--- /dev/null
+From f875620bf95ebde0b34a461e5d6766e117fd3ce4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Oct 2023 17:16:03 -0700
+Subject: ARM: OMAP: timer32K: fix all kernel-doc warnings
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 7eeca8ccd1066c68d6002dbbe26433f8c17c53eb ]
+
+Fix kernel-doc warnings reported by the kernel test robot:
+
+timer32k.c:186: warning: cannot understand function prototype: 'struct timespec64 persistent_ts; '
+timer32k.c:191: warning: Function parameter or member 'ts' not described in 'omap_read_persistent_clock64'
+timer32k.c:216: warning: Function parameter or member 'vbase' not described in 'omap_init_clocksource_32k'
+timer32k.c:216: warning: Excess function parameter 'pbase' description in 'omap_init_clocksource_32k'
+timer32k.c:216: warning: Excess function parameter 'size' description in 'omap_init_clocksource_32k'
+timer32k.c:216: warning: No description found for return value of 'omap_init_clocksource_32k'
+
+Fixes: a451570c008b ("ARM: OMAP: 32k counter: Provide y2038-safe omap_read_persistent_clock() replacement")
+Fixes: 1fe97c8f6a1d ("ARM: OMAP: Make OMAP clocksource source selection using kernel param")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/all/202310070106.8QSyJOm3-lkp@intel.com/
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Vaibhav Hiremath <hvaibhav@ti.com>
+Cc: Felipe Balbi <balbi@ti.com>
+Cc: Tony Lindgren <tony@atomide.com>
+Cc: Xunlei Pang <pang.xunlei@linaro.org>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
+Cc: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Cc: linux-omap@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Message-ID: <20231007001603.24972-1-rdunlap@infradead.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap1/timer32k.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm/mach-omap1/timer32k.c b/arch/arm/mach-omap1/timer32k.c
+index 410d17d1d4431..f618a6df29382 100644
+--- a/arch/arm/mach-omap1/timer32k.c
++++ b/arch/arm/mach-omap1/timer32k.c
+@@ -176,17 +176,18 @@ static u64 notrace omap_32k_read_sched_clock(void)
+ return sync32k_cnt_reg ? readl_relaxed(sync32k_cnt_reg) : 0;
+ }
+
++static struct timespec64 persistent_ts;
++static cycles_t cycles;
++static unsigned int persistent_mult, persistent_shift;
++
+ /**
+ * omap_read_persistent_clock64 - Return time from a persistent clock.
++ * @ts: &struct timespec64 for the returned time
+ *
+ * Reads the time from a source which isn't disabled during PM, the
+ * 32k sync timer. Convert the cycles elapsed since last read into
+ * nsecs and adds to a monotonically increasing timespec64.
+ */
+-static struct timespec64 persistent_ts;
+-static cycles_t cycles;
+-static unsigned int persistent_mult, persistent_shift;
+-
+ static void omap_read_persistent_clock64(struct timespec64 *ts)
+ {
+ unsigned long long nsecs;
+@@ -206,10 +207,9 @@ static void omap_read_persistent_clock64(struct timespec64 *ts)
+ /**
+ * omap_init_clocksource_32k - setup and register counter 32k as a
+ * kernel clocksource
+- * @pbase: base addr of counter_32k module
+- * @size: size of counter_32k to map
++ * @vbase: base addr of counter_32k module
+ *
+- * Returns 0 upon success or negative error code upon failure.
++ * Returns: %0 upon success or negative error code upon failure.
+ *
+ */
+ static int __init omap_init_clocksource_32k(void __iomem *vbase)
+--
+2.42.0
+
--- /dev/null
+From d780a9e16872a923cbe7c7288982b53719f8e08b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Oct 2023 12:47:26 +0100
+Subject: arm64: dts: rockchip: Add i2s0-2ch-bus-bclk-off pins to RK3399
+
+From: Christopher Obbard <chris.obbard@collabora.com>
+
+[ Upstream commit 3975e72b164dc8347a28dd0d5f11b346af534635 ]
+
+Commit 0efaf8078393 ("arm64: dts: rockchip: add i2s0-2ch-bus pins on
+rk3399") introduced a pinctl for i2s0 in two-channel mode. Commit
+91419ae0420f ("arm64: dts: rockchip: use BCLK to GPIO switch on rk3399")
+modified i2s0 to switch the corresponding pins off when idle.
+
+Although an idle pinctrl node was added for i2s0 in 8-channel mode, a
+similar idle pinctrl node for i2s0 in 2-channel mode was not added. Add
+it.
+
+Fixes: 91419ae0420f ("arm64: dts: rockchip: use BCLK to GPIO switch on rk3399")
+Signed-off-by: Christopher Obbard <chris.obbard@collabora.com>
+Link: https://lore.kernel.org/r/20231013114737.494410-2-chris.obbard@collabora.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399.dtsi | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399.dtsi b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
+index 5f3caf01badeb..d6e6147652f36 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
+@@ -2406,6 +2406,16 @@
+ <4 RK_PA0 1 &pcfg_pull_none>;
+ };
+
++ i2s0_2ch_bus_bclk_off: i2s0-2ch-bus-bclk-off {
++ rockchip,pins =
++ <3 RK_PD0 RK_FUNC_GPIO &pcfg_pull_none>,
++ <3 RK_PD1 1 &pcfg_pull_none>,
++ <3 RK_PD2 1 &pcfg_pull_none>,
++ <3 RK_PD3 1 &pcfg_pull_none>,
++ <3 RK_PD7 1 &pcfg_pull_none>,
++ <4 RK_PA0 1 &pcfg_pull_none>;
++ };
++
+ i2s0_8ch_bus: i2s0-8ch-bus {
+ rockchip,pins =
+ <3 RK_PD0 1 &pcfg_pull_none>,
+--
+2.42.0
+
--- /dev/null
+From 6b6c11f8c82d1e1eef324a5638becdbafaed3da7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Oct 2023 10:15:56 +0300
+Subject: clk: ti: Fix missing omap4 mcbsp functional clock and aliases
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit cc2d819dd7df94a72bde7b9b9331a6535084092d ]
+
+We are using a wrong mcbsp functional clock. The interconnect target module
+driver provided clock for mcbsp is not same as the mcbsp functional clock
+known as the gfclk main_clk. The mcbsp functional clocks for mcbsp should
+have been added before we dropped the legacy platform data.
+
+Additionally we are also missing the clock aliases for the clocks used by
+the audio driver if reparenting is needed. This causes audio driver errors
+like "CLKS: could not clk_get() prcm_fck" for mcbsp as reported by Andreas.
+The mcbsp clock aliases too should have been added before we dropped the
+legacy platform data.
+
+Let's add the clocks and aliases with a single patch to fix the issue.
+
+Fixes: 349355ce3a05 ("ARM: OMAP2+: Drop legacy platform data for omap4 mcbsp")
+Reported-by: Andreas Kemnade <andreas@kemnade.info>
+Reported-by: Péter Ujfalusi <peter.ujfalusi@gmail.com>
+Acked-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/omap4-l4-abe.dtsi | 6 ++++++
+ arch/arm/boot/dts/omap4-l4.dtsi | 2 ++
+ drivers/clk/ti/clk-44xx.c | 5 +++++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/arch/arm/boot/dts/omap4-l4-abe.dtsi b/arch/arm/boot/dts/omap4-l4-abe.dtsi
+index 7ae8b620515c5..59f546a278f87 100644
+--- a/arch/arm/boot/dts/omap4-l4-abe.dtsi
++++ b/arch/arm/boot/dts/omap4-l4-abe.dtsi
+@@ -109,6 +109,8 @@
+ reg = <0x0 0xff>, /* MPU private access */
+ <0x49022000 0xff>; /* L3 Interconnect */
+ reg-names = "mpu", "dma";
++ clocks = <&abe_clkctrl OMAP4_MCBSP1_CLKCTRL 24>;
++ clock-names = "fck";
+ interrupts = <GIC_SPI 17 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "common";
+ ti,buffer-size = <128>;
+@@ -142,6 +144,8 @@
+ reg = <0x0 0xff>, /* MPU private access */
+ <0x49024000 0xff>; /* L3 Interconnect */
+ reg-names = "mpu", "dma";
++ clocks = <&abe_clkctrl OMAP4_MCBSP2_CLKCTRL 24>;
++ clock-names = "fck";
+ interrupts = <GIC_SPI 22 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "common";
+ ti,buffer-size = <128>;
+@@ -175,6 +179,8 @@
+ reg = <0x0 0xff>, /* MPU private access */
+ <0x49026000 0xff>; /* L3 Interconnect */
+ reg-names = "mpu", "dma";
++ clocks = <&abe_clkctrl OMAP4_MCBSP3_CLKCTRL 24>;
++ clock-names = "fck";
+ interrupts = <GIC_SPI 23 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "common";
+ ti,buffer-size = <128>;
+diff --git a/arch/arm/boot/dts/omap4-l4.dtsi b/arch/arm/boot/dts/omap4-l4.dtsi
+index 46b8f9efd4131..3fcef3080eaec 100644
+--- a/arch/arm/boot/dts/omap4-l4.dtsi
++++ b/arch/arm/boot/dts/omap4-l4.dtsi
+@@ -2043,6 +2043,8 @@
+ compatible = "ti,omap4-mcbsp";
+ reg = <0x0 0xff>; /* L4 Interconnect */
+ reg-names = "mpu";
++ clocks = <&l4_per_clkctrl OMAP4_MCBSP4_CLKCTRL 24>;
++ clock-names = "fck";
+ interrupts = <GIC_SPI 16 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "common";
+ ti,buffer-size = <128>;
+diff --git a/drivers/clk/ti/clk-44xx.c b/drivers/clk/ti/clk-44xx.c
+index 868bc7af21b0b..9b2824ed785b9 100644
+--- a/drivers/clk/ti/clk-44xx.c
++++ b/drivers/clk/ti/clk-44xx.c
+@@ -749,9 +749,14 @@ static struct ti_dt_clk omap44xx_clks[] = {
+ DT_CLK(NULL, "mcbsp1_sync_mux_ck", "abe-clkctrl:0028:26"),
+ DT_CLK(NULL, "mcbsp2_sync_mux_ck", "abe-clkctrl:0030:26"),
+ DT_CLK(NULL, "mcbsp3_sync_mux_ck", "abe-clkctrl:0038:26"),
++ DT_CLK("40122000.mcbsp", "prcm_fck", "abe-clkctrl:0028:26"),
++ DT_CLK("40124000.mcbsp", "prcm_fck", "abe-clkctrl:0030:26"),
++ DT_CLK("40126000.mcbsp", "prcm_fck", "abe-clkctrl:0038:26"),
+ DT_CLK(NULL, "mcbsp4_sync_mux_ck", "l4-per-clkctrl:00c0:26"),
++ DT_CLK("48096000.mcbsp", "prcm_fck", "l4-per-clkctrl:00c0:26"),
+ DT_CLK(NULL, "ocp2scp_usb_phy_phy_48m", "l3-init-clkctrl:00c0:8"),
+ DT_CLK(NULL, "otg_60m_gfclk", "l3-init-clkctrl:0040:24"),
++ DT_CLK(NULL, "pad_fck", "pad_clks_ck"),
+ DT_CLK(NULL, "per_mcbsp4_gfclk", "l4-per-clkctrl:00c0:24"),
+ DT_CLK(NULL, "pmd_stm_clock_mux_ck", "emu-sys-clkctrl:0000:20"),
+ DT_CLK(NULL, "pmd_trace_clk_mux_ck", "emu-sys-clkctrl:0000:22"),
+--
+2.42.0
+
--- /dev/null
+From fbef408135524b458ffaf9ae5282c559345cc207 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Oct 2023 10:15:56 +0300
+Subject: clk: ti: Fix missing omap5 mcbsp functional clock and aliases
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 0b9a4a67c60d3e15b39a69d480a50ce7eeff9bc1 ]
+
+We are using a wrong mcbsp functional clock. The interconnect target module
+driver provided clock for mcbsp is not same as the mcbsp functional clock
+known as the gfclk main_clk. The mcbsp functional clocks for mcbsp should
+have been added before we dropped the legacy platform data.
+
+Additionally we are also missing the clock aliases for the clocks used by
+the audio driver if reparenting is needed. This causes audio driver errors
+like "CLKS: could not clk_get() prcm_fck" for mcbsp as reported by Andreas.
+The mcbsp clock aliases too should have been added before we dropped the
+legacy platform data.
+
+Let's add the clocks and aliases with a single patch to fix the issue
+similar to omap4. On omap5, there is no mcbsp4 instance on the l4_per
+interconnect.
+
+Fixes: b1da0fa21bd1 ("ARM: OMAP2+: Drop legacy platform data for omap5 mcbsp")
+Cc: H. Nikolaus Schaller <hns@goldelico.com>
+Reported-by: Andreas Kemnade <andreas@kemnade.info>
+Reported-by: Péter Ujfalusi <peter.ujfalusi@gmail.com>
+Acked-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/omap5-l4-abe.dtsi | 6 ++++++
+ drivers/clk/ti/clk-54xx.c | 4 ++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/arch/arm/boot/dts/omap5-l4-abe.dtsi b/arch/arm/boot/dts/omap5-l4-abe.dtsi
+index a03bca5a35844..97b0c3b5f573f 100644
+--- a/arch/arm/boot/dts/omap5-l4-abe.dtsi
++++ b/arch/arm/boot/dts/omap5-l4-abe.dtsi
+@@ -109,6 +109,8 @@
+ reg = <0x0 0xff>, /* MPU private access */
+ <0x49022000 0xff>; /* L3 Interconnect */
+ reg-names = "mpu", "dma";
++ clocks = <&abe_clkctrl OMAP5_MCBSP1_CLKCTRL 24>;
++ clock-names = "fck";
+ interrupts = <GIC_SPI 17 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "common";
+ ti,buffer-size = <128>;
+@@ -142,6 +144,8 @@
+ reg = <0x0 0xff>, /* MPU private access */
+ <0x49024000 0xff>; /* L3 Interconnect */
+ reg-names = "mpu", "dma";
++ clocks = <&abe_clkctrl OMAP5_MCBSP2_CLKCTRL 24>;
++ clock-names = "fck";
+ interrupts = <GIC_SPI 22 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "common";
+ ti,buffer-size = <128>;
+@@ -175,6 +179,8 @@
+ reg = <0x0 0xff>, /* MPU private access */
+ <0x49026000 0xff>; /* L3 Interconnect */
+ reg-names = "mpu", "dma";
++ clocks = <&abe_clkctrl OMAP5_MCBSP3_CLKCTRL 24>;
++ clock-names = "fck";
+ interrupts = <GIC_SPI 23 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "common";
+ ti,buffer-size = <128>;
+diff --git a/drivers/clk/ti/clk-54xx.c b/drivers/clk/ti/clk-54xx.c
+index b4aff76eb3735..74dfd5823f835 100644
+--- a/drivers/clk/ti/clk-54xx.c
++++ b/drivers/clk/ti/clk-54xx.c
+@@ -565,15 +565,19 @@ static struct ti_dt_clk omap54xx_clks[] = {
+ DT_CLK(NULL, "gpio8_dbclk", "l4per-clkctrl:00f8:8"),
+ DT_CLK(NULL, "mcbsp1_gfclk", "abe-clkctrl:0028:24"),
+ DT_CLK(NULL, "mcbsp1_sync_mux_ck", "abe-clkctrl:0028:26"),
++ DT_CLK("40122000.mcbsp", "prcm_fck", "abe-clkctrl:0028:26"),
+ DT_CLK(NULL, "mcbsp2_gfclk", "abe-clkctrl:0030:24"),
+ DT_CLK(NULL, "mcbsp2_sync_mux_ck", "abe-clkctrl:0030:26"),
++ DT_CLK("40124000.mcbsp", "prcm_fck", "abe-clkctrl:0030:26"),
+ DT_CLK(NULL, "mcbsp3_gfclk", "abe-clkctrl:0038:24"),
+ DT_CLK(NULL, "mcbsp3_sync_mux_ck", "abe-clkctrl:0038:26"),
++ DT_CLK("40126000.mcbsp", "prcm_fck", "abe-clkctrl:0038:26"),
+ DT_CLK(NULL, "mmc1_32khz_clk", "l3init-clkctrl:0008:8"),
+ DT_CLK(NULL, "mmc1_fclk", "l3init-clkctrl:0008:25"),
+ DT_CLK(NULL, "mmc1_fclk_mux", "l3init-clkctrl:0008:24"),
+ DT_CLK(NULL, "mmc2_fclk", "l3init-clkctrl:0010:25"),
+ DT_CLK(NULL, "mmc2_fclk_mux", "l3init-clkctrl:0010:24"),
++ DT_CLK(NULL, "pad_fck", "pad_clks_ck"),
+ DT_CLK(NULL, "sata_ref_clk", "l3init-clkctrl:0068:8"),
+ DT_CLK(NULL, "timer10_gfclk_mux", "l4per-clkctrl:0008:24"),
+ DT_CLK(NULL, "timer11_gfclk_mux", "l4per-clkctrl:0010:24"),
+--
+2.42.0
+
--- /dev/null
+From 4b311ee426108d794065d2f1aa2677d6ef1e1cde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jun 2023 10:42:07 +0800
+Subject: drm/logicvc: Kconfig: select REGMAP and REGMAP_MMIO
+
+From: Sui Jingfeng <suijingfeng@loongson.cn>
+
+[ Upstream commit 4e6c38c38723a954b85aa9ee62603bb4a37acbb4 ]
+
+drm/logicvc driver is depend on REGMAP and REGMAP_MMIO, should select this
+two kconfig option, otherwise the driver failed to compile on platform
+without REGMAP_MMIO selected:
+
+ERROR: modpost: "__devm_regmap_init_mmio_clk" [drivers/gpu/drm/logicvc/logicvc-drm.ko] undefined!
+make[1]: *** [scripts/Makefile.modpost:136: Module.symvers] Error 1
+make: *** [Makefile:1978: modpost] Error 2
+
+Signed-off-by: Sui Jingfeng <suijingfeng@loongson.cn>
+Acked-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Fixes: efeeaefe9be5 ("drm: Add support for the LogiCVC display controller")
+Link: https://patchwork.freedesktop.org/patch/msgid/20230608024207.581401-1-suijingfeng@loongson.cn
+Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/logicvc/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/logicvc/Kconfig b/drivers/gpu/drm/logicvc/Kconfig
+index fa7a883688094..1df22a852a23e 100644
+--- a/drivers/gpu/drm/logicvc/Kconfig
++++ b/drivers/gpu/drm/logicvc/Kconfig
+@@ -5,5 +5,7 @@ config DRM_LOGICVC
+ select DRM_KMS_HELPER
+ select DRM_KMS_DMA_HELPER
+ select DRM_GEM_DMA_HELPER
++ select REGMAP
++ select REGMAP_MMIO
+ help
+ DRM display driver for the logiCVC programmable logic block from Xylon
+--
+2.42.0
+
--- /dev/null
+From 22f357de3b82f231c338f64ee364e2f1d6b32a3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Oct 2023 11:29:08 +0800
+Subject: firmware/imx-dsp: Fix use_after_free in imx_dsp_setup_channels()
+
+From: Hao Ge <gehao@kylinos.cn>
+
+[ Upstream commit 1558b1a8dd388f5fcc3abc1e24de854a295044c3 ]
+
+dsp_chan->name and chan_name points to same block of memory,
+because dev_err still needs to be used it,so we need free
+it's memory after use to avoid use_after_free.
+
+Fixes: e527adfb9b7d ("firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels()")
+Signed-off-by: Hao Ge <gehao@kylinos.cn>
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/imx/imx-dsp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/imx/imx-dsp.c b/drivers/firmware/imx/imx-dsp.c
+index 1f410809d3ee4..0f656e4191d5c 100644
+--- a/drivers/firmware/imx/imx-dsp.c
++++ b/drivers/firmware/imx/imx-dsp.c
+@@ -115,11 +115,11 @@ static int imx_dsp_setup_channels(struct imx_dsp_ipc *dsp_ipc)
+ dsp_chan->idx = i % 2;
+ dsp_chan->ch = mbox_request_channel_byname(cl, chan_name);
+ if (IS_ERR(dsp_chan->ch)) {
+- kfree(dsp_chan->name);
+ ret = PTR_ERR(dsp_chan->ch);
+ if (ret != -EPROBE_DEFER)
+ dev_err(dev, "Failed to request mbox chan %s ret %d\n",
+ chan_name, ret);
++ kfree(dsp_chan->name);
+ goto out;
+ }
+
+--
+2.42.0
+
--- /dev/null
+From 43256676a69dab9f4b7382f12166975b6fa0c62a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Oct 2023 22:25:18 +0200
+Subject: gtp: fix fragmentation needed check with gso
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 4530e5b8e2dad63dcad2206232dd86e4b1489b6c ]
+
+Call skb_gso_validate_network_len() to check if packet is over PMTU.
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index acb20ad4e37eb..477b4d4f860bd 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -871,8 +871,9 @@ static int gtp_build_skb_ip4(struct sk_buff *skb, struct net_device *dev,
+
+ skb_dst_update_pmtu_no_confirm(skb, mtu);
+
+- if (!skb_is_gso(skb) && (iph->frag_off & htons(IP_DF)) &&
+- mtu < ntohs(iph->tot_len)) {
++ if (iph->frag_off & htons(IP_DF) &&
++ ((!skb_is_gso(skb) && skb->len > mtu) ||
++ (skb_is_gso(skb) && !skb_gso_validate_network_len(skb, mtu)))) {
+ netdev_dbg(dev, "packet too big, fragmentation needed\n");
+ icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
+ htonl(mtu));
+--
+2.42.0
+
--- /dev/null
+From a036ddfca5cc43a4e1d31430a224c10d75c218b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Oct 2023 22:25:17 +0200
+Subject: gtp: uapi: fix GTPA_MAX
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit adc8df12d91a2b8350b0cd4c7fec3e8546c9d1f8 ]
+
+Subtract one to __GTPA_MAX, otherwise GTPA_MAX is off by 2.
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/gtp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/gtp.h b/include/uapi/linux/gtp.h
+index 2f61298a7b779..3dcdb9e33cba2 100644
+--- a/include/uapi/linux/gtp.h
++++ b/include/uapi/linux/gtp.h
+@@ -33,6 +33,6 @@ enum gtp_attrs {
+ GTPA_PAD,
+ __GTPA_MAX,
+ };
+-#define GTPA_MAX (__GTPA_MAX + 1)
++#define GTPA_MAX (__GTPA_MAX - 1)
+
+ #endif /* _UAPI_LINUX_GTP_H_ */
+--
+2.42.0
+
--- /dev/null
+From f72239fc20635dd684c7907f93b670f4e8087039 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 18:37:20 +0200
+Subject: i40e: Fix I40E_FLAG_VF_VLAN_PRUNING value
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit 665e7d83c5386f9abdc67b2e4b6e6d9579aadfcb ]
+
+Commit c87c938f62d8f1 ("i40e: Add VF VLAN pruning") added new
+PF flag I40E_FLAG_VF_VLAN_PRUNING but its value collides with
+existing I40E_FLAG_TOTAL_PORT_SHUTDOWN_ENABLED flag.
+
+Move the affected flag at the end of the flags and fix its value.
+
+Reproducer:
+[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close on
+[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 vf-vlan-pruning on
+[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close off
+[ 6323.142585] i40e 0000:02:00.0: Setting link-down-on-close not supported on this port (because total-port-shutdown is enabled)
+netlink error: Operation not supported
+[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 vf-vlan-pruning off
+[root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close off
+
+The link-down-on-close flag cannot be modified after setting vf-vlan-pruning
+because vf-vlan-pruning shares the same bit with total-port-shutdown flag
+that prevents any modification of link-down-on-close flag.
+
+Fixes: c87c938f62d8 ("i40e: Add VF VLAN pruning")
+Cc: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Cc: Simon Horman <horms@kernel.org>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h
+index a81f918091ccf..7d4cc4eafd59e 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e.h
++++ b/drivers/net/ethernet/intel/i40e/i40e.h
+@@ -580,7 +580,6 @@ struct i40e_pf {
+ #define I40E_FLAG_DISABLE_FW_LLDP BIT(24)
+ #define I40E_FLAG_RS_FEC BIT(25)
+ #define I40E_FLAG_BASE_R_FEC BIT(26)
+-#define I40E_FLAG_VF_VLAN_PRUNING BIT(27)
+ /* TOTAL_PORT_SHUTDOWN
+ * Allows to physically disable the link on the NIC's port.
+ * If enabled, (after link down request from the OS)
+@@ -603,6 +602,7 @@ struct i40e_pf {
+ * in abilities field of i40e_aq_set_phy_config structure
+ */
+ #define I40E_FLAG_TOTAL_PORT_SHUTDOWN_ENABLED BIT(27)
++#define I40E_FLAG_VF_VLAN_PRUNING BIT(28)
+
+ struct i40e_client_instance *cinst;
+ bool stat_offsets_loaded;
+--
+2.42.0
+
--- /dev/null
+From 8c165e61be0768084200645529bfb370a01d5129 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Oct 2023 14:27:14 -0700
+Subject: i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit 77a8c982ff0d4c3a14022c6fe9e3dbfb327552ec ]
+
+The I40E_TXR_FLAGS_WB_ON_ITR is i40e_ring flag and not i40e_pf one.
+
+Fixes: 8e0764b4d6be42 ("i40e/i40evf: Add support for writeback on ITR feature for X722")
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://lore.kernel.org/r/20231023212714.178032-1-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_txrx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+index 494775d65bf28..6d26ee8eefae9 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+@@ -2770,7 +2770,7 @@ int i40e_napi_poll(struct napi_struct *napi, int budget)
+ return budget;
+ }
+
+- if (vsi->back->flags & I40E_TXR_FLAGS_WB_ON_ITR)
++ if (q_vector->tx.ring[0].flags & I40E_TXR_FLAGS_WB_ON_ITR)
+ q_vector->arm_wb_state = false;
+
+ /* Exit the polling mode, but don't re-enable interrupts if stack might
+--
+2.42.0
+
--- /dev/null
+From 8d3bde1046f7d9748b1be8d9630f8ade0d6522c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Oct 2023 11:32:13 -0700
+Subject: iavf: in iavf_down, disable queues when removing the driver
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit 53798666648af3aa0dd512c2380576627237a800 ]
+
+In iavf_down, we're skipping the scheduling of certain operations if
+the driver is being removed. However, the IAVF_FLAG_AQ_DISABLE_QUEUES
+request must not be skipped in this case, because iavf_close waits
+for the transition to the __IAVF_DOWN state, which happens in
+iavf_virtchnl_completion after the queues are released.
+
+Without this fix, "rmmod iavf" takes half a second per interface that's
+up and prints the "Device resources not yet released" warning.
+
+Fixes: c8de44b577eb ("iavf: do not process adminq tasks when __IAVF_IN_REMOVE_TASK is set")
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Tested-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://lore.kernel.org/r/20231025183213.874283-1-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 1ae90f8f9941f..326bb5fdf5f90 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1449,9 +1449,9 @@ void iavf_down(struct iavf_adapter *adapter)
+ adapter->aq_required |= IAVF_FLAG_AQ_DEL_FDIR_FILTER;
+ if (!list_empty(&adapter->adv_rss_list_head))
+ adapter->aq_required |= IAVF_FLAG_AQ_DEL_ADV_RSS_CFG;
+- adapter->aq_required |= IAVF_FLAG_AQ_DISABLE_QUEUES;
+ }
+
++ adapter->aq_required |= IAVF_FLAG_AQ_DISABLE_QUEUES;
+ mod_delayed_work(adapter->wq, &adapter->watchdog_task, 0);
+ }
+
+--
+2.42.0
+
--- /dev/null
+From 0d3ad15d7764402f040fe00b82d850bcf3bf69be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 09:13:46 +0200
+Subject: iavf: initialize waitqueues before starting watchdog_task
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit 7db3111043885c146e795c199d39c3f9042d97c0 ]
+
+It is not safe to initialize the waitqueues after queueing the
+watchdog_task. It will be using them.
+
+The chance of this causing a real problem is very small, because
+there will be some sleeping before any of the waitqueues get used.
+I got a crash only after inserting an artificial sleep in iavf_probe.
+
+Queue the watchdog_task as the last step in iavf_probe. Add a comment to
+prevent repeating the mistake.
+
+Fixes: fe2647ab0c99 ("i40evf: prevent VF close returning before state transitions to DOWN")
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index a39f7f0d6ab0b..1ae90f8f9941f 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -5020,8 +5020,6 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ INIT_WORK(&adapter->finish_config, iavf_finish_config);
+ INIT_DELAYED_WORK(&adapter->watchdog_task, iavf_watchdog_task);
+ INIT_DELAYED_WORK(&adapter->client_task, iavf_client_task);
+- queue_delayed_work(adapter->wq, &adapter->watchdog_task,
+- msecs_to_jiffies(5 * (pdev->devfn & 0x07)));
+
+ /* Setup the wait queue for indicating transition to down status */
+ init_waitqueue_head(&adapter->down_waitqueue);
+@@ -5032,6 +5030,9 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ /* Setup the wait queue for indicating virtchannel events */
+ init_waitqueue_head(&adapter->vc_waitqueue);
+
++ queue_delayed_work(adapter->wq, &adapter->watchdog_task,
++ msecs_to_jiffies(5 * (pdev->devfn & 0x07)));
++ /* Initialization goes on in the work. Do not add more of it below. */
+ return 0;
+
+ err_ioremap:
+--
+2.42.0
+
--- /dev/null
+From 13e2356742e1458d87217b2c6f3bed3681715c23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 13:40:35 -0700
+Subject: igb: Fix potential memory leak in igb_add_ethtool_nfc_entry
+
+From: Mateusz Palczewski <mateusz.palczewski@intel.com>
+
+[ Upstream commit 8c0b48e01daba5ca58f939a8425855d3f4f2ed14 ]
+
+Add check for return of igb_update_ethtool_nfc_entry so that in case
+of any potential errors the memory alocated for input will be freed.
+
+Fixes: 0e71def25281 ("igb: add support of RX network flow classification")
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_ethtool.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_ethtool.c b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+index 96fa1c420f910..ceff537d9d22d 100644
+--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c
++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+@@ -2978,11 +2978,15 @@ static int igb_add_ethtool_nfc_entry(struct igb_adapter *adapter,
+ if (err)
+ goto err_out_w_lock;
+
+- igb_update_ethtool_nfc_entry(adapter, input, input->sw_idx);
++ err = igb_update_ethtool_nfc_entry(adapter, input, input->sw_idx);
++ if (err)
++ goto err_out_input_filter;
+
+ spin_unlock(&adapter->nfc_lock);
+ return 0;
+
++err_out_input_filter:
++ igb_erase_filter(adapter, input);
+ err_out_w_lock:
+ spin_unlock(&adapter->nfc_lock);
+ err_out:
+--
+2.42.0
+
--- /dev/null
+From a41638beee1d0b5c8b00b88081e09a28a02ecba0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 13:36:41 -0700
+Subject: igc: Fix ambiguity in the ethtool advertising
+
+From: Sasha Neftin <sasha.neftin@intel.com>
+
+[ Upstream commit e7684d29efdf37304c62bb337ea55b3428ca118e ]
+
+The 'ethtool_convert_link_mode_to_legacy_u32' method does not allow us to
+advertise 2500M speed support and TP (twisted pair) properly. Convert to
+'ethtool_link_ksettings_test_link_mode' to advertise supported speed and
+eliminate ambiguity.
+
+Fixes: 8c5ad0dae93c ("igc: Add ethtool support")
+Suggested-by: Dima Ruinskiy <dima.ruinskiy@intel.com>
+Suggested-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://lore.kernel.org/r/20231019203641.3661960-1-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_ethtool.c | 35 ++++++++++++++------
+ 1 file changed, 25 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+index e23b95edb05ef..81897f7a90a91 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c
++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+@@ -1817,7 +1817,7 @@ igc_ethtool_set_link_ksettings(struct net_device *netdev,
+ struct igc_adapter *adapter = netdev_priv(netdev);
+ struct net_device *dev = adapter->netdev;
+ struct igc_hw *hw = &adapter->hw;
+- u32 advertising;
++ u16 advertised = 0;
+
+ /* When adapter in resetting mode, autoneg/speed/duplex
+ * cannot be changed
+@@ -1842,18 +1842,33 @@ igc_ethtool_set_link_ksettings(struct net_device *netdev,
+ while (test_and_set_bit(__IGC_RESETTING, &adapter->state))
+ usleep_range(1000, 2000);
+
+- ethtool_convert_link_mode_to_legacy_u32(&advertising,
+- cmd->link_modes.advertising);
+- /* Converting to legacy u32 drops ETHTOOL_LINK_MODE_2500baseT_Full_BIT.
+- * We have to check this and convert it to ADVERTISE_2500_FULL
+- * (aka ETHTOOL_LINK_MODE_2500baseX_Full_BIT) explicitly.
+- */
+- if (ethtool_link_ksettings_test_link_mode(cmd, advertising, 2500baseT_Full))
+- advertising |= ADVERTISE_2500_FULL;
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 2500baseT_Full))
++ advertised |= ADVERTISE_2500_FULL;
++
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 1000baseT_Full))
++ advertised |= ADVERTISE_1000_FULL;
++
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 100baseT_Full))
++ advertised |= ADVERTISE_100_FULL;
++
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 100baseT_Half))
++ advertised |= ADVERTISE_100_HALF;
++
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 10baseT_Full))
++ advertised |= ADVERTISE_10_FULL;
++
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 10baseT_Half))
++ advertised |= ADVERTISE_10_HALF;
+
+ if (cmd->base.autoneg == AUTONEG_ENABLE) {
+ hw->mac.autoneg = 1;
+- hw->phy.autoneg_advertised = advertising;
++ hw->phy.autoneg_advertised = advertised;
+ if (adapter->fc_autoneg)
+ hw->fc.requested_mode = igc_fc_default;
+ } else {
+--
+2.42.0
+
--- /dev/null
+From 0e8f1c70114f828f57ece09c7bc4182bb4457943 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 12:21:04 +0000
+Subject: neighbour: fix various data-races
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a9beb7e81bcb876615e1fbb3c07f3f9dba69831f ]
+
+1) tbl->gc_thresh1, tbl->gc_thresh2, tbl->gc_thresh3 and tbl->gc_interval
+ can be written from sysfs.
+
+2) tbl->last_flush is read locklessly from neigh_alloc()
+
+3) tbl->proxy_queue.qlen is read locklessly from neightbl_fill_info()
+
+4) neightbl_fill_info() reads cpu stats that can be changed concurrently.
+
+Fixes: c7fb64db001f ("[NETLINK]: Neighbour table configuration and statistics via rtnetlink")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20231019122104.1448310-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/neighbour.c | 67 +++++++++++++++++++++++---------------------
+ 1 file changed, 35 insertions(+), 32 deletions(-)
+
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index b20c9768d9f3f..41daa47d03934 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -251,7 +251,8 @@ bool neigh_remove_one(struct neighbour *ndel, struct neigh_table *tbl)
+
+ static int neigh_forced_gc(struct neigh_table *tbl)
+ {
+- int max_clean = atomic_read(&tbl->gc_entries) - tbl->gc_thresh2;
++ int max_clean = atomic_read(&tbl->gc_entries) -
++ READ_ONCE(tbl->gc_thresh2);
+ unsigned long tref = jiffies - 5 * HZ;
+ struct neighbour *n, *tmp;
+ int shrunk = 0;
+@@ -280,7 +281,7 @@ static int neigh_forced_gc(struct neigh_table *tbl)
+ }
+ }
+
+- tbl->last_flush = jiffies;
++ WRITE_ONCE(tbl->last_flush, jiffies);
+
+ write_unlock_bh(&tbl->lock);
+
+@@ -464,17 +465,17 @@ static struct neighbour *neigh_alloc(struct neigh_table *tbl,
+ {
+ struct neighbour *n = NULL;
+ unsigned long now = jiffies;
+- int entries;
++ int entries, gc_thresh3;
+
+ if (exempt_from_gc)
+ goto do_alloc;
+
+ entries = atomic_inc_return(&tbl->gc_entries) - 1;
+- if (entries >= tbl->gc_thresh3 ||
+- (entries >= tbl->gc_thresh2 &&
+- time_after(now, tbl->last_flush + 5 * HZ))) {
+- if (!neigh_forced_gc(tbl) &&
+- entries >= tbl->gc_thresh3) {
++ gc_thresh3 = READ_ONCE(tbl->gc_thresh3);
++ if (entries >= gc_thresh3 ||
++ (entries >= READ_ONCE(tbl->gc_thresh2) &&
++ time_after(now, READ_ONCE(tbl->last_flush) + 5 * HZ))) {
++ if (!neigh_forced_gc(tbl) && entries >= gc_thresh3) {
+ net_info_ratelimited("%s: neighbor table overflow!\n",
+ tbl->id);
+ NEIGH_CACHE_STAT_INC(tbl, table_fulls);
+@@ -955,13 +956,14 @@ static void neigh_periodic_work(struct work_struct *work)
+
+ if (time_after(jiffies, tbl->last_rand + 300 * HZ)) {
+ struct neigh_parms *p;
+- tbl->last_rand = jiffies;
++
++ WRITE_ONCE(tbl->last_rand, jiffies);
+ list_for_each_entry(p, &tbl->parms_list, list)
+ p->reachable_time =
+ neigh_rand_reach_time(NEIGH_VAR(p, BASE_REACHABLE_TIME));
+ }
+
+- if (atomic_read(&tbl->entries) < tbl->gc_thresh1)
++ if (atomic_read(&tbl->entries) < READ_ONCE(tbl->gc_thresh1))
+ goto out;
+
+ for (i = 0 ; i < (1 << nht->hash_shift); i++) {
+@@ -2157,15 +2159,16 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl,
+ ndtmsg->ndtm_pad2 = 0;
+
+ if (nla_put_string(skb, NDTA_NAME, tbl->id) ||
+- nla_put_msecs(skb, NDTA_GC_INTERVAL, tbl->gc_interval, NDTA_PAD) ||
+- nla_put_u32(skb, NDTA_THRESH1, tbl->gc_thresh1) ||
+- nla_put_u32(skb, NDTA_THRESH2, tbl->gc_thresh2) ||
+- nla_put_u32(skb, NDTA_THRESH3, tbl->gc_thresh3))
++ nla_put_msecs(skb, NDTA_GC_INTERVAL, READ_ONCE(tbl->gc_interval),
++ NDTA_PAD) ||
++ nla_put_u32(skb, NDTA_THRESH1, READ_ONCE(tbl->gc_thresh1)) ||
++ nla_put_u32(skb, NDTA_THRESH2, READ_ONCE(tbl->gc_thresh2)) ||
++ nla_put_u32(skb, NDTA_THRESH3, READ_ONCE(tbl->gc_thresh3)))
+ goto nla_put_failure;
+ {
+ unsigned long now = jiffies;
+- long flush_delta = now - tbl->last_flush;
+- long rand_delta = now - tbl->last_rand;
++ long flush_delta = now - READ_ONCE(tbl->last_flush);
++ long rand_delta = now - READ_ONCE(tbl->last_rand);
+ struct neigh_hash_table *nht;
+ struct ndt_config ndc = {
+ .ndtc_key_len = tbl->key_len,
+@@ -2173,7 +2176,7 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl,
+ .ndtc_entries = atomic_read(&tbl->entries),
+ .ndtc_last_flush = jiffies_to_msecs(flush_delta),
+ .ndtc_last_rand = jiffies_to_msecs(rand_delta),
+- .ndtc_proxy_qlen = tbl->proxy_queue.qlen,
++ .ndtc_proxy_qlen = READ_ONCE(tbl->proxy_queue.qlen),
+ };
+
+ rcu_read_lock();
+@@ -2196,17 +2199,17 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl,
+ struct neigh_statistics *st;
+
+ st = per_cpu_ptr(tbl->stats, cpu);
+- ndst.ndts_allocs += st->allocs;
+- ndst.ndts_destroys += st->destroys;
+- ndst.ndts_hash_grows += st->hash_grows;
+- ndst.ndts_res_failed += st->res_failed;
+- ndst.ndts_lookups += st->lookups;
+- ndst.ndts_hits += st->hits;
+- ndst.ndts_rcv_probes_mcast += st->rcv_probes_mcast;
+- ndst.ndts_rcv_probes_ucast += st->rcv_probes_ucast;
+- ndst.ndts_periodic_gc_runs += st->periodic_gc_runs;
+- ndst.ndts_forced_gc_runs += st->forced_gc_runs;
+- ndst.ndts_table_fulls += st->table_fulls;
++ ndst.ndts_allocs += READ_ONCE(st->allocs);
++ ndst.ndts_destroys += READ_ONCE(st->destroys);
++ ndst.ndts_hash_grows += READ_ONCE(st->hash_grows);
++ ndst.ndts_res_failed += READ_ONCE(st->res_failed);
++ ndst.ndts_lookups += READ_ONCE(st->lookups);
++ ndst.ndts_hits += READ_ONCE(st->hits);
++ ndst.ndts_rcv_probes_mcast += READ_ONCE(st->rcv_probes_mcast);
++ ndst.ndts_rcv_probes_ucast += READ_ONCE(st->rcv_probes_ucast);
++ ndst.ndts_periodic_gc_runs += READ_ONCE(st->periodic_gc_runs);
++ ndst.ndts_forced_gc_runs += READ_ONCE(st->forced_gc_runs);
++ ndst.ndts_table_fulls += READ_ONCE(st->table_fulls);
+ }
+
+ if (nla_put_64bit(skb, NDTA_STATS, sizeof(ndst), &ndst,
+@@ -2435,16 +2438,16 @@ static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh,
+ goto errout_tbl_lock;
+
+ if (tb[NDTA_THRESH1])
+- tbl->gc_thresh1 = nla_get_u32(tb[NDTA_THRESH1]);
++ WRITE_ONCE(tbl->gc_thresh1, nla_get_u32(tb[NDTA_THRESH1]));
+
+ if (tb[NDTA_THRESH2])
+- tbl->gc_thresh2 = nla_get_u32(tb[NDTA_THRESH2]);
++ WRITE_ONCE(tbl->gc_thresh2, nla_get_u32(tb[NDTA_THRESH2]));
+
+ if (tb[NDTA_THRESH3])
+- tbl->gc_thresh3 = nla_get_u32(tb[NDTA_THRESH3]);
++ WRITE_ONCE(tbl->gc_thresh3, nla_get_u32(tb[NDTA_THRESH3]));
+
+ if (tb[NDTA_GC_INTERVAL])
+- tbl->gc_interval = nla_get_msecs(tb[NDTA_GC_INTERVAL]);
++ WRITE_ONCE(tbl->gc_interval, nla_get_msecs(tb[NDTA_GC_INTERVAL]));
+
+ err = 0;
+
+--
+2.42.0
+
--- /dev/null
+From 826017a4ab72dddd30e6ec9f710c5b2028641983 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 09:20:53 +0300
+Subject: net: ethernet: adi: adin1110: Fix uninitialized variable
+
+From: Dell Jin <dell.jin.code@outlook.com>
+
+[ Upstream commit 965f9b8c0c1b37fa2a0e3ef56e40d5666d4cbb5c ]
+
+The spi_transfer struct has to have all it's fields initialized to 0 in
+this case, since not all of them are set before starting the transfer.
+Otherwise, spi_sync_transfer() will sometimes return an error.
+
+Fixes: a526a3cc9c8d ("net: ethernet: adi: adin1110: Fix SPI transfers")
+Signed-off-by: Dell Jin <dell.jin.code@outlook.com>
+Signed-off-by: Ciprian Regus <ciprian.regus@analog.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/adi/adin1110.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/adi/adin1110.c b/drivers/net/ethernet/adi/adin1110.c
+index ed2863ed6a5bb..7474afc0e8e73 100644
+--- a/drivers/net/ethernet/adi/adin1110.c
++++ b/drivers/net/ethernet/adi/adin1110.c
+@@ -294,7 +294,7 @@ static int adin1110_read_fifo(struct adin1110_port_priv *port_priv)
+ {
+ struct adin1110_priv *priv = port_priv->priv;
+ u32 header_len = ADIN1110_RD_HEADER_LEN;
+- struct spi_transfer t;
++ struct spi_transfer t = {0};
+ u32 frame_size_no_fcs;
+ struct sk_buff *rxb;
+ u32 frame_size;
+--
+2.42.0
+
--- /dev/null
+From c5b7ae96ed920d89c5e818544a54176f669b1e2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Oct 2023 20:03:53 +0200
+Subject: net: ieee802154: adf7242: Fix some potential buffer overflow in
+ adf7242_stats_show()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ca082f019d8fbb983f03080487946da714154bae ]
+
+strncat() usage in adf7242_debugfs_init() is wrong.
+The size given to strncat() is the maximum number of bytes that can be
+written, excluding the trailing NULL.
+
+Here, the size that is passed, DNAME_INLINE_LEN, does not take into account
+the size of "adf7242-" that is already in the array.
+
+In order to fix it, use snprintf() instead.
+
+Fixes: 7302b9d90117 ("ieee802154/adf7242: Driver for ADF7242 MAC IEEE802154")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/adf7242.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c
+index 5cf218c674a5a..32d92bdabd234 100644
+--- a/drivers/net/ieee802154/adf7242.c
++++ b/drivers/net/ieee802154/adf7242.c
+@@ -1162,9 +1162,10 @@ static int adf7242_stats_show(struct seq_file *file, void *offset)
+
+ static void adf7242_debugfs_init(struct adf7242_local *lp)
+ {
+- char debugfs_dir_name[DNAME_INLINE_LEN + 1] = "adf7242-";
++ char debugfs_dir_name[DNAME_INLINE_LEN + 1];
+
+- strncat(debugfs_dir_name, dev_name(&lp->spi->dev), DNAME_INLINE_LEN);
++ snprintf(debugfs_dir_name, sizeof(debugfs_dir_name),
++ "adf7242-%s", dev_name(&lp->spi->dev));
+
+ lp->debugfs_root = debugfs_create_dir(debugfs_dir_name, NULL);
+
+--
+2.42.0
+
--- /dev/null
+From b85a859a2339295d6e9afe0cd99350366794c7a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Oct 2023 02:03:44 +0900
+Subject: net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 51a32e828109b4a209efde44505baa356b37a4ce ]
+
+syzbot reported the following uninit-value access issue [1]:
+
+smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Failed to read reg index 0x00000030: -32
+smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Error reading E2P_CMD
+=====================================================
+BUG: KMSAN: uninit-value in smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896
+ smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896
+ smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131
+ usbnet_probe+0x100b/0x4060 drivers/net/usb/usbnet.c:1750
+ usb_probe_interface+0xc75/0x1210 drivers/usb/core/driver.c:396
+ really_probe+0x506/0xf40 drivers/base/dd.c:658
+ __driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800
+ driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830
+ __device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958
+ bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457
+ __device_attach+0x3bd/0x640 drivers/base/dd.c:1030
+ device_initial_probe+0x32/0x40 drivers/base/dd.c:1079
+ bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532
+ device_add+0x16ae/0x1f20 drivers/base/core.c:3622
+ usb_set_configuration+0x31c9/0x38c0 drivers/usb/core/message.c:2207
+ usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:238
+ usb_probe_device+0x290/0x4a0 drivers/usb/core/driver.c:293
+ really_probe+0x506/0xf40 drivers/base/dd.c:658
+ __driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800
+ driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830
+ __device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958
+ bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457
+ __device_attach+0x3bd/0x640 drivers/base/dd.c:1030
+ device_initial_probe+0x32/0x40 drivers/base/dd.c:1079
+ bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532
+ device_add+0x16ae/0x1f20 drivers/base/core.c:3622
+ usb_new_device+0x15f6/0x22f0 drivers/usb/core/hub.c:2589
+ hub_port_connect drivers/usb/core/hub.c:5440 [inline]
+ hub_port_connect_change drivers/usb/core/hub.c:5580 [inline]
+ port_event drivers/usb/core/hub.c:5740 [inline]
+ hub_event+0x53bc/0x7290 drivers/usb/core/hub.c:5822
+ process_one_work kernel/workqueue.c:2630 [inline]
+ process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2703
+ worker_thread+0xf45/0x1490 kernel/workqueue.c:2784
+ kthread+0x3e8/0x540 kernel/kthread.c:388
+ ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
+
+Local variable buf.i225 created at:
+ smsc95xx_read_reg drivers/net/usb/smsc95xx.c:90 [inline]
+ smsc95xx_reset+0x203/0x25f0 drivers/net/usb/smsc95xx.c:892
+ smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131
+
+CPU: 1 PID: 773 Comm: kworker/1:2 Not tainted 6.6.0-rc1-syzkaller-00125-ge42bebf6db29 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
+Workqueue: usb_hub_wq hub_event
+=====================================================
+
+Similar to e9c65989920f ("net: usb: smsc75xx: Fix uninit-value access in
+__smsc75xx_read_reg"), this issue is caused because usbnet_read_cmd() reads
+less bytes than requested (zero byte in the reproducer). In this case,
+'buf' is not properly filled.
+
+This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads
+less bytes than requested.
+
+sysbot reported similar uninit-value access issue [2]. The root cause is
+the same as mentioned above, and this patch addresses it as well.
+
+Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
+Reported-and-tested-by: syzbot+c74c24b43c9ae534f0e0@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+2c97a98a5ba9ea9c23bd@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c74c24b43c9ae534f0e0 [1]
+Closes: https://syzkaller.appspot.com/bug?extid=2c97a98a5ba9ea9c23bd [2]
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc95xx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index 17da42fe605c3..a530f20ee2575 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -95,7 +95,9 @@ static int __must_check smsc95xx_read_reg(struct usbnet *dev, u32 index,
+ ret = fn(dev, USB_VENDOR_REQUEST_READ_REGISTER, USB_DIR_IN
+ | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 0, index, &buf, 4);
+- if (ret < 0) {
++ if (ret < 4) {
++ ret = ret < 0 ? ret : -ENODATA;
++
+ if (ret != -ENODEV)
+ netdev_warn(dev->net, "Failed to read reg index 0x%08x: %d\n",
+ index, ret);
+--
+2.42.0
+
--- /dev/null
+From 05f480069e3c3ff81b7d3c4062c6c078c20bc433 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 14:06:54 -0700
+Subject: r8152: Cancel hw_phy_work if we have an error in probe
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit bb8adff9123e492598162ac1baad01a53891aef6 ]
+
+The error handling in rtl8152_probe() is missing a call to cancel the
+hw_phy_work. Add it in to match what's in the cleanup code in
+rtl8152_disconnect().
+
+Fixes: a028a9e003f2 ("r8152: move the settings of PHY to a work queue")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Grant Grundler <grundler@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 3cc8e324c5c6c..fb9c1f3f6e5a4 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -9826,6 +9826,7 @@ static int rtl8152_probe(struct usb_interface *intf,
+
+ out1:
+ tasklet_kill(&tp->tx_tl);
++ cancel_delayed_work_sync(&tp->hw_phy_work);
+ if (tp->rtl_ops.unload)
+ tp->rtl_ops.unload(tp);
+ usb_set_intfdata(intf, NULL);
+--
+2.42.0
+
--- /dev/null
+From 36092c6c2055b8f0544eea0a6a2b9735cfe08f97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 14:06:52 -0700
+Subject: r8152: Increase USB control msg timeout to 5000ms as per spec
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit a5feba71ec9c14a54c3babdc732c5b6866d8ee43 ]
+
+According to the comment next to USB_CTRL_GET_TIMEOUT and
+USB_CTRL_SET_TIMEOUT, although sending/receiving control messages is
+usually quite fast, the spec allows them to take up to 5 seconds.
+Let's increase the timeout in the Realtek driver from 500ms to 5000ms
+(using the #defines) to account for this.
+
+This is not just a theoretical change. The need for the longer timeout
+was seen in testing. Specifically, if you drop a sc7180-trogdor based
+Chromebook into the kdb debugger and then "go" again after sitting in
+the debugger for a while, the next USB control message takes a long
+time. Out of ~40 tests the slowest USB control message was 4.5
+seconds.
+
+While dropping into kdb is not exactly an end-user scenario, the above
+is similar to what could happen due to an temporary interrupt storm,
+what could happen if there was a host controller (HW or SW) issue, or
+what could happen if the Realtek device got into a confused state and
+needed time to recover.
+
+This change is fairly critical since the r8152 driver in Linux doesn't
+expect register reads/writes (which are backed by USB control
+messages) to fail.
+
+Fixes: ac718b69301c ("net/usb: new driver for RTL8152")
+Suggested-by: Hayes Wang <hayeswang@realtek.com>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Grant Grundler <grundler@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index fc1458f96e170..4c90f7053171c 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -1211,7 +1211,7 @@ int get_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data)
+
+ ret = usb_control_msg(tp->udev, tp->pipe_ctrl_in,
+ RTL8152_REQ_GET_REGS, RTL8152_REQT_READ,
+- value, index, tmp, size, 500);
++ value, index, tmp, size, USB_CTRL_GET_TIMEOUT);
+ if (ret < 0)
+ memset(data, 0xff, size);
+ else
+@@ -1234,7 +1234,7 @@ int set_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data)
+
+ ret = usb_control_msg(tp->udev, tp->pipe_ctrl_out,
+ RTL8152_REQ_SET_REGS, RTL8152_REQT_WRITE,
+- value, index, tmp, size, 500);
++ value, index, tmp, size, USB_CTRL_SET_TIMEOUT);
+
+ kfree(tmp);
+
+@@ -9549,7 +9549,8 @@ u8 rtl8152_get_version(struct usb_interface *intf)
+
+ ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
+ RTL8152_REQ_GET_REGS, RTL8152_REQT_READ,
+- PLA_TCR0, MCU_TYPE_PLA, tmp, sizeof(*tmp), 500);
++ PLA_TCR0, MCU_TYPE_PLA, tmp, sizeof(*tmp),
++ USB_CTRL_GET_TIMEOUT);
+ if (ret > 0)
+ ocp_data = (__le32_to_cpu(*tmp) >> 16) & VERSION_MASK;
+
+--
+2.42.0
+
--- /dev/null
+From c6d2e07bd5d4fbee44dfb1d5a9a615d546e6cfae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 14:06:55 -0700
+Subject: r8152: Release firmware if we have an error in probe
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit b8d35024d4059ca550cba11ac9ab23a6c238d929 ]
+
+The error handling in rtl8152_probe() is missing a call to release
+firmware. Add it in to match what's in the cleanup code in
+rtl8152_disconnect().
+
+Fixes: 9370f2d05a2a ("r8152: support request_firmware for RTL8153")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Grant Grundler <grundler@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index fb9c1f3f6e5a4..c34974f7dfd26 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -9829,6 +9829,7 @@ static int rtl8152_probe(struct usb_interface *intf,
+ cancel_delayed_work_sync(&tp->hw_phy_work);
+ if (tp->rtl_ops.unload)
+ tp->rtl_ops.unload(tp);
++ rtl8152_release_firmware(tp);
+ usb_set_intfdata(intf, NULL);
+ out:
+ free_netdev(netdev);
+--
+2.42.0
+
--- /dev/null
+From fd8d5a896f2f016138b87c5d2a5228c082e390f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 14:06:53 -0700
+Subject: r8152: Run the unload routine if we have errors during probe
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 5dd17689526971c5ae12bc8398f34bd68cd0499e ]
+
+The rtl8152_probe() function lacks a call to the chip-specific
+unload() routine when it sees an error in probe. Add it in to match
+the cleanup code in rtl8152_disconnect().
+
+Fixes: ac718b69301c ("net/usb: new driver for RTL8152")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Grant Grundler <grundler@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 4c90f7053171c..3cc8e324c5c6c 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -9826,6 +9826,8 @@ static int rtl8152_probe(struct usb_interface *intf,
+
+ out1:
+ tasklet_kill(&tp->tx_tl);
++ if (tp->rtl_ops.unload)
++ tp->rtl_ops.unload(tp);
+ usb_set_intfdata(intf, NULL);
+ out:
+ free_netdev(netdev);
+--
+2.42.0
+
--- /dev/null
+From 344cbd3142941572a9ebcc0648fa0038a0fa94e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Oct 2023 21:34:38 +0200
+Subject: r8169: fix the KCSAN reported data race in rtl_rx while reading
+ desc->opts1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+
+[ Upstream commit f97eee484e71890131f9c563c5cc6d5a69e4308d ]
+
+KCSAN reported the following data-race bug:
+
+==================================================================
+BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169
+
+race at unknown origin, with read to 0xffff888117e43510 of 4 bytes by interrupt on cpu 21:
+rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169
+__napi_poll (net/core/dev.c:6527)
+net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727)
+__do_softirq (kernel/softirq.c:553)
+__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632)
+irq_exit_rcu (kernel/softirq.c:647)
+sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14))
+asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645)
+cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291)
+cpuidle_enter (drivers/cpuidle/cpuidle.c:390)
+call_cpuidle (kernel/sched/idle.c:135)
+do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282)
+cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1))
+start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294)
+secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433)
+
+value changed: 0x80003fff -> 0x3402805f
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41
+Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023
+==================================================================
+
+drivers/net/ethernet/realtek/r8169_main.c:
+==========================================
+ 4429
+ → 4430 status = le32_to_cpu(desc->opts1);
+ 4431 if (status & DescOwn)
+ 4432 break;
+ 4433
+ 4434 /* This barrier is needed to keep us from reading
+ 4435 * any other fields out of the Rx descriptor until
+ 4436 * we know the status of DescOwn
+ 4437 */
+ 4438 dma_rmb();
+ 4439
+ 4440 if (unlikely(status & RxRES)) {
+ 4441 if (net_ratelimit())
+ 4442 netdev_warn(dev, "Rx ERROR. status = %08x\n",
+
+Marco Elver explained that dma_rmb() doesn't prevent the compiler to tear up the access to
+desc->opts1 which can be written to concurrently. READ_ONCE() should prevent that from
+happening:
+
+ 4429
+ → 4430 status = le32_to_cpu(READ_ONCE(desc->opts1));
+ 4431 if (status & DescOwn)
+ 4432 break;
+ 4433
+
+As the consequence of this fix, this KCSAN warning was eliminated.
+
+Fixes: 6202806e7c03a ("r8169: drop member opts1_mask from struct rtl8169_private")
+Suggested-by: Marco Elver <elver@google.com>
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Cc: nic_swsd@realtek.com
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: netdev@vger.kernel.org
+Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/
+Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Acked-by: Marco Elver <elver@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index f677f625a4939..80b6079b8a8e3 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -4413,7 +4413,7 @@ static int rtl_rx(struct net_device *dev, struct rtl8169_private *tp, int budget
+ dma_addr_t addr;
+ u32 status;
+
+- status = le32_to_cpu(desc->opts1);
++ status = le32_to_cpu(READ_ONCE(desc->opts1));
+ if (status & DescOwn)
+ break;
+
+--
+2.42.0
+
--- /dev/null
+From 573bf9bc69c25f29f60837cb303f204ed064e2ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Oct 2023 21:34:34 +0200
+Subject: r8169: fix the KCSAN reported data-race in rtl_tx() while reading
+ tp->cur_tx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+
+[ Upstream commit c1c0ce31b2420d5c173228a2132a492ede03d81f ]
+
+KCSAN reported the following data-race:
+
+==================================================================
+BUG: KCSAN: data-race in rtl8169_poll [r8169] / rtl8169_start_xmit [r8169]
+
+write (marked) to 0xffff888102474b74 of 4 bytes by task 5358 on cpu 29:
+rtl8169_start_xmit (drivers/net/ethernet/realtek/r8169_main.c:4254) r8169
+dev_hard_start_xmit (./include/linux/netdevice.h:4889 ./include/linux/netdevice.h:4903 net/core/dev.c:3544 net/core/dev.c:3560)
+sch_direct_xmit (net/sched/sch_generic.c:342)
+__dev_queue_xmit (net/core/dev.c:3817 net/core/dev.c:4306)
+ip_finish_output2 (./include/linux/netdevice.h:3082 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv4/ip_output.c:233)
+__ip_finish_output (net/ipv4/ip_output.c:311 net/ipv4/ip_output.c:293)
+ip_finish_output (net/ipv4/ip_output.c:328)
+ip_output (net/ipv4/ip_output.c:435)
+ip_send_skb (./include/net/dst.h:458 net/ipv4/ip_output.c:127 net/ipv4/ip_output.c:1486)
+udp_send_skb (net/ipv4/udp.c:963)
+udp_sendmsg (net/ipv4/udp.c:1246)
+inet_sendmsg (net/ipv4/af_inet.c:840 (discriminator 4))
+sock_sendmsg (net/socket.c:730 net/socket.c:753)
+__sys_sendto (net/socket.c:2177)
+__x64_sys_sendto (net/socket.c:2185)
+do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
+entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+
+read to 0xffff888102474b74 of 4 bytes by interrupt on cpu 21:
+rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4397 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169
+__napi_poll (net/core/dev.c:6527)
+net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727)
+__do_softirq (kernel/softirq.c:553)
+__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632)
+irq_exit_rcu (kernel/softirq.c:647)
+common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14))
+asm_common_interrupt (./arch/x86/include/asm/idtentry.h:636)
+cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291)
+cpuidle_enter (drivers/cpuidle/cpuidle.c:390)
+call_cpuidle (kernel/sched/idle.c:135)
+do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282)
+cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1))
+start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294)
+secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433)
+
+value changed: 0x002f4815 -> 0x002f4816
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41
+Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023
+==================================================================
+
+The write side of drivers/net/ethernet/realtek/r8169_main.c is:
+==================
+ 4251 /* rtl_tx needs to see descriptor changes before updated tp->cur_tx */
+ 4252 smp_wmb();
+ 4253
+ → 4254 WRITE_ONCE(tp->cur_tx, tp->cur_tx + frags + 1);
+ 4255
+ 4256 stop_queue = !netif_subqueue_maybe_stop(dev, 0, rtl_tx_slots_avail(tp),
+ 4257 R8169_TX_STOP_THRS,
+ 4258 R8169_TX_START_THRS);
+
+The read side is the function rtl_tx():
+
+ 4355 static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp,
+ 4356 int budget)
+ 4357 {
+ 4358 unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0;
+ 4359 struct sk_buff *skb;
+ 4360
+ 4361 dirty_tx = tp->dirty_tx;
+ 4362
+ 4363 while (READ_ONCE(tp->cur_tx) != dirty_tx) {
+ 4364 unsigned int entry = dirty_tx % NUM_TX_DESC;
+ 4365 u32 status;
+ 4366
+ 4367 status = le32_to_cpu(tp->TxDescArray[entry].opts1);
+ 4368 if (status & DescOwn)
+ 4369 break;
+ 4370
+ 4371 skb = tp->tx_skb[entry].skb;
+ 4372 rtl8169_unmap_tx_skb(tp, entry);
+ 4373
+ 4374 if (skb) {
+ 4375 pkts_compl++;
+ 4376 bytes_compl += skb->len;
+ 4377 napi_consume_skb(skb, budget);
+ 4378 }
+ 4379 dirty_tx++;
+ 4380 }
+ 4381
+ 4382 if (tp->dirty_tx != dirty_tx) {
+ 4383 dev_sw_netstats_tx_add(dev, pkts_compl, bytes_compl);
+ 4384 WRITE_ONCE(tp->dirty_tx, dirty_tx);
+ 4385
+ 4386 netif_subqueue_completed_wake(dev, 0, pkts_compl, bytes_compl,
+ 4387 rtl_tx_slots_avail(tp),
+ 4388 R8169_TX_START_THRS);
+ 4389 /*
+ 4390 * 8168 hack: TxPoll requests are lost when the Tx packets are
+ 4391 * too close. Let's kick an extra TxPoll request when a burst
+ 4392 * of start_xmit activity is detected (if it is not detected,
+ 4393 * it is slow enough). -- FR
+ 4394 * If skb is NULL then we come here again once a tx irq is
+ 4395 * triggered after the last fragment is marked transmitted.
+ 4396 */
+ → 4397 if (tp->cur_tx != dirty_tx && skb)
+ 4398 rtl8169_doorbell(tp);
+ 4399 }
+ 4400 }
+
+Obviously from the code, an earlier detected data-race for tp->cur_tx was fixed in the
+line 4363:
+
+ 4363 while (READ_ONCE(tp->cur_tx) != dirty_tx) {
+
+but the same solution is required for protecting the other access to tp->cur_tx:
+
+ → 4397 if (READ_ONCE(tp->cur_tx) != dirty_tx && skb)
+ 4398 rtl8169_doorbell(tp);
+
+The write in the line 4254 is protected with WRITE_ONCE(), but the read in the line 4397
+might have suffered read tearing under some compiler optimisations.
+
+The fix eliminated the KCSAN data-race report for this bug.
+
+It is yet to be evaluated what happens if tp->cur_tx changes between the test in line 4363
+and line 4397. This test should certainly not be cached by the compiler in some register
+for such a long time, while asynchronous writes to tp->cur_tx might have occurred in line
+4254 in the meantime.
+
+Fixes: 94d8a98e6235c ("r8169: reduce number of workaround doorbell rings")
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Cc: nic_swsd@realtek.com
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Marco Elver <elver@google.com>
+Cc: netdev@vger.kernel.org
+Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/
+Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Acked-by: Marco Elver <elver@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index a9a0dca0c0305..5288daaf59b5b 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -4380,7 +4380,7 @@ static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp,
+ * If skb is NULL then we come here again once a tx irq is
+ * triggered after the last fragment is marked transmitted.
+ */
+- if (tp->cur_tx != dirty_tx && skb)
++ if (READ_ONCE(tp->cur_tx) != dirty_tx && skb)
+ rtl8169_doorbell(tp);
+ }
+ }
+--
+2.42.0
+
--- /dev/null
+From 187d6e811b0da6a74a8c76d6a631b7d331313a6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Oct 2023 21:34:36 +0200
+Subject: r8169: fix the KCSAN reported data-race in rtl_tx while reading
+ TxDescArray[entry].opts1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+
+[ Upstream commit dcf75a0f6bc136de94e88178ae5f51b7f879abc9 ]
+
+KCSAN reported the following data-race:
+
+==================================================================
+BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169
+
+race at unknown origin, with read to 0xffff888140d37570 of 4 bytes by interrupt on cpu 21:
+rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169
+__napi_poll (net/core/dev.c:6527)
+net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727)
+__do_softirq (kernel/softirq.c:553)
+__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632)
+irq_exit_rcu (kernel/softirq.c:647)
+sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14))
+asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645)
+cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291)
+cpuidle_enter (drivers/cpuidle/cpuidle.c:390)
+call_cpuidle (kernel/sched/idle.c:135)
+do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282)
+cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1))
+start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294)
+secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433)
+
+value changed: 0xb0000042 -> 0x00000000
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41
+Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023
+==================================================================
+
+The read side is in
+
+drivers/net/ethernet/realtek/r8169_main.c
+=========================================
+ 4355 static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp,
+ 4356 int budget)
+ 4357 {
+ 4358 unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0;
+ 4359 struct sk_buff *skb;
+ 4360
+ 4361 dirty_tx = tp->dirty_tx;
+ 4362
+ 4363 while (READ_ONCE(tp->cur_tx) != dirty_tx) {
+ 4364 unsigned int entry = dirty_tx % NUM_TX_DESC;
+ 4365 u32 status;
+ 4366
+ → 4367 status = le32_to_cpu(tp->TxDescArray[entry].opts1);
+ 4368 if (status & DescOwn)
+ 4369 break;
+ 4370
+ 4371 skb = tp->tx_skb[entry].skb;
+ 4372 rtl8169_unmap_tx_skb(tp, entry);
+ 4373
+ 4374 if (skb) {
+ 4375 pkts_compl++;
+ 4376 bytes_compl += skb->len;
+ 4377 napi_consume_skb(skb, budget);
+ 4378 }
+ 4379 dirty_tx++;
+ 4380 }
+ 4381
+ 4382 if (tp->dirty_tx != dirty_tx) {
+ 4383 dev_sw_netstats_tx_add(dev, pkts_compl, bytes_compl);
+ 4384 WRITE_ONCE(tp->dirty_tx, dirty_tx);
+ 4385
+ 4386 netif_subqueue_completed_wake(dev, 0, pkts_compl, bytes_compl,
+ 4387 rtl_tx_slots_avail(tp),
+ 4388 R8169_TX_START_THRS);
+ 4389 /*
+ 4390 * 8168 hack: TxPoll requests are lost when the Tx packets are
+ 4391 * too close. Let's kick an extra TxPoll request when a burst
+ 4392 * of start_xmit activity is detected (if it is not detected,
+ 4393 * it is slow enough). -- FR
+ 4394 * If skb is NULL then we come here again once a tx irq is
+ 4395 * triggered after the last fragment is marked transmitted.
+ 4396 */
+ 4397 if (READ_ONCE(tp->cur_tx) != dirty_tx && skb)
+ 4398 rtl8169_doorbell(tp);
+ 4399 }
+ 4400 }
+
+tp->TxDescArray[entry].opts1 is reported to have a data-race and READ_ONCE() fixes
+this KCSAN warning.
+
+ 4366
+ → 4367 status = le32_to_cpu(READ_ONCE(tp->TxDescArray[entry].opts1));
+ 4368 if (status & DescOwn)
+ 4369 break;
+ 4370
+
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Cc: nic_swsd@realtek.com
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Marco Elver <elver@google.com>
+Cc: netdev@vger.kernel.org
+Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/
+Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Acked-by: Marco Elver <elver@google.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index 5288daaf59b5b..f677f625a4939 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -4343,7 +4343,7 @@ static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp,
+ unsigned int entry = dirty_tx % NUM_TX_DESC;
+ u32 status;
+
+- status = le32_to_cpu(tp->TxDescArray[entry].opts1);
++ status = le32_to_cpu(READ_ONCE(tp->TxDescArray[entry].opts1));
+ if (status & DescOwn)
+ break;
+
+--
+2.42.0
+
drm-i915-pmu-check-if-pmu-is-closed-before-stopping-event.patch
drm-amd-disable-aspm-for-vi-w-all-intel-systems.patch
drm-dp_mst-fix-null-deref-in-get_mst_branch_device_by_guid_helper.patch
+arm-omap-timer32k-fix-all-kernel-doc-warnings.patch
+firmware-imx-dsp-fix-use_after_free-in-imx_dsp_setup.patch
+clk-ti-fix-missing-omap4-mcbsp-functional-clock-and-.patch
+clk-ti-fix-missing-omap5-mcbsp-functional-clock-and-.patch
+arm64-dts-rockchip-add-i2s0-2ch-bus-bclk-off-pins-to.patch
+r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch
+r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch-18717
+r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch
+iavf-initialize-waitqueues-before-starting-watchdog_.patch
+i40e-fix-i40e_flag_vf_vlan_pruning-value.patch
+treewide-spelling-fix-in-comment.patch
+igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch
+neighbour-fix-various-data-races.patch
+igc-fix-ambiguity-in-the-ethtool-advertising.patch
+net-ethernet-adi-adin1110-fix-uninitialized-variable.patch
+net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch
+net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch
+r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch
+r8152-run-the-unload-routine-if-we-have-errors-durin.patch
+r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch
+r8152-release-firmware-if-we-have-an-error-in-probe.patch
+tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch
+gtp-uapi-fix-gtpa_max.patch
+gtp-fix-fragmentation-needed-check-with-gso.patch
+i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch
+drm-logicvc-kconfig-select-regmap-and-regmap_mmio.patch
+iavf-in-iavf_down-disable-queues-when-removing-the-d.patch
--- /dev/null
+From 423dbb654744d1619e6dc78efd623f5ddb53b74a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Oct 2023 08:19:47 +0800
+Subject: tcp: fix wrong RTO timeout when received SACK reneging
+
+From: Fred Chen <fred.chenchen03@gmail.com>
+
+[ Upstream commit d2a0fc372aca561556e765d0a9ec365c7c12f0ad ]
+
+This commit fix wrong RTO timeout when received SACK reneging.
+
+When an ACK arrived pointing to a SACK reneging, tcp_check_sack_reneging()
+will rearm the RTO timer for min(1/2*srtt, 10ms) into to the future.
+
+But since the commit 62d9f1a6945b ("tcp: fix TLP timer not set when
+CA_STATE changes from DISORDER to OPEN") merged, the tcp_set_xmit_timer()
+is moved after tcp_fastretrans_alert()(which do the SACK reneging check),
+so the RTO timeout will be overwrited by tcp_set_xmit_timer() with
+icsk_rto instead of 1/2*srtt.
+
+Here is a packetdrill script to check this bug:
+0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
++0 bind(3, ..., ...) = 0
++0 listen(3, 1) = 0
+
+// simulate srtt to 100ms
++0 < S 0:0(0) win 32792 <mss 1000, sackOK,nop,nop,nop,wscale 7>
++0 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 7>
++.1 < . 1:1(0) ack 1 win 1024
+
++0 accept(3, ..., ...) = 4
+
++0 write(4, ..., 10000) = 10000
++0 > P. 1:10001(10000) ack 1
+
+// inject sack
++.1 < . 1:1(0) ack 1 win 257 <sack 1001:10001,nop,nop>
++0 > . 1:1001(1000) ack 1
+
+// inject sack reneging
++.1 < . 1:1(0) ack 1001 win 257 <sack 9001:10001,nop,nop>
+
+// we expect rto fired in 1/2*srtt (50ms)
++.05 > . 1001:2001(1000) ack 1
+
+This fix remove the FLAG_SET_XMIT_TIMER from ack_flag when
+tcp_check_sack_reneging() set RTO timer with 1/2*srtt to avoid
+being overwrited later.
+
+Fixes: 62d9f1a6945b ("tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN")
+Signed-off-by: Fred Chen <fred.chenchen03@gmail.com>
+Reviewed-by: Neal Cardwell <ncardwell@google.com>
+Tested-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 068221e742425..d63942202493d 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -2202,16 +2202,17 @@ void tcp_enter_loss(struct sock *sk)
+ * restore sanity to the SACK scoreboard. If the apparent reneging
+ * persists until this RTO then we'll clear the SACK scoreboard.
+ */
+-static bool tcp_check_sack_reneging(struct sock *sk, int flag)
++static bool tcp_check_sack_reneging(struct sock *sk, int *ack_flag)
+ {
+- if (flag & FLAG_SACK_RENEGING &&
+- flag & FLAG_SND_UNA_ADVANCED) {
++ if (*ack_flag & FLAG_SACK_RENEGING &&
++ *ack_flag & FLAG_SND_UNA_ADVANCED) {
+ struct tcp_sock *tp = tcp_sk(sk);
+ unsigned long delay = max(usecs_to_jiffies(tp->srtt_us >> 4),
+ msecs_to_jiffies(10));
+
+ inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
+ delay, TCP_RTO_MAX);
++ *ack_flag &= ~FLAG_SET_XMIT_TIMER;
+ return true;
+ }
+ return false;
+@@ -2981,7 +2982,7 @@ static void tcp_fastretrans_alert(struct sock *sk, const u32 prior_snd_una,
+ tp->prior_ssthresh = 0;
+
+ /* B. In all the states check for reneging SACKs. */
+- if (tcp_check_sack_reneging(sk, flag))
++ if (tcp_check_sack_reneging(sk, ack_flag))
+ return;
+
+ /* C. Check consistency of the current state. */
+--
+2.42.0
+
--- /dev/null
+From e0e1918c728fa018dfad9bf59cf79baec1b2dbf1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 17:31:56 +0800
+Subject: treewide: Spelling fix in comment
+
+From: Kunwu Chan <chentao@kylinos.cn>
+
+[ Upstream commit fb71ba0ed8be9534493c80ba00142a64d9972a72 ]
+
+reques -> request
+
+Fixes: 09dde54c6a69 ("PS3: gelic: Add wireless support for PS3")
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/toshiba/ps3_gelic_wireless.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c b/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c
+index dc14a66583ff3..44488c153ea25 100644
+--- a/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c
++++ b/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c
+@@ -1217,7 +1217,7 @@ static int gelic_wl_set_encodeext(struct net_device *netdev,
+ key_index = wl->current_key;
+
+ if (!enc->length && (ext->ext_flags & IW_ENCODE_EXT_SET_TX_KEY)) {
+- /* reques to change default key index */
++ /* request to change default key index */
+ pr_debug("%s: request to change default key to %d\n",
+ __func__, key_index);
+ wl->current_key = key_index;
+--
+2.42.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
