--- /dev/null
+From 13965018a3d36e591267c0b19b1bfed5b7e8d43a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Feb 2023 13:01:48 +0530
+Subject: arm64: kgdb: Set PSTATE.SS to 1 to re-enable single-step
+
+From: Sumit Garg <sumit.garg@linaro.org>
+
+[ Upstream commit af6c0bd59f4f3ad5daad2f7b777954b1954551d5 ]
+
+Currently only the first attempt to single-step has any effect. After
+that all further stepping remains "stuck" at the same program counter
+value.
+
+Refer to the ARM Architecture Reference Manual (ARM DDI 0487E.a) D2.12,
+PSTATE.SS=1 should be set at each step before transferring the PE to the
+'Active-not-pending' state. The problem here is PSTATE.SS=1 is not set
+since the second single-step.
+
+After the first single-step, the PE transferes to the 'Inactive' state,
+with PSTATE.SS=0 and MDSCR.SS=1, thus PSTATE.SS won't be set to 1 due to
+kernel_active_single_step()=true. Then the PE transferes to the
+'Active-pending' state when ERET and returns to the debugger by step
+exception.
+
+Before this patch:
+==================
+Entering kdb (current=0xffff3376039f0000, pid 1) on processor 0 due to Keyboard Entry
+[0]kdb>
+
+[0]kdb>
+[0]kdb> bp write_sysrq_trigger
+Instruction(i) BP #0 at 0xffffa45c13d09290 (write_sysrq_trigger)
+ is enabled addr at ffffa45c13d09290, hardtype=0 installed=0
+
+[0]kdb> go
+$ echo h > /proc/sysrq-trigger
+
+Entering kdb (current=0xffff4f7e453f8000, pid 175) on processor 1 due to Breakpoint @ 0xffffad651a309290
+[1]kdb> ss
+
+Entering kdb (current=0xffff4f7e453f8000, pid 175) on processor 1 due to SS trap @ 0xffffad651a309294
+[1]kdb> ss
+
+Entering kdb (current=0xffff4f7e453f8000, pid 175) on processor 1 due to SS trap @ 0xffffad651a309294
+[1]kdb>
+
+After this patch:
+=================
+Entering kdb (current=0xffff6851c39f0000, pid 1) on processor 0 due to Keyboard Entry
+[0]kdb> bp write_sysrq_trigger
+Instruction(i) BP #0 at 0xffffc02d2dd09290 (write_sysrq_trigger)
+ is enabled addr at ffffc02d2dd09290, hardtype=0 installed=0
+
+[0]kdb> go
+$ echo h > /proc/sysrq-trigger
+
+Entering kdb (current=0xffff6851c53c1840, pid 174) on processor 1 due to Breakpoint @ 0xffffc02d2dd09290
+[1]kdb> ss
+
+Entering kdb (current=0xffff6851c53c1840, pid 174) on processor 1 due to SS trap @ 0xffffc02d2dd09294
+[1]kdb> ss
+
+Entering kdb (current=0xffff6851c53c1840, pid 174) on processor 1 due to SS trap @ 0xffffc02d2dd09298
+[1]kdb> ss
+
+Entering kdb (current=0xffff6851c53c1840, pid 174) on processor 1 due to SS trap @ 0xffffc02d2dd0929c
+[1]kdb>
+
+Fixes: 44679a4f142b ("arm64: KGDB: Add step debugging support")
+Co-developed-by: Wei Li <liwei391@huawei.com>
+Signed-off-by: Wei Li <liwei391@huawei.com>
+Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
+Tested-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
+Tested-by: Daniel Thompson <daniel.thompson@linaro.org>
+Link: https://lore.kernel.org/r/20230202073148.657746-3-sumit.garg@linaro.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/debug-monitors.h | 1 +
+ arch/arm64/kernel/debug-monitors.c | 5 +++++
+ arch/arm64/kernel/kgdb.c | 2 ++
+ 3 files changed, 8 insertions(+)
+
+diff --git a/arch/arm64/include/asm/debug-monitors.h b/arch/arm64/include/asm/debug-monitors.h
+index 41b065f1be88c..13630e8078ff4 100644
+--- a/arch/arm64/include/asm/debug-monitors.h
++++ b/arch/arm64/include/asm/debug-monitors.h
+@@ -125,6 +125,7 @@ void user_regs_reset_single_step(struct user_pt_regs *regs,
+ void kernel_enable_single_step(struct pt_regs *regs);
+ void kernel_disable_single_step(void);
+ int kernel_active_single_step(void);
++void kernel_rewind_single_step(struct pt_regs *regs);
+
+ #ifdef CONFIG_HAVE_HW_BREAKPOINT
+ int reinstall_suspended_bps(struct pt_regs *regs);
+diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c
+index 2ccd0a99d8b35..970ce09078873 100644
+--- a/arch/arm64/kernel/debug-monitors.c
++++ b/arch/arm64/kernel/debug-monitors.c
+@@ -434,6 +434,11 @@ int kernel_active_single_step(void)
+ }
+ NOKPROBE_SYMBOL(kernel_active_single_step);
+
++void kernel_rewind_single_step(struct pt_regs *regs)
++{
++ set_regs_spsr_ss(regs);
++}
++
+ /* ptrace API */
+ void user_enable_single_step(struct task_struct *task)
+ {
+diff --git a/arch/arm64/kernel/kgdb.c b/arch/arm64/kernel/kgdb.c
+index 7fd7a9cd86161..05790fce1a854 100644
+--- a/arch/arm64/kernel/kgdb.c
++++ b/arch/arm64/kernel/kgdb.c
+@@ -223,6 +223,8 @@ int kgdb_arch_handle_exception(int exception_vector, int signo,
+ */
+ if (!kernel_active_single_step())
+ kernel_enable_single_step(linux_regs);
++ else
++ kernel_rewind_single_step(linux_regs);
+ err = 0;
+ break;
+ default:
+--
+2.39.2
+
--- /dev/null
+From a2747c15f76e822d8cd7cdc21b57840fe5b28b49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Jan 2023 09:32:27 +0100
+Subject: clk: add missing of_node_put() in "assigned-clocks" property parsing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Léger <clement.leger@bootlin.com>
+
+[ Upstream commit 27a6e1b09a782517fddac91259970ac466a3f7b6 ]
+
+When returning from of_parse_phandle_with_args(), the np member of the
+of_phandle_args structure should be put after usage. Add missing
+of_node_put() calls in both __set_clk_parents() and __set_clk_rates().
+
+Fixes: 86be408bfbd8 ("clk: Support for clock parents and rates assigned from device tree")
+Signed-off-by: Clément Léger <clement.leger@bootlin.com>
+Link: https://lore.kernel.org/r/20230131083227.10990-1-clement.leger@bootlin.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-conf.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/clk-conf.c b/drivers/clk/clk-conf.c
+index 49819b546134b..5c6760e45a16e 100644
+--- a/drivers/clk/clk-conf.c
++++ b/drivers/clk/clk-conf.c
+@@ -36,9 +36,12 @@ static int __set_clk_parents(struct device_node *node, bool clk_supplier)
+ else
+ return rc;
+ }
+- if (clkspec.np == node && !clk_supplier)
++ if (clkspec.np == node && !clk_supplier) {
++ of_node_put(clkspec.np);
+ return 0;
++ }
+ pclk = of_clk_get_from_provider(&clkspec);
++ of_node_put(clkspec.np);
+ if (IS_ERR(pclk)) {
+ if (PTR_ERR(pclk) != -EPROBE_DEFER)
+ pr_warn("clk: couldn't get parent clock %d for %pOF\n",
+@@ -51,10 +54,12 @@ static int __set_clk_parents(struct device_node *node, bool clk_supplier)
+ if (rc < 0)
+ goto err;
+ if (clkspec.np == node && !clk_supplier) {
++ of_node_put(clkspec.np);
+ rc = 0;
+ goto err;
+ }
+ clk = of_clk_get_from_provider(&clkspec);
++ of_node_put(clkspec.np);
+ if (IS_ERR(clk)) {
+ if (PTR_ERR(clk) != -EPROBE_DEFER)
+ pr_warn("clk: couldn't get assigned clock %d for %pOF\n",
+@@ -96,10 +101,13 @@ static int __set_clk_rates(struct device_node *node, bool clk_supplier)
+ else
+ return rc;
+ }
+- if (clkspec.np == node && !clk_supplier)
++ if (clkspec.np == node && !clk_supplier) {
++ of_node_put(clkspec.np);
+ return 0;
++ }
+
+ clk = of_clk_get_from_provider(&clkspec);
++ of_node_put(clkspec.np);
+ if (IS_ERR(clk)) {
+ if (PTR_ERR(clk) != -EPROBE_DEFER)
+ pr_warn("clk: couldn't get clock %d for %pOF\n",
+--
+2.39.2
+
--- /dev/null
+From e5cfeb89c1e3dbfe6fb9df60550a2726561f7098 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Feb 2023 17:18:25 +0200
+Subject: dmaengine: at_xdmac: do not enable all cyclic channels
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+[ Upstream commit f8435befd81dd85b7b610598551fadf675849bc1 ]
+
+Do not global enable all the cyclic channels in at_xdmac_resume(). Instead
+save the global status in at_xdmac_suspend() and re-enable the cyclic
+channel only if it was active before suspend.
+
+Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20230214151827.1050280-6-claudiu.beznea@microchip.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/at_xdmac.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
+index c8dd0eef0b67b..3f9f1d6e3b501 100644
+--- a/drivers/dma/at_xdmac.c
++++ b/drivers/dma/at_xdmac.c
+@@ -223,6 +223,7 @@ struct at_xdmac {
+ int irq;
+ struct clk *clk;
+ u32 save_gim;
++ u32 save_gs;
+ struct dma_pool *at_xdmac_desc_pool;
+ struct at_xdmac_chan chan[0];
+ };
+@@ -1880,6 +1881,7 @@ static int atmel_xdmac_suspend(struct device *dev)
+ }
+ }
+ atxdmac->save_gim = at_xdmac_read(atxdmac, AT_XDMAC_GIM);
++ atxdmac->save_gs = at_xdmac_read(atxdmac, AT_XDMAC_GS);
+
+ at_xdmac_off(atxdmac);
+ clk_disable_unprepare(atxdmac->clk);
+@@ -1917,7 +1919,8 @@ static int atmel_xdmac_resume(struct device *dev)
+ at_xdmac_chan_write(atchan, AT_XDMAC_CNDC, atchan->save_cndc);
+ at_xdmac_chan_write(atchan, AT_XDMAC_CIE, atchan->save_cim);
+ wmb();
+- at_xdmac_write(atxdmac, AT_XDMAC_GE, atchan->mask);
++ if (atxdmac->save_gs & atchan->mask)
++ at_xdmac_write(atxdmac, AT_XDMAC_GE, atchan->mask);
+ }
+ }
+ return 0;
+--
+2.39.2
+
--- /dev/null
+From a6decf2ef1a9f4fe277af20d026d7e38a158ff83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jan 2023 16:40:52 +0100
+Subject: drm/probe-helper: Cancel previous job before starting new one
+
+From: Dom Cobley <popcornmix@gmail.com>
+
+[ Upstream commit a8e47884f1906cd7440fafa056adc8817568e73e ]
+
+Currently we schedule a call to output_poll_execute from
+drm_kms_helper_poll_enable for 10s in future. Later we try to replace
+that in drm_helper_probe_single_connector_modes with a 0s schedule with
+delayed_event set.
+
+But as there is already a job in the queue this fails, and the immediate
+job we wanted with delayed_event set doesn't occur until 10s later.
+
+And that call acts as if connector state has changed, reprobing modes.
+This has a side effect of waking up a display that has been blanked.
+
+Make sure we cancel the old job before submitting the immediate one.
+
+Fixes: 162b6a57ac50 ("drm/probe-helper: don't lose hotplug event")
+Acked-by: Daniel Vetter <daniel@ffwll.ch>
+Signed-off-by: Dom Cobley <popcornmix@gmail.com>
+[Maxime: Switched to mod_delayed_work]
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230127154052.452524-1-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_probe_helper.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_probe_helper.c b/drivers/gpu/drm/drm_probe_helper.c
+index adbabf16c07b2..f76eced3ff94f 100644
+--- a/drivers/gpu/drm/drm_probe_helper.c
++++ b/drivers/gpu/drm/drm_probe_helper.c
+@@ -465,8 +465,9 @@ int drm_helper_probe_single_connector_modes(struct drm_connector *connector,
+ */
+ dev->mode_config.delayed_event = true;
+ if (dev->mode_config.poll_enabled)
+- schedule_delayed_work(&dev->mode_config.output_poll_work,
+- 0);
++ mod_delayed_work(system_wq,
++ &dev->mode_config.output_poll_work,
++ 0);
+ }
+
+ /* Re-enable polling in case the global poll config changed. */
+--
+2.39.2
+
--- /dev/null
+From 40ff9076d565210667b6623d2189c99e497bd5c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jan 2023 15:17:34 -0800
+Subject: drm/rockchip: Drop unbalanced obj unref
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit 8ee3b0e85f6ccd9e6c527bc50eaba774c3bb18d0 ]
+
+In the error path, rockchip_drm_gem_object_mmap() is dropping an obj
+reference that it doesn't own.
+
+Fixes: 41315b793e13 ("drm/rockchip: use drm_gem_mmap helpers")
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230119231734.2884543-1-robdclark@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
+index bde65186a3c37..8ba3a682dd9ad 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
+@@ -268,9 +268,6 @@ static int rockchip_drm_gem_object_mmap(struct drm_gem_object *obj,
+ else
+ ret = rockchip_drm_gem_object_mmap_dma(obj, vma);
+
+- if (ret)
+- drm_gem_vm_close(vma);
+-
+ return ret;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 327c2e7add5ea238440c59cac4e1b77b09de4747 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Feb 2023 09:55:17 -0300
+Subject: drm/vgem: add missing mutex_destroy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit 7c18189b14b33c1fbf76480b1bd217877c086e67 ]
+
+vgem_fence_open() instantiates a mutex for a particular fence
+instance, but never destroys it by calling mutex_destroy() in
+vgem_fence_close().
+
+So, add the missing mutex_destroy() to guarantee proper resource
+destruction.
+
+Fixes: 407779848445 ("drm/vgem: Attach sw fences to exported vGEM dma-buf (ioctl)")
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Reviewed-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
+Signed-off-by: Maíra Canal <mairacanal@riseup.net>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230202125517.427976-1-mcanal@igalia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vgem/vgem_fence.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vgem/vgem_fence.c b/drivers/gpu/drm/vgem/vgem_fence.c
+index 8fd52f211e9d9..673db9bf3c5d1 100644
+--- a/drivers/gpu/drm/vgem/vgem_fence.c
++++ b/drivers/gpu/drm/vgem/vgem_fence.c
+@@ -280,4 +280,5 @@ void vgem_fence_close(struct vgem_file *vfile)
+ {
+ idr_for_each(&vfile->fence_idr, __vgem_fence_idr_fini, vfile);
+ idr_destroy(&vfile->fence_idr);
++ mutex_destroy(&vfile->fence_mutex);
+ }
+--
+2.39.2
+
--- /dev/null
+From 6ccf44ca995c95e89139dd46894b4871f253d71f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Feb 2023 19:42:58 -0800
+Subject: ia64: mm/contig: fix section mismatch warning/error
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 58deeb4ef3b054498747d0929d94ac53ab90981f ]
+
+alloc_per_cpu_data() is called by find_memory(), which is marked as
+__init. Therefore alloc_per_cpu_data() can also be marked as __init to
+remedy this modpost problem.
+
+WARNING: modpost: vmlinux.o: section mismatch in reference: alloc_per_cpu_data (section: .text) -> memblock_alloc_try_nid (section: .init.text)
+
+Link: https://lkml.kernel.org/r/20230223034258.12917-1-rdunlap@infradead.org
+Fixes: 4b9ddc7cf272 ("[IA64] Fix section mismatch in contig.c version of per_cpu_init()")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/ia64/mm/contig.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/ia64/mm/contig.c b/arch/ia64/mm/contig.c
+index 52715a71aede0..179d354e02321 100644
+--- a/arch/ia64/mm/contig.c
++++ b/arch/ia64/mm/contig.c
+@@ -129,7 +129,7 @@ void *per_cpu_init(void)
+ return __per_cpu_start + __per_cpu_offset[smp_processor_id()];
+ }
+
+-static inline void
++static inline __init void
+ alloc_per_cpu_data(void)
+ {
+ cpu_data = __alloc_bootmem(PERCPU_PAGE_SIZE * num_possible_cpus(),
+--
+2.39.2
+
--- /dev/null
+From 24f9a331973157057815ff57eb5a57b280b228d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Apr 2023 12:52:39 -0400
+Subject: IB/hfi1: Fix SDMA mmu_rb_node not being evicted in LRU order
+
+From: Patrick Kelsey <pat.kelsey@cornelisnetworks.com>
+
+[ Upstream commit 9fe8fec5e43d5a80f43cbf61aaada1b047a1eb61 ]
+
+hfi1_mmu_rb_remove_unless_exact() did not move mmu_rb_node objects in
+mmu_rb_handler->lru_list after getting a cache hit on an mmu_rb_node.
+
+As a result, hfi1_mmu_rb_evict() was not guaranteed to evict truly
+least-recently used nodes.
+
+This could be a performance issue for an application when that
+application:
+- Uses some long-lived buffers frequently.
+- Uses a large number of buffers once.
+- Hits the mmu_rb_handler cache size or pinned-page limits, forcing
+ mmu_rb_handler cache entries to be evicted.
+
+In this case, the one-time use buffers cause the long-lived buffer
+entries to eventually filter to the end of the LRU list where
+hfi1_mmu_rb_evict() will consider evicting a frequently-used long-lived
+entry instead of evicting one of the one-time use entries.
+
+Fix this by inserting new mmu_rb_node at the tail of
+mmu_rb_handler->lru_list and move mmu_rb_ndoe to the tail of
+mmu_rb_handler->lru_list when the mmu_rb_node is a hit in
+hfi1_mmu_rb_remove_unless_exact(). Change hfi1_mmu_rb_evict() to evict
+from the head of mmu_rb_handler->lru_list instead of the tail.
+
+Fixes: 0636e9ab8355 ("IB/hfi1: Add cache evict LRU list")
+Signed-off-by: Brendan Cunningham <bcunningham@cornelisnetworks.com>
+Signed-off-by: Patrick Kelsey <pat.kelsey@cornelisnetworks.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
+Link: https://lore.kernel.org/r/168088635931.3027109.10423156330761536044.stgit@252.162.96.66.static.eigbox.net
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/mmu_rb.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/mmu_rb.c b/drivers/infiniband/hw/hfi1/mmu_rb.c
+index 175002c046ede..42eddaf3a9947 100644
+--- a/drivers/infiniband/hw/hfi1/mmu_rb.c
++++ b/drivers/infiniband/hw/hfi1/mmu_rb.c
+@@ -177,7 +177,7 @@ int hfi1_mmu_rb_insert(struct mmu_rb_handler *handler,
+ goto unlock;
+ }
+ __mmu_int_rb_insert(mnode, &handler->root);
+- list_add(&mnode->list, &handler->lru_list);
++ list_add_tail(&mnode->list, &handler->lru_list);
+
+ ret = handler->ops->insert(handler->ops_arg, mnode);
+ if (ret) {
+@@ -224,8 +224,10 @@ bool hfi1_mmu_rb_remove_unless_exact(struct mmu_rb_handler *handler,
+ spin_lock_irqsave(&handler->lock, flags);
+ node = __mmu_rb_search(handler, addr, len);
+ if (node) {
+- if (node->addr == addr && node->len == len)
++ if (node->addr == addr && node->len == len) {
++ list_move_tail(&node->list, &handler->lru_list);
+ goto unlock;
++ }
+ __mmu_int_rb_remove(node, &handler->root);
+ list_del(&node->list); /* remove from LRU list */
+ ret = true;
+@@ -246,8 +248,7 @@ void hfi1_mmu_rb_evict(struct mmu_rb_handler *handler, void *evict_arg)
+ INIT_LIST_HEAD(&del_list);
+
+ spin_lock_irqsave(&handler->lock, flags);
+- list_for_each_entry_safe_reverse(rbnode, ptr, &handler->lru_list,
+- list) {
++ list_for_each_entry_safe(rbnode, ptr, &handler->lru_list, list) {
+ if (handler->ops->evict(handler->ops_arg, rbnode, evict_arg,
+ &stop)) {
+ __mmu_int_rb_remove(rbnode, &handler->root);
+@@ -259,9 +260,7 @@ void hfi1_mmu_rb_evict(struct mmu_rb_handler *handler, void *evict_arg)
+ }
+ spin_unlock_irqrestore(&handler->lock, flags);
+
+- while (!list_empty(&del_list)) {
+- rbnode = list_first_entry(&del_list, struct mmu_rb_node, list);
+- list_del(&rbnode->list);
++ list_for_each_entry_safe(rbnode, ptr, &del_list, list) {
+ handler->ops->remove(handler->ops_arg, rbnode);
+ }
+ }
+--
+2.39.2
+
--- /dev/null
+From 6ae8799207199cef02c26701b0e97b413ac32976 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Apr 2023 20:40:35 +0800
+Subject: ipv4: Fix potential uninit variable access bug in __ip_make_skb()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 99e5acae193e369b71217efe6f1dad42f3f18815 ]
+
+Like commit ea30388baebc ("ipv6: Fix an uninit variable access bug in
+__ip6_make_skb()"). icmphdr does not in skb linear region under the
+scenario of SOCK_RAW socket. Access icmp_hdr(skb)->type directly will
+trigger the uninit variable access bug.
+
+Use a local variable icmp_type to carry the correct value in different
+scenarios.
+
+Fixes: 96793b482540 ("[IPV4]: Add ICMPMsgStats MIB (RFC 4293)")
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_output.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index aab18ab49e3b9..c5c9dc0f41cbc 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1415,9 +1415,19 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
+ cork->dst = NULL;
+ skb_dst_set(skb, &rt->dst);
+
+- if (iph->protocol == IPPROTO_ICMP)
+- icmp_out_count(net, ((struct icmphdr *)
+- skb_transport_header(skb))->type);
++ if (iph->protocol == IPPROTO_ICMP) {
++ u8 icmp_type;
++
++ /* For such sockets, transhdrlen is zero when do ip_append_data(),
++ * so icmphdr does not in skb linear region and can not get icmp_type
++ * by icmp_hdr(skb)->type.
++ */
++ if (sk->sk_type == SOCK_RAW && !inet_sk(sk)->hdrincl)
++ icmp_type = fl4->fl4_icmp_type;
++ else
++ icmp_type = icmp_hdr(skb)->type;
++ icmp_out_count(net, icmp_type);
++ }
+
+ ip_cork_release(cork);
+ out:
+--
+2.39.2
+
--- /dev/null
+From c9b9a2de51c34da076236e8456a01e4bd7cff815 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Apr 2023 19:12:22 +0000
+Subject: ixgbe: Allow flow hash to be set via ethtool
+
+From: Joe Damato <jdamato@fastly.com>
+
+[ Upstream commit 4f3ed1293feb9502dc254b05802faf1ad3317ac6 ]
+
+ixgbe currently returns `EINVAL` whenever the flowhash it set by ethtool
+because the ethtool code in the kernel passes a non-zero value for hfunc
+that ixgbe should allow.
+
+When ethtool is called with `ETHTOOL_SRXFHINDIR`,
+`ethtool_set_rxfh_indir` will call ixgbe's set_rxfh function
+with `ETH_RSS_HASH_NO_CHANGE`. This value should be accepted.
+
+When ethtool is called with `ETHTOOL_SRSSH`, `ethtool_set_rxfh` will
+call ixgbe's set_rxfh function with `rxfh.hfunc`, which appears to be
+hardcoded in ixgbe to always be `ETH_RSS_HASH_TOP`. This value should
+also be accepted.
+
+Before this patch:
+
+$ sudo ethtool -L eth1 combined 10
+$ sudo ethtool -X eth1 default
+Cannot set RX flow hash configuration: Invalid argument
+
+After this patch:
+
+$ sudo ethtool -L eth1 combined 10
+$ sudo ethtool -X eth1 default
+$ sudo ethtool -x eth1
+RX flow hash indirection table for eth1 with 10 RX ring(s):
+ 0: 0 1 2 3 4 5 6 7
+ 8: 8 9 0 1 2 3 4 5
+ 16: 6 7 8 9 0 1 2 3
+ 24: 4 5 6 7 8 9 0 1
+ ...
+
+Fixes: 1c7cf0784e4d ("ixgbe: support for ethtool set_rxfh")
+Signed-off-by: Joe Damato <jdamato@fastly.com>
+Reviewed-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+index f7e68083200cf..4bfa9ba8201b1 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+@@ -3020,8 +3020,8 @@ static int ixgbe_set_rxfh(struct net_device *netdev, const u32 *indir,
+ int i;
+ u32 reta_entries = ixgbe_rss_indir_tbl_entries(adapter);
+
+- if (hfunc)
+- return -EINVAL;
++ if (hfunc != ETH_RSS_HASH_NO_CHANGE && hfunc != ETH_RSS_HASH_TOP)
++ return -EOPNOTSUPP;
+
+ /* Fill out the redirection table */
+ if (indir) {
+--
+2.39.2
+
--- /dev/null
+From 3440a3b907e9f5c98f7cd13738e3537767e9d047 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Apr 2023 19:12:23 +0000
+Subject: ixgbe: Enable setting RSS table to default values
+
+From: Joe Damato <jdamato@fastly.com>
+
+[ Upstream commit e85d3d55875f7a1079edfbc4e4e98d6f8aea9ac7 ]
+
+ethtool uses `ETHTOOL_GRXRINGS` to compute how many queues are supported
+by RSS. The driver should return the smaller of either:
+ - The maximum number of RSS queues the device supports, OR
+ - The number of RX queues configured
+
+Prior to this change, running `ethtool -X $iface default` fails if the
+number of queues configured is larger than the number supported by RSS,
+even though changing the queue count correctly resets the flowhash to
+use all supported queues.
+
+Other drivers (for example, i40e) will succeed but the flow hash will
+reset to support the maximum number of queues supported by RSS, even if
+that amount is smaller than the configured amount.
+
+Prior to this change:
+
+$ sudo ethtool -L eth1 combined 20
+$ sudo ethtool -x eth1
+RX flow hash indirection table for eth1 with 20 RX ring(s):
+ 0: 0 1 2 3 4 5 6 7
+ 8: 8 9 10 11 12 13 14 15
+ 16: 0 1 2 3 4 5 6 7
+ 24: 8 9 10 11 12 13 14 15
+ 32: 0 1 2 3 4 5 6 7
+...
+
+You can see that the flowhash was correctly set to use the maximum
+number of queues supported by the driver (16).
+
+However, asking the NIC to reset to "default" fails:
+
+$ sudo ethtool -X eth1 default
+Cannot set RX flow hash configuration: Invalid argument
+
+After this change, the flowhash can be reset to default which will use
+all of the available RSS queues (16) or the configured queue count,
+whichever is smaller.
+
+Starting with eth1 which has 10 queues and a flowhash distributing to
+all 10 queues:
+
+$ sudo ethtool -x eth1
+RX flow hash indirection table for eth1 with 10 RX ring(s):
+ 0: 0 1 2 3 4 5 6 7
+ 8: 8 9 0 1 2 3 4 5
+ 16: 6 7 8 9 0 1 2 3
+...
+
+Increasing the queue count to 48 resets the flowhash to distribute to 16
+queues, as it did before this patch:
+
+$ sudo ethtool -L eth1 combined 48
+$ sudo ethtool -x eth1
+RX flow hash indirection table for eth1 with 16 RX ring(s):
+ 0: 0 1 2 3 4 5 6 7
+ 8: 8 9 10 11 12 13 14 15
+ 16: 0 1 2 3 4 5 6 7
+...
+
+Due to the other bugfix in this series, the flowhash can be set to use
+queues 0-5:
+
+$ sudo ethtool -X eth1 equal 5
+$ sudo ethtool -x eth1
+RX flow hash indirection table for eth1 with 16 RX ring(s):
+ 0: 0 1 2 3 4 0 1 2
+ 8: 3 4 0 1 2 3 4 0
+ 16: 1 2 3 4 0 1 2 3
+...
+
+Due to this bugfix, the flowhash can be reset to default and use 16
+queues:
+
+$ sudo ethtool -X eth1 default
+$ sudo ethtool -x eth1
+RX flow hash indirection table for eth1 with 16 RX ring(s):
+ 0: 0 1 2 3 4 5 6 7
+ 8: 8 9 10 11 12 13 14 15
+ 16: 0 1 2 3 4 5 6 7
+...
+
+Fixes: 91cd94bfe4f0 ("ixgbe: add basic support for setting and getting nfc controls")
+Signed-off-by: Joe Damato <jdamato@fastly.com>
+Reviewed-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+index 4bfa9ba8201b1..55b2b6eaae2bf 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+@@ -2554,6 +2554,14 @@ static int ixgbe_get_rss_hash_opts(struct ixgbe_adapter *adapter,
+ return 0;
+ }
+
++static int ixgbe_rss_indir_tbl_max(struct ixgbe_adapter *adapter)
++{
++ if (adapter->hw.mac.type < ixgbe_mac_X550)
++ return 16;
++ else
++ return 64;
++}
++
+ static int ixgbe_get_rxnfc(struct net_device *dev, struct ethtool_rxnfc *cmd,
+ u32 *rule_locs)
+ {
+@@ -2562,7 +2570,8 @@ static int ixgbe_get_rxnfc(struct net_device *dev, struct ethtool_rxnfc *cmd,
+
+ switch (cmd->cmd) {
+ case ETHTOOL_GRXRINGS:
+- cmd->data = adapter->num_rx_queues;
++ cmd->data = min_t(int, adapter->num_rx_queues,
++ ixgbe_rss_indir_tbl_max(adapter));
+ ret = 0;
+ break;
+ case ETHTOOL_GRXCLSRLCNT:
+@@ -2964,14 +2973,6 @@ static int ixgbe_set_rxnfc(struct net_device *dev, struct ethtool_rxnfc *cmd)
+ return ret;
+ }
+
+-static int ixgbe_rss_indir_tbl_max(struct ixgbe_adapter *adapter)
+-{
+- if (adapter->hw.mac.type < ixgbe_mac_X550)
+- return 16;
+- else
+- return 64;
+-}
+-
+ static u32 ixgbe_get_rxfh_key_size(struct net_device *netdev)
+ {
+ return IXGBE_RSS_KEY_SIZE;
+--
+2.39.2
+
--- /dev/null
+From 7b99eb01a044e841da073f8636a0eb033330c74b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Mar 2023 19:15:29 -0700
+Subject: linux/vt_buffer.h: allow either builtin or modular for macros
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 2b76ffe81e32afd6d318dc4547e2ba8c46207b77 ]
+
+Fix build errors on ARCH=alpha when CONFIG_MDA_CONSOLE=m.
+This allows the ARCH macros to be the only ones defined.
+
+In file included from ../drivers/video/console/mdacon.c:37:
+../arch/alpha/include/asm/vga.h:17:40: error: expected identifier or '(' before 'volatile'
+ 17 | static inline void scr_writew(u16 val, volatile u16 *addr)
+ | ^~~~~~~~
+../include/linux/vt_buffer.h:24:34: note: in definition of macro 'scr_writew'
+ 24 | #define scr_writew(val, addr) (*(addr) = (val))
+ | ^~~~
+../include/linux/vt_buffer.h:24:40: error: expected ')' before '=' token
+ 24 | #define scr_writew(val, addr) (*(addr) = (val))
+ | ^
+../arch/alpha/include/asm/vga.h:17:20: note: in expansion of macro 'scr_writew'
+ 17 | static inline void scr_writew(u16 val, volatile u16 *addr)
+ | ^~~~~~~~~~
+../arch/alpha/include/asm/vga.h:25:29: error: expected identifier or '(' before 'volatile'
+ 25 | static inline u16 scr_readw(volatile const u16 *addr)
+ | ^~~~~~~~
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jiri Slaby <jirislaby@kernel.org>
+Cc: dri-devel@lists.freedesktop.org
+Cc: linux-fbdev@vger.kernel.org
+Link: https://lore.kernel.org/r/20230329021529.16188-1-rdunlap@infradead.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/vt_buffer.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/vt_buffer.h b/include/linux/vt_buffer.h
+index 848db1b1569ff..919d999a8c1db 100644
+--- a/include/linux/vt_buffer.h
++++ b/include/linux/vt_buffer.h
+@@ -16,7 +16,7 @@
+
+ #include <linux/string.h>
+
+-#if defined(CONFIG_VGA_CONSOLE) || defined(CONFIG_MDA_CONSOLE)
++#if IS_ENABLED(CONFIG_VGA_CONSOLE) || IS_ENABLED(CONFIG_MDA_CONSOLE)
+ #include <asm/vga.h>
+ #endif
+
+--
+2.39.2
+
--- /dev/null
+From f9edf72a195ff502030d0ea75f19c1df86ee0d55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Feb 2023 17:42:41 -0800
+Subject: macintosh: via-pmu-led: requires ATA to be set
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 05dce4ba125336875cd3eed3c1503fa81cd2f691 ]
+
+LEDS_TRIGGER_DISK depends on ATA, so selecting LEDS_TRIGGER_DISK
+when ATA is not set/enabled causes a Kconfig warning:
+
+WARNING: unmet direct dependencies detected for LEDS_TRIGGER_DISK
+ Depends on [n]: NEW_LEDS [=y] && LEDS_TRIGGERS [=y] && ATA [=n]
+ Selected by [y]:
+ - ADB_PMU_LED_DISK [=y] && MACINTOSH_DRIVERS [=y] && ADB_PMU_LED [=y] && LEDS_CLASS [=y]
+
+Fix this by making ADB_PMU_LED_DISK depend on ATA.
+
+Seen on both PPC32 and PPC64.
+
+Fixes: 0e865a80c135 ("macintosh: Remove dependency on IDE_GD_ATA if ADB_PMU_LED_DISK is selected")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230223014241.20878-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/macintosh/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/macintosh/Kconfig b/drivers/macintosh/Kconfig
+index 5e47d91da5193..aa42a41ba4389 100644
+--- a/drivers/macintosh/Kconfig
++++ b/drivers/macintosh/Kconfig
+@@ -94,6 +94,7 @@ config ADB_PMU_LED
+
+ config ADB_PMU_LED_DISK
+ bool "Use front LED as DISK LED by default"
++ depends on ATA
+ depends on ADB_PMU_LED
+ depends on LEDS_CLASS
+ select LEDS_TRIGGERS
+--
+2.39.2
+
--- /dev/null
+From 78fd33913cf92eac8013d7606c7b449ad12875a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Mar 2023 11:35:58 +0800
+Subject: macintosh/windfarm_smu_sat: Add missing of_node_put()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit 631cf002826007ab7415258ee647dcaf8845ad5a ]
+
+We call of_node_get() in wf_sat_probe() after sat is created,
+so we need the of_node_put() before *kfree(sat)*.
+
+Fixes: ac171c46667c ("[PATCH] powerpc: Thermal control for dual core G5s")
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230330033558.2562778-1-windhl@126.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/macintosh/windfarm_smu_sat.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/macintosh/windfarm_smu_sat.c b/drivers/macintosh/windfarm_smu_sat.c
+index a0f61eb853c55..644e123510c52 100644
+--- a/drivers/macintosh/windfarm_smu_sat.c
++++ b/drivers/macintosh/windfarm_smu_sat.c
+@@ -172,6 +172,7 @@ static void wf_sat_release(struct kref *ref)
+
+ if (sat->nr >= 0)
+ sats[sat->nr] = NULL;
++ of_node_put(sat->node);
+ kfree(sat);
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 4d78ceab23a3e2c044c126adf2925858ff184030 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Mar 2023 15:38:53 +0800
+Subject: md/raid10: fix leak of 'r10bio->remaining' for recovery
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 26208a7cffd0c7cbf14237ccd20c7270b3ffeb7e ]
+
+raid10_sync_request() will add 'r10bio->remaining' for both rdev and
+replacement rdev. However, if the read io fails, recovery_request_write()
+returns without issuing the write io, in this case, end_sync_request()
+is only called once and 'remaining' is leaked, cause an io hang.
+
+Fix the problem by decreasing 'remaining' according to if 'bio' and
+'repl_bio' is valid.
+
+Fixes: 24afd80d99f8 ("md/raid10: handle recovery of replacement devices.")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20230310073855.1337560-5-yukuai1@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid10.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
+index 3ad0a1460eb77..95c3a21cd7335 100644
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -2234,11 +2234,22 @@ static void recovery_request_write(struct mddev *mddev, struct r10bio *r10_bio)
+ {
+ struct r10conf *conf = mddev->private;
+ int d;
+- struct bio *wbio, *wbio2;
++ struct bio *wbio = r10_bio->devs[1].bio;
++ struct bio *wbio2 = r10_bio->devs[1].repl_bio;
++
++ /* Need to test wbio2->bi_end_io before we call
++ * generic_make_request as if the former is NULL,
++ * the latter is free to free wbio2.
++ */
++ if (wbio2 && !wbio2->bi_end_io)
++ wbio2 = NULL;
+
+ if (!test_bit(R10BIO_Uptodate, &r10_bio->state)) {
+ fix_recovery_read_error(r10_bio);
+- end_sync_request(r10_bio);
++ if (wbio->bi_end_io)
++ end_sync_request(r10_bio);
++ if (wbio2)
++ end_sync_request(r10_bio);
+ return;
+ }
+
+@@ -2247,14 +2258,6 @@ static void recovery_request_write(struct mddev *mddev, struct r10bio *r10_bio)
+ * and submit the write request
+ */
+ d = r10_bio->devs[1].devnum;
+- wbio = r10_bio->devs[1].bio;
+- wbio2 = r10_bio->devs[1].repl_bio;
+- /* Need to test wbio2->bi_end_io before we call
+- * generic_make_request as if the former is NULL,
+- * the latter is free to free wbio2.
+- */
+- if (wbio2 && !wbio2->bi_end_io)
+- wbio2 = NULL;
+ if (wbio->bi_end_io) {
+ atomic_inc(&conf->mirrors[d].rdev->nr_pending);
+ md_sync_acct(conf->mirrors[d].rdev->bdev, bio_sectors(wbio));
+--
+2.39.2
+
--- /dev/null
+From 115a6ca458cf1a9c55764a1b23b572d9affa3cf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 11:00:23 +0100
+Subject: media: av7110: prevent underflow in write_ts_to_decoder()
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit eed9496a0501357aa326ddd6b71408189ed872eb ]
+
+The buf[4] value comes from the user via ts_play(). It is a value in
+the u8 range. The final length we pass to av7110_ipack_instant_repack()
+is "len - (buf[4] + 1) - 4" so add a check to ensure that the length is
+not negative. It's not clear that passing a negative len value does
+anything bad necessarily, but it's not best practice.
+
+With the new bounds checking the "if (!len)" condition is no longer
+possible or required so remove that.
+
+Fixes: fd46d16d602a ("V4L/DVB (11759): dvb-ttpci: Add TS replay capability")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/ttpci/av7110_av.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/pci/ttpci/av7110_av.c b/drivers/media/pci/ttpci/av7110_av.c
+index 2aa4ba675194e..43b780aadf5fe 100644
+--- a/drivers/media/pci/ttpci/av7110_av.c
++++ b/drivers/media/pci/ttpci/av7110_av.c
+@@ -836,10 +836,10 @@ static int write_ts_to_decoder(struct av7110 *av7110, int type, const u8 *buf, s
+ av7110_ipack_flush(ipack);
+
+ if (buf[3] & ADAPT_FIELD) {
++ if (buf[4] > len - 1 - 4)
++ return 0;
+ len -= buf[4] + 1;
+ buf += buf[4] + 1;
+- if (!len)
+- return 0;
+ }
+
+ av7110_ipack_instant_repack(buf + 4, len - 4, ipack);
+--
+2.39.2
+
--- /dev/null
+From cf9fd04dc5c1210c5d4f00f0516ad0e3d7caa435 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Feb 2023 08:14:42 +0100
+Subject: media: bdisp: Add missing check for create_workqueue
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 2371adeab717d8fe32144a84f3491a03c5838cfb ]
+
+Add the check for the return value of the create_workqueue
+in order to avoid NULL pointer dereference.
+
+Fixes: 28ffeebbb7bd ("[media] bdisp: 2D blitter driver using v4l2 mem2mem framework")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sti/bdisp/bdisp-v4l2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
+index 79de7d413cf5e..d7432e0e3e6e1 100644
+--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
++++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
+@@ -1308,6 +1308,8 @@ static int bdisp_probe(struct platform_device *pdev)
+ init_waitqueue_head(&bdisp->irq_queue);
+ INIT_DELAYED_WORK(&bdisp->timeout_work, bdisp_irq_timeout);
+ bdisp->work_queue = create_workqueue(BDISP_NAME);
++ if (!bdisp->work_queue)
++ return -ENOMEM;
+
+ spin_lock_init(&bdisp->slock);
+ mutex_init(&bdisp->lock);
+--
+2.39.2
+
--- /dev/null
+From 2fc9db5a8a57746d3a9edeac0a9160e93e770a9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Mar 2023 16:15:06 +0800
+Subject: media: dm1105: Fix use after free bug in dm1105_remove due to race
+ condition
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit 5abda7a16698d4d1f47af1168d8fa2c640116b4a ]
+
+In dm1105_probe, it called dm1105_ir_init and bound
+&dm1105->ir.work with dm1105_emit_key.
+When it handles IRQ request with dm1105_irq,
+it may call schedule_work to start the work.
+
+When we call dm1105_remove to remove the driver, there
+may be a sequence as follows:
+
+Fix it by finishing the work before cleanup in dm1105_remove
+
+CPU0 CPU1
+
+ |dm1105_emit_key
+dm1105_remove |
+ dm1105_ir_exit |
+ rc_unregister_device |
+ rc_free_device |
+ rc_dev_release |
+ kfree(dev); |
+ |
+ | rc_keydown
+ | //use
+
+Fixes: 34d2f9bf189c ("V4L/DVB: dm1105: use dm1105_dev & dev instead of dm1105dvb")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/dm1105/dm1105.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/pci/dm1105/dm1105.c b/drivers/media/pci/dm1105/dm1105.c
+index 7c3900dec3686..df08297911546 100644
+--- a/drivers/media/pci/dm1105/dm1105.c
++++ b/drivers/media/pci/dm1105/dm1105.c
+@@ -1185,6 +1185,7 @@ static void dm1105_remove(struct pci_dev *pdev)
+ struct dvb_demux *dvbdemux = &dev->demux;
+ struct dmx_demux *dmx = &dvbdemux->dmx;
+
++ cancel_work_sync(&dev->ir.work);
+ dm1105_ir_exit(dev);
+ dmx->close(dmx);
+ dvb_net_release(&dev->dvbnet);
+--
+2.39.2
+
--- /dev/null
+From fe0a60efa93b40d0b21784a9c05a99724d5af5d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 23:28:01 +0800
+Subject: net: amd: Fix link leak when verifying config failed
+
+From: Gencen Gan <gangecen@hust.edu.cn>
+
+[ Upstream commit d325c34d9e7e38d371c0a299d415e9b07f66a1fb ]
+
+After failing to verify configuration, it returns directly without
+releasing link, which may cause memory leak.
+
+Paolo Abeni thinks that the whole code of this driver is quite
+"suboptimal" and looks unmainatained since at least ~15y, so he
+suggests that we could simply remove the whole driver, please
+take it into consideration.
+
+Simon Horman suggests that the fix label should be set to
+"Linux-2.6.12-rc2" considering that the problem has existed
+since the driver was introduced and the commit above doesn't
+seem to exist in net/net-next.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Gan Gecen <gangecen@hust.edu.cn>
+Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/nmclan_cs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/amd/nmclan_cs.c b/drivers/net/ethernet/amd/nmclan_cs.c
+index 9c152d85840d7..c9d2a6f150624 100644
+--- a/drivers/net/ethernet/amd/nmclan_cs.c
++++ b/drivers/net/ethernet/amd/nmclan_cs.c
+@@ -652,7 +652,7 @@ static int nmclan_config(struct pcmcia_device *link)
+ } else {
+ pr_notice("mace id not found: %x %x should be 0x40 0x?9\n",
+ sig[0], sig[1]);
+- return -ENODEV;
++ goto failed;
+ }
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 14334e4ea438b7bad46e1c7ab8f22fca4844dd0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 01:10:08 +0000
+Subject: net/packet: convert po->auxdata to an atomic flag
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit fd53c297aa7b077ae98a3d3d2d3aa278a1686ba6 ]
+
+po->auxdata can be read while another thread
+is changing its value, potentially raising KCSAN splat.
+
+Convert it to PACKET_SOCK_AUXDATA flag.
+
+Fixes: 8dc419447415 ("[PACKET]: Add optional checksum computation for recvmsg")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 8 +++-----
+ net/packet/diag.c | 2 +-
+ net/packet/internal.h | 4 ++--
+ 3 files changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index ce6afdb50933b..8b44ad304a656 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3480,7 +3480,7 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len);
+ }
+
+- if (pkt_sk(sk)->auxdata) {
++ if (packet_sock_flag(pkt_sk(sk), PACKET_SOCK_AUXDATA)) {
+ struct tpacket_auxdata aux;
+
+ aux.tp_status = TP_STATUS_USER;
+@@ -3865,9 +3865,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+
+- lock_sock(sk);
+- po->auxdata = !!val;
+- release_sock(sk);
++ packet_sock_flag_set(po, PACKET_SOCK_AUXDATA, val);
+ return 0;
+ }
+ case PACKET_ORIGDEV:
+@@ -4009,7 +4007,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+
+ break;
+ case PACKET_AUXDATA:
+- val = po->auxdata;
++ val = packet_sock_flag(po, PACKET_SOCK_AUXDATA);
+ break;
+ case PACKET_ORIGDEV:
+ val = packet_sock_flag(po, PACKET_SOCK_ORIGDEV);
+diff --git a/net/packet/diag.c b/net/packet/diag.c
+index bf5928e5df035..d9f912ad23dfa 100644
+--- a/net/packet/diag.c
++++ b/net/packet/diag.c
+@@ -22,7 +22,7 @@ static int pdiag_put_info(const struct packet_sock *po, struct sk_buff *nlskb)
+ pinfo.pdi_flags = 0;
+ if (po->running)
+ pinfo.pdi_flags |= PDI_RUNNING;
+- if (po->auxdata)
++ if (packet_sock_flag(po, PACKET_SOCK_AUXDATA))
+ pinfo.pdi_flags |= PDI_AUXDATA;
+ if (packet_sock_flag(po, PACKET_SOCK_ORIGDEV))
+ pinfo.pdi_flags |= PDI_ORIGDEV;
+diff --git a/net/packet/internal.h b/net/packet/internal.h
+index f39dcc7608bc6..3d871cae85b8c 100644
+--- a/net/packet/internal.h
++++ b/net/packet/internal.h
+@@ -117,8 +117,7 @@ struct packet_sock {
+ struct mutex pg_vec_lock;
+ unsigned long flags;
+ unsigned int running; /* bind_lock must be held */
+- unsigned int auxdata:1, /* writer must hold sock lock */
+- has_vnet_hdr:1,
++ unsigned int has_vnet_hdr:1, /* writer must hold sock lock */
+ tp_loss:1,
+ tp_tx_has_off:1;
+ int pressure;
+@@ -144,6 +143,7 @@ static struct packet_sock *pkt_sk(struct sock *sk)
+
+ enum packet_sock_flags {
+ PACKET_SOCK_ORIGDEV,
++ PACKET_SOCK_AUXDATA,
+ };
+
+ static inline void packet_sock_flag_set(struct packet_sock *po,
+--
+2.39.2
+
--- /dev/null
+From dcf8ddc946faa69febc2a5d6d4d223ee959f4016 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 01:10:07 +0000
+Subject: net/packet: convert po->origdev to an atomic flag
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit ee5675ecdf7a4e713ed21d98a70c2871d6ebed01 ]
+
+syzbot/KCAN reported that po->origdev can be read
+while another thread is changing its value.
+
+We can avoid this splat by converting this field
+to an actual bit.
+
+Following patches will convert remaining 1bit fields.
+
+Fixes: 80feaacb8a64 ("[AF_PACKET]: Add option to return orig_dev to userspace.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 10 ++++------
+ net/packet/diag.c | 2 +-
+ net/packet/internal.h | 22 +++++++++++++++++++++-
+ 3 files changed, 26 insertions(+), 8 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 1be5fb6af0178..ce6afdb50933b 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2144,7 +2144,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
+ sll = &PACKET_SKB_CB(skb)->sa.ll;
+ sll->sll_hatype = dev->type;
+ sll->sll_pkttype = skb->pkt_type;
+- if (unlikely(po->origdev))
++ if (unlikely(packet_sock_flag(po, PACKET_SOCK_ORIGDEV)))
+ sll->sll_ifindex = orig_dev->ifindex;
+ else
+ sll->sll_ifindex = dev->ifindex;
+@@ -2410,7 +2410,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
+ sll->sll_hatype = dev->type;
+ sll->sll_protocol = skb->protocol;
+ sll->sll_pkttype = skb->pkt_type;
+- if (unlikely(po->origdev))
++ if (unlikely(packet_sock_flag(po, PACKET_SOCK_ORIGDEV)))
+ sll->sll_ifindex = orig_dev->ifindex;
+ else
+ sll->sll_ifindex = dev->ifindex;
+@@ -3879,9 +3879,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+
+- lock_sock(sk);
+- po->origdev = !!val;
+- release_sock(sk);
++ packet_sock_flag_set(po, PACKET_SOCK_ORIGDEV, val);
+ return 0;
+ }
+ case PACKET_VNET_HDR:
+@@ -4014,7 +4012,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
+ val = po->auxdata;
+ break;
+ case PACKET_ORIGDEV:
+- val = po->origdev;
++ val = packet_sock_flag(po, PACKET_SOCK_ORIGDEV);
+ break;
+ case PACKET_VNET_HDR:
+ val = po->has_vnet_hdr;
+diff --git a/net/packet/diag.c b/net/packet/diag.c
+index 7ef1c881ae741..bf5928e5df035 100644
+--- a/net/packet/diag.c
++++ b/net/packet/diag.c
+@@ -24,7 +24,7 @@ static int pdiag_put_info(const struct packet_sock *po, struct sk_buff *nlskb)
+ pinfo.pdi_flags |= PDI_RUNNING;
+ if (po->auxdata)
+ pinfo.pdi_flags |= PDI_AUXDATA;
+- if (po->origdev)
++ if (packet_sock_flag(po, PACKET_SOCK_ORIGDEV))
+ pinfo.pdi_flags |= PDI_ORIGDEV;
+ if (po->has_vnet_hdr)
+ pinfo.pdi_flags |= PDI_VNETHDR;
+diff --git a/net/packet/internal.h b/net/packet/internal.h
+index f10294800aafb..f39dcc7608bc6 100644
+--- a/net/packet/internal.h
++++ b/net/packet/internal.h
+@@ -115,9 +115,9 @@ struct packet_sock {
+ int copy_thresh;
+ spinlock_t bind_lock;
+ struct mutex pg_vec_lock;
++ unsigned long flags;
+ unsigned int running; /* bind_lock must be held */
+ unsigned int auxdata:1, /* writer must hold sock lock */
+- origdev:1,
+ has_vnet_hdr:1,
+ tp_loss:1,
+ tp_tx_has_off:1;
+@@ -142,4 +142,24 @@ static struct packet_sock *pkt_sk(struct sock *sk)
+ return (struct packet_sock *)sk;
+ }
+
++enum packet_sock_flags {
++ PACKET_SOCK_ORIGDEV,
++};
++
++static inline void packet_sock_flag_set(struct packet_sock *po,
++ enum packet_sock_flags flag,
++ bool val)
++{
++ if (val)
++ set_bit(flag, &po->flags);
++ else
++ clear_bit(flag, &po->flags);
++}
++
++static inline bool packet_sock_flag(const struct packet_sock *po,
++ enum packet_sock_flags flag)
++{
++ return test_bit(flag, &po->flags);
++}
++
+ #endif
+--
+2.39.2
+
--- /dev/null
+From a105a14304820fd123ceda9de693ced025437d5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 18:45:53 -0400
+Subject: NFSv4.1: Always send a RECLAIM_COMPLETE after establishing lease
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 40882deb83c29d8df4470d4e5e7f137b6acf7ad1 ]
+
+The spec requires that we always at least send a RECLAIM_COMPLETE when
+we're done establishing the lease and recovering any state.
+
+Fixes: fce5c838e133 ("nfs41: RECLAIM_COMPLETE functionality")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4state.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
+index 9616f7eacd4cb..85e005efc9779 100644
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -65,6 +65,8 @@
+
+ #define OPENOWNER_POOL_SIZE 8
+
++static void nfs4_state_start_reclaim_reboot(struct nfs_client *clp);
++
+ const nfs4_stateid zero_stateid = {
+ { .data = { 0 } },
+ .type = NFS4_SPECIAL_STATEID_TYPE,
+@@ -321,6 +323,8 @@ int nfs41_init_clientid(struct nfs_client *clp, struct rpc_cred *cred)
+ status = nfs4_proc_create_session(clp, cred);
+ if (status != 0)
+ goto out;
++ if (!(clp->cl_exchange_flags & EXCHGID4_FLAG_CONFIRMED_R))
++ nfs4_state_start_reclaim_reboot(clp);
+ nfs41_finish_session_reset(clp);
+ nfs_mark_client_ready(clp, NFS_CS_READY);
+ out:
+--
+2.39.2
+
--- /dev/null
+From 8fddb19a1e0d8d113cda22d92ca924765a3806ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Apr 2023 18:21:09 +0100
+Subject: of: Fix modalias string generation
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+[ Upstream commit b19a4266c52de78496fe40f0b37580a3b762e67d ]
+
+The helper generating an OF based modalias (of_device_get_modalias())
+works fine, but due to the use of snprintf() internally it needs a
+buffer one byte longer than what should be needed just for the entire
+string (excluding the '\0'). Most users of this helper are sysfs hooks
+providing the modalias string to users. They all provide a PAGE_SIZE
+buffer which is way above the number of bytes required to fit the
+modalias string and hence do not suffer from this issue.
+
+There is another user though, of_device_request_module(), which is only
+called by drivers/usb/common/ulpi.c. This request module function is
+faulty, but maybe because in most cases there is an alternative, ULPI
+driver users have not noticed it.
+
+In this function, of_device_get_modalias() is called twice. The first
+time without buffer just to get the number of bytes required by the
+modalias string (excluding the null byte), and a second time, after
+buffer allocation, to fill the buffer. The allocation asks for an
+additional byte, in order to store the trailing '\0'. However, the
+buffer *length* provided to of_device_get_modalias() excludes this extra
+byte. The internal use of snprintf() with a length that is exactly the
+number of bytes to be written has the effect of using the last available
+byte to store a '\0', which then smashes the last character of the
+modalias string.
+
+Provide the actual size of the buffer to of_device_get_modalias() to fix
+this issue.
+
+Note: the "str[size - 1] = '\0';" line is not really needed as snprintf
+will anyway end the string with a null byte, but there is a possibility
+that this function might be called on a struct device_node without
+compatible, in this case snprintf() would not be executed. So we keep it
+just to avoid possible unbounded strings.
+
+Cc: Stephen Boyd <sboyd@kernel.org>
+Cc: Peter Chen <peter.chen@kernel.org>
+Fixes: 9c829c097f2f ("of: device: Support loading a module with OF based modalias")
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20230404172148.82422-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/device.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/of/device.c b/drivers/of/device.c
+index 64b710265d390..3255c97b14f64 100644
+--- a/drivers/of/device.c
++++ b/drivers/of/device.c
+@@ -257,12 +257,15 @@ int of_device_request_module(struct device *dev)
+ if (size < 0)
+ return size;
+
+- str = kmalloc(size + 1, GFP_KERNEL);
++ /* Reserve an additional byte for the trailing '\0' */
++ size++;
++
++ str = kmalloc(size, GFP_KERNEL);
+ if (!str)
+ return -ENOMEM;
+
+ of_device_get_modalias(dev, str, size);
+- str[size] = '\0';
++ str[size - 1] = '\0';
+ ret = request_module(str);
+ kfree(str);
+
+--
+2.39.2
+
--- /dev/null
+From 1df784937a5671ad43d77ca3e7b8dec1cd2c6de2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 10:35:08 +0800
+Subject: perf/core: Fix hardlockup failure caused by perf throttle
+
+From: Yang Jihong <yangjihong1@huawei.com>
+
+[ Upstream commit 15def34e2635ab7e0e96f1bc32e1b69609f14942 ]
+
+commit e050e3f0a71bf ("perf: Fix broken interrupt rate throttling")
+introduces a change in throttling threshold judgment. Before this,
+compare hwc->interrupts and max_samples_per_tick, then increase
+hwc->interrupts by 1, but this commit reverses order of these two
+behaviors, causing the semantics of max_samples_per_tick to change.
+In literal sense of "max_samples_per_tick", if hwc->interrupts ==
+max_samples_per_tick, it should not be throttled, therefore, the judgment
+condition should be changed to "hwc->interrupts > max_samples_per_tick".
+
+In fact, this may cause the hardlockup to fail, The minimum value of
+max_samples_per_tick may be 1, in this case, the return value of
+__perf_event_account_interrupt function is 1.
+As a result, nmi_watchdog gets throttled, which would stop PMU (Use x86
+architecture as an example, see x86_pmu_handle_irq).
+
+Fixes: e050e3f0a71b ("perf: Fix broken interrupt rate throttling")
+Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20230227023508.102230-1-yangjihong1@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 392e48bbba448..20ba0d90e8ae1 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -7490,8 +7490,8 @@ __perf_event_account_interrupt(struct perf_event *event, int throttle)
+ hwc->interrupts = 1;
+ } else {
+ hwc->interrupts++;
+- if (unlikely(throttle
+- && hwc->interrupts >= max_samples_per_tick)) {
++ if (unlikely(throttle &&
++ hwc->interrupts > max_samples_per_tick)) {
+ __this_cpu_inc(perf_throttled_count);
+ tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS);
+ hwc->interrupts = MAX_INTERRUPTS;
+--
+2.39.2
+
--- /dev/null
+From 0d1a66c815798848ce65995e62a1ac9ab2340211 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Nov 2022 19:16:34 +0800
+Subject: phy: tegra: xusb: Add missing tegra_xusb_port_unregister for
+ usb2_port and ulpi_port
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit e024854048e733391b31fe5a398704b31b9af803 ]
+
+The tegra_xusb_port_unregister should be called when usb2_port
+and ulpi_port map fails in tegra_xusb_add_usb2_port() or in
+tegra_xusb_add_ulpi_port(), fix it.
+
+Fixes: 53d2a715c240 ("phy: Add Tegra XUSB pad controller support")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20221129111634.1547747-1-cuigaosheng1@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/tegra/xusb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c
+index 9c55e0f45ea8a..d0483712637b9 100644
+--- a/drivers/phy/tegra/xusb.c
++++ b/drivers/phy/tegra/xusb.c
+@@ -596,6 +596,7 @@ static int tegra_xusb_add_usb2_port(struct tegra_xusb_padctl *padctl,
+ usb2->base.lane = usb2->base.ops->map(&usb2->base);
+ if (IS_ERR(usb2->base.lane)) {
+ err = PTR_ERR(usb2->base.lane);
++ tegra_xusb_port_unregister(&usb2->base);
+ goto out;
+ }
+
+@@ -648,6 +649,7 @@ static int tegra_xusb_add_ulpi_port(struct tegra_xusb_padctl *padctl,
+ ulpi->base.lane = ulpi->base.ops->map(&ulpi->base);
+ if (IS_ERR(ulpi->base.lane)) {
+ err = PTR_ERR(ulpi->base.lane);
++ tegra_xusb_port_unregister(&ulpi->base);
+ goto out;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 5c0363d9e519f1442e18a76f60d083f534ffacf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Mar 2023 23:56:57 +0100
+Subject: power: supply: generic-adc-battery: fix unit scaling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sebastian Reichel <sre@kernel.org>
+
+[ Upstream commit 44263f50065969f2344808388bd589740f026167 ]
+
+power-supply properties are reported in µV, µA and µW.
+The IIO API provides mV, mA, mW, so the values need to
+be multiplied by 1000.
+
+Fixes: e60fea794e6e ("power: battery: Generic battery driver using IIO")
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Matti Vaittinen <mazziesaccount@gmail.com>
+Signed-off-by: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/generic-adc-battery.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/power/supply/generic-adc-battery.c b/drivers/power/supply/generic-adc-battery.c
+index c5bde3c24c319..42a9e03744c7d 100644
+--- a/drivers/power/supply/generic-adc-battery.c
++++ b/drivers/power/supply/generic-adc-battery.c
+@@ -138,6 +138,9 @@ static int read_channel(struct gab *adc_bat, enum power_supply_property psp,
+ result);
+ if (ret < 0)
+ pr_err("read channel error\n");
++ else
++ *result *= 1000;
++
+ return ret;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From ce3c1b86993018308131e1b0b3e12c44237b2bd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Feb 2023 23:01:13 -0800
+Subject: powerpc/mpc512x: fix resource printk format warning
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 7538c97e2b80ff6b7a8ea2ecf16a04355461b439 ]
+
+Use "%pa" format specifier for resource_size_t to avoid a compiler
+printk format warning.
+
+../arch/powerpc/platforms/512x/clock-commonclk.c: In function 'mpc5121_clk_provide_backwards_compat':
+../arch/powerpc/platforms/512x/clock-commonclk.c:989:44: error: format '%x' expects argument of type 'unsigned int', but argument 4 has type 'resource_size_t' {aka 'long long unsigned int'} [-Werror=format=]
+ 989 | snprintf(devname, sizeof(devname), "%08x.%s", res.start, np->name); \
+ | ^~~~~~~~~ ~~~~~~~~~
+ | |
+ | resource_size_t {aka long long unsigned int}
+
+Prevents 24 such warnings.
+
+Fixes: 01f25c371658 ("clk: mpc512x: add backwards compat to the CCF code")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230223070116.660-2-rdunlap@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/512x/clock-commonclk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/512x/clock-commonclk.c b/arch/powerpc/platforms/512x/clock-commonclk.c
+index b3097fe6441b9..1019d78e44bb4 100644
+--- a/arch/powerpc/platforms/512x/clock-commonclk.c
++++ b/arch/powerpc/platforms/512x/clock-commonclk.c
+@@ -985,7 +985,7 @@ static void mpc5121_clk_provide_migration_support(void)
+
+ #define NODE_PREP do { \
+ of_address_to_resource(np, 0, &res); \
+- snprintf(devname, sizeof(devname), "%08x.%s", res.start, np->name); \
++ snprintf(devname, sizeof(devname), "%pa.%s", &res.start, np->name); \
+ } while (0)
+
+ #define NODE_CHK(clkname, clkitem, regnode, regflag) do { \
+--
+2.39.2
+
--- /dev/null
+From 213098c3afc199325ba774c55817d379f43de157 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Mar 2023 15:33:41 -0600
+Subject: powerpc/rtas: use memmove for potentially overlapping buffer copy
+
+From: Nathan Lynch <nathanl@linux.ibm.com>
+
+[ Upstream commit 271208ee5e335cb1ad280d22784940daf7ddf820 ]
+
+Using memcpy() isn't safe when buf is identical to rtas_err_buf, which
+can happen during boot before slab is up. Full context which may not
+be obvious from the diff:
+
+ if (altbuf) {
+ buf = altbuf;
+ } else {
+ buf = rtas_err_buf;
+ if (slab_is_available())
+ buf = kmalloc(RTAS_ERROR_LOG_MAX, GFP_ATOMIC);
+ }
+ if (buf)
+ memcpy(buf, rtas_err_buf, RTAS_ERROR_LOG_MAX);
+
+This was found by inspection and I'm not aware of it causing problems
+in practice. It appears to have been introduced by commit
+033ef338b6e0 ("powerpc: Merge rtas.c into arch/powerpc/kernel"); the
+old ppc64 version of this code did not have this problem.
+
+Use memmove() instead.
+
+Fixes: 033ef338b6e0 ("powerpc: Merge rtas.c into arch/powerpc/kernel")
+Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
+Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230220-rtas-queue-for-6-4-v1-2-010e4416f13f@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/rtas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
+index 5d84b412b2fd4..35f1f8b2f6253 100644
+--- a/arch/powerpc/kernel/rtas.c
++++ b/arch/powerpc/kernel/rtas.c
+@@ -400,7 +400,7 @@ static char *__fetch_rtas_last_error(char *altbuf)
+ buf = kmalloc(RTAS_ERROR_LOG_MAX, GFP_ATOMIC);
+ }
+ if (buf)
+- memcpy(buf, rtas_err_buf, RTAS_ERROR_LOG_MAX);
++ memmove(buf, rtas_err_buf, RTAS_ERROR_LOG_MAX);
+ }
+
+ return buf;
+--
+2.39.2
+
--- /dev/null
+From f7f691fc4b99486e73c7dc7f524a17e30f71327b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Feb 2023 23:01:16 -0800
+Subject: powerpc/sysdev/tsi108: fix resource printk format warnings
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 55d8bd02cc1b9f1063993b5c42c9cabf4af67dea ]
+
+Use "%pa" format specifier for resource_size_t to avoid a compiler
+printk format warning.
+
+ arch/powerpc/sysdev/tsi108_pci.c: In function 'tsi108_setup_pci':
+ include/linux/kern_levels.h:5:25: error: format '%x' expects argument of type 'unsigned int', but argument 2 has type 'resource_size_t'
+
+Fixes: c4342ff92bed ("[POWERPC] Update mpc7448hpc2 board irq support using device tree")
+Fixes: 2b9d7467a6db ("[POWERPC] Add tsi108 pci and platform device data register function")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+[mpe: Use pr_info() and unsplit string]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230223070116.660-5-rdunlap@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/sysdev/tsi108_pci.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/sysdev/tsi108_pci.c b/arch/powerpc/sysdev/tsi108_pci.c
+index 28ff1f53cefc1..6bd50c690006f 100644
+--- a/arch/powerpc/sysdev/tsi108_pci.c
++++ b/arch/powerpc/sysdev/tsi108_pci.c
+@@ -229,9 +229,8 @@ int __init tsi108_setup_pci(struct device_node *dev, u32 cfg_phys, int primary)
+
+ (hose)->ops = &tsi108_direct_pci_ops;
+
+- printk(KERN_INFO "Found tsi108 PCI host bridge at 0x%08x. "
+- "Firmware bus number: %d->%d\n",
+- rsrc.start, hose->first_busno, hose->last_busno);
++ pr_info("Found tsi108 PCI host bridge at 0x%pa. Firmware bus number: %d->%d\n",
++ &rsrc.start, hose->first_busno, hose->last_busno);
+
+ /* Interpret the "ranges" property */
+ /* This also maps the I/O region and sets isa_io/mem_base */
+--
+2.39.2
+
--- /dev/null
+From 55a4c4931e16b6cbfcf739a534c62b9971d9a249 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Feb 2023 23:01:14 -0800
+Subject: powerpc/wii: fix resource printk format warnings
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 7b69600d4da0049244e9be2f5ef5a2f8e04fcd9a ]
+
+Use "%pa" format specifier for resource_size_t to avoid compiler
+printk format warnings.
+
+../arch/powerpc/platforms/embedded6xx/flipper-pic.c: In function 'flipper_pic_init':
+../include/linux/kern_levels.h:5:25: error: format '%x' expects argument of type 'unsigned int', but argument 2 has type 'resource_size_t' {aka 'long long unsigned int'} [-Werror=format=]
+../arch/powerpc/platforms/embedded6xx/flipper-pic.c:148:9: note: in expansion of macro 'pr_info'
+ 148 | pr_info("controller at 0x%08x mapped to 0x%p\n", res.start, io_base);
+ | ^~~~~~~
+
+../arch/powerpc/platforms/embedded6xx/hlwd-pic.c: In function 'hlwd_pic_init':
+../include/linux/kern_levels.h:5:25: error: format '%x' expects argument of type 'unsigned int', but argument 2 has type 'resource_size_t' {aka 'long long unsigned int'} [-Werror=format=]
+../arch/powerpc/platforms/embedded6xx/hlwd-pic.c:174:9: note: in expansion of macro 'pr_info'
+ 174 | pr_info("controller at 0x%08x mapped to 0x%p\n", res.start, io_base);
+ | ^~~~~~~
+
+../arch/powerpc/platforms/embedded6xx/wii.c: In function 'wii_ioremap_hw_regs':
+../include/linux/kern_levels.h:5:25: error: format '%x' expects argument of type 'unsigned int', but argument 3 has type 'resource_size_t' {aka 'long long unsigned int'} [-Werror=format=]
+../arch/powerpc/platforms/embedded6xx/wii.c:77:17: note: in expansion of macro 'pr_info'
+ 77 | pr_info("%s at 0x%08x mapped to 0x%p\n", name,
+ | ^~~~~~~
+
+Fixes: 028ee972f032 ("powerpc: gamecube/wii: flipper interrupt controller support")
+Fixes: 9c21025c7845 ("powerpc: wii: hollywood interrupt controller support")
+Fixes: 5a7ee3198dfa ("powerpc: wii: platform support")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230223070116.660-3-rdunlap@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/embedded6xx/flipper-pic.c | 2 +-
+ arch/powerpc/platforms/embedded6xx/hlwd-pic.c | 2 +-
+ arch/powerpc/platforms/embedded6xx/wii.c | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/platforms/embedded6xx/flipper-pic.c b/arch/powerpc/platforms/embedded6xx/flipper-pic.c
+index ade83829d5e8b..416375b346ba6 100644
+--- a/arch/powerpc/platforms/embedded6xx/flipper-pic.c
++++ b/arch/powerpc/platforms/embedded6xx/flipper-pic.c
+@@ -157,7 +157,7 @@ struct irq_domain * __init flipper_pic_init(struct device_node *np)
+ }
+ io_base = ioremap(res.start, resource_size(&res));
+
+- pr_info("controller at 0x%08x mapped to 0x%p\n", res.start, io_base);
++ pr_info("controller at 0x%pa mapped to 0x%p\n", &res.start, io_base);
+
+ __flipper_quiesce(io_base);
+
+diff --git a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c
+index db2ea6b6889de..7b7d659fd1568 100644
+--- a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c
++++ b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c
+@@ -178,7 +178,7 @@ struct irq_domain *hlwd_pic_init(struct device_node *np)
+ return NULL;
+ }
+
+- pr_info("controller at 0x%08x mapped to 0x%p\n", res.start, io_base);
++ pr_info("controller at 0x%pa mapped to 0x%p\n", &res.start, io_base);
+
+ __hlwd_quiesce(io_base);
+
+diff --git a/arch/powerpc/platforms/embedded6xx/wii.c b/arch/powerpc/platforms/embedded6xx/wii.c
+index 2914529c06955..eabbced08d5f9 100644
+--- a/arch/powerpc/platforms/embedded6xx/wii.c
++++ b/arch/powerpc/platforms/embedded6xx/wii.c
+@@ -143,8 +143,8 @@ static void __iomem *wii_ioremap_hw_regs(char *name, char *compatible)
+
+ hw_regs = ioremap(res.start, resource_size(&res));
+ if (hw_regs) {
+- pr_info("%s at 0x%08x mapped to 0x%p\n", name,
+- res.start, hw_regs);
++ pr_info("%s at 0x%pa mapped to 0x%p\n", name,
++ &res.start, hw_regs);
+ }
+
+ out_put:
+--
+2.39.2
+
--- /dev/null
+From cc81db7acea1de156d6e11eb674c3b8cee941b1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 20:40:43 +0000
+Subject: pstore: Revert pmsg_lock back to a normal mutex
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John Stultz <jstultz@google.com>
+
+[ Upstream commit 5239a89b06d6b199f133bf0ffea421683187f257 ]
+
+This reverts commit 76d62f24db07f22ccf9bc18ca793c27d4ebef721.
+
+So while priority inversion on the pmsg_lock is an occasional
+problem that an rt_mutex would help with, in uses where logging
+is writing to pmsg heavily from multiple threads, the pmsg_lock
+can be heavily contended.
+
+After this change landed, it was reported that cases where the
+mutex locking overhead was commonly adding on the order of 10s
+of usecs delay had suddenly jumped to ~msec delay with rtmutex.
+
+It seems the slight differences in the locks under this level
+of contention causes the normal mutexes to utilize the spinning
+optimizations, while the rtmutexes end up in the sleeping
+slowpath (which allows additional threads to pile on trying
+to take the lock).
+
+In this case, it devolves to a worse case senerio where the lock
+acquisition and scheduling overhead dominates, and each thread
+is waiting on the order of ~ms to do ~us of work.
+
+Obviously, having tons of threads all contending on a single
+lock for logging is non-optimal, so the proper fix is probably
+reworking pstore pmsg to have per-cpu buffers so we don't have
+contention.
+
+Additionally, Steven Rostedt has provided some furhter
+optimizations for rtmutexes that improves the rtmutex spinning
+path, but at least in my testing, I still see the test tripping
+into the sleeping path on rtmutexes while utilizing the spinning
+path with mutexes.
+
+But in the short term, lets revert the change to the rt_mutex
+and go back to normal mutexes to avoid a potentially major
+performance regression. And we can work on optimizations to both
+rtmutexes and finer-grained locking for pstore pmsg in the
+future.
+
+Cc: Wei Wang <wvw@google.com>
+Cc: Midas Chien<midaschieh@google.com>
+Cc: "Chunhui Li (李春辉)" <chunhui.li@mediatek.com>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Anton Vorontsov <anton@enomsg.org>
+Cc: "Guilherme G. Piccoli" <gpiccoli@igalia.com>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: kernel-team@android.com
+Fixes: 76d62f24db07 ("pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion")
+Reported-by: "Chunhui Li (李春辉)" <chunhui.li@mediatek.com>
+Signed-off-by: John Stultz <jstultz@google.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20230308204043.2061631-1-jstultz@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/pstore/pmsg.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/fs/pstore/pmsg.c b/fs/pstore/pmsg.c
+index ffc13ea196d2a..24db02de17874 100644
+--- a/fs/pstore/pmsg.c
++++ b/fs/pstore/pmsg.c
+@@ -15,10 +15,9 @@
+ #include <linux/device.h>
+ #include <linux/fs.h>
+ #include <linux/uaccess.h>
+-#include <linux/rtmutex.h>
+ #include "internal.h"
+
+-static DEFINE_RT_MUTEX(pmsg_lock);
++static DEFINE_MUTEX(pmsg_lock);
+
+ static ssize_t write_pmsg(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+@@ -37,9 +36,9 @@ static ssize_t write_pmsg(struct file *file, const char __user *buf,
+ if (!access_ok(VERIFY_READ, buf, count))
+ return -EFAULT;
+
+- rt_mutex_lock(&pmsg_lock);
++ mutex_lock(&pmsg_lock);
+ ret = psinfo->write_user(&record, buf);
+- rt_mutex_unlock(&pmsg_lock);
++ mutex_unlock(&pmsg_lock);
+ return ret ? ret : count;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 23ad06a67d806d50fef6fb3ded13650cc6589371 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Mar 2023 15:44:08 +0300
+Subject: RDMA/rdmavt: Delete unnecessary NULL check
+
+From: Natalia Petrova <n.petrova@fintech.ru>
+
+[ Upstream commit b73a0b80c69de77d8d4942abb37066531c0169b2 ]
+
+There is no need to check 'rdi->qp_dev' for NULL. The field 'qp_dev'
+is created in rvt_register_device() which will fail if the 'qp_dev'
+allocation fails in rvt_driver_qp_init(). Overwise this pointer
+doesn't changed and passed to rvt_qp_exit() by the next step.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 0acb0cc7ecc1 ("IB/rdmavt: Initialize and teardown of qpn table")
+Signed-off-by: Natalia Petrova <n.petrova@fintech.ru>
+Link: https://lore.kernel.org/r/20230303124408.16685-1-n.petrova@fintech.ru
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rdmavt/qp.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rdmavt/qp.c b/drivers/infiniband/sw/rdmavt/qp.c
+index b0309876f4bb1..2bfcd47b58baa 100644
+--- a/drivers/infiniband/sw/rdmavt/qp.c
++++ b/drivers/infiniband/sw/rdmavt/qp.c
+@@ -318,8 +318,6 @@ void rvt_qp_exit(struct rvt_dev_info *rdi)
+ if (qps_inuse)
+ rvt_pr_err(rdi, "QP memory leak! %u still in use\n",
+ qps_inuse);
+- if (!rdi->qp_dev)
+- return;
+
+ kfree(rdi->qp_dev->qp_table);
+ free_qpn_table(&rdi->qp_dev->qpn_table);
+--
+2.39.2
+
--- /dev/null
+From 51190cd585d749a13c9745d66b331962fa041700 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Apr 2023 18:30:06 +0800
+Subject: Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove
+ due to unfinished work"
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit db2bf510bd5d57f064d9e1db395ed86a08320c54 ]
+
+This reverts commit 1e9ac114c4428fdb7ff4635b45d4f46017e8916f.
+
+This patch introduces a possible null-ptr-def problem. Revert it. And the
+fixed bug by this patch have resolved by commit 73f7b171b7c0 ("Bluetooth:
+btsdio: fix use after free bug in btsdio_remove due to race condition").
+
+Fixes: 1e9ac114c442 ("Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btsdio.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c
+index bd55bf7a9914c..20142bc77554c 100644
+--- a/drivers/bluetooth/btsdio.c
++++ b/drivers/bluetooth/btsdio.c
+@@ -353,7 +353,6 @@ static void btsdio_remove(struct sdio_func *func)
+
+ BT_DBG("func %p", func);
+
+- cancel_work_sync(&data->work);
+ if (!data)
+ return;
+
+--
+2.39.2
+
--- /dev/null
+From 0783d91bdf78e9b0eb2e8ffb641fad4efba4c4e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 12:32:11 +0100
+Subject: scm: fix MSG_CTRUNC setting condition for SO_PASSSEC
+
+From: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
+
+[ Upstream commit a02d83f9947d8f71904eda4de046630c3eb6802c ]
+
+Currently, kernel would set MSG_CTRUNC flag if msg_control buffer
+wasn't provided and SO_PASSCRED was set or if there was pending SCM_RIGHTS.
+
+For some reason we have no corresponding check for SO_PASSSEC.
+
+In the recvmsg(2) doc we have:
+ MSG_CTRUNC
+ indicates that some control data was discarded due to lack
+ of space in the buffer for ancillary data.
+
+So, we need to set MSG_CTRUNC flag for all types of SCM.
+
+This change can break applications those don't check MSG_CTRUNC flag.
+
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Leon Romanovsky <leon@kernel.org>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
+
+v2:
+- commit message was rewritten according to Eric's suggestion
+Acked-by: Paul Moore <paul@paul-moore.com>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/scm.h | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/scm.h b/include/net/scm.h
+index 903771c8d4e33..1268a051f1aa2 100644
+--- a/include/net/scm.h
++++ b/include/net/scm.h
+@@ -104,16 +104,27 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
+ }
+ }
+ }
++
++static inline bool scm_has_secdata(struct socket *sock)
++{
++ return test_bit(SOCK_PASSSEC, &sock->flags);
++}
+ #else
+ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm)
+ { }
++
++static inline bool scm_has_secdata(struct socket *sock)
++{
++ return false;
++}
+ #endif /* CONFIG_SECURITY_NETWORK */
+
+ static __inline__ void scm_recv(struct socket *sock, struct msghdr *msg,
+ struct scm_cookie *scm, int flags)
+ {
+ if (!msg->msg_control) {
+- if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp)
++ if (test_bit(SOCK_PASSCRED, &sock->flags) || scm->fp ||
++ scm_has_secdata(sock))
+ msg->msg_flags |= MSG_CTRUNC;
+ scm_destroy(scm);
+ return;
+--
+2.39.2
+
--- /dev/null
+From 24f17fddb75eb2ac8f7b33b75278ce8d08647a9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Mar 2023 17:51:09 +0000
+Subject: scsi: megaraid: Fix mega_cmd_done() CMDID_INT_CMDS
+
+From: Danila Chernetsov <listdansp@mail.ru>
+
+[ Upstream commit 75cb113cd43f06aaf4f1bda0069cfd5b98e909eb ]
+
+When cmdid == CMDID_INT_CMDS, the 'cmds' pointer is NULL but is
+dereferenced below.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 0f2bb84d2a68 ("[SCSI] megaraid: simplify internal command handling")
+Signed-off-by: Danila Chernetsov <listdansp@mail.ru>
+Link: https://lore.kernel.org/r/20230317175109.18585-1-listdansp@mail.ru
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/megaraid.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c
+index eed6d45b80251..b6a62c8c26715 100644
+--- a/drivers/scsi/megaraid.c
++++ b/drivers/scsi/megaraid.c
+@@ -1443,6 +1443,7 @@ mega_cmd_done(adapter_t *adapter, u8 completed[], int nstatus, int status)
+ */
+ if (cmdid == CMDID_INT_CMDS) {
+ scb = &adapter->int_scb;
++ cmd = scb->cmd;
+
+ list_del_init(&scb->list);
+ scb->state = SCB_FREE;
+--
+2.39.2
+
--- /dev/null
+From a095d305afb26a74772995a656f11cf12853ccb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Mar 2023 20:56:19 -0500
+Subject: scsi: target: iscsit: Fix TAS handling during conn cleanup
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit cc79da306ebb2edb700c3816b90219223182ac3c ]
+
+Fix a bug added in commit f36199355c64 ("scsi: target: iscsi: Fix cmd abort
+fabric stop race").
+
+If CMD_T_TAS is set on the se_cmd we must call iscsit_free_cmd() to do the
+last put on the cmd and free it, because the connection is down and we will
+not up sending the response and doing the put from the normal I/O
+path.
+
+Add a check for CMD_T_TAS in iscsit_release_commands_from_conn() so we now
+detect this case and run iscsit_free_cmd().
+
+Fixes: f36199355c64 ("scsi: target: iscsi: Fix cmd abort fabric stop race")
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Link: https://lore.kernel.org/r/20230319015620.96006-9-michael.christie@oracle.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/iscsi/iscsi_target.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
+index d9fcef82ddf59..d801f5b388b8a 100644
+--- a/drivers/target/iscsi/iscsi_target.c
++++ b/drivers/target/iscsi/iscsi_target.c
+@@ -4088,9 +4088,12 @@ static void iscsit_release_commands_from_conn(struct iscsi_conn *conn)
+ list_for_each_entry_safe(cmd, cmd_tmp, &tmp_list, i_conn_node) {
+ struct se_cmd *se_cmd = &cmd->se_cmd;
+
+- if (se_cmd->se_tfo != NULL) {
+- spin_lock_irq(&se_cmd->t_state_lock);
+- if (se_cmd->transport_state & CMD_T_ABORTED) {
++ if (!se_cmd->se_tfo)
++ continue;
++
++ spin_lock_irq(&se_cmd->t_state_lock);
++ if (se_cmd->transport_state & CMD_T_ABORTED) {
++ if (!(se_cmd->transport_state & CMD_T_TAS))
+ /*
+ * LIO's abort path owns the cleanup for this,
+ * so put it back on the list and let
+@@ -4098,11 +4101,10 @@ static void iscsit_release_commands_from_conn(struct iscsi_conn *conn)
+ */
+ list_move_tail(&cmd->i_conn_node,
+ &conn->conn_cmd_list);
+- } else {
+- se_cmd->transport_state |= CMD_T_FABRIC_STOP;
+- }
+- spin_unlock_irq(&se_cmd->t_state_lock);
++ } else {
++ se_cmd->transport_state |= CMD_T_FABRIC_STOP;
+ }
++ spin_unlock_irq(&se_cmd->t_state_lock);
+ }
+ spin_unlock_bh(&conn->cmd_lock);
+
+--
+2.39.2
+
--- /dev/null
+From ef4da801cec60eff29f3c6e38aaf9c2b59b564c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Apr 2023 13:29:11 -0400
+Subject: selinux: ensure av_permissions.h is built when needed
+
+From: Paul Moore <paul@paul-moore.com>
+
+[ Upstream commit 4ce1f694eb5d8ca607fed8542d32a33b4f1217a5 ]
+
+The Makefile rule responsible for building flask.h and
+av_permissions.h only lists flask.h as a target which means that
+av_permissions.h is only generated when flask.h needs to be
+generated. This patch fixes this by adding av_permissions.h as a
+target to the rule.
+
+Fixes: 8753f6bec352 ("selinux: generate flask headers during kernel build")
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/selinux/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/selinux/Makefile b/security/selinux/Makefile
+index 3efb0dda95b55..08ba8ca81d403 100644
+--- a/security/selinux/Makefile
++++ b/security/selinux/Makefile
+@@ -22,5 +22,5 @@ quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h
+ cmd_flask = $< $(obj)/flask.h $(obj)/av_permissions.h
+
+ targets += flask.h av_permissions.h
+-$(obj)/flask.h: scripts/selinux/genheaders/genheaders FORCE
++$(obj)/flask.h $(obj)/av_permissions.h &: scripts/selinux/genheaders/genheaders FORCE
+ $(call if_changed,flask)
+--
+2.39.2
+
--- /dev/null
+From 623eb197554c4fab8ccf70272099a1421ec786b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Apr 2023 15:59:19 +0200
+Subject: selinux: fix Makefile dependencies of flask.h
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+[ Upstream commit bcab1adeaad4b39a1e04cb98979a367d08253f03 ]
+
+Make the flask.h target depend on the genheaders binary instead of
+classmap.h to ensure that it is rebuilt if any of the dependencies of
+genheaders are changed.
+
+Notably this fixes flask.h not being rebuilt when
+initial_sid_to_string.h is modified.
+
+Fixes: 8753f6bec352 ("selinux: generate flask headers during kernel build")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/selinux/Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/security/selinux/Makefile b/security/selinux/Makefile
+index c7161f8792b2d..3efb0dda95b55 100644
+--- a/security/selinux/Makefile
++++ b/security/selinux/Makefile
+@@ -19,8 +19,8 @@ ccflags-y := -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
+ $(addprefix $(obj)/,$(selinux-y)): $(obj)/flask.h
+
+ quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h
+- cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h
++ cmd_flask = $< $(obj)/flask.h $(obj)/av_permissions.h
+
+ targets += flask.h av_permissions.h
+-$(obj)/flask.h: $(src)/include/classmap.h FORCE
++$(obj)/flask.h: scripts/selinux/genheaders/genheaders FORCE
+ $(call if_changed,flask)
+--
+2.39.2
+
--- /dev/null
+From 2eed74e61146367d4ccf4a0b7d8c06bcbf9d633b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Apr 2023 10:02:39 -0700
+Subject: serial: 8250: Add missing wakeup event reporting
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 0ba9e3a13c6adfa99e32b2576d20820ab10ad48a ]
+
+An 8250 UART configured as a wake-up source would not have reported
+itself through sysfs as being the source of wake-up, correct that.
+
+Fixes: b3b708fa2780 ("wake up from a serial port")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20230414170241.2016255-1-f.fainelli@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_port.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
+index fe1de63269d1a..cdc1b2b0f4bc6 100644
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -23,6 +23,7 @@
+ #include <linux/moduleparam.h>
+ #include <linux/ioport.h>
+ #include <linux/init.h>
++#include <linux/irq.h>
+ #include <linux/console.h>
+ #include <linux/sysrq.h>
+ #include <linux/delay.h>
+@@ -1886,6 +1887,7 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir)
+ unsigned char status;
+ unsigned long flags;
+ struct uart_8250_port *up = up_to_u8250p(port);
++ struct tty_port *tport = &port->state->port;
+ bool skip_rx = false;
+
+ if (iir & UART_IIR_NO_INT)
+@@ -1909,6 +1911,8 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir)
+ skip_rx = true;
+
+ if (status & (UART_LSR_DR | UART_LSR_BI) && !skip_rx) {
++ if (irqd_is_wakeup_set(irq_get_irq_data(port->irq)))
++ pm_wakeup_event(tport->tty->dev, 0);
+ if (!up->dma || handle_rx_dma(up, iir))
+ status = serial8250_rx_chars(up, status);
+ }
+--
+2.39.2
+
revert-ubifs-dirty_cow_znode-fix-memleak-in-error-handling-path.patch
ubi-fix-return-value-overwrite-issue-in-try_write_vid_and_data.patch
ubifs-free-memory-for-tmpfile-name.patch
+selinux-fix-makefile-dependencies-of-flask.h.patch
+selinux-ensure-av_permissions.h-is-built-when-needed.patch
+drm-rockchip-drop-unbalanced-obj-unref.patch
+drm-vgem-add-missing-mutex_destroy.patch
+drm-probe-helper-cancel-previous-job-before-starting.patch
+media-bdisp-add-missing-check-for-create_workqueue.patch
+media-av7110-prevent-underflow-in-write_ts_to_decode.patch
+x86-apic-fix-atomic-update-of-offset-in-reserve_eilv.patch
+media-dm1105-fix-use-after-free-bug-in-dm1105_remove.patch
+x86-ioapic-don-t-return-0-from-arch_dynirq_lower_bou.patch
+arm64-kgdb-set-pstate.ss-to-1-to-re-enable-single-st.patch
+wifi-ath6kl-minor-fix-for-allocation-size.patch
+wifi-ath5k-fix-an-off-by-one-check-in-ath5k_eeprom_r.patch
+wifi-ath6kl-reduce-warn-to-dev_dbg-in-callback.patch
+scm-fix-msg_ctrunc-setting-condition-for-so_passsec.patch
+vlan-partially-enable-siocshwtstamp-in-container.patch
+net-packet-convert-po-origdev-to-an-atomic-flag.patch
+net-packet-convert-po-auxdata-to-an-atomic-flag.patch
+scsi-target-iscsit-fix-tas-handling-during-conn-clea.patch
+scsi-megaraid-fix-mega_cmd_done-cmdid_int_cmds.patch
+md-raid10-fix-leak-of-r10bio-remaining-for-recovery.patch
+wifi-iwlwifi-make-the-loop-for-card-preparation-effe.patch
+wifi-iwlwifi-mvm-check-firmware-response-size.patch
+ixgbe-allow-flow-hash-to-be-set-via-ethtool.patch
+ixgbe-enable-setting-rss-table-to-default-values.patch
+ipv4-fix-potential-uninit-variable-access-bug-in-__i.patch
+revert-bluetooth-btsdio-fix-use-after-free-bug-in-bt.patch
+net-amd-fix-link-leak-when-verifying-config-failed.patch
+tcp-udp-fix-memleaks-of-sk-and-zerocopy-skbs-with-tx.patch
+pstore-revert-pmsg_lock-back-to-a-normal-mutex.patch
+linux-vt_buffer.h-allow-either-builtin-or-modular-fo.patch
+spi-fsl-spi-fix-cpm-qe-mode-litte-endian.patch
+of-fix-modalias-string-generation.patch
+ia64-mm-contig-fix-section-mismatch-warning-error.patch
+uapi-linux-const.h-prefer-iso-friendly-__typeof__.patch
+sh-sq-fix-incorrect-element-size-for-allocating-bitm.patch
+usb-chipidea-fix-missing-goto-in-ci_hdrc_probe.patch
+tty-serial-fsl_lpuart-adjust-buffer-length-to-the-in.patch
+serial-8250-add-missing-wakeup-event-reporting.patch
+staging-rtl8192e-fix-w_disable-does-not-work-after-s.patch
+spmi-add-a-check-for-remove-callback-when-removing-a.patch
+spi-bcm63xx-remove-pm_sleep-based-conditional-compil.patch
+macintosh-windfarm_smu_sat-add-missing-of_node_put.patch
+powerpc-mpc512x-fix-resource-printk-format-warning.patch
+powerpc-wii-fix-resource-printk-format-warnings.patch
+powerpc-sysdev-tsi108-fix-resource-printk-format-war.patch
+macintosh-via-pmu-led-requires-ata-to-be-set.patch
+powerpc-rtas-use-memmove-for-potentially-overlapping.patch
+perf-core-fix-hardlockup-failure-caused-by-perf-thro.patch
+rdma-rdmavt-delete-unnecessary-null-check.patch
+power-supply-generic-adc-battery-fix-unit-scaling.patch
+clk-add-missing-of_node_put-in-assigned-clocks-prope.patch
+ib-hfi1-fix-sdma-mmu_rb_node-not-being-evicted-in-lr.patch
+nfsv4.1-always-send-a-reclaim_complete-after-establi.patch
+sunrpc-remove-the-maximum-number-of-retries-in-call_.patch
+phy-tegra-xusb-add-missing-tegra_xusb_port_unregiste.patch
+dmaengine-at_xdmac-do-not-enable-all-cyclic-channels.patch
--- /dev/null
+From 2ebf3efc95faab17af8e5a1e4e322fc778391c81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Apr 2023 13:48:52 +0200
+Subject: sh: sq: Fix incorrect element size for allocating bitmap buffer
+
+From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+
+[ Upstream commit 80f746e2bd0e1da3fdb49a53570e54a1a225faac ]
+
+The Store Queue code allocates a bitmap buffer with the size of
+multiple of sizeof(long) in sq_api_init(). While the buffer size
+is calculated correctly, the code uses the wrong element size to
+allocate the buffer which results in the allocated bitmap buffer
+being too small.
+
+Fix this by allocating the buffer with kcalloc() with element size
+sizeof(long) instead of kzalloc() whose elements size defaults to
+sizeof(char).
+
+Fixes: d7c30c682a27 ("sh: Store Queue API rework.")
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Link: https://lore.kernel.org/r/20230419114854.528677-1-glaubitz@physik.fu-berlin.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/kernel/cpu/sh4/sq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/sh/kernel/cpu/sh4/sq.c b/arch/sh/kernel/cpu/sh4/sq.c
+index 4ca78ed71ad2c..c218bae8fe208 100644
+--- a/arch/sh/kernel/cpu/sh4/sq.c
++++ b/arch/sh/kernel/cpu/sh4/sq.c
+@@ -383,7 +383,7 @@ static int __init sq_api_init(void)
+ if (unlikely(!sq_cache))
+ return ret;
+
+- sq_bitmap = kzalloc(size, GFP_KERNEL);
++ sq_bitmap = kcalloc(size, sizeof(long), GFP_KERNEL);
+ if (unlikely(!sq_bitmap))
+ goto out;
+
+--
+2.39.2
+
--- /dev/null
+From 5d6d21696db98be3c7db3d076e3d87fa93cb24cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Apr 2023 17:46:15 +0530
+Subject: spi: bcm63xx: remove PM_SLEEP based conditional compilation
+
+From: Dhruva Gole <d-gole@ti.com>
+
+[ Upstream commit 25f0617109496e1aff49594fbae5644286447a0f ]
+
+Get rid of conditional compilation based on CONFIG_PM_SLEEP because
+it may introduce build issues with certain configs where it maybe disabled
+This is because if above config is not enabled the suspend-resume
+functions are never part of the code but the bcm63xx_spi_pm_ops struct
+still inits them to non-existent suspend-resume functions.
+
+Fixes: b42dfed83d95 ("spi: add Broadcom BCM63xx SPI controller driver")
+
+Signed-off-by: Dhruva Gole <d-gole@ti.com>
+Link: https://lore.kernel.org/r/20230420121615.967487-1-d-gole@ti.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bcm63xx.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c
+index bfe5754768f97..c7b67388709fe 100644
+--- a/drivers/spi/spi-bcm63xx.c
++++ b/drivers/spi/spi-bcm63xx.c
+@@ -625,7 +625,6 @@ static int bcm63xx_spi_remove(struct platform_device *pdev)
+ return 0;
+ }
+
+-#ifdef CONFIG_PM_SLEEP
+ static int bcm63xx_spi_suspend(struct device *dev)
+ {
+ struct spi_master *master = dev_get_drvdata(dev);
+@@ -652,7 +651,6 @@ static int bcm63xx_spi_resume(struct device *dev)
+
+ return 0;
+ }
+-#endif
+
+ static const struct dev_pm_ops bcm63xx_spi_pm_ops = {
+ SET_SYSTEM_SLEEP_PM_OPS(bcm63xx_spi_suspend, bcm63xx_spi_resume)
+--
+2.39.2
+
--- /dev/null
+From 51fb6cd98c13ef4aa6f3910e73fc8c10fbfdc541 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Apr 2023 19:59:46 +0200
+Subject: spi: fsl-spi: Fix CPM/QE mode Litte Endian
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit c20c57d9868d7f9fd1b2904c7801b07e128f6322 ]
+
+CPM has the same problem as QE so for CPM also use the fix added
+by commit 0398fb70940e ("spi/spi_mpc8xxx: Fix QE mode Litte Endian"):
+
+ CPM mode uses Little Endian so words > 8 bits are byte swapped.
+ Workaround this by always enforcing wordsize 8 for 16 and 32 bits
+ words. Unfortunately this will not work for LSB transfers
+ where wordsize is > 8 bits so disable these for now.
+
+Also limit the workaround to 16 and 32 bits words because it can
+only work for multiples of 8-bits.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
+Fixes: 0398fb70940e ("spi/spi_mpc8xxx: Fix QE mode Litte Endian")
+Link: https://lore.kernel.org/r/1b7d3e84b1128f42c1887dd2fb9cdf390f541bc1.1680371809.git.christophe.leroy@csgroup.eu
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-fsl-spi.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/spi/spi-fsl-spi.c b/drivers/spi/spi-fsl-spi.c
+index cd784552de7f1..479d10dc6cb84 100644
+--- a/drivers/spi/spi-fsl-spi.c
++++ b/drivers/spi/spi-fsl-spi.c
+@@ -205,8 +205,8 @@ static int mspi_apply_qe_mode_quirks(struct spi_mpc8xxx_cs *cs,
+ struct spi_device *spi,
+ int bits_per_word)
+ {
+- /* QE uses Little Endian for words > 8
+- * so transform all words > 8 into 8 bits
++ /* CPM/QE uses Little Endian for words > 8
++ * so transform 16 and 32 bits words into 8 bits
+ * Unfortnatly that doesn't work for LSB so
+ * reject these for now */
+ /* Note: 32 bits word, LSB works iff
+@@ -214,9 +214,11 @@ static int mspi_apply_qe_mode_quirks(struct spi_mpc8xxx_cs *cs,
+ if (spi->mode & SPI_LSB_FIRST &&
+ bits_per_word > 8)
+ return -EINVAL;
+- if (bits_per_word > 8)
++ if (bits_per_word <= 8)
++ return bits_per_word;
++ if (bits_per_word == 16 || bits_per_word == 32)
+ return 8; /* pretend its 8 bits */
+- return bits_per_word;
++ return -EINVAL;
+ }
+
+ static int fsl_spi_setup_transfer(struct spi_device *spi,
+@@ -246,7 +248,7 @@ static int fsl_spi_setup_transfer(struct spi_device *spi,
+ bits_per_word = mspi_apply_cpu_mode_quirks(cs, spi,
+ mpc8xxx_spi,
+ bits_per_word);
+- else if (mpc8xxx_spi->flags & SPI_QE)
++ else
+ bits_per_word = mspi_apply_qe_mode_quirks(cs, spi,
+ bits_per_word);
+
+--
+2.39.2
+
--- /dev/null
+From 24053f4133242d88de36cc440cf8b8abb2dc7395 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Apr 2023 15:38:34 -0700
+Subject: spmi: Add a check for remove callback when removing a SPMI driver
+
+From: Jishnu Prakash <quic_jprakash@quicinc.com>
+
+[ Upstream commit b56eef3e16d888883fefab47425036de80dd38fc ]
+
+When removing a SPMI driver, there can be a crash due to NULL pointer
+dereference if it does not have a remove callback defined. This is
+one such call trace observed when removing the QCOM SPMI PMIC driver:
+
+ dump_backtrace.cfi_jt+0x0/0x8
+ dump_stack_lvl+0xd8/0x16c
+ panic+0x188/0x498
+ __cfi_slowpath+0x0/0x214
+ __cfi_slowpath+0x1dc/0x214
+ spmi_drv_remove+0x16c/0x1e0
+ device_release_driver_internal+0x468/0x79c
+ driver_detach+0x11c/0x1a0
+ bus_remove_driver+0xc4/0x124
+ driver_unregister+0x58/0x84
+ cleanup_module+0x1c/0xc24 [qcom_spmi_pmic]
+ __do_sys_delete_module+0x3ec/0x53c
+ __arm64_sys_delete_module+0x18/0x28
+ el0_svc_common+0xdc/0x294
+ el0_svc+0x38/0x9c
+ el0_sync_handler+0x8c/0xf0
+ el0_sync+0x1b4/0x1c0
+
+If a driver has all its resources allocated through devm_() APIs and
+does not need any other explicit cleanup, it would not require a
+remove callback to be defined. Hence, add a check for remove callback
+presence before calling it when removing a SPMI driver.
+
+Link: https://lore.kernel.org/r/1671601032-18397-2-git-send-email-quic_jprakash@quicinc.com
+Fixes: 6f00f8c8635f ("mfd: qcom-spmi-pmic: Use devm_of_platform_populate()")
+Fixes: 5a86bf343976 ("spmi: Linux driver framework for SPMI")
+Signed-off-by: Jishnu Prakash <quic_jprakash@quicinc.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Link: https://lore.kernel.org/r/20230413223834.4084793-7-sboyd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spmi/spmi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spmi/spmi.c b/drivers/spmi/spmi.c
+index aa3edabc2b0fe..55f1cad836ba2 100644
+--- a/drivers/spmi/spmi.c
++++ b/drivers/spmi/spmi.c
+@@ -356,7 +356,8 @@ static int spmi_drv_remove(struct device *dev)
+ const struct spmi_driver *sdrv = to_spmi_driver(dev->driver);
+
+ pm_runtime_get_sync(dev);
+- sdrv->remove(to_spmi_device(dev));
++ if (sdrv->remove)
++ sdrv->remove(to_spmi_device(dev));
+ pm_runtime_put_noidle(dev);
+
+ pm_runtime_disable(dev);
+--
+2.39.2
+
--- /dev/null
+From f4da1b16f1c1326daea03116790882b815d68c88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Apr 2023 22:02:01 +0200
+Subject: staging: rtl8192e: Fix W_DISABLE# does not work after stop/start
+
+From: Philipp Hortmann <philipp.g.hortmann@gmail.com>
+
+[ Upstream commit 3fac2397f562eb669ddc2f45867a253f3fc26184 ]
+
+When loading the driver for rtl8192e, the W_DISABLE# switch is working as
+intended. But when the WLAN is turned off in software and then turned on
+again the W_DISABLE# does not work anymore. Reason for this is that in
+the function _rtl92e_dm_check_rf_ctrl_gpio() the bfirst_after_down is
+checked and returned when true. bfirst_after_down is set true when
+switching the WLAN off in software. But it is not set to false again
+when WLAN is turned on again.
+
+Add bfirst_after_down = false in _rtl92e_sta_up to reset bit and fix
+above described bug.
+
+Fixes: 94a799425eee ("From: wlanfae <wlanfae@realtek.com> [PATCH 1/8] rtl8192e: Import new version of driver from realtek")
+Signed-off-by: Philipp Hortmann <philipp.g.hortmann@gmail.com>
+Link: https://lore.kernel.org/r/20230418200201.GA17398@matrix-ESPRIMO-P710
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8192e/rtl8192e/rtl_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
+index e1ede9fd4920b..8420bdae1a5cc 100644
+--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
++++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
+@@ -778,6 +778,7 @@ static int _rtl92e_sta_up(struct net_device *dev, bool is_silent_reset)
+ else
+ netif_wake_queue(dev);
+
++ priv->bfirst_after_down = false;
+ return 0;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 83f989885731328a256f5f17bca14ea8646fb0eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Apr 2023 13:19:02 -0700
+Subject: SUNRPC: remove the maximum number of retries in call_bind_status
+
+From: Dai Ngo <dai.ngo@oracle.com>
+
+[ Upstream commit 691d0b782066a6eeeecbfceb7910a8f6184e6105 ]
+
+Currently call_bind_status places a hard limit of 3 to the number of
+retries on EACCES error. This limit was done to prevent NLM unlock
+requests from being hang forever when the server keeps returning garbage.
+However this change causes problem for cases when NLM service takes
+longer than 9 seconds to register with the port mapper after a restart.
+
+This patch removes this hard coded limit and let the RPC handles
+the retry based on the standard hard/soft task semantics.
+
+Fixes: 0b760113a3a1 ("NLM: Don't hang forever on NLM unlock requests")
+Reported-by: Helen Chao <helen.chao@oracle.com>
+Tested-by: Helen Chao <helen.chao@oracle.com>
+Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sunrpc/sched.h | 3 +--
+ net/sunrpc/clnt.c | 3 ---
+ net/sunrpc/sched.c | 1 -
+ 3 files changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/include/linux/sunrpc/sched.h b/include/linux/sunrpc/sched.h
+index c9548a63d09bb..0f7c8f820aa3f 100644
+--- a/include/linux/sunrpc/sched.h
++++ b/include/linux/sunrpc/sched.h
+@@ -88,8 +88,7 @@ struct rpc_task {
+ #endif
+ unsigned char tk_priority : 2,/* Task priority */
+ tk_garb_retry : 2,
+- tk_cred_retry : 2,
+- tk_rebind_retry : 2;
++ tk_cred_retry : 2;
+ };
+
+ typedef void (*rpc_action)(struct rpc_task *);
+diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
+index 411925b043cce..de917d45e512a 100644
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -1827,9 +1827,6 @@ call_bind_status(struct rpc_task *task)
+ status = -EOPNOTSUPP;
+ break;
+ }
+- if (task->tk_rebind_retry == 0)
+- break;
+- task->tk_rebind_retry--;
+ rpc_delay(task, 3*HZ);
+ goto retry_timeout;
+ case -ETIMEDOUT:
+diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
+index 4e0ebb4780df8..b368f5aabe291 100644
+--- a/net/sunrpc/sched.c
++++ b/net/sunrpc/sched.c
+@@ -697,7 +697,6 @@ rpc_init_task_statistics(struct rpc_task *task)
+ /* Initialize retry counters */
+ task->tk_garb_retry = 2;
+ task->tk_cred_retry = 2;
+- task->tk_rebind_retry = 2;
+
+ /* starting timestamp */
+ task->tk_start = ktime_get();
+--
+2.39.2
+
--- /dev/null
+From e64eac31bdef97baaf613f62c4fdfa2e4e221887 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 15:20:22 -0700
+Subject: tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 50749f2dd6854a41830996ad302aef2ffaf011d8 ]
+
+syzkaller reported [0] memory leaks of an UDP socket and ZEROCOPY
+skbs. We can reproduce the problem with these sequences:
+
+ sk = socket(AF_INET, SOCK_DGRAM, 0)
+ sk.setsockopt(SOL_SOCKET, SO_TIMESTAMPING, SOF_TIMESTAMPING_TX_SOFTWARE)
+ sk.setsockopt(SOL_SOCKET, SO_ZEROCOPY, 1)
+ sk.sendto(b'', MSG_ZEROCOPY, ('127.0.0.1', 53))
+ sk.close()
+
+sendmsg() calls msg_zerocopy_alloc(), which allocates a skb, sets
+skb->cb->ubuf.refcnt to 1, and calls sock_hold(). Here, struct
+ubuf_info_msgzc indirectly holds a refcnt of the socket. When the
+skb is sent, __skb_tstamp_tx() clones it and puts the clone into
+the socket's error queue with the TX timestamp.
+
+When the original skb is received locally, skb_copy_ubufs() calls
+skb_unclone(), and pskb_expand_head() increments skb->cb->ubuf.refcnt.
+This additional count is decremented while freeing the skb, but struct
+ubuf_info_msgzc still has a refcnt, so __msg_zerocopy_callback() is
+not called.
+
+The last refcnt is not released unless we retrieve the TX timestamped
+skb by recvmsg(). Since we clear the error queue in inet_sock_destruct()
+after the socket's refcnt reaches 0, there is a circular dependency.
+If we close() the socket holding such skbs, we never call sock_put()
+and leak the count, sk, and skb.
+
+TCP has the same problem, and commit e0c8bccd40fc ("net: stream:
+purge sk_error_queue in sk_stream_kill_queues()") tried to fix it
+by calling skb_queue_purge() during close(). However, there is a
+small chance that skb queued in a qdisc or device could be put
+into the error queue after the skb_queue_purge() call.
+
+In __skb_tstamp_tx(), the cloned skb should not have a reference
+to the ubuf to remove the circular dependency, but skb_clone() does
+not call skb_copy_ubufs() for zerocopy skb. So, we need to call
+skb_orphan_frags_rx() for the cloned skb to call skb_copy_ubufs().
+
+[0]:
+BUG: memory leak
+unreferenced object 0xffff88800c6d2d00 (size 1152):
+ comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 cd af e8 81 00 00 00 00 ................
+ 02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............
+ backtrace:
+ [<0000000055636812>] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:2024
+ [<0000000054d77b7a>] sk_alloc+0x3b/0x800 net/core/sock.c:2083
+ [<0000000066f3c7e0>] inet_create net/ipv4/af_inet.c:319 [inline]
+ [<0000000066f3c7e0>] inet_create+0x31e/0xe40 net/ipv4/af_inet.c:245
+ [<000000009b83af97>] __sock_create+0x2ab/0x550 net/socket.c:1515
+ [<00000000b9b11231>] sock_create net/socket.c:1566 [inline]
+ [<00000000b9b11231>] __sys_socket_create net/socket.c:1603 [inline]
+ [<00000000b9b11231>] __sys_socket_create net/socket.c:1588 [inline]
+ [<00000000b9b11231>] __sys_socket+0x138/0x250 net/socket.c:1636
+ [<000000004fb45142>] __do_sys_socket net/socket.c:1649 [inline]
+ [<000000004fb45142>] __se_sys_socket net/socket.c:1647 [inline]
+ [<000000004fb45142>] __x64_sys_socket+0x73/0xb0 net/socket.c:1647
+ [<0000000066999e0e>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ [<0000000066999e0e>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
+ [<0000000017f238c1>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+BUG: memory leak
+unreferenced object 0xffff888017633a00 (size 240):
+ comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 2d 6d 0c 80 88 ff ff .........-m.....
+ backtrace:
+ [<000000002b1c4368>] __alloc_skb+0x229/0x320 net/core/skbuff.c:497
+ [<00000000143579a6>] alloc_skb include/linux/skbuff.h:1265 [inline]
+ [<00000000143579a6>] sock_omalloc+0xaa/0x190 net/core/sock.c:2596
+ [<00000000be626478>] msg_zerocopy_alloc net/core/skbuff.c:1294 [inline]
+ [<00000000be626478>] msg_zerocopy_realloc+0x1ce/0x7f0 net/core/skbuff.c:1370
+ [<00000000cbfc9870>] __ip_append_data+0x2adf/0x3b30 net/ipv4/ip_output.c:1037
+ [<0000000089869146>] ip_make_skb+0x26c/0x2e0 net/ipv4/ip_output.c:1652
+ [<00000000098015c2>] udp_sendmsg+0x1bac/0x2390 net/ipv4/udp.c:1253
+ [<0000000045e0e95e>] inet_sendmsg+0x10a/0x150 net/ipv4/af_inet.c:819
+ [<000000008d31bfde>] sock_sendmsg_nosec net/socket.c:714 [inline]
+ [<000000008d31bfde>] sock_sendmsg+0x141/0x190 net/socket.c:734
+ [<0000000021e21aa4>] __sys_sendto+0x243/0x360 net/socket.c:2117
+ [<00000000ac0af00c>] __do_sys_sendto net/socket.c:2129 [inline]
+ [<00000000ac0af00c>] __se_sys_sendto net/socket.c:2125 [inline]
+ [<00000000ac0af00c>] __x64_sys_sendto+0xe1/0x1c0 net/socket.c:2125
+ [<0000000066999e0e>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ [<0000000066999e0e>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
+ [<0000000017f238c1>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: f214f915e7db ("tcp: enable MSG_ZEROCOPY")
+Fixes: b5947e5d1e71 ("udp: msg_zerocopy")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skbuff.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 9dae8009b407d..71827da47274c 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4420,6 +4420,9 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
+ skb = alloc_skb(0, GFP_ATOMIC);
+ } else {
+ skb = skb_clone(orig_skb, GFP_ATOMIC);
++
++ if (skb_orphan_frags_rx(skb, GFP_ATOMIC))
++ return;
+ }
+ if (!skb)
+ return;
+--
+2.39.2
+
--- /dev/null
+From 448e513a5f603920bf805c5f30584fa36444395f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Apr 2023 14:55:55 -0500
+Subject: tty: serial: fsl_lpuart: adjust buffer length to the intended size
+
+From: Shenwei Wang <shenwei.wang@nxp.com>
+
+[ Upstream commit f73fd750552524b06b5d77ebfdd106ccc8fcac61 ]
+
+Based on the fls function definition provided below, we should not
+subtract 1 to obtain the correct buffer length:
+
+fls(0) = 0, fls(1) = 1, fls(0x80000000) = 32.
+
+Fixes: 5887ad43ee02 ("tty: serial: fsl_lpuart: Use cyclic DMA for Rx")
+Signed-off-by: Shenwei Wang <shenwei.wang@nxp.com>
+Link: https://lore.kernel.org/r/20230410195555.1003900-1-shenwei.wang@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/fsl_lpuart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
+index 20dd476e4d1a1..e7ab8ec032cfe 100644
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -998,7 +998,7 @@ static inline int lpuart_start_rx_dma(struct lpuart_port *sport)
+ * 10ms at any baud rate.
+ */
+ sport->rx_dma_rng_buf_len = (DMA_RX_TIMEOUT * baud / bits / 1000) * 2;
+- sport->rx_dma_rng_buf_len = (1 << (fls(sport->rx_dma_rng_buf_len) - 1));
++ sport->rx_dma_rng_buf_len = (1 << fls(sport->rx_dma_rng_buf_len));
+ if (sport->rx_dma_rng_buf_len < 16)
+ sport->rx_dma_rng_buf_len = 16;
+
+--
+2.39.2
+
--- /dev/null
+From a4883c38661d3b34b7e7b7968303f9e2a3245912 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Apr 2023 10:27:47 +0100
+Subject: uapi/linux/const.h: prefer ISO-friendly __typeof__
+
+From: Kevin Brodsky <kevin.brodsky@arm.com>
+
+[ Upstream commit 31088f6f7906253ef4577f6a9b84e2d42447dba0 ]
+
+typeof is (still) a GNU extension, which means that it cannot be used when
+building ISO C (e.g. -std=c99). It should therefore be avoided in uapi
+headers in favour of the ISO-friendly __typeof__.
+
+Unfortunately this issue could not be detected by
+CONFIG_UAPI_HEADER_TEST=y as the __ALIGN_KERNEL() macro is not expanded in
+any uapi header.
+
+This matters from a userspace perspective, not a kernel one. uapi
+headers and their contents are expected to be usable in a variety of
+situations, and in particular when building ISO C applications (with
+-std=c99 or similar).
+
+This particular problem can be reproduced by trying to use the
+__ALIGN_KERNEL macro directly in application code, say:
+
+#include <linux/const.h>
+
+int align(int x, int a)
+{
+ return __KERNEL_ALIGN(x, a);
+}
+
+and trying to build that with -std=c99.
+
+Link: https://lkml.kernel.org/r/20230411092747.3759032-1-kevin.brodsky@arm.com
+Fixes: a79ff731a1b2 ("netfilter: xtables: make XT_ALIGN() usable in exported headers by exporting __ALIGN_KERNEL()")
+Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
+Reported-by: Ruben Ayrapetyan <ruben.ayrapetyan@arm.com>
+Tested-by: Ruben Ayrapetyan <ruben.ayrapetyan@arm.com>
+Reviewed-by: Petr Vorel <pvorel@suse.cz>
+Tested-by: Petr Vorel <pvorel@suse.cz>
+Reviewed-by: Masahiro Yamada <masahiroy@kernel.org>
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/const.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/const.h b/include/uapi/linux/const.h
+index 0bd39530b2e38..4ef7c87d12492 100644
+--- a/include/uapi/linux/const.h
++++ b/include/uapi/linux/const.h
+@@ -28,7 +28,7 @@
+ #define _BITUL(x) (_AC(1,UL) << (x))
+ #define _BITULL(x) (_AC(1,ULL) << (x))
+
+-#define __ALIGN_KERNEL(x, a) __ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)
++#define __ALIGN_KERNEL(x, a) __ALIGN_KERNEL_MASK(x, (__typeof__(x))(a) - 1)
+ #define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask))
+
+ #define __KERNEL_DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
+--
+2.39.2
+
--- /dev/null
+From 55d48c9b3a140dff34d56423ae3d56af811964ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Apr 2023 13:58:52 +0800
+Subject: usb: chipidea: fix missing goto in `ci_hdrc_probe`
+
+From: Yinhao Hu <dddddd@hust.edu.cn>
+
+[ Upstream commit d6f712f53b79f5017cdcefafb7a5aea9ec52da5d ]
+
+From the comment of ci_usb_phy_init, it returns an error code if
+usb_phy_init has failed, and it should do some clean up, not just
+return directly.
+
+Fix this by goto the error handling.
+
+Fixes: 74475ede784d ("usb: chipidea: move PHY operation to core")
+Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Signed-off-by: Yinhao Hu <dddddd@hust.edu.cn>
+Link: https://lore.kernel.org/r/20230412055852.971991-1-dddddd@hust.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/chipidea/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/chipidea/core.c b/drivers/usb/chipidea/core.c
+index 48fbb6302e60e..4cacb91c47291 100644
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -987,7 +987,7 @@ static int ci_hdrc_probe(struct platform_device *pdev)
+ ret = ci_usb_phy_init(ci);
+ if (ret) {
+ dev_err(dev, "unable to init phy: %d\n", ret);
+- return ret;
++ goto ulpi_exit;
+ }
+
+ ci->hw_bank.phys = res->start;
+--
+2.39.2
+
--- /dev/null
+From 82a30ef8297ef5ceefd302e9967cf10bf2c66dd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 08:33:02 -0700
+Subject: vlan: partially enable SIOCSHWTSTAMP in container
+
+From: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+
+[ Upstream commit 731b73dba359e3ff00517c13aa0daa82b34ff466 ]
+
+Setting timestamp filter was explicitly disabled on vlan devices in
+containers because it might affect other processes on the host. But it's
+absolutely legit in case when real device is in the same namespace.
+
+Fixes: 873017af7784 ("vlan: disable SIOCSHWTSTAMP in container")
+Signed-off-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/8021q/vlan_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
+index ed3717dc2d201..e871d3b27c479 100644
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -367,7 +367,7 @@ static int vlan_dev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
+
+ switch (cmd) {
+ case SIOCSHWTSTAMP:
+- if (!net_eq(dev_net(dev), &init_net))
++ if (!net_eq(dev_net(dev), dev_net(real_dev)))
+ break;
+ case SIOCGMIIPHY:
+ case SIOCGMIIREG:
+--
+2.39.2
+
--- /dev/null
+From 02fe2fab521f2a02e3e45abf78e50e32948e3e12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Feb 2023 16:15:48 +0300
+Subject: wifi: ath5k: fix an off by one check in ath5k_eeprom_read_freq_list()
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit 4c856ee12df85aabd437c3836ed9f68d94268358 ]
+
+This loop checks that i < max at the start of loop but then it does
+i++ which could put it past the end of the array. It's harmless to
+check again and prevent a potential out of bounds.
+
+Fixes: 1048643ea94d ("ath5k: Clean up eeprom parsing and add missing calibration data")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/Y+D9hPQrHfWBJhXz@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath5k/eeprom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath5k/eeprom.c b/drivers/net/wireless/ath/ath5k/eeprom.c
+index 01163b3339451..92f5c8e830901 100644
+--- a/drivers/net/wireless/ath/ath5k/eeprom.c
++++ b/drivers/net/wireless/ath/ath5k/eeprom.c
+@@ -529,7 +529,7 @@ ath5k_eeprom_read_freq_list(struct ath5k_hw *ah, int *offset, int max,
+ ee->ee_n_piers[mode]++;
+
+ freq2 = (val >> 8) & 0xff;
+- if (!freq2)
++ if (!freq2 || i >= max)
+ break;
+
+ pc[i++].freq = ath5k_eeprom_bin2freq(ee,
+--
+2.39.2
+
--- /dev/null
+From e4adf38968bc5294b0376d8216738d9393753e64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Feb 2023 20:31:37 +0200
+Subject: wifi: ath6kl: minor fix for allocation size
+
+From: Alexey V. Vissarionov <gremlin@altlinux.org>
+
+[ Upstream commit 778f83f889e7fca37780d9640fcbd0229ae38eaa ]
+
+Although the "param" pointer occupies more or equal space compared
+to "*param", the allocation size should use the size of variable
+itself.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: bdcd81707973cf8a ("Add ath6kl cleaned up driver")
+Signed-off-by: Alexey V. Vissarionov <gremlin@altlinux.org>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230117110414.GC12547@altlinux.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath6kl/bmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/bmi.c b/drivers/net/wireless/ath/ath6kl/bmi.c
+index 334dbd834b3a6..8380ee76bdde7 100644
+--- a/drivers/net/wireless/ath/ath6kl/bmi.c
++++ b/drivers/net/wireless/ath/ath6kl/bmi.c
+@@ -246,7 +246,7 @@ int ath6kl_bmi_execute(struct ath6kl *ar, u32 addr, u32 *param)
+ return -EACCES;
+ }
+
+- size = sizeof(cid) + sizeof(addr) + sizeof(param);
++ size = sizeof(cid) + sizeof(addr) + sizeof(*param);
+ if (size > ar->bmi.max_cmd_size) {
+ WARN_ON(1);
+ return -EINVAL;
+--
+2.39.2
+
--- /dev/null
+From e8b3f4cc2dae19f6c5cd7631a8e511151f0e5f0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Feb 2023 12:28:05 +0200
+Subject: wifi: ath6kl: reduce WARN to dev_dbg() in callback
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 75c4a8154cb6c7239fb55d5550f481f6765fb83c ]
+
+The warn is triggered on a known race condition, documented in the code above
+the test, that is correctly handled. Using WARN() hinders automated testing.
+Reducing severity.
+
+Fixes: de2070fc4aa7 ("ath6kl: Fix kernel panic on continuous driver load/unload")
+Reported-and-tested-by: syzbot+555908813b2ea35dae9a@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230126182431.867984-1-pchelkin@ispras.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath6kl/htc_pipe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/htc_pipe.c b/drivers/net/wireless/ath/ath6kl/htc_pipe.c
+index 546243e117379..634cde696272c 100644
+--- a/drivers/net/wireless/ath/ath6kl/htc_pipe.c
++++ b/drivers/net/wireless/ath/ath6kl/htc_pipe.c
+@@ -969,8 +969,8 @@ static int ath6kl_htc_pipe_rx_complete(struct ath6kl *ar, struct sk_buff *skb,
+ * Thus the possibility of ar->htc_target being NULL
+ * via ath6kl_recv_complete -> ath6kl_usb_io_comp_work.
+ */
+- if (WARN_ON_ONCE(!target)) {
+- ath6kl_err("Target not yet initialized\n");
++ if (!target) {
++ ath6kl_dbg(ATH6KL_DBG_HTC, "Target not yet initialized\n");
+ status = -EINVAL;
+ goto free_skb;
+ }
+--
+2.39.2
+
--- /dev/null
+From cd234b86dc1f219f23eb43d3ffdfbf138c780413 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Apr 2023 15:47:38 +0300
+Subject: wifi: iwlwifi: make the loop for card preparation effective
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit 28965ec0b5d9112585f725660e2ff13218505ace ]
+
+Since we didn't reset t to 0, only the first iteration of the loop
+did checked the ready bit several times.
+From the second iteration and on, we just tested the bit once and
+continued to the next iteration.
+
+Reported-and-tested-by: Lorenzo Zolfanelli <lorenzo@zolfa.nl>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216452
+Fixes: 289e5501c314 ("iwlwifi: fix the preparation of the card")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230416154301.615b683ab9c8.Ic52c3229d3345b0064fa34263293db095d88daf8@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+index 4d3cbe554f5bf..647ca6479a1e7 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -562,7 +562,6 @@ static int iwl_pcie_set_hw_ready(struct iwl_trans *trans)
+ int iwl_pcie_prepare_card_hw(struct iwl_trans *trans)
+ {
+ int ret;
+- int t = 0;
+ int iter;
+
+ IWL_DEBUG_INFO(trans, "iwl_trans_prepare_card_hw enter\n");
+@@ -577,6 +576,8 @@ int iwl_pcie_prepare_card_hw(struct iwl_trans *trans)
+ usleep_range(1000, 2000);
+
+ for (iter = 0; iter < 10; iter++) {
++ int t = 0;
++
+ /* If HW is not ready, prepare the conditions to check again */
+ iwl_set_bit(trans, CSR_HW_IF_CONFIG_REG,
+ CSR_HW_IF_CONFIG_REG_PREPARE);
+--
+2.39.2
+
--- /dev/null
+From 2a4213feb83768845f48a7ade7d1b66beb485918 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Apr 2023 11:41:33 +0300
+Subject: wifi: iwlwifi: mvm: check firmware response size
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 13513cec93ac9902d0b896976d8bab3758a9881c ]
+
+Check the firmware response size for responses to the
+memory read/write command in debugfs before using it.
+
+Fixes: 2b55f43f8e47 ("iwlwifi: mvm: Add mem debugfs entry")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230417113648.0d56fcaf68ee.I70e9571f3ed7263929b04f8fabad23c9b999e4ea@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
+index 714996187236e..7a830a9f702f7 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
+@@ -1721,6 +1721,11 @@ static ssize_t iwl_dbgfs_mem_read(struct file *file, char __user *user_buf,
+ if (ret < 0)
+ return ret;
+
++ if (iwl_rx_packet_payload_len(hcmd.resp_pkt) < sizeof(*rsp)) {
++ ret = -EIO;
++ goto out;
++ }
++
+ rsp = (void *)hcmd.resp_pkt->data;
+ if (le32_to_cpu(rsp->status) != DEBUG_MEM_STATUS_SUCCESS) {
+ ret = -ENXIO;
+@@ -1798,6 +1803,11 @@ static ssize_t iwl_dbgfs_mem_write(struct file *file,
+ if (ret < 0)
+ return ret;
+
++ if (iwl_rx_packet_payload_len(hcmd.resp_pkt) < sizeof(*rsp)) {
++ ret = -EIO;
++ goto out;
++ }
++
+ rsp = (void *)hcmd.resp_pkt->data;
+ if (rsp->status != DEBUG_MEM_STATUS_SUCCESS) {
+ ret = -ENXIO;
+--
+2.39.2
+
--- /dev/null
+From 34f7fd2ff978935732512b129738fcae2c35eb8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 17:09:17 +0100
+Subject: x86/apic: Fix atomic update of offset in reserve_eilvt_offset()
+
+From: Uros Bizjak <ubizjak@gmail.com>
+
+[ Upstream commit f96fb2df3eb31ede1b34b0521560967310267750 ]
+
+The detection of atomic update failure in reserve_eilvt_offset() is
+not correct. The value returned by atomic_cmpxchg() should be compared
+to the old value from the location to be updated.
+
+If these two are the same, then atomic update succeeded and
+"eilvt_offsets[offset]" location is updated to "new" in an atomic way.
+
+Otherwise, the atomic update failed and it should be retried with the
+value from "eilvt_offsets[offset]" - exactly what atomic_try_cmpxchg()
+does in a correct and more optimal way.
+
+Fixes: a68c439b1966c ("apic, x86: Check if EILVT APIC registers are available (AMD only)")
+Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/20230227160917.107820-1-ubizjak@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/apic/apic.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
+index 488e0853a44df..c3a4eeabe7534 100644
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -411,10 +411,9 @@ static unsigned int reserve_eilvt_offset(int offset, unsigned int new)
+ if (vector && !eilvt_entry_is_changeable(vector, new))
+ /* may not change if vectors are different */
+ return rsvd;
+- rsvd = atomic_cmpxchg(&eilvt_offsets[offset], rsvd, new);
+- } while (rsvd != new);
++ } while (!atomic_try_cmpxchg(&eilvt_offsets[offset], &rsvd, new));
+
+- rsvd &= ~APIC_EILVT_MASKED;
++ rsvd = new & ~APIC_EILVT_MASKED;
+ if (rsvd && rsvd != vector)
+ pr_info("LVT offset %d assigned for vector 0x%02x\n",
+ offset, rsvd);
+--
+2.39.2
+
--- /dev/null
+From 3d885d1dec96d5ca4722368c406d91865c8e817e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Mar 2023 00:30:04 -0700
+Subject: x86/ioapic: Don't return 0 from arch_dynirq_lower_bound()
+
+From: Saurabh Sengar <ssengar@linux.microsoft.com>
+
+[ Upstream commit 5af507bef93c09a94fb8f058213b489178f4cbe5 ]
+
+arch_dynirq_lower_bound() is invoked by the core interrupt code to
+retrieve the lowest possible Linux interrupt number for dynamically
+allocated interrupts like MSI.
+
+The x86 implementation uses this to exclude the IO/APIC GSI space.
+This works correctly as long as there is an IO/APIC registered, but
+returns 0 if not. This has been observed in VMs where the BIOS does
+not advertise an IO/APIC.
+
+0 is an invalid interrupt number except for the legacy timer interrupt
+on x86. The return value is unchecked in the core code, so it ends up
+to allocate interrupt number 0 which is subsequently considered to be
+invalid by the caller, e.g. the MSI allocation code.
+
+The function has already a check for 0 in the case that an IO/APIC is
+registered, as ioapic_dynirq_base is 0 in case of device tree setups.
+
+Consolidate this and zero check for both ioapic_dynirq_base and gsi_top,
+which is used in the case that no IO/APIC is registered.
+
+Fixes: 3e5bedc2c258 ("x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines")
+Signed-off-by: Saurabh Sengar <ssengar@linux.microsoft.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/1679988604-20308-1-git-send-email-ssengar@linux.microsoft.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/apic/io_apic.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
+index de74bca6a8ff6..1cceb30357aaf 100644
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -2357,17 +2357,21 @@ static int io_apic_get_redir_entries(int ioapic)
+
+ unsigned int arch_dynirq_lower_bound(unsigned int from)
+ {
++ unsigned int ret;
++
+ /*
+ * dmar_alloc_hwirq() may be called before setup_IO_APIC(), so use
+ * gsi_top if ioapic_dynirq_base hasn't been initialized yet.
+ */
+- if (!ioapic_initialized)
+- return gsi_top;
++ ret = ioapic_dynirq_base ? : gsi_top;
++
+ /*
+- * For DT enabled machines ioapic_dynirq_base is irrelevant and not
+- * updated. So simply return @from if ioapic_dynirq_base == 0.
++ * For DT enabled machines ioapic_dynirq_base is irrelevant and
++ * always 0. gsi_top can be 0 if there is no IO/APIC registered.
++ * 0 is an invalid interrupt number for dynamic allocations. Return
++ * @from instead.
+ */
+- return ioapic_dynirq_base ? : from;
++ return ret ? : from;
+ }
+
+ #ifdef CONFIG_X86_32
+--
+2.39.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
