Fixes for 6.1
authorSasha Levin <sashal@kernel.org>
Thu, 14 Sep 2023 01:14:21 +0000 (21:14 -0400)
committerSasha Levin <sashal@kernel.org>
Thu, 14 Sep 2023 01:14:21 +0000 (21:14 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
83 files changed:
queue-6.1/af_unix-fix-data-race-around-sk-sk_err.patch [new file with mode: 0644]
queue-6.1/af_unix-fix-data-race-around-unix_tot_inflight.patch [new file with mode: 0644]
queue-6.1/af_unix-fix-data-races-around-sk-sk_shutdown.patch [new file with mode: 0644]
queue-6.1/af_unix-fix-data-races-around-user-unix_inflight.patch [new file with mode: 0644]
queue-6.1/backlight-gpio_backlight-drop-output-gpio-direction-.patch [new file with mode: 0644]
queue-6.1/blk-throttle-consider-carryover_ios-bytes-in-throtl_.patch [new file with mode: 0644]
queue-6.1/blk-throttle-use-calculate_io-bytes_allowed-for-thro.patch [new file with mode: 0644]
queue-6.1/bpf-assign-bpf_tramp_run_ctx-saved_run_ctx-before-re.patch [new file with mode: 0644]
queue-6.1/bpf-invoke-__bpf_prog_exit_sleepable_recur-on-recurs.patch [new file with mode: 0644]
queue-6.1/bpf-remove-prog-active-check-for-bpf_lsm-and-bpf_ite.patch [new file with mode: 0644]
queue-6.1/bpf-sockmap-fix-skb-refcnt-race-after-locking-change.patch [new file with mode: 0644]
queue-6.1/ceph-make-members-in-struct-ceph_mds_request_args_ex.patch [new file with mode: 0644]
queue-6.1/cifs-use-fs_context-for-automounts.patch [new file with mode: 0644]
queue-6.1/drm-i915-gvt-drop-unused-helper-intel_vgpu_reset_gtt.patch [new file with mode: 0644]
queue-6.1/drm-i915-gvt-put-the-page-reference-obtained-by-kvm-.patch [new file with mode: 0644]
queue-6.1/drm-i915-gvt-verify-pfn-is-valid-before-dereferencin.patch [new file with mode: 0644]
queue-6.1/drm-i915-mark-requests-for-guc-virtual-engines-to-av.patch [new file with mode: 0644]
queue-6.1/gfs2-low-memory-forced-flush-fixes.patch [new file with mode: 0644]
queue-6.1/gfs2-switch-to-wait_event-in-gfs2_logd.patch [new file with mode: 0644]
queue-6.1/gve-fix-frag_list-chaining.patch [new file with mode: 0644]
queue-6.1/idr-fix-param-name-in-idr_alloc_cyclic-doc.patch [new file with mode: 0644]
queue-6.1/igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch [new file with mode: 0644]
queue-6.1/igb-disable-virtualization-features-on-82580.patch [new file with mode: 0644]
queue-6.1/igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch [new file with mode: 0644]
queue-6.1/igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch [new file with mode: 0644]
queue-6.1/input-iqs7222-configure-power-mode-before-triggering.patch [new file with mode: 0644]
queue-6.1/input-tca6416-keypad-always-expect-proper-irq-number.patch [new file with mode: 0644]
queue-6.1/input-tca6416-keypad-fix-interrupt-enable-disbalance.patch [new file with mode: 0644]
queue-6.1/ip_tunnels-use-dev_stats_inc.patch [new file with mode: 0644]
queue-6.1/ipv4-annotate-data-races-around-fi-fib_dead.patch [new file with mode: 0644]
queue-6.1/ipv4-ignore-dst-hint-for-multipath-routes.patch [new file with mode: 0644]
queue-6.1/ipv6-ignore-dst-hint-for-multipath-routes.patch [new file with mode: 0644]
queue-6.1/kbuild-do-not-run-depmod-for-make-modules_sign.patch [new file with mode: 0644]
queue-6.1/kbuild-rpm-pkg-define-_arch-conditionally.patch [new file with mode: 0644]
queue-6.1/kcm-destroy-mutex-in-kcm_exit_net.patch [new file with mode: 0644]
queue-6.1/kconfig-fix-possible-buffer-overflow.patch [new file with mode: 0644]
queue-6.1/kvm-svm-correct-the-size-of-spec_ctrl-field-in-vmcb-.patch [new file with mode: 0644]
queue-6.1/kvm-svm-name-and-check-reserved-fields-with-structs-.patch [new file with mode: 0644]
queue-6.1/mailbox-qcom-ipcc-fix-incorrect-num_chans-counting.patch [new file with mode: 0644]
queue-6.1/mptcp-annotate-data-races-around-msk-rmem_fwd_alloc.patch [new file with mode: 0644]
queue-6.1/net-annotate-data-races-around-sk-sk_forward_alloc.patch [new file with mode: 0644]
queue-6.1/net-dsa-sja1105-complete-tc-cbs-offload-support-on-s.patch [new file with mode: 0644]
queue-6.1/net-dsa-sja1105-fix-bandwidth-discrepancy-between-tc.patch [new file with mode: 0644]
queue-6.1/net-dsa-sja1105-fix-enospc-when-replacing-the-same-t.patch [new file with mode: 0644]
queue-6.1/net-fib-avoid-warn-splat-in-flow-dissector.patch [new file with mode: 0644]
queue-6.1/net-hns3-fix-byte-order-conversion-issue-in-hclge_db.patch [new file with mode: 0644]
queue-6.1/net-hns3-fix-debugfs-concurrency-issue-between-kfree.patch [new file with mode: 0644]
queue-6.1/net-hns3-fix-invalid-mutex-between-tc-qdisc-and-dcb-.patch [new file with mode: 0644]
queue-6.1/net-hns3-fix-the-port-information-display-when-sfp-i.patch [new file with mode: 0644]
queue-6.1/net-hns3-fix-tx-timeout-issue.patch [new file with mode: 0644]
queue-6.1/net-hns3-remove-gso-partial-feature-bit.patch [new file with mode: 0644]
queue-6.1/net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch [new file with mode: 0644]
queue-6.1/net-phy-micrel-correct-bit-assignments-for-phy_devic.patch [new file with mode: 0644]
queue-6.1/net-read-sk-sk_family-once-in-sk_mc_loop.patch [new file with mode: 0644]
queue-6.1/net-sched-fq_pie-avoid-stalls-in-fq_pie_timer.patch [new file with mode: 0644]
queue-6.1/net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch [new file with mode: 0644]
queue-6.1/net-use-sk_forward_alloc_get-in-sk_get_meminfo.patch [new file with mode: 0644]
queue-6.1/netfilter-nfnetlink_osf-avoid-oob-read.patch [new file with mode: 0644]
queue-6.1/netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch [new file with mode: 0644]
queue-6.1/octeontx2-af-fix-truncation-of-smq-in-cn10k-nix-aq-e.patch [new file with mode: 0644]
queue-6.1/perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch [new file with mode: 0644]
queue-6.1/perf-test-stat_bpf_counters_cgrp-enhance-perf-stat-c.patch [new file with mode: 0644]
queue-6.1/perf-test-stat_bpf_counters_cgrp-fix-shellcheck-issu.patch [new file with mode: 0644]
queue-6.1/perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch [new file with mode: 0644]
queue-6.1/perf-trace-really-free-the-evsel-priv-area.patch [new file with mode: 0644]
queue-6.1/perf-trace-use-zfree-to-reduce-chances-of-use-after-.patch [new file with mode: 0644]
queue-6.1/perf-vendor-events-drop-some-of-the-json-events-for-.patch [new file with mode: 0644]
queue-6.1/perf-vendor-events-drop-stores_per_inst-metric-event.patch [new file with mode: 0644]
queue-6.1/perf-vendor-events-update-the-json-events-descriptio.patch [new file with mode: 0644]
queue-6.1/pwm-atmel-tcb-convert-to-platform-remove-callback-re.patch [new file with mode: 0644]
queue-6.1/pwm-atmel-tcb-fix-resource-freeing-in-error-path-and.patch [new file with mode: 0644]
queue-6.1/pwm-atmel-tcb-harmonize-resource-allocation-order.patch [new file with mode: 0644]
queue-6.1/pwm-lpc32xx-remove-handling-of-pwm-channels.patch [new file with mode: 0644]
queue-6.1/s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch [new file with mode: 0644]
queue-6.1/sctp-annotate-data-races-around-sk-sk_wmem_queued.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch [new file with mode: 0644]
queue-6.1/smb-propagate-error-code-of-extract_sharename.patch [new file with mode: 0644]
queue-6.1/tpm_crb-fix-an-error-handling-path-in-crb_acpi_add.patch [new file with mode: 0644]
queue-6.1/veth-fixing-transmit-return-status-for-dropped-packe.patch [new file with mode: 0644]
queue-6.1/watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch [new file with mode: 0644]
queue-6.1/x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch [new file with mode: 0644]
queue-6.1/xsk-fix-xsk_diag-use-after-free-error-during-socket-.patch [new file with mode: 0644]

diff --git a/queue-6.1/af_unix-fix-data-race-around-sk-sk_err.patch b/queue-6.1/af_unix-fix-data-race-around-sk-sk_err.patch
new file mode 100644 (file)
index 0000000..0e2a240
--- /dev/null
@@ -0,0 +1,42 @@
+From f24ddc497122c4b128865daea2ace259f8d9c7b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 17:27:08 -0700
+Subject: af_unix: Fix data race around sk->sk_err.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit b192812905e4b134f7b7994b079eb647e9d2d37e ]
+
+As with sk->sk_shutdown shown in the previous patch, sk->sk_err can be
+read locklessly by unix_dgram_sendmsg().
+
+Let's use READ_ONCE() for sk_err as well.
+
+Note that the writer side is marked by commit cc04410af7de ("af_unix:
+annotate lockless accesses to sk->sk_err").
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 71990525d37e2..e5858fa5d6d57 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2692,7 +2692,7 @@ static long sock_wait_for_wmem(struct sock *sk, long timeo)
+                       break;
+               if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN)
+                       break;
+-              if (sk->sk_err)
++              if (READ_ONCE(sk->sk_err))
+                       break;
+               timeo = schedule_timeout(timeo);
+       }
+-- 
+2.40.1
+
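Review bot: The new `READ_ONCE(sk->sk_err)` in sock_wait_for_wmem() has no comment naming the writer it pairs with, so a later reader cannot tell that the lockless access is deliberate. The same applies to the `READ_ONCE(sk->sk_shutdown)` reads in sock_wait_for_wmem() and sock_alloc_send_pskb(), and to `READ_ONCE(unix_tot_inflight)` in unix_release_sock(), which the next two patches on this page add. net/unix/scm.c already uses the form `/* Paired with READ_ONCE() in wait_for_unix_gc() */`; for unix_release_sock() the matching line would be `/* Paired with WRITE_ONCE() in unix_inflight() and unix_notinflight() */`. The annotation only prevents torn or refetched loads and adds no ordering or atomicity of its own, which is worth stating in the same comment. sock_wait_for_wmem() begins and ends outside the hunk.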
diff --git a/queue-6.1/af_unix-fix-data-race-around-unix_tot_inflight.patch b/queue-6.1/af_unix-fix-data-race-around-unix_tot_inflight.patch
new file mode 100644 (file)
index 0000000..1978698
--- /dev/null
@@ -0,0 +1,84 @@
+From b522bed9cc0d50c646594a1d8278c10d8427730c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 17:27:06 -0700
+Subject: af_unix: Fix data-race around unix_tot_inflight.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit ade32bd8a738d7497ffe9743c46728db26740f78 ]
+
+unix_tot_inflight is changed under spin_lock(unix_gc_lock), but
+unix_release_sock() reads it locklessly.
+
+Let's use READ_ONCE() for unix_tot_inflight.
+
+Note that the writer side was marked by commit 9d6d7f1cb67c ("af_unix:
+annote lockless accesses to unix_tot_inflight & gc_in_progress")
+
+BUG: KCSAN: data-race in unix_inflight / unix_release_sock
+
+write (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1:
+ unix_inflight+0x130/0x180 net/unix/scm.c:64
+ unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123
+ unix_scm_to_skb net/unix/af_unix.c:1832 [inline]
+ unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955
+ sock_sendmsg_nosec net/socket.c:724 [inline]
+ sock_sendmsg+0x148/0x160 net/socket.c:747
+ ____sys_sendmsg+0x4e4/0x610 net/socket.c:2493
+ ___sys_sendmsg+0xc6/0x140 net/socket.c:2547
+ __sys_sendmsg+0x94/0x140 net/socket.c:2576
+ __do_sys_sendmsg net/socket.c:2585 [inline]
+ __se_sys_sendmsg net/socket.c:2583 [inline]
+ __x64_sys_sendmsg+0x45/0x50 net/socket.c:2583
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+read to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0:
+ unix_release_sock+0x608/0x910 net/unix/af_unix.c:671
+ unix_release+0x59/0x80 net/unix/af_unix.c:1058
+ __sock_release+0x7d/0x170 net/socket.c:653
+ sock_close+0x19/0x30 net/socket.c:1385
+ __fput+0x179/0x5e0 fs/file_table.c:321
+ ____fput+0x15/0x20 fs/file_table.c:349
+ task_work_run+0x116/0x1a0 kernel/task_work.c:179
+ resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
+ exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
+ syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297
+ do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+value changed: 0x00000000 -> 0x00000001
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+
+Fixes: 9305cfa4443d ("[AF_UNIX]: Make unix_tot_inflight counter non-atomic")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index ca31847a6c70c..310952f4c68f7 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -667,7 +667,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
+        *        What the above comment does talk about? --ANK(980817)
+        */
+-      if (unix_tot_inflight)
++      if (READ_ONCE(unix_tot_inflight))
+               unix_gc();              /* Garbage collect fds */
+ }
+-- 
+2.40.1
+
diff --git a/queue-6.1/af_unix-fix-data-races-around-sk-sk_shutdown.patch b/queue-6.1/af_unix-fix-data-races-around-sk-sk_shutdown.patch
new file mode 100644 (file)
index 0000000..e5aed46
--- /dev/null
@@ -0,0 +1,96 @@
+From a3087abbfc6435f984c127f69a3a42ab423b84f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 17:27:07 -0700
+Subject: af_unix: Fix data-races around sk->sk_shutdown.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit afe8764f76346ba838d4f162883e23d2fcfaa90e ]
+
+sk->sk_shutdown is changed under unix_state_lock(sk), but
+unix_dgram_sendmsg() calls two functions to read sk_shutdown locklessly.
+
+  sock_alloc_send_pskb
+  `- sock_wait_for_wmem
+
+Let's use READ_ONCE() there.
+
+Note that the writer side was marked by commit e1d09c2c2f57 ("af_unix:
+Fix data races around sk->sk_shutdown.").
+
+BUG: KCSAN: data-race in sock_alloc_send_pskb / unix_release_sock
+
+write (marked) to 0xffff8880069af12c of 1 bytes by task 1 on cpu 1:
+ unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631
+ unix_release+0x59/0x80 net/unix/af_unix.c:1053
+ __sock_release+0x7d/0x170 net/socket.c:654
+ sock_close+0x19/0x30 net/socket.c:1386
+ __fput+0x2a3/0x680 fs/file_table.c:384
+ ____fput+0x15/0x20 fs/file_table.c:412
+ task_work_run+0x116/0x1a0 kernel/task_work.c:179
+ resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
+ exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
+ syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297
+ do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+read to 0xffff8880069af12c of 1 bytes by task 28650 on cpu 0:
+ sock_alloc_send_pskb+0xd2/0x620 net/core/sock.c:2767
+ unix_dgram_sendmsg+0x2f8/0x14f0 net/unix/af_unix.c:1944
+ unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]
+ unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292
+ sock_sendmsg_nosec net/socket.c:725 [inline]
+ sock_sendmsg+0x148/0x160 net/socket.c:748
+ ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494
+ ___sys_sendmsg+0xc6/0x140 net/socket.c:2548
+ __sys_sendmsg+0x94/0x140 net/socket.c:2577
+ __do_sys_sendmsg net/socket.c:2586 [inline]
+ __se_sys_sendmsg net/socket.c:2584 [inline]
+ __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+value changed: 0x00 -> 0x03
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 28650 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index aa628c6314f64..71990525d37e2 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2690,7 +2690,7 @@ static long sock_wait_for_wmem(struct sock *sk, long timeo)
+               prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+               if (refcount_read(&sk->sk_wmem_alloc) < READ_ONCE(sk->sk_sndbuf))
+                       break;
+-              if (sk->sk_shutdown & SEND_SHUTDOWN)
++              if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN)
+                       break;
+               if (sk->sk_err)
+                       break;
+@@ -2720,7 +2720,7 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+                       goto failure;
+               err = -EPIPE;
+-              if (sk->sk_shutdown & SEND_SHUTDOWN)
++              if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN)
+                       goto failure;
+               if (sk_wmem_alloc_get(sk) < READ_ONCE(sk->sk_sndbuf))
+-- 
+2.40.1
+
diff --git a/queue-6.1/af_unix-fix-data-races-around-user-unix_inflight.patch b/queue-6.1/af_unix-fix-data-races-around-user-unix_inflight.patch
new file mode 100644 (file)
index 0000000..7ea2269
--- /dev/null
@@ -0,0 +1,105 @@
+From 01286a11ca3536e88fe2f497267516abbfc18f2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 17:27:05 -0700
+Subject: af_unix: Fix data-races around user->unix_inflight.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 0bc36c0650b21df36fbec8136add83936eaf0607 ]
+
+user->unix_inflight is changed under spin_lock(unix_gc_lock),
+but too_many_unix_fds() reads it locklessly.
+
+Let's annotate the write/read accesses to user->unix_inflight.
+
+BUG: KCSAN: data-race in unix_attach_fds / unix_inflight
+
+write to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1:
+ unix_inflight+0x157/0x180 net/unix/scm.c:66
+ unix_attach_fds+0x147/0x1e0 net/unix/scm.c:123
+ unix_scm_to_skb net/unix/af_unix.c:1827 [inline]
+ unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950
+ unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]
+ unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292
+ sock_sendmsg_nosec net/socket.c:725 [inline]
+ sock_sendmsg+0x148/0x160 net/socket.c:748
+ ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494
+ ___sys_sendmsg+0xc6/0x140 net/socket.c:2548
+ __sys_sendmsg+0x94/0x140 net/socket.c:2577
+ __do_sys_sendmsg net/socket.c:2586 [inline]
+ __se_sys_sendmsg net/socket.c:2584 [inline]
+ __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+read to 0xffffffff8546f2d0 of 8 bytes by task 44814 on cpu 0:
+ too_many_unix_fds net/unix/scm.c:101 [inline]
+ unix_attach_fds+0x54/0x1e0 net/unix/scm.c:110
+ unix_scm_to_skb net/unix/af_unix.c:1827 [inline]
+ unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950
+ unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]
+ unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292
+ sock_sendmsg_nosec net/socket.c:725 [inline]
+ sock_sendmsg+0x148/0x160 net/socket.c:748
+ ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494
+ ___sys_sendmsg+0xc6/0x140 net/socket.c:2548
+ __sys_sendmsg+0x94/0x140 net/socket.c:2577
+ __do_sys_sendmsg net/socket.c:2586 [inline]
+ __se_sys_sendmsg net/socket.c:2584 [inline]
+ __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+value changed: 0x000000000000000c -> 0x000000000000000d
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 44814 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+
+Fixes: 712f4aad406b ("unix: properly account for FDs passed over unix sockets")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Acked-by: Willy Tarreau <w@1wt.eu>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/scm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/unix/scm.c b/net/unix/scm.c
+index aa27a02478dc1..e8e2a00bb0f58 100644
+--- a/net/unix/scm.c
++++ b/net/unix/scm.c
+@@ -63,7 +63,7 @@ void unix_inflight(struct user_struct *user, struct file *fp)
+               /* Paired with READ_ONCE() in wait_for_unix_gc() */
+               WRITE_ONCE(unix_tot_inflight, unix_tot_inflight + 1);
+       }
+-      user->unix_inflight++;
++      WRITE_ONCE(user->unix_inflight, user->unix_inflight + 1);
+       spin_unlock(&unix_gc_lock);
+ }
+@@ -84,7 +84,7 @@ void unix_notinflight(struct user_struct *user, struct file *fp)
+               /* Paired with READ_ONCE() in wait_for_unix_gc() */
+               WRITE_ONCE(unix_tot_inflight, unix_tot_inflight - 1);
+       }
+-      user->unix_inflight--;
++      WRITE_ONCE(user->unix_inflight, user->unix_inflight - 1);
+       spin_unlock(&unix_gc_lock);
+ }
+@@ -98,7 +98,7 @@ static inline bool too_many_unix_fds(struct task_struct *p)
+ {
+       struct user_struct *user = current_user();
+-      if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
++      if (unlikely(READ_ONCE(user->unix_inflight) > task_rlimit(p, RLIMIT_NOFILE)))
+               return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
+       return false;
+ }
+-- 
+2.40.1
+
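Review bot: `too_many_unix_fds()` still reads the counter without `unix_gc_lock` and ahead of the increment in `unix_inflight()`, so the RLIMIT_NOFILE test remains a check-then-act sequence. Judging by the KCSAN trace, several senders can pass the check at scm.c:101 before any of them reaches the increment, so the limit can be overshot. READ_ONCE()/WRITE_ONCE() prevent torn or refetched accesses but do not make the limit exact. If that slack is accepted, say so at the read, e.g. `/* Lockless, best-effort limit; paired with WRITE_ONCE() in unix_inflight()/unix_notinflight() */`. Also, the user comes from `current_user()` while the rlimit comes from `p`; the two agree only if callers pass the current task, which this hunk does not show.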
diff --git a/queue-6.1/backlight-gpio_backlight-drop-output-gpio-direction-.patch b/queue-6.1/backlight-gpio_backlight-drop-output-gpio-direction-.patch
new file mode 100644 (file)
index 0000000..3518db8
--- /dev/null
@@ -0,0 +1,42 @@
+From defbf63593ad07648b8f20d8c55cc82b97427a48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jul 2023 09:29:03 +0000
+Subject: backlight: gpio_backlight: Drop output GPIO direction check for
+ initial power state
+
+From: Ying Liu <victor.liu@nxp.com>
+
+[ Upstream commit fe1328b5b2a087221e31da77e617f4c2b70f3b7f ]
+
+So, let's drop output GPIO direction check and only check GPIO value to set
+the initial power state.
+
+Fixes: 706dc68102bc ("backlight: gpio: Explicitly set the direction of the GPIO")
+Signed-off-by: Liu Ying <victor.liu@nxp.com>
+Reviewed-by: Andy Shevchenko <andy@kernel.org>
+Acked-by: Linus Walleij <linus.walleij@linaro.org>
+Acked-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Link: https://lore.kernel.org/r/20230721093342.1532531-1-victor.liu@nxp.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/gpio_backlight.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/video/backlight/gpio_backlight.c b/drivers/video/backlight/gpio_backlight.c
+index 5c5c99f7979e3..30ec5b6845335 100644
+--- a/drivers/video/backlight/gpio_backlight.c
++++ b/drivers/video/backlight/gpio_backlight.c
+@@ -87,8 +87,7 @@ static int gpio_backlight_probe(struct platform_device *pdev)
+               /* Not booted with device tree or no phandle link to the node */
+               bl->props.power = def_value ? FB_BLANK_UNBLANK
+                                           : FB_BLANK_POWERDOWN;
+-      else if (gpiod_get_direction(gbl->gpiod) == 0 &&
+-               gpiod_get_value_cansleep(gbl->gpiod) == 0)
++      else if (gpiod_get_value_cansleep(gbl->gpiod) == 0)
+               bl->props.power = FB_BLANK_POWERDOWN;
+       else
+               bl->props.power = FB_BLANK_UNBLANK;
+-- 
+2.40.1
+
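Review bot: `gpiod_get_value_cansleep()` can return a negative errno, and with the direction test removed the `== 0` comparison alone decides the initial state, so a failed read falls through to `FB_BLANK_UNBLANK`. If powering the backlight on is not the intended default after a read error, handle it explicitly, e.g. `else if (gpiod_get_value_cansleep(gbl->gpiod) <= 0)`, or log the error before choosing a state. gpio_backlight_probe() starts and ends outside the hunk.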
diff --git a/queue-6.1/blk-throttle-consider-carryover_ios-bytes-in-throtl_.patch b/queue-6.1/blk-throttle-consider-carryover_ios-bytes-in-throtl_.patch
new file mode 100644 (file)
index 0000000..c8f1821
--- /dev/null
@@ -0,0 +1,95 @@
+From b70ad61469004a72e48df14394fe63c889c76f43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Aug 2023 09:27:08 +0800
+Subject: blk-throttle: consider 'carryover_ios/bytes' in throtl_trim_slice()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit eead0056648cef49d7b15c07ae612fa217083165 ]
+
+Currently, 'carryover_ios/bytes' is not handled in throtl_trim_slice(),
+for consequence, 'carryover_ios/bytes' will be used to throttle bio
+multiple times, for example:
+
+1) set iops limit to 100, and slice start is 0, slice end is 100ms;
+2) current time is 0, and 10 ios are dispatched, those io won't be
+   throttled and io_disp is 10;
+3) still at current time 0, update iops limit to 1000, carryover_ios is
+   updated to (0 - 10) = -10;
+4) in this slice(0 - 100ms), io_allowed = 100 + (-10) = 90, which means
+   only 90 ios can be dispatched without waiting;
+5) assume that io is throttled in slice(0 - 100ms), and
+   throtl_trim_slice() update silce to (100ms - 200ms). In this case,
+   'carryover_ios/bytes' is not cleared and still only 90 ios can be
+   dispatched between 100ms - 200ms.
+
+Fix this problem by updating 'carryover_ios/bytes' in
+throtl_trim_slice().
+
+Fixes: a880ae93e5b5 ("blk-throttle: fix io hung due to configuration updates")
+Reported-by: zhuxiaohui <zhuxiaohui.400@bytedance.com>
+Link: https://lore.kernel.org/all/20230812072116.42321-1-zhuxiaohui.400@bytedance.com/
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Link: https://lore.kernel.org/r/20230816012708.1193747-5-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-throttle.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/block/blk-throttle.c b/block/blk-throttle.c
+index 931795da4d65d..1007f80278579 100644
+--- a/block/blk-throttle.c
++++ b/block/blk-throttle.c
+@@ -729,8 +729,9 @@ static u64 calculate_bytes_allowed(u64 bps_limit, unsigned long jiffy_elapsed)
+ /* Trim the used slices and adjust slice start accordingly */
+ static inline void throtl_trim_slice(struct throtl_grp *tg, bool rw)
+ {
+-      unsigned long time_elapsed, io_trim;
+-      u64 bytes_trim;
++      unsigned long time_elapsed;
++      long long bytes_trim;
++      int io_trim;
+       BUG_ON(time_before(tg->slice_end[rw], tg->slice_start[rw]));
+@@ -758,17 +759,21 @@ static inline void throtl_trim_slice(struct throtl_grp *tg, bool rw)
+               return;
+       bytes_trim = calculate_bytes_allowed(tg_bps_limit(tg, rw),
+-                                           time_elapsed);
+-      io_trim = calculate_io_allowed(tg_iops_limit(tg, rw), time_elapsed);
+-      if (!bytes_trim && !io_trim)
++                                           time_elapsed) +
++                   tg->carryover_bytes[rw];
++      io_trim = calculate_io_allowed(tg_iops_limit(tg, rw), time_elapsed) +
++                tg->carryover_ios[rw];
++      if (bytes_trim <= 0 && io_trim <= 0)
+               return;
+-      if (tg->bytes_disp[rw] >= bytes_trim)
++      tg->carryover_bytes[rw] = 0;
++      if ((long long)tg->bytes_disp[rw] >= bytes_trim)
+               tg->bytes_disp[rw] -= bytes_trim;
+       else
+               tg->bytes_disp[rw] = 0;
+-      if (tg->io_disp[rw] >= io_trim)
++      tg->carryover_ios[rw] = 0;
++      if ((int)tg->io_disp[rw] >= io_trim)
+               tg->io_disp[rw] -= io_trim;
+       else
+               tg->io_disp[rw] = 0;
+@@ -776,7 +781,7 @@ static inline void throtl_trim_slice(struct throtl_grp *tg, bool rw)
+       tg->slice_start[rw] += time_elapsed;
+       throtl_log(&tg->service_queue,
+-                 "[%c] trim slice nr=%lu bytes=%llu io=%lu start=%lu end=%lu jiffies=%lu",
++                 "[%c] trim slice nr=%lu bytes=%lld io=%d start=%lu end=%lu jiffies=%lu",
+                  rw == READ ? 'R' : 'W', time_elapsed / tg->td->throtl_slice,
+                  bytes_trim, io_trim, tg->slice_start[rw], tg->slice_end[rw],
+                  jiffies);
+-- 
+2.40.1
+
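Review bot: Narrowing `io_trim` to `int` and `bytes_trim` to `long long` lets a large unsigned result turn negative: `calculate_io_allowed()` saturates at `UINT_MAX`, so for a large enough iops limit the sum stored in `io_trim` can wrap below zero and `tg->io_disp[rw] -= io_trim` then raises the dispatched count instead of trimming it; a `calculate_bytes_allowed()` result above `LLONG_MAX` does the same to `bytes_disp`. Clamp the helper result before mixing in the signed carryover, e.g. `io_trim = min_t(u64, calculate_io_allowed(tg_iops_limit(tg, rw), time_elapsed), INT_MAX) + tg->carryover_ios[rw];`, and cap the byte value at `LLONG_MAX` in the same way. The `(int)tg->io_disp[rw]` and `(long long)tg->bytes_disp[rw]` casts presumably have the same wrap if those counters are unsigned; their declarations are not in the hunk. throtl_trim_slice() continues outside the hunks shown.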
diff --git a/queue-6.1/blk-throttle-use-calculate_io-bytes_allowed-for-thro.patch b/queue-6.1/blk-throttle-use-calculate_io-bytes_allowed-for-thro.patch
new file mode 100644 (file)
index 0000000..22b44f1
--- /dev/null
@@ -0,0 +1,144 @@
+From 82db798047fc17d422ce6348e87c3f2a46b4cf89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Aug 2023 09:27:07 +0800
+Subject: blk-throttle: use calculate_io/bytes_allowed() for
+ throtl_trim_slice()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit e8368b57c006dc0e02dcd8a9dc9f2060ff5476fe ]
+
+There are no functional changes, just make the code cleaner.
+
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Link: https://lore.kernel.org/r/20230816012708.1193747-4-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: eead0056648c ("blk-throttle: consider 'carryover_ios/bytes' in throtl_trim_slice()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-throttle.c | 86 +++++++++++++++++++++-----------------------
+ 1 file changed, 41 insertions(+), 45 deletions(-)
+
+diff --git a/block/blk-throttle.c b/block/blk-throttle.c
+index f1bc600c4ded6..931795da4d65d 100644
+--- a/block/blk-throttle.c
++++ b/block/blk-throttle.c
+@@ -697,11 +697,40 @@ static bool throtl_slice_used(struct throtl_grp *tg, bool rw)
+       return true;
+ }
++static unsigned int calculate_io_allowed(u32 iops_limit,
++                                       unsigned long jiffy_elapsed)
++{
++      unsigned int io_allowed;
++      u64 tmp;
++
++      /*
++       * jiffy_elapsed should not be a big value as minimum iops can be
++       * 1 then at max jiffy elapsed should be equivalent of 1 second as we
++       * will allow dispatch after 1 second and after that slice should
++       * have been trimmed.
++       */
++
++      tmp = (u64)iops_limit * jiffy_elapsed;
++      do_div(tmp, HZ);
++
++      if (tmp > UINT_MAX)
++              io_allowed = UINT_MAX;
++      else
++              io_allowed = tmp;
++
++      return io_allowed;
++}
++
++static u64 calculate_bytes_allowed(u64 bps_limit, unsigned long jiffy_elapsed)
++{
++      return mul_u64_u64_div_u64(bps_limit, (u64)jiffy_elapsed, (u64)HZ);
++}
++
+ /* Trim the used slices and adjust slice start accordingly */
+ static inline void throtl_trim_slice(struct throtl_grp *tg, bool rw)
+ {
+-      unsigned long nr_slices, time_elapsed, io_trim;
+-      u64 bytes_trim, tmp;
++      unsigned long time_elapsed, io_trim;
++      u64 bytes_trim;
+       BUG_ON(time_before(tg->slice_end[rw], tg->slice_start[rw]));
+@@ -723,19 +752,14 @@ static inline void throtl_trim_slice(struct throtl_grp *tg, bool rw)
+       throtl_set_slice_end(tg, rw, jiffies + tg->td->throtl_slice);
+-      time_elapsed = jiffies - tg->slice_start[rw];
+-
+-      nr_slices = time_elapsed / tg->td->throtl_slice;
+-
+-      if (!nr_slices)
++      time_elapsed = rounddown(jiffies - tg->slice_start[rw],
++                               tg->td->throtl_slice);
++      if (!time_elapsed)
+               return;
+-      tmp = tg_bps_limit(tg, rw) * tg->td->throtl_slice * nr_slices;
+-      do_div(tmp, HZ);
+-      bytes_trim = tmp;
+-
+-      io_trim = (tg_iops_limit(tg, rw) * tg->td->throtl_slice * nr_slices) /
+-              HZ;
++      bytes_trim = calculate_bytes_allowed(tg_bps_limit(tg, rw),
++                                           time_elapsed);
++      io_trim = calculate_io_allowed(tg_iops_limit(tg, rw), time_elapsed);
+       if (!bytes_trim && !io_trim)
+               return;
+@@ -749,41 +773,13 @@ static inline void throtl_trim_slice(struct throtl_grp *tg, bool rw)
+       else
+               tg->io_disp[rw] = 0;
+-      tg->slice_start[rw] += nr_slices * tg->td->throtl_slice;
++      tg->slice_start[rw] += time_elapsed;
+       throtl_log(&tg->service_queue,
+                  "[%c] trim slice nr=%lu bytes=%llu io=%lu start=%lu end=%lu jiffies=%lu",
+-                 rw == READ ? 'R' : 'W', nr_slices, bytes_trim, io_trim,
+-                 tg->slice_start[rw], tg->slice_end[rw], jiffies);
+-}
+-
+-static unsigned int calculate_io_allowed(u32 iops_limit,
+-                                       unsigned long jiffy_elapsed)
+-{
+-      unsigned int io_allowed;
+-      u64 tmp;
+-
+-      /*
+-       * jiffy_elapsed should not be a big value as minimum iops can be
+-       * 1 then at max jiffy elapsed should be equivalent of 1 second as we
+-       * will allow dispatch after 1 second and after that slice should
+-       * have been trimmed.
+-       */
+-
+-      tmp = (u64)iops_limit * jiffy_elapsed;
+-      do_div(tmp, HZ);
+-
+-      if (tmp > UINT_MAX)
+-              io_allowed = UINT_MAX;
+-      else
+-              io_allowed = tmp;
+-
+-      return io_allowed;
+-}
+-
+-static u64 calculate_bytes_allowed(u64 bps_limit, unsigned long jiffy_elapsed)
+-{
+-      return mul_u64_u64_div_u64(bps_limit, (u64)jiffy_elapsed, (u64)HZ);
++                 rw == READ ? 'R' : 'W', time_elapsed / tg->td->throtl_slice,
++                 bytes_trim, io_trim, tg->slice_start[rw], tg->slice_end[rw],
++                 jiffies);
+ }
+ static void __tg_update_carryover(struct throtl_grp *tg, bool rw)
+-- 
+2.40.1
+
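Review bot: The description says there are no functional changes, but the trim arithmetic is not identical: the removed code multiplied `tg_bps_limit(tg, rw) * tg->td->throtl_slice * nr_slices` and the iops product directly, whereas the helpers widen to u64, go through `mul_u64_u64_div_u64()` and saturate the io count at `UINT_MAX`. Results therefore differ whenever the old products would have wrapped, which looks like an improvement but should be stated in the message. A comment at the new assignment such as `/* time_elapsed is a whole number of throtl_slice periods */` would also keep the meaning that `nr_slices` used to carry. throtl_trim_slice() is split across several hunks here and its middle is not shown.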
diff --git a/queue-6.1/bpf-assign-bpf_tramp_run_ctx-saved_run_ctx-before-re.patch b/queue-6.1/bpf-assign-bpf_tramp_run_ctx-saved_run_ctx-before-re.patch
new file mode 100644 (file)
index 0000000..62073d7
--- /dev/null
@@ -0,0 +1,71 @@
+From 5970c06d55993e427c7bb7196dd6878befcc7dd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 10:04:05 +0200
+Subject: bpf: Assign bpf_tramp_run_ctx::saved_run_ctx before recursion check.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 6764e767f4af1e35f87f3497e1182d945de37f93 ]
+
+__bpf_prog_enter_recur() assigns bpf_tramp_run_ctx::saved_run_ctx before
+performing the recursion check which means in case of a recursion
+__bpf_prog_exit_recur() uses the previously set bpf_tramp_run_ctx::saved_run_ctx
+value.
+
+__bpf_prog_enter_sleepable_recur() assigns bpf_tramp_run_ctx::saved_run_ctx
+after the recursion check which means in case of a recursion
+__bpf_prog_exit_sleepable_recur() uses an uninitialized value. This does not
+look right. If I read the entry trampoline code right, then bpf_tramp_run_ctx
+isn't initialized upfront.
+
+Align __bpf_prog_enter_sleepable_recur() with __bpf_prog_enter_recur() and
+set bpf_tramp_run_ctx::saved_run_ctx before the recursion check is made.
+Remove the assignment of saved_run_ctx in kern_sys_bpf() since it happens
+a few cycles later.
+
+Fixes: e384c7b7b46d0 ("bpf, x86: Create bpf_tramp_run_ctx on the caller thread's stack")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Link: https://lore.kernel.org/bpf/20230830080405.251926-3-bigeasy@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/syscall.c    | 1 -
+ kernel/bpf/trampoline.c | 5 ++---
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 76484137233a3..0c8b7733573ee 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -5135,7 +5135,6 @@ int kern_sys_bpf(int cmd, union bpf_attr *attr, unsigned int size)
+               }
+               run_ctx.bpf_cookie = 0;
+-              run_ctx.saved_run_ctx = NULL;
+               if (!__bpf_prog_enter_sleepable_recur(prog, &run_ctx)) {
+                       /* recursion detected */
+                       __bpf_prog_exit_sleepable_recur(prog, 0, &run_ctx);
+diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
+index 88841e352dcdf..c4381dfcd6b09 100644
+--- a/kernel/bpf/trampoline.c
++++ b/kernel/bpf/trampoline.c
+@@ -955,13 +955,12 @@ u64 notrace __bpf_prog_enter_sleepable_recur(struct bpf_prog *prog,
+       migrate_disable();
+       might_fault();
++      run_ctx->saved_run_ctx = bpf_set_run_ctx(&run_ctx->run_ctx);
++
+       if (unlikely(this_cpu_inc_return(*(prog->active)) != 1)) {
+               bpf_prog_inc_misses_counter(prog);
+               return 0;
+       }
+-
+-      run_ctx->saved_run_ctx = bpf_set_run_ctx(&run_ctx->run_ctx);
+-
+       return bpf_prog_start_time();
+ }
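Review bot: The new position of `run_ctx->saved_run_ctx = bpf_set_run_ctx(&run_ctx->run_ctx);` ahead of the `prog->active` check is load-bearing, but nothing in the code says so. The recursion branch returns 0 and callers still run the exit helper, which passes `saved_run_ctx` to `bpf_reset_run_ctx()`, and the syscall.c hunk of this patch drops the only other initialisation (`run_ctx.saved_run_ctx = NULL`). I would add a comment above the assignment, e.g. `/* Must precede the recursion check: the exit helper restores saved_run_ctx even when we return 0. */`, so a later cleanup does not move it back and reintroduce a read of an uninitialised pointer. The function starts outside this hunk.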
+-- 
+2.40.1
+
diff --git a/queue-6.1/bpf-invoke-__bpf_prog_exit_sleepable_recur-on-recurs.patch b/queue-6.1/bpf-invoke-__bpf_prog_exit_sleepable_recur-on-recurs.patch
new file mode 100644 (file)
index 0000000..52f7aab
--- /dev/null
@@ -0,0 +1,46 @@
+From e32b6e912c3fb2970b01ed9867406eb001bcc6f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 10:04:04 +0200
+Subject: bpf: Invoke __bpf_prog_exit_sleepable_recur() on recursion in
+ kern_sys_bpf().
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 7645629f7dc88cd777f98970134bf1a54c8d77e3 ]
+
+If __bpf_prog_enter_sleepable_recur() detects recursion then it returns
+0 without undoing rcu_read_lock_trace(), migrate_disable() or
+decrementing the recursion counter. This is fine in the JIT case because
+the JIT code will jump in the 0 case to the end and invoke the matching
+exit trampoline (__bpf_prog_exit_sleepable_recur()).
+
+This is not the case in kern_sys_bpf() which returns directly to the
+caller with an error code.
+
+Add __bpf_prog_exit_sleepable_recur() as clean up in the recursion case.
+
+Fixes: b1d18a7574d0d ("bpf: Extend sys_bpf commands for bpf_syscall programs.")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Link: https://lore.kernel.org/bpf/20230830080405.251926-2-bigeasy@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/syscall.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 7afec961c5728..76484137233a3 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -5138,6 +5138,7 @@ int kern_sys_bpf(int cmd, union bpf_attr *attr, unsigned int size)
+               run_ctx.saved_run_ctx = NULL;
+               if (!__bpf_prog_enter_sleepable_recur(prog, &run_ctx)) {
+                       /* recursion detected */
++                      __bpf_prog_exit_sleepable_recur(prog, 0, &run_ctx);
+                       bpf_prog_put(prog);
+                       return -EBUSY;
+               }
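Review bot: The added `__bpf_prog_exit_sleepable_recur(prog, 0, &run_ctx)` runs with `run_ctx.saved_run_ctx` still `NULL` from the first context line, because at this point in the series the enter helper returns on recursion before it calls `bpf_set_run_ctx()`. The exit helper hands that value to `bpf_reset_run_ctx()`, so the run context of the program that is already active is presumably replaced with `NULL` instead of being left alone. The companion patch in this queue (bpf-assign-bpf_tramp_run_ctx-saved_run_ctx-before-re.patch) reorders the assignment, so the two should stay adjacent in the series and never be picked separately. The bare `0` would also read better as `0 /* prog did not run */`, matching the commented `0` at the other call site. kern_sys_bpf() starts and ends outside this hunk.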
+-- 
+2.40.1
+
diff --git a/queue-6.1/bpf-remove-prog-active-check-for-bpf_lsm-and-bpf_ite.patch b/queue-6.1/bpf-remove-prog-active-check-for-bpf_lsm-and-bpf_ite.patch
new file mode 100644 (file)
index 0000000..fa6d924
--- /dev/null
@@ -0,0 +1,346 @@
+From a6967ac0bab9de1ae3a67581bbaac47e4b81bae4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Oct 2022 11:45:16 -0700
+Subject: bpf: Remove prog->active check for bpf_lsm and bpf_iter
+
+From: Martin KaFai Lau <martin.lau@kernel.org>
+
+[ Upstream commit 271de525e1d7f564e88a9d212c50998b49a54476 ]
+
+The commit 64696c40d03c ("bpf: Add __bpf_prog_{enter,exit}_struct_ops for struct_ops trampoline")
+removed prog->active check for struct_ops prog.  The bpf_lsm
+and bpf_iter is also using trampoline.  Like struct_ops, the bpf_lsm
+and bpf_iter have fixed hooks for the prog to attach.  The
+kernel does not call the same hook in a recursive way.
+This patch also removes the prog->active check for
+bpf_lsm and bpf_iter.
+
+A later patch has a test to reproduce the recursion issue
+for a sleepable bpf_lsm program.
+
+This patch appends the '_recur' naming to the existing
+enter and exit functions that track the prog->active counter.
+New __bpf_prog_{enter,exit}[_sleepable] function are
+added to skip the prog->active tracking. The '_struct_ops'
+version is also removed.
+
+It also moves the decision on picking the enter and exit function to
+the new bpf_trampoline_{enter,exit}().  It returns the '_recur' ones
+for all tracing progs to use.  For bpf_lsm, bpf_iter,
+struct_ops (no prog->active tracking after 64696c40d03c), and
+bpf_lsm_cgroup (no prog->active tracking after 69fd337a975c7),
+it will return the functions that don't track the prog->active.
+
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://lore.kernel.org/r/20221025184524.3526117-2-martin.lau@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: 7645629f7dc8 ("bpf: Invoke __bpf_prog_exit_sleepable_recur() on recursion in kern_sys_bpf().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/net/bpf_jit_comp.c |  9 +---
+ arch/x86/net/bpf_jit_comp.c   | 19 +--------
+ include/linux/bpf.h           | 24 +++++------
+ include/linux/bpf_verifier.h  | 13 ++++++
+ kernel/bpf/syscall.c          |  5 ++-
+ kernel/bpf/trampoline.c       | 80 +++++++++++++++++++++++++++++------
+ 6 files changed, 97 insertions(+), 53 deletions(-)
+
+diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
+index 14134fd34ff79..0ce5f13eabb1b 100644
+--- a/arch/arm64/net/bpf_jit_comp.c
++++ b/arch/arm64/net/bpf_jit_comp.c
+@@ -1655,13 +1655,8 @@ static void invoke_bpf_prog(struct jit_ctx *ctx, struct bpf_tramp_link *l,
+       struct bpf_prog *p = l->link.prog;
+       int cookie_off = offsetof(struct bpf_tramp_run_ctx, bpf_cookie);
+-      if (p->aux->sleepable) {
+-              enter_prog = (u64)__bpf_prog_enter_sleepable;
+-              exit_prog = (u64)__bpf_prog_exit_sleepable;
+-      } else {
+-              enter_prog = (u64)__bpf_prog_enter;
+-              exit_prog = (u64)__bpf_prog_exit;
+-      }
++      enter_prog = (u64)bpf_trampoline_enter(p);
++      exit_prog = (u64)bpf_trampoline_exit(p);
+       if (l->cookie == 0) {
+               /* if cookie is zero, one instruction is enough to store it */
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index db6053a22e866..5e680e039d0e1 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -1813,10 +1813,6 @@ static int invoke_bpf_prog(const struct btf_func_model *m, u8 **pprog,
+                          struct bpf_tramp_link *l, int stack_size,
+                          int run_ctx_off, bool save_ret)
+ {
+-      void (*exit)(struct bpf_prog *prog, u64 start,
+-                   struct bpf_tramp_run_ctx *run_ctx) = __bpf_prog_exit;
+-      u64 (*enter)(struct bpf_prog *prog,
+-                   struct bpf_tramp_run_ctx *run_ctx) = __bpf_prog_enter;
+       u8 *prog = *pprog;
+       u8 *jmp_insn;
+       int ctx_cookie_off = offsetof(struct bpf_tramp_run_ctx, bpf_cookie);
+@@ -1835,23 +1831,12 @@ static int invoke_bpf_prog(const struct btf_func_model *m, u8 **pprog,
+        */
+       emit_stx(&prog, BPF_DW, BPF_REG_FP, BPF_REG_1, -run_ctx_off + ctx_cookie_off);
+-      if (p->aux->sleepable) {
+-              enter = __bpf_prog_enter_sleepable;
+-              exit = __bpf_prog_exit_sleepable;
+-      } else if (p->type == BPF_PROG_TYPE_STRUCT_OPS) {
+-              enter = __bpf_prog_enter_struct_ops;
+-              exit = __bpf_prog_exit_struct_ops;
+-      } else if (p->expected_attach_type == BPF_LSM_CGROUP) {
+-              enter = __bpf_prog_enter_lsm_cgroup;
+-              exit = __bpf_prog_exit_lsm_cgroup;
+-      }
+-
+       /* arg1: mov rdi, progs[i] */
+       emit_mov_imm64(&prog, BPF_REG_1, (long) p >> 32, (u32) (long) p);
+       /* arg2: lea rsi, [rbp - ctx_cookie_off] */
+       EMIT4(0x48, 0x8D, 0x75, -run_ctx_off);
+-      if (emit_call(&prog, enter, prog))
++      if (emit_call(&prog, bpf_trampoline_enter(p), prog))
+               return -EINVAL;
+       /* remember prog start time returned by __bpf_prog_enter */
+       emit_mov_reg(&prog, true, BPF_REG_6, BPF_REG_0);
+@@ -1896,7 +1881,7 @@ static int invoke_bpf_prog(const struct btf_func_model *m, u8 **pprog,
+       emit_mov_reg(&prog, true, BPF_REG_2, BPF_REG_6);
+       /* arg3: lea rdx, [rbp - run_ctx_off] */
+       EMIT4(0x48, 0x8D, 0x55, -run_ctx_off);
+-      if (emit_call(&prog, exit, prog))
++      if (emit_call(&prog, bpf_trampoline_exit(p), prog))
+               return -EINVAL;
+       *pprog = prog;
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index 8cef9ec3a89c2..b3d3aa8437dce 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -862,22 +862,18 @@ int arch_prepare_bpf_trampoline(struct bpf_tramp_image *tr, void *image, void *i
+                               const struct btf_func_model *m, u32 flags,
+                               struct bpf_tramp_links *tlinks,
+                               void *orig_call);
+-/* these two functions are called from generated trampoline */
+-u64 notrace __bpf_prog_enter(struct bpf_prog *prog, struct bpf_tramp_run_ctx *run_ctx);
+-void notrace __bpf_prog_exit(struct bpf_prog *prog, u64 start, struct bpf_tramp_run_ctx *run_ctx);
+-u64 notrace __bpf_prog_enter_sleepable(struct bpf_prog *prog, struct bpf_tramp_run_ctx *run_ctx);
+-void notrace __bpf_prog_exit_sleepable(struct bpf_prog *prog, u64 start,
+-                                     struct bpf_tramp_run_ctx *run_ctx);
+-u64 notrace __bpf_prog_enter_lsm_cgroup(struct bpf_prog *prog,
+-                                      struct bpf_tramp_run_ctx *run_ctx);
+-void notrace __bpf_prog_exit_lsm_cgroup(struct bpf_prog *prog, u64 start,
+-                                      struct bpf_tramp_run_ctx *run_ctx);
+-u64 notrace __bpf_prog_enter_struct_ops(struct bpf_prog *prog,
+-                                      struct bpf_tramp_run_ctx *run_ctx);
+-void notrace __bpf_prog_exit_struct_ops(struct bpf_prog *prog, u64 start,
+-                                      struct bpf_tramp_run_ctx *run_ctx);
++u64 notrace __bpf_prog_enter_sleepable_recur(struct bpf_prog *prog,
++                                           struct bpf_tramp_run_ctx *run_ctx);
++void notrace __bpf_prog_exit_sleepable_recur(struct bpf_prog *prog, u64 start,
++                                           struct bpf_tramp_run_ctx *run_ctx);
+ void notrace __bpf_tramp_enter(struct bpf_tramp_image *tr);
+ void notrace __bpf_tramp_exit(struct bpf_tramp_image *tr);
++typedef u64 (*bpf_trampoline_enter_t)(struct bpf_prog *prog,
++                                    struct bpf_tramp_run_ctx *run_ctx);
++typedef void (*bpf_trampoline_exit_t)(struct bpf_prog *prog, u64 start,
++                                    struct bpf_tramp_run_ctx *run_ctx);
++bpf_trampoline_enter_t bpf_trampoline_enter(const struct bpf_prog *prog);
++bpf_trampoline_exit_t bpf_trampoline_exit(const struct bpf_prog *prog);
+ struct bpf_ksym {
+       unsigned long            start;
+diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
+index 0eb8f035b3d9f..1a32baa78ce26 100644
+--- a/include/linux/bpf_verifier.h
++++ b/include/linux/bpf_verifier.h
+@@ -648,4 +648,17 @@ static inline enum bpf_prog_type resolve_prog_type(const struct bpf_prog *prog)
+               prog->aux->dst_prog->type : prog->type;
+ }
++static inline bool bpf_prog_check_recur(const struct bpf_prog *prog)
++{
++      switch (resolve_prog_type(prog)) {
++      case BPF_PROG_TYPE_TRACING:
++              return prog->expected_attach_type != BPF_TRACE_ITER;
++      case BPF_PROG_TYPE_STRUCT_OPS:
++      case BPF_PROG_TYPE_LSM:
++              return false;
++      default:
++              return true;
++      }
++}
++
+ #endif /* _LINUX_BPF_VERIFIER_H */
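Review bot: `bpf_prog_check_recur()` decides which program types lose the `prog->active` recursion guard, but it carries no comment saying why `BPF_PROG_TYPE_STRUCT_OPS`, `BPF_PROG_TYPE_LSM` and `BPF_TRACE_ITER` are exempt. The justification exists only in the commit message (fixed hooks that the kernel does not call recursively), and that is an assumption each newly exempted type has to satisfy. I would put it on the function, e.g. `/* Return true if prog->active must be tracked; exempt types attach to fixed hooks the kernel never re-enters. */`, and note there that `default: return true` is the safe fallback for program types added later.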
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 0c44a716f0a24..7afec961c5728 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -5136,13 +5136,14 @@ int kern_sys_bpf(int cmd, union bpf_attr *attr, unsigned int size)
+               run_ctx.bpf_cookie = 0;
+               run_ctx.saved_run_ctx = NULL;
+-              if (!__bpf_prog_enter_sleepable(prog, &run_ctx)) {
++              if (!__bpf_prog_enter_sleepable_recur(prog, &run_ctx)) {
+                       /* recursion detected */
+                       bpf_prog_put(prog);
+                       return -EBUSY;
+               }
+               attr->test.retval = bpf_prog_run(prog, (void *) (long) attr->test.ctx_in);
+-              __bpf_prog_exit_sleepable(prog, 0 /* bpf_prog_run does runtime stats */, &run_ctx);
++              __bpf_prog_exit_sleepable_recur(prog, 0 /* bpf_prog_run does runtime stats */,
++                                              &run_ctx);
+               bpf_prog_put(prog);
+               return 0;
+ #endif
+diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
+index 30af8f66e17b4..88841e352dcdf 100644
+--- a/kernel/bpf/trampoline.c
++++ b/kernel/bpf/trampoline.c
+@@ -874,7 +874,7 @@ static __always_inline u64 notrace bpf_prog_start_time(void)
+  * [2..MAX_U64] - execute bpf prog and record execution time.
+  *     This is start time.
+  */
+-u64 notrace __bpf_prog_enter(struct bpf_prog *prog, struct bpf_tramp_run_ctx *run_ctx)
++static u64 notrace __bpf_prog_enter_recur(struct bpf_prog *prog, struct bpf_tramp_run_ctx *run_ctx)
+       __acquires(RCU)
+ {
+       rcu_read_lock();
+@@ -911,7 +911,8 @@ static void notrace update_prog_stats(struct bpf_prog *prog,
+       }
+ }
+-void notrace __bpf_prog_exit(struct bpf_prog *prog, u64 start, struct bpf_tramp_run_ctx *run_ctx)
++static void notrace __bpf_prog_exit_recur(struct bpf_prog *prog, u64 start,
++                                        struct bpf_tramp_run_ctx *run_ctx)
+       __releases(RCU)
+ {
+       bpf_reset_run_ctx(run_ctx->saved_run_ctx);
+@@ -922,8 +923,8 @@ void notrace __bpf_prog_exit(struct bpf_prog *prog, u64 start, struct bpf_tramp_
+       rcu_read_unlock();
+ }
+-u64 notrace __bpf_prog_enter_lsm_cgroup(struct bpf_prog *prog,
+-                                      struct bpf_tramp_run_ctx *run_ctx)
++static u64 notrace __bpf_prog_enter_lsm_cgroup(struct bpf_prog *prog,
++                                             struct bpf_tramp_run_ctx *run_ctx)
+       __acquires(RCU)
+ {
+       /* Runtime stats are exported via actual BPF_LSM_CGROUP
+@@ -937,8 +938,8 @@ u64 notrace __bpf_prog_enter_lsm_cgroup(struct bpf_prog *prog,
+       return NO_START_TIME;
+ }
+-void notrace __bpf_prog_exit_lsm_cgroup(struct bpf_prog *prog, u64 start,
+-                                      struct bpf_tramp_run_ctx *run_ctx)
++static void notrace __bpf_prog_exit_lsm_cgroup(struct bpf_prog *prog, u64 start,
++                                             struct bpf_tramp_run_ctx *run_ctx)
+       __releases(RCU)
+ {
+       bpf_reset_run_ctx(run_ctx->saved_run_ctx);
+@@ -947,7 +948,8 @@ void notrace __bpf_prog_exit_lsm_cgroup(struct bpf_prog *prog, u64 start,
+       rcu_read_unlock();
+ }
+-u64 notrace __bpf_prog_enter_sleepable(struct bpf_prog *prog, struct bpf_tramp_run_ctx *run_ctx)
++u64 notrace __bpf_prog_enter_sleepable_recur(struct bpf_prog *prog,
++                                           struct bpf_tramp_run_ctx *run_ctx)
+ {
+       rcu_read_lock_trace();
+       migrate_disable();
+@@ -963,8 +965,8 @@ u64 notrace __bpf_prog_enter_sleepable(struct bpf_prog *prog, struct bpf_tramp_r
+       return bpf_prog_start_time();
+ }
+-void notrace __bpf_prog_exit_sleepable(struct bpf_prog *prog, u64 start,
+-                                     struct bpf_tramp_run_ctx *run_ctx)
++void notrace __bpf_prog_exit_sleepable_recur(struct bpf_prog *prog, u64 start,
++                                           struct bpf_tramp_run_ctx *run_ctx)
+ {
+       bpf_reset_run_ctx(run_ctx->saved_run_ctx);
+@@ -974,8 +976,30 @@ void notrace __bpf_prog_exit_sleepable(struct bpf_prog *prog, u64 start,
+       rcu_read_unlock_trace();
+ }
+-u64 notrace __bpf_prog_enter_struct_ops(struct bpf_prog *prog,
+-                                      struct bpf_tramp_run_ctx *run_ctx)
++static u64 notrace __bpf_prog_enter_sleepable(struct bpf_prog *prog,
++                                            struct bpf_tramp_run_ctx *run_ctx)
++{
++      rcu_read_lock_trace();
++      migrate_disable();
++      might_fault();
++
++      run_ctx->saved_run_ctx = bpf_set_run_ctx(&run_ctx->run_ctx);
++
++      return bpf_prog_start_time();
++}
++
++static void notrace __bpf_prog_exit_sleepable(struct bpf_prog *prog, u64 start,
++                                            struct bpf_tramp_run_ctx *run_ctx)
++{
++      bpf_reset_run_ctx(run_ctx->saved_run_ctx);
++
++      update_prog_stats(prog, start);
++      migrate_enable();
++      rcu_read_unlock_trace();
++}
++
++static u64 notrace __bpf_prog_enter(struct bpf_prog *prog,
++                                  struct bpf_tramp_run_ctx *run_ctx)
+       __acquires(RCU)
+ {
+       rcu_read_lock();
+@@ -986,8 +1010,8 @@ u64 notrace __bpf_prog_enter_struct_ops(struct bpf_prog *prog,
+       return bpf_prog_start_time();
+ }
+-void notrace __bpf_prog_exit_struct_ops(struct bpf_prog *prog, u64 start,
+-                                      struct bpf_tramp_run_ctx *run_ctx)
++static void notrace __bpf_prog_exit(struct bpf_prog *prog, u64 start,
++                                  struct bpf_tramp_run_ctx *run_ctx)
+       __releases(RCU)
+ {
+       bpf_reset_run_ctx(run_ctx->saved_run_ctx);
+@@ -1007,6 +1031,36 @@ void notrace __bpf_tramp_exit(struct bpf_tramp_image *tr)
+       percpu_ref_put(&tr->pcref);
+ }
++bpf_trampoline_enter_t bpf_trampoline_enter(const struct bpf_prog *prog)
++{
++      bool sleepable = prog->aux->sleepable;
++
++      if (bpf_prog_check_recur(prog))
++              return sleepable ? __bpf_prog_enter_sleepable_recur :
++                      __bpf_prog_enter_recur;
++
++      if (resolve_prog_type(prog) == BPF_PROG_TYPE_LSM &&
++          prog->expected_attach_type == BPF_LSM_CGROUP)
++              return __bpf_prog_enter_lsm_cgroup;
++
++      return sleepable ? __bpf_prog_enter_sleepable : __bpf_prog_enter;
++}
++
++bpf_trampoline_exit_t bpf_trampoline_exit(const struct bpf_prog *prog)
++{
++      bool sleepable = prog->aux->sleepable;
++
++      if (bpf_prog_check_recur(prog))
++              return sleepable ? __bpf_prog_exit_sleepable_recur :
++                      __bpf_prog_exit_recur;
++
++      if (resolve_prog_type(prog) == BPF_PROG_TYPE_LSM &&
++          prog->expected_attach_type == BPF_LSM_CGROUP)
++              return __bpf_prog_exit_lsm_cgroup;
++
++      return sleepable ? __bpf_prog_exit_sleepable : __bpf_prog_exit;
++}
++
+ int __weak
+ arch_prepare_bpf_trampoline(struct bpf_tramp_image *tr, void *image, void *image_end,
+                           const struct btf_func_model *m, u32 flags,
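Review bot: `bpf_trampoline_enter()` and `bpf_trampoline_exit()` repeat the same three-way selection, and correctness depends on both always choosing the same variant for a given prog. If one is edited without the other, a `_recur` enter could be paired with a plain exit and `prog->active` would presumably never be decremented, or the reverse. A single helper returning an enter/exit pair would keep them in lockstep; at minimum add `/* Keep in sync with bpf_trampoline_exit(). */` above the first function and the mirror comment above the second.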
+-- 
+2.40.1
+
diff --git a/queue-6.1/bpf-sockmap-fix-skb-refcnt-race-after-locking-change.patch b/queue-6.1/bpf-sockmap-fix-skb-refcnt-race-after-locking-change.patch
new file mode 100644 (file)
index 0000000..96485e2
--- /dev/null
@@ -0,0 +1,124 @@
+From 92ad45f46c91a35659178bbab45871873a544b2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 13:21:37 -0700
+Subject: bpf, sockmap: Fix skb refcnt race after locking changes
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit a454d84ee20baf7bd7be90721b9821f73c7d23d9 ]
+
+There is a race where skb's from the sk_psock_backlog can be referenced
+after userspace side has already skb_consumed() the sk_buff and its refcnt
+dropped to zer0 causing use after free.
+
+The flow is the following:
+
+  while ((skb = skb_peek(&psock->ingress_skb))
+    sk_psock_handle_Skb(psock, skb, ..., ingress)
+    if (!ingress) ...
+    sk_psock_skb_ingress
+       sk_psock_skb_ingress_enqueue(skb)
+          msg->skb = skb
+          sk_psock_queue_msg(psock, msg)
+    skb_dequeue(&psock->ingress_skb)
+
+The sk_psock_queue_msg() puts the msg on the ingress_msg queue. This is
+what the application reads when recvmsg() is called. An application can
+read this anytime after the msg is placed on the queue. The recvmsg hook
+will also read msg->skb and then after user space reads the msg will call
+consume_skb(skb) on it effectively free'ing it.
+
+But, the race is in above where backlog queue still has a reference to
+the skb and calls skb_dequeue(). If the skb_dequeue happens after the
+user reads and free's the skb we have a use after free.
+
+The !ingress case does not suffer from this problem because it uses
+sendmsg_*(sk, msg) which does not pass the sk_buff further down the
+stack.
+
+The following splat was observed with 'test_progs -t sockmap_listen':
+
+  [ 1022.710250][ T2556] general protection fault, ...
+  [...]
+  [ 1022.712830][ T2556] Workqueue: events sk_psock_backlog
+  [ 1022.713262][ T2556] RIP: 0010:skb_dequeue+0x4c/0x80
+  [ 1022.713653][ T2556] Code: ...
+  [...]
+  [ 1022.720699][ T2556] Call Trace:
+  [ 1022.720984][ T2556]  <TASK>
+  [ 1022.721254][ T2556]  ? die_addr+0x32/0x80^M
+  [ 1022.721589][ T2556]  ? exc_general_protection+0x25a/0x4b0
+  [ 1022.722026][ T2556]  ? asm_exc_general_protection+0x22/0x30
+  [ 1022.722489][ T2556]  ? skb_dequeue+0x4c/0x80
+  [ 1022.722854][ T2556]  sk_psock_backlog+0x27a/0x300
+  [ 1022.723243][ T2556]  process_one_work+0x2a7/0x5b0
+  [ 1022.723633][ T2556]  worker_thread+0x4f/0x3a0
+  [ 1022.723998][ T2556]  ? __pfx_worker_thread+0x10/0x10
+  [ 1022.724386][ T2556]  kthread+0xfd/0x130
+  [ 1022.724709][ T2556]  ? __pfx_kthread+0x10/0x10
+  [ 1022.725066][ T2556]  ret_from_fork+0x2d/0x50
+  [ 1022.725409][ T2556]  ? __pfx_kthread+0x10/0x10
+  [ 1022.725799][ T2556]  ret_from_fork_asm+0x1b/0x30
+  [ 1022.726201][ T2556]  </TASK>
+
+To fix we add an skb_get() before passing the skb to be enqueued in the
+engress queue. This bumps the skb->users refcnt so that consume_skb()
+and kfree_skb will not immediately free the sk_buff. With this we can
+be sure the skb is still around when we do the dequeue. Then we just
+need to decrement the refcnt or free the skb in the backlog case which
+we do by calling kfree_skb() on the ingress case as well as the sendmsg
+case.
+
+Before locking change from fixes tag we had the sock locked so we
+couldn't race with user and there was no issue here.
+
+Fixes: 799aa7f98d53e ("skmsg: Avoid lock_sock() in sk_psock_backlog()")
+Reported-by: Jiri Olsa  <jolsa@kernel.org>
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Xu Kuohai <xukuohai@huawei.com>
+Tested-by: Jiri Olsa <jolsa@kernel.org>
+Link: https://lore.kernel.org/bpf/20230901202137.214666-1-john.fastabend@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 296e45b6c3c0d..a5c1f67dc96ec 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -611,12 +611,18 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb
+ static int sk_psock_handle_skb(struct sk_psock *psock, struct sk_buff *skb,
+                              u32 off, u32 len, bool ingress)
+ {
++      int err = 0;
++
+       if (!ingress) {
+               if (!sock_writeable(psock->sk))
+                       return -EAGAIN;
+               return skb_send_sock(psock->sk, skb, off, len);
+       }
+-      return sk_psock_skb_ingress(psock, skb, off, len);
++      skb_get(skb);
++      err = sk_psock_skb_ingress(psock, skb, off, len);
++      if (err < 0)
++              kfree_skb(skb);
++      return err;
+ }
+ static void sk_psock_skb_state(struct sk_psock *psock,
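Review bot: The `skb_get(skb)` on the ingress path takes a reference whose release is in a different function, and the hunk does not say so. On success the reference is dropped by the now unconditional `kfree_skb(skb)` after `skb_dequeue()` in sk_psock_backlog() (second hunk), and on failure by the `kfree_skb(skb)` here. A comment such as `/* Extra ref for the backlog: recvmsg may consume_skb() this skb before sk_psock_backlog() dequeues it. */` above `skb_get()` would make that pairing visible. `int err = 0;` does not need the initialiser, since `err` is assigned before its only reads.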
+@@ -684,9 +690,7 @@ static void sk_psock_backlog(struct work_struct *work)
+               } while (len);
+               skb = skb_dequeue(&psock->ingress_skb);
+-              if (!ingress) {
+-                      kfree_skb(skb);
+-              }
++              kfree_skb(skb);
+       }
+ end:
+       mutex_unlock(&psock->work_mutex);
+-- 
+2.40.1
+
diff --git a/queue-6.1/ceph-make-members-in-struct-ceph_mds_request_args_ex.patch b/queue-6.1/ceph-make-members-in-struct-ceph_mds_request_args_ex.patch
new file mode 100644 (file)
index 0000000..fbc2f62
--- /dev/null
@@ -0,0 +1,70 @@
+From 314d428acfd80bf54132205b4d354d6c7a883479 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 09:44:40 +0800
+Subject: ceph: make members in struct ceph_mds_request_args_ext a union
+
+From: Xiubo Li <xiubli@redhat.com>
+
+[ Upstream commit 3af5ae22030cb59fab4fba35f5a2b62f47e14df9 ]
+
+In ceph mainline it will allow to set the btime in the setattr request
+and just add a 'btime' member in the union 'ceph_mds_request_args' and
+then bump up the header version to 4. That means the total size of union
+'ceph_mds_request_args' will increase sizeof(struct ceph_timespec) bytes,
+but in kclient it will increase the sizeof(setattr_ext) bytes for each
+request.
+
+Since the MDS will always depend on the header's vesion and front_len
+members to decode the 'ceph_mds_request_head' struct, at the same time
+kclient hasn't supported the 'btime' feature yet in setattr request,
+so it's safe to do this change here.
+
+This will save 48 bytes memories for each request.
+
+Fixes: 4f1ddb1ea874 ("ceph: implement updated ceph_mds_request_head structure")
+Signed-off-by: Xiubo Li <xiubli@redhat.com>
+Reviewed-by: Milind Changire <mchangir@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ceph/ceph_fs.h | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/include/linux/ceph/ceph_fs.h b/include/linux/ceph/ceph_fs.h
+index 49586ff261520..b4fa2a25b7d95 100644
+--- a/include/linux/ceph/ceph_fs.h
++++ b/include/linux/ceph/ceph_fs.h
+@@ -462,17 +462,19 @@ union ceph_mds_request_args {
+ } __attribute__ ((packed));
+ union ceph_mds_request_args_ext {
+-      union ceph_mds_request_args old;
+-      struct {
+-              __le32 mode;
+-              __le32 uid;
+-              __le32 gid;
+-              struct ceph_timespec mtime;
+-              struct ceph_timespec atime;
+-              __le64 size, old_size;       /* old_size needed by truncate */
+-              __le32 mask;                 /* CEPH_SETATTR_* */
+-              struct ceph_timespec btime;
+-      } __attribute__ ((packed)) setattr_ext;
++      union {
++              union ceph_mds_request_args old;
++              struct {
++                      __le32 mode;
++                      __le32 uid;
++                      __le32 gid;
++                      struct ceph_timespec mtime;
++                      struct ceph_timespec atime;
++                      __le64 size, old_size;       /* old_size needed by truncate */
++                      __le32 mask;                 /* CEPH_SETATTR_* */
++                      struct ceph_timespec btime;
++              } __attribute__ ((packed)) setattr_ext;
++      };
+ };
+ #define CEPH_MDS_FLAG_REPLAY          1 /* this is a replayed op */
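Review bot: As shown here, the enclosing type on the hunk's context line is already `union ceph_mds_request_args_ext`, so wrapping `old` and `setattr_ext` in an anonymous `union { ... };` would not change the type's size or layout. The description's saving of 48 bytes per request only follows if the enclosing type is a `struct` in the tree the patch applies to. Worth checking the 6.1 `include/linux/ceph/ceph_fs.h` before queueing: if the type is already a union there, this backport is a no-op and could be dropped.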
+-- 
+2.40.1
+
diff --git a/queue-6.1/cifs-use-fs_context-for-automounts.patch b/queue-6.1/cifs-use-fs_context-for-automounts.patch
new file mode 100644 (file)
index 0000000..008066f
--- /dev/null
@@ -0,0 +1,168 @@
+From dc198723c62779676be1ace1a442d7ab754f8d1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Oct 2022 18:41:20 -0300
+Subject: cifs: use fs_context for automounts
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+[ Upstream commit 9fd29a5bae6e8f94b410374099a6fddb253d2d5f ]
+
+Use filesystem context support to handle dfs links.
+
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Stable-dep-of: efc0b0bcffcb ("smb: propagate error code of extract_sharename()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifs_dfs_ref.c | 100 ++++++++++++++---------------------
+ 1 file changed, 40 insertions(+), 60 deletions(-)
+
+diff --git a/fs/smb/client/cifs_dfs_ref.c b/fs/smb/client/cifs_dfs_ref.c
+index b0864da9ef434..020e71fe1454e 100644
+--- a/fs/smb/client/cifs_dfs_ref.c
++++ b/fs/smb/client/cifs_dfs_ref.c
+@@ -258,61 +258,23 @@ char *cifs_compose_mount_options(const char *sb_mountdata,
+       goto compose_mount_options_out;
+ }
+-/**
+- * cifs_dfs_do_mount - mounts specified path using DFS full path
+- *
+- * Always pass down @fullpath to smb3_do_mount() so we can use the root server
+- * to perform failover in case we failed to connect to the first target in the
+- * referral.
+- *
+- * @mntpt:            directory entry for the path we are trying to automount
+- * @cifs_sb:          parent/root superblock
+- * @fullpath:         full path in UNC format
+- */
+-static struct vfsmount *cifs_dfs_do_mount(struct dentry *mntpt,
+-                                        struct cifs_sb_info *cifs_sb,
+-                                        const char *fullpath)
+-{
+-      struct vfsmount *mnt;
+-      char *mountdata;
+-      char *devname;
+-
+-      devname = kstrdup(fullpath, GFP_KERNEL);
+-      if (!devname)
+-              return ERR_PTR(-ENOMEM);
+-
+-      convert_delimiter(devname, '/');
+-
+-      /* TODO: change to call fs_context_for_mount(), fill in context directly, call fc_mount */
+-
+-      /* See afs_mntpt_do_automount in fs/afs/mntpt.c for an example */
+-
+-      /* strip first '\' from fullpath */
+-      mountdata = cifs_compose_mount_options(cifs_sb->ctx->mount_options,
+-                                             fullpath + 1, NULL, NULL);
+-      if (IS_ERR(mountdata)) {
+-              kfree(devname);
+-              return (struct vfsmount *)mountdata;
+-      }
+-
+-      mnt = vfs_submount(mntpt, &cifs_fs_type, devname, mountdata);
+-      kfree(mountdata);
+-      kfree(devname);
+-      return mnt;
+-}
+-
+ /*
+  * Create a vfsmount that we can automount
+  */
+-static struct vfsmount *cifs_dfs_do_automount(struct dentry *mntpt)
++static struct vfsmount *cifs_dfs_do_automount(struct path *path)
+ {
++      int rc;
++      struct dentry *mntpt = path->dentry;
++      struct fs_context *fc;
+       struct cifs_sb_info *cifs_sb;
+-      void *page;
++      void *page = NULL;
++      struct smb3_fs_context *ctx, *cur_ctx;
++      struct smb3_fs_context tmp;
+       char *full_path;
+       struct vfsmount *mnt;
+-      cifs_dbg(FYI, "in %s\n", __func__);
+-      BUG_ON(IS_ROOT(mntpt));
++      if (IS_ROOT(mntpt))
++              return ERR_PTR(-ESTALE);
+       /*
+        * The MSDFS spec states that paths in DFS referral requests and
+@@ -321,29 +283,47 @@ static struct vfsmount *cifs_dfs_do_automount(struct dentry *mntpt)
+        * gives us the latter, so we must adjust the result.
+        */
+       cifs_sb = CIFS_SB(mntpt->d_sb);
+-      if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_DFS) {
+-              mnt = ERR_PTR(-EREMOTE);
+-              goto cdda_exit;
+-      }
++      if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NO_DFS)
++              return ERR_PTR(-EREMOTE);
++
++      cur_ctx = cifs_sb->ctx;
++
++      fc = fs_context_for_submount(path->mnt->mnt_sb->s_type, mntpt);
++      if (IS_ERR(fc))
++              return ERR_CAST(fc);
++
++      ctx = smb3_fc2context(fc);
+       page = alloc_dentry_path();
+       /* always use tree name prefix */
+       full_path = build_path_from_dentry_optional_prefix(mntpt, page, true);
+       if (IS_ERR(full_path)) {
+               mnt = ERR_CAST(full_path);
+-              goto free_full_path;
++              goto out;
+       }
+-      convert_delimiter(full_path, '\\');
++      convert_delimiter(full_path, '/');
+       cifs_dbg(FYI, "%s: full_path: %s\n", __func__, full_path);
+-      mnt = cifs_dfs_do_mount(mntpt, cifs_sb, full_path);
+-      cifs_dbg(FYI, "%s: cifs_dfs_do_mount:%s , mnt:%p\n", __func__, full_path + 1, mnt);
++      tmp = *cur_ctx;
++      tmp.source = full_path;
++      tmp.UNC = tmp.prepath = NULL;
++
++      rc = smb3_fs_context_dup(ctx, &tmp);
++      if (rc) {
++              mnt = ERR_PTR(rc);
++              goto out;
++      }
++
++      rc = smb3_parse_devname(full_path, ctx);
++      if (!rc)
++              mnt = fc_mount(fc);
++      else
++              mnt = ERR_PTR(rc);
+-free_full_path:
++out:
++      put_fs_context(fc);
+       free_dentry_path(page);
+-cdda_exit:
+-      cifs_dbg(FYI, "leaving %s\n" , __func__);
+       return mnt;
+ }
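Review bot: `tmp = *cur_ctx` in cifs_dfs_do_automount() is a shallow struct copy, so until smb3_fs_context_dup() returns, `tmp` shares every pointer member with the parent superblock's `cifs_sb->ctx`, and nothing in the hunk shows what keeps that context stable while it is being duplicated. If a remount can rewrite `cifs_sb->ctx` concurrently (not visible here), the dup would read strings that have already been freed, so the locking assumption should be confirmed and recorded, e.g. `/* cifs_sb->ctx cannot change here because <lock/reason>; tmp only borrows its pointers until the dup */`. The copy also puts a whole `struct smb3_fs_context` on the kernel stack, which a heap-allocated temporary would avoid. The function spans this hunk and the one before it.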
+@@ -354,9 +334,9 @@ struct vfsmount *cifs_dfs_d_automount(struct path *path)
+ {
+       struct vfsmount *newmnt;
+-      cifs_dbg(FYI, "in %s\n", __func__);
++      cifs_dbg(FYI, "%s: %pd\n", __func__, path->dentry);
+-      newmnt = cifs_dfs_do_automount(path->dentry);
++      newmnt = cifs_dfs_do_automount(path);
+       if (IS_ERR(newmnt)) {
+               cifs_dbg(FYI, "leaving %s [automount failed]\n" , __func__);
+               return newmnt;
+-- 
+2.40.1
+
diff --git a/queue-6.1/drm-i915-gvt-drop-unused-helper-intel_vgpu_reset_gtt.patch b/queue-6.1/drm-i915-gvt-drop-unused-helper-intel_vgpu_reset_gtt.patch
new file mode 100644 (file)
index 0000000..5fcfe82
--- /dev/null
@@ -0,0 +1,74 @@
+From 93ebd2eb7897e6fd8913e0ad3b176700f188b837 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Jul 2023 18:35:16 -0700
+Subject: drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt()
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit a90c367e5af63880008e21dd199dac839e0e9e0f ]
+
+Drop intel_vgpu_reset_gtt() as it no longer has any callers.  In addition
+to eliminating dead code, this eliminates the last possible scenario where
+__kvmgt_protect_table_find() can be reached without holding vgpu_lock.
+Requiring vgpu_lock to be held when calling __kvmgt_protect_table_find()
+will allow a protecting the gfn hash with vgpu_lock without too much fuss.
+
+No functional change intended.
+
+Fixes: ba25d977571e ("drm/i915/gvt: Do not destroy ppgtt_mm during vGPU D3->D0.")
+Reviewed-by: Yan Zhao <yan.y.zhao@intel.com>
+Tested-by: Yongwei Ma <yongwei.ma@intel.com>
+Reviewed-by: Zhi Wang <zhi.a.wang@intel.com>
+Link: https://lore.kernel.org/r/20230729013535.1070024-11-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gvt/gtt.c | 18 ------------------
+ drivers/gpu/drm/i915/gvt/gtt.h |  1 -
+ 2 files changed, 19 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
+index 980d671ac3595..79bf1be68d8cf 100644
+--- a/drivers/gpu/drm/i915/gvt/gtt.c
++++ b/drivers/gpu/drm/i915/gvt/gtt.c
+@@ -2887,24 +2887,6 @@ void intel_vgpu_reset_ggtt(struct intel_vgpu *vgpu, bool invalidate_old)
+       ggtt_invalidate(gvt->gt);
+ }
+-/**
+- * intel_vgpu_reset_gtt - reset the all GTT related status
+- * @vgpu: a vGPU
+- *
+- * This function is called from vfio core to reset reset all
+- * GTT related status, including GGTT, PPGTT, scratch page.
+- *
+- */
+-void intel_vgpu_reset_gtt(struct intel_vgpu *vgpu)
+-{
+-      /* Shadow pages are only created when there is no page
+-       * table tracking data, so remove page tracking data after
+-       * removing the shadow pages.
+-       */
+-      intel_vgpu_destroy_all_ppgtt_mm(vgpu);
+-      intel_vgpu_reset_ggtt(vgpu, true);
+-}
+-
+ /**
+  * intel_gvt_restore_ggtt - restore all vGPU's ggtt entries
+  * @gvt: intel gvt device
+diff --git a/drivers/gpu/drm/i915/gvt/gtt.h b/drivers/gpu/drm/i915/gvt/gtt.h
+index a3b0f59ec8bd9..4cb183e06e95a 100644
+--- a/drivers/gpu/drm/i915/gvt/gtt.h
++++ b/drivers/gpu/drm/i915/gvt/gtt.h
+@@ -224,7 +224,6 @@ void intel_vgpu_reset_ggtt(struct intel_vgpu *vgpu, bool invalidate_old);
+ void intel_vgpu_invalidate_ppgtt(struct intel_vgpu *vgpu);
+ int intel_gvt_init_gtt(struct intel_gvt *gvt);
+-void intel_vgpu_reset_gtt(struct intel_vgpu *vgpu);
+ void intel_gvt_clean_gtt(struct intel_gvt *gvt);
+ struct intel_vgpu_mm *intel_gvt_find_ppgtt_mm(struct intel_vgpu *vgpu,
+-- 
+2.40.1
+
diff --git a/queue-6.1/drm-i915-gvt-put-the-page-reference-obtained-by-kvm-.patch b/queue-6.1/drm-i915-gvt-put-the-page-reference-obtained-by-kvm-.patch
new file mode 100644 (file)
index 0000000..1f24b6b
--- /dev/null
@@ -0,0 +1,53 @@
+From 19a66276202da9e7f78dcfaf03dddd92e6393c74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Jul 2023 18:35:11 -0700
+Subject: drm/i915/gvt: Put the page reference obtained by KVM's gfn_to_pfn()
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 708e49583d7da863898b25dafe4bcd799c414278 ]
+
+Put the struct page reference acquired by gfn_to_pfn(), KVM's API is that
+the caller is ultimately responsible for dropping any reference.
+
+Note, kvm_release_pfn_clean() ensures the pfn is actually a refcounted
+struct page before trying to put any references.
+
+Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
+Reviewed-by: Yan Zhao <yan.y.zhao@intel.com>
+Tested-by: Yongwei Ma <yongwei.ma@intel.com>
+Reviewed-by: Zhi Wang <zhi.a.wang@intel.com>
+Link: https://lore.kernel.org/r/20230729013535.1070024-6-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gvt/gtt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
+index 92462cd4bf7cc..980d671ac3595 100644
+--- a/drivers/gpu/drm/i915/gvt/gtt.c
++++ b/drivers/gpu/drm/i915/gvt/gtt.c
+@@ -1179,6 +1179,7 @@ static int is_2MB_gtt_possible(struct intel_vgpu *vgpu,
+ {
+       const struct intel_gvt_gtt_pte_ops *ops = vgpu->gvt->gtt.pte_ops;
+       kvm_pfn_t pfn;
++      int ret;
+       if (!HAS_PAGE_SIZES(vgpu->gvt->gt->i915, I915_GTT_PAGE_SIZE_2M))
+               return 0;
+@@ -1192,7 +1193,9 @@ static int is_2MB_gtt_possible(struct intel_vgpu *vgpu,
+       if (!pfn_valid(pfn))
+               return -EINVAL;
+-      return PageTransHuge(pfn_to_page(pfn));
++      ret = PageTransHuge(pfn_to_page(pfn));
++      kvm_release_pfn_clean(pfn);
++      return ret;
+ }
+ static int split_2MB_gtt_entry(struct intel_vgpu *vgpu,
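Review bot: The value returned by is_2MB_gtt_possible() is computed from `PageTransHuge()` and the page reference is dropped immediately afterwards, so by the time the caller acts on the result it is only a snapshot. Nothing in these two hunks shows the caller pinning or re-validating the range before it builds a 2MB entry; if it does not, the page could be split or freed in between. A short comment before the release would make the contract explicit, for example `/* result is advisory: the reference is dropped here, the caller must pin what it maps */`. The function starts outside the first hunk.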
+-- 
+2.40.1
+
diff --git a/queue-6.1/drm-i915-gvt-verify-pfn-is-valid-before-dereferencin.patch b/queue-6.1/drm-i915-gvt-verify-pfn-is-valid-before-dereferencin.patch
new file mode 100644 (file)
index 0000000..77444ba
--- /dev/null
@@ -0,0 +1,46 @@
+From 84b8b9de22b3c5c07b7b4b0be4093a409407976b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Jul 2023 18:35:07 -0700
+Subject: drm/i915/gvt: Verify pfn is "valid" before dereferencing "struct
+ page"
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit f046923af79158361295ed4f0a588c80b9fdcc1d ]
+
+Check that the pfn found by gfn_to_pfn() is actually backed by "struct
+page" memory prior to retrieving and dereferencing the page.  KVM
+supports backing guest memory with VM_PFNMAP, VM_IO, etc., and so
+there is no guarantee the pfn returned by gfn_to_pfn() has an associated
+"struct page".
+
+Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support")
+Reviewed-by: Yan Zhao <yan.y.zhao@intel.com>
+Tested-by: Yongwei Ma <yongwei.ma@intel.com>
+Reviewed-by: Zhi Wang <zhi.a.wang@intel.com>
+Link: https://lore.kernel.org/r/20230729013535.1070024-2-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gvt/gtt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
+index 80c60754a5c1c..92462cd4bf7cc 100644
+--- a/drivers/gpu/drm/i915/gvt/gtt.c
++++ b/drivers/gpu/drm/i915/gvt/gtt.c
+@@ -1188,6 +1188,10 @@ static int is_2MB_gtt_possible(struct intel_vgpu *vgpu,
+       pfn = gfn_to_pfn(vgpu->vfio_device.kvm, ops->get_pfn(entry));
+       if (is_error_noslot_pfn(pfn))
+               return -EINVAL;
++
++      if (!pfn_valid(pfn))
++              return -EINVAL;
++
+       return PageTransHuge(pfn_to_page(pfn));
+ }
+-- 
+2.40.1
+
diff --git a/queue-6.1/drm-i915-mark-requests-for-guc-virtual-engines-to-av.patch b/queue-6.1/drm-i915-mark-requests-for-guc-virtual-engines-to-av.patch
new file mode 100644 (file)
index 0000000..2edc239
--- /dev/null
@@ -0,0 +1,88 @@
+From d47e62eda6aa003b944c0e65a71637fbd8aac95d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Aug 2023 17:30:35 +0200
+Subject: drm/i915: mark requests for GuC virtual engines to avoid
+ use-after-free
+
+From: Andrzej Hajda <andrzej.hajda@intel.com>
+
+[ Upstream commit 5eefc5307c983b59344a4cb89009819f580c84fa ]
+
+References to i915_requests may be trapped by userspace inside a
+sync_file or dmabuf (dma-resv) and held indefinitely across different
+proceses. To counter-act the memory leaks, we try to not to keep
+references from the request past their completion.
+On the other side on fence release we need to know if rq->engine
+is valid and points to hw engine (true for non-virtual requests).
+To make it possible extra bit has been added to rq->execution_mask,
+for marking virtual engines.
+
+Fixes: bcb9aa45d5a0 ("Revert "drm/i915: Hold reference to intel_context over life of i915_request"")
+Signed-off-by: Chris Wilson <chris.p.wilson@linux.intel.com>
+Signed-off-by: Andrzej Hajda <andrzej.hajda@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230821153035.3903006-1-andrzej.hajda@intel.com
+(cherry picked from commit 280410677af763f3871b93e794a199cfcf6fb580)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_engine_types.h      | 1 +
+ drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 3 +++
+ drivers/gpu/drm/i915/i915_request.c               | 7 ++-----
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_engine_types.h b/drivers/gpu/drm/i915/gt/intel_engine_types.h
+index 6b5d4ea22b673..107f465a27b9e 100644
+--- a/drivers/gpu/drm/i915/gt/intel_engine_types.h
++++ b/drivers/gpu/drm/i915/gt/intel_engine_types.h
+@@ -56,6 +56,7 @@ struct intel_breadcrumbs;
+ typedef u32 intel_engine_mask_t;
+ #define ALL_ENGINES ((intel_engine_mask_t)~0ul)
++#define VIRTUAL_ENGINES BIT(BITS_PER_TYPE(intel_engine_mask_t) - 1)
+ struct intel_hw_status_page {
+       struct list_head timelines;
+diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
+index 0ec07dad1dcf1..fecdc7ea78ebd 100644
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
+@@ -5111,6 +5111,9 @@ guc_create_virtual(struct intel_engine_cs **siblings, unsigned int count,
+       ve->base.flags = I915_ENGINE_IS_VIRTUAL;
++      BUILD_BUG_ON(ilog2(VIRTUAL_ENGINES) < I915_NUM_ENGINES);
++      ve->base.mask = VIRTUAL_ENGINES;
++
+       intel_context_init(&ve->context, &ve->base);
+       for (n = 0; n < count; n++) {
+diff --git a/drivers/gpu/drm/i915/i915_request.c b/drivers/gpu/drm/i915/i915_request.c
+index 803cd2ad4deb5..7ce126a01cbf6 100644
+--- a/drivers/gpu/drm/i915/i915_request.c
++++ b/drivers/gpu/drm/i915/i915_request.c
+@@ -134,9 +134,7 @@ static void i915_fence_release(struct dma_fence *fence)
+       i915_sw_fence_fini(&rq->semaphore);
+       /*
+-       * Keep one request on each engine for reserved use under mempressure
+-       * do not use with virtual engines as this really is only needed for
+-       * kernel contexts.
++       * Keep one request on each engine for reserved use under mempressure.
+        *
+        * We do not hold a reference to the engine here and so have to be
+        * very careful in what rq->engine we poke. The virtual engine is
+@@ -166,8 +164,7 @@ static void i915_fence_release(struct dma_fence *fence)
+        * know that if the rq->execution_mask is a single bit, rq->engine
+        * can be a physical engine with the exact corresponding mask.
+        */
+-      if (!intel_engine_is_virtual(rq->engine) &&
+-          is_power_of_2(rq->execution_mask) &&
++      if (is_power_of_2(rq->execution_mask) &&
+           !cmpxchg(&rq->engine->request_pool, NULL, rq))
+               return;
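Review bot: After this hunk the `is_power_of_2(rq->execution_mask)` test is the only thing that keeps i915_fence_release() from dereferencing an `rq->engine` it holds no reference to, yet the comment above it still explains the single-bit rule without mentioning the new marker bit. The guarantee now depends on every virtual engine carrying `VIRTUAL_ENGINES` in its mask, which this patch sets only in guc_create_virtual(); whether other virtual-engine constructors need the same is not visible here. I would extend the comment with something like `* Virtual engines always set VIRTUAL_ENGINES in their mask, so a single-bit execution_mask can only name a physical engine.` Note also that `ALL_ENGINES` in intel_engine_types.h is `~0ul` and therefore includes the marker bit, so users of that mask deserve a check. The function body starts and ends outside the hunk.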
+-- 
+2.40.1
+
diff --git a/queue-6.1/gfs2-low-memory-forced-flush-fixes.patch b/queue-6.1/gfs2-low-memory-forced-flush-fixes.patch
new file mode 100644 (file)
index 0000000..81bffcb
--- /dev/null
@@ -0,0 +1,89 @@
+From ef0f5d27c9b1bac26e1587d4fd4865666454690f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Aug 2023 17:15:46 +0200
+Subject: gfs2: low-memory forced flush fixes
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit b74cd55aa9a9d0aca760028a51343ec79812e410 ]
+
+First, function gfs2_ail_flush_reqd checks the SDF_FORCE_AIL_FLUSH flag
+to determine if an AIL flush should be forced in low-memory situations.
+However, it also immediately clears the flag, and when called repeatedly
+as in function gfs2_logd, the flag will be lost.  Fix that by pulling
+the SDF_FORCE_AIL_FLUSH flag check out of gfs2_ail_flush_reqd.
+
+Second, function gfs2_writepages sets the SDF_FORCE_AIL_FLUSH flag
+whether or not enough pages were written.  If enough pages could be
+written, flushing the AIL is unnecessary, though.
+
+Third, gfs2_writepages doesn't wake up logd after setting the
+SDF_FORCE_AIL_FLUSH flag, so it can take a long time for logd to react.
+It would be preferable to wake up logd, but that hurts the performance
+of some workloads and we don't quite understand why so far, so don't
+wake up logd so far.
+
+Fixes: b066a4eebd4f ("gfs2: forcibly flush ail to relieve memory pressure")
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/aops.c | 4 ++--
+ fs/gfs2/log.c  | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/fs/gfs2/aops.c b/fs/gfs2/aops.c
+index 2f04c0ff7470b..1e9fa26f04fe1 100644
+--- a/fs/gfs2/aops.c
++++ b/fs/gfs2/aops.c
+@@ -182,13 +182,13 @@ static int gfs2_writepages(struct address_space *mapping,
+       int ret;
+       /*
+-       * Even if we didn't write any pages here, we might still be holding
++       * Even if we didn't write enough pages here, we might still be holding
+        * dirty pages in the ail. We forcibly flush the ail because we don't
+        * want balance_dirty_pages() to loop indefinitely trying to write out
+        * pages held in the ail that it can't find.
+        */
+       ret = iomap_writepages(mapping, wbc, &wpc, &gfs2_writeback_ops);
+-      if (ret == 0)
++      if (ret == 0 && wbc->nr_to_write > 0)
+               set_bit(SDF_FORCE_AIL_FLUSH, &sdp->sd_flags);
+       return ret;
+ }
+diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c
+index 69c3facfcbef4..e021d5f50c231 100644
+--- a/fs/gfs2/log.c
++++ b/fs/gfs2/log.c
+@@ -1285,9 +1285,6 @@ static inline int gfs2_ail_flush_reqd(struct gfs2_sbd *sdp)
+ {
+       unsigned int used_blocks = sdp->sd_jdesc->jd_blocks - atomic_read(&sdp->sd_log_blks_free);
+-      if (test_and_clear_bit(SDF_FORCE_AIL_FLUSH, &sdp->sd_flags))
+-              return 1;
+-
+       return used_blocks + atomic_read(&sdp->sd_log_blks_needed) >=
+               atomic_read(&sdp->sd_log_thresh2);
+ }
+@@ -1328,7 +1325,9 @@ int gfs2_logd(void *data)
+                                                 GFS2_LFC_LOGD_JFLUSH_REQD);
+               }
+-              if (gfs2_ail_flush_reqd(sdp)) {
++              if (test_bit(SDF_FORCE_AIL_FLUSH, &sdp->sd_flags) ||
++                  gfs2_ail_flush_reqd(sdp)) {
++                      clear_bit(SDF_FORCE_AIL_FLUSH, &sdp->sd_flags);
+                       gfs2_ail1_start(sdp);
+                       gfs2_ail1_wait(sdp);
+                       gfs2_ail1_empty(sdp, 0);
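Review bot: The open-coded `test_bit()` followed by `clear_bit()` in gfs2_logd() replaces an atomic `test_and_clear_bit()`, and the reason the clear sits before `gfs2_ail1_start()` rather than after the flush is not stated. As written, a flag set by gfs2_writepages() while the flush is running survives for the next pass, which looks intentional; a one-line comment such as `/* clear first: a request raised during the flush must not be lost */` would keep a later cleanup from moving it. The same flag test is repeated in the wait condition of the following hunk. gfs2_logd() starts and ends outside the hunk.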
+@@ -1341,6 +1340,7 @@ int gfs2_logd(void *data)
+               try_to_freeze();
+               t = wait_event_interruptible_timeout(sdp->sd_logd_waitq,
++                              test_bit(SDF_FORCE_AIL_FLUSH, &sdp->sd_flags) ||
+                               gfs2_ail_flush_reqd(sdp) ||
+                               gfs2_jrnl_flush_reqd(sdp) ||
+                               kthread_should_stop(),
+-- 
+2.40.1
+
diff --git a/queue-6.1/gfs2-switch-to-wait_event-in-gfs2_logd.patch b/queue-6.1/gfs2-switch-to-wait_event-in-gfs2_logd.patch
new file mode 100644 (file)
index 0000000..6fc561c
--- /dev/null
@@ -0,0 +1,57 @@
+From e8c3465d14abb6396181d06e52ca551b9612abba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 15:46:16 +0200
+Subject: gfs2: Switch to wait_event in gfs2_logd
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit 6df373b09b1dcf2f7d579f515f653f89a896d417 ]
+
+In gfs2_logd(), switch from an open-coded wait loop to
+wait_event_interruptible_timeout().
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Stable-dep-of: b74cd55aa9a9 ("gfs2: low-memory forced flush fixes")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/log.c | 17 +++++------------
+ 1 file changed, 5 insertions(+), 12 deletions(-)
+
+diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c
+index 61323deb80bc7..69c3facfcbef4 100644
+--- a/fs/gfs2/log.c
++++ b/fs/gfs2/log.c
+@@ -1304,7 +1304,6 @@ int gfs2_logd(void *data)
+ {
+       struct gfs2_sbd *sdp = data;
+       unsigned long t = 1;
+-      DEFINE_WAIT(wait);
+       while (!kthread_should_stop()) {
+@@ -1341,17 +1340,11 @@ int gfs2_logd(void *data)
+               try_to_freeze();
+-              do {
+-                      prepare_to_wait(&sdp->sd_logd_waitq, &wait,
+-                                      TASK_INTERRUPTIBLE);
+-                      if (!gfs2_ail_flush_reqd(sdp) &&
+-                          !gfs2_jrnl_flush_reqd(sdp) &&
+-                          !kthread_should_stop())
+-                              t = schedule_timeout(t);
+-              } while(t && !gfs2_ail_flush_reqd(sdp) &&
+-                      !gfs2_jrnl_flush_reqd(sdp) &&
+-                      !kthread_should_stop());
+-              finish_wait(&sdp->sd_logd_waitq, &wait);
++              t = wait_event_interruptible_timeout(sdp->sd_logd_waitq,
++                              gfs2_ail_flush_reqd(sdp) ||
++                              gfs2_jrnl_flush_reqd(sdp) ||
++                              kthread_should_stop(),
++                              t);
+       }
+       return 0;
+-- 
+2.40.1
+
diff --git a/queue-6.1/gve-fix-frag_list-chaining.patch b/queue-6.1/gve-fix-frag_list-chaining.patch
new file mode 100644 (file)
index 0000000..cd58042
--- /dev/null
@@ -0,0 +1,58 @@
+From 87016101bba32ef8b77d35f5d9217cb5700ef077 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 21:38:12 +0000
+Subject: gve: fix frag_list chaining
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 817c7cd2043a83a3d8147f40eea1505ac7300b62 ]
+
+gve_rx_append_frags() is able to build skbs chained with frag_list,
+like GRO engine.
+
+Problem is that shinfo->frag_list should only be used
+for the head of the chain.
+
+All other links should use skb->next pointer.
+
+Otherwise, built skbs are not valid and can cause crashes.
+
+Equivalent code in GRO (skb_gro_receive()) is:
+
+    if (NAPI_GRO_CB(p)->last == p)
+        skb_shinfo(p)->frag_list = skb;
+    else
+        NAPI_GRO_CB(p)->last->next = skb;
+    NAPI_GRO_CB(p)->last = skb;
+
+Fixes: 9b8dd5e5ea48 ("gve: DQO: Add RX path")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Bailey Forrest <bcf@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Cc: Catherine Sullivan <csully@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve_rx_dqo.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_rx_dqo.c b/drivers/net/ethernet/google/gve/gve_rx_dqo.c
+index 2e6461b0ea8bc..a9409e3721ad7 100644
+--- a/drivers/net/ethernet/google/gve/gve_rx_dqo.c
++++ b/drivers/net/ethernet/google/gve/gve_rx_dqo.c
+@@ -492,7 +492,10 @@ static int gve_rx_append_frags(struct napi_struct *napi,
+               if (!skb)
+                       return -1;
+-              skb_shinfo(rx->ctx.skb_tail)->frag_list = skb;
++              if (rx->ctx.skb_tail == rx->ctx.skb_head)
++                      skb_shinfo(rx->ctx.skb_head)->frag_list = skb;
++              else
++                      rx->ctx.skb_tail->next = skb;
+               rx->ctx.skb_tail = skb;
+               num_frags = 0;
+       }
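Review bot: The new branch in gve_rx_append_frags() encodes a rule the code never states: only the head skb may use `frag_list`, and every later buffer is linked through `->next`. Comparing `rx->ctx.skb_tail` with `rx->ctx.skb_head` works as the "first extra skb" test only as long as both are reset together when a packet completes, which happens outside this hunk. I would add a comment above the branch, e.g. `/* frag_list is valid on the head only; chain further skbs via ->next */`. The function starts and ends outside the hunk.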
+-- 
+2.40.1
+
diff --git a/queue-6.1/idr-fix-param-name-in-idr_alloc_cyclic-doc.patch b/queue-6.1/idr-fix-param-name-in-idr_alloc_cyclic-doc.patch
new file mode 100644 (file)
index 0000000..1aabc12
--- /dev/null
@@ -0,0 +1,35 @@
+From 1a3c27d0d4fb419a0686c4d7a9c3bb6eeb33e152 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Aug 2023 20:33:17 +0300
+Subject: idr: fix param name in idr_alloc_cyclic() doc
+
+From: Ariel Marcovitch <arielmarcovitch@gmail.com>
+
+[ Upstream commit 2a15de80dd0f7e04a823291aa9eb49c5294f56af ]
+
+The relevant parameter is 'start' and not 'nextid'
+
+Fixes: 460488c58ca8 ("idr: Remove idr_alloc_ext")
+Signed-off-by: Ariel Marcovitch <arielmarcovitch@gmail.com>
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/idr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/idr.c b/lib/idr.c
+index 7ecdfdb5309e7..13f2758c23773 100644
+--- a/lib/idr.c
++++ b/lib/idr.c
+@@ -100,7 +100,7 @@ EXPORT_SYMBOL_GPL(idr_alloc);
+  * @end: The maximum ID (exclusive).
+  * @gfp: Memory allocation flags.
+  *
+- * Allocates an unused ID in the range specified by @nextid and @end.  If
++ * Allocates an unused ID in the range specified by @start and @end.  If
+  * @end is <= 0, it is treated as one larger than %INT_MAX.  This allows
+  * callers to use @start + N as @end as long as N is within integer range.
+  * The search for an unused ID will start at the last ID allocated and will
+-- 
+2.40.1
+
diff --git a/queue-6.1/igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch b/queue-6.1/igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch
new file mode 100644 (file)
index 0000000..b463d52
--- /dev/null
@@ -0,0 +1,44 @@
+From 54c65af97a29a3a2cd1325aeccb536f4af23d276 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 10:10:58 +0200
+Subject: igb: Change IGB_MIN to allow set rx/tx value between 64 and 80
+
+From: Olga Zaborska <olga.zaborska@intel.com>
+
+[ Upstream commit 6319685bdc8ad5310890add907b7c42f89302886 ]
+
+Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx
+value between 64 and 80. All igb devices can use as low as 64 descriptors.
+This change will unify igb with other drivers.
+Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64")
+
+Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver")
+Signed-off-by: Olga Zaborska <olga.zaborska@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb.h b/drivers/net/ethernet/intel/igb/igb.h
+index 015b781441149..a2b759531cb7b 100644
+--- a/drivers/net/ethernet/intel/igb/igb.h
++++ b/drivers/net/ethernet/intel/igb/igb.h
+@@ -34,11 +34,11 @@ struct igb_adapter;
+ /* TX/RX descriptor defines */
+ #define IGB_DEFAULT_TXD               256
+ #define IGB_DEFAULT_TX_WORK   128
+-#define IGB_MIN_TXD           80
++#define IGB_MIN_TXD           64
+ #define IGB_MAX_TXD           4096
+ #define IGB_DEFAULT_RXD               256
+-#define IGB_MIN_RXD           80
++#define IGB_MIN_RXD           64
+ #define IGB_MAX_RXD           4096
+ #define IGB_DEFAULT_ITR               3 /* dynamic */
+-- 
+2.40.1
+
diff --git a/queue-6.1/igb-disable-virtualization-features-on-82580.patch b/queue-6.1/igb-disable-virtualization-features-on-82580.patch
new file mode 100644 (file)
index 0000000..2d98da5
--- /dev/null
@@ -0,0 +1,40 @@
+From 5fe84938aae3e6f8235a76d27d68bfc0729bd1c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 14:19:13 +0200
+Subject: igb: disable virtualization features on 82580
+
+From: Corinna Vinschen <vinschen@redhat.com>
+
+[ Upstream commit fa09bc40b21a33937872c4c4cf0f266ec9fa4869 ]
+
+Disable virtualization features on 82580 just as on i210/i211.
+This avoids that virt functions are acidentally called on 82850.
+
+Fixes: 55cac248caa4 ("igb: Add full support for 82580 devices")
+Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index d0ead18ec0266..45ce4ed16146e 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -3877,8 +3877,9 @@ static void igb_probe_vfs(struct igb_adapter *adapter)
+       struct pci_dev *pdev = adapter->pdev;
+       struct e1000_hw *hw = &adapter->hw;
+-      /* Virtualization features not supported on i210 family. */
+-      if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211))
++      /* Virtualization features not supported on i210 and 82580 family. */
++      if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211) ||
++          (hw->mac.type == e1000_82580))
+               return;
+       /* Of the below we really only want the effect of getting
+-- 
+2.40.1
+
diff --git a/queue-6.1/igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch b/queue-6.1/igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch
new file mode 100644 (file)
index 0000000..2970b8a
--- /dev/null
@@ -0,0 +1,44 @@
+From 710211b42ddb124161b1ad64ff8207460d9c0ff7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 10:10:57 +0200
+Subject: igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80
+
+From: Olga Zaborska <olga.zaborska@intel.com>
+
+[ Upstream commit 8360717524a24a421c36ef8eb512406dbd42160a ]
+
+Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx
+value between 64 and 80. All igbvf devices can use as low as 64 descriptors.
+This change will unify igbvf with other drivers.
+Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64")
+
+Fixes: d4e0fe01a38a ("igbvf: add new driver to support 82576 virtual functions")
+Signed-off-by: Olga Zaborska <olga.zaborska@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igbvf/igbvf.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igbvf/igbvf.h b/drivers/net/ethernet/intel/igbvf/igbvf.h
+index 57d39ee00b585..7b83678ba83a6 100644
+--- a/drivers/net/ethernet/intel/igbvf/igbvf.h
++++ b/drivers/net/ethernet/intel/igbvf/igbvf.h
+@@ -39,11 +39,11 @@ enum latency_range {
+ /* Tx/Rx descriptor defines */
+ #define IGBVF_DEFAULT_TXD     256
+ #define IGBVF_MAX_TXD         4096
+-#define IGBVF_MIN_TXD         80
++#define IGBVF_MIN_TXD         64
+ #define IGBVF_DEFAULT_RXD     256
+ #define IGBVF_MAX_RXD         4096
+-#define IGBVF_MIN_RXD         80
++#define IGBVF_MIN_RXD         64
+ #define IGBVF_MIN_ITR_USECS   10 /* 100000 irq/sec */
+ #define IGBVF_MAX_ITR_USECS   10000 /* 100    irq/sec */
+-- 
+2.40.1
+
diff --git a/queue-6.1/igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch b/queue-6.1/igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch
new file mode 100644 (file)
index 0000000..33055fd
--- /dev/null
@@ -0,0 +1,44 @@
+From f52f76d995f01b33ec3bf1794279c1f0ff4bba5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 10:10:56 +0200
+Subject: igc: Change IGC_MIN to allow set rx/tx value between 64 and 80
+
+From: Olga Zaborska <olga.zaborska@intel.com>
+
+[ Upstream commit 5aa48279712e1f134aac908acde4df798955a955 ]
+
+Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx
+value between 64 and 80. All igc devices can use as low as 64 descriptors.
+This change will unify igc with other drivers.
+Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64")
+
+Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers")
+Signed-off-by: Olga Zaborska <olga.zaborska@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h
+index f83cbc4a1afa8..d3b17aa1d1a83 100644
+--- a/drivers/net/ethernet/intel/igc/igc.h
++++ b/drivers/net/ethernet/intel/igc/igc.h
+@@ -354,11 +354,11 @@ static inline u32 igc_rss_type(const union igc_adv_rx_desc *rx_desc)
+ /* TX/RX descriptor defines */
+ #define IGC_DEFAULT_TXD               256
+ #define IGC_DEFAULT_TX_WORK   128
+-#define IGC_MIN_TXD           80
++#define IGC_MIN_TXD           64
+ #define IGC_MAX_TXD           4096
+ #define IGC_DEFAULT_RXD               256
+-#define IGC_MIN_RXD           80
++#define IGC_MIN_RXD           64
+ #define IGC_MAX_RXD           4096
+ /* Supported Rx Buffer Sizes */
+-- 
+2.40.1
+
diff --git a/queue-6.1/input-iqs7222-configure-power-mode-before-triggering.patch b/queue-6.1/input-iqs7222-configure-power-mode-before-triggering.patch
new file mode 100644 (file)
index 0000000..fc3a205
--- /dev/null
@@ -0,0 +1,61 @@
+From 16f3f80eec94e55498cc162d81ac5c571a11255f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Jul 2023 12:06:37 -0500
+Subject: Input: iqs7222 - configure power mode before triggering ATI
+
+From: Jeff LaBundy <jeff@labundy.com>
+
+[ Upstream commit 2e00b8bf5624767f6be7427b6eb532524793463e ]
+
+If the device drops into ultra-low-power mode before being placed
+into normal-power mode as part of ATI being triggered, the device
+does not assert any interrupts until the ATI routine is restarted
+two seconds later.
+
+Solve this problem by adopting the vendor's recommendation, which
+calls for the device to be placed into normal-power mode prior to
+being configured and ATI being triggered.
+
+The original implementation followed this sequence, but the order
+was inadvertently changed as part of the resolution of a separate
+erratum.
+
+Fixes: 1e4189d8af27 ("Input: iqs7222 - protect volatile registers")
+Signed-off-by: Jeff LaBundy <jeff@labundy.com>
+Link: https://lore.kernel.org/r/ZKrpHc2Ji9qR25r2@nixie71
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/iqs7222.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/input/misc/iqs7222.c b/drivers/input/misc/iqs7222.c
+index e47ab6c1177f5..f24b174c72667 100644
+--- a/drivers/input/misc/iqs7222.c
++++ b/drivers/input/misc/iqs7222.c
+@@ -1381,9 +1381,6 @@ static int iqs7222_ati_trigger(struct iqs7222_private *iqs7222)
+       if (error)
+               return error;
+-      sys_setup &= ~IQS7222_SYS_SETUP_INTF_MODE_MASK;
+-      sys_setup &= ~IQS7222_SYS_SETUP_PWR_MODE_MASK;
+-
+       for (i = 0; i < IQS7222_NUM_RETRIES; i++) {
+               /*
+                * Trigger ATI from streaming and normal-power modes so that
+@@ -1561,8 +1558,11 @@ static int iqs7222_dev_init(struct iqs7222_private *iqs7222, int dir)
+                       return error;
+       }
+-      if (dir == READ)
++      if (dir == READ) {
++              iqs7222->sys_setup[0] &= ~IQS7222_SYS_SETUP_INTF_MODE_MASK;
++              iqs7222->sys_setup[0] &= ~IQS7222_SYS_SETUP_PWR_MODE_MASK;
+               return 0;
++      }
+       return iqs7222_ati_trigger(iqs7222);
+ }
+-- 
+2.40.1
+
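Review bot: The two mask-clearing statements added to iqs7222_dev_init() carry no comment. The text that explained them ("Trigger ATI from streaming and normal-power modes ...") stays behind in iqs7222_ati_trigger(), which no longer clears either field. I would add `/* Force streaming and normal-power modes in the cached setup; iqs7222_ati_trigger() relies on this. */` above them and fold the two statements into one: `iqs7222->sys_setup[0] &= ~(IQS7222_SYS_SETUP_INTF_MODE_MASK | IQS7222_SYS_SETUP_PWR_MODE_MASK);`. Both functions start and end outside the hunks, so how the local `sys_setup` in iqs7222_ati_trigger() is now derived from the cached value is not visible here.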
diff --git a/queue-6.1/input-tca6416-keypad-always-expect-proper-irq-number.patch b/queue-6.1/input-tca6416-keypad-always-expect-proper-irq-number.patch
new file mode 100644 (file)
index 0000000..59cb9c4
--- /dev/null
@@ -0,0 +1,128 @@
+From b932dd16f39d1e2669f45a148d6018874ae3d121 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Jul 2023 22:30:18 -0700
+Subject: Input: tca6416-keypad - always expect proper IRQ number in i2c client
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit 687fe7dfb736b03ab820d172ea5dbfc1ec447135 ]
+
+Remove option having i2c client contain raw gpio number instead of proper
+IRQ number. There are no users of this facility in mainline and it will
+allow cleaning up the driver code with regard to wakeup handling, etc.
+
+Link: https://lore.kernel.org/r/20230724053024.352054-1-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Stable-dep-of: cc141c35af87 ("Input: tca6416-keypad - fix interrupt enable disbalance")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/tca6416-keypad.c | 27 +++++++++----------------
+ include/linux/tca6416_keypad.h          |  1 -
+ 2 files changed, 10 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/input/keyboard/tca6416-keypad.c b/drivers/input/keyboard/tca6416-keypad.c
+index afcdfbb002ff3..b48adec8fe2e7 100644
+--- a/drivers/input/keyboard/tca6416-keypad.c
++++ b/drivers/input/keyboard/tca6416-keypad.c
+@@ -148,7 +148,7 @@ static int tca6416_keys_open(struct input_dev *dev)
+       if (chip->use_polling)
+               schedule_delayed_work(&chip->dwork, msecs_to_jiffies(100));
+       else
+-              enable_irq(chip->irqnum);
++              enable_irq(chip->client->irq);
+       return 0;
+ }
+@@ -160,7 +160,7 @@ static void tca6416_keys_close(struct input_dev *dev)
+       if (chip->use_polling)
+               cancel_delayed_work_sync(&chip->dwork);
+       else
+-              disable_irq(chip->irqnum);
++              disable_irq(chip->client->irq);
+ }
+ static int tca6416_setup_registers(struct tca6416_keypad_chip *chip)
+@@ -266,12 +266,7 @@ static int tca6416_keypad_probe(struct i2c_client *client,
+               goto fail1;
+       if (!chip->use_polling) {
+-              if (pdata->irq_is_gpio)
+-                      chip->irqnum = gpio_to_irq(client->irq);
+-              else
+-                      chip->irqnum = client->irq;
+-
+-              error = request_threaded_irq(chip->irqnum, NULL,
++              error = request_threaded_irq(client->irq, NULL,
+                                            tca6416_keys_isr,
+                                            IRQF_TRIGGER_FALLING |
+                                            IRQF_ONESHOT | IRQF_NO_AUTOEN,
+@@ -279,7 +274,7 @@ static int tca6416_keypad_probe(struct i2c_client *client,
+               if (error) {
+                       dev_dbg(&client->dev,
+                               "Unable to claim irq %d; error %d\n",
+-                              chip->irqnum, error);
++                              client->irq, error);
+                       goto fail1;
+               }
+       }
+@@ -298,8 +293,8 @@ static int tca6416_keypad_probe(struct i2c_client *client,
+ fail2:
+       if (!chip->use_polling) {
+-              free_irq(chip->irqnum, chip);
+-              enable_irq(chip->irqnum);
++              free_irq(client->irq, chip);
++              enable_irq(client->irq);
+       }
+ fail1:
+       input_free_device(input);
+@@ -312,8 +307,8 @@ static void tca6416_keypad_remove(struct i2c_client *client)
+       struct tca6416_keypad_chip *chip = i2c_get_clientdata(client);
+       if (!chip->use_polling) {
+-              free_irq(chip->irqnum, chip);
+-              enable_irq(chip->irqnum);
++              free_irq(client->irq, chip);
++              enable_irq(client->irq);
+       }
+       input_unregister_device(chip->input);
+@@ -324,10 +319,9 @@ static void tca6416_keypad_remove(struct i2c_client *client)
+ static int tca6416_keypad_suspend(struct device *dev)
+ {
+       struct i2c_client *client = to_i2c_client(dev);
+-      struct tca6416_keypad_chip *chip = i2c_get_clientdata(client);
+       if (device_may_wakeup(dev))
+-              enable_irq_wake(chip->irqnum);
++              enable_irq_wake(client->irq);
+       return 0;
+ }
+@@ -335,10 +329,9 @@ static int tca6416_keypad_suspend(struct device *dev)
+ static int tca6416_keypad_resume(struct device *dev)
+ {
+       struct i2c_client *client = to_i2c_client(dev);
+-      struct tca6416_keypad_chip *chip = i2c_get_clientdata(client);
+       if (device_may_wakeup(dev))
+-              disable_irq_wake(chip->irqnum);
++              disable_irq_wake(client->irq);
+       return 0;
+ }
+diff --git a/include/linux/tca6416_keypad.h b/include/linux/tca6416_keypad.h
+index b0d36a9934ccd..5cf6f6f82aa70 100644
+--- a/include/linux/tca6416_keypad.h
++++ b/include/linux/tca6416_keypad.h
+@@ -25,7 +25,6 @@ struct tca6416_keys_platform_data {
+       unsigned int rep:1;     /* enable input subsystem auto repeat */
+       uint16_t pinmask;
+       uint16_t invert;
+-      int irq_is_gpio;
+       int use_polling;        /* use polling if Interrupt is not connected*/
+ };
+ #endif
+-- 
+2.40.1
+
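Review bot: With the `irq_is_gpio` translation gone, a board that still passes a GPIO number in `client->irq` fails in `request_threaded_irq()`, and the only trace is a `dev_dbg()` line that is normally not printed. I would report that failure with `dev_err(&client->dev, "Unable to claim irq %d; error %d\n", client->irq, error);` so the misconfiguration is visible in the log. The `enable_irq()` calls that follow `free_irq()` in the `fail2` path and in tca6416_keypad_remove() are carried over unchanged here; the Stable-dep-of trailer points at the patch that addresses that imbalance. The probe function starts and ends outside these hunks.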
diff --git a/queue-6.1/input-tca6416-keypad-fix-interrupt-enable-disbalance.patch b/queue-6.1/input-tca6416-keypad-fix-interrupt-enable-disbalance.patch
new file mode 100644 (file)
index 0000000..889ae7d
--- /dev/null
@@ -0,0 +1,52 @@
+From 3f86f357bcb312a5820ffadaa153953572868ab6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Jul 2023 22:30:20 -0700
+Subject: Input: tca6416-keypad - fix interrupt enable disbalance
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit cc141c35af873c6796e043adcb820833bd8ef8c5 ]
+
+The driver has been switched to use IRQF_NO_AUTOEN, but in the error
+unwinding and remove paths calls to enable_irq() were left in place, which
+will lead to an incorrect enable counter value.
+
+Fixes: bcd9730a04a1 ("Input: move to use request_irq by IRQF_NO_AUTOEN flag")
+Link: https://lore.kernel.org/r/20230724053024.352054-3-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/tca6416-keypad.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/input/keyboard/tca6416-keypad.c b/drivers/input/keyboard/tca6416-keypad.c
+index b48adec8fe2e7..9c1489c0dae13 100644
+--- a/drivers/input/keyboard/tca6416-keypad.c
++++ b/drivers/input/keyboard/tca6416-keypad.c
+@@ -292,10 +292,8 @@ static int tca6416_keypad_probe(struct i2c_client *client,
+       return 0;
+ fail2:
+-      if (!chip->use_polling) {
++      if (!chip->use_polling)
+               free_irq(client->irq, chip);
+-              enable_irq(client->irq);
+-      }
+ fail1:
+       input_free_device(input);
+       kfree(chip);
+@@ -306,10 +304,8 @@ static void tca6416_keypad_remove(struct i2c_client *client)
+ {
+       struct tca6416_keypad_chip *chip = i2c_get_clientdata(client);
+-      if (!chip->use_polling) {
++      if (!chip->use_polling)
+               free_irq(client->irq, chip);
+-              enable_irq(client->irq);
+-      }
+       input_unregister_device(chip->input);
+       kfree(chip);
+-- 
+2.40.1
+
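Review bot: tca6416_keypad_remove() still calls `free_irq()` before `input_unregister_device()`, so if the input device is open at removal, the close callback would run `disable_irq()` on an interrupt line that has already been released. The close callback is not part of this hunk; the concern is inferred from tca6416_keys_close() as shown in the other tca6416 patch in this queue, and should be confirmed against the full file. If it holds, unregistering the input device first and freeing the IRQ afterwards keeps every disable paired with a live handler. The probe function starts outside the hunk.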
diff --git a/queue-6.1/ip_tunnels-use-dev_stats_inc.patch b/queue-6.1/ip_tunnels-use-dev_stats_inc.patch
new file mode 100644 (file)
index 0000000..46f9cbc
--- /dev/null
@@ -0,0 +1,128 @@
+From 02ae111853e9de6369edae229e7d12053563c622 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 13:40:46 +0000
+Subject: ip_tunnels: use DEV_STATS_INC()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9b271ebaf9a2c5c566a54bc6cd915962e8241130 ]
+
+syzbot/KCSAN reported data-races in iptunnel_xmit_stats() [1]
+
+This can run from multiple cpus without mutual exclusion.
+
+Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.
+
+[1]
+BUG: KCSAN: data-race in iptunnel_xmit / iptunnel_xmit
+
+read-write to 0xffff8881353df170 of 8 bytes by task 30263 on cpu 1:
+iptunnel_xmit_stats include/net/ip_tunnels.h:493 [inline]
+iptunnel_xmit+0x432/0x4a0 net/ipv4/ip_tunnel_core.c:87
+ip_tunnel_xmit+0x1477/0x1750 net/ipv4/ip_tunnel.c:831
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:662
+__netdev_start_xmit include/linux/netdevice.h:4889 [inline]
+netdev_start_xmit include/linux/netdevice.h:4903 [inline]
+xmit_one net/core/dev.c:3544 [inline]
+dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560
+__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340
+dev_queue_xmit include/linux/netdevice.h:3082 [inline]
+__bpf_tx_skb net/core/filter.c:2129 [inline]
+__bpf_redirect_no_mac net/core/filter.c:2159 [inline]
+__bpf_redirect+0x723/0x9c0 net/core/filter.c:2182
+____bpf_clone_redirect net/core/filter.c:2453 [inline]
+bpf_clone_redirect+0x16c/0x1d0 net/core/filter.c:2425
+___bpf_prog_run+0xd7d/0x41e0 kernel/bpf/core.c:1954
+__bpf_prog_run512+0x74/0xa0 kernel/bpf/core.c:2195
+bpf_dispatcher_nop_func include/linux/bpf.h:1181 [inline]
+__bpf_prog_run include/linux/filter.h:609 [inline]
+bpf_prog_run include/linux/filter.h:616 [inline]
+bpf_test_run+0x15d/0x3d0 net/bpf/test_run.c:423
+bpf_prog_test_run_skb+0x77b/0xa00 net/bpf/test_run.c:1045
+bpf_prog_test_run+0x265/0x3d0 kernel/bpf/syscall.c:3996
+__sys_bpf+0x3af/0x780 kernel/bpf/syscall.c:5353
+__do_sys_bpf kernel/bpf/syscall.c:5439 [inline]
+__se_sys_bpf kernel/bpf/syscall.c:5437 [inline]
+__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5437
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+read-write to 0xffff8881353df170 of 8 bytes by task 30249 on cpu 0:
+iptunnel_xmit_stats include/net/ip_tunnels.h:493 [inline]
+iptunnel_xmit+0x432/0x4a0 net/ipv4/ip_tunnel_core.c:87
+ip_tunnel_xmit+0x1477/0x1750 net/ipv4/ip_tunnel.c:831
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:662
+__netdev_start_xmit include/linux/netdevice.h:4889 [inline]
+netdev_start_xmit include/linux/netdevice.h:4903 [inline]
+xmit_one net/core/dev.c:3544 [inline]
+dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560
+__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340
+dev_queue_xmit include/linux/netdevice.h:3082 [inline]
+__bpf_tx_skb net/core/filter.c:2129 [inline]
+__bpf_redirect_no_mac net/core/filter.c:2159 [inline]
+__bpf_redirect+0x723/0x9c0 net/core/filter.c:2182
+____bpf_clone_redirect net/core/filter.c:2453 [inline]
+bpf_clone_redirect+0x16c/0x1d0 net/core/filter.c:2425
+___bpf_prog_run+0xd7d/0x41e0 kernel/bpf/core.c:1954
+__bpf_prog_run512+0x74/0xa0 kernel/bpf/core.c:2195
+bpf_dispatcher_nop_func include/linux/bpf.h:1181 [inline]
+__bpf_prog_run include/linux/filter.h:609 [inline]
+bpf_prog_run include/linux/filter.h:616 [inline]
+bpf_test_run+0x15d/0x3d0 net/bpf/test_run.c:423
+bpf_prog_test_run_skb+0x77b/0xa00 net/bpf/test_run.c:1045
+bpf_prog_test_run+0x265/0x3d0 kernel/bpf/syscall.c:3996
+__sys_bpf+0x3af/0x780 kernel/bpf/syscall.c:5353
+__do_sys_bpf kernel/bpf/syscall.c:5439 [inline]
+__se_sys_bpf kernel/bpf/syscall.c:5437 [inline]
+__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5437
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x0000000000018830 -> 0x0000000000018831
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 30249 Comm: syz-executor.4 Not tainted 6.5.0-syzkaller-11704-g3f86ed6ec0b3 #0
+
+Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip_tunnels.h | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
+index fca3576798166..bca80522f95c8 100644
+--- a/include/net/ip_tunnels.h
++++ b/include/net/ip_tunnels.h
+@@ -473,15 +473,14 @@ static inline void iptunnel_xmit_stats(struct net_device *dev, int pkt_len)
+               u64_stats_inc(&tstats->tx_packets);
+               u64_stats_update_end(&tstats->syncp);
+               put_cpu_ptr(tstats);
++              return;
++      }
++
++      if (pkt_len < 0) {
++              DEV_STATS_INC(dev, tx_errors);
++              DEV_STATS_INC(dev, tx_aborted_errors);
+       } else {
+-              struct net_device_stats *err_stats = &dev->stats;
+-
+-              if (pkt_len < 0) {
+-                      err_stats->tx_errors++;
+-                      err_stats->tx_aborted_errors++;
+-              } else {
+-                      err_stats->tx_dropped++;
+-              }
++              DEV_STATS_INC(dev, tx_dropped);
+       }
+ }
+-- 
+2.40.1
+
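Review bot: Only iptunnel_xmit_stats() is converted to `DEV_STATS_INC()` here, so any other writer that still does a plain `dev->stats.tx_errors++` or `dev->stats.tx_dropped++` on the same device would keep racing with these atomic updates. Such call sites are outside this hunk, so whether any remain in the tunnel drivers needs checking. A one-line comment above the error branch would record the rule for later edits: `/* dev->stats is shared by all CPUs; update it only via DEV_STATS_INC(). */`. The function starts outside the hunk, so the success branch is only partly visible.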
diff --git a/queue-6.1/ipv4-annotate-data-races-around-fi-fib_dead.patch b/queue-6.1/ipv4-annotate-data-races-around-fi-fib_dead.patch
new file mode 100644 (file)
index 0000000..8b40aa0
--- /dev/null
@@ -0,0 +1,136 @@
+From a1e1b471933f52b6dc8df9aad0d0608bea3f9fa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 09:55:20 +0000
+Subject: ipv4: annotate data-races around fi->fib_dead
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit fce92af1c29d90184dfec638b5738831097d66e9 ]
+
+syzbot complained about a data-race in fib_table_lookup() [1]
+
+Add appropriate annotations to document it.
+
+[1]
+BUG: KCSAN: data-race in fib_release_info / fib_table_lookup
+
+write to 0xffff888150f31744 of 1 bytes by task 1189 on cpu 0:
+fib_release_info+0x3a0/0x460 net/ipv4/fib_semantics.c:281
+fib_table_delete+0x8d2/0x900 net/ipv4/fib_trie.c:1777
+fib_magic+0x1c1/0x1f0 net/ipv4/fib_frontend.c:1106
+fib_del_ifaddr+0x8cf/0xa60 net/ipv4/fib_frontend.c:1317
+fib_inetaddr_event+0x77/0x200 net/ipv4/fib_frontend.c:1448
+notifier_call_chain kernel/notifier.c:93 [inline]
+blocking_notifier_call_chain+0x90/0x200 kernel/notifier.c:388
+__inet_del_ifa+0x4df/0x800 net/ipv4/devinet.c:432
+inet_del_ifa net/ipv4/devinet.c:469 [inline]
+inetdev_destroy net/ipv4/devinet.c:322 [inline]
+inetdev_event+0x553/0xaf0 net/ipv4/devinet.c:1606
+notifier_call_chain kernel/notifier.c:93 [inline]
+raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461
+call_netdevice_notifiers_info net/core/dev.c:1962 [inline]
+call_netdevice_notifiers_mtu+0xd2/0x130 net/core/dev.c:2037
+dev_set_mtu_ext+0x30b/0x3e0 net/core/dev.c:8673
+do_setlink+0x5be/0x2430 net/core/rtnetlink.c:2837
+rtnl_setlink+0x255/0x300 net/core/rtnetlink.c:3177
+rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6445
+netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2549
+rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6463
+netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
+netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365
+netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1914
+sock_sendmsg_nosec net/socket.c:725 [inline]
+sock_sendmsg net/socket.c:748 [inline]
+sock_write_iter+0x1aa/0x230 net/socket.c:1129
+do_iter_write+0x4b4/0x7b0 fs/read_write.c:860
+vfs_writev+0x1a8/0x320 fs/read_write.c:933
+do_writev+0xf8/0x220 fs/read_write.c:976
+__do_sys_writev fs/read_write.c:1049 [inline]
+__se_sys_writev fs/read_write.c:1046 [inline]
+__x64_sys_writev+0x45/0x50 fs/read_write.c:1046
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+read to 0xffff888150f31744 of 1 bytes by task 21839 on cpu 1:
+fib_table_lookup+0x2bf/0xd50 net/ipv4/fib_trie.c:1585
+fib_lookup include/net/ip_fib.h:383 [inline]
+ip_route_output_key_hash_rcu+0x38c/0x12c0 net/ipv4/route.c:2751
+ip_route_output_key_hash net/ipv4/route.c:2641 [inline]
+__ip_route_output_key include/net/route.h:134 [inline]
+ip_route_output_flow+0xa6/0x150 net/ipv4/route.c:2869
+send4+0x1e7/0x500 drivers/net/wireguard/socket.c:61
+wg_socket_send_skb_to_peer+0x94/0x130 drivers/net/wireguard/socket.c:175
+wg_socket_send_buffer_to_peer+0xd6/0x100 drivers/net/wireguard/socket.c:200
+wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
+wg_packet_handshake_send_worker+0x10c/0x150 drivers/net/wireguard/send.c:51
+process_one_work+0x434/0x860 kernel/workqueue.c:2600
+worker_thread+0x5f2/0xa10 kernel/workqueue.c:2751
+kthread+0x1d7/0x210 kernel/kthread.c:389
+ret_from_fork+0x2e/0x40 arch/x86/kernel/process.c:145
+ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
+
+value changed: 0x00 -> 0x01
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 21839 Comm: kworker/u4:18 Tainted: G W 6.5.0-syzkaller #0
+
+Fixes: dccd9ecc3744 ("ipv4: Do not use dead fib_info entries.")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20230830095520.1046984-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fib_semantics.c | 5 ++++-
+ net/ipv4/fib_trie.c      | 3 ++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
+index 3bb890a40ed73..3b6e6bc80dc1c 100644
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -278,7 +278,8 @@ void fib_release_info(struct fib_info *fi)
+                               hlist_del(&nexthop_nh->nh_hash);
+                       } endfor_nexthops(fi)
+               }
+-              fi->fib_dead = 1;
++              /* Paired with READ_ONCE() from fib_table_lookup() */
++              WRITE_ONCE(fi->fib_dead, 1);
+               fib_info_put(fi);
+       }
+       spin_unlock_bh(&fib_info_lock);
+@@ -1581,6 +1582,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg,
+ link_it:
+       ofi = fib_find_info(fi);
+       if (ofi) {
++              /* fib_table_lookup() should not see @fi yet. */
+               fi->fib_dead = 1;
+               free_fib_info(fi);
+               refcount_inc(&ofi->fib_treeref);
+@@ -1619,6 +1621,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg,
+ failure:
+       if (fi) {
++              /* fib_table_lookup() should not see @fi yet. */
+               fi->fib_dead = 1;
+               free_fib_info(fi);
+       }
+diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
+index 74d403dbd2b4e..d13fb9e76b971 100644
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -1582,7 +1582,8 @@ int fib_table_lookup(struct fib_table *tb, const struct flowi4 *flp,
+               if (fa->fa_dscp &&
+                   inet_dscp_to_dsfield(fa->fa_dscp) != flp->flowi4_tos)
+                       continue;
+-              if (fi->fib_dead)
++              /* Paired with WRITE_ONCE() in fib_release_info() */
++              if (READ_ONCE(fi->fib_dead))
+                       continue;
+               if (fa->fa_info->fib_scope < flp->flowi4_scope)
+                       continue;
+-- 
+2.40.1
+
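Review bot: The READ_ONCE()/WRITE_ONCE() pair marks the `fi->fib_dead` access as intentionally lockless but adds no ordering, so fib_table_lookup() can still read 0 just before fib_release_info() stores 1 and then go on using `fi`. The added comments name the pairing but not why a stale 0 is acceptable. I would extend the lookup-side comment to `/* Lockless read, paired with WRITE_ONCE() in fib_release_info(); a stale 0 is tolerated. */` and have someone who can confirm the lifetime rule add it (presumably deferred freeing of the fib_info, which is not visible in these hunks). Any other reader of `fi->fib_dead` that runs without `fib_info_lock` would need the same annotation. All three functions continue outside the hunks.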
diff --git a/queue-6.1/ipv4-ignore-dst-hint-for-multipath-routes.patch b/queue-6.1/ipv4-ignore-dst-hint-for-multipath-routes.patch
new file mode 100644 (file)
index 0000000..5d85a68
--- /dev/null
@@ -0,0 +1,71 @@
+From c49cedc6992eec43ac9e3a89c4defdbea018bd7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 10:03:30 +0200
+Subject: ipv4: ignore dst hint for multipath routes
+
+From: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
+
+[ Upstream commit 6ac66cb03ae306c2e288a9be18226310529f5b25 ]
+
+Route hints when the nexthop is part of a multipath group causes packets
+in the same receive batch to be sent to the same nexthop irrespective of
+the multipath hash of the packet. So, do not extract route hint for
+packets whose destination is part of a multipath group.
+
+A new SKB flag IPSKB_MULTIPATH is introduced for this purpose, set the
+flag when route is looked up in ip_mkroute_input() and use it in
+ip_extract_route_hint() to check for the existence of the flag.
+
+Fixes: 02b24941619f ("ipv4: use dst hint for ipv4 list receive")
+Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip.h    | 1 +
+ net/ipv4/ip_input.c | 3 ++-
+ net/ipv4/route.c    | 1 +
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/ip.h b/include/net/ip.h
+index 1872f570abeda..c286344628dba 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -57,6 +57,7 @@ struct inet_skb_parm {
+ #define IPSKB_FRAG_PMTU               BIT(6)
+ #define IPSKB_L3SLAVE         BIT(7)
+ #define IPSKB_NOPOLICY                BIT(8)
++#define IPSKB_MULTIPATH               BIT(9)
+       u16                     frag_max_size;
+ };
+diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
+index e880ce77322aa..e7196ecffafc6 100644
+--- a/net/ipv4/ip_input.c
++++ b/net/ipv4/ip_input.c
+@@ -584,7 +584,8 @@ static void ip_sublist_rcv_finish(struct list_head *head)
+ static struct sk_buff *ip_extract_route_hint(const struct net *net,
+                                            struct sk_buff *skb, int rt_type)
+ {
+-      if (fib4_has_custom_rules(net) || rt_type == RTN_BROADCAST)
++      if (fib4_has_custom_rules(net) || rt_type == RTN_BROADCAST ||
++          IPCB(skb)->flags & IPSKB_MULTIPATH)
+               return NULL;
+       return skb;
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 51bd9a50a1d1d..a04ffc128e22b 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -2146,6 +2146,7 @@ static int ip_mkroute_input(struct sk_buff *skb,
+               int h = fib_multipath_hash(res->fi->fib_net, NULL, skb, hkeys);
+               fib_select_multipath(res, h);
++              IPCB(skb)->flags |= IPSKB_MULTIPATH;
+       }
+ #endif
+-- 
+2.40.1
+
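Review bot: The new condition in ip_extract_route_hint() mixes `||` with an unparenthesised `&`; it parses as intended, but the reader has to recall the precedence to be sure, so I would write `(IPCB(skb)->flags & IPSKB_MULTIPATH)`. The same applies to `IP6CB(skb)->flags & IP6SKB_MULTIPATH` in ip6_extract_route_hint() in the ipv6 patch of this queue. The new `IPSKB_MULTIPATH` define would also benefit from a short comment, for example `/* route was chosen by multipath hash; do not reuse it as a dst hint */`. ip_mkroute_input() starts and ends outside its hunk, so whether the flag can be set on an skb that is later looked up again is not visible here.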
diff --git a/queue-6.1/ipv6-ignore-dst-hint-for-multipath-routes.patch b/queue-6.1/ipv6-ignore-dst-hint-for-multipath-routes.patch
new file mode 100644 (file)
index 0000000..7077c44
--- /dev/null
@@ -0,0 +1,73 @@
+From 33d439c8bac978b68b474affba2854198e92b446 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 10:03:31 +0200
+Subject: ipv6: ignore dst hint for multipath routes
+
+From: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
+
+[ Upstream commit 8423be8926aa82cd2e28bba5cc96ccb72c7ce6be ]
+
+Route hints when the nexthop is part of a multipath group causes packets
+in the same receive batch to be sent to the same nexthop irrespective of
+the multipath hash of the packet. So, do not extract route hint for
+packets whose destination is part of a multipath group.
+
+A new SKB flag IP6SKB_MULTIPATH is introduced for this purpose, set the
+flag when route is looked up in fib6_select_path() and use it in
+ip6_can_use_hint() to check for the existence of the flag.
+
+Fixes: 197dbf24e360 ("ipv6: introduce and uses route look hints for list input.")
+Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ipv6.h | 1 +
+ net/ipv6/ip6_input.c | 3 ++-
+ net/ipv6/route.c     | 3 +++
+ 3 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
+index 37dfdcfcdd542..15d7529ac9534 100644
+--- a/include/linux/ipv6.h
++++ b/include/linux/ipv6.h
+@@ -146,6 +146,7 @@ struct inet6_skb_parm {
+ #define IP6SKB_JUMBOGRAM      128
+ #define IP6SKB_SEG6         256
+ #define IP6SKB_FAKEJUMBO      512
++#define IP6SKB_MULTIPATH      1024
+ };
+ #if defined(CONFIG_NET_L3_MASTER_DEV)
+diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
+index d94041bb42872..b8378814532ce 100644
+--- a/net/ipv6/ip6_input.c
++++ b/net/ipv6/ip6_input.c
+@@ -99,7 +99,8 @@ static bool ip6_can_use_hint(const struct sk_buff *skb,
+ static struct sk_buff *ip6_extract_route_hint(const struct net *net,
+                                             struct sk_buff *skb)
+ {
+-      if (fib6_routes_require_src(net) || fib6_has_custom_rules(net))
++      if (fib6_routes_require_src(net) || fib6_has_custom_rules(net) ||
++          IP6CB(skb)->flags & IP6SKB_MULTIPATH)
+               return NULL;
+       return skb;
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 960ab43a49c46..93957b20fccce 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -425,6 +425,9 @@ void fib6_select_path(const struct net *net, struct fib6_result *res,
+       if (match->nh && have_oif_match && res->nh)
+               return;
++      if (skb)
++              IP6CB(skb)->flags |= IP6SKB_MULTIPATH;
++
+       /* We might have already computed the hash for ICMPv6 errors. In such
+        * case it will always be non-zero. Otherwise now is the time to do it.
+        */
+-- 
+2.40.1
+
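Review bot: fib6_select_path() now writes `IP6CB(skb)->flags` for every non-NULL `skb`, which is only valid while the skb's control block is laid out as `struct inet6_skb_parm`. The callers are outside this hunk; if any of them runs at a layer that uses `skb->cb` for its own data, this store would overwrite that data, so each caller that passes an skb should be checked. A comment at the store stating the requirement would help: `/* Callers must pass NULL or an skb whose cb is IP6CB. */`. The function starts and ends outside the hunk.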
diff --git a/queue-6.1/kbuild-do-not-run-depmod-for-make-modules_sign.patch b/queue-6.1/kbuild-do-not-run-depmod-for-make-modules_sign.patch
new file mode 100644 (file)
index 0000000..7b5b73b
--- /dev/null
@@ -0,0 +1,41 @@
+From e42cb948f88085e904ab41b02994568913431fd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Aug 2023 20:50:41 +0900
+Subject: kbuild: do not run depmod for 'make modules_sign'
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 2429742e506a2b5939a62c629c4a46d91df0ada8 ]
+
+Commit 961ab4a3cd66 ("kbuild: merge scripts/Makefile.modsign to
+scripts/Makefile.modinst") started to run depmod at the end of
+'make modules_sign'.
+
+Move the depmod rule to scripts/Makefile.modinst and run it only when
+$(modules_sign_only) is empty.
+
+Fixes: 961ab4a3cd66 ("kbuild: merge scripts/Makefile.modsign to scripts/Makefile.modinst")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Reviewed-by: Nicolas Schier <nicolas@fjasle.eu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Makefile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Makefile b/Makefile
+index 35fc0d62898dc..f23edaa0e8139 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1939,7 +1939,9 @@ quiet_cmd_depmod = DEPMOD  $(MODLIB)
+ modules_install:
+       $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modinst
++ifndef modules_sign_only
+       $(call cmd,depmod)
++endif
+ else # CONFIG_MODULES
+-- 
+2.40.1
+
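Review bot: The description says the depmod rule is moved to scripts/Makefile.modinst, but the diff in this queued patch only touches the top-level Makefile, wrapping `$(call cmd,depmod)` in `ifndef modules_sign_only` under `modules_install:`. The two do not match, which suggests the backport was adapted from the upstream change, yet nothing in the message says so. A one-line backport note under the upstream commit reference would record that, for example `[ 6.1: depmod stays in the top-level Makefile and is guarded with ifndef modules_sign_only ]`. Where `modules_sign_only` is set is not visible in this hunk, so it is worth confirming that 6.1 defines it for `make modules_sign`.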
diff --git a/queue-6.1/kbuild-rpm-pkg-define-_arch-conditionally.patch b/queue-6.1/kbuild-rpm-pkg-define-_arch-conditionally.patch
new file mode 100644 (file)
index 0000000..afe3216
--- /dev/null
@@ -0,0 +1,39 @@
+From 79ed58c7c079dd1883b57614be4b775a2e6b7238 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Jul 2023 13:47:48 +0900
+Subject: kbuild: rpm-pkg: define _arch conditionally
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 233046a2afd12a4f699305b92ee634eebf1e4f31 ]
+
+Commit 3089b2be0cce ("kbuild: rpm-pkg: fix build error when _arch is
+undefined") does not work as intended; _arch is always defined as
+$UTS_MACHINE.
+
+The intention was to define _arch to $UTS_MACHINE only when it is not
+defined.
+
+Fixes: 3089b2be0cce ("kbuild: rpm-pkg: fix build error when _arch is undefined")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/package/mkspec | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/package/mkspec b/scripts/package/mkspec
+index 70392fd2fd29c..f892cf8e37f03 100755
+--- a/scripts/package/mkspec
++++ b/scripts/package/mkspec
+@@ -51,7 +51,7 @@ $S   Source: kernel-$__KERNELRELEASE.tar.gz
+       Provides: $PROVIDES
+       # $UTS_MACHINE as a fallback of _arch in case
+       # /usr/lib/rpm/platform/*/macros was not included.
+-      %define _arch %{?_arch:$UTS_MACHINE}
++      %{!?_arch: %define _arch $UTS_MACHINE}
+       %define __spec_install_post /usr/lib/rpm/brp-compress || :
+       %define debug_package %{nil}
+-- 
+2.40.1
+
diff --git a/queue-6.1/kcm-destroy-mutex-in-kcm_exit_net.patch b/queue-6.1/kcm-destroy-mutex-in-kcm_exit_net.patch
new file mode 100644 (file)
index 0000000..b9996fe
--- /dev/null
@@ -0,0 +1,37 @@
+From 895454bd20e3aa591f5ee24e7160404b1cd19d6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Sep 2023 02:07:08 +0900
+Subject: kcm: Destroy mutex in kcm_exit_net()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 6ad40b36cd3b04209e2d6c89d252c873d8082a59 ]
+
+kcm_exit_net() should call mutex_destroy() on knet->mutex. This is especially
+needed if CONFIG_DEBUG_MUTEXES is enabled.
+
+Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Link: https://lore.kernel.org/r/20230902170708.1727999-1-syoshida@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/kcm/kcmsock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
+index 890a2423f559e..6a97662d7548e 100644
+--- a/net/kcm/kcmsock.c
++++ b/net/kcm/kcmsock.c
+@@ -1981,6 +1981,8 @@ static __net_exit void kcm_exit_net(struct net *net)
+        * that all multiplexors and psocks have been destroyed.
+        */
+       WARN_ON(!list_empty(&knet->mux_list));
++
++      mutex_destroy(&knet->mutex);
+ }
+ static struct pernet_operations kcm_net_ops = {
+-- 
+2.40.1
+
diff --git a/queue-6.1/kconfig-fix-possible-buffer-overflow.patch b/queue-6.1/kconfig-fix-possible-buffer-overflow.patch
new file mode 100644 (file)
index 0000000..c102317
--- /dev/null
@@ -0,0 +1,38 @@
+From 91dc7bf7cabdafffe131ba54cf10a1598ffbbcb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 17:59:14 +0800
+Subject: kconfig: fix possible buffer overflow
+
+From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
+
+[ Upstream commit a3b7039bb2b22fcd2ad20d59c00ed4e606ce3754 ]
+
+Buffer 'new_argv' is accessed without bound check after accessing with
+bound check via 'new_argc' index.
+
+Fixes: e298f3b49def ("kconfig: add built-in function support")
+Co-developed-by: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com>
+Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/preprocess.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/preprocess.c b/scripts/kconfig/preprocess.c
+index 748da578b418c..d1f5bcff4b62d 100644
+--- a/scripts/kconfig/preprocess.c
++++ b/scripts/kconfig/preprocess.c
+@@ -396,6 +396,9 @@ static char *eval_clause(const char *str, size_t len, int argc, char *argv[])
+               p++;
+       }
++
++      if (new_argc >= FUNCTION_MAX_ARGS)
++              pperror("too many function arguments");
+       new_argv[new_argc++] = prev;
+       /*
+-- 
+2.40.1
+
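Review bot: The added guard in front of `new_argv[new_argc++] = prev;` keeps the store inside the array only if pperror() never returns, and nothing in the hunk shows that. If pperror() is declared noreturn elsewhere in preprocess.c, a short comment at the check would make the dependency explicit, for example `/* pperror() does not return, so the store below stays within new_argv[] */`. Without it, a later change that lets pperror() return would silently reopen the out-of-bounds write at index FUNCTION_MAX_ARGS. eval_clause() starts and ends outside the hunk, so the declaration of new_argv and the earlier in-loop check are not visible here.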
diff --git a/queue-6.1/kvm-svm-correct-the-size-of-spec_ctrl-field-in-vmcb-.patch b/queue-6.1/kvm-svm-correct-the-size-of-spec_ctrl-field-in-vmcb-.patch
new file mode 100644 (file)
index 0000000..c4f31a8
--- /dev/null
@@ -0,0 +1,60 @@
+From 11f5e505e7b73a1d76ba076f00630d72e0e4e3c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jul 2023 04:19:03 +0000
+Subject: KVM: SVM: correct the size of spec_ctrl field in VMCB save area
+
+From: Manali Shukla <manali.shukla@amd.com>
+
+[ Upstream commit f67063414c0e83bb4a9e12358cc179af53c2a8bb ]
+
+Correct the spec_ctrl field in the VMCB save area based on the AMD
+Programmer's manual.
+
+Originally, the spec_ctrl was listed as u32 with 4 bytes of reserved
+area.  The AMD Programmer's Manual now lists the spec_ctrl as 8 bytes
+in VMCB save area.
+
+The Public Processor Programming reference for Genoa, shows SPEC_CTRL
+as 64b register, but the AMD Programmer's Manual lists SPEC_CTRL as
+32b register. This discrepancy will be cleaned up in next revision of
+the AMD Programmer's Manual.
+
+Since remaining bits above bit 7 are reserved bits in SPEC_CTRL MSR
+and thus, not being used, the spec_ctrl added as u32 in the VMCB save
+area is currently not an issue.
+
+Fixes: 3dd2775b74c9 ("KVM: SVM: Create a separate mapping for the SEV-ES save area")
+Suggested-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Manali Shukla <manali.shukla@amd.com>
+Link: https://lore.kernel.org/r/20230717041903.85480-1-manali.shukla@amd.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/svm.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h
+index 770dcf75eaa97..a14e62a12d616 100644
+--- a/arch/x86/include/asm/svm.h
++++ b/arch/x86/include/asm/svm.h
+@@ -337,7 +337,7 @@ struct vmcb_save_area {
+       u64 last_excp_from;
+       u64 last_excp_to;
+       u8 reserved_0x298[72];
+-      u32 spec_ctrl;          /* Guest version of SPEC_CTRL at 0x2E0 */
++      u64 spec_ctrl;          /* Guest version of SPEC_CTRL at 0x2E0 */
+ } __packed;
+ /* Save area definition for SEV-ES and SEV-SNP guests */
+@@ -504,7 +504,7 @@ struct ghcb {
+ } __packed;
+-#define EXPECTED_VMCB_SAVE_AREA_SIZE          740
++#define EXPECTED_VMCB_SAVE_AREA_SIZE          744
+ #define EXPECTED_GHCB_SAVE_AREA_SIZE          1032
+ #define EXPECTED_SEV_ES_SAVE_AREA_SIZE                1648
+ #define EXPECTED_VMCB_CONTROL_AREA_SIZE               1024
+-- 
+2.40.1
+
diff --git a/queue-6.1/kvm-svm-name-and-check-reserved-fields-with-structs-.patch b/queue-6.1/kvm-svm-name-and-check-reserved-fields-with-structs-.patch
new file mode 100644 (file)
index 0000000..6c79093
--- /dev/null
@@ -0,0 +1,267 @@
+From 033671fc511439f6fde88640d0bff031ad9bb80a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Oct 2022 11:44:48 -0500
+Subject: KVM: SVM: Name and check reserved fields with structs offset
+
+From: Carlos Bilbao <carlos.bilbao@amd.com>
+
+[ Upstream commit d08b48585309247d4d28051dd7a315eef5d1db26 ]
+
+Rename reserved fields on all structs in arch/x86/include/asm/svm.h
+following their offset within the structs. Include compile time checks for
+this in the same place where other BUILD_BUG_ON for the structs are.
+
+This also solves that fields of struct sev_es_save_area are named by their
+order of appearance, but right now they jump from reserved_5 to reserved_7.
+
+Link: https://lkml.org/lkml/2022/10/22/376
+Signed-off-by: Carlos Bilbao <carlos.bilbao@amd.com>
+Message-Id: <20221024164448.203351-1-carlos.bilbao@amd.com>
+[Use ASSERT_STRUCT_OFFSET + fix a couple wrong offsets. - Paolo]
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Stable-dep-of: f67063414c0e ("KVM: SVM: correct the size of spec_ctrl field in VMCB save area")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/svm.h | 93 ++++++++++++++++++++++++++------------
+ arch/x86/kvm/svm/sev.c     |  2 +-
+ 2 files changed, 66 insertions(+), 29 deletions(-)
+
+diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h
+index 02aac78cb21d4..770dcf75eaa97 100644
+--- a/arch/x86/include/asm/svm.h
++++ b/arch/x86/include/asm/svm.h
+@@ -300,12 +300,13 @@ struct vmcb_save_area {
+       struct vmcb_seg ldtr;
+       struct vmcb_seg idtr;
+       struct vmcb_seg tr;
+-      u8 reserved_1[42];
++      /* Reserved fields are named following their struct offset */
++      u8 reserved_0xa0[42];
+       u8 vmpl;
+       u8 cpl;
+-      u8 reserved_2[4];
++      u8 reserved_0xcc[4];
+       u64 efer;
+-      u8 reserved_3[112];
++      u8 reserved_0xd8[112];
+       u64 cr4;
+       u64 cr3;
+       u64 cr0;
+@@ -313,7 +314,7 @@ struct vmcb_save_area {
+       u64 dr6;
+       u64 rflags;
+       u64 rip;
+-      u8 reserved_4[88];
++      u8 reserved_0x180[88];
+       u64 rsp;
+       u64 s_cet;
+       u64 ssp;
+@@ -328,14 +329,14 @@ struct vmcb_save_area {
+       u64 sysenter_esp;
+       u64 sysenter_eip;
+       u64 cr2;
+-      u8 reserved_5[32];
++      u8 reserved_0x248[32];
+       u64 g_pat;
+       u64 dbgctl;
+       u64 br_from;
+       u64 br_to;
+       u64 last_excp_from;
+       u64 last_excp_to;
+-      u8 reserved_6[72];
++      u8 reserved_0x298[72];
+       u32 spec_ctrl;          /* Guest version of SPEC_CTRL at 0x2E0 */
+ } __packed;
+@@ -356,12 +357,12 @@ struct sev_es_save_area {
+       u64 vmpl2_ssp;
+       u64 vmpl3_ssp;
+       u64 u_cet;
+-      u8 reserved_1[2];
++      u8 reserved_0xc8[2];
+       u8 vmpl;
+       u8 cpl;
+-      u8 reserved_2[4];
++      u8 reserved_0xcc[4];
+       u64 efer;
+-      u8 reserved_3[104];
++      u8 reserved_0xd8[104];
+       u64 xss;
+       u64 cr4;
+       u64 cr3;
+@@ -378,7 +379,7 @@ struct sev_es_save_area {
+       u64 dr1_addr_mask;
+       u64 dr2_addr_mask;
+       u64 dr3_addr_mask;
+-      u8 reserved_4[24];
++      u8 reserved_0x1c0[24];
+       u64 rsp;
+       u64 s_cet;
+       u64 ssp;
+@@ -393,21 +394,21 @@ struct sev_es_save_area {
+       u64 sysenter_esp;
+       u64 sysenter_eip;
+       u64 cr2;
+-      u8 reserved_5[32];
++      u8 reserved_0x248[32];
+       u64 g_pat;
+       u64 dbgctl;
+       u64 br_from;
+       u64 br_to;
+       u64 last_excp_from;
+       u64 last_excp_to;
+-      u8 reserved_7[80];
++      u8 reserved_0x298[80];
+       u32 pkru;
+-      u8 reserved_8[20];
+-      u64 reserved_9;         /* rax already available at 0x01f8 */
++      u32 tsc_aux;
++      u8 reserved_0x2f0[24];
+       u64 rcx;
+       u64 rdx;
+       u64 rbx;
+-      u64 reserved_10;        /* rsp already available at 0x01d8 */
++      u64 reserved_0x320;     /* rsp already available at 0x01d8 */
+       u64 rbp;
+       u64 rsi;
+       u64 rdi;
+@@ -419,7 +420,7 @@ struct sev_es_save_area {
+       u64 r13;
+       u64 r14;
+       u64 r15;
+-      u8 reserved_11[16];
++      u8 reserved_0x380[16];
+       u64 guest_exit_info_1;
+       u64 guest_exit_info_2;
+       u64 guest_exit_int_info;
+@@ -432,7 +433,7 @@ struct sev_es_save_area {
+       u64 pcpu_id;
+       u64 event_inj;
+       u64 xcr0;
+-      u8 reserved_12[16];
++      u8 reserved_0x3f0[16];
+       /* Floating point area */
+       u64 x87_dp;
+@@ -450,23 +451,23 @@ struct sev_es_save_area {
+ } __packed;
+ struct ghcb_save_area {
+-      u8 reserved_1[203];
++      u8 reserved_0x0[203];
+       u8 cpl;
+-      u8 reserved_2[116];
++      u8 reserved_0xcc[116];
+       u64 xss;
+-      u8 reserved_3[24];
++      u8 reserved_0x148[24];
+       u64 dr7;
+-      u8 reserved_4[16];
++      u8 reserved_0x168[16];
+       u64 rip;
+-      u8 reserved_5[88];
++      u8 reserved_0x180[88];
+       u64 rsp;
+-      u8 reserved_6[24];
++      u8 reserved_0x1e0[24];
+       u64 rax;
+-      u8 reserved_7[264];
++      u8 reserved_0x200[264];
+       u64 rcx;
+       u64 rdx;
+       u64 rbx;
+-      u8 reserved_8[8];
++      u8 reserved_0x320[8];
+       u64 rbp;
+       u64 rsi;
+       u64 rdi;
+@@ -478,12 +479,12 @@ struct ghcb_save_area {
+       u64 r13;
+       u64 r14;
+       u64 r15;
+-      u8 reserved_9[16];
++      u8 reserved_0x380[16];
+       u64 sw_exit_code;
+       u64 sw_exit_info_1;
+       u64 sw_exit_info_2;
+       u64 sw_scratch;
+-      u8 reserved_10[56];
++      u8 reserved_0x3b0[56];
+       u64 xcr0;
+       u8 valid_bitmap[16];
+       u64 x87_state_gpa;
+@@ -497,7 +498,7 @@ struct ghcb {
+       u8 shared_buffer[GHCB_SHARED_BUF_SIZE];
+-      u8 reserved_1[10];
++      u8 reserved_0xff0[10];
+       u16 protocol_version;   /* negotiated SEV-ES/GHCB protocol version */
+       u32 ghcb_usage;
+ } __packed;
+@@ -509,6 +510,9 @@ struct ghcb {
+ #define EXPECTED_VMCB_CONTROL_AREA_SIZE               1024
+ #define EXPECTED_GHCB_SIZE                    PAGE_SIZE
++#define BUILD_BUG_RESERVED_OFFSET(x, y) \
++      ASSERT_STRUCT_OFFSET(struct x, reserved ## _ ## y, y)
++
+ static inline void __unused_size_checks(void)
+ {
+       BUILD_BUG_ON(sizeof(struct vmcb_save_area)      != EXPECTED_VMCB_SAVE_AREA_SIZE);
+@@ -516,6 +520,39 @@ static inline void __unused_size_checks(void)
+       BUILD_BUG_ON(sizeof(struct sev_es_save_area)    != EXPECTED_SEV_ES_SAVE_AREA_SIZE);
+       BUILD_BUG_ON(sizeof(struct vmcb_control_area)   != EXPECTED_VMCB_CONTROL_AREA_SIZE);
+       BUILD_BUG_ON(sizeof(struct ghcb)                != EXPECTED_GHCB_SIZE);
++
++      /* Check offsets of reserved fields */
++
++      BUILD_BUG_RESERVED_OFFSET(vmcb_save_area, 0xa0);
++      BUILD_BUG_RESERVED_OFFSET(vmcb_save_area, 0xcc);
++      BUILD_BUG_RESERVED_OFFSET(vmcb_save_area, 0xd8);
++      BUILD_BUG_RESERVED_OFFSET(vmcb_save_area, 0x180);
++      BUILD_BUG_RESERVED_OFFSET(vmcb_save_area, 0x248);
++      BUILD_BUG_RESERVED_OFFSET(vmcb_save_area, 0x298);
++
++      BUILD_BUG_RESERVED_OFFSET(sev_es_save_area, 0xc8);
++      BUILD_BUG_RESERVED_OFFSET(sev_es_save_area, 0xcc);
++      BUILD_BUG_RESERVED_OFFSET(sev_es_save_area, 0xd8);
++      BUILD_BUG_RESERVED_OFFSET(sev_es_save_area, 0x1c0);
++      BUILD_BUG_RESERVED_OFFSET(sev_es_save_area, 0x248);
++      BUILD_BUG_RESERVED_OFFSET(sev_es_save_area, 0x298);
++      BUILD_BUG_RESERVED_OFFSET(sev_es_save_area, 0x2f0);
++      BUILD_BUG_RESERVED_OFFSET(sev_es_save_area, 0x320);
++      BUILD_BUG_RESERVED_OFFSET(sev_es_save_area, 0x380);
++      BUILD_BUG_RESERVED_OFFSET(sev_es_save_area, 0x3f0);
++
++      BUILD_BUG_RESERVED_OFFSET(ghcb_save_area, 0x0);
++      BUILD_BUG_RESERVED_OFFSET(ghcb_save_area, 0xcc);
++      BUILD_BUG_RESERVED_OFFSET(ghcb_save_area, 0x148);
++      BUILD_BUG_RESERVED_OFFSET(ghcb_save_area, 0x168);
++      BUILD_BUG_RESERVED_OFFSET(ghcb_save_area, 0x180);
++      BUILD_BUG_RESERVED_OFFSET(ghcb_save_area, 0x1e0);
++      BUILD_BUG_RESERVED_OFFSET(ghcb_save_area, 0x200);
++      BUILD_BUG_RESERVED_OFFSET(ghcb_save_area, 0x320);
++      BUILD_BUG_RESERVED_OFFSET(ghcb_save_area, 0x380);
++      BUILD_BUG_RESERVED_OFFSET(ghcb_save_area, 0x3b0);
++
++      BUILD_BUG_RESERVED_OFFSET(ghcb, 0xff0);
+ }
+ struct vmcb {
+diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
+index e0437acb5cf75..06caee08b7285 100644
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -2653,7 +2653,7 @@ static int setup_vmgexit_scratch(struct vcpu_svm *svm, bool sync, u64 len)
+               ghcb_scratch_beg = control->ghcb_gpa +
+                                  offsetof(struct ghcb, shared_buffer);
+               ghcb_scratch_end = control->ghcb_gpa +
+-                                 offsetof(struct ghcb, reserved_1);
++                                 offsetof(struct ghcb, reserved_0xff0);
+               /*
+                * If the scratch area begins within the GHCB, it must be
+-- 
+2.40.1
+
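Review bot: In the sev.c hunk, the upper bound of the GHCB scratch window is still written as the offset of a padding field, now `offsetof(struct ghcb, reserved_0xff0)`. The range check therefore depends on that reserved field sitting directly after shared_buffer, and on its name, which this patch ties to a numeric offset. Expressing the bound in terms of the buffer itself would survive any later renaming or re-layout of the padding: `ghcb_scratch_end = control->ghcb_gpa + offsetofend(struct ghcb, shared_buffer);`. Judging by the context comment, these values bound where a scratch area inside the GHCB may lie, so the limit deserves to be stated directly. setup_vmgexit_scratch() continues outside the hunk.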
diff --git a/queue-6.1/mailbox-qcom-ipcc-fix-incorrect-num_chans-counting.patch b/queue-6.1/mailbox-qcom-ipcc-fix-incorrect-num_chans-counting.patch
new file mode 100644 (file)
index 0000000..6fd2dae
--- /dev/null
@@ -0,0 +1,39 @@
+From 6000f6b475bc1f5b78082390bd6979f3c5693cd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Aug 2023 09:52:22 -0400
+Subject: mailbox: qcom-ipcc: fix incorrect num_chans counting
+
+From: Jonathan Marek <jonathan@marek.ca>
+
+[ Upstream commit a493208079e299aefdc15169dc80e3da3ebb718a ]
+
+Breaking out early when a match is found leads to an incorrect num_chans
+value when more than one ipcc mailbox channel is used by the same device.
+
+Fixes: e9d50e4b4d04 ("mailbox: qcom-ipcc: Dynamic alloc for channel arrangement")
+Signed-off-by: Jonathan Marek <jonathan@marek.ca>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/qcom-ipcc.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/mailbox/qcom-ipcc.c b/drivers/mailbox/qcom-ipcc.c
+index 7e27acf6c0cca..f597a1bd56847 100644
+--- a/drivers/mailbox/qcom-ipcc.c
++++ b/drivers/mailbox/qcom-ipcc.c
+@@ -227,10 +227,8 @@ static int qcom_ipcc_setup_mbox(struct qcom_ipcc *ipcc,
+                       ret = of_parse_phandle_with_args(client_dn, "mboxes",
+                                               "#mbox-cells", j, &curr_ph);
+                       of_node_put(curr_ph.np);
+-                      if (!ret && curr_ph.np == controller_dn) {
++                      if (!ret && curr_ph.np == controller_dn)
+                               ipcc->num_chans++;
+-                              break;
+-                      }
+               }
+       }
+-- 
+2.40.1
+
diff --git a/queue-6.1/mptcp-annotate-data-races-around-msk-rmem_fwd_alloc.patch b/queue-6.1/mptcp-annotate-data-races-around-msk-rmem_fwd_alloc.patch
new file mode 100644 (file)
index 0000000..7188efc
--- /dev/null
@@ -0,0 +1,93 @@
+From cefef8b55bffacf26f792ebff645d2dc517d75ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 13:52:10 +0000
+Subject: mptcp: annotate data-races around msk->rmem_fwd_alloc
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9531e4a83febc3fb47ac77e24cfb5ea97e50034d ]
+
+msk->rmem_fwd_alloc can be read locklessly.
+
+Add mptcp_rmem_fwd_alloc_add(), similar to sk_forward_alloc_add(),
+and appropriate READ_ONCE()/WRITE_ONCE() annotations.
+
+Fixes: 6511882cdd82 ("mptcp: allocate fwd memory separately on the rx and tx path")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/protocol.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index 573db9c2bc1cd..6dd880d6b0518 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -131,9 +131,15 @@ static void mptcp_drop(struct sock *sk, struct sk_buff *skb)
+       __kfree_skb(skb);
+ }
++static void mptcp_rmem_fwd_alloc_add(struct sock *sk, int size)
++{
++      WRITE_ONCE(mptcp_sk(sk)->rmem_fwd_alloc,
++                 mptcp_sk(sk)->rmem_fwd_alloc + size);
++}
++
+ static void mptcp_rmem_charge(struct sock *sk, int size)
+ {
+-      mptcp_sk(sk)->rmem_fwd_alloc -= size;
++      mptcp_rmem_fwd_alloc_add(sk, -size);
+ }
+ static bool mptcp_try_coalesce(struct sock *sk, struct sk_buff *to,
+@@ -174,7 +180,7 @@ static bool mptcp_ooo_try_coalesce(struct mptcp_sock *msk, struct sk_buff *to,
+ static void __mptcp_rmem_reclaim(struct sock *sk, int amount)
+ {
+       amount >>= PAGE_SHIFT;
+-      mptcp_sk(sk)->rmem_fwd_alloc -= amount << PAGE_SHIFT;
++      mptcp_rmem_charge(sk, amount << PAGE_SHIFT);
+       __sk_mem_reduce_allocated(sk, amount);
+ }
+@@ -183,7 +189,7 @@ static void mptcp_rmem_uncharge(struct sock *sk, int size)
+       struct mptcp_sock *msk = mptcp_sk(sk);
+       int reclaimable;
+-      msk->rmem_fwd_alloc += size;
++      mptcp_rmem_fwd_alloc_add(sk, size);
+       reclaimable = msk->rmem_fwd_alloc - sk_unused_reserved_mem(sk);
+       /* see sk_mem_uncharge() for the rationale behind the following schema */
+@@ -338,7 +344,7 @@ static bool mptcp_rmem_schedule(struct sock *sk, struct sock *ssk, int size)
+       if (!__sk_mem_raise_allocated(sk, size, amt, SK_MEM_RECV))
+               return false;
+-      msk->rmem_fwd_alloc += amount;
++      mptcp_rmem_fwd_alloc_add(sk, amount);
+       return true;
+ }
+@@ -3279,7 +3285,7 @@ void mptcp_destroy_common(struct mptcp_sock *msk, unsigned int flags)
+        * inet_sock_destruct() will dispose it
+        */
+       sk_forward_alloc_add(sk, msk->rmem_fwd_alloc);
+-      msk->rmem_fwd_alloc = 0;
++      WRITE_ONCE(msk->rmem_fwd_alloc, 0);
+       mptcp_token_destroy(msk);
+       mptcp_pm_free_anno_list(msk);
+       mptcp_free_local_addr_list(msk);
+@@ -3562,7 +3568,8 @@ static void mptcp_shutdown(struct sock *sk, int how)
+ static int mptcp_forward_alloc_get(const struct sock *sk)
+ {
+-      return READ_ONCE(sk->sk_forward_alloc) + mptcp_sk(sk)->rmem_fwd_alloc;
++      return READ_ONCE(sk->sk_forward_alloc) +
++             READ_ONCE(mptcp_sk(sk)->rmem_fwd_alloc);
+ }
+ static int mptcp_ioctl_outq(const struct mptcp_sock *msk, u64 v)
+-- 
+2.40.1
+
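Review bot: mptcp_rmem_fwd_alloc_add() has no comment saying which lockless reader its WRITE_ONCE() pairs with, whereas sk_forward_alloc_add() in the companion sock.h patch carries one. The update is a plain load followed by WRITE_ONCE(), so it is not atomic and presumably relies on writers being serialized by the caller; that assumption should be written down, for example `/* Paired with READ_ONCE() in mptcp_forward_alloc_get(); writers must be serialized by the caller */`. In __mptcp_rmem_reclaim() the subtraction now goes through `mptcp_rmem_charge(sk, amount << PAGE_SHIFT);`, which reads as a charge on a reclaim path. `mptcp_rmem_fwd_alloc_add(sk, -(amount << PAGE_SHIFT));` would state the intent directly and match __sk_mem_reclaim() in the sock.c patch.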
diff --git a/queue-6.1/net-annotate-data-races-around-sk-sk_forward_alloc.patch b/queue-6.1/net-annotate-data-races-around-sk-sk_forward_alloc.patch
new file mode 100644 (file)
index 0000000..5201cb1
--- /dev/null
@@ -0,0 +1,177 @@
+From 95233a8c15ec54347d9d85a8117c407d5b13aea1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 13:52:09 +0000
+Subject: net: annotate data-races around sk->sk_forward_alloc
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 5e6300e7b3a4ab5b72a82079753868e91fbf9efc ]
+
+Every time sk->sk_forward_alloc is read locklessly,
+add a READ_ONCE().
+
+Add sk_forward_alloc_add() helper to centralize updates,
+to reduce number of WRITE_ONCE().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h    | 12 +++++++++---
+ net/core/sock.c       |  8 ++++----
+ net/ipv4/tcp_output.c |  2 +-
+ net/ipv4/udp.c        |  6 +++---
+ net/mptcp/protocol.c  |  6 +++---
+ 5 files changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index d1f936ed97556..fe695e8bfe289 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1049,6 +1049,12 @@ static inline void sk_wmem_queued_add(struct sock *sk, int val)
+       WRITE_ONCE(sk->sk_wmem_queued, sk->sk_wmem_queued + val);
+ }
++static inline void sk_forward_alloc_add(struct sock *sk, int val)
++{
++      /* Paired with lockless reads of sk->sk_forward_alloc */
++      WRITE_ONCE(sk->sk_forward_alloc, sk->sk_forward_alloc + val);
++}
++
+ void sk_stream_write_space(struct sock *sk);
+ /* OOB backlog add */
+@@ -1401,7 +1407,7 @@ static inline int sk_forward_alloc_get(const struct sock *sk)
+       if (sk->sk_prot->forward_alloc_get)
+               return sk->sk_prot->forward_alloc_get(sk);
+ #endif
+-      return sk->sk_forward_alloc;
++      return READ_ONCE(sk->sk_forward_alloc);
+ }
+ static inline bool __sk_stream_memory_free(const struct sock *sk, int wake)
+@@ -1697,14 +1703,14 @@ static inline void sk_mem_charge(struct sock *sk, int size)
+ {
+       if (!sk_has_account(sk))
+               return;
+-      sk->sk_forward_alloc -= size;
++      sk_forward_alloc_add(sk, -size);
+ }
+ static inline void sk_mem_uncharge(struct sock *sk, int size)
+ {
+       if (!sk_has_account(sk))
+               return;
+-      sk->sk_forward_alloc += size;
++      sk_forward_alloc_add(sk, size);
+       sk_mem_reclaim(sk);
+ }
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 6ff58fa5f41ed..aa628c6314f64 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1034,7 +1034,7 @@ static int sock_reserve_memory(struct sock *sk, int bytes)
+               mem_cgroup_uncharge_skmem(sk->sk_memcg, pages);
+               return -ENOMEM;
+       }
+-      sk->sk_forward_alloc += pages << PAGE_SHIFT;
++      sk_forward_alloc_add(sk, pages << PAGE_SHIFT);
+       WRITE_ONCE(sk->sk_reserved_mem,
+                  sk->sk_reserved_mem + (pages << PAGE_SHIFT));
+@@ -3082,10 +3082,10 @@ int __sk_mem_schedule(struct sock *sk, int size, int kind)
+ {
+       int ret, amt = sk_mem_pages(size);
+-      sk->sk_forward_alloc += amt << PAGE_SHIFT;
++      sk_forward_alloc_add(sk, amt << PAGE_SHIFT);
+       ret = __sk_mem_raise_allocated(sk, size, amt, kind);
+       if (!ret)
+-              sk->sk_forward_alloc -= amt << PAGE_SHIFT;
++              sk_forward_alloc_add(sk, -(amt << PAGE_SHIFT));
+       return ret;
+ }
+ EXPORT_SYMBOL(__sk_mem_schedule);
+@@ -3117,7 +3117,7 @@ void __sk_mem_reduce_allocated(struct sock *sk, int amount)
+ void __sk_mem_reclaim(struct sock *sk, int amount)
+ {
+       amount >>= PAGE_SHIFT;
+-      sk->sk_forward_alloc -= amount << PAGE_SHIFT;
++      sk_forward_alloc_add(sk, -(amount << PAGE_SHIFT));
+       __sk_mem_reduce_allocated(sk, amount);
+ }
+ EXPORT_SYMBOL(__sk_mem_reclaim);
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 26bd039f9296f..dc3166e56169f 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -3380,7 +3380,7 @@ void sk_forced_mem_schedule(struct sock *sk, int size)
+       if (delta <= 0)
+               return;
+       amt = sk_mem_pages(delta);
+-      sk->sk_forward_alloc += amt << PAGE_SHIFT;
++      sk_forward_alloc_add(sk, amt << PAGE_SHIFT);
+       sk_memory_allocated_add(sk, amt);
+       if (mem_cgroup_sockets_enabled && sk->sk_memcg)
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 42c1f7d9a980a..b2aa7777521f6 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1474,9 +1474,9 @@ static void udp_rmem_release(struct sock *sk, int size, int partial,
+               spin_lock(&sk_queue->lock);
+-      sk->sk_forward_alloc += size;
++      sk_forward_alloc_add(sk, size);
+       amt = (sk->sk_forward_alloc - partial) & ~(PAGE_SIZE - 1);
+-      sk->sk_forward_alloc -= amt;
++      sk_forward_alloc_add(sk, -amt);
+       if (amt)
+               __sk_mem_reduce_allocated(sk, amt >> PAGE_SHIFT);
+@@ -1582,7 +1582,7 @@ int __udp_enqueue_schedule_skb(struct sock *sk, struct sk_buff *skb)
+               sk->sk_forward_alloc += delta;
+       }
+-      sk->sk_forward_alloc -= size;
++      sk_forward_alloc_add(sk, -size);
+       /* no need to setup a destructor, we will explicitly release the
+        * forward allocated memory on dequeue
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index 61fefa1a82db2..573db9c2bc1cd 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -1802,7 +1802,7 @@ static int mptcp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+               }
+               /* data successfully copied into the write queue */
+-              sk->sk_forward_alloc -= total_ts;
++              sk_forward_alloc_add(sk, -total_ts);
+               copied += psize;
+               dfrag->data_len += psize;
+               frag_truesize += psize;
+@@ -3278,7 +3278,7 @@ void mptcp_destroy_common(struct mptcp_sock *msk, unsigned int flags)
+       /* move all the rx fwd alloc into the sk_mem_reclaim_final in
+        * inet_sock_destruct() will dispose it
+        */
+-      sk->sk_forward_alloc += msk->rmem_fwd_alloc;
++      sk_forward_alloc_add(sk, msk->rmem_fwd_alloc);
+       msk->rmem_fwd_alloc = 0;
+       mptcp_token_destroy(msk);
+       mptcp_pm_free_anno_list(msk);
+@@ -3562,7 +3562,7 @@ static void mptcp_shutdown(struct sock *sk, int how)
+ static int mptcp_forward_alloc_get(const struct sock *sk)
+ {
+-      return sk->sk_forward_alloc + mptcp_sk(sk)->rmem_fwd_alloc;
++      return READ_ONCE(sk->sk_forward_alloc) + mptcp_sk(sk)->rmem_fwd_alloc;
+ }
+ static int mptcp_ioctl_outq(const struct mptcp_sock *msk, u64 v)
+-- 
+2.40.1
+
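Review bot: In the second udp.c hunk, the context line `sk->sk_forward_alloc += delta;` stays a plain store while the `-= size` update two lines below it is converted to sk_forward_alloc_add(). If the aim is for every write to sk->sk_forward_alloc to be paired with the new READ_ONCE() in sk_forward_alloc_get(), this one is still unannotated and should become `sk_forward_alloc_add(sk, delta);`. Whether upstream left it out deliberately cannot be told from the hunk, and __udp_enqueue_schedule_skb() begins and ends outside it. The plain read in udp_rmem_release(), `amt = (sk->sk_forward_alloc - partial) & ~(PAGE_SIZE - 1);`, sits after the `spin_lock(&sk_queue->lock)` context line and looks fine as a writer-side read.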
diff --git a/queue-6.1/net-dsa-sja1105-complete-tc-cbs-offload-support-on-s.patch b/queue-6.1/net-dsa-sja1105-complete-tc-cbs-offload-support-on-s.patch
new file mode 100644 (file)
index 0000000..fdd736f
--- /dev/null
@@ -0,0 +1,136 @@
+From 3ae90c9fe46da1be848099c7a688ec228dd9d57d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Sep 2023 00:53:38 +0300
+Subject: net: dsa: sja1105: complete tc-cbs offload support on SJA1110
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 180a7419fe4adc8d9c8e0ef0fd17bcdd0cf78acd ]
+
+The blamed commit left this delta behind:
+
+  struct sja1105_cbs_entry {
+ -     u64 port;
+ -     u64 prio;
+ +     u64 port; /* Not used for SJA1110 */
+ +     u64 prio; /* Not used for SJA1110 */
+       u64 credit_hi;
+       u64 credit_lo;
+       u64 send_slope;
+       u64 idle_slope;
+  };
+
+but did not actually implement tc-cbs offload fully for the new switch.
+The offload is accepted, but it doesn't work.
+
+The difference compared to earlier switch generations is that now, the
+table of CBS shapers is sparse, because there are many more shapers, so
+the mapping between a {port, prio} and a table index is static, rather
+than requiring us to store the port and prio into the sja1105_cbs_entry.
+
+So, the problem is that the code programs the CBS shaper parameters at a
+dynamic table index which is incorrect.
+
+All that needs to be done for SJA1110 CBS shapers to work is to bypass
+the logic which allocates shapers in a dense manner, as for SJA1105, and
+use the fixed mapping instead.
+
+Fixes: 3e77e59bf8cf ("net: dsa: sja1105: add support for the SJA1110 switch family")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105.h      |  2 ++
+ drivers/net/dsa/sja1105/sja1105_main.c | 13 +++++++++++++
+ drivers/net/dsa/sja1105/sja1105_spi.c  |  4 ++++
+ 3 files changed, 19 insertions(+)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105.h b/drivers/net/dsa/sja1105/sja1105.h
+index fb3cd4c78faa8..a831bb0a52074 100644
+--- a/drivers/net/dsa/sja1105/sja1105.h
++++ b/drivers/net/dsa/sja1105/sja1105.h
+@@ -132,6 +132,8 @@ struct sja1105_info {
+       int max_frame_mem;
+       int num_ports;
+       bool multiple_cascade_ports;
++      /* Every {port, TXQ} has its own CBS shaper */
++      bool fixed_cbs_mapping;
+       enum dsa_tag_protocol tag_proto;
+       const struct sja1105_dynamic_table_ops *dyn_ops;
+       const struct sja1105_table_ops *static_ops;
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index 9dd5cdcda2843..ff94c5996fafb 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -2122,12 +2122,22 @@ static void sja1105_bridge_leave(struct dsa_switch *ds, int port,
+ }
+ #define BYTES_PER_KBIT (1000LL / 8)
++/* Port 0 (the uC port) does not have CBS shapers */
++#define SJA1110_FIXED_CBS(port, prio) ((((port) - 1) * SJA1105_NUM_TC) + (prio))
+ static int sja1105_find_cbs_shaper(struct sja1105_private *priv,
+                                  int port, int prio)
+ {
+       int i;
++      if (priv->info->fixed_cbs_mapping) {
++              i = SJA1110_FIXED_CBS(port, prio);
++              if (i >= 0 && i < priv->info->num_cbs_shapers)
++                      return i;
++
++              return -1;
++      }
++
+       for (i = 0; i < priv->info->num_cbs_shapers; i++)
+               if (priv->cbs[i].port == port && priv->cbs[i].prio == prio)
+                       return i;
+@@ -2139,6 +2149,9 @@ static int sja1105_find_unused_cbs_shaper(struct sja1105_private *priv)
+ {
+       int i;
++      if (priv->info->fixed_cbs_mapping)
++              return -1;
++
+       for (i = 0; i < priv->info->num_cbs_shapers; i++)
+               if (!priv->cbs[i].idle_slope && !priv->cbs[i].send_slope)
+                       return i;
+diff --git a/drivers/net/dsa/sja1105/sja1105_spi.c b/drivers/net/dsa/sja1105/sja1105_spi.c
+index d3c9ad6d39d46..e6b61aef4127c 100644
+--- a/drivers/net/dsa/sja1105/sja1105_spi.c
++++ b/drivers/net/dsa/sja1105/sja1105_spi.c
+@@ -781,6 +781,7 @@ const struct sja1105_info sja1110a_info = {
+       .tag_proto              = DSA_TAG_PROTO_SJA1110,
+       .can_limit_mcast_flood  = true,
+       .multiple_cascade_ports = true,
++      .fixed_cbs_mapping      = true,
+       .ptp_ts_bits            = 32,
+       .ptpegr_ts_bytes        = 8,
+       .max_frame_mem          = SJA1110_MAX_FRAME_MEMORY,
+@@ -831,6 +832,7 @@ const struct sja1105_info sja1110b_info = {
+       .tag_proto              = DSA_TAG_PROTO_SJA1110,
+       .can_limit_mcast_flood  = true,
+       .multiple_cascade_ports = true,
++      .fixed_cbs_mapping      = true,
+       .ptp_ts_bits            = 32,
+       .ptpegr_ts_bytes        = 8,
+       .max_frame_mem          = SJA1110_MAX_FRAME_MEMORY,
+@@ -881,6 +883,7 @@ const struct sja1105_info sja1110c_info = {
+       .tag_proto              = DSA_TAG_PROTO_SJA1110,
+       .can_limit_mcast_flood  = true,
+       .multiple_cascade_ports = true,
++      .fixed_cbs_mapping      = true,
+       .ptp_ts_bits            = 32,
+       .ptpegr_ts_bytes        = 8,
+       .max_frame_mem          = SJA1110_MAX_FRAME_MEMORY,
+@@ -931,6 +934,7 @@ const struct sja1105_info sja1110d_info = {
+       .tag_proto              = DSA_TAG_PROTO_SJA1110,
+       .can_limit_mcast_flood  = true,
+       .multiple_cascade_ports = true,
++      .fixed_cbs_mapping      = true,
+       .ptp_ts_bits            = 32,
+       .ptpegr_ts_bytes        = 8,
+       .max_frame_mem          = SJA1110_MAX_FRAME_MEMORY,
+-- 
+2.40.1
+
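Review bot: In the fixed-mapping branch of `sja1105_find_cbs_shaper()`, `prio` is never compared against `SJA1105_NUM_TC`; only the resulting index is range-checked, so a `prio` at or above that constant would resolve to a slot belonging to the next port's shapers. Whether callers already bound `offload->queue` is not visible here, so a local guard before computing `i` is cheap insurance: `if (port < 1 || prio < 0 || prio >= SJA1105_NUM_TC) return -1;`. Separately, `sja1105_find_unused_cbs_shaper()` now returns -1 for these chips, so a request on port 0 presumably reaches user space as -ENOSPC through the caller shown in the companion patch. A distinct error such as -EOPNOTSUPP would describe "this port has no shaper" more accurately.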
diff --git a/queue-6.1/net-dsa-sja1105-fix-bandwidth-discrepancy-between-tc.patch b/queue-6.1/net-dsa-sja1105-fix-bandwidth-discrepancy-between-tc.patch
new file mode 100644 (file)
index 0000000..1f8814b
--- /dev/null
@@ -0,0 +1,136 @@
+From 566571936dc2a343bfe7f8acf192392b82f6c4ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Sep 2023 00:53:36 +0300
+Subject: net: dsa: sja1105: fix bandwidth discrepancy between tc-cbs software
+ and offload
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 954ad9bf13c4f95a4958b5f8433301f2ab99e1f5 ]
+
+More careful measurement of the tc-cbs bandwidth shows that the stream
+bandwidth (effectively idleslope) increases, there is a larger and
+larger discrepancy between the rate limit obtained by the software
+Qdisc, and the rate limit obtained by its offloaded counterpart.
+
+The discrepancy becomes so large, that e.g. at an idleslope of 40000
+(40Mbps), the offloaded cbs does not actually rate limit anything, and
+traffic will pass at line rate through a 100 Mbps port.
+
+The reason for the discrepancy is that the hardware documentation I've
+been following is incorrect. UM11040.pdf (for SJA1105P/Q/R/S) states
+about IDLE_SLOPE that it is "the rate (in unit of bytes/sec) at which
+the credit counter is increased".
+
+Cross-checking with UM10944.pdf (for SJA1105E/T) and UM11107.pdf
+(for SJA1110), the wording is different: "This field specifies the
+value, in bytes per second times link speed, by which the credit counter
+is increased".
+
+So there's an extra scaling for link speed that the driver is currently
+not accounting for, and apparently (empirically), that link speed is
+expressed in Kbps.
+
+I've pondered whether to pollute the sja1105_mac_link_up()
+implementation with CBS shaper reprogramming, but I don't think it is
+worth it. IMO, the UAPI exposed by tc-cbs requires user space to
+recalculate the sendslope anyway, since the formula for that depends on
+port_transmit_rate (see man tc-cbs), which is not an invariant from tc's
+perspective.
+
+So we use the offload->sendslope and offload->idleslope to deduce the
+original port_transmit_rate from the CBS formula, and use that value to
+scale the offload->sendslope and offload->idleslope to values that the
+hardware understands.
+
+Some numerical data points:
+
+ 40Mbps stream, max interfering frame size 1500, port speed 100M
+ ---------------------------------------------------------------
+
+ tc-cbs parameters:
+ idleslope 40000 sendslope -60000 locredit -900 hicredit 600
+
+ which result in hardware values:
+
+ Before (doesn't work)           After (works)
+ credit_hi    600                600
+ credit_lo    900                900
+ send_slope   7500000            75
+ idle_slope   5000000            50
+
+ 40Mbps stream, max interfering frame size 1500, port speed 1G
+ -------------------------------------------------------------
+
+ tc-cbs parameters:
+ idleslope 40000 sendslope -960000 locredit -1440 hicredit 60
+
+ which result in hardware values:
+
+ Before (doesn't work)           After (works)
+ credit_hi    60                 60
+ credit_lo    1440               1440
+ send_slope   120000000          120
+ idle_slope   5000000            5
+
+ 5.12Mbps stream, max interfering frame size 1522, port speed 100M
+ -----------------------------------------------------------------
+
+ tc-cbs parameters:
+ idleslope 5120 sendslope -94880 locredit -1444 hicredit 77
+
+ which result in hardware values:
+
+ Before (doesn't work)           After (works)
+ credit_hi    77                 77
+ credit_lo    1444               1444
+ send_slope   11860000           118
+ idle_slope   640000             6
+
+Tested on SJA1105T, SJA1105S and SJA1110A, at 1Gbps and 100Mbps.
+
+Fixes: 4d7525085a9b ("net: dsa: sja1105: offload the Credit-Based Shaper qdisc")
+Reported-by: Yanan Yang <yanan.yang@nxp.com>
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index 947e8f7c09880..377f177502003 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -2157,6 +2157,7 @@ static int sja1105_setup_tc_cbs(struct dsa_switch *ds, int port,
+ {
+       struct sja1105_private *priv = ds->priv;
+       struct sja1105_cbs_entry *cbs;
++      s64 port_transmit_rate_kbps;
+       int index;
+       if (!offload->enable)
+@@ -2174,9 +2175,17 @@ static int sja1105_setup_tc_cbs(struct dsa_switch *ds, int port,
+        */
+       cbs->credit_hi = offload->hicredit;
+       cbs->credit_lo = abs(offload->locredit);
+-      /* User space is in kbits/sec, hardware in bytes/sec */
+-      cbs->idle_slope = offload->idleslope * BYTES_PER_KBIT;
+-      cbs->send_slope = abs(offload->sendslope * BYTES_PER_KBIT);
++      /* User space is in kbits/sec, while the hardware in bytes/sec times
++       * link speed. Since the given offload->sendslope is good only for the
++       * current link speed anyway, and user space is likely to reprogram it
++       * when that changes, don't even bother to track the port's link speed,
++       * but deduce the port transmit rate from idleslope - sendslope.
++       */
++      port_transmit_rate_kbps = offload->idleslope - offload->sendslope;
++      cbs->idle_slope = div_s64(offload->idleslope * BYTES_PER_KBIT,
++                                port_transmit_rate_kbps);
++      cbs->send_slope = div_s64(abs(offload->sendslope * BYTES_PER_KBIT),
++                                port_transmit_rate_kbps);
+       /* Convert the negative values from 64-bit 2's complement
+        * to 32-bit 2's complement (for the case of 0x80000000 whose
+        * negative is still negative).
+-- 
+2.40.1
+
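Review bot: `port_transmit_rate_kbps` is used as the divisor in both `div_s64()` calls without being checked, and it is derived entirely from `offload->idleslope - offload->sendslope`, which come from the tc-cbs configuration. If the two are equal (for example both zero) this is a division by zero in kernel context; whether the qdisc layer rejects such parameters before they reach the driver is not visible in this hunk. Computing the rate right after the `!offload->enable` check and bailing out with `if (port_transmit_rate_kbps <= 0) return -EINVAL;` would also avoid leaving the shaper entry half-written on rejection. Note that `div_s64()` takes a 32-bit divisor, so the `s64` local is narrowed at the call. The body of `sja1105_setup_tc_cbs()` starts and ends outside the hunks.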
diff --git a/queue-6.1/net-dsa-sja1105-fix-enospc-when-replacing-the-same-t.patch b/queue-6.1/net-dsa-sja1105-fix-enospc-when-replacing-the-same-t.patch
new file mode 100644 (file)
index 0000000..05fb38d
--- /dev/null
@@ -0,0 +1,81 @@
+From 072bd8e8f4f1aa0897b58ced9bc86bdde4c1ee30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Sep 2023 00:53:37 +0300
+Subject: net: dsa: sja1105: fix -ENOSPC when replacing the same tc-cbs too
+ many times
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 894cafc5c62ccced758077bd4e970dc714c42637 ]
+
+After running command [2] too many times in a row:
+
+[1] $ tc qdisc add dev sw2p0 root handle 1: mqprio num_tc 8 \
+       map 0 1 2 3 4 5 6 7 queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0
+[2] $ tc qdisc replace dev sw2p0 parent 1:1 cbs offload 1 \
+       idleslope 120000 sendslope -880000 locredit -1320 hicredit 180
+
+(aka more than priv->info->num_cbs_shapers times)
+
+we start seeing the following error message:
+
+Error: Specified device failed to setup cbs hardware offload.
+
+This comes from the fact that ndo_setup_tc(TC_SETUP_QDISC_CBS) presents
+the same API for the qdisc create and replace cases, and the sja1105
+driver fails to distinguish between the 2. Thus, it always thinks that
+it must allocate the same shaper for a {port, queue} pair, when it may
+instead have to replace an existing one.
+
+Fixes: 4d7525085a9b ("net: dsa: sja1105: offload the Credit-Based Shaper qdisc")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index 377f177502003..9dd5cdcda2843 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -2123,6 +2123,18 @@ static void sja1105_bridge_leave(struct dsa_switch *ds, int port,
+ #define BYTES_PER_KBIT (1000LL / 8)
++static int sja1105_find_cbs_shaper(struct sja1105_private *priv,
++                                 int port, int prio)
++{
++      int i;
++
++      for (i = 0; i < priv->info->num_cbs_shapers; i++)
++              if (priv->cbs[i].port == port && priv->cbs[i].prio == prio)
++                      return i;
++
++      return -1;
++}
++
+ static int sja1105_find_unused_cbs_shaper(struct sja1105_private *priv)
+ {
+       int i;
+@@ -2163,9 +2175,14 @@ static int sja1105_setup_tc_cbs(struct dsa_switch *ds, int port,
+       if (!offload->enable)
+               return sja1105_delete_cbs_shaper(priv, port, offload->queue);
+-      index = sja1105_find_unused_cbs_shaper(priv);
+-      if (index < 0)
+-              return -ENOSPC;
++      /* The user may be replacing an existing shaper */
++      index = sja1105_find_cbs_shaper(priv, port, offload->queue);
++      if (index < 0) {
++              /* That isn't the case - see if we can allocate a new one */
++              index = sja1105_find_unused_cbs_shaper(priv);
++              if (index < 0)
++                      return -ENOSPC;
++      }
+       cbs = &priv->cbs[index];
+       cbs->port = port;
+-- 
+2.40.1
+
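Review bot: `sja1105_find_cbs_shaper()` matches on `port` and `prio` alone, so an entry that is unused but zero-filled would match a lookup for port 0, queue 0. If released shapers are cleared to zero (the delete path is outside this hunk, so this is an assumption), a replace for that pair could land on a free slot ahead of the live one and leave two entries programmed for the same {port, queue}. Skipping unused entries inside the loop, with the same test `sja1105_find_unused_cbs_shaper()` applies, would close that: `if (!priv->cbs[i].idle_slope && !priv->cbs[i].send_slope) continue;`.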
diff --git a/queue-6.1/net-fib-avoid-warn-splat-in-flow-dissector.patch b/queue-6.1/net-fib-avoid-warn-splat-in-flow-dissector.patch
new file mode 100644 (file)
index 0000000..552eda0
--- /dev/null
@@ -0,0 +1,77 @@
+From e11160dc69b6d69a73bee828b3df4cff9ebe1bd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 13:00:37 +0200
+Subject: net: fib: avoid warn splat in flow dissector
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 8aae7625ff3f0bd5484d01f1b8d5af82e44bec2d ]
+
+New skbs allocated via nf_send_reset() have skb->dev == NULL.
+
+fib*_rules_early_flow_dissect helpers already have a 'struct net'
+argument but its not passed down to the flow dissector core, which
+will then WARN as it can't derive a net namespace to use:
+
+ WARNING: CPU: 0 PID: 0 at net/core/flow_dissector.c:1016 __skb_flow_dissect+0xa91/0x1cd0
+ [..]
+  ip_route_me_harder+0x143/0x330
+  nf_send_reset+0x17c/0x2d0 [nf_reject_ipv4]
+  nft_reject_inet_eval+0xa9/0xf2 [nft_reject_inet]
+  nft_do_chain+0x198/0x5d0 [nf_tables]
+  nft_do_chain_inet+0xa4/0x110 [nf_tables]
+  nf_hook_slow+0x41/0xc0
+  ip_local_deliver+0xce/0x110
+  ..
+
+Cc: Stanislav Fomichev <sdf@google.com>
+Cc: David Ahern <dsahern@kernel.org>
+Cc: Ido Schimmel <idosch@nvidia.com>
+Fixes: 812fa71f0d96 ("netfilter: Dissect flow after packet mangling")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217826
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20230830110043.30497-1-fw@strlen.de
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip6_fib.h | 5 ++++-
+ include/net/ip_fib.h  | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/ip6_fib.h b/include/net/ip6_fib.h
+index 6268963d95994..a92f6eb853068 100644
+--- a/include/net/ip6_fib.h
++++ b/include/net/ip6_fib.h
+@@ -610,7 +610,10 @@ static inline bool fib6_rules_early_flow_dissect(struct net *net,
+       if (!net->ipv6.fib6_rules_require_fldissect)
+               return false;
+-      skb_flow_dissect_flow_keys(skb, flkeys, flag);
++      memset(flkeys, 0, sizeof(*flkeys));
++      __skb_flow_dissect(net, skb, &flow_keys_dissector,
++                         flkeys, NULL, 0, 0, 0, flag);
++
+       fl6->fl6_sport = flkeys->ports.src;
+       fl6->fl6_dport = flkeys->ports.dst;
+       fl6->flowi6_proto = flkeys->basic.ip_proto;
+diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
+index a378eff827c74..f0c13864180e2 100644
+--- a/include/net/ip_fib.h
++++ b/include/net/ip_fib.h
+@@ -418,7 +418,10 @@ static inline bool fib4_rules_early_flow_dissect(struct net *net,
+       if (!net->ipv4.fib_rules_require_fldissect)
+               return false;
+-      skb_flow_dissect_flow_keys(skb, flkeys, flag);
++      memset(flkeys, 0, sizeof(*flkeys));
++      __skb_flow_dissect(net, skb, &flow_keys_dissector,
++                         flkeys, NULL, 0, 0, 0, flag);
++
+       fl4->fl4_sport = flkeys->ports.src;
+       fl4->fl4_dport = flkeys->ports.dst;
+       fl4->flowi4_proto = flkeys->basic.ip_proto;
+-- 
+2.40.1
+
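Review bot: The open-coded `memset()` plus `__skb_flow_dissect()` sequence in `fib6_rules_early_flow_dissect()` is duplicated verbatim in `fib4_rules_early_flow_dissect()`, and neither copy says why the `skb_flow_dissect_flow_keys()` wrapper is avoided. A short comment at both sites would stop a later cleanup from reverting it: `/* skb->dev may be NULL here (e.g. skbs built by nf_send_reset()), so pass net explicitly */`. The return value of `__skb_flow_dissect()` is also ignored; because of the `memset()` the port and protocol fields read as zero on failure, which looks intentional but is worth stating in the same comment. Both function bodies extend outside the hunks.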
diff --git a/queue-6.1/net-hns3-fix-byte-order-conversion-issue-in-hclge_db.patch b/queue-6.1/net-hns3-fix-byte-order-conversion-issue-in-hclge_db.patch
new file mode 100644 (file)
index 0000000..1eee492
--- /dev/null
@@ -0,0 +1,70 @@
+From 19e39913021b8f2e36cf1e29ec5e10ec3a32d9da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Sep 2023 15:20:14 +0800
+Subject: net: hns3: fix byte order conversion issue in
+ hclge_dbg_fd_tcam_read()
+
+From: Hao Chen <chenhao418@huawei.com>
+
+[ Upstream commit efccf655e99b6907ca07a466924e91805892e7d3 ]
+
+req1->tcam_data is defined as "u8 tcam_data[8]", and we convert it as
+(u32 *) without considerring byte order conversion,
+it may result in printing wrong data for tcam_data.
+
+Convert tcam_data to (__le32 *) first to fix it.
+
+Fixes: b5a0b70d77b9 ("net: hns3: refactor dump fd tcam of debugfs")
+Signed-off-by: Hao Chen <chenhao418@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c
+index 5cb8f1818e51c..a1c59f4aae988 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c
+@@ -1517,7 +1517,7 @@ static int hclge_dbg_fd_tcam_read(struct hclge_dev *hdev, bool sel_x,
+       struct hclge_desc desc[3];
+       int pos = 0;
+       int ret, i;
+-      u32 *req;
++      __le32 *req;
+       hclge_cmd_setup_basic_desc(&desc[0], HCLGE_OPC_FD_TCAM_OP, true);
+       desc[0].flag |= cpu_to_le16(HCLGE_COMM_CMD_FLAG_NEXT);
+@@ -1542,22 +1542,22 @@ static int hclge_dbg_fd_tcam_read(struct hclge_dev *hdev, bool sel_x,
+                        tcam_msg.loc);
+       /* tcam_data0 ~ tcam_data1 */
+-      req = (u32 *)req1->tcam_data;
++      req = (__le32 *)req1->tcam_data;
+       for (i = 0; i < 2; i++)
+               pos += scnprintf(tcam_buf + pos, HCLGE_DBG_TCAM_BUF_SIZE - pos,
+-                               "%08x\n", *req++);
++                               "%08x\n", le32_to_cpu(*req++));
+       /* tcam_data2 ~ tcam_data7 */
+-      req = (u32 *)req2->tcam_data;
++      req = (__le32 *)req2->tcam_data;
+       for (i = 0; i < 6; i++)
+               pos += scnprintf(tcam_buf + pos, HCLGE_DBG_TCAM_BUF_SIZE - pos,
+-                               "%08x\n", *req++);
++                               "%08x\n", le32_to_cpu(*req++));
+       /* tcam_data8 ~ tcam_data12 */
+-      req = (u32 *)req3->tcam_data;
++      req = (__le32 *)req3->tcam_data;
+       for (i = 0; i < 5; i++)
+               pos += scnprintf(tcam_buf + pos, HCLGE_DBG_TCAM_BUF_SIZE - pos,
+-                               "%08x\n", *req++);
++                               "%08x\n", le32_to_cpu(*req++));
+       return ret;
+ }
+-- 
+2.40.1
+
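Review bot: The three dump loops in `hclge_dbg_fd_tcam_read()` read 2, 6 and 5 words through a `__le32 *` cast of `tcam_data`, with the counts hard-coded rather than derived from the arrays. The commit message gives `req1->tcam_data` as `u8 tcam_data[8]`, which matches the first loop; the sizes behind `req2` and `req3` are not visible here, so the other two bounds cannot be confirmed from the hunk. Tying each bound to its field, e.g. `for (i = 0; i < sizeof(req2->tcam_data) / sizeof(__le32); i++)`, keeps this debugfs dump from reading past the field if a descriptor layout changes. Reading each word with `get_unaligned_le32()` instead of dereferencing the cast pointer would also remove the dependence on the byte array's alignment.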
diff --git a/queue-6.1/net-hns3-fix-debugfs-concurrency-issue-between-kfree.patch b/queue-6.1/net-hns3-fix-debugfs-concurrency-issue-between-kfree.patch
new file mode 100644 (file)
index 0000000..2695846
--- /dev/null
@@ -0,0 +1,62 @@
+From fc2ddd47828e3f84fd15aeac33b1a0ce8efcff4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Sep 2023 15:20:15 +0800
+Subject: net: hns3: fix debugfs concurrency issue between kfree buffer and
+ read
+
+From: Hao Chen <chenhao418@huawei.com>
+
+[ Upstream commit c295160b1d95e885f1af4586a221cb221d232d10 ]
+
+Now in hns3_dbg_uninit(), there may be concurrency between
+kfree buffer and read, it may result in memory error.
+
+Moving debugfs_remove_recursive() in front of kfree buffer to ensure
+they don't happen at the same time.
+
+Fixes: 5e69ea7ee2a6 ("net: hns3: refactor the debugfs process")
+Signed-off-by: Hao Chen <chenhao418@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
+index 69d1549e63a98..00eed9835cb55 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
+@@ -1406,9 +1406,9 @@ int hns3_dbg_init(struct hnae3_handle *handle)
+       return 0;
+ out:
+-      mutex_destroy(&handle->dbgfs_lock);
+       debugfs_remove_recursive(handle->hnae3_dbgfs);
+       handle->hnae3_dbgfs = NULL;
++      mutex_destroy(&handle->dbgfs_lock);
+       return ret;
+ }
+@@ -1416,6 +1416,9 @@ void hns3_dbg_uninit(struct hnae3_handle *handle)
+ {
+       u32 i;
++      debugfs_remove_recursive(handle->hnae3_dbgfs);
++      handle->hnae3_dbgfs = NULL;
++
+       for (i = 0; i < ARRAY_SIZE(hns3_dbg_cmd); i++)
+               if (handle->dbgfs_buf[i]) {
+                       kvfree(handle->dbgfs_buf[i]);
+@@ -1423,8 +1426,6 @@ void hns3_dbg_uninit(struct hnae3_handle *handle)
+               }
+       mutex_destroy(&handle->dbgfs_lock);
+-      debugfs_remove_recursive(handle->hnae3_dbgfs);
+-      handle->hnae3_dbgfs = NULL;
+ }
+ void hns3_dbg_register_debugfs(const char *debugfs_dir_name)
+-- 
+2.40.1
+
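Review bot: The new ordering in `hns3_dbg_uninit()` is what makes the teardown safe, but nothing in the code records that requirement, so a later cleanup could move the calls back. A comment above the moved `debugfs_remove_recursive()` call would document it: `/* remove the debugfs files first so no reader can still reach dbgfs_buf or dbgfs_lock */`. The same reasoning applies to the `out:` path of `hns3_dbg_init()`, where `mutex_destroy()` now follows the removal. Whether the read handlers actually take `dbgfs_lock` is not visible in these hunks, so the wording should be checked against them.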
diff --git a/queue-6.1/net-hns3-fix-invalid-mutex-between-tc-qdisc-and-dcb-.patch b/queue-6.1/net-hns3-fix-invalid-mutex-between-tc-qdisc-and-dcb-.patch
new file mode 100644 (file)
index 0000000..7df97dd
--- /dev/null
@@ -0,0 +1,153 @@
+From aa1bc60726ad1ee5fcc6946e1768bdc1e4101fe1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Sep 2023 15:20:16 +0800
+Subject: net: hns3: fix invalid mutex between tc qdisc and dcb ets command
+ issue
+
+From: Jijie Shao <shaojijie@huawei.com>
+
+[ Upstream commit fa5564945f7d15ae2390b00c08b6abaef0165cda ]
+
+We hope that tc qdisc and dcb ets commands can not be used crosswise.
+If we want to use any of the commands to configure tc,
+We must use the other command to clear the existing configuration.
+
+However, when we configure a single tc with tc qdisc,
+we can still configure it with dcb ets.
+Because we use mqprio_active as the tag of tc qdisc configuration,
+but with dcb ets, we do not check mqprio_active.
+
+This patch fix this issue by check mqprio_active before
+executing the dcb ets command. and add dcb_ets_active to
+replace HCLGE_FLAG_DCB_ENABLE and HCLGE_FLAG_MQPRIO_ENABLE
+at the hclge layer,
+
+Fixes: cacde272dd00 ("net: hns3: Add hclge_dcb module for the support of DCB feature")
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hnae3.h   |  1 +
+ .../hisilicon/hns3/hns3pf/hclge_dcb.c         | 20 +++++--------------
+ .../hisilicon/hns3/hns3pf/hclge_main.c        |  5 +++--
+ .../hisilicon/hns3/hns3pf/hclge_main.h        |  2 --
+ 4 files changed, 9 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.h b/drivers/net/ethernet/hisilicon/hns3/hnae3.h
+index fcb8b6dc5ab92..c693bb701ba3e 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.h
+@@ -797,6 +797,7 @@ struct hnae3_tc_info {
+       u8 max_tc; /* Total number of TCs */
+       u8 num_tc; /* Total number of enabled TCs */
+       bool mqprio_active;
++      bool dcb_ets_active;
+ };
+ #define HNAE3_MAX_DSCP                        64
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c
+index 09362823140d5..2740f0d703e4f 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c
+@@ -251,7 +251,7 @@ static int hclge_ieee_setets(struct hnae3_handle *h, struct ieee_ets *ets)
+       int ret;
+       if (!(hdev->dcbx_cap & DCB_CAP_DCBX_VER_IEEE) ||
+-          hdev->flag & HCLGE_FLAG_MQPRIO_ENABLE)
++          h->kinfo.tc_info.mqprio_active)
+               return -EINVAL;
+       ret = hclge_ets_validate(hdev, ets, &num_tc, &map_changed);
+@@ -267,10 +267,7 @@ static int hclge_ieee_setets(struct hnae3_handle *h, struct ieee_ets *ets)
+       }
+       hclge_tm_schd_info_update(hdev, num_tc);
+-      if (num_tc > 1)
+-              hdev->flag |= HCLGE_FLAG_DCB_ENABLE;
+-      else
+-              hdev->flag &= ~HCLGE_FLAG_DCB_ENABLE;
++      h->kinfo.tc_info.dcb_ets_active = num_tc > 1;
+       ret = hclge_ieee_ets_to_tm_info(hdev, ets);
+       if (ret)
+@@ -463,7 +460,7 @@ static u8 hclge_getdcbx(struct hnae3_handle *h)
+       struct hclge_vport *vport = hclge_get_vport(h);
+       struct hclge_dev *hdev = vport->back;
+-      if (hdev->flag & HCLGE_FLAG_MQPRIO_ENABLE)
++      if (h->kinfo.tc_info.mqprio_active)
+               return 0;
+       return hdev->dcbx_cap;
+@@ -587,7 +584,8 @@ static int hclge_setup_tc(struct hnae3_handle *h,
+       if (!test_bit(HCLGE_STATE_NIC_REGISTERED, &hdev->state))
+               return -EBUSY;
+-      if (hdev->flag & HCLGE_FLAG_DCB_ENABLE)
++      kinfo = &vport->nic.kinfo;
++      if (kinfo->tc_info.dcb_ets_active)
+               return -EINVAL;
+       ret = hclge_mqprio_qopt_check(hdev, mqprio_qopt);
+@@ -601,7 +599,6 @@ static int hclge_setup_tc(struct hnae3_handle *h,
+       if (ret)
+               return ret;
+-      kinfo = &vport->nic.kinfo;
+       memcpy(&old_tc_info, &kinfo->tc_info, sizeof(old_tc_info));
+       hclge_sync_mqprio_qopt(&kinfo->tc_info, mqprio_qopt);
+       kinfo->tc_info.mqprio_active = tc > 0;
+@@ -610,13 +607,6 @@ static int hclge_setup_tc(struct hnae3_handle *h,
+       if (ret)
+               goto err_out;
+-      hdev->flag &= ~HCLGE_FLAG_DCB_ENABLE;
+-
+-      if (tc > 1)
+-              hdev->flag |= HCLGE_FLAG_MQPRIO_ENABLE;
+-      else
+-              hdev->flag &= ~HCLGE_FLAG_MQPRIO_ENABLE;
+-
+       return hclge_notify_init_up(hdev);
+ err_out:
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index 84ecd8b9be48c..884e45fb6b72e 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -11132,6 +11132,7 @@ static void hclge_get_mdix_mode(struct hnae3_handle *handle,
+ static void hclge_info_show(struct hclge_dev *hdev)
+ {
++      struct hnae3_handle *handle = &hdev->vport->nic;
+       struct device *dev = &hdev->pdev->dev;
+       dev_info(dev, "PF info begin:\n");
+@@ -11148,9 +11149,9 @@ static void hclge_info_show(struct hclge_dev *hdev)
+       dev_info(dev, "This is %s PF\n",
+                hdev->flag & HCLGE_FLAG_MAIN ? "main" : "not main");
+       dev_info(dev, "DCB %s\n",
+-               hdev->flag & HCLGE_FLAG_DCB_ENABLE ? "enable" : "disable");
++               handle->kinfo.tc_info.dcb_ets_active ? "enable" : "disable");
+       dev_info(dev, "MQPRIO %s\n",
+-               hdev->flag & HCLGE_FLAG_MQPRIO_ENABLE ? "enable" : "disable");
++               handle->kinfo.tc_info.mqprio_active ? "enable" : "disable");
+       dev_info(dev, "Default tx spare buffer size: %u\n",
+                hdev->tx_spare_buf_size);
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h
+index 13f23d606e77b..f6fef790e16c1 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h
+@@ -916,8 +916,6 @@ struct hclge_dev {
+ #define HCLGE_FLAG_MAIN                       BIT(0)
+ #define HCLGE_FLAG_DCB_CAPABLE                BIT(1)
+-#define HCLGE_FLAG_DCB_ENABLE         BIT(2)
+-#define HCLGE_FLAG_MQPRIO_ENABLE      BIT(3)
+       u32 flag;
+       u32 pkt_buf_size; /* Total pf buf size for tx/rx */
+-- 
+2.40.1
+
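Review bot: In `hclge_ieee_setets()`, `h->kinfo.tc_info.dcb_ets_active` is assigned before `hclge_ieee_ets_to_tm_info()` and the steps after it, which can fail. The error path is outside the hunk, but if it does not restore the previous value, a failed ETS request with `num_tc > 1` leaves the flag set, and `hclge_setup_tc()` will then reject mqprio with -EINVAL although no ETS configuration took effect. `hclge_setup_tc()` in the same patch copies `kinfo->tc_info` into `old_tc_info` before changing state; the ETS path could do the equivalent, or set the flag only once the configuration has succeeded.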
diff --git a/queue-6.1/net-hns3-fix-the-port-information-display-when-sfp-i.patch b/queue-6.1/net-hns3-fix-the-port-information-display-when-sfp-i.patch
new file mode 100644 (file)
index 0000000..d7d9a81
--- /dev/null
@@ -0,0 +1,39 @@
+From 5873f45d2f859c3fe2f721365ee6acb0b469cf56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Sep 2023 15:20:17 +0800
+Subject: net: hns3: fix the port information display when sfp is absent
+
+From: Yisen Zhuang <yisen.zhuang@huawei.com>
+
+[ Upstream commit 674d9591a32d01df75d6b5fffed4ef942a294376 ]
+
+When sfp is absent or unidentified, the port type should be
+displayed as PORT_OTHERS, rather than PORT_FIBRE.
+
+Fixes: 88d10bd6f730 ("net: hns3: add support for multiple media type")
+Signed-off-by: Yisen Zhuang <yisen.zhuang@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+index cdf76fb58d45e..e22835ae8a941 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+@@ -776,7 +776,9 @@ static int hns3_get_link_ksettings(struct net_device *netdev,
+               hns3_get_ksettings(h, cmd);
+               break;
+       case HNAE3_MEDIA_TYPE_FIBER:
+-              if (module_type == HNAE3_MODULE_TYPE_CR)
++              if (module_type == HNAE3_MODULE_TYPE_UNKNOWN)
++                      cmd->base.port = PORT_OTHER;
++              else if (module_type == HNAE3_MODULE_TYPE_CR)
+                       cmd->base.port = PORT_DA;
+               else
+                       cmd->base.port = PORT_FIBRE;
+-- 
+2.40.1
+
diff --git a/queue-6.1/net-hns3-fix-tx-timeout-issue.patch b/queue-6.1/net-hns3-fix-tx-timeout-issue.patch
new file mode 100644 (file)
index 0000000..9856e00
--- /dev/null
@@ -0,0 +1,79 @@
+From 9655098e11c2b08f9706f2c895962054db8eacb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Sep 2023 15:20:12 +0800
+Subject: net: hns3: fix tx timeout issue
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit 61a1deacc3d4fd3d57d7fda4d935f7f7503e8440 ]
+
+Currently, the driver knocks the ring doorbell before updating
+the ring->last_to_use in tx flow. if the hardware transmiting
+packet and napi poll scheduling are fast enough, it may get
+the old ring->last_to_use in drivers' napi poll.
+In this case, the driver will think the tx is not completed, and
+return directly without clear the flag __QUEUE_STATE_STACK_XOFF,
+which may cause tx timeout.
+
+Fixes: 20d06ca2679c ("net: hns3: optimize the tx clean process")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 61f833d61f583..9942b21cd6193 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -2102,8 +2102,12 @@ static void hns3_tx_doorbell(struct hns3_enet_ring *ring, int num,
+        */
+       if (test_bit(HNS3_NIC_STATE_TX_PUSH_ENABLE, &priv->state) && num &&
+           !ring->pending_buf && num <= HNS3_MAX_PUSH_BD_NUM && doorbell) {
++              /* This smp_store_release() pairs with smp_load_aquire() in
++               * hns3_nic_reclaim_desc(). Ensure that the BD valid bit
++               * is updated.
++               */
++              smp_store_release(&ring->last_to_use, ring->next_to_use);
+               hns3_tx_push_bd(ring, num);
+-              WRITE_ONCE(ring->last_to_use, ring->next_to_use);
+               return;
+       }
+@@ -2114,6 +2118,11 @@ static void hns3_tx_doorbell(struct hns3_enet_ring *ring, int num,
+               return;
+       }
++      /* This smp_store_release() pairs with smp_load_aquire() in
++       * hns3_nic_reclaim_desc(). Ensure that the BD valid bit is updated.
++       */
++      smp_store_release(&ring->last_to_use, ring->next_to_use);
++
+       if (ring->tqp->mem_base)
+               hns3_tx_mem_doorbell(ring);
+       else
+@@ -2121,7 +2130,6 @@ static void hns3_tx_doorbell(struct hns3_enet_ring *ring, int num,
+                      ring->tqp->io_base + HNS3_RING_TX_RING_TAIL_REG);
+       ring->pending_buf = 0;
+-      WRITE_ONCE(ring->last_to_use, ring->next_to_use);
+ }
+ static void hns3_tsyn(struct net_device *netdev, struct sk_buff *skb,
+@@ -3562,9 +3570,8 @@ static void hns3_reuse_buffer(struct hns3_enet_ring *ring, int i)
+ static bool hns3_nic_reclaim_desc(struct hns3_enet_ring *ring,
+                                 int *bytes, int *pkts, int budget)
+ {
+-      /* pair with ring->last_to_use update in hns3_tx_doorbell(),
+-       * smp_store_release() is not used in hns3_tx_doorbell() because
+-       * the doorbell operation already have the needed barrier operation.
++      /* This smp_load_acquire() pairs with smp_store_release() in
++       * hns3_tx_doorbell().
+        */
+       int ltu = smp_load_acquire(&ring->last_to_use);
+       int ntc = ring->next_to_clean;
+-- 
+2.40.1
+
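Review bot: Both new comments in hns3_tx_doorbell() name the pairing primitive as `smp_load_aquire()`, which is misspelled and will not turn up in a search for the real `smp_load_acquire()` call in hns3_nic_reclaim_desc(). These comments are the only documentation of the release/acquire pairing on `ring->last_to_use`, so they should read `This smp_store_release() pairs with smp_load_acquire() in hns3_nic_reclaim_desc().` The comment could also state that the store has to precede the doorbell write (or `hns3_tx_push_bd()`), since that ordering is the fix the commit message describes. hns3_tx_doorbell() begins outside the hunks shown.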
diff --git a/queue-6.1/net-hns3-remove-gso-partial-feature-bit.patch b/queue-6.1/net-hns3-remove-gso-partial-feature-bit.patch
new file mode 100644 (file)
index 0000000..a3d3b3a
--- /dev/null
@@ -0,0 +1,39 @@
+From 5edb332f30b62c0f992d18563559fad030568a47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Sep 2023 15:20:18 +0800
+Subject: net: hns3: remove GSO partial feature bit
+
+From: Jie Wang <wangjie125@huawei.com>
+
+[ Upstream commit 60326634f6c54528778de18bfef1e8a7a93b3771 ]
+
+HNS3 NIC does not support GSO partial packets segmentation. Actually tunnel
+packets for example NvGRE packets segment offload and checksum offload is
+already supported. There is no need to keep gso partial feature bit. So
+this patch removes it.
+
+Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
+Signed-off-by: Jie Wang <wangjie125@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 9942b21cd6193..8aae179554a81 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -3315,8 +3315,6 @@ static void hns3_set_default_feature(struct net_device *netdev)
+       netdev->priv_flags |= IFF_UNICAST_FLT;
+-      netdev->gso_partial_features |= NETIF_F_GSO_GRE_CSUM;
+-
+       netdev->features |= NETIF_F_HW_VLAN_CTAG_FILTER |
+               NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_CTAG_RX |
+               NETIF_F_RXCSUM | NETIF_F_SG | NETIF_F_GSO |
+-- 
+2.40.1
+
diff --git a/queue-6.1/net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch b/queue-6.1/net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch
new file mode 100644 (file)
index 0000000..55f979e
--- /dev/null
@@ -0,0 +1,40 @@
+From 2ba91b40d6cd8aa4e1a6371c581db6d7fb3fd836 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 22:41:27 -0600
+Subject: net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr
+
+From: Alex Henrie <alexhenrie24@gmail.com>
+
+[ Upstream commit f31867d0d9d82af757c1e0178b659438f4c1ea3c ]
+
+The existing code incorrectly casted a negative value (the result of a
+subtraction) to an unsigned value without checking. For example, if
+/proc/sys/net/ipv6/conf/*/temp_prefered_lft was set to 1, the preferred
+lifetime would jump to 4 billion seconds. On my machine and network the
+shortest lifetime that avoided underflow was 3 seconds.
+
+Fixes: 76506a986dc3 ("IPv6: fix DESYNC_FACTOR")
+Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/addrconf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 48a6486951cd6..83be842198244 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1368,7 +1368,7 @@ static int ipv6_create_tempaddr(struct inet6_ifaddr *ifp, bool block)
+        * idev->desync_factor if it's larger
+        */
+       cnf_temp_preferred_lft = READ_ONCE(idev->cnf.temp_prefered_lft);
+-      max_desync_factor = min_t(__u32,
++      max_desync_factor = min_t(long,
+                                 idev->cnf.max_desync_factor,
+                                 cnf_temp_preferred_lft - regen_advance);
+-- 
+2.40.1
+
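Review bot: With `min_t(long, ...)` in ipv6_create_tempaddr() the result can be negative when `cnf_temp_preferred_lft` is smaller than `regen_advance`, and the hunk does not show how a negative `max_desync_factor` is consumed afterwards. A comment at the assignment such as `/* may be <= 0 when temp_prefered_lft < regen_advance; the code that follows must treat that as "no desync" */` would make the intent checkable. Separately, `idev->cnf.max_desync_factor` is read plainly one line after `temp_prefered_lft` is read with `READ_ONCE()`; if that field is also writable at runtime (not visible here), `READ_ONCE(idev->cnf.max_desync_factor)` is probably wanted for consistency. The variable declarations and the rest of the function are outside the hunk.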
diff --git a/queue-6.1/net-phy-micrel-correct-bit-assignments-for-phy_devic.patch b/queue-6.1/net-phy-micrel-correct-bit-assignments-for-phy_devic.patch
new file mode 100644 (file)
index 0000000..92ea412
--- /dev/null
@@ -0,0 +1,54 @@
+From 40d0d8e7e1857cd678fecea806a1925c7fad4803 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 06:53:23 +0200
+Subject: net: phy: micrel: Correct bit assignments for phy_device flags
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 719c5e37e99d2fd588d1c994284d17650a66354c ]
+
+Previously, the defines for phy_device flags in the Micrel driver were
+ambiguous in their representation. They were intended to be bit masks
+but were mistakenly defined as bit positions. This led to the following
+issues:
+
+- MICREL_KSZ8_P1_ERRATA, designated for KSZ88xx switches, overlapped
+  with MICREL_PHY_FXEN and MICREL_PHY_50MHZ_CLK.
+- Due to this overlap, the code path for MICREL_PHY_FXEN, tailored for
+  the KSZ8041 PHY, was not executed for KSZ88xx PHYs.
+- Similarly, the code associated with MICREL_PHY_50MHZ_CLK wasn't
+  triggered for KSZ88xx.
+
+To rectify this, all three flags have now been explicitly converted to
+use the `BIT()` macro, ensuring they are defined as bit masks and
+preventing potential overlaps in the future.
+
+Fixes: 49011e0c1555 ("net: phy: micrel: ksz886x/ksz8081: add cabletest support")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/micrel_phy.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/micrel_phy.h b/include/linux/micrel_phy.h
+index 1f7c33b2f5a3f..e164facb0f363 100644
+--- a/include/linux/micrel_phy.h
++++ b/include/linux/micrel_phy.h
+@@ -38,9 +38,9 @@
+ #define       PHY_ID_KSZ9477          0x00221631
+ /* struct phy_device dev_flags definitions */
+-#define MICREL_PHY_50MHZ_CLK  0x00000001
+-#define MICREL_PHY_FXEN               0x00000002
+-#define MICREL_KSZ8_P1_ERRATA 0x00000003
++#define MICREL_PHY_50MHZ_CLK  BIT(0)
++#define MICREL_PHY_FXEN               BIT(1)
++#define MICREL_KSZ8_P1_ERRATA BIT(2)
+ #define MICREL_KSZ9021_EXTREG_CTRL    0xB
+ #define MICREL_KSZ9021_EXTREG_DATA_WRITE      0xC
+-- 
+2.40.1
+
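Review bot: The three dev_flags defines in include/linux/micrel_phy.h now depend on `BIT()`, and the hunk does not show the header including `<linux/bits.h>`. If it relies on whoever includes it to provide the macro, adding `#include <linux/bits.h>` near the top keeps the header self-contained. The existing comment `/* struct phy_device dev_flags definitions */` could also say that each value is a single-bit mask meant to be combined with `|`, because the old values (`0x1`, `0x2`, `0x3`) read like an enumeration and that ambiguity is what the commit message describes.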
diff --git a/queue-6.1/net-read-sk-sk_family-once-in-sk_mc_loop.patch b/queue-6.1/net-read-sk-sk_family-once-in-sk_mc_loop.patch
new file mode 100644 (file)
index 0000000..e2d4bbb
--- /dev/null
@@ -0,0 +1,87 @@
+From ffb40dfce3e3f16cfa266c16d0517fbd800dad2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 10:12:44 +0000
+Subject: net: read sk->sk_family once in sk_mc_loop()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a3e0fdf71bbe031de845e8e08ed7fba49f9c702c ]
+
+syzbot is playing with IPV6_ADDRFORM quite a lot these days,
+and managed to hit the WARN_ON_ONCE(1) in sk_mc_loop()
+
+We have many more similar issues to fix.
+
+WARNING: CPU: 1 PID: 1593 at net/core/sock.c:782 sk_mc_loop+0x165/0x260
+Modules linked in:
+CPU: 1 PID: 1593 Comm: kworker/1:3 Not tainted 6.1.40-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
+Workqueue: events_power_efficient gc_worker
+RIP: 0010:sk_mc_loop+0x165/0x260 net/core/sock.c:782
+Code: 34 1b fd 49 81 c7 18 05 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ff e8 25 36 6d fd 4d 8b 37 eb 13 e8 db 33 1b fd <0f> 0b b3 01 eb 34 e8 d0 33 1b fd 45 31 f6 49 83 c6 38 4c 89 f0 48
+RSP: 0018:ffffc90000388530 EFLAGS: 00010246
+RAX: ffffffff846d9b55 RBX: 0000000000000011 RCX: ffff88814f884980
+RDX: 0000000000000102 RSI: ffffffff87ae5160 RDI: 0000000000000011
+RBP: ffffc90000388550 R08: 0000000000000003 R09: ffffffff846d9a65
+R10: 0000000000000002 R11: ffff88814f884980 R12: dffffc0000000000
+R13: ffff88810dbee000 R14: 0000000000000010 R15: ffff888150084000
+FS: 0000000000000000(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020000180 CR3: 000000014ee5b000 CR4: 00000000003506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<IRQ>
+[<ffffffff8507734f>] ip6_finish_output2+0x33f/0x1ae0 net/ipv6/ip6_output.c:83
+[<ffffffff85062766>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
+[<ffffffff85062766>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
+[<ffffffff85061f8c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
+[<ffffffff85061f8c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
+[<ffffffff852071cf>] dst_output include/net/dst.h:444 [inline]
+[<ffffffff852071cf>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
+[<ffffffff83618fb4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
+[<ffffffff83618fb4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
+[<ffffffff83618fb4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
+[<ffffffff83618fb4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
+[<ffffffff8361ddd9>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
+[<ffffffff84763fc0>] netdev_start_xmit include/linux/netdevice.h:4925 [inline]
+[<ffffffff84763fc0>] xmit_one net/core/dev.c:3644 [inline]
+[<ffffffff84763fc0>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
+[<ffffffff8494c650>] sch_direct_xmit+0x2a0/0x9c0 net/sched/sch_generic.c:342
+[<ffffffff8494d883>] qdisc_restart net/sched/sch_generic.c:407 [inline]
+[<ffffffff8494d883>] __qdisc_run+0xb13/0x1e70 net/sched/sch_generic.c:415
+[<ffffffff8478c426>] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125
+[<ffffffff84796eac>] net_tx_action+0x7ac/0x940 net/core/dev.c:5247
+[<ffffffff858002bd>] __do_softirq+0x2bd/0x9bd kernel/softirq.c:599
+[<ffffffff814c3fe8>] invoke_softirq kernel/softirq.c:430 [inline]
+[<ffffffff814c3fe8>] __irq_exit_rcu+0xc8/0x170 kernel/softirq.c:683
+[<ffffffff814c3f09>] irq_exit_rcu+0x9/0x20 kernel/softirq.c:695
+
+Fixes: 7ad6848c7e81 ("ip: fix mc_loop checks for tunnels with multicast outer addresses")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20230830101244.1146934-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index fc475845c94d5..fa988063630db 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -761,7 +761,8 @@ bool sk_mc_loop(struct sock *sk)
+               return false;
+       if (!sk)
+               return true;
+-      switch (sk->sk_family) {
++      /* IPV6_ADDRFORM can change sk->sk_family under us. */
++      switch (READ_ONCE(sk->sk_family)) {
+       case AF_INET:
+               return inet_sk(sk)->mc_loop;
+ #if IS_ENABLED(CONFIG_IPV6)
+-- 
+2.40.1
+
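Review bot: The `READ_ONCE(sk->sk_family)` in sk_mc_loop() annotates only the reader. The new comment names IPV6_ADDRFORM as the writer, but this patch does not touch that side, so it is worth confirming the store there is a matching `WRITE_ONCE()` and recording the pairing, e.g. `/* Paired with the sk_family store in IPV6_ADDRFORM handling; family may change under us. */`. The case bodies still dereference per-family socket state after the single read (`inet_sk(sk)->mc_loop` is visible), so the snapshot guarantees a consistent branch choice, not that the socket still has that family when the field is read. The rest of the switch is outside the hunk.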
diff --git a/queue-6.1/net-sched-fq_pie-avoid-stalls-in-fq_pie_timer.patch b/queue-6.1/net-sched-fq_pie-avoid-stalls-in-fq_pie_timer.patch
new file mode 100644 (file)
index 0000000..1057931
--- /dev/null
@@ -0,0 +1,116 @@
+From b423f4e2c872f9a099a3006bfa209d08242e1fe8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Aug 2023 12:35:41 +0000
+Subject: net/sched: fq_pie: avoid stalls in fq_pie_timer()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8c21ab1bae945686c602c5bfa4e3f3352c2452c5 ]
+
+When setting a high number of flows (limit being 65536),
+fq_pie_timer() is currently using too much time as syzbot reported.
+
+Add logic to yield the cpu every 2048 flows (less than 150 usec
+on debug kernels).
+It should also help by not blocking qdisc fast paths for too long.
+Worst case (65536 flows) would need 31 jiffies for a complete scan.
+
+Relevant extract from syzbot report:
+
+rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 0-.... } 2663 jiffies s: 873 root: 0x1/.
+rcu: blocking rcu_node structures (internal RCU debug):
+Sending NMI from CPU 1 to CPUs 0:
+NMI backtrace for cpu 0
+CPU: 0 PID: 5177 Comm: syz-executor273 Not tainted 6.5.0-syzkaller-00453-g727dbda16b83 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
+RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]
+RIP: 0010:write_comp_data+0x21/0x90 kernel/kcov.c:236
+Code: 2e 0f 1f 84 00 00 00 00 00 65 8b 05 01 b2 7d 7e 49 89 f1 89 c6 49 89 d2 81 e6 00 01 00 00 49 89 f8 65 48 8b 14 25 80 b9 03 00 <a9> 00 01 ff 00 74 0e 85 f6 74 59 8b 82 04 16 00 00 85 c0 74 4f 8b
+RSP: 0018:ffffc90000007bb8 EFLAGS: 00000206
+RAX: 0000000000000101 RBX: ffffc9000dc0d140 RCX: ffffffff885893b0
+RDX: ffff88807c075940 RSI: 0000000000000100 RDI: 0000000000000001
+RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000dc0d178
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+FS:  0000555555d54380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f6b442f6130 CR3: 000000006fe1c000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <NMI>
+ </NMI>
+ <IRQ>
+ pie_calculate_probability+0x480/0x850 net/sched/sch_pie.c:415
+ fq_pie_timer+0x1da/0x4f0 net/sched/sch_fq_pie.c:387
+ call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700
+
+Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler")
+Link: https://lore.kernel.org/lkml/00000000000017ad3f06040bf394@google.com/
+Reported-by: syzbot+e46fbd5289363464bc13@syzkaller.appspotmail.com
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://lore.kernel.org/r/20230829123541.3745013-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_fq_pie.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/net/sched/sch_fq_pie.c b/net/sched/sch_fq_pie.c
+index 591d87d5e5c0f..68e6acd0f130d 100644
+--- a/net/sched/sch_fq_pie.c
++++ b/net/sched/sch_fq_pie.c
+@@ -61,6 +61,7 @@ struct fq_pie_sched_data {
+       struct pie_params p_params;
+       u32 ecn_prob;
+       u32 flows_cnt;
++      u32 flows_cursor;
+       u32 quantum;
+       u32 memory_limit;
+       u32 new_flow_count;
+@@ -375,22 +376,32 @@ static int fq_pie_change(struct Qdisc *sch, struct nlattr *opt,
+ static void fq_pie_timer(struct timer_list *t)
+ {
+       struct fq_pie_sched_data *q = from_timer(q, t, adapt_timer);
++      unsigned long next, tupdate;
+       struct Qdisc *sch = q->sch;
+       spinlock_t *root_lock; /* to lock qdisc for probability calculations */
+-      u32 idx;
++      int max_cnt, i;
+       rcu_read_lock();
+       root_lock = qdisc_lock(qdisc_root_sleeping(sch));
+       spin_lock(root_lock);
+-      for (idx = 0; idx < q->flows_cnt; idx++)
+-              pie_calculate_probability(&q->p_params, &q->flows[idx].vars,
+-                                        q->flows[idx].backlog);
+-
+-      /* reset the timer to fire after 'tupdate' jiffies. */
+-      if (q->p_params.tupdate)
+-              mod_timer(&q->adapt_timer, jiffies + q->p_params.tupdate);
++      /* Limit this expensive loop to 2048 flows per round. */
++      max_cnt = min_t(int, q->flows_cnt - q->flows_cursor, 2048);
++      for (i = 0; i < max_cnt; i++) {
++              pie_calculate_probability(&q->p_params,
++                                        &q->flows[q->flows_cursor].vars,
++                                        q->flows[q->flows_cursor].backlog);
++              q->flows_cursor++;
++      }
++      tupdate = q->p_params.tupdate;
++      next = 0;
++      if (q->flows_cursor >= q->flows_cnt) {
++              q->flows_cursor = 0;
++              next = tupdate;
++      }
++      if (tupdate)
++              mod_timer(&q->adapt_timer, jiffies + next);
+       spin_unlock(root_lock);
+       rcu_read_unlock();
+ }
+-- 
+2.40.1
+
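Review bot: In fq_pie_timer() the batch size `2048` is a bare literal, and the bound `min_t(int, q->flows_cnt - q->flows_cursor, 2048)` relies on `flows_cursor <= flows_cnt` without saying so. Both fields are `u32`, so a cursor past the count would wrap, and for realistic counts it is harmless only because the cast to `int` makes the value negative and the loop is skipped. A named constant (for example `#define FQ_PIE_TIMER_BATCH 2048`, the name being a suggestion) and a comment stating the invariant would make this easier to audit; whether `flows_cnt` can change during a scan depends on fq_pie_change(), which is outside the hunk. When the scan is incomplete `next` stays 0 and the timer is re-armed for `jiffies + 0`, which deserves a short comment saying the continuation on the next tick is intentional.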
diff --git a/queue-6.1/net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch b/queue-6.1/net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch
new file mode 100644 (file)
index 0000000..2853045
--- /dev/null
@@ -0,0 +1,242 @@
+From ff390dfce881fd91e1a474d4864d37d6c6b3c4f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 12:22:37 -0400
+Subject: net: sched: sch_qfq: Fix UAF in qfq_dequeue()
+
+From: valis <sec@valis.email>
+
+[ Upstream commit 8fc134fee27f2263988ae38920bc03da416b03d8 ]
+
+When the plug qdisc is used as a class of the qfq qdisc it could trigger a
+UAF. This issue can be reproduced with following commands:
+
+  tc qdisc add dev lo root handle 1: qfq
+  tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512
+  tc qdisc add dev lo parent 1:1 handle 2: plug
+  tc filter add dev lo parent 1: basic classid 1:1
+  ping -c1 127.0.0.1
+
+and boom:
+
+[  285.353793] BUG: KASAN: slab-use-after-free in qfq_dequeue+0xa7/0x7f0
+[  285.354910] Read of size 4 at addr ffff8880bad312a8 by task ping/144
+[  285.355903]
+[  285.356165] CPU: 1 PID: 144 Comm: ping Not tainted 6.5.0-rc3+ #4
+[  285.357112] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
+[  285.358376] Call Trace:
+[  285.358773]  <IRQ>
+[  285.359109]  dump_stack_lvl+0x44/0x60
+[  285.359708]  print_address_description.constprop.0+0x2c/0x3c0
+[  285.360611]  kasan_report+0x10c/0x120
+[  285.361195]  ? qfq_dequeue+0xa7/0x7f0
+[  285.361780]  qfq_dequeue+0xa7/0x7f0
+[  285.362342]  __qdisc_run+0xf1/0x970
+[  285.362903]  net_tx_action+0x28e/0x460
+[  285.363502]  __do_softirq+0x11b/0x3de
+[  285.364097]  do_softirq.part.0+0x72/0x90
+[  285.364721]  </IRQ>
+[  285.365072]  <TASK>
+[  285.365422]  __local_bh_enable_ip+0x77/0x90
+[  285.366079]  __dev_queue_xmit+0x95f/0x1550
+[  285.366732]  ? __pfx_csum_and_copy_from_iter+0x10/0x10
+[  285.367526]  ? __pfx___dev_queue_xmit+0x10/0x10
+[  285.368259]  ? __build_skb_around+0x129/0x190
+[  285.368960]  ? ip_generic_getfrag+0x12c/0x170
+[  285.369653]  ? __pfx_ip_generic_getfrag+0x10/0x10
+[  285.370390]  ? csum_partial+0x8/0x20
+[  285.370961]  ? raw_getfrag+0xe5/0x140
+[  285.371559]  ip_finish_output2+0x539/0xa40
+[  285.372222]  ? __pfx_ip_finish_output2+0x10/0x10
+[  285.372954]  ip_output+0x113/0x1e0
+[  285.373512]  ? __pfx_ip_output+0x10/0x10
+[  285.374130]  ? icmp_out_count+0x49/0x60
+[  285.374739]  ? __pfx_ip_finish_output+0x10/0x10
+[  285.375457]  ip_push_pending_frames+0xf3/0x100
+[  285.376173]  raw_sendmsg+0xef5/0x12d0
+[  285.376760]  ? do_syscall_64+0x40/0x90
+[  285.377359]  ? __static_call_text_end+0x136578/0x136578
+[  285.378173]  ? do_syscall_64+0x40/0x90
+[  285.378772]  ? kasan_enable_current+0x11/0x20
+[  285.379469]  ? __pfx_raw_sendmsg+0x10/0x10
+[  285.380137]  ? __sock_create+0x13e/0x270
+[  285.380673]  ? __sys_socket+0xf3/0x180
+[  285.381174]  ? __x64_sys_socket+0x3d/0x50
+[  285.381725]  ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[  285.382425]  ? __rcu_read_unlock+0x48/0x70
+[  285.382975]  ? ip4_datagram_release_cb+0xd8/0x380
+[  285.383608]  ? __pfx_ip4_datagram_release_cb+0x10/0x10
+[  285.384295]  ? preempt_count_sub+0x14/0xc0
+[  285.384844]  ? __list_del_entry_valid+0x76/0x140
+[  285.385467]  ? _raw_spin_lock_bh+0x87/0xe0
+[  285.386014]  ? __pfx__raw_spin_lock_bh+0x10/0x10
+[  285.386645]  ? release_sock+0xa0/0xd0
+[  285.387148]  ? preempt_count_sub+0x14/0xc0
+[  285.387712]  ? freeze_secondary_cpus+0x348/0x3c0
+[  285.388341]  ? aa_sk_perm+0x177/0x390
+[  285.388856]  ? __pfx_aa_sk_perm+0x10/0x10
+[  285.389441]  ? check_stack_object+0x22/0x70
+[  285.390032]  ? inet_send_prepare+0x2f/0x120
+[  285.390603]  ? __pfx_inet_sendmsg+0x10/0x10
+[  285.391172]  sock_sendmsg+0xcc/0xe0
+[  285.391667]  __sys_sendto+0x190/0x230
+[  285.392168]  ? __pfx___sys_sendto+0x10/0x10
+[  285.392727]  ? kvm_clock_get_cycles+0x14/0x30
+[  285.393328]  ? set_normalized_timespec64+0x57/0x70
+[  285.393980]  ? _raw_spin_unlock_irq+0x1b/0x40
+[  285.394578]  ? __x64_sys_clock_gettime+0x11c/0x160
+[  285.395225]  ? __pfx___x64_sys_clock_gettime+0x10/0x10
+[  285.395908]  ? _copy_to_user+0x3e/0x60
+[  285.396432]  ? exit_to_user_mode_prepare+0x1a/0x120
+[  285.397086]  ? syscall_exit_to_user_mode+0x22/0x50
+[  285.397734]  ? do_syscall_64+0x71/0x90
+[  285.398258]  __x64_sys_sendto+0x74/0x90
+[  285.398786]  do_syscall_64+0x64/0x90
+[  285.399273]  ? exit_to_user_mode_prepare+0x1a/0x120
+[  285.399949]  ? syscall_exit_to_user_mode+0x22/0x50
+[  285.400605]  ? do_syscall_64+0x71/0x90
+[  285.401124]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[  285.401807] RIP: 0033:0x495726
+[  285.402233] Code: ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 09
+[  285.404683] RSP: 002b:00007ffcc25fb618 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+[  285.405677] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 0000000000495726
+[  285.406628] RDX: 0000000000000040 RSI: 0000000002518750 RDI: 0000000000000000
+[  285.407565] RBP: 00000000005205ef R08: 00000000005f8838 R09: 000000000000001c
+[  285.408523] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000002517634
+[  285.409460] R13: 00007ffcc25fb6f0 R14: 0000000000000003 R15: 0000000000000000
+[  285.410403]  </TASK>
+[  285.410704]
+[  285.410929] Allocated by task 144:
+[  285.411402]  kasan_save_stack+0x1e/0x40
+[  285.411926]  kasan_set_track+0x21/0x30
+[  285.412442]  __kasan_slab_alloc+0x55/0x70
+[  285.412973]  kmem_cache_alloc_node+0x187/0x3d0
+[  285.413567]  __alloc_skb+0x1b4/0x230
+[  285.414060]  __ip_append_data+0x17f7/0x1b60
+[  285.414633]  ip_append_data+0x97/0xf0
+[  285.415144]  raw_sendmsg+0x5a8/0x12d0
+[  285.415640]  sock_sendmsg+0xcc/0xe0
+[  285.416117]  __sys_sendto+0x190/0x230
+[  285.416626]  __x64_sys_sendto+0x74/0x90
+[  285.417145]  do_syscall_64+0x64/0x90
+[  285.417624]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[  285.418306]
+[  285.418531] Freed by task 144:
+[  285.418960]  kasan_save_stack+0x1e/0x40
+[  285.419469]  kasan_set_track+0x21/0x30
+[  285.419988]  kasan_save_free_info+0x27/0x40
+[  285.420556]  ____kasan_slab_free+0x109/0x1a0
+[  285.421146]  kmem_cache_free+0x1c2/0x450
+[  285.421680]  __netif_receive_skb_core+0x2ce/0x1870
+[  285.422333]  __netif_receive_skb_one_core+0x97/0x140
+[  285.423003]  process_backlog+0x100/0x2f0
+[  285.423537]  __napi_poll+0x5c/0x2d0
+[  285.424023]  net_rx_action+0x2be/0x560
+[  285.424510]  __do_softirq+0x11b/0x3de
+[  285.425034]
+[  285.425254] The buggy address belongs to the object at ffff8880bad31280
+[  285.425254]  which belongs to the cache skbuff_head_cache of size 224
+[  285.426993] The buggy address is located 40 bytes inside of
+[  285.426993]  freed 224-byte region [ffff8880bad31280, ffff8880bad31360)
+[  285.428572]
+[  285.428798] The buggy address belongs to the physical page:
+[  285.429540] page:00000000f4b77674 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbad31
+[  285.430758] flags: 0x100000000000200(slab|node=0|zone=1)
+[  285.431447] page_type: 0xffffffff()
+[  285.431934] raw: 0100000000000200 ffff88810094a8c0 dead000000000122 0000000000000000
+[  285.432757] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+[  285.433562] page dumped because: kasan: bad access detected
+[  285.434144]
+[  285.434320] Memory state around the buggy address:
+[  285.434828]  ffff8880bad31180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  285.435580]  ffff8880bad31200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  285.436264] >ffff8880bad31280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[  285.436777]                                   ^
+[  285.437106]  ffff8880bad31300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+[  285.437616]  ffff8880bad31380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  285.438126] ==================================================================
+[  285.438662] Disabling lock debugging due to kernel taint
+
+Fix this by:
+1. Changing sch_plug's .peek handler to qdisc_peek_dequeued(), a
+function compatible with non-work-conserving qdiscs
+2. Checking the return value of qdisc_dequeue_peeked() in sch_qfq.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: valis <sec@valis.email>
+Signed-off-by: valis <sec@valis.email>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://lore.kernel.org/r/20230901162237.11525-1-jhs@mojatatu.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_plug.c |  2 +-
+ net/sched/sch_qfq.c  | 22 +++++++++++++++++-----
+ 2 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/net/sched/sch_plug.c b/net/sched/sch_plug.c
+index ea8c4a7174bba..35f49edf63dbf 100644
+--- a/net/sched/sch_plug.c
++++ b/net/sched/sch_plug.c
+@@ -207,7 +207,7 @@ static struct Qdisc_ops plug_qdisc_ops __read_mostly = {
+       .priv_size   =       sizeof(struct plug_sched_data),
+       .enqueue     =       plug_enqueue,
+       .dequeue     =       plug_dequeue,
+-      .peek        =       qdisc_peek_head,
++      .peek        =       qdisc_peek_dequeued,
+       .init        =       plug_init,
+       .change      =       plug_change,
+       .reset       =       qdisc_reset_queue,
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index e150d08f182d8..ed01634af82c2 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -973,10 +973,13 @@ static void qfq_update_eligible(struct qfq_sched *q)
+ }
+ /* Dequeue head packet of the head class in the DRR queue of the aggregate. */
+-static void agg_dequeue(struct qfq_aggregate *agg,
+-                      struct qfq_class *cl, unsigned int len)
++static struct sk_buff *agg_dequeue(struct qfq_aggregate *agg,
++                                 struct qfq_class *cl, unsigned int len)
+ {
+-      qdisc_dequeue_peeked(cl->qdisc);
++      struct sk_buff *skb = qdisc_dequeue_peeked(cl->qdisc);
++
++      if (!skb)
++              return NULL;
+       cl->deficit -= (int) len;
+@@ -986,6 +989,8 @@ static void agg_dequeue(struct qfq_aggregate *agg,
+               cl->deficit += agg->lmax;
+               list_move_tail(&cl->alist, &agg->active);
+       }
++
++      return skb;
+ }
+ static inline struct sk_buff *qfq_peek_skb(struct qfq_aggregate *agg,
+@@ -1131,11 +1136,18 @@ static struct sk_buff *qfq_dequeue(struct Qdisc *sch)
+       if (!skb)
+               return NULL;
+-      qdisc_qstats_backlog_dec(sch, skb);
+       sch->q.qlen--;
++
++      skb = agg_dequeue(in_serv_agg, cl, len);
++
++      if (!skb) {
++              sch->q.qlen++;
++              return NULL;
++      }
++
++      qdisc_qstats_backlog_dec(sch, skb);
+       qdisc_bstats_update(sch, skb);
+-      agg_dequeue(in_serv_agg, cl, len);
+       /* If lmax is lowered, through qfq_change_class, for a class
+        * owning pending packets with larger size than the new value
+        * of lmax, then the following condition may hold.
+-- 
+2.40.1
+
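Review bot: In qfq_dequeue() `sch->q.qlen--` now runs before agg_dequeue() and is undone with `sch->q.qlen++` when that returns NULL. Moving the decrement below the `if (!skb)` check, next to `qdisc_qstats_backlog_dec(sch, skb)`, would avoid the transiently wrong queue length and the undo branch; the visible part of agg_dequeue() does not read `sch->q.qlen`, but its middle lies between the two hunks. The NULL branch also deserves a comment, e.g. `/* peek succeeded but the child handed out no packet; leave accounting untouched */`, because this is the path that closes the use-after-free described in the commit message. Both functions extend beyond the hunks shown.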
diff --git a/queue-6.1/net-use-sk_forward_alloc_get-in-sk_get_meminfo.patch b/queue-6.1/net-use-sk_forward_alloc_get-in-sk_get_meminfo.patch
new file mode 100644 (file)
index 0000000..cf6da64
--- /dev/null
@@ -0,0 +1,36 @@
+From bdab86b7b4b5f2c2a174840ec9ac3e6fdb48f082 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 13:52:08 +0000
+Subject: net: use sk_forward_alloc_get() in sk_get_meminfo()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 66d58f046c9d3a8f996b7138d02e965fd0617de0 ]
+
+inet_sk_diag_fill() has been changed to use sk_forward_alloc_get(),
+but sk_get_meminfo() was forgotten.
+
+Fixes: 292e6077b040 ("net: introduce sk_forward_alloc_get()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index fa988063630db..6ff58fa5f41ed 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -3715,7 +3715,7 @@ void sk_get_meminfo(const struct sock *sk, u32 *mem)
+       mem[SK_MEMINFO_RCVBUF] = READ_ONCE(sk->sk_rcvbuf);
+       mem[SK_MEMINFO_WMEM_ALLOC] = sk_wmem_alloc_get(sk);
+       mem[SK_MEMINFO_SNDBUF] = READ_ONCE(sk->sk_sndbuf);
+-      mem[SK_MEMINFO_FWD_ALLOC] = sk->sk_forward_alloc;
++      mem[SK_MEMINFO_FWD_ALLOC] = sk_forward_alloc_get(sk);
+       mem[SK_MEMINFO_WMEM_QUEUED] = READ_ONCE(sk->sk_wmem_queued);
+       mem[SK_MEMINFO_OPTMEM] = atomic_read(&sk->sk_omem_alloc);
+       mem[SK_MEMINFO_BACKLOG] = READ_ONCE(sk->sk_backlog.len);
+-- 
+2.40.1
+
diff --git a/queue-6.1/netfilter-nfnetlink_osf-avoid-oob-read.patch b/queue-6.1/netfilter-nfnetlink_osf-avoid-oob-read.patch
new file mode 100644 (file)
index 0000000..02b6289
--- /dev/null
@@ -0,0 +1,59 @@
+From f742fd436f3d7d37e5f9a96087778510d51e65d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 10:50:20 -0300
+Subject: netfilter: nfnetlink_osf: avoid OOB read
+
+From: Wander Lairson Costa <wander@redhat.com>
+
+[ Upstream commit f4f8a7803119005e87b716874bec07c751efafec ]
+
+The opt_num field is controlled by user mode and is not currently
+validated inside the kernel. An attacker can take advantage of this to
+trigger an OOB read and potentially leak information.
+
+BUG: KASAN: slab-out-of-bounds in nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
+Read of size 2 at addr ffff88804bc64272 by task poc/6431
+
+CPU: 1 PID: 6431 Comm: poc Not tainted 6.0.0-rc4 #1
+Call Trace:
+ nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
+ nf_osf_find+0x186/0x2f0 net/netfilter/nfnetlink_osf.c:281
+ nft_osf_eval+0x37f/0x590 net/netfilter/nft_osf.c:47
+ expr_call_ops_eval net/netfilter/nf_tables_core.c:214
+ nft_do_chain+0x2b0/0x1490 net/netfilter/nf_tables_core.c:264
+ nft_do_chain_ipv4+0x17c/0x1f0 net/netfilter/nft_chain_filter.c:23
+ [..]
+
+Also add validation to genre, subtype and version fields.
+
+Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
+Reported-by: Lucas Leong <wmliang@infosec.exchange>
+Signed-off-by: Wander Lairson Costa <wander@redhat.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_osf.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
+index 8f1bfa6ccc2d9..50723ba082890 100644
+--- a/net/netfilter/nfnetlink_osf.c
++++ b/net/netfilter/nfnetlink_osf.c
+@@ -315,6 +315,14 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
+       f = nla_data(osf_attrs[OSF_ATTR_FINGER]);
++      if (f->opt_num > ARRAY_SIZE(f->opt))
++              return -EINVAL;
++
++      if (!memchr(f->genre, 0, MAXGENRELEN) ||
++          !memchr(f->subtype, 0, MAXGENRELEN) ||
++          !memchr(f->version, 0, MAXGENRELEN))
++              return -EINVAL;
++
+       kf = kmalloc(sizeof(struct nf_osf_finger), GFP_KERNEL);
+       if (!kf)
+               return -ENOMEM;
+-- 
+2.40.1
+
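Review bot: In the `nfnl_osf_add_callback` hunk the three `memchr()` checks bound every field with `MAXGENRELEN` instead of the size of the field being scanned, so a check would stop matching its buffer if one of those arrays were ever resized. Assuming `genre`, `subtype` and `version` are arrays in the fingerprint struct, `!memchr(f->genre, 0, sizeof(f->genre))` (and likewise for the other two) ties each bound to its own field, the way the `opt_num` check already does with `ARRAY_SIZE(f->opt)`. A comment above the block such as `/* f comes straight from the netlink attribute: reject counts and unterminated strings before copying */` would record why the checks sit ahead of the `kmalloc()`. The function starts and ends outside the hunk, so whether the attribute length is compared with the struct size before `nla_data()` is used cannot be confirmed from here.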
diff --git a/queue-6.1/netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch b/queue-6.1/netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch
new file mode 100644 (file)
index 0000000..87bf3f6
--- /dev/null
@@ -0,0 +1,96 @@
+From 2eea3c0a1859b417942a83d031e8b8068044d096 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 23:13:56 +0200
+Subject: netfilter: nftables: exthdr: fix 4-byte stack OOB write
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit fd94d9dadee58e09b49075240fe83423eb1dcd36 ]
+
+If priv->len is a multiple of 4, then dst[len / 4] can write past
+the destination array which leads to stack corruption.
+
+This construct is necessary to clean the remainder of the register
+in case ->len is NOT a multiple of the register size, so make it
+conditional just like nft_payload.c does.
+
+The bug was added in 4.1 cycle and then copied/inherited when
+tcp/sctp and ip option support was added.
+
+Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
+ZDI-CAN-21951, ZDI-CAN-21961).
+
+Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
+Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching")
+Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
+Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_exthdr.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
+index c307c57a93e57..efb50c2b41f32 100644
+--- a/net/netfilter/nft_exthdr.c
++++ b/net/netfilter/nft_exthdr.c
+@@ -35,6 +35,14 @@ static unsigned int optlen(const u8 *opt, unsigned int offset)
+               return opt[offset + 1];
+ }
++static int nft_skb_copy_to_reg(const struct sk_buff *skb, int offset, u32 *dest, unsigned int len)
++{
++      if (len % NFT_REG32_SIZE)
++              dest[len / NFT_REG32_SIZE] = 0;
++
++      return skb_copy_bits(skb, offset, dest, len);
++}
++
+ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
+                                struct nft_regs *regs,
+                                const struct nft_pktinfo *pkt)
+@@ -56,8 +64,7 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
+       }
+       offset += priv->offset;
+-      dest[priv->len / NFT_REG32_SIZE] = 0;
+-      if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
++      if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)
+               goto err;
+       return;
+ err:
+@@ -153,8 +160,7 @@ static void nft_exthdr_ipv4_eval(const struct nft_expr *expr,
+       }
+       offset += priv->offset;
+-      dest[priv->len / NFT_REG32_SIZE] = 0;
+-      if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
++      if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)
+               goto err;
+       return;
+ err:
+@@ -210,7 +216,8 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
+               if (priv->flags & NFT_EXTHDR_F_PRESENT) {
+                       *dest = 1;
+               } else {
+-                      dest[priv->len / NFT_REG32_SIZE] = 0;
++                      if (priv->len % NFT_REG32_SIZE)
++                              dest[priv->len / NFT_REG32_SIZE] = 0;
+                       memcpy(dest, opt + offset, priv->len);
+               }
+@@ -388,9 +395,8 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,
+                           offset + ntohs(sch->length) > pkt->skb->len)
+                               break;
+-                      dest[priv->len / NFT_REG32_SIZE] = 0;
+-                      if (skb_copy_bits(pkt->skb, offset + priv->offset,
+-                                        dest, priv->len) < 0)
++                      if (nft_skb_copy_to_reg(pkt->skb, offset + priv->offset,
++                                              dest, priv->len) < 0)
+                               break;
+                       return;
+               }
+-- 
+2.40.1
+
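Review bot: The new helper `nft_skb_copy_to_reg()` has no comment explaining why the trailing register is cleared only when `len` is not a multiple of `NFT_REG32_SIZE`, although that condition is the entire fix. I would add above it `/* Clear the last, partially filled register; when len is register-aligned, dest[len / NFT_REG32_SIZE] lies past the destination and must not be written. */`. The `nft_exthdr_tcp_eval` hunk open-codes the same condition before its `memcpy()`, so the two sites can drift apart; a small shared inline for the zeroing step would keep them identical. The helper's signature line is also longer than 80 columns and could wrap after `int offset,`. All four eval functions start and end outside the hunks shown.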
diff --git a/queue-6.1/octeontx2-af-fix-truncation-of-smq-in-cn10k-nix-aq-e.patch b/queue-6.1/octeontx2-af-fix-truncation-of-smq-in-cn10k-nix-aq-e.patch
new file mode 100644 (file)
index 0000000..229c93d
--- /dev/null
@@ -0,0 +1,81 @@
+From aaf50b6d8c856ce495fcdfef8bb064d4c130b782 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 12:18:16 +0530
+Subject: octeontx2-af: Fix truncation of smq in CN10K NIX AQ enqueue mbox
+ handler
+
+From: Geetha sowjanya <gakula@marvell.com>
+
+[ Upstream commit 29fe7a1b62717d58f033009874554d99d71f7d37 ]
+
+The smq value used in the CN10K NIX AQ instruction enqueue mailbox
+handler was truncated to 9-bit value from 10-bit value because of
+typecasting the CN10K mbox request structure to the CN9K structure.
+Though this hasn't caused any problems when programming the NIX SQ
+context to the HW because the context structure is the same size.
+However, this causes a problem when accessing the structure parameters.
+This patch reads the right smq value for each platform.
+
+Fixes: 30077d210c83 ("octeontx2-af: cn10k: Update NIX/NPA context structure")
+Signed-off-by: Geetha sowjanya <gakula@marvell.com>
+Signed-off-by: Sunil Kovvuri Goutham <sgoutham@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/marvell/octeontx2/af/rvu_nix.c   | 21 +++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
+index c85e0180d96da..1f3a8cf42765e 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
+@@ -834,6 +834,21 @@ static int nix_aq_enqueue_wait(struct rvu *rvu, struct rvu_block *block,
+       return 0;
+ }
++static void nix_get_aq_req_smq(struct rvu *rvu, struct nix_aq_enq_req *req,
++                             u16 *smq, u16 *smq_mask)
++{
++      struct nix_cn10k_aq_enq_req *aq_req;
++
++      if (!is_rvu_otx2(rvu)) {
++              aq_req = (struct nix_cn10k_aq_enq_req *)req;
++              *smq = aq_req->sq.smq;
++              *smq_mask = aq_req->sq_mask.smq;
++      } else {
++              *smq = req->sq.smq;
++              *smq_mask = req->sq_mask.smq;
++      }
++}
++
+ static int rvu_nix_blk_aq_enq_inst(struct rvu *rvu, struct nix_hw *nix_hw,
+                                  struct nix_aq_enq_req *req,
+                                  struct nix_aq_enq_rsp *rsp)
+@@ -845,6 +860,7 @@ static int rvu_nix_blk_aq_enq_inst(struct rvu *rvu, struct nix_hw *nix_hw,
+       struct rvu_block *block;
+       struct admin_queue *aq;
+       struct rvu_pfvf *pfvf;
++      u16 smq, smq_mask;
+       void *ctx, *mask;
+       bool ena;
+       u64 cfg;
+@@ -916,13 +932,14 @@ static int rvu_nix_blk_aq_enq_inst(struct rvu *rvu, struct nix_hw *nix_hw,
+       if (rc)
+               return rc;
++      nix_get_aq_req_smq(rvu, req, &smq, &smq_mask);
+       /* Check if SQ pointed SMQ belongs to this PF/VF or not */
+       if (req->ctype == NIX_AQ_CTYPE_SQ &&
+           ((req->op == NIX_AQ_INSTOP_INIT && req->sq.ena) ||
+            (req->op == NIX_AQ_INSTOP_WRITE &&
+-            req->sq_mask.ena && req->sq_mask.smq && req->sq.ena))) {
++            req->sq_mask.ena && req->sq.ena && smq_mask))) {
+               if (!is_valid_txschq(rvu, blkaddr, NIX_TXSCH_LVL_SMQ,
+-                                   pcifunc, req->sq.smq))
++                                   pcifunc, smq))
+                       return NIX_AF_ERR_AQ_ENQUEUE;
+       }
+-- 
+2.40.1
+
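Review bot: `nix_get_aq_req_smq()` is called in `rvu_nix_blk_aq_enq_inst()` before the `req->ctype == NIX_AQ_CTYPE_SQ` test, so `sq.smq` and `sq_mask.smq` are read for every context type, including requests that presumably carry a different context in that space. The values are only consumed inside the SQ condition, so nothing is validated with them by mistake, but a comment on the call such as `/* smq and smq_mask are only meaningful when ctype is NIX_AQ_CTYPE_SQ */` would make that explicit. The cast to `struct nix_cn10k_aq_enq_req *` in the helper also assumes the mailbox message is at least that large on CN10K; a one-line comment saying where that is guaranteed would help, since it is not visible in the hunk. The body of `rvu_nix_blk_aq_enq_inst()` continues outside the hunks.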
diff --git a/queue-6.1/perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch b/queue-6.1/perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch
new file mode 100644 (file)
index 0000000..ee542f5
--- /dev/null
@@ -0,0 +1,114 @@
+From 2b617f4d0d1cdcf295794dea2f9af371d2d07a13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Aug 2023 18:22:14 -0300
+Subject: perf annotate bpf: Don't enclose non-debug code with an assert()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 979e9c9fc9c2a761303585e07fe2699bdd88182f ]
+
+In 616b14b47a86d880 ("perf build: Conditionally define NDEBUG") we
+started using NDEBUG=1 when DEBUG=1 isn't present, so code that is
+enclosed with assert() is not called.
+
+In dd317df072071903 ("perf build: Make binutil libraries opt in") we
+stopped linking against binutils-devel, for licensing reasons.
+
+Recently people asked me why annotation of BPF programs wasn't working,
+i.e. this:
+
+  $ perf annotate bpf_prog_5280546344e3f45c_kfree_skb
+
+was returning:
+
+  case SYMBOL_ANNOTATE_ERRNO__NO_LIBOPCODES_FOR_BPF:
+     scnprintf(buf, buflen, "Please link with binutils's libopcode to enable BPF annotation");
+
+This was on a fedora rpm, so its new enough that I had to try to test by
+rebuilding using BUILD_NONDISTRO=1, only to get it segfaulting on me.
+
+This combination made this libopcode function not to be called:
+
+        assert(bfd_check_format(bfdf, bfd_object));
+
+Changing it to:
+
+       if (!bfd_check_format(bfdf, bfd_object))
+               abort();
+
+Made it work, looking at this "check" function made me realize it
+changes the 'bfdf' internal state, i.e. we better call it.
+
+So stop using assert() on it, just call it and abort if it fails.
+
+Probably it is better to propagate the error, etc, but it seems it is
+unlikely to fail from the usage done so far and we really need to stop
+using libopcodes, so do the quick fix above and move on.
+
+With it we have BPF annotation back working when built with
+BUILD_NONDISTRO=1:
+
+  â¬¢[acme@toolbox perf-tools-next]$ perf annotate --stdio2 bpf_prog_5280546344e3f45c_kfree_skb   | head
+  No kallsyms or vmlinux with build-id 939bc71a1a51cdc434e60af93c7e734f7d5c0e7e was found
+  Samples: 12  of event 'cpu-clock:ppp', 4000 Hz, Event count (approx.): 3000000, [percent: local period]
+  bpf_prog_5280546344e3f45c_kfree_skb() bpf_prog_5280546344e3f45c_kfree_skb
+  Percent      int kfree_skb(struct trace_event_raw_kfree_skb *args) {
+                 nop
+   33.33         xchg   %ax,%ax
+                 push   %rbp
+                 mov    %rsp,%rbp
+                 sub    $0x180,%rsp
+                 push   %rbx
+                 push   %r13
+  â¬¢[acme@toolbox perf-tools-next]$
+
+Fixes: 6987561c9e86eace ("perf annotate: Enable annotation of BPF programs")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Mohamed Mahmoud <mmahmoud@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Dave Tucker <datucker@redhat.com>
+Cc: Derek Barbosa <debarbos@redhat.com>
+Cc: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/lkml/ZMrMzoQBe0yqMek1@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/annotate.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
+index db475e44f42fa..a9122ea3b44c4 100644
+--- a/tools/perf/util/annotate.c
++++ b/tools/perf/util/annotate.c
+@@ -1756,8 +1756,11 @@ static int symbol__disassemble_bpf(struct symbol *sym,
+       perf_exe(tpath, sizeof(tpath));
+       bfdf = bfd_openr(tpath, NULL);
+-      assert(bfdf);
+-      assert(bfd_check_format(bfdf, bfd_object));
++      if (bfdf == NULL)
++              abort();
++
++      if (!bfd_check_format(bfdf, bfd_object))
++              abort();
+       s = open_memstream(&buf, &buf_size);
+       if (!s) {
+@@ -1805,7 +1808,8 @@ static int symbol__disassemble_bpf(struct symbol *sym,
+ #else
+       disassemble = disassembler(bfdf);
+ #endif
+-      assert(disassemble);
++      if (disassemble == NULL)
++              abort();
+       fflush(s);
+       do {
+-- 
+2.40.1
+
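Review bot: The replacement for `assert(bfd_check_format(bfdf, bfd_object))` in `symbol__disassemble_bpf()` has no comment saying the call is needed for its effect on `bfdf`, which the commit message gives as the reason the old assertion broke under NDEBUG. A line such as `/* bfd_check_format() also sets up bfdf's internal state, so it must run in every build */` above the check would keep a later cleanup from folding it back into an assertion. The three `abort()` calls also end perf without any diagnostic, while the `open_memstream()` failure right below them appears to take an error path; a short message before each abort would at least say which step failed. The function starts and ends outside the hunks.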
diff --git a/queue-6.1/perf-test-stat_bpf_counters_cgrp-enhance-perf-stat-c.patch b/queue-6.1/perf-test-stat_bpf_counters_cgrp-enhance-perf-stat-c.patch
new file mode 100644 (file)
index 0000000..81bf583
--- /dev/null
@@ -0,0 +1,51 @@
+From 2d78e79100d306e9766a7013037feb56b6e1763c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Aug 2023 09:41:52 -0700
+Subject: perf test stat_bpf_counters_cgrp: Enhance perf stat cgroup BPF
+ counter test
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit a84260e314029e6dc9904fd6eabf8d9fd7965351 ]
+
+It has system-wide test and cpu-list test but the cpu-list test fails
+sometimes.  It runs sleep command on CPU1 and measure both user.slice
+and system.slice cgroups by default (on systemd-based systems).
+
+But if the system was idle enough, sometime the system.slice gets no
+count and it makes the test failing.  Maybe that's because it only looks
+at the CPU1, let's add CPU0 to increase the chance it finds some tasks.
+
+Fixes: 7901086014bbaa3a ("perf test: Add a new test for perf stat cgroup BPF counter")
+Reported-by: Arnaldo Carvalho de Melo <acme@kernel.org>
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: bpf@vger.kernel.org
+Link: https://lore.kernel.org/r/20230825164152.165610-3-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/shell/stat_bpf_counters_cgrp.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/tests/shell/stat_bpf_counters_cgrp.sh b/tools/perf/tests/shell/stat_bpf_counters_cgrp.sh
+index a74440a00b6b6..e75d0780dc788 100755
+--- a/tools/perf/tests/shell/stat_bpf_counters_cgrp.sh
++++ b/tools/perf/tests/shell/stat_bpf_counters_cgrp.sh
+@@ -60,7 +60,7 @@ check_system_wide_counted()
+ check_cpu_list_counted()
+ {
+-      check_cpu_list_counted_output=$(perf stat -C 1 --bpf-counters --for-each-cgroup ${test_cgroups} -e cpu-clock -x, taskset -c 1 sleep 1  2>&1)
++      check_cpu_list_counted_output=$(perf stat -C 0,1 --bpf-counters --for-each-cgroup ${test_cgroups} -e cpu-clock -x, taskset -c 1 sleep 1  2>&1)
+       if echo ${check_cpu_list_counted_output} | grep -q -F "<not "; then
+               echo "Some CPU events are not counted"
+               if [ "${verbose}" = "1" ]; then
+-- 
+2.40.1
+
diff --git a/queue-6.1/perf-test-stat_bpf_counters_cgrp-fix-shellcheck-issu.patch b/queue-6.1/perf-test-stat_bpf_counters_cgrp-fix-shellcheck-issu.patch
new file mode 100644 (file)
index 0000000..fb3da0b
--- /dev/null
@@ -0,0 +1,121 @@
+From 6d26a3345533a7fa3ff2fb9740c929d1626c4453 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Jul 2023 23:57:39 +0530
+Subject: perf test stat_bpf_counters_cgrp: Fix shellcheck issue about logical
+ operators
+
+From: Kajol Jain <kjain@linux.ibm.com>
+
+[ Upstream commit 0dd1f815545d7210150642741c364521cc5cf116 ]
+
+Running shellcheck on lock_contention.sh generates below warning:
+
+In stat_bpf_counters_cgrp.sh line 28:
+       if [ -d /sys/fs/cgroup/system.slice -a -d /sys/fs/cgroup/user.slice ]; then
+                                            ^-- SC2166 (warning): Prefer [ p ] && [ q ] as [ p -a q ] is not well defined.
+
+In stat_bpf_counters_cgrp.sh line 34:
+       local self_cgrp=$(grep perf_event /proc/self/cgroup | cut -d: -f3)
+        ^-------------^ SC3043 (warning): In POSIX sh, 'local' is undefined.
+              ^-------^ SC2155 (warning): Declare and assign separately to avoid masking return values.
+                        ^-- SC2046 (warning): Quote this to prevent word splitting.
+
+In stat_bpf_counters_cgrp.sh line 51:
+       local output
+        ^----------^ SC3043 (warning): In POSIX sh, 'local' is undefined.
+
+In stat_bpf_counters_cgrp.sh line 65:
+       local output
+        ^----------^ SC3043 (warning): In POSIX sh, 'local' is undefined.
+
+Fixed above warnings by:
+- Changing the expression [p -a q] to [p] && [q].
+- Fixing shellcheck warnings for local usage, by prefixing
+  function name to the variable.
+
+Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
+Acked-by: Ian Rogers <irogers@google.com>
+Cc: Disha Goel <disgoel@linux.vnet.ibm.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: linuxppc-dev@lists.ozlabs.org
+Link: https://lore.kernel.org/r/20230709182800.53002-6-atrajeev@linux.vnet.ibm.com
+Signed-off-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Stable-dep-of: a84260e31402 ("perf test stat_bpf_counters_cgrp: Enhance perf stat cgroup BPF counter test")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../tests/shell/stat_bpf_counters_cgrp.sh     | 28 ++++++++-----------
+ 1 file changed, 12 insertions(+), 16 deletions(-)
+
+diff --git a/tools/perf/tests/shell/stat_bpf_counters_cgrp.sh b/tools/perf/tests/shell/stat_bpf_counters_cgrp.sh
+index d724855d097c2..a74440a00b6b6 100755
+--- a/tools/perf/tests/shell/stat_bpf_counters_cgrp.sh
++++ b/tools/perf/tests/shell/stat_bpf_counters_cgrp.sh
+@@ -25,22 +25,22 @@ check_bpf_counter()
+ find_cgroups()
+ {
+       # try usual systemd slices first
+-      if [ -d /sys/fs/cgroup/system.slice -a -d /sys/fs/cgroup/user.slice ]; then
++      if [ -d /sys/fs/cgroup/system.slice ] && [ -d /sys/fs/cgroup/user.slice ]; then
+               test_cgroups="system.slice,user.slice"
+               return
+       fi
+       # try root and self cgroups
+-      local self_cgrp=$(grep perf_event /proc/self/cgroup | cut -d: -f3)
+-      if [ -z ${self_cgrp} ]; then
++      find_cgroups_self_cgrp=$(grep perf_event /proc/self/cgroup | cut -d: -f3)
++      if [ -z ${find_cgroups_self_cgrp} ]; then
+               # cgroup v2 doesn't specify perf_event
+-              self_cgrp=$(grep ^0: /proc/self/cgroup | cut -d: -f3)
++              find_cgroups_self_cgrp=$(grep ^0: /proc/self/cgroup | cut -d: -f3)
+       fi
+-      if [ -z ${self_cgrp} ]; then
++      if [ -z ${find_cgroups_self_cgrp} ]; then
+               test_cgroups="/"
+       else
+-              test_cgroups="/,${self_cgrp}"
++              test_cgroups="/,${find_cgroups_self_cgrp}"
+       fi
+ }
+@@ -48,13 +48,11 @@ find_cgroups()
+ # Just check if it runs without failure and has non-zero results.
+ check_system_wide_counted()
+ {
+-      local output
+-
+-      output=$(perf stat -a --bpf-counters --for-each-cgroup ${test_cgroups} -e cpu-clock -x, sleep 1  2>&1)
+-      if echo ${output} | grep -q -F "<not "; then
++      check_system_wide_counted_output=$(perf stat -a --bpf-counters --for-each-cgroup ${test_cgroups} -e cpu-clock -x, sleep 1  2>&1)
++      if echo ${check_system_wide_counted_output} | grep -q -F "<not "; then
+               echo "Some system-wide events are not counted"
+               if [ "${verbose}" = "1" ]; then
+-                      echo ${output}
++                      echo ${check_system_wide_counted_output}
+               fi
+               exit 1
+       fi
+@@ -62,13 +60,11 @@ check_system_wide_counted()
+ check_cpu_list_counted()
+ {
+-      local output
+-
+-      output=$(perf stat -C 1 --bpf-counters --for-each-cgroup ${test_cgroups} -e cpu-clock -x, taskset -c 1 sleep 1  2>&1)
+-      if echo ${output} | grep -q -F "<not "; then
++      check_cpu_list_counted_output=$(perf stat -C 1 --bpf-counters --for-each-cgroup ${test_cgroups} -e cpu-clock -x, taskset -c 1 sleep 1  2>&1)
++      if echo ${check_cpu_list_counted_output} | grep -q -F "<not "; then
+               echo "Some CPU events are not counted"
+               if [ "${verbose}" = "1" ]; then
+-                      echo ${output}
++                      echo ${check_cpu_list_counted_output}
+               fi
+               exit 1
+       fi
+-- 
+2.40.1
+
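Review bot: The renamed tests `[ -z ${find_cgroups_self_cgrp} ]` in `find_cgroups()` still expand the variable unquoted, so an empty value collapses to `[ -z ]`, which is true only because a one-argument test checks that the string `-z` is non-empty, and a value containing whitespace would make `[` fail with too many arguments. Quoting it, `if [ -z "${find_cgroups_self_cgrp}" ]; then`, makes the test mean what it says. The same holds for `echo ${check_system_wide_counted_output}` and `echo ${check_cpu_list_counted_output}`, where word splitting flattens the multi-line perf output before `grep` and before the verbose dump. Dropping `local` also turns these variables into script globals, which a one-line comment in each function could note.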
diff --git a/queue-6.1/perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch b/queue-6.1/perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch
new file mode 100644 (file)
index 0000000..a363487
--- /dev/null
@@ -0,0 +1,85 @@
+From 4ff09af8c5815f6479cad971eca98f137420a5fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 09:11:21 -0300
+Subject: perf top: Don't pass an ERR_PTR() directly to perf_session__delete()
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit ef23cb593304bde0cc046fd4cc83ae7ea2e24f16 ]
+
+While debugging a segfault on 'perf lock contention' without an
+available perf.data file I noticed that it was basically calling:
+
+       perf_session__delete(ERR_PTR(-1))
+
+Resulting in:
+
+  (gdb) run lock contention
+  Starting program: /root/bin/perf lock contention
+  [Thread debugging using libthread_db enabled]
+  Using host libthread_db library "/lib64/libthread_db.so.1".
+  failed to open perf.data: No such file or directory  (try 'perf record' first)
+  Initializing perf session failed
+
+  Program received signal SIGSEGV, Segmentation fault.
+  0x00000000005e7515 in auxtrace__free (session=0xffffffffffffffff) at util/auxtrace.c:2858
+  2858         if (!session->auxtrace)
+  (gdb) p session
+  $1 = (struct perf_session *) 0xffffffffffffffff
+  (gdb) bt
+  #0  0x00000000005e7515 in auxtrace__free (session=0xffffffffffffffff) at util/auxtrace.c:2858
+  #1  0x000000000057bb4d in perf_session__delete (session=0xffffffffffffffff) at util/session.c:300
+  #2  0x000000000047c421 in __cmd_contention (argc=0, argv=0x7fffffffe200) at builtin-lock.c:2161
+  #3  0x000000000047dc95 in cmd_lock (argc=0, argv=0x7fffffffe200) at builtin-lock.c:2604
+  #4  0x0000000000501466 in run_builtin (p=0xe597a8 <commands+552>, argc=2, argv=0x7fffffffe200) at perf.c:322
+  #5  0x00000000005016d5 in handle_internal_command (argc=2, argv=0x7fffffffe200) at perf.c:375
+  #6  0x0000000000501824 in run_argv (argcp=0x7fffffffe02c, argv=0x7fffffffe020) at perf.c:419
+  #7  0x0000000000501b11 in main (argc=2, argv=0x7fffffffe200) at perf.c:535
+  (gdb)
+
+So just set it to NULL after using PTR_ERR(session) to decode the error
+as perf_session__delete(NULL) is supported.
+
+The same problem was found in 'perf top' after an audit of all
+perf_session__new() failure handling.
+
+Fixes: 6ef81c55a2b6584c ("perf session: Return error code for perf_session__new() function on failure")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Alexey Budankov <alexey.budankov@linux.intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jeremie Galarneau <jeremie.galarneau@efficios.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kate Stewart <kstewart@linuxfoundation.org>
+Cc: Mamatha Inamdar <mamatha4@linux.vnet.ibm.com>
+Cc: Mukesh Ojha <mojha@codeaurora.org>
+Cc: Nageswara R Sastry <rnsastry@linux.vnet.ibm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Cc: Shawn Landden <shawn@git.icu>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tzvetomir Stoyanov <tstoyanov@vmware.com>
+Link: https://lore.kernel.org/lkml/ZN4Q2rxxsL08A8rd@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-top.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c
+index 4b3ff7687236e..f9917848cdad0 100644
+--- a/tools/perf/builtin-top.c
++++ b/tools/perf/builtin-top.c
+@@ -1751,6 +1751,7 @@ int cmd_top(int argc, const char **argv)
+       top.session = perf_session__new(NULL, NULL);
+       if (IS_ERR(top.session)) {
+               status = PTR_ERR(top.session);
++              top.session = NULL;
+               goto out_delete_evlist;
+       }
+-- 
+2.40.1
+
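Review bot: The added `top.session = NULL;` in `cmd_top()` has no comment saying it exists for the cleanup path, so it reads like a redundant store next to `goto out_delete_evlist`. A comment such as `/* cleanup calls perf_session__delete(), which accepts NULL but not an ERR_PTR() */` above it would record the reason. That the `out_delete_evlist` path reaches `perf_session__delete(top.session)` is inferred from the commit message, since the label lies outside the hunk.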
diff --git a/queue-6.1/perf-trace-really-free-the-evsel-priv-area.patch b/queue-6.1/perf-trace-really-free-the-evsel-priv-area.patch
new file mode 100644 (file)
index 0000000..7987399
--- /dev/null
@@ -0,0 +1,100 @@
+From f21e5caa25402a61f99428dd2b6676fe214558e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Jul 2023 15:37:14 -0300
+Subject: perf trace: Really free the evsel->priv area
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 7962ef13651a9163f07b530607392ea123482e8a ]
+
+In 3cb4d5e00e037c70 ("perf trace: Free syscall tp fields in
+evsel->priv") it only was freeing if strcmp(evsel->tp_format->system,
+"syscalls") returned zero, while the corresponding initialization of
+evsel->priv was being performed if it was _not_ zero, i.e. if the tp
+system wasn't 'syscalls'.
+
+Just stop looking for that and free it if evsel->priv was set, which
+should be equivalent.
+
+Also use the pre-existing evsel_trace__delete() function.
+
+This resolves these leaks, detected with:
+
+  $ make EXTRA_CFLAGS="-fsanitize=address" BUILD_BPF_SKEL=1 CORESIGHT=1 O=/tmp/build/perf-tools-next -C tools/perf install-bin
+
+  =================================================================
+  ==481565==ERROR: LeakSanitizer: detected memory leaks
+
+  Direct leak of 40 byte(s) in 1 object(s) allocated from:
+      #0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097)
+      #1 0x987966 in zalloc (/home/acme/bin/perf+0x987966)
+      #2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307
+      #3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333
+      #4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458
+      #5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480
+      #6 0x540e8b in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3212
+      #7 0x540e8b in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891
+      #8 0x540e8b in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156
+      #9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323
+      #10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377
+      #11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421
+      #12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537
+      #13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
+
+  Direct leak of 40 byte(s) in 1 object(s) allocated from:
+      #0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097)
+      #1 0x987966 in zalloc (/home/acme/bin/perf+0x987966)
+      #2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307
+      #3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333
+      #4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458
+      #5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480
+      #6 0x540dd1 in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3205
+      #7 0x540dd1 in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891
+      #8 0x540dd1 in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156
+      #9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323
+      #10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377
+      #11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421
+      #12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537
+      #13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
+
+  SUMMARY: AddressSanitizer: 80 byte(s) leaked in 2 allocation(s).
+  [root@quaco ~]#
+
+With this we plug all leaks with "perf trace sleep 1".
+
+Fixes: 3cb4d5e00e037c70 ("perf trace: Free syscall tp fields in evsel->priv")
+Acked-by: Ian Rogers <irogers@google.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Riccardo Mancini <rickyman7@gmail.com>
+Link: https://lore.kernel.org/lkml/20230719202951.534582-5-acme@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-trace.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
+index 6392fcf2610c4..93dab6423a048 100644
+--- a/tools/perf/builtin-trace.c
++++ b/tools/perf/builtin-trace.c
+@@ -3124,13 +3124,8 @@ static void evlist__free_syscall_tp_fields(struct evlist *evlist)
+       struct evsel *evsel;
+       evlist__for_each_entry(evlist, evsel) {
+-              struct evsel_trace *et = evsel->priv;
+-
+-              if (!et || !evsel->tp_format || strcmp(evsel->tp_format->system, "syscalls"))
+-                      continue;
+-
+-              zfree(&et->fmt);
+-              free(et);
++              evsel_trace__delete(evsel->priv);
++              evsel->priv = NULL;
+       }
+ }
+-- 
+2.40.1
+
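Review bot: After this change `evlist__free_syscall_tp_fields()` passes every `evsel->priv` to `evsel_trace__delete()` without looking at the tracepoint system, which is safe only if any non-NULL `priv` on this evlist is a `struct evsel_trace` and if `evsel_trace__delete()` accepts NULL. Neither is visible in the hunk, and the commit message only says the new form "should be equivalent", so I would state the invariant above the loop: `/* every evsel->priv here is a struct evsel_trace or NULL; evsel_trace__delete() handles NULL */`. The function name no longer describes the loop either, since it now frees the whole priv area and not only the syscall tp fields.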
diff --git a/queue-6.1/perf-trace-use-zfree-to-reduce-chances-of-use-after-.patch b/queue-6.1/perf-trace-use-zfree-to-reduce-chances-of-use-after-.patch
new file mode 100644 (file)
index 0000000..acbd8b7
--- /dev/null
@@ -0,0 +1,59 @@
+From df08c6705404d07d4412c0073ebeecb53cffd53a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Apr 2023 09:50:08 -0300
+Subject: perf trace: Use zfree() to reduce chances of use after free
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 9997d5dd177c52017fa0541bf236a4232c8148e6 ]
+
+Do defensive programming by using zfree() to initialize freed pointers
+to NULL, so that eventual use after free result in a NULL pointer deref
+instead of more subtle behaviour.
+
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Stable-dep-of: 7962ef13651a ("perf trace: Really free the evsel->priv area")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-trace.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
+index 97b17f8941dc0..6392fcf2610c4 100644
+--- a/tools/perf/builtin-trace.c
++++ b/tools/perf/builtin-trace.c
+@@ -2293,7 +2293,7 @@ static void syscall__exit(struct syscall *sc)
+       if (!sc)
+               return;
+-      free(sc->arg_fmt);
++      zfree(&sc->arg_fmt);
+ }
+ static int trace__sys_enter(struct trace *trace, struct evsel *evsel,
+@@ -3129,7 +3129,7 @@ static void evlist__free_syscall_tp_fields(struct evlist *evlist)
+               if (!et || !evsel->tp_format || strcmp(evsel->tp_format->system, "syscalls"))
+                       continue;
+-              free(et->fmt);
++              zfree(&et->fmt);
+               free(et);
+       }
+ }
+@@ -4765,11 +4765,11 @@ static void trace__exit(struct trace *trace)
+       int i;
+       strlist__delete(trace->ev_qualifier);
+-      free(trace->ev_qualifier_ids.entries);
++      zfree(&trace->ev_qualifier_ids.entries);
+       if (trace->syscalls.table) {
+               for (i = 0; i <= trace->sctbl->syscalls.max_id; i++)
+                       syscall__exit(&trace->syscalls.table[i]);
+-              free(trace->syscalls.table);
++              zfree(&trace->syscalls.table);
+       }
+       syscalltbl__delete(trace->sctbl);
+       zfree(&trace->perfconfig_events);
+-- 
+2.40.1
+
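Review bot: In the trace__exit() hunk of this patch the NULL-after-free hardening covers only the two plain free() calls, so `trace->ev_qualifier` and `trace->sctbl` keep their old values after `strlist__delete(trace->ev_qualifier)` and `syscalltbl__delete(trace->sctbl)`. Assuming both helpers are ordinary functions that take the pointer by value, they cannot clear the caller's field. If the goal stated in the message is that a later use of a released field faults on NULL instead of reading freed memory, I would add `trace->ev_qualifier = NULL;` and `trace->sctbl = NULL;` after the respective calls. trace__exit() continues past the end of the hunk, so fields released further down are not covered by this note.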
diff --git a/queue-6.1/perf-vendor-events-drop-some-of-the-json-events-for-.patch b/queue-6.1/perf-vendor-events-drop-some-of-the-json-events-for-.patch
new file mode 100644 (file)
index 0000000..399673d
--- /dev/null
@@ -0,0 +1,137 @@
+From f352c16d066aa530ea5a92c93df2f2021b46a5b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Aug 2023 16:57:58 +0530
+Subject: perf vendor events: Drop some of the JSON/events for power10 platform
+
+From: Kajol Jain <kjain@linux.ibm.com>
+
+[ Upstream commit e104df97b8dcfbab2e42de634b99bf03f0805d85 ]
+
+Drop some of the JSON/events for power10 platform due to counter
+data mismatch.
+
+Fixes: 32daa5d7899e0343 ("perf vendor events: Initial JSON/events list for power10 platform")
+Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
+Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Cc: Disha Goel <disgoel@linux.ibm.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Kajol Jain <kjain@linux.ibm.com>
+Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: linuxppc-dev@lists.ozlabs.org
+Link: https://lore.kernel.org/r/20230814112803.1508296-2-kjain@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../arch/powerpc/power10/floating_point.json           |  7 -------
+ tools/perf/pmu-events/arch/powerpc/power10/marked.json | 10 ----------
+ tools/perf/pmu-events/arch/powerpc/power10/others.json |  5 -----
+ .../perf/pmu-events/arch/powerpc/power10/pipeline.json | 10 ----------
+ .../pmu-events/arch/powerpc/power10/translation.json   |  5 -----
+ 5 files changed, 37 deletions(-)
+ delete mode 100644 tools/perf/pmu-events/arch/powerpc/power10/floating_point.json
+
+diff --git a/tools/perf/pmu-events/arch/powerpc/power10/floating_point.json b/tools/perf/pmu-events/arch/powerpc/power10/floating_point.json
+deleted file mode 100644
+index 54acb55e2c8c6..0000000000000
+--- a/tools/perf/pmu-events/arch/powerpc/power10/floating_point.json
++++ /dev/null
+@@ -1,7 +0,0 @@
+-[
+-  {
+-    "EventCode": "0x4016E",
+-    "EventName": "PM_THRESH_NOT_MET",
+-    "BriefDescription": "Threshold counter did not meet threshold."
+-  }
+-]
+diff --git a/tools/perf/pmu-events/arch/powerpc/power10/marked.json b/tools/perf/pmu-events/arch/powerpc/power10/marked.json
+index 131f8d0e88317..f2436fc5537ce 100644
+--- a/tools/perf/pmu-events/arch/powerpc/power10/marked.json
++++ b/tools/perf/pmu-events/arch/powerpc/power10/marked.json
+@@ -19,11 +19,6 @@
+     "EventName": "PM_MRK_BR_TAKEN_CMPL",
+     "BriefDescription": "Marked Branch Taken instruction completed."
+   },
+-  {
+-    "EventCode": "0x20112",
+-    "EventName": "PM_MRK_NTF_FIN",
+-    "BriefDescription": "The marked instruction became the oldest in the pipeline before it finished. It excludes instructions that finish at dispatch."
+-  },
+   {
+     "EventCode": "0x2C01C",
+     "EventName": "PM_EXEC_STALL_DMISS_OFF_CHIP",
+@@ -64,11 +59,6 @@
+     "EventName": "PM_L1_ICACHE_MISS",
+     "BriefDescription": "Demand instruction cache miss."
+   },
+-  {
+-    "EventCode": "0x30130",
+-    "EventName": "PM_MRK_INST_FIN",
+-    "BriefDescription": "marked instruction finished. Excludes instructions that finish at dispatch. Note that stores always finish twice since the address gets issued to the LSU and the data gets issued to the VSU."
+-  },
+   {
+     "EventCode": "0x34146",
+     "EventName": "PM_MRK_LD_CMPL",
+diff --git a/tools/perf/pmu-events/arch/powerpc/power10/others.json b/tools/perf/pmu-events/arch/powerpc/power10/others.json
+index e691041ee8678..36c5bbc64c3be 100644
+--- a/tools/perf/pmu-events/arch/powerpc/power10/others.json
++++ b/tools/perf/pmu-events/arch/powerpc/power10/others.json
+@@ -29,11 +29,6 @@
+     "EventName": "PM_DISP_SS0_2_INSTR_CYC",
+     "BriefDescription": "Cycles in which Superslice 0 dispatches either 1 or 2 instructions."
+   },
+-  {
+-    "EventCode": "0x1F15C",
+-    "EventName": "PM_MRK_STCX_L2_CYC",
+-    "BriefDescription": "Cycles spent in the nest portion of a marked Stcx instruction. It starts counting when the operation starts to drain to the L2 and it stops counting when the instruction retires from the Instruction Completion Table (ICT) in the Instruction Sequencing Unit (ISU)."
+-  },
+   {
+     "EventCode": "0x10066",
+     "EventName": "PM_ADJUNCT_CYC",
+diff --git a/tools/perf/pmu-events/arch/powerpc/power10/pipeline.json b/tools/perf/pmu-events/arch/powerpc/power10/pipeline.json
+index 449f57e8ba6af..799893c56f32b 100644
+--- a/tools/perf/pmu-events/arch/powerpc/power10/pipeline.json
++++ b/tools/perf/pmu-events/arch/powerpc/power10/pipeline.json
+@@ -194,11 +194,6 @@
+     "EventName": "PM_TLBIE_FIN",
+     "BriefDescription": "TLBIE instruction finished in the LSU. Two TLBIEs can finish each cycle. All will be counted."
+   },
+-  {
+-    "EventCode": "0x3D058",
+-    "EventName": "PM_SCALAR_FSQRT_FDIV_ISSUE",
+-    "BriefDescription": "Scalar versions of four floating point operations: fdiv,fsqrt (xvdivdp, xvdivsp, xvsqrtdp, xvsqrtsp)."
+-  },
+   {
+     "EventCode": "0x30066",
+     "EventName": "PM_LSU_FIN",
+@@ -269,11 +264,6 @@
+     "EventName": "PM_IC_MISS_CMPL",
+     "BriefDescription": "Non-speculative instruction cache miss, counted at completion."
+   },
+-  {
+-    "EventCode": "0x4D050",
+-    "EventName": "PM_VSU_NON_FLOP_CMPL",
+-    "BriefDescription": "Non-floating point VSU instructions completed."
+-  },
+   {
+     "EventCode": "0x4D052",
+     "EventName": "PM_2FLOP_CMPL",
+diff --git a/tools/perf/pmu-events/arch/powerpc/power10/translation.json b/tools/perf/pmu-events/arch/powerpc/power10/translation.json
+index 3e47b804a0a8f..961e2491e73f6 100644
+--- a/tools/perf/pmu-events/arch/powerpc/power10/translation.json
++++ b/tools/perf/pmu-events/arch/powerpc/power10/translation.json
+@@ -4,11 +4,6 @@
+     "EventName": "PM_MRK_START_PROBE_NOP_CMPL",
+     "BriefDescription": "Marked Start probe nop (AND R0,R0,R0) completed."
+   },
+-  {
+-    "EventCode": "0x20016",
+-    "EventName": "PM_ST_FIN",
+-    "BriefDescription": "Store finish count. Includes speculative activity."
+-  },
+   {
+     "EventCode": "0x20018",
+     "EventName": "PM_ST_FWD",
+-- 
+2.40.1
+
diff --git a/queue-6.1/perf-vendor-events-drop-stores_per_inst-metric-event.patch b/queue-6.1/perf-vendor-events-drop-stores_per_inst-metric-event.patch
new file mode 100644 (file)
index 0000000..31b5bba
--- /dev/null
@@ -0,0 +1,50 @@
+From 143f2e604524a110ffc3868fb5ae09feb745ba53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Aug 2023 16:57:59 +0530
+Subject: perf vendor events: Drop STORES_PER_INST metric event for power10
+ platform
+
+From: Kajol Jain <kjain@linux.ibm.com>
+
+[ Upstream commit 4836b9a85ef148c7c9779b66fab3f7279e488d90 ]
+
+Drop STORES_PER_INST metric event for the power10 platform, as the
+metric expression of STORES_PER_INST metric event using dropped event
+PM_ST_FIN.
+
+Fixes: 3ca3af7d1f230d1f ("perf vendor events power10: Add metric events JSON file for power10 platform")
+Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
+Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Cc: Disha Goel <disgoel@linux.ibm.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Kajol Jain <kjain@linux.ibm.com>
+Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: linuxppc-dev@lists.ozlabs.org
+Link: https://lore.kernel.org/r/20230814112803.1508296-3-kjain@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/pmu-events/arch/powerpc/power10/metrics.json | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/tools/perf/pmu-events/arch/powerpc/power10/metrics.json b/tools/perf/pmu-events/arch/powerpc/power10/metrics.json
+index b57526fa44f2d..6e76f65c314ce 100644
+--- a/tools/perf/pmu-events/arch/powerpc/power10/metrics.json
++++ b/tools/perf/pmu-events/arch/powerpc/power10/metrics.json
+@@ -453,12 +453,6 @@
+         "MetricGroup": "General",
+         "MetricName": "LOADS_PER_INST"
+     },
+-    {
+-        "BriefDescription": "Average number of finished stores per completed instruction",
+-        "MetricExpr": "PM_ST_FIN / PM_RUN_INST_CMPL",
+-        "MetricGroup": "General",
+-        "MetricName": "STORES_PER_INST"
+-    },
+     {
+         "BriefDescription": "Percentage of demand loads that reloaded from beyond the L2 per completed instruction",
+         "MetricExpr": "PM_DATA_FROM_L2MISS / PM_RUN_INST_CMPL * 100",
+-- 
+2.40.1
+
diff --git a/queue-6.1/perf-vendor-events-update-the-json-events-descriptio.patch b/queue-6.1/perf-vendor-events-update-the-json-events-descriptio.patch
new file mode 100644 (file)
index 0000000..1bf747e
--- /dev/null
@@ -0,0 +1,618 @@
+From b40c3b22ab8853137d08ca1fe05ae3f3a1519fcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Aug 2023 16:57:57 +0530
+Subject: perf vendor events: Update the JSON/events descriptions for power10
+ platform
+
+From: Kajol Jain <kjain@linux.ibm.com>
+
+[ Upstream commit 3286f88f31da060ac2789cee247153961ba57e49 ]
+
+Update the description for some of the JSON/events for power10 platform.
+
+Fixes: 32daa5d7899e0343 ("perf vendor events: Initial JSON/events list for power10 platform")
+Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
+Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Cc: Disha Goel <disgoel@linux.ibm.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Kajol Jain <kjain@linux.ibm.com>
+Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: linuxppc-dev@lists.ozlabs.org
+Link: https://lore.kernel.org/r/20230814112803.1508296-1-kjain@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../arch/powerpc/power10/cache.json           |  4 +-
+ .../arch/powerpc/power10/frontend.json        | 30 ++++++------
+ .../arch/powerpc/power10/marked.json          | 20 ++++----
+ .../arch/powerpc/power10/memory.json          |  6 +--
+ .../arch/powerpc/power10/others.json          | 48 +++++++++----------
+ .../arch/powerpc/power10/pipeline.json        | 20 ++++----
+ .../pmu-events/arch/powerpc/power10/pmc.json  |  4 +-
+ .../arch/powerpc/power10/translation.json     |  6 +--
+ 8 files changed, 69 insertions(+), 69 deletions(-)
+
+diff --git a/tools/perf/pmu-events/arch/powerpc/power10/cache.json b/tools/perf/pmu-events/arch/powerpc/power10/cache.json
+index 605be14f441c8..9cb929bb64afd 100644
+--- a/tools/perf/pmu-events/arch/powerpc/power10/cache.json
++++ b/tools/perf/pmu-events/arch/powerpc/power10/cache.json
+@@ -17,7 +17,7 @@
+   {
+     "EventCode": "0x34056",
+     "EventName": "PM_EXEC_STALL_LOAD_FINISH",
+-    "BriefDescription": "Cycles in which the oldest instruction in the pipeline was finishing a load after its data was reloaded from a data source beyond the local L1; cycles in which the LSU was processing an L1-hit; cycles in which the NTF instruction merged with another load in the LMQ; cycles in which the NTF instruction is waiting for a data reload for a load miss, but the data comes back with a non-NTF instruction."
++    "BriefDescription": "Cycles in which the oldest instruction in the pipeline was finishing a load after its data was reloaded from a data source beyond the local L1; cycles in which the LSU was processing an L1-hit; cycles in which the next-to-finish (NTF) instruction merged with another load in the LMQ; cycles in which the NTF instruction is waiting for a data reload for a load miss, but the data comes back with a non-NTF instruction."
+   },
+   {
+     "EventCode": "0x3006C",
+@@ -27,7 +27,7 @@
+   {
+     "EventCode": "0x300F4",
+     "EventName": "PM_RUN_INST_CMPL_CONC",
+-    "BriefDescription": "PowerPC instructions completed by this thread when all threads in the core had the run-latch set."
++    "BriefDescription": "PowerPC instruction completed by this thread when all threads in the core had the run-latch set."
+   },
+   {
+     "EventCode": "0x4C016",
+diff --git a/tools/perf/pmu-events/arch/powerpc/power10/frontend.json b/tools/perf/pmu-events/arch/powerpc/power10/frontend.json
+index 558f9530f54ec..61e9e0222c873 100644
+--- a/tools/perf/pmu-events/arch/powerpc/power10/frontend.json
++++ b/tools/perf/pmu-events/arch/powerpc/power10/frontend.json
+@@ -7,7 +7,7 @@
+   {
+     "EventCode": "0x10006",
+     "EventName": "PM_DISP_STALL_HELD_OTHER_CYC",
+-    "BriefDescription": "Cycles in which the NTC instruction is held at dispatch for any other reason."
++    "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch for any other reason."
+   },
+   {
+     "EventCode": "0x10010",
+@@ -32,12 +32,12 @@
+   {
+     "EventCode": "0x1D05E",
+     "EventName": "PM_DISP_STALL_HELD_HALT_CYC",
+-    "BriefDescription": "Cycles in which the NTC instruction is held at dispatch because of power management."
++    "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch because of power management."
+   },
+   {
+     "EventCode": "0x1E050",
+     "EventName": "PM_DISP_STALL_HELD_STF_MAPPER_CYC",
+-    "BriefDescription": "Cycles in which the NTC instruction is held at dispatch because the STF mapper/SRB was full. Includes GPR (count, link, tar), VSR, VMR, FPR."
++    "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch because the STF mapper/SRB was full. Includes GPR (count, link, tar), VSR, VMR, FPR."
+   },
+   {
+     "EventCode": "0x1F054",
+@@ -67,7 +67,7 @@
+   {
+     "EventCode": "0x100F6",
+     "EventName": "PM_IERAT_MISS",
+-    "BriefDescription": "IERAT Reloaded to satisfy an IERAT miss. All page sizes are counted by this event."
++    "BriefDescription": "IERAT Reloaded to satisfy an IERAT miss. All page sizes are counted by this event. This event only counts instruction demand access."
+   },
+   {
+     "EventCode": "0x100F8",
+@@ -77,7 +77,7 @@
+   {
+     "EventCode": "0x20006",
+     "EventName": "PM_DISP_STALL_HELD_ISSQ_FULL_CYC",
+-    "BriefDescription": "Cycles in which the NTC instruction is held at dispatch due to Issue queue full. Includes issue queue and branch queue."
++    "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch due to Issue queue full. Includes issue queue and branch queue."
+   },
+   {
+     "EventCode": "0x20114",
+@@ -102,7 +102,7 @@
+   {
+     "EventCode": "0x2D01A",
+     "EventName": "PM_DISP_STALL_IC_MISS",
+-    "BriefDescription": "Cycles when dispatch was stalled for this thread due to an Icache Miss."
++    "BriefDescription": "Cycles when dispatch was stalled for this thread due to an instruction cache miss."
+   },
+   {
+     "EventCode": "0x2E018",
+@@ -112,7 +112,7 @@
+   {
+     "EventCode": "0x2E01A",
+     "EventName": "PM_DISP_STALL_HELD_XVFC_MAPPER_CYC",
+-    "BriefDescription": "Cycles in which the NTC instruction is held at dispatch because the XVFC mapper/SRB was full."
++    "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch because the XVFC mapper/SRB was full."
+   },
+   {
+     "EventCode": "0x2C142",
+@@ -137,7 +137,7 @@
+   {
+     "EventCode": "0x30004",
+     "EventName": "PM_DISP_STALL_FLUSH",
+-    "BriefDescription": "Cycles when dispatch was stalled because of a flush that happened to an instruction(s) that was not yet NTC. PM_EXEC_STALL_NTC_FLUSH only includes instructions that were flushed after becoming NTC."
++    "BriefDescription": "Cycles when dispatch was stalled because of a flush that happened to an instruction(s) that was not yet next-to-complete (NTC). PM_EXEC_STALL_NTC_FLUSH only includes instructions that were flushed after becoming NTC."
+   },
+   {
+     "EventCode": "0x3000A",
+@@ -157,7 +157,7 @@
+   {
+     "EventCode": "0x30018",
+     "EventName": "PM_DISP_STALL_HELD_SCOREBOARD_CYC",
+-    "BriefDescription": "Cycles in which the NTC instruction is held at dispatch while waiting on the Scoreboard. This event combines VSCR and FPSCR together."
++    "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch while waiting on the Scoreboard. This event combines VSCR and FPSCR together."
+   },
+   {
+     "EventCode": "0x30026",
+@@ -182,7 +182,7 @@
+   {
+     "EventCode": "0x3D05C",
+     "EventName": "PM_DISP_STALL_HELD_RENAME_CYC",
+-    "BriefDescription": "Cycles in which the NTC instruction is held at dispatch because the mapper/SRB was full. Includes GPR (count, link, tar), VSR, VMR, FPR and XVFC."
++    "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch because the mapper/SRB was full. Includes GPR (count, link, tar), VSR, VMR, FPR and XVFC."
+   },
+   {
+     "EventCode": "0x3E052",
+@@ -192,7 +192,7 @@
+   {
+     "EventCode": "0x3E054",
+     "EventName": "PM_LD_MISS_L1",
+-    "BriefDescription": "Load Missed L1, counted at execution time (can be greater than loads finished). LMQ merges are not included in this count. i.e. if a load instruction misses on an address that is already allocated on the LMQ, this event will not increment for that load). Note that this count is per slice, so if a load spans multiple slices this event will increment multiple times for a single load."
++    "BriefDescription": "Load missed L1, counted at finish time. LMQ merges are not included in this count. i.e. if a load instruction misses on an address that is already allocated on the LMQ, this event will not increment for that load). Note that this count is per slice, so if a load spans multiple slices this event will increment multiple times for a single load."
+   },
+   {
+     "EventCode": "0x301EA",
+@@ -202,7 +202,7 @@
+   {
+     "EventCode": "0x300FA",
+     "EventName": "PM_INST_FROM_L3MISS",
+-    "BriefDescription": "The processor's instruction cache was reloaded from a source other than the local core's L1, L2, or L3 due to a demand miss."
++    "BriefDescription": "The processor's instruction cache was reloaded from beyond the local core's L3 due to a demand miss."
+   },
+   {
+     "EventCode": "0x40006",
+@@ -232,16 +232,16 @@
+   {
+     "EventCode": "0x4E01A",
+     "EventName": "PM_DISP_STALL_HELD_CYC",
+-    "BriefDescription": "Cycles in which the NTC instruction is held at dispatch for any reason."
++    "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch for any reason."
+   },
+   {
+     "EventCode": "0x4003C",
+     "EventName": "PM_DISP_STALL_HELD_SYNC_CYC",
+-    "BriefDescription": "Cycles in which the NTC instruction is held at dispatch because of a synchronizing instruction that requires the ICT to be empty before dispatch."
++    "BriefDescription": "Cycles in which the next-to-complete (NTC) instruction is held at dispatch because of a synchronizing instruction that requires the ICT to be empty before dispatch."
+   },
+   {
+     "EventCode": "0x44056",
+     "EventName": "PM_VECTOR_ST_CMPL",
+-    "BriefDescription": "Vector store instructions completed."
++    "BriefDescription": "Vector store instruction completed."
+   }
+ ]
+diff --git a/tools/perf/pmu-events/arch/powerpc/power10/marked.json b/tools/perf/pmu-events/arch/powerpc/power10/marked.json
+index 58b5dfe3a2731..131f8d0e88317 100644
+--- a/tools/perf/pmu-events/arch/powerpc/power10/marked.json
++++ b/tools/perf/pmu-events/arch/powerpc/power10/marked.json
+@@ -62,7 +62,7 @@
+   {
+     "EventCode": "0x200FD",
+     "EventName": "PM_L1_ICACHE_MISS",
+-    "BriefDescription": "Demand iCache Miss."
++    "BriefDescription": "Demand instruction cache miss."
+   },
+   {
+     "EventCode": "0x30130",
+@@ -72,7 +72,7 @@
+   {
+     "EventCode": "0x34146",
+     "EventName": "PM_MRK_LD_CMPL",
+-    "BriefDescription": "Marked loads completed."
++    "BriefDescription": "Marked load instruction completed."
+   },
+   {
+     "EventCode": "0x3E158",
+@@ -82,12 +82,12 @@
+   {
+     "EventCode": "0x3E15A",
+     "EventName": "PM_MRK_ST_FIN",
+-    "BriefDescription": "The marked instruction was a store of any kind."
++    "BriefDescription": "Marked store instruction finished."
+   },
+   {
+     "EventCode": "0x30068",
+     "EventName": "PM_L1_ICACHE_RELOADED_PREF",
+-    "BriefDescription": "Counts all Icache prefetch reloads ( includes demand turned into prefetch)."
++    "BriefDescription": "Counts all instruction cache prefetch reloads (includes demand turned into prefetch)."
+   },
+   {
+     "EventCode": "0x301E4",
+@@ -102,12 +102,12 @@
+   {
+     "EventCode": "0x300FE",
+     "EventName": "PM_DATA_FROM_L3MISS",
+-    "BriefDescription": "The processor's data cache was reloaded from a source other than the local core's L1, L2, or L3 due to a demand miss."
++    "BriefDescription": "The processor's L1 data cache was reloaded from beyond the local core's L3 due to a demand miss."
+   },
+   {
+     "EventCode": "0x40012",
+     "EventName": "PM_L1_ICACHE_RELOADED_ALL",
+-    "BriefDescription": "Counts all Icache reloads includes demand, prefetch, prefetch turned into demand and demand turned into prefetch."
++    "BriefDescription": "Counts all instruction cache reloads includes demand, prefetch, prefetch turned into demand and demand turned into prefetch."
+   },
+   {
+     "EventCode": "0x40134",
+@@ -117,22 +117,22 @@
+   {
+     "EventCode": "0x4505A",
+     "EventName": "PM_SP_FLOP_CMPL",
+-    "BriefDescription": "Single Precision floating point instructions completed."
++    "BriefDescription": "Single Precision floating point instruction completed."
+   },
+   {
+     "EventCode": "0x4D058",
+     "EventName": "PM_VECTOR_FLOP_CMPL",
+-    "BriefDescription": "Vector floating point instructions completed."
++    "BriefDescription": "Vector floating point instruction completed."
+   },
+   {
+     "EventCode": "0x4D05A",
+     "EventName": "PM_NON_MATH_FLOP_CMPL",
+-    "BriefDescription": "Non Math instructions completed."
++    "BriefDescription": "Non Math instruction completed."
+   },
+   {
+     "EventCode": "0x401E0",
+     "EventName": "PM_MRK_INST_CMPL",
+-    "BriefDescription": "marked instruction completed."
++    "BriefDescription": "Marked instruction completed."
+   },
+   {
+     "EventCode": "0x400FE",
+diff --git a/tools/perf/pmu-events/arch/powerpc/power10/memory.json b/tools/perf/pmu-events/arch/powerpc/power10/memory.json
+index 843b51f531e95..c4c10ca98cad7 100644
+--- a/tools/perf/pmu-events/arch/powerpc/power10/memory.json
++++ b/tools/perf/pmu-events/arch/powerpc/power10/memory.json
+@@ -47,7 +47,7 @@
+   {
+     "EventCode": "0x10062",
+     "EventName": "PM_LD_L3MISS_PEND_CYC",
+-    "BriefDescription": "Cycles L3 miss was pending for this thread."
++    "BriefDescription": "Cycles in which an L3 miss was pending for this thread."
+   },
+   {
+     "EventCode": "0x20010",
+@@ -132,7 +132,7 @@
+   {
+     "EventCode": "0x300FC",
+     "EventName": "PM_DTLB_MISS",
+-    "BriefDescription": "The DPTEG required for the load/store instruction in execution was missing from the TLB. It includes pages of all sizes for demand and prefetch activity."
++    "BriefDescription": "The DPTEG required for the load/store instruction in execution was missing from the TLB. This event only counts for demand misses."
+   },
+   {
+     "EventCode": "0x4D02C",
+@@ -142,7 +142,7 @@
+   {
+     "EventCode": "0x4003E",
+     "EventName": "PM_LD_CMPL",
+-    "BriefDescription": "Loads completed."
++    "BriefDescription": "Load instruction completed."
+   },
+   {
+     "EventCode": "0x4C040",
+diff --git a/tools/perf/pmu-events/arch/powerpc/power10/others.json b/tools/perf/pmu-events/arch/powerpc/power10/others.json
+index 7d0de1a2860b4..e691041ee8678 100644
+--- a/tools/perf/pmu-events/arch/powerpc/power10/others.json
++++ b/tools/perf/pmu-events/arch/powerpc/power10/others.json
+@@ -2,12 +2,12 @@
+   {
+     "EventCode": "0x10016",
+     "EventName": "PM_VSU0_ISSUE",
+-    "BriefDescription": "VSU instructions issued to VSU pipe 0."
++    "BriefDescription": "VSU instruction issued to VSU pipe 0."
+   },
+   {
+     "EventCode": "0x1001C",
+     "EventName": "PM_ULTRAVISOR_INST_CMPL",
+-    "BriefDescription": "PowerPC instructions that completed while the thread was in ultravisor state."
++    "BriefDescription": "PowerPC instruction completed while the thread was in ultravisor state."
+   },
+   {
+     "EventCode": "0x100F0",
+@@ -17,12 +17,12 @@
+   {
+     "EventCode": "0x10134",
+     "EventName": "PM_MRK_ST_DONE_L2",
+-    "BriefDescription": "Marked stores completed in L2 (RC machine done)."
++    "BriefDescription": "Marked store completed in L2."
+   },
+   {
+     "EventCode": "0x1505E",
+     "EventName": "PM_LD_HIT_L1",
+-    "BriefDescription": "Loads that finished without experiencing an L1 miss."
++    "BriefDescription": "Load finished without experiencing an L1 miss."
+   },
+   {
+     "EventCode": "0x1F056",
+@@ -42,7 +42,7 @@
+   {
+     "EventCode": "0x101E4",
+     "EventName": "PM_MRK_L1_ICACHE_MISS",
+-    "BriefDescription": "Marked Instruction suffered an icache Miss."
++    "BriefDescription": "Marked instruction suffered an instruction cache miss."
+   },
+   {
+     "EventCode": "0x101EA",
+@@ -72,7 +72,7 @@
+   {
+     "EventCode": "0x2E010",
+     "EventName": "PM_ADJUNCT_INST_CMPL",
+-    "BriefDescription": "PowerPC instructions that completed while the thread is in Adjunct state."
++    "BriefDescription": "PowerPC instruction completed while the thread was in Adjunct state."
+   },
+   {
+     "EventCode": "0x2E014",
+@@ -122,7 +122,7 @@
+   {
+     "EventCode": "0x201E4",
+     "EventName": "PM_MRK_DATA_FROM_L3MISS",
+-    "BriefDescription": "The processor's data cache was reloaded from a source other than the local core's L1, L2, or L3 due to a demand miss for a marked load."
++    "BriefDescription": "The processor's L1 data cache was reloaded from beyond the local core's L3 due to a demand miss for a marked instruction."
+   },
+   {
+     "EventCode": "0x201E8",
+@@ -132,17 +132,17 @@
+   {
+     "EventCode": "0x200F2",
+     "EventName": "PM_INST_DISP",
+-    "BriefDescription": "PowerPC instructions dispatched."
++    "BriefDescription": "PowerPC instruction dispatched."
+   },
+   {
+     "EventCode": "0x30132",
+     "EventName": "PM_MRK_VSU_FIN",
+-    "BriefDescription": "VSU marked instructions finished. Excludes simple FX instructions issued to the Store Unit."
++    "BriefDescription": "VSU marked instruction finished. Excludes simple FX instructions issued to the Store Unit."
+   },
+   {
+     "EventCode": "0x30038",
+     "EventName": "PM_EXEC_STALL_DMISS_LMEM",
+-    "BriefDescription": "Cycles in which the oldest instruction in the pipeline was waiting for a load miss to resolve from the local memory, local OpenCapp cache, or local OpenCapp memory."
++    "BriefDescription": "Cycles in which the oldest instruction in the pipeline was waiting for a load miss to resolve from the local memory, local OpenCAPI cache, or local OpenCAPI memory."
+   },
+   {
+     "EventCode": "0x3F04A",
+@@ -152,12 +152,12 @@
+   {
+     "EventCode": "0x3405A",
+     "EventName": "PM_PRIVILEGED_INST_CMPL",
+-    "BriefDescription": "PowerPC Instructions that completed while the thread is in Privileged state."
++    "BriefDescription": "PowerPC instruction completed while the thread was in Privileged state."
+   },
+   {
+     "EventCode": "0x3F150",
+     "EventName": "PM_MRK_ST_DRAIN_CYC",
+-    "BriefDescription": "cycles to drain st from core to L2."
++    "BriefDescription": "Cycles in which the marked store drained from the core to the L2."
+   },
+   {
+     "EventCode": "0x3F054",
+@@ -182,7 +182,7 @@
+   {
+     "EventCode": "0x4001C",
+     "EventName": "PM_VSU_FIN",
+-    "BriefDescription": "VSU instructions finished."
++    "BriefDescription": "VSU instruction finished."
+   },
+   {
+     "EventCode": "0x4C01A",
+@@ -197,7 +197,7 @@
+   {
+     "EventCode": "0x4D022",
+     "EventName": "PM_HYPERVISOR_INST_CMPL",
+-    "BriefDescription": "PowerPC instructions that completed while the thread is in hypervisor state."
++    "BriefDescription": "PowerPC instruction completed while the thread was in hypervisor state."
+   },
+   {
+     "EventCode": "0x4D026",
+@@ -212,32 +212,32 @@
+   {
+     "EventCode": "0x40030",
+     "EventName": "PM_INST_FIN",
+-    "BriefDescription": "Instructions finished."
++    "BriefDescription": "Instruction finished."
+   },
+   {
+     "EventCode": "0x44146",
+     "EventName": "PM_MRK_STCX_CORE_CYC",
+-    "BriefDescription": "Cycles spent in the core portion of a marked Stcx instruction. It starts counting when the instruction is decoded and stops counting when it drains into the L2."
++    "BriefDescription": "Cycles spent in the core portion of a marked STCX instruction. It starts counting when the instruction is decoded and stops counting when it drains into the L2."
+   },
+   {
+     "EventCode": "0x44054",
+     "EventName": "PM_VECTOR_LD_CMPL",
+-    "BriefDescription": "Vector load instructions completed."
++    "BriefDescription": "Vector load instruction completed."
+   },
+   {
+     "EventCode": "0x45054",
+     "EventName": "PM_FMA_CMPL",
+-    "BriefDescription": "Two floating point instructions completed (FMA class of instructions: fmadd, fnmadd, fmsub, fnmsub). Scalar instructions only."
++    "BriefDescription": "Two floating point instruction completed (FMA class of instructions: fmadd, fnmadd, fmsub, fnmsub). Scalar instructions only."
+   },
+   {
+     "EventCode": "0x45056",
+     "EventName": "PM_SCALAR_FLOP_CMPL",
+-    "BriefDescription": "Scalar floating point instructions completed."
++    "BriefDescription": "Scalar floating point instruction completed."
+   },
+   {
+     "EventCode": "0x4505C",
+     "EventName": "PM_MATH_FLOP_CMPL",
+-    "BriefDescription": "Math floating point instructions completed."
++    "BriefDescription": "Math floating point instruction completed."
+   },
+   {
+     "EventCode": "0x4D05E",
+@@ -252,21 +252,21 @@
+   {
+     "EventCode": "0x401E6",
+     "EventName": "PM_MRK_INST_FROM_L3MISS",
+-    "BriefDescription": "The processor's instruction cache was reloaded from a source other than the local core's L1, L2, or L3 due to a demand miss for a marked instruction."
++    "BriefDescription": "The processor's instruction cache was reloaded from beyond the local core's L3 due to a demand miss for a marked instruction."
+   },
+   {
+     "EventCode": "0x401E8",
+     "EventName": "PM_MRK_DATA_FROM_L2MISS",
+-    "BriefDescription": "The processor's data cache was reloaded from a source other than the local core's L1 or L2 due to a demand miss for a marked load."
++    "BriefDescription": "The processor's L1 data cache was reloaded from a source beyond the local core's L2 due to a demand miss for a marked instruction."
+   },
+   {
+     "EventCode": "0x400F0",
+     "EventName": "PM_LD_DEMAND_MISS_L1_FIN",
+-    "BriefDescription": "Load Missed L1, counted at finish time."
++    "BriefDescription": "Load missed L1, counted at finish time."
+   },
+   {
+     "EventCode": "0x400FA",
+     "EventName": "PM_RUN_INST_CMPL",
+-    "BriefDescription": "Completed PowerPC instructions gated by the run latch."
++    "BriefDescription": "PowerPC instruction completed while the run latch is set."
+   }
+ ]
+diff --git a/tools/perf/pmu-events/arch/powerpc/power10/pipeline.json b/tools/perf/pmu-events/arch/powerpc/power10/pipeline.json
+index b8aded6045faa..449f57e8ba6af 100644
+--- a/tools/perf/pmu-events/arch/powerpc/power10/pipeline.json
++++ b/tools/perf/pmu-events/arch/powerpc/power10/pipeline.json
+@@ -2,7 +2,7 @@
+   {
+     "EventCode": "0x100FE",
+     "EventName": "PM_INST_CMPL",
+-    "BriefDescription": "PowerPC instructions completed."
++    "BriefDescription": "PowerPC instruction completed."
+   },
+   {
+     "EventCode": "0x1000C",
+@@ -12,7 +12,7 @@
+   {
+     "EventCode": "0x1000E",
+     "EventName": "PM_MMA_ISSUED",
+-    "BriefDescription": "MMA instructions issued."
++    "BriefDescription": "MMA instruction issued."
+   },
+   {
+     "EventCode": "0x10012",
+@@ -107,7 +107,7 @@
+   {
+     "EventCode": "0x2D012",
+     "EventName": "PM_VSU1_ISSUE",
+-    "BriefDescription": "VSU instructions issued to VSU pipe 1."
++    "BriefDescription": "VSU instruction issued to VSU pipe 1."
+   },
+   {
+     "EventCode": "0x2D018",
+@@ -122,7 +122,7 @@
+   {
+     "EventCode": "0x2E01E",
+     "EventName": "PM_EXEC_STALL_NTC_FLUSH",
+-    "BriefDescription": "Cycles in which the oldest instruction in the pipeline was executing in any unit before it was flushed. Note that if the flush of the oldest instruction happens after finish, the cycles from dispatch to issue will be included in PM_DISP_STALL and the cycles from issue to finish will be included in PM_EXEC_STALL and its corresponding children. This event will also count cycles when the previous NTF instruction is still completing and the new NTF instruction is stalled at dispatch."
++    "BriefDescription": "Cycles in which the oldest instruction in the pipeline was executing in any unit before it was flushed. Note that if the flush of the oldest instruction happens after finish, the cycles from dispatch to issue will be included in PM_DISP_STALL and the cycles from issue to finish will be included in PM_EXEC_STALL and its corresponding children. This event will also count cycles when the previous next-to-finish (NTF) instruction is still completing and the new NTF instruction is stalled at dispatch."
+   },
+   {
+     "EventCode": "0x2013C",
+@@ -137,7 +137,7 @@
+   {
+     "EventCode": "0x201E2",
+     "EventName": "PM_MRK_LD_MISS_L1",
+-    "BriefDescription": "Marked DL1 Demand Miss counted at finish time."
++    "BriefDescription": "Marked demand data load miss counted at finish time."
+   },
+   {
+     "EventCode": "0x200F4",
+@@ -172,7 +172,7 @@
+   {
+     "EventCode": "0x30028",
+     "EventName": "PM_CMPL_STALL_MEM_ECC",
+-    "BriefDescription": "Cycles in which the oldest instruction in the pipeline was waiting for the non-speculative finish of either a stcx waiting for its result or a load waiting for non-critical sectors of data and ECC."
++    "BriefDescription": "Cycles in which the oldest instruction in the pipeline was waiting for the non-speculative finish of either a STCX waiting for its result or a load waiting for non-critical sectors of data and ECC."
+   },
+   {
+     "EventCode": "0x30036",
+@@ -187,12 +187,12 @@
+   {
+     "EventCode": "0x3F044",
+     "EventName": "PM_VSU2_ISSUE",
+-    "BriefDescription": "VSU instructions issued to VSU pipe 2."
++    "BriefDescription": "VSU instruction issued to VSU pipe 2."
+   },
+   {
+     "EventCode": "0x30058",
+     "EventName": "PM_TLBIE_FIN",
+-    "BriefDescription": "TLBIE instructions finished in the LSU. Two TLBIEs can finish each cycle. All will be counted."
++    "BriefDescription": "TLBIE instruction finished in the LSU. Two TLBIEs can finish each cycle. All will be counted."
+   },
+   {
+     "EventCode": "0x3D058",
+@@ -252,7 +252,7 @@
+   {
+     "EventCode": "0x4E012",
+     "EventName": "PM_EXEC_STALL_UNKNOWN",
+-    "BriefDescription": "Cycles in which the oldest instruction in the pipeline completed without an ntf_type pulse. The ntf_pulse was missed by the ISU because the NTF finishes and completions came too close together."
++    "BriefDescription": "Cycles in which the oldest instruction in the pipeline completed without an ntf_type pulse. The ntf_pulse was missed by the ISU because the next-to-finish (NTF) instruction finishes and completions came too close together."
+   },
+   {
+     "EventCode": "0x4D020",
+@@ -267,7 +267,7 @@
+   {
+     "EventCode": "0x45058",
+     "EventName": "PM_IC_MISS_CMPL",
+-    "BriefDescription": "Non-speculative icache miss, counted at completion."
++    "BriefDescription": "Non-speculative instruction cache miss, counted at completion."
+   },
+   {
+     "EventCode": "0x4D050",
+diff --git a/tools/perf/pmu-events/arch/powerpc/power10/pmc.json b/tools/perf/pmu-events/arch/powerpc/power10/pmc.json
+index b5d1bd39cfb22..364fedbfb490b 100644
+--- a/tools/perf/pmu-events/arch/powerpc/power10/pmc.json
++++ b/tools/perf/pmu-events/arch/powerpc/power10/pmc.json
+@@ -12,11 +12,11 @@
+   {
+     "EventCode": "0x45052",
+     "EventName": "PM_4FLOP_CMPL",
+-    "BriefDescription": "Four floating point instructions completed (fadd, fmul, fsub, fcmp, fsel, fabs, fnabs, fres, fsqrte, fneg)."
++    "BriefDescription": "Four floating point instruction completed (fadd, fmul, fsub, fcmp, fsel, fabs, fnabs, fres, fsqrte, fneg)."
+   },
+   {
+     "EventCode": "0x4D054",
+     "EventName": "PM_8FLOP_CMPL",
+-    "BriefDescription": "Four Double Precision vector instructions completed."
++    "BriefDescription": "Four Double Precision vector instruction completed."
+   }
+ ]
+diff --git a/tools/perf/pmu-events/arch/powerpc/power10/translation.json b/tools/perf/pmu-events/arch/powerpc/power10/translation.json
+index db3766dca07c5..3e47b804a0a8f 100644
+--- a/tools/perf/pmu-events/arch/powerpc/power10/translation.json
++++ b/tools/perf/pmu-events/arch/powerpc/power10/translation.json
+@@ -17,7 +17,7 @@
+   {
+     "EventCode": "0x2011C",
+     "EventName": "PM_MRK_NTF_CYC",
+-    "BriefDescription": "Cycles during which the marked instruction is the oldest in the pipeline (NTF or NTC)."
++    "BriefDescription": "Cycles in which the marked instruction is the oldest in the pipeline (next-to-finish or next-to-complete)."
+   },
+   {
+     "EventCode": "0x2E01C",
+@@ -37,7 +37,7 @@
+   {
+     "EventCode": "0x200FE",
+     "EventName": "PM_DATA_FROM_L2MISS",
+-    "BriefDescription": "The processor's data cache was reloaded from a source other than the local core's L1 or L2 due to a demand miss."
++    "BriefDescription": "The processor's L1 data cache was reloaded from a source beyond the local core's L2 due to a demand miss."
+   },
+   {
+     "EventCode": "0x30010",
+@@ -52,6 +52,6 @@
+   {
+     "EventCode": "0x4D05C",
+     "EventName": "PM_DPP_FLOP_CMPL",
+-    "BriefDescription": "Double-Precision or Quad-Precision instructions completed."
++    "BriefDescription": "Double-Precision or Quad-Precision instruction completed."
+   }
+ ]
+-- 
+2.40.1
+
diff --git a/queue-6.1/pwm-atmel-tcb-convert-to-platform-remove-callback-re.patch b/queue-6.1/pwm-atmel-tcb-convert-to-platform-remove-callback-re.patch
new file mode 100644 (file)
index 0000000..43e57c7
--- /dev/null
@@ -0,0 +1,66 @@
+From f2c56734ec2f9af0de5749d943b665b373918d23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Mar 2023 19:54:17 +0100
+Subject: pwm: atmel-tcb: Convert to platform remove callback returning void
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 9609284a76978daf53a54e05cff36873a75e4d13 ]
+
+The .remove() callback for a platform driver returns an int which makes
+many driver authors wrongly assume it's possible to do error handling by
+returning an error code. However the value returned is (mostly) ignored
+and this typically results in resource leaks. To improve here there is a
+quest to make the remove callback return void. In the first step of this
+quest all drivers are converted to .remove_new() which already returns
+void.
+
+Trivially convert this driver from always returning zero in the remove
+callback to the void returning variant.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Stable-dep-of: c11622324c02 ("pwm: atmel-tcb: Fix resource freeing in error path and remove")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-atmel-tcb.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pwm/pwm-atmel-tcb.c b/drivers/pwm/pwm-atmel-tcb.c
+index 2837b4ce8053c..4a116dc44f6e7 100644
+--- a/drivers/pwm/pwm-atmel-tcb.c
++++ b/drivers/pwm/pwm-atmel-tcb.c
+@@ -500,7 +500,7 @@ static int atmel_tcb_pwm_probe(struct platform_device *pdev)
+       return err;
+ }
+-static int atmel_tcb_pwm_remove(struct platform_device *pdev)
++static void atmel_tcb_pwm_remove(struct platform_device *pdev)
+ {
+       struct atmel_tcb_pwm_chip *tcbpwm = platform_get_drvdata(pdev);
+@@ -509,8 +509,6 @@ static int atmel_tcb_pwm_remove(struct platform_device *pdev)
+       clk_disable_unprepare(tcbpwm->slow_clk);
+       clk_put(tcbpwm->slow_clk);
+       clk_put(tcbpwm->clk);
+-
+-      return 0;
+ }
+ static const struct of_device_id atmel_tcb_pwm_dt_ids[] = {
+@@ -564,7 +562,7 @@ static struct platform_driver atmel_tcb_pwm_driver = {
+               .pm = &atmel_tcb_pwm_pm_ops,
+       },
+       .probe = atmel_tcb_pwm_probe,
+-      .remove = atmel_tcb_pwm_remove,
++      .remove_new = atmel_tcb_pwm_remove,
+ };
+ module_platform_driver(atmel_tcb_pwm_driver);
+-- 
+2.40.1
+
diff --git a/queue-6.1/pwm-atmel-tcb-fix-resource-freeing-in-error-path-and.patch b/queue-6.1/pwm-atmel-tcb-fix-resource-freeing-in-error-path-and.patch
new file mode 100644 (file)
index 0000000..41cca4b
--- /dev/null
@@ -0,0 +1,90 @@
+From 40f29920df0dd2b1502275164f10a535d892db7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Jul 2023 21:20:10 +0200
+Subject: pwm: atmel-tcb: Fix resource freeing in error path and remove
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit c11622324c023415fb69196c5fc3782d2b8cced0 ]
+
+Several resources were not freed in the error path and the remove
+function. Add the forgotten items.
+
+Fixes: 34cbcd72588f ("pwm: atmel-tcb: Add sama5d2 support")
+Fixes: 061f8572a31c ("pwm: atmel-tcb: Switch to new binding")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-atmel-tcb.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pwm/pwm-atmel-tcb.c b/drivers/pwm/pwm-atmel-tcb.c
+index 613dd1810fb53..2826fc216d291 100644
+--- a/drivers/pwm/pwm-atmel-tcb.c
++++ b/drivers/pwm/pwm-atmel-tcb.c
+@@ -450,16 +450,20 @@ static int atmel_tcb_pwm_probe(struct platform_device *pdev)
+       tcbpwm->clk = of_clk_get_by_name(np->parent, clk_name);
+       if (IS_ERR(tcbpwm->clk))
+               tcbpwm->clk = of_clk_get_by_name(np->parent, "t0_clk");
+-      if (IS_ERR(tcbpwm->clk))
+-              return PTR_ERR(tcbpwm->clk);
++      if (IS_ERR(tcbpwm->clk)) {
++              err = PTR_ERR(tcbpwm->clk);
++              goto err_slow_clk;
++      }
+       match = of_match_node(atmel_tcb_of_match, np->parent);
+       config = match->data;
+       if (config->has_gclk) {
+               tcbpwm->gclk = of_clk_get_by_name(np->parent, "gclk");
+-              if (IS_ERR(tcbpwm->gclk))
+-                      return PTR_ERR(tcbpwm->gclk);
++              if (IS_ERR(tcbpwm->gclk)) {
++                      err = PTR_ERR(tcbpwm->gclk);
++                      goto err_clk;
++              }
+       }
+       tcbpwm->chip.dev = &pdev->dev;
+@@ -470,7 +474,7 @@ static int atmel_tcb_pwm_probe(struct platform_device *pdev)
+       err = clk_prepare_enable(tcbpwm->slow_clk);
+       if (err)
+-              goto err_slow_clk;
++              goto err_gclk;
+       spin_lock_init(&tcbpwm->lock);
+@@ -485,6 +489,12 @@ static int atmel_tcb_pwm_probe(struct platform_device *pdev)
+ err_disable_clk:
+       clk_disable_unprepare(tcbpwm->slow_clk);
++err_gclk:
++      clk_put(tcbpwm->gclk);
++
++err_clk:
++      clk_put(tcbpwm->clk);
++
+ err_slow_clk:
+       clk_put(tcbpwm->slow_clk);
+@@ -498,8 +508,9 @@ static void atmel_tcb_pwm_remove(struct platform_device *pdev)
+       pwmchip_remove(&tcbpwm->chip);
+       clk_disable_unprepare(tcbpwm->slow_clk);
+-      clk_put(tcbpwm->slow_clk);
++      clk_put(tcbpwm->gclk);
+       clk_put(tcbpwm->clk);
++      clk_put(tcbpwm->slow_clk);
+ }
+ static const struct of_device_id atmel_tcb_pwm_dt_ids[] = {
+-- 
+2.40.1
+
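Review bot: In atmel_tcb_pwm_probe the context lines `match = of_match_node(atmel_tcb_of_match, np->parent);` and `config = match->data;` dereference the lookup result without a check, and of_match_node() returns NULL when the parent node matches no table entry. With the unwind labels this patch adds, the guard would be `if (!match) { err = -ENODEV; goto err_clk; }` placed before `config = match->data;`. The same unchecked pair passes unchanged through the "Harmonize resource allocation order" patch, which comes just before this one in the series. The new `err_gclk` label also calls `clk_put(tcbpwm->gclk)` when `config->has_gclk` is false, which presumably relies on the field still being NULL and on clk_put() tolerating NULL; a one-line comment at the label would record that. The probe body starts and ends outside these hunks.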
diff --git a/queue-6.1/pwm-atmel-tcb-harmonize-resource-allocation-order.patch b/queue-6.1/pwm-atmel-tcb-harmonize-resource-allocation-order.patch
new file mode 100644 (file)
index 0000000..088b88c
--- /dev/null
@@ -0,0 +1,124 @@
+From 7d1c48677579784adf33a988a591b1cc9c01b490 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Jul 2023 21:20:09 +0200
+Subject: pwm: atmel-tcb: Harmonize resource allocation order
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 0323e8fedd1ef25342cf7abf3a2024f5670362b8 ]
+
+Allocate driver data as first resource in the probe function. This way it
+can be used during allocation of the other resources (instead of assigning
+these to local variables first and update driver data only when it's
+allocated). Also as driver data is allocated using a devm function this
+should happen first to have the order of freeing resources in the error
+path and the remove function in reverse.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Stable-dep-of: c11622324c02 ("pwm: atmel-tcb: Fix resource freeing in error path and remove")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-atmel-tcb.c | 49 +++++++++++++++----------------------
+ 1 file changed, 20 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/pwm/pwm-atmel-tcb.c b/drivers/pwm/pwm-atmel-tcb.c
+index 4a116dc44f6e7..613dd1810fb53 100644
+--- a/drivers/pwm/pwm-atmel-tcb.c
++++ b/drivers/pwm/pwm-atmel-tcb.c
+@@ -422,13 +422,14 @@ static int atmel_tcb_pwm_probe(struct platform_device *pdev)
+       struct atmel_tcb_pwm_chip *tcbpwm;
+       const struct atmel_tcb_config *config;
+       struct device_node *np = pdev->dev.of_node;
+-      struct regmap *regmap;
+-      struct clk *clk, *gclk = NULL;
+-      struct clk *slow_clk;
+       char clk_name[] = "t0_clk";
+       int err;
+       int channel;
++      tcbpwm = devm_kzalloc(&pdev->dev, sizeof(*tcbpwm), GFP_KERNEL);
++      if (tcbpwm == NULL)
++              return -ENOMEM;
++
+       err = of_property_read_u32(np, "reg", &channel);
+       if (err < 0) {
+               dev_err(&pdev->dev,
+@@ -437,47 +438,37 @@ static int atmel_tcb_pwm_probe(struct platform_device *pdev)
+               return err;
+       }
+-      regmap = syscon_node_to_regmap(np->parent);
+-      if (IS_ERR(regmap))
+-              return PTR_ERR(regmap);
++      tcbpwm->regmap = syscon_node_to_regmap(np->parent);
++      if (IS_ERR(tcbpwm->regmap))
++              return PTR_ERR(tcbpwm->regmap);
+-      slow_clk = of_clk_get_by_name(np->parent, "slow_clk");
+-      if (IS_ERR(slow_clk))
+-              return PTR_ERR(slow_clk);
++      tcbpwm->slow_clk = of_clk_get_by_name(np->parent, "slow_clk");
++      if (IS_ERR(tcbpwm->slow_clk))
++              return PTR_ERR(tcbpwm->slow_clk);
+       clk_name[1] += channel;
+-      clk = of_clk_get_by_name(np->parent, clk_name);
+-      if (IS_ERR(clk))
+-              clk = of_clk_get_by_name(np->parent, "t0_clk");
+-      if (IS_ERR(clk))
+-              return PTR_ERR(clk);
++      tcbpwm->clk = of_clk_get_by_name(np->parent, clk_name);
++      if (IS_ERR(tcbpwm->clk))
++              tcbpwm->clk = of_clk_get_by_name(np->parent, "t0_clk");
++      if (IS_ERR(tcbpwm->clk))
++              return PTR_ERR(tcbpwm->clk);
+       match = of_match_node(atmel_tcb_of_match, np->parent);
+       config = match->data;
+       if (config->has_gclk) {
+-              gclk = of_clk_get_by_name(np->parent, "gclk");
+-              if (IS_ERR(gclk))
+-                      return PTR_ERR(gclk);
+-      }
+-
+-      tcbpwm = devm_kzalloc(&pdev->dev, sizeof(*tcbpwm), GFP_KERNEL);
+-      if (tcbpwm == NULL) {
+-              err = -ENOMEM;
+-              goto err_slow_clk;
++              tcbpwm->gclk = of_clk_get_by_name(np->parent, "gclk");
++              if (IS_ERR(tcbpwm->gclk))
++                      return PTR_ERR(tcbpwm->gclk);
+       }
+       tcbpwm->chip.dev = &pdev->dev;
+       tcbpwm->chip.ops = &atmel_tcb_pwm_ops;
+       tcbpwm->chip.npwm = NPWM;
+       tcbpwm->channel = channel;
+-      tcbpwm->regmap = regmap;
+-      tcbpwm->clk = clk;
+-      tcbpwm->gclk = gclk;
+-      tcbpwm->slow_clk = slow_clk;
+       tcbpwm->width = config->counter_width;
+-      err = clk_prepare_enable(slow_clk);
++      err = clk_prepare_enable(tcbpwm->slow_clk);
+       if (err)
+               goto err_slow_clk;
+@@ -495,7 +486,7 @@ static int atmel_tcb_pwm_probe(struct platform_device *pdev)
+       clk_disable_unprepare(tcbpwm->slow_clk);
+ err_slow_clk:
+-      clk_put(slow_clk);
++      clk_put(tcbpwm->slow_clk);
+       return err;
+ }
+-- 
+2.40.1
+
diff --git a/queue-6.1/pwm-lpc32xx-remove-handling-of-pwm-channels.patch b/queue-6.1/pwm-lpc32xx-remove-handling-of-pwm-channels.patch
new file mode 100644 (file)
index 0000000..a7a0471
--- /dev/null
@@ -0,0 +1,88 @@
+From 2646f2bda035980658d3755045db5e5ada6b9d43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jul 2023 17:52:57 +0200
+Subject: pwm: lpc32xx: Remove handling of PWM channels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vladimir Zapolskiy <vz@mleia.com>
+
+[ Upstream commit 4aae44f65827f0213a7361cf9c32cfe06114473f ]
+
+Because LPC32xx PWM controllers have only a single output which is
+registered as the only PWM device/channel per controller, it is known in
+advance that pwm->hwpwm value is always 0. On basis of this fact
+simplify the code by removing operations with pwm->hwpwm, there is no
+controls which require channel number as input.
+
+Even though I wasn't aware at the time when I forward ported that patch,
+this fixes a null pointer dereference as lpc32xx->chip.pwms is NULL
+before devm_pwmchip_add() is called.
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Fixes: 3d2813fb17e5 ("pwm: lpc32xx: Don't modify HW state in .probe() after the PWM chip was registered")
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-lpc32xx.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/pwm/pwm-lpc32xx.c b/drivers/pwm/pwm-lpc32xx.c
+index 86a0ea0f6955c..806f0bb3ad6d8 100644
+--- a/drivers/pwm/pwm-lpc32xx.c
++++ b/drivers/pwm/pwm-lpc32xx.c
+@@ -51,10 +51,10 @@ static int lpc32xx_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
+       if (duty_cycles > 255)
+               duty_cycles = 255;
+-      val = readl(lpc32xx->base + (pwm->hwpwm << 2));
++      val = readl(lpc32xx->base);
+       val &= ~0xFFFF;
+       val |= (period_cycles << 8) | duty_cycles;
+-      writel(val, lpc32xx->base + (pwm->hwpwm << 2));
++      writel(val, lpc32xx->base);
+       return 0;
+ }
+@@ -69,9 +69,9 @@ static int lpc32xx_pwm_enable(struct pwm_chip *chip, struct pwm_device *pwm)
+       if (ret)
+               return ret;
+-      val = readl(lpc32xx->base + (pwm->hwpwm << 2));
++      val = readl(lpc32xx->base);
+       val |= PWM_ENABLE;
+-      writel(val, lpc32xx->base + (pwm->hwpwm << 2));
++      writel(val, lpc32xx->base);
+       return 0;
+ }
+@@ -81,9 +81,9 @@ static void lpc32xx_pwm_disable(struct pwm_chip *chip, struct pwm_device *pwm)
+       struct lpc32xx_pwm_chip *lpc32xx = to_lpc32xx_pwm_chip(chip);
+       u32 val;
+-      val = readl(lpc32xx->base + (pwm->hwpwm << 2));
++      val = readl(lpc32xx->base);
+       val &= ~PWM_ENABLE;
+-      writel(val, lpc32xx->base + (pwm->hwpwm << 2));
++      writel(val, lpc32xx->base);
+       clk_disable_unprepare(lpc32xx->clk);
+ }
+@@ -141,9 +141,9 @@ static int lpc32xx_pwm_probe(struct platform_device *pdev)
+       lpc32xx->chip.npwm = 1;
+       /* If PWM is disabled, configure the output to the default value */
+-      val = readl(lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2));
++      val = readl(lpc32xx->base);
+       val &= ~PWM_PIN_LEVEL;
+-      writel(val, lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2));
++      writel(val, lpc32xx->base);
+       ret = devm_pwmchip_add(&pdev->dev, &lpc32xx->chip);
+       if (ret < 0) {
+-- 
+2.40.1
+
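Review bot: The probe hunk in lpc32xx_pwm_probe does not record why the register is now addressed as plain `lpc32xx->base` ahead of `devm_pwmchip_add()`. The commit message explains that the old `lpc32xx->chip.pwms[0].hwpwm` form dereferenced a pointer that is still NULL at that point. I would extend the existing comment to say that `chip.pwms` is not populated until `devm_pwmchip_add()` returns and that the controller's single output lives at offset 0, for example `/* chip.pwms is NULL until devm_pwmchip_add(); single channel, register at base */`. That keeps a later refactor from reintroducing the per-channel offset in probe. All four functions touched here extend beyond their hunks.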
diff --git a/queue-6.1/s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch b/queue-6.1/s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch
new file mode 100644 (file)
index 0000000..1352511
--- /dev/null
@@ -0,0 +1,37 @@
+From ad61aa6c54948ca2ea4d0a023d80cd657d350a5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 13:59:59 +0300
+Subject: s390/zcrypt: don't leak memory if dev_set_name() fails
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 6252f47b78031979ad919f971dc8468b893488bd ]
+
+When dev_set_name() fails, zcdn_create() doesn't free the newly
+allocated resources. Do it.
+
+Fixes: 00fab2350e6b ("s390/zcrypt: multiple zcrypt device nodes support")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20230831110000.24279-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/zcrypt_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c
+index f94b43ce9a658..28e34d155334b 100644
+--- a/drivers/s390/crypto/zcrypt_api.c
++++ b/drivers/s390/crypto/zcrypt_api.c
+@@ -441,6 +441,7 @@ static int zcdn_create(const char *name)
+                        ZCRYPT_NAME "_%d", (int)MINOR(devt));
+       nodename[sizeof(nodename) - 1] = '\0';
+       if (dev_set_name(&zcdndev->device, nodename)) {
++              kfree(zcdndev);
+               rc = -EINVAL;
+               goto unlockout;
+       }
+-- 
+2.40.1
+
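Review bot: `dev_set_name(&zcdndev->device, nodename)` in zcdn_create passes the assembled name as the format string, so any `%` in it is interpreted as a conversion; the added `kfree()` does not change that. If nodename can carry the caller-supplied `name` argument (the branch that fills it is outside the hunk, so this is inferred), the call should be `dev_set_name(&zcdndev->device, "%s", nodename)`. The failure branch also reports `-EINVAL` regardless of what dev_set_name() returned; keeping that return value in `rc` would preserve the real error. zcdn_create starts and ends outside the hunk.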
diff --git a/queue-6.1/sctp-annotate-data-races-around-sk-sk_wmem_queued.patch b/queue-6.1/sctp-annotate-data-races-around-sk-sk_wmem_queued.patch
new file mode 100644 (file)
index 0000000..d844e32
--- /dev/null
@@ -0,0 +1,152 @@
+From 8b51f7b3c74685071e0dea5c8a867a444c28d0a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 09:45:19 +0000
+Subject: sctp: annotate data-races around sk->sk_wmem_queued
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit dc9511dd6f37fe803f6b15b61b030728d7057417 ]
+
+sk->sk_wmem_queued can be read locklessly from sctp_poll()
+
+Use sk_wmem_queued_add() when the field is changed,
+and add READ_ONCE() annotations in sctp_writeable()
+and sctp_assocs_seq_show()
+
+syzbot reported:
+
+BUG: KCSAN: data-race in sctp_poll / sctp_wfree
+
+read-write to 0xffff888149d77810 of 4 bytes by interrupt on cpu 0:
+sctp_wfree+0x170/0x4a0 net/sctp/socket.c:9147
+skb_release_head_state+0xb7/0x1a0 net/core/skbuff.c:988
+skb_release_all net/core/skbuff.c:1000 [inline]
+__kfree_skb+0x16/0x140 net/core/skbuff.c:1016
+consume_skb+0x57/0x180 net/core/skbuff.c:1232
+sctp_chunk_destroy net/sctp/sm_make_chunk.c:1503 [inline]
+sctp_chunk_put+0xcd/0x130 net/sctp/sm_make_chunk.c:1530
+sctp_datamsg_put+0x29a/0x300 net/sctp/chunk.c:128
+sctp_chunk_free+0x34/0x50 net/sctp/sm_make_chunk.c:1515
+sctp_outq_sack+0xafa/0xd70 net/sctp/outqueue.c:1381
+sctp_cmd_process_sack net/sctp/sm_sideeffect.c:834 [inline]
+sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1366 [inline]
+sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
+sctp_do_sm+0x12c7/0x31b0 net/sctp/sm_sideeffect.c:1169
+sctp_assoc_bh_rcv+0x2b2/0x430 net/sctp/associola.c:1051
+sctp_inq_push+0x108/0x120 net/sctp/inqueue.c:80
+sctp_rcv+0x116e/0x1340 net/sctp/input.c:243
+sctp6_rcv+0x25/0x40 net/sctp/ipv6.c:1120
+ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437
+ip6_input_finish net/ipv6/ip6_input.c:482 [inline]
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491
+dst_input include/net/dst.h:468 [inline]
+ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309
+__netif_receive_skb_one_core net/core/dev.c:5452 [inline]
+__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566
+process_backlog+0x21f/0x380 net/core/dev.c:5894
+__napi_poll+0x60/0x3b0 net/core/dev.c:6460
+napi_poll net/core/dev.c:6527 [inline]
+net_rx_action+0x32b/0x750 net/core/dev.c:6660
+__do_softirq+0xc1/0x265 kernel/softirq.c:553
+run_ksoftirqd+0x17/0x20 kernel/softirq.c:921
+smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
+kthread+0x1d7/0x210 kernel/kthread.c:389
+ret_from_fork+0x2e/0x40 arch/x86/kernel/process.c:145
+ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
+
+read to 0xffff888149d77810 of 4 bytes by task 17828 on cpu 1:
+sctp_writeable net/sctp/socket.c:9304 [inline]
+sctp_poll+0x265/0x410 net/sctp/socket.c:8671
+sock_poll+0x253/0x270 net/socket.c:1374
+vfs_poll include/linux/poll.h:88 [inline]
+do_pollfd fs/select.c:873 [inline]
+do_poll fs/select.c:921 [inline]
+do_sys_poll+0x636/0xc00 fs/select.c:1015
+__do_sys_ppoll fs/select.c:1121 [inline]
+__se_sys_ppoll+0x1af/0x1f0 fs/select.c:1101
+__x64_sys_ppoll+0x67/0x80 fs/select.c:1101
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x00019e80 -> 0x0000cc80
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 17828 Comm: syz-executor.1 Not tainted 6.5.0-rc7-syzkaller-00185-g28f20a19294d #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Xin Long <lucien.xin@gmail.com>
+Link: https://lore.kernel.org/r/20230830094519.950007-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/proc.c   |  2 +-
+ net/sctp/socket.c | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/sctp/proc.c b/net/sctp/proc.c
+index f13d6a34f32f2..ec00ee75d59a6 100644
+--- a/net/sctp/proc.c
++++ b/net/sctp/proc.c
+@@ -282,7 +282,7 @@ static int sctp_assocs_seq_show(struct seq_file *seq, void *v)
+               assoc->init_retries, assoc->shutdown_retries,
+               assoc->rtx_data_chunks,
+               refcount_read(&sk->sk_wmem_alloc),
+-              sk->sk_wmem_queued,
++              READ_ONCE(sk->sk_wmem_queued),
+               sk->sk_sndbuf,
+               sk->sk_rcvbuf);
+       seq_printf(seq, "\n");
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index a11b0d903514c..32e3669adf146 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -68,7 +68,7 @@
+ #include <net/sctp/stream_sched.h>
+ /* Forward declarations for internal helper functions. */
+-static bool sctp_writeable(struct sock *sk);
++static bool sctp_writeable(const struct sock *sk);
+ static void sctp_wfree(struct sk_buff *skb);
+ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+                               size_t msg_len);
+@@ -139,7 +139,7 @@ static inline void sctp_set_owner_w(struct sctp_chunk *chunk)
+       refcount_add(sizeof(struct sctp_chunk), &sk->sk_wmem_alloc);
+       asoc->sndbuf_used += chunk->skb->truesize + sizeof(struct sctp_chunk);
+-      sk->sk_wmem_queued += chunk->skb->truesize + sizeof(struct sctp_chunk);
++      sk_wmem_queued_add(sk, chunk->skb->truesize + sizeof(struct sctp_chunk));
+       sk_mem_charge(sk, chunk->skb->truesize);
+ }
+@@ -9139,7 +9139,7 @@ static void sctp_wfree(struct sk_buff *skb)
+       struct sock *sk = asoc->base.sk;
+       sk_mem_uncharge(sk, skb->truesize);
+-      sk->sk_wmem_queued -= skb->truesize + sizeof(struct sctp_chunk);
++      sk_wmem_queued_add(sk, -(skb->truesize + sizeof(struct sctp_chunk)));
+       asoc->sndbuf_used -= skb->truesize + sizeof(struct sctp_chunk);
+       WARN_ON(refcount_sub_and_test(sizeof(struct sctp_chunk),
+                                     &sk->sk_wmem_alloc));
+@@ -9292,9 +9292,9 @@ void sctp_write_space(struct sock *sk)
+  * UDP-style sockets or TCP-style sockets, this code should work.
+  *  - Daisy
+  */
+-static bool sctp_writeable(struct sock *sk)
++static bool sctp_writeable(const struct sock *sk)
+ {
+-      return sk->sk_sndbuf > sk->sk_wmem_queued;
++      return READ_ONCE(sk->sk_sndbuf) > READ_ONCE(sk->sk_wmem_queued);
+ }
+ /* Wait for an association to go into ESTABLISHED state. If timeout is 0,
+-- 
+2.40.1
+
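Review bot: In sctp_assocs_seq_show only `sk->sk_wmem_queued` gets `READ_ONCE()`, while the next two arguments, `sk->sk_sndbuf` and `sk->sk_rcvbuf`, remain plain reads even though the same patch wraps `sk->sk_sndbuf` in `READ_ONCE()` inside sctp_writeable. For consistency those two lines could read `READ_ONCE(sk->sk_sndbuf),` and `READ_ONCE(sk->sk_rcvbuf),`; whether sk_rcvbuf is written locklessly is not shown here, so that half is something to confirm. In sctp_wfree, `-(skb->truesize + sizeof(struct sctp_chunk))` negates an unsigned expression and relies on the conversion to the int parameter of sk_wmem_queued_add(); an explicit `-(int)(...)` cast would make the intent visible. sctp_assocs_seq_show and sctp_wfree extend beyond their hunks.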
index fcd3362fc15d06f114ec0eb46faff7ce34736891..639cf72efac7e1f5ec8b0cfac70d418875fdce62 100644 (file)
@@ -49,3 +49,85 @@ clk-qcom-mss-sc7180-fix-missing-resume-during-probe.patch
 nfs-fix-a-potential-data-corruption.patch
 nfsv4-pnfs-minor-fix-for-cleanup-path-in-nfs4_get_device_info.patch
 bus-mhi-host-skip-mhi-reset-if-device-is-in-rddm.patch
+kbuild-rpm-pkg-define-_arch-conditionally.patch
+kbuild-do-not-run-depmod-for-make-modules_sign.patch
+tpm_crb-fix-an-error-handling-path-in-crb_acpi_add.patch
+gfs2-switch-to-wait_event-in-gfs2_logd.patch
+gfs2-low-memory-forced-flush-fixes.patch
+mailbox-qcom-ipcc-fix-incorrect-num_chans-counting.patch
+kconfig-fix-possible-buffer-overflow.patch
+input-iqs7222-configure-power-mode-before-triggering.patch
+perf-trace-use-zfree-to-reduce-chances-of-use-after-.patch
+perf-trace-really-free-the-evsel-priv-area.patch
+pwm-atmel-tcb-convert-to-platform-remove-callback-re.patch
+pwm-atmel-tcb-harmonize-resource-allocation-order.patch
+pwm-atmel-tcb-fix-resource-freeing-in-error-path-and.patch
+backlight-gpio_backlight-drop-output-gpio-direction-.patch
+input-tca6416-keypad-always-expect-proper-irq-number.patch
+input-tca6416-keypad-fix-interrupt-enable-disbalance.patch
+perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch
+x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch
+perf-vendor-events-update-the-json-events-descriptio.patch
+perf-vendor-events-drop-some-of-the-json-events-for-.patch
+perf-vendor-events-drop-stores_per_inst-metric-event.patch
+perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch
+kvm-svm-name-and-check-reserved-fields-with-structs-.patch
+kvm-svm-correct-the-size-of-spec_ctrl-field-in-vmcb-.patch
+watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch
+pwm-lpc32xx-remove-handling-of-pwm-channels.patch
+perf-test-stat_bpf_counters_cgrp-fix-shellcheck-issu.patch
+perf-test-stat_bpf_counters_cgrp-enhance-perf-stat-c.patch
+drm-i915-mark-requests-for-guc-virtual-engines-to-av.patch
+blk-throttle-use-calculate_io-bytes_allowed-for-thro.patch
+blk-throttle-consider-carryover_ios-bytes-in-throtl_.patch
+cifs-use-fs_context-for-automounts.patch
+smb-propagate-error-code-of-extract_sharename.patch
+net-sched-fq_pie-avoid-stalls-in-fq_pie_timer.patch
+sctp-annotate-data-races-around-sk-sk_wmem_queued.patch
+ipv4-annotate-data-races-around-fi-fib_dead.patch
+net-read-sk-sk_family-once-in-sk_mc_loop.patch
+net-fib-avoid-warn-splat-in-flow-dissector.patch
+xsk-fix-xsk_diag-use-after-free-error-during-socket-.patch
+ceph-make-members-in-struct-ceph_mds_request_args_ex.patch
+drm-i915-gvt-verify-pfn-is-valid-before-dereferencin.patch
+drm-i915-gvt-put-the-page-reference-obtained-by-kvm-.patch
+drm-i915-gvt-drop-unused-helper-intel_vgpu_reset_gtt.patch
+net-use-sk_forward_alloc_get-in-sk_get_meminfo.patch
+net-annotate-data-races-around-sk-sk_forward_alloc.patch
+mptcp-annotate-data-races-around-msk-rmem_fwd_alloc.patch
+ipv4-ignore-dst-hint-for-multipath-routes.patch
+ipv6-ignore-dst-hint-for-multipath-routes.patch
+igb-disable-virtualization-features-on-82580.patch
+gve-fix-frag_list-chaining.patch
+veth-fixing-transmit-return-status-for-dropped-packe.patch
+net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch
+net-phy-micrel-correct-bit-assignments-for-phy_devic.patch
+bpf-sockmap-fix-skb-refcnt-race-after-locking-change.patch
+af_unix-fix-data-races-around-user-unix_inflight.patch
+af_unix-fix-data-race-around-unix_tot_inflight.patch
+af_unix-fix-data-races-around-sk-sk_shutdown.patch
+af_unix-fix-data-race-around-sk-sk_err.patch
+net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch
+kcm-destroy-mutex-in-kcm_exit_net.patch
+octeontx2-af-fix-truncation-of-smq-in-cn10k-nix-aq-e.patch
+igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch
+igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch
+igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch
+s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch
+idr-fix-param-name-in-idr_alloc_cyclic-doc.patch
+ip_tunnels-use-dev_stats_inc.patch
+net-dsa-sja1105-fix-bandwidth-discrepancy-between-tc.patch
+net-dsa-sja1105-fix-enospc-when-replacing-the-same-t.patch
+net-dsa-sja1105-complete-tc-cbs-offload-support-on-s.patch
+bpf-remove-prog-active-check-for-bpf_lsm-and-bpf_ite.patch
+bpf-invoke-__bpf_prog_exit_sleepable_recur-on-recurs.patch
+bpf-assign-bpf_tramp_run_ctx-saved_run_ctx-before-re.patch
+netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch
+netfilter-nfnetlink_osf-avoid-oob-read.patch
+net-hns3-fix-tx-timeout-issue.patch
+net-hns3-fix-byte-order-conversion-issue-in-hclge_db.patch
+net-hns3-fix-debugfs-concurrency-issue-between-kfree.patch
+net-hns3-fix-invalid-mutex-between-tc-qdisc-and-dcb-.patch
+net-hns3-fix-the-port-information-display-when-sfp-i.patch
+net-hns3-remove-gso-partial-feature-bit.patch
+sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch
diff --git a/queue-6.1/sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch b/queue-6.1/sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch
new file mode 100644 (file)
index 0000000..fec4251
--- /dev/null
@@ -0,0 +1,121 @@
+From 5ae4363848a6f48988a8fb5caea3d34503785a21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Jul 2023 14:07:42 +0200
+Subject: sh: boards: Fix CEU buffer size passed to
+ dma_declare_coherent_memory()
+
+From: Petr Tesarik <petr.tesarik.ext@huawei.com>
+
+[ Upstream commit fb60211f377b69acffead3147578f86d0092a7a5 ]
+
+In all these cases, the last argument to dma_declare_coherent_memory() is
+the buffer end address, but the expected value should be the size of the
+reserved region.
+
+Fixes: 39fb993038e1 ("media: arch: sh: ap325rxa: Use new renesas-ceu camera driver")
+Fixes: c2f9b05fd5c1 ("media: arch: sh: ecovec: Use new renesas-ceu camera driver")
+Fixes: f3590dc32974 ("media: arch: sh: kfr2r09: Use new renesas-ceu camera driver")
+Fixes: 186c446f4b84 ("media: arch: sh: migor: Use new renesas-ceu camera driver")
+Fixes: 1a3c230b4151 ("media: arch: sh: ms7724se: Use new renesas-ceu camera driver")
+Signed-off-by: Petr Tesarik <petr.tesarik.ext@huawei.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Jacopo Mondi <jacopo.mondi@ideasonboard.com>
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Link: https://lore.kernel.org/r/20230724120742.2187-1-petrtesarik@huaweicloud.com
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/boards/mach-ap325rxa/setup.c | 2 +-
+ arch/sh/boards/mach-ecovec24/setup.c | 6 ++----
+ arch/sh/boards/mach-kfr2r09/setup.c  | 2 +-
+ arch/sh/boards/mach-migor/setup.c    | 2 +-
+ arch/sh/boards/mach-se/7724/setup.c  | 6 ++----
+ 5 files changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/arch/sh/boards/mach-ap325rxa/setup.c b/arch/sh/boards/mach-ap325rxa/setup.c
+index c77b5f00a66a3..d8f8dca4d7968 100644
+--- a/arch/sh/boards/mach-ap325rxa/setup.c
++++ b/arch/sh/boards/mach-ap325rxa/setup.c
+@@ -530,7 +530,7 @@ static int __init ap325rxa_devices_setup(void)
+       device_initialize(&ap325rxa_ceu_device.dev);
+       dma_declare_coherent_memory(&ap325rxa_ceu_device.dev,
+                       ceu_dma_membase, ceu_dma_membase,
+-                      ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1);
++                      CEU_BUFFER_MEMORY_SIZE);
+       platform_device_add(&ap325rxa_ceu_device);
+diff --git a/arch/sh/boards/mach-ecovec24/setup.c b/arch/sh/boards/mach-ecovec24/setup.c
+index 674da7ebd8b7f..7ec03d4a4edf0 100644
+--- a/arch/sh/boards/mach-ecovec24/setup.c
++++ b/arch/sh/boards/mach-ecovec24/setup.c
+@@ -1454,15 +1454,13 @@ static int __init arch_setup(void)
+       device_initialize(&ecovec_ceu_devices[0]->dev);
+       dma_declare_coherent_memory(&ecovec_ceu_devices[0]->dev,
+                                   ceu0_dma_membase, ceu0_dma_membase,
+-                                  ceu0_dma_membase +
+-                                  CEU_BUFFER_MEMORY_SIZE - 1);
++                                  CEU_BUFFER_MEMORY_SIZE);
+       platform_device_add(ecovec_ceu_devices[0]);
+       device_initialize(&ecovec_ceu_devices[1]->dev);
+       dma_declare_coherent_memory(&ecovec_ceu_devices[1]->dev,
+                                   ceu1_dma_membase, ceu1_dma_membase,
+-                                  ceu1_dma_membase +
+-                                  CEU_BUFFER_MEMORY_SIZE - 1);
++                                  CEU_BUFFER_MEMORY_SIZE);
+       platform_device_add(ecovec_ceu_devices[1]);
+       gpiod_add_lookup_table(&cn12_power_gpiod_table);
+diff --git a/arch/sh/boards/mach-kfr2r09/setup.c b/arch/sh/boards/mach-kfr2r09/setup.c
+index 20f4db778ed6a..c6d556dfbbbe6 100644
+--- a/arch/sh/boards/mach-kfr2r09/setup.c
++++ b/arch/sh/boards/mach-kfr2r09/setup.c
+@@ -603,7 +603,7 @@ static int __init kfr2r09_devices_setup(void)
+       device_initialize(&kfr2r09_ceu_device.dev);
+       dma_declare_coherent_memory(&kfr2r09_ceu_device.dev,
+                       ceu_dma_membase, ceu_dma_membase,
+-                      ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1);
++                      CEU_BUFFER_MEMORY_SIZE);
+       platform_device_add(&kfr2r09_ceu_device);
+diff --git a/arch/sh/boards/mach-migor/setup.c b/arch/sh/boards/mach-migor/setup.c
+index f60061283c482..773ee767d0c4e 100644
+--- a/arch/sh/boards/mach-migor/setup.c
++++ b/arch/sh/boards/mach-migor/setup.c
+@@ -604,7 +604,7 @@ static int __init migor_devices_setup(void)
+       device_initialize(&migor_ceu_device.dev);
+       dma_declare_coherent_memory(&migor_ceu_device.dev,
+                       ceu_dma_membase, ceu_dma_membase,
+-                      ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1);
++                      CEU_BUFFER_MEMORY_SIZE);
+       platform_device_add(&migor_ceu_device);
+diff --git a/arch/sh/boards/mach-se/7724/setup.c b/arch/sh/boards/mach-se/7724/setup.c
+index b60a2626e18b2..6495f93540654 100644
+--- a/arch/sh/boards/mach-se/7724/setup.c
++++ b/arch/sh/boards/mach-se/7724/setup.c
+@@ -940,15 +940,13 @@ static int __init devices_setup(void)
+       device_initialize(&ms7724se_ceu_devices[0]->dev);
+       dma_declare_coherent_memory(&ms7724se_ceu_devices[0]->dev,
+                                   ceu0_dma_membase, ceu0_dma_membase,
+-                                  ceu0_dma_membase +
+-                                  CEU_BUFFER_MEMORY_SIZE - 1);
++                                  CEU_BUFFER_MEMORY_SIZE);
+       platform_device_add(ms7724se_ceu_devices[0]);
+       device_initialize(&ms7724se_ceu_devices[1]->dev);
+       dma_declare_coherent_memory(&ms7724se_ceu_devices[1]->dev,
+                                   ceu1_dma_membase, ceu1_dma_membase,
+-                                  ceu1_dma_membase +
+-                                  CEU_BUFFER_MEMORY_SIZE - 1);
++                                  CEU_BUFFER_MEMORY_SIZE);
+       platform_device_add(ms7724se_ceu_devices[1]);
+       return platform_add_devices(ms7724se_devices,
+-- 
+2.40.1
+
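Review bot: The return value of `dma_declare_coherent_memory()` is still discarded at every call site touched by the embedded patch (ap325rxa, ecovec24, kfr2r09, migor, se7724), so a failed declaration goes unreported and `platform_device_add()` runs regardless. With the size argument now correct, that silent failure is the remaining gap: the CEU device would come up without its reserved pool, and its buffers would presumably come from somewhere other than the region set aside for it. At minimum I would log it, for example `if (dma_declare_coherent_memory(&migor_ceu_device.dev, ceu_dma_membase, ceu_dma_membase, CEU_BUFFER_MEMORY_SIZE)) pr_warn("CEU: coherent pool not declared\n");`. The board setup functions begin and end outside these hunks, so whether anything later notices the failure cannot be seen here.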
diff --git a/queue-6.1/smb-propagate-error-code-of-extract_sharename.patch b/queue-6.1/smb-propagate-error-code-of-extract_sharename.patch
new file mode 100644 (file)
index 0000000..d38ae7d
--- /dev/null
@@ -0,0 +1,37 @@
+From 443a3ab5c30d9a984237351fc89a419426b13f5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Aug 2023 16:38:31 +0300
+Subject: smb: propagate error code of extract_sharename()
+
+From: Katya Orlova <e.orlova@ispras.ru>
+
+[ Upstream commit efc0b0bcffcba60d9c6301063d25a22a4744b499 ]
+
+In addition to the EINVAL, there may be an ENOMEM.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 70431bfd825d ("cifs: Support fscache indexing rewrite")
+Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/fscache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/fscache.c b/fs/smb/client/fscache.c
+index f6f3a6b75601b..e73625b5d0cc6 100644
+--- a/fs/smb/client/fscache.c
++++ b/fs/smb/client/fscache.c
+@@ -48,7 +48,7 @@ int cifs_fscache_get_super_cookie(struct cifs_tcon *tcon)
+       sharename = extract_sharename(tcon->tree_name);
+       if (IS_ERR(sharename)) {
+               cifs_dbg(FYI, "%s: couldn't extract sharename\n", __func__);
+-              return -EINVAL;
++              return PTR_ERR(sharename);
+       }
+       slen = strlen(sharename);
+-- 
+2.40.1
+
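Review bot: The debug message in `cifs_fscache_get_super_cookie()` still says only "couldn't extract sharename", although this branch can now return more than one error code, so the log no longer identifies which failure occurred. I would print the code with it: `cifs_dbg(FYI, "%s: couldn't extract sharename (%ld)\n", __func__, PTR_ERR(sharename));`. The function continues outside the hunk and its callers are not visible, so any caller that compared the result against `-EINVAL` specifically should be checked as well.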
diff --git a/queue-6.1/tpm_crb-fix-an-error-handling-path-in-crb_acpi_add.patch b/queue-6.1/tpm_crb-fix-an-error-handling-path-in-crb_acpi_add.patch
new file mode 100644 (file)
index 0000000..30607cb
--- /dev/null
@@ -0,0 +1,45 @@
+From 52240651edd1f073a188d3c97c67b627bc4f1d9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Feb 2023 11:58:48 +0100
+Subject: tpm_crb: Fix an error handling path in crb_acpi_add()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 9c377852ddfdc557b1370f196b0cfdf28d233460 ]
+
+Some error paths don't call acpi_put_table() before returning.
+Branch to the correct place instead of doing some direct return.
+
+Fixes: 4d2732882703 ("tpm_crb: Add support for CRB devices based on Pluton")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Matthew Garrett <mgarrett@aurora.tech>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/tpm_crb.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
+index db0b774207d35..f45239e73c4ca 100644
+--- a/drivers/char/tpm/tpm_crb.c
++++ b/drivers/char/tpm/tpm_crb.c
+@@ -775,12 +775,13 @@ static int crb_acpi_add(struct acpi_device *device)
+                               FW_BUG "TPM2 ACPI table has wrong size %u for start method type %d\n",
+                               buf->header.length,
+                               ACPI_TPM2_COMMAND_BUFFER_WITH_PLUTON);
+-                      return -EINVAL;
++                      rc = -EINVAL;
++                      goto out;
+               }
+               crb_pluton = ACPI_ADD_PTR(struct tpm2_crb_pluton, buf, sizeof(*buf));
+               rc = crb_map_pluton(dev, priv, buf, crb_pluton);
+               if (rc)
+-                      return rc;
++                      goto out;
+       }
+       priv->sm = sm;
+-- 
+2.40.1
+
diff --git a/queue-6.1/veth-fixing-transmit-return-status-for-dropped-packe.patch b/queue-6.1/veth-fixing-transmit-return-status-for-dropped-packe.patch
new file mode 100644 (file)
index 0000000..2a59bc3
--- /dev/null
@@ -0,0 +1,54 @@
+From 164616fc394a0efe09219f82171f8fe4538d37d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 12:09:21 +0800
+Subject: veth: Fixing transmit return status for dropped packets
+
+From: Liang Chen <liangchen.linux@gmail.com>
+
+[ Upstream commit 151e887d8ff97e2e42110ffa1fb1e6a2128fb364 ]
+
+The veth_xmit function returns NETDEV_TX_OK even when packets are dropped.
+This behavior leads to incorrect calculations of statistics counts, as
+well as things like txq->trans_start updates.
+
+Fixes: e314dbdc1c0d ("[NET]: Virtual ethernet device driver.")
+Signed-off-by: Liang Chen <liangchen.linux@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/veth.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/veth.c b/drivers/net/veth.c
+index 727b9278b9fe5..36c5a41f84e44 100644
+--- a/drivers/net/veth.c
++++ b/drivers/net/veth.c
+@@ -313,6 +313,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+       struct veth_priv *rcv_priv, *priv = netdev_priv(dev);
+       struct veth_rq *rq = NULL;
++      int ret = NETDEV_TX_OK;
+       struct net_device *rcv;
+       int length = skb->len;
+       bool use_napi = false;
+@@ -345,6 +346,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
+       } else {
+ drop:
+               atomic64_inc(&priv->dropped);
++              ret = NET_XMIT_DROP;
+       }
+       if (use_napi)
+@@ -352,7 +354,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
+       rcu_read_unlock();
+-      return NETDEV_TX_OK;
++      return ret;
+ }
+ static u64 veth_stats_tx(struct net_device *dev, u64 *packets, u64 *bytes)
+-- 
+2.40.1
+
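Review bot: `ret` is declared `int` and assigned `NET_XMIT_DROP`, while `veth_xmit()` is declared to return `netdev_tx_t`; the two constants belong to different return-code families and the implicit conversion hides that from a reader. Declaring it as `netdev_tx_t ret = NETDEV_TX_OK;` and adding a comment next to the assignment, such as `/* skb is already consumed here; report the drop to the caller */`, would make the intent explicit. Which paths reach `drop:` and what has happened to the skb by then is decided outside the hunk, so that should be confirmed, because how the caller treats the skb depends on the value returned.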
diff --git a/queue-6.1/watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch b/queue-6.1/watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch
new file mode 100644 (file)
index 0000000..2a44998
--- /dev/null
@@ -0,0 +1,40 @@
+From 2b7c3bfe4f87a33d5d677f728f83cdff0893d7a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Aug 2023 17:32:20 +0530
+Subject: watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
+
+From: Raag Jadav <raag.jadav@intel.com>
+
+[ Upstream commit cf38e7691c85f1b09973b22a0b89bf1e1228d2f9 ]
+
+When built with CONFIG_INTEL_MID_WATCHDOG=m, currently the driver
+needs to be loaded manually, for the lack of module alias.
+This causes unintended resets in cases where watchdog timer is
+set-up by bootloader and the driver is not explicitly loaded.
+Add MODULE_ALIAS() to load the driver automatically at boot and
+avoid this issue.
+
+Fixes: 87a1ef8058d9 ("watchdog: add Intel MID watchdog driver support")
+Signed-off-by: Raag Jadav <raag.jadav@intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20230811120220.31578-1-raag.jadav@intel.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/intel-mid_wdt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/watchdog/intel-mid_wdt.c b/drivers/watchdog/intel-mid_wdt.c
+index 9b2173f765c8c..fb7fae750181b 100644
+--- a/drivers/watchdog/intel-mid_wdt.c
++++ b/drivers/watchdog/intel-mid_wdt.c
+@@ -203,3 +203,4 @@ module_platform_driver(mid_wdt_driver);
+ MODULE_AUTHOR("David Cohen <david.a.cohen@linux.intel.com>");
+ MODULE_DESCRIPTION("Watchdog Driver for Intel MID platform");
+ MODULE_LICENSE("GPL");
++MODULE_ALIAS("platform:intel_mid_wdt");
+-- 
+2.40.1
+
diff --git a/queue-6.1/x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch b/queue-6.1/x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch
new file mode 100644 (file)
index 0000000..b3db313
--- /dev/null
@@ -0,0 +1,45 @@
+From cda18403551c51557bb942111050e21798c7921c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jul 2023 13:18:52 -0700
+Subject: x86/virt: Drop unnecessary check on extended CPUID level in
+ cpu_has_svm()
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 5df8ecfe3632d5879d1f154f7aa8de441b5d1c89 ]
+
+Drop the explicit check on the extended CPUID level in cpu_has_svm(), the
+kernel's cached CPUID info will leave the entire SVM leaf unset if said
+leaf is not supported by hardware.  Prior to using cached information,
+the check was needed to avoid false positives due to Intel's rather crazy
+CPUID behavior of returning the values of the maximum supported leaf if
+the specified leaf is unsupported.
+
+Fixes: 682a8108872f ("x86/kvm/svm: Simplify cpu_has_svm()")
+Link: https://lore.kernel.org/r/20230721201859.2307736-13-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/virtext.h | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/arch/x86/include/asm/virtext.h b/arch/x86/include/asm/virtext.h
+index 3b12e6b994123..6c2e3ff3cb28f 100644
+--- a/arch/x86/include/asm/virtext.h
++++ b/arch/x86/include/asm/virtext.h
+@@ -101,12 +101,6 @@ static inline int cpu_has_svm(const char **msg)
+               return 0;
+       }
+-      if (boot_cpu_data.extended_cpuid_level < SVM_CPUID_FUNC) {
+-              if (msg)
+-                      *msg = "can't execute cpuid_8000000a";
+-              return 0;
+-      }
+-
+       if (!boot_cpu_has(X86_FEATURE_SVM)) {
+               if (msg)
+                       *msg = "svm not available";
+-- 
+2.40.1
+
diff --git a/queue-6.1/xsk-fix-xsk_diag-use-after-free-error-during-socket-.patch b/queue-6.1/xsk-fix-xsk_diag-use-after-free-error-during-socket-.patch
new file mode 100644 (file)
index 0000000..0ef4f65
--- /dev/null
@@ -0,0 +1,58 @@
+From e0ac72c29d88944eaa5cbeb0af3cd005a439eae5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 12:01:17 +0200
+Subject: xsk: Fix xsk_diag use-after-free error during socket cleanup
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+[ Upstream commit 3e019d8a05a38abb5c85d4f1e85fda964610aa14 ]
+
+Fix a use-after-free error that is possible if the xsk_diag interface
+is used after the socket has been unbound from the device. This can
+happen either due to the socket being closed or the device
+disappearing. In the early days of AF_XDP, the way we tested that a
+socket was not bound to a device was to simply check if the netdevice
+pointer in the xsk socket structure was NULL. Later, a better system
+was introduced by having an explicit state variable in the xsk socket
+struct. For example, the state of a socket that is on the way to being
+closed and has been unbound from the device is XSK_UNBOUND.
+
+The commit in the Fixes tag below deleted the old way of signalling
+that a socket is unbound, setting dev to NULL. This in the belief that
+all code using the old way had been exterminated. That was
+unfortunately not true as the xsk diagnostics code was still using the
+old way and thus does not work as intended when a socket is going
+down. Fix this by introducing a test against the state variable. If
+the socket is in the state XSK_UNBOUND, simply abort the diagnostic's
+netlink operation.
+
+Fixes: 18b1ab7aa76b ("xsk: Fix race at socket teardown")
+Reported-by: syzbot+822d1359297e2694f873@syzkaller.appspotmail.com
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: syzbot+822d1359297e2694f873@syzkaller.appspotmail.com
+Tested-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://lore.kernel.org/bpf/20230831100119.17408-1-magnus.karlsson@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xsk_diag.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/xdp/xsk_diag.c b/net/xdp/xsk_diag.c
+index c014217f5fa7d..22b36c8143cfd 100644
+--- a/net/xdp/xsk_diag.c
++++ b/net/xdp/xsk_diag.c
+@@ -111,6 +111,9 @@ static int xsk_diag_fill(struct sock *sk, struct sk_buff *nlskb,
+       sock_diag_save_cookie(sk, msg->xdiag_cookie);
+       mutex_lock(&xs->mutex);
++      if (READ_ONCE(xs->state) == XSK_UNBOUND)
++              goto out_nlmsg_trim;
++
+       if ((req->xdiag_show & XDP_SHOW_INFO) && xsk_diag_put_info(xs, nlskb))
+               goto out_nlmsg_trim;
+-- 
+2.40.1
+
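Review bot: The new `XSK_UNBOUND` test in `xsk_diag_fill()` carries no comment explaining why the dump must stop there, and the code alone does not show it; per the commit message, the diagnostics that follow would touch state that is no longer valid once the socket is unbound. A one-line comment would keep a later cleanup from dropping the check, e.g. `/* Socket is unbound: device-related state may already be released, do not dump it. */`. The check jumps to `out_nlmsg_trim`, which lies outside the hunk, so it is worth confirming that this label releases `xs->mutex` and that the error it returns is the one intended for a socket that is merely being closed.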