--- /dev/null
+From c6112e03497bba3c6519823ae038ccb30155c15f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 22:02:56 +0000
+Subject: afs: Fix fileserver probe RTT handling
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit ca57f02295f188d6c65ec02202402979880fa6d8 ]
+
+The fileserver probing code attempts to work out the best fileserver to
+use for a volume by retrieving the RTT calculated by AF_RXRPC for the
+probe call sent to each server and comparing them. Sometimes, however,
+no RTT estimate is available and rxrpc_kernel_get_srtt() returns false,
+leading good fileservers to be given an RTT of UINT_MAX and thus causing
+the rotation algorithm to ignore them.
+
+Fix afs_select_fileserver() to ignore rxrpc_kernel_get_srtt()'s return
+value and just take the estimated RTT it provides - which will be capped
+at 1 second.
+
+Fixes: 1d4adfaf6574 ("rxrpc: Make rxrpc_kernel_get_srtt() indicate validity")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+Tested-by: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Link: https://lore.kernel.org/r/166965503999.3392585.13954054113218099395.stgit@warthog.procyon.org.uk/
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/fs_probe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/afs/fs_probe.c b/fs/afs/fs_probe.c
+index c0031a3ab42f..3ac5fcf98d0d 100644
+--- a/fs/afs/fs_probe.c
++++ b/fs/afs/fs_probe.c
+@@ -167,8 +167,8 @@ void afs_fileserver_probe_result(struct afs_call *call)
+ clear_bit(AFS_SERVER_FL_HAS_FS64, &server->flags);
+ }
+
+- if (rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us) &&
+- rtt_us < server->probe.rtt) {
++ rxrpc_kernel_get_srtt(call->net->socket, call->rxcall, &rtt_us);
++ if (rtt_us < server->probe.rtt) {
+ server->probe.rtt = rtt_us;
+ server->rtt = rtt_us;
+ alist->preferred = index;
+--
+2.35.1
+
--- /dev/null
+From 1aeead7283e04aa94512b984c015c6e7bbf7a3a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 17:55:51 +0000
+Subject: afs: Fix server->active leak in afs_put_server
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+[ Upstream commit ef4d3ea40565a781c25847e9cb96c1bd9f462bc6 ]
+
+The atomic_read was accidentally replaced with atomic_inc_return,
+which prevents the server from getting cleaned up and causes rmmod
+to hang with a warning:
+
+ Can't purge s=00000001
+
+Fixes: 2757a4dc1849 ("afs: Fix access after dec in put functions")
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/r/20221130174053.2665818-1-marc.dionne@auristor.com/
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/afs/server.c b/fs/afs/server.c
+index 4981baf97835..b5237206eac3 100644
+--- a/fs/afs/server.c
++++ b/fs/afs/server.c
+@@ -406,7 +406,7 @@ void afs_put_server(struct afs_net *net, struct afs_server *server,
+ if (!server)
+ return;
+
+- a = atomic_inc_return(&server->active);
++ a = atomic_read(&server->active);
+ zero = __refcount_dec_and_test(&server->ref, &r);
+ trace_afs_server(debug_id, r - 1, a, reason);
+ if (unlikely(zero))
+--
+2.35.1
+
--- /dev/null
+From 8658aeb027684346ea8f2d979ffaad9d66ccb439 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 11:10:08 +0100
+Subject: aquantia: Do not purge addresses when setting the number of rings
+
+From: Izabela Bakollari <ibakolla@redhat.com>
+
+[ Upstream commit 2a83891130512dafb321418a8e7c9c09268d8c59 ]
+
+IPV6 addresses are purged when setting the number of rx/tx
+rings using ethtool -G. The function aq_set_ringparam
+calls dev_close, which removes the addresses. As a solution,
+call an internal function (aq_ndev_close).
+
+Fixes: c1af5427954b ("net: aquantia: Ethtool based ring size configuration")
+Signed-off-by: Izabela Bakollari <ibakolla@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c | 5 +++--
+ drivers/net/ethernet/aquantia/atlantic/aq_main.c | 4 ++--
+ drivers/net/ethernet/aquantia/atlantic/aq_main.h | 2 ++
+ 3 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c b/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c
+index 1daecd483b8d..9c1378c22a8e 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c
+@@ -13,6 +13,7 @@
+ #include "aq_ptp.h"
+ #include "aq_filters.h"
+ #include "aq_macsec.h"
++#include "aq_main.h"
+
+ #include <linux/ptp_clock_kernel.h>
+
+@@ -858,7 +859,7 @@ static int aq_set_ringparam(struct net_device *ndev,
+
+ if (netif_running(ndev)) {
+ ndev_running = true;
+- dev_close(ndev);
++ aq_ndev_close(ndev);
+ }
+
+ cfg->rxds = max(ring->rx_pending, hw_caps->rxds_min);
+@@ -874,7 +875,7 @@ static int aq_set_ringparam(struct net_device *ndev,
+ goto err_exit;
+
+ if (ndev_running)
+- err = dev_open(ndev, NULL);
++ err = aq_ndev_open(ndev);
+
+ err_exit:
+ return err;
+diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_main.c b/drivers/net/ethernet/aquantia/atlantic/aq_main.c
+index 8a0af371e7dc..77609dc0a08d 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_main.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_main.c
+@@ -58,7 +58,7 @@ struct net_device *aq_ndev_alloc(void)
+ return ndev;
+ }
+
+-static int aq_ndev_open(struct net_device *ndev)
++int aq_ndev_open(struct net_device *ndev)
+ {
+ struct aq_nic_s *aq_nic = netdev_priv(ndev);
+ int err = 0;
+@@ -88,7 +88,7 @@ static int aq_ndev_open(struct net_device *ndev)
+ return err;
+ }
+
+-static int aq_ndev_close(struct net_device *ndev)
++int aq_ndev_close(struct net_device *ndev)
+ {
+ struct aq_nic_s *aq_nic = netdev_priv(ndev);
+ int err = 0;
+diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_main.h b/drivers/net/ethernet/aquantia/atlantic/aq_main.h
+index 99870865f66d..a78c1a168d8e 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_main.h
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_main.h
+@@ -16,5 +16,7 @@ DECLARE_STATIC_KEY_FALSE(aq_xdp_locking_key);
+
+ void aq_ndev_schedule_work(struct work_struct *work);
+ struct net_device *aq_ndev_alloc(void);
++int aq_ndev_open(struct net_device *ndev);
++int aq_ndev_close(struct net_device *ndev);
+
+ #endif /* AQ_MAIN_H */
+--
+2.35.1
+
--- /dev/null
+From 9484e3058e773cc088a6a8ca791ef1ec472202d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 19:59:22 +0100
+Subject: ARM: at91: rm9200: fix usb device clock id
+
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+
+[ Upstream commit 57976762428675f259339385d3324d28ee53ec02 ]
+
+Referring to the datasheet the index 2 is the MCKUDP. When enabled, it
+"Enables the automatic disable of the Master Clock of the USB Device
+Port when a suspend condition occurs". We fix the index to the real UDP
+id which "Enables the 48 MHz clock of the USB Device Port".
+
+Cc: nicolas.ferre@microchip.com
+Cc: ludovic.desroches@microchip.com
+Cc: alexandre.belloni@bootlin.com
+Cc: mturquette@baylibre.com
+Cc: sboyd@kernel.org
+Cc: claudiu.beznea@microchip.com
+Cc: linux-clk@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: kernel@pengutronix.de
+Fixes: 02ff48e4d7f7 ("clk: at91: add at91rm9200 pmc driver")
+Fixes: 0e0e528d8260 ("ARM: dts: at91: rm9200: switch to new clock bindings")
+Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20221114185923.1023249-2-m.grzeschik@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/at91rm9200.dtsi | 2 +-
+ drivers/clk/at91/at91rm9200.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/at91rm9200.dtsi b/arch/arm/boot/dts/at91rm9200.dtsi
+index d1181ead18e5..21344fbc89e5 100644
+--- a/arch/arm/boot/dts/at91rm9200.dtsi
++++ b/arch/arm/boot/dts/at91rm9200.dtsi
+@@ -660,7 +660,7 @@ usb1: gadget@fffb0000 {
+ compatible = "atmel,at91rm9200-udc";
+ reg = <0xfffb0000 0x4000>;
+ interrupts = <11 IRQ_TYPE_LEVEL_HIGH 2>;
+- clocks = <&pmc PMC_TYPE_PERIPHERAL 11>, <&pmc PMC_TYPE_SYSTEM 2>;
++ clocks = <&pmc PMC_TYPE_PERIPHERAL 11>, <&pmc PMC_TYPE_SYSTEM 1>;
+ clock-names = "pclk", "hclk";
+ status = "disabled";
+ };
+diff --git a/drivers/clk/at91/at91rm9200.c b/drivers/clk/at91/at91rm9200.c
+index b174f727a8ef..16870943a13e 100644
+--- a/drivers/clk/at91/at91rm9200.c
++++ b/drivers/clk/at91/at91rm9200.c
+@@ -40,7 +40,7 @@ static const struct clk_pll_characteristics rm9200_pll_characteristics = {
+ };
+
+ static const struct sck at91rm9200_systemck[] = {
+- { .n = "udpck", .p = "usbck", .id = 2 },
++ { .n = "udpck", .p = "usbck", .id = 1 },
+ { .n = "uhpck", .p = "usbck", .id = 4 },
+ { .n = "pck0", .p = "prog0", .id = 8 },
+ { .n = "pck1", .p = "prog1", .id = 9 },
+--
+2.35.1
+
--- /dev/null
+From 5b23a646df0c3aa531d2396dc414155428a8bb38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 08:47:19 -0500
+Subject: bpf: Do not copy spin lock field from user in bpf_selem_alloc
+
+From: Xu Kuohai <xukuohai@huawei.com>
+
+[ Upstream commit 836e49e103dfeeff670c934b7d563cbd982fce87 ]
+
+bpf_selem_alloc function is used by inode_storage, sk_storage and
+task_storage maps to set map value, for these map types, there may
+be a spin lock in the map value, so if we use memcpy to copy the whole
+map value from user, the spin lock field may be initialized incorrectly.
+
+Since the spin lock field is zeroed by kzalloc, call copy_map_value
+instead of memcpy to skip copying the spin lock field to fix it.
+
+Fixes: 6ac99e8f23d4 ("bpf: Introduce bpf sk local storage")
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Link: https://lore.kernel.org/r/20221114134720.1057939-2-xukuohai@huawei.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/bpf_local_storage.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/bpf_local_storage.c b/kernel/bpf/bpf_local_storage.c
+index d13ffb00e981..cbe918ba9035 100644
+--- a/kernel/bpf/bpf_local_storage.c
++++ b/kernel/bpf/bpf_local_storage.c
+@@ -74,7 +74,7 @@ bpf_selem_alloc(struct bpf_local_storage_map *smap, void *owner,
+ gfp_flags | __GFP_NOWARN);
+ if (selem) {
+ if (value)
+- memcpy(SDATA(selem)->data, value, smap->map.value_size);
++ copy_map_value(&smap->map, SDATA(selem)->data, value);
+ return selem;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From de6b38b4fd0db753eab4292567d9bfeda4647032 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 17:57:33 +0800
+Subject: bpf, perf: Use subprog name when reporting subprog ksymbol
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit 47df8a2f78bc34ff170d147d05b121f84e252b85 ]
+
+Since commit bfea9a8574f3 ("bpf: Add name to struct bpf_ksym"), when
+reporting subprog ksymbol to perf, prog name instead of subprog name is
+used. The backtrace of bpf program with subprogs will be incorrect as
+shown below:
+
+ ffffffffc02deace bpf_prog_e44a3057dcb151f8_overwrite+0x66
+ ffffffffc02de9f7 bpf_prog_e44a3057dcb151f8_overwrite+0x9f
+ ffffffffa71d8d4e trace_call_bpf+0xce
+ ffffffffa71c2938 perf_call_bpf_enter.isra.0+0x48
+
+overwrite is the entry program and it invokes the overwrite_htab subprog
+through bpf_loop, but in above backtrace, overwrite program just jumps
+inside itself.
+
+Fixing it by using subprog name when reporting subprog ksymbol. After
+the fix, the output of perf script will be correct as shown below:
+
+ ffffffffc031aad2 bpf_prog_37c0bec7d7c764a4_overwrite_htab+0x66
+ ffffffffc031a9e7 bpf_prog_c7eb827ef4f23e71_overwrite+0x9f
+ ffffffffa3dd8d4e trace_call_bpf+0xce
+ ffffffffa3dc2938 perf_call_bpf_enter.isra.0+0x48
+
+Fixes: bfea9a8574f3 ("bpf: Add name to struct bpf_ksym")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Link: https://lore.kernel.org/bpf/20221114095733.158588-1-houtao@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index bec18d81b116..8dcbefd90b7f 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -9006,7 +9006,7 @@ static void perf_event_bpf_emit_ksymbols(struct bpf_prog *prog,
+ PERF_RECORD_KSYMBOL_TYPE_BPF,
+ (u64)(unsigned long)subprog->bpf_func,
+ subprog->jited_len, unregister,
+- prog->aux->ksym.name);
++ subprog->aux->ksym.name);
+ }
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From c4427191b5fc32fa04a212e145479707d155009a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 22:23:54 +0800
+Subject: btrfs: qgroup: fix sleep from invalid context bug in
+ btrfs_qgroup_inherit()
+
+From: ChenXiaoSong <chenxiaosong2@huawei.com>
+
+[ Upstream commit f7e942b5bb35d8e3af54053d19a6bf04143a3955 ]
+
+Syzkaller reported BUG as follows:
+
+ BUG: sleeping function called from invalid context at
+ include/linux/sched/mm.h:274
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0xcd/0x134
+ __might_resched.cold+0x222/0x26b
+ kmem_cache_alloc+0x2e7/0x3c0
+ update_qgroup_limit_item+0xe1/0x390
+ btrfs_qgroup_inherit+0x147b/0x1ee0
+ create_subvol+0x4eb/0x1710
+ btrfs_mksubvol+0xfe5/0x13f0
+ __btrfs_ioctl_snap_create+0x2b0/0x430
+ btrfs_ioctl_snap_create_v2+0x25a/0x520
+ btrfs_ioctl+0x2a1c/0x5ce0
+ __x64_sys_ioctl+0x193/0x200
+ do_syscall_64+0x35/0x80
+
+Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in
+btrfs_run_qgroups() later outside of the spinlock context.
+
+CC: stable@vger.kernel.org # 4.9+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/qgroup.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index ba323dcb0a0b..db56e0c0e9ac 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -2920,14 +2920,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, u64 srcid,
+ dstgroup->rsv_rfer = inherit->lim.rsv_rfer;
+ dstgroup->rsv_excl = inherit->lim.rsv_excl;
+
+- ret = update_qgroup_limit_item(trans, dstgroup);
+- if (ret) {
+- fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT;
+- btrfs_info(fs_info,
+- "unable to update quota limit for %llu",
+- dstgroup->qgroupid);
+- goto unlock;
+- }
++ qgroup_dirty(fs_info, dstgroup);
+ }
+
+ if (srcid) {
+--
+2.35.1
+
--- /dev/null
+From df20ecc8f011ad4c6a984e9698c6747330c55e39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 20:09:16 +0800
+Subject: can: cc770: cc770_isa_probe(): add missing free_cc770dev()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 62ec89e74099a3d6995988ed9f2f996b368417ec ]
+
+Add the missing free_cc770dev() before return from cc770_isa_probe()
+in the register_cc770dev() error handling case.
+
+In addition, remove blanks before goto labels.
+
+Fixes: 7e02e5433e00 ("can: cc770: legacy CC770 ISA bus driver")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/all/1668168557-6024-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/cc770/cc770_isa.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/can/cc770/cc770_isa.c b/drivers/net/can/cc770/cc770_isa.c
+index 194c86e0f340..8f6dccd5a587 100644
+--- a/drivers/net/can/cc770/cc770_isa.c
++++ b/drivers/net/can/cc770/cc770_isa.c
+@@ -264,22 +264,24 @@ static int cc770_isa_probe(struct platform_device *pdev)
+ if (err) {
+ dev_err(&pdev->dev,
+ "couldn't register device (err=%d)\n", err);
+- goto exit_unmap;
++ goto exit_free;
+ }
+
+ dev_info(&pdev->dev, "device registered (reg_base=0x%p, irq=%d)\n",
+ priv->reg_base, dev->irq);
+ return 0;
+
+- exit_unmap:
++exit_free:
++ free_cc770dev(dev);
++exit_unmap:
+ if (mem[idx])
+ iounmap(base);
+- exit_release:
++exit_release:
+ if (mem[idx])
+ release_mem_region(mem[idx], iosize);
+ else
+ release_region(port[idx], iosize);
+- exit:
++exit:
+ return err;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From cb656d3b29dc21b878751caadccec4ea748927d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 16:14:44 +0800
+Subject: can: etas_es58x: es58x_init_netdev(): free netdev when
+ register_candev()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 709cb2f9ed2006eb1dc4b36b99d601cd24889ec4 ]
+
+In case of register_candev() fails, clear
+es58x_dev->netdev[channel_idx] and add free_candev(). Otherwise
+es58x_free_netdevs() will unregister the netdev that has never been
+registered.
+
+Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Acked-by: Arunachalam Santhanam <Arunachalam.Santhanam@in.bosch.com>
+Acked-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://lore.kernel.org/all/1668413685-23354-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/etas_es58x/es58x_core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c
+index 25f863b4f5f0..ddb7c5735c9a 100644
+--- a/drivers/net/can/usb/etas_es58x/es58x_core.c
++++ b/drivers/net/can/usb/etas_es58x/es58x_core.c
+@@ -2091,8 +2091,11 @@ static int es58x_init_netdev(struct es58x_device *es58x_dev, int channel_idx)
+ netdev->dev_port = channel_idx;
+
+ ret = register_candev(netdev);
+- if (ret)
++ if (ret) {
++ es58x_dev->netdev[channel_idx] = NULL;
++ free_candev(netdev);
+ return ret;
++ }
+
+ netdev_queue_set_dql_min_limit(netdev_get_tx_queue(netdev, 0),
+ es58x_dev->param->dql_min_limit);
+--
+2.35.1
+
--- /dev/null
+From 58c3bb62a627a0a4e738e7ee8a7d84eee999cec5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 14:36:51 +0800
+Subject: can: m_can: Add check for devm_clk_get
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 68b4f9e0bdd0f920d7303d07bfe226cd0976961d ]
+
+Since the devm_clk_get may return error,
+it should be better to add check for the cdev->hclk,
+as same as cdev->cclk.
+
+Fixes: f524f829b75a ("can: m_can: Create a m_can platform framework")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Link: https://lore.kernel.org/all/20221123063651.26199-1-jiasheng@iscas.ac.cn
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/m_can/m_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
+index 4dc67fdfcdb9..153d8fd08bd8 100644
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -1910,7 +1910,7 @@ int m_can_class_get_clocks(struct m_can_classdev *cdev)
+ cdev->hclk = devm_clk_get(cdev->dev, "hclk");
+ cdev->cclk = devm_clk_get(cdev->dev, "cclk");
+
+- if (IS_ERR(cdev->cclk)) {
++ if (IS_ERR(cdev->hclk) || IS_ERR(cdev->cclk)) {
+ dev_err(cdev->dev, "no clock found\n");
+ ret = -ENODEV;
+ }
+--
+2.35.1
+
--- /dev/null
+From d91f0b12cd7bee4eeb9f34d5d12adef9ca013fb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 20:11:23 +0800
+Subject: can: m_can: pci: add missing m_can_class_free_dev() in probe/remove
+ methods
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 1eca1d4cc21b6d0fc5f9a390339804c0afce9439 ]
+
+In m_can_pci_remove() and error handling path of m_can_pci_probe(),
+m_can_class_free_dev() should be called to free resource allocated by
+m_can_class_allocate_dev(), otherwise there will be memleak.
+
+Fixes: cab7ffc0324f ("can: m_can: add PCI glue driver for Intel Elkhart Lake")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Reviewed-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Link: https://lore.kernel.org/all/1668168684-6390-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/m_can/m_can_pci.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/m_can/m_can_pci.c b/drivers/net/can/m_can/m_can_pci.c
+index 8f184a852a0a..f2219aa2824b 100644
+--- a/drivers/net/can/m_can/m_can_pci.c
++++ b/drivers/net/can/m_can/m_can_pci.c
+@@ -120,7 +120,7 @@ static int m_can_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
+
+ ret = pci_alloc_irq_vectors(pci, 1, 1, PCI_IRQ_ALL_TYPES);
+ if (ret < 0)
+- return ret;
++ goto err_free_dev;
+
+ mcan_class->dev = &pci->dev;
+ mcan_class->net->irq = pci_irq_vector(pci, 0);
+@@ -132,7 +132,7 @@ static int m_can_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
+
+ ret = m_can_class_register(mcan_class);
+ if (ret)
+- goto err;
++ goto err_free_irq;
+
+ /* Enable interrupt control at CAN wrapper IP */
+ writel(0x1, base + CTL_CSR_INT_CTL_OFFSET);
+@@ -144,8 +144,10 @@ static int m_can_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
+
+ return 0;
+
+-err:
++err_free_irq:
+ pci_free_irq_vectors(pci);
++err_free_dev:
++ m_can_class_free_dev(mcan_class->net);
+ return ret;
+ }
+
+@@ -161,6 +163,7 @@ static void m_can_pci_remove(struct pci_dev *pci)
+ writel(0x0, priv->base + CTL_CSR_INT_CTL_OFFSET);
+
+ m_can_class_unregister(mcan_class);
++ m_can_class_free_dev(mcan_class->net);
+ pci_free_irq_vectors(pci);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From f2cf35c5fa3eac06cb5380e181fd75f0c8514fe0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Nov 2022 20:08:41 +0800
+Subject: can: sja1000_isa: sja1000_isa_probe(): add missing free_sja1000dev()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 92dfd9310a71d28cefe6a2d5174d43fab240e631 ]
+
+Add the missing free_sja1000dev() before return from
+sja1000_isa_probe() in the register_sja1000dev() error handling case.
+
+In addition, remove blanks before goto labels.
+
+Fixes: 2a6ba39ad6a2 ("can: sja1000: legacy SJA1000 ISA bus driver")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/all/1668168521-5540-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/sja1000/sja1000_isa.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/can/sja1000/sja1000_isa.c b/drivers/net/can/sja1000/sja1000_isa.c
+index d513fac50718..db3e767d5320 100644
+--- a/drivers/net/can/sja1000/sja1000_isa.c
++++ b/drivers/net/can/sja1000/sja1000_isa.c
+@@ -202,22 +202,24 @@ static int sja1000_isa_probe(struct platform_device *pdev)
+ if (err) {
+ dev_err(&pdev->dev, "registering %s failed (err=%d)\n",
+ DRV_NAME, err);
+- goto exit_unmap;
++ goto exit_free;
+ }
+
+ dev_info(&pdev->dev, "%s device registered (reg_base=0x%p, irq=%d)\n",
+ DRV_NAME, priv->reg_base, dev->irq);
+ return 0;
+
+- exit_unmap:
++exit_free:
++ free_sja1000dev(dev);
++exit_unmap:
+ if (mem[idx])
+ iounmap(base);
+- exit_release:
++exit_release:
+ if (mem[idx])
+ release_mem_region(mem[idx], iosize);
+ else
+ release_region(port[idx], iosize);
+- exit:
++exit:
+ return err;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 890d079282f573b1b87b1180c7450515913e44ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Nov 2022 20:59:56 +0530
+Subject: clk: qcom: gcc-sc8280xp: add cxo as parent for three ufs ref clks
+
+From: Shazad Hussain <quic_shazhuss@quicinc.com>
+
+[ Upstream commit f6abcc21d94393801937aed808b8f055ffec8579 ]
+
+The three UFS reference clocks, gcc_ufs_ref_clkref_clk for external
+UFS devices, gcc_ufs_card_clkref_clk and gcc_ufs_1_card_clkref_clk for
+two PHYs are all sourced from CXO.
+
+Added parent_data for all three reference clocks described above to
+reflect that all three clocks are sourced from CXO to have valid
+frequency for the ref clock needed by UFS controller driver.
+
+Fixes: d65d005f9a6c ("clk: qcom: add sc8280xp GCC driver")
+Link: https://lore.kernel.org/lkml/Y2Tber39cHuOSR%2FW@hovoldconsulting.com/
+Signed-off-by: Shazad Hussain <quic_shazhuss@quicinc.com>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Tested-by: Andrew Halaney <ahalaney@redhat.com>
+Reviewed-by: Andrew Halaney <ahalaney@redhat.com>
+Reviewed-by: Brian Masney <bmasney@redhat.com>
+Link: https://lore.kernel.org/r/20221115152956.21677-1-quic_shazhuss@quicinc.com
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-sc8280xp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/clk/qcom/gcc-sc8280xp.c b/drivers/clk/qcom/gcc-sc8280xp.c
+index a2f3ffcc5849..fd332383527f 100644
+--- a/drivers/clk/qcom/gcc-sc8280xp.c
++++ b/drivers/clk/qcom/gcc-sc8280xp.c
+@@ -5364,6 +5364,8 @@ static struct clk_branch gcc_ufs_1_card_clkref_clk = {
+ .enable_mask = BIT(0),
+ .hw.init = &(const struct clk_init_data) {
+ .name = "gcc_ufs_1_card_clkref_clk",
++ .parent_data = &gcc_parent_data_tcxo,
++ .num_parents = 1,
+ .ops = &clk_branch2_ops,
+ },
+ },
+@@ -5432,6 +5434,8 @@ static struct clk_branch gcc_ufs_card_clkref_clk = {
+ .enable_mask = BIT(0),
+ .hw.init = &(const struct clk_init_data) {
+ .name = "gcc_ufs_card_clkref_clk",
++ .parent_data = &gcc_parent_data_tcxo,
++ .num_parents = 1,
+ .ops = &clk_branch2_ops,
+ },
+ },
+@@ -5848,6 +5852,8 @@ static struct clk_branch gcc_ufs_ref_clkref_clk = {
+ .enable_mask = BIT(0),
+ .hw.init = &(const struct clk_init_data) {
+ .name = "gcc_ufs_ref_clkref_clk",
++ .parent_data = &gcc_parent_data_tcxo,
++ .num_parents = 1,
+ .ops = &clk_branch2_ops,
+ },
+ },
+--
+2.35.1
+
--- /dev/null
+From cf193b732038f6e8cf5da4f4d489e5d8fe1b36b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Sep 2022 17:58:16 +0200
+Subject: clk: qcom: gdsc: add missing error handling
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit eab4c1ebdd657957bf7ae66ffb8849b462db78b3 ]
+
+Since commit 7eb231c337e0 ("PM / Domains: Convert pm_genpd_init() to
+return an error code") pm_genpd_init() can return an error which the
+caller must handle.
+
+The current error handling was also incomplete as the runtime PM and
+regulator use counts were not balanced in all error paths.
+
+Add the missing error handling to the GDSC initialisation to avoid
+continuing as if nothing happened on errors.
+
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20220929155816.17425-1-johan+linaro@kernel.org
+Stable-dep-of: 4cc47e8add63 ("clk: qcom: gdsc: Remove direct runtime PM calls")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gdsc.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/clk/qcom/gdsc.c b/drivers/clk/qcom/gdsc.c
+index d3244006c661..4b66ce0f1940 100644
+--- a/drivers/clk/qcom/gdsc.c
++++ b/drivers/clk/qcom/gdsc.c
+@@ -439,11 +439,8 @@ static int gdsc_init(struct gdsc *sc)
+
+ /* ...and the power-domain */
+ ret = gdsc_pm_runtime_get(sc);
+- if (ret) {
+- if (sc->rsupply)
+- regulator_disable(sc->rsupply);
+- return ret;
+- }
++ if (ret)
++ goto err_disable_supply;
+
+ /*
+ * Votable GDSCs can be ON due to Vote from other masters.
+@@ -452,14 +449,14 @@ static int gdsc_init(struct gdsc *sc)
+ if (sc->flags & VOTABLE) {
+ ret = gdsc_update_collapse_bit(sc, false);
+ if (ret)
+- return ret;
++ goto err_put_rpm;
+ }
+
+ /* Turn on HW trigger mode if supported */
+ if (sc->flags & HW_CTRL) {
+ ret = gdsc_hwctrl(sc, true);
+ if (ret < 0)
+- return ret;
++ goto err_put_rpm;
+ }
+
+ /*
+@@ -486,9 +483,21 @@ static int gdsc_init(struct gdsc *sc)
+ sc->pd.power_off = gdsc_disable;
+ if (!sc->pd.power_on)
+ sc->pd.power_on = gdsc_enable;
+- pm_genpd_init(&sc->pd, NULL, !on);
++
++ ret = pm_genpd_init(&sc->pd, NULL, !on);
++ if (ret)
++ goto err_put_rpm;
+
+ return 0;
++
++err_put_rpm:
++ if (on)
++ gdsc_pm_runtime_put(sc);
++err_disable_supply:
++ if (on && sc->rsupply)
++ regulator_disable(sc->rsupply);
++
++ return ret;
+ }
+
+ int gdsc_register(struct gdsc_desc *desc,
+--
+2.35.1
+
--- /dev/null
+From 42653dc83ef163db191df8daebbe229752070f41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Nov 2022 11:30:30 -0700
+Subject: clk: qcom: gdsc: Remove direct runtime PM calls
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit 4cc47e8add635408e063c98b52d56b7ceacf0b70 ]
+
+We shouldn't be calling runtime PM APIs from within the genpd
+enable/disable path for a couple reasons.
+
+First, this causes an AA lockdep splat[1] because genpd can call into
+genpd code again while holding the genpd lock.
+
+WARNING: possible recursive locking detected
+5.19.0-rc2-lockdep+ #7 Not tainted
+--------------------------------------------
+kworker/2:1/49 is trying to acquire lock:
+ffffffeea0370788 (&genpd->mlock){+.+.}-{3:3}, at: genpd_lock_mtx+0x24/0x30
+
+but task is already holding lock:
+ffffffeea03710a8 (&genpd->mlock){+.+.}-{3:3}, at: genpd_lock_mtx+0x24/0x30
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&genpd->mlock);
+ lock(&genpd->mlock);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+3 locks held by kworker/2:1/49:
+ #0: 74ffff80811a5748 ((wq_completion)pm){+.+.}-{0:0}, at: process_one_work+0x320/0x5fc
+ #1: ffffffc008537cf8 ((work_completion)(&genpd->power_off_work)){+.+.}-{0:0}, at: process_one_work+0x354/0x5fc
+ #2: ffffffeea03710a8 (&genpd->mlock){+.+.}-{3:3}, at: genpd_lock_mtx+0x24/0x30
+
+stack backtrace:
+CPU: 2 PID: 49 Comm: kworker/2:1 Not tainted 5.19.0-rc2-lockdep+ #7
+Hardware name: Google Lazor (rev3 - 8) with KB Backlight (DT)
+Workqueue: pm genpd_power_off_work_fn
+Call trace:
+ dump_backtrace+0x1a0/0x200
+ show_stack+0x24/0x30
+ dump_stack_lvl+0x7c/0xa0
+ dump_stack+0x18/0x44
+ __lock_acquire+0xb38/0x3634
+ lock_acquire+0x180/0x2d4
+ __mutex_lock_common+0x118/0xe30
+ mutex_lock_nested+0x70/0x7c
+ genpd_lock_mtx+0x24/0x30
+ genpd_runtime_suspend+0x2f0/0x414
+ __rpm_callback+0xdc/0x1b8
+ rpm_callback+0x4c/0xcc
+ rpm_suspend+0x21c/0x5f0
+ rpm_idle+0x17c/0x1e0
+ __pm_runtime_idle+0x78/0xcc
+ gdsc_disable+0x24c/0x26c
+ _genpd_power_off+0xd4/0x1c4
+ genpd_power_off+0x2d8/0x41c
+ genpd_power_off_work_fn+0x60/0x94
+ process_one_work+0x398/0x5fc
+ worker_thread+0x42c/0x6c4
+ kthread+0x194/0x1b4
+ ret_from_fork+0x10/0x20
+
+Second, this confuses runtime PM on CoachZ for the camera devices by
+causing the camera clock controller's runtime PM usage_count to go
+negative after resuming from suspend. This is because runtime PM is
+being used on the clock controller while runtime PM is disabled for the
+device.
+
+The reason for the negative count is because a GDSC is represented as a
+genpd and each genpd that is attached to a device is resumed during the
+noirq phase of system wide suspend/resume (see the noirq suspend ops
+assignment in pm_genpd_init() for more details). The camera GDSCs are
+attached to camera devices with the 'power-domains' property in DT.
+Every device has runtime PM disabled in the late system suspend phase
+via __device_suspend_late(). Runtime PM is not usable until runtime PM
+is enabled in device_resume_early(). The noirq phases run after the
+'late' and before the 'early' phase of suspend/resume. When the genpds
+are resumed in genpd_resume_noirq(), we call down into gdsc_enable()
+that calls pm_runtime_resume_and_get() and that returns -EACCES to
+indicate failure to resume because runtime PM is disabled for all
+devices.
+
+Upon closer inspection, calling runtime PM APIs like this in the GDSC
+driver doesn't make sense. It was intended to make sure the GDSC for the
+clock controller providing other GDSCs was enabled, specifically the
+MMCX GDSC for the display clk controller on SM8250 (sm8250-dispcc), so
+that GDSC register accesses succeeded. That will already happen because
+we make the 'dev->pm_domain' a parent domain of each GDSC we register in
+gdsc_register() via pm_genpd_add_subdomain(). When any of these GDSCs
+are accessed, we'll enable the parent domain (in this specific case
+MMCX).
+
+We also remove any getting of runtime PM during registration, because
+when a genpd is registered it increments the count on the parent if the
+genpd itself is already enabled.
+
+Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Cc: Johan Hovold <johan+linaro@kernel.org>
+Cc: Ulf Hansson <ulf.hansson@linaro.org>
+Cc: Taniya Das <quic_tdas@quicinc.com>
+Cc: Satya Priya <quic_c_skakit@quicinc.com>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Tested-by: Douglas Anderson <dianders@chromium.org>
+Cc: Matthias Kaehlcke <mka@chromium.org>
+Reported-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/CAE-0n52xbZeJ66RaKwggeRB57fUAwjvxGxfFMKOKJMKVyFTe+w@mail.gmail.com [1]
+Fixes: 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/20221103183030.3594899-1-swboyd@chromium.org
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gdsc.c | 61 ++++-------------------------------------
+ drivers/clk/qcom/gdsc.h | 2 --
+ 2 files changed, 6 insertions(+), 57 deletions(-)
+
+diff --git a/drivers/clk/qcom/gdsc.c b/drivers/clk/qcom/gdsc.c
+index 4b66ce0f1940..39b35058ad47 100644
+--- a/drivers/clk/qcom/gdsc.c
++++ b/drivers/clk/qcom/gdsc.c
+@@ -11,7 +11,6 @@
+ #include <linux/kernel.h>
+ #include <linux/ktime.h>
+ #include <linux/pm_domain.h>
+-#include <linux/pm_runtime.h>
+ #include <linux/regmap.h>
+ #include <linux/regulator/consumer.h>
+ #include <linux/reset-controller.h>
+@@ -56,22 +55,6 @@ enum gdsc_status {
+ GDSC_ON
+ };
+
+-static int gdsc_pm_runtime_get(struct gdsc *sc)
+-{
+- if (!sc->dev)
+- return 0;
+-
+- return pm_runtime_resume_and_get(sc->dev);
+-}
+-
+-static int gdsc_pm_runtime_put(struct gdsc *sc)
+-{
+- if (!sc->dev)
+- return 0;
+-
+- return pm_runtime_put_sync(sc->dev);
+-}
+-
+ /* Returns 1 if GDSC status is status, 0 if not, and < 0 on error */
+ static int gdsc_check_status(struct gdsc *sc, enum gdsc_status status)
+ {
+@@ -271,8 +254,9 @@ static void gdsc_retain_ff_on(struct gdsc *sc)
+ regmap_update_bits(sc->regmap, sc->gdscr, mask, mask);
+ }
+
+-static int _gdsc_enable(struct gdsc *sc)
++static int gdsc_enable(struct generic_pm_domain *domain)
+ {
++ struct gdsc *sc = domain_to_gdsc(domain);
+ int ret;
+
+ if (sc->pwrsts == PWRSTS_ON)
+@@ -328,22 +312,11 @@ static int _gdsc_enable(struct gdsc *sc)
+ return 0;
+ }
+
+-static int gdsc_enable(struct generic_pm_domain *domain)
++static int gdsc_disable(struct generic_pm_domain *domain)
+ {
+ struct gdsc *sc = domain_to_gdsc(domain);
+ int ret;
+
+- ret = gdsc_pm_runtime_get(sc);
+- if (ret)
+- return ret;
+-
+- return _gdsc_enable(sc);
+-}
+-
+-static int _gdsc_disable(struct gdsc *sc)
+-{
+- int ret;
+-
+ if (sc->pwrsts == PWRSTS_ON)
+ return gdsc_assert_reset(sc);
+
+@@ -378,18 +351,6 @@ static int _gdsc_disable(struct gdsc *sc)
+ return 0;
+ }
+
+-static int gdsc_disable(struct generic_pm_domain *domain)
+-{
+- struct gdsc *sc = domain_to_gdsc(domain);
+- int ret;
+-
+- ret = _gdsc_disable(sc);
+-
+- gdsc_pm_runtime_put(sc);
+-
+- return ret;
+-}
+-
+ static int gdsc_init(struct gdsc *sc)
+ {
+ u32 mask, val;
+@@ -437,11 +398,6 @@ static int gdsc_init(struct gdsc *sc)
+ return ret;
+ }
+
+- /* ...and the power-domain */
+- ret = gdsc_pm_runtime_get(sc);
+- if (ret)
+- goto err_disable_supply;
+-
+ /*
+ * Votable GDSCs can be ON due to Vote from other masters.
+ * If a Votable GDSC is ON, make sure we have a Vote.
+@@ -449,14 +405,14 @@ static int gdsc_init(struct gdsc *sc)
+ if (sc->flags & VOTABLE) {
+ ret = gdsc_update_collapse_bit(sc, false);
+ if (ret)
+- goto err_put_rpm;
++ goto err_disable_supply;
+ }
+
+ /* Turn on HW trigger mode if supported */
+ if (sc->flags & HW_CTRL) {
+ ret = gdsc_hwctrl(sc, true);
+ if (ret < 0)
+- goto err_put_rpm;
++ goto err_disable_supply;
+ }
+
+ /*
+@@ -486,13 +442,10 @@ static int gdsc_init(struct gdsc *sc)
+
+ ret = pm_genpd_init(&sc->pd, NULL, !on);
+ if (ret)
+- goto err_put_rpm;
++ goto err_disable_supply;
+
+ return 0;
+
+-err_put_rpm:
+- if (on)
+- gdsc_pm_runtime_put(sc);
+ err_disable_supply:
+ if (on && sc->rsupply)
+ regulator_disable(sc->rsupply);
+@@ -531,8 +484,6 @@ int gdsc_register(struct gdsc_desc *desc,
+ for (i = 0; i < num; i++) {
+ if (!scs[i])
+ continue;
+- if (pm_runtime_enabled(dev))
+- scs[i]->dev = dev;
+ scs[i]->regmap = regmap;
+ scs[i]->rcdev = rcdev;
+ ret = gdsc_init(scs[i]);
+diff --git a/drivers/clk/qcom/gdsc.h b/drivers/clk/qcom/gdsc.h
+index 5de48c9439b2..8d569232bbd6 100644
+--- a/drivers/clk/qcom/gdsc.h
++++ b/drivers/clk/qcom/gdsc.h
+@@ -30,7 +30,6 @@ struct reset_controller_dev;
+ * @resets: ids of resets associated with this gdsc
+ * @reset_count: number of @resets
+ * @rcdev: reset controller
+- * @dev: the device holding the GDSC, used for pm_runtime calls
+ */
+ struct gdsc {
+ struct generic_pm_domain pd;
+@@ -69,7 +68,6 @@ struct gdsc {
+
+ const char *supply;
+ struct regulator *rsupply;
+- struct device *dev;
+ };
+
+ struct gdsc_desc {
+--
+2.35.1
+
--- /dev/null
+From 1b03d76c393b98c18398a8e53730a33182da2cd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Oct 2022 17:13:40 +0200
+Subject: clk: samsung: exynos7885: Correct "div4" clock parents
+
+From: David Virag <virag.david003@gmail.com>
+
+[ Upstream commit ef80c95c29dc67c3034f32d93c41e2ede398e387 ]
+
+"div4" DIVs which divide PLLs by 4 are actually dividing "div2" DIVs by
+2 to achieve a by 4 division, thus their parents are the respective
+"div2" DIVs. These DIVs were mistakenly set to have the PLLs as parents.
+This leads to the kernel thinking "div4"s and everything under them run
+at 2x the clock speed. Fix this.
+
+Fixes: 45bd8166a1d8 ("clk: samsung: Add initial Exynos7885 clock driver")
+Signed-off-by: David Virag <virag.david003@gmail.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Link: https://lore.kernel.org/r/20221013151341.151208-1-virag.david003@gmail.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/samsung/clk-exynos7885.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/samsung/clk-exynos7885.c b/drivers/clk/samsung/clk-exynos7885.c
+index a7b106302706..368c50badd15 100644
+--- a/drivers/clk/samsung/clk-exynos7885.c
++++ b/drivers/clk/samsung/clk-exynos7885.c
+@@ -182,7 +182,7 @@ static const struct samsung_div_clock top_div_clks[] __initconst = {
+ CLK_CON_DIV_PLL_SHARED0_DIV2, 0, 1),
+ DIV(CLK_DOUT_SHARED0_DIV3, "dout_shared0_div3", "fout_shared0_pll",
+ CLK_CON_DIV_PLL_SHARED0_DIV3, 0, 2),
+- DIV(CLK_DOUT_SHARED0_DIV4, "dout_shared0_div4", "fout_shared0_pll",
++ DIV(CLK_DOUT_SHARED0_DIV4, "dout_shared0_div4", "dout_shared0_div2",
+ CLK_CON_DIV_PLL_SHARED0_DIV4, 0, 1),
+ DIV(CLK_DOUT_SHARED0_DIV5, "dout_shared0_div5", "fout_shared0_pll",
+ CLK_CON_DIV_PLL_SHARED0_DIV5, 0, 3),
+@@ -190,7 +190,7 @@ static const struct samsung_div_clock top_div_clks[] __initconst = {
+ CLK_CON_DIV_PLL_SHARED1_DIV2, 0, 1),
+ DIV(CLK_DOUT_SHARED1_DIV3, "dout_shared1_div3", "fout_shared1_pll",
+ CLK_CON_DIV_PLL_SHARED1_DIV3, 0, 2),
+- DIV(CLK_DOUT_SHARED1_DIV4, "dout_shared1_div4", "fout_shared1_pll",
++ DIV(CLK_DOUT_SHARED1_DIV4, "dout_shared1_div4", "dout_shared1_div2",
+ CLK_CON_DIV_PLL_SHARED1_DIV4, 0, 1),
+
+ /* CORE */
+--
+2.35.1
+
--- /dev/null
+From 37b5ba5713be78835b7b623ad1f3b89acf51d6d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 14:53:43 +0000
+Subject: clocksource/drivers/arm_arch_timer: Fix XGene-1 TVAL register math
+ error
+
+From: Joe Korty <joe.korty@concurrent-rt.com>
+
+[ Upstream commit 839a973988a94c15002cbd81536e4af6ced2bd30 ]
+
+The TVAL register is 32 bit signed. Thus only the lower 31 bits are
+available to specify when an interrupt is to occur at some time in the
+near future. Attempting to specify a larger interval with TVAL results
+in a negative time delta which means the timer fires immediately upon
+being programmed, rather than firing at that expected future time.
+
+The solution is for Linux to declare that TVAL is a 31 bit register rather
+than give its true size of 32 bits. This prevents Linux from programming
+TVAL with a too-large value. Note that, prior to 5.16, this little trick
+was the standard way to handle TVAL in Linux, so there is nothing new
+happening here on that front.
+
+The softlockup detector hides the issue, because it keeps generating
+short timer deadlines that are within the scope of the broken timer.
+
+Disabling it, it starts using NO_HZ with much longer timer deadlines, which
+turns into an interrupt flood:
+
+ 11: 1124855130 949168462 758009394 76417474 104782230 30210281
+ 310890 1734323687 GICv2 29 Level arch_timer
+
+And "much longer" isn't that long: it takes less than 43s to underflow
+TVAL at 50MHz (the frequency of the counter on XGene-1).
+
+Some comments on the v1 version of this patch by Marc Zyngier:
+
+ XGene implements CVAL (a 64bit comparator) in terms of TVAL (a countdown
+ register) instead of the other way around. TVAL being a 32bit register,
+ the width of the counter should equally be 32. However, TVAL is a
+ *signed* value, and keeps counting down in the negative range once the
+ timer fires.
+
+ It means that any TVAL value with bit 31 set will fire immediately,
+ as it cannot be distinguished from an already expired timer. Reducing
+ the timer range back to a paltry 31 bits papers over the issue.
+
+ Another problem cannot be fixed though, which is that the timer interrupt
+ *must* be handled within the negative countdown period, or the interrupt
+ will be lost (TVAL will rollover to a positive value, indicative of a
+ new timer deadline).
+
+Fixes: 012f18850452 ("clocksource/drivers/arm_arch_timer: Work around broken CVAL implementations")
+Signed-off-by: Joe Korty <joe.korty@concurrent-rt.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20221024165422.GA51107@zipoli.concurrent-rt.com
+Link: https://lore.kernel.org/r/20221121145343.896018-1-maz@kernel.org
+
+[maz: revamped the commit message]
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/arm_arch_timer.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clocksource/arm_arch_timer.c b/drivers/clocksource/arm_arch_timer.c
+index a7ff77550e17..933bb960490d 100644
+--- a/drivers/clocksource/arm_arch_timer.c
++++ b/drivers/clocksource/arm_arch_timer.c
+@@ -806,6 +806,9 @@ static u64 __arch_timer_check_delta(void)
+ /*
+ * XGene-1 implements CVAL in terms of TVAL, meaning
+ * that the maximum timer range is 32bit. Shame on them.
++ *
++ * Note that TVAL is signed, thus has only 31 of its
++ * 32 bits to express magnitude.
+ */
+ MIDR_ALL_VERSIONS(MIDR_CPU_MODEL(ARM_CPU_IMP_APM,
+ APM_CPU_PART_POTENZA)),
+@@ -813,8 +816,8 @@ static u64 __arch_timer_check_delta(void)
+ };
+
+ if (is_midr_in_range_list(read_cpuid_id(), broken_cval_midrs)) {
+- pr_warn_once("Broken CNTx_CVAL_EL1, limiting width to 32bits");
+- return CLOCKSOURCE_MASK(32);
++ pr_warn_once("Broken CNTx_CVAL_EL1, using 31 bit TVAL instead.\n");
++ return CLOCKSOURCE_MASK(31);
+ }
+ #endif
+ return CLOCKSOURCE_MASK(arch_counter_get_width());
+--
+2.35.1
+
--- /dev/null
+From b6a59d200030922cbf5f674b8bf6378cf61393be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Mar 2022 20:05:32 +0800
+Subject: drm/amd/pm: add smu_v13_0_10 driver if version
+
+From: Yang Wang <KevinYang.Wang@amd.com>
+
+[ Upstream commit 8e039cd176c61a9770e1956038c93738efc800f7 ]
+
+add smu_v13_0_10 driver if version
+
+Signed-off-by: Yang Wang <KevinYang.Wang@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: f2e1aa267f12 ("drm/amd/pm: update driver if header for smu_13_0_7")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h | 1 +
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 3 +++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h b/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h
+index 3e29fe4cc4ae..dd5867561068 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h
++++ b/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h
+@@ -32,6 +32,7 @@
+ #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_5 0x04
+ #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_0 0x30
+ #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_7 0x2C
++#define SMU13_DRIVER_IF_VERSION_SMU_V13_0_10 0x1D
+
+ #define SMU13_MODE1_RESET_WAIT_TIME_IN_MS 500 //500ms
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
+index 33710dcf1eb1..e7380aa4f6be 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
+@@ -304,6 +304,9 @@ int smu_v13_0_check_fw_version(struct smu_context *smu)
+ case IP_VERSION(13, 0, 5):
+ smu->smc_driver_if_version = SMU13_DRIVER_IF_VERSION_SMU_V13_0_5;
+ break;
++ case IP_VERSION(13, 0, 10):
++ smu->smc_driver_if_version = SMU13_DRIVER_IF_VERSION_SMU_V13_0_10;
++ break;
+ default:
+ dev_err(adev->dev, "smu unsupported IP version: 0x%x.\n",
+ adev->ip_versions[MP1_HWIP][0]);
+--
+2.35.1
+
--- /dev/null
+From cdbe3ded21a69f013a5b8aa9593a3610dd58c306 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 09:08:42 +0800
+Subject: drm/amd/pm: update driver if header for smu_13_0_7
+
+From: lyndonli <Lyndon.Li@amd.com>
+
+[ Upstream commit f2e1aa267f12b82e03927d1e918d2844ddd3eea5 ]
+
+update driver if header for smu_13_0_7
+
+Signed-off-by: lyndonli <Lyndon.Li@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Reviewed-by: Kenneth Feng <kenneth.feng@amd.com>
+Reviewed-by: Evan Quan <evan.quan@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.0.x
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../inc/pmfw_if/smu13_driver_if_v13_0_7.h | 117 ++++++++++++------
+ drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h | 2 +-
+ 2 files changed, 80 insertions(+), 39 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_7.h b/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_7.h
+index 25c08f963f49..d6b13933a98f 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_7.h
++++ b/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_7.h
+@@ -25,10 +25,10 @@
+
+ // *** IMPORTANT ***
+ // PMFW TEAM: Always increment the interface version on any change to this file
+-#define SMU13_DRIVER_IF_VERSION 0x2C
++#define SMU13_DRIVER_IF_VERSION 0x35
+
+ //Increment this version if SkuTable_t or BoardTable_t change
+-#define PPTABLE_VERSION 0x20
++#define PPTABLE_VERSION 0x27
+
+ #define NUM_GFXCLK_DPM_LEVELS 16
+ #define NUM_SOCCLK_DPM_LEVELS 8
+@@ -96,7 +96,7 @@
+ #define FEATURE_MEM_TEMP_READ_BIT 47
+ #define FEATURE_ATHUB_MMHUB_PG_BIT 48
+ #define FEATURE_SOC_PCC_BIT 49
+-#define FEATURE_SPARE_50_BIT 50
++#define FEATURE_EDC_PWRBRK_BIT 50
+ #define FEATURE_SPARE_51_BIT 51
+ #define FEATURE_SPARE_52_BIT 52
+ #define FEATURE_SPARE_53_BIT 53
+@@ -282,15 +282,15 @@ typedef enum {
+ } I2cControllerPort_e;
+
+ typedef enum {
+- I2C_CONTROLLER_NAME_VR_GFX = 0,
+- I2C_CONTROLLER_NAME_VR_SOC,
+- I2C_CONTROLLER_NAME_VR_VMEMP,
+- I2C_CONTROLLER_NAME_VR_VDDIO,
+- I2C_CONTROLLER_NAME_LIQUID0,
+- I2C_CONTROLLER_NAME_LIQUID1,
+- I2C_CONTROLLER_NAME_PLX,
+- I2C_CONTROLLER_NAME_OTHER,
+- I2C_CONTROLLER_NAME_COUNT,
++ I2C_CONTROLLER_NAME_VR_GFX = 0,
++ I2C_CONTROLLER_NAME_VR_SOC,
++ I2C_CONTROLLER_NAME_VR_VMEMP,
++ I2C_CONTROLLER_NAME_VR_VDDIO,
++ I2C_CONTROLLER_NAME_LIQUID0,
++ I2C_CONTROLLER_NAME_LIQUID1,
++ I2C_CONTROLLER_NAME_PLX,
++ I2C_CONTROLLER_NAME_FAN_INTAKE,
++ I2C_CONTROLLER_NAME_COUNT,
+ } I2cControllerName_e;
+
+ typedef enum {
+@@ -302,6 +302,7 @@ typedef enum {
+ I2C_CONTROLLER_THROTTLER_LIQUID0,
+ I2C_CONTROLLER_THROTTLER_LIQUID1,
+ I2C_CONTROLLER_THROTTLER_PLX,
++ I2C_CONTROLLER_THROTTLER_FAN_INTAKE,
+ I2C_CONTROLLER_THROTTLER_INA3221,
+ I2C_CONTROLLER_THROTTLER_COUNT,
+ } I2cControllerThrottler_e;
+@@ -309,8 +310,9 @@ typedef enum {
+ typedef enum {
+ I2C_CONTROLLER_PROTOCOL_VR_XPDE132G5,
+ I2C_CONTROLLER_PROTOCOL_VR_IR35217,
+- I2C_CONTROLLER_PROTOCOL_TMP_TMP102A,
++ I2C_CONTROLLER_PROTOCOL_TMP_MAX31875,
+ I2C_CONTROLLER_PROTOCOL_INA3221,
++ I2C_CONTROLLER_PROTOCOL_TMP_MAX6604,
+ I2C_CONTROLLER_PROTOCOL_COUNT,
+ } I2cControllerProtocol_e;
+
+@@ -690,6 +692,9 @@ typedef struct {
+ #define PP_OD_FEATURE_UCLK_BIT 8
+ #define PP_OD_FEATURE_ZERO_FAN_BIT 9
+ #define PP_OD_FEATURE_TEMPERATURE_BIT 10
++#define PP_OD_FEATURE_POWER_FEATURE_CTRL_BIT 11
++#define PP_OD_FEATURE_ASIC_TDC_BIT 12
++#define PP_OD_FEATURE_COUNT 13
+
+ typedef enum {
+ PP_OD_POWER_FEATURE_ALWAYS_ENABLED,
+@@ -697,6 +702,11 @@ typedef enum {
+ PP_OD_POWER_FEATURE_ALWAYS_DISABLED,
+ } PP_OD_POWER_FEATURE_e;
+
++typedef enum {
++ FAN_MODE_AUTO = 0,
++ FAN_MODE_MANUAL_LINEAR,
++} FanMode_e;
++
+ typedef struct {
+ uint32_t FeatureCtrlMask;
+
+@@ -708,8 +718,8 @@ typedef struct {
+ uint8_t RuntimePwrSavingFeaturesCtrl;
+
+ //Frequency changes
+- int16_t GfxclkFmin; // MHz
+- int16_t GfxclkFmax; // MHz
++ int16_t GfxclkFmin; // MHz
++ int16_t GfxclkFmax; // MHz
+ uint16_t UclkFmin; // MHz
+ uint16_t UclkFmax; // MHz
+
+@@ -730,7 +740,12 @@ typedef struct {
+ uint8_t MaxOpTemp;
+ uint8_t Padding[4];
+
+- uint32_t Spare[12];
++ uint16_t GfxVoltageFullCtrlMode;
++ uint16_t GfxclkFullCtrlMode;
++ uint16_t UclkFullCtrlMode;
++ int16_t AsicTdc;
++
++ uint32_t Spare[10];
+ uint32_t MmHubPadding[8]; // SMU internal use. Adding here instead of external as a workaround
+ } OverDriveTable_t;
+
+@@ -748,8 +763,8 @@ typedef struct {
+ uint8_t IdlePwrSavingFeaturesCtrl;
+ uint8_t RuntimePwrSavingFeaturesCtrl;
+
+- uint16_t GfxclkFmin; // MHz
+- uint16_t GfxclkFmax; // MHz
++ int16_t GfxclkFmin; // MHz
++ int16_t GfxclkFmax; // MHz
+ uint16_t UclkFmin; // MHz
+ uint16_t UclkFmax; // MHz
+
+@@ -769,7 +784,12 @@ typedef struct {
+ uint8_t MaxOpTemp;
+ uint8_t Padding[4];
+
+- uint32_t Spare[12];
++ uint16_t GfxVoltageFullCtrlMode;
++ uint16_t GfxclkFullCtrlMode;
++ uint16_t UclkFullCtrlMode;
++ int16_t AsicTdc;
++
++ uint32_t Spare[10];
+
+ } OverDriveLimits_t;
+
+@@ -903,7 +923,8 @@ typedef struct {
+ uint16_t FanStartTempMin;
+ uint16_t FanStartTempMax;
+
+- uint32_t Spare[12];
++ uint16_t PowerMinPpt0[POWER_SOURCE_COUNT];
++ uint32_t Spare[11];
+
+ } MsgLimits_t;
+
+@@ -1086,11 +1107,13 @@ typedef struct {
+ uint32_t GfxoffSpare[15];
+
+ // GFX GPO
+- float DfllBtcMasterScalerM;
++ uint32_t DfllBtcMasterScalerM;
+ int32_t DfllBtcMasterScalerB;
+- float DfllBtcSlaveScalerM;
++ uint32_t DfllBtcSlaveScalerM;
+ int32_t DfllBtcSlaveScalerB;
+- uint32_t GfxGpoSpare[12];
++ uint32_t DfllPccAsWaitCtrl; //GDFLL_AS_WAIT_CTRL_PCC register value to be passed to RLC msg
++ uint32_t DfllPccAsStepCtrl; //GDFLL_AS_STEP_CTRL_PCC register value to be passed to RLC msg
++ uint32_t GfxGpoSpare[10];
+
+ // GFX DCS
+
+@@ -1106,7 +1129,10 @@ typedef struct {
+ uint16_t DcsTimeout; //This is the amount of time SMU FW waits for RLC to put GFX into GFXOFF before reverting to the fallback mechanism of throttling GFXCLK to Fmin.
+
+
+- uint32_t DcsSpare[16];
++ uint32_t DcsSpare[14];
++
++ // UCLK section
++ uint16_t ShadowFreqTableUclk[NUM_UCLK_DPM_LEVELS]; // In MHz
+
+ // UCLK section
+ uint8_t UseStrobeModeOptimizations; //Set to indicate that FW should use strobe mode optimizations
+@@ -1163,13 +1189,14 @@ typedef struct {
+ uint16_t IntakeTempHighIntakeAcousticLimit;
+ uint16_t IntakeTempAcouticLimitReleaseRate;
+
+- uint16_t FanStalledTempLimitOffset;
++ int16_t FanAbnormalTempLimitOffset;
+ uint16_t FanStalledTriggerRpm;
+- uint16_t FanAbnormalTriggerRpm;
+- uint16_t FanPadding;
+-
+- uint32_t FanSpare[14];
++ uint16_t FanAbnormalTriggerRpmCoeff;
++ uint16_t FanAbnormalDetectionEnable;
+
++ uint8_t FanIntakeSensorSupport;
++ uint8_t FanIntakePadding[3];
++ uint32_t FanSpare[13];
+ // SECTION: VDD_GFX AVFS
+
+ uint8_t OverrideGfxAvfsFuses;
+@@ -1193,7 +1220,6 @@ typedef struct {
+ uint32_t dGbV_dT_vmin;
+ uint32_t dGbV_dT_vmax;
+
+- //Unused: PMFW-9370
+ uint32_t V2F_vmin_range_low;
+ uint32_t V2F_vmin_range_high;
+ uint32_t V2F_vmax_range_low;
+@@ -1238,8 +1264,21 @@ typedef struct {
+ // SECTION: Advanced Options
+ uint32_t DebugOverrides;
+
++ // Section: Total Board Power idle vs active coefficients
++ uint8_t TotalBoardPowerSupport;
++ uint8_t TotalBoardPowerPadding[3];
++
++ int16_t TotalIdleBoardPowerM;
++ int16_t TotalIdleBoardPowerB;
++ int16_t TotalBoardPowerM;
++ int16_t TotalBoardPowerB;
++
++ QuadraticInt_t qFeffCoeffGameClock[POWER_SOURCE_COUNT];
++ QuadraticInt_t qFeffCoeffBaseClock[POWER_SOURCE_COUNT];
++ QuadraticInt_t qFeffCoeffBoostClock[POWER_SOURCE_COUNT];
++
+ // SECTION: Sku Reserved
+- uint32_t Spare[64];
++ uint32_t Spare[43];
+
+ // Padding for MMHUB - do not modify this
+ uint32_t MmHubPadding[8];
+@@ -1304,7 +1343,8 @@ typedef struct {
+ // SECTION: Clock Spread Spectrum
+
+ // UCLK Spread Spectrum
+- uint16_t UclkSpreadPadding;
++ uint8_t UclkTrainingModeSpreadPercent; // Q4.4
++ uint8_t UclkSpreadPadding;
+ uint16_t UclkSpreadFreq; // kHz
+
+ // UCLK Spread Spectrum
+@@ -1317,11 +1357,7 @@ typedef struct {
+
+ // Section: Memory Config
+ uint8_t DramWidth; // Width of interface to the channel for each DRAM module. See DRAM_BIT_WIDTH_TYPE_e
+- uint8_t PaddingMem1[3];
+-
+- // Section: Total Board Power
+- uint16_t TotalBoardPower; //Only needed for TCP Estimated case, where TCP = TGP+Total Board Power
+- uint16_t BoardPowerPadding;
++ uint8_t PaddingMem1[7];
+
+ // SECTION: UMC feature flags
+ uint8_t HsrEnabled;
+@@ -1423,8 +1459,11 @@ typedef struct {
+ uint16_t Vcn1ActivityPercentage ;
+
+ uint32_t EnergyAccumulator;
+- uint16_t AverageSocketPower ;
++ uint16_t AverageSocketPower;
++ uint16_t AverageTotalBoardPower;
++
+ uint16_t AvgTemperature[TEMP_COUNT];
++ uint16_t AvgTemperatureFanIntake;
+
+ uint8_t PcieRate ;
+ uint8_t PcieWidth ;
+@@ -1592,5 +1631,7 @@ typedef struct {
+ #define IH_INTERRUPT_CONTEXT_ID_AUDIO_D0 0x5
+ #define IH_INTERRUPT_CONTEXT_ID_AUDIO_D3 0x6
+ #define IH_INTERRUPT_CONTEXT_ID_THERMAL_THROTTLING 0x7
++#define IH_INTERRUPT_CONTEXT_ID_FAN_ABNORMAL 0x8
++#define IH_INTERRUPT_CONTEXT_ID_FAN_RECOVERY 0x9
+
+ #endif
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h b/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h
+index b7f4569aff2a..865d6358918d 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h
++++ b/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h
+@@ -31,7 +31,7 @@
+ #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_4 0x07
+ #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_5 0x04
+ #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_0_10 0x32
+-#define SMU13_DRIVER_IF_VERSION_SMU_V13_0_7 0x2C
++#define SMU13_DRIVER_IF_VERSION_SMU_V13_0_7 0x35
+ #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_10 0x1D
+
+ #define SMU13_MODE1_RESET_WAIT_TIME_IN_MS 500 //500ms
+--
+2.35.1
+
--- /dev/null
+From 6919d199ab957179b4888cb0910a61567a0bd547 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Oct 2022 11:24:05 +0800
+Subject: drm/amd/pm: update driver-if header for smu_v13_0_10
+
+From: Kenneth Feng <kenneth.feng@amd.com>
+
+[ Upstream commit 09aef0258a327409bb2279a5ba8f82ad2ca099ca ]
+
+update driver-if header for smu_v13_0_10 and merge with smu_v13_0_0
+
+Signed-off-by: Kenneth Feng <kenneth.feng@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: f2e1aa267f12 ("drm/amd/pm: update driver if header for smu_13_0_7")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../inc/pmfw_if/smu13_driver_if_v13_0_0.h | 111 +++++++++++++-----
+ drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h | 2 +-
+ .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c | 6 +-
+ 3 files changed, 84 insertions(+), 35 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_0.h b/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_0.h
+index 063f4a737605..b76f0f7e4299 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_0.h
++++ b/drivers/gpu/drm/amd/pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_0.h
+@@ -25,7 +25,7 @@
+ #define SMU13_DRIVER_IF_V13_0_0_H
+
+ //Increment this version if SkuTable_t or BoardTable_t change
+-#define PPTABLE_VERSION 0x24
++#define PPTABLE_VERSION 0x26
+
+ #define NUM_GFXCLK_DPM_LEVELS 16
+ #define NUM_SOCCLK_DPM_LEVELS 8
+@@ -109,6 +109,22 @@
+ #define FEATURE_SPARE_63_BIT 63
+ #define NUM_FEATURES 64
+
++#define ALLOWED_FEATURE_CTRL_DEFAULT 0xFFFFFFFFFFFFFFFFULL
++#define ALLOWED_FEATURE_CTRL_SCPM ((1 << FEATURE_DPM_GFXCLK_BIT) | \
++ (1 << FEATURE_DPM_GFX_POWER_OPTIMIZER_BIT) | \
++ (1 << FEATURE_DPM_UCLK_BIT) | \
++ (1 << FEATURE_DPM_FCLK_BIT) | \
++ (1 << FEATURE_DPM_SOCCLK_BIT) | \
++ (1 << FEATURE_DPM_MP0CLK_BIT) | \
++ (1 << FEATURE_DPM_LINK_BIT) | \
++ (1 << FEATURE_DPM_DCN_BIT) | \
++ (1 << FEATURE_DS_GFXCLK_BIT) | \
++ (1 << FEATURE_DS_SOCCLK_BIT) | \
++ (1 << FEATURE_DS_FCLK_BIT) | \
++ (1 << FEATURE_DS_LCLK_BIT) | \
++ (1 << FEATURE_DS_DCFCLK_BIT) | \
++ (1 << FEATURE_DS_UCLK_BIT))
++
+ //For use with feature control messages
+ typedef enum {
+ FEATURE_PWR_ALL,
+@@ -133,6 +149,7 @@ typedef enum {
+ #define DEBUG_OVERRIDE_DISABLE_DFLL 0x00000200
+ #define DEBUG_OVERRIDE_ENABLE_RLC_VF_BRINGUP_MODE 0x00000400
+ #define DEBUG_OVERRIDE_DFLL_MASTER_MODE 0x00000800
++#define DEBUG_OVERRIDE_ENABLE_PROFILING_MODE 0x00001000
+
+ // VR Mapping Bit Defines
+ #define VR_MAPPING_VR_SELECT_MASK 0x01
+@@ -262,15 +279,15 @@ typedef enum {
+ } I2cControllerPort_e;
+
+ typedef enum {
+- I2C_CONTROLLER_NAME_VR_GFX = 0,
+- I2C_CONTROLLER_NAME_VR_SOC,
+- I2C_CONTROLLER_NAME_VR_VMEMP,
+- I2C_CONTROLLER_NAME_VR_VDDIO,
+- I2C_CONTROLLER_NAME_LIQUID0,
+- I2C_CONTROLLER_NAME_LIQUID1,
+- I2C_CONTROLLER_NAME_PLX,
+- I2C_CONTROLLER_NAME_OTHER,
+- I2C_CONTROLLER_NAME_COUNT,
++ I2C_CONTROLLER_NAME_VR_GFX = 0,
++ I2C_CONTROLLER_NAME_VR_SOC,
++ I2C_CONTROLLER_NAME_VR_VMEMP,
++ I2C_CONTROLLER_NAME_VR_VDDIO,
++ I2C_CONTROLLER_NAME_LIQUID0,
++ I2C_CONTROLLER_NAME_LIQUID1,
++ I2C_CONTROLLER_NAME_PLX,
++ I2C_CONTROLLER_NAME_FAN_INTAKE,
++ I2C_CONTROLLER_NAME_COUNT,
+ } I2cControllerName_e;
+
+ typedef enum {
+@@ -282,16 +299,17 @@ typedef enum {
+ I2C_CONTROLLER_THROTTLER_LIQUID0,
+ I2C_CONTROLLER_THROTTLER_LIQUID1,
+ I2C_CONTROLLER_THROTTLER_PLX,
++ I2C_CONTROLLER_THROTTLER_FAN_INTAKE,
+ I2C_CONTROLLER_THROTTLER_INA3221,
+ I2C_CONTROLLER_THROTTLER_COUNT,
+ } I2cControllerThrottler_e;
+
+ typedef enum {
+- I2C_CONTROLLER_PROTOCOL_VR_XPDE132G5,
+- I2C_CONTROLLER_PROTOCOL_VR_IR35217,
+- I2C_CONTROLLER_PROTOCOL_TMP_TMP102A,
+- I2C_CONTROLLER_PROTOCOL_INA3221,
+- I2C_CONTROLLER_PROTOCOL_COUNT,
++ I2C_CONTROLLER_PROTOCOL_VR_XPDE132G5,
++ I2C_CONTROLLER_PROTOCOL_VR_IR35217,
++ I2C_CONTROLLER_PROTOCOL_TMP_MAX31875,
++ I2C_CONTROLLER_PROTOCOL_INA3221,
++ I2C_CONTROLLER_PROTOCOL_COUNT,
+ } I2cControllerProtocol_e;
+
+ typedef struct {
+@@ -658,13 +676,20 @@ typedef struct {
+
+ #define PP_NUM_OD_VF_CURVE_POINTS PP_NUM_RTAVFS_PWL_ZONES + 1
+
++typedef enum {
++ FAN_MODE_AUTO = 0,
++ FAN_MODE_MANUAL_LINEAR,
++} FanMode_e;
+
+ typedef struct {
+ uint32_t FeatureCtrlMask;
+
+ //Voltage control
+ int16_t VoltageOffsetPerZoneBoundary[PP_NUM_OD_VF_CURVE_POINTS];
+- uint16_t reserved[2];
++ uint16_t VddGfxVmax; // in mV
++
++ uint8_t IdlePwrSavingFeaturesCtrl;
++ uint8_t RuntimePwrSavingFeaturesCtrl;
+
+ //Frequency changes
+ int16_t GfxclkFmin; // MHz
+@@ -674,7 +699,7 @@ typedef struct {
+
+ //PPT
+ int16_t Ppt; // %
+- int16_t reserved1;
++ int16_t Tdc;
+
+ //Fan control
+ uint8_t FanLinearPwmPoints[NUM_OD_FAN_MAX_POINTS];
+@@ -701,16 +726,19 @@ typedef struct {
+ uint32_t FeatureCtrlMask;
+
+ int16_t VoltageOffsetPerZoneBoundary;
+- uint16_t reserved[2];
++ uint16_t VddGfxVmax; // in mV
++
++ uint8_t IdlePwrSavingFeaturesCtrl;
++ uint8_t RuntimePwrSavingFeaturesCtrl;
+
+- uint16_t GfxclkFmin; // MHz
+- uint16_t GfxclkFmax; // MHz
++ int16_t GfxclkFmin; // MHz
++ int16_t GfxclkFmax; // MHz
+ uint16_t UclkFmin; // MHz
+ uint16_t UclkFmax; // MHz
+
+ //PPT
+ int16_t Ppt; // %
+- int16_t reserved1;
++ int16_t Tdc;
+
+ uint8_t FanLinearPwmPoints;
+ uint8_t FanLinearTempPoints;
+@@ -857,7 +885,8 @@ typedef struct {
+ uint16_t FanStartTempMin;
+ uint16_t FanStartTempMax;
+
+- uint32_t Spare[12];
++ uint16_t PowerMinPpt0[POWER_SOURCE_COUNT];
++ uint32_t Spare[11];
+
+ } MsgLimits_t;
+
+@@ -1041,7 +1070,17 @@ typedef struct {
+ uint32_t GfxoffSpare[15];
+
+ // GFX GPO
+- uint32_t GfxGpoSpare[16];
++ uint32_t DfllBtcMasterScalerM;
++ int32_t DfllBtcMasterScalerB;
++ uint32_t DfllBtcSlaveScalerM;
++ int32_t DfllBtcSlaveScalerB;
++
++ uint32_t DfllPccAsWaitCtrl; //GDFLL_AS_WAIT_CTRL_PCC register value to be passed to RLC msg
++ uint32_t DfllPccAsStepCtrl; //GDFLL_AS_STEP_CTRL_PCC register value to be passed to RLC msg
++
++ uint32_t DfllL2FrequencyBoostM; //Unitless (float)
++ uint32_t DfllL2FrequencyBoostB; //In MHz (integer)
++ uint32_t GfxGpoSpare[8];
+
+ // GFX DCS
+
+@@ -1114,12 +1153,14 @@ typedef struct {
+ uint16_t IntakeTempHighIntakeAcousticLimit;
+ uint16_t IntakeTempAcouticLimitReleaseRate;
+
+- uint16_t FanStalledTempLimitOffset;
++ int16_t FanAbnormalTempLimitOffset;
+ uint16_t FanStalledTriggerRpm;
+- uint16_t FanAbnormalTriggerRpm;
+- uint16_t FanPadding;
++ uint16_t FanAbnormalTriggerRpmCoeff;
++ uint16_t FanAbnormalDetectionEnable;
+
+- uint32_t FanSpare[14];
++ uint8_t FanIntakeSensorSupport;
++ uint8_t FanIntakePadding[3];
++ uint32_t FanSpare[13];
+
+ // SECTION: VDD_GFX AVFS
+
+@@ -1198,8 +1239,13 @@ typedef struct {
+ int16_t TotalBoardPowerM;
+ int16_t TotalBoardPowerB;
+
++ //PMFW-11158
++ QuadraticInt_t qFeffCoeffGameClock[POWER_SOURCE_COUNT];
++ QuadraticInt_t qFeffCoeffBaseClock[POWER_SOURCE_COUNT];
++ QuadraticInt_t qFeffCoeffBoostClock[POWER_SOURCE_COUNT];
++
+ // SECTION: Sku Reserved
+- uint32_t Spare[61];
++ uint32_t Spare[43];
+
+ // Padding for MMHUB - do not modify this
+ uint32_t MmHubPadding[8];
+@@ -1288,8 +1334,11 @@ typedef struct {
+ uint32_t PostVoltageSetBacoDelay; // in microseconds. Amount of time FW will wait after power good is established or PSI0 command is issued
+ uint32_t BacoEntryDelay; // in milliseconds. Amount of time FW will wait to trigger BACO entry after receiving entry notification from OS
+
++ uint8_t FuseWritePowerMuxPresent;
++ uint8_t FuseWritePadding[3];
++
+ // SECTION: Board Reserved
+- uint32_t BoardSpare[64];
++ uint32_t BoardSpare[63];
+
+ // SECTION: Structure Padding
+
+@@ -1381,7 +1430,7 @@ typedef struct {
+ uint16_t AverageTotalBoardPower;
+
+ uint16_t AvgTemperature[TEMP_COUNT];
+- uint16_t TempPadding;
++ uint16_t AvgTemperatureFanIntake;
+
+ uint8_t PcieRate ;
+ uint8_t PcieWidth ;
+@@ -1550,5 +1599,7 @@ typedef struct {
+ #define IH_INTERRUPT_CONTEXT_ID_AUDIO_D0 0x5
+ #define IH_INTERRUPT_CONTEXT_ID_AUDIO_D3 0x6
+ #define IH_INTERRUPT_CONTEXT_ID_THERMAL_THROTTLING 0x7
++#define IH_INTERRUPT_CONTEXT_ID_FAN_ABNORMAL 0x8
++#define IH_INTERRUPT_CONTEXT_ID_FAN_RECOVERY 0x9
+
+ #endif
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h b/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h
+index dd5867561068..b7f4569aff2a 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h
++++ b/drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h
+@@ -30,7 +30,7 @@
+ #define SMU13_DRIVER_IF_VERSION_ALDE 0x08
+ #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_4 0x07
+ #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_5 0x04
+-#define SMU13_DRIVER_IF_VERSION_SMU_V13_0_0 0x30
++#define SMU13_DRIVER_IF_VERSION_SMU_V13_0_0_10 0x32
+ #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_7 0x2C
+ #define SMU13_DRIVER_IF_VERSION_SMU_V13_0_10 0x1D
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
+index e7380aa4f6be..1983e0d29e9d 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
+@@ -288,7 +288,8 @@ int smu_v13_0_check_fw_version(struct smu_context *smu)
+ smu->smc_driver_if_version = SMU13_DRIVER_IF_VERSION_ALDE;
+ break;
+ case IP_VERSION(13, 0, 0):
+- smu->smc_driver_if_version = SMU13_DRIVER_IF_VERSION_SMU_V13_0_0;
++ case IP_VERSION(13, 0, 10):
++ smu->smc_driver_if_version = SMU13_DRIVER_IF_VERSION_SMU_V13_0_0_10;
+ break;
+ case IP_VERSION(13, 0, 7):
+ smu->smc_driver_if_version = SMU13_DRIVER_IF_VERSION_SMU_V13_0_7;
+@@ -304,9 +305,6 @@ int smu_v13_0_check_fw_version(struct smu_context *smu)
+ case IP_VERSION(13, 0, 5):
+ smu->smc_driver_if_version = SMU13_DRIVER_IF_VERSION_SMU_V13_0_5;
+ break;
+- case IP_VERSION(13, 0, 10):
+- smu->smc_driver_if_version = SMU13_DRIVER_IF_VERSION_SMU_V13_0_10;
+- break;
+ default:
+ dev_err(adev->dev, "smu unsupported IP version: 0x%x.\n",
+ adev->ip_versions[MP1_HWIP][0]);
+--
+2.35.1
+
--- /dev/null
+From 4aed28c21b4027da7c1b419c29667f93485305dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Sep 2022 09:52:13 +0200
+Subject: drm/amdgpu: cleanup error handling in amdgpu_cs_parser_bos
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <christian.koenig@amd.com>
+
+[ Upstream commit 4953b6b22ab9d7f64706631a027b1ed1130ce4c8 ]
+
+Return early on success and so remove all those "if (r)" in the error
+path.
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: 4458da0bb09d ("drm/amdgpu: fix userptr HMM range handling v2")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 37 +++++++++++++-------------
+ 1 file changed, 18 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+index aa3ce01cd538..fee99a40804e 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+@@ -608,35 +608,34 @@ static int amdgpu_cs_parser_bos(struct amdgpu_cs_parser *p,
+ if (r)
+ goto error_validate;
+
+- amdgpu_cs_report_moved_bytes(p->adev, p->bytes_moved,
+- p->bytes_moved_vis);
+-
+- amdgpu_job_set_resources(p->job, p->bo_list->gds_obj,
+- p->bo_list->gws_obj, p->bo_list->oa_obj);
+-
+- if (!r && p->uf_entry.tv.bo) {
++ if (p->uf_entry.tv.bo) {
+ struct amdgpu_bo *uf = ttm_to_amdgpu_bo(p->uf_entry.tv.bo);
+
+ r = amdgpu_ttm_alloc_gart(&uf->tbo);
++ if (r)
++ goto error_validate;
++
+ p->job->uf_addr += amdgpu_bo_gpu_offset(uf);
+ }
+
++ amdgpu_cs_report_moved_bytes(p->adev, p->bytes_moved,
++ p->bytes_moved_vis);
++ amdgpu_job_set_resources(p->job, p->bo_list->gds_obj,
++ p->bo_list->gws_obj, p->bo_list->oa_obj);
++ return 0;
++
+ error_validate:
+- if (r)
+- ttm_eu_backoff_reservation(&p->ticket, &p->validated);
++ ttm_eu_backoff_reservation(&p->ticket, &p->validated);
+
+ out_free_user_pages:
+- if (r) {
+- amdgpu_bo_list_for_each_userptr_entry(e, p->bo_list) {
+- struct amdgpu_bo *bo = ttm_to_amdgpu_bo(e->tv.bo);
++ amdgpu_bo_list_for_each_userptr_entry(e, p->bo_list) {
++ struct amdgpu_bo *bo = ttm_to_amdgpu_bo(e->tv.bo);
+
+- if (!e->user_pages)
+- continue;
+- amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm);
+- kvfree(e->user_pages);
+- e->user_pages = NULL;
+- }
+- mutex_unlock(&p->bo_list->bo_list_mutex);
++ if (!e->user_pages)
++ continue;
++ amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm);
++ kvfree(e->user_pages);
++ e->user_pages = NULL;
+ }
+ return r;
+ }
+--
+2.35.1
+
--- /dev/null
+From ff0ff35201cb8d517a33863ea5ac00e57188de27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 12:31:41 +0100
+Subject: drm/amdgpu: fix userptr HMM range handling v2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <christian.koenig@amd.com>
+
+[ Upstream commit 4458da0bb09d4435956b4377685e8836935e9b9d ]
+
+The basic problem here is that it's not allowed to page fault while
+holding the reservation lock.
+
+So it can happen that multiple processes try to validate an userptr
+at the same time.
+
+Work around that by putting the HMM range object into the mutex
+protected bo list for now.
+
+v2: make sure range is set to NULL in case of an error
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 12 +++--
+ drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 1 +
+ drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h | 3 ++
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 8 +--
+ drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 6 ++-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 53 ++++++-------------
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h | 14 +++--
+ 7 files changed, 46 insertions(+), 51 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+index 7db4aef9c45c..5e184952ec98 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+@@ -985,6 +985,7 @@ static int init_user_pages(struct kgd_mem *mem, uint64_t user_addr,
+ struct amdkfd_process_info *process_info = mem->process_info;
+ struct amdgpu_bo *bo = mem->bo;
+ struct ttm_operation_ctx ctx = { true, false };
++ struct hmm_range *range;
+ int ret = 0;
+
+ mutex_lock(&process_info->lock);
+@@ -1014,7 +1015,7 @@ static int init_user_pages(struct kgd_mem *mem, uint64_t user_addr,
+ return 0;
+ }
+
+- ret = amdgpu_ttm_tt_get_user_pages(bo, bo->tbo.ttm->pages);
++ ret = amdgpu_ttm_tt_get_user_pages(bo, bo->tbo.ttm->pages, &range);
+ if (ret) {
+ pr_err("%s: Failed to get user pages: %d\n", __func__, ret);
+ goto unregister_out;
+@@ -1032,7 +1033,7 @@ static int init_user_pages(struct kgd_mem *mem, uint64_t user_addr,
+ amdgpu_bo_unreserve(bo);
+
+ release_out:
+- amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm);
++ amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm, range);
+ unregister_out:
+ if (ret)
+ amdgpu_mn_unregister(bo);
+@@ -2367,6 +2368,8 @@ static int update_invalid_user_pages(struct amdkfd_process_info *process_info,
+ /* Go through userptr_inval_list and update any invalid user_pages */
+ list_for_each_entry(mem, &process_info->userptr_inval_list,
+ validate_list.head) {
++ struct hmm_range *range;
++
+ invalid = atomic_read(&mem->invalid);
+ if (!invalid)
+ /* BO hasn't been invalidated since the last
+@@ -2377,7 +2380,8 @@ static int update_invalid_user_pages(struct amdkfd_process_info *process_info,
+ bo = mem->bo;
+
+ /* Get updated user pages */
+- ret = amdgpu_ttm_tt_get_user_pages(bo, bo->tbo.ttm->pages);
++ ret = amdgpu_ttm_tt_get_user_pages(bo, bo->tbo.ttm->pages,
++ &range);
+ if (ret) {
+ pr_debug("Failed %d to get user pages\n", ret);
+
+@@ -2396,7 +2400,7 @@ static int update_invalid_user_pages(struct amdkfd_process_info *process_info,
+ * FIXME: Cannot ignore the return code, must hold
+ * notifier_lock
+ */
+- amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm);
++ amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm, range);
+ }
+
+ /* Mark the BO as valid unless it was invalidated
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
+index 2168163aad2d..252a876b0725 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
+@@ -209,6 +209,7 @@ void amdgpu_bo_list_get_list(struct amdgpu_bo_list *list,
+ list_add_tail(&e->tv.head, &bucket[priority]);
+
+ e->user_pages = NULL;
++ e->range = NULL;
+ }
+
+ /* Connect the sorted buckets in the output list. */
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h
+index 9caea1688fc3..e4d78491bcc7 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h
+@@ -26,6 +26,8 @@
+ #include <drm/ttm/ttm_execbuf_util.h>
+ #include <drm/amdgpu_drm.h>
+
++struct hmm_range;
++
+ struct amdgpu_device;
+ struct amdgpu_bo;
+ struct amdgpu_bo_va;
+@@ -36,6 +38,7 @@ struct amdgpu_bo_list_entry {
+ struct amdgpu_bo_va *bo_va;
+ uint32_t priority;
+ struct page **user_pages;
++ struct hmm_range *range;
+ bool user_invalidated;
+ };
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+index fee99a40804e..7e350ea0368b 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+@@ -548,7 +548,7 @@ static int amdgpu_cs_parser_bos(struct amdgpu_cs_parser *p,
+ goto out_free_user_pages;
+ }
+
+- r = amdgpu_ttm_tt_get_user_pages(bo, e->user_pages);
++ r = amdgpu_ttm_tt_get_user_pages(bo, e->user_pages, &e->range);
+ if (r) {
+ kvfree(e->user_pages);
+ e->user_pages = NULL;
+@@ -633,9 +633,10 @@ static int amdgpu_cs_parser_bos(struct amdgpu_cs_parser *p,
+
+ if (!e->user_pages)
+ continue;
+- amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm);
++ amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm, e->range);
+ kvfree(e->user_pages);
+ e->user_pages = NULL;
++ e->range = NULL;
+ }
+ return r;
+ }
+@@ -1230,7 +1231,8 @@ static int amdgpu_cs_submit(struct amdgpu_cs_parser *p,
+ amdgpu_bo_list_for_each_userptr_entry(e, p->bo_list) {
+ struct amdgpu_bo *bo = ttm_to_amdgpu_bo(e->tv.bo);
+
+- r |= !amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm);
++ r |= !amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm, e->range);
++ e->range = NULL;
+ }
+ if (r) {
+ r = -EAGAIN;
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+index 111484ceb47d..91571b1324f2 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+@@ -378,6 +378,7 @@ int amdgpu_gem_userptr_ioctl(struct drm_device *dev, void *data,
+ struct amdgpu_device *adev = drm_to_adev(dev);
+ struct drm_amdgpu_gem_userptr *args = data;
+ struct drm_gem_object *gobj;
++ struct hmm_range *range;
+ struct amdgpu_bo *bo;
+ uint32_t handle;
+ int r;
+@@ -418,7 +419,8 @@ int amdgpu_gem_userptr_ioctl(struct drm_device *dev, void *data,
+ goto release_object;
+
+ if (args->flags & AMDGPU_GEM_USERPTR_VALIDATE) {
+- r = amdgpu_ttm_tt_get_user_pages(bo, bo->tbo.ttm->pages);
++ r = amdgpu_ttm_tt_get_user_pages(bo, bo->tbo.ttm->pages,
++ &range);
+ if (r)
+ goto release_object;
+
+@@ -441,7 +443,7 @@ int amdgpu_gem_userptr_ioctl(struct drm_device *dev, void *data,
+
+ user_pages_done:
+ if (args->flags & AMDGPU_GEM_USERPTR_VALIDATE)
+- amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm);
++ amdgpu_ttm_tt_get_user_pages_done(bo->tbo.ttm, range);
+
+ release_object:
+ drm_gem_object_put(gobj);
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+index 9e6c23266a1a..dfb8875e0f28 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+@@ -642,9 +642,6 @@ struct amdgpu_ttm_tt {
+ struct task_struct *usertask;
+ uint32_t userflags;
+ bool bound;
+-#if IS_ENABLED(CONFIG_DRM_AMDGPU_USERPTR)
+- struct hmm_range *range;
+-#endif
+ };
+
+ #define ttm_to_amdgpu_ttm_tt(ptr) container_of(ptr, struct amdgpu_ttm_tt, ttm)
+@@ -657,7 +654,8 @@ struct amdgpu_ttm_tt {
+ * Calling function must call amdgpu_ttm_tt_userptr_range_done() once and only
+ * once afterwards to stop HMM tracking
+ */
+-int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages)
++int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages,
++ struct hmm_range **range)
+ {
+ struct ttm_tt *ttm = bo->tbo.ttm;
+ struct amdgpu_ttm_tt *gtt = ttm_to_amdgpu_ttm_tt(ttm);
+@@ -667,16 +665,15 @@ int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages)
+ bool readonly;
+ int r = 0;
+
++ /* Make sure get_user_pages_done() can cleanup gracefully */
++ *range = NULL;
++
+ mm = bo->notifier.mm;
+ if (unlikely(!mm)) {
+ DRM_DEBUG_DRIVER("BO is not registered?\n");
+ return -EFAULT;
+ }
+
+- /* Another get_user_pages is running at the same time?? */
+- if (WARN_ON(gtt->range))
+- return -EFAULT;
+-
+ if (!mmget_not_zero(mm)) /* Happens during process shutdown */
+ return -ESRCH;
+
+@@ -694,7 +691,7 @@ int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages)
+
+ readonly = amdgpu_ttm_tt_is_readonly(ttm);
+ r = amdgpu_hmm_range_get_pages(&bo->notifier, mm, pages, start,
+- ttm->num_pages, >t->range, readonly,
++ ttm->num_pages, range, readonly,
+ true, NULL);
+ out_unlock:
+ mmap_read_unlock(mm);
+@@ -712,30 +709,24 @@ int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages)
+ *
+ * Returns: true if pages are still valid
+ */
+-bool amdgpu_ttm_tt_get_user_pages_done(struct ttm_tt *ttm)
++bool amdgpu_ttm_tt_get_user_pages_done(struct ttm_tt *ttm,
++ struct hmm_range *range)
+ {
+ struct amdgpu_ttm_tt *gtt = ttm_to_amdgpu_ttm_tt(ttm);
+- bool r = false;
+
+- if (!gtt || !gtt->userptr)
++ if (!gtt || !gtt->userptr || !range)
+ return false;
+
+ DRM_DEBUG_DRIVER("user_pages_done 0x%llx pages 0x%x\n",
+ gtt->userptr, ttm->num_pages);
+
+- WARN_ONCE(!gtt->range || !gtt->range->hmm_pfns,
+- "No user pages to check\n");
++ WARN_ONCE(!range->hmm_pfns, "No user pages to check\n");
+
+- if (gtt->range) {
+- /*
+- * FIXME: Must always hold notifier_lock for this, and must
+- * not ignore the return code.
+- */
+- r = amdgpu_hmm_range_get_pages_done(gtt->range);
+- gtt->range = NULL;
+- }
+-
+- return !r;
++ /*
++ * FIXME: Must always hold notifier_lock for this, and must
++ * not ignore the return code.
++ */
++ return !amdgpu_hmm_range_get_pages_done(range);
+ }
+ #endif
+
+@@ -812,20 +803,6 @@ static void amdgpu_ttm_tt_unpin_userptr(struct ttm_device *bdev,
+ /* unmap the pages mapped to the device */
+ dma_unmap_sgtable(adev->dev, ttm->sg, direction, 0);
+ sg_free_table(ttm->sg);
+-
+-#if IS_ENABLED(CONFIG_DRM_AMDGPU_USERPTR)
+- if (gtt->range) {
+- unsigned long i;
+-
+- for (i = 0; i < ttm->num_pages; i++) {
+- if (ttm->pages[i] !=
+- hmm_pfn_to_page(gtt->range->hmm_pfns[i]))
+- break;
+- }
+-
+- WARN((i == ttm->num_pages), "Missing get_user_page_done\n");
+- }
+-#endif
+ }
+
+ static void amdgpu_ttm_gart_bind(struct amdgpu_device *adev,
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h
+index 6a70818039dd..a37207011a69 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.h
+@@ -39,6 +39,8 @@
+
+ #define AMDGPU_POISON 0xd0bed0be
+
++struct hmm_range;
++
+ struct amdgpu_gtt_mgr {
+ struct ttm_resource_manager manager;
+ struct drm_mm mm;
+@@ -149,15 +151,19 @@ void amdgpu_ttm_recover_gart(struct ttm_buffer_object *tbo);
+ uint64_t amdgpu_ttm_domain_start(struct amdgpu_device *adev, uint32_t type);
+
+ #if IS_ENABLED(CONFIG_DRM_AMDGPU_USERPTR)
+-int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages);
+-bool amdgpu_ttm_tt_get_user_pages_done(struct ttm_tt *ttm);
++int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo, struct page **pages,
++ struct hmm_range **range);
++bool amdgpu_ttm_tt_get_user_pages_done(struct ttm_tt *ttm,
++ struct hmm_range *range);
+ #else
+ static inline int amdgpu_ttm_tt_get_user_pages(struct amdgpu_bo *bo,
+- struct page **pages)
++ struct page **pages,
++ struct hmm_range **range)
+ {
+ return -EPERM;
+ }
+-static inline bool amdgpu_ttm_tt_get_user_pages_done(struct ttm_tt *ttm)
++static inline bool amdgpu_ttm_tt_get_user_pages_done(struct ttm_tt *ttm,
++ struct hmm_range *range)
+ {
+ return false;
+ }
+--
+2.35.1
+
--- /dev/null
+From ac24019d70845bf8f3bdf198dbc2c2df5ff8171b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Mar 2022 10:59:14 +0100
+Subject: drm/amdgpu: move setting the job resources
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <christian.koenig@amd.com>
+
+[ Upstream commit 736ec9fadd7a1fde8480df7e5cfac465c07ff6f3 ]
+
+Move setting the job resources into amdgpu_job.c
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Reviewed-by: Luben Tuikov <luben.tuikov@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: 4458da0bb09d ("drm/amdgpu: fix userptr HMM range handling v2")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 21 ++-------------------
+ drivers/gpu/drm/amd/amdgpu/amdgpu_job.c | 17 +++++++++++++++++
+ drivers/gpu/drm/amd/amdgpu/amdgpu_job.h | 2 ++
+ 3 files changed, 21 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+index b7bae833c804..aa3ce01cd538 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+@@ -495,9 +495,6 @@ static int amdgpu_cs_parser_bos(struct amdgpu_cs_parser *p,
+ struct amdgpu_vm *vm = &fpriv->vm;
+ struct amdgpu_bo_list_entry *e;
+ struct list_head duplicates;
+- struct amdgpu_bo *gds;
+- struct amdgpu_bo *gws;
+- struct amdgpu_bo *oa;
+ int r;
+
+ INIT_LIST_HEAD(&p->validated);
+@@ -614,22 +611,8 @@ static int amdgpu_cs_parser_bos(struct amdgpu_cs_parser *p,
+ amdgpu_cs_report_moved_bytes(p->adev, p->bytes_moved,
+ p->bytes_moved_vis);
+
+- gds = p->bo_list->gds_obj;
+- gws = p->bo_list->gws_obj;
+- oa = p->bo_list->oa_obj;
+-
+- if (gds) {
+- p->job->gds_base = amdgpu_bo_gpu_offset(gds) >> PAGE_SHIFT;
+- p->job->gds_size = amdgpu_bo_size(gds) >> PAGE_SHIFT;
+- }
+- if (gws) {
+- p->job->gws_base = amdgpu_bo_gpu_offset(gws) >> PAGE_SHIFT;
+- p->job->gws_size = amdgpu_bo_size(gws) >> PAGE_SHIFT;
+- }
+- if (oa) {
+- p->job->oa_base = amdgpu_bo_gpu_offset(oa) >> PAGE_SHIFT;
+- p->job->oa_size = amdgpu_bo_size(oa) >> PAGE_SHIFT;
+- }
++ amdgpu_job_set_resources(p->job, p->bo_list->gds_obj,
++ p->bo_list->gws_obj, p->bo_list->oa_obj);
+
+ if (!r && p->uf_entry.tv.bo) {
+ struct amdgpu_bo *uf = ttm_to_amdgpu_bo(p->uf_entry.tv.bo);
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c
+index c2fd6f3076a6..3b025aace283 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.c
+@@ -129,6 +129,23 @@ int amdgpu_job_alloc_with_ib(struct amdgpu_device *adev, unsigned size,
+ return r;
+ }
+
++void amdgpu_job_set_resources(struct amdgpu_job *job, struct amdgpu_bo *gds,
++ struct amdgpu_bo *gws, struct amdgpu_bo *oa)
++{
++ if (gds) {
++ job->gds_base = amdgpu_bo_gpu_offset(gds) >> PAGE_SHIFT;
++ job->gds_size = amdgpu_bo_size(gds) >> PAGE_SHIFT;
++ }
++ if (gws) {
++ job->gws_base = amdgpu_bo_gpu_offset(gws) >> PAGE_SHIFT;
++ job->gws_size = amdgpu_bo_size(gws) >> PAGE_SHIFT;
++ }
++ if (oa) {
++ job->oa_base = amdgpu_bo_gpu_offset(oa) >> PAGE_SHIFT;
++ job->oa_size = amdgpu_bo_size(oa) >> PAGE_SHIFT;
++ }
++}
++
+ void amdgpu_job_free_resources(struct amdgpu_job *job)
+ {
+ struct amdgpu_ring *ring = to_amdgpu_ring(job->base.sched);
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.h
+index babc0af751c2..2a1961bf1194 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_job.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_job.h
+@@ -76,6 +76,8 @@ int amdgpu_job_alloc(struct amdgpu_device *adev, unsigned num_ibs,
+ struct amdgpu_job **job, struct amdgpu_vm *vm);
+ int amdgpu_job_alloc_with_ib(struct amdgpu_device *adev, unsigned size,
+ enum amdgpu_ib_pool_type pool, struct amdgpu_job **job);
++void amdgpu_job_set_resources(struct amdgpu_job *job, struct amdgpu_bo *gds,
++ struct amdgpu_bo *gws, struct amdgpu_bo *oa);
+ void amdgpu_job_free_resources(struct amdgpu_job *job);
+ void amdgpu_job_free(struct amdgpu_job *job);
+ int amdgpu_job_submit(struct amdgpu_job *job, struct drm_sched_entity *entity,
+--
+2.35.1
+
--- /dev/null
+From 82bf46d8d2e5f6dd904fc4604c7b1bf09b3dd067 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 13:35:59 -0600
+Subject: dsa: lan9303: Correct stat name
+
+From: Jerry Ray <jerry.ray@microchip.com>
+
+[ Upstream commit 39f59bca275d2d819a8788c0f962e9e89843efc9 ]
+
+This patch changes the reported ethtool statistics for the lan9303
+family of parts covered by this driver.
+
+The TxUnderRun statistic label is renamed to RxShort to accurately
+reflect what stat the device is reporting. I did not reorder the
+statistics as that might cause problems with existing user code that
+are expecting the stats at a certain offset.
+
+Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303")
+Signed-off-by: Jerry Ray <jerry.ray@microchip.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20221128193559.6572-1-jerry.ray@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/lan9303-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c
+index e03ff1f267bb..1de62604434d 100644
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -959,7 +959,7 @@ static const struct lan9303_mib_desc lan9303_mib[] = {
+ { .offset = LAN9303_MAC_TX_BRDCST_CNT_0, .name = "TxBroad", },
+ { .offset = LAN9303_MAC_TX_PAUSE_CNT_0, .name = "TxPause", },
+ { .offset = LAN9303_MAC_TX_MULCST_CNT_0, .name = "TxMulti", },
+- { .offset = LAN9303_MAC_RX_UNDSZE_CNT_0, .name = "TxUnderRun", },
++ { .offset = LAN9303_MAC_RX_UNDSZE_CNT_0, .name = "RxShort", },
+ { .offset = LAN9303_MAC_TX_64_CNT_0, .name = "Tx64Byte", },
+ { .offset = LAN9303_MAC_TX_127_CNT_0, .name = "Tx128Byte", },
+ { .offset = LAN9303_MAC_TX_255_CNT_0, .name = "Tx256Byte", },
+--
+2.35.1
+
--- /dev/null
+From 06d53eaed4409c281f8928eae5968fbc9b538d27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 01:24:07 +0800
+Subject: e100: Fix possible use after free in e100_xmit_prepare
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 45605c75c52c7ae7bfe902214343aabcfe5ba0ff ]
+
+In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so
+e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will
+resend the skb. But the skb is already freed, which will cause UAF bug
+when the upper layer resends the skb.
+
+Remove the harmful free.
+
+Fixes: 5e5d49422dfb ("e100: Release skb when DMA mapping is failed in e100_xmit_prepare")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e100.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c
+index 11a884aa5082..90a2ba20e902 100644
+--- a/drivers/net/ethernet/intel/e100.c
++++ b/drivers/net/ethernet/intel/e100.c
+@@ -1741,11 +1741,8 @@ static int e100_xmit_prepare(struct nic *nic, struct cb *cb,
+ dma_addr = dma_map_single(&nic->pdev->dev, skb->data, skb->len,
+ DMA_TO_DEVICE);
+ /* If we can't map the skb, have the upper layer try later */
+- if (dma_mapping_error(&nic->pdev->dev, dma_addr)) {
+- dev_kfree_skb_any(skb);
+- skb = NULL;
++ if (dma_mapping_error(&nic->pdev->dev, dma_addr))
+ return -ENOMEM;
+- }
+
+ /*
+ * Use the last 4 bytes of the SKB payload packet as the CRC, used for
+--
+2.35.1
+
--- /dev/null
+From 5031932e18dc3cd8589351ae92643f6c6404b0a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 08:26:39 +0000
+Subject: fm10k: Fix error handling in fm10k_init_module()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 771a794c0a3c3e7f0d86cc34be4f9537e8c0a20c ]
+
+A problem about modprobe fm10k failed is triggered with the following log
+given:
+
+ Intel(R) Ethernet Switch Host Interface Driver
+ Copyright(c) 2013 - 2019 Intel Corporation.
+ debugfs: Directory 'fm10k' with parent '/' already present!
+
+The reason is that fm10k_init_module() returns fm10k_register_pci_driver()
+directly without checking its return value, if fm10k_register_pci_driver()
+failed, it returns without removing debugfs and destroy workqueue,
+resulting the debugfs of fm10k can never be created later and leaks the
+workqueue.
+
+ fm10k_init_module()
+ alloc_workqueue()
+ fm10k_dbg_init() # create debugfs
+ fm10k_register_pci_driver()
+ pci_register_driver()
+ driver_register()
+ bus_add_driver()
+ priv = kzalloc(...) # OOM happened
+ # return without remove debugfs and destroy workqueue
+
+Fix by remove debugfs and destroy workqueue when
+fm10k_register_pci_driver() returns error.
+
+Fixes: 7461fd913afe ("fm10k: Add support for debugfs")
+Fixes: b382bb1b3e2d ("fm10k: use separate workqueue for fm10k driver")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/fm10k/fm10k_main.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_main.c b/drivers/net/ethernet/intel/fm10k/fm10k_main.c
+index 3362f26d7f99..1b273446621c 100644
+--- a/drivers/net/ethernet/intel/fm10k/fm10k_main.c
++++ b/drivers/net/ethernet/intel/fm10k/fm10k_main.c
+@@ -32,6 +32,8 @@ struct workqueue_struct *fm10k_workqueue;
+ **/
+ static int __init fm10k_init_module(void)
+ {
++ int ret;
++
+ pr_info("%s\n", fm10k_driver_string);
+ pr_info("%s\n", fm10k_copyright);
+
+@@ -43,7 +45,13 @@ static int __init fm10k_init_module(void)
+
+ fm10k_dbg_init();
+
+- return fm10k_register_pci_driver();
++ ret = fm10k_register_pci_driver();
++ if (ret) {
++ fm10k_dbg_exit();
++ destroy_workqueue(fm10k_workqueue);
++ }
++
++ return ret;
+ }
+ module_init(fm10k_init_module);
+
+--
+2.35.1
+
--- /dev/null
+From 4e7e4199a3ca8fa40d4f686cc5fc0ec38f723c6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 01:43:29 +0000
+Subject: hwmon: (asus-ec-sensors) Add checks for devm_kcalloc
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 9bdc112be727cf1ba65be79541147f960c3349d8 ]
+
+As the devm_kcalloc may return NULL, the return value needs to be checked
+to avoid NULL poineter dereference.
+
+Fixes: d0ddfd241e57 ("hwmon: (asus-ec-sensors) add driver for ASUS EC")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Link: https://lore.kernel.org/r/20221125014329.121560-1-yuancan@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/asus-ec-sensors.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/hwmon/asus-ec-sensors.c b/drivers/hwmon/asus-ec-sensors.c
+index 81e688975c6a..a901e4e33d81 100644
+--- a/drivers/hwmon/asus-ec-sensors.c
++++ b/drivers/hwmon/asus-ec-sensors.c
+@@ -938,6 +938,8 @@ static int asus_ec_probe(struct platform_device *pdev)
+ ec_data->nr_sensors = hweight_long(ec_data->board_info->sensors);
+ ec_data->sensors = devm_kcalloc(dev, ec_data->nr_sensors,
+ sizeof(struct ec_sensor), GFP_KERNEL);
++ if (!ec_data->sensors)
++ return -ENOMEM;
+
+ status = setup_lock_data(dev);
+ if (status) {
+--
+2.35.1
+
--- /dev/null
+From a6dd9a68c78d0a3c6c1d2fc31efe1446c50616e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 11:23:13 -0500
+Subject: hwmon: (coretemp) Check for null before removing sysfs attrs
+
+From: Phil Auld <pauld@redhat.com>
+
+[ Upstream commit a89ff5f5cc64b9fe7a992cf56988fd36f56ca82a ]
+
+If coretemp_add_core() gets an error then pdata->core_data[indx]
+is already NULL and has been kfreed. Don't pass that to
+sysfs_remove_group() as that will crash in sysfs_remove_group().
+
+[Shortened for readability]
+[91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label'
+<cpu offline>
+[91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188
+[91855.165103] #PF: supervisor read access in kernel mode
+[91855.194506] #PF: error_code(0x0000) - not-present page
+[91855.224445] PGD 0 P4D 0
+[91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI
+...
+[91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80
+...
+[91855.796571] Call Trace:
+[91855.810524] coretemp_cpu_offline+0x12b/0x1dd [coretemp]
+[91855.841738] ? coretemp_cpu_online+0x180/0x180 [coretemp]
+[91855.871107] cpuhp_invoke_callback+0x105/0x4b0
+[91855.893432] cpuhp_thread_fun+0x8e/0x150
+...
+
+Fix this by checking for NULL first.
+
+Signed-off-by: Phil Auld <pauld@redhat.com>
+Cc: linux-hwmon@vger.kernel.org
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Jean Delvare <jdelvare@suse.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20221117162313.3164803-1-pauld@redhat.com
+Fixes: 199e0de7f5df3 ("hwmon: (coretemp) Merge pkgtemp with coretemp")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/coretemp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
+index 8bf32c6c85d9..30a19d711f89 100644
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -533,6 +533,10 @@ static void coretemp_remove_core(struct platform_data *pdata, int indx)
+ {
+ struct temp_data *tdata = pdata->core_data[indx];
+
++ /* if we errored on add then this is already gone */
++ if (!tdata)
++ return;
++
+ /* Remove the sysfs attributes */
+ sysfs_remove_group(&pdata->hwmon_dev->kobj, &tdata->attr_group);
+
+--
+2.35.1
+
--- /dev/null
+From 6316a659122c708340d0930e525d65858ec16093 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 17:33:03 +0800
+Subject: hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 7dec14537c5906b8bf40fd6fd6d9c3850f8df11d ]
+
+As comment of pci_get_domain_bus_and_slot() says, it returns
+a pci device with refcount increment, when finish using it,
+the caller must decrement the reference count by calling
+pci_dev_put(). So call it after using to avoid refcount leak.
+
+Fixes: 14513ee696a0 ("hwmon: (coretemp) Use PCI host bridge ID to identify CPU if necessary")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221118093303.214163-1-yangyingliang@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/coretemp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
+index 30a19d711f89..9bee4d33fbdf 100644
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -242,10 +242,13 @@ static int adjust_tjmax(struct cpuinfo_x86 *c, u32 id, struct device *dev)
+ */
+ if (host_bridge && host_bridge->vendor == PCI_VENDOR_ID_INTEL) {
+ for (i = 0; i < ARRAY_SIZE(tjmax_pci_table); i++) {
+- if (host_bridge->device == tjmax_pci_table[i].device)
++ if (host_bridge->device == tjmax_pci_table[i].device) {
++ pci_dev_put(host_bridge);
+ return tjmax_pci_table[i].tjmax;
++ }
+ }
+ }
++ pci_dev_put(host_bridge);
+
+ for (i = 0; i < ARRAY_SIZE(tjmax_table); i++) {
+ if (strstr(c->x86_model_id, tjmax_table[i].id))
+--
+2.35.1
+
--- /dev/null
+From 6a57f5a8fe71dfdd485ae6a8498e85a6ea81dc60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Nov 2022 20:56:06 +0800
+Subject: hwmon: (i5500_temp) fix missing pci_disable_device()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 3b7f98f237528c496ea0b689bace0e35eec3e060 ]
+
+pci_disable_device() need be called while module exiting, switch to use
+pcim_enable(), pci_disable_device() will be called in pcim_release().
+
+Fixes: ada072816be1 ("hwmon: (i5500_temp) New driver for the Intel 5500/5520/X58 chipsets")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20221112125606.3751430-1-yangyingliang@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/i5500_temp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/i5500_temp.c b/drivers/hwmon/i5500_temp.c
+index 05f68e9c9477..23b9f94fe0a9 100644
+--- a/drivers/hwmon/i5500_temp.c
++++ b/drivers/hwmon/i5500_temp.c
+@@ -117,7 +117,7 @@ static int i5500_temp_probe(struct pci_dev *pdev,
+ u32 tstimer;
+ s8 tsfsc;
+
+- err = pci_enable_device(pdev);
++ err = pcim_enable_device(pdev);
+ if (err) {
+ dev_err(&pdev->dev, "Failed to enable device\n");
+ return err;
+--
+2.35.1
+
--- /dev/null
+From 58778645ad718852f00c369ee605cd94c22954ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 11:44:23 +0800
+Subject: hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit e2a87785aab0dac190ac89be6a9ba955e2c634f2 ]
+
+Smatch report warning as follows:
+
+drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn:
+ '&data->list' not removed from list
+
+If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will
+be freed, but data->list will not be removed from driver_data.bmc_data,
+then list traversal may cause UAF.
+
+Fix by removeing it from driver_data.bmc_data before free().
+
+Fixes: 57c7c3a0fdea ("hwmon: IBM power meter driver")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Link: https://lore.kernel.org/r/20221117034423.2935739-1-cuigaosheng1@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/ibmpex.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwmon/ibmpex.c b/drivers/hwmon/ibmpex.c
+index f6ec165c0fa8..1837cccd993c 100644
+--- a/drivers/hwmon/ibmpex.c
++++ b/drivers/hwmon/ibmpex.c
+@@ -502,6 +502,7 @@ static void ibmpex_register_bmc(int iface, struct device *dev)
+ return;
+
+ out_register:
++ list_del(&data->list);
+ hwmon_device_unregister(data->hwmon_dev);
+ out_user:
+ ipmi_destroy_user(data->user);
+--
+2.35.1
+
--- /dev/null
+From f10f650a1bbebb9fec05a6e595ee53fbf2e2d806 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 12:45:08 +0800
+Subject: hwmon: (ina3221) Fix shunt sum critical calculation
+
+From: Ninad Malwade <nmalwade@nvidia.com>
+
+[ Upstream commit b8d27d2ce8dfc207e4b67b929a86f2be76fbc6ef ]
+
+The shunt sum critical limit register value should be left shifted
+by one bit as its LSB-0 is a reserved bit.
+
+Fixes: 2057bdfb7184 ("hwmon: (ina3221) Add summation feature support")
+Signed-off-by: Ninad Malwade <nmalwade@nvidia.com>
+Reviewed-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20221108044508.23463-1-nmalwade@nvidia.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/ina3221.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/ina3221.c b/drivers/hwmon/ina3221.c
+index 58d3828e2ec0..14586b2fb17d 100644
+--- a/drivers/hwmon/ina3221.c
++++ b/drivers/hwmon/ina3221.c
+@@ -228,7 +228,7 @@ static int ina3221_read_value(struct ina3221_data *ina, unsigned int reg,
+ * Shunt Voltage Sum register has 14-bit value with 1-bit shift
+ * Other Shunt Voltage registers have 12 bits with 3-bit shift
+ */
+- if (reg == INA3221_SHUNT_SUM)
++ if (reg == INA3221_SHUNT_SUM || reg == INA3221_CRIT_SUM)
+ *val = sign_extend32(regval >> 1, 14);
+ else
+ *val = sign_extend32(regval >> 3, 12);
+@@ -465,7 +465,7 @@ static int ina3221_write_curr(struct device *dev, u32 attr,
+ * SHUNT_SUM: (1 / 40uV) << 1 = 1 / 20uV
+ * SHUNT[1-3]: (1 / 40uV) << 3 = 1 / 5uV
+ */
+- if (reg == INA3221_SHUNT_SUM)
++ if (reg == INA3221_SHUNT_SUM || reg == INA3221_CRIT_SUM)
+ regval = DIV_ROUND_CLOSEST(voltage_uv, 20) & 0xfffe;
+ else
+ regval = DIV_ROUND_CLOSEST(voltage_uv, 5) & 0xfff8;
+--
+2.35.1
+
--- /dev/null
+From 5382bc01381403488696ea4f250b6bb5ec301222 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 13:21:08 -0600
+Subject: hwmon: (ltc2947) fix temperature scaling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Derek Nguyen <derek.nguyen@collins.com>
+
+[ Upstream commit 07e06193ead86d4812f431b4d87bbd4161222e3f ]
+
+The LTC2947 datasheet (Rev. B) calls out in the section "Register
+Description: Non-Accumulated Result Registers" (pg. 30) that "To
+calculate temperature, multiply the TEMP register value by 0.204°C
+and add 5.5°C". Fix to add 5.5C and not 0.55C.
+
+Fixes: 9f90fd652bed ("hwmon: Add support for ltc2947")
+Signed-off-by: Derek Nguyen <derek.nguyen@collins.com>
+Signed-off-by: Brandon Maier <brandon.maier@collins.com>
+Link: https://lore.kernel.org/r/20221110192108.20624-1-brandon.maier@collins.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/ltc2947-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/ltc2947-core.c b/drivers/hwmon/ltc2947-core.c
+index 5423466de697..e918490f3ff7 100644
+--- a/drivers/hwmon/ltc2947-core.c
++++ b/drivers/hwmon/ltc2947-core.c
+@@ -396,7 +396,7 @@ static int ltc2947_read_temp(struct device *dev, const u32 attr, long *val,
+ return ret;
+
+ /* in milidegrees celcius, temp is given by: */
+- *val = (__val * 204) + 550;
++ *val = (__val * 204) + 5500;
+
+ return 0;
+ }
+--
+2.35.1
+
--- /dev/null
+From f2606b8f21c52e369d37a94297bab2acc2c13bf1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 09:27:25 +0800
+Subject: i40e: Fix error handling in i40e_init_module()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit 479dd06149425b9e00477f52200872587af76a48 ]
+
+i40e_init_module() won't free the debugfs directory created by
+i40e_dbg_init() when pci_register_driver() failed. Add fail path to
+call i40e_dbg_exit() to remove the debugfs entries to prevent the bug.
+
+i40e: Intel(R) Ethernet Connection XL710 Network Driver
+i40e: Copyright (c) 2013 - 2019 Intel Corporation.
+debugfs: Directory 'i40e' with parent '/' already present!
+
+Fixes: 41c445ff0f48 ("i40e: main driver core")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index b3336d31f8a9..023685cca2c1 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -16652,6 +16652,8 @@ static struct pci_driver i40e_driver = {
+ **/
+ static int __init i40e_init_module(void)
+ {
++ int err;
++
+ pr_info("%s: %s\n", i40e_driver_name, i40e_driver_string);
+ pr_info("%s: %s\n", i40e_driver_name, i40e_copyright);
+
+@@ -16669,7 +16671,14 @@ static int __init i40e_init_module(void)
+ }
+
+ i40e_dbg_init();
+- return pci_register_driver(&i40e_driver);
++ err = pci_register_driver(&i40e_driver);
++ if (err) {
++ destroy_workqueue(i40e_wq);
++ i40e_dbg_exit();
++ return err;
++ }
++
++ return 0;
+ }
+ module_init(i40e_init_module);
+
+--
+2.35.1
+
--- /dev/null
+From 295ec05b117e74c1ad5f8be12725dba7cb3c36bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 08:26:40 +0000
+Subject: iavf: Fix error handling in iavf_init_module()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit 227d8d2f7f2278b8468c5531b0cd0f2a905b4486 ]
+
+The iavf_init_module() won't destroy workqueue when pci_register_driver()
+failed. Call destroy_workqueue() when pci_register_driver() failed to
+prevent the resource leak.
+
+Similar to the handling of u132_hcd_init in commit f276e002793c
+("usb: u132-hcd: fix resource leak")
+
+Fixes: 2803b16c10ea ("i40e/i40evf: Use private workqueue")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index cff03723f4f9..4e03712726f2 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -5196,6 +5196,8 @@ static struct pci_driver iavf_driver = {
+ **/
+ static int __init iavf_init_module(void)
+ {
++ int ret;
++
+ pr_info("iavf: %s\n", iavf_driver_string);
+
+ pr_info("%s\n", iavf_copyright);
+@@ -5206,7 +5208,12 @@ static int __init iavf_init_module(void)
+ pr_err("%s: Failed to create workqueue\n", iavf_driver_name);
+ return -ENOMEM;
+ }
+- return pci_register_driver(&iavf_driver);
++
++ ret = pci_register_driver(&iavf_driver);
++ if (ret)
++ destroy_workqueue(iavf_wq);
++
++ return ret;
+ }
+
+ module_init(iavf_init_module);
+--
+2.35.1
+
--- /dev/null
+From f3d539779ea4995758d53f18939b96576c5abbff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 15:19:46 +0000
+Subject: iio: health: afe4403: Fix oob read in afe4403_read_raw
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 58143c1ed5882c138a3cd2251a336fc8755f23d9 ]
+
+KASAN report out-of-bounds read as follows:
+
+BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0
+Read of size 4 at addr ffffffffc02ac638 by task cat/279
+
+Call Trace:
+ afe4403_read_raw
+ iio_read_channel_info
+ dev_attr_show
+
+The buggy address belongs to the variable:
+ afe4403_channel_leds+0x18/0xffffffffffffe9e0
+
+This issue can be reproduced by singe command:
+
+ $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw
+
+The array size of afe4403_channel_leds is less than channels, so access
+with chan->address cause OOB read in afe4403_read_raw. Fix it by moving
+access before use it.
+
+Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Andrew Davis <afd@ti.com>
+Link: https://lore.kernel.org/r/20221107151946.89260-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/health/afe4403.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/health/afe4403.c b/drivers/iio/health/afe4403.c
+index 3bb4028c5d74..df3bc5c3d378 100644
+--- a/drivers/iio/health/afe4403.c
++++ b/drivers/iio/health/afe4403.c
+@@ -245,14 +245,14 @@ static int afe4403_read_raw(struct iio_dev *indio_dev,
+ int *val, int *val2, long mask)
+ {
+ struct afe4403_data *afe = iio_priv(indio_dev);
+- unsigned int reg = afe4403_channel_values[chan->address];
+- unsigned int field = afe4403_channel_leds[chan->address];
++ unsigned int reg, field;
+ int ret;
+
+ switch (chan->type) {
+ case IIO_INTENSITY:
+ switch (mask) {
+ case IIO_CHAN_INFO_RAW:
++ reg = afe4403_channel_values[chan->address];
+ ret = afe4403_read(afe, reg, val);
+ if (ret)
+ return ret;
+@@ -262,6 +262,7 @@ static int afe4403_read_raw(struct iio_dev *indio_dev,
+ case IIO_CURRENT:
+ switch (mask) {
+ case IIO_CHAN_INFO_RAW:
++ field = afe4403_channel_leds[chan->address];
+ ret = regmap_field_read(afe->fields[field], val);
+ if (ret)
+ return ret;
+--
+2.35.1
+
--- /dev/null
+From ce69a9a7c7f275746591febb1f06f5f67d7797de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Nov 2022 15:20:10 +0000
+Subject: iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit fc92d9e3de0b2d30a3ccc08048a5fad533e4672b ]
+
+KASAN report out-of-bounds read as follows:
+
+BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380
+Read of size 4 at addr ffffffffc00e4658 by task cat/278
+
+Call Trace:
+ afe4404_read_raw
+ iio_read_channel_info
+ dev_attr_show
+
+The buggy address belongs to the variable:
+ afe4404_channel_leds+0x18/0xffffffffffffe9c0
+
+This issue can be reproduce by singe command:
+
+ $ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw
+
+The array size of afe4404_channel_leds and afe4404_channel_offdacs
+are less than channels, so access with chan->address cause OOB read
+in afe4404_[read|write]_raw. Fix it by moving access before use them.
+
+Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Andrew Davis <afd@ti.com>
+Link: https://lore.kernel.org/r/20221107152010.95937-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/health/afe4404.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iio/health/afe4404.c b/drivers/iio/health/afe4404.c
+index dd7800159051..f03c466c9385 100644
+--- a/drivers/iio/health/afe4404.c
++++ b/drivers/iio/health/afe4404.c
+@@ -250,20 +250,20 @@ static int afe4404_read_raw(struct iio_dev *indio_dev,
+ int *val, int *val2, long mask)
+ {
+ struct afe4404_data *afe = iio_priv(indio_dev);
+- unsigned int value_reg = afe4404_channel_values[chan->address];
+- unsigned int led_field = afe4404_channel_leds[chan->address];
+- unsigned int offdac_field = afe4404_channel_offdacs[chan->address];
++ unsigned int value_reg, led_field, offdac_field;
+ int ret;
+
+ switch (chan->type) {
+ case IIO_INTENSITY:
+ switch (mask) {
+ case IIO_CHAN_INFO_RAW:
++ value_reg = afe4404_channel_values[chan->address];
+ ret = regmap_read(afe->regmap, value_reg, val);
+ if (ret)
+ return ret;
+ return IIO_VAL_INT;
+ case IIO_CHAN_INFO_OFFSET:
++ offdac_field = afe4404_channel_offdacs[chan->address];
+ ret = regmap_field_read(afe->fields[offdac_field], val);
+ if (ret)
+ return ret;
+@@ -273,6 +273,7 @@ static int afe4404_read_raw(struct iio_dev *indio_dev,
+ case IIO_CURRENT:
+ switch (mask) {
+ case IIO_CHAN_INFO_RAW:
++ led_field = afe4404_channel_leds[chan->address];
+ ret = regmap_field_read(afe->fields[led_field], val);
+ if (ret)
+ return ret;
+@@ -295,19 +296,20 @@ static int afe4404_write_raw(struct iio_dev *indio_dev,
+ int val, int val2, long mask)
+ {
+ struct afe4404_data *afe = iio_priv(indio_dev);
+- unsigned int led_field = afe4404_channel_leds[chan->address];
+- unsigned int offdac_field = afe4404_channel_offdacs[chan->address];
++ unsigned int led_field, offdac_field;
+
+ switch (chan->type) {
+ case IIO_INTENSITY:
+ switch (mask) {
+ case IIO_CHAN_INFO_OFFSET:
++ offdac_field = afe4404_channel_offdacs[chan->address];
+ return regmap_field_write(afe->fields[offdac_field], val);
+ }
+ break;
+ case IIO_CURRENT:
+ switch (mask) {
+ case IIO_CHAN_INFO_RAW:
++ led_field = afe4404_channel_leds[chan->address];
+ return regmap_field_write(afe->fields[led_field], val);
+ }
+ break;
+--
+2.35.1
+
--- /dev/null
+From c389f96649818ab45f942d2c853314094c672dee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 16:47:29 -0500
+Subject: iio: light: rpr0521: add missing Kconfig dependencies
+
+From: Paul Gazzillo <paul@pgazz.com>
+
+[ Upstream commit 6ac12303572ef9ace5603c2c07f5f1b00a33f580 ]
+
+Fix an implicit declaration of function error for rpr0521 under some configs
+
+When CONFIG_RPR0521 is enabled without CONFIG_IIO_TRIGGERED_BUFFER,
+the build results in "implicit declaration of function" errors, e.g.,
+ drivers/iio/light/rpr0521.c:434:3: error: implicit declaration of function
+ 'iio_trigger_poll_chained' [-Werror=implicit-function-declaration]
+ 434 | iio_trigger_poll_chained(data->drdy_trigger0);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~
+
+This fix adds select dependencies to RPR0521's configuration declaration.
+
+Fixes: e12ffd241c00 ("iio: light: rpr0521 triggered buffer")
+Signed-off-by: Paul Gazzillo <paul@pgazz.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216678
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20221110214729.ls5ixav5kxpeftk7@device
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/light/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/iio/light/Kconfig b/drivers/iio/light/Kconfig
+index 8537e88f02e3..c02393009a2c 100644
+--- a/drivers/iio/light/Kconfig
++++ b/drivers/iio/light/Kconfig
+@@ -293,6 +293,8 @@ config RPR0521
+ tristate "ROHM RPR0521 ALS and proximity sensor driver"
+ depends on I2C
+ select REGMAP_I2C
++ select IIO_BUFFER
++ select IIO_TRIGGERED_BUFFER
+ help
+ Say Y here if you want to build support for ROHM's RPR0521
+ ambient light and proximity sensor device.
+--
+2.35.1
+
--- /dev/null
+From 390ccc57a269ff3955ade14ce1234e8860f43e61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 10:57:58 +0800
+Subject: ixgbevf: Fix resource leak in ixgbevf_init_module()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+[ Upstream commit 8cfa238a48f34038464b99d0b4825238c2687181 ]
+
+ixgbevf_init_module() won't destroy the workqueue created by
+create_singlethread_workqueue() when pci_register_driver() failed. Add
+destroy_workqueue() in fail path to prevent the resource leak.
+
+Similar to the handling of u132_hcd_init in commit f276e002793c
+("usb: u132-hcd: fix resource leak")
+
+Fixes: 40a13e2493c9 ("ixgbevf: Use a private workqueue to avoid certain possible hangs")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Reviewed-by: Saeed Mahameed <saeed@kernel.org>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+index 2f12fbe229c1..624b8aa4508c 100644
+--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+@@ -4869,6 +4869,8 @@ static struct pci_driver ixgbevf_driver = {
+ **/
+ static int __init ixgbevf_init_module(void)
+ {
++ int err;
++
+ pr_info("%s\n", ixgbevf_driver_string);
+ pr_info("%s\n", ixgbevf_copyright);
+ ixgbevf_wq = create_singlethread_workqueue(ixgbevf_driver_name);
+@@ -4877,7 +4879,13 @@ static int __init ixgbevf_init_module(void)
+ return -ENOMEM;
+ }
+
+- return pci_register_driver(&ixgbevf_driver);
++ err = pci_register_driver(&ixgbevf_driver);
++ if (err) {
++ destroy_workqueue(ixgbevf_wq);
++ return err;
++ }
++
++ return 0;
+ }
+
+ module_init(ixgbevf_init_module);
+--
+2.35.1
+
--- /dev/null
+From ef268e57b665da9aaed9278c6a1e3aad17d9659c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 18:26:34 +0000
+Subject: kbuild: fix -Wimplicit-function-declaration in
+ license_is_gpl_compatible
+
+From: Sam James <sam@gentoo.org>
+
+[ Upstream commit 50c697215a8cc22f0e58c88f06f2716c05a26e85 ]
+
+Add missing <linux/string.h> include for strcmp.
+
+Clang 16 makes -Wimplicit-function-declaration an error by default.
+Unfortunately, out of tree modules may use this in configure scripts,
+which means failure might cause silent miscompilation or misconfiguration.
+
+For more information, see LWN.net [0] or LLVM's Discourse [1], gentoo-dev@ [2],
+or the (new) c-std-porting mailing list [3].
+
+[0] https://lwn.net/Articles/913505/
+[1] https://discourse.llvm.org/t/configure-script-breakage-with-the-new-werror-implicit-function-declaration/65213
+[2] https://archives.gentoo.org/gentoo-dev/message/dd9f2d3082b8b6f8dfbccb0639e6e240
+[3] hosted at lists.linux.dev.
+
+[akpm@linux-foundation.org: remember "linux/"]
+Link: https://lkml.kernel.org/r/20221116182634.2823136-1-sam@gentoo.org
+Signed-off-by: Sam James <sam@gentoo.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/license.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/license.h b/include/linux/license.h
+index 7cce390f120b..ad937f57f2cb 100644
+--- a/include/linux/license.h
++++ b/include/linux/license.h
+@@ -2,6 +2,8 @@
+ #ifndef __LICENSE_H
+ #define __LICENSE_H
+
++#include <linux/string.h>
++
+ static inline int license_is_gpl_compatible(const char *license)
+ {
+ return (strcmp(license, "GPL") == 0
+--
+2.35.1
+
--- /dev/null
+From e7ecda7886f83441ac523087ea6ec2730e81ccfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Nov 2022 15:23:49 +0800
+Subject: libbpf: Handle size overflow for ringbuf mmap
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit 927cbb478adf917e0a142b94baa37f06279cc466 ]
+
+The maximum size of ringbuf is 2GB on x86-64 host, so 2 * max_entries
+will overflow u32 when mapping producer page and data pages. Only
+casting max_entries to size_t is not enough, because for 32-bits
+application on 64-bits kernel the size of read-only mmap region
+also could overflow size_t.
+
+So fixing it by casting the size of read-only mmap region into a __u64
+and checking whether or not there will be overflow during mmap.
+
+Fixes: bf99c936f947 ("libbpf: Add BPF ring buffer support")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20221116072351.1168938-3-houtao@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/ringbuf.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/tools/lib/bpf/ringbuf.c b/tools/lib/bpf/ringbuf.c
+index 8bc117bcc7bc..c42ba9358d8c 100644
+--- a/tools/lib/bpf/ringbuf.c
++++ b/tools/lib/bpf/ringbuf.c
+@@ -59,6 +59,7 @@ int ring_buffer__add(struct ring_buffer *rb, int map_fd,
+ __u32 len = sizeof(info);
+ struct epoll_event *e;
+ struct ring *r;
++ __u64 mmap_sz;
+ void *tmp;
+ int err;
+
+@@ -97,8 +98,7 @@ int ring_buffer__add(struct ring_buffer *rb, int map_fd,
+ r->mask = info.max_entries - 1;
+
+ /* Map writable consumer page */
+- tmp = mmap(NULL, rb->page_size, PROT_READ | PROT_WRITE, MAP_SHARED,
+- map_fd, 0);
++ tmp = mmap(NULL, rb->page_size, PROT_READ | PROT_WRITE, MAP_SHARED, map_fd, 0);
+ if (tmp == MAP_FAILED) {
+ err = -errno;
+ pr_warn("ringbuf: failed to mmap consumer page for map fd=%d: %d\n",
+@@ -111,8 +111,12 @@ int ring_buffer__add(struct ring_buffer *rb, int map_fd,
+ * data size to allow simple reading of samples that wrap around the
+ * end of a ring buffer. See kernel implementation for details.
+ * */
+- tmp = mmap(NULL, rb->page_size + 2 * info.max_entries, PROT_READ,
+- MAP_SHARED, map_fd, rb->page_size);
++ mmap_sz = rb->page_size + 2 * (__u64)info.max_entries;
++ if (mmap_sz != (__u64)(size_t)mmap_sz) {
++ pr_warn("ringbuf: ring buffer size (%u) is too big\n", info.max_entries);
++ return libbpf_err(-E2BIG);
++ }
++ tmp = mmap(NULL, (size_t)mmap_sz, PROT_READ, MAP_SHARED, map_fd, rb->page_size);
+ if (tmp == MAP_FAILED) {
+ err = -errno;
+ ringbuf_unmap_ring(rb, r);
+--
+2.35.1
+
--- /dev/null
+From 562ebc4b373c9f1dcb2df3f8bbfa6438c007ae91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 15:52:57 +0100
+Subject: libbpf: Use correct return pointer in attach_raw_tp
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit 5fd2a60aecf3a42b14fa371c55b3dbb18b229230 ]
+
+We need to pass '*link' to final libbpf_get_error,
+because that one holds the return value, not 'link'.
+
+Fixes: 4fa5bcfe07f7 ("libbpf: Allow BPF program auto-attach handlers to bail out")
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20221114145257.882322-1-jolsa@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index e36c44090720..79ea83be21ce 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -11143,7 +11143,7 @@ static int attach_raw_tp(const struct bpf_program *prog, long cookie, struct bpf
+ }
+
+ *link = bpf_program__attach_raw_tracepoint(prog, tp_name);
+- return libbpf_get_error(link);
++ return libbpf_get_error(*link);
+ }
+
+ /* Common logic for all BPF program types that attach to a btf_id */
+--
+2.35.1
+
--- /dev/null
+From 9b9deffc3157520332a896598747bf1d265ed226 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 16:42:37 +0100
+Subject: mptcp: don't orphan ssk in mptcp_close()
+
+From: Menglong Dong <imagedong@tencent.com>
+
+[ Upstream commit fe94800184f22d4778628f1321dce5acb7513d84 ]
+
+All of the subflows of a msk will be orphaned in mptcp_close(), which
+means the subflows are in DEAD state. After then, DATA_FIN will be sent,
+and the other side will response with a DATA_ACK for this DATA_FIN.
+
+However, if the other side still has pending data, the data that received
+on these subflows will not be passed to the msk, as they are DEAD and
+subflow_data_ready() will not be called in tcp_data_ready(). Therefore,
+these data can't be acked, and they will be retransmitted again and again,
+until timeout.
+
+Fix this by setting ssk->sk_socket and ssk->sk_wq to 'NULL', instead of
+orphaning the subflows in __mptcp_close(), as Paolo suggested.
+
+Fixes: e16163b6e2b7 ("mptcp: refactor shutdown and close")
+Reviewed-by: Biao Jiang <benbjiang@tencent.com>
+Reviewed-by: Mengen Sun <mengensun@tencent.com>
+Signed-off-by: Menglong Dong <imagedong@tencent.com>
+Reviewed-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/protocol.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index b568f55998f3..42d5e0a7952a 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -2297,12 +2297,7 @@ static void __mptcp_close_ssk(struct sock *sk, struct sock *ssk,
+ goto out;
+ }
+
+- /* if we are invoked by the msk cleanup code, the subflow is
+- * already orphaned
+- */
+- if (ssk->sk_socket)
+- sock_orphan(ssk);
+-
++ sock_orphan(ssk);
+ subflow->disposable = 1;
+
+ /* if ssk hit tcp_done(), tcp_cleanup_ulp() cleared the related ops
+@@ -2833,7 +2828,11 @@ bool __mptcp_close(struct sock *sk, long timeout)
+ if (ssk == msk->first)
+ subflow->fail_tout = 0;
+
+- sock_orphan(ssk);
++ /* detach from the parent socket, but allow data_ready to
++ * push incoming data into the mptcp stack, to properly ack it
++ */
++ ssk->sk_socket = NULL;
++ ssk->sk_wq = NULL;
+ unlock_sock_fast(ssk, slow);
+ }
+ sock_orphan(sk);
+--
+2.35.1
+
--- /dev/null
+From 6ae13ed2327aecb5600c45ce7e842e3a85686458 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 16:42:38 +0100
+Subject: mptcp: fix sleep in atomic at close time
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit b4f166651d03b5484fa179817ba8ad4899a5a6ac ]
+
+Matt reported a splat at msk close time:
+
+ BUG: sleeping function called from invalid context at net/mptcp/protocol.c:2877
+ in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 155, name: packetdrill
+ preempt_count: 201, expected: 0
+ RCU nest depth: 0, expected: 0
+ 4 locks held by packetdrill/155:
+ #0: ffff888001536990 (&sb->s_type->i_mutex_key#6){+.+.}-{3:3}, at: __sock_release (net/socket.c:650)
+ #1: ffff88800b498130 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_close (net/mptcp/protocol.c:2973)
+ #2: ffff88800b49a130 (sk_lock-AF_INET/1){+.+.}-{0:0}, at: __mptcp_close_ssk (net/mptcp/protocol.c:2363)
+ #3: ffff88800b49a0b0 (slock-AF_INET){+...}-{2:2}, at: __lock_sock_fast (include/net/sock.h:1820)
+ Preemption disabled at:
+ 0x0
+ CPU: 1 PID: 155 Comm: packetdrill Not tainted 6.1.0-rc5 #365
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+ Call Trace:
+ <TASK>
+ dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
+ __might_resched.cold (kernel/sched/core.c:9891)
+ __mptcp_destroy_sock (include/linux/kernel.h:110)
+ __mptcp_close (net/mptcp/protocol.c:2959)
+ mptcp_subflow_queue_clean (include/net/sock.h:1777)
+ __mptcp_close_ssk (net/mptcp/protocol.c:2363)
+ mptcp_destroy_common (net/mptcp/protocol.c:3170)
+ mptcp_destroy (include/net/sock.h:1495)
+ __mptcp_destroy_sock (net/mptcp/protocol.c:2886)
+ __mptcp_close (net/mptcp/protocol.c:2959)
+ mptcp_close (net/mptcp/protocol.c:2974)
+ inet_release (net/ipv4/af_inet.c:432)
+ __sock_release (net/socket.c:651)
+ sock_close (net/socket.c:1367)
+ __fput (fs/file_table.c:320)
+ task_work_run (kernel/task_work.c:181 (discriminator 1))
+ exit_to_user_mode_prepare (include/linux/resume_user_mode.h:49)
+ syscall_exit_to_user_mode (kernel/entry/common.c:130)
+ do_syscall_64 (arch/x86/entry/common.c:87)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+
+We can't call mptcp_close under the 'fast' socket lock variant, replace
+it with a sock_lock_nested() as the relevant code is already under the
+listening msk socket lock protection.
+
+Reported-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/316
+Fixes: 30e51b923e43 ("mptcp: fix unreleased socket in accept queue")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/subflow.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
+index 02a54d59697b..2159b5f9988f 100644
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -1745,16 +1745,16 @@ void mptcp_subflow_queue_clean(struct sock *listener_ssk)
+
+ for (msk = head; msk; msk = next) {
+ struct sock *sk = (struct sock *)msk;
+- bool slow, do_cancel_work;
++ bool do_cancel_work;
+
+ sock_hold(sk);
+- slow = lock_sock_fast_nested(sk);
++ lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
+ next = msk->dl_next;
+ msk->first = NULL;
+ msk->dl_next = NULL;
+
+ do_cancel_work = __mptcp_close(sk, 0);
+- unlock_sock_fast(sk, slow);
++ release_sock(sk);
+ if (do_cancel_work)
+ mptcp_cancel_work(sk);
+ sock_put(sk);
+--
+2.35.1
+
--- /dev/null
+From b39519a0fefd7e850abc974c9838bd1184de2e57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 16:10:05 +0800
+Subject: net/9p: Fix a potential socket leak in p9_socket_open
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit dcc14cfd7debe11b825cb077e75d91d2575b4cb8 ]
+
+Both p9_fd_create_tcp() and p9_fd_create_unix() will call
+p9_socket_open(). If the creation of p9_trans_fd fails,
+p9_fd_create_tcp() and p9_fd_create_unix() will return an
+error directly instead of releasing the cscoket, which will
+result in a socket leak.
+
+This patch adds sock_release() to fix the leak issue.
+
+Fixes: 6b18662e239a ("9p connect fixes")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+ACKed-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_fd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
+index 8487321c1fc7..3e056fb043bb 100644
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -862,8 +862,10 @@ static int p9_socket_open(struct p9_client *client, struct socket *csocket)
+ struct file *file;
+
+ p = kzalloc(sizeof(struct p9_trans_fd), GFP_KERNEL);
+- if (!p)
++ if (!p) {
++ sock_release(csocket);
+ return -ENOMEM;
++ }
+
+ csocket->sk->sk_allocation = GFP_NOIO;
+ file = sock_alloc_file(csocket, 0, NULL);
+--
+2.35.1
+
--- /dev/null
+From 65fc2ede8e27c10e9af25ddf15e8fff9e0bc8551 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 11:43:03 +0300
+Subject: net: ethernet: nixge: fix NULL dereference
+
+From: Yuri Karpov <YKarpov@ispras.ru>
+
+[ Upstream commit 9256db4e45e8b497b0e993cc3ed4ad08eb2389b6 ]
+
+In function nixge_hw_dma_bd_release() dereference of NULL pointer
+priv->rx_bd_v is possible for the case of its allocation failure in
+nixge_hw_dma_bd_init().
+
+Move for() loop with priv->rx_bd_v dereference under the check for
+its validity.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 492caffa8a1a ("net: ethernet: nixge: Add support for National Instruments XGE netdev")
+Signed-off-by: Yuri Karpov <YKarpov@ispras.ru>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ni/nixge.c | 29 +++++++++++++++--------------
+ 1 file changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/ni/nixge.c b/drivers/net/ethernet/ni/nixge.c
+index 4fc279a17562..bef3f0506487 100644
+--- a/drivers/net/ethernet/ni/nixge.c
++++ b/drivers/net/ethernet/ni/nixge.c
+@@ -249,25 +249,26 @@ static void nixge_hw_dma_bd_release(struct net_device *ndev)
+ struct sk_buff *skb;
+ int i;
+
+- for (i = 0; i < RX_BD_NUM; i++) {
+- phys_addr = nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i],
+- phys);
+-
+- dma_unmap_single(ndev->dev.parent, phys_addr,
+- NIXGE_MAX_JUMBO_FRAME_SIZE,
+- DMA_FROM_DEVICE);
+-
+- skb = (struct sk_buff *)(uintptr_t)
+- nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i],
+- sw_id_offset);
+- dev_kfree_skb(skb);
+- }
++ if (priv->rx_bd_v) {
++ for (i = 0; i < RX_BD_NUM; i++) {
++ phys_addr = nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i],
++ phys);
++
++ dma_unmap_single(ndev->dev.parent, phys_addr,
++ NIXGE_MAX_JUMBO_FRAME_SIZE,
++ DMA_FROM_DEVICE);
++
++ skb = (struct sk_buff *)(uintptr_t)
++ nixge_hw_dma_bd_get_addr(&priv->rx_bd_v[i],
++ sw_id_offset);
++ dev_kfree_skb(skb);
++ }
+
+- if (priv->rx_bd_v)
+ dma_free_coherent(ndev->dev.parent,
+ sizeof(*priv->rx_bd_v) * RX_BD_NUM,
+ priv->rx_bd_v,
+ priv->rx_bd_p);
++ }
+
+ if (priv->tx_skb)
+ devm_kfree(ndev->dev.parent, priv->tx_skb);
+--
+2.35.1
+
--- /dev/null
+From f0b536829b39a64a0bff20fd5eca9cd26f09b40e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 15:56:04 +0900
+Subject: net: ethernet: renesas: ravb: Fix promiscuous mode after system
+ resumed
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit d66233a312ec9013af3e37e4030b479a20811ec3 ]
+
+After system resumed on some environment board, the promiscuous mode
+is disabled because the SoC turned off. So, call ravb_set_rx_mode() in
+the ravb_resume() to fix the issue.
+
+Reported-by: Tho Vu <tho.vu.wh@renesas.com>
+Fixes: 0184165b2f42 ("ravb: add sleep PM suspend/resume support")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20221128065604.1864391-1-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 7e32b04eb0c7..44f9b31f8b99 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -3013,6 +3013,7 @@ static int __maybe_unused ravb_resume(struct device *dev)
+ ret = ravb_open(ndev);
+ if (ret < 0)
+ return ret;
++ ravb_set_rx_mode(ndev);
+ netif_device_attach(ndev);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From fc2d03f0271ae20ca50987b5ea961fee6a54bbed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 11:03:08 +0800
+Subject: net: ethernet: ti: am65-cpsw: fix error handling in
+ am65_cpsw_nuss_probe()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 46fb6512538d201d9a5b2bd7138b6751c37fdf0b ]
+
+The am65_cpsw_nuss_cleanup_ndev() function calls unregister_netdev()
+even if register_netdev() fails, which triggers WARN_ON(1) in
+unregister_netdevice_many(). To fix it, make sure that
+unregister_netdev() is called only on registered netdev.
+
+Compile tested only.
+
+Fixes: 84b4aa493249 ("net: ethernet: ti: am65-cpsw: add multi port support in mac-only mode")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+index 348201e10d49..95baacd6c761 100644
+--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c
++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+@@ -2061,7 +2061,7 @@ static void am65_cpsw_nuss_cleanup_ndev(struct am65_cpsw_common *common)
+
+ for (i = 0; i < common->port_num; i++) {
+ port = &common->ports[i];
+- if (port->ndev)
++ if (port->ndev && port->ndev->reg_state == NETREG_REGISTERED)
+ unregister_netdev(port->ndev);
+ }
+ }
+--
+2.35.1
+
--- /dev/null
+From 8c210559043a1d06ff6e6e43dcda04b97dfb2958 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 15:57:24 +0800
+Subject: net: hsr: Fix potential use-after-free
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 7e177d32442b7ed08a9fa61b61724abc548cb248 ]
+
+The skb is delivered to netif_rx() which may free it, after calling this,
+dereferencing skb may trigger use-after-free.
+
+Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Link: https://lore.kernel.org/r/20221125075724.27912-1-yuehaibing@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_forward.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
+index a50429a62f74..56bb27d67a2e 100644
+--- a/net/hsr/hsr_forward.c
++++ b/net/hsr/hsr_forward.c
+@@ -351,17 +351,18 @@ static void hsr_deliver_master(struct sk_buff *skb, struct net_device *dev,
+ struct hsr_node *node_src)
+ {
+ bool was_multicast_frame;
+- int res;
++ int res, recv_len;
+
+ was_multicast_frame = (skb->pkt_type == PACKET_MULTICAST);
+ hsr_addr_subst_source(node_src, skb);
+ skb_pull(skb, ETH_HLEN);
++ recv_len = skb->len;
+ res = netif_rx(skb);
+ if (res == NET_RX_DROP) {
+ dev->stats.rx_dropped++;
+ } else {
+ dev->stats.rx_packets++;
+- dev->stats.rx_bytes += skb->len;
++ dev->stats.rx_bytes += recv_len;
+ if (was_multicast_frame)
+ dev->stats.multicast++;
+ }
+--
+2.35.1
+
--- /dev/null
+From b0b5d1fb8537bcb7e834295968bbb6a697c990e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 23:01:30 +0800
+Subject: net: mdiobus: fix unbalanced node reference count
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit cdde1560118f82498fc9e9a7c1ef7f0ef7755891 ]
+
+I got the following report while doing device(mscc-miim) load test
+with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled:
+
+ OF: ERROR: memory leak, expected refcount 1 instead of 2,
+ of_node_get()/of_node_put() unbalanced - destroy cset entry:
+ attach overlay node /spi/soc@0/mdio@7107009c/ethernet-phy@0
+
+If the 'fwnode' is not an acpi node, the refcount is get in
+fwnode_mdiobus_phy_device_register(), but it has never been
+put when the device is freed in the normal path. So call
+fwnode_handle_put() in phy_device_release() to avoid leak.
+
+If it's an acpi node, it has never been get, but it's put
+in the error path, so call fwnode_handle_get() before
+phy_device_register() to keep get/put operation balanced.
+
+Fixes: bc1bee3b87ee ("net: mdiobus: Introduce fwnode_mdiobus_register_phy()")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20221124150130.609420-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/fwnode_mdio.c | 2 +-
+ drivers/net/phy/phy_device.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/mdio/fwnode_mdio.c b/drivers/net/mdio/fwnode_mdio.c
+index 1c1584fca632..40e745a1d185 100644
+--- a/drivers/net/mdio/fwnode_mdio.c
++++ b/drivers/net/mdio/fwnode_mdio.c
+@@ -120,7 +120,7 @@ int fwnode_mdiobus_register_phy(struct mii_bus *bus,
+ /* Associate the fwnode with the device structure so it
+ * can be looked up later.
+ */
+- phy->mdio.dev.fwnode = child;
++ phy->mdio.dev.fwnode = fwnode_handle_get(child);
+
+ /* All data is now stored in the phy struct, so register it */
+ rc = phy_device_register(phy);
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index 70c4d48f32c6..3607077cf86f 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -216,6 +216,7 @@ static void phy_mdio_device_free(struct mdio_device *mdiodev)
+
+ static void phy_device_release(struct device *dev)
+ {
++ fwnode_handle_put(dev->fwnode);
+ kfree(to_phy_device(dev));
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 6b0e1ed571870888bac2e68297e0da10a2651c2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Nov 2022 21:47:07 +0800
+Subject: net/mlx5: DR, Fix uninitialized var warning
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 52f7cf70eb8fac6111786c59ae9dfc5cf2bee710 ]
+
+Smatch warns this:
+
+drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c:81
+ mlx5dr_table_set_miss_action() error: uninitialized symbol 'ret'.
+
+Initializing ret with -EOPNOTSUPP and fix missing action case.
+
+Fixes: 7838e1725394 ("net/mlx5: DR, Expose steering table functionality")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c
+index 31d443dd8386..f68461b13391 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_table.c
+@@ -46,7 +46,7 @@ static int dr_table_set_miss_action_nic(struct mlx5dr_domain *dmn,
+ int mlx5dr_table_set_miss_action(struct mlx5dr_table *tbl,
+ struct mlx5dr_action *action)
+ {
+- int ret;
++ int ret = -EOPNOTSUPP;
+
+ if (action && action->action_type != DR_ACTION_TYP_FT)
+ return -EOPNOTSUPP;
+@@ -67,6 +67,9 @@ int mlx5dr_table_set_miss_action(struct mlx5dr_table *tbl,
+ goto out;
+ }
+
++ if (ret)
++ goto out;
++
+ /* Release old action */
+ if (tbl->miss_action)
+ refcount_dec(&tbl->miss_action->refcount);
+--
+2.35.1
+
--- /dev/null
+From 96d4ea214b10cf02e918c2dd07c34d75962f7d4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 09:48:13 +0200
+Subject: net/mlx5: E-switch, Destroy legacy fdb table when needed
+
+From: Chris Mi <cmi@nvidia.com>
+
+[ Upstream commit 2318b8bb94a3a21363cd0d49cad5934bd1e2d60e ]
+
+The cited commit removes eswitch mode none. But when disabling
+sriov in legacy mode or changing from switchdev to legacy mode
+without sriov enabled, the legacy fdb table is not destroyed.
+
+It is not the right behavior. Destroy legacy fdb table in above
+two caes.
+
+Fixes: f019679ea5f2 ("net/mlx5: E-switch, Remove dependency between sriov and eswitch mode")
+Signed-off-by: Chris Mi <cmi@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Reviewed-by: Eli Cohen <elic@nvidia.com>
+Reviewed-by: Mark Bloch <mbloch@nvidia.com>
+Reviewed-by: Vlad Buslov <vladbu@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 3 +++
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 7 +++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+index 4d8b8f6143cc..59cffa49e4b5 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -1363,6 +1363,9 @@ void mlx5_eswitch_disable_sriov(struct mlx5_eswitch *esw, bool clear_vf)
+ esw_offloads_del_send_to_vport_meta_rules(esw);
+ devl_rate_nodes_destroy(devlink);
+ }
++ /* Destroy legacy fdb when disabling sriov in legacy mode. */
++ if (esw->mode == MLX5_ESWITCH_LEGACY)
++ mlx5_eswitch_disable_locked(esw);
+
+ esw->esw_funcs.num_vfs = 0;
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+index 061ac8799354..11cb7d28e1f8 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+@@ -3270,6 +3270,13 @@ static int esw_offloads_stop(struct mlx5_eswitch *esw,
+ int err;
+
+ esw->mode = MLX5_ESWITCH_LEGACY;
++
++ /* If changing from switchdev to legacy mode without sriov enabled,
++ * no need to create legacy fdb.
++ */
++ if (!mlx5_sriov_is_enabled(esw->dev))
++ return 0;
++
+ err = mlx5_eswitch_enable_locked(esw, MLX5_ESWITCH_IGNORE_NUM_VFS);
+ if (err)
+ NL_SET_ERR_MSG_MOD(extack, "Failed setting eswitch to legacy");
+--
+2.35.1
+
--- /dev/null
+From e006e8b90f589f69f12f4723e0bb4c2cfdda48f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Aug 2022 05:09:07 +0300
+Subject: net/mlx5: E-switch, Fix duplicate lag creation
+
+From: Chris Mi <cmi@nvidia.com>
+
+[ Upstream commit e87c6a832f889c093c055a30a7b8c6843e6573bf ]
+
+If creating bond first and then enabling sriov in switchdev mode,
+will hit the following syndrome:
+
+mlx5_core 0000:08:00.0: mlx5_cmd_out_err:778:(pid 25543): CREATE_LAG(0x840) op_mod(0x0) failed, status bad parameter(0x3), syndrome (0x7d49cb), err(-22)
+
+The reason is because the offending patch removes eswitch mode
+none. In vf lag, the checking of eswitch mode none is replaced
+by checking if sriov is enabled. But when driver enables sriov,
+it triggers the bond workqueue task first and then setting sriov
+number in pci_enable_sriov(). So the check fails.
+
+Fix it by checking if sriov is enabled using eswitch internal
+counter that is set before triggering the bond workqueue task.
+
+Fixes: f019679ea5f2 ("net/mlx5: E-switch, Remove dependency between sriov and eswitch mode")
+Signed-off-by: Chris Mi <cmi@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Reviewed-by: Mark Bloch <mbloch@nvidia.com>
+Reviewed-by: Vlad Buslov <vladbu@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 8 ++++++++
+ drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c | 5 +++--
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+index 87ce5a208cb5..5ceed4e6c658 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+@@ -731,6 +731,14 @@ void mlx5_eswitch_offloads_destroy_single_fdb(struct mlx5_eswitch *master_esw,
+ struct mlx5_eswitch *slave_esw);
+ int mlx5_eswitch_reload_reps(struct mlx5_eswitch *esw);
+
++static inline int mlx5_eswitch_num_vfs(struct mlx5_eswitch *esw)
++{
++ if (mlx5_esw_allowed(esw))
++ return esw->esw_funcs.num_vfs;
++
++ return 0;
++}
++
+ #else /* CONFIG_MLX5_ESWITCH */
+ /* eswitch API stubs */
+ static inline int mlx5_eswitch_init(struct mlx5_core_dev *dev) { return 0; }
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c
+index 065102278cb8..a879e0b0f702 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c
+@@ -649,8 +649,9 @@ static bool mlx5_lag_check_prereq(struct mlx5_lag *ldev)
+
+ #ifdef CONFIG_MLX5_ESWITCH
+ dev = ldev->pf[MLX5_LAG_P1].dev;
+- if ((mlx5_sriov_is_enabled(dev)) && !is_mdev_switchdev_mode(dev))
+- return false;
++ for (i = 0; i < ldev->ports; i++)
++ if (mlx5_eswitch_num_vfs(dev->priv.eswitch) && !is_mdev_switchdev_mode(dev))
++ return false;
+
+ mode = mlx5_eswitch_mode(dev);
+ for (i = 0; i < ldev->ports; i++)
+--
+2.35.1
+
--- /dev/null
+From eb9b86fbeed453fbb8c9653f19e978f8fb83ff3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 19:22:04 +0800
+Subject: net/mlx5: Fix uninitialized variable bug in outlen_write()
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 3f5769a074c13d8f08455e40586600419e02a880 ]
+
+If sscanf() return 0, outlen is uninitialized and used in kzalloc(),
+this is unexpected. We should return -EINVAL if the string is invalid.
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index 74bd05e5dda2..e7a894ba5c3e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -1497,8 +1497,8 @@ static ssize_t outlen_write(struct file *filp, const char __user *buf,
+ return -EFAULT;
+
+ err = sscanf(outlen_str, "%d", &outlen);
+- if (err < 0)
+- return err;
++ if (err != 1)
++ return -EINVAL;
+
+ ptr = kzalloc(outlen, GFP_KERNEL);
+ if (!ptr)
+--
+2.35.1
+
--- /dev/null
+From 59b248e2e9757e440a5e96f1f1106b4f88af976d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 01:30:06 -0800
+Subject: net/mlx5: Lag, Fix for loop when checking lag
+
+From: Chris Mi <cmi@nvidia.com>
+
+[ Upstream commit 0e682f04b4b59eac0b0a030251513589c4607458 ]
+
+The cited commit adds a for loop to check if each port supports lag
+or not. But dev is not initialized correctly. Fix it by initializing
+dev for each iteration.
+
+Fixes: e87c6a832f88 ("net/mlx5: E-switch, Fix duplicate lag creation")
+Signed-off-by: Chris Mi <cmi@nvidia.com>
+Reported-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Link: https://lore.kernel.org/r/20221129093006.378840-2-saeed@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c
+index a879e0b0f702..48f86e12f5c0 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/lag.c
+@@ -648,11 +648,13 @@ static bool mlx5_lag_check_prereq(struct mlx5_lag *ldev)
+ return false;
+
+ #ifdef CONFIG_MLX5_ESWITCH
+- dev = ldev->pf[MLX5_LAG_P1].dev;
+- for (i = 0; i < ldev->ports; i++)
++ for (i = 0; i < ldev->ports; i++) {
++ dev = ldev->pf[i].dev;
+ if (mlx5_eswitch_num_vfs(dev->priv.eswitch) && !is_mdev_switchdev_mode(dev))
+ return false;
++ }
+
++ dev = ldev->pf[MLX5_LAG_P1].dev;
+ mode = mlx5_eswitch_mode(dev);
+ for (i = 0; i < ldev->ports; i++)
+ if (mlx5_eswitch_mode(ldev->pf[i].dev) != mode)
+--
+2.35.1
+
--- /dev/null
+From 2663600782dae20a81f917ca8126de60f40eec5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 20:04:29 +0200
+Subject: net/mlx5e: Fix use-after-free when reverting termination table
+
+From: Roi Dayan <roid@nvidia.com>
+
+[ Upstream commit 52c795af04441d76f565c4634f893e5b553df2ae ]
+
+When having multiple dests with termination tables and second one
+or afterwards fails the driver reverts usage of term tables but
+doesn't reset the assignment in attr->dests[num_vport_dests].termtbl
+which case a use-after-free when releasing the rule.
+Fix by resetting the assignment of termtbl to null.
+
+Fixes: 10caabdaad5a ("net/mlx5e: Use termination table for VLAN push actions")
+Signed-off-by: Roi Dayan <roid@nvidia.com>
+Reviewed-by: Maor Dickman <maord@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c
+index 108a3503f413..edd910258314 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c
+@@ -312,6 +312,8 @@ mlx5_eswitch_add_termtbl_rule(struct mlx5_eswitch *esw,
+ for (curr_dest = 0; curr_dest < num_vport_dests; curr_dest++) {
+ struct mlx5_termtbl_handle *tt = attr->dests[curr_dest].termtbl;
+
++ attr->dests[curr_dest].termtbl = NULL;
++
+ /* search for the destination associated with the
+ * current term table
+ */
+--
+2.35.1
+
--- /dev/null
+From ebe4606066cc0da19e913b64e8389130f4b1af35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 07:09:17 +0000
+Subject: net: net_netdev: Fix error handling in ntb_netdev_init_module()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit b8f79dccd38edf7db4911c353d9cd792ab13a327 ]
+
+The ntb_netdev_init_module() returns the ntb_transport_register_client()
+directly without checking its return value, if
+ntb_transport_register_client() failed, the NTB client device is not
+unregistered.
+
+Fix by unregister NTB client device when ntb_transport_register_client()
+failed.
+
+Fixes: 548c237c0a99 ("net: Add support for NTB virtual ethernet device")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ntb_netdev.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c
+index 80bdc07f2cd3..dd7e273c90cb 100644
+--- a/drivers/net/ntb_netdev.c
++++ b/drivers/net/ntb_netdev.c
+@@ -484,7 +484,14 @@ static int __init ntb_netdev_init_module(void)
+ rc = ntb_transport_register_client_dev(KBUILD_MODNAME);
+ if (rc)
+ return rc;
+- return ntb_transport_register_client(&ntb_netdev_client);
++
++ rc = ntb_transport_register_client(&ntb_netdev_client);
++ if (rc) {
++ ntb_transport_unregister_client_dev(KBUILD_MODNAME);
++ return rc;
++ }
++
++ return 0;
+ }
+ module_init(ntb_netdev_init_module);
+
+--
+2.35.1
+
--- /dev/null
+From 5fe0de08748706c620fedaaf89e52891fbfb9e3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 21:28:08 +0800
+Subject: net: phy: fix null-ptr-deref while probe() failed
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 369eb2c9f1f72adbe91e0ea8efb130f0a2ba11a6 ]
+
+I got a null-ptr-deref report as following when doing fault injection test:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000058
+Oops: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+RIP: 0010:klist_put+0x2d/0xd0
+Call Trace:
+ <TASK>
+ klist_remove+0xf1/0x1c0
+ device_release_driver_internal+0x23e/0x2d0
+ bus_remove_device+0x1bd/0x240
+ device_del+0x357/0x770
+ phy_device_remove+0x11/0x30
+ mdiobus_unregister+0xa5/0x140
+ release_nodes+0x6a/0xa0
+ devres_release_all+0xf8/0x150
+ device_unbind_cleanup+0x19/0xd0
+
+//probe path:
+phy_device_register()
+ device_add()
+
+phy_connect
+ phy_attach_direct() //set device driver
+ probe() //it's failed, driver is not bound
+ device_bind_driver() // probe failed, it's not called
+
+//remove path:
+phy_device_remove()
+ device_del()
+ device_release_driver_internal()
+ __device_release_driver() //dev->drv is not NULL
+ klist_remove() <- knode_driver is not added yet, cause null-ptr-deref
+
+In phy_attach_direct(), after setting the 'dev->driver', probe() fails,
+device_bind_driver() is not called, so the knode_driver->n_klist is not
+set, then it causes null-ptr-deref in __device_release_driver() while
+deleting device. Fix this by setting dev->driver to NULL in the error
+path in phy_attach_direct().
+
+Fixes: e13934563db0 ("[PATCH] PHY Layer fixup")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy_device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index 4df8c337221b..70c4d48f32c6 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -1518,6 +1518,7 @@ int phy_attach_direct(struct net_device *dev, struct phy_device *phydev,
+
+ error_module_put:
+ module_put(d->driver->owner);
++ d->driver = NULL;
+ error_put_device:
+ put_device(d);
+ if (ndev_owner != bus->owner)
+--
+2.35.1
+
--- /dev/null
+From 646928fda18681c89b034ca060c8642d4b2e7916 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 02:51:34 +0900
+Subject: net: tun: Fix use-after-free in tun_detach()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 5daadc86f27ea4d691e2131c04310d0418c6cd12 ]
+
+syzbot reported use-after-free in tun_detach() [1]. This causes call
+trace like below:
+
+==================================================================
+BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
+Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673
+
+CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:284 [inline]
+ print_report+0x15e/0x461 mm/kasan/report.c:395
+ kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
+ notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
+ call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942
+ call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
+ call_netdevice_notifiers net/core/dev.c:1997 [inline]
+ netdev_wait_allrefs_any net/core/dev.c:10237 [inline]
+ netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351
+ tun_detach drivers/net/tun.c:704 [inline]
+ tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467
+ __fput+0x27c/0xa90 fs/file_table.c:320
+ task_work_run+0x16f/0x270 kernel/task_work.c:179
+ exit_task_work include/linux/task_work.h:38 [inline]
+ do_exit+0xb3d/0x2a30 kernel/exit.c:820
+ do_group_exit+0xd4/0x2a0 kernel/exit.c:950
+ get_signal+0x21b1/0x2440 kernel/signal.c:2858
+ arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869
+ exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
+ exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
+ syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
+ do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+The cause of the issue is that sock_put() from __tun_detach() drops
+last reference count for struct net, and then notifier_call_chain()
+from netdev_state_change() accesses that struct net.
+
+This patch fixes the issue by calling sock_put() from tun_detach()
+after all necessary accesses for the struct net has done.
+
+Fixes: 83c1f36f9880 ("tun: send netlink notification when the device is modified")
+Reported-by: syzbot+106f9b687cd64ee70cd1@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=96eb7f1ce75ef933697f24eeab928c4a716edefe [1]
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Link: https://lore.kernel.org/r/20221124175134.1589053-1-syoshida@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/tun.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index 3387074a2bdb..167e6a3784ca 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -686,7 +686,6 @@ static void __tun_detach(struct tun_file *tfile, bool clean)
+ if (tun)
+ xdp_rxq_info_unreg(&tfile->xdp_rxq);
+ ptr_ring_cleanup(&tfile->tx_ring, tun_ptr_free);
+- sock_put(&tfile->sk);
+ }
+ }
+
+@@ -702,6 +701,9 @@ static void tun_detach(struct tun_file *tfile, bool clean)
+ if (dev)
+ netdev_state_change(dev);
+ rtnl_unlock();
++
++ if (clean)
++ sock_put(&tfile->sk);
+ }
+
+ static void tun_detach_all(struct net_device *dev)
+--
+2.35.1
+
--- /dev/null
+From abff31ad9b8ae90983eebac658ba1b991d525dda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 16:08:17 +0530
+Subject: net: wwan: iosm: fix crash in peek throughput test
+
+From: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
+
+[ Upstream commit 2290a1d46bf30f9e0bcf49ad20d5c30d0e099989 ]
+
+Peek throughput UL test is resulting in crash. If the UL
+transfer block free list is exhaust, the peeked skb is freed.
+In the next transfer freed skb is referred from UL list which
+results in crash.
+
+Don't free the skb if UL transfer blocks are unavailable. The
+pending skb will be picked for transfer on UL transfer block
+available.
+
+Fixes: 1f52d7b62285 ("net: wwan: iosm: Enable M.2 7360 WWAN card support")
+Signed-off-by: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/iosm/iosm_ipc_mux_codec.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c b/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c
+index c16365123660..738420bd14af 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c
++++ b/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c
+@@ -1207,10 +1207,9 @@ static int mux_ul_dg_update_tbl_index(struct iosm_mux *ipc_mux,
+ qlth_n_ql_size, ul_list);
+ ipc_mux_ul_adb_finish(ipc_mux);
+ if (ipc_mux_ul_adb_allocate(ipc_mux, adb, &ipc_mux->size_needed,
+- IOSM_AGGR_MUX_SIG_ADBH)) {
+- dev_kfree_skb(src_skb);
++ IOSM_AGGR_MUX_SIG_ADBH))
+ return -ENOMEM;
+- }
++
+ ipc_mux->size_needed = le32_to_cpu(adb->adbh->block_length);
+
+ ipc_mux->size_needed += offsetof(struct mux_adth, dg);
+--
+2.35.1
+
--- /dev/null
+From c3a5cdea07482f3db53a59d850fa555514903741 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 16:08:03 +0530
+Subject: net: wwan: iosm: fix dma_alloc_coherent incompatible pointer type
+
+From: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
+
+[ Upstream commit 4a99e3c8ed888577b947cbed97d88c9706896105 ]
+
+Fix build error reported on armhf while preparing 6.1-rc5
+for Debian.
+
+iosm_ipc_protocol.c:244:36: error: passing argument 3 of
+'dma_alloc_coherent' from incompatible pointer type.
+
+Change phy_ap_shm type from phys_addr_t to dma_addr_t.
+
+Fixes: faed4c6f6f48 ("net: iosm: shared memory protocol")
+Reported-by: Bonaccorso Salvatore <carnil@debian.org>
+Signed-off-by: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/iosm/iosm_ipc_protocol.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_protocol.h b/drivers/net/wwan/iosm/iosm_ipc_protocol.h
+index 9b3a6d86ece7..289397c4ea6c 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_protocol.h
++++ b/drivers/net/wwan/iosm/iosm_ipc_protocol.h
+@@ -122,7 +122,7 @@ struct iosm_protocol {
+ struct iosm_imem *imem;
+ struct ipc_rsp *rsp_ring[IPC_MEM_MSG_ENTRIES];
+ struct device *dev;
+- phys_addr_t phy_ap_shm;
++ dma_addr_t phy_ap_shm;
+ u32 old_msg_tail;
+ };
+
+--
+2.35.1
+
--- /dev/null
+From f61bb51bee284f7580ef47aa2ce98449e0d6ef64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 16:08:32 +0530
+Subject: net: wwan: iosm: fix incorrect skb length
+
+From: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
+
+[ Upstream commit c34ca4f32c24bf748493b49085e43cd714cf8357 ]
+
+skb passed to network layer contains incorrect length.
+
+In mux aggregation protocol, the datagram block received
+from device contains block signature, packet & datagram
+header. The right skb len to be calculated by subracting
+datagram pad len from datagram length.
+
+Whereas in mux lite protocol, the skb contains single
+datagram so skb len is calculated by subtracting the
+packet offset from datagram header.
+
+Fixes: 1f52d7b62285 ("net: wwan: iosm: Enable M.2 7360 WWAN card support")
+Signed-off-by: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/iosm/iosm_ipc_mux_codec.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c b/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c
+index 738420bd14af..d6b166fc5c0e 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c
++++ b/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c
+@@ -365,7 +365,8 @@ static void ipc_mux_dl_cmd_decode(struct iosm_mux *ipc_mux, struct sk_buff *skb)
+ /* Pass the DL packet to the netif layer. */
+ static int ipc_mux_net_receive(struct iosm_mux *ipc_mux, int if_id,
+ struct iosm_wwan *wwan, u32 offset,
+- u8 service_class, struct sk_buff *skb)
++ u8 service_class, struct sk_buff *skb,
++ u32 pkt_len)
+ {
+ struct sk_buff *dest_skb = skb_clone(skb, GFP_ATOMIC);
+
+@@ -373,7 +374,7 @@ static int ipc_mux_net_receive(struct iosm_mux *ipc_mux, int if_id,
+ return -ENOMEM;
+
+ skb_pull(dest_skb, offset);
+- skb_set_tail_pointer(dest_skb, dest_skb->len);
++ skb_trim(dest_skb, pkt_len);
+ /* Pass the packet to the netif layer. */
+ dest_skb->priority = service_class;
+
+@@ -429,7 +430,7 @@ static void ipc_mux_dl_fcth_decode(struct iosm_mux *ipc_mux,
+ static void ipc_mux_dl_adgh_decode(struct iosm_mux *ipc_mux,
+ struct sk_buff *skb)
+ {
+- u32 pad_len, packet_offset;
++ u32 pad_len, packet_offset, adgh_len;
+ struct iosm_wwan *wwan;
+ struct mux_adgh *adgh;
+ u8 *block = skb->data;
+@@ -470,10 +471,12 @@ static void ipc_mux_dl_adgh_decode(struct iosm_mux *ipc_mux,
+ packet_offset = sizeof(*adgh) + pad_len;
+
+ if_id += ipc_mux->wwan_q_offset;
++ adgh_len = le16_to_cpu(adgh->length);
+
+ /* Pass the packet to the netif layer */
+ rc = ipc_mux_net_receive(ipc_mux, if_id, wwan, packet_offset,
+- adgh->service_class, skb);
++ adgh->service_class, skb,
++ adgh_len - packet_offset);
+ if (rc) {
+ dev_err(ipc_mux->dev, "mux adgh decoding error");
+ return;
+@@ -547,7 +550,7 @@ static int mux_dl_process_dg(struct iosm_mux *ipc_mux, struct mux_adbh *adbh,
+ int if_id, int nr_of_dg)
+ {
+ u32 dl_head_pad_len = ipc_mux->session[if_id].dl_head_pad_len;
+- u32 packet_offset, i, rc;
++ u32 packet_offset, i, rc, dg_len;
+
+ for (i = 0; i < nr_of_dg; i++, dg++) {
+ if (le32_to_cpu(dg->datagram_index)
+@@ -562,11 +565,12 @@ static int mux_dl_process_dg(struct iosm_mux *ipc_mux, struct mux_adbh *adbh,
+ packet_offset =
+ le32_to_cpu(dg->datagram_index) +
+ dl_head_pad_len;
++ dg_len = le16_to_cpu(dg->datagram_length);
+ /* Pass the packet to the netif layer. */
+ rc = ipc_mux_net_receive(ipc_mux, if_id, ipc_mux->wwan,
+ packet_offset,
+- dg->service_class,
+- skb);
++ dg->service_class, skb,
++ dg_len - dl_head_pad_len);
+ if (rc)
+ goto dg_error;
+ }
+--
+2.35.1
+
--- /dev/null
+From 3e633a93fc5bbe8b6091005590ea14e60f545d0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 16:07:46 +0530
+Subject: net: wwan: iosm: fix kernel test robot reported error
+
+From: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
+
+[ Upstream commit 985a02e75881b73a43c9433a718b49d272a9dd6b ]
+
+sparse warnings - iosm_ipc_mux_codec.c:1474 using plain
+integer as NULL pointer.
+
+Use skb_trim() to reset skb tail & len.
+
+Fixes: 9413491e20e1 ("net: iosm: encode or decode datagram")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: M Chetan Kumar <m.chetan.kumar@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/iosm/iosm_ipc_mux_codec.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c b/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c
+index d41e373f9c0a..c16365123660 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c
++++ b/drivers/net/wwan/iosm/iosm_ipc_mux_codec.c
+@@ -1471,8 +1471,7 @@ void ipc_mux_ul_encoded_process(struct iosm_mux *ipc_mux, struct sk_buff *skb)
+ ipc_mux->ul_data_pend_bytes);
+
+ /* Reset the skb settings. */
+- skb->tail = 0;
+- skb->len = 0;
++ skb_trim(skb, 0);
+
+ /* Add the consumed ADB to the free list. */
+ skb_queue_tail((&ipc_mux->ul_adb.free_list), skb);
+--
+2.35.1
+
--- /dev/null
+From 9546987a5728bc98d4870916926c07cdf5dbaf4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Nov 2022 06:38:38 +0000
+Subject: nvmem: rmem: Fix return value check in rmem_read()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 58e92c4a496b27156020a59a98c7f4a92c2b1533 ]
+
+In case of error, the function memremap() returns NULL pointer
+not ERR_PTR(). The IS_ERR() test in the return value check
+should be replaced with NULL test.
+
+Fixes: 5a3fa75a4d9c ("nvmem: Add driver to expose reserved memory as nvmem")
+Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Cc: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20221118063840.6357-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvmem/rmem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvmem/rmem.c b/drivers/nvmem/rmem.c
+index b11c3c974b3d..80cb187f1481 100644
+--- a/drivers/nvmem/rmem.c
++++ b/drivers/nvmem/rmem.c
+@@ -37,9 +37,9 @@ static int rmem_read(void *context, unsigned int offset,
+ * but as of Dec 2020 this isn't possible on arm64.
+ */
+ addr = memremap(priv->mem->base, available, MEMREMAP_WB);
+- if (IS_ERR(addr)) {
++ if (!addr) {
+ dev_err(priv->dev, "Failed to remap memory region\n");
+- return PTR_ERR(addr);
++ return -ENOMEM;
+ }
+
+ count = memory_read_from_buffer(val, bytes, &off, addr, available);
+--
+2.35.1
+
--- /dev/null
+From 4bc917c56469a332b55307191416bd053fe28214 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Nov 2022 10:32:09 +0800
+Subject: of: property: decrement node refcount in
+ of_fwnode_get_reference_args()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 60d865bd5a9b15a3961eb1c08bd4155682a3c81e ]
+
+In of_fwnode_get_reference_args(), the refcount of of_args.np has
+been incremented in the case of successful return from
+of_parse_phandle_with_args() or of_parse_phandle_with_fixed_args().
+
+Decrement the refcount if of_args is not returned to the caller of
+of_fwnode_get_reference_args().
+
+Fixes: 3e3119d3088f ("device property: Introduce fwnode_property_get_reference_args")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Frank Rowand <frowand.list@gmail.com>
+Link: https://lore.kernel.org/r/20221121023209.3909759-1-yangyingliang@huawei.com
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/property.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/of/property.c b/drivers/of/property.c
+index 967f79b59016..134cfc980b70 100644
+--- a/drivers/of/property.c
++++ b/drivers/of/property.c
+@@ -993,8 +993,10 @@ of_fwnode_get_reference_args(const struct fwnode_handle *fwnode,
+ nargs, index, &of_args);
+ if (ret < 0)
+ return ret;
+- if (!args)
++ if (!args) {
++ of_node_put(of_args.np);
+ return 0;
++ }
+
+ args->nargs = of_args.args_count;
+ args->fwnode = of_fwnode_handle(of_args.np);
+--
+2.35.1
+
--- /dev/null
+From 29dbb974f5e14a1dd4f870cfa3fa20d0c892f920 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Nov 2022 11:18:12 -0500
+Subject: packet: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit b85f628aa158a653c006e9c1405a117baef8c868 ]
+
+CHECKSUM_COMPLETE signals that skb->csum stores the sum over the
+entire packet. It does not imply that an embedded l4 checksum
+field has been validated.
+
+Fixes: 682f048bd494 ("af_packet: pass checksum validation status to the user")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20221128161812.640098-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 5cbe07116e04..5727cb7ec174 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2293,8 +2293,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
+ if (skb->ip_summed == CHECKSUM_PARTIAL)
+ status |= TP_STATUS_CSUMNOTREADY;
+ else if (skb->pkt_type != PACKET_OUTGOING &&
+- (skb->ip_summed == CHECKSUM_COMPLETE ||
+- skb_csum_unnecessary(skb)))
++ skb_csum_unnecessary(skb))
+ status |= TP_STATUS_CSUM_VALID;
+
+ if (snaplen > res)
+@@ -3520,8 +3519,7 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ if (skb->ip_summed == CHECKSUM_PARTIAL)
+ aux.tp_status |= TP_STATUS_CSUMNOTREADY;
+ else if (skb->pkt_type != PACKET_OUTGOING &&
+- (skb->ip_summed == CHECKSUM_COMPLETE ||
+- skb_csum_unnecessary(skb)))
++ skb_csum_unnecessary(skb))
+ aux.tp_status |= TP_STATUS_CSUM_VALID;
+
+ aux.tp_len = origlen;
+--
+2.35.1
+
--- /dev/null
+From bc8f916fe37c35ea7a74e2f1e1dcbe1e04d5de58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 18:06:42 +0800
+Subject: qlcnic: fix sleep-in-atomic-context bugs caused by msleep
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 8dbd6e4ce1b9c527921643d9e34f188a10d4e893 ]
+
+The watchdog timer is used to monitor whether the process
+of transmitting data is timeout. If we use qlcnic driver,
+the dev_watchdog() that is the timer handler of watchdog
+timer will call qlcnic_tx_timeout() to process the timeout.
+But the qlcnic_tx_timeout() calls msleep(), as a result,
+the sleep-in-atomic-context bugs will happen. The processes
+are shown below:
+
+ (atomic context)
+dev_watchdog
+ qlcnic_tx_timeout
+ qlcnic_83xx_idc_request_reset
+ qlcnic_83xx_lock_driver
+ msleep
+
+---------------------------
+
+ (atomic context)
+dev_watchdog
+ qlcnic_tx_timeout
+ qlcnic_83xx_idc_request_reset
+ qlcnic_83xx_lock_driver
+ qlcnic_83xx_recover_driver_lock
+ msleep
+
+Fix by changing msleep() to mdelay(), the mdelay() is
+busy-waiting and the bugs could be mitigated.
+
+Fixes: 629263acaea3 ("qlcnic: 83xx CNA inter driver communication mechanism")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+index bd0607680329..2fd5c6fdb500 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+@@ -2991,7 +2991,7 @@ static void qlcnic_83xx_recover_driver_lock(struct qlcnic_adapter *adapter)
+ QLCWRX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK, val);
+ dev_info(&adapter->pdev->dev,
+ "%s: lock recovery initiated\n", __func__);
+- msleep(QLC_83XX_DRV_LOCK_RECOVERY_DELAY);
++ mdelay(QLC_83XX_DRV_LOCK_RECOVERY_DELAY);
+ val = QLCRDX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK);
+ id = ((val >> 2) & 0xF);
+ if (id == adapter->portnum) {
+@@ -3027,7 +3027,7 @@ int qlcnic_83xx_lock_driver(struct qlcnic_adapter *adapter)
+ if (status)
+ break;
+
+- msleep(QLC_83XX_DRV_LOCK_WAIT_DELAY);
++ mdelay(QLC_83XX_DRV_LOCK_WAIT_DELAY);
+ i++;
+
+ if (i == 1)
+--
+2.35.1
+
--- /dev/null
+From f25154acf7a4c19f32e15f959fe675ee46525310 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Sep 2022 13:22:11 +0530
+Subject: scripts/faddr2line: Fix regression in name resolution on ppc64le
+
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+
+[ Upstream commit 2d77de1581bb5b470486edaf17a7d70151131afd ]
+
+Commit 1d1a0e7c5100 ("scripts/faddr2line: Fix overlapping text section
+failures") can cause faddr2line to fail on ppc64le on some
+distributions, while it works fine on other distributions. The failure
+can be attributed to differences in the readelf output.
+
+ $ ./scripts/faddr2line vmlinux find_busiest_group+0x00
+ no match for find_busiest_group+0x00
+
+On ppc64le, readelf adds the localentry tag before the symbol name on
+some distributions, and adds the localentry tag after the symbol name on
+other distributions. This problem has been discussed previously:
+
+ https://lore.kernel.org/bpf/20191211160133.GB4580@calabresa/
+
+This problem can be overcome by filtering out the localentry tags in the
+readelf output. Similar fixes are already present in the kernel by way
+of the following commits:
+
+ 1fd6cee127e2 ("libbpf: Fix VERSIONED_SYM_COUNT number parsing")
+ aa915931ac3e ("libbpf: Fix readelf output parsing for Fedora")
+
+[jpoimboe: rework commit log]
+
+Fixes: 1d1a0e7c5100 ("scripts/faddr2line: Fix overlapping text section failures")
+Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Reviewed-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Link: https://lore.kernel.org/r/20220927075211.897152-1-srikar@linux.vnet.ibm.com
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/faddr2line | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/faddr2line b/scripts/faddr2line
+index 5514c23f45c2..0e73aca4f908 100755
+--- a/scripts/faddr2line
++++ b/scripts/faddr2line
+@@ -74,7 +74,8 @@ command -v ${ADDR2LINE} >/dev/null 2>&1 || die "${ADDR2LINE} isn't installed"
+ find_dir_prefix() {
+ local objfile=$1
+
+- local start_kernel_addr=$(${READELF} --symbols --wide $objfile | ${AWK} '$8 == "start_kernel" {printf "0x%s", $2}')
++ local start_kernel_addr=$(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' |
++ ${AWK} '$8 == "start_kernel" {printf "0x%s", $2}')
+ [[ -z $start_kernel_addr ]] && return
+
+ local file_line=$(${ADDR2LINE} -e $objfile $start_kernel_addr)
+@@ -178,7 +179,7 @@ __faddr2line() {
+ found=2
+ break
+ fi
+- done < <(${READELF} --symbols --wide $objfile | ${AWK} -v sec=$sym_sec '$7 == sec' | sort --key=2)
++ done < <(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' | ${AWK} -v sec=$sym_sec '$7 == sec' | sort --key=2)
+
+ if [[ $found = 0 ]]; then
+ warn "can't find symbol: sym_name: $sym_name sym_sec: $sym_sec sym_addr: $sym_addr sym_elf_size: $sym_elf_size"
+@@ -259,7 +260,7 @@ __faddr2line() {
+
+ DONE=1
+
+- done < <(${READELF} --symbols --wide $objfile | ${AWK} -v fn=$sym_name '$4 == "FUNC" && $8 == fn')
++ done < <(${READELF} --symbols --wide $objfile | sed 's/\[.*\]//' | ${AWK} -v fn=$sym_name '$4 == "FUNC" && $8 == fn')
+ }
+
+ [[ $# -lt 2 ]] && usage
+--
+2.35.1
+
--- /dev/null
+From a25cc4e69b61f0c708101b2409f17e1d58d6a30c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Nov 2022 11:17:20 +0800
+Subject: sctp: fix memory leak in sctp_stream_outq_migrate()
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 9ed7bfc79542119ac0a9e1ce8a2a5285e43433e9 ]
+
+When sctp_stream_outq_migrate() is called to release stream out resources,
+the memory pointed to by prio_head in stream out is not released.
+
+The memory leak information is as follows:
+ unreferenced object 0xffff88801fe79f80 (size 64):
+ comm "sctp_repo", pid 7957, jiffies 4294951704 (age 36.480s)
+ hex dump (first 32 bytes):
+ 80 9f e7 1f 80 88 ff ff 80 9f e7 1f 80 88 ff ff ................
+ 90 9f e7 1f 80 88 ff ff 90 9f e7 1f 80 88 ff ff ................
+ backtrace:
+ [<ffffffff81b215c6>] kmalloc_trace+0x26/0x60
+ [<ffffffff88ae517c>] sctp_sched_prio_set+0x4cc/0x770
+ [<ffffffff88ad64f2>] sctp_stream_init_ext+0xd2/0x1b0
+ [<ffffffff88aa2604>] sctp_sendmsg_to_asoc+0x1614/0x1a30
+ [<ffffffff88ab7ff1>] sctp_sendmsg+0xda1/0x1ef0
+ [<ffffffff87f765ed>] inet_sendmsg+0x9d/0xe0
+ [<ffffffff8754b5b3>] sock_sendmsg+0xd3/0x120
+ [<ffffffff8755446a>] __sys_sendto+0x23a/0x340
+ [<ffffffff87554651>] __x64_sys_sendto+0xe1/0x1b0
+ [<ffffffff89978b49>] do_syscall_64+0x39/0xb0
+ [<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Link: https://syzkaller.appspot.com/bug?exrid=29c402e56c4760763cc0
+Fixes: 637784ade221 ("sctp: introduce priority based stream scheduler")
+Reported-by: syzbot+29c402e56c4760763cc0@syzkaller.appspotmail.com
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Link: https://lore.kernel.org/r/20221126031720.378562-1-shaozhengchao@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sctp/stream_sched.h | 2 ++
+ net/sctp/stream.c | 25 ++++++++++++++++++-------
+ net/sctp/stream_sched.c | 5 +++++
+ net/sctp/stream_sched_prio.c | 19 +++++++++++++++++++
+ net/sctp/stream_sched_rr.c | 5 +++++
+ 5 files changed, 49 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/sctp/stream_sched.h b/include/net/sctp/stream_sched.h
+index 01a70b27e026..65058faea4db 100644
+--- a/include/net/sctp/stream_sched.h
++++ b/include/net/sctp/stream_sched.h
+@@ -26,6 +26,8 @@ struct sctp_sched_ops {
+ int (*init)(struct sctp_stream *stream);
+ /* Init a stream */
+ int (*init_sid)(struct sctp_stream *stream, __u16 sid, gfp_t gfp);
++ /* free a stream */
++ void (*free_sid)(struct sctp_stream *stream, __u16 sid);
+ /* Frees the entire thing */
+ void (*free)(struct sctp_stream *stream);
+
+diff --git a/net/sctp/stream.c b/net/sctp/stream.c
+index ef9fceadef8d..ee6514af830f 100644
+--- a/net/sctp/stream.c
++++ b/net/sctp/stream.c
+@@ -52,6 +52,19 @@ static void sctp_stream_shrink_out(struct sctp_stream *stream, __u16 outcnt)
+ }
+ }
+
++static void sctp_stream_free_ext(struct sctp_stream *stream, __u16 sid)
++{
++ struct sctp_sched_ops *sched;
++
++ if (!SCTP_SO(stream, sid)->ext)
++ return;
++
++ sched = sctp_sched_ops_from_stream(stream);
++ sched->free_sid(stream, sid);
++ kfree(SCTP_SO(stream, sid)->ext);
++ SCTP_SO(stream, sid)->ext = NULL;
++}
++
+ /* Migrates chunks from stream queues to new stream queues if needed,
+ * but not across associations. Also, removes those chunks to streams
+ * higher than the new max.
+@@ -70,16 +83,14 @@ static void sctp_stream_outq_migrate(struct sctp_stream *stream,
+ * sctp_stream_update will swap ->out pointers.
+ */
+ for (i = 0; i < outcnt; i++) {
+- kfree(SCTP_SO(new, i)->ext);
++ sctp_stream_free_ext(new, i);
+ SCTP_SO(new, i)->ext = SCTP_SO(stream, i)->ext;
+ SCTP_SO(stream, i)->ext = NULL;
+ }
+ }
+
+- for (i = outcnt; i < stream->outcnt; i++) {
+- kfree(SCTP_SO(stream, i)->ext);
+- SCTP_SO(stream, i)->ext = NULL;
+- }
++ for (i = outcnt; i < stream->outcnt; i++)
++ sctp_stream_free_ext(stream, i);
+ }
+
+ static int sctp_stream_alloc_out(struct sctp_stream *stream, __u16 outcnt,
+@@ -174,9 +185,9 @@ void sctp_stream_free(struct sctp_stream *stream)
+ struct sctp_sched_ops *sched = sctp_sched_ops_from_stream(stream);
+ int i;
+
+- sched->free(stream);
++ sched->unsched_all(stream);
+ for (i = 0; i < stream->outcnt; i++)
+- kfree(SCTP_SO(stream, i)->ext);
++ sctp_stream_free_ext(stream, i);
+ genradix_free(&stream->out);
+ genradix_free(&stream->in);
+ }
+diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c
+index 1ad565ed5627..7c8f9d89e16a 100644
+--- a/net/sctp/stream_sched.c
++++ b/net/sctp/stream_sched.c
+@@ -46,6 +46,10 @@ static int sctp_sched_fcfs_init_sid(struct sctp_stream *stream, __u16 sid,
+ return 0;
+ }
+
++static void sctp_sched_fcfs_free_sid(struct sctp_stream *stream, __u16 sid)
++{
++}
++
+ static void sctp_sched_fcfs_free(struct sctp_stream *stream)
+ {
+ }
+@@ -96,6 +100,7 @@ static struct sctp_sched_ops sctp_sched_fcfs = {
+ .get = sctp_sched_fcfs_get,
+ .init = sctp_sched_fcfs_init,
+ .init_sid = sctp_sched_fcfs_init_sid,
++ .free_sid = sctp_sched_fcfs_free_sid,
+ .free = sctp_sched_fcfs_free,
+ .enqueue = sctp_sched_fcfs_enqueue,
+ .dequeue = sctp_sched_fcfs_dequeue,
+diff --git a/net/sctp/stream_sched_prio.c b/net/sctp/stream_sched_prio.c
+index 80b5a2c4cbc7..4fc9f2923ed1 100644
+--- a/net/sctp/stream_sched_prio.c
++++ b/net/sctp/stream_sched_prio.c
+@@ -204,6 +204,24 @@ static int sctp_sched_prio_init_sid(struct sctp_stream *stream, __u16 sid,
+ return sctp_sched_prio_set(stream, sid, 0, gfp);
+ }
+
++static void sctp_sched_prio_free_sid(struct sctp_stream *stream, __u16 sid)
++{
++ struct sctp_stream_priorities *prio = SCTP_SO(stream, sid)->ext->prio_head;
++ int i;
++
++ if (!prio)
++ return;
++
++ SCTP_SO(stream, sid)->ext->prio_head = NULL;
++ for (i = 0; i < stream->outcnt; i++) {
++ if (SCTP_SO(stream, i)->ext &&
++ SCTP_SO(stream, i)->ext->prio_head == prio)
++ return;
++ }
++
++ kfree(prio);
++}
++
+ static void sctp_sched_prio_free(struct sctp_stream *stream)
+ {
+ struct sctp_stream_priorities *prio, *n;
+@@ -323,6 +341,7 @@ static struct sctp_sched_ops sctp_sched_prio = {
+ .get = sctp_sched_prio_get,
+ .init = sctp_sched_prio_init,
+ .init_sid = sctp_sched_prio_init_sid,
++ .free_sid = sctp_sched_prio_free_sid,
+ .free = sctp_sched_prio_free,
+ .enqueue = sctp_sched_prio_enqueue,
+ .dequeue = sctp_sched_prio_dequeue,
+diff --git a/net/sctp/stream_sched_rr.c b/net/sctp/stream_sched_rr.c
+index ff425aed62c7..cc444fe0d67c 100644
+--- a/net/sctp/stream_sched_rr.c
++++ b/net/sctp/stream_sched_rr.c
+@@ -90,6 +90,10 @@ static int sctp_sched_rr_init_sid(struct sctp_stream *stream, __u16 sid,
+ return 0;
+ }
+
++static void sctp_sched_rr_free_sid(struct sctp_stream *stream, __u16 sid)
++{
++}
++
+ static void sctp_sched_rr_free(struct sctp_stream *stream)
+ {
+ sctp_sched_rr_unsched_all(stream);
+@@ -177,6 +181,7 @@ static struct sctp_sched_ops sctp_sched_rr = {
+ .get = sctp_sched_rr_get,
+ .init = sctp_sched_rr_init,
+ .init_sid = sctp_sched_rr_init_sid,
++ .free_sid = sctp_sched_rr_free_sid,
+ .free = sctp_sched_rr_free,
+ .enqueue = sctp_sched_rr_enqueue,
+ .dequeue = sctp_sched_rr_dequeue,
+--
+2.35.1
+
--- /dev/null
+btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch
+drm-amdgpu-move-setting-the-job-resources.patch
+drm-amdgpu-cleanup-error-handling-in-amdgpu_cs_parse.patch
+drm-amdgpu-fix-userptr-hmm-range-handling-v2.patch
+kbuild-fix-wimplicit-function-declaration-in-license.patch
+drm-amd-pm-add-smu_v13_0_10-driver-if-version.patch
+drm-amd-pm-update-driver-if-header-for-smu_v13_0_10.patch
+drm-amd-pm-update-driver-if-header-for-smu_13_0_7.patch
+clk-samsung-exynos7885-correct-div4-clock-parents.patch
+clk-qcom-gdsc-add-missing-error-handling.patch
+clk-qcom-gdsc-remove-direct-runtime-pm-calls.patch
+iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch
+iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch
+iio-light-rpr0521-add-missing-kconfig-dependencies.patch
+libbpf-use-correct-return-pointer-in-attach_raw_tp.patch
+bpf-perf-use-subprog-name-when-reporting-subprog-ksy.patch
+scripts-faddr2line-fix-regression-in-name-resolution.patch
+arm-at91-rm9200-fix-usb-device-clock-id.patch
+libbpf-handle-size-overflow-for-ringbuf-mmap.patch
+hwmon-ltc2947-fix-temperature-scaling.patch
+hwmon-ina3221-fix-shunt-sum-critical-calculation.patch
+hwmon-i5500_temp-fix-missing-pci_disable_device.patch
+hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch
+clocksource-drivers-arm_arch_timer-fix-xgene-1-tval-.patch
+bpf-do-not-copy-spin-lock-field-from-user-in-bpf_sel.patch
+nvmem-rmem-fix-return-value-check-in-rmem_read.patch
+of-property-decrement-node-refcount-in-of_fwnode_get.patch
+clk-qcom-gcc-sc8280xp-add-cxo-as-parent-for-three-uf.patch
+ixgbevf-fix-resource-leak-in-ixgbevf_init_module.patch
+i40e-fix-error-handling-in-i40e_init_module.patch
+fm10k-fix-error-handling-in-fm10k_init_module.patch
+iavf-fix-error-handling-in-iavf_init_module.patch
+e100-fix-possible-use-after-free-in-e100_xmit_prepar.patch
+net-mlx5-dr-fix-uninitialized-var-warning.patch
+net-mlx5-e-switch-destroy-legacy-fdb-table-when-need.patch
+net-mlx5-e-switch-fix-duplicate-lag-creation.patch
+net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch
+net-mlx5e-fix-use-after-free-when-reverting-terminat.patch
+can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch
+can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch
+can-etas_es58x-es58x_init_netdev-free-netdev-when-re.patch
+can-m_can-pci-add-missing-m_can_class_free_dev-in-pr.patch
+can-m_can-add-check-for-devm_clk_get.patch
+vfs-fix-copy_file_range-averts-filesystem-freeze-pro.patch
+qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch
+aquantia-do-not-purge-addresses-when-setting-the-num.patch
+wifi-cfg80211-fix-buffer-overflow-in-elem-comparison.patch
+wifi-cfg80211-don-t-allow-multi-bssid-in-s1g.patch
+wifi-mac8021-fix-possible-oob-access-in-ieee80211_ge.patch
+net-phy-fix-null-ptr-deref-while-probe-failed.patch
+net-ethernet-ti-am65-cpsw-fix-error-handling-in-am65.patch
+net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch
+net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch
+net-ethernet-nixge-fix-null-dereference.patch
+net-wwan-iosm-fix-kernel-test-robot-reported-error.patch
+net-wwan-iosm-fix-dma_alloc_coherent-incompatible-po.patch
+net-wwan-iosm-fix-crash-in-peek-throughput-test.patch
+net-wwan-iosm-fix-incorrect-skb-length.patch
+dsa-lan9303-correct-stat-name.patch
+mptcp-don-t-orphan-ssk-in-mptcp_close.patch
+mptcp-fix-sleep-in-atomic-at-close-time.patch
+tipc-re-fetch-skb-cb-after-tipc_msg_validate.patch
+net-hsr-fix-potential-use-after-free.patch
+net-mdiobus-fix-unbalanced-node-reference-count.patch
+afs-fix-fileserver-probe-rtt-handling.patch
+net-tun-fix-use-after-free-in-tun_detach.patch
+net-mlx5-lag-fix-for-loop-when-checking-lag.patch
+packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch
+sctp-fix-memory-leak-in-sctp_stream_outq_migrate.patch
+net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch
+afs-fix-server-active-leak-in-afs_put_server.patch
+hwmon-coretemp-check-for-null-before-removing-sysfs-.patch
+hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch
+hwmon-asus-ec-sensors-add-checks-for-devm_kcalloc.patch
--- /dev/null
+From 78c870220945c1dc48f4f48d220cb7e1071b85d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 12:46:43 -0500
+Subject: tipc: re-fetch skb cb after tipc_msg_validate
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 3067bc61fcfe3081bf4807ce65560f499e895e77 ]
+
+As the call trace shows, the original skb was freed in tipc_msg_validate(),
+and dereferencing the old skb cb would cause an use-after-free crash.
+
+ BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
+ Call Trace:
+ <IRQ>
+ tipc_crypto_rcv_complete+0x1835/0x2240 [tipc]
+ tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
+ tipc_rcv+0x744/0x1150 [tipc]
+ ...
+ Allocated by task 47078:
+ kmem_cache_alloc_node+0x158/0x4d0
+ __alloc_skb+0x1c1/0x270
+ tipc_buf_acquire+0x1e/0xe0 [tipc]
+ tipc_msg_create+0x33/0x1c0 [tipc]
+ tipc_link_build_proto_msg+0x38a/0x2100 [tipc]
+ tipc_link_timeout+0x8b8/0xef0 [tipc]
+ tipc_node_timeout+0x2a1/0x960 [tipc]
+ call_timer_fn+0x2d/0x1c0
+ ...
+ Freed by task 47078:
+ tipc_msg_validate+0x7b/0x440 [tipc]
+ tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc]
+ tipc_crypto_rcv+0xd32/0x1ec0 [tipc]
+ tipc_rcv+0x744/0x1150 [tipc]
+
+This patch fixes it by re-fetching the skb cb from the new allocated skb
+after calling tipc_msg_validate().
+
+Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
+Reported-by: Shuang Li <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://lore.kernel.org/r/1b1cdba762915325bd8ef9a98d0276eb673df2a5.1669398403.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/crypto.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
+index f09316a9035f..d67440de011e 100644
+--- a/net/tipc/crypto.c
++++ b/net/tipc/crypto.c
+@@ -1971,6 +1971,9 @@ static void tipc_crypto_rcv_complete(struct net *net, struct tipc_aead *aead,
+ /* Ok, everything's fine, try to synch own keys according to peers' */
+ tipc_crypto_key_synch(rx, *skb);
+
++ /* Re-fetch skb cb as skb might be changed in tipc_msg_validate */
++ skb_cb = TIPC_SKB_CB(*skb);
++
+ /* Mark skb decrypted */
+ skb_cb->decrypted = 1;
+
+--
+2.35.1
+
--- /dev/null
+From 8aa4ecdc3287ff2602086ea137ba46d0fae50960 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 22:52:49 +0200
+Subject: vfs: fix copy_file_range() averts filesystem freeze protection
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+[ Upstream commit 10bc8e4af65946b727728d7479c028742321b60a ]
+
+Commit 868f9f2f8e00 ("vfs: fix copy_file_range() regression in cross-fs
+copies") removed fallback to generic_copy_file_range() for cross-fs
+cases inside vfs_copy_file_range().
+
+To preserve behavior of nfsd and ksmbd server-side-copy, the fallback to
+generic_copy_file_range() was added in nfsd and ksmbd code, but that
+call is missing sb_start_write(), fsnotify hooks and more.
+
+Ideally, nfsd and ksmbd would pass a flag to vfs_copy_file_range() that
+will take care of the fallback, but that code would be subtle and we got
+vfs_copy_file_range() logic wrong too many times already.
+
+Instead, add a flag to explicitly request vfs_copy_file_range() to
+perform only generic_copy_file_range() and let nfsd and ksmbd use this
+flag only in the fallback path.
+
+This choise keeps the logic changes to minimum in the non-nfsd/ksmbd code
+paths to reduce the risk of further regressions.
+
+Fixes: 868f9f2f8e00 ("vfs: fix copy_file_range() regression in cross-fs copies")
+Tested-by: Namjae Jeon <linkinjeon@kernel.org>
+Tested-by: Luis Henriques <lhenriques@suse.de>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ksmbd/vfs.c | 6 +++---
+ fs/nfsd/vfs.c | 4 ++--
+ fs/read_write.c | 19 +++++++++++++++----
+ include/linux/fs.h | 8 ++++++++
+ 4 files changed, 28 insertions(+), 9 deletions(-)
+
+diff --git a/fs/ksmbd/vfs.c b/fs/ksmbd/vfs.c
+index 78d01033604c..c5c801e38b63 100644
+--- a/fs/ksmbd/vfs.c
++++ b/fs/ksmbd/vfs.c
+@@ -1784,9 +1784,9 @@ int ksmbd_vfs_copy_file_ranges(struct ksmbd_work *work,
+ ret = vfs_copy_file_range(src_fp->filp, src_off,
+ dst_fp->filp, dst_off, len, 0);
+ if (ret == -EOPNOTSUPP || ret == -EXDEV)
+- ret = generic_copy_file_range(src_fp->filp, src_off,
+- dst_fp->filp, dst_off,
+- len, 0);
++ ret = vfs_copy_file_range(src_fp->filp, src_off,
++ dst_fp->filp, dst_off, len,
++ COPY_FILE_SPLICE);
+ if (ret < 0)
+ return ret;
+
+diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
+index f3cd614e1f1e..dc24d67d0ca4 100644
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -572,8 +572,8 @@ ssize_t nfsd_copy_file_range(struct file *src, u64 src_pos, struct file *dst,
+ ret = vfs_copy_file_range(src, src_pos, dst, dst_pos, count, 0);
+
+ if (ret == -EOPNOTSUPP || ret == -EXDEV)
+- ret = generic_copy_file_range(src, src_pos, dst, dst_pos,
+- count, 0);
++ ret = vfs_copy_file_range(src, src_pos, dst, dst_pos, count,
++ COPY_FILE_SPLICE);
+ return ret;
+ }
+
+diff --git a/fs/read_write.c b/fs/read_write.c
+index 328ce8cf9a85..24b9668d6377 100644
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -1388,6 +1388,8 @@ ssize_t generic_copy_file_range(struct file *file_in, loff_t pos_in,
+ struct file *file_out, loff_t pos_out,
+ size_t len, unsigned int flags)
+ {
++ lockdep_assert(sb_write_started(file_inode(file_out)->i_sb));
++
+ return do_splice_direct(file_in, &pos_in, file_out, &pos_out,
+ len > MAX_RW_COUNT ? MAX_RW_COUNT : len, 0);
+ }
+@@ -1424,7 +1426,9 @@ static int generic_copy_file_checks(struct file *file_in, loff_t pos_in,
+ * and several different sets of file_operations, but they all end up
+ * using the same ->copy_file_range() function pointer.
+ */
+- if (file_out->f_op->copy_file_range) {
++ if (flags & COPY_FILE_SPLICE) {
++ /* cross sb splice is allowed */
++ } else if (file_out->f_op->copy_file_range) {
+ if (file_in->f_op->copy_file_range !=
+ file_out->f_op->copy_file_range)
+ return -EXDEV;
+@@ -1474,8 +1478,9 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in,
+ size_t len, unsigned int flags)
+ {
+ ssize_t ret;
++ bool splice = flags & COPY_FILE_SPLICE;
+
+- if (flags != 0)
++ if (flags & ~COPY_FILE_SPLICE)
+ return -EINVAL;
+
+ ret = generic_copy_file_checks(file_in, pos_in, file_out, pos_out, &len,
+@@ -1501,14 +1506,14 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in,
+ * same sb using clone, but for filesystems where both clone and copy
+ * are supported (e.g. nfs,cifs), we only call the copy method.
+ */
+- if (file_out->f_op->copy_file_range) {
++ if (!splice && file_out->f_op->copy_file_range) {
+ ret = file_out->f_op->copy_file_range(file_in, pos_in,
+ file_out, pos_out,
+ len, flags);
+ goto done;
+ }
+
+- if (file_in->f_op->remap_file_range &&
++ if (!splice && file_in->f_op->remap_file_range &&
+ file_inode(file_in)->i_sb == file_inode(file_out)->i_sb) {
+ ret = file_in->f_op->remap_file_range(file_in, pos_in,
+ file_out, pos_out,
+@@ -1528,6 +1533,8 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in,
+ * consistent story about which filesystems support copy_file_range()
+ * and which filesystems do not, that will allow userspace tools to
+ * make consistent desicions w.r.t using copy_file_range().
++ *
++ * We also get here if caller (e.g. nfsd) requested COPY_FILE_SPLICE.
+ */
+ ret = generic_copy_file_range(file_in, pos_in, file_out, pos_out, len,
+ flags);
+@@ -1582,6 +1589,10 @@ SYSCALL_DEFINE6(copy_file_range, int, fd_in, loff_t __user *, off_in,
+ pos_out = f_out.file->f_pos;
+ }
+
++ ret = -EINVAL;
++ if (flags != 0)
++ goto out;
++
+ ret = vfs_copy_file_range(f_in.file, pos_in, f_out.file, pos_out, len,
+ flags);
+ if (ret > 0) {
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 7203f5582fd4..be074b6895b9 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -2087,6 +2087,14 @@ struct dir_context {
+ */
+ #define REMAP_FILE_ADVISORY (REMAP_FILE_CAN_SHORTEN)
+
++/*
++ * These flags control the behavior of vfs_copy_file_range().
++ * They are not available to the user via syscall.
++ *
++ * COPY_FILE_SPLICE: call splice direct instead of fs clone/copy ops
++ */
++#define COPY_FILE_SPLICE (1 << 0)
++
+ struct iov_iter;
+ struct io_uring_cmd;
+
+--
+2.35.1
+
--- /dev/null
+From 5c77b52ffb5807534ac9b6410ce7d57d1c5fc3dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 12:36:58 +0100
+Subject: wifi: cfg80211: don't allow multi-BSSID in S1G
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit acd3c92acc7aaec50a94d0a7faf7ccd74e952493 ]
+
+In S1G beacon frames there shouldn't be multi-BSSID elements
+since that's not supported, remove that to avoid a potential
+integer underflow and/or misparsing the frames due to the
+different length of the fixed part of the frame.
+
+While at it, initialize non_tx_data so we don't send garbage
+values to the user (even if it doesn't seem to matter now.)
+
+Reported-and-tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
+Fixes: 9eaffe5078ca ("cfg80211: convert S1G beacon to scan results")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 56db0f12ca7c..b4d788572992 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -2527,10 +2527,15 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy,
+ const struct cfg80211_bss_ies *ies1, *ies2;
+ size_t ielen = len - offsetof(struct ieee80211_mgmt,
+ u.probe_resp.variable);
+- struct cfg80211_non_tx_bss non_tx_data;
++ struct cfg80211_non_tx_bss non_tx_data = {};
+
+ res = cfg80211_inform_single_bss_frame_data(wiphy, data, mgmt,
+ len, gfp);
++
++ /* don't do any further MBSSID handling for S1G */
++ if (ieee80211_is_s1g_beacon(mgmt->frame_control))
++ return res;
++
+ if (!res || !wiphy->support_mbssid ||
+ !cfg80211_find_elem(WLAN_EID_MULTIPLE_BSSID, ie, ielen))
+ return res;
+--
+2.35.1
+
--- /dev/null
+From 89bba7876286ba61d4611e484631a1cd5931ae47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 12:36:57 +0100
+Subject: wifi: cfg80211: fix buffer overflow in elem comparison
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 9f16b5c82a025cd4c864737409234ddc44fb166a ]
+
+For vendor elements, the code here assumes that 5 octets
+are present without checking. Since the element itself is
+already checked to fit, we only need to check the length.
+
+Reported-and-tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
+Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 9067e4b70855..56db0f12ca7c 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -330,7 +330,8 @@ static size_t cfg80211_gen_new_ie(const u8 *ie, size_t ielen,
+ * determine if they are the same ie.
+ */
+ if (tmp_old[0] == WLAN_EID_VENDOR_SPECIFIC) {
+- if (!memcmp(tmp_old + 2, tmp + 2, 5)) {
++ if (tmp_old[1] >= 5 && tmp[1] >= 5 &&
++ !memcmp(tmp_old + 2, tmp + 2, 5)) {
+ /* same vendor ie, copy from
+ * subelement
+ */
+--
+2.35.1
+
--- /dev/null
+From 689dc269038367aed63c440ec4efba573139faa4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Nov 2022 16:19:26 +0100
+Subject: wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 3e8f7abcc3473bc9603323803aeaed4ffcc3a2ab ]
+
+Fix possible out-of-bound access in ieee80211_get_rate_duration routine
+as reported by the following UBSAN report:
+
+UBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47
+index 15 is out of range for type 'u16 [12]'
+CPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic
+Hardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017
+Workqueue: mt76 mt76u_tx_status_data [mt76_usb]
+Call Trace:
+ <TASK>
+ show_stack+0x4e/0x61
+ dump_stack_lvl+0x4a/0x6f
+ dump_stack+0x10/0x18
+ ubsan_epilogue+0x9/0x43
+ __ubsan_handle_out_of_bounds.cold+0x42/0x47
+ieee80211_get_rate_duration.constprop.0+0x22f/0x2a0 [mac80211]
+ ? ieee80211_tx_status_ext+0x32e/0x640 [mac80211]
+ ieee80211_calc_rx_airtime+0xda/0x120 [mac80211]
+ ieee80211_calc_tx_airtime+0xb4/0x100 [mac80211]
+ mt76x02_send_tx_status+0x266/0x480 [mt76x02_lib]
+ mt76x02_tx_status_data+0x52/0x80 [mt76x02_lib]
+ mt76u_tx_status_data+0x67/0xd0 [mt76_usb]
+ process_one_work+0x225/0x400
+ worker_thread+0x50/0x3e0
+ ? process_one_work+0x400/0x400
+ kthread+0xe9/0x110
+ ? kthread_complete_and_exit+0x20/0x20
+ ret_from_fork+0x22/0x30
+
+Fixes: db3e1c40cf2f ("mac80211: Import airtime calculation code from mt76")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/airtime.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/airtime.c b/net/mac80211/airtime.c
+index 2e66598fac79..e8ebd343e2bf 100644
+--- a/net/mac80211/airtime.c
++++ b/net/mac80211/airtime.c
+@@ -452,6 +452,9 @@ static u32 ieee80211_get_rate_duration(struct ieee80211_hw *hw,
+ (status->encoding == RX_ENC_HE && streams > 8)))
+ return 0;
+
++ if (idx >= MCS_GROUP_RATES)
++ return 0;
++
+ duration = airtime_mcs_groups[group].duration[idx];
+ duration <<= airtime_mcs_groups[group].shift;
+ *overhead = 36 + (streams << 2);
+--
+2.35.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
