--- /dev/null
+From f186f8c26762ceca7fd9a3f2de436c9d8132c5c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jan 2023 00:22:59 -0800
+Subject: ALSA: hda/via: Avoid potential array out-of-bound in
+ add_secret_dac_path()
+
+From: Artemii Karasev <karasev@ispras.ru>
+
+[ Upstream commit b9cee506da2b7920b5ea02ccd8e78a907d0ee7aa ]
+
+snd_hda_get_connections() can return a negative error code.
+It may lead to accessing 'conn' array at a negative index.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Artemii Karasev <karasev@ispras.ru>
+Fixes: 30b4503378c9 ("ALSA: hda - Expose secret DAC-AA connection of some VIA codecs")
+Link: https://lore.kernel.org/r/20230119082259.3634-1-karasev@ispras.ru
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_via.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/pci/hda/patch_via.c b/sound/pci/hda/patch_via.c
+index a188901a83bb..29abc96dc146 100644
+--- a/sound/pci/hda/patch_via.c
++++ b/sound/pci/hda/patch_via.c
+@@ -821,6 +821,9 @@ static int add_secret_dac_path(struct hda_codec *codec)
+ return 0;
+ nums = snd_hda_get_connections(codec, spec->gen.mixer_nid, conn,
+ ARRAY_SIZE(conn) - 1);
++ if (nums < 0)
++ return nums;
++
+ for (i = 0; i < nums; i++) {
+ if (get_wcaps_type(get_wcaps(codec, conn[i])) == AC_WID_AUD_OUT)
+ return 0;
+--
+2.39.0
+
--- /dev/null
+From b67b7ef3b1498bdf6bfb648752d1a63ff4477c72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Jan 2023 22:35:03 +0100
+Subject: arm64: dts: imx8mm: Fix pad control for UART1_DTE_RX
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pierluigi Passaro <pierluigi.p@variscite.com>
+
+[ Upstream commit 47123900f3e4a7f769631d6ec15abf44086276f6 ]
+
+According section
+ 8.2.5.313 Select Input Register (IOMUXC_UART1_RXD_SELECT_INPUT)
+of
+ i.MX 8M Mini Applications Processor Reference Manual, Rev. 3, 11/2020
+the required setting for this specific pin configuration is "1"
+
+Signed-off-by: Pierluigi Passaro <pierluigi.p@variscite.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Fixes: c1c9d41319c3 ("dt-bindings: imx: Add pinctrl binding doc for imx8mm")
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h b/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h
+index a003e6af3353..56271abfb7e0 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h
++++ b/arch/arm64/boot/dts/freescale/imx8mm-pinfunc.h
+@@ -601,7 +601,7 @@
+ #define MX8MM_IOMUXC_UART1_RXD_GPIO5_IO22 0x234 0x49C 0x000 0x5 0x0
+ #define MX8MM_IOMUXC_UART1_RXD_TPSMP_HDATA24 0x234 0x49C 0x000 0x7 0x0
+ #define MX8MM_IOMUXC_UART1_TXD_UART1_DCE_TX 0x238 0x4A0 0x000 0x0 0x0
+-#define MX8MM_IOMUXC_UART1_TXD_UART1_DTE_RX 0x238 0x4A0 0x4F4 0x0 0x0
++#define MX8MM_IOMUXC_UART1_TXD_UART1_DTE_RX 0x238 0x4A0 0x4F4 0x0 0x1
+ #define MX8MM_IOMUXC_UART1_TXD_ECSPI3_MOSI 0x238 0x4A0 0x000 0x1 0x0
+ #define MX8MM_IOMUXC_UART1_TXD_GPIO5_IO23 0x238 0x4A0 0x000 0x5 0x0
+ #define MX8MM_IOMUXC_UART1_TXD_TPSMP_HDATA25 0x238 0x4A0 0x000 0x7 0x0
+--
+2.39.0
+
--- /dev/null
+From fd1f8f519120ec06fd5aed93146284dfbdf9b3da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jan 2023 12:27:41 +0900
+Subject: ata: libata: Fix sata_down_spd_limit() when no link speed is reported
+
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+
+[ Upstream commit 69f2c9346313ba3d3dfa4091ff99df26c67c9021 ]
+
+Commit 2dc0b46b5ea3 ("libata: sata_down_spd_limit should return if
+driver has not recorded sstatus speed") changed the behavior of
+sata_down_spd_limit() to return doing nothing if a drive does not report
+a current link speed, to avoid reducing the link speed to the lowest 1.5
+Gbps speed.
+
+However, the change assumed that a speed was recorded before probing
+(e.g. before a suspend/resume) and set in link->sata_spd. This causes
+problems with adapters/drives combination failing to establish a link
+speed during probe autonegotiation. One example reported of this problem
+is an mvebu adapter with a 3Gbps port-multiplier box: autonegotiation
+fails, leaving no recorded link speed and no reported current link
+speed. Probe retries also fail as no action is taken by sata_set_spd()
+after each retry.
+
+Fix this by returning early in sata_down_spd_limit() only if we do have
+a recorded link speed, that is, if link->sata_spd is not 0. With this
+fix, a failed probe not leading to a recorded link speed is retried at
+the lower 1.5 Gbps speed, with the link speed potentially increased
+later on the second revalidate of the device if the device reports
+that it supports higher link speeds.
+
+Reported-by: Marius Dinu <marius@psihoexpert.ro>
+Fixes: 2dc0b46b5ea3 ("libata: sata_down_spd_limit should return if driver has not recorded sstatus speed")
+Reviewed-by: Niklas Cassel <niklas.cassel@wdc.com>
+Tested-by: Marius Dinu <marius@psihoexpert.ro>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index d13474c6d181..14150767be44 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -3051,7 +3051,7 @@ int sata_down_spd_limit(struct ata_link *link, u32 spd_limit)
+ */
+ if (spd > 1)
+ mask &= (1 << (spd - 1)) - 1;
+- else
++ else if (link->sata_spd)
+ return -EINVAL;
+
+ /* were we already at the bottom? */
+--
+2.39.0
+
--- /dev/null
+From 17e35b959653408ddccee2f9eccbbcc5b02cb79b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jan 2023 12:48:15 -0800
+Subject: bpf: Fix a possible task gone issue with bpf_send_signal[_thread]()
+ helpers
+
+From: Yonghong Song <yhs@fb.com>
+
+[ Upstream commit bdb7fdb0aca8b96cef9995d3a57e251c2289322f ]
+
+In current bpf_send_signal() and bpf_send_signal_thread() helper
+implementation, irq_work is used to handle nmi context. Hao Sun
+reported in [1] that the current task at the entry of the helper
+might be gone during irq_work callback processing. To fix the issue,
+a reference is acquired for the current task before enqueuing into
+the irq_work so that the queued task is still available during
+irq_work callback processing.
+
+ [1] https://lore.kernel.org/bpf/20230109074425.12556-1-sunhao.th@gmail.com/
+
+Fixes: 8b401f9ed244 ("bpf: implement bpf_send_signal() helper")
+Tested-by: Hao Sun <sunhao.th@gmail.com>
+Reported-by: Hao Sun <sunhao.th@gmail.com>
+Signed-off-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/r/20230118204815.3331855-1-yhs@fb.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/bpf_trace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index ab4f51716645..94e51d36fb49 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -1055,6 +1055,7 @@ static void do_bpf_send_signal(struct irq_work *entry)
+
+ work = container_of(entry, struct send_signal_irq_work, irq_work);
+ group_send_sig_info(work->sig, SEND_SIG_PRIV, work->task, work->type);
++ put_task_struct(work->task);
+ }
+
+ static int bpf_send_signal_common(u32 sig, enum pid_type type)
+@@ -1091,7 +1092,7 @@ static int bpf_send_signal_common(u32 sig, enum pid_type type)
+ * to the irq_work. The current task may change when queued
+ * irq works get executed.
+ */
+- work->task = current;
++ work->task = get_task_struct(current);
+ work->sig = sig;
+ work->type = type;
+ irq_work_queue(&work->irq_work);
+--
+2.39.0
+
--- /dev/null
+From 2f0d81fb6b7427579be45769fa785720234985f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jan 2023 16:22:13 +0200
+Subject: bpf: Fix to preserve reg parent/live fields when copying range info
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit 71f656a50176915d6813751188b5758daa8d012b ]
+
+Register range information is copied in several places. The intent is
+to transfer range/id information from one register/stack spill to
+another. Currently this is done using direct register assignment, e.g.:
+
+static void find_equal_scalars(..., struct bpf_reg_state *known_reg)
+{
+ ...
+ struct bpf_reg_state *reg;
+ ...
+ *reg = *known_reg;
+ ...
+}
+
+However, such assignments also copy the following bpf_reg_state fields:
+
+struct bpf_reg_state {
+ ...
+ struct bpf_reg_state *parent;
+ ...
+ enum bpf_reg_liveness live;
+ ...
+};
+
+Copying of these fields is accidental and incorrect, as could be
+demonstrated by the following example:
+
+ 0: call ktime_get_ns()
+ 1: r6 = r0
+ 2: call ktime_get_ns()
+ 3: r7 = r0
+ 4: if r0 > r6 goto +1 ; r0 & r6 are unbound thus generated
+ ; branch states are identical
+ 5: *(u64 *)(r10 - 8) = 0xdeadbeef ; 64-bit write to fp[-8]
+ --- checkpoint ---
+ 6: r1 = 42 ; r1 marked as written
+ 7: *(u8 *)(r10 - 8) = r1 ; 8-bit write, fp[-8] parent & live
+ ; overwritten
+ 8: r2 = *(u64 *)(r10 - 8)
+ 9: r0 = 0
+ 10: exit
+
+This example is unsafe because 64-bit write to fp[-8] at (5) is
+conditional, thus not all bytes of fp[-8] are guaranteed to be set
+when it is read at (8). However, currently the example passes
+verification.
+
+First, the execution path 1-10 is examined by verifier.
+Suppose that a new checkpoint is created by is_state_visited() at (6).
+After checkpoint creation:
+- r1.parent points to checkpoint.r1,
+- fp[-8].parent points to checkpoint.fp[-8].
+At (6) the r1.live is set to REG_LIVE_WRITTEN.
+At (7) the fp[-8].parent is set to r1.parent and fp[-8].live is set to
+REG_LIVE_WRITTEN, because of the following code called in
+check_stack_write_fixed_off():
+
+static void save_register_state(struct bpf_func_state *state,
+ int spi, struct bpf_reg_state *reg,
+ int size)
+{
+ ...
+ state->stack[spi].spilled_ptr = *reg; // <--- parent & live copied
+ if (size == BPF_REG_SIZE)
+ state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
+ ...
+}
+
+Note the intent to mark stack spill as written only if 8 bytes are
+spilled to a slot, however this intent is spoiled by a 'live' field copy.
+At (8) the checkpoint.fp[-8] should be marked as REG_LIVE_READ but
+this does not happen:
+- fp[-8] in a current state is already marked as REG_LIVE_WRITTEN;
+- fp[-8].parent points to checkpoint.r1, parentage chain is used by
+ mark_reg_read() to mark checkpoint states.
+At (10) the verification is finished for path 1-10 and jump 4-6 is
+examined. The checkpoint.fp[-8] never gets REG_LIVE_READ mark and this
+spill is pruned from the cached states by clean_live_states(). Hence
+verifier state obtained via path 1-4,6 is deemed identical to one
+obtained via path 1-6 and program marked as safe.
+
+Note: the example should be executed with BPF_F_TEST_STATE_FREQ flag
+set to force creation of intermediate verifier states.
+
+This commit revisits the locations where bpf_reg_state instances are
+copied and replaces the direct copies with a call to a function
+copy_register_state(dst, src) that preserves 'parent' and 'live'
+fields of the 'dst'.
+
+Fixes: 679c782de14b ("bpf/verifier: per-register parent pointers")
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20230106142214.1040390-2-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index e06b84c7b890..7b461a70a0e6 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2278,13 +2278,24 @@ static bool __is_pointer_value(bool allow_ptr_leaks,
+ return reg->type != SCALAR_VALUE;
+ }
+
++/* Copy src state preserving dst->parent and dst->live fields */
++static void copy_register_state(struct bpf_reg_state *dst, const struct bpf_reg_state *src)
++{
++ struct bpf_reg_state *parent = dst->parent;
++ enum bpf_reg_liveness live = dst->live;
++
++ *dst = *src;
++ dst->parent = parent;
++ dst->live = live;
++}
++
+ static void save_register_state(struct bpf_func_state *state,
+ int spi, struct bpf_reg_state *reg,
+ int size)
+ {
+ int i;
+
+- state->stack[spi].spilled_ptr = *reg;
++ copy_register_state(&state->stack[spi].spilled_ptr, reg);
+ if (size == BPF_REG_SIZE)
+ state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
+
+@@ -2612,7 +2623,7 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
+ */
+ s32 subreg_def = state->regs[dst_regno].subreg_def;
+
+- state->regs[dst_regno] = *reg;
++ copy_register_state(&state->regs[dst_regno], reg);
+ state->regs[dst_regno].subreg_def = subreg_def;
+ } else {
+ for (i = 0; i < size; i++) {
+@@ -2639,7 +2650,7 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
+
+ if (dst_regno >= 0) {
+ /* restore register state from stack */
+- state->regs[dst_regno] = *reg;
++ copy_register_state(&state->regs[dst_regno], reg);
+ /* mark reg as written since spilled pointer state likely
+ * has its liveness marks cleared by is_state_visited()
+ * which resets stack/reg liveness for state transitions
+@@ -5900,7 +5911,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
+ */
+ if (!ptr_is_dst_reg) {
+ tmp = *dst_reg;
+- *dst_reg = *ptr_reg;
++ copy_register_state(dst_reg, ptr_reg);
+ }
+ ret = sanitize_speculative_path(env, NULL, env->insn_idx + 1,
+ env->insn_idx);
+@@ -7154,7 +7165,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
+ * to propagate min/max range.
+ */
+ src_reg->id = ++env->id_gen;
+- *dst_reg = *src_reg;
++ copy_register_state(dst_reg, src_reg);
+ dst_reg->live |= REG_LIVE_WRITTEN;
+ dst_reg->subreg_def = DEF_NOT_SUBREG;
+ } else {
+@@ -7165,7 +7176,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
+ insn->src_reg);
+ return -EACCES;
+ } else if (src_reg->type == SCALAR_VALUE) {
+- *dst_reg = *src_reg;
++ copy_register_state(dst_reg, src_reg);
+ /* Make sure ID is cleared otherwise
+ * dst_reg min/max could be incorrectly
+ * propagated into src_reg by find_equal_scalars()
+@@ -7985,7 +7996,7 @@ static void find_equal_scalars(struct bpf_verifier_state *vstate,
+
+ bpf_for_each_reg_in_vstate(vstate, state, reg, ({
+ if (reg->type == SCALAR_VALUE && reg->id == known_reg->id)
+- *reg = *known_reg;
++ copy_register_state(reg, known_reg);
+ }));
+ }
+
+--
+2.39.0
+
--- /dev/null
+From 15518bb104e16e2efefa52e404602b5d5fbfd0fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Jan 2023 13:41:44 +0100
+Subject: bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener
+
+From: Jakub Sitnicki <jakub@cloudflare.com>
+
+[ Upstream commit ddce1e091757d0259107c6c0c7262df201de2b66 ]
+
+A listening socket linked to a sockmap has its sk_prot overridden. It
+points to one of the struct proto variants in tcp_bpf_prots. The variant
+depends on the socket's family and which sockmap programs are attached.
+
+A child socket cloned from a TCP listener initially inherits their sk_prot.
+But before cloning is finished, we restore the child's proto to the
+listener's original non-tcp_bpf_prots one. This happens in
+tcp_create_openreq_child -> tcp_bpf_clone.
+
+Today, in tcp_bpf_clone we detect if the child's proto should be restored
+by checking only for the TCP_BPF_BASE proto variant. This is not
+correct. The sk_prot of listening socket linked to a sockmap can point to
+to any variant in tcp_bpf_prots.
+
+If the listeners sk_prot happens to be not the TCP_BPF_BASE variant, then
+the child socket unintentionally is left if the inherited sk_prot by
+tcp_bpf_clone.
+
+This leads to issues like infinite recursion on close [1], because the
+child state is otherwise not set up for use with tcp_bpf_prot operations.
+
+Adjust the check in tcp_bpf_clone to detect all of tcp_bpf_prots variants.
+
+Note that it wouldn't be sufficient to check the socket state when
+overriding the sk_prot in tcp_bpf_update_proto in order to always use the
+TCP_BPF_BASE variant for listening sockets. Since commit
+b8b8315e39ff ("bpf, sockmap: Remove unhash handler for BPF sockmap usage")
+it is possible for a socket to transition to TCP_LISTEN state while already
+linked to a sockmap, e.g. connect() -> insert into map ->
+connect(AF_UNSPEC) -> listen().
+
+[1]: https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/
+
+Fixes: e80251555f0b ("tcp_bpf: Don't let child socket inherit parent protocol ops on copy")
+Reported-by: syzbot+04c21ed96d861dccc5cd@syzkaller.appspotmail.com
+Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20230113-sockmap-fix-v2-2-1e0ee7ac2f90@cloudflare.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/util_macros.h | 12 ++++++++++++
+ net/ipv4/tcp_bpf.c | 4 ++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/util_macros.h b/include/linux/util_macros.h
+index 72299f261b25..43db6e47503c 100644
+--- a/include/linux/util_macros.h
++++ b/include/linux/util_macros.h
+@@ -38,4 +38,16 @@
+ */
+ #define find_closest_descending(x, a, as) __find_closest(x, a, as, >=)
+
++/**
++ * is_insidevar - check if the @ptr points inside the @var memory range.
++ * @ptr: the pointer to a memory address.
++ * @var: the variable which address and size identify the memory range.
++ *
++ * Evaluates to true if the address in @ptr lies within the memory
++ * range allocated to @var.
++ */
++#define is_insidevar(ptr, var) \
++ ((uintptr_t)(ptr) >= (uintptr_t)(var) && \
++ (uintptr_t)(ptr) < (uintptr_t)(var) + sizeof(var))
++
+ #endif
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index 6a1685461f89..926e29e84b40 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -6,6 +6,7 @@
+ #include <linux/bpf.h>
+ #include <linux/init.h>
+ #include <linux/wait.h>
++#include <linux/util_macros.h>
+
+ #include <net/inet_common.h>
+ #include <net/tls.h>
+@@ -642,10 +643,9 @@ struct proto *tcp_bpf_get_proto(struct sock *sk, struct sk_psock *psock)
+ */
+ void tcp_bpf_clone(const struct sock *sk, struct sock *newsk)
+ {
+- int family = sk->sk_family == AF_INET6 ? TCP_BPF_IPV6 : TCP_BPF_IPV4;
+ struct proto *prot = newsk->sk_prot;
+
+- if (prot == &tcp_bpf_prots[family][TCP_BPF_BASE])
++ if (is_insidevar(prot, tcp_bpf_prots))
+ newsk->sk_prot = sk->sk_prot_creator;
+ }
+ #endif /* CONFIG_BPF_STREAM_PARSER */
+--
+2.39.0
+
--- /dev/null
+From a5aa8d471997b45bebc8e3ba04bab0d0b2294535 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Sep 2021 17:49:41 -0700
+Subject: bpf: Support <8-byte scalar spill and refill
+
+From: Martin KaFai Lau <kafai@fb.com>
+
+[ Upstream commit 354e8f1970f821d4952458f77b1ab6c3eb24d530 ]
+
+The verifier currently does not save the reg state when
+spilling <8byte bounded scalar to the stack. The bpf program
+will be incorrectly rejected when this scalar is refilled to
+the reg and then used to offset into a packet header.
+The later patch has a simplified bpf prog from a real use case
+to demonstrate this case. The current work around is
+to reparse the packet again such that this offset scalar
+is close to where the packet data will be accessed to
+avoid the spill. Thus, the header is parsed twice.
+
+The llvm patch [1] will align the <8bytes spill to
+the 8-byte stack address. This can simplify the verifier
+support by avoiding to store multiple reg states for
+each 8 byte stack slot.
+
+This patch changes the verifier to save the reg state when
+spilling <8bytes scalar to the stack. This reg state saving
+is limited to spill aligned to the 8-byte stack address.
+The current refill logic has already called coerce_reg_to_size(),
+so coerce_reg_to_size() is not called on state->stack[spi].spilled_ptr
+during spill.
+
+When refilling in check_stack_read_fixed_off(), it checks
+the refill size is the same as the number of bytes marked with
+STACK_SPILL before restoring the reg state. When restoring
+the reg state to state->regs[dst_regno], it needs
+to avoid the state->regs[dst_regno].subreg_def being
+over written because it has been marked by the check_reg_arg()
+earlier [check_mem_access() is called after check_reg_arg() in
+do_check()]. Reordering check_mem_access() and check_reg_arg()
+will need a lot of changes in test_verifier's tests because
+of the difference in verifier's error message. Thus, the
+patch here is to save the state->regs[dst_regno].subreg_def
+first in check_stack_read_fixed_off().
+
+There are cases that the verifier needs to scrub the spilled slot
+from STACK_SPILL to STACK_MISC. After this patch the spill is not always
+in 8 bytes now, so it can no longer assume the other 7 bytes are always
+marked as STACK_SPILL. In particular, the scrub needs to avoid marking
+an uninitialized byte from STACK_INVALID to STACK_MISC. Otherwise, the
+verifier will incorrectly accept bpf program reading uninitialized bytes
+from the stack. A new helper scrub_spilled_slot() is created for this
+purpose.
+
+[1]: https://reviews.llvm.org/D109073
+
+Signed-off-by: Martin KaFai Lau <kafai@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20210922004941.625398-1-kafai@fb.com
+Stable-dep-of: 71f656a50176 ("bpf: Fix to preserve reg parent/live fields when copying range info")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 67 +++++++++++++++++++++++++++++++++----------
+ 1 file changed, 52 insertions(+), 15 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index a6c931fed39b..e06b84c7b890 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -570,6 +570,12 @@ static bool is_spilled_reg(const struct bpf_stack_state *stack)
+ return stack->slot_type[BPF_REG_SIZE - 1] == STACK_SPILL;
+ }
+
++static void scrub_spilled_slot(u8 *stype)
++{
++ if (*stype != STACK_INVALID)
++ *stype = STACK_MISC;
++}
++
+ static void print_verifier_state(struct bpf_verifier_env *env,
+ const struct bpf_func_state *state)
+ {
+@@ -2273,15 +2279,21 @@ static bool __is_pointer_value(bool allow_ptr_leaks,
+ }
+
+ static void save_register_state(struct bpf_func_state *state,
+- int spi, struct bpf_reg_state *reg)
++ int spi, struct bpf_reg_state *reg,
++ int size)
+ {
+ int i;
+
+ state->stack[spi].spilled_ptr = *reg;
+- state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
++ if (size == BPF_REG_SIZE)
++ state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
+
+- for (i = 0; i < BPF_REG_SIZE; i++)
+- state->stack[spi].slot_type[i] = STACK_SPILL;
++ for (i = BPF_REG_SIZE; i > BPF_REG_SIZE - size; i--)
++ state->stack[spi].slot_type[i - 1] = STACK_SPILL;
++
++ /* size < 8 bytes spill */
++ for (; i; i--)
++ scrub_spilled_slot(&state->stack[spi].slot_type[i - 1]);
+ }
+
+ /* check_stack_{read,write}_fixed_off functions track spill/fill of registers,
+@@ -2331,7 +2343,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
+ env->insn_aux_data[insn_idx].sanitize_stack_spill = true;
+ }
+
+- if (reg && size == BPF_REG_SIZE && register_is_bounded(reg) &&
++ if (reg && !(off % BPF_REG_SIZE) && register_is_bounded(reg) &&
+ !register_is_null(reg) && env->bpf_capable) {
+ if (dst_reg != BPF_REG_FP) {
+ /* The backtracking logic can only recognize explicit
+@@ -2344,7 +2356,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
+ if (err)
+ return err;
+ }
+- save_register_state(state, spi, reg);
++ save_register_state(state, spi, reg, size);
+ } else if (reg && is_spillable_regtype(reg->type)) {
+ /* register containing pointer is being spilled into stack */
+ if (size != BPF_REG_SIZE) {
+@@ -2356,7 +2368,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
+ verbose(env, "cannot spill pointers to stack into stack frame of the caller\n");
+ return -EINVAL;
+ }
+- save_register_state(state, spi, reg);
++ save_register_state(state, spi, reg, size);
+ } else {
+ u8 type = STACK_MISC;
+
+@@ -2365,7 +2377,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
+ /* Mark slots as STACK_MISC if they belonged to spilled ptr. */
+ if (is_spilled_reg(&state->stack[spi]))
+ for (i = 0; i < BPF_REG_SIZE; i++)
+- state->stack[spi].slot_type[i] = STACK_MISC;
++ scrub_spilled_slot(&state->stack[spi].slot_type[i]);
+
+ /* only mark the slot as written if all 8 bytes were written
+ * otherwise read propagation may incorrectly stop too soon
+@@ -2572,23 +2584,50 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
+ struct bpf_func_state *state = vstate->frame[vstate->curframe];
+ int i, slot = -off - 1, spi = slot / BPF_REG_SIZE;
+ struct bpf_reg_state *reg;
+- u8 *stype;
++ u8 *stype, type;
+
+ stype = reg_state->stack[spi].slot_type;
+ reg = ®_state->stack[spi].spilled_ptr;
+
+ if (is_spilled_reg(®_state->stack[spi])) {
+ if (size != BPF_REG_SIZE) {
++ u8 scalar_size = 0;
++
+ if (reg->type != SCALAR_VALUE) {
+ verbose_linfo(env, env->insn_idx, "; ");
+ verbose(env, "invalid size of register fill\n");
+ return -EACCES;
+ }
+- if (dst_regno >= 0) {
++
++ mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);
++ if (dst_regno < 0)
++ return 0;
++
++ for (i = BPF_REG_SIZE; i > 0 && stype[i - 1] == STACK_SPILL; i--)
++ scalar_size++;
++
++ if (!(off % BPF_REG_SIZE) && size == scalar_size) {
++ /* The earlier check_reg_arg() has decided the
++ * subreg_def for this insn. Save it first.
++ */
++ s32 subreg_def = state->regs[dst_regno].subreg_def;
++
++ state->regs[dst_regno] = *reg;
++ state->regs[dst_regno].subreg_def = subreg_def;
++ } else {
++ for (i = 0; i < size; i++) {
++ type = stype[(slot - i) % BPF_REG_SIZE];
++ if (type == STACK_SPILL)
++ continue;
++ if (type == STACK_MISC)
++ continue;
++ verbose(env, "invalid read from stack off %d+%d size %d\n",
++ off, i, size);
++ return -EACCES;
++ }
+ mark_reg_unknown(env, state->regs, dst_regno);
+- state->regs[dst_regno].live |= REG_LIVE_WRITTEN;
+ }
+- mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);
++ state->regs[dst_regno].live |= REG_LIVE_WRITTEN;
+ return 0;
+ }
+ for (i = 1; i < BPF_REG_SIZE; i++) {
+@@ -2619,8 +2658,6 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
+ }
+ mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);
+ } else {
+- u8 type;
+-
+ for (i = 0; i < size; i++) {
+ type = stype[(slot - i) % BPF_REG_SIZE];
+ if (type == STACK_MISC)
+@@ -4106,7 +4143,7 @@ static int check_stack_range_initialized(
+ if (clobber) {
+ __mark_reg_unknown(env, &state->stack[spi].spilled_ptr);
+ for (j = 0; j < BPF_REG_SIZE; j++)
+- state->stack[spi].slot_type[j] = STACK_MISC;
++ scrub_spilled_slot(&state->stack[spi].slot_type[j]);
+ }
+ goto mark;
+ }
+--
+2.39.0
+
--- /dev/null
+From ad954fdfb62b7541a93ce1a12da025a8f698d8a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Nov 2022 09:42:00 +0000
+Subject: bus: sunxi-rsb: Fix error handling in sunxi_rsb_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+[ Upstream commit f71eaf2708be7831428eacae7db25d8ec6b8b4c5 ]
+
+The sunxi_rsb_init() returns the platform_driver_register() directly
+without checking its return value, if platform_driver_register() failed,
+the sunxi_rsb_bus is not unregistered.
+Fix by unregister sunxi_rsb_bus when platform_driver_register() failed.
+
+Fixes: d787dcdb9c8f ("bus: sunxi-rsb: Add driver for Allwinner Reduced Serial Bus")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Link: https://lore.kernel.org/r/20221123094200.12036-1-yuancan@huawei.com
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/sunxi-rsb.c | 8 +++++++-
+ sound/soc/intel/boards/bytcr_rt5651.c | 2 +-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c
+index f8c29b888e6b..98cbb18f17fa 100644
+--- a/drivers/bus/sunxi-rsb.c
++++ b/drivers/bus/sunxi-rsb.c
+@@ -781,7 +781,13 @@ static int __init sunxi_rsb_init(void)
+ return ret;
+ }
+
+- return platform_driver_register(&sunxi_rsb_driver);
++ ret = platform_driver_register(&sunxi_rsb_driver);
++ if (ret) {
++ bus_unregister(&sunxi_rsb_bus);
++ return ret;
++ }
++
++ return 0;
+ }
+ module_init(sunxi_rsb_init);
+
+diff --git a/sound/soc/intel/boards/bytcr_rt5651.c b/sound/soc/intel/boards/bytcr_rt5651.c
+index bf8b87d45cb0..2c76f0abeeca 100644
+--- a/sound/soc/intel/boards/bytcr_rt5651.c
++++ b/sound/soc/intel/boards/bytcr_rt5651.c
+@@ -918,7 +918,6 @@ static int snd_byt_rt5651_mc_probe(struct platform_device *pdev)
+ if (adev) {
+ snprintf(byt_rt5651_codec_name, sizeof(byt_rt5651_codec_name),
+ "i2c-%s", acpi_dev_name(adev));
+- put_device(&adev->dev);
+ byt_rt5651_dais[dai_index].codecs->name = byt_rt5651_codec_name;
+ } else {
+ dev_err(&pdev->dev, "Error cannot find '%s' dev\n", mach->id);
+@@ -927,6 +926,7 @@ static int snd_byt_rt5651_mc_probe(struct platform_device *pdev)
+
+ codec_dev = bus_find_device_by_name(&i2c_bus_type, NULL,
+ byt_rt5651_codec_name);
++ acpi_dev_put(adev);
+ if (!codec_dev)
+ return -EPROBE_DEFER;
+
+--
+2.39.0
+
--- /dev/null
+From 18f1a0c51ab31aafabb1dd7384d3a76e97631648 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 17:42:00 +0800
+Subject: can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit d0553680f94c49bbe0e39eb50d033ba563b4212d ]
+
+The conclusion "j1939_session_deactivate() should be called with a
+session ref-count of at least 2" is incorrect. In some concurrent
+scenarios, j1939_session_deactivate can be called with the session
+ref-count less than 2. But there is not any problem because it
+will check the session active state before session putting in
+j1939_session_deactivate_locked().
+
+Here is the concurrent scenario of the problem reported by syzbot
+and my reproduction log.
+
+ cpu0 cpu1
+ j1939_xtp_rx_eoma
+j1939_xtp_rx_abort_one
+ j1939_session_get_by_addr [kref == 2]
+j1939_session_get_by_addr [kref == 3]
+j1939_session_deactivate [kref == 2]
+j1939_session_put [kref == 1]
+ j1939_session_completed
+ j1939_session_deactivate
+ WARN_ON_ONCE(kref < 2)
+
+=====================================================
+WARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate+0x5f/0x70
+CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.14.0-rc7+ #32
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
+RIP: 0010:j1939_session_deactivate+0x5f/0x70
+Call Trace:
+ j1939_session_deactivate_activate_next+0x11/0x28
+ j1939_xtp_rx_eoma+0x12a/0x180
+ j1939_tp_recv+0x4a2/0x510
+ j1939_can_recv+0x226/0x380
+ can_rcv_filter+0xf8/0x220
+ can_receive+0x102/0x220
+ ? process_backlog+0xf0/0x2c0
+ can_rcv+0x53/0xf0
+ __netif_receive_skb_one_core+0x67/0x90
+ ? process_backlog+0x97/0x2c0
+ __netif_receive_skb+0x22/0x80
+
+Fixes: 0c71437dd50d ("can: j1939: j1939_session_deactivate(): clarify lifetime of session object")
+Reported-by: syzbot+9981a614060dcee6eeca@syzkaller.appspotmail.com
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/all/20210906094200.95868-1-william.xuanziyang@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/transport.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
+index 78f6a9110699..57d6aac7f435 100644
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1087,10 +1087,6 @@ static bool j1939_session_deactivate(struct j1939_session *session)
+ bool active;
+
+ j1939_session_list_lock(priv);
+- /* This function should be called with a session ref-count of at
+- * least 2.
+- */
+- WARN_ON_ONCE(kref_read(&session->kref) < 2);
+ active = j1939_session_deactivate_locked(session);
+ j1939_session_list_unlock(priv);
+
+--
+2.39.0
+
--- /dev/null
+From 31542afd87005792423487c73e558756b261e858 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jan 2023 10:02:19 +0100
+Subject: drm/vc4: hdmi: make CEC adapter name unique
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 51128c3f2a7c98055ea1d27e34910dc10977f618 ]
+
+The bcm2711 has two HDMI outputs, each with their own CEC adapter.
+The CEC adapter name has to be unique, but it is currently
+hardcoded to "vc4" for both outputs. Change this to use the card_name
+from the variant information in order to make the adapter name unique.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Fixes: 15b4511a4af6 ("drm/vc4: add HDMI CEC support")
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/dcf1db75-d9cc-62cc-fa12-baf1b2b3bf31@xs4all.nl
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index 08175c3dd374..539ebf85fd7c 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -1491,7 +1491,8 @@ static int vc4_hdmi_cec_init(struct vc4_hdmi *vc4_hdmi)
+ return 0;
+
+ vc4_hdmi->cec_adap = cec_allocate_adapter(&vc4_hdmi_cec_adap_ops,
+- vc4_hdmi, "vc4",
++ vc4_hdmi,
++ vc4_hdmi->variant->card_name,
+ CEC_CAP_DEFAULTS |
+ CEC_CAP_CONNECTOR_INFO, 1);
+ ret = PTR_ERR_OR_ZERO(vc4_hdmi->cec_adap);
+--
+2.39.0
+
--- /dev/null
+From 4f98fa3b85a2debdd8cb2f3bc17a03311abdaef9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Feb 2023 16:22:13 +0300
+Subject: efi: fix potential NULL deref in efi_mem_reserve_persistent
+
+From: Anton Gusev <aagusev@ispras.ru>
+
+[ Upstream commit 966d47e1f27c45507c5df82b2a2157e5a4fd3909 ]
+
+When iterating on a linked list, a result of memremap is dereferenced
+without checking it for NULL.
+
+This patch adds a check that falls back on allocating a new page in
+case memremap doesn't succeed.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 18df7577adae ("efi/memreserve: deal with memreserve entries in unmapped memory")
+Signed-off-by: Anton Gusev <aagusev@ispras.ru>
+[ardb: return -ENOMEM instead of breaking out of the loop]
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/efi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
+index a2765d668856..332739f3eded 100644
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -950,6 +950,8 @@ int __ref efi_mem_reserve_persistent(phys_addr_t addr, u64 size)
+ /* first try to find a slot in an existing linked list entry */
+ for (prsv = efi_memreserve_root->next; prsv; ) {
+ rsv = memremap(prsv, sizeof(*rsv), MEMREMAP_WB);
++ if (!rsv)
++ return -ENOMEM;
+ index = atomic_fetch_add_unless(&rsv->count, 1, rsv->size);
+ if (index < rsv->size) {
+ rsv->entry[index].base = addr;
+--
+2.39.0
+
--- /dev/null
+From 293ddde34e695bc7da714ea01b71ff7e36703959 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 19:16:56 -0400
+Subject: fix "direction" argument of iov_iter_kvec()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit fc02f33787d8dd227b54f263eba983d5b249c032 ]
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/pvcalls-back.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/xen/pvcalls-back.c b/drivers/xen/pvcalls-back.c
+index a7d293fa8d14..3b5a8e2c4d47 100644
+--- a/drivers/xen/pvcalls-back.c
++++ b/drivers/xen/pvcalls-back.c
+@@ -129,13 +129,13 @@ static bool pvcalls_conn_back_read(void *opaque)
+ if (masked_prod < masked_cons) {
+ vec[0].iov_base = data->in + masked_prod;
+ vec[0].iov_len = wanted;
+- iov_iter_kvec(&msg.msg_iter, WRITE, vec, 1, wanted);
++ iov_iter_kvec(&msg.msg_iter, READ, vec, 1, wanted);
+ } else {
+ vec[0].iov_base = data->in + masked_prod;
+ vec[0].iov_len = array_size - masked_prod;
+ vec[1].iov_base = data->in;
+ vec[1].iov_len = wanted - vec[0].iov_len;
+- iov_iter_kvec(&msg.msg_iter, WRITE, vec, 2, wanted);
++ iov_iter_kvec(&msg.msg_iter, READ, vec, 2, wanted);
+ }
+
+ atomic_set(&map->read, 0);
+@@ -188,13 +188,13 @@ static bool pvcalls_conn_back_write(struct sock_mapping *map)
+ if (pvcalls_mask(prod, array_size) > pvcalls_mask(cons, array_size)) {
+ vec[0].iov_base = data->out + pvcalls_mask(cons, array_size);
+ vec[0].iov_len = size;
+- iov_iter_kvec(&msg.msg_iter, READ, vec, 1, size);
++ iov_iter_kvec(&msg.msg_iter, WRITE, vec, 1, size);
+ } else {
+ vec[0].iov_base = data->out + pvcalls_mask(cons, array_size);
+ vec[0].iov_len = array_size - pvcalls_mask(cons, array_size);
+ vec[1].iov_base = data->out;
+ vec[1].iov_len = size - vec[0].iov_len;
+- iov_iter_kvec(&msg.msg_iter, READ, vec, 2, size);
++ iov_iter_kvec(&msg.msg_iter, WRITE, vec, 2, size);
+ }
+
+ atomic_set(&map->write, 0);
+--
+2.39.0
+
--- /dev/null
+From 4ea2370cebfa2176ea7d674961e89b4e49d6980a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 19:04:18 -0400
+Subject: fix iov_iter_bvec() "direction" argument
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit b676668d99155e6859d99bbf2df18b3f03851902 ]
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_file.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/target/target_core_file.c b/drivers/target/target_core_file.c
+index 7143d03f0e02..18fbbe510d01 100644
+--- a/drivers/target/target_core_file.c
++++ b/drivers/target/target_core_file.c
+@@ -340,7 +340,7 @@ static int fd_do_rw(struct se_cmd *cmd, struct file *fd,
+ len += sg->length;
+ }
+
+- iov_iter_bvec(&iter, READ, bvec, sgl_nents, len);
++ iov_iter_bvec(&iter, is_write, bvec, sgl_nents, len);
+ if (is_write)
+ ret = vfs_iter_write(fd, &iter, &pos, 0);
+ else
+@@ -477,7 +477,7 @@ fd_execute_write_same(struct se_cmd *cmd)
+ len += se_dev->dev_attrib.block_size;
+ }
+
+- iov_iter_bvec(&iter, READ, bvec, nolb, len);
++ iov_iter_bvec(&iter, WRITE, bvec, nolb, len);
+ ret = vfs_iter_write(fd_dev->fd_file, &iter, &pos, 0);
+
+ kfree(bvec);
+--
+2.39.0
+
--- /dev/null
+From af3b057c32b98cea4de3a5d34ec5f3c8677221df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Jan 2023 13:32:29 +0100
+Subject: i2c: mxs: suppress probe-deferral error message
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit 78a4471fa1a76a8bef4919105de67660a89a1e9b ]
+
+During boot of I2SE Duckbill the kernel log contains a
+confusing error:
+
+ Failed to request dma
+
+This is caused by i2c-mxs tries to request a not yet available DMA
+channel (-EPROBE_DEFER). So suppress this message by using
+dev_err_probe().
+
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-mxs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-mxs.c b/drivers/i2c/busses/i2c-mxs.c
+index c4b08a924461..abad24808e85 100644
+--- a/drivers/i2c/busses/i2c-mxs.c
++++ b/drivers/i2c/busses/i2c-mxs.c
+@@ -842,8 +842,8 @@ static int mxs_i2c_probe(struct platform_device *pdev)
+ /* Setup the DMA */
+ i2c->dmach = dma_request_chan(dev, "rx-tx");
+ if (IS_ERR(i2c->dmach)) {
+- dev_err(dev, "Failed to request dma\n");
+- return PTR_ERR(i2c->dmach);
++ return dev_err_probe(dev, PTR_ERR(i2c->dmach),
++ "Failed to request dma\n");
+ }
+
+ platform_set_drvdata(pdev, i2c);
+--
+2.39.0
+
--- /dev/null
+From 62f5e47c984a3e2c2446c63dda1709079284b7cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jan 2023 22:38:05 -0800
+Subject: i2c: rk3x: fix a bunch of kernel-doc warnings
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 0582d984793d30442da88fe458674502bad1ad29 ]
+
+Fix multiple W=1 kernel-doc warnings in i2c-rk3x.c:
+
+drivers/i2c/busses/i2c-rk3x.c:83: warning: missing initial short description on line:
+ * struct i2c_spec_values:
+drivers/i2c/busses/i2c-rk3x.c:139: warning: missing initial short description on line:
+ * struct rk3x_i2c_calced_timings:
+drivers/i2c/busses/i2c-rk3x.c:162: warning: missing initial short description on line:
+ * struct rk3x_i2c_soc_data:
+drivers/i2c/busses/i2c-rk3x.c:242: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst
+ * Generate a START condition, which triggers a REG_INT_START interrupt.
+drivers/i2c/busses/i2c-rk3x.c:261: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst
+ * Generate a STOP condition, which triggers a REG_INT_STOP interrupt.
+drivers/i2c/busses/i2c-rk3x.c:304: warning: expecting prototype for Setup a read according to i2c(). Prototype was for rk3x_i2c_prepare_read() instead
+drivers/i2c/busses/i2c-rk3x.c:335: warning: expecting prototype for Fill the transmit buffer with data from i2c(). Prototype was for rk3x_i2c_fill_transmit_buf() instead
+drivers/i2c/busses/i2c-rk3x.c:535: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst
+ * Get timing values of I2C specification
+drivers/i2c/busses/i2c-rk3x.c:552: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst
+ * Calculate divider values for desired SCL frequency
+drivers/i2c/busses/i2c-rk3x.c:713: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst
+ * Calculate timing values for desired SCL frequency
+drivers/i2c/busses/i2c-rk3x.c:963: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst
+ * Setup I2C registers for an I2C operation specified by msgs, num.
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-rk3x.c | 44 +++++++++++++++++------------------
+ 1 file changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-rk3x.c b/drivers/i2c/busses/i2c-rk3x.c
+index 02ddb237f69a..13c14eb175e9 100644
+--- a/drivers/i2c/busses/i2c-rk3x.c
++++ b/drivers/i2c/busses/i2c-rk3x.c
+@@ -80,7 +80,7 @@ enum {
+ #define DEFAULT_SCL_RATE (100 * 1000) /* Hz */
+
+ /**
+- * struct i2c_spec_values:
++ * struct i2c_spec_values - I2C specification values for various modes
+ * @min_hold_start_ns: min hold time (repeated) START condition
+ * @min_low_ns: min LOW period of the SCL clock
+ * @min_high_ns: min HIGH period of the SCL cloc
+@@ -136,7 +136,7 @@ static const struct i2c_spec_values fast_mode_plus_spec = {
+ };
+
+ /**
+- * struct rk3x_i2c_calced_timings:
++ * struct rk3x_i2c_calced_timings - calculated V1 timings
+ * @div_low: Divider output for low
+ * @div_high: Divider output for high
+ * @tuning: Used to adjust setup/hold data time,
+@@ -159,7 +159,7 @@ enum rk3x_i2c_state {
+ };
+
+ /**
+- * struct rk3x_i2c_soc_data:
++ * struct rk3x_i2c_soc_data - SOC-specific data
+ * @grf_offset: offset inside the grf regmap for setting the i2c type
+ * @calc_timings: Callback function for i2c timing information calculated
+ */
+@@ -239,7 +239,8 @@ static inline void rk3x_i2c_clean_ipd(struct rk3x_i2c *i2c)
+ }
+
+ /**
+- * Generate a START condition, which triggers a REG_INT_START interrupt.
++ * rk3x_i2c_start - Generate a START condition, which triggers a REG_INT_START interrupt.
++ * @i2c: target controller data
+ */
+ static void rk3x_i2c_start(struct rk3x_i2c *i2c)
+ {
+@@ -258,8 +259,8 @@ static void rk3x_i2c_start(struct rk3x_i2c *i2c)
+ }
+
+ /**
+- * Generate a STOP condition, which triggers a REG_INT_STOP interrupt.
+- *
++ * rk3x_i2c_stop - Generate a STOP condition, which triggers a REG_INT_STOP interrupt.
++ * @i2c: target controller data
+ * @error: Error code to return in rk3x_i2c_xfer
+ */
+ static void rk3x_i2c_stop(struct rk3x_i2c *i2c, int error)
+@@ -298,7 +299,8 @@ static void rk3x_i2c_stop(struct rk3x_i2c *i2c, int error)
+ }
+
+ /**
+- * Setup a read according to i2c->msg
++ * rk3x_i2c_prepare_read - Setup a read according to i2c->msg
++ * @i2c: target controller data
+ */
+ static void rk3x_i2c_prepare_read(struct rk3x_i2c *i2c)
+ {
+@@ -329,7 +331,8 @@ static void rk3x_i2c_prepare_read(struct rk3x_i2c *i2c)
+ }
+
+ /**
+- * Fill the transmit buffer with data from i2c->msg
++ * rk3x_i2c_fill_transmit_buf - Fill the transmit buffer with data from i2c->msg
++ * @i2c: target controller data
+ */
+ static void rk3x_i2c_fill_transmit_buf(struct rk3x_i2c *i2c)
+ {
+@@ -532,11 +535,10 @@ static irqreturn_t rk3x_i2c_irq(int irqno, void *dev_id)
+ }
+
+ /**
+- * Get timing values of I2C specification
+- *
++ * rk3x_i2c_get_spec - Get timing values of I2C specification
+ * @speed: Desired SCL frequency
+ *
+- * Returns: Matched i2c spec values.
++ * Return: Matched i2c_spec_values.
+ */
+ static const struct i2c_spec_values *rk3x_i2c_get_spec(unsigned int speed)
+ {
+@@ -549,13 +551,12 @@ static const struct i2c_spec_values *rk3x_i2c_get_spec(unsigned int speed)
+ }
+
+ /**
+- * Calculate divider values for desired SCL frequency
+- *
++ * rk3x_i2c_v0_calc_timings - Calculate divider values for desired SCL frequency
+ * @clk_rate: I2C input clock rate
+ * @t: Known I2C timing information
+ * @t_calc: Caculated rk3x private timings that would be written into regs
+ *
+- * Returns: 0 on success, -EINVAL if the goal SCL rate is too slow. In that case
++ * Return: %0 on success, -%EINVAL if the goal SCL rate is too slow. In that case
+ * a best-effort divider value is returned in divs. If the target rate is
+ * too high, we silently use the highest possible rate.
+ */
+@@ -710,13 +711,12 @@ static int rk3x_i2c_v0_calc_timings(unsigned long clk_rate,
+ }
+
+ /**
+- * Calculate timing values for desired SCL frequency
+- *
++ * rk3x_i2c_v1_calc_timings - Calculate timing values for desired SCL frequency
+ * @clk_rate: I2C input clock rate
+ * @t: Known I2C timing information
+ * @t_calc: Caculated rk3x private timings that would be written into regs
+ *
+- * Returns: 0 on success, -EINVAL if the goal SCL rate is too slow. In that case
++ * Return: %0 on success, -%EINVAL if the goal SCL rate is too slow. In that case
+ * a best-effort divider value is returned in divs. If the target rate is
+ * too high, we silently use the highest possible rate.
+ * The following formulas are v1's method to calculate timings.
+@@ -960,14 +960,14 @@ static int rk3x_i2c_clk_notifier_cb(struct notifier_block *nb, unsigned long
+ }
+
+ /**
+- * Setup I2C registers for an I2C operation specified by msgs, num.
+- *
+- * Must be called with i2c->lock held.
+- *
++ * rk3x_i2c_setup - Setup I2C registers for an I2C operation specified by msgs, num.
++ * @i2c: target controller data
+ * @msgs: I2C msgs to process
+ * @num: Number of msgs
+ *
+- * returns: Number of I2C msgs processed or negative in case of error
++ * Must be called with i2c->lock held.
++ *
++ * Return: Number of I2C msgs processed or negative in case of error
+ */
+ static int rk3x_i2c_setup(struct rk3x_i2c *i2c, struct i2c_msg *msgs, int num)
+ {
+--
+2.39.0
+
--- /dev/null
+From c2e3b54d7bdce944a508fc3b38657ae087b8cae7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Jan 2023 13:54:37 -0800
+Subject: igc: return an error if the mac type is unknown in
+ igc_ptp_systim_to_hwtstamp()
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit a2df8463e15c10a8a882090f3d7a760fdb7b189d ]
+
+clang static analysis reports
+drivers/net/ethernet/intel/igc/igc_ptp.c:673:3: warning: The left operand of
+ '+' is a garbage value [core.UndefinedBinaryOperatorResult]
+ ktime_add_ns(shhwtstamps.hwtstamp, adjust);
+ ^ ~~~~~~~~~~~~~~~~~~~~
+
+igc_ptp_systim_to_hwtstamp() silently returns without setting the hwtstamp
+if the mac type is unknown. This should be treated as an error.
+
+Fixes: 81b055205e8b ("igc: Add support for RX timestamping")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Acked-by: Sasha Neftin <sasha.neftin@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Link: https://lore.kernel.org/r/20230131215437.1528994-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_ptp.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
+index 4ab46eee3d93..ef53f7665b58 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
+@@ -134,10 +134,12 @@ static int igc_ptp_feature_enable_i225(struct ptp_clock_info *ptp,
+ *
+ * We need to convert the system time value stored in the RX/TXSTMP registers
+ * into a hwtstamp which can be used by the upper level timestamping functions.
++ *
++ * Returns 0 on success.
+ **/
+-static void igc_ptp_systim_to_hwtstamp(struct igc_adapter *adapter,
+- struct skb_shared_hwtstamps *hwtstamps,
+- u64 systim)
++static int igc_ptp_systim_to_hwtstamp(struct igc_adapter *adapter,
++ struct skb_shared_hwtstamps *hwtstamps,
++ u64 systim)
+ {
+ switch (adapter->hw.mac.type) {
+ case igc_i225:
+@@ -147,8 +149,9 @@ static void igc_ptp_systim_to_hwtstamp(struct igc_adapter *adapter,
+ systim & 0xFFFFFFFF);
+ break;
+ default:
+- break;
++ return -EINVAL;
+ }
++ return 0;
+ }
+
+ /**
+@@ -372,7 +375,8 @@ static void igc_ptp_tx_hwtstamp(struct igc_adapter *adapter)
+
+ regval = rd32(IGC_TXSTMPL);
+ regval |= (u64)rd32(IGC_TXSTMPH) << 32;
+- igc_ptp_systim_to_hwtstamp(adapter, &shhwtstamps, regval);
++ if (igc_ptp_systim_to_hwtstamp(adapter, &shhwtstamps, regval))
++ return;
+
+ switch (adapter->link_speed) {
+ case SPEED_10:
+--
+2.39.0
+
--- /dev/null
+From 18af22eaff3133f5efd772b65f15470928d992e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Feb 2023 00:02:18 +0300
+Subject: net: openvswitch: fix flow memory leak in ovs_flow_cmd_new
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 0c598aed445eb45b0ee7ba405f7ece99ee349c30 ]
+
+Syzkaller reports a memory leak of new_flow in ovs_flow_cmd_new() as it is
+not freed when an allocation of a key fails.
+
+BUG: memory leak
+unreferenced object 0xffff888116668000 (size 632):
+ comm "syz-executor231", pid 1090, jiffies 4294844701 (age 18.871s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000defa3494>] kmem_cache_zalloc include/linux/slab.h:654 [inline]
+ [<00000000defa3494>] ovs_flow_alloc+0x19/0x180 net/openvswitch/flow_table.c:77
+ [<00000000c67d8873>] ovs_flow_cmd_new+0x1de/0xd40 net/openvswitch/datapath.c:957
+ [<0000000010a539a8>] genl_family_rcv_msg_doit+0x22d/0x330 net/netlink/genetlink.c:739
+ [<00000000dff3302d>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
+ [<00000000dff3302d>] genl_rcv_msg+0x328/0x590 net/netlink/genetlink.c:800
+ [<000000000286dd87>] netlink_rcv_skb+0x153/0x430 net/netlink/af_netlink.c:2515
+ [<0000000061fed410>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
+ [<000000009dc0f111>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
+ [<000000009dc0f111>] netlink_unicast+0x545/0x7f0 net/netlink/af_netlink.c:1339
+ [<000000004a5ee816>] netlink_sendmsg+0x8e7/0xde0 net/netlink/af_netlink.c:1934
+ [<00000000482b476f>] sock_sendmsg_nosec net/socket.c:651 [inline]
+ [<00000000482b476f>] sock_sendmsg+0x152/0x190 net/socket.c:671
+ [<00000000698574ba>] ____sys_sendmsg+0x70a/0x870 net/socket.c:2356
+ [<00000000d28d9e11>] ___sys_sendmsg+0xf3/0x170 net/socket.c:2410
+ [<0000000083ba9120>] __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
+ [<00000000c00628f8>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
+ [<000000004abfdcf4>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
+
+To fix this the patch rearranges the goto labels to reflect the order of
+object allocations and adds appropriate goto statements on the error
+paths.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 68bb10101e6b ("openvswitch: Fix flow lookup to use unmasked key")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230201210218.361970-1-pchelkin@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/datapath.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
+index 435f7f1be614..b625ab5e9a43 100644
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -964,14 +964,14 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
+ key = kzalloc(sizeof(*key), GFP_KERNEL);
+ if (!key) {
+ error = -ENOMEM;
+- goto err_kfree_key;
++ goto err_kfree_flow;
+ }
+
+ ovs_match_init(&match, key, false, &mask);
+ error = ovs_nla_get_match(net, &match, a[OVS_FLOW_ATTR_KEY],
+ a[OVS_FLOW_ATTR_MASK], log);
+ if (error)
+- goto err_kfree_flow;
++ goto err_kfree_key;
+
+ ovs_flow_mask_key(&new_flow->key, key, true, &mask);
+
+@@ -979,14 +979,14 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
+ error = ovs_nla_get_identifier(&new_flow->id, a[OVS_FLOW_ATTR_UFID],
+ key, log);
+ if (error)
+- goto err_kfree_flow;
++ goto err_kfree_key;
+
+ /* Validate actions. */
+ error = ovs_nla_copy_actions(net, a[OVS_FLOW_ATTR_ACTIONS],
+ &new_flow->key, &acts, log);
+ if (error) {
+ OVS_NLERR(log, "Flow actions may not be safe on all matching packets.");
+- goto err_kfree_flow;
++ goto err_kfree_key;
+ }
+
+ reply = ovs_flow_cmd_alloc_info(acts, &new_flow->id, info, false,
+@@ -1086,10 +1086,10 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
+ kfree_skb(reply);
+ err_kfree_acts:
+ ovs_nla_free_flow_actions(acts);
+-err_kfree_flow:
+- ovs_flow_free(new_flow, false);
+ err_kfree_key:
+ kfree(key);
++err_kfree_flow:
++ ovs_flow_free(new_flow, false);
+ error:
+ return error;
+ }
+--
+2.39.0
+
--- /dev/null
+From f78b3286ca172f77812e5d6eaef99b4bb9b2d09a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jan 2023 19:23:26 +0100
+Subject: net: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices
+
+From: Andre Kalb <andre.kalb@sma.de>
+
+[ Upstream commit 422ae7d9c7221e8d4c8526d0f54106307d69d2dc ]
+
+The probe() function is only used for the DP83822 PHY, leaving the
+private data pointer uninitialized for the smaller DP83825/26 models.
+While all uses of the private data structure are hidden in 82822 specific
+callbacks, configuring the interrupt is shared across all models.
+This causes a NULL pointer dereference on the smaller PHYs as it accesses
+the private data unchecked. Verifying the pointer avoids that.
+
+Fixes: 5dc39fd5ef35 ("net: phy: DP83822: Add ability to advertise Fiber connection")
+Signed-off-by: Andre Kalb <andre.kalb@sma.de>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/Y9FzniUhUtbaGKU7@pc6682
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/dp83822.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/phy/dp83822.c b/drivers/net/phy/dp83822.c
+index db651649e0b8..81412999445d 100644
+--- a/drivers/net/phy/dp83822.c
++++ b/drivers/net/phy/dp83822.c
+@@ -247,7 +247,8 @@ static int dp83822_config_intr(struct phy_device *phydev)
+ DP83822_ENERGY_DET_INT_EN |
+ DP83822_LINK_QUAL_INT_EN);
+
+- if (!dp83822->fx_enabled)
++ /* Private data pointer is NULL on DP83825/26 */
++ if (!dp83822 || !dp83822->fx_enabled)
+ misr_status |= DP83822_ANEG_COMPLETE_INT_EN |
+ DP83822_DUP_MODE_CHANGE_INT_EN |
+ DP83822_SPEED_CHANGED_INT_EN;
+@@ -267,7 +268,8 @@ static int dp83822_config_intr(struct phy_device *phydev)
+ DP83822_PAGE_RX_INT_EN |
+ DP83822_EEE_ERROR_CHANGE_INT_EN);
+
+- if (!dp83822->fx_enabled)
++ /* Private data pointer is NULL on DP83825/26 */
++ if (!dp83822 || !dp83822->fx_enabled)
+ misr_status |= DP83822_ANEG_ERR_INT_EN |
+ DP83822_WOL_PKT_INT_EN;
+
+--
+2.39.0
+
--- /dev/null
+From b14a6eaeb3dc07afb633e51767d030652bc6014f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jan 2023 15:14:02 -0800
+Subject: net: phy: meson-gxl: Add generic dummy stubs for MMD register access
+
+From: Chris Healy <healych@amazon.com>
+
+[ Upstream commit afc2336f89dc0fc0ef25b92366814524b0fd90fb ]
+
+The Meson G12A Internal PHY does not support standard IEEE MMD extended
+register access, therefore add generic dummy stubs to fail the read and
+write MMD calls. This is necessary to prevent the core PHY code from
+erroneously believing that EEE is supported by this PHY even though this
+PHY does not support EEE, as MMD register access returns all FFFFs.
+
+Fixes: 5c3407abb338 ("net: phy: meson-gxl: add g12a support")
+Reviewed-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Chris Healy <healych@amazon.com>
+Reviewed-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://lore.kernel.org/r/20230130231402.471493-1-cphealy@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/meson-gxl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/phy/meson-gxl.c b/drivers/net/phy/meson-gxl.c
+index e8f2ca625837..f7a9e6599a64 100644
+--- a/drivers/net/phy/meson-gxl.c
++++ b/drivers/net/phy/meson-gxl.c
+@@ -245,6 +245,8 @@ static struct phy_driver meson_gxl_phy[] = {
+ .config_intr = meson_gxl_config_intr,
+ .suspend = genphy_suspend,
+ .resume = genphy_resume,
++ .read_mmd = genphy_read_mmd_unsupported,
++ .write_mmd = genphy_write_mmd_unsupported,
+ },
+ };
+
+--
+2.39.0
+
--- /dev/null
+From 15ec2892624414a590418f210bc8b7f11fa0b145 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jan 2023 11:43:23 -0800
+Subject: net/x25: Fix to not accept on connected socket
+
+From: Hyunwoo Kim <v4bel@theori.io>
+
+[ Upstream commit f2b0b5210f67c56a3bcdf92ff665fb285d6e0067 ]
+
+When listen() and accept() are called on an x25 socket
+that connect() succeeds, accept() succeeds immediately.
+This is because x25_connect() queues the skb to
+sk->sk_receive_queue, and x25_accept() dequeues it.
+
+This creates a child socket with the sk of the parent
+x25 socket, which can cause confusion.
+
+Fix x25_listen() to return -EINVAL if the socket has
+already been successfully connect()ed to avoid this issue.
+
+Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/x25/af_x25.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
+index d231d4620c38..161dc194e634 100644
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -492,6 +492,12 @@ static int x25_listen(struct socket *sock, int backlog)
+ int rc = -EOPNOTSUPP;
+
+ lock_sock(sk);
++ if (sock->state != SS_UNCONNECTED) {
++ rc = -EINVAL;
++ release_sock(sk);
++ return rc;
++ }
++
+ if (sk->sk_state != TCP_LISTEN) {
+ memset(&x25_sk(sk)->dest_addr, 0, X25_ADDR_LEN);
+ sk->sk_max_ack_backlog = backlog;
+--
+2.39.0
+
--- /dev/null
+From 14a2976a15387526c6cb06819046b75f4f3fa5c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jan 2023 11:39:29 +0100
+Subject: netfilter: br_netfilter: disable sabotage_in hook after first
+ suppression
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 2b272bb558f1d3a5aa95ed8a82253786fd1a48ba ]
+
+When using a xfrm interface in a bridged setup (the outgoing device is
+bridged), the incoming packets in the xfrm interface are only tracked
+in the outgoing direction.
+
+$ brctl show
+bridge name interfaces
+br_eth1 eth1
+
+$ conntrack -L
+tcp 115 SYN_SENT src=192... dst=192... [UNREPLIED] ...
+
+If br_netfilter is enabled, the first (encrypted) packet is received onR
+eth1, conntrack hooks are called from br_netfilter emulation which
+allocates nf_bridge info for this skb.
+
+If the packet is for local machine, skb gets passed up the ip stack.
+The skb passes through ip prerouting a second time. br_netfilter
+ip_sabotage_in supresses the re-invocation of the hooks.
+
+After this, skb gets decrypted in xfrm layer and appears in
+network stack a second time (after decryption).
+
+Then, ip_sabotage_in is called again and suppresses netfilter
+hook invocation, even though the bridge layer never called them
+for the plaintext incarnation of the packet.
+
+Free the bridge info after the first suppression to avoid this.
+
+I was unable to figure out where the regression comes from, as far as i
+can see br_netfilter always had this problem; i did not expect that skb
+is looped again with different headers.
+
+Fixes: c4b0e771f906 ("netfilter: avoid using skb->nf_bridge directly")
+Reported-and-tested-by: Wolfgang Nothdurft <wolfgang@linogate.de>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_netfilter_hooks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index a718204c4bfd..f3c7cfba31e1 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -871,6 +871,7 @@ static unsigned int ip_sabotage_in(void *priv,
+ if (nf_bridge && !nf_bridge->in_prerouting &&
+ !netif_is_l3_master(skb->dev) &&
+ !netif_is_l3_slave(skb->dev)) {
++ nf_bridge_info_free(skb);
+ state->okfn(state->net, state->sk, skb);
+ return NF_STOLEN;
+ }
+--
+2.39.0
+
--- /dev/null
+From e63c04123cdad28488f005a4d8635850653146fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jan 2023 18:32:50 -0800
+Subject: netrom: Fix use-after-free caused by accept on already connected
+ socket
+
+From: Hyunwoo Kim <v4bel@theori.io>
+
+[ Upstream commit 611792920925fb088ddccbe2783c7f92fdfb6b64 ]
+
+If you call listen() and accept() on an already connect()ed
+AF_NETROM socket, accept() can successfully connect.
+This is because when the peer socket sends data to sendmsg,
+the skb with its own sk stored in the connected socket's
+sk->sk_receive_queue is connected, and nr_accept() dequeues
+the skb waiting in the sk->sk_receive_queue.
+
+As a result, nr_accept() allocates and returns a sock with
+the sk of the parent AF_NETROM socket.
+
+And here use-after-free can happen through complex race conditions:
+```
+ cpu0 cpu1
+ 1. socket_2 = socket(AF_NETROM)
+ .
+ .
+ listen(socket_2)
+ accepted_socket = accept(socket_2)
+ 2. socket_1 = socket(AF_NETROM)
+ nr_create() // sk refcount : 1
+ connect(socket_1)
+ 3. write(accepted_socket)
+ nr_sendmsg()
+ nr_output()
+ nr_kick()
+ nr_send_iframe()
+ nr_transmit_buffer()
+ nr_route_frame()
+ nr_loopback_queue()
+ nr_loopback_timer()
+ nr_rx_frame()
+ nr_process_rx_frame(sk, skb); // sk : socket_1's sk
+ nr_state3_machine()
+ nr_queue_rx_frame()
+ sock_queue_rcv_skb()
+ sock_queue_rcv_skb_reason()
+ __sock_queue_rcv_skb()
+ __skb_queue_tail(list, skb); // list : socket_1's sk->sk_receive_queue
+ 4. listen(socket_1)
+ nr_listen()
+ uaf_socket = accept(socket_1)
+ nr_accept()
+ skb_dequeue(&sk->sk_receive_queue);
+ 5. close(accepted_socket)
+ nr_release()
+ nr_write_internal(sk, NR_DISCREQ)
+ nr_transmit_buffer() // NR_DISCREQ
+ nr_route_frame()
+ nr_loopback_queue()
+ nr_loopback_timer()
+ nr_rx_frame() // sk : socket_1's sk
+ nr_process_rx_frame() // NR_STATE_3
+ nr_state3_machine() // NR_DISCREQ
+ nr_disconnect()
+ nr_sk(sk)->state = NR_STATE_0;
+ 6. close(socket_1) // sk refcount : 3
+ nr_release() // NR_STATE_0
+ sock_put(sk); // sk refcount : 0
+ sk_free(sk);
+ close(uaf_socket)
+ nr_release()
+ sock_hold(sk); // UAF
+```
+
+KASAN report by syzbot:
+```
+BUG: KASAN: use-after-free in nr_release+0x66/0x460 net/netrom/af_netrom.c:520
+Write of size 4 at addr ffff8880235d8080 by task syz-executor564/5128
+
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:306 [inline]
+ print_report+0x15e/0x461 mm/kasan/report.c:417
+ kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
+ check_region_inline mm/kasan/generic.c:183 [inline]
+ kasan_check_range+0x141/0x190 mm/kasan/generic.c:189
+ instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
+ atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
+ __refcount_add include/linux/refcount.h:193 [inline]
+ __refcount_inc include/linux/refcount.h:250 [inline]
+ refcount_inc include/linux/refcount.h:267 [inline]
+ sock_hold include/net/sock.h:775 [inline]
+ nr_release+0x66/0x460 net/netrom/af_netrom.c:520
+ __sock_release+0xcd/0x280 net/socket.c:650
+ sock_close+0x1c/0x20 net/socket.c:1365
+ __fput+0x27c/0xa90 fs/file_table.c:320
+ task_work_run+0x16f/0x270 kernel/task_work.c:179
+ exit_task_work include/linux/task_work.h:38 [inline]
+ do_exit+0xaa8/0x2950 kernel/exit.c:867
+ do_group_exit+0xd4/0x2a0 kernel/exit.c:1012
+ get_signal+0x21c3/0x2450 kernel/signal.c:2859
+ arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
+ exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
+ exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
+ syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
+ do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7f6c19e3c9b9
+Code: Unable to access opcode bytes at 0x7f6c19e3c98f.
+RSP: 002b:00007fffd4ba2ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
+RAX: 0000000000000116 RBX: 0000000000000003 RCX: 00007f6c19e3c9b9
+RDX: 0000000000000318 RSI: 00000000200bd000 RDI: 0000000000000006
+RBP: 0000000000000003 R08: 000000000000000d R09: 000000000000000d
+R10: 0000000000000000 R11: 0000000000000246 R12: 000055555566a2c0
+R13: 0000000000000011 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+
+Allocated by task 5128:
+ kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ ____kasan_kmalloc mm/kasan/common.c:371 [inline]
+ ____kasan_kmalloc mm/kasan/common.c:330 [inline]
+ __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380
+ kasan_kmalloc include/linux/kasan.h:211 [inline]
+ __do_kmalloc_node mm/slab_common.c:968 [inline]
+ __kmalloc+0x5a/0xd0 mm/slab_common.c:981
+ kmalloc include/linux/slab.h:584 [inline]
+ sk_prot_alloc+0x140/0x290 net/core/sock.c:2038
+ sk_alloc+0x3a/0x7a0 net/core/sock.c:2091
+ nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433
+ __sock_create+0x359/0x790 net/socket.c:1515
+ sock_create net/socket.c:1566 [inline]
+ __sys_socket_create net/socket.c:1603 [inline]
+ __sys_socket_create net/socket.c:1588 [inline]
+ __sys_socket+0x133/0x250 net/socket.c:1636
+ __do_sys_socket net/socket.c:1649 [inline]
+ __se_sys_socket net/socket.c:1647 [inline]
+ __x64_sys_socket+0x73/0xb0 net/socket.c:1647
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Freed by task 5128:
+ kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518
+ ____kasan_slab_free mm/kasan/common.c:236 [inline]
+ ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200
+ kasan_slab_free include/linux/kasan.h:177 [inline]
+ __cache_free mm/slab.c:3394 [inline]
+ __do_kmem_cache_free mm/slab.c:3580 [inline]
+ __kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587
+ sk_prot_free net/core/sock.c:2074 [inline]
+ __sk_destruct+0x5df/0x750 net/core/sock.c:2166
+ sk_destruct net/core/sock.c:2181 [inline]
+ __sk_free+0x175/0x460 net/core/sock.c:2192
+ sk_free+0x7c/0xa0 net/core/sock.c:2203
+ sock_put include/net/sock.h:1991 [inline]
+ nr_release+0x39e/0x460 net/netrom/af_netrom.c:554
+ __sock_release+0xcd/0x280 net/socket.c:650
+ sock_close+0x1c/0x20 net/socket.c:1365
+ __fput+0x27c/0xa90 fs/file_table.c:320
+ task_work_run+0x16f/0x270 kernel/task_work.c:179
+ exit_task_work include/linux/task_work.h:38 [inline]
+ do_exit+0xaa8/0x2950 kernel/exit.c:867
+ do_group_exit+0xd4/0x2a0 kernel/exit.c:1012
+ get_signal+0x21c3/0x2450 kernel/signal.c:2859
+ arch_do_signal_or_restart+0x79/0x5c0 arch/x86/kernel/signal.c:306
+ exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
+ exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
+ syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
+ do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+```
+
+To fix this issue, nr_listen() returns -EINVAL for sockets that
+successfully nr_connect().
+
+Reported-by: syzbot+caa188bdfc1eeafeb418@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/af_netrom.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
+index e5c8a295e640..5c04da4cfbad 100644
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -400,6 +400,11 @@ static int nr_listen(struct socket *sock, int backlog)
+ struct sock *sk = sock->sk;
+
+ lock_sock(sk);
++ if (sock->state != SS_UNCONNECTED) {
++ release_sock(sk);
++ return -EINVAL;
++ }
++
+ if (sk->sk_state != TCP_LISTEN) {
+ memset(&nr_sk(sk)->user_addr, 0, AX25_ADDR_LEN);
+ sk->sk_max_ack_backlog = backlog;
+--
+2.39.0
+
--- /dev/null
+From 03b58dfc499cc8a79d4c6fb77455a3fa89a45378 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jan 2023 20:34:36 +0800
+Subject: platform/x86: dell-wmi: Add a keymap for KEY_MUTE in type 0x0010
+ table
+
+From: Koba Ko <koba.ko@canonical.com>
+
+[ Upstream commit 83bcf3e52e9cfc727df33f1055ef0618c91719d0 ]
+
+Some platforms send the speaker-mute key from EC. dell-wmi can't
+recognize it.
+
+Add a new keymap for KEY_MUTE in type 0x0010 table.
+
+Signed-off-by: Koba Ko <koba.ko@canonical.com>
+Link: https://lore.kernel.org/r/20230117123436.200440-1-koba.ko@canonical.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/dell-wmi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/platform/x86/dell-wmi.c b/drivers/platform/x86/dell-wmi.c
+index bbdb3e860892..6ef327a80ccf 100644
+--- a/drivers/platform/x86/dell-wmi.c
++++ b/drivers/platform/x86/dell-wmi.c
+@@ -259,6 +259,9 @@ static const struct key_entry dell_wmi_keymap_type_0010[] = {
+ { KE_KEY, 0x57, { KEY_BRIGHTNESSDOWN } },
+ { KE_KEY, 0x58, { KEY_BRIGHTNESSUP } },
+
++ /*Speaker Mute*/
++ { KE_KEY, 0x109, { KEY_MUTE} },
++
+ /* Mic mute */
+ { KE_KEY, 0x150, { KEY_MICMUTE } },
+
+--
+2.39.0
+
--- /dev/null
+From 0f7d250ec1e70929e4fed459f46722bf7c500439 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 16:37:47 +0000
+Subject: powerpc/bpf: Change register numbering for bpf_set/is_seen_register()
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit ed573b57e77a7860fe4026e1700faa2f6938caf1 ]
+
+Instead of using BPF register number as input in functions
+bpf_set_seen_register() and bpf_is_seen_register(), use
+CPU register number directly.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/0cd2506f598e7095ea43e62dca1f472de5474a0d.1616430991.git.christophe.leroy@csgroup.eu
+Stable-dep-of: 71f656a50176 ("bpf: Fix to preserve reg parent/live fields when copying range info")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/net/bpf_jit_comp64.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c
+index 0d47514e8870..7da59ddc90dd 100644
+--- a/arch/powerpc/net/bpf_jit_comp64.c
++++ b/arch/powerpc/net/bpf_jit_comp64.c
+@@ -32,12 +32,12 @@ static inline void bpf_flush_icache(void *start, void *end)
+
+ static inline bool bpf_is_seen_register(struct codegen_context *ctx, int i)
+ {
+- return (ctx->seen & (1 << (31 - b2p[i])));
++ return ctx->seen & (1 << (31 - i));
+ }
+
+ static inline void bpf_set_seen_register(struct codegen_context *ctx, int i)
+ {
+- ctx->seen |= (1 << (31 - b2p[i]));
++ ctx->seen |= 1 << (31 - i);
+ }
+
+ static inline bool bpf_has_stack_frame(struct codegen_context *ctx)
+@@ -48,7 +48,7 @@ static inline bool bpf_has_stack_frame(struct codegen_context *ctx)
+ * - the bpf program uses its stack area
+ * The latter condition is deduced from the usage of BPF_REG_FP
+ */
+- return ctx->seen & SEEN_FUNC || bpf_is_seen_register(ctx, BPF_REG_FP);
++ return ctx->seen & SEEN_FUNC || bpf_is_seen_register(ctx, b2p[BPF_REG_FP]);
+ }
+
+ /*
+@@ -125,11 +125,11 @@ static void bpf_jit_build_prologue(u32 *image, struct codegen_context *ctx)
+ * in the protected zone below the previous stack frame
+ */
+ for (i = BPF_REG_6; i <= BPF_REG_10; i++)
+- if (bpf_is_seen_register(ctx, i))
++ if (bpf_is_seen_register(ctx, b2p[i]))
+ PPC_BPF_STL(b2p[i], 1, bpf_jit_stack_offsetof(ctx, b2p[i]));
+
+ /* Setup frame pointer to point to the bpf stack area */
+- if (bpf_is_seen_register(ctx, BPF_REG_FP))
++ if (bpf_is_seen_register(ctx, b2p[BPF_REG_FP]))
+ EMIT(PPC_RAW_ADDI(b2p[BPF_REG_FP], 1,
+ STACK_FRAME_MIN_SIZE + ctx->stack_size));
+ }
+@@ -140,7 +140,7 @@ static void bpf_jit_emit_common_epilogue(u32 *image, struct codegen_context *ctx
+
+ /* Restore NVRs */
+ for (i = BPF_REG_6; i <= BPF_REG_10; i++)
+- if (bpf_is_seen_register(ctx, i))
++ if (bpf_is_seen_register(ctx, b2p[i]))
+ PPC_BPF_LL(b2p[i], 1, bpf_jit_stack_offsetof(ctx, b2p[i]));
+
+ /* Tear down our stack frame */
+@@ -356,9 +356,9 @@ static int bpf_jit_build_body(struct bpf_prog *fp, u32 *image,
+ * any issues.
+ */
+ if (dst_reg >= BPF_PPC_NVR_MIN && dst_reg < 32)
+- bpf_set_seen_register(ctx, insn[i].dst_reg);
++ bpf_set_seen_register(ctx, dst_reg);
+ if (src_reg >= BPF_PPC_NVR_MIN && src_reg < 32)
+- bpf_set_seen_register(ctx, insn[i].src_reg);
++ bpf_set_seen_register(ctx, src_reg);
+
+ switch (code) {
+ /*
+--
+2.39.0
+
--- /dev/null
+From 76f74e69efb95e4add82e5b687e062f2c989739f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 16:37:48 +0000
+Subject: powerpc/bpf: Move common helpers into bpf_jit.h
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit f1b1583d5faa86cb3dcb7b740594868debad7c30 ]
+
+Move functions bpf_flush_icache(), bpf_is_seen_register() and
+bpf_set_seen_register() in order to reuse them in future
+bpf_jit_comp32.c
+
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/28e8d5a75e64807d7e9d39a4b52658755e259f8c.1616430991.git.christophe.leroy@csgroup.eu
+Stable-dep-of: 71f656a50176 ("bpf: Fix to preserve reg parent/live fields when copying range info")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/net/bpf_jit.h | 35 +++++++++++++++++++++++++++++++
+ arch/powerpc/net/bpf_jit64.h | 19 -----------------
+ arch/powerpc/net/bpf_jit_comp64.c | 16 --------------
+ 3 files changed, 35 insertions(+), 35 deletions(-)
+
+diff --git a/arch/powerpc/net/bpf_jit.h b/arch/powerpc/net/bpf_jit.h
+index 1a5b4da8a235..cd9aab6ec2c5 100644
+--- a/arch/powerpc/net/bpf_jit.h
++++ b/arch/powerpc/net/bpf_jit.h
+@@ -117,6 +117,41 @@
+ #define COND_LT (CR0_LT | COND_CMP_TRUE)
+ #define COND_LE (CR0_GT | COND_CMP_FALSE)
+
++#define SEEN_FUNC 0x1000 /* might call external helpers */
++#define SEEN_STACK 0x2000 /* uses BPF stack */
++#define SEEN_TAILCALL 0x4000 /* uses tail calls */
++
++struct codegen_context {
++ /*
++ * This is used to track register usage as well
++ * as calls to external helpers.
++ * - register usage is tracked with corresponding
++ * bits (r3-r10 and r27-r31)
++ * - rest of the bits can be used to track other
++ * things -- for now, we use bits 16 to 23
++ * encoded in SEEN_* macros above
++ */
++ unsigned int seen;
++ unsigned int idx;
++ unsigned int stack_size;
++};
++
++static inline void bpf_flush_icache(void *start, void *end)
++{
++ smp_wmb(); /* smp write barrier */
++ flush_icache_range((unsigned long)start, (unsigned long)end);
++}
++
++static inline bool bpf_is_seen_register(struct codegen_context *ctx, int i)
++{
++ return ctx->seen & (1 << (31 - i));
++}
++
++static inline void bpf_set_seen_register(struct codegen_context *ctx, int i)
++{
++ ctx->seen |= 1 << (31 - i);
++}
++
+ #endif
+
+ #endif
+diff --git a/arch/powerpc/net/bpf_jit64.h b/arch/powerpc/net/bpf_jit64.h
+index 4d164e865b39..201b83bfa869 100644
+--- a/arch/powerpc/net/bpf_jit64.h
++++ b/arch/powerpc/net/bpf_jit64.h
+@@ -86,25 +86,6 @@ static const int b2p[] = {
+ } while(0)
+ #define PPC_BPF_STLU(r, base, i) do { EMIT(PPC_RAW_STDU(r, base, i)); } while(0)
+
+-#define SEEN_FUNC 0x1000 /* might call external helpers */
+-#define SEEN_STACK 0x2000 /* uses BPF stack */
+-#define SEEN_TAILCALL 0x4000 /* uses tail calls */
+-
+-struct codegen_context {
+- /*
+- * This is used to track register usage as well
+- * as calls to external helpers.
+- * - register usage is tracked with corresponding
+- * bits (r3-r10 and r27-r31)
+- * - rest of the bits can be used to track other
+- * things -- for now, we use bits 16 to 23
+- * encoded in SEEN_* macros above
+- */
+- unsigned int seen;
+- unsigned int idx;
+- unsigned int stack_size;
+-};
+-
+ #endif /* !__ASSEMBLY__ */
+
+ #endif
+diff --git a/arch/powerpc/net/bpf_jit_comp64.c b/arch/powerpc/net/bpf_jit_comp64.c
+index 7da59ddc90dd..ebad2c79cd6f 100644
+--- a/arch/powerpc/net/bpf_jit_comp64.c
++++ b/arch/powerpc/net/bpf_jit_comp64.c
+@@ -24,22 +24,6 @@ static void bpf_jit_fill_ill_insns(void *area, unsigned int size)
+ memset32(area, BREAKPOINT_INSTRUCTION, size/4);
+ }
+
+-static inline void bpf_flush_icache(void *start, void *end)
+-{
+- smp_wmb();
+- flush_icache_range((unsigned long)start, (unsigned long)end);
+-}
+-
+-static inline bool bpf_is_seen_register(struct codegen_context *ctx, int i)
+-{
+- return ctx->seen & (1 << (31 - i));
+-}
+-
+-static inline void bpf_set_seen_register(struct codegen_context *ctx, int i)
+-{
+- ctx->seen |= 1 << (31 - i);
+-}
+-
+ static inline bool bpf_has_stack_frame(struct codegen_context *ctx)
+ {
+ /*
+--
+2.39.0
+
--- /dev/null
+From 8770a685eb6aa0d38c23fd18f7724ca969bac539 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Feb 2021 12:28:29 -0800
+Subject: qede: add netpoll support for qede driver
+
+From: Bhaskar Upadhaya <bupadhaya@marvell.com>
+
+[ Upstream commit 961aa716235f58088e99acafbe66027d678061ce ]
+
+handle netpoll case when qede_poll is called by
+netpoll layer with budget 0
+
+Signed-off-by: Bhaskar Upadhaya <bupadhaya@marvell.com>
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 2ccce20d51fa ("qede: execute xdp_do_flush() before napi_complete_done()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_fp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c b/drivers/net/ethernet/qlogic/qede/qede_fp.c
+index d210632676d3..5b1885c0a8bd 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c
+@@ -1456,7 +1456,8 @@ int qede_poll(struct napi_struct *napi, int budget)
+ rx_work_done = (likely(fp->type & QEDE_FASTPATH_RX) &&
+ qede_has_rx_work(fp->rxq)) ?
+ qede_rx_int(fp, budget) : 0;
+- if (rx_work_done < budget) {
++ /* Handle case where we are called by netpoll with a budget of 0 */
++ if (rx_work_done < budget || !budget) {
+ if (!qede_poll_is_more_work(fp)) {
+ napi_complete_done(napi, rx_work_done);
+
+--
+2.39.0
+
--- /dev/null
+From 636b6e7272e80d4c0bf5356ba1fa94c8a29bc852 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jan 2023 08:48:57 +0100
+Subject: qede: execute xdp_do_flush() before napi_complete_done()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+[ Upstream commit 2ccce20d51faa0178086163ccb6c84a099a87ab4 ]
+
+Make sure that xdp_do_flush() is always executed before
+napi_complete_done(). This is important for two reasons. First, a
+redirect to an XSKMAP assumes that a call to xdp_do_redirect() from
+napi context X on CPU Y will be followed by a xdp_do_flush() from the
+same napi context and CPU. This is not guaranteed if the
+napi_complete_done() is executed before xdp_do_flush(), as it tells
+the napi logic that it is fine to schedule napi context X on another
+CPU. Details from a production system triggering this bug using the
+veth driver can be found following the first link below.
+
+The second reason is that the XDP_REDIRECT logic in itself relies on
+being inside a single NAPI instance through to the xdp_do_flush() call
+for RCU protection of all in-kernel data structures. Details can be
+found in the second link below.
+
+Fixes: d1b25b79e162b ("qede: add .ndo_xdp_xmit() and XDP_REDIRECT support")
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com
+Link: https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_fp.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c b/drivers/net/ethernet/qlogic/qede/qede_fp.c
+index 5b1885c0a8bd..a632de208a7d 100644
+--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c
+@@ -1456,6 +1456,10 @@ int qede_poll(struct napi_struct *napi, int budget)
+ rx_work_done = (likely(fp->type & QEDE_FASTPATH_RX) &&
+ qede_has_rx_work(fp->rxq)) ?
+ qede_rx_int(fp, budget) : 0;
++
++ if (fp->xdp_xmit & QEDE_XDP_REDIRECT)
++ xdp_do_flush();
++
+ /* Handle case where we are called by netpoll with a budget of 0 */
+ if (rx_work_done < budget || !budget) {
+ if (!qede_poll_is_more_work(fp)) {
+@@ -1475,9 +1479,6 @@ int qede_poll(struct napi_struct *napi, int budget)
+ qede_update_tx_producer(fp->xdp_tx);
+ }
+
+- if (fp->xdp_xmit & QEDE_XDP_REDIRECT)
+- xdp_do_flush_map();
+-
+ return rx_work_done;
+ }
+
+--
+2.39.0
+
--- /dev/null
+From 7c90b9c70118a40a4af3f4e01d6912a99c6db5e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 19:01:10 -0400
+Subject: READ is "data destination", not source...
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 355d2c2798e9dc39f6714fa7ef8902c0d4c5350b ]
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/rtrs/rtrs-clt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+index 5c39e4c4bef7..1a5805260778 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+@@ -902,7 +902,7 @@ static void rtrs_clt_init_req(struct rtrs_clt_io_req *req,
+ req->need_inv_comp = false;
+ req->inv_errno = 0;
+
+- iov_iter_kvec(&iter, READ, vec, 1, usr_len);
++ iov_iter_kvec(&iter, WRITE, vec, 1, usr_len);
+ len = _copy_from_iter(req->iu->buf, usr_len, &iter);
+ WARN_ON(len != usr_len);
+
+--
+2.39.0
+
--- /dev/null
+From 3c72b4243b44f3f35fdcdb8059b65903cf438495 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jan 2023 13:39:37 -0600
+Subject: scsi: iscsi_tcp: Fix UAF during login when accessing the shost
+ ipaddress
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 ]
+
+If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
+userspace could be accessing the host's ipaddress attr. If we then free the
+session via iscsi_session_teardown() while userspace is still accessing the
+session we will hit a use after free bug.
+
+Set the tcp_sw_host->session after we have completed session creation and
+can no longer fail.
+
+Link: https://lore.kernel.org/r/20230117193937.21244-3-michael.christie@oracle.com
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Acked-by: Ding Hui <dinghui@sangfor.com.cn>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/iscsi_tcp.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
+index 6485c1aa9e74..252d7881f99c 100644
+--- a/drivers/scsi/iscsi_tcp.c
++++ b/drivers/scsi/iscsi_tcp.c
+@@ -802,7 +802,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
+ enum iscsi_host_param param, char *buf)
+ {
+ struct iscsi_sw_tcp_host *tcp_sw_host = iscsi_host_priv(shost);
+- struct iscsi_session *session = tcp_sw_host->session;
++ struct iscsi_session *session;
+ struct iscsi_conn *conn;
+ struct iscsi_tcp_conn *tcp_conn;
+ struct iscsi_sw_tcp_conn *tcp_sw_conn;
+@@ -812,6 +812,7 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost,
+
+ switch (param) {
+ case ISCSI_HOST_PARAM_IPADDRESS:
++ session = tcp_sw_host->session;
+ if (!session)
+ return -ENOTCONN;
+
+@@ -906,12 +907,14 @@ iscsi_sw_tcp_session_create(struct iscsi_endpoint *ep, uint16_t cmds_max,
+ if (!cls_session)
+ goto remove_host;
+ session = cls_session->dd_data;
+- tcp_sw_host = iscsi_host_priv(shost);
+- tcp_sw_host->session = session;
+
+ shost->can_queue = session->scsi_cmds_max;
+ if (iscsi_tcp_r2tpool_alloc(session))
+ goto remove_session;
++
++ /* We are now fully setup so expose the session to sysfs. */
++ tcp_sw_host = iscsi_host_priv(shost);
++ tcp_sw_host->session = session;
+ return cls_session;
+
+ remove_session:
+--
+2.39.0
+
--- /dev/null
+From 646f4b84d7848ec2357c026b17fa4cf8ea10df99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jan 2023 22:06:08 -0500
+Subject: scsi: Revert "scsi: core: map PQ=1, PDT=other values to
+ SCSI_SCAN_TARGET_PRESENT"
+
+From: Martin K. Petersen <martin.petersen@oracle.com>
+
+[ Upstream commit 15600159bcc6abbeae6b33a849bef90dca28b78f ]
+
+This reverts commit 948e922fc44611ee2de0c89583ca958cb5307d36.
+
+Not all targets that return PQ=1 and PDT=0 should be ignored. While
+the SCSI spec is vague in this department, there appears to be a
+critical mass of devices which rely on devices being accessible with
+this combination of reported values.
+
+Fixes: 948e922fc446 ("scsi: core: map PQ=1, PDT=other values to SCSI_SCAN_TARGET_PRESENT")
+Link: https://lore.kernel.org/r/yq1lelrleqr.fsf@ca-mkp.ca.oracle.com
+Acked-by: Bart Van Assche <bvanassche@acm.org>
+Acked-by: Martin Wilck <mwilck@suse.com>
+Acked-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_scan.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
+index 8e474b145249..6f7c4d41c51d 100644
+--- a/drivers/scsi/scsi_scan.c
++++ b/drivers/scsi/scsi_scan.c
+@@ -1129,8 +1129,7 @@ static int scsi_probe_and_add_lun(struct scsi_target *starget,
+ * that no LUN is present, so don't add sdev in these cases.
+ * Two specific examples are:
+ * 1) NetApp targets: return PQ=1, PDT=0x1f
+- * 2) IBM/2145 targets: return PQ=1, PDT=0
+- * 3) USB UFI: returns PDT=0x1f, with the PQ bits being "reserved"
++ * 2) USB UFI: returns PDT=0x1f, with the PQ bits being "reserved"
+ * in the UFI 1.0 spec (we cannot rely on reserved bits).
+ *
+ * References:
+@@ -1144,8 +1143,8 @@ static int scsi_probe_and_add_lun(struct scsi_target *starget,
+ * PDT=00h Direct-access device (floppy)
+ * PDT=1Fh none (no FDD connected to the requested logical unit)
+ */
+- if (((result[0] >> 5) == 1 ||
+- (starget->pdt_1f_for_no_lun && (result[0] & 0x1f) == 0x1f)) &&
++ if (((result[0] >> 5) == 1 || starget->pdt_1f_for_no_lun) &&
++ (result[0] & 0x1f) == 0x1f &&
+ !scsi_is_wlun(lun)) {
+ SCSI_LOG_SCAN_BUS(3, sdev_printk(KERN_INFO, sdev,
+ "scsi scan: peripheral device type"
+--
+2.39.0
+
--- /dev/null
+From b773a91411357c1f783f8249981d27866f113396 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jan 2023 13:53:10 +0100
+Subject: scsi: target: core: Fix warning on RT kernels
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 84ed64b1a7a7fcd507598dee7708c1f225123711 ]
+
+Calling spin_lock_irqsave() does not disable the interrupts on realtime
+kernels, remove the warning and replace assert_spin_locked() with
+lockdep_assert_held().
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20230110125310.55884-1-mlombard@redhat.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_tmr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c
+index e4513ef09159..3efd5a3bd69d 100644
+--- a/drivers/target/target_core_tmr.c
++++ b/drivers/target/target_core_tmr.c
+@@ -82,8 +82,8 @@ static bool __target_check_io_state(struct se_cmd *se_cmd,
+ {
+ struct se_session *sess = se_cmd->se_sess;
+
+- assert_spin_locked(&sess->sess_cmd_lock);
+- WARN_ON_ONCE(!irqs_disabled());
++ lockdep_assert_held(&sess->sess_cmd_lock);
++
+ /*
+ * If command already reached CMD_T_COMPLETE state within
+ * target_complete_cmd() or CMD_T_FABRIC_STOP due to shutdown,
+--
+2.39.0
+
--- /dev/null
+From e936dfe5ae9fda4cca8fbec58c4cd23edebb8fae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Feb 2023 00:16:14 +0000
+Subject: selftests: net: udpgso_bench: Fix racing bug between the rx/tx
+ programs
+
+From: Andrei Gherzan <andrei.gherzan@canonical.com>
+
+[ Upstream commit dafe93b9ee21028d625dce347118b82659652eff ]
+
+"udpgro_bench.sh" invokes udpgso_bench_rx/udpgso_bench_tx programs
+subsequently and while doing so, there is a chance that the rx one is not
+ready to accept socket connections. This racing bug could fail the test
+with at least one of the following:
+
+./udpgso_bench_tx: connect: Connection refused
+./udpgso_bench_tx: sendmsg: Connection refused
+./udpgso_bench_tx: write: Connection refused
+
+This change addresses this by making udpgro_bench.sh wait for the rx
+program to be ready before firing off the tx one - up to a 10s timeout.
+
+Fixes: 3a687bef148d ("selftests: udp gso benchmark")
+Signed-off-by: Andrei Gherzan <andrei.gherzan@canonical.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20230201001612.515730-3-andrei.gherzan@canonical.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/udpgso_bench.sh | 24 +++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/net/udpgso_bench.sh b/tools/testing/selftests/net/udpgso_bench.sh
+index dc932fd65363..640bc43452fa 100755
+--- a/tools/testing/selftests/net/udpgso_bench.sh
++++ b/tools/testing/selftests/net/udpgso_bench.sh
+@@ -7,6 +7,7 @@ readonly GREEN='\033[0;92m'
+ readonly YELLOW='\033[0;33m'
+ readonly RED='\033[0;31m'
+ readonly NC='\033[0m' # No Color
++readonly TESTPORT=8000
+
+ readonly KSFT_PASS=0
+ readonly KSFT_FAIL=1
+@@ -56,11 +57,26 @@ trap wake_children EXIT
+
+ run_one() {
+ local -r args=$@
++ local nr_socks=0
++ local i=0
++ local -r timeout=10
++
++ ./udpgso_bench_rx -p "$TESTPORT" &
++ ./udpgso_bench_rx -p "$TESTPORT" -t &
++
++ # Wait for the above test program to get ready to receive connections.
++ while [ "$i" -lt "$timeout" ]; do
++ nr_socks="$(ss -lnHi | grep -c "\*:${TESTPORT}")"
++ [ "$nr_socks" -eq 2 ] && break
++ i=$((i + 1))
++ sleep 1
++ done
++ if [ "$nr_socks" -ne 2 ]; then
++ echo "timed out while waiting for udpgso_bench_rx"
++ exit 1
++ fi
+
+- ./udpgso_bench_rx &
+- ./udpgso_bench_rx -t &
+-
+- ./udpgso_bench_tx ${args}
++ ./udpgso_bench_tx -p "$TESTPORT" ${args}
+ }
+
+ run_in_netns() {
+--
+2.39.0
+
--- /dev/null
+From 53e846910da76bf68bdb4e3e0c650e7169a081a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Feb 2023 00:16:10 +0000
+Subject: selftests: net: udpgso_bench_rx: Fix 'used uninitialized' compiler
+ warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrei Gherzan <andrei.gherzan@canonical.com>
+
+[ Upstream commit c03c80e3a03ffb4f790901d60797e9810539d946 ]
+
+This change fixes the following compiler warning:
+
+/usr/include/x86_64-linux-gnu/bits/error.h:40:5: warning: ‘gso_size’ may
+be used uninitialized [-Wmaybe-uninitialized]
+ 40 | __error_noreturn (__status, __errnum, __format,
+ __va_arg_pack ());
+ |
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ udpgso_bench_rx.c: In function ‘main’:
+ udpgso_bench_rx.c:253:23: note: ‘gso_size’ was declared here
+ 253 | int ret, len, gso_size, budget = 256;
+
+Fixes: 3327a9c46352 ("selftests: add functionals test for UDP GRO")
+Signed-off-by: Andrei Gherzan <andrei.gherzan@canonical.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20230201001612.515730-1-andrei.gherzan@canonical.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/udpgso_bench_rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/udpgso_bench_rx.c b/tools/testing/selftests/net/udpgso_bench_rx.c
+index 6a193425c367..d0895bd1933f 100644
+--- a/tools/testing/selftests/net/udpgso_bench_rx.c
++++ b/tools/testing/selftests/net/udpgso_bench_rx.c
+@@ -250,7 +250,7 @@ static int recv_msg(int fd, char *buf, int len, int *gso_size)
+ static void do_flush_udp(int fd)
+ {
+ static char rbuf[ETH_MAX_MTU];
+- int ret, len, gso_size, budget = 256;
++ int ret, len, gso_size = 0, budget = 256;
+
+ len = cfg_read_all ? sizeof(rbuf) : 0;
+ while (budget--) {
+--
+2.39.0
+
--- /dev/null
+From a75b623ae79d260a3412f2f583fbdac73f0ed56e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Feb 2023 00:16:12 +0000
+Subject: selftests: net: udpgso_bench_rx/tx: Stop when wrong CLI args are
+ provided
+
+From: Andrei Gherzan <andrei.gherzan@canonical.com>
+
+[ Upstream commit db9b47ee9f5f375ab0c5daeb20321c75b4fa657d ]
+
+Leaving unrecognized arguments buried in the output, can easily hide a
+CLI/script typo. Avoid this by exiting when wrong arguments are provided to
+the udpgso_bench test programs.
+
+Fixes: 3a687bef148d ("selftests: udp gso benchmark")
+Signed-off-by: Andrei Gherzan <andrei.gherzan@canonical.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20230201001612.515730-2-andrei.gherzan@canonical.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/udpgso_bench_rx.c | 2 ++
+ tools/testing/selftests/net/udpgso_bench_tx.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/tools/testing/selftests/net/udpgso_bench_rx.c b/tools/testing/selftests/net/udpgso_bench_rx.c
+index d0895bd1933f..4058c7451e70 100644
+--- a/tools/testing/selftests/net/udpgso_bench_rx.c
++++ b/tools/testing/selftests/net/udpgso_bench_rx.c
+@@ -336,6 +336,8 @@ static void parse_opts(int argc, char **argv)
+ cfg_verify = true;
+ cfg_read_all = true;
+ break;
++ default:
++ exit(1);
+ }
+ }
+
+diff --git a/tools/testing/selftests/net/udpgso_bench_tx.c b/tools/testing/selftests/net/udpgso_bench_tx.c
+index f1fdaa270291..b47b5c32039f 100644
+--- a/tools/testing/selftests/net/udpgso_bench_tx.c
++++ b/tools/testing/selftests/net/udpgso_bench_tx.c
+@@ -490,6 +490,8 @@ static void parse_opts(int argc, char **argv)
+ case 'z':
+ cfg_zerocopy = true;
+ break;
++ default:
++ exit(1);
+ }
+ }
+
+--
+2.39.0
+
--- /dev/null
+From f13b7529d9e19d49ef2482f6f8c6579b32270ca0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Feb 2023 00:16:16 +0000
+Subject: selftests: net: udpgso_bench_tx: Cater for pending datagrams zerocopy
+ benchmarking
+
+From: Andrei Gherzan <andrei.gherzan@canonical.com>
+
+[ Upstream commit 329c9cd769c2e306957df031efff656c40922c76 ]
+
+The test tool can check that the zerocopy number of completions value is
+valid taking into consideration the number of datagram send calls. This can
+catch the system into a state where the datagrams are still in the system
+(for example in a qdisk, waiting for the network interface to return a
+completion notification, etc).
+
+This change adds a retry logic of computing the number of completions up to
+a configurable (via CLI) timeout (default: 2 seconds).
+
+Fixes: 79ebc3c26010 ("net/udpgso_bench_tx: options to exercise TX CMSG")
+Signed-off-by: Andrei Gherzan <andrei.gherzan@canonical.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20230201001612.515730-4-andrei.gherzan@canonical.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/udpgso_bench_tx.c | 34 +++++++++++++++----
+ 1 file changed, 27 insertions(+), 7 deletions(-)
+
+diff --git a/tools/testing/selftests/net/udpgso_bench_tx.c b/tools/testing/selftests/net/udpgso_bench_tx.c
+index b47b5c32039f..477392715a9a 100644
+--- a/tools/testing/selftests/net/udpgso_bench_tx.c
++++ b/tools/testing/selftests/net/udpgso_bench_tx.c
+@@ -62,6 +62,7 @@ static int cfg_payload_len = (1472 * 42);
+ static int cfg_port = 8000;
+ static int cfg_runtime_ms = -1;
+ static bool cfg_poll;
++static int cfg_poll_loop_timeout_ms = 2000;
+ static bool cfg_segment;
+ static bool cfg_sendmmsg;
+ static bool cfg_tcp;
+@@ -235,16 +236,17 @@ static void flush_errqueue_recv(int fd)
+ }
+ }
+
+-static void flush_errqueue(int fd, const bool do_poll)
++static void flush_errqueue(int fd, const bool do_poll,
++ unsigned long poll_timeout, const bool poll_err)
+ {
+ if (do_poll) {
+ struct pollfd fds = {0};
+ int ret;
+
+ fds.fd = fd;
+- ret = poll(&fds, 1, 500);
++ ret = poll(&fds, 1, poll_timeout);
+ if (ret == 0) {
+- if (cfg_verbose)
++ if ((cfg_verbose) && (poll_err))
+ fprintf(stderr, "poll timeout\n");
+ } else if (ret < 0) {
+ error(1, errno, "poll");
+@@ -254,6 +256,20 @@ static void flush_errqueue(int fd, const bool do_poll)
+ flush_errqueue_recv(fd);
+ }
+
++static void flush_errqueue_retry(int fd, unsigned long num_sends)
++{
++ unsigned long tnow, tstop;
++ bool first_try = true;
++
++ tnow = gettimeofday_ms();
++ tstop = tnow + cfg_poll_loop_timeout_ms;
++ do {
++ flush_errqueue(fd, true, tstop - tnow, first_try);
++ first_try = false;
++ tnow = gettimeofday_ms();
++ } while ((stat_zcopies != num_sends) && (tnow < tstop));
++}
++
+ static int send_tcp(int fd, char *data)
+ {
+ int ret, done = 0, count = 0;
+@@ -413,7 +429,8 @@ static int send_udp_segment(int fd, char *data)
+
+ static void usage(const char *filepath)
+ {
+- error(1, 0, "Usage: %s [-46acmHPtTuvz] [-C cpu] [-D dst ip] [-l secs] [-M messagenr] [-p port] [-s sendsize] [-S gsosize]",
++ error(1, 0, "Usage: %s [-46acmHPtTuvz] [-C cpu] [-D dst ip] [-l secs] "
++ "[-L secs] [-M messagenr] [-p port] [-s sendsize] [-S gsosize]",
+ filepath);
+ }
+
+@@ -423,7 +440,7 @@ static void parse_opts(int argc, char **argv)
+ int max_len, hdrlen;
+ int c;
+
+- while ((c = getopt(argc, argv, "46acC:D:Hl:mM:p:s:PS:tTuvz")) != -1) {
++ while ((c = getopt(argc, argv, "46acC:D:Hl:L:mM:p:s:PS:tTuvz")) != -1) {
+ switch (c) {
+ case '4':
+ if (cfg_family != PF_UNSPEC)
+@@ -452,6 +469,9 @@ static void parse_opts(int argc, char **argv)
+ case 'l':
+ cfg_runtime_ms = strtoul(optarg, NULL, 10) * 1000;
+ break;
++ case 'L':
++ cfg_poll_loop_timeout_ms = strtoul(optarg, NULL, 10) * 1000;
++ break;
+ case 'm':
+ cfg_sendmmsg = true;
+ break;
+@@ -679,7 +699,7 @@ int main(int argc, char **argv)
+ num_sends += send_udp(fd, buf[i]);
+ num_msgs++;
+ if ((cfg_zerocopy && ((num_msgs & 0xF) == 0)) || cfg_tx_tstamp)
+- flush_errqueue(fd, cfg_poll);
++ flush_errqueue(fd, cfg_poll, 500, true);
+
+ if (cfg_msg_nr && num_msgs >= cfg_msg_nr)
+ break;
+@@ -698,7 +718,7 @@ int main(int argc, char **argv)
+ } while (!interrupted && (cfg_runtime_ms == -1 || tnow < tstop));
+
+ if (cfg_zerocopy || cfg_tx_tstamp)
+- flush_errqueue(fd, true);
++ flush_errqueue_retry(fd, num_sends);
+
+ if (close(fd))
+ error(1, errno, "close");
+--
+2.39.0
+
firewire-fix-memory-leak-for-payload-of-request-subaction-to-iec-61883-1-fcp-region.patch
+bus-sunxi-rsb-fix-error-handling-in-sunxi_rsb_init.patch
+bpf-fix-a-possible-task-gone-issue-with-bpf_send_sig.patch
+alsa-hda-via-avoid-potential-array-out-of-bound-in-a.patch
+powerpc-bpf-change-register-numbering-for-bpf_set-is.patch
+powerpc-bpf-move-common-helpers-into-bpf_jit.h.patch
+bpf-support-8-byte-scalar-spill-and-refill.patch
+bpf-fix-to-preserve-reg-parent-live-fields-when-copy.patch
+bpf-sockmap-check-for-any-of-tcp_bpf_prots-when-clon.patch
+arm64-dts-imx8mm-fix-pad-control-for-uart1_dte_rx.patch
+drm-vc4-hdmi-make-cec-adapter-name-unique.patch
+scsi-revert-scsi-core-map-pq-1-pdt-other-values-to-s.patch
+vhost-net-clear-the-pending-messages-when-the-backen.patch
+write-is-data-source-not-destination.patch
+read-is-data-destination-not-source.patch
+fix-iov_iter_bvec-direction-argument.patch
+fix-direction-argument-of-iov_iter_kvec.patch
+virtio-net-execute-xdp_do_flush-before-napi_complete.patch
+sfc-correctly-advertise-tunneled-ipv6-segmentation.patch
+net-phy-dp83822-fix-null-pointer-access-on-dp83825-d.patch
+netrom-fix-use-after-free-caused-by-accept-on-alread.patch
+netfilter-br_netfilter-disable-sabotage_in-hook-afte.patch
+squashfs-harden-sanity-check-in-squashfs_read_xattr_.patch
+net-phy-meson-gxl-add-generic-dummy-stubs-for-mmd-re.patch
+igc-return-an-error-if-the-mac-type-is-unknown-in-ig.patch
+can-j1939-fix-errant-warn_on_once-in-j1939_session_d.patch
+ata-libata-fix-sata_down_spd_limit-when-no-link-spee.patch
+selftests-net-udpgso_bench_rx-fix-used-uninitialized.patch
+selftests-net-udpgso_bench_rx-tx-stop-when-wrong-cli.patch
+selftests-net-udpgso_bench-fix-racing-bug-between-th.patch
+selftests-net-udpgso_bench_tx-cater-for-pending-data.patch
+virtio-net-keep-stop-to-follow-mirror-sequence-of-op.patch
+net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch
+efi-fix-potential-null-deref-in-efi_mem_reserve_pers.patch
+qede-add-netpoll-support-for-qede-driver.patch
+qede-execute-xdp_do_flush-before-napi_complete_done.patch
+i2c-mxs-suppress-probe-deferral-error-message.patch
+scsi-target-core-fix-warning-on-rt-kernels.patch
+scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch
+i2c-rk3x-fix-a-bunch-of-kernel-doc-warnings.patch
+platform-x86-dell-wmi-add-a-keymap-for-key_mute-in-t.patch
+net-x25-fix-to-not-accept-on-connected-socket.patch
--- /dev/null
+From 1a634bd223a08ecd24c68a40e6af2130dbb91fb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jan 2023 15:35:13 +0100
+Subject: sfc: correctly advertise tunneled IPv6 segmentation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Íñigo Huguet <ihuguet@redhat.com>
+
+[ Upstream commit ffffd2454a7a1bc9f7242b12c4cc0b05c12692b4 ]
+
+Recent sfc NICs are TSO capable for some tunnel protocols. However, it
+was not working properly because the feature was not advertised in
+hw_enc_features, but in hw_features only.
+
+Setting up a GENEVE tunnel and using iperf3 to send IPv4 and IPv6 traffic
+to the tunnel show, with tcpdump, that the IPv4 packets still had ~64k
+size but the IPv6 ones had only ~1500 bytes (they had been segmented by
+software, not offloaded). With this patch segmentation is offloaded as
+expected and the traffic is correctly received at the other end.
+
+Fixes: 24b2c3751aa3 ("sfc: advertise encapsulated offloads on EF10")
+Reported-by: Tianhao Zhao <tizhao@redhat.com>
+Signed-off-by: Íñigo Huguet <ihuguet@redhat.com>
+Acked-by: Martin Habets <habetsm.xilinx@gmail.com>
+Link: https://lore.kernel.org/r/20230125143513.25841-1-ihuguet@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/efx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sfc/efx.c b/drivers/net/ethernet/sfc/efx.c
+index 718308076341..29c8d2c99004 100644
+--- a/drivers/net/ethernet/sfc/efx.c
++++ b/drivers/net/ethernet/sfc/efx.c
+@@ -1047,8 +1047,11 @@ static int efx_pci_probe_post_io(struct efx_nic *efx)
+ /* Determine netdevice features */
+ net_dev->features |= (efx->type->offload_features | NETIF_F_SG |
+ NETIF_F_TSO | NETIF_F_RXCSUM | NETIF_F_RXALL);
+- if (efx->type->offload_features & (NETIF_F_IPV6_CSUM | NETIF_F_HW_CSUM))
++ if (efx->type->offload_features & (NETIF_F_IPV6_CSUM | NETIF_F_HW_CSUM)) {
+ net_dev->features |= NETIF_F_TSO6;
++ if (efx_has_cap(efx, TX_TSO_V2_ENCAP))
++ net_dev->hw_enc_features |= NETIF_F_TSO6;
++ }
+ /* Check whether device supports TSO */
+ if (!efx->type->tso_versions || !efx->type->tso_versions(efx))
+ net_dev->features &= ~NETIF_F_ALL_TSO;
+--
+2.39.0
+
--- /dev/null
+From 71b8f2fedad4c51d660871af995574c3f563fac6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jan 2023 13:52:26 +0300
+Subject: squashfs: harden sanity check in squashfs_read_xattr_id_table
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+[ Upstream commit 72e544b1b28325fe78a4687b980871a7e4101f76 ]
+
+While mounting a corrupted filesystem, a signed integer '*xattr_ids' can
+become less than zero. This leads to the incorrect computation of 'len'
+and 'indexes' values which can cause null-ptr-deref in copy_bio_to_actor()
+or out-of-bounds accesses in the next sanity checks inside
+squashfs_read_xattr_id_table().
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Link: https://lkml.kernel.org/r/20230117105226.329303-2-pchelkin@ispras.ru
+Fixes: 506220d2ba21 ("squashfs: add more sanity checks in xattr id lookup")
+Reported-by: <syzbot+082fa4af80a5bb1a9843@syzkaller.appspotmail.com>
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Cc: Phillip Lougher <phillip@squashfs.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/squashfs/xattr_id.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/squashfs/xattr_id.c b/fs/squashfs/xattr_id.c
+index 087cab8c78f4..f6d78cbc3e74 100644
+--- a/fs/squashfs/xattr_id.c
++++ b/fs/squashfs/xattr_id.c
+@@ -76,7 +76,7 @@ __le64 *squashfs_read_xattr_id_table(struct super_block *sb, u64 table_start,
+ /* Sanity check values */
+
+ /* there is always at least one xattr id */
+- if (*xattr_ids == 0)
++ if (*xattr_ids <= 0)
+ return ERR_PTR(-EINVAL);
+
+ len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids);
+--
+2.39.0
+
--- /dev/null
+From 199b66fe1964f31af8fd016251c7ca6de4a11570 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jan 2023 10:15:18 -0500
+Subject: vhost/net: Clear the pending messages when the backend is removed
+
+From: Eric Auger <eric.auger@redhat.com>
+
+[ Upstream commit 9526f9a2b762af16be94a72aca5d65c677d28f50 ]
+
+When the vhost iotlb is used along with a guest virtual iommu
+and the guest gets rebooted, some MISS messages may have been
+recorded just before the reboot and spuriously executed by
+the virtual iommu after the reboot.
+
+As vhost does not have any explicit reset user API,
+VHOST_NET_SET_BACKEND looks a reasonable point where to clear
+the pending messages, in case the backend is removed.
+
+Export vhost_clear_msg() and call it in vhost_net_set_backend()
+when fd == -1.
+
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Suggested-by: Jason Wang <jasowang@redhat.com>
+Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API")
+Message-Id: <20230117151518.44725-3-eric.auger@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/net.c | 3 +++
+ drivers/vhost/vhost.c | 3 ++-
+ drivers/vhost/vhost.h | 1 +
+ 3 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
+index 5beb20768b20..b9c8e4025214 100644
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -1517,6 +1517,9 @@ static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd)
+ nvq = &n->vqs[index];
+ mutex_lock(&vq->mutex);
+
++ if (fd == -1)
++ vhost_clear_msg(&n->dev);
++
+ /* Verify that ring has been setup correctly. */
+ if (!vhost_vq_access_ok(vq)) {
+ r = -EFAULT;
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index da00a5c57db6..1f9a1554ce5f 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -669,7 +669,7 @@ void vhost_dev_stop(struct vhost_dev *dev)
+ }
+ EXPORT_SYMBOL_GPL(vhost_dev_stop);
+
+-static void vhost_clear_msg(struct vhost_dev *dev)
++void vhost_clear_msg(struct vhost_dev *dev)
+ {
+ struct vhost_msg_node *node, *n;
+
+@@ -687,6 +687,7 @@ static void vhost_clear_msg(struct vhost_dev *dev)
+
+ spin_unlock(&dev->iotlb_lock);
+ }
++EXPORT_SYMBOL_GPL(vhost_clear_msg);
+
+ void vhost_dev_cleanup(struct vhost_dev *dev)
+ {
+diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
+index b063324c7669..8f80d6b0d843 100644
+--- a/drivers/vhost/vhost.h
++++ b/drivers/vhost/vhost.h
+@@ -183,6 +183,7 @@ long vhost_dev_ioctl(struct vhost_dev *, unsigned int ioctl, void __user *argp);
+ long vhost_vring_ioctl(struct vhost_dev *d, unsigned int ioctl, void __user *argp);
+ bool vhost_vq_access_ok(struct vhost_virtqueue *vq);
+ bool vhost_log_access_ok(struct vhost_dev *);
++void vhost_clear_msg(struct vhost_dev *dev);
+
+ int vhost_get_vq_desc(struct vhost_virtqueue *,
+ struct iovec iov[], unsigned int iov_count,
+--
+2.39.0
+
--- /dev/null
+From 840d3ce1fdaa05874c6ea40d8362eafec4a3884d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jan 2023 08:48:59 +0100
+Subject: virtio-net: execute xdp_do_flush() before napi_complete_done()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+[ Upstream commit ad7e615f646c9b5b2cf655cdfb9d91a28db4f25a ]
+
+Make sure that xdp_do_flush() is always executed before
+napi_complete_done(). This is important for two reasons. First, a
+redirect to an XSKMAP assumes that a call to xdp_do_redirect() from
+napi context X on CPU Y will be followed by a xdp_do_flush() from the
+same napi context and CPU. This is not guaranteed if the
+napi_complete_done() is executed before xdp_do_flush(), as it tells
+the napi logic that it is fine to schedule napi context X on another
+CPU. Details from a production system triggering this bug using the
+veth driver can be found following the first link below.
+
+The second reason is that the XDP_REDIRECT logic in itself relies on
+being inside a single NAPI instance through to the xdp_do_flush() call
+for RCU protection of all in-kernel data structures. Details can be
+found in the second link below.
+
+Fixes: 186b3c998c50 ("virtio-net: support XDP_REDIRECT")
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com
+Link: https://lore.kernel.org/all/20210624160609.292325-1-toke@redhat.com/
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index c942cd6a2c65..0605c28c684b 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1525,13 +1525,13 @@ static int virtnet_poll(struct napi_struct *napi, int budget)
+
+ received = virtnet_receive(rq, budget, &xdp_xmit);
+
++ if (xdp_xmit & VIRTIO_XDP_REDIR)
++ xdp_do_flush();
++
+ /* Out of packets? */
+ if (received < budget)
+ virtqueue_napi_complete(napi, rq->vq, received);
+
+- if (xdp_xmit & VIRTIO_XDP_REDIR)
+- xdp_do_flush();
+-
+ if (xdp_xmit & VIRTIO_XDP_TX) {
+ sq = virtnet_xdp_get_sq(vi);
+ if (virtqueue_kick_prepare(sq->vq) && virtqueue_notify(sq->vq)) {
+--
+2.39.0
+
--- /dev/null
+From 30db76b82617e23936675d86477186eb348efead Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Feb 2023 18:35:16 +0200
+Subject: virtio-net: Keep stop() to follow mirror sequence of open()
+
+From: Parav Pandit <parav@nvidia.com>
+
+[ Upstream commit 63b114042d8a9c02d9939889177c36dbdb17a588 ]
+
+Cited commit in fixes tag frees rxq xdp info while RQ NAPI is
+still enabled and packet processing may be ongoing.
+
+Follow the mirror sequence of open() in the stop() callback.
+This ensures that when rxq info is unregistered, no rx
+packet processing is ongoing.
+
+Fixes: 754b8a21a96d ("virtio_net: setup xdp_rxq_info")
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Link: https://lore.kernel.org/r/20230202163516.12559-1-parav@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 0605c28c684b..d53321116136 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1928,8 +1928,8 @@ static int virtnet_close(struct net_device *dev)
+ cancel_delayed_work_sync(&vi->refill);
+
+ for (i = 0; i < vi->max_queue_pairs; i++) {
+- xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq);
+ napi_disable(&vi->rq[i].napi);
++ xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq);
+ virtnet_napi_tx_disable(&vi->sq[i].napi);
+ }
+
+--
+2.39.0
+
--- /dev/null
+From 683b6b5694f44715f3472909f1882042b43d3b88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Sep 2022 18:59:12 -0400
+Subject: WRITE is "data source", not destination...
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 974c36fb828aeae7b4f9063f94860ae6c5633efd ]
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fsi/fsi-sbefifo.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/fsi/fsi-sbefifo.c b/drivers/fsi/fsi-sbefifo.c
+index 84cb965bfed5..97045a8d9422 100644
+--- a/drivers/fsi/fsi-sbefifo.c
++++ b/drivers/fsi/fsi-sbefifo.c
+@@ -640,7 +640,7 @@ static void sbefifo_collect_async_ffdc(struct sbefifo *sbefifo)
+ }
+ ffdc_iov.iov_base = ffdc;
+ ffdc_iov.iov_len = SBEFIFO_MAX_FFDC_SIZE;
+- iov_iter_kvec(&ffdc_iter, WRITE, &ffdc_iov, 1, SBEFIFO_MAX_FFDC_SIZE);
++ iov_iter_kvec(&ffdc_iter, READ, &ffdc_iov, 1, SBEFIFO_MAX_FFDC_SIZE);
+ cmd[0] = cpu_to_be32(2);
+ cmd[1] = cpu_to_be32(SBEFIFO_CMD_GET_SBE_FFDC);
+ rc = sbefifo_do_command(sbefifo, cmd, 2, &ffdc_iter);
+@@ -737,7 +737,7 @@ int sbefifo_submit(struct device *dev, const __be32 *command, size_t cmd_len,
+ rbytes = (*resp_len) * sizeof(__be32);
+ resp_iov.iov_base = response;
+ resp_iov.iov_len = rbytes;
+- iov_iter_kvec(&resp_iter, WRITE, &resp_iov, 1, rbytes);
++ iov_iter_kvec(&resp_iter, READ, &resp_iov, 1, rbytes);
+
+ /* Perform the command */
+ mutex_lock(&sbefifo->lock);
+@@ -817,7 +817,7 @@ static ssize_t sbefifo_user_read(struct file *file, char __user *buf,
+ /* Prepare iov iterator */
+ resp_iov.iov_base = buf;
+ resp_iov.iov_len = len;
+- iov_iter_init(&resp_iter, WRITE, &resp_iov, 1, len);
++ iov_iter_init(&resp_iter, READ, &resp_iov, 1, len);
+
+ /* Perform the command */
+ mutex_lock(&sbefifo->lock);
+--
+2.39.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
