--- /dev/null
+From fd7c815c94920de7403c9f12d2f2ef4f8157afea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Oct 2023 13:13:47 +0200
+Subject: arm64: dts: mediatek: mt8195: Set DSU PMU status to fail
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+
+[ Upstream commit d192615c307ec9f74cd0582880ece698533eb99b ]
+
+The DSU PMU allows monitoring performance events in the DSU cluster,
+which is done by configuring and reading back values from the DSU PMU
+system registers. However, for write-access to be allowed by ELs lower
+than EL3, the EL3 firmware needs to update the setting on the ACTLR3_EL3
+register, as it is disallowed by default.
+
+That configuration is not done on the firmware used by the MT8195 SoC,
+as a consequence, booting a MT8195-based machine like
+mt8195-cherry-tomato-r2 with CONFIG_ARM_DSU_PMU enabled hangs the kernel
+just as it writes to the CLUSTERPMOVSCLR_EL1 register, since the
+instruction faults to EL3, and BL31 apparently just re-runs the
+instruction over and over.
+
+Mark the DSU PMU node in the Devicetree with status "fail", as the
+machine doesn't have a suitable firmware to make use of it from the
+kernel, and allowing its driver to probe would hang the kernel.
+
+Fixes: 37f2582883be ("arm64: dts: Add mediatek SoC mt8195 and evaluation board")
+Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20230720200753.322133-1-nfraprado@collabora.com
+Link: https://lore.kernel.org/r/20231003-mediatek-fixes-v6-7-v1-5-dad7cd62a8ff@collabora.com
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8195.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8195.dtsi b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+index 2c2b946b614bf..ef2764a595eda 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8195.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+@@ -229,6 +229,7 @@ dsu-pmu {
+ interrupts = <GIC_SPI 18 IRQ_TYPE_LEVEL_HIGH 0>;
+ cpus = <&cpu0>, <&cpu1>, <&cpu2>, <&cpu3>,
+ <&cpu4>, <&cpu5>, <&cpu6>, <&cpu7>;
++ status = "fail";
+ };
+
+ dmic_codec: dmic-codec {
+--
+2.40.1
+
--- /dev/null
+From c1694f13ae3275e89cd56ecd0819cff03b517487 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Oct 2023 11:14:13 -0500
+Subject: bpf: Fix verifier log for async callback return values
+
+From: David Vernet <void@manifault.com>
+
+[ Upstream commit 829955981c557c7fc7416581c4cd68a8a0c28620 ]
+
+The verifier, as part of check_return_code(), verifies that async
+callbacks such as from e.g. timers, will return 0. It does this by
+correctly checking that R0->var_off is in tnum_const(0), which
+effectively checks that it's in a range of 0. If this condition fails,
+however, it prints an error message which says that the value should
+have been in (0x0; 0x1). This results in possibly confusing output such
+as the following in which an async callback returns 1:
+
+ At async callback the register R0 has value (0x1; 0x0) should have been in (0x0; 0x1)
+
+The fix is easy -- we should just pass the tnum_const(0) as the correct
+range to verbose_invalid_scalar(), which will then print the following:
+
+ At async callback the register R0 has value (0x1; 0x0) should have been in (0x0; 0x0)
+
+Fixes: bfc6bb74e4f1 ("bpf: Implement verifier support for validation of async callbacks.")
+Signed-off-by: David Vernet <void@manifault.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20231009161414.235829-1-void@manifault.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 3052680201e57..eb3f52be115d6 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -10778,7 +10778,7 @@ static int check_return_code(struct bpf_verifier_env *env)
+ struct tnum enforce_attach_type_range = tnum_unknown;
+ const struct bpf_prog *prog = env->prog;
+ struct bpf_reg_state *reg;
+- struct tnum range = tnum_range(0, 1);
++ struct tnum range = tnum_range(0, 1), const_0 = tnum_const(0);
+ enum bpf_prog_type prog_type = resolve_prog_type(env->prog);
+ int err;
+ struct bpf_func_state *frame = env->cur_state->frame[0];
+@@ -10826,8 +10826,8 @@ static int check_return_code(struct bpf_verifier_env *env)
+ return -EINVAL;
+ }
+
+- if (!tnum_in(tnum_const(0), reg->var_off)) {
+- verbose_invalid_scalar(env, reg, &range, "async callback", "R0");
++ if (!tnum_in(const_0, reg->var_off)) {
++ verbose_invalid_scalar(env, reg, &const_0, "async callback", "R0");
+ return -EINVAL;
+ }
+ return 0;
+--
+2.40.1
+
--- /dev/null
+From aa468ac1d298e7ac4e48f28977f8ee3c63f090f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Aug 2023 09:22:05 +0000
+Subject: can: isotp: isotp_sendmsg(): fix TX state detection and wait behavior
+
+From: Lukas Magel <lukas.magel@posteo.net>
+
+[ Upstream commit d9c2ba65e651467de739324d978b04ed8729f483 ]
+
+With patch [1], isotp_poll was updated to also queue the poller in the
+so->wait queue, which is used for send state changes. Since the queue
+now also contains polling tasks that are not interested in sending, the
+queue fill state can no longer be used as an indication of send
+readiness. As a consequence, nonblocking writes can lead to a race and
+lock-up of the socket if there is a second task polling the socket in
+parallel.
+
+With this patch, isotp_sendmsg does not consult wq_has_sleepers but
+instead tries to atomically set so->tx.state and waits on so->wait if it
+is unable to do so. This behavior is in alignment with isotp_poll, which
+also checks so->tx.state to determine send readiness.
+
+V2:
+- Revert direct exit to goto err_event_drop
+
+[1] https://lore.kernel.org/all/20230331125511.372783-1-michal.sojka@cvut.cz
+
+Reported-by: Maxime Jayat <maxime.jayat@mobile-devices.fr>
+Closes: https://lore.kernel.org/linux-can/11328958-453f-447f-9af8-3b5824dfb041@munic.io/
+Signed-off-by: Lukas Magel <lukas.magel@posteo.net>
+Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Fixes: 79e19fa79cb5 ("can: isotp: isotp_ops: fix poll() to not report false EPOLLOUT events")
+Link: https://github.com/pylessard/python-udsoncan/issues/178#issuecomment-1743786590
+Link: https://lore.kernel.org/all/20230827092205.7908-1-lukas.magel@posteo.net
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/isotp.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/net/can/isotp.c b/net/can/isotp.c
+index 8c97f4061ffd7..545889935d39c 100644
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -925,21 +925,18 @@ static int isotp_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
+ if (!so->bound || so->tx.state == ISOTP_SHUTDOWN)
+ return -EADDRNOTAVAIL;
+
+-wait_free_buffer:
+- /* we do not support multiple buffers - for now */
+- if (wq_has_sleeper(&so->wait) && (msg->msg_flags & MSG_DONTWAIT))
+- return -EAGAIN;
++ while (cmpxchg(&so->tx.state, ISOTP_IDLE, ISOTP_SENDING) != ISOTP_IDLE) {
++ /* we do not support multiple buffers - for now */
++ if (msg->msg_flags & MSG_DONTWAIT)
++ return -EAGAIN;
+
+- /* wait for complete transmission of current pdu */
+- err = wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE);
+- if (err)
+- goto err_event_drop;
+-
+- if (cmpxchg(&so->tx.state, ISOTP_IDLE, ISOTP_SENDING) != ISOTP_IDLE) {
+ if (so->tx.state == ISOTP_SHUTDOWN)
+ return -EADDRNOTAVAIL;
+
+- goto wait_free_buffer;
++ /* wait for complete transmission of current pdu */
++ err = wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE);
++ if (err)
++ goto err_event_drop;
+ }
+
+ if (!size || size > MAX_MSG_LENGTH) {
+--
+2.40.1
+
--- /dev/null
+From 2e7e14439bcd6bc805f83042a5ea27e366a0501c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Sep 2023 09:13:43 +1000
+Subject: can: sun4i_can: Only show Kconfig if ARCH_SUNXI is set
+
+From: John Watts <contact@jookia.org>
+
+[ Upstream commit 1f223208ebdef84f21c15e9958c005a93c871aa2 ]
+
+When adding the RISCV option I didn't gate it behind ARCH_SUNXI.
+As a result this option shows up with Allwinner support isn't enabled.
+Fix that by requiring ARCH_SUNXI to be set if RISCV is set.
+
+Fixes: 8abb95250ae6 ("can: sun4i_can: Add support for the Allwinner D1")
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Closes: https://lore.kernel.org/linux-sunxi/CAMuHMdV2m54UAH0X2dG7stEg=grFihrdsz4+o7=_DpBMhjTbkw@mail.gmail.com/
+Signed-off-by: John Watts <contact@jookia.org>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/all/20230905231342.2042759-2-contact@jookia.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/Kconfig b/drivers/net/can/Kconfig
+index 8236aabebb394..e45b95a13157b 100644
+--- a/drivers/net/can/Kconfig
++++ b/drivers/net/can/Kconfig
+@@ -174,7 +174,7 @@ config CAN_SLCAN
+
+ config CAN_SUN4I
+ tristate "Allwinner A10 CAN controller"
+- depends on MACH_SUN4I || MACH_SUN7I || RISCV || COMPILE_TEST
++ depends on MACH_SUN4I || MACH_SUN7I || (RISCV && ARCH_SUNXI) || COMPILE_TEST
+ help
+ Say Y here if you want to use CAN controller found on Allwinner
+ A10/A20/D1 SoCs.
+--
+2.40.1
+
--- /dev/null
+From 88d4b29e7ab698ae6c8501dd747e2fc6263e463f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Aug 2023 16:01:08 -0700
+Subject: drm/msm/dp: Add newlines to debug printks
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit eba8c99a0fc45da1c8d5b5f5bd1dc2e79229a767 ]
+
+These debug printks are missing newlines, causing drm debug logs to be
+hard to read. Add newlines so that the messages are on their own line.
+
+Cc: Kuogee Hsieh <quic_khsieh@quicinc.com>
+Cc: Vinod Polimera <quic_vpolimer@quicinc.com>
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Fixes: 601f0479c583 ("drm/msm/dp: add logs across DP driver for ease of debugging")
+Fixes: cd779808cccd ("drm/msm/dp: Add basic PSR support for eDP")
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/554533/
+Link: https://lore.kernel.org/r/20230825230109.2264345-1-swboyd@chromium.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dp/dp_link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dp/dp_link.c b/drivers/gpu/drm/msm/dp/dp_link.c
+index 36bb6191d2f03..cb66d1126ea96 100644
+--- a/drivers/gpu/drm/msm/dp/dp_link.c
++++ b/drivers/gpu/drm/msm/dp/dp_link.c
+@@ -1068,7 +1068,7 @@ int dp_link_process_request(struct dp_link *dp_link)
+ }
+ }
+
+- drm_dbg_dp(link->drm_dev, "sink request=%#x",
++ drm_dbg_dp(link->drm_dev, "sink request=%#x\n",
+ dp_link->sink_request);
+ return ret;
+ }
+--
+2.40.1
+
--- /dev/null
+From 7bb6239a12eeed6dab63ae7a3d8c076e932b0115 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Aug 2023 15:19:50 -0700
+Subject: drm/msm/dp: do not reinitialize phy unless retry during link training
+
+From: Kuogee Hsieh <quic_khsieh@quicinc.com>
+
+[ Upstream commit 0c1a2e69bcb506f48ebf94bd199bab0b93f66da2 ]
+
+DP PHY re-initialization done using dp_ctrl_reinitialize_mainlink() will
+cause PLL unlocked initially and then PLL gets locked at the end of
+initialization. PLL_UNLOCKED interrupt will fire during this time if the
+interrupt mask is enabled.
+
+However currently DP driver link training implementation incorrectly
+re-initializes PHY unconditionally during link training as the PHY was
+already configured in dp_ctrl_enable_mainlink_clocks().
+
+Fix this by re-initializing the PHY only if the previous link training
+failed.
+
+[drm:dp_aux_isr] *ERROR* Unexpected DP AUX IRQ 0x01000000 when not busy
+
+Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support")
+Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/30
+Signed-off-by: Kuogee Hsieh <quic_khsieh@quicinc.com>
+Tested-by: Abhinav Kumar <quic_abhinavk@quicinc.com> # sc7280
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Tested-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/551847/
+Link: https://lore.kernel.org/r/1691533190-19335-1-git-send-email-quic_khsieh@quicinc.com
+[quic_abhinavk@quicinc.com: added line break in commit text]
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dp/dp_ctrl.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.c b/drivers/gpu/drm/msm/dp/dp_ctrl.c
+index dd26ca651a054..103eef9f059a0 100644
+--- a/drivers/gpu/drm/msm/dp/dp_ctrl.c
++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.c
+@@ -1711,13 +1711,6 @@ int dp_ctrl_on_link(struct dp_ctrl *dp_ctrl)
+ return rc;
+
+ while (--link_train_max_retries) {
+- rc = dp_ctrl_reinitialize_mainlink(ctrl);
+- if (rc) {
+- DRM_ERROR("Failed to reinitialize mainlink. rc=%d\n",
+- rc);
+- break;
+- }
+-
+ training_step = DP_TRAINING_NONE;
+ rc = dp_ctrl_setup_main_link(ctrl, &training_step);
+ if (rc == 0) {
+@@ -1769,6 +1762,12 @@ int dp_ctrl_on_link(struct dp_ctrl *dp_ctrl)
+ /* stop link training before start re training */
+ dp_ctrl_clear_training_pattern(ctrl);
+ }
++
++ rc = dp_ctrl_reinitialize_mainlink(ctrl);
++ if (rc) {
++ DRM_ERROR("Failed to reinitialize mainlink. rc=%d\n", rc);
++ break;
++ }
+ }
+
+ if (ctrl->link->sink_request & DP_TEST_LINK_PHY_TEST_PATTERN)
+--
+2.40.1
+
--- /dev/null
+From 23b54f3a029d0203ee85432e49ea0f57928a9f46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Sep 2023 18:26:16 -0700
+Subject: drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid overflow
+
+From: Abhinav Kumar <quic_abhinavk@quicinc.com>
+
+[ Upstream commit 95e681ca3b65e4ce3d2537b47672d787b7d30375 ]
+
+_dpu_plane_calc_bw() uses integer variables to calculate the bandwidth
+used during plane bandwidth calculations. However for high resolution
+displays this overflows easily and leads to below errors
+
+[dpu error]crtc83 failed performance check -7
+
+Promote the intermediate variables to u64 to avoid overflow.
+
+changes in v2:
+ - change to u64 where actually needed in the math
+
+Fixes: c33b7c0389e1 ("drm/msm/dpu: add support for clk and bw scaling for display")
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reported-by: Nia Espera <nespera@igalia.com>
+Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/32
+Tested-by: Nia Espera <nespera@igalia.com>
+Patchwork: https://patchwork.freedesktop.org/patch/556288/
+Link: https://lore.kernel.org/r/20230908012616.20654-1-quic_abhinavk@quicinc.com
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
+index 3fbda2a1f77fc..62d48c0f905e4 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c
+@@ -142,6 +142,7 @@ static void _dpu_plane_calc_bw(struct drm_plane *plane,
+ const struct dpu_format *fmt = NULL;
+ struct dpu_kms *dpu_kms = _dpu_plane_get_kms(plane);
+ int src_width, src_height, dst_height, fps;
++ u64 plane_pixel_rate, plane_bit_rate;
+ u64 plane_prefill_bw;
+ u64 plane_bw;
+ u32 hw_latency_lines;
+@@ -164,13 +165,12 @@ static void _dpu_plane_calc_bw(struct drm_plane *plane,
+ scale_factor = src_height > dst_height ?
+ mult_frac(src_height, 1, dst_height) : 1;
+
+- plane_bw =
+- src_width * mode->vtotal * fps * fmt->bpp *
+- scale_factor;
++ plane_pixel_rate = src_width * mode->vtotal * fps;
++ plane_bit_rate = plane_pixel_rate * fmt->bpp;
+
+- plane_prefill_bw =
+- src_width * hw_latency_lines * fps * fmt->bpp *
+- scale_factor * mode->vtotal;
++ plane_bw = plane_bit_rate * scale_factor;
++
++ plane_prefill_bw = plane_bw * hw_latency_lines;
+
+ if ((vbp+vpw) > hw_latency_lines)
+ do_div(plane_prefill_bw, (vbp+vpw));
+--
+2.40.1
+
--- /dev/null
+From ee093fd18ebe4516b41a4290829d0c328ab288c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 15:59:40 +0300
+Subject: drm/msm/dsi: fix irq_of_parse_and_map() error checking
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 6a1d4c7976dd1ee7c9f80bc8e62801ec7b1f2f58 ]
+
+The irq_of_parse_and_map() function returns zero on error. It
+never returns negative error codes. Fix the check.
+
+Fixes: a689554ba6ed ("drm/msm: Initial add DSI connector support")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/557715/
+Link: https://lore.kernel.org/r/4f3c5c98-04f7-43f7-900f-5d7482c83eef@moroto.mountain
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index 6c1ebeb9023eb..e20cd3dd2c6cc 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -1972,10 +1972,9 @@ int msm_dsi_host_init(struct msm_dsi *msm_dsi)
+ }
+
+ msm_host->irq = irq_of_parse_and_map(pdev->dev.of_node, 0);
+- if (msm_host->irq < 0) {
+- ret = msm_host->irq;
+- dev_err(&pdev->dev, "failed to get irq: %d\n", ret);
+- return ret;
++ if (!msm_host->irq) {
++ dev_err(&pdev->dev, "failed to get irq\n");
++ return -EINVAL;
+ }
+
+ /* do not autoenable, will be enabled later */
+--
+2.40.1
+
--- /dev/null
+From 35e54e88b0f8da54d8eecd2e438140591eeb9a0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 13:44:25 -0700
+Subject: drm/msm/dsi: skip the wait for video mode done if not applicable
+
+From: Abhinav Kumar <quic_abhinavk@quicinc.com>
+
+[ Upstream commit ab483e3adcc178254eb1ce0fbdfbea65f86f1006 ]
+
+dsi_wait4video_done() API waits for the DSI video mode engine to
+become idle so that we can transmit the DCS commands in the
+beginning of BLLP. However, with the current sequence, the MDP
+timing engine is turned on after the panel's pre_enable() callback
+which can send out the DCS commands needed to power up the panel.
+
+During those cases, this API will always timeout and print out the
+error spam leading to long bootup times and log flooding.
+
+Fix this by checking if the DSI video engine was actually busy before
+waiting for it to become idle otherwise this is a redundant wait.
+
+changes in v2:
+ - move the reg read below the video mode check
+ - minor fixes in commit text
+
+Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/34
+Fixes: a689554ba6ed ("drm/msm: Initial add DSI connector support")
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/557853/
+Link: https://lore.kernel.org/r/20230915204426.19011-1-quic_abhinavk@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index b433ccfe4d7da..6c1ebeb9023eb 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -1098,9 +1098,21 @@ static void dsi_wait4video_done(struct msm_dsi_host *msm_host)
+
+ static void dsi_wait4video_eng_busy(struct msm_dsi_host *msm_host)
+ {
++ u32 data;
++
+ if (!(msm_host->mode_flags & MIPI_DSI_MODE_VIDEO))
+ return;
+
++ data = dsi_read(msm_host, REG_DSI_STATUS0);
++
++ /* if video mode engine is not busy, its because
++ * either timing engine was not turned on or the
++ * DSI controller has finished transmitting the video
++ * data already, so no need to wait in those cases
++ */
++ if (!(data & DSI_STATUS0_VIDEO_MODE_ENGINE_BUSY))
++ return;
++
+ if (msm_host->power_on && msm_host->enabled) {
+ dsi_wait4video_done(msm_host);
+ /* delay 4 ms to skip BLLP */
+--
+2.40.1
+
--- /dev/null
+From c025561aed583422ec3fb2ba05427eecde179c0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 18:02:03 +0800
+Subject: drm/vmwgfx: fix typo of sizeof argument
+
+From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
+
+[ Upstream commit 39465cac283702a7d4a507a558db81898029c6d3 ]
+
+Since size of 'header' pointer and '*header' structure is equal on 64-bit
+machines issue probably didn't cause any wrong behavior. But anyway,
+fixing typo is required.
+
+Fixes: 7a73ba7469cb ("drm/vmwgfx: Use TTM handles instead of SIDs as user-space surface handles.")
+Co-developed-by: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com>
+Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
+Reviewed-by: Zack Rusin <zackr@vmware.com>
+Signed-off-by: Zack Rusin <zackr@vmware.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230905100203.1716731-1-konstantin.meskhidze@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+index 58ca9adf09871..7e59469e1cb9f 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+@@ -1614,7 +1614,7 @@ static int vmw_cmd_tex_state(struct vmw_private *dev_priv,
+ {
+ VMW_DECLARE_CMD_VAR(*cmd, SVGA3dCmdSetTextureState);
+ SVGA3dTextureState *last_state = (SVGA3dTextureState *)
+- ((unsigned long) header + header->size + sizeof(header));
++ ((unsigned long) header + header->size + sizeof(*header));
+ SVGA3dTextureState *cur_state = (SVGA3dTextureState *)
+ ((unsigned long) header + sizeof(*cmd));
+ struct vmw_resource *ctx;
+--
+2.40.1
+
--- /dev/null
+From a48c130ea0bb4ed842e7d7e5532aade89a800f5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Oct 2023 15:36:45 +0200
+Subject: ethtool: Fix mod state of verbose no_mask bitset
+
+From: Kory Maincent <kory.maincent@bootlin.com>
+
+[ Upstream commit 108a36d07c01edbc5942d27c92494d1c6e4d45a0 ]
+
+A bitset without mask in a _SET request means we want exactly the bits in
+the bitset to be set. This works correctly for compact format but when
+verbose format is parsed, ethnl_update_bitset32_verbose() only sets the
+bits present in the request bitset but does not clear the rest. The commit
+6699170376ab fixes this issue by clearing the whole target bitmap before we
+start iterating. The solution proposed brought an issue with the behavior
+of the mod variable. As the bitset is always cleared the old val will
+always differ to the new val.
+
+Fix it by adding a new temporary variable which save the state of the old
+bitmap.
+
+Fixes: 6699170376ab ("ethtool: fix application of verbose no_mask bitset")
+Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20231009133645.44503-1-kory.maincent@bootlin.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ethtool/bitset.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/net/ethtool/bitset.c b/net/ethtool/bitset.c
+index 0515d6604b3b9..883ed9be81f9f 100644
+--- a/net/ethtool/bitset.c
++++ b/net/ethtool/bitset.c
+@@ -431,8 +431,10 @@ ethnl_update_bitset32_verbose(u32 *bitmap, unsigned int nbits,
+ ethnl_string_array_t names,
+ struct netlink_ext_ack *extack, bool *mod)
+ {
++ u32 *orig_bitmap, *saved_bitmap = NULL;
+ struct nlattr *bit_attr;
+ bool no_mask;
++ bool dummy;
+ int rem;
+ int ret;
+
+@@ -448,8 +450,22 @@ ethnl_update_bitset32_verbose(u32 *bitmap, unsigned int nbits,
+ }
+
+ no_mask = tb[ETHTOOL_A_BITSET_NOMASK];
+- if (no_mask)
+- ethnl_bitmap32_clear(bitmap, 0, nbits, mod);
++ if (no_mask) {
++ unsigned int nwords = DIV_ROUND_UP(nbits, 32);
++ unsigned int nbytes = nwords * sizeof(u32);
++
++ /* The bitmap size is only the size of the map part without
++ * its mask part.
++ */
++ saved_bitmap = kcalloc(nwords, sizeof(u32), GFP_KERNEL);
++ if (!saved_bitmap)
++ return -ENOMEM;
++ memcpy(saved_bitmap, bitmap, nbytes);
++ ethnl_bitmap32_clear(bitmap, 0, nbits, &dummy);
++ orig_bitmap = saved_bitmap;
++ } else {
++ orig_bitmap = bitmap;
++ }
+
+ nla_for_each_nested(bit_attr, tb[ETHTOOL_A_BITSET_BITS], rem) {
+ bool old_val, new_val;
+@@ -458,13 +474,14 @@ ethnl_update_bitset32_verbose(u32 *bitmap, unsigned int nbits,
+ if (nla_type(bit_attr) != ETHTOOL_A_BITSET_BITS_BIT) {
+ NL_SET_ERR_MSG_ATTR(extack, bit_attr,
+ "only ETHTOOL_A_BITSET_BITS_BIT allowed in ETHTOOL_A_BITSET_BITS");
+- return -EINVAL;
++ ret = -EINVAL;
++ goto out;
+ }
+ ret = ethnl_parse_bit(&idx, &new_val, nbits, bit_attr, no_mask,
+ names, extack);
+ if (ret < 0)
+- return ret;
+- old_val = bitmap[idx / 32] & ((u32)1 << (idx % 32));
++ goto out;
++ old_val = orig_bitmap[idx / 32] & ((u32)1 << (idx % 32));
+ if (new_val != old_val) {
+ if (new_val)
+ bitmap[idx / 32] |= ((u32)1 << (idx % 32));
+@@ -474,7 +491,10 @@ ethnl_update_bitset32_verbose(u32 *bitmap, unsigned int nbits,
+ }
+ }
+
+- return 0;
++ ret = 0;
++out:
++ kfree(saved_bitmap);
++ return ret;
+ }
+
+ static int ethnl_compact_sanity_checks(unsigned int nbits,
+--
+2.40.1
+
--- /dev/null
+From 734f2b8e5964745da219fa0ce1c3378971e0ad6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Oct 2023 11:30:49 +0800
+Subject: ieee802154: ca8210: Fix a potential UAF in ca8210_probe
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit f990874b1c98fe8e57ee9385669f501822979258 ]
+
+If of_clk_add_provider() fails in ca8210_register_ext_clock(),
+it calls clk_unregister() to release priv->clk and returns an
+error. However, the caller ca8210_probe() then calls ca8210_remove(),
+where priv->clk is freed again in ca8210_unregister_ext_clock(). In
+this case, a use-after-free may happen in the second time we call
+clk_unregister().
+
+Fix this by removing the first clk_unregister(). Also, priv->clk could
+be an error code on failure of clk_register_fixed_rate(). Use
+IS_ERR_OR_NULL to catch this case in ca8210_unregister_ext_clock().
+
+Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Message-ID: <20231007033049.22353-1-dinghao.liu@zju.edu.cn>
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/ca8210.c | 17 +++--------------
+ 1 file changed, 3 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
+index d0b5129439ed6..c2201e0adc46c 100644
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -2740,7 +2740,6 @@ static int ca8210_register_ext_clock(struct spi_device *spi)
+ struct device_node *np = spi->dev.of_node;
+ struct ca8210_priv *priv = spi_get_drvdata(spi);
+ struct ca8210_platform_data *pdata = spi->dev.platform_data;
+- int ret = 0;
+
+ if (!np)
+ return -EFAULT;
+@@ -2757,18 +2756,8 @@ static int ca8210_register_ext_clock(struct spi_device *spi)
+ dev_crit(&spi->dev, "Failed to register external clk\n");
+ return PTR_ERR(priv->clk);
+ }
+- ret = of_clk_add_provider(np, of_clk_src_simple_get, priv->clk);
+- if (ret) {
+- clk_unregister(priv->clk);
+- dev_crit(
+- &spi->dev,
+- "Failed to register external clock as clock provider\n"
+- );
+- } else {
+- dev_info(&spi->dev, "External clock set as clock provider\n");
+- }
+
+- return ret;
++ return of_clk_add_provider(np, of_clk_src_simple_get, priv->clk);
+ }
+
+ /**
+@@ -2780,8 +2769,8 @@ static void ca8210_unregister_ext_clock(struct spi_device *spi)
+ {
+ struct ca8210_priv *priv = spi_get_drvdata(spi);
+
+- if (!priv->clk)
+- return
++ if (IS_ERR_OR_NULL(priv->clk))
++ return;
+
+ of_clk_del_provider(spi->dev.of_node);
+ clk_unregister(priv->clk);
+--
+2.40.1
+
--- /dev/null
+From b781010fbe52ef1beb6457c2c5e31d95d0e5d09f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Oct 2023 15:53:09 +0300
+Subject: ixgbe: fix crash with empty VF macvlan list
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 7b5add9af567c44e12196107f0fe106e194034fd ]
+
+The adapter->vf_mvs.l list needs to be initialized even if the list is
+empty. Otherwise it will lead to crashes.
+
+Fixes: a1cbb15c1397 ("ixgbe: Add macvlan support for VF")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Link: https://lore.kernel.org/r/ZSADNdIw8zFx1xw2@kadam
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
+index 29cc609880712..ea88ac04ab9ad 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
+@@ -28,6 +28,9 @@ static inline void ixgbe_alloc_vf_macvlans(struct ixgbe_adapter *adapter,
+ struct vf_macvlans *mv_list;
+ int num_vf_macvlans, i;
+
++ /* Initialize list of VF macvlans */
++ INIT_LIST_HEAD(&adapter->vf_mvs.l);
++
+ num_vf_macvlans = hw->mac.num_rar_entries -
+ (IXGBE_MAX_PF_MACVLANS + 1 + num_vfs);
+ if (!num_vf_macvlans)
+@@ -36,8 +39,6 @@ static inline void ixgbe_alloc_vf_macvlans(struct ixgbe_adapter *adapter,
+ mv_list = kcalloc(num_vf_macvlans, sizeof(struct vf_macvlans),
+ GFP_KERNEL);
+ if (mv_list) {
+- /* Initialize list of VF macvlans */
+- INIT_LIST_HEAD(&adapter->vf_mvs.l);
+ for (i = 0; i < num_vf_macvlans; i++) {
+ mv_list[i].vf = -1;
+ mv_list[i].free = true;
+--
+2.40.1
+
--- /dev/null
+From faaf24d435fd3d40e90d400f5ee63ff58749a63a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Oct 2023 17:00:12 +0300
+Subject: mlxsw: fix mlxsw_sp2_nve_vxlan_learning_set() return type
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 1e0b72a2a6432c0ef67ee5ce8d9172a7c20bba25 ]
+
+The mlxsw_sp2_nve_vxlan_learning_set() function is supposed to return
+zero on success or negative error codes. So it needs to be type int
+instead of bool.
+
+Fixes: 4ee70efab68d ("mlxsw: spectrum_nve: Add support for VXLAN on Spectrum-2")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c
+index d309b77a01944..cdd8818b49d0a 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c
+@@ -308,8 +308,8 @@ const struct mlxsw_sp_nve_ops mlxsw_sp1_nve_vxlan_ops = {
+ .fdb_clear_offload = mlxsw_sp_nve_vxlan_clear_offload,
+ };
+
+-static bool mlxsw_sp2_nve_vxlan_learning_set(struct mlxsw_sp *mlxsw_sp,
+- bool learning_en)
++static int mlxsw_sp2_nve_vxlan_learning_set(struct mlxsw_sp *mlxsw_sp,
++ bool learning_en)
+ {
+ char tnpc_pl[MLXSW_REG_TNPC_LEN];
+
+--
+2.40.1
+
--- /dev/null
+From 9833636d30de98c79c80fc1faf5661711bbe9b5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Oct 2023 11:19:04 +0200
+Subject: net: dsa: qca8k: fix potential MDIO bus conflict when accessing
+ internal PHYs via management frames
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <kabel@kernel.org>
+
+[ Upstream commit 526c8ee04bdbd4d8d19a583b1f3b06700229a815 ]
+
+Besides the QCA8337 switch the Turris 1.x device has on it's MDIO bus
+also Micron ethernet PHY (dedicated to the WAN port).
+
+We've been experiencing a strange behavior of the WAN ethernet
+interface, wherein the WAN PHY started timing out the MDIO accesses, for
+example when the interface was brought down and then back up.
+
+Bisecting led to commit 2cd548566384 ("net: dsa: qca8k: add support for
+phy read/write with mgmt Ethernet"), which added support to access the
+QCA8337 switch's internal PHYs via management ethernet frames.
+
+Connecting the MDIO bus pins onto an oscilloscope, I was able to see
+that the MDIO bus was active whenever a request to read/write an
+internal PHY register was done via an management ethernet frame.
+
+My theory is that when the switch core always communicates with the
+internal PHYs via the MDIO bus, even when externally we request the
+access via ethernet. This MDIO bus is the same one via which the switch
+and internal PHYs are accessible to the board, and the board may have
+other devices connected on this bus. An ASCII illustration may give more
+insight:
+
+ +---------+
+ +----| |
+ | | WAN PHY |
+ | +--| |
+ | | +---------+
+ | |
+ | | +----------------------------------+
+ | | | QCA8337 |
+MDC | | | +-------+ |
+------o-+--|--------o------------o--| | |
+MDIO | | | | | PHY 1 |-|--to RJ45
+--------o--|---o----+---------o--+--| | |
+ | | | | | +-------+ |
+ | +-------------+ | o--| | |
+ | | MDIO MDC | | | | PHY 2 |-|--to RJ45
+eth1 | | | o--+--| | |
+-----------|-|port0 | | | +-------+ |
+ | | | | o--| | |
+ | | switch core | | | | PHY 3 |-|--to RJ45
+ | +-------------+ o--+--| | |
+ | | | +-------+ |
+ | | o--| ... | |
+ +----------------------------------+
+
+When we send a request to read an internal PHY register via an ethernet
+management frame via eth1, the switch core receives the ethernet frame
+on port 0 and then communicates with the internal PHY via MDIO. At this
+time, other potential devices, such as the WAN PHY on Turris 1.x, cannot
+use the MDIO bus, since it may cause a bus conflict.
+
+Fix this issue by locking the MDIO bus even when we are accessing the
+PHY registers via ethernet management frames.
+
+Fixes: 2cd548566384 ("net: dsa: qca8k: add support for phy read/write with mgmt Ethernet")
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Reviewed-by: Christian Marangi <ansuelsmth@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/qca/qca8k-8xxx.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/net/dsa/qca/qca8k-8xxx.c b/drivers/net/dsa/qca/qca8k-8xxx.c
+index b3f7988668996..1e94ba1031ece 100644
+--- a/drivers/net/dsa/qca/qca8k-8xxx.c
++++ b/drivers/net/dsa/qca/qca8k-8xxx.c
+@@ -544,6 +544,15 @@ qca8k_phy_eth_command(struct qca8k_priv *priv, bool read, int phy,
+ goto err_read_skb;
+ }
+
++ /* It seems that accessing the switch's internal PHYs via management
++ * packets still uses the MDIO bus within the switch internally, and
++ * these accesses can conflict with external MDIO accesses to other
++ * devices on the MDIO bus.
++ * We therefore need to lock the MDIO bus onto which the switch is
++ * connected.
++ */
++ mutex_lock(&priv->bus->mdio_lock);
++
+ /* Actually start the request:
+ * 1. Send mdio master packet
+ * 2. Busy Wait for mdio master command
+@@ -556,6 +565,7 @@ qca8k_phy_eth_command(struct qca8k_priv *priv, bool read, int phy,
+ mgmt_master = priv->mgmt_master;
+ if (!mgmt_master) {
+ mutex_unlock(&mgmt_eth_data->mutex);
++ mutex_unlock(&priv->bus->mdio_lock);
+ ret = -EINVAL;
+ goto err_mgmt_master;
+ }
+@@ -643,6 +653,7 @@ qca8k_phy_eth_command(struct qca8k_priv *priv, bool read, int phy,
+ QCA8K_ETHERNET_TIMEOUT);
+
+ mutex_unlock(&mgmt_eth_data->mutex);
++ mutex_unlock(&priv->bus->mdio_lock);
+
+ return ret;
+
+--
+2.40.1
+
--- /dev/null
+From 460a3f20c8f1231f6995151d3405862d5ae314dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Oct 2023 21:06:33 +0300
+Subject: net: macsec: indicate next pn update when offloading
+
+From: Radu Pirea (NXP OSS) <radu-nicolae.pirea@oss.nxp.com>
+
+[ Upstream commit 0412cc846a1ef38697c3f321f9b174da91ecd3b5 ]
+
+Indicate next PN update using update_pn flag in macsec_context.
+Offloaded MACsec implementations does not know whether or not the
+MACSEC_SA_ATTR_PN attribute was passed for an SA update and assume
+that next PN should always updated, but this is not always true.
+
+The PN can be reset to its initial value using the following command:
+$ ip macsec set macsec0 tx sa 0 off #octeontx2-pf case
+
+Or, the update PN command will succeed even if the driver does not support
+PN updates.
+$ ip macsec set macsec0 tx sa 0 pn 1 on #mscc phy driver case
+
+Comparing the initial PN with the new PN value is not a solution. When
+the user updates the PN using its initial value the command will
+succeed, even if the driver does not support it. Like this:
+$ ip macsec add macsec0 tx sa 0 pn 1 on key 00 \
+ead3664f508eb06c40ac7104cdae4ce5
+$ ip macsec set macsec0 tx sa 0 pn 1 on #mlx5 case
+
+Signed-off-by: Radu Pirea (NXP OSS) <radu-nicolae.pirea@oss.nxp.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: e0a8c918daa5 ("net: phy: mscc: macsec: reject PN update requests")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 2 ++
+ include/net/macsec.h | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 578f470e9fad9..81453e84b6413 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -2384,6 +2384,7 @@ static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info)
+
+ ctx.sa.assoc_num = assoc_num;
+ ctx.sa.tx_sa = tx_sa;
++ ctx.sa.update_pn = !!prev_pn.full64;
+ ctx.secy = secy;
+
+ ret = macsec_offload(ops->mdo_upd_txsa, &ctx);
+@@ -2477,6 +2478,7 @@ static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info)
+
+ ctx.sa.assoc_num = assoc_num;
+ ctx.sa.rx_sa = rx_sa;
++ ctx.sa.update_pn = !!prev_pn.full64;
+ ctx.secy = secy;
+
+ ret = macsec_offload(ops->mdo_upd_rxsa, &ctx);
+diff --git a/include/net/macsec.h b/include/net/macsec.h
+index 5b9c61c4d3a62..65c93959c2dc5 100644
+--- a/include/net/macsec.h
++++ b/include/net/macsec.h
+@@ -257,6 +257,7 @@ struct macsec_context {
+ struct macsec_secy *secy;
+ struct macsec_rx_sc *rx_sc;
+ struct {
++ bool update_pn;
+ unsigned char assoc_num;
+ u8 key[MACSEC_MAX_KEY_LEN];
+ union {
+--
+2.40.1
+
--- /dev/null
+From f27f20b720383ebc801258608cb016f420a7e07d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Oct 2023 22:37:06 -0700
+Subject: net/mlx5e: Again mutually exclude RX-FCS and RX-port-timestamp
+
+From: Will Mortensen <will@extrahop.com>
+
+[ Upstream commit da6192ca72d5ad913d109d43dc896290ad05d98f ]
+
+Commit 1e66220948df8 ("net/mlx5e: Update rx ring hw mtu upon each rx-fcs
+flag change") seems to have accidentally inverted the logic added in
+commit 0bc73ad46a76 ("net/mlx5e: Mutually exclude RX-FCS and
+RX-port-timestamp").
+
+The impact of this is a little unclear since it seems the FCS scattered
+with RX-FCS is (usually?) correct regardless.
+
+Fixes: 1e66220948df8 ("net/mlx5e: Update rx ring hw mtu upon each rx-fcs flag change")
+Tested-by: Charlotte Tan <charlotte@extrahop.com>
+Reviewed-by: Charlotte Tan <charlotte@extrahop.com>
+Cc: Adham Faris <afaris@nvidia.com>
+Cc: Aya Levin <ayal@nvidia.com>
+Cc: Tariq Toukan <tariqt@nvidia.com>
+Cc: Moshe Shemesh <moshe@nvidia.com>
+Cc: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Will Mortensen <will@extrahop.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://lore.kernel.org/r/20231006053706.514618-1-will@extrahop.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 4e7daa382bc05..42e6f2fcf5f59 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3862,13 +3862,14 @@ static int set_feature_rx_fcs(struct net_device *netdev, bool enable)
+ struct mlx5e_channels *chs = &priv->channels;
+ struct mlx5e_params new_params;
+ int err;
++ bool rx_ts_over_crc = !enable;
+
+ mutex_lock(&priv->state_lock);
+
+ new_params = chs->params;
+ new_params.scatter_fcs_en = enable;
+ err = mlx5e_safe_switch_params(priv, &new_params, mlx5e_set_rx_port_ts_wrap,
+- &new_params.scatter_fcs_en, true);
++ &rx_ts_over_crc, true);
+ mutex_unlock(&priv->state_lock);
+ return err;
+ }
+--
+2.40.1
+
--- /dev/null
+From 119cd2b4a2a9fae7c3640e41b2f0d1d9ac2fff54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Oct 2023 21:06:36 +0300
+Subject: net/mlx5e: macsec: use update_pn flag instead of PN comparation
+
+From: Radu Pirea (NXP OSS) <radu-nicolae.pirea@oss.nxp.com>
+
+[ Upstream commit fde2f2d7f23d39f2fc699ba6d91ac3f4a2e637ca ]
+
+When updating the SA, use the new update_pn flags instead of comparing the
+new PN with the initial one.
+
+Comparing the initial PN value with the new value will allow the user
+to update the SA using the initial PN value as a parameter like this:
+$ ip macsec add macsec0 tx sa 0 pn 1 on key 00 \
+ead3664f508eb06c40ac7104cdae4ce5
+$ ip macsec set macsec0 tx sa 0 pn 1 off
+
+Fixes: 8ff0ac5be144 ("net/mlx5: Add MACsec offload Tx command support")
+Fixes: aae3454e4d4c ("net/mlx5e: Add MACsec offload Rx command support")
+Signed-off-by: Radu Pirea (NXP OSS) <radu-nicolae.pirea@oss.nxp.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
+index 0f8f3ce35537d..a7832a0180ee6 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/macsec.c
+@@ -611,7 +611,7 @@ static int mlx5e_macsec_upd_txsa(struct macsec_context *ctx)
+ goto out;
+ }
+
+- if (tx_sa->next_pn != ctx_tx_sa->next_pn_halves.lower) {
++ if (ctx->sa.update_pn) {
+ netdev_err(netdev, "MACsec offload: update TX sa %d PN isn't supported\n",
+ assoc_num);
+ err = -EINVAL;
+@@ -1016,7 +1016,7 @@ static int mlx5e_macsec_upd_rxsa(struct macsec_context *ctx)
+ goto out;
+ }
+
+- if (rx_sa->next_pn != ctx_rx_sa->next_pn_halves.lower) {
++ if (ctx->sa.update_pn) {
+ netdev_err(ctx->netdev,
+ "MACsec offload update RX sa %d PN isn't supported\n",
+ assoc_num);
+--
+2.40.1
+
--- /dev/null
+From 7b2bf5f0bc7ac48cbc8cb78a76345012e82f4ef1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Oct 2023 12:31:10 +0000
+Subject: net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 31c07dffafce914c1d1543c135382a11ff058d93 ]
+
+Sili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.
+
+Getting a reference on the socket found in a lookup while
+holding a lock should happen before releasing the lock.
+
+nfc_llcp_sock_get_sn() has a similar problem.
+
+Finally nfc_llcp_recv_snl() needs to make sure the socket
+found by nfc_llcp_sock_from_sn() does not disappear.
+
+Fixes: 8f50020ed9b8 ("NFC: LLCP late binding")
+Reported-by: Sili Luo <rootlab@huawei.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willy Tarreau <w@1wt.eu>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20231009123110.3735515-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp_core.c | 30 ++++++++++++------------------
+ 1 file changed, 12 insertions(+), 18 deletions(-)
+
+diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
+index 6705bb895e239..1dac28136e6a3 100644
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -203,17 +203,13 @@ static struct nfc_llcp_sock *nfc_llcp_sock_get(struct nfc_llcp_local *local,
+
+ if (tmp_sock->ssap == ssap && tmp_sock->dsap == dsap) {
+ llcp_sock = tmp_sock;
++ sock_hold(&llcp_sock->sk);
+ break;
+ }
+ }
+
+ read_unlock(&local->sockets.lock);
+
+- if (llcp_sock == NULL)
+- return NULL;
+-
+- sock_hold(&llcp_sock->sk);
+-
+ return llcp_sock;
+ }
+
+@@ -346,7 +342,8 @@ static int nfc_llcp_wks_sap(const char *service_name, size_t service_name_len)
+
+ static
+ struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local,
+- const u8 *sn, size_t sn_len)
++ const u8 *sn, size_t sn_len,
++ bool needref)
+ {
+ struct sock *sk;
+ struct nfc_llcp_sock *llcp_sock, *tmp_sock;
+@@ -382,6 +379,8 @@ struct nfc_llcp_sock *nfc_llcp_sock_from_sn(struct nfc_llcp_local *local,
+
+ if (memcmp(sn, tmp_sock->service_name, sn_len) == 0) {
+ llcp_sock = tmp_sock;
++ if (needref)
++ sock_hold(&llcp_sock->sk);
+ break;
+ }
+ }
+@@ -423,7 +422,8 @@ u8 nfc_llcp_get_sdp_ssap(struct nfc_llcp_local *local,
+ * to this service name.
+ */
+ if (nfc_llcp_sock_from_sn(local, sock->service_name,
+- sock->service_name_len) != NULL) {
++ sock->service_name_len,
++ false) != NULL) {
+ mutex_unlock(&local->sdp_lock);
+
+ return LLCP_SAP_MAX;
+@@ -824,16 +824,7 @@ static struct nfc_llcp_sock *nfc_llcp_connecting_sock_get(struct nfc_llcp_local
+ static struct nfc_llcp_sock *nfc_llcp_sock_get_sn(struct nfc_llcp_local *local,
+ const u8 *sn, size_t sn_len)
+ {
+- struct nfc_llcp_sock *llcp_sock;
+-
+- llcp_sock = nfc_llcp_sock_from_sn(local, sn, sn_len);
+-
+- if (llcp_sock == NULL)
+- return NULL;
+-
+- sock_hold(&llcp_sock->sk);
+-
+- return llcp_sock;
++ return nfc_llcp_sock_from_sn(local, sn, sn_len, true);
+ }
+
+ static const u8 *nfc_llcp_connect_sn(const struct sk_buff *skb, size_t *sn_len)
+@@ -1298,7 +1289,8 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
+ }
+
+ llcp_sock = nfc_llcp_sock_from_sn(local, service_name,
+- service_name_len);
++ service_name_len,
++ true);
+ if (!llcp_sock) {
+ sap = 0;
+ goto add_snl;
+@@ -1318,6 +1310,7 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
+
+ if (sap == LLCP_SAP_MAX) {
+ sap = 0;
++ nfc_llcp_sock_put(llcp_sock);
+ goto add_snl;
+ }
+
+@@ -1335,6 +1328,7 @@ static void nfc_llcp_recv_snl(struct nfc_llcp_local *local,
+
+ pr_debug("%p %d\n", llcp_sock, sap);
+
++ nfc_llcp_sock_put(llcp_sock);
+ add_snl:
+ sdp = nfc_llcp_build_sdres_tlv(tid, sap);
+ if (sdp == NULL)
+--
+2.40.1
+
--- /dev/null
+From 0d0e4488ad4aab2c6a1f3856f3faa501f10f9f3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Oct 2023 21:06:35 +0300
+Subject: net: phy: mscc: macsec: reject PN update requests
+
+From: Radu Pirea (NXP OSS) <radu-nicolae.pirea@oss.nxp.com>
+
+[ Upstream commit e0a8c918daa58700609ebd45e3fcd49965be8bbc ]
+
+Updating the PN is not supported.
+Return -EINVAL if update_pn is true.
+
+The following command succeeded, but it should fail because the driver
+does not update the PN:
+ip macsec set macsec0 tx sa 0 pn 232 on
+
+Fixes: 28c5107aa904 ("net: phy: mscc: macsec support")
+Signed-off-by: Radu Pirea (NXP OSS) <radu-nicolae.pirea@oss.nxp.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mscc/mscc_macsec.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/phy/mscc/mscc_macsec.c b/drivers/net/phy/mscc/mscc_macsec.c
+index f81b077618f40..81fd9bfef5271 100644
+--- a/drivers/net/phy/mscc/mscc_macsec.c
++++ b/drivers/net/phy/mscc/mscc_macsec.c
+@@ -844,6 +844,9 @@ static int vsc8584_macsec_upd_rxsa(struct macsec_context *ctx)
+ struct macsec_flow *flow;
+ int ret;
+
++ if (ctx->sa.update_pn)
++ return -EINVAL;
++
+ flow = vsc8584_macsec_find_flow(ctx, MACSEC_INGR);
+ if (IS_ERR(flow))
+ return PTR_ERR(flow);
+@@ -897,6 +900,9 @@ static int vsc8584_macsec_upd_txsa(struct macsec_context *ctx)
+ struct macsec_flow *flow;
+ int ret;
+
++ if (ctx->sa.update_pn)
++ return -EINVAL;
++
+ flow = vsc8584_macsec_find_flow(ctx, MACSEC_EGR);
+ if (IS_ERR(flow))
+ return PTR_ERR(flow);
+--
+2.40.1
+
--- /dev/null
+From 4f25ab1cf49c2cc29cd9956e11c5eccd3d9ae10f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Oct 2023 17:33:54 +0000
+Subject: net: refine debug info in skb_checksum_help()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 26c29961b142444cd99361644c30fa1e9b3da6be ]
+
+syzbot uses panic_on_warn.
+
+This means that the skb_dump() I added in the blamed commit are
+not even called.
+
+Rewrite this so that we get the needed skb dump before syzbot crashes.
+
+Fixes: eeee4b77dc52 ("net: add more debug info in skb_checksum_help()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20231006173355.2254983-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index a2e3c6470ab3f..5374761f5af2c 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3274,15 +3274,19 @@ int skb_checksum_help(struct sk_buff *skb)
+
+ offset = skb_checksum_start_offset(skb);
+ ret = -EINVAL;
+- if (WARN_ON_ONCE(offset >= skb_headlen(skb))) {
++ if (unlikely(offset >= skb_headlen(skb))) {
+ DO_ONCE_LITE(skb_dump, KERN_ERR, skb, false);
++ WARN_ONCE(true, "offset (%d) >= skb_headlen() (%u)\n",
++ offset, skb_headlen(skb));
+ goto out;
+ }
+ csum = skb_checksum(skb, offset, skb->len - offset, 0);
+
+ offset += skb->csum_offset;
+- if (WARN_ON_ONCE(offset + sizeof(__sum16) > skb_headlen(skb))) {
++ if (unlikely(offset + sizeof(__sum16) > skb_headlen(skb))) {
+ DO_ONCE_LITE(skb_dump, KERN_ERR, skb, false);
++ WARN_ONCE(true, "offset+2 (%zu) > skb_headlen() (%u)\n",
++ offset + sizeof(__sum16), skb_headlen(skb));
+ goto out;
+ }
+ ret = skb_ensure_writable(skb, offset + sizeof(__sum16));
+--
+2.40.1
+
--- /dev/null
+From 06ed17707d11f054406fb8f530ba45db99028444 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Oct 2023 16:40:48 +0200
+Subject: net/smc: Fix pos miscalculation in statistics
+
+From: Nils Hoppmann <niho@linux.ibm.com>
+
+[ Upstream commit a950a5921db450c74212327f69950ff03419483a ]
+
+SMC_STAT_PAYLOAD_SUB(_smc_stats, _tech, key, _len, _rc) will calculate
+wrong bucket positions for payloads of exactly 4096 bytes and
+(1 << (m + 12)) bytes, with m == SMC_BUF_MAX - 1.
+
+Intended bucket distribution:
+Assume l == size of payload, m == SMC_BUF_MAX - 1.
+
+Bucket 0 : 0 < l <= 2^13
+Bucket n, 1 <= n <= m-1 : 2^(n+12) < l <= 2^(n+13)
+Bucket m : l > 2^(m+12)
+
+Current solution:
+_pos = fls64((l) >> 13)
+[...]
+_pos = (_pos < m) ? ((l == 1 << (_pos + 12)) ? _pos - 1 : _pos) : m
+
+For l == 4096, _pos == -1, but should be _pos == 0.
+For l == (1 << (m + 12)), _pos == m, but should be _pos == m - 1.
+
+In order to avoid special treatment of these corner cases, the
+calculation is adjusted. The new solution first subtracts the length by
+one, and then calculates the correct bucket by shifting accordingly,
+i.e. _pos = fls64((l - 1) >> 13), l > 0.
+This not only fixes the issues named above, but also makes the whole
+bucket assignment easier to follow.
+
+Same is done for SMC_STAT_RMB_SIZE_SUB(_smc_stats, _tech, k, _len),
+where the calculation of the bucket position is similar to the one
+named above.
+
+Fixes: e0e4b8fa5338 ("net/smc: Add SMC statistics support")
+Suggested-by: Halil Pasic <pasic@linux.ibm.com>
+Signed-off-by: Nils Hoppmann <niho@linux.ibm.com>
+Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
+Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
+Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_stats.h | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/net/smc/smc_stats.h b/net/smc/smc_stats.h
+index 4dbc237b7c19e..ee22d6f9a86aa 100644
+--- a/net/smc/smc_stats.h
++++ b/net/smc/smc_stats.h
+@@ -93,13 +93,14 @@ do { \
+ typeof(_smc_stats) stats = (_smc_stats); \
+ typeof(_tech) t = (_tech); \
+ typeof(_len) l = (_len); \
+- int _pos = fls64((l) >> 13); \
++ int _pos; \
+ typeof(_rc) r = (_rc); \
+ int m = SMC_BUF_MAX - 1; \
+ this_cpu_inc((*stats).smc[t].key ## _cnt); \
+- if (r <= 0) \
++ if (r <= 0 || l <= 0) \
+ break; \
+- _pos = (_pos < m) ? ((l == 1 << (_pos + 12)) ? _pos - 1 : _pos) : m; \
++ _pos = fls64((l - 1) >> 13); \
++ _pos = (_pos <= m) ? _pos : m; \
+ this_cpu_inc((*stats).smc[t].key ## _pd.buf[_pos]); \
+ this_cpu_add((*stats).smc[t].key ## _bytes, r); \
+ } \
+@@ -139,9 +140,12 @@ while (0)
+ do { \
+ typeof(_len) _l = (_len); \
+ typeof(_tech) t = (_tech); \
+- int _pos = fls((_l) >> 13); \
++ int _pos; \
+ int m = SMC_BUF_MAX - 1; \
+- _pos = (_pos < m) ? ((_l == 1 << (_pos + 12)) ? _pos - 1 : _pos) : m; \
++ if (_l <= 0) \
++ break; \
++ _pos = fls((_l - 1) >> 13); \
++ _pos = (_pos <= m) ? _pos : m; \
+ this_cpu_inc((*(_smc_stats)).smc[t].k ## _rmbsize.buf[_pos]); \
+ } \
+ while (0)
+--
+2.40.1
+
--- /dev/null
+From c19f4d54d2fe06c145859cff20f39fa4c7d7d40c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Oct 2023 16:00:54 -0400
+Subject: nfc: nci: assert requested protocol is valid
+
+From: Jeremy Cline <jeremy@jcline.org>
+
+[ Upstream commit 354a6e707e29cb0c007176ee5b8db8be7bd2dee0 ]
+
+The protocol is used in a bit mask to determine if the protocol is
+supported. Assert the provided protocol is less than the maximum
+defined so it doesn't potentially perform a shift-out-of-bounds and
+provide a clearer error for undefined protocols vs unsupported ones.
+
+Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
+Reported-and-tested-by: syzbot+0839b78e119aae1fec78@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0839b78e119aae1fec78
+Signed-off-by: Jeremy Cline <jeremy@jcline.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20231009200054.82557-1-jeremy@jcline.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/nci/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index 4ffdf2f45c444..7535afd1537e9 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -908,6 +908,11 @@ static int nci_activate_target(struct nfc_dev *nfc_dev,
+ return -EINVAL;
+ }
+
++ if (protocol >= NFC_PROTO_MAX) {
++ pr_err("the requested nfc protocol is invalid\n");
++ return -EINVAL;
++ }
++
+ if (!(nci_target->supported_protocols & (1 << protocol))) {
+ pr_err("target does not support the requested protocol 0x%x\n",
+ protocol);
+--
+2.40.1
+
--- /dev/null
+From e9452acb603150912fb7fac8178521033b1315f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Oct 2023 14:17:06 +0300
+Subject: phy: lynx-28g: cancel the CDR check work item on the remove path
+
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+
+[ Upstream commit f200bab3756fe81493a1b280180dafa1d9ccdcf7 ]
+
+The blamed commit added the CDR check work item but didn't cancel it on
+the remove path. Fix this by adding a remove function which takes care
+of it.
+
+Fixes: 8f73b37cf3fb ("phy: add support for the Layerscape SerDes 28G")
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/freescale/phy-fsl-lynx-28g.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/phy/freescale/phy-fsl-lynx-28g.c b/drivers/phy/freescale/phy-fsl-lynx-28g.c
+index 569f12af2aafa..9d55dbee2e0a5 100644
+--- a/drivers/phy/freescale/phy-fsl-lynx-28g.c
++++ b/drivers/phy/freescale/phy-fsl-lynx-28g.c
+@@ -603,6 +603,14 @@ static int lynx_28g_probe(struct platform_device *pdev)
+ return PTR_ERR_OR_ZERO(provider);
+ }
+
++static void lynx_28g_remove(struct platform_device *pdev)
++{
++ struct device *dev = &pdev->dev;
++ struct lynx_28g_priv *priv = dev_get_drvdata(dev);
++
++ cancel_delayed_work_sync(&priv->cdr_check);
++}
++
+ static const struct of_device_id lynx_28g_of_match_table[] = {
+ { .compatible = "fsl,lynx-28g" },
+ { },
+@@ -611,6 +619,7 @@ MODULE_DEVICE_TABLE(of, lynx_28g_of_match_table);
+
+ static struct platform_driver lynx_28g_driver = {
+ .probe = lynx_28g_probe,
++ .remove_new = lynx_28g_remove,
+ .driver = {
+ .name = "lynx-28g",
+ .of_match_table = lynx_28g_of_match_table,
+--
+2.40.1
+
--- /dev/null
+From 8d65aaead628926684f9ac5d392728d2edca8037 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Oct 2023 14:17:07 +0300
+Subject: phy: lynx-28g: lock PHY while performing CDR lock workaround
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 0ac87fe54a171d18c5fb5345e3ee8d14e1b06f4b ]
+
+lynx_28g_cdr_lock_check() runs once per second in a workqueue to reset
+the lane receiver if the CDR has not locked onto bit transitions in the
+RX stream. But the PHY consumer may do stuff with the PHY simultaneously,
+and that isn't okay. Block concurrent generic PHY calls by holding the
+PHY mutex from this workqueue.
+
+Fixes: 8f73b37cf3fb ("phy: add support for the Layerscape SerDes 28G")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/freescale/phy-fsl-lynx-28g.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/phy/freescale/phy-fsl-lynx-28g.c b/drivers/phy/freescale/phy-fsl-lynx-28g.c
+index 9d55dbee2e0a5..d49aa59c7d812 100644
+--- a/drivers/phy/freescale/phy-fsl-lynx-28g.c
++++ b/drivers/phy/freescale/phy-fsl-lynx-28g.c
+@@ -507,11 +507,12 @@ static void lynx_28g_cdr_lock_check(struct work_struct *work)
+ for (i = 0; i < LYNX_28G_NUM_LANE; i++) {
+ lane = &priv->lane[i];
+
+- if (!lane->init)
+- continue;
++ mutex_lock(&lane->phy->mutex);
+
+- if (!lane->powered_up)
++ if (!lane->init || !lane->powered_up) {
++ mutex_unlock(&lane->phy->mutex);
+ continue;
++ }
+
+ rrstctl = lynx_28g_lane_read(lane, LNaRRSTCTL);
+ if (!(rrstctl & LYNX_28G_LNaRRSTCTL_CDR_LOCK)) {
+@@ -520,6 +521,8 @@ static void lynx_28g_cdr_lock_check(struct work_struct *work)
+ rrstctl = lynx_28g_lane_read(lane, LNaRRSTCTL);
+ } while (!(rrstctl & LYNX_28G_LNaRRSTCTL_RST_DONE));
+ }
++
++ mutex_unlock(&lane->phy->mutex);
+ }
+ queue_delayed_work(system_power_efficient_wq, &priv->cdr_check,
+ msecs_to_jiffies(1000));
+--
+2.40.1
+
--- /dev/null
+From 41a66bf7ee836832d5bc3da8e09def9c11dcfddc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Oct 2023 14:17:08 +0300
+Subject: phy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to
+ shared registers
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 139ad1143151a07be93bf741d4ea7c89e59f89ce ]
+
+The protocol converter configuration registers PCC8, PCCC, PCCD
+(implemented by the driver), as well as others, control protocol
+converters from multiple lanes (each represented as a different
+struct phy). So, if there are simultaneous calls to phy_set_mode_ext()
+to lanes sharing the same PCC register (either for the "old" or for the
+"new" protocol), corruption of the values programmed to hardware is
+possible, because lynx_28g_rmw() has no locking.
+
+Add a spinlock in the struct lynx_28g_priv shared by all lanes, and take
+the global spinlock from the phy_ops :: set_mode() implementation. There
+are no other callers which modify PCC registers.
+
+Fixes: 8f73b37cf3fb ("phy: add support for the Layerscape SerDes 28G")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/freescale/phy-fsl-lynx-28g.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/phy/freescale/phy-fsl-lynx-28g.c b/drivers/phy/freescale/phy-fsl-lynx-28g.c
+index d49aa59c7d812..0a8b40edc3f31 100644
+--- a/drivers/phy/freescale/phy-fsl-lynx-28g.c
++++ b/drivers/phy/freescale/phy-fsl-lynx-28g.c
+@@ -126,6 +126,10 @@ struct lynx_28g_lane {
+ struct lynx_28g_priv {
+ void __iomem *base;
+ struct device *dev;
++ /* Serialize concurrent access to registers shared between lanes,
++ * like PCCn
++ */
++ spinlock_t pcc_lock;
+ struct lynx_28g_pll pll[LYNX_28G_NUM_PLL];
+ struct lynx_28g_lane lane[LYNX_28G_NUM_LANE];
+
+@@ -396,6 +400,8 @@ static int lynx_28g_set_mode(struct phy *phy, enum phy_mode mode, int submode)
+ if (powered_up)
+ lynx_28g_power_off(phy);
+
++ spin_lock(&priv->pcc_lock);
++
+ switch (submode) {
+ case PHY_INTERFACE_MODE_SGMII:
+ case PHY_INTERFACE_MODE_1000BASEX:
+@@ -412,6 +418,8 @@ static int lynx_28g_set_mode(struct phy *phy, enum phy_mode mode, int submode)
+ lane->interface = submode;
+
+ out:
++ spin_unlock(&priv->pcc_lock);
++
+ /* Power up the lane if necessary */
+ if (powered_up)
+ lynx_28g_power_on(phy);
+@@ -595,6 +603,7 @@ static int lynx_28g_probe(struct platform_device *pdev)
+
+ dev_set_drvdata(dev, priv);
+
++ spin_lock_init(&priv->pcc_lock);
+ INIT_DELAYED_WORK(&priv->cdr_check, lynx_28g_cdr_lock_check);
+
+ queue_delayed_work(system_power_efficient_wq, &priv->cdr_check,
+--
+2.40.1
+
--- /dev/null
+From 9afbaf35ee42a095b43361bf0e750954cb956d0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Aug 2023 13:15:28 +0300
+Subject: pinctrl: nuvoton: wpcm450: fix out of bounds write
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mikhail Kobuk <m.kobuk@ispras.ru>
+
+[ Upstream commit 87d315a34133edcb29c4cadbf196ec6c30dfd47b ]
+
+Write into 'pctrl->gpio_bank' happens before the check for GPIO index
+validity, so out of bounds write may happen.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: a1d1e0e3d80a ("pinctrl: nuvoton: Add driver for WPCM450")
+Signed-off-by: Mikhail Kobuk <m.kobuk@ispras.ru>
+Reviewed-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Reviewed-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
+Link: https://lore.kernel.org/r/20230825101532.6624-1-m.kobuk@ispras.ru
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/nuvoton/pinctrl-wpcm450.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pinctrl/nuvoton/pinctrl-wpcm450.c b/drivers/pinctrl/nuvoton/pinctrl-wpcm450.c
+index 8193b92da4031..274e01d5212d5 100644
+--- a/drivers/pinctrl/nuvoton/pinctrl-wpcm450.c
++++ b/drivers/pinctrl/nuvoton/pinctrl-wpcm450.c
+@@ -1041,13 +1041,13 @@ static int wpcm450_gpio_register(struct platform_device *pdev,
+ if (ret < 0)
+ return ret;
+
+- gpio = &pctrl->gpio_bank[reg];
+- gpio->pctrl = pctrl;
+-
+ if (reg >= WPCM450_NUM_BANKS)
+ return dev_err_probe(dev, -EINVAL,
+ "GPIO index %d out of range!\n", reg);
+
++ gpio = &pctrl->gpio_bank[reg];
++ gpio->pctrl = pctrl;
++
+ bank = &wpcm450_banks[reg];
+ gpio->bank = bank;
+
+--
+2.40.1
+
--- /dev/null
+From f9ecb95483aa1d87104b887b0ce9c694bf0efa32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Oct 2023 16:00:08 -0400
+Subject: pinctrl: renesas: rzn1: Enable missing PINMUX
+
+From: Ralph Siemsen <ralph.siemsen@linaro.org>
+
+[ Upstream commit f055ff23c331f28aa4ace4b72dc56f63b9a726c8 ]
+
+Enable pin muxing (eg. programmable function), so that the RZ/N1 GPIO
+pins will be configured as specified by the pinmux in the DTS.
+
+This used to be enabled implicitly via CONFIG_GENERIC_PINMUX_FUNCTIONS,
+however that was removed, since the RZ/N1 driver does not call any of
+the generic pinmux functions.
+
+Fixes: 1308fb4e4eae14e6 ("pinctrl: rzn1: Do not select GENERIC_PIN{CTRL_GROUPS,MUX_FUNCTIONS}")
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20231004200008.1306798-1-ralph.siemsen@linaro.org
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/renesas/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/renesas/Kconfig b/drivers/pinctrl/renesas/Kconfig
+index 0903a0a418319..1ef8759802618 100644
+--- a/drivers/pinctrl/renesas/Kconfig
++++ b/drivers/pinctrl/renesas/Kconfig
+@@ -240,6 +240,7 @@ config PINCTRL_RZN1
+ depends on OF
+ depends on ARCH_RZN1 || COMPILE_TEST
+ select GENERIC_PINCONF
++ select PINMUX
+ help
+ This selects pinctrl driver for Renesas RZ/N1 devices.
+
+--
+2.40.1
+
--- /dev/null
+From d3b88eea80aff34153c87ad5a5e42f1bf1ae2197 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Oct 2023 10:12:00 +0900
+Subject: ravb: Fix up dma_free_coherent() call in ravb_remove()
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit e6864af61493113558c502b5cd0d754c19b93277 ]
+
+In ravb_remove(), dma_free_coherent() should be call after
+unregister_netdev(). Otherwise, this controller is possible to use
+the freed buffer.
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20231005011201.14368-2-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 894e2690c6437..4bf371f744a35 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -2907,8 +2907,6 @@ static int ravb_remove(struct platform_device *pdev)
+ clk_disable_unprepare(priv->gptp_clk);
+ clk_disable_unprepare(priv->refclk);
+
+- dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat,
+- priv->desc_bat_dma);
+ /* Set reset mode */
+ ravb_write(ndev, CCC_OPC_RESET, CCC);
+ unregister_netdev(ndev);
+@@ -2916,6 +2914,8 @@ static int ravb_remove(struct platform_device *pdev)
+ netif_napi_del(&priv->napi[RAVB_NC]);
+ netif_napi_del(&priv->napi[RAVB_BE]);
+ ravb_mdio_release(priv);
++ dma_free_coherent(ndev->dev.parent, priv->desc_bat_size, priv->desc_bat,
++ priv->desc_bat_dma);
+ pm_runtime_put_sync(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+ reset_control_assert(priv->rstc);
+--
+2.40.1
+
--- /dev/null
+From 3d4598d7969a44b33ccae389523d4161758d6e98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Oct 2023 10:12:01 +0900
+Subject: ravb: Fix use-after-free issue in ravb_tx_timeout_work()
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit 3971442870713de527684398416970cf025b4f89 ]
+
+The ravb_stop() should call cancel_work_sync(). Otherwise,
+ravb_tx_timeout_work() is possible to use the freed priv after
+ravb_remove() was called like below:
+
+CPU0 CPU1
+ ravb_tx_timeout()
+ravb_remove()
+unregister_netdev()
+free_netdev(ndev)
+// free priv
+ ravb_tx_timeout_work()
+ // use priv
+
+unregister_netdev() will call .ndo_stop() so that ravb_stop() is
+called. And, after phy_stop() is called, netif_carrier_off()
+is also called. So that .ndo_tx_timeout() will not be called
+after phy_stop().
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Reported-by: Zheng Wang <zyytlz.wz@163.com>
+Closes: https://lore.kernel.org/netdev/20230725030026.1664873-1-zyytlz.wz@163.com/
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20231005011201.14368-3-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 4bf371f744a35..9a52283d77544 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -2183,6 +2183,8 @@ static int ravb_close(struct net_device *ndev)
+ of_phy_deregister_fixed_link(np);
+ }
+
++ cancel_work_sync(&priv->work);
++
+ if (info->multi_irqs) {
+ free_irq(priv->tx_irqs[RAVB_NC], ndev);
+ free_irq(priv->rx_irqs[RAVB_NC], ndev);
+--
+2.40.1
+
--- /dev/null
+From 13687337e743c2fcf3073ac63afdd15352af345f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Feb 2023 21:52:03 +0800
+Subject: riscv, bpf: Factor out emit_call for kernel and bpf context
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pu Lehui <pulehui@huawei.com>
+
+[ Upstream commit 0fd1fd0104954380477353aea29c347e85dff16d ]
+
+The current emit_call function is not suitable for kernel function call as
+it store return value to bpf R0 register. We can separate it out for common
+use. Meanwhile, simplify judgment logic, that is, fixed function address
+can use jal or auipc+jalr, while the unfixed can use only auipc+jalr.
+
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Björn Töpel <bjorn@rivosinc.com>
+Acked-by: Björn Töpel <bjorn@rivosinc.com>
+Link: https://lore.kernel.org/bpf/20230215135205.1411105-3-pulehui@huaweicloud.com
+Stable-dep-of: 2f1b0d3d7331 ("riscv, bpf: Sign-extend return values")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/net/bpf_jit_comp64.c | 30 +++++++++++++-----------------
+ 1 file changed, 13 insertions(+), 17 deletions(-)
+
+diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c
+index f2417ac54edd6..69ebab81d9352 100644
+--- a/arch/riscv/net/bpf_jit_comp64.c
++++ b/arch/riscv/net/bpf_jit_comp64.c
+@@ -428,12 +428,12 @@ static void emit_sext_32_rd(u8 *rd, struct rv_jit_context *ctx)
+ *rd = RV_REG_T2;
+ }
+
+-static int emit_jump_and_link(u8 rd, s64 rvoff, bool force_jalr,
++static int emit_jump_and_link(u8 rd, s64 rvoff, bool fixed_addr,
+ struct rv_jit_context *ctx)
+ {
+ s64 upper, lower;
+
+- if (rvoff && is_21b_int(rvoff) && !force_jalr) {
++ if (rvoff && fixed_addr && is_21b_int(rvoff)) {
+ emit(rv_jal(rd, rvoff >> 1), ctx);
+ return 0;
+ } else if (in_auipc_jalr_range(rvoff)) {
+@@ -454,24 +454,17 @@ static bool is_signed_bpf_cond(u8 cond)
+ cond == BPF_JSGE || cond == BPF_JSLE;
+ }
+
+-static int emit_call(bool fixed, u64 addr, struct rv_jit_context *ctx)
++static int emit_call(u64 addr, bool fixed_addr, struct rv_jit_context *ctx)
+ {
+ s64 off = 0;
+ u64 ip;
+- u8 rd;
+- int ret;
+
+ if (addr && ctx->insns) {
+ ip = (u64)(long)(ctx->insns + ctx->ninsns);
+ off = addr - ip;
+ }
+
+- ret = emit_jump_and_link(RV_REG_RA, off, !fixed, ctx);
+- if (ret)
+- return ret;
+- rd = bpf_to_rv_reg(BPF_REG_0, ctx);
+- emit_mv(rd, RV_REG_A0, ctx);
+- return 0;
++ return emit_jump_and_link(RV_REG_RA, off, fixed_addr, ctx);
+ }
+
+ static void emit_atomic(u8 rd, u8 rs, s16 off, s32 imm, bool is64,
+@@ -913,7 +906,7 @@ int bpf_jit_emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx,
+ /* JUMP off */
+ case BPF_JMP | BPF_JA:
+ rvoff = rv_offset(i, off, ctx);
+- ret = emit_jump_and_link(RV_REG_ZERO, rvoff, false, ctx);
++ ret = emit_jump_and_link(RV_REG_ZERO, rvoff, true, ctx);
+ if (ret)
+ return ret;
+ break;
+@@ -1032,17 +1025,20 @@ int bpf_jit_emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx,
+ /* function call */
+ case BPF_JMP | BPF_CALL:
+ {
+- bool fixed;
++ bool fixed_addr;
+ u64 addr;
+
+ mark_call(ctx);
+- ret = bpf_jit_get_func_addr(ctx->prog, insn, extra_pass, &addr,
+- &fixed);
++ ret = bpf_jit_get_func_addr(ctx->prog, insn, extra_pass,
++ &addr, &fixed_addr);
+ if (ret < 0)
+ return ret;
+- ret = emit_call(fixed, addr, ctx);
++
++ ret = emit_call(addr, fixed_addr, ctx);
+ if (ret)
+ return ret;
++
++ emit_mv(bpf_to_rv_reg(BPF_REG_0, ctx), RV_REG_A0, ctx);
+ break;
+ }
+ /* tail call */
+@@ -1057,7 +1053,7 @@ int bpf_jit_emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx,
+ break;
+
+ rvoff = epilogue_offset(ctx);
+- ret = emit_jump_and_link(RV_REG_ZERO, rvoff, false, ctx);
++ ret = emit_jump_and_link(RV_REG_ZERO, rvoff, true, ctx);
+ if (ret)
+ return ret;
+ break;
+--
+2.40.1
+
--- /dev/null
+From de3cae023253db9c516db6bc537c228ca16b83b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Oct 2023 14:07:05 +0200
+Subject: riscv, bpf: Sign-extend return values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Björn Töpel <bjorn@rivosinc.com>
+
+[ Upstream commit 2f1b0d3d733169eb11680bfa97c266ae5e757148 ]
+
+The RISC-V architecture does not expose sub-registers, and hold all
+32-bit values in a sign-extended format [1] [2]:
+
+ | The compiler and calling convention maintain an invariant that all
+ | 32-bit values are held in a sign-extended format in 64-bit
+ | registers. Even 32-bit unsigned integers extend bit 31 into bits
+ | 63 through 32. Consequently, conversion between unsigned and
+ | signed 32-bit integers is a no-op, as is conversion from a signed
+ | 32-bit integer to a signed 64-bit integer.
+
+While BPF, on the other hand, exposes sub-registers, and use
+zero-extension (similar to arm64/x86).
+
+This has led to some subtle bugs, where a BPF JITted program has not
+sign-extended the a0 register (return value in RISC-V land), passed
+the return value up the kernel, e.g.:
+
+ | int from_bpf(void);
+ |
+ | long foo(void)
+ | {
+ | return from_bpf();
+ | }
+
+Here, a0 would be 0xffff_ffff, instead of the expected
+0xffff_ffff_ffff_ffff.
+
+Internally, the RISC-V JIT uses a5 as a dedicated register for BPF
+return values.
+
+Keep a5 zero-extended, but explicitly sign-extend a0 (which is used
+outside BPF land). Now that a0 (RISC-V ABI) and a5 (BPF ABI) differs,
+a0 is only moved to a5 for non-BPF native calls (BPF_PSEUDO_CALL).
+
+Fixes: 2353ecc6f91f ("bpf, riscv: add BPF JIT for RV64G")
+Signed-off-by: Björn Töpel <bjorn@rivosinc.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://github.com/riscv/riscv-isa-manual/releases/download/riscv-isa-release-056b6ff-2023-10-02/unpriv-isa-asciidoc.pdf # [2]
+Link: https://github.com/riscv-non-isa/riscv-elf-psabi-doc/releases/download/draft-20230929-e5c800e661a53efe3c2678d71a306323b60eb13b/riscv-abi.pdf # [2]
+Link: https://lore.kernel.org/bpf/20231004120706.52848-2-bjorn@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/net/bpf_jit_comp64.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/riscv/net/bpf_jit_comp64.c b/arch/riscv/net/bpf_jit_comp64.c
+index 69ebab81d9352..8f5d3c57d58ad 100644
+--- a/arch/riscv/net/bpf_jit_comp64.c
++++ b/arch/riscv/net/bpf_jit_comp64.c
+@@ -236,7 +236,7 @@ static void __build_epilogue(bool is_tail_call, struct rv_jit_context *ctx)
+ emit_addi(RV_REG_SP, RV_REG_SP, stack_adjust, ctx);
+ /* Set return value. */
+ if (!is_tail_call)
+- emit_mv(RV_REG_A0, RV_REG_A5, ctx);
++ emit_addiw(RV_REG_A0, RV_REG_A5, 0, ctx);
+ emit_jalr(RV_REG_ZERO, is_tail_call ? RV_REG_T3 : RV_REG_RA,
+ is_tail_call ? 4 : 0, /* skip TCC init */
+ ctx);
+@@ -1038,7 +1038,8 @@ int bpf_jit_emit_insn(const struct bpf_insn *insn, struct rv_jit_context *ctx,
+ if (ret)
+ return ret;
+
+- emit_mv(bpf_to_rv_reg(BPF_REG_0, ctx), RV_REG_A0, ctx);
++ if (insn->src_reg != BPF_PSEUDO_CALL)
++ emit_mv(bpf_to_rv_reg(BPF_REG_0, ctx), RV_REG_A0, ctx);
+ break;
+ }
+ /* tail call */
+--
+2.40.1
+
alsa-hda-realtek-add-quirk-for-mute-leds-on-hp-envy-.patch
alsa-hda-realtek-alc287-i2s-speaker-platform-support.patch
alsa-hda-realtek-alc287-merge-rtk-codec-with-cs-cs35.patch
+pinctrl-nuvoton-wpcm450-fix-out-of-bounds-write.patch
+drm-msm-dp-do-not-reinitialize-phy-unless-retry-duri.patch
+drm-msm-dsi-skip-the-wait-for-video-mode-done-if-not.patch
+drm-msm-dsi-fix-irq_of_parse_and_map-error-checking.patch
+drm-msm-dpu-change-_dpu_plane_calc_bw-to-use-u64-to-.patch
+drm-msm-dp-add-newlines-to-debug-printks.patch
+phy-lynx-28g-cancel-the-cdr-check-work-item-on-the-r.patch
+phy-lynx-28g-lock-phy-while-performing-cdr-lock-work.patch
+phy-lynx-28g-serialize-concurrent-phy_set_mode_ext-c.patch
+net-dsa-qca8k-fix-potential-mdio-bus-conflict-when-a.patch
+can-isotp-isotp_sendmsg-fix-tx-state-detection-and-w.patch
+can-sun4i_can-only-show-kconfig-if-arch_sunxi-is-set.patch
+arm64-dts-mediatek-mt8195-set-dsu-pmu-status-to-fail.patch
+ravb-fix-up-dma_free_coherent-call-in-ravb_remove.patch
+ravb-fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch
+ieee802154-ca8210-fix-a-potential-uaf-in-ca8210_prob.patch
+mlxsw-fix-mlxsw_sp2_nve_vxlan_learning_set-return-ty.patch
+xen-netback-use-default-tx-queue-size-for-vifs.patch
+riscv-bpf-factor-out-emit_call-for-kernel-and-bpf-co.patch
+riscv-bpf-sign-extend-return-values.patch
+drm-vmwgfx-fix-typo-of-sizeof-argument.patch
+bpf-fix-verifier-log-for-async-callback-return-value.patch
+net-refine-debug-info-in-skb_checksum_help.patch
+net-macsec-indicate-next-pn-update-when-offloading.patch
+net-phy-mscc-macsec-reject-pn-update-requests.patch
+net-mlx5e-macsec-use-update_pn-flag-instead-of-pn-co.patch
+ixgbe-fix-crash-with-empty-vf-macvlan-list.patch
+net-mlx5e-again-mutually-exclude-rx-fcs-and-rx-port-.patch
+net-nfc-fix-races-in-nfc_llcp_sock_get-and-nfc_llcp_.patch
+ethtool-fix-mod-state-of-verbose-no_mask-bitset.patch
+net-smc-fix-pos-miscalculation-in-statistics.patch
+pinctrl-renesas-rzn1-enable-missing-pinmux.patch
+nfc-nci-assert-requested-protocol-is-valid.patch
+workqueue-override-implicit-ordered-attribute-in-wor.patch
--- /dev/null
+From 332c28f99ce378e7439f82c920b40b8e5cd9bf30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Oct 2023 22:48:42 -0400
+Subject: workqueue: Override implicit ordered attribute in
+ workqueue_apply_unbound_cpumask()
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit ca10d851b9ad0338c19e8e3089e24d565ebfffd7 ]
+
+Commit 5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1
+to be ordered") enabled implicit ordered attribute to be added to
+WQ_UNBOUND workqueues with max_active of 1. This prevented the changing
+of attributes to these workqueues leading to fix commit 0a94efb5acbb
+("workqueue: implicit ordered attribute should be overridable").
+
+However, workqueue_apply_unbound_cpumask() was not updated at that time.
+So sysfs changes to wq_unbound_cpumask has no effect on WQ_UNBOUND
+workqueues with implicit ordered attribute. Since not all WQ_UNBOUND
+workqueues are visible on sysfs, we are not able to make all the
+necessary cpumask changes even if we iterates all the workqueue cpumasks
+in sysfs and changing them one by one.
+
+Fix this problem by applying the corresponding change made
+to apply_workqueue_attrs_locked() in the fix commit to
+workqueue_apply_unbound_cpumask().
+
+Fixes: 5c0338c68706 ("workqueue: restore WQ_UNBOUND/max_active==1 to be ordered")
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/workqueue.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/workqueue.c b/kernel/workqueue.c
+index 1e1557e42d2cc..bc1a97ee40b21 100644
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -5355,9 +5355,13 @@ static int workqueue_apply_unbound_cpumask(const cpumask_var_t unbound_cpumask)
+ list_for_each_entry(wq, &workqueues, list) {
+ if (!(wq->flags & WQ_UNBOUND))
+ continue;
++
+ /* creating multiple pwqs breaks ordering guarantee */
+- if (wq->flags & __WQ_ORDERED)
+- continue;
++ if (!list_empty(&wq->pwqs)) {
++ if (wq->flags & __WQ_ORDERED_EXPLICIT)
++ continue;
++ wq->flags &= ~__WQ_ORDERED;
++ }
+
+ ctx = apply_wqattrs_prepare(wq, wq->unbound_attrs, unbound_cpumask);
+ if (!ctx) {
+--
+2.40.1
+
--- /dev/null
+From 594ce493c019d130262eca737224013fbb8d6174 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Oct 2023 16:08:31 +0200
+Subject: xen-netback: use default TX queue size for vifs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monne <roger.pau@citrix.com>
+
+[ Upstream commit 66cf7435a26917c0c4d6245ad9137e7606e84fdf ]
+
+Do not set netback interfaces (vifs) default TX queue size to the ring size.
+The TX queue size is not related to the ring size, and using the ring size (32)
+as the queue size can lead to packet drops. Note the TX side of the vif
+interface in the netback domain is the one receiving packets to be injected
+to the guest.
+
+Do not explicitly set the TX queue length to any value when creating the
+interface, and instead use the system default. Note that the queue length can
+also be adjusted at runtime.
+
+Fixes: f942dc2552b8 ('xen network backend driver')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Acked-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netback/interface.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c
+index f3f2c07423a6a..fc3bb63b9ac3e 100644
+--- a/drivers/net/xen-netback/interface.c
++++ b/drivers/net/xen-netback/interface.c
+@@ -41,8 +41,6 @@
+ #include <asm/xen/hypercall.h>
+ #include <xen/balloon.h>
+
+-#define XENVIF_QUEUE_LENGTH 32
+-
+ /* Number of bytes allowed on the internal guest Rx queue. */
+ #define XENVIF_RX_QUEUE_BYTES (XEN_NETIF_RX_RING_SIZE/2 * PAGE_SIZE)
+
+@@ -530,8 +528,6 @@ struct xenvif *xenvif_alloc(struct device *parent, domid_t domid,
+ dev->features = dev->hw_features | NETIF_F_RXCSUM;
+ dev->ethtool_ops = &xenvif_ethtool_ops;
+
+- dev->tx_queue_len = XENVIF_QUEUE_LENGTH;
+-
+ dev->min_mtu = ETH_MIN_MTU;
+ dev->max_mtu = ETH_MAX_MTU - VLAN_ETH_HLEN;
+
+--
+2.40.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
