Fixes for 6.5
authorSasha Levin <sashal@kernel.org>
Sat, 28 Oct 2023 02:53:48 +0000 (22:53 -0400)
committerSasha Levin <sashal@kernel.org>
Sat, 28 Oct 2023 02:53:48 +0000 (22:53 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
40 files changed:
queue-6.5/arm-omap-timer32k-fix-all-kernel-doc-warnings.patch [new file with mode: 0644]
queue-6.5/arm64-dts-qcom-sa8775p-correct-pmic-gpio-label-in-gp.patch [new file with mode: 0644]
queue-6.5/arm64-dts-rockchip-add-i2s0-2ch-bus-bclk-off-pins-to.patch [new file with mode: 0644]
queue-6.5/btrfs-fix-unwritten-extent-buffer-after-snapshotting.patch [new file with mode: 0644]
queue-6.5/btrfs-remove-v0-extent-handling.patch [new file with mode: 0644]
queue-6.5/clk-ti-fix-missing-omap4-mcbsp-functional-clock-and-.patch [new file with mode: 0644]
queue-6.5/clk-ti-fix-missing-omap5-mcbsp-functional-clock-and-.patch [new file with mode: 0644]
queue-6.5/drm-i915-mcr-hold-gt-forcewake-during-steering-opera.patch [new file with mode: 0644]
queue-6.5/drm-i915-perf-determine-context-valid-in-oa-reports.patch [new file with mode: 0644]
queue-6.5/drm-logicvc-kconfig-select-regmap-and-regmap_mmio.patch [new file with mode: 0644]
queue-6.5/firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch [new file with mode: 0644]
queue-6.5/gtp-fix-fragmentation-needed-check-with-gso.patch [new file with mode: 0644]
queue-6.5/gtp-uapi-fix-gtpa_max.patch [new file with mode: 0644]
queue-6.5/i40e-fix-i40e_flag_vf_vlan_pruning-value.patch [new file with mode: 0644]
queue-6.5/i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch [new file with mode: 0644]
queue-6.5/iavf-in-iavf_down-disable-queues-when-removing-the-d.patch [new file with mode: 0644]
queue-6.5/iavf-initialize-waitqueues-before-starting-watchdog_.patch [new file with mode: 0644]
queue-6.5/igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch [new file with mode: 0644]
queue-6.5/igc-fix-ambiguity-in-the-ethtool-advertising.patch [new file with mode: 0644]
queue-6.5/neighbour-fix-various-data-races.patch [new file with mode: 0644]
queue-6.5/net-do-not-leave-an-empty-skb-in-write-queue.patch [new file with mode: 0644]
queue-6.5/net-ethernet-adi-adin1110-fix-uninitialized-variable.patch [new file with mode: 0644]
queue-6.5/net-handshake-fix-file-ref-count-in-handshake_nl_acc.patch [new file with mode: 0644]
queue-6.5/net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch [new file with mode: 0644]
queue-6.5/net-sched-act_ct-additional-checks-for-outdated-flow.patch [new file with mode: 0644]
queue-6.5/net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch [new file with mode: 0644]
queue-6.5/netfilter-flowtable-gc-pushes-back-packets-to-classi.patch [new file with mode: 0644]
queue-6.5/r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch [new file with mode: 0644]
queue-6.5/r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch [new file with mode: 0644]
queue-6.5/r8152-release-firmware-if-we-have-an-error-in-probe.patch [new file with mode: 0644]
queue-6.5/r8152-run-the-unload-routine-if-we-have-errors-durin.patch [new file with mode: 0644]
queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch [new file with mode: 0644]
queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch [new file with mode: 0644]
queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-11985 [new file with mode: 0644]
queue-6.5/series
queue-6.5/tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch [new file with mode: 0644]
queue-6.5/treewide-spelling-fix-in-comment.patch [new file with mode: 0644]
queue-6.5/wifi-cfg80211-fix-assoc-response-warning-on-failed-l.patch [new file with mode: 0644]
queue-6.5/wifi-cfg80211-pass-correct-pointer-to-rdev_inform_bs.patch [new file with mode: 0644]
queue-6.5/wifi-mac80211-don-t-drop-all-unprotected-public-acti.patch [new file with mode: 0644]

diff --git a/queue-6.5/arm-omap-timer32k-fix-all-kernel-doc-warnings.patch b/queue-6.5/arm-omap-timer32k-fix-all-kernel-doc-warnings.patch
new file mode 100644 (file)
index 0000000..f95e910
--- /dev/null
@@ -0,0 +1,84 @@
+From d93fb173e62ce53d624e5d54e29531dc05e26294 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Oct 2023 17:16:03 -0700
+Subject: ARM: OMAP: timer32K: fix all kernel-doc warnings
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 7eeca8ccd1066c68d6002dbbe26433f8c17c53eb ]
+
+Fix kernel-doc warnings reported by the kernel test robot:
+
+timer32k.c:186: warning: cannot understand function prototype: 'struct timespec64 persistent_ts; '
+timer32k.c:191: warning: Function parameter or member 'ts' not described in 'omap_read_persistent_clock64'
+timer32k.c:216: warning: Function parameter or member 'vbase' not described in 'omap_init_clocksource_32k'
+timer32k.c:216: warning: Excess function parameter 'pbase' description in 'omap_init_clocksource_32k'
+timer32k.c:216: warning: Excess function parameter 'size' description in 'omap_init_clocksource_32k'
+timer32k.c:216: warning: No description found for return value of 'omap_init_clocksource_32k'
+
+Fixes: a451570c008b ("ARM: OMAP: 32k counter: Provide y2038-safe omap_read_persistent_clock() replacement")
+Fixes: 1fe97c8f6a1d ("ARM: OMAP: Make OMAP clocksource source selection using kernel param")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/all/202310070106.8QSyJOm3-lkp@intel.com/
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Vaibhav Hiremath <hvaibhav@ti.com>
+Cc: Felipe Balbi <balbi@ti.com>
+Cc: Tony Lindgren <tony@atomide.com>
+Cc: Xunlei Pang <pang.xunlei@linaro.org>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
+Cc: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Cc: linux-omap@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Message-ID: <20231007001603.24972-1-rdunlap@infradead.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap1/timer32k.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm/mach-omap1/timer32k.c b/arch/arm/mach-omap1/timer32k.c
+index 410d17d1d4431..f618a6df29382 100644
+--- a/arch/arm/mach-omap1/timer32k.c
++++ b/arch/arm/mach-omap1/timer32k.c
+@@ -176,17 +176,18 @@ static u64 notrace omap_32k_read_sched_clock(void)
+       return sync32k_cnt_reg ? readl_relaxed(sync32k_cnt_reg) : 0;
+ }
++static struct timespec64 persistent_ts;
++static cycles_t cycles;
++static unsigned int persistent_mult, persistent_shift;
++
+ /**
+  * omap_read_persistent_clock64 -  Return time from a persistent clock.
++ * @ts: &struct timespec64 for the returned time
+  *
+  * Reads the time from a source which isn't disabled during PM, the
+  * 32k sync timer.  Convert the cycles elapsed since last read into
+  * nsecs and adds to a monotonically increasing timespec64.
+  */
+-static struct timespec64 persistent_ts;
+-static cycles_t cycles;
+-static unsigned int persistent_mult, persistent_shift;
+-
+ static void omap_read_persistent_clock64(struct timespec64 *ts)
+ {
+       unsigned long long nsecs;
+@@ -206,10 +207,9 @@ static void omap_read_persistent_clock64(struct timespec64 *ts)
+ /**
+  * omap_init_clocksource_32k - setup and register counter 32k as a
+  * kernel clocksource
+- * @pbase: base addr of counter_32k module
+- * @size: size of counter_32k to map
++ * @vbase: base addr of counter_32k module
+  *
+- * Returns 0 upon success or negative error code upon failure.
++ * Returns: %0 upon success or negative error code upon failure.
+  *
+  */
+ static int __init omap_init_clocksource_32k(void __iomem *vbase)
+-- 
+2.42.0
+
diff --git a/queue-6.5/arm64-dts-qcom-sa8775p-correct-pmic-gpio-label-in-gp.patch b/queue-6.5/arm64-dts-qcom-sa8775p-correct-pmic-gpio-label-in-gp.patch
new file mode 100644 (file)
index 0000000..15692ba
--- /dev/null
@@ -0,0 +1,45 @@
+From 6d99329d76811496ef44bbab9df5844612de49f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Aug 2023 15:55:38 +0200
+Subject: arm64: dts: qcom: sa8775p: correct PMIC GPIO label in gpio-ranges
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit f822899c28572a854f2c746da5ed707d752458ab ]
+
+There are several PMICs with GPIO nodes and one of the nodes referenced
+other's in gpio-ranges which could result in deferred-probes like:
+
+  qcom-spmi-gpio c440000.spmi:pmic@2:gpio@8800: can't add gpio chip
+
+Reported-by: Brian Masney <bmasney@redhat.com>
+Closes: https://lore.kernel.org/all/ZN5KIlI+RDu92jsi@brian-x1/
+Fixes: e5a893a7cec5 ("arm64: dts: qcom: sa8775p: add PMIC GPIO controller nodes")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Brian Masney <bmasney@redhat.com>
+Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Tested-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20230818135538.47481-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sa8775p-pmics.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sa8775p-pmics.dtsi b/arch/arm64/boot/dts/qcom/sa8775p-pmics.dtsi
+index eaa43f022a654..e205ef42f8d43 100644
+--- a/arch/arm64/boot/dts/qcom/sa8775p-pmics.dtsi
++++ b/arch/arm64/boot/dts/qcom/sa8775p-pmics.dtsi
+@@ -197,7 +197,7 @@
+                       compatible = "qcom,pmm8654au-gpio", "qcom,spmi-gpio";
+                       reg = <0x8800>;
+                       gpio-controller;
+-                      gpio-ranges = <&pmm8654au_2_gpios 0 0 12>;
++                      gpio-ranges = <&pmm8654au_1_gpios 0 0 12>;
+                       #gpio-cells = <2>;
+                       interrupt-controller;
+                       #interrupt-cells = <2>;
+-- 
+2.42.0
+
diff --git a/queue-6.5/arm64-dts-rockchip-add-i2s0-2ch-bus-bclk-off-pins-to.patch b/queue-6.5/arm64-dts-rockchip-add-i2s0-2ch-bus-bclk-off-pins-to.patch
new file mode 100644 (file)
index 0000000..5769065
--- /dev/null
@@ -0,0 +1,51 @@
+From 702e0678a86e7ebd312cfa19cdc84bf06a1941f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Oct 2023 12:47:26 +0100
+Subject: arm64: dts: rockchip: Add i2s0-2ch-bus-bclk-off pins to RK3399
+
+From: Christopher Obbard <chris.obbard@collabora.com>
+
+[ Upstream commit 3975e72b164dc8347a28dd0d5f11b346af534635 ]
+
+Commit 0efaf8078393 ("arm64: dts: rockchip: add i2s0-2ch-bus pins on
+rk3399") introduced a pinctl for i2s0 in two-channel mode. Commit
+91419ae0420f ("arm64: dts: rockchip: use BCLK to GPIO switch on rk3399")
+modified i2s0 to switch the corresponding pins off when idle.
+
+Although an idle pinctrl node was added for i2s0 in 8-channel mode, a
+similar idle pinctrl node for i2s0 in 2-channel mode was not added. Add
+it.
+
+Fixes: 91419ae0420f ("arm64: dts: rockchip: use BCLK to GPIO switch on rk3399")
+Signed-off-by: Christopher Obbard <chris.obbard@collabora.com>
+Link: https://lore.kernel.org/r/20231013114737.494410-2-chris.obbard@collabora.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399.dtsi | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399.dtsi b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
+index bf1251cc71954..63f3d6e6a8631 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
+@@ -2440,6 +2440,16 @@
+                                       <4 RK_PA0 1 &pcfg_pull_none>;
+                       };
++                      i2s0_2ch_bus_bclk_off: i2s0-2ch-bus-bclk-off {
++                              rockchip,pins =
++                                      <3 RK_PD0 RK_FUNC_GPIO &pcfg_pull_none>,
++                                      <3 RK_PD1 1 &pcfg_pull_none>,
++                                      <3 RK_PD2 1 &pcfg_pull_none>,
++                                      <3 RK_PD3 1 &pcfg_pull_none>,
++                                      <3 RK_PD7 1 &pcfg_pull_none>,
++                                      <4 RK_PA0 1 &pcfg_pull_none>;
++                      };
++
+                       i2s0_8ch_bus: i2s0-8ch-bus {
+                               rockchip,pins =
+                                       <3 RK_PD0 1 &pcfg_pull_none>,
+-- 
+2.42.0
+
diff --git a/queue-6.5/btrfs-fix-unwritten-extent-buffer-after-snapshotting.patch b/queue-6.5/btrfs-fix-unwritten-extent-buffer-after-snapshotting.patch
new file mode 100644 (file)
index 0000000..533e123
--- /dev/null
@@ -0,0 +1,421 @@
+From 7ba1c596a238879a5b66b5efd2b42c8d83f5a602 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 13:19:28 +0100
+Subject: btrfs: fix unwritten extent buffer after snapshotting a new subvolume
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit eb96e221937af3c7bb8a63208dbab813ca5d3d7e ]
+
+When creating a snapshot of a subvolume that was created in the current
+transaction, we can end up not persisting a dirty extent buffer that is
+referenced by the snapshot, resulting in IO errors due to checksum failures
+when trying to read the extent buffer later from disk. A sequence of steps
+that leads to this is the following:
+
+1) At ioctl.c:create_subvol() we allocate an extent buffer, with logical
+   address 36007936, for the leaf/root of a new subvolume that has an ID
+   of 291. We mark the extent buffer as dirty, and at this point the
+   subvolume tree has a single node/leaf which is also its root (level 0);
+
+2) We no longer commit the transaction used to create the subvolume at
+   create_subvol(). We used to, but that was recently removed in
+   commit 1b53e51a4a8f ("btrfs: don't commit transaction for every subvol
+   create");
+
+3) The transaction used to create the subvolume has an ID of 33, so the
+   extent buffer 36007936 has a generation of 33;
+
+4) Several updates happen to subvolume 291 during transaction 33, several
+   files created and its tree height changes from 0 to 1, so we end up with
+   a new root at level 1 and the extent buffer 36007936 is now a leaf of
+   that new root node, which is extent buffer 36048896.
+
+   The commit root remains as 36007936, since we are still at transaction
+   33;
+
+5) Creation of a snapshot of subvolume 291, with an ID of 292, starts at
+   ioctl.c:create_snapshot(). This triggers a commit of transaction 33 and
+   we end up at transaction.c:create_pending_snapshot(), in the critical
+   section of a transaction commit.
+
+   There we COW the root of subvolume 291, which is extent buffer 36048896.
+   The COW operation returns extent buffer 36048896, since there's no need
+   to COW because the extent buffer was created in this transaction and it
+   was not written yet.
+
+   The we call btrfs_copy_root() against the root node 36048896. During
+   this operation we allocate a new extent buffer to turn into the root
+   node of the snapshot, copy the contents of the root node 36048896 into
+   this snapshot root extent buffer, set the owner to 292 (the ID of the
+   snapshot), etc, and then we call btrfs_inc_ref(). This will create a
+   delayed reference for each leaf pointed by the root node with a
+   reference root of 292 - this includes a reference for the leaf
+   36007936.
+
+   After that we set the bit BTRFS_ROOT_FORCE_COW in the root's state.
+
+   Then we call btrfs_insert_dir_item(), to create the directory entry in
+   in the tree of subvolume 291 that points to the snapshot. This ends up
+   needing to modify leaf 36007936 to insert the respective directory
+   items. Because the bit BTRFS_ROOT_FORCE_COW is set for the root's state,
+   we need to COW the leaf. We end up at btrfs_force_cow_block() and then
+   at update_ref_for_cow().
+
+   At update_ref_for_cow() we call btrfs_block_can_be_shared() which
+   returns false, despite the fact the leaf 36007936 is shared - the
+   subvolume's root and the snapshot's root point to that leaf. The
+   reason that it incorrectly returns false is because the commit root
+   of the subvolume is extent buffer 36007936 - it was the initial root
+   of the subvolume when we created it. So btrfs_block_can_be_shared()
+   which has the following logic:
+
+   int btrfs_block_can_be_shared(struct btrfs_root *root,
+                                 struct extent_buffer *buf)
+   {
+       if (test_bit(BTRFS_ROOT_SHAREABLE, &root->state) &&
+           buf != root->node && buf != root->commit_root &&
+           (btrfs_header_generation(buf) <=
+            btrfs_root_last_snapshot(&root->root_item) ||
+            btrfs_header_flag(buf, BTRFS_HEADER_FLAG_RELOC)))
+               return 1;
+
+       return 0;
+   }
+
+   Returns false (0) since 'buf' (extent buffer 36007936) matches the
+   root's commit root.
+
+   As a result, at update_ref_for_cow(), we don't check for the number
+   of references for extent buffer 36007936, we just assume it's not
+   shared and therefore that it has only 1 reference, so we set the local
+   variable 'refs' to 1.
+
+   Later on, in the final if-else statement at update_ref_for_cow():
+
+   static noinline int update_ref_for_cow(struct btrfs_trans_handle *trans,
+                                          struct btrfs_root *root,
+                                          struct extent_buffer *buf,
+                                          struct extent_buffer *cow,
+                                          int *last_ref)
+   {
+      (...)
+      if (refs > 1) {
+          (...)
+      } else {
+          (...)
+          btrfs_clear_buffer_dirty(trans, buf);
+          *last_ref = 1;
+      }
+   }
+
+   So we mark the extent buffer 36007936 as not dirty, and as a result
+   we don't write it to disk later in the transaction commit, despite the
+   fact that the snapshot's root points to it.
+
+   Attempting to access the leaf or dumping the tree for example shows
+   that the extent buffer was not written:
+
+   $ btrfs inspect-internal dump-tree -t 292 /dev/sdb
+   btrfs-progs v6.2.2
+   file tree key (292 ROOT_ITEM 33)
+   node 36110336 level 1 items 2 free space 119 generation 33 owner 292
+   node 36110336 flags 0x1(WRITTEN) backref revision 1
+   checksum stored a8103e3e
+   checksum calced a8103e3e
+   fs uuid 90c9a46f-ae9f-4626-9aff-0cbf3e2e3a79
+   chunk uuid e8c9c885-78f4-4d31-85fe-89e5f5fd4a07
+           key (256 INODE_ITEM 0) block 36007936 gen 33
+           key (257 EXTENT_DATA 0) block 36052992 gen 33
+   checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29
+   checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29
+   total bytes 107374182400
+   bytes used 38572032
+   uuid 90c9a46f-ae9f-4626-9aff-0cbf3e2e3a79
+
+   The respective on disk region is full of zeroes as the device was
+   trimmed at mkfs time.
+
+   Obviously 'btrfs check' also detects and complains about this:
+
+   $ btrfs check /dev/sdb
+   Opening filesystem to check...
+   Checking filesystem on /dev/sdb
+   UUID: 90c9a46f-ae9f-4626-9aff-0cbf3e2e3a79
+   generation: 33 (33)
+   [1/7] checking root items
+   [2/7] checking extents
+   checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29
+   checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29
+   checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29
+   bad tree block 36007936, bytenr mismatch, want=36007936, have=0
+   owner ref check failed [36007936 4096]
+   ERROR: errors found in extent allocation tree or chunk allocation
+   [3/7] checking free space tree
+   [4/7] checking fs roots
+   checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29
+   checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29
+   checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29
+   bad tree block 36007936, bytenr mismatch, want=36007936, have=0
+   The following tree block(s) is corrupted in tree 292:
+        tree block bytenr: 36110336, level: 1, node key: (256, 1, 0)
+   root 292 root dir 256 not found
+   ERROR: errors found in fs roots
+   found 38572032 bytes used, error(s) found
+   total csum bytes: 16048
+   total tree bytes: 1265664
+   total fs tree bytes: 1118208
+   total extent tree bytes: 65536
+   btree space waste bytes: 562598
+   file data blocks allocated: 65978368
+    referenced 36569088
+
+Fix this by updating btrfs_block_can_be_shared() to consider that an
+extent buffer may be shared if it matches the commit root and if its
+generation matches the current transaction's generation.
+
+This can be reproduced with the following script:
+
+   $ cat test.sh
+   #!/bin/bash
+
+   MNT=/mnt/sdi
+   DEV=/dev/sdi
+
+   # Use a filesystem with a 64K node size so that we have the same node
+   # size on every machine regardless of its page size (on x86_64 default
+   # node size is 16K due to the 4K page size, while on PPC it's 64K by
+   # default). This way we can make sure we are able to create a btree for
+   # the subvolume with a height of 2.
+   mkfs.btrfs -f -n 64K $DEV
+   mount $DEV $MNT
+
+   btrfs subvolume create $MNT/subvol
+
+   # Create a few empty files on the subvolume, this bumps its btree
+   # height to 2 (root node at level 1 and 2 leaves).
+   for ((i = 1; i <= 300; i++)); do
+       echo -n > $MNT/subvol/file_$i
+   done
+
+   btrfs subvolume snapshot -r $MNT/subvol $MNT/subvol/snap
+
+   umount $DEV
+
+   btrfs check $DEV
+
+Running it on a 6.5 kernel (or any 6.6-rc kernel at the moment):
+
+   $ ./test.sh
+   Create subvolume '/mnt/sdi/subvol'
+   Create a readonly snapshot of '/mnt/sdi/subvol' in '/mnt/sdi/subvol/snap'
+   Opening filesystem to check...
+   Checking filesystem on /dev/sdi
+   UUID: bbdde2ff-7d02-45ca-8a73-3c36f23755a1
+   [1/7] checking root items
+   [2/7] checking extents
+   parent transid verify failed on 30539776 wanted 7 found 5
+   parent transid verify failed on 30539776 wanted 7 found 5
+   parent transid verify failed on 30539776 wanted 7 found 5
+   Ignoring transid failure
+   owner ref check failed [30539776 65536]
+   ERROR: errors found in extent allocation tree or chunk allocation
+   [3/7] checking free space tree
+   [4/7] checking fs roots
+   parent transid verify failed on 30539776 wanted 7 found 5
+   Ignoring transid failure
+   Wrong key of child node/leaf, wanted: (256, 1, 0), have: (2, 132, 0)
+   Wrong generation of child node/leaf, wanted: 5, have: 7
+   root 257 root dir 256 not found
+   ERROR: errors found in fs roots
+   found 917504 bytes used, error(s) found
+   total csum bytes: 0
+   total tree bytes: 851968
+   total fs tree bytes: 393216
+   total extent tree bytes: 65536
+   btree space waste bytes: 736550
+   file data blocks allocated: 0
+    referenced 0
+
+A test case for fstests will follow soon.
+
+Fixes: 1b53e51a4a8f ("btrfs: don't commit transaction for every subvol create")
+CC: stable@vger.kernel.org # 6.5+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/backref.c    | 14 +++++++++-----
+ fs/btrfs/backref.h    |  3 ++-
+ fs/btrfs/ctree.c      | 21 ++++++++++++++++-----
+ fs/btrfs/ctree.h      |  3 ++-
+ fs/btrfs/relocation.c |  7 ++++---
+ 5 files changed, 33 insertions(+), 15 deletions(-)
+
+diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c
+index b7d54efb47288..a4a809efc92fc 100644
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -3196,12 +3196,14 @@ static int handle_direct_tree_backref(struct btrfs_backref_cache *cache,
+  * We still need to do a tree search to find out the parents. This is for
+  * TREE_BLOCK_REF backref (keyed or inlined).
+  *
++ * @trans:    Transaction handle.
+  * @ref_key:  The same as @ref_key in  handle_direct_tree_backref()
+  * @tree_key: The first key of this tree block.
+  * @path:     A clean (released) path, to avoid allocating path every time
+  *            the function get called.
+  */
+-static int handle_indirect_tree_backref(struct btrfs_backref_cache *cache,
++static int handle_indirect_tree_backref(struct btrfs_trans_handle *trans,
++                                      struct btrfs_backref_cache *cache,
+                                       struct btrfs_path *path,
+                                       struct btrfs_key *ref_key,
+                                       struct btrfs_key *tree_key,
+@@ -3315,7 +3317,7 @@ static int handle_indirect_tree_backref(struct btrfs_backref_cache *cache,
+                        * If we know the block isn't shared we can avoid
+                        * checking its backrefs.
+                        */
+-                      if (btrfs_block_can_be_shared(root, eb))
++                      if (btrfs_block_can_be_shared(trans, root, eb))
+                               upper->checked = 0;
+                       else
+                               upper->checked = 1;
+@@ -3363,11 +3365,13 @@ static int handle_indirect_tree_backref(struct btrfs_backref_cache *cache,
+  *     links aren't yet bi-directional. Needs to finish such links.
+  *     Use btrfs_backref_finish_upper_links() to finish such linkage.
+  *
++ * @trans:    Transaction handle.
+  * @path:     Released path for indirect tree backref lookup
+  * @iter:     Released backref iter for extent tree search
+  * @node_key: The first key of the tree block
+  */
+-int btrfs_backref_add_tree_node(struct btrfs_backref_cache *cache,
++int btrfs_backref_add_tree_node(struct btrfs_trans_handle *trans,
++                              struct btrfs_backref_cache *cache,
+                               struct btrfs_path *path,
+                               struct btrfs_backref_iter *iter,
+                               struct btrfs_key *node_key,
+@@ -3467,8 +3471,8 @@ int btrfs_backref_add_tree_node(struct btrfs_backref_cache *cache,
+                        * offset means the root objectid. We need to search
+                        * the tree to get its parent bytenr.
+                        */
+-                      ret = handle_indirect_tree_backref(cache, path, &key, node_key,
+-                                                         cur);
++                      ret = handle_indirect_tree_backref(trans, cache, path,
++                                                         &key, node_key, cur);
+                       if (ret < 0)
+                               goto out;
+               }
+diff --git a/fs/btrfs/backref.h b/fs/btrfs/backref.h
+index 1616e3e3f1e41..71d535e03dca8 100644
+--- a/fs/btrfs/backref.h
++++ b/fs/btrfs/backref.h
+@@ -540,7 +540,8 @@ static inline void btrfs_backref_panic(struct btrfs_fs_info *fs_info,
+                   bytenr);
+ }
+-int btrfs_backref_add_tree_node(struct btrfs_backref_cache *cache,
++int btrfs_backref_add_tree_node(struct btrfs_trans_handle *trans,
++                              struct btrfs_backref_cache *cache,
+                               struct btrfs_path *path,
+                               struct btrfs_backref_iter *iter,
+                               struct btrfs_key *node_key,
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index da519c1b6ad08..617d4827eec26 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -367,7 +367,8 @@ int btrfs_copy_root(struct btrfs_trans_handle *trans,
+ /*
+  * check if the tree block can be shared by multiple trees
+  */
+-int btrfs_block_can_be_shared(struct btrfs_root *root,
++int btrfs_block_can_be_shared(struct btrfs_trans_handle *trans,
++                            struct btrfs_root *root,
+                             struct extent_buffer *buf)
+ {
+       /*
+@@ -376,11 +377,21 @@ int btrfs_block_can_be_shared(struct btrfs_root *root,
+        * not allocated by tree relocation, we know the block is not shared.
+        */
+       if (test_bit(BTRFS_ROOT_SHAREABLE, &root->state) &&
+-          buf != root->node && buf != root->commit_root &&
++          buf != root->node &&
+           (btrfs_header_generation(buf) <=
+            btrfs_root_last_snapshot(&root->root_item) ||
+-           btrfs_header_flag(buf, BTRFS_HEADER_FLAG_RELOC)))
+-              return 1;
++           btrfs_header_flag(buf, BTRFS_HEADER_FLAG_RELOC))) {
++              if (buf != root->commit_root)
++                      return 1;
++              /*
++               * An extent buffer that used to be the commit root may still be
++               * shared because the tree height may have increased and it
++               * became a child of a higher level root. This can happen when
++               * snapshotting a subvolume created in the current transaction.
++               */
++              if (btrfs_header_generation(buf) == trans->transid)
++                      return 1;
++      }
+       return 0;
+ }
+@@ -415,7 +426,7 @@ static noinline int update_ref_for_cow(struct btrfs_trans_handle *trans,
+        * are only allowed for blocks use full backrefs.
+        */
+-      if (btrfs_block_can_be_shared(root, buf)) {
++      if (btrfs_block_can_be_shared(trans, root, buf)) {
+               ret = btrfs_lookup_extent_info(trans, fs_info, buf->start,
+                                              btrfs_header_level(buf), 1,
+                                              &refs, &flags);
+diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
+index 9419f4e37a58c..ff40acd63a374 100644
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -540,7 +540,8 @@ int btrfs_copy_root(struct btrfs_trans_handle *trans,
+                     struct btrfs_root *root,
+                     struct extent_buffer *buf,
+                     struct extent_buffer **cow_ret, u64 new_root_objectid);
+-int btrfs_block_can_be_shared(struct btrfs_root *root,
++int btrfs_block_can_be_shared(struct btrfs_trans_handle *trans,
++                            struct btrfs_root *root,
+                             struct extent_buffer *buf);
+ int btrfs_del_ptr(struct btrfs_trans_handle *trans, struct btrfs_root *root,
+                 struct btrfs_path *path, int level, int slot);
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index d69a331a6d113..62ed57551824c 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -466,6 +466,7 @@ static bool handle_useless_nodes(struct reloc_control *rc,
+  * cached.
+  */
+ static noinline_for_stack struct btrfs_backref_node *build_backref_tree(
++                      struct btrfs_trans_handle *trans,
+                       struct reloc_control *rc, struct btrfs_key *node_key,
+                       int level, u64 bytenr)
+ {
+@@ -499,8 +500,8 @@ static noinline_for_stack struct btrfs_backref_node *build_backref_tree(
+       /* Breadth-first search to build backref cache */
+       do {
+-              ret = btrfs_backref_add_tree_node(cache, path, iter, node_key,
+-                                                cur);
++              ret = btrfs_backref_add_tree_node(trans, cache, path, iter,
++                                                node_key, cur);
+               if (ret < 0) {
+                       err = ret;
+                       goto out;
+@@ -2803,7 +2804,7 @@ int relocate_tree_blocks(struct btrfs_trans_handle *trans,
+       /* Do tree relocation */
+       rbtree_postorder_for_each_entry_safe(block, next, blocks, rb_node) {
+-              node = build_backref_tree(rc, &block->key,
++              node = build_backref_tree(trans, rc, &block->key,
+                                         block->level, block->bytenr);
+               if (IS_ERR(node)) {
+                       err = PTR_ERR(node);
+-- 
+2.42.0
+
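Review bot: In the fs/btrfs/ctree.c hunk, btrfs_block_can_be_shared() now reads `trans->transid` whenever `buf == root->commit_root`, yet the header comment still says only "check if the tree block can be shared by multiple trees" and nowhere states that @trans must be a valid handle. The call paths touched by this patch (update_ref_for_cow(), and handle_indirect_tree_backref() reached through btrfs_backref_add_tree_node() and build_backref_tree() from relocate_tree_blocks()) all forward a handle, so it looks safe here, but the hunks cannot confirm that every caller in a 6.5 tree does. I would extend the header comment with `@trans: transaction handle, must not be NULL; its transid is compared with the generation of @buf when @buf is the commit root`. A wrong answer from this helper is what produced the unwritten extent buffer described in the commit message, so the contract is worth stating at the definition. The explanatory comment inside the function begins outside the hunk, so its wording should also be checked against the new commit-root case.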
diff --git a/queue-6.5/btrfs-remove-v0-extent-handling.patch b/queue-6.5/btrfs-remove-v0-extent-handling.patch
new file mode 100644 (file)
index 0000000..12e1164
--- /dev/null
@@ -0,0 +1,312 @@
+From b3fe10d1e2394dc1c147a22f83e7f286f6e1f354 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Aug 2023 19:02:11 +0800
+Subject: btrfs: remove v0 extent handling
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 182741d287fb1ea870ee6ef45aa1915a0b031233 ]
+
+The v0 extent item has been deprecated for a long time, and we don't have
+any report from the community either.
+
+So it's time to remove the v0 extent specific error handling, and just
+treat them as regular extent tree corruption.
+
+This patch would remove the btrfs_print_v0_err() helper, and enhance the
+involved error handling to treat them just as any extent tree
+corruption. No reports regarding v0 extents have been seen since the
+graceful handling was added in 2018.
+
+This involves:
+
+- btrfs_backref_add_tree_node()
+  This change is a little tricky, the new code is changed to only handle
+  BTRFS_TREE_BLOCK_REF_KEY and BTRFS_SHARED_BLOCK_REF_KEY.
+
+  But this is safe, as we have rejected any unknown inline refs through
+  btrfs_get_extent_inline_ref_type().
+  For keyed backrefs, we're safe to skip anything we don't know (that's
+  if it can pass tree-checker in the first place).
+
+- btrfs_lookup_extent_info()
+- lookup_inline_extent_backref()
+- run_delayed_extent_op()
+- __btrfs_free_extent()
+- add_tree_block()
+  Regular error handling of unexpected extent tree item, and abort
+  transaction (if we have a trans handle).
+
+- remove_extent_data_ref()
+  It's pretty much the same as the regular rejection of unknown backref
+  key.
+  But for this particular case, we can also remove a BUG_ON().
+
+- extent_data_ref_count()
+  We can remove the BTRFS_EXTENT_REF_V0_KEY BUG_ON(), as it would be
+  rejected by the only caller.
+
+- btrfs_print_leaf()
+  Remove the handling for BTRFS_EXTENT_REF_V0_KEY.
+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: eb96e221937a ("btrfs: fix unwritten extent buffer after snapshotting a new subvolume")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/backref.c              | 29 +++++++++++----------------
+ fs/btrfs/extent-tree.c          | 35 ++++++++++++++++++++-------------
+ fs/btrfs/messages.c             |  6 ------
+ fs/btrfs/messages.h             |  2 --
+ fs/btrfs/print-tree.c           | 10 ++++------
+ fs/btrfs/relocation.c           | 11 ++++++-----
+ include/trace/events/btrfs.h    |  1 -
+ include/uapi/linux/btrfs_tree.h |  6 +++++-
+ 8 files changed, 48 insertions(+), 52 deletions(-)
+
+diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c
+index 79336fa853db3..b7d54efb47288 100644
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -3373,7 +3373,6 @@ int btrfs_backref_add_tree_node(struct btrfs_backref_cache *cache,
+                               struct btrfs_key *node_key,
+                               struct btrfs_backref_node *cur)
+ {
+-      struct btrfs_fs_info *fs_info = cache->fs_info;
+       struct btrfs_backref_edge *edge;
+       struct btrfs_backref_node *exist;
+       int ret;
+@@ -3462,25 +3461,21 @@ int btrfs_backref_add_tree_node(struct btrfs_backref_cache *cache,
+                       ret = handle_direct_tree_backref(cache, &key, cur);
+                       if (ret < 0)
+                               goto out;
+-                      continue;
+-              } else if (unlikely(key.type == BTRFS_EXTENT_REF_V0_KEY)) {
+-                      ret = -EINVAL;
+-                      btrfs_print_v0_err(fs_info);
+-                      btrfs_handle_fs_error(fs_info, ret, NULL);
+-                      goto out;
+-              } else if (key.type != BTRFS_TREE_BLOCK_REF_KEY) {
+-                      continue;
++              } else if (key.type == BTRFS_TREE_BLOCK_REF_KEY) {
++                      /*
++                       * key.type == BTRFS_TREE_BLOCK_REF_KEY, inline ref
++                       * offset means the root objectid. We need to search
++                       * the tree to get its parent bytenr.
++                       */
++                      ret = handle_indirect_tree_backref(cache, path, &key, node_key,
++                                                         cur);
++                      if (ret < 0)
++                              goto out;
+               }
+-
+               /*
+-               * key.type == BTRFS_TREE_BLOCK_REF_KEY, inline ref offset
+-               * means the root objectid. We need to search the tree to get
+-               * its parent bytenr.
++               * Unrecognized tree backref items (if it can pass tree-checker)
++               * would be ignored.
+                */
+-              ret = handle_indirect_tree_backref(cache, path, &key, node_key,
+-                                                 cur);
+-              if (ret < 0)
+-                      goto out;
+       }
+       ret = 0;
+       cur->checked = 1;
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 2cf8d646085c2..14ea6b587e97b 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -187,8 +187,10 @@ int btrfs_lookup_extent_info(struct btrfs_trans_handle *trans,
+                       num_refs = btrfs_extent_refs(leaf, ei);
+                       extent_flags = btrfs_extent_flags(leaf, ei);
+               } else {
+-                      ret = -EINVAL;
+-                      btrfs_print_v0_err(fs_info);
++                      ret = -EUCLEAN;
++                      btrfs_err(fs_info,
++                      "unexpected extent item size, has %u expect >= %zu",
++                                item_size, sizeof(*ei));
+                       if (trans)
+                               btrfs_abort_transaction(trans, ret);
+                       else
+@@ -624,12 +626,12 @@ static noinline int remove_extent_data_ref(struct btrfs_trans_handle *trans,
+               ref2 = btrfs_item_ptr(leaf, path->slots[0],
+                                     struct btrfs_shared_data_ref);
+               num_refs = btrfs_shared_data_ref_count(leaf, ref2);
+-      } else if (unlikely(key.type == BTRFS_EXTENT_REF_V0_KEY)) {
+-              btrfs_print_v0_err(trans->fs_info);
+-              btrfs_abort_transaction(trans, -EINVAL);
+-              return -EINVAL;
+       } else {
+-              BUG();
++              btrfs_err(trans->fs_info,
++                        "unrecognized backref key (%llu %u %llu)",
++                        key.objectid, key.type, key.offset);
++              btrfs_abort_transaction(trans, -EUCLEAN);
++              return -EUCLEAN;
+       }
+       BUG_ON(num_refs < refs_to_drop);
+@@ -660,7 +662,6 @@ static noinline u32 extent_data_ref_count(struct btrfs_path *path,
+       leaf = path->nodes[0];
+       btrfs_item_key_to_cpu(leaf, &key, path->slots[0]);
+-      BUG_ON(key.type == BTRFS_EXTENT_REF_V0_KEY);
+       if (iref) {
+               /*
+                * If type is invalid, we should have bailed out earlier than
+@@ -881,8 +882,10 @@ int lookup_inline_extent_backref(struct btrfs_trans_handle *trans,
+       leaf = path->nodes[0];
+       item_size = btrfs_item_size(leaf, path->slots[0]);
+       if (unlikely(item_size < sizeof(*ei))) {
+-              err = -EINVAL;
+-              btrfs_print_v0_err(fs_info);
++              err = -EUCLEAN;
++              btrfs_err(fs_info,
++                        "unexpected extent item size, has %llu expect >= %zu",
++                        item_size, sizeof(*ei));
+               btrfs_abort_transaction(trans, err);
+               goto out;
+       }
+@@ -1683,8 +1686,10 @@ static int run_delayed_extent_op(struct btrfs_trans_handle *trans,
+       item_size = btrfs_item_size(leaf, path->slots[0]);
+       if (unlikely(item_size < sizeof(*ei))) {
+-              err = -EINVAL;
+-              btrfs_print_v0_err(fs_info);
++              err = -EUCLEAN;
++              btrfs_err(fs_info,
++                        "unexpected extent item size, has %u expect >= %zu",
++                        item_size, sizeof(*ei));
+               btrfs_abort_transaction(trans, err);
+               goto out;
+       }
+@@ -3113,8 +3118,10 @@ static int __btrfs_free_extent(struct btrfs_trans_handle *trans,
+       leaf = path->nodes[0];
+       item_size = btrfs_item_size(leaf, extent_slot);
+       if (unlikely(item_size < sizeof(*ei))) {
+-              ret = -EINVAL;
+-              btrfs_print_v0_err(info);
++              ret = -EUCLEAN;
++              btrfs_err(trans->fs_info,
++                        "unexpected extent item size, has %u expect >= %zu",
++                        item_size, sizeof(*ei));
+               btrfs_abort_transaction(trans, ret);
+               goto out;
+       }
+diff --git a/fs/btrfs/messages.c b/fs/btrfs/messages.c
+index 23fc11af498ac..21f2d101f681d 100644
+--- a/fs/btrfs/messages.c
++++ b/fs/btrfs/messages.c
+@@ -252,12 +252,6 @@ void __cold _btrfs_printk(const struct btrfs_fs_info *fs_info, const char *fmt,
+ }
+ #endif
+-void __cold btrfs_print_v0_err(struct btrfs_fs_info *fs_info)
+-{
+-      btrfs_err(fs_info,
+-"Unsupported V0 extent filesystem detected. Aborting. Please re-create your filesystem with a newer kernel");
+-}
+-
+ #if BITS_PER_LONG == 32
+ void __cold btrfs_warn_32bit_limit(struct btrfs_fs_info *fs_info)
+ {
+diff --git a/fs/btrfs/messages.h b/fs/btrfs/messages.h
+index deedc1a168e24..1ae6f8e23e071 100644
+--- a/fs/btrfs/messages.h
++++ b/fs/btrfs/messages.h
+@@ -181,8 +181,6 @@ do {                                                               \
+ #define ASSERT(expr)  (void)(expr)
+ #endif
+-void __cold btrfs_print_v0_err(struct btrfs_fs_info *fs_info);
+-
+ __printf(5, 6)
+ __cold
+ void __btrfs_handle_fs_error(struct btrfs_fs_info *fs_info, const char *function,
+diff --git a/fs/btrfs/print-tree.c b/fs/btrfs/print-tree.c
+index aa06d9ca911d9..0c93439e929fb 100644
+--- a/fs/btrfs/print-tree.c
++++ b/fs/btrfs/print-tree.c
+@@ -95,8 +95,10 @@ static void print_extent_item(const struct extent_buffer *eb, int slot, int type
+       int ref_index = 0;
+       if (unlikely(item_size < sizeof(*ei))) {
+-              btrfs_print_v0_err(eb->fs_info);
+-              btrfs_handle_fs_error(eb->fs_info, -EINVAL, NULL);
++              btrfs_err(eb->fs_info,
++                        "unexpected extent item size, has %u expect >= %zu",
++                        item_size, sizeof(*ei));
++              btrfs_handle_fs_error(eb->fs_info, -EUCLEAN, NULL);
+       }
+       ei = btrfs_item_ptr(eb, slot, struct btrfs_extent_item);
+@@ -291,10 +293,6 @@ void btrfs_print_leaf(const struct extent_buffer *l)
+                              btrfs_file_extent_num_bytes(l, fi),
+                              btrfs_file_extent_ram_bytes(l, fi));
+                       break;
+-              case BTRFS_EXTENT_REF_V0_KEY:
+-                      btrfs_print_v0_err(fs_info);
+-                      btrfs_handle_fs_error(fs_info, -EINVAL, NULL);
+-                      break;
+               case BTRFS_BLOCK_GROUP_ITEM_KEY:
+                       bi = btrfs_item_ptr(l, i,
+                                           struct btrfs_block_group_item);
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 5f4ff7d5b5c19..d69a331a6d113 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -3256,12 +3256,13 @@ static int add_tree_block(struct reloc_control *rc,
+                       if (type == BTRFS_TREE_BLOCK_REF_KEY)
+                               owner = btrfs_extent_inline_ref_offset(eb, iref);
+               }
+-      } else if (unlikely(item_size == sizeof(struct btrfs_extent_item_v0))) {
+-              btrfs_print_v0_err(eb->fs_info);
+-              btrfs_handle_fs_error(eb->fs_info, -EINVAL, NULL);
+-              return -EINVAL;
+       } else {
+-              BUG();
++              btrfs_print_leaf(eb);
++              btrfs_err(rc->block_group->fs_info,
++                        "unrecognized tree backref at tree block %llu slot %u",
++                        eb->start, path->slots[0]);
++              btrfs_release_path(path);
++              return -EUCLEAN;
+       }
+       btrfs_release_path(path);
+diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h
+index a8206f5332e99..da0734b182f2f 100644
+--- a/include/trace/events/btrfs.h
++++ b/include/trace/events/btrfs.h
+@@ -38,7 +38,6 @@ struct find_free_extent_ctl;
+       __print_symbolic(type,                                          \
+               { BTRFS_TREE_BLOCK_REF_KEY,     "TREE_BLOCK_REF" },     \
+               { BTRFS_EXTENT_DATA_REF_KEY,    "EXTENT_DATA_REF" },    \
+-              { BTRFS_EXTENT_REF_V0_KEY,      "EXTENT_REF_V0" },      \
+               { BTRFS_SHARED_BLOCK_REF_KEY,   "SHARED_BLOCK_REF" },   \
+               { BTRFS_SHARED_DATA_REF_KEY,    "SHARED_DATA_REF" })
+diff --git a/include/uapi/linux/btrfs_tree.h b/include/uapi/linux/btrfs_tree.h
+index ab38d0f411fa4..fc3c32186d7eb 100644
+--- a/include/uapi/linux/btrfs_tree.h
++++ b/include/uapi/linux/btrfs_tree.h
+@@ -220,7 +220,11 @@
+ #define BTRFS_EXTENT_DATA_REF_KEY     178
+-#define BTRFS_EXTENT_REF_V0_KEY               180
++/*
++ * Obsolete key. Defintion removed in 6.6, value may be reused in the future.
++ *
++ * #define BTRFS_EXTENT_REF_V0_KEY    180
++ */
+ #define BTRFS_SHARED_BLOCK_REF_KEY    182
+-- 
+2.42.0
+
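Review bot: In `print_extent_item()` (fs/btrfs/print-tree.c) the rewritten `item_size < sizeof(*ei)` branch still falls through after logging, so the next line takes `btrfs_item_ptr(eb, slot, struct btrfs_extent_item)` on an item the code has just reported as shorter than the structure. The same size check in `lookup_inline_extent_backref()`, `run_delayed_extent_op()` and `__btrfs_free_extent()` does `goto out` in this patch. Adding `return;` after `btrfs_handle_fs_error(eb->fs_info, -EUCLEAN, NULL);` would keep the printer from decoding fields of an undersized on-disk item. The rest of the function body is outside the hunk, so how far those reads go is inferred. Separately, `BUG_ON(num_refs < refs_to_drop);` stays in `remove_extent_data_ref()` directly after the new `-EUCLEAN` branch; since the patch's stated aim is to treat bad extent items as ordinary corruption, that count (which appears to come from the leaf) could take the same `btrfs_abort_transaction(trans, -EUCLEAN)` path instead of crashing.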
diff --git a/queue-6.5/clk-ti-fix-missing-omap4-mcbsp-functional-clock-and-.patch b/queue-6.5/clk-ti-fix-missing-omap4-mcbsp-functional-clock-and-.patch
new file mode 100644 (file)
index 0000000..638df3a
--- /dev/null
@@ -0,0 +1,103 @@
+From ee73007bfdcfe85432af4d890118a676b0331fbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Oct 2023 10:15:56 +0300
+Subject: clk: ti: Fix missing omap4 mcbsp functional clock and aliases
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit cc2d819dd7df94a72bde7b9b9331a6535084092d ]
+
+We are using a wrong mcbsp functional clock. The interconnect target module
+driver provided clock for mcbsp is not same as the mcbsp functional clock
+known as the gfclk main_clk. The mcbsp functional clocks for mcbsp should
+have been added before we dropped the legacy platform data.
+
+Additionally we are also missing the clock aliases for the clocks used by
+the audio driver if reparenting is needed. This causes audio driver errors
+like "CLKS: could not clk_get() prcm_fck" for mcbsp as reported by Andreas.
+The mcbsp clock aliases too should have been added before we dropped the
+legacy platform data.
+
+Let's add the clocks and aliases with a single patch to fix the issue.
+
+Fixes: 349355ce3a05 ("ARM: OMAP2+: Drop legacy platform data for omap4 mcbsp")
+Reported-by: Andreas Kemnade <andreas@kemnade.info>
+Reported-by: Péter Ujfalusi <peter.ujfalusi@gmail.com>
+Acked-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/ti/omap/omap4-l4-abe.dtsi | 6 ++++++
+ arch/arm/boot/dts/ti/omap/omap4-l4.dtsi     | 2 ++
+ drivers/clk/ti/clk-44xx.c                   | 5 +++++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/arch/arm/boot/dts/ti/omap/omap4-l4-abe.dtsi b/arch/arm/boot/dts/ti/omap/omap4-l4-abe.dtsi
+index 7ae8b620515c5..59f546a278f87 100644
+--- a/arch/arm/boot/dts/ti/omap/omap4-l4-abe.dtsi
++++ b/arch/arm/boot/dts/ti/omap/omap4-l4-abe.dtsi
+@@ -109,6 +109,8 @@
+                               reg = <0x0 0xff>, /* MPU private access */
+                                     <0x49022000 0xff>; /* L3 Interconnect */
+                               reg-names = "mpu", "dma";
++                              clocks = <&abe_clkctrl OMAP4_MCBSP1_CLKCTRL 24>;
++                              clock-names = "fck";
+                               interrupts = <GIC_SPI 17 IRQ_TYPE_LEVEL_HIGH>;
+                               interrupt-names = "common";
+                               ti,buffer-size = <128>;
+@@ -142,6 +144,8 @@
+                               reg = <0x0 0xff>, /* MPU private access */
+                                     <0x49024000 0xff>; /* L3 Interconnect */
+                               reg-names = "mpu", "dma";
++                              clocks = <&abe_clkctrl OMAP4_MCBSP2_CLKCTRL 24>;
++                              clock-names = "fck";
+                               interrupts = <GIC_SPI 22 IRQ_TYPE_LEVEL_HIGH>;
+                               interrupt-names = "common";
+                               ti,buffer-size = <128>;
+@@ -175,6 +179,8 @@
+                               reg = <0x0 0xff>, /* MPU private access */
+                                     <0x49026000 0xff>; /* L3 Interconnect */
+                               reg-names = "mpu", "dma";
++                              clocks = <&abe_clkctrl OMAP4_MCBSP3_CLKCTRL 24>;
++                              clock-names = "fck";
+                               interrupts = <GIC_SPI 23 IRQ_TYPE_LEVEL_HIGH>;
+                               interrupt-names = "common";
+                               ti,buffer-size = <128>;
+diff --git a/arch/arm/boot/dts/ti/omap/omap4-l4.dtsi b/arch/arm/boot/dts/ti/omap/omap4-l4.dtsi
+index 46b8f9efd4131..3fcef3080eaec 100644
+--- a/arch/arm/boot/dts/ti/omap/omap4-l4.dtsi
++++ b/arch/arm/boot/dts/ti/omap/omap4-l4.dtsi
+@@ -2043,6 +2043,8 @@
+                               compatible = "ti,omap4-mcbsp";
+                               reg = <0x0 0xff>; /* L4 Interconnect */
+                               reg-names = "mpu";
++                              clocks = <&l4_per_clkctrl OMAP4_MCBSP4_CLKCTRL 24>;
++                              clock-names = "fck";
+                               interrupts = <GIC_SPI 16 IRQ_TYPE_LEVEL_HIGH>;
+                               interrupt-names = "common";
+                               ti,buffer-size = <128>;
+diff --git a/drivers/clk/ti/clk-44xx.c b/drivers/clk/ti/clk-44xx.c
+index 868bc7af21b0b..9b2824ed785b9 100644
+--- a/drivers/clk/ti/clk-44xx.c
++++ b/drivers/clk/ti/clk-44xx.c
+@@ -749,9 +749,14 @@ static struct ti_dt_clk omap44xx_clks[] = {
+       DT_CLK(NULL, "mcbsp1_sync_mux_ck", "abe-clkctrl:0028:26"),
+       DT_CLK(NULL, "mcbsp2_sync_mux_ck", "abe-clkctrl:0030:26"),
+       DT_CLK(NULL, "mcbsp3_sync_mux_ck", "abe-clkctrl:0038:26"),
++      DT_CLK("40122000.mcbsp", "prcm_fck", "abe-clkctrl:0028:26"),
++      DT_CLK("40124000.mcbsp", "prcm_fck", "abe-clkctrl:0030:26"),
++      DT_CLK("40126000.mcbsp", "prcm_fck", "abe-clkctrl:0038:26"),
+       DT_CLK(NULL, "mcbsp4_sync_mux_ck", "l4-per-clkctrl:00c0:26"),
++      DT_CLK("48096000.mcbsp", "prcm_fck", "l4-per-clkctrl:00c0:26"),
+       DT_CLK(NULL, "ocp2scp_usb_phy_phy_48m", "l3-init-clkctrl:00c0:8"),
+       DT_CLK(NULL, "otg_60m_gfclk", "l3-init-clkctrl:0040:24"),
++      DT_CLK(NULL, "pad_fck", "pad_clks_ck"),
+       DT_CLK(NULL, "per_mcbsp4_gfclk", "l4-per-clkctrl:00c0:24"),
+       DT_CLK(NULL, "pmd_stm_clock_mux_ck", "emu-sys-clkctrl:0000:20"),
+       DT_CLK(NULL, "pmd_trace_clk_mux_ck", "emu-sys-clkctrl:0000:22"),
+-- 
+2.42.0
+
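Review bot: The new `prcm_fck` aliases in `omap44xx_clks[]` hard-code device names such as `"40122000.mcbsp"` and `"48096000.mcbsp"`, and nothing in the table says where those strings come from or which nodes they must track. The mcbsp nodes touched in the .dtsi hunks show only `reg = <0x0 0xff>` and an L3 address, so a reader cannot check the names against the device tree from here. A mismatch would presumably reproduce the `could not clk_get() prcm_fck` error the commit message describes. A one-line comment above the aliases would document the coupling, for example `/* dev_id must equal the mcbsp platform device name (translated node address); used by the audio driver for reparenting */`. The same applies to the three aliases added to `omap54xx_clks[]` in the omap5 patch that follows.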
diff --git a/queue-6.5/clk-ti-fix-missing-omap5-mcbsp-functional-clock-and-.patch b/queue-6.5/clk-ti-fix-missing-omap5-mcbsp-functional-clock-and-.patch
new file mode 100644 (file)
index 0000000..0476e1d
--- /dev/null
@@ -0,0 +1,97 @@
+From 257d43fdcd6b3fc3d33c5efc0dc88693a068ad93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Oct 2023 10:15:56 +0300
+Subject: clk: ti: Fix missing omap5 mcbsp functional clock and aliases
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 0b9a4a67c60d3e15b39a69d480a50ce7eeff9bc1 ]
+
+We are using a wrong mcbsp functional clock. The interconnect target module
+driver provided clock for mcbsp is not same as the mcbsp functional clock
+known as the gfclk main_clk. The mcbsp functional clocks for mcbsp should
+have been added before we dropped the legacy platform data.
+
+Additionally we are also missing the clock aliases for the clocks used by
+the audio driver if reparenting is needed. This causes audio driver errors
+like "CLKS: could not clk_get() prcm_fck" for mcbsp as reported by Andreas.
+The mcbsp clock aliases too should have been added before we dropped the
+legacy platform data.
+
+Let's add the clocks and aliases with a single patch to fix the issue
+similar to omap4. On omap5, there is no mcbsp4 instance on the l4_per
+interconnect.
+
+Fixes: b1da0fa21bd1 ("ARM: OMAP2+: Drop legacy platform data for omap5 mcbsp")
+Cc: H. Nikolaus Schaller <hns@goldelico.com>
+Reported-by: Andreas Kemnade <andreas@kemnade.info>
+Reported-by: Péter Ujfalusi <peter.ujfalusi@gmail.com>
+Acked-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/ti/omap/omap5-l4-abe.dtsi | 6 ++++++
+ drivers/clk/ti/clk-54xx.c                   | 4 ++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/arch/arm/boot/dts/ti/omap/omap5-l4-abe.dtsi b/arch/arm/boot/dts/ti/omap/omap5-l4-abe.dtsi
+index a03bca5a35844..97b0c3b5f573f 100644
+--- a/arch/arm/boot/dts/ti/omap/omap5-l4-abe.dtsi
++++ b/arch/arm/boot/dts/ti/omap/omap5-l4-abe.dtsi
+@@ -109,6 +109,8 @@
+                               reg = <0x0 0xff>, /* MPU private access */
+                                     <0x49022000 0xff>; /* L3 Interconnect */
+                               reg-names = "mpu", "dma";
++                              clocks = <&abe_clkctrl OMAP5_MCBSP1_CLKCTRL 24>;
++                              clock-names = "fck";
+                               interrupts = <GIC_SPI 17 IRQ_TYPE_LEVEL_HIGH>;
+                               interrupt-names = "common";
+                               ti,buffer-size = <128>;
+@@ -142,6 +144,8 @@
+                               reg = <0x0 0xff>, /* MPU private access */
+                                     <0x49024000 0xff>; /* L3 Interconnect */
+                               reg-names = "mpu", "dma";
++                              clocks = <&abe_clkctrl OMAP5_MCBSP2_CLKCTRL 24>;
++                              clock-names = "fck";
+                               interrupts = <GIC_SPI 22 IRQ_TYPE_LEVEL_HIGH>;
+                               interrupt-names = "common";
+                               ti,buffer-size = <128>;
+@@ -175,6 +179,8 @@
+                               reg = <0x0 0xff>, /* MPU private access */
+                                     <0x49026000 0xff>; /* L3 Interconnect */
+                               reg-names = "mpu", "dma";
++                              clocks = <&abe_clkctrl OMAP5_MCBSP3_CLKCTRL 24>;
++                              clock-names = "fck";
+                               interrupts = <GIC_SPI 23 IRQ_TYPE_LEVEL_HIGH>;
+                               interrupt-names = "common";
+                               ti,buffer-size = <128>;
+diff --git a/drivers/clk/ti/clk-54xx.c b/drivers/clk/ti/clk-54xx.c
+index b4aff76eb3735..74dfd5823f835 100644
+--- a/drivers/clk/ti/clk-54xx.c
++++ b/drivers/clk/ti/clk-54xx.c
+@@ -565,15 +565,19 @@ static struct ti_dt_clk omap54xx_clks[] = {
+       DT_CLK(NULL, "gpio8_dbclk", "l4per-clkctrl:00f8:8"),
+       DT_CLK(NULL, "mcbsp1_gfclk", "abe-clkctrl:0028:24"),
+       DT_CLK(NULL, "mcbsp1_sync_mux_ck", "abe-clkctrl:0028:26"),
++      DT_CLK("40122000.mcbsp", "prcm_fck", "abe-clkctrl:0028:26"),
+       DT_CLK(NULL, "mcbsp2_gfclk", "abe-clkctrl:0030:24"),
+       DT_CLK(NULL, "mcbsp2_sync_mux_ck", "abe-clkctrl:0030:26"),
++      DT_CLK("40124000.mcbsp", "prcm_fck", "abe-clkctrl:0030:26"),
+       DT_CLK(NULL, "mcbsp3_gfclk", "abe-clkctrl:0038:24"),
+       DT_CLK(NULL, "mcbsp3_sync_mux_ck", "abe-clkctrl:0038:26"),
++      DT_CLK("40126000.mcbsp", "prcm_fck", "abe-clkctrl:0038:26"),
+       DT_CLK(NULL, "mmc1_32khz_clk", "l3init-clkctrl:0008:8"),
+       DT_CLK(NULL, "mmc1_fclk", "l3init-clkctrl:0008:25"),
+       DT_CLK(NULL, "mmc1_fclk_mux", "l3init-clkctrl:0008:24"),
+       DT_CLK(NULL, "mmc2_fclk", "l3init-clkctrl:0010:25"),
+       DT_CLK(NULL, "mmc2_fclk_mux", "l3init-clkctrl:0010:24"),
++      DT_CLK(NULL, "pad_fck", "pad_clks_ck"),
+       DT_CLK(NULL, "sata_ref_clk", "l3init-clkctrl:0068:8"),
+       DT_CLK(NULL, "timer10_gfclk_mux", "l4per-clkctrl:0008:24"),
+       DT_CLK(NULL, "timer11_gfclk_mux", "l4per-clkctrl:0010:24"),
+-- 
+2.42.0
+
diff --git a/queue-6.5/drm-i915-mcr-hold-gt-forcewake-during-steering-opera.patch b/queue-6.5/drm-i915-mcr-hold-gt-forcewake-during-steering-opera.patch
new file mode 100644 (file)
index 0000000..004b4a3
--- /dev/null
@@ -0,0 +1,91 @@
+From 7bb19663c9d4e8e95f794c50d467e1fc1afbcec7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 10:02:42 -0700
+Subject: drm/i915/mcr: Hold GT forcewake during steering operations
+
+From: Matt Roper <matthew.d.roper@intel.com>
+
+[ Upstream commit 78cc55e0b64c820673a796635daf82c7eadfe152 ]
+
+The steering control and semaphore registers are inside an "always on"
+power domain with respect to RC6.  However there are some issues if
+higher-level platform sleep states are entering/exiting at the same time
+these registers are accessed.  Grabbing GT forcewake and holding it over
+the entire lock/steer/unlock cycle ensures that those sleep states have
+been fully exited before we access these registers.
+
+This is expected to become a formally documented/numbered workaround
+soon.
+
+Note that this patch alone isn't expected to have an immediately
+noticeable impact on MCR (mis)behavior; an upcoming pcode firmware
+update will also be necessary to provide the other half of this
+workaround.
+
+v2:
+ - Move the forcewake inside the Xe_LPG-specific IP version check.  This
+   should only be necessary on platforms that have a steering semaphore.
+
+Fixes: 3100240bf846 ("drm/i915/mtl: Add hardware-level lock for steering")
+Cc: Radhakrishna Sripada <radhakrishna.sripada@intel.com>
+Cc: Jonathan Cavitt <jonathan.cavitt@intel.com>
+Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
+Reviewed-by: Radhakrishna Sripada <radhakrishna.sripada@intel.com>
+Reviewed-by: Jonathan Cavitt <jonathan.cavitt@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231019170241.2102037-2-matthew.d.roper@intel.com
+(cherry picked from commit 8fa1c7cd1fe9cdfc426a603e1f1eecd3f463c487)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_gt_mcr.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_gt_mcr.c b/drivers/gpu/drm/i915/gt/intel_gt_mcr.c
+index 0b414eae16831..2c0f1f3e28ff8 100644
+--- a/drivers/gpu/drm/i915/gt/intel_gt_mcr.c
++++ b/drivers/gpu/drm/i915/gt/intel_gt_mcr.c
+@@ -376,9 +376,26 @@ void intel_gt_mcr_lock(struct intel_gt *gt, unsigned long *flags)
+        * driver threads, but also with hardware/firmware agents.  A dedicated
+        * locking register is used.
+        */
+-      if (GRAPHICS_VER_FULL(gt->i915) >= IP_VER(12, 70))
++      if (GRAPHICS_VER_FULL(gt->i915) >= IP_VER(12, 70)) {
++              /*
++               * The steering control and semaphore registers are inside an
++               * "always on" power domain with respect to RC6.  However there
++               * are some issues if higher-level platform sleep states are
++               * entering/exiting at the same time these registers are
++               * accessed.  Grabbing GT forcewake and holding it over the
++               * entire lock/steer/unlock cycle ensures that those sleep
++               * states have been fully exited before we access these
++               * registers.  This wakeref will be released in the unlock
++               * routine.
++               *
++               * This is expected to become a formally documented/numbered
++               * workaround soon.
++               */
++              intel_uncore_forcewake_get(gt->uncore, FORCEWAKE_GT);
++
+               err = wait_for(intel_uncore_read_fw(gt->uncore,
+                                                   MTL_STEER_SEMAPHORE) == 0x1, 100);
++      }
+       /*
+        * Even on platforms with a hardware lock, we'll continue to grab
+@@ -415,8 +432,11 @@ void intel_gt_mcr_unlock(struct intel_gt *gt, unsigned long flags)
+ {
+       spin_unlock_irqrestore(&gt->mcr_lock, flags);
+-      if (GRAPHICS_VER_FULL(gt->i915) >= IP_VER(12, 70))
++      if (GRAPHICS_VER_FULL(gt->i915) >= IP_VER(12, 70)) {
+               intel_uncore_write_fw(gt->uncore, MTL_STEER_SEMAPHORE, 0x1);
++
++              intel_uncore_forcewake_put(gt->uncore, FORCEWAKE_GT);
++      }
+ }
+ /**
+-- 
+2.42.0
+
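Review bot: `intel_gt_mcr_unlock()` gets no comment for the ordering it now depends on, while the lock side has a long one. The `MTL_STEER_SEMAPHORE` write must be issued before `intel_uncore_forcewake_put()`, and the put must sit under the same `IP_VER(12, 70)` condition as the get in `intel_gt_mcr_lock()`, or the wakeref count goes unbalanced. I would add `/* Release the semaphore first, then drop the GT wakeref taken in intel_gt_mcr_lock() */` above the write. The wakeref is taken before `wait_for()`, so it is held even when the semaphore wait times out; `err` is handled outside the hunk, so the kernel-doc of the lock function (also outside the hunk) should say that callers always get a wakeref that only the unlock call releases.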
diff --git a/queue-6.5/drm-i915-perf-determine-context-valid-in-oa-reports.patch b/queue-6.5/drm-i915-perf-determine-context-valid-in-oa-reports.patch
new file mode 100644 (file)
index 0000000..c243694
--- /dev/null
@@ -0,0 +1,55 @@
+From aa421104e17f265ecb7ce60a8230a96facf4fcd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Aug 2023 13:28:54 -0700
+Subject: drm/i915/perf: Determine context valid in OA reports
+
+From: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>
+
+[ Upstream commit cba94bbcff08d209710dd7bdc139caad675a6f8d ]
+
+When supporting OA for TGL, it was seen that the context valid bit in
+the report ID was not defined, however revisiting the spec seems to have
+this bit defined. The bit is used to determine if a context is valid on
+a context switch and is essential to determine active and idle periods
+for a context. Re-enable the context valid bit for gen12 platforms.
+
+BSpec: 52196 (description of report_id)
+
+v2: Include BSpec reference (Ashutosh)
+
+Fixes: 00a7f0d7155c ("drm/i915/tgl: Add perf support on TGL")
+Signed-off-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>
+Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230802202854.1224547-1-umesh.nerlige.ramappa@intel.com
+(cherry picked from commit 7eeaedf79989a8f131939782832e21e9218ed2a0)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/i915_perf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_perf.c b/drivers/gpu/drm/i915/i915_perf.c
+index 49c6f1ff11284..331685e1b7b7d 100644
+--- a/drivers/gpu/drm/i915/i915_perf.c
++++ b/drivers/gpu/drm/i915/i915_perf.c
+@@ -482,8 +482,7 @@ static void oa_report_id_clear(struct i915_perf_stream *stream, u32 *report)
+ static bool oa_report_ctx_invalid(struct i915_perf_stream *stream, void *report)
+ {
+       return !(oa_report_id(stream, report) &
+-             stream->perf->gen8_valid_ctx_bit) &&
+-             GRAPHICS_VER(stream->perf->i915) <= 11;
++             stream->perf->gen8_valid_ctx_bit);
+ }
+ static u64 oa_timestamp(struct i915_perf_stream *stream, void *report)
+@@ -5106,6 +5105,7 @@ static void i915_perf_init_info(struct drm_i915_private *i915)
+               perf->gen8_valid_ctx_bit = BIT(16);
+               break;
+       case 12:
++              perf->gen8_valid_ctx_bit = BIT(16);
+               /*
+                * Calculate offset at runtime in oa_pin_context for gen12 and
+                * cache the value in perf->ctx_oactxctrl_offset.
+-- 
+2.42.0
+
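Review bot: With the `GRAPHICS_VER(...) <= 11` guard removed, `oa_report_ctx_invalid()` depends entirely on `perf->gen8_valid_ctx_bit` being non-zero; with a zero mask `!(id & 0)` is always true and every report is classified as context-invalid. The hunk sets the bit for `case 12`, but the rest of the switch in `i915_perf_init_info()` is outside the hunk, so whether every version that can reach the OA parsing code assigns it cannot be confirmed from here. I would document the invariant on the helper, for example `/* Requires a non-zero gen8_valid_ctx_bit; a zero mask marks every report invalid */`, and consider a one-time warning at init when the mask is left unset. The field name also still says `gen8` although it now covers gen12, which a comment at the assignment could note.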
diff --git a/queue-6.5/drm-logicvc-kconfig-select-regmap-and-regmap_mmio.patch b/queue-6.5/drm-logicvc-kconfig-select-regmap-and-regmap_mmio.patch
new file mode 100644 (file)
index 0000000..a888c7c
--- /dev/null
@@ -0,0 +1,42 @@
+From fb32f77b3dcbe36b67aa07c3bf693ce8b7c1cfe0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jun 2023 10:42:07 +0800
+Subject: drm/logicvc: Kconfig: select REGMAP and REGMAP_MMIO
+
+From: Sui Jingfeng <suijingfeng@loongson.cn>
+
+[ Upstream commit 4e6c38c38723a954b85aa9ee62603bb4a37acbb4 ]
+
+drm/logicvc driver is depend on REGMAP and REGMAP_MMIO, should select this
+two kconfig option, otherwise the driver failed to compile on platform
+without REGMAP_MMIO selected:
+
+ERROR: modpost: "__devm_regmap_init_mmio_clk" [drivers/gpu/drm/logicvc/logicvc-drm.ko] undefined!
+make[1]: *** [scripts/Makefile.modpost:136: Module.symvers] Error 1
+make: *** [Makefile:1978: modpost] Error 2
+
+Signed-off-by: Sui Jingfeng <suijingfeng@loongson.cn>
+Acked-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Fixes: efeeaefe9be5 ("drm: Add support for the LogiCVC display controller")
+Link: https://patchwork.freedesktop.org/patch/msgid/20230608024207.581401-1-suijingfeng@loongson.cn
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/logicvc/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/logicvc/Kconfig b/drivers/gpu/drm/logicvc/Kconfig
+index fa7a883688094..1df22a852a23e 100644
+--- a/drivers/gpu/drm/logicvc/Kconfig
++++ b/drivers/gpu/drm/logicvc/Kconfig
+@@ -5,5 +5,7 @@ config DRM_LOGICVC
+       select DRM_KMS_HELPER
+       select DRM_KMS_DMA_HELPER
+       select DRM_GEM_DMA_HELPER
++      select REGMAP
++      select REGMAP_MMIO
+       help
+         DRM display driver for the logiCVC programmable logic block from Xylon
+-- 
+2.42.0
+
diff --git a/queue-6.5/firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch b/queue-6.5/firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch
new file mode 100644 (file)
index 0000000..f58977f
--- /dev/null
@@ -0,0 +1,42 @@
+From 13a8a8d212bc7d1a30c49b927e894b898c9f7f7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Oct 2023 11:29:08 +0800
+Subject: firmware/imx-dsp: Fix use_after_free in imx_dsp_setup_channels()
+
+From: Hao Ge <gehao@kylinos.cn>
+
+[ Upstream commit 1558b1a8dd388f5fcc3abc1e24de854a295044c3 ]
+
+dsp_chan->name and chan_name points to same block of memory,
+because dev_err still needs to be used it,so we need free
+it's memory after use to avoid use_after_free.
+
+Fixes: e527adfb9b7d ("firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels()")
+Signed-off-by: Hao Ge <gehao@kylinos.cn>
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/imx/imx-dsp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/imx/imx-dsp.c b/drivers/firmware/imx/imx-dsp.c
+index 1f410809d3ee4..0f656e4191d5c 100644
+--- a/drivers/firmware/imx/imx-dsp.c
++++ b/drivers/firmware/imx/imx-dsp.c
+@@ -115,11 +115,11 @@ static int imx_dsp_setup_channels(struct imx_dsp_ipc *dsp_ipc)
+               dsp_chan->idx = i % 2;
+               dsp_chan->ch = mbox_request_channel_byname(cl, chan_name);
+               if (IS_ERR(dsp_chan->ch)) {
+-                      kfree(dsp_chan->name);
+                       ret = PTR_ERR(dsp_chan->ch);
+                       if (ret != -EPROBE_DEFER)
+                               dev_err(dev, "Failed to request mbox chan %s ret %d\n",
+                                       chan_name, ret);
++                      kfree(dsp_chan->name);
+                       goto out;
+               }
+-- 
+2.42.0
+
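Review bot: The reason `kfree(dsp_chan->name)` must follow `dev_err()` is not recorded in the code; only the commit message says that `chan_name` and `dsp_chan->name` are the same allocation. A one-line comment above the moved call, such as `/* chan_name aliases dsp_chan->name: free only after the last use */`, would keep the call from drifting back up. After the free, `dsp_chan->name` still holds the stale pointer when control reaches `goto out`. The `out` label is outside the hunk, so whether cleanup there can revisit this channel cannot be confirmed; adding `dsp_chan->name = NULL;` after the `kfree()` would make it harmless either way.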
diff --git a/queue-6.5/gtp-fix-fragmentation-needed-check-with-gso.patch b/queue-6.5/gtp-fix-fragmentation-needed-check-with-gso.patch
new file mode 100644 (file)
index 0000000..effb256
--- /dev/null
@@ -0,0 +1,38 @@
+From a4273208a9f3e6c5dd146958076068bd0f14bc8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Oct 2023 22:25:18 +0200
+Subject: gtp: fix fragmentation needed check with gso
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 4530e5b8e2dad63dcad2206232dd86e4b1489b6c ]
+
+Call skb_gso_validate_network_len() to check if packet is over PMTU.
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index acb20ad4e37eb..477b4d4f860bd 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -871,8 +871,9 @@ static int gtp_build_skb_ip4(struct sk_buff *skb, struct net_device *dev,
+       skb_dst_update_pmtu_no_confirm(skb, mtu);
+-      if (!skb_is_gso(skb) && (iph->frag_off & htons(IP_DF)) &&
+-          mtu < ntohs(iph->tot_len)) {
++      if (iph->frag_off & htons(IP_DF) &&
++          ((!skb_is_gso(skb) && skb->len > mtu) ||
++           (skb_is_gso(skb) && !skb_gso_validate_network_len(skb, mtu)))) {
+               netdev_dbg(dev, "packet too big, fragmentation needed\n");
+               icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
+                             htonl(mtu));
+-- 
+2.42.0
+
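Review bot: The new condition in gtp_build_skb_ip4() applies two different size tests and calls `skb_is_gso(skb)` twice, with nothing in the code saying why. A comment above the `if`, such as `/* GSO skbs are validated per segment, others against their full length */`, would make the intent readable. The non-GSO branch also switches from `ntohs(iph->tot_len)` to `skb->len`, which gives the same result only if `skb->data` sits at the IP header with no trailing bytes at this point. The hunk does not show that, so it is worth confirming. The function starts and ends outside the hunk.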
diff --git a/queue-6.5/gtp-uapi-fix-gtpa_max.patch b/queue-6.5/gtp-uapi-fix-gtpa_max.patch
new file mode 100644 (file)
index 0000000..289efee
--- /dev/null
@@ -0,0 +1,34 @@
+From e53e51a5cbcbb25540a2e915d2e9914e3cef4807 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Oct 2023 22:25:17 +0200
+Subject: gtp: uapi: fix GTPA_MAX
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit adc8df12d91a2b8350b0cd4c7fec3e8546c9d1f8 ]
+
+Subtract one to __GTPA_MAX, otherwise GTPA_MAX is off by 2.
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/gtp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/gtp.h b/include/uapi/linux/gtp.h
+index 2f61298a7b779..3dcdb9e33cba2 100644
+--- a/include/uapi/linux/gtp.h
++++ b/include/uapi/linux/gtp.h
+@@ -33,6 +33,6 @@ enum gtp_attrs {
+       GTPA_PAD,
+       __GTPA_MAX,
+ };
+-#define GTPA_MAX (__GTPA_MAX + 1)
++#define GTPA_MAX (__GTPA_MAX - 1)
+ #endif /* _UAPI_LINUX_GTP_H_ */
+-- 
+2.42.0
+
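Review bot: `GTPA_MAX` is a UAPI constant and its meaning is still undocumented after the fix, which is how the `+ 1` survived. A comment on the define, for example `/* highest valid attribute; size tables as GTPA_MAX + 1 */`, would state the convention the new value follows. The value shrinks by two, so any kernel or userspace table declared with `GTPA_MAX` becomes smaller. No users are visible in this hunk, so it is worth checking that none of them relied on the old, larger size when indexing by attribute.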
diff --git a/queue-6.5/i40e-fix-i40e_flag_vf_vlan_pruning-value.patch b/queue-6.5/i40e-fix-i40e_flag_vf_vlan_pruning-value.patch
new file mode 100644 (file)
index 0000000..bc62c24
--- /dev/null
@@ -0,0 +1,63 @@
+From 0b59e6dea85ad94e8e4b2e914222f76b9ad931af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 18:37:20 +0200
+Subject: i40e: Fix I40E_FLAG_VF_VLAN_PRUNING value
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit 665e7d83c5386f9abdc67b2e4b6e6d9579aadfcb ]
+
+Commit c87c938f62d8f1 ("i40e: Add VF VLAN pruning") added new
+PF flag I40E_FLAG_VF_VLAN_PRUNING but its value collides with
+existing I40E_FLAG_TOTAL_PORT_SHUTDOWN_ENABLED flag.
+
+Move the affected flag at the end of the flags and fix its value.
+
+Reproducer:
+[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close on
+[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 vf-vlan-pruning on
+[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close off
+[ 6323.142585] i40e 0000:02:00.0: Setting link-down-on-close not supported on this port (because total-port-shutdown is enabled)
+netlink error: Operation not supported
+[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 vf-vlan-pruning off
+[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close off
+
+The link-down-on-close flag cannot be modified after setting vf-vlan-pruning
+because vf-vlan-pruning shares the same bit with total-port-shutdown flag
+that prevents any modification of link-down-on-close flag.
+
+Fixes: c87c938f62d8 ("i40e: Add VF VLAN pruning")
+Cc: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Cc: Simon Horman <horms@kernel.org>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h
+index 6e310a5394678..55bb0b5310d5b 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e.h
++++ b/drivers/net/ethernet/intel/i40e/i40e.h
+@@ -580,7 +580,6 @@ struct i40e_pf {
+ #define I40E_FLAG_DISABLE_FW_LLDP             BIT(24)
+ #define I40E_FLAG_RS_FEC                      BIT(25)
+ #define I40E_FLAG_BASE_R_FEC                  BIT(26)
+-#define I40E_FLAG_VF_VLAN_PRUNING             BIT(27)
+ /* TOTAL_PORT_SHUTDOWN
+  * Allows to physically disable the link on the NIC's port.
+  * If enabled, (after link down request from the OS)
+@@ -603,6 +602,7 @@ struct i40e_pf {
+  *   in abilities field of i40e_aq_set_phy_config structure
+  */
+ #define I40E_FLAG_TOTAL_PORT_SHUTDOWN_ENABLED BIT(27)
++#define I40E_FLAG_VF_VLAN_PRUNING             BIT(28)
+       struct i40e_client_instance *cinst;
+       bool stat_offsets_loaded;
+-- 
+2.42.0
+
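Review bot: Nothing in this flag list guards against the same collision recurring, because the values are hand-numbered `BIT(n)` constants and `I40E_FLAG_TOTAL_PORT_SHUTDOWN_ENABLED` sits below a long comment, away from the run it continues. A trailing marker after the new define, such as `/* next free bit: 29 */`, would make the next addition harder to get wrong. The type of the `flags` member is not visible in the hunk, so it is also worth confirming that bit 28 fits.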
diff --git a/queue-6.5/i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch b/queue-6.5/i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch
new file mode 100644 (file)
index 0000000..c03c4c1
--- /dev/null
@@ -0,0 +1,38 @@
+From 2c6341835c8dcdd57a157f2447f0db01c7b222d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Oct 2023 14:27:14 -0700
+Subject: i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit 77a8c982ff0d4c3a14022c6fe9e3dbfb327552ec ]
+
+The I40E_TXR_FLAGS_WB_ON_ITR is i40e_ring flag and not i40e_pf one.
+
+Fixes: 8e0764b4d6be42 ("i40e/i40evf: Add support for writeback on ITR feature for X722")
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://lore.kernel.org/r/20231023212714.178032-1-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_txrx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+index 93485a6824365..b59fef9d7c4ad 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+@@ -2854,7 +2854,7 @@ int i40e_napi_poll(struct napi_struct *napi, int budget)
+               return budget;
+       }
+-      if (vsi->back->flags & I40E_TXR_FLAGS_WB_ON_ITR)
++      if (q_vector->tx.ring[0].flags & I40E_TXR_FLAGS_WB_ON_ITR)
+               q_vector->arm_wb_state = false;
+       /* Exit the polling mode, but don't re-enable interrupts if stack might
+-- 
+2.42.0
+
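Review bot: The new test in i40e_napi_poll() reads `q_vector->tx.ring[0].flags` unconditionally, so it relies on every polled vector having at least one Tx ring attached. The hunk does not show that guarantee. If a vector can have none, a guard such as `if (q_vector->tx.ring && (q_vector->tx.ring[0].flags & I40E_TXR_FLAGS_WB_ON_ITR))` would be needed. Otherwise a short comment should state the invariant. Only the first ring's flag is consulted, which presumably assumes that all Tx rings on a vector share the setting. The function starts and ends outside the hunk.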
diff --git a/queue-6.5/iavf-in-iavf_down-disable-queues-when-removing-the-d.patch b/queue-6.5/iavf-in-iavf_down-disable-queues-when-removing-the-d.patch
new file mode 100644 (file)
index 0000000..b6d88aa
--- /dev/null
@@ -0,0 +1,49 @@
+From 2e3dd3d45c67b0db46f0396f7c4bd52d7f3a8c5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Oct 2023 11:32:13 -0700
+Subject: iavf: in iavf_down, disable queues when removing the driver
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit 53798666648af3aa0dd512c2380576627237a800 ]
+
+In iavf_down, we're skipping the scheduling of certain operations if
+the driver is being removed. However, the IAVF_FLAG_AQ_DISABLE_QUEUES
+request must not be skipped in this case, because iavf_close waits
+for the transition to the __IAVF_DOWN state, which happens in
+iavf_virtchnl_completion after the queues are released.
+
+Without this fix, "rmmod iavf" takes half a second per interface that's
+up and prints the "Device resources not yet released" warning.
+
+Fixes: c8de44b577eb ("iavf: do not process adminq tasks when __IAVF_IN_REMOVE_TASK is set")
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Tested-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://lore.kernel.org/r/20231025183213.874283-1-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 14875cd85a8e3..13bfc9333a8c3 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1437,9 +1437,9 @@ void iavf_down(struct iavf_adapter *adapter)
+                       adapter->aq_required |= IAVF_FLAG_AQ_DEL_FDIR_FILTER;
+               if (!list_empty(&adapter->adv_rss_list_head))
+                       adapter->aq_required |= IAVF_FLAG_AQ_DEL_ADV_RSS_CFG;
+-              adapter->aq_required |= IAVF_FLAG_AQ_DISABLE_QUEUES;
+       }
++      adapter->aq_required |= IAVF_FLAG_AQ_DISABLE_QUEUES;
+       mod_delayed_work(adapter->wq, &adapter->watchdog_task, 0);
+ }
+-- 
+2.42.0
+
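Review bot: The line that now sets `IAVF_FLAG_AQ_DISABLE_QUEUES` outside the conditional block in iavf_down() carries no explanation, and the rationale lives only in the commit message. Without it, the assignment looks like it was left out of the block above by accident and invites being moved back in. A comment such as `/* Requested even during removal: iavf_close() waits for __IAVF_DOWN */` would document the dependency. The condition guarding the block is outside the hunk.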
diff --git a/queue-6.5/iavf-initialize-waitqueues-before-starting-watchdog_.patch b/queue-6.5/iavf-initialize-waitqueues-before-starting-watchdog_.patch
new file mode 100644 (file)
index 0000000..ad40964
--- /dev/null
@@ -0,0 +1,55 @@
+From ce9da8719169cf4553583353126f37726a154df1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 09:13:46 +0200
+Subject: iavf: initialize waitqueues before starting watchdog_task
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit 7db3111043885c146e795c199d39c3f9042d97c0 ]
+
+It is not safe to initialize the waitqueues after queueing the
+watchdog_task. It will be using them.
+
+The chance of this causing a real problem is very small, because
+there will be some sleeping before any of the waitqueues get used.
+I got a crash only after inserting an artificial sleep in iavf_probe.
+
+Queue the watchdog_task as the last step in iavf_probe. Add a comment to
+prevent repeating the mistake.
+
+Fixes: fe2647ab0c99 ("i40evf: prevent VF close returning before state transitions to DOWN")
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 8ea5c0825c3c4..14875cd85a8e3 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -4982,8 +4982,6 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+       INIT_WORK(&adapter->finish_config, iavf_finish_config);
+       INIT_DELAYED_WORK(&adapter->watchdog_task, iavf_watchdog_task);
+       INIT_DELAYED_WORK(&adapter->client_task, iavf_client_task);
+-      queue_delayed_work(adapter->wq, &adapter->watchdog_task,
+-                         msecs_to_jiffies(5 * (pdev->devfn & 0x07)));
+       /* Setup the wait queue for indicating transition to down status */
+       init_waitqueue_head(&adapter->down_waitqueue);
+@@ -4994,6 +4992,9 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+       /* Setup the wait queue for indicating virtchannel events */
+       init_waitqueue_head(&adapter->vc_waitqueue);
++      queue_delayed_work(adapter->wq, &adapter->watchdog_task,
++                         msecs_to_jiffies(5 * (pdev->devfn & 0x07)));
++      /* Initialization goes on in the work. Do not add more of it below. */
+       return 0;
+ err_ioremap:
+-- 
+2.42.0
+
diff --git a/queue-6.5/igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch b/queue-6.5/igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch
new file mode 100644 (file)
index 0000000..5b2b0c1
--- /dev/null
@@ -0,0 +1,47 @@
+From 0c5c602061eb8b4f6e5f69c98351ad60167a04dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 13:40:35 -0700
+Subject: igb: Fix potential memory leak in igb_add_ethtool_nfc_entry
+
+From: Mateusz Palczewski <mateusz.palczewski@intel.com>
+
+[ Upstream commit 8c0b48e01daba5ca58f939a8425855d3f4f2ed14 ]
+
+Add check for return of igb_update_ethtool_nfc_entry so that in case
+of any potential errors the memory alocated for input will be freed.
+
+Fixes: 0e71def25281 ("igb: add support of RX network flow classification")
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_ethtool.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_ethtool.c b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+index 319ed601eaa1e..4ee849985e2b8 100644
+--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c
++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+@@ -2978,11 +2978,15 @@ static int igb_add_ethtool_nfc_entry(struct igb_adapter *adapter,
+       if (err)
+               goto err_out_w_lock;
+-      igb_update_ethtool_nfc_entry(adapter, input, input->sw_idx);
++      err = igb_update_ethtool_nfc_entry(adapter, input, input->sw_idx);
++      if (err)
++              goto err_out_input_filter;
+       spin_unlock(&adapter->nfc_lock);
+       return 0;
++err_out_input_filter:
++      igb_erase_filter(adapter, input);
+ err_out_w_lock:
+       spin_unlock(&adapter->nfc_lock);
+ err_out:
+-- 
+2.42.0
+
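Review bot: The new `err_out_input_filter` path assumes that a failing `igb_update_ethtool_nfc_entry()` has not already linked `input` into the adapter's filter list. The path falls through to `err_out`, where, according to the commit message, `input` is freed. If the helper could fail after inserting the entry, the list would keep a pointer to freed memory. The helper's body and the `err_out` code are outside the hunk, so this should be confirmed. A short comment at the label could then state what has to be undone at that point.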
diff --git a/queue-6.5/igc-fix-ambiguity-in-the-ethtool-advertising.patch b/queue-6.5/igc-fix-ambiguity-in-the-ethtool-advertising.patch
new file mode 100644 (file)
index 0000000..5807b1d
--- /dev/null
@@ -0,0 +1,86 @@
+From 73868dc2281cb618093659565c86d84c26904538 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 13:36:41 -0700
+Subject: igc: Fix ambiguity in the ethtool advertising
+
+From: Sasha Neftin <sasha.neftin@intel.com>
+
+[ Upstream commit e7684d29efdf37304c62bb337ea55b3428ca118e ]
+
+The 'ethtool_convert_link_mode_to_legacy_u32' method does not allow us to
+advertise 2500M speed support and TP (twisted pair) properly. Convert to
+'ethtool_link_ksettings_test_link_mode' to advertise supported speed and
+eliminate ambiguity.
+
+Fixes: 8c5ad0dae93c ("igc: Add ethtool support")
+Suggested-by: Dima Ruinskiy <dima.ruinskiy@intel.com>
+Suggested-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://lore.kernel.org/r/20231019203641.3661960-1-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_ethtool.c | 35 ++++++++++++++------
+ 1 file changed, 25 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+index 7ab6dd58e4001..dd8a9d27a1670 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c
++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+@@ -1817,7 +1817,7 @@ igc_ethtool_set_link_ksettings(struct net_device *netdev,
+       struct igc_adapter *adapter = netdev_priv(netdev);
+       struct net_device *dev = adapter->netdev;
+       struct igc_hw *hw = &adapter->hw;
+-      u32 advertising;
++      u16 advertised = 0;
+       /* When adapter in resetting mode, autoneg/speed/duplex
+        * cannot be changed
+@@ -1842,18 +1842,33 @@ igc_ethtool_set_link_ksettings(struct net_device *netdev,
+       while (test_and_set_bit(__IGC_RESETTING, &adapter->state))
+               usleep_range(1000, 2000);
+-      ethtool_convert_link_mode_to_legacy_u32(&advertising,
+-                                              cmd->link_modes.advertising);
+-      /* Converting to legacy u32 drops ETHTOOL_LINK_MODE_2500baseT_Full_BIT.
+-       * We have to check this and convert it to ADVERTISE_2500_FULL
+-       * (aka ETHTOOL_LINK_MODE_2500baseX_Full_BIT) explicitly.
+-       */
+-      if (ethtool_link_ksettings_test_link_mode(cmd, advertising, 2500baseT_Full))
+-              advertising |= ADVERTISE_2500_FULL;
++      if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++                                                2500baseT_Full))
++              advertised |= ADVERTISE_2500_FULL;
++
++      if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++                                                1000baseT_Full))
++              advertised |= ADVERTISE_1000_FULL;
++
++      if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++                                                100baseT_Full))
++              advertised |= ADVERTISE_100_FULL;
++
++      if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++                                                100baseT_Half))
++              advertised |= ADVERTISE_100_HALF;
++
++      if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++                                                10baseT_Full))
++              advertised |= ADVERTISE_10_FULL;
++
++      if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++                                                10baseT_Half))
++              advertised |= ADVERTISE_10_HALF;
+       if (cmd->base.autoneg == AUTONEG_ENABLE) {
+               hw->mac.autoneg = 1;
+-              hw->phy.autoneg_advertised = advertising;
++              hw->phy.autoneg_advertised = advertised;
+               if (adapter->fc_autoneg)
+                       hw->fc.requested_mode = igc_fc_default;
+       } else {
+-- 
+2.42.0
+
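Review bot: The six `ethtool_link_ksettings_test_link_mode()` tests silently ignore any requested link mode that is not in the list, and `advertised` can reach the `AUTONEG_ENABLE` branch as 0 when none match. Whether a zero `autoneg_advertised` is handled later as "use defaults" is not visible in the hunk. If it is not, the request should be rejected, taking care to clear `__IGC_RESETTING` on that exit since the bit is already set here. The removed comment was the only explanation of the 2500baseT mapping. A one-line replacement such as `/* Translate each supported link mode to its ADVERTISE_* bit; other modes are ignored */` would keep the intent documented.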
diff --git a/queue-6.5/neighbour-fix-various-data-races.patch b/queue-6.5/neighbour-fix-various-data-races.patch
new file mode 100644 (file)
index 0000000..13ea1cf
--- /dev/null
@@ -0,0 +1,176 @@
+From 8fbf62904e406e112d817f8173caf187e60172a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 12:21:04 +0000
+Subject: neighbour: fix various data-races
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a9beb7e81bcb876615e1fbb3c07f3f9dba69831f ]
+
+1) tbl->gc_thresh1, tbl->gc_thresh2, tbl->gc_thresh3 and tbl->gc_interval
+   can be written from sysfs.
+
+2) tbl->last_flush is read locklessly from neigh_alloc()
+
+3) tbl->proxy_queue.qlen is read locklessly from neightbl_fill_info()
+
+4) neightbl_fill_info() reads cpu stats that can be changed concurrently.
+
+Fixes: c7fb64db001f ("[NETLINK]: Neighbour table configuration and statistics via rtnetlink")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20231019122104.1448310-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/neighbour.c | 67 +++++++++++++++++++++++---------------------
+ 1 file changed, 35 insertions(+), 32 deletions(-)
+
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index f16ec0e8a0348..4a1d669b46f90 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -251,7 +251,8 @@ bool neigh_remove_one(struct neighbour *ndel, struct neigh_table *tbl)
+ static int neigh_forced_gc(struct neigh_table *tbl)
+ {
+-      int max_clean = atomic_read(&tbl->gc_entries) - tbl->gc_thresh2;
++      int max_clean = atomic_read(&tbl->gc_entries) -
++                      READ_ONCE(tbl->gc_thresh2);
+       unsigned long tref = jiffies - 5 * HZ;
+       struct neighbour *n, *tmp;
+       int shrunk = 0;
+@@ -280,7 +281,7 @@ static int neigh_forced_gc(struct neigh_table *tbl)
+               }
+       }
+-      tbl->last_flush = jiffies;
++      WRITE_ONCE(tbl->last_flush, jiffies);
+       write_unlock_bh(&tbl->lock);
+@@ -464,17 +465,17 @@ static struct neighbour *neigh_alloc(struct neigh_table *tbl,
+ {
+       struct neighbour *n = NULL;
+       unsigned long now = jiffies;
+-      int entries;
++      int entries, gc_thresh3;
+       if (exempt_from_gc)
+               goto do_alloc;
+       entries = atomic_inc_return(&tbl->gc_entries) - 1;
+-      if (entries >= tbl->gc_thresh3 ||
+-          (entries >= tbl->gc_thresh2 &&
+-           time_after(now, tbl->last_flush + 5 * HZ))) {
+-              if (!neigh_forced_gc(tbl) &&
+-                  entries >= tbl->gc_thresh3) {
++      gc_thresh3 = READ_ONCE(tbl->gc_thresh3);
++      if (entries >= gc_thresh3 ||
++          (entries >= READ_ONCE(tbl->gc_thresh2) &&
++           time_after(now, READ_ONCE(tbl->last_flush) + 5 * HZ))) {
++              if (!neigh_forced_gc(tbl) && entries >= gc_thresh3) {
+                       net_info_ratelimited("%s: neighbor table overflow!\n",
+                                            tbl->id);
+                       NEIGH_CACHE_STAT_INC(tbl, table_fulls);
+@@ -955,13 +956,14 @@ static void neigh_periodic_work(struct work_struct *work)
+       if (time_after(jiffies, tbl->last_rand + 300 * HZ)) {
+               struct neigh_parms *p;
+-              tbl->last_rand = jiffies;
++
++              WRITE_ONCE(tbl->last_rand, jiffies);
+               list_for_each_entry(p, &tbl->parms_list, list)
+                       p->reachable_time =
+                               neigh_rand_reach_time(NEIGH_VAR(p, BASE_REACHABLE_TIME));
+       }
+-      if (atomic_read(&tbl->entries) < tbl->gc_thresh1)
++      if (atomic_read(&tbl->entries) < READ_ONCE(tbl->gc_thresh1))
+               goto out;
+       for (i = 0 ; i < (1 << nht->hash_shift); i++) {
+@@ -2167,15 +2169,16 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl,
+       ndtmsg->ndtm_pad2   = 0;
+       if (nla_put_string(skb, NDTA_NAME, tbl->id) ||
+-          nla_put_msecs(skb, NDTA_GC_INTERVAL, tbl->gc_interval, NDTA_PAD) ||
+-          nla_put_u32(skb, NDTA_THRESH1, tbl->gc_thresh1) ||
+-          nla_put_u32(skb, NDTA_THRESH2, tbl->gc_thresh2) ||
+-          nla_put_u32(skb, NDTA_THRESH3, tbl->gc_thresh3))
++          nla_put_msecs(skb, NDTA_GC_INTERVAL, READ_ONCE(tbl->gc_interval),
++                        NDTA_PAD) ||
++          nla_put_u32(skb, NDTA_THRESH1, READ_ONCE(tbl->gc_thresh1)) ||
++          nla_put_u32(skb, NDTA_THRESH2, READ_ONCE(tbl->gc_thresh2)) ||
++          nla_put_u32(skb, NDTA_THRESH3, READ_ONCE(tbl->gc_thresh3)))
+               goto nla_put_failure;
+       {
+               unsigned long now = jiffies;
+-              long flush_delta = now - tbl->last_flush;
+-              long rand_delta = now - tbl->last_rand;
++              long flush_delta = now - READ_ONCE(tbl->last_flush);
++              long rand_delta = now - READ_ONCE(tbl->last_rand);
+               struct neigh_hash_table *nht;
+               struct ndt_config ndc = {
+                       .ndtc_key_len           = tbl->key_len,
+@@ -2183,7 +2186,7 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl,
+                       .ndtc_entries           = atomic_read(&tbl->entries),
+                       .ndtc_last_flush        = jiffies_to_msecs(flush_delta),
+                       .ndtc_last_rand         = jiffies_to_msecs(rand_delta),
+-                      .ndtc_proxy_qlen        = tbl->proxy_queue.qlen,
++                      .ndtc_proxy_qlen        = READ_ONCE(tbl->proxy_queue.qlen),
+               };
+               rcu_read_lock();
+@@ -2206,17 +2209,17 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl,
+                       struct neigh_statistics *st;
+                       st = per_cpu_ptr(tbl->stats, cpu);
+-                      ndst.ndts_allocs                += st->allocs;
+-                      ndst.ndts_destroys              += st->destroys;
+-                      ndst.ndts_hash_grows            += st->hash_grows;
+-                      ndst.ndts_res_failed            += st->res_failed;
+-                      ndst.ndts_lookups               += st->lookups;
+-                      ndst.ndts_hits                  += st->hits;
+-                      ndst.ndts_rcv_probes_mcast      += st->rcv_probes_mcast;
+-                      ndst.ndts_rcv_probes_ucast      += st->rcv_probes_ucast;
+-                      ndst.ndts_periodic_gc_runs      += st->periodic_gc_runs;
+-                      ndst.ndts_forced_gc_runs        += st->forced_gc_runs;
+-                      ndst.ndts_table_fulls           += st->table_fulls;
++                      ndst.ndts_allocs                += READ_ONCE(st->allocs);
++                      ndst.ndts_destroys              += READ_ONCE(st->destroys);
++                      ndst.ndts_hash_grows            += READ_ONCE(st->hash_grows);
++                      ndst.ndts_res_failed            += READ_ONCE(st->res_failed);
++                      ndst.ndts_lookups               += READ_ONCE(st->lookups);
++                      ndst.ndts_hits                  += READ_ONCE(st->hits);
++                      ndst.ndts_rcv_probes_mcast      += READ_ONCE(st->rcv_probes_mcast);
++                      ndst.ndts_rcv_probes_ucast      += READ_ONCE(st->rcv_probes_ucast);
++                      ndst.ndts_periodic_gc_runs      += READ_ONCE(st->periodic_gc_runs);
++                      ndst.ndts_forced_gc_runs        += READ_ONCE(st->forced_gc_runs);
++                      ndst.ndts_table_fulls           += READ_ONCE(st->table_fulls);
+               }
+               if (nla_put_64bit(skb, NDTA_STATS, sizeof(ndst), &ndst,
+@@ -2445,16 +2448,16 @@ static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh,
+               goto errout_tbl_lock;
+       if (tb[NDTA_THRESH1])
+-              tbl->gc_thresh1 = nla_get_u32(tb[NDTA_THRESH1]);
++              WRITE_ONCE(tbl->gc_thresh1, nla_get_u32(tb[NDTA_THRESH1]));
+       if (tb[NDTA_THRESH2])
+-              tbl->gc_thresh2 = nla_get_u32(tb[NDTA_THRESH2]);
++              WRITE_ONCE(tbl->gc_thresh2, nla_get_u32(tb[NDTA_THRESH2]));
+       if (tb[NDTA_THRESH3])
+-              tbl->gc_thresh3 = nla_get_u32(tb[NDTA_THRESH3]);
++              WRITE_ONCE(tbl->gc_thresh3, nla_get_u32(tb[NDTA_THRESH3]));
+       if (tb[NDTA_GC_INTERVAL])
+-              tbl->gc_interval = nla_get_msecs(tb[NDTA_GC_INTERVAL]);
++              WRITE_ONCE(tbl->gc_interval, nla_get_msecs(tb[NDTA_GC_INTERVAL]));
+       err = 0;
+-- 
+2.42.0
+
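Review bot: In neightbl_set() the thresholds are stored straight from `nla_get_u32()`, while neigh_alloc() now snapshots `gc_thresh3` into an `int` and compares it with `int entries`. A value above INT_MAX would then be read back as negative, making `entries >= gc_thresh3` true on every allocation. The netlink policy for these attributes is outside the hunks and may already bound them. If it does not, the values should be range-checked before the `WRITE_ONCE()` stores, and ideally checked for `thresh1 <= thresh2 <= thresh3`. The `READ_ONCE()`/`WRITE_ONCE()` annotations make the accesses tear-free but do not make the three thresholds mutually consistent, which is worth a comment next to the stores.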
diff --git a/queue-6.5/net-do-not-leave-an-empty-skb-in-write-queue.patch b/queue-6.5/net-do-not-leave-an-empty-skb-in-write-queue.patch
new file mode 100644 (file)
index 0000000..afe8656
--- /dev/null
@@ -0,0 +1,74 @@
+From e62d51cac4718aabe24c628b1f61f1ef5064f862 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 11:24:57 +0000
+Subject: net: do not leave an empty skb in write queue
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 72bf4f1767f0386970dc04726dc5bc2e3991dc19 ]
+
+Under memory stress conditions, tcp_sendmsg_locked()
+might call sk_stream_wait_memory(), thus releasing the socket lock.
+
+If a fresh skb has been allocated prior to this,
+we should not leave it in the write queue otherwise
+tcp_write_xmit() could panic.
+
+This apparently does not happen often, but a future change
+in __sk_mem_raise_allocated() that Shakeel and others are
+considering would increase chances of being hurt.
+
+Under discussion is to remove this controversial part:
+
+    /* Fail only if socket is _under_ its sndbuf.
+     * In this case we cannot block, so that we have to fail.
+     */
+    if (sk->sk_wmem_queued + size >= sk->sk_sndbuf) {
+        /* Force charge with __GFP_NOFAIL */
+        if (memcg_charge && !charged) {
+            mem_cgroup_charge_skmem(sk->sk_memcg, amt,
+                gfp_memcg_charge() | __GFP_NOFAIL);
+        }
+        return 1;
+    }
+
+Fixes: fdfc5c8594c2 ("tcp: remove empty skb from write queue in error cases")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Link: https://lore.kernel.org/r/20231019112457.1190114-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 9bdc1b2eaf734..a0a87446f827c 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -925,10 +925,11 @@ int tcp_send_mss(struct sock *sk, int *size_goal, int flags)
+       return mss_now;
+ }
+-/* In some cases, both sendmsg() could have added an skb to the write queue,
+- * but failed adding payload on it.  We need to remove it to consume less
++/* In some cases, sendmsg() could have added an skb to the write queue,
++ * but failed adding payload on it. We need to remove it to consume less
+  * memory, but more importantly be able to generate EPOLLOUT for Edge Trigger
+- * epoll() users.
++ * epoll() users. Another reason is that tcp_write_xmit() does not like
++ * finding an empty skb in the write queue.
+  */
+ void tcp_remove_empty_skb(struct sock *sk)
+ {
+@@ -1286,6 +1287,7 @@ int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size)
+ wait_for_space:
+               set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
++              tcp_remove_empty_skb(sk);
+               if (copied)
+                       tcp_push(sk, flags & ~MSG_MORE, mss_now,
+                                TCP_NAGLE_PUSH, size_goal);
+-- 
+2.42.0
+
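Review bot: The new `tcp_remove_empty_skb(sk)` call under `wait_for_space:` in tcp_sendmsg_locked() has no comment, so the reason for it exists only in the commit message. The updated comment above tcp_remove_empty_skb() says tcp_write_xmit() "does not like" an empty skb, which understates what the description calls a possible panic. I would add `/* sk_stream_wait_memory() may release the socket lock; never leave an empty skb queued across it */` at the call site. The body of tcp_sendmsg_locked() continues outside the hunk, so the wait call itself is not visible here.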
diff --git a/queue-6.5/net-ethernet-adi-adin1110-fix-uninitialized-variable.patch b/queue-6.5/net-ethernet-adi-adin1110-fix-uninitialized-variable.patch
new file mode 100644 (file)
index 0000000..97d4049
--- /dev/null
@@ -0,0 +1,38 @@
+From 9cdb285d676d628cfe803ae19d5f024c6d70b45f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 09:20:53 +0300
+Subject: net: ethernet: adi: adin1110: Fix uninitialized variable
+
+From: Dell Jin <dell.jin.code@outlook.com>
+
+[ Upstream commit 965f9b8c0c1b37fa2a0e3ef56e40d5666d4cbb5c ]
+
+The spi_transfer struct has to have all it's fields initialized to 0 in
+this case, since not all of them are set before starting the transfer.
+Otherwise, spi_sync_transfer() will sometimes return an error.
+
+Fixes: a526a3cc9c8d ("net: ethernet: adi: adin1110: Fix SPI transfers")
+Signed-off-by: Dell Jin <dell.jin.code@outlook.com>
+Signed-off-by: Ciprian Regus <ciprian.regus@analog.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/adi/adin1110.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/adi/adin1110.c b/drivers/net/ethernet/adi/adin1110.c
+index ca66b747b7c5d..d7c274af6d4da 100644
+--- a/drivers/net/ethernet/adi/adin1110.c
++++ b/drivers/net/ethernet/adi/adin1110.c
+@@ -294,7 +294,7 @@ static int adin1110_read_fifo(struct adin1110_port_priv *port_priv)
+ {
+       struct adin1110_priv *priv = port_priv->priv;
+       u32 header_len = ADIN1110_RD_HEADER_LEN;
+-      struct spi_transfer t;
++      struct spi_transfer t = {0};
+       u32 frame_size_no_fcs;
+       struct sk_buff *rxb;
+       u32 frame_size;
+-- 
+2.42.0
+
diff --git a/queue-6.5/net-handshake-fix-file-ref-count-in-handshake_nl_acc.patch b/queue-6.5/net-handshake-fix-file-ref-count-in-handshake_nl_acc.patch
new file mode 100644 (file)
index 0000000..c055afb
--- /dev/null
@@ -0,0 +1,93 @@
+From 2c307fd167276a5b7ca5df018f7e2dd808f9e723 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 14:58:47 +0200
+Subject: net/handshake: fix file ref count in handshake_nl_accept_doit()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Moritz Wanzenböck <moritz.wanzenboeck@linbit.com>
+
+[ Upstream commit 7798b59409c345d4a6034a4326bceb9f7e2e8b58 ]
+
+If req->hr_proto->hp_accept() fail, we call fput() twice:
+Once in the error path, but also a second time because sock->file
+is at that point already associated with the file descriptor. Once
+the task exits, as it would probably do after receiving an error
+reading from netlink, the fd is closed, calling fput() a second time.
+
+To fix, we move installing the file after the error path for the
+hp_accept() call. In the case of errors we simply put the unused fd.
+In case of success we can use fd_install() to link the sock->file
+to the reserved fd.
+
+Fixes: 7ea9c1ec66bc ("net/handshake: Fix handshake_dup() ref counting")
+Signed-off-by: Moritz Wanzenböck <moritz.wanzenboeck@linbit.com>
+Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
+Link: https://lore.kernel.org/r/20231019125847.276443-1-moritz.wanzenboeck@linbit.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/handshake/netlink.c | 30 +++++-------------------------
+ 1 file changed, 5 insertions(+), 25 deletions(-)
+
+diff --git a/net/handshake/netlink.c b/net/handshake/netlink.c
+index d0bc1dd8e65a8..80c7302692c74 100644
+--- a/net/handshake/netlink.c
++++ b/net/handshake/netlink.c
+@@ -87,29 +87,6 @@ struct nlmsghdr *handshake_genl_put(struct sk_buff *msg,
+ }
+ EXPORT_SYMBOL(handshake_genl_put);
+-/*
+- * dup() a kernel socket for use as a user space file descriptor
+- * in the current process. The kernel socket must have an
+- * instatiated struct file.
+- *
+- * Implicit argument: "current()"
+- */
+-static int handshake_dup(struct socket *sock)
+-{
+-      struct file *file;
+-      int newfd;
+-
+-      file = get_file(sock->file);
+-      newfd = get_unused_fd_flags(O_CLOEXEC);
+-      if (newfd < 0) {
+-              fput(file);
+-              return newfd;
+-      }
+-
+-      fd_install(newfd, file);
+-      return newfd;
+-}
+-
+ int handshake_nl_accept_doit(struct sk_buff *skb, struct genl_info *info)
+ {
+       struct net *net = sock_net(skb->sk);
+@@ -133,17 +110,20 @@ int handshake_nl_accept_doit(struct sk_buff *skb, struct genl_info *info)
+               goto out_status;
+       sock = req->hr_sk->sk_socket;
+-      fd = handshake_dup(sock);
++      fd = get_unused_fd_flags(O_CLOEXEC);
+       if (fd < 0) {
+               err = fd;
+               goto out_complete;
+       }
++
+       err = req->hr_proto->hp_accept(req, info, fd);
+       if (err) {
+-              fput(sock->file);
++              put_unused_fd(fd);
+               goto out_complete;
+       }
++      fd_install(fd, get_file(sock->file));
++
+       trace_handshake_cmd_accept(net, req, req->hr_sk, fd);
+       return 0;
+-- 
+2.42.0
+
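Review bot: In handshake_nl_accept_doit() the descriptor is now reserved, handed to `hp_accept()`, and only then published with `fd_install(fd, get_file(sock->file))`, but nothing in the code says why that order matters. The removed handshake_dup() comment was the only documentation of this step, so I would add `/* fd_install() cannot be undone: publish the file only after hp_accept() has succeeded */` above the fd_install() line. It is also worth confirming that hp_accept() implementations only record the fd number and never look the descriptor up, since no file is attached to it until afterwards; those implementations are not part of this hunk. The function starts and ends outside the hunk.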
diff --git a/queue-6.5/net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch b/queue-6.5/net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch
new file mode 100644 (file)
index 0000000..0823f17
--- /dev/null
@@ -0,0 +1,47 @@
+From 84dbcbccb3f51734794f4a4eb1c83c825ec23da3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Oct 2023 20:03:53 +0200
+Subject: net: ieee802154: adf7242: Fix some potential buffer overflow in
+ adf7242_stats_show()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ca082f019d8fbb983f03080487946da714154bae ]
+
+strncat() usage in adf7242_debugfs_init() is wrong.
+The size given to strncat() is the maximum number of bytes that can be
+written, excluding the trailing NULL.
+
+Here, the size that is passed, DNAME_INLINE_LEN, does not take into account
+the size of "adf7242-" that is already in the array.
+
+In order to fix it, use snprintf() instead.
+
+Fixes: 7302b9d90117 ("ieee802154/adf7242: Driver for ADF7242 MAC IEEE802154")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/adf7242.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c
+index a03490ba2e5b3..cc7ddc40020fd 100644
+--- a/drivers/net/ieee802154/adf7242.c
++++ b/drivers/net/ieee802154/adf7242.c
+@@ -1162,9 +1162,10 @@ static int adf7242_stats_show(struct seq_file *file, void *offset)
+ static void adf7242_debugfs_init(struct adf7242_local *lp)
+ {
+-      char debugfs_dir_name[DNAME_INLINE_LEN + 1] = "adf7242-";
++      char debugfs_dir_name[DNAME_INLINE_LEN + 1];
+-      strncat(debugfs_dir_name, dev_name(&lp->spi->dev), DNAME_INLINE_LEN);
++      snprintf(debugfs_dir_name, sizeof(debugfs_dir_name),
++               "adf7242-%s", dev_name(&lp->spi->dev));
+       lp->debugfs_root = debugfs_create_dir(debugfs_dir_name, NULL);
+-- 
+2.42.0
+
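Review bot: The `snprintf()` in adf7242_debugfs_init() bounds the write, but its return value is ignored, so a device name that does not fit in `DNAME_INLINE_LEN + 1` bytes is truncated silently. Truncation is memory-safe, yet two devices whose names share a long prefix would then ask for the same debugfs directory name. If that can occur, compare the return value against `sizeof(debugfs_dir_name)` and log or skip the directory; otherwise a short comment stating that truncation is acceptable would do. The function continues past the hunk.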
diff --git a/queue-6.5/net-sched-act_ct-additional-checks-for-outdated-flow.patch b/queue-6.5/net-sched-act_ct-additional-checks-for-outdated-flow.patch
new file mode 100644 (file)
index 0000000..1ed2ce7
--- /dev/null
@@ -0,0 +1,52 @@
+From 1eff7a5d1b589c39d98a3c21eb5d3bcd0f28dcdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Oct 2023 21:58:57 +0200
+Subject: net/sched: act_ct: additional checks for outdated flows
+
+From: Vlad Buslov <vladbu@nvidia.com>
+
+[ Upstream commit a63b6622120cd03a304796dbccb80655b3a21798 ]
+
+Current nf_flow_is_outdated() implementation considers any flow table flow
+which state diverged from its underlying CT connection status for teardown
+which can be problematic in the following cases:
+
+- Flow has never been offloaded to hardware in the first place either
+because flow table has hardware offload disabled (flag
+NF_FLOWTABLE_HW_OFFLOAD is not set) or because it is still pending on 'add'
+workqueue to be offloaded for the first time. The former is incorrect, the
+later generates excessive deletions and additions of flows.
+
+- Flow is already pending to be updated on the workqueue. Tearing down such
+flows will also generate excessive removals from the flow table, especially
+on highly loaded system where the latency to re-offload a flow via 'add'
+workqueue can be quite high.
+
+When considering a flow for teardown as outdated verify that it is both
+offloaded to hardware and doesn't have any pending updates.
+
+Fixes: 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded unreplied tuple")
+Reviewed-by: Paul Blakey <paulb@nvidia.com>
+Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_ct.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
+index 2b5ef83e44243..ad7c955453782 100644
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -281,6 +281,8 @@ static int tcf_ct_flow_table_fill_actions(struct net *net,
+ static bool tcf_ct_flow_is_outdated(const struct flow_offload *flow)
+ {
+       return test_bit(IPS_SEEN_REPLY_BIT, &flow->ct->status) &&
++             test_bit(IPS_HW_OFFLOAD_BIT, &flow->ct->status) &&
++             !test_bit(NF_FLOW_HW_PENDING, &flow->flags) &&
+              !test_bit(NF_FLOW_HW_ESTABLISHED, &flow->flags);
+ }
+-- 
+2.42.0
+
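Review bot: tcf_ct_flow_is_outdated() now combines four bit tests across `flow->ct->status` and `flow->flags` without a comment, so the rationale exists only in the commit message. A comment above the function should state that a flow counts as outdated only when the connection has seen a reply, the flow is offloaded to hardware, no hardware update is pending, and hardware has not yet marked it established. The bits are read one at a time, so the result is a snapshot that may change between tests; presumably the GC tolerates that, but it is worth saying so in the comment.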
diff --git a/queue-6.5/net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch b/queue-6.5/net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch
new file mode 100644 (file)
index 0000000..392e10a
--- /dev/null
@@ -0,0 +1,103 @@
+From 38a6770cd7aff449253eefd648a6c4107c6d0cbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Oct 2023 02:03:44 +0900
+Subject: net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 51a32e828109b4a209efde44505baa356b37a4ce ]
+
+syzbot reported the following uninit-value access issue [1]:
+
+smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Failed to read reg index 0x00000030: -32
+smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Error reading E2P_CMD
+=====================================================
+BUG: KMSAN: uninit-value in smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896
+ smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896
+ smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131
+ usbnet_probe+0x100b/0x4060 drivers/net/usb/usbnet.c:1750
+ usb_probe_interface+0xc75/0x1210 drivers/usb/core/driver.c:396
+ really_probe+0x506/0xf40 drivers/base/dd.c:658
+ __driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800
+ driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830
+ __device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958
+ bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457
+ __device_attach+0x3bd/0x640 drivers/base/dd.c:1030
+ device_initial_probe+0x32/0x40 drivers/base/dd.c:1079
+ bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532
+ device_add+0x16ae/0x1f20 drivers/base/core.c:3622
+ usb_set_configuration+0x31c9/0x38c0 drivers/usb/core/message.c:2207
+ usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:238
+ usb_probe_device+0x290/0x4a0 drivers/usb/core/driver.c:293
+ really_probe+0x506/0xf40 drivers/base/dd.c:658
+ __driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800
+ driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830
+ __device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958
+ bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457
+ __device_attach+0x3bd/0x640 drivers/base/dd.c:1030
+ device_initial_probe+0x32/0x40 drivers/base/dd.c:1079
+ bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532
+ device_add+0x16ae/0x1f20 drivers/base/core.c:3622
+ usb_new_device+0x15f6/0x22f0 drivers/usb/core/hub.c:2589
+ hub_port_connect drivers/usb/core/hub.c:5440 [inline]
+ hub_port_connect_change drivers/usb/core/hub.c:5580 [inline]
+ port_event drivers/usb/core/hub.c:5740 [inline]
+ hub_event+0x53bc/0x7290 drivers/usb/core/hub.c:5822
+ process_one_work kernel/workqueue.c:2630 [inline]
+ process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2703
+ worker_thread+0xf45/0x1490 kernel/workqueue.c:2784
+ kthread+0x3e8/0x540 kernel/kthread.c:388
+ ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
+
+Local variable buf.i225 created at:
+ smsc95xx_read_reg drivers/net/usb/smsc95xx.c:90 [inline]
+ smsc95xx_reset+0x203/0x25f0 drivers/net/usb/smsc95xx.c:892
+ smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131
+
+CPU: 1 PID: 773 Comm: kworker/1:2 Not tainted 6.6.0-rc1-syzkaller-00125-ge42bebf6db29 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
+Workqueue: usb_hub_wq hub_event
+=====================================================
+
+Similar to e9c65989920f ("net: usb: smsc75xx: Fix uninit-value access in
+__smsc75xx_read_reg"), this issue is caused because usbnet_read_cmd() reads
+less bytes than requested (zero byte in the reproducer). In this case,
+'buf' is not properly filled.
+
+This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads
+less bytes than requested.
+
+sysbot reported similar uninit-value access issue [2]. The root cause is
+the same as mentioned above, and this patch addresses it as well.
+
+Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
+Reported-and-tested-by: syzbot+c74c24b43c9ae534f0e0@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+2c97a98a5ba9ea9c23bd@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c74c24b43c9ae534f0e0 [1]
+Closes: https://syzkaller.appspot.com/bug?extid=2c97a98a5ba9ea9c23bd [2]
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc95xx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index 17da42fe605c3..a530f20ee2575 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -95,7 +95,9 @@ static int __must_check smsc95xx_read_reg(struct usbnet *dev, u32 index,
+       ret = fn(dev, USB_VENDOR_REQUEST_READ_REGISTER, USB_DIR_IN
+                | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+                0, index, &buf, 4);
+-      if (ret < 0) {
++      if (ret < 4) {
++              ret = ret < 0 ? ret : -ENODATA;
++
+               if (ret != -ENODEV)
+                       netdev_warn(dev->net, "Failed to read reg index 0x%08x: %d\n",
+                                   index, ret);
+-- 
+2.42.0
+
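Review bot: The new guard `if (ret < 4)` in smsc95xx_read_reg() repeats the literal length passed to `fn(..., &buf, 4)`, so the two can drift apart. Tie both to the buffer, for example `if (ret < (int)sizeof(buf))`; the cast matters, because comparing a negative `ret` against an unsigned `sizeof` would let error returns slip past the check. `buf` is declared outside the hunk, so confirm it is a 4-byte object. The warning also prints -ENODATA for a short read, which hides how many bytes the device actually returned.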
diff --git a/queue-6.5/netfilter-flowtable-gc-pushes-back-packets-to-classi.patch b/queue-6.5/netfilter-flowtable-gc-pushes-back-packets-to-classi.patch
new file mode 100644 (file)
index 0000000..f4954d8
--- /dev/null
@@ -0,0 +1,103 @@
+From e141d5c920143223efc185ce29ea2f3e9ac4035b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Oct 2023 21:09:47 +0200
+Subject: netfilter: flowtable: GC pushes back packets to classic path
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 735795f68b37e9bb49f642407a0d49b1631ea1c7 ]
+
+Since 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded
+unreplied tuple"), flowtable GC pushes back flows with IPS_SEEN_REPLY
+back to classic path in every run, ie. every second. This is because of
+a new check for NF_FLOW_HW_ESTABLISHED which is specific of sched/act_ct.
+
+In Netfilter's flowtable case, NF_FLOW_HW_ESTABLISHED never gets set on
+and IPS_SEEN_REPLY is unreliable since users decide when to offload the
+flow before, such bit might be set on at a later stage.
+
+Fix it by adding a custom .gc handler that sched/act_ct can use to
+deal with its NF_FLOW_HW_ESTABLISHED bit.
+
+Fixes: 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded unreplied tuple")
+Reported-by: Vladimir Smelhaus <vl.sm@email.cz>
+Reviewed-by: Paul Blakey <paulb@nvidia.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_flow_table.h |  1 +
+ net/netfilter/nf_flow_table_core.c    | 14 +++++++-------
+ net/sched/act_ct.c                    |  7 +++++++
+ 3 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
+index d466e1a3b0b19..fe1507c1db828 100644
+--- a/include/net/netfilter/nf_flow_table.h
++++ b/include/net/netfilter/nf_flow_table.h
+@@ -53,6 +53,7 @@ struct nf_flowtable_type {
+       struct list_head                list;
+       int                             family;
+       int                             (*init)(struct nf_flowtable *ft);
++      bool                            (*gc)(const struct flow_offload *flow);
+       int                             (*setup)(struct nf_flowtable *ft,
+                                                struct net_device *dev,
+                                                enum flow_block_command cmd);
+diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
+index 1d34d700bd09b..920a5a29ae1dc 100644
+--- a/net/netfilter/nf_flow_table_core.c
++++ b/net/netfilter/nf_flow_table_core.c
+@@ -316,12 +316,6 @@ void flow_offload_refresh(struct nf_flowtable *flow_table,
+ }
+ EXPORT_SYMBOL_GPL(flow_offload_refresh);
+-static bool nf_flow_is_outdated(const struct flow_offload *flow)
+-{
+-      return test_bit(IPS_SEEN_REPLY_BIT, &flow->ct->status) &&
+-              !test_bit(NF_FLOW_HW_ESTABLISHED, &flow->flags);
+-}
+-
+ static inline bool nf_flow_has_expired(const struct flow_offload *flow)
+ {
+       return nf_flow_timeout_delta(flow->timeout) <= 0;
+@@ -407,12 +401,18 @@ nf_flow_table_iterate(struct nf_flowtable *flow_table,
+       return err;
+ }
++static bool nf_flow_custom_gc(struct nf_flowtable *flow_table,
++                            const struct flow_offload *flow)
++{
++      return flow_table->type->gc && flow_table->type->gc(flow);
++}
++
+ static void nf_flow_offload_gc_step(struct nf_flowtable *flow_table,
+                                   struct flow_offload *flow, void *data)
+ {
+       if (nf_flow_has_expired(flow) ||
+           nf_ct_is_dying(flow->ct) ||
+-          nf_flow_is_outdated(flow))
++          nf_flow_custom_gc(flow_table, flow))
+               flow_offload_teardown(flow);
+       if (test_bit(NF_FLOW_TEARDOWN, &flow->flags)) {
+diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
+index abc71a06d634a..2b5ef83e44243 100644
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -278,7 +278,14 @@ static int tcf_ct_flow_table_fill_actions(struct net *net,
+       return err;
+ }
++static bool tcf_ct_flow_is_outdated(const struct flow_offload *flow)
++{
++      return test_bit(IPS_SEEN_REPLY_BIT, &flow->ct->status) &&
++             !test_bit(NF_FLOW_HW_ESTABLISHED, &flow->flags);
++}
++
+ static struct nf_flowtable_type flowtable_ct = {
++      .gc             = tcf_ct_flow_is_outdated,
+       .action         = tcf_ct_flow_table_fill_actions,
+       .owner          = THIS_MODULE,
+ };
+-- 
+2.42.0
+
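Review bot: The new `gc` member of struct nf_flowtable_type is undocumented, and its name does not say what a true return means. In nf_flow_offload_gc_step() a true result leads to flow_offload_teardown(), so I would annotate the declaration with `/* optional; return true to have GC tear the flow down */`. nf_flow_custom_gc() treats a NULL callback as false, which presumably is what leaves flowtable types without a handler unaffected; a one-line comment there would make that intent explicit. The struct definition and the gc step function both extend beyond their hunks.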
diff --git a/queue-6.5/r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch b/queue-6.5/r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch
new file mode 100644 (file)
index 0000000..77c4e49
--- /dev/null
@@ -0,0 +1,37 @@
+From 9f5132a0fef378399d984a91e8bbe4ec8f64b07d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 14:06:54 -0700
+Subject: r8152: Cancel hw_phy_work if we have an error in probe
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit bb8adff9123e492598162ac1baad01a53891aef6 ]
+
+The error handling in rtl8152_probe() is missing a call to cancel the
+hw_phy_work. Add it in to match what's in the cleanup code in
+rtl8152_disconnect().
+
+Fixes: a028a9e003f2 ("r8152: move the settings of PHY to a work queue")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Grant Grundler <grundler@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 86fbad8c2264c..a894f267d375d 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -9802,6 +9802,7 @@ static int rtl8152_probe(struct usb_interface *intf,
+ out1:
+       tasklet_kill(&tp->tx_tl);
++      cancel_delayed_work_sync(&tp->hw_phy_work);
+       if (tp->rtl_ops.unload)
+               tp->rtl_ops.unload(tp);
+       usb_set_intfdata(intf, NULL);
+-- 
+2.42.0
+
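Review bot: `cancel_delayed_work_sync(&tp->hw_phy_work)` now runs on every path that reaches `out1:` in rtl8152_probe(), but the hunk does not show where the work item is initialised. Confirm that INIT_DELAYED_WORK() for hw_phy_work runs before the first `goto out1`, because cancelling a work item that was never initialised is not safe. The same precondition question applies to the `rtl8152_release_firmware(tp)` and `tp->rtl_ops.unload(tp)` calls added at this label by the other two r8152 probe patches on this page. Since the label now mirrors rtl8152_disconnect(), a comment such as `/* keep in sync with rtl8152_disconnect() */` would help future changes.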
diff --git a/queue-6.5/r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch b/queue-6.5/r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch
new file mode 100644 (file)
index 0000000..f0ee9ac
--- /dev/null
@@ -0,0 +1,77 @@
+From d7a0fde276f8f1c7755a973491fdf804805f1122 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 14:06:52 -0700
+Subject: r8152: Increase USB control msg timeout to 5000ms as per spec
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit a5feba71ec9c14a54c3babdc732c5b6866d8ee43 ]
+
+According to the comment next to USB_CTRL_GET_TIMEOUT and
+USB_CTRL_SET_TIMEOUT, although sending/receiving control messages is
+usually quite fast, the spec allows them to take up to 5 seconds.
+Let's increase the timeout in the Realtek driver from 500ms to 5000ms
+(using the #defines) to account for this.
+
+This is not just a theoretical change. The need for the longer timeout
+was seen in testing. Specifically, if you drop a sc7180-trogdor based
+Chromebook into the kdb debugger and then "go" again after sitting in
+the debugger for a while, the next USB control message takes a long
+time. Out of ~40 tests the slowest USB control message was 4.5
+seconds.
+
+While dropping into kdb is not exactly an end-user scenario, the above
+is similar to what could happen due to an temporary interrupt storm,
+what could happen if there was a host controller (HW or SW) issue, or
+what could happen if the Realtek device got into a confused state and
+needed time to recover.
+
+This change is fairly critical since the r8152 driver in Linux doesn't
+expect register reads/writes (which are backed by USB control
+messages) to fail.
+
+Fixes: ac718b69301c ("net/usb: new driver for RTL8152")
+Suggested-by: Hayes Wang <hayeswang@realtek.com>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Grant Grundler <grundler@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index e88bedca8f32f..bf83ce5317cea 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -1212,7 +1212,7 @@ int get_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data)
+       ret = usb_control_msg(tp->udev, tp->pipe_ctrl_in,
+                             RTL8152_REQ_GET_REGS, RTL8152_REQT_READ,
+-                            value, index, tmp, size, 500);
++                            value, index, tmp, size, USB_CTRL_GET_TIMEOUT);
+       if (ret < 0)
+               memset(data, 0xff, size);
+       else
+@@ -1235,7 +1235,7 @@ int set_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data)
+       ret = usb_control_msg(tp->udev, tp->pipe_ctrl_out,
+                             RTL8152_REQ_SET_REGS, RTL8152_REQT_WRITE,
+-                            value, index, tmp, size, 500);
++                            value, index, tmp, size, USB_CTRL_SET_TIMEOUT);
+       kfree(tmp);
+@@ -9512,7 +9512,8 @@ static u8 __rtl_get_hw_ver(struct usb_device *udev)
+       ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
+                             RTL8152_REQ_GET_REGS, RTL8152_REQT_READ,
+-                            PLA_TCR0, MCU_TYPE_PLA, tmp, sizeof(*tmp), 500);
++                            PLA_TCR0, MCU_TYPE_PLA, tmp, sizeof(*tmp),
++                            USB_CTRL_GET_TIMEOUT);
+       if (ret > 0)
+               ocp_data = (__le32_to_cpu(*tmp) >> 16) & VERSION_MASK;
+-- 
+2.42.0
+
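Review bot: In __rtl_get_hw_ver() the context line `if (ret > 0)` accepts any positive transfer length and then reads all of `*tmp`, so a transfer shorter than `sizeof(*tmp)` would feed partly unfilled memory into the version decode. I would tighten it to `if (ret == sizeof(*tmp))`. get_registers() has a similar shape: only `ret < 0` is treated as failure and the `else` branch lies outside the hunk, so check whether it copies `size` bytes after a short transfer. This is the same class of problem the smsc95xx patch on this page fixes; whether `tmp` is zero-allocated is not visible here.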
diff --git a/queue-6.5/r8152-release-firmware-if-we-have-an-error-in-probe.patch b/queue-6.5/r8152-release-firmware-if-we-have-an-error-in-probe.patch
new file mode 100644 (file)
index 0000000..464f26a
--- /dev/null
@@ -0,0 +1,37 @@
+From 73a15d73014065f2c34eb2b1e3c79e423c798cdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 14:06:55 -0700
+Subject: r8152: Release firmware if we have an error in probe
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit b8d35024d4059ca550cba11ac9ab23a6c238d929 ]
+
+The error handling in rtl8152_probe() is missing a call to release
+firmware. Add it in to match what's in the cleanup code in
+rtl8152_disconnect().
+
+Fixes: 9370f2d05a2a ("r8152: support request_firmware for RTL8153")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Grant Grundler <grundler@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index a894f267d375d..14497e5558bf9 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -9805,6 +9805,7 @@ static int rtl8152_probe(struct usb_interface *intf,
+       cancel_delayed_work_sync(&tp->hw_phy_work);
+       if (tp->rtl_ops.unload)
+               tp->rtl_ops.unload(tp);
++      rtl8152_release_firmware(tp);
+       usb_set_intfdata(intf, NULL);
+ out:
+       free_netdev(netdev);
+-- 
+2.42.0
+
diff --git a/queue-6.5/r8152-run-the-unload-routine-if-we-have-errors-durin.patch b/queue-6.5/r8152-run-the-unload-routine-if-we-have-errors-durin.patch
new file mode 100644 (file)
index 0000000..4c8070b
--- /dev/null
@@ -0,0 +1,38 @@
+From c8439599d45089a16d9f8d32f1f5cd3b6863ad6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 14:06:53 -0700
+Subject: r8152: Run the unload routine if we have errors during probe
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 5dd17689526971c5ae12bc8398f34bd68cd0499e ]
+
+The rtl8152_probe() function lacks a call to the chip-specific
+unload() routine when it sees an error in probe. Add it in to match
+the cleanup code in rtl8152_disconnect().
+
+Fixes: ac718b69301c ("net/usb: new driver for RTL8152")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Grant Grundler <grundler@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index bf83ce5317cea..86fbad8c2264c 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -9802,6 +9802,8 @@ static int rtl8152_probe(struct usb_interface *intf,
+ out1:
+       tasklet_kill(&tp->tx_tl);
++      if (tp->rtl_ops.unload)
++              tp->rtl_ops.unload(tp);
+       usb_set_intfdata(intf, NULL);
+ out:
+       free_netdev(netdev);
+-- 
+2.42.0
+
diff --git a/queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch b/queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch
new file mode 100644 (file)
index 0000000..bcf3e4d
--- /dev/null
@@ -0,0 +1,105 @@
+From 4ec497e12fc582311dfcfd3aad9ae25811210207 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Oct 2023 21:34:38 +0200
+Subject: r8169: fix the KCSAN reported data race in rtl_rx while reading
+ desc->opts1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+
+[ Upstream commit f97eee484e71890131f9c563c5cc6d5a69e4308d ]
+
+KCSAN reported the following data-race bug:
+
+==================================================================
+BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169
+
+race at unknown origin, with read to 0xffff888117e43510 of 4 bytes by interrupt on cpu 21:
+rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169
+__napi_poll (net/core/dev.c:6527)
+net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727)
+__do_softirq (kernel/softirq.c:553)
+__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632)
+irq_exit_rcu (kernel/softirq.c:647)
+sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14))
+asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645)
+cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291)
+cpuidle_enter (drivers/cpuidle/cpuidle.c:390)
+call_cpuidle (kernel/sched/idle.c:135)
+do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282)
+cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1))
+start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294)
+secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433)
+
+value changed: 0x80003fff -> 0x3402805f
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 21 PID: 0 Comm: swapper/21 Tainted: G             L     6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41
+Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023
+==================================================================
+
+drivers/net/ethernet/realtek/r8169_main.c:
+==========================================
+   4429
+ → 4430                 status = le32_to_cpu(desc->opts1);
+   4431                 if (status & DescOwn)
+   4432                         break;
+   4433
+   4434                 /* This barrier is needed to keep us from reading
+   4435                  * any other fields out of the Rx descriptor until
+   4436                  * we know the status of DescOwn
+   4437                  */
+   4438                 dma_rmb();
+   4439
+   4440                 if (unlikely(status & RxRES)) {
+   4441                         if (net_ratelimit())
+   4442                                 netdev_warn(dev, "Rx ERROR. status = %08x\n",
+
+Marco Elver explained that dma_rmb() doesn't prevent the compiler to tear up the access to
+desc->opts1 which can be written to concurrently. READ_ONCE() should prevent that from
+happening:
+
+   4429
+ → 4430                 status = le32_to_cpu(READ_ONCE(desc->opts1));
+   4431                 if (status & DescOwn)
+   4432                         break;
+   4433
+
+As the consequence of this fix, this KCSAN warning was eliminated.
+
+Fixes: 6202806e7c03a ("r8169: drop member opts1_mask from struct rtl8169_private")
+Suggested-by: Marco Elver <elver@google.com>
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Cc: nic_swsd@realtek.com
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: netdev@vger.kernel.org
+Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/
+Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Acked-by: Marco Elver <elver@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index 7e14a1d958c8e..361b90007148b 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -4427,7 +4427,7 @@ static int rtl_rx(struct net_device *dev, struct rtl8169_private *tp, int budget
+               dma_addr_t addr;
+               u32 status;
+-              status = le32_to_cpu(desc->opts1);
++              status = le32_to_cpu(READ_ONCE(desc->opts1));
+               if (status & DescOwn)
+                       break;
+-- 
+2.42.0
+
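Review bot: The marked load of `desc->opts1` in rtl_rx() carries no comment saying what it races with, so the reason for READ_ONCE() lives only in the commit message. Going by the listing quoted there, the existing comment explains dma_rmb() but not the load itself; I would add `/* opts1 can change under us; READ_ONCE() stops the compiler tearing or repeating the load */` above the assignment. The same applies to the `tp->TxDescArray[entry].opts1` load changed in rtl_tx() by the companion patch later on this page. Both functions continue outside their hunks, so any other plain reads of descriptor fields are not visible here.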
diff --git a/queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch b/queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch
new file mode 100644 (file)
index 0000000..5933003
--- /dev/null
@@ -0,0 +1,175 @@
+From 21bd7d34226ffd8b7f143efb71e18e698cbc6b25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Oct 2023 21:34:34 +0200
+Subject: r8169: fix the KCSAN reported data-race in rtl_tx() while reading
+ tp->cur_tx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+
+[ Upstream commit c1c0ce31b2420d5c173228a2132a492ede03d81f ]
+
+KCSAN reported the following data-race:
+
+==================================================================
+BUG: KCSAN: data-race in rtl8169_poll [r8169] / rtl8169_start_xmit [r8169]
+
+write (marked) to 0xffff888102474b74 of 4 bytes by task 5358 on cpu 29:
+rtl8169_start_xmit (drivers/net/ethernet/realtek/r8169_main.c:4254) r8169
+dev_hard_start_xmit (./include/linux/netdevice.h:4889 ./include/linux/netdevice.h:4903 net/core/dev.c:3544 net/core/dev.c:3560)
+sch_direct_xmit (net/sched/sch_generic.c:342)
+__dev_queue_xmit (net/core/dev.c:3817 net/core/dev.c:4306)
+ip_finish_output2 (./include/linux/netdevice.h:3082 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv4/ip_output.c:233)
+__ip_finish_output (net/ipv4/ip_output.c:311 net/ipv4/ip_output.c:293)
+ip_finish_output (net/ipv4/ip_output.c:328)
+ip_output (net/ipv4/ip_output.c:435)
+ip_send_skb (./include/net/dst.h:458 net/ipv4/ip_output.c:127 net/ipv4/ip_output.c:1486)
+udp_send_skb (net/ipv4/udp.c:963)
+udp_sendmsg (net/ipv4/udp.c:1246)
+inet_sendmsg (net/ipv4/af_inet.c:840 (discriminator 4))
+sock_sendmsg (net/socket.c:730 net/socket.c:753)
+__sys_sendto (net/socket.c:2177)
+__x64_sys_sendto (net/socket.c:2185)
+do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
+entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+
+read to 0xffff888102474b74 of 4 bytes by interrupt on cpu 21:
+rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4397 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169
+__napi_poll (net/core/dev.c:6527)
+net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727)
+__do_softirq (kernel/softirq.c:553)
+__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632)
+irq_exit_rcu (kernel/softirq.c:647)
+common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14))
+asm_common_interrupt (./arch/x86/include/asm/idtentry.h:636)
+cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291)
+cpuidle_enter (drivers/cpuidle/cpuidle.c:390)
+call_cpuidle (kernel/sched/idle.c:135)
+do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282)
+cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1))
+start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294)
+secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433)
+
+value changed: 0x002f4815 -> 0x002f4816
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 21 PID: 0 Comm: swapper/21 Tainted: G             L     6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41
+Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023
+==================================================================
+
+The write side of drivers/net/ethernet/realtek/r8169_main.c is:
+==================
+   4251         /* rtl_tx needs to see descriptor changes before updated tp->cur_tx */
+   4252         smp_wmb();
+   4253
+ → 4254         WRITE_ONCE(tp->cur_tx, tp->cur_tx + frags + 1);
+   4255
+   4256         stop_queue = !netif_subqueue_maybe_stop(dev, 0, rtl_tx_slots_avail(tp),
+   4257                                                 R8169_TX_STOP_THRS,
+   4258                                                 R8169_TX_START_THRS);
+
+The read side is the function rtl_tx():
+
+   4355 static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp,
+   4356                    int budget)
+   4357 {
+   4358         unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0;
+   4359         struct sk_buff *skb;
+   4360
+   4361         dirty_tx = tp->dirty_tx;
+   4362
+   4363         while (READ_ONCE(tp->cur_tx) != dirty_tx) {
+   4364                 unsigned int entry = dirty_tx % NUM_TX_DESC;
+   4365                 u32 status;
+   4366
+   4367                 status = le32_to_cpu(tp->TxDescArray[entry].opts1);
+   4368                 if (status & DescOwn)
+   4369                         break;
+   4370
+   4371                 skb = tp->tx_skb[entry].skb;
+   4372                 rtl8169_unmap_tx_skb(tp, entry);
+   4373
+   4374                 if (skb) {
+   4375                         pkts_compl++;
+   4376                         bytes_compl += skb->len;
+   4377                         napi_consume_skb(skb, budget);
+   4378                 }
+   4379                 dirty_tx++;
+   4380         }
+   4381
+   4382         if (tp->dirty_tx != dirty_tx) {
+   4383                 dev_sw_netstats_tx_add(dev, pkts_compl, bytes_compl);
+   4384                 WRITE_ONCE(tp->dirty_tx, dirty_tx);
+   4385
+   4386                 netif_subqueue_completed_wake(dev, 0, pkts_compl, bytes_compl,
+   4387                                               rtl_tx_slots_avail(tp),
+   4388                                               R8169_TX_START_THRS);
+   4389                 /*
+   4390                  * 8168 hack: TxPoll requests are lost when the Tx packets are
+   4391                  * too close. Let's kick an extra TxPoll request when a burst
+   4392                  * of start_xmit activity is detected (if it is not detected,
+   4393                  * it is slow enough). -- FR
+   4394                  * If skb is NULL then we come here again once a tx irq is
+   4395                  * triggered after the last fragment is marked transmitted.
+   4396                  */
+ → 4397                 if (tp->cur_tx != dirty_tx && skb)
+   4398                         rtl8169_doorbell(tp);
+   4399         }
+   4400 }
+
+Obviously from the code, an earlier detected data-race for tp->cur_tx was fixed in the
+line 4363:
+
+   4363         while (READ_ONCE(tp->cur_tx) != dirty_tx) {
+
+but the same solution is required for protecting the other access to tp->cur_tx:
+
+ → 4397                 if (READ_ONCE(tp->cur_tx) != dirty_tx && skb)
+   4398                         rtl8169_doorbell(tp);
+
+The write in the line 4254 is protected with WRITE_ONCE(), but the read in the line 4397
+might have suffered read tearing under some compiler optimisations.
+
+The fix eliminated the KCSAN data-race report for this bug.
+
+It is yet to be evaluated what happens if tp->cur_tx changes between the test in line 4363
+and line 4397. This test should certainly not be cached by the compiler in some register
+for such a long time, while asynchronous writes to tp->cur_tx might have occurred in line
+4254 in the meantime.
+
+Fixes: 94d8a98e6235c ("r8169: reduce number of workaround doorbell rings")
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Cc: nic_swsd@realtek.com
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Marco Elver <elver@google.com>
+Cc: netdev@vger.kernel.org
+Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/
+Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Acked-by: Marco Elver <elver@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index 6351a2dc13bce..281aaa8518472 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -4394,7 +4394,7 @@ static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp,
+                * If skb is NULL then we come here again once a tx irq is
+                * triggered after the last fragment is marked transmitted.
+                */
+-              if (tp->cur_tx != dirty_tx && skb)
++              if (READ_ONCE(tp->cur_tx) != dirty_tx && skb)
+                       rtl8169_doorbell(tp);
+       }
+ }
+-- 
+2.42.0
+
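Review bot: The doorbell test in rtl_tx() now uses READ_ONCE(tp->cur_tx) but does not name the store it pairs with. The commit message shows that store is the `WRITE_ONCE(tp->cur_tx, ...)` in rtl8169_start_xmit(), issued after an smp_wmb(). One more line in the existing block comment, ` * READ_ONCE() pairs with WRITE_ONCE(tp->cur_tx) in rtl8169_start_xmit().`, would keep both sides findable from either end. rtl_tx() begins outside the hunk.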
diff --git a/queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-11985 b/queue-6.5/r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-11985
new file mode 100644 (file)
index 0000000..62565b8
--- /dev/null
@@ -0,0 +1,136 @@
+From 7b075c9b3a126c8497c28f47eed506f927c5ac00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Oct 2023 21:34:36 +0200
+Subject: r8169: fix the KCSAN reported data-race in rtl_tx while reading
+ TxDescArray[entry].opts1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+
+[ Upstream commit dcf75a0f6bc136de94e88178ae5f51b7f879abc9 ]
+
+KCSAN reported the following data-race:
+
+==================================================================
+BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169
+
+race at unknown origin, with read to 0xffff888140d37570 of 4 bytes by interrupt on cpu 21:
+rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169
+__napi_poll (net/core/dev.c:6527)
+net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727)
+__do_softirq (kernel/softirq.c:553)
+__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632)
+irq_exit_rcu (kernel/softirq.c:647)
+sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14))
+asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645)
+cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291)
+cpuidle_enter (drivers/cpuidle/cpuidle.c:390)
+call_cpuidle (kernel/sched/idle.c:135)
+do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282)
+cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1))
+start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294)
+secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433)
+
+value changed: 0xb0000042 -> 0x00000000
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 21 PID: 0 Comm: swapper/21 Tainted: G             L     6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41
+Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023
+==================================================================
+
+The read side is in
+
+drivers/net/ethernet/realtek/r8169_main.c
+=========================================
+   4355 static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp,
+   4356                    int budget)
+   4357 {
+   4358         unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0;
+   4359         struct sk_buff *skb;
+   4360
+   4361         dirty_tx = tp->dirty_tx;
+   4362
+   4363         while (READ_ONCE(tp->cur_tx) != dirty_tx) {
+   4364                 unsigned int entry = dirty_tx % NUM_TX_DESC;
+   4365                 u32 status;
+   4366
+ → 4367                 status = le32_to_cpu(tp->TxDescArray[entry].opts1);
+   4368                 if (status & DescOwn)
+   4369                         break;
+   4370
+   4371                 skb = tp->tx_skb[entry].skb;
+   4372                 rtl8169_unmap_tx_skb(tp, entry);
+   4373
+   4374                 if (skb) {
+   4375                         pkts_compl++;
+   4376                         bytes_compl += skb->len;
+   4377                         napi_consume_skb(skb, budget);
+   4378                 }
+   4379                 dirty_tx++;
+   4380         }
+   4381
+   4382         if (tp->dirty_tx != dirty_tx) {
+   4383                 dev_sw_netstats_tx_add(dev, pkts_compl, bytes_compl);
+   4384                 WRITE_ONCE(tp->dirty_tx, dirty_tx);
+   4385
+   4386                 netif_subqueue_completed_wake(dev, 0, pkts_compl, bytes_compl,
+   4387                                               rtl_tx_slots_avail(tp),
+   4388                                               R8169_TX_START_THRS);
+   4389                 /*
+   4390                  * 8168 hack: TxPoll requests are lost when the Tx packets are
+   4391                  * too close. Let's kick an extra TxPoll request when a burst
+   4392                  * of start_xmit activity is detected (if it is not detected,
+   4393                  * it is slow enough). -- FR
+   4394                  * If skb is NULL then we come here again once a tx irq is
+   4395                  * triggered after the last fragment is marked transmitted.
+   4396                  */
+   4397                 if (READ_ONCE(tp->cur_tx) != dirty_tx && skb)
+   4398                         rtl8169_doorbell(tp);
+   4399         }
+   4400 }
+
+tp->TxDescArray[entry].opts1 is reported to have a data-race and READ_ONCE() fixes
+this KCSAN warning.
+
+   4366
+ → 4367                 status = le32_to_cpu(READ_ONCE(tp->TxDescArray[entry].opts1));
+   4368                 if (status & DescOwn)
+   4369                         break;
+   4370
+
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Cc: nic_swsd@realtek.com
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Marco Elver <elver@google.com>
+Cc: netdev@vger.kernel.org
+Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/
+Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Acked-by: Marco Elver <elver@google.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index 281aaa8518472..7e14a1d958c8e 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -4364,7 +4364,7 @@ static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp,
+               unsigned int entry = dirty_tx % NUM_TX_DESC;
+               u32 status;
+-              status = le32_to_cpu(tp->TxDescArray[entry].opts1);
++              status = le32_to_cpu(READ_ONCE(tp->TxDescArray[entry].opts1));
+               if (status & DescOwn)
+                       break;
+-- 
+2.42.0
+
index c065f256ecfdd44a27c0400aac4ace38642de6eb..c722f1a1621d50142eb22d7ee01a856793208518 100644 (file)
@@ -40,3 +40,42 @@ accel-ivpu-don-t-enter-d0i3-during-flr.patch
 drm-i915-pmu-check-if-pmu-is-closed-before-stopping-event.patch
 drm-amd-disable-aspm-for-vi-w-all-intel-systems.patch
 drm-dp_mst-fix-null-deref-in-get_mst_branch_device_by_guid_helper.patch
+btrfs-remove-v0-extent-handling.patch
+btrfs-fix-unwritten-extent-buffer-after-snapshotting.patch
+arm64-dts-qcom-sa8775p-correct-pmic-gpio-label-in-gp.patch
+arm-omap-timer32k-fix-all-kernel-doc-warnings.patch
+firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch
+clk-ti-fix-missing-omap4-mcbsp-functional-clock-and-.patch
+clk-ti-fix-missing-omap5-mcbsp-functional-clock-and-.patch
+arm64-dts-rockchip-add-i2s0-2ch-bus-bclk-off-pins-to.patch
+r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch
+r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-11985
+r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch
+iavf-initialize-waitqueues-before-starting-watchdog_.patch
+i40e-fix-i40e_flag_vf_vlan_pruning-value.patch
+treewide-spelling-fix-in-comment.patch
+igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch
+net-do-not-leave-an-empty-skb-in-write-queue.patch
+neighbour-fix-various-data-races.patch
+igc-fix-ambiguity-in-the-ethtool-advertising.patch
+net-ethernet-adi-adin1110-fix-uninitialized-variable.patch
+net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch
+net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch
+r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch
+r8152-run-the-unload-routine-if-we-have-errors-durin.patch
+r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch
+r8152-release-firmware-if-we-have-an-error-in-probe.patch
+tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch
+wifi-cfg80211-pass-correct-pointer-to-rdev_inform_bs.patch
+wifi-cfg80211-fix-assoc-response-warning-on-failed-l.patch
+wifi-mac80211-don-t-drop-all-unprotected-public-acti.patch
+net-handshake-fix-file-ref-count-in-handshake_nl_acc.patch
+gtp-uapi-fix-gtpa_max.patch
+gtp-fix-fragmentation-needed-check-with-gso.patch
+drm-i915-perf-determine-context-valid-in-oa-reports.patch
+i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch
+netfilter-flowtable-gc-pushes-back-packets-to-classi.patch
+net-sched-act_ct-additional-checks-for-outdated-flow.patch
+drm-logicvc-kconfig-select-regmap-and-regmap_mmio.patch
+drm-i915-mcr-hold-gt-forcewake-during-steering-opera.patch
+iavf-in-iavf_down-disable-queues-when-removing-the-d.patch
diff --git a/queue-6.5/tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch b/queue-6.5/tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch
new file mode 100644 (file)
index 0000000..7835ea6
--- /dev/null
@@ -0,0 +1,96 @@
+From 58a14745efbc88dcf599a39d1c2ceaa279c4a180 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Oct 2023 08:19:47 +0800
+Subject: tcp: fix wrong RTO timeout when received SACK reneging
+
+From: Fred Chen <fred.chenchen03@gmail.com>
+
+[ Upstream commit d2a0fc372aca561556e765d0a9ec365c7c12f0ad ]
+
+This commit fix wrong RTO timeout when received SACK reneging.
+
+When an ACK arrived pointing to a SACK reneging, tcp_check_sack_reneging()
+will rearm the RTO timer for min(1/2*srtt, 10ms) into to the future.
+
+But since the commit 62d9f1a6945b ("tcp: fix TLP timer not set when
+CA_STATE changes from DISORDER to OPEN") merged, the tcp_set_xmit_timer()
+is moved after tcp_fastretrans_alert()(which do the SACK reneging check),
+so the RTO timeout will be overwrited by tcp_set_xmit_timer() with
+icsk_rto instead of 1/2*srtt.
+
+Here is a packetdrill script to check this bug:
+0     socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
++0    bind(3, ..., ...) = 0
++0    listen(3, 1) = 0
+
+// simulate srtt to 100ms
++0    < S 0:0(0) win 32792 <mss 1000, sackOK,nop,nop,nop,wscale 7>
++0    > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 7>
++.1    < . 1:1(0) ack 1 win 1024
+
++0    accept(3, ..., ...) = 4
+
++0    write(4, ..., 10000) = 10000
++0    > P. 1:10001(10000) ack 1
+
+// inject sack
++.1    < . 1:1(0) ack 1 win 257 <sack 1001:10001,nop,nop>
++0    > . 1:1001(1000) ack 1
+
+// inject sack reneging
++.1    < . 1:1(0) ack 1001 win 257 <sack 9001:10001,nop,nop>
+
+// we expect rto fired in 1/2*srtt (50ms)
++.05    > . 1001:2001(1000) ack 1
+
+This fix remove the FLAG_SET_XMIT_TIMER from ack_flag when
+tcp_check_sack_reneging() set RTO timer with 1/2*srtt to avoid
+being overwrited later.
+
+Fixes: 62d9f1a6945b ("tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN")
+Signed-off-by: Fred Chen <fred.chenchen03@gmail.com>
+Reviewed-by: Neal Cardwell <ncardwell@google.com>
+Tested-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index a5781f86ac375..7d544f965b264 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -2202,16 +2202,17 @@ void tcp_enter_loss(struct sock *sk)
+  * restore sanity to the SACK scoreboard. If the apparent reneging
+  * persists until this RTO then we'll clear the SACK scoreboard.
+  */
+-static bool tcp_check_sack_reneging(struct sock *sk, int flag)
++static bool tcp_check_sack_reneging(struct sock *sk, int *ack_flag)
+ {
+-      if (flag & FLAG_SACK_RENEGING &&
+-          flag & FLAG_SND_UNA_ADVANCED) {
++      if (*ack_flag & FLAG_SACK_RENEGING &&
++          *ack_flag & FLAG_SND_UNA_ADVANCED) {
+               struct tcp_sock *tp = tcp_sk(sk);
+               unsigned long delay = max(usecs_to_jiffies(tp->srtt_us >> 4),
+                                         msecs_to_jiffies(10));
+               inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
+                                         delay, TCP_RTO_MAX);
++              *ack_flag &= ~FLAG_SET_XMIT_TIMER;
+               return true;
+       }
+       return false;
+@@ -2981,7 +2982,7 @@ static void tcp_fastretrans_alert(struct sock *sk, const u32 prior_snd_una,
+               tp->prior_ssthresh = 0;
+       /* B. In all the states check for reneging SACKs. */
+-      if (tcp_check_sack_reneging(sk, flag))
++      if (tcp_check_sack_reneging(sk, ack_flag))
+               return;
+       /* C. Check consistency of the current state. */
+-- 
+2.42.0
+
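Review bot: tcp_check_sack_reneging() now writes through `ack_flag`, but neither its name nor the comment block above it says so, and the call in tcp_fastretrans_alert() still reads like a pure predicate. I would add to the block comment ` * Clears FLAG_SET_XMIT_TIMER in *ack_flag so the caller does not rearm the RTO over the timer set here.` Separately, the commit text describes the delay as min(1/2*srtt, 10ms) while the context line computes `max(usecs_to_jiffies(tp->srtt_us >> 4), msecs_to_jiffies(10))`; the patch leaves that line unchanged, so only the description is off. The block comment and tcp_fastretrans_alert() both start outside the hunks.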
diff --git a/queue-6.5/treewide-spelling-fix-in-comment.patch b/queue-6.5/treewide-spelling-fix-in-comment.patch
new file mode 100644 (file)
index 0000000..2ec00d7
--- /dev/null
@@ -0,0 +1,36 @@
+From b76acb567ec191b728bbfd9c76c1da76835f7e46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 17:31:56 +0800
+Subject: treewide: Spelling fix in comment
+
+From: Kunwu Chan <chentao@kylinos.cn>
+
+[ Upstream commit fb71ba0ed8be9534493c80ba00142a64d9972a72 ]
+
+reques -> request
+
+Fixes: 09dde54c6a69 ("PS3: gelic: Add wireless support for PS3")
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/toshiba/ps3_gelic_wireless.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c b/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c
+index dc14a66583ff3..44488c153ea25 100644
+--- a/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c
++++ b/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c
+@@ -1217,7 +1217,7 @@ static int gelic_wl_set_encodeext(struct net_device *netdev,
+               key_index = wl->current_key;
+       if (!enc->length && (ext->ext_flags & IW_ENCODE_EXT_SET_TX_KEY)) {
+-              /* reques to change default key index */
++              /* request to change default key index */
+               pr_debug("%s: request to change default key to %d\n",
+                        __func__, key_index);
+               wl->current_key = key_index;
+-- 
+2.42.0
+
diff --git a/queue-6.5/wifi-cfg80211-fix-assoc-response-warning-on-failed-l.patch b/queue-6.5/wifi-cfg80211-fix-assoc-response-warning-on-failed-l.patch
new file mode 100644 (file)
index 0000000..49c007a
--- /dev/null
@@ -0,0 +1,43 @@
+From 2c52a4c1f2361185c5da60ad515fb7149126bd4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Oct 2023 11:42:51 +0200
+Subject: wifi: cfg80211: fix assoc response warning on failed links
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit c434b2be2d80d236bb090fdb493d4bd5ed589238 ]
+
+The warning here shouldn't be done before we even set the
+bss field (or should've used the input data). Move the
+assignment before the warning to fix it.
+
+We noticed this now because of Wen's bugfix, where the bug
+fixed there had previously hidden this other bug.
+
+Fixes: 53ad07e9823b ("wifi: cfg80211: support reporting failed links")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/mlme.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
+index 3e2c398abddcc..55a1d3633853f 100644
+--- a/net/wireless/mlme.c
++++ b/net/wireless/mlme.c
+@@ -43,10 +43,11 @@ void cfg80211_rx_assoc_resp(struct net_device *dev,
+       for (link_id = 0; link_id < ARRAY_SIZE(data->links); link_id++) {
+               cr.links[link_id].status = data->links[link_id].status;
++              cr.links[link_id].bss = data->links[link_id].bss;
++
+               WARN_ON_ONCE(cr.links[link_id].status != WLAN_STATUS_SUCCESS &&
+                            (!cr.ap_mld_addr || !cr.links[link_id].bss));
+-              cr.links[link_id].bss = data->links[link_id].bss;
+               if (!cr.links[link_id].bss)
+                       continue;
+               cr.links[link_id].bssid = data->links[link_id].bss->bssid;
+-- 
+2.42.0
+
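Review bot: The WARN_ON_ONCE() in the loop now depends on the assignment placed just above it, and nothing marks that ordering. Since the bug was exactly this order, a comment on the moved line, `/* must precede the WARN below, which tests .bss */`, would stop a later tidy-up from moving it back. The loop and cfg80211_rx_assoc_resp() continue outside the hunk.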
diff --git a/queue-6.5/wifi-cfg80211-pass-correct-pointer-to-rdev_inform_bs.patch b/queue-6.5/wifi-cfg80211-pass-correct-pointer-to-rdev_inform_bs.patch
new file mode 100644 (file)
index 0000000..4a2e8a4
--- /dev/null
@@ -0,0 +1,38 @@
+From e2733f864069d28f9e1d1fcc816b6c5218970a47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Oct 2023 08:48:27 -0700
+Subject: wifi: cfg80211: pass correct pointer to rdev_inform_bss()
+
+From: Ben Greear <greearb@candelatech.com>
+
+[ Upstream commit 3e3929ef889e650dd585dc0f4f7f18240688811a ]
+
+Confusing struct member names here resulted in passing
+the wrong pointer, causing crashes. Pass the correct one.
+
+Fixes: eb142608e2c4 ("wifi: cfg80211: use a struct for inform_single_bss data")
+Signed-off-by: Ben Greear <greearb@candelatech.com>
+Link: https://lore.kernel.org/r/20231021154827.1142734-1-greearb@candelatech.com
+[rewrite commit message, add fixes]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 939deecf0bbef..8210a6090ac16 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -2125,7 +2125,7 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy,
+       if (!res)
+               goto drop;
+-      rdev_inform_bss(rdev, &res->pub, ies, data->drv_data);
++      rdev_inform_bss(rdev, &res->pub, ies, drv_data->drv_data);
+       if (data->bss_source == BSS_SOURCE_MBSSID) {
+               /* this is a nontransmitting bss, we need to add it to
+-- 
+2.42.0
+
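Review bot: The corrected argument `drv_data->drv_data` keeps the naming that the commit message blames for the bug: a local and a struct member share one name, next to a second local called `data`. The declarations are outside the hunk, so the types are not visible here, but a comment at the call such as `/* the driver's private pointer, not the wrapper struct */`, or a rename of the local, would make the next mix-up less likely. The last parameter of rdev_inform_bss() is presumably an untyped pointer, since the wrong argument compiled, so the compiler will not catch a repeat.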
diff --git a/queue-6.5/wifi-mac80211-don-t-drop-all-unprotected-public-acti.patch b/queue-6.5/wifi-mac80211-don-t-drop-all-unprotected-public-acti.patch
new file mode 100644 (file)
index 0000000..b466ddc
--- /dev/null
@@ -0,0 +1,81 @@
+From 8c47c76ec8c3b00ab3060f748d4e48f5549d737d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Oct 2023 14:52:48 +0300
+Subject: wifi: mac80211: don't drop all unprotected public action frames
+
+From: Avraham Stern <avraham.stern@intel.com>
+
+[ Upstream commit 91535613b6090fc968c601d11d4e2f16b333713c ]
+
+Not all public action frames have a protected variant. When MFP is
+enabled drop only public action frames that have a dual protected
+variant.
+
+Fixes: 76a3059cf124 ("wifi: mac80211: drop some unprotected action frames")
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20231016145213.2973e3c8d3bb.I6198b8d3b04cf4a97b06660d346caec3032f232a@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ieee80211.h | 29 +++++++++++++++++++++++++++++
+ net/mac80211/rx.c         |  3 +--
+ 2 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
+index 4b998090898e3..1d7aea6342171 100644
+--- a/include/linux/ieee80211.h
++++ b/include/linux/ieee80211.h
+@@ -4236,6 +4236,35 @@ static inline bool ieee80211_is_public_action(struct ieee80211_hdr *hdr,
+       return mgmt->u.action.category == WLAN_CATEGORY_PUBLIC;
+ }
++/**
++ * ieee80211_is_protected_dual_of_public_action - check if skb contains a
++ * protected dual of public action management frame
++ * @skb: the skb containing the frame, length will be checked
++ *
++ * Return: true if the skb contains a protected dual of public action
++ * management frame, false otherwise.
++ */
++static inline bool
++ieee80211_is_protected_dual_of_public_action(struct sk_buff *skb)
++{
++      u8 action;
++
++      if (!ieee80211_is_public_action((void *)skb->data, skb->len) ||
++          skb->len < IEEE80211_MIN_ACTION_SIZE + 1)
++              return false;
++
++      action = *(u8 *)(skb->data + IEEE80211_MIN_ACTION_SIZE);
++
++      return action != WLAN_PUB_ACTION_20_40_BSS_COEX &&
++              action != WLAN_PUB_ACTION_DSE_REG_LOC_ANN &&
++              action != WLAN_PUB_ACTION_MSMT_PILOT &&
++              action != WLAN_PUB_ACTION_TDLS_DISCOVER_RES &&
++              action != WLAN_PUB_ACTION_LOC_TRACK_NOTI &&
++              action != WLAN_PUB_ACTION_FTM_REQUEST &&
++              action != WLAN_PUB_ACTION_FTM_RESPONSE &&
++              action != WLAN_PUB_ACTION_FILS_DISCOVERY;
++}
++
+ /**
+  * _ieee80211_is_group_privacy_action - check if frame is a group addressed
+  * privacy action frame
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index e751cda5eef69..8f6b6f56b65b4 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2468,8 +2468,7 @@ static int ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
+               /* drop unicast public action frames when using MPF */
+               if (is_unicast_ether_addr(mgmt->da) &&
+-                  ieee80211_is_public_action((void *)rx->skb->data,
+-                                             rx->skb->len))
++                  ieee80211_is_protected_dual_of_public_action(rx->skb))
+                       return -EACCES;
+       }
+-- 
+2.42.0
+
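Review bot: In ieee80211_is_protected_dual_of_public_action() the action byte is read at `skb->data + IEEE80211_MIN_ACTION_SIZE` after a bound check against `skb->len`, which counts paged data as well as the linear head, so the helper is only safe on a linear skb. The rx.c caller presumably guarantees that, but the helper lives in a shared header, so the kernel-doc should state it: `@skb: the skb containing the frame (must be linear), length will be checked`. The return expression is a negative list, so any action code not named there, including codes the header does not define yet, is treated as having a protected dual and is dropped when it arrives unprotected under MFP; that fail-closed default deserves a one-line comment above the `return`. In the rx.c hunk the context comment `/* drop unicast public action frames when using MPF */` no longer matches the condition and could read `/* drop unicast public action frames that have a protected dual when using MFP */`. ieee80211_drop_unencrypted_mgmt() starts and ends outside that hunk.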