1) == 0)
++ cd->info.mask |= CDC_LOCK;
++ if ((buffer[14] & 8) == 0)
++ cd->info.mask |= CDC_OPEN_TRAY;
++ if ((buffer[14] >> 6) == 0)
++ cd->info.mask |= CDC_CLOSE_TRAY;
+
+- k = 0;
+- if (pcd_drive_count == 0) { /* nothing spec'd - so autoprobe for 1 */
+- cd = pcd;
+- if (cd->disk && pi_init(cd->pi, 1, -1, -1, -1, -1, -1,
+- pcd_buffer, PI_PCD, verbose, cd->name)) {
+- if (!pcd_probe(cd, -1)) {
+- cd->present = 1;
+- k++;
+- } else
+- pi_release(cd->pi);
+- }
+- } else {
+- for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) {
+- int *conf = *drives[unit];
+- if (!conf[D_PRT])
+- continue;
+- if (!cd->disk)
+- continue;
+- if (!pi_init(cd->pi, 0, conf[D_PRT], conf[D_MOD],
+- conf[D_UNI], conf[D_PRO], conf[D_DLY],
+- pcd_buffer, PI_PCD, verbose, cd->name))
+- continue;
+- if (!pcd_probe(cd, conf[D_SLV])) {
+- cd->present = 1;
+- k++;
+- } else
+- pi_release(cd->pi);
+- }
+- }
+- if (k)
+- return 0;
+-
+- printk("%s: No CD-ROM drive found\n", name);
+- for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) {
+- if (!cd->disk)
+- continue;
+- blk_cleanup_disk(cd->disk);
+- blk_mq_free_tag_set(&cd->tag_set);
+- }
+- pi_unregister_driver(par_drv);
+- return -1;
++ return 0;
+ }
+
+ /* I/O request processing */
+@@ -999,43 +891,121 @@ static int pcd_get_mcn(struct cdrom_device_info *cdi, struct cdrom_mcn *mcn)
+ return 0;
+ }
+
++static int pcd_init_unit(struct pcd_unit *cd, bool autoprobe, int port,
++ int mode, int unit, int protocol, int delay, int ms)
++{
++ struct gendisk *disk;
++ int ret;
++
++ ret = blk_mq_alloc_sq_tag_set(&cd->tag_set, &pcd_mq_ops, 1,
++ BLK_MQ_F_SHOULD_MERGE);
++ if (ret)
++ return ret;
++
++ disk = blk_mq_alloc_disk(&cd->tag_set, cd);
++ if (IS_ERR(disk)) {
++ ret = PTR_ERR(disk);
++ goto out_free_tag_set;
++ }
++
++ INIT_LIST_HEAD(&cd->rq_list);
++ blk_queue_bounce_limit(disk->queue, BLK_BOUNCE_HIGH);
++ cd->disk = disk;
++ cd->pi = &cd->pia;
++ cd->present = 0;
++ cd->last_sense = 0;
++ cd->changed = 1;
++ cd->drive = (*drives[cd - pcd])[D_SLV];
++
++ cd->name = &cd->info.name[0];
++ snprintf(cd->name, sizeof(cd->info.name), "%s%d", name, unit);
++ cd->info.ops = &pcd_dops;
++ cd->info.handle = cd;
++ cd->info.speed = 0;
++ cd->info.capacity = 1;
++ cd->info.mask = 0;
++ disk->major = major;
++ disk->first_minor = unit;
++ disk->minors = 1;
++ strcpy(disk->disk_name, cd->name); /* umm... */
++ disk->fops = &pcd_bdops;
++ disk->flags = GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE;
++ disk->events = DISK_EVENT_MEDIA_CHANGE;
++
++ if (!pi_init(cd->pi, autoprobe, port, mode, unit, protocol, delay,
++ pcd_buffer, PI_PCD, verbose, cd->name))
++ goto out_free_disk;
++ if (pcd_probe(cd, ms))
++ goto out_pi_release;
++
++ cd->present = 1;
++ pcd_probe_capabilities(cd);
++ register_cdrom(cd->disk, &cd->info);
++ add_disk(cd->disk);
++ return 0;
++
++out_pi_release:
++ pi_release(cd->pi);
++out_free_disk:
++ blk_cleanup_disk(cd->disk);
++out_free_tag_set:
++ blk_mq_free_tag_set(&cd->tag_set);
++ return ret;
++}
++
+ static int __init pcd_init(void)
+ {
+- struct pcd_unit *cd;
+- int unit;
++ int found = 0, unit;
+
+ if (disable)
+ return -EINVAL;
+
+- pcd_init_units();
++ if (register_blkdev(major, name))
++ return -EBUSY;
+
+- if (pcd_detect())
+- return -ENODEV;
++ pr_info("%s: %s version %s, major %d, nice %d\n",
++ name, name, PCD_VERSION, major, nice);
+
+- /* get the atapi capabilities page */
+- pcd_probe_capabilities();
++ par_drv = pi_register_driver(name);
++ if (!par_drv) {
++ pr_err("failed to register %s driver\n", name);
++ goto out_unregister_blkdev;
++ }
+
+- if (register_blkdev(major, name)) {
+- for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) {
+- if (!cd->disk)
+- continue;
++ for (unit = 0; unit < PCD_UNITS; unit++) {
++ if ((*drives[unit])[D_PRT])
++ pcd_drive_count++;
++ }
+
+- blk_cleanup_queue(cd->disk->queue);
+- blk_mq_free_tag_set(&cd->tag_set);
+- put_disk(cd->disk);
++ if (pcd_drive_count == 0) { /* nothing spec'd - so autoprobe for 1 */
++ if (!pcd_init_unit(pcd, 1, -1, -1, -1, -1, -1, -1))
++ found++;
++ } else {
++ for (unit = 0; unit < PCD_UNITS; unit++) {
++ struct pcd_unit *cd = &pcd[unit];
++ int *conf = *drives[unit];
++
++ if (!conf[D_PRT])
++ continue;
++ if (!pcd_init_unit(cd, 0, conf[D_PRT], conf[D_MOD],
++ conf[D_UNI], conf[D_PRO], conf[D_DLY],
++ conf[D_SLV]))
++ found++;
+ }
+- return -EBUSY;
+ }
+
+- for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) {
+- if (cd->present) {
+- register_cdrom(cd->disk, &cd->info);
+- cd->disk->private_data = cd;
+- add_disk(cd->disk);
+- }
++ if (!found) {
++ pr_info("%s: No CD-ROM drive found\n", name);
++ goto out_unregister_pi_driver;
+ }
+
+ return 0;
++
++out_unregister_pi_driver:
++ pi_unregister_driver(par_drv);
++out_unregister_blkdev:
++ unregister_blkdev(major, name);
++ return -ENODEV;
+ }
+
+ static void __exit pcd_exit(void)
+@@ -1044,20 +1014,18 @@ static void __exit pcd_exit(void)
+ int unit;
+
+ for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) {
+- if (!cd->disk)
++ if (!cd->present)
+ continue;
+
+- if (cd->present) {
+- del_gendisk(cd->disk);
+- pi_release(cd->pi);
+- unregister_cdrom(&cd->info);
+- }
+- blk_cleanup_queue(cd->disk->queue);
++ del_gendisk(cd->disk);
++ pi_release(cd->pi);
++ unregister_cdrom(&cd->info);
++ blk_cleanup_disk(cd->disk);
++
+ blk_mq_free_tag_set(&cd->tag_set);
+- put_disk(cd->disk);
+ }
+- unregister_blkdev(major, name);
+ pi_unregister_driver(par_drv);
++ unregister_blkdev(major, name);
+ }
+
+ MODULE_LICENSE("GPL");
+--
+2.40.1
+
--- /dev/null
+From e40883f94039856babcaec4cc3f7c4060ae0c958 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 15:01:03 -0700
+Subject: pcd: move the identify buffer into pcd_identify
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 7d8b72aaddd3ec5f350d3e9988d6735a7b9b18e9 ]
+
+No need to pass it through a bunch of functions.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 1a721de8489f ("block: don't add or resize partition on the disk with GENHD_FL_NO_PART")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/paride/pcd.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/block/paride/pcd.c b/drivers/block/paride/pcd.c
+index f9cdd11f02f58..8903fdaa20466 100644
+--- a/drivers/block/paride/pcd.c
++++ b/drivers/block/paride/pcd.c
+@@ -630,10 +630,11 @@ static int pcd_drive_status(struct cdrom_device_info *cdi, int slot_nr)
+ return CDS_DISC_OK;
+ }
+
+-static int pcd_identify(struct pcd_unit *cd, char *id)
++static int pcd_identify(struct pcd_unit *cd)
+ {
+- int k, s;
+ char id_cmd[12] = { 0x12, 0, 0, 0, 36, 0, 0, 0, 0, 0, 0, 0 };
++ char id[18];
++ int k, s;
+
+ pcd_bufblk = -1;
+
+@@ -664,15 +665,15 @@ static int pcd_identify(struct pcd_unit *cd, char *id)
+ * returns 0, with id set if drive is detected
+ * -1, if drive detection failed
+ */
+-static int pcd_probe(struct pcd_unit *cd, int ms, char *id)
++static int pcd_probe(struct pcd_unit *cd, int ms)
+ {
+ if (ms == -1) {
+ for (cd->drive = 0; cd->drive <= 1; cd->drive++)
+- if (!pcd_reset(cd) && !pcd_identify(cd, id))
++ if (!pcd_reset(cd) && !pcd_identify(cd))
+ return 0;
+ } else {
+ cd->drive = ms;
+- if (!pcd_reset(cd) && !pcd_identify(cd, id))
++ if (!pcd_reset(cd) && !pcd_identify(cd))
+ return 0;
+ }
+ return -1;
+@@ -709,7 +710,6 @@ static void pcd_probe_capabilities(void)
+
+ static int pcd_detect(void)
+ {
+- char id[18];
+ int k, unit;
+ struct pcd_unit *cd;
+
+@@ -727,7 +727,7 @@ static int pcd_detect(void)
+ cd = pcd;
+ if (cd->disk && pi_init(cd->pi, 1, -1, -1, -1, -1, -1,
+ pcd_buffer, PI_PCD, verbose, cd->name)) {
+- if (!pcd_probe(cd, -1, id)) {
++ if (!pcd_probe(cd, -1)) {
+ cd->present = 1;
+ k++;
+ } else
+@@ -744,7 +744,7 @@ static int pcd_detect(void)
+ conf[D_UNI], conf[D_PRO], conf[D_DLY],
+ pcd_buffer, PI_PCD, verbose, cd->name))
+ continue;
+- if (!pcd_probe(cd, conf[D_SLV], id)) {
++ if (!pcd_probe(cd, conf[D_SLV])) {
+ cd->present = 1;
+ k++;
+ } else
+--
+2.40.1
+
--- /dev/null
+From 8fc1f17cfaf5b5a2768089a1457c8712aab6b4d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 08:49:32 -0400
+Subject: platform/mellanox: mlxbf-pmc: Fix potential buffer overflows
+
+From: Shravan Kumar Ramani <shravankr@nvidia.com>
+
+[ Upstream commit 80ccd40568bcd3655b0fd0be1e9b3379fd6e1056 ]
+
+Replace sprintf with sysfs_emit where possible.
+Size check in mlxbf_pmc_event_list_show should account for "\0".
+
+Fixes: 1a218d312e65 ("platform/mellanox: mlxbf-pmc: Add Mellanox BlueField PMC driver")
+Signed-off-by: Shravan Kumar Ramani <shravankr@nvidia.com>
+Reviewed-by: Vadim Pasternak <vadimp@nvidia.com>
+Reviewed-by: David Thompson <davthompson@nvidia.com>
+Link: https://lore.kernel.org/r/bef39ef32319a31b32f999065911f61b0d3b17c3.1693917738.git.shravankr@nvidia.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-pmc.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-pmc.c b/drivers/platform/mellanox/mlxbf-pmc.c
+index be967d797c28e..95afcae7b9fa9 100644
+--- a/drivers/platform/mellanox/mlxbf-pmc.c
++++ b/drivers/platform/mellanox/mlxbf-pmc.c
+@@ -1008,7 +1008,7 @@ static ssize_t mlxbf_pmc_counter_show(struct device *dev,
+ } else
+ return -EINVAL;
+
+- return sprintf(buf, "0x%llx\n", value);
++ return sysfs_emit(buf, "0x%llx\n", value);
+ }
+
+ /* Store function for "counter" sysfs files */
+@@ -1078,13 +1078,13 @@ static ssize_t mlxbf_pmc_event_show(struct device *dev,
+
+ err = mlxbf_pmc_read_event(blk_num, cnt_num, is_l3, &evt_num);
+ if (err)
+- return sprintf(buf, "No event being monitored\n");
++ return sysfs_emit(buf, "No event being monitored\n");
+
+ evt_name = mlxbf_pmc_get_event_name(pmc->block_name[blk_num], evt_num);
+ if (!evt_name)
+ return -EINVAL;
+
+- return sprintf(buf, "0x%llx: %s\n", evt_num, evt_name);
++ return sysfs_emit(buf, "0x%llx: %s\n", evt_num, evt_name);
+ }
+
+ /* Store function for "event" sysfs files */
+@@ -1139,9 +1139,9 @@ static ssize_t mlxbf_pmc_event_list_show(struct device *dev,
+ return -EINVAL;
+
+ for (i = 0, buf[0] = '\0'; i < size; ++i) {
+- len += sprintf(e_info, "0x%x: %s\n", events[i].evt_num,
+- events[i].evt_name);
+- if (len > PAGE_SIZE)
++ len += snprintf(e_info, sizeof(e_info), "0x%x: %s\n",
++ events[i].evt_num, events[i].evt_name);
++ if (len >= PAGE_SIZE)
+ break;
+ strcat(buf, e_info);
+ ret = len;
+@@ -1168,7 +1168,7 @@ static ssize_t mlxbf_pmc_enable_show(struct device *dev,
+
+ value = FIELD_GET(MLXBF_PMC_L3C_PERF_CNT_CFG_EN, perfcnt_cfg);
+
+- return sprintf(buf, "%d\n", value);
++ return sysfs_emit(buf, "%d\n", value);
+ }
+
+ /* Store function for "enable" sysfs files - only for l3cache */
+--
+2.40.1
+
--- /dev/null
+From 0e575a50ba94aafea84558ac307d6a84ec6d7168 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 08:49:33 -0400
+Subject: platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events
+
+From: Shravan Kumar Ramani <shravankr@nvidia.com>
+
+[ Upstream commit 0f5969452e162efc50bdc98968fb62b424a9874b ]
+
+This fix involves 2 changes:
+ - All event regs have a reset value of 0, which is not a valid
+ event_number as per the event_list for most blocks and hence seen
+ as an error. Add a "disable" event with event_number 0 for all blocks.
+
+ - The enable bit for each counter need not be checked before
+ reading the event info, and hence removed.
+
+Fixes: 1a218d312e65 ("platform/mellanox: mlxbf-pmc: Add Mellanox BlueField PMC driver")
+Signed-off-by: Shravan Kumar Ramani <shravankr@nvidia.com>
+Reviewed-by: Vadim Pasternak <vadimp@nvidia.com>
+Reviewed-by: David Thompson <davthompson@nvidia.com>
+Link: https://lore.kernel.org/r/04d0213932d32681de1c716b54320ed894e52425.1693917738.git.shravankr@nvidia.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-pmc.c | 27 +++++++--------------------
+ 1 file changed, 7 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-pmc.c b/drivers/platform/mellanox/mlxbf-pmc.c
+index 95afcae7b9fa9..2d4bbe99959ef 100644
+--- a/drivers/platform/mellanox/mlxbf-pmc.c
++++ b/drivers/platform/mellanox/mlxbf-pmc.c
+@@ -191,6 +191,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_smgen_events[] = {
+ };
+
+ static const struct mlxbf_pmc_events mlxbf_pmc_trio_events_1[] = {
++ { 0x0, "DISABLE" },
+ { 0xa0, "TPIO_DATA_BEAT" },
+ { 0xa1, "TDMA_DATA_BEAT" },
+ { 0xa2, "MAP_DATA_BEAT" },
+@@ -214,6 +215,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_trio_events_1[] = {
+ };
+
+ static const struct mlxbf_pmc_events mlxbf_pmc_trio_events_2[] = {
++ { 0x0, "DISABLE" },
+ { 0xa0, "TPIO_DATA_BEAT" },
+ { 0xa1, "TDMA_DATA_BEAT" },
+ { 0xa2, "MAP_DATA_BEAT" },
+@@ -246,6 +248,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_trio_events_2[] = {
+ };
+
+ static const struct mlxbf_pmc_events mlxbf_pmc_ecc_events[] = {
++ { 0x0, "DISABLE" },
+ { 0x100, "ECC_SINGLE_ERROR_CNT" },
+ { 0x104, "ECC_DOUBLE_ERROR_CNT" },
+ { 0x114, "SERR_INJ" },
+@@ -258,6 +261,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_ecc_events[] = {
+ };
+
+ static const struct mlxbf_pmc_events mlxbf_pmc_mss_events[] = {
++ { 0x0, "DISABLE" },
+ { 0xc0, "RXREQ_MSS" },
+ { 0xc1, "RXDAT_MSS" },
+ { 0xc2, "TXRSP_MSS" },
+@@ -265,6 +269,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_mss_events[] = {
+ };
+
+ static const struct mlxbf_pmc_events mlxbf_pmc_hnf_events[] = {
++ { 0x0, "DISABLE" },
+ { 0x45, "HNF_REQUESTS" },
+ { 0x46, "HNF_REJECTS" },
+ { 0x47, "ALL_BUSY" },
+@@ -323,6 +328,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_hnf_events[] = {
+ };
+
+ static const struct mlxbf_pmc_events mlxbf_pmc_hnfnet_events[] = {
++ { 0x0, "DISABLE" },
+ { 0x12, "CDN_REQ" },
+ { 0x13, "DDN_REQ" },
+ { 0x14, "NDN_REQ" },
+@@ -892,7 +898,7 @@ static int mlxbf_pmc_read_event(int blk_num, uint32_t cnt_num, bool is_l3,
+ uint64_t *result)
+ {
+ uint32_t perfcfg_offset, perfval_offset;
+- uint64_t perfmon_cfg, perfevt, perfctl;
++ uint64_t perfmon_cfg, perfevt;
+
+ if (cnt_num >= pmc->block[blk_num].counters)
+ return -EINVAL;
+@@ -904,25 +910,6 @@ static int mlxbf_pmc_read_event(int blk_num, uint32_t cnt_num, bool is_l3,
+ perfval_offset = perfcfg_offset +
+ pmc->block[blk_num].counters * MLXBF_PMC_REG_SIZE;
+
+- /* Set counter in "read" mode */
+- perfmon_cfg = FIELD_PREP(MLXBF_PMC_PERFMON_CONFIG_ADDR,
+- MLXBF_PMC_PERFCTL);
+- perfmon_cfg |= FIELD_PREP(MLXBF_PMC_PERFMON_CONFIG_STROBE, 1);
+- perfmon_cfg |= FIELD_PREP(MLXBF_PMC_PERFMON_CONFIG_WR_R_B, 0);
+-
+- if (mlxbf_pmc_write(pmc->block[blk_num].mmio_base + perfcfg_offset,
+- MLXBF_PMC_WRITE_REG_64, perfmon_cfg))
+- return -EFAULT;
+-
+- /* Check if the counter is enabled */
+-
+- if (mlxbf_pmc_read(pmc->block[blk_num].mmio_base + perfval_offset,
+- MLXBF_PMC_READ_REG_64, &perfctl))
+- return -EFAULT;
+-
+- if (!FIELD_GET(MLXBF_PMC_PERFCTL_EN0, perfctl))
+- return -EINVAL;
+-
+ /* Set counter in "read" mode */
+ perfmon_cfg = FIELD_PREP(MLXBF_PMC_PERFMON_CONFIG_ADDR,
+ MLXBF_PMC_PERFEVT);
+--
+2.40.1
+
--- /dev/null
+From a0268e698376eaf7e86b28fff41952ff9e78cc15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Aug 2023 13:43:00 -0400
+Subject: platform/mellanox: mlxbf-tmfifo: Drop jumbo frames
+
+From: Liming Sun <limings@nvidia.com>
+
+[ Upstream commit fc4c655821546239abb3cf4274d66b9747aa87dd ]
+
+This commit drops over-sized network packets to avoid tmfifo
+queue stuck.
+
+Fixes: 1357dfd7261f ("platform/mellanox: Add TmFifo driver for Mellanox BlueField Soc")
+Signed-off-by: Liming Sun <limings@nvidia.com>
+Reviewed-by: Vadim Pasternak <vadimp@nvidia.com>
+Reviewed-by: David Thompson <davthompson@nvidia.com>
+Link: https://lore.kernel.org/r/9318936c2447f76db475c985ca6d91f057efcd41.1693322547.git.limings@nvidia.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-tmfifo.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-tmfifo.c b/drivers/platform/mellanox/mlxbf-tmfifo.c
+index 42fcccf06157f..194f3205e5597 100644
+--- a/drivers/platform/mellanox/mlxbf-tmfifo.c
++++ b/drivers/platform/mellanox/mlxbf-tmfifo.c
+@@ -205,7 +205,7 @@ static u8 mlxbf_tmfifo_net_default_mac[ETH_ALEN] = {
+ static efi_char16_t mlxbf_tmfifo_efi_name[] = L"RshimMacAddr";
+
+ /* Maximum L2 header length. */
+-#define MLXBF_TMFIFO_NET_L2_OVERHEAD 36
++#define MLXBF_TMFIFO_NET_L2_OVERHEAD (ETH_HLEN + VLAN_HLEN)
+
+ /* Supported virtio-net features. */
+ #define MLXBF_TMFIFO_NET_FEATURES \
+@@ -623,13 +623,14 @@ static void mlxbf_tmfifo_rxtx_word(struct mlxbf_tmfifo_vring *vring,
+ * flag is set.
+ */
+ static void mlxbf_tmfifo_rxtx_header(struct mlxbf_tmfifo_vring *vring,
+- struct vring_desc *desc,
++ struct vring_desc **desc,
+ bool is_rx, bool *vring_change)
+ {
+ struct mlxbf_tmfifo *fifo = vring->fifo;
+ struct virtio_net_config *config;
+ struct mlxbf_tmfifo_msg_hdr hdr;
+ int vdev_id, hdr_len;
++ bool drop_rx = false;
+
+ /* Read/Write packet header. */
+ if (is_rx) {
+@@ -649,8 +650,8 @@ static void mlxbf_tmfifo_rxtx_header(struct mlxbf_tmfifo_vring *vring,
+ if (ntohs(hdr.len) >
+ __virtio16_to_cpu(virtio_legacy_is_little_endian(),
+ config->mtu) +
+- MLXBF_TMFIFO_NET_L2_OVERHEAD)
+- return;
++ MLXBF_TMFIFO_NET_L2_OVERHEAD)
++ drop_rx = true;
+ } else {
+ vdev_id = VIRTIO_ID_CONSOLE;
+ hdr_len = 0;
+@@ -665,16 +666,25 @@ static void mlxbf_tmfifo_rxtx_header(struct mlxbf_tmfifo_vring *vring,
+
+ if (!tm_dev2)
+ return;
+- vring->desc = desc;
++ vring->desc = *desc;
+ vring = &tm_dev2->vrings[MLXBF_TMFIFO_VRING_RX];
+ *vring_change = true;
+ }
++
++ if (drop_rx && !IS_VRING_DROP(vring)) {
++ if (vring->desc_head)
++ mlxbf_tmfifo_release_pkt(vring);
++ *desc = &vring->drop_desc;
++ vring->desc_head = *desc;
++ vring->desc = *desc;
++ }
++
+ vring->pkt_len = ntohs(hdr.len) + hdr_len;
+ } else {
+ /* Network virtio has an extra header. */
+ hdr_len = (vring->vdev_id == VIRTIO_ID_NET) ?
+ sizeof(struct virtio_net_hdr) : 0;
+- vring->pkt_len = mlxbf_tmfifo_get_pkt_len(vring, desc);
++ vring->pkt_len = mlxbf_tmfifo_get_pkt_len(vring, *desc);
+ hdr.type = (vring->vdev_id == VIRTIO_ID_NET) ?
+ VIRTIO_ID_NET : VIRTIO_ID_CONSOLE;
+ hdr.len = htons(vring->pkt_len - hdr_len);
+@@ -723,7 +733,7 @@ static bool mlxbf_tmfifo_rxtx_one_desc(struct mlxbf_tmfifo_vring *vring,
+
+ /* Beginning of a packet. Start to Rx/Tx packet header. */
+ if (vring->pkt_len == 0) {
+- mlxbf_tmfifo_rxtx_header(vring, desc, is_rx, &vring_change);
++ mlxbf_tmfifo_rxtx_header(vring, &desc, is_rx, &vring_change);
+ (*avail)--;
+
+ /* Return if new packet is for another ring. */
+--
+2.40.1
+
--- /dev/null
+From 42f1820da4e66cf6daefe8e131b3806fa55b4cb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Aug 2023 13:42:59 -0400
+Subject: platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more
+ descriptors
+
+From: Liming Sun <limings@nvidia.com>
+
+[ Upstream commit 78034cbece79c2d730ad0770b3b7f23eedbbecf5 ]
+
+This commit fixes tmfifo console stuck issue when the virtual
+networking interface is in down state. In such case, the network
+Rx descriptors runs out and causes the Rx network packet staying
+in the head of the tmfifo thus blocking the console packets. The
+fix is to drop the Rx network packet when no more Rx descriptors.
+Function name mlxbf_tmfifo_release_pending_pkt() is also renamed
+to mlxbf_tmfifo_release_pkt() to be more approperiate.
+
+Fixes: 1357dfd7261f ("platform/mellanox: Add TmFifo driver for Mellanox BlueField Soc")
+Signed-off-by: Liming Sun <limings@nvidia.com>
+Reviewed-by: Vadim Pasternak <vadimp@nvidia.com>
+Reviewed-by: David Thompson <davthompson@nvidia.com>
+Link: https://lore.kernel.org/r/8c0177dc938ae03f52ff7e0b62dbeee74b7bec09.1693322547.git.limings@nvidia.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-tmfifo.c | 66 ++++++++++++++++++------
+ 1 file changed, 49 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-tmfifo.c b/drivers/platform/mellanox/mlxbf-tmfifo.c
+index 64d22ecf3cddd..42fcccf06157f 100644
+--- a/drivers/platform/mellanox/mlxbf-tmfifo.c
++++ b/drivers/platform/mellanox/mlxbf-tmfifo.c
+@@ -56,6 +56,7 @@ struct mlxbf_tmfifo;
+ * @vq: pointer to the virtio virtqueue
+ * @desc: current descriptor of the pending packet
+ * @desc_head: head descriptor of the pending packet
++ * @drop_desc: dummy desc for packet dropping
+ * @cur_len: processed length of the current descriptor
+ * @rem_len: remaining length of the pending packet
+ * @pkt_len: total length of the pending packet
+@@ -72,6 +73,7 @@ struct mlxbf_tmfifo_vring {
+ struct virtqueue *vq;
+ struct vring_desc *desc;
+ struct vring_desc *desc_head;
++ struct vring_desc drop_desc;
+ int cur_len;
+ int rem_len;
+ u32 pkt_len;
+@@ -83,6 +85,14 @@ struct mlxbf_tmfifo_vring {
+ struct mlxbf_tmfifo *fifo;
+ };
+
++/* Check whether vring is in drop mode. */
++#define IS_VRING_DROP(_r) ({ \
++ typeof(_r) (r) = (_r); \
++ (r->desc_head == &r->drop_desc ? true : false); })
++
++/* A stub length to drop maximum length packet. */
++#define VRING_DROP_DESC_MAX_LEN GENMASK(15, 0)
++
+ /* Interrupt types. */
+ enum {
+ MLXBF_TM_RX_LWM_IRQ,
+@@ -243,6 +253,7 @@ static int mlxbf_tmfifo_alloc_vrings(struct mlxbf_tmfifo *fifo,
+ vring->align = SMP_CACHE_BYTES;
+ vring->index = i;
+ vring->vdev_id = tm_vdev->vdev.id.device;
++ vring->drop_desc.len = VRING_DROP_DESC_MAX_LEN;
+ dev = &tm_vdev->vdev.dev;
+
+ size = vring_size(vring->num, vring->align);
+@@ -348,7 +359,7 @@ static u32 mlxbf_tmfifo_get_pkt_len(struct mlxbf_tmfifo_vring *vring,
+ return len;
+ }
+
+-static void mlxbf_tmfifo_release_pending_pkt(struct mlxbf_tmfifo_vring *vring)
++static void mlxbf_tmfifo_release_pkt(struct mlxbf_tmfifo_vring *vring)
+ {
+ struct vring_desc *desc_head;
+ u32 len = 0;
+@@ -577,19 +588,25 @@ static void mlxbf_tmfifo_rxtx_word(struct mlxbf_tmfifo_vring *vring,
+
+ if (vring->cur_len + sizeof(u64) <= len) {
+ /* The whole word. */
+- if (is_rx)
+- memcpy(addr + vring->cur_len, &data, sizeof(u64));
+- else
+- memcpy(&data, addr + vring->cur_len, sizeof(u64));
++ if (!IS_VRING_DROP(vring)) {
++ if (is_rx)
++ memcpy(addr + vring->cur_len, &data,
++ sizeof(u64));
++ else
++ memcpy(&data, addr + vring->cur_len,
++ sizeof(u64));
++ }
+ vring->cur_len += sizeof(u64);
+ } else {
+ /* Leftover bytes. */
+- if (is_rx)
+- memcpy(addr + vring->cur_len, &data,
+- len - vring->cur_len);
+- else
+- memcpy(&data, addr + vring->cur_len,
+- len - vring->cur_len);
++ if (!IS_VRING_DROP(vring)) {
++ if (is_rx)
++ memcpy(addr + vring->cur_len, &data,
++ len - vring->cur_len);
++ else
++ memcpy(&data, addr + vring->cur_len,
++ len - vring->cur_len);
++ }
+ vring->cur_len = len;
+ }
+
+@@ -690,8 +707,16 @@ static bool mlxbf_tmfifo_rxtx_one_desc(struct mlxbf_tmfifo_vring *vring,
+ /* Get the descriptor of the next packet. */
+ if (!vring->desc) {
+ desc = mlxbf_tmfifo_get_next_pkt(vring, is_rx);
+- if (!desc)
+- return false;
++ if (!desc) {
++ /* Drop next Rx packet to avoid stuck. */
++ if (is_rx) {
++ desc = &vring->drop_desc;
++ vring->desc_head = desc;
++ vring->desc = desc;
++ } else {
++ return false;
++ }
++ }
+ } else {
+ desc = vring->desc;
+ }
+@@ -724,17 +749,24 @@ static bool mlxbf_tmfifo_rxtx_one_desc(struct mlxbf_tmfifo_vring *vring,
+ vring->rem_len -= len;
+
+ /* Get the next desc on the chain. */
+- if (vring->rem_len > 0 &&
++ if (!IS_VRING_DROP(vring) && vring->rem_len > 0 &&
+ (virtio16_to_cpu(vdev, desc->flags) & VRING_DESC_F_NEXT)) {
+ idx = virtio16_to_cpu(vdev, desc->next);
+ desc = &vr->desc[idx];
+ goto mlxbf_tmfifo_desc_done;
+ }
+
+- /* Done and release the pending packet. */
+- mlxbf_tmfifo_release_pending_pkt(vring);
++ /* Done and release the packet. */
+ desc = NULL;
+ fifo->vring[is_rx] = NULL;
++ if (!IS_VRING_DROP(vring)) {
++ mlxbf_tmfifo_release_pkt(vring);
++ } else {
++ vring->pkt_len = 0;
++ vring->desc_head = NULL;
++ vring->desc = NULL;
++ return false;
++ }
+
+ /*
+ * Make sure the load/store are in order before
+@@ -914,7 +946,7 @@ static void mlxbf_tmfifo_virtio_del_vqs(struct virtio_device *vdev)
+
+ /* Release the pending packet. */
+ if (vring->desc)
+- mlxbf_tmfifo_release_pending_pkt(vring);
++ mlxbf_tmfifo_release_pkt(vring);
+ vq = vring->vq;
+ if (vq) {
+ vring->vq = NULL;
+--
+2.40.1
+
--- /dev/null
+From 62e90cb697ed7da8d0d2c1cab8a97781a22b1dc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 15:01:52 +0800
+Subject: r8152: check budget for r8152_poll()
+
+From: Hayes Wang <hayeswang@realtek.com>
+
+[ Upstream commit a7b8d60b37237680009dd0b025fe8c067aba0ee3 ]
+
+According to the document of napi, there is no rx process when the
+budget is 0. Therefore, r8152_poll() has to return 0 directly when the
+budget is equal to 0.
+
+Fixes: d2187f8e4454 ("r8152: divide the tx and rx bottom functions")
+Signed-off-by: Hayes Wang <hayeswang@realtek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 579524cb5d9b2..4cd9bcca84c5b 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -2625,6 +2625,9 @@ static int r8152_poll(struct napi_struct *napi, int budget)
+ struct r8152 *tp = container_of(napi, struct r8152, napi);
+ int work_done;
+
++ if (!budget)
++ return 0;
++
+ work_done = rx_bottom(tp, budget);
+
+ if (work_done < budget) {
+--
+2.40.1
+
perf-hists-browser-fix-hierarchy-mode-header.patch
perf-tools-handle-old-data-in-perf_record_attr.patch
perf-hists-browser-fix-the-number-of-entries-for-e-key.patch
+pcd-move-the-identify-buffer-into-pcd_identify.patch
+pcd-cleanup-initialization.patch
+block-move-genhd_fl_native_capacity-to-disk-state.patch
+block-move-genhd_fl_block_events_on_excl_write-to-di.patch
+block-rename-genhd_fl_no_part_scan-to-genhd_fl_no_pa.patch
+block-don-t-add-or-resize-partition-on-the-disk-with.patch
+arm-dts-samsung-exynos4210-i9100-fix-lcd-screen-s-ph.patch
+arm-dts-bcm5301x-extend-ram-to-full-256mb-for-linksy.patch
+net-ipv4-fix-one-memleak-in-__inet_del_ifa.patch
+kselftest-runner.sh-propagate-sigterm-to-runner-chil.patch
+net-smc-use-smc_lgr_list.lock-to-protect-smc_lgr_lis.patch
+net-ethernet-mvpp2_main-fix-possible-oob-write-in-mv.patch
+net-ethernet-mtk_eth_soc-fix-possible-null-pointer-d.patch
+hsr-fix-uninit-value-access-in-fill_frame_info.patch
+net-dsa-sja1105-hide-all-multicast-addresses-from-br.patch
+r8152-check-budget-for-r8152_poll.patch
+kcm-fix-memory-leak-in-error-path-of-kcm_sendmsg.patch
+platform-mellanox-mlxbf-tmfifo-drop-the-rx-packet-if.patch
+platform-mellanox-mlxbf-tmfifo-drop-jumbo-frames.patch
+platform-mellanox-mlxbf-pmc-fix-potential-buffer-ove.patch
+platform-mellanox-mlxbf-pmc-fix-reading-of-unprogram.patch
+net-tls-do-not-free-tls_rec-on-async-operation-in-bp.patch
+ipv6-fix-ip6_sock_set_addr_preferences-typo.patch
+ixgbe-fix-timestamp-configuration-code.patch
+kcm-fix-error-handling-for-sock_dgram-in-kcm_sendmsg.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
