--- /dev/null
+From aeb7cdf94718261fc03b5136bac386b27c458597 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Nov 2023 16:26:59 +0000
+Subject: afs: Fix afs_server_list to be cleaned up with RCU
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit e6bace7313d61e31f2b16fa3d774fd8cb3cb869e ]
+
+afs_server_list is accessed with the rcu_read_lock() held from
+volume->servers, so it needs to be cleaned up correctly.
+
+Fix this by using kfree_rcu() instead of kfree().
+
+Fixes: 8a070a964877 ("afs: Detect cell aliases 1 - Cells with root volumes")
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/internal.h | 1 +
+ fs/afs/server_list.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/afs/internal.h b/fs/afs/internal.h
+index 567e61b553f56..183200c6ce20e 100644
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -556,6 +556,7 @@ struct afs_server_entry {
+ };
+
+ struct afs_server_list {
++ struct rcu_head rcu;
+ afs_volid_t vids[AFS_MAXTYPES]; /* Volume IDs */
+ refcount_t usage;
+ unsigned char nr_servers;
+diff --git a/fs/afs/server_list.c b/fs/afs/server_list.c
+index ed9056703505f..b59896b1de0af 100644
+--- a/fs/afs/server_list.c
++++ b/fs/afs/server_list.c
+@@ -17,7 +17,7 @@ void afs_put_serverlist(struct afs_net *net, struct afs_server_list *slist)
+ for (i = 0; i < slist->nr_servers; i++)
+ afs_unuse_server(net, slist->servers[i].server,
+ afs_server_trace_put_slist);
+- kfree(slist);
++ kfree_rcu(slist, rcu);
+ }
+ }
+
+--
+2.42.0
+
--- /dev/null
+From 829d24b1728a8a5a3f37a6bf07e7f2a0706f5b03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Nov 2023 22:03:28 +0000
+Subject: afs: Fix file locking on R/O volumes to operate in local mode
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit b590eb41be766c5a63acc7e8896a042f7a4e8293 ]
+
+AFS doesn't really do locking on R/O volumes as fileservers don't maintain
+state with each other and thus a lock on a R/O volume file on one
+fileserver will not be be visible to someone looking at the same file on
+another fileserver.
+
+Further, the server may return an error if you try it.
+
+Fix this by doing what other AFS clients do and handle filelocking on R/O
+volume files entirely within the client and don't touch the server.
+
+Fixes: 6c6c1d63c243 ("afs: Provide mount-time configurable byte-range file locking emulation")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/afs/super.c b/fs/afs/super.c
+index 34c68724c98be..910e73bb5a089 100644
+--- a/fs/afs/super.c
++++ b/fs/afs/super.c
+@@ -406,6 +406,8 @@ static int afs_validate_fc(struct fs_context *fc)
+ return PTR_ERR(volume);
+
+ ctx->volume = volume;
++ if (volume->type != AFSVL_RWVOL)
++ ctx->flock_mode = afs_flock_mode_local;
+ }
+
+ return 0;
+--
+2.42.0
+
--- /dev/null
+From 878177e5e16ecad44032b7cb761fc18be1479f68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jun 2023 09:43:54 +0100
+Subject: afs: Make error on cell lookup failure consistent with OpenAFS
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 2a4ca1b4b77850544408595e2433f5d7811a9daa ]
+
+When kafs tries to look up a cell in the DNS or the local config, it will
+translate a lookup failure into EDESTADDRREQ whereas OpenAFS translates it
+into ENOENT. Applications such as West expect the latter behaviour and
+fail if they see the former.
+
+This can be seen by trying to mount an unknown cell:
+
+ # mount -t afs %example.com:cell.root /mnt
+ mount: /mnt: mount(2) system call failed: Destination address required.
+
+Fixes: 4d673da14533 ("afs: Support the AFS dynamic root")
+Reported-by: Markus Suvanto <markus.suvanto@gmail.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216637
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dynroot.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
+index db832cc931c87..b35c6081dbfe1 100644
+--- a/fs/afs/dynroot.c
++++ b/fs/afs/dynroot.c
+@@ -131,8 +131,8 @@ static int afs_probe_cell_name(struct dentry *dentry)
+
+ ret = dns_query(net->net, "afsdb", name, len, "srv=1",
+ NULL, NULL, false);
+- if (ret == -ENODATA)
+- ret = -EDESTADDRREQ;
++ if (ret == -ENODATA || ret == -ENOKEY)
++ ret = -ENOENT;
+ return ret;
+ }
+
+--
+2.42.0
+
--- /dev/null
+From dea44c5d4f1b717a9cb92ab872050aaae4d7cea5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Oct 2023 01:25:07 +0100
+Subject: afs: Return ENOENT if no cell DNS record can be found
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 0167236e7d66c5e1e85d902a6abc2529b7544539 ]
+
+Make AFS return error ENOENT if no cell SRV or AFSDB DNS record (or
+cellservdb config file record) can be found rather than returning
+EDESTADDRREQ.
+
+Also add cell name lookup info to the cursor dump.
+
+Fixes: d5c32c89b208 ("afs: Fix cell DNS lookup")
+Reported-by: Markus Suvanto <markus.suvanto@gmail.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216637
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/vl_rotate.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/afs/vl_rotate.c b/fs/afs/vl_rotate.c
+index 488e58490b16e..eb415ce563600 100644
+--- a/fs/afs/vl_rotate.c
++++ b/fs/afs/vl_rotate.c
+@@ -58,6 +58,12 @@ static bool afs_start_vl_iteration(struct afs_vl_cursor *vc)
+ }
+
+ /* Status load is ordered after lookup counter load */
++ if (cell->dns_status == DNS_LOOKUP_GOT_NOT_FOUND) {
++ pr_warn("No record of cell %s\n", cell->name);
++ vc->error = -ENOENT;
++ return false;
++ }
++
+ if (cell->dns_source == DNS_RECORD_UNAVAILABLE) {
+ vc->error = -EDESTADDRREQ;
+ return false;
+@@ -285,6 +291,7 @@ bool afs_select_vlserver(struct afs_vl_cursor *vc)
+ */
+ static void afs_vl_dump_edestaddrreq(const struct afs_vl_cursor *vc)
+ {
++ struct afs_cell *cell = vc->cell;
+ static int count;
+ int i;
+
+@@ -294,6 +301,9 @@ static void afs_vl_dump_edestaddrreq(const struct afs_vl_cursor *vc)
+
+ rcu_read_lock();
+ pr_notice("EDESTADDR occurred\n");
++ pr_notice("CELL: %s err=%d\n", cell->name, cell->error);
++ pr_notice("DNS: src=%u st=%u lc=%x\n",
++ cell->dns_source, cell->dns_status, cell->dns_lookup_count);
+ pr_notice("VC: ut=%lx ix=%u ni=%hu fl=%hx err=%hd\n",
+ vc->untried, vc->index, vc->nr_iterations, vc->flags, vc->error);
+
+--
+2.42.0
+
--- /dev/null
+From 912d227a6e3e420d11729de003a94dd5522ca5f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Nov 2023 00:44:33 +0530
+Subject: amd-xgbe: handle corner-case during sfp hotplug
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit 676ec53844cbdf2f47e68a076cdff7f0ec6cbe3f ]
+
+Force the mode change for SFI in Fixed PHY configurations. Fixed PHY
+configurations needs PLL to be enabled while doing mode set. When the
+SFP module isn't connected during boot, driver assumes AN is ON and
+attempts auto-negotiation. However, if the connected SFP comes up in
+Fixed PHY configuration the link will not come up as PLL isn't enabled
+while the initial mode set command is issued. So, force the mode change
+for SFI in Fixed PHY configuration to fix link issues.
+
+Fixes: e57f7a3feaef ("amd-xgbe: Prepare for working with more than one type of phy")
+Acked-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+index ca7372369b3e6..60be836b294bb 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+@@ -1178,7 +1178,19 @@ static int xgbe_phy_config_fixed(struct xgbe_prv_data *pdata)
+ if (pdata->phy.duplex != DUPLEX_FULL)
+ return -EINVAL;
+
+- xgbe_set_mode(pdata, mode);
++ /* Force the mode change for SFI in Fixed PHY config.
++ * Fixed PHY configs needs PLL to be enabled while doing mode set.
++ * When the SFP module isn't connected during boot, driver assumes
++ * AN is ON and attempts autonegotiation. However, if the connected
++ * SFP comes up in Fixed PHY config, the link will not come up as
++ * PLL isn't enabled while the initial mode set command is issued.
++ * So, force the mode change for SFI in Fixed PHY configuration to
++ * fix link issues.
++ */
++ if (mode == XGBE_MODE_SFI)
++ xgbe_change_mode(pdata, mode);
++ else
++ xgbe_set_mode(pdata, mode);
+
+ return 0;
+ }
+--
+2.42.0
+
--- /dev/null
+From dfb297f882d2109a198326969972d8e875322b55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Nov 2023 00:44:34 +0530
+Subject: amd-xgbe: handle the corner-case during tx completion
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit 7121205d5330c6a3cb3379348886d47c77b78d06 ]
+
+The existing implementation uses software logic to accumulate tx
+completions until the specified time (1ms) is met and then poll them.
+However, there exists a tiny gap which leads to a race between
+resetting and checking the tx_activate flag. Due to this the tx
+completions are not reported to upper layer and tx queue timeout
+kicks-in restarting the device.
+
+To address this, introduce a tx cleanup mechanism as part of the
+periodic maintenance process.
+
+Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver")
+Acked-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+index 555db1871ec9f..8d823bc147001 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+@@ -682,10 +682,24 @@ static void xgbe_service(struct work_struct *work)
+ static void xgbe_service_timer(struct timer_list *t)
+ {
+ struct xgbe_prv_data *pdata = from_timer(pdata, t, service_timer);
++ struct xgbe_channel *channel;
++ unsigned int i;
+
+ queue_work(pdata->dev_workqueue, &pdata->service_work);
+
+ mod_timer(&pdata->service_timer, jiffies + HZ);
++
++ if (!pdata->tx_usecs)
++ return;
++
++ for (i = 0; i < pdata->channel_count; i++) {
++ channel = pdata->channel[i];
++ if (!channel->tx_ring || channel->tx_timer_active)
++ break;
++ channel->tx_timer_active = 1;
++ mod_timer(&channel->tx_timer,
++ jiffies + usecs_to_jiffies(pdata->tx_usecs));
++ }
+ }
+
+ static void xgbe_init_timers(struct xgbe_prv_data *pdata)
+--
+2.42.0
+
--- /dev/null
+From 6d0ff961f23167ec98a9e1a7e3305b960e7c0db4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Nov 2023 00:44:35 +0530
+Subject: amd-xgbe: propagate the correct speed and duplex status
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit 7a2323ac24a50311f64a3a9b54ed5bef5821ecae ]
+
+xgbe_get_link_ksettings() does not propagate correct speed and duplex
+information to ethtool during cable unplug. Due to which ethtool reports
+incorrect values for speed and duplex.
+
+Address this by propagating correct information.
+
+Fixes: 7c12aa08779c ("amd-xgbe: Move the PHY support into amd-xgbe")
+Acked-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c b/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c
+index bafc51c34e0be..5bb7b2210b811 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c
+@@ -314,10 +314,15 @@ static int xgbe_get_link_ksettings(struct net_device *netdev,
+
+ cmd->base.phy_address = pdata->phy.address;
+
+- cmd->base.autoneg = pdata->phy.autoneg;
+- cmd->base.speed = pdata->phy.speed;
+- cmd->base.duplex = pdata->phy.duplex;
++ if (netif_carrier_ok(netdev)) {
++ cmd->base.speed = pdata->phy.speed;
++ cmd->base.duplex = pdata->phy.duplex;
++ } else {
++ cmd->base.speed = SPEED_UNKNOWN;
++ cmd->base.duplex = DUPLEX_UNKNOWN;
++ }
+
++ cmd->base.autoneg = pdata->phy.autoneg;
+ cmd->base.port = PORT_NONE;
+
+ XGBE_LM_COPY(cmd, supported, lks, supported);
+--
+2.42.0
+
--- /dev/null
+From b38c58e955100ede2490e6aa43be8287a02c918e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Nov 2023 15:07:41 -0800
+Subject: arm/xen: fix xen_vcpu_info allocation alignment
+
+From: Stefano Stabellini <sstabellini@kernel.org>
+
+[ Upstream commit 7bf9a6b46549852a37e6d07e52c601c3c706b562 ]
+
+xen_vcpu_info is a percpu area than needs to be mapped by Xen.
+Currently, it could cross a page boundary resulting in Xen being unable
+to map it:
+
+[ 0.567318] kernel BUG at arch/arm64/xen/../../arm/xen/enlighten.c:164!
+[ 0.574002] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
+
+Fix the issue by using __alloc_percpu and requesting alignment for the
+memory allocation.
+
+Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
+
+Link: https://lore.kernel.org/r/alpine.DEB.2.22.394.2311221501340.2053963@ubuntu-linux-20-04-desktop
+Fixes: 24d5373dda7c ("arm/xen: Use alloc_percpu rather than __alloc_percpu")
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/xen/enlighten.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/xen/enlighten.c b/arch/arm/xen/enlighten.c
+index 27277d6bbfa5a..59de416c61a30 100644
+--- a/arch/arm/xen/enlighten.c
++++ b/arch/arm/xen/enlighten.c
+@@ -359,7 +359,8 @@ static int __init xen_guest_init(void)
+ * for secondary CPUs as they are brought up.
+ * For uniformity we use VCPUOP_register_vcpu_info even on cpu0.
+ */
+- xen_vcpu_info = alloc_percpu(struct vcpu_info);
++ xen_vcpu_info = __alloc_percpu(sizeof(struct vcpu_info),
++ 1 << fls(sizeof(struct vcpu_info) - 1));
+ if (xen_vcpu_info == NULL)
+ return -ENOMEM;
+
+--
+2.42.0
+
--- /dev/null
+From 28c53d3261cae9cb2884d90c8d243a79eded86ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Oct 2023 04:00:07 +0000
+Subject: ata: pata_isapnp: Add missing error check for devm_ioport_map()
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+[ Upstream commit a6925165ea82b7765269ddd8dcad57c731aa00de ]
+
+Add missing error return check for devm_ioport_map() and return the
+error if this function call fails.
+
+Fixes: 0d5ff566779f ("libata: convert to iomap")
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_isapnp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/ata/pata_isapnp.c b/drivers/ata/pata_isapnp.c
+index 43bb224430d3c..8892931ea8676 100644
+--- a/drivers/ata/pata_isapnp.c
++++ b/drivers/ata/pata_isapnp.c
+@@ -82,6 +82,9 @@ static int isapnp_init_one(struct pnp_dev *idev, const struct pnp_device_id *dev
+ if (pnp_port_valid(idev, 1)) {
+ ctl_addr = devm_ioport_map(&idev->dev,
+ pnp_port_start(idev, 1), 1);
++ if (!ctl_addr)
++ return -ENOMEM;
++
+ ap->ioaddr.altstatus_addr = ctl_addr;
+ ap->ioaddr.ctl_addr = ctl_addr;
+ ap->ops = &isapnp_port_ops;
+--
+2.42.0
+
--- /dev/null
+From 587092ff90f1823231536925ee605ce708ed58dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Nov 2023 12:42:05 +0800
+Subject: drm/panel: auo,b101uan08.3: Fine tune the panel power sequence
+
+From: Xuxin Xiong <xuxinxiong@huaqin.corp-partner.google.com>
+
+[ Upstream commit 6965809e526917b73c8f9178173184dcf13cec4b ]
+
+For "auo,b101uan08.3" this panel, it is stipulated in the panel spec that
+MIPI needs to keep the LP11 state before the lcm_reset pin is pulled high.
+
+Fixes: 56ad624b4cb5 ("drm/panel: support for auo, b101uan08.3 wuxga dsi video mode panel")
+Signed-off-by: Xuxin Xiong <xuxinxiong@huaqin.corp-partner.google.com>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231114044205.613421-1-xuxinxiong@huaqin.corp-partner.google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c b/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c
+index 3229e5eabbd21..9e518213a54ff 100644
+--- a/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c
++++ b/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c
+@@ -697,6 +697,7 @@ static const struct panel_desc auo_b101uan08_3_desc = {
+ .mode_flags = MIPI_DSI_MODE_VIDEO | MIPI_DSI_MODE_VIDEO_SYNC_PULSE |
+ MIPI_DSI_MODE_LPM,
+ .init_cmds = auo_b101uan08_3_init_cmd,
++ .lp11_before_reset = true,
+ };
+
+ static const struct drm_display_mode boe_tv105wum_nw0_default_mode = {
+--
+2.42.0
+
--- /dev/null
+From 8a74d9e475f0f773bf1a69b7e104c27f1c48a199 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 May 2023 17:49:55 +0800
+Subject: drm/panel: boe-tv101wum-nl6: Fine tune the panel power sequence
+
+From: Shuijing Li <shuijing.li@mediatek.com>
+
+[ Upstream commit 812562b8d881ce6d33fed8052b3a10b718430fb5 ]
+
+For "boe,tv105wum-nw0" this special panel, it is stipulated in
+the panel spec that MIPI needs to keep the LP11 state before
+the lcm_reset pin is pulled high.
+
+Signed-off-by: Shuijing Li <shuijing.li@mediatek.com>
+Signed-off-by: Xinlei Lee <xinlei.lee@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230515094955.15982-3-shuijing.li@mediatek.com
+Stable-dep-of: 6965809e5269 ("drm/panel: auo,b101uan08.3: Fine tune the panel power sequence")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c b/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c
+index db9d0b86d5428..3229e5eabbd21 100644
+--- a/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c
++++ b/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c
+@@ -36,6 +36,7 @@ struct panel_desc {
+ const struct panel_init_cmd *init_cmds;
+ unsigned int lanes;
+ bool discharge_on_disable;
++ bool lp11_before_reset;
+ };
+
+ struct boe_panel {
+@@ -551,6 +552,10 @@ static int boe_panel_prepare(struct drm_panel *panel)
+
+ usleep_range(5000, 10000);
+
++ if (boe->desc->lp11_before_reset) {
++ mipi_dsi_dcs_nop(boe->dsi);
++ usleep_range(1000, 2000);
++ }
+ gpiod_set_value(boe->enable_gpio, 1);
+ usleep_range(1000, 2000);
+ gpiod_set_value(boe->enable_gpio, 0);
+@@ -719,6 +724,7 @@ static const struct panel_desc boe_tv105wum_nw0_desc = {
+ .mode_flags = MIPI_DSI_MODE_VIDEO | MIPI_DSI_MODE_VIDEO_SYNC_PULSE |
+ MIPI_DSI_MODE_LPM,
+ .init_cmds = boe_init_cmd,
++ .lp11_before_reset = true,
+ };
+
+ static int boe_panel_get_modes(struct drm_panel *panel,
+--
+2.42.0
+
--- /dev/null
+From a61bd95862d279a91116377b8195a65eb6766180 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Oct 2023 00:33:15 +0200
+Subject: drm/panel: simple: Fix Innolux G101ICE-L01 bus flags
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 06fc41b09cfbc02977acd9189473593a37d82d9b ]
+
+Add missing .bus_flags = DRM_BUS_FLAG_DE_HIGH to this panel description,
+ones which match both the datasheet and the panel display_timing flags .
+
+Fixes: 1e29b840af9f ("drm/panel: simple: Add Innolux G101ICE-L01 panel")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231008223315.279215-1-marex@denx.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-simple.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index e58eb93e9bc9e..28d1e661f99b1 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -2555,6 +2555,7 @@ static const struct panel_desc innolux_g101ice_l01 = {
+ .disable = 200,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB888_1X7X4_SPWG,
++ .bus_flags = DRM_BUS_FLAG_DE_HIGH,
+ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+ };
+
+--
+2.42.0
+
--- /dev/null
+From f419012be36b9c99791382d5e62c3edf7713393c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Oct 2023 00:32:56 +0200
+Subject: drm/panel: simple: Fix Innolux G101ICE-L01 timings
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 3f9a91b6c00e655d27bd785dcda1742dbdc31bda ]
+
+The Innolux G101ICE-L01 datasheet [1] page 17 table
+6.1 INPUT SIGNAL TIMING SPECIFICATIONS
+indicates that maximum vertical blanking time is 40 lines.
+Currently the driver uses 29 lines.
+
+Fix it, and since this panel is a DE panel, adjust the timings
+to make them less hostile to controllers which cannot do 1 px
+HSA/VSA, distribute the delays evenly between all three parts.
+
+[1] https://www.data-modul.com/sites/default/files/products/G101ICE-L01-C2-specification-12042389.pdf
+
+Fixes: 1e29b840af9f ("drm/panel: simple: Add Innolux G101ICE-L01 panel")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231008223256.279196-1-marex@denx.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-simple.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index 28d1e661f99b1..d9f1675c348e5 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -2532,13 +2532,13 @@ static const struct panel_desc innolux_g070y2_l01 = {
+ static const struct display_timing innolux_g101ice_l01_timing = {
+ .pixelclock = { 60400000, 71100000, 74700000 },
+ .hactive = { 1280, 1280, 1280 },
+- .hfront_porch = { 41, 80, 100 },
+- .hback_porch = { 40, 79, 99 },
+- .hsync_len = { 1, 1, 1 },
++ .hfront_porch = { 30, 60, 70 },
++ .hback_porch = { 30, 60, 70 },
++ .hsync_len = { 22, 40, 60 },
+ .vactive = { 800, 800, 800 },
+- .vfront_porch = { 5, 11, 14 },
+- .vback_porch = { 4, 11, 14 },
+- .vsync_len = { 1, 1, 1 },
++ .vfront_porch = { 3, 8, 14 },
++ .vback_porch = { 3, 8, 14 },
++ .vsync_len = { 4, 7, 12 },
+ .flags = DISPLAY_FLAGS_DE_HIGH,
+ };
+
+--
+2.42.0
+
--- /dev/null
+From 984f5cafc0578e2b38c0c702c81323bd17ac5853 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Oct 2023 19:14:58 +0000
+Subject: drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+[ Upstream commit bb0a05acd6121ff0e810b44fdc24dbdfaa46b642 ]
+
+Use of DRM_FORMAT_RGB888 and DRM_FORMAT_BGR888 on e.g. RK3288, RK3328
+and RK3399 result in wrong colors being displayed.
+
+The issue can be observed using modetest:
+
+ modetest -s <connector_id>@<crtc_id>:1920x1080-60@RG24
+ modetest -s <connector_id>@<crtc_id>:1920x1080-60@BG24
+
+Vendor 4.4 kernel apply an inverted rb swap for these formats on VOP
+full framework (IP version 3.x) compared to VOP little framework (2.x).
+
+Fix colors by applying different rb swap for VOP full framework (3.x)
+and VOP little framework (2.x) similar to vendor 4.4 kernel.
+
+Fixes: 85a359f25388 ("drm/rockchip: Add BGR formats to VOP")
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Tested-by: Diederik de Haas <didi.debian@cknow.org>
+Reviewed-by: Christopher Obbard <chris.obbard@collabora.com>
+Tested-by: Christopher Obbard <chris.obbard@collabora.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231026191500.2994225-1-jonas@kwiboo.se
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+index e53b1ecbd7bc0..c7106f1165466 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+@@ -249,14 +249,22 @@ static inline void vop_cfg_done(struct vop *vop)
+ VOP_REG_SET(vop, common, cfg_done, 1);
+ }
+
+-static bool has_rb_swapped(uint32_t format)
++static bool has_rb_swapped(uint32_t version, uint32_t format)
+ {
+ switch (format) {
+ case DRM_FORMAT_XBGR8888:
+ case DRM_FORMAT_ABGR8888:
+- case DRM_FORMAT_BGR888:
+ case DRM_FORMAT_BGR565:
+ return true;
++ /*
++ * full framework (IP version 3.x) only need rb swapped for RGB888 and
++ * little framework (IP version 2.x) only need rb swapped for BGR888,
++ * check for 3.x to also only rb swap BGR888 for unknown vop version
++ */
++ case DRM_FORMAT_RGB888:
++ return VOP_MAJOR(version) == 3;
++ case DRM_FORMAT_BGR888:
++ return VOP_MAJOR(version) != 3;
+ default:
+ return false;
+ }
+@@ -998,7 +1006,7 @@ static void vop_plane_atomic_update(struct drm_plane *plane,
+ VOP_WIN_SET(vop, win, dsp_info, dsp_info);
+ VOP_WIN_SET(vop, win, dsp_st, dsp_st);
+
+- rb_swap = has_rb_swapped(fb->format->format);
++ rb_swap = has_rb_swapped(vop->data->version, fb->format->format);
+ VOP_WIN_SET(vop, win, rb_swap, rb_swap);
+
+ /*
+--
+2.42.0
+
--- /dev/null
+From ce55382dc437f6866bb4bfd6e763649a54b88636 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 11:38:36 +0800
+Subject: ext4: add a new helper to check if es must be kept
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 9649eb18c6288f514cacffdd699d5cd999c2f8f6 ]
+
+In the extent status tree, we have extents which we can just drop without
+issues and extents we must not drop - this depends on the extent's status
+- currently ext4_es_is_delayed() extents must stay, others may be dropped.
+
+A helper function is added to help determine if the current extent can
+be dropped, although only ext4_es_is_delayed() extents cannot be dropped
+currently.
+
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230424033846.4732-3-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/extents_status.c | 34 +++++++++++++++++++++-------------
+ 1 file changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c
+index 7806adcc41a7a..cf6a21baddbc4 100644
+--- a/fs/ext4/extents_status.c
++++ b/fs/ext4/extents_status.c
+@@ -448,6 +448,19 @@ static void ext4_es_list_del(struct inode *inode)
+ spin_unlock(&sbi->s_es_lock);
+ }
+
++/*
++ * Returns true if we cannot fail to allocate memory for this extent_status
++ * entry and cannot reclaim it until its status changes.
++ */
++static inline bool ext4_es_must_keep(struct extent_status *es)
++{
++ /* fiemap, bigalloc, and seek_data/hole need to use it. */
++ if (ext4_es_is_delayed(es))
++ return true;
++
++ return false;
++}
++
+ static struct extent_status *
+ ext4_es_alloc_extent(struct inode *inode, ext4_lblk_t lblk, ext4_lblk_t len,
+ ext4_fsblk_t pblk)
+@@ -460,10 +473,8 @@ ext4_es_alloc_extent(struct inode *inode, ext4_lblk_t lblk, ext4_lblk_t len,
+ es->es_len = len;
+ es->es_pblk = pblk;
+
+- /*
+- * We don't count delayed extent because we never try to reclaim them
+- */
+- if (!ext4_es_is_delayed(es)) {
++ /* We never try to reclaim a must kept extent, so we don't count it. */
++ if (!ext4_es_must_keep(es)) {
+ if (!EXT4_I(inode)->i_es_shk_nr++)
+ ext4_es_list_add(inode);
+ percpu_counter_inc(&EXT4_SB(inode->i_sb)->
+@@ -481,8 +492,8 @@ static void ext4_es_free_extent(struct inode *inode, struct extent_status *es)
+ EXT4_I(inode)->i_es_all_nr--;
+ percpu_counter_dec(&EXT4_SB(inode->i_sb)->s_es_stats.es_stats_all_cnt);
+
+- /* Decrease the shrink counter when this es is not delayed */
+- if (!ext4_es_is_delayed(es)) {
++ /* Decrease the shrink counter when we can reclaim the extent. */
++ if (!ext4_es_must_keep(es)) {
+ BUG_ON(EXT4_I(inode)->i_es_shk_nr == 0);
+ if (!--EXT4_I(inode)->i_es_shk_nr)
+ ext4_es_list_del(inode);
+@@ -854,7 +865,7 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk,
+ if (err == -ENOMEM && __es_shrink(EXT4_SB(inode->i_sb),
+ 128, EXT4_I(inode)))
+ goto retry;
+- if (err == -ENOMEM && !ext4_es_is_delayed(&newes))
++ if (err == -ENOMEM && !ext4_es_must_keep(&newes))
+ err = 0;
+
+ if (sbi->s_cluster_ratio > 1 && test_opt(inode->i_sb, DELALLOC) &&
+@@ -1704,11 +1715,8 @@ static int es_do_reclaim_extents(struct ext4_inode_info *ei, ext4_lblk_t end,
+
+ (*nr_to_scan)--;
+ node = rb_next(&es->rb_node);
+- /*
+- * We can't reclaim delayed extent from status tree because
+- * fiemap, bigallic, and seek_data/hole need to use it.
+- */
+- if (ext4_es_is_delayed(es))
++
++ if (ext4_es_must_keep(es))
+ goto next;
+ if (ext4_es_is_referenced(es)) {
+ ext4_es_clear_referenced(es);
+@@ -1772,7 +1780,7 @@ void ext4_clear_inode_es(struct inode *inode)
+ while (node) {
+ es = rb_entry(node, struct extent_status, rb_node);
+ node = rb_next(node);
+- if (!ext4_es_is_delayed(es)) {
++ if (!ext4_es_must_keep(es)) {
+ rb_erase(&es->rb_node, &tree->root);
+ ext4_es_free_extent(inode, es);
+ }
+--
+2.42.0
+
--- /dev/null
+From f1d2a3280fd475afe458865e4e0f676469953529 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 11:38:37 +0800
+Subject: ext4: factor out __es_alloc_extent() and __es_free_extent()
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 73a2f033656be11298912201ad50615307b4477a ]
+
+Factor out __es_alloc_extent() and __es_free_extent(), which only allocate
+and free extent_status in these two helpers.
+
+The ext4_es_alloc_extent() function is split into __es_alloc_extent()
+and ext4_es_init_extent(). In __es_alloc_extent() we allocate memory using
+GFP_KERNEL | __GFP_NOFAIL | __GFP_ZERO if the memory allocation cannot
+fail, otherwise we use GFP_ATOMIC. and the ext4_es_init_extent() is used to
+initialize extent_status and update related variables after a successful
+allocation.
+
+This is to prepare for the use of pre-allocated extent_status later.
+
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230424033846.4732-4-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/extents_status.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c
+index cf6a21baddbc4..012033db41062 100644
+--- a/fs/ext4/extents_status.c
++++ b/fs/ext4/extents_status.c
+@@ -461,14 +461,17 @@ static inline bool ext4_es_must_keep(struct extent_status *es)
+ return false;
+ }
+
+-static struct extent_status *
+-ext4_es_alloc_extent(struct inode *inode, ext4_lblk_t lblk, ext4_lblk_t len,
+- ext4_fsblk_t pblk)
++static inline struct extent_status *__es_alloc_extent(bool nofail)
++{
++ if (!nofail)
++ return kmem_cache_alloc(ext4_es_cachep, GFP_ATOMIC);
++
++ return kmem_cache_zalloc(ext4_es_cachep, GFP_KERNEL | __GFP_NOFAIL);
++}
++
++static void ext4_es_init_extent(struct inode *inode, struct extent_status *es,
++ ext4_lblk_t lblk, ext4_lblk_t len, ext4_fsblk_t pblk)
+ {
+- struct extent_status *es;
+- es = kmem_cache_alloc(ext4_es_cachep, GFP_ATOMIC);
+- if (es == NULL)
+- return NULL;
+ es->es_lblk = lblk;
+ es->es_len = len;
+ es->es_pblk = pblk;
+@@ -483,8 +486,11 @@ ext4_es_alloc_extent(struct inode *inode, ext4_lblk_t lblk, ext4_lblk_t len,
+
+ EXT4_I(inode)->i_es_all_nr++;
+ percpu_counter_inc(&EXT4_SB(inode->i_sb)->s_es_stats.es_stats_all_cnt);
++}
+
+- return es;
++static inline void __es_free_extent(struct extent_status *es)
++{
++ kmem_cache_free(ext4_es_cachep, es);
+ }
+
+ static void ext4_es_free_extent(struct inode *inode, struct extent_status *es)
+@@ -501,7 +507,7 @@ static void ext4_es_free_extent(struct inode *inode, struct extent_status *es)
+ s_es_stats.es_stats_shk_cnt);
+ }
+
+- kmem_cache_free(ext4_es_cachep, es);
++ __es_free_extent(es);
+ }
+
+ /*
+@@ -803,10 +809,12 @@ static int __es_insert_extent(struct inode *inode, struct extent_status *newes)
+ }
+ }
+
+- es = ext4_es_alloc_extent(inode, newes->es_lblk, newes->es_len,
+- newes->es_pblk);
++ es = __es_alloc_extent(false);
+ if (!es)
+ return -ENOMEM;
++ ext4_es_init_extent(inode, es, newes->es_lblk, newes->es_len,
++ newes->es_pblk);
++
+ rb_link_node(&es->rb_node, parent, p);
+ rb_insert_color(&es->rb_node, &tree->root);
+
+--
+2.42.0
+
--- /dev/null
+From 1fcf051e479a11979397dfbf206ebacbf609cd68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Aug 2023 15:08:08 +0800
+Subject: ext4: fix slab-use-after-free in ext4_es_insert_extent()
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 768d612f79822d30a1e7d132a4d4b05337ce42ec ]
+
+Yikebaer reported an issue:
+==================================================================
+BUG: KASAN: slab-use-after-free in ext4_es_insert_extent+0xc68/0xcb0
+fs/ext4/extents_status.c:894
+Read of size 4 at addr ffff888112ecc1a4 by task syz-executor/8438
+
+CPU: 1 PID: 8438 Comm: syz-executor Not tainted 6.5.0-rc5 #1
+Call Trace:
+ [...]
+ kasan_report+0xba/0xf0 mm/kasan/report.c:588
+ ext4_es_insert_extent+0xc68/0xcb0 fs/ext4/extents_status.c:894
+ ext4_map_blocks+0x92a/0x16f0 fs/ext4/inode.c:680
+ ext4_alloc_file_blocks.isra.0+0x2df/0xb70 fs/ext4/extents.c:4462
+ ext4_zero_range fs/ext4/extents.c:4622 [inline]
+ ext4_fallocate+0x251c/0x3ce0 fs/ext4/extents.c:4721
+ [...]
+
+Allocated by task 8438:
+ [...]
+ kmem_cache_zalloc include/linux/slab.h:693 [inline]
+ __es_alloc_extent fs/ext4/extents_status.c:469 [inline]
+ ext4_es_insert_extent+0x672/0xcb0 fs/ext4/extents_status.c:873
+ ext4_map_blocks+0x92a/0x16f0 fs/ext4/inode.c:680
+ ext4_alloc_file_blocks.isra.0+0x2df/0xb70 fs/ext4/extents.c:4462
+ ext4_zero_range fs/ext4/extents.c:4622 [inline]
+ ext4_fallocate+0x251c/0x3ce0 fs/ext4/extents.c:4721
+ [...]
+
+Freed by task 8438:
+ [...]
+ kmem_cache_free+0xec/0x490 mm/slub.c:3823
+ ext4_es_try_to_merge_right fs/ext4/extents_status.c:593 [inline]
+ __es_insert_extent+0x9f4/0x1440 fs/ext4/extents_status.c:802
+ ext4_es_insert_extent+0x2ca/0xcb0 fs/ext4/extents_status.c:882
+ ext4_map_blocks+0x92a/0x16f0 fs/ext4/inode.c:680
+ ext4_alloc_file_blocks.isra.0+0x2df/0xb70 fs/ext4/extents.c:4462
+ ext4_zero_range fs/ext4/extents.c:4622 [inline]
+ ext4_fallocate+0x251c/0x3ce0 fs/ext4/extents.c:4721
+ [...]
+==================================================================
+
+The flow of issue triggering is as follows:
+1. remove es
+ raw es es removed es1
+|-------------------| -> |----|.......|------|
+
+2. insert es
+ es insert es1 merge with es es1 merge with es and free es1
+|----|.......|------| -> |------------|------| -> |-------------------|
+
+es merges with newes, then merges with es1, frees es1, then determines
+if es1->es_len is 0 and triggers a UAF.
+
+The code flow is as follows:
+ext4_es_insert_extent
+ es1 = __es_alloc_extent(true);
+ es2 = __es_alloc_extent(true);
+ __es_remove_extent(inode, lblk, end, NULL, es1)
+ __es_insert_extent(inode, &newes, es1) ---> insert es1 to es tree
+ __es_insert_extent(inode, &newes, es2)
+ ext4_es_try_to_merge_right
+ ext4_es_free_extent(inode, es1) ---> es1 is freed
+ if (es1 && !es1->es_len)
+ // Trigger UAF by determining if es1 is used.
+
+We determine whether es1 or es2 is used immediately after calling
+__es_remove_extent() or __es_insert_extent() to avoid triggering a
+UAF if es1 or es2 is freed.
+
+Reported-by: Yikebaer Aizezi <yikebaer61@gmail.com>
+Closes: https://lore.kernel.org/lkml/CALcu4raD4h9coiyEBL4Bm0zjDwxC2CyPiTwsP3zFuhot6y9Beg@mail.gmail.com
+Fixes: 2a69c450083d ("ext4: using nofail preallocation in ext4_es_insert_extent()")
+Cc: stable@kernel.org
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230815070808.3377171-1-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/extents_status.c | 44 +++++++++++++++++++++++++++-------------
+ 1 file changed, 30 insertions(+), 14 deletions(-)
+
+diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c
+index 1327cd9505db7..6c55ab427e650 100644
+--- a/fs/ext4/extents_status.c
++++ b/fs/ext4/extents_status.c
+@@ -883,23 +883,29 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk,
+ err1 = __es_remove_extent(inode, lblk, end, NULL, es1);
+ if (err1 != 0)
+ goto error;
++ /* Free preallocated extent if it didn't get used. */
++ if (es1) {
++ if (!es1->es_len)
++ __es_free_extent(es1);
++ es1 = NULL;
++ }
+
+ err2 = __es_insert_extent(inode, &newes, es2);
+ if (err2 == -ENOMEM && !ext4_es_must_keep(&newes))
+ err2 = 0;
+ if (err2 != 0)
+ goto error;
++ /* Free preallocated extent if it didn't get used. */
++ if (es2) {
++ if (!es2->es_len)
++ __es_free_extent(es2);
++ es2 = NULL;
++ }
+
+ if (sbi->s_cluster_ratio > 1 && test_opt(inode->i_sb, DELALLOC) &&
+ (status & EXTENT_STATUS_WRITTEN ||
+ status & EXTENT_STATUS_UNWRITTEN))
+ __revise_pending(inode, lblk, len);
+-
+- /* es is pre-allocated but not used, free it. */
+- if (es1 && !es1->es_len)
+- __es_free_extent(es1);
+- if (es2 && !es2->es_len)
+- __es_free_extent(es2);
+ error:
+ write_unlock(&EXT4_I(inode)->i_es_lock);
+ if (err1 || err2)
+@@ -1496,8 +1502,12 @@ int ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
+ */
+ write_lock(&EXT4_I(inode)->i_es_lock);
+ err = __es_remove_extent(inode, lblk, end, &reserved, es);
+- if (es && !es->es_len)
+- __es_free_extent(es);
++ /* Free preallocated extent if it didn't get used. */
++ if (es) {
++ if (!es->es_len)
++ __es_free_extent(es);
++ es = NULL;
++ }
+ write_unlock(&EXT4_I(inode)->i_es_lock);
+ if (err)
+ goto retry;
+@@ -2055,19 +2065,25 @@ int ext4_es_insert_delayed_block(struct inode *inode, ext4_lblk_t lblk,
+ err1 = __es_remove_extent(inode, lblk, lblk, NULL, es1);
+ if (err1 != 0)
+ goto error;
++ /* Free preallocated extent if it didn't get used. */
++ if (es1) {
++ if (!es1->es_len)
++ __es_free_extent(es1);
++ es1 = NULL;
++ }
+
+ err2 = __es_insert_extent(inode, &newes, es2);
+ if (err2 != 0)
+ goto error;
++ /* Free preallocated extent if it didn't get used. */
++ if (es2) {
++ if (!es2->es_len)
++ __es_free_extent(es2);
++ es2 = NULL;
++ }
+
+ if (allocated)
+ __insert_pending(inode, lblk);
+-
+- /* es is pre-allocated but not used, free it. */
+- if (es1 && !es1->es_len)
+- __es_free_extent(es1);
+- if (es2 && !es2->es_len)
+- __es_free_extent(es2);
+ error:
+ write_unlock(&EXT4_I(inode)->i_es_lock);
+ if (err1 || err2)
+--
+2.42.0
+
--- /dev/null
+From ac30d7f610d05a8d36f976f53726e74e3baedcaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Aug 2023 17:26:05 +0800
+Subject: ext4: make sure allocate pending entry not fail
+
+From: Zhang Yi <yi.zhang@huawei.com>
+
+[ Upstream commit 8e387c89e96b9543a339f84043cf9df15fed2632 ]
+
+__insert_pending() allocate memory in atomic context, so the allocation
+could fail, but we are not handling that failure now. It could lead
+ext4_es_remove_extent() to get wrong reserved clusters, and the global
+data blocks reservation count will be incorrect. The same to
+extents_status entry preallocation, preallocate pending entry out of the
+i_es_lock with __GFP_NOFAIL, make sure __insert_pending() and
+__revise_pending() always succeeds.
+
+Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/20230824092619.1327976-3-yi.zhang@huaweicloud.com
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/extents_status.c | 123 ++++++++++++++++++++++++++++-----------
+ 1 file changed, 89 insertions(+), 34 deletions(-)
+
+diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c
+index 6c55ab427e650..cccbdfd49a86b 100644
+--- a/fs/ext4/extents_status.c
++++ b/fs/ext4/extents_status.c
+@@ -152,8 +152,9 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
+ static int es_reclaim_extents(struct ext4_inode_info *ei, int *nr_to_scan);
+ static int __es_shrink(struct ext4_sb_info *sbi, int nr_to_scan,
+ struct ext4_inode_info *locked_ei);
+-static void __revise_pending(struct inode *inode, ext4_lblk_t lblk,
+- ext4_lblk_t len);
++static int __revise_pending(struct inode *inode, ext4_lblk_t lblk,
++ ext4_lblk_t len,
++ struct pending_reservation **prealloc);
+
+ int __init ext4_init_es(void)
+ {
+@@ -450,6 +451,19 @@ static void ext4_es_list_del(struct inode *inode)
+ spin_unlock(&sbi->s_es_lock);
+ }
+
++static inline struct pending_reservation *__alloc_pending(bool nofail)
++{
++ if (!nofail)
++ return kmem_cache_alloc(ext4_pending_cachep, GFP_ATOMIC);
++
++ return kmem_cache_zalloc(ext4_pending_cachep, GFP_KERNEL | __GFP_NOFAIL);
++}
++
++static inline void __free_pending(struct pending_reservation *pr)
++{
++ kmem_cache_free(ext4_pending_cachep, pr);
++}
++
+ /*
+ * Returns true if we cannot fail to allocate memory for this extent_status
+ * entry and cannot reclaim it until its status changes.
+@@ -841,11 +855,12 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk,
+ {
+ struct extent_status newes;
+ ext4_lblk_t end = lblk + len - 1;
+- int err1 = 0;
+- int err2 = 0;
++ int err1 = 0, err2 = 0, err3 = 0;
+ struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
+ struct extent_status *es1 = NULL;
+ struct extent_status *es2 = NULL;
++ struct pending_reservation *pr = NULL;
++ bool revise_pending = false;
+
+ if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY)
+ return 0;
+@@ -873,11 +888,17 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk,
+
+ ext4_es_insert_extent_check(inode, &newes);
+
++ revise_pending = sbi->s_cluster_ratio > 1 &&
++ test_opt(inode->i_sb, DELALLOC) &&
++ (status & (EXTENT_STATUS_WRITTEN |
++ EXTENT_STATUS_UNWRITTEN));
+ retry:
+ if (err1 && !es1)
+ es1 = __es_alloc_extent(true);
+ if ((err1 || err2) && !es2)
+ es2 = __es_alloc_extent(true);
++ if ((err1 || err2 || err3) && revise_pending && !pr)
++ pr = __alloc_pending(true);
+ write_lock(&EXT4_I(inode)->i_es_lock);
+
+ err1 = __es_remove_extent(inode, lblk, end, NULL, es1);
+@@ -902,13 +923,18 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk,
+ es2 = NULL;
+ }
+
+- if (sbi->s_cluster_ratio > 1 && test_opt(inode->i_sb, DELALLOC) &&
+- (status & EXTENT_STATUS_WRITTEN ||
+- status & EXTENT_STATUS_UNWRITTEN))
+- __revise_pending(inode, lblk, len);
++ if (revise_pending) {
++ err3 = __revise_pending(inode, lblk, len, &pr);
++ if (err3 != 0)
++ goto error;
++ if (pr) {
++ __free_pending(pr);
++ pr = NULL;
++ }
++ }
+ error:
+ write_unlock(&EXT4_I(inode)->i_es_lock);
+- if (err1 || err2)
++ if (err1 || err2 || err3)
+ goto retry;
+
+ ext4_es_print_tree(inode);
+@@ -1316,7 +1342,7 @@ static unsigned int get_rsvd(struct inode *inode, ext4_lblk_t end,
+ rc->ndelonly--;
+ node = rb_next(&pr->rb_node);
+ rb_erase(&pr->rb_node, &tree->root);
+- kmem_cache_free(ext4_pending_cachep, pr);
++ __free_pending(pr);
+ if (!node)
+ break;
+ pr = rb_entry(node, struct pending_reservation,
+@@ -1913,11 +1939,13 @@ static struct pending_reservation *__get_pending(struct inode *inode,
+ *
+ * @inode - file containing the cluster
+ * @lblk - logical block in the cluster to be added
++ * @prealloc - preallocated pending entry
+ *
+ * Returns 0 on successful insertion and -ENOMEM on failure. If the
+ * pending reservation is already in the set, returns successfully.
+ */
+-static int __insert_pending(struct inode *inode, ext4_lblk_t lblk)
++static int __insert_pending(struct inode *inode, ext4_lblk_t lblk,
++ struct pending_reservation **prealloc)
+ {
+ struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
+ struct ext4_pending_tree *tree = &EXT4_I(inode)->i_pending_tree;
+@@ -1943,10 +1971,15 @@ static int __insert_pending(struct inode *inode, ext4_lblk_t lblk)
+ }
+ }
+
+- pr = kmem_cache_alloc(ext4_pending_cachep, GFP_ATOMIC);
+- if (pr == NULL) {
+- ret = -ENOMEM;
+- goto out;
++ if (likely(*prealloc == NULL)) {
++ pr = __alloc_pending(false);
++ if (!pr) {
++ ret = -ENOMEM;
++ goto out;
++ }
++ } else {
++ pr = *prealloc;
++ *prealloc = NULL;
+ }
+ pr->lclu = lclu;
+
+@@ -1976,7 +2009,7 @@ static void __remove_pending(struct inode *inode, ext4_lblk_t lblk)
+ if (pr != NULL) {
+ tree = &EXT4_I(inode)->i_pending_tree;
+ rb_erase(&pr->rb_node, &tree->root);
+- kmem_cache_free(ext4_pending_cachep, pr);
++ __free_pending(pr);
+ }
+ }
+
+@@ -2037,10 +2070,10 @@ int ext4_es_insert_delayed_block(struct inode *inode, ext4_lblk_t lblk,
+ bool allocated)
+ {
+ struct extent_status newes;
+- int err1 = 0;
+- int err2 = 0;
++ int err1 = 0, err2 = 0, err3 = 0;
+ struct extent_status *es1 = NULL;
+ struct extent_status *es2 = NULL;
++ struct pending_reservation *pr = NULL;
+
+ if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY)
+ return 0;
+@@ -2060,6 +2093,8 @@ int ext4_es_insert_delayed_block(struct inode *inode, ext4_lblk_t lblk,
+ es1 = __es_alloc_extent(true);
+ if ((err1 || err2) && !es2)
+ es2 = __es_alloc_extent(true);
++ if ((err1 || err2 || err3) && allocated && !pr)
++ pr = __alloc_pending(true);
+ write_lock(&EXT4_I(inode)->i_es_lock);
+
+ err1 = __es_remove_extent(inode, lblk, lblk, NULL, es1);
+@@ -2082,11 +2117,18 @@ int ext4_es_insert_delayed_block(struct inode *inode, ext4_lblk_t lblk,
+ es2 = NULL;
+ }
+
+- if (allocated)
+- __insert_pending(inode, lblk);
++ if (allocated) {
++ err3 = __insert_pending(inode, lblk, &pr);
++ if (err3 != 0)
++ goto error;
++ if (pr) {
++ __free_pending(pr);
++ pr = NULL;
++ }
++ }
+ error:
+ write_unlock(&EXT4_I(inode)->i_es_lock);
+- if (err1 || err2)
++ if (err1 || err2 || err3)
+ goto retry;
+
+ ext4_es_print_tree(inode);
+@@ -2192,21 +2234,24 @@ unsigned int ext4_es_delayed_clu(struct inode *inode, ext4_lblk_t lblk,
+ * @inode - file containing the range
+ * @lblk - logical block defining the start of range
+ * @len - length of range in blocks
++ * @prealloc - preallocated pending entry
+ *
+ * Used after a newly allocated extent is added to the extents status tree.
+ * Requires that the extents in the range have either written or unwritten
+ * status. Must be called while holding i_es_lock.
+ */
+-static void __revise_pending(struct inode *inode, ext4_lblk_t lblk,
+- ext4_lblk_t len)
++static int __revise_pending(struct inode *inode, ext4_lblk_t lblk,
++ ext4_lblk_t len,
++ struct pending_reservation **prealloc)
+ {
+ struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
+ ext4_lblk_t end = lblk + len - 1;
+ ext4_lblk_t first, last;
+ bool f_del = false, l_del = false;
++ int ret = 0;
+
+ if (len == 0)
+- return;
++ return 0;
+
+ /*
+ * Two cases - block range within single cluster and block range
+@@ -2227,7 +2272,9 @@ static void __revise_pending(struct inode *inode, ext4_lblk_t lblk,
+ f_del = __es_scan_range(inode, &ext4_es_is_delonly,
+ first, lblk - 1);
+ if (f_del) {
+- __insert_pending(inode, first);
++ ret = __insert_pending(inode, first, prealloc);
++ if (ret < 0)
++ goto out;
+ } else {
+ last = EXT4_LBLK_CMASK(sbi, end) +
+ sbi->s_cluster_ratio - 1;
+@@ -2235,9 +2282,11 @@ static void __revise_pending(struct inode *inode, ext4_lblk_t lblk,
+ l_del = __es_scan_range(inode,
+ &ext4_es_is_delonly,
+ end + 1, last);
+- if (l_del)
+- __insert_pending(inode, last);
+- else
++ if (l_del) {
++ ret = __insert_pending(inode, last, prealloc);
++ if (ret < 0)
++ goto out;
++ } else
+ __remove_pending(inode, last);
+ }
+ } else {
+@@ -2245,18 +2294,24 @@ static void __revise_pending(struct inode *inode, ext4_lblk_t lblk,
+ if (first != lblk)
+ f_del = __es_scan_range(inode, &ext4_es_is_delonly,
+ first, lblk - 1);
+- if (f_del)
+- __insert_pending(inode, first);
+- else
++ if (f_del) {
++ ret = __insert_pending(inode, first, prealloc);
++ if (ret < 0)
++ goto out;
++ } else
+ __remove_pending(inode, first);
+
+ last = EXT4_LBLK_CMASK(sbi, end) + sbi->s_cluster_ratio - 1;
+ if (last != end)
+ l_del = __es_scan_range(inode, &ext4_es_is_delonly,
+ end + 1, last);
+- if (l_del)
+- __insert_pending(inode, last);
+- else
++ if (l_del) {
++ ret = __insert_pending(inode, last, prealloc);
++ if (ret < 0)
++ goto out;
++ } else
+ __remove_pending(inode, last);
+ }
++out:
++ return ret;
+ }
+--
+2.42.0
+
--- /dev/null
+From 295a1afaaee5f8f997d64a0cbeed47e40c10c151 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 11:38:38 +0800
+Subject: ext4: use pre-allocated es in __es_insert_extent()
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 95f0b320339a977cf69872eac107122bf536775d ]
+
+Pass a extent_status pointer prealloc to __es_insert_extent(). If the
+pointer is non-null, it is used directly when a new extent_status is
+needed to avoid memory allocation failures.
+
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230424033846.4732-5-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/extents_status.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c
+index 012033db41062..0d810ce7580d1 100644
+--- a/fs/ext4/extents_status.c
++++ b/fs/ext4/extents_status.c
+@@ -144,7 +144,8 @@
+ static struct kmem_cache *ext4_es_cachep;
+ static struct kmem_cache *ext4_pending_cachep;
+
+-static int __es_insert_extent(struct inode *inode, struct extent_status *newes);
++static int __es_insert_extent(struct inode *inode, struct extent_status *newes,
++ struct extent_status *prealloc);
+ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
+ ext4_lblk_t end, int *reserved);
+ static int es_reclaim_extents(struct ext4_inode_info *ei, int *nr_to_scan);
+@@ -769,7 +770,8 @@ static inline void ext4_es_insert_extent_check(struct inode *inode,
+ }
+ #endif
+
+-static int __es_insert_extent(struct inode *inode, struct extent_status *newes)
++static int __es_insert_extent(struct inode *inode, struct extent_status *newes,
++ struct extent_status *prealloc)
+ {
+ struct ext4_es_tree *tree = &EXT4_I(inode)->i_es_tree;
+ struct rb_node **p = &tree->root.rb_node;
+@@ -809,7 +811,10 @@ static int __es_insert_extent(struct inode *inode, struct extent_status *newes)
+ }
+ }
+
+- es = __es_alloc_extent(false);
++ if (prealloc)
++ es = prealloc;
++ else
++ es = __es_alloc_extent(false);
+ if (!es)
+ return -ENOMEM;
+ ext4_es_init_extent(inode, es, newes->es_lblk, newes->es_len,
+@@ -869,7 +874,7 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk,
+ if (err != 0)
+ goto error;
+ retry:
+- err = __es_insert_extent(inode, &newes);
++ err = __es_insert_extent(inode, &newes, NULL);
+ if (err == -ENOMEM && __es_shrink(EXT4_SB(inode->i_sb),
+ 128, EXT4_I(inode)))
+ goto retry;
+@@ -919,7 +924,7 @@ void ext4_es_cache_extent(struct inode *inode, ext4_lblk_t lblk,
+
+ es = __es_tree_search(&EXT4_I(inode)->i_es_tree.root, lblk);
+ if (!es || es->es_lblk > end)
+- __es_insert_extent(inode, &newes);
++ __es_insert_extent(inode, &newes, NULL);
+ write_unlock(&EXT4_I(inode)->i_es_lock);
+ }
+
+@@ -1365,7 +1370,7 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
+ orig_es.es_len - len2;
+ ext4_es_store_pblock_status(&newes, block,
+ ext4_es_status(&orig_es));
+- err = __es_insert_extent(inode, &newes);
++ err = __es_insert_extent(inode, &newes, NULL);
+ if (err) {
+ es->es_lblk = orig_es.es_lblk;
+ es->es_len = orig_es.es_len;
+@@ -2020,7 +2025,7 @@ int ext4_es_insert_delayed_block(struct inode *inode, ext4_lblk_t lblk,
+ if (err != 0)
+ goto error;
+ retry:
+- err = __es_insert_extent(inode, &newes);
++ err = __es_insert_extent(inode, &newes, NULL);
+ if (err == -ENOMEM && __es_shrink(EXT4_SB(inode->i_sb),
+ 128, EXT4_I(inode)))
+ goto retry;
+--
+2.42.0
+
--- /dev/null
+From b673cbde8bde03735cf6049935a49becc784ffe8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 11:38:39 +0800
+Subject: ext4: use pre-allocated es in __es_remove_extent()
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit bda3efaf774fb687c2b7a555aaec3006b14a8857 ]
+
+When splitting extent, if the second extent can not be dropped, we return
+-ENOMEM and use GFP_NOFAIL to preallocate an extent_status outside of
+i_es_lock and pass it to __es_remove_extent() to be used as the second
+extent. This ensures that __es_remove_extent() is executed successfully,
+thus ensuring consistency in the extent status tree. If the second extent
+is not undroppable, we simply drop it and return 0. Then retry is no longer
+necessary, remove it.
+
+Now, __es_remove_extent() will always remove what it should, maybe more.
+
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230424033846.4732-6-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/extents_status.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c
+index 0d810ce7580d1..10550d62a6763 100644
+--- a/fs/ext4/extents_status.c
++++ b/fs/ext4/extents_status.c
+@@ -147,7 +147,8 @@ static struct kmem_cache *ext4_pending_cachep;
+ static int __es_insert_extent(struct inode *inode, struct extent_status *newes,
+ struct extent_status *prealloc);
+ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
+- ext4_lblk_t end, int *reserved);
++ ext4_lblk_t end, int *reserved,
++ struct extent_status *prealloc);
+ static int es_reclaim_extents(struct ext4_inode_info *ei, int *nr_to_scan);
+ static int __es_shrink(struct ext4_sb_info *sbi, int nr_to_scan,
+ struct ext4_inode_info *locked_ei);
+@@ -870,7 +871,7 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk,
+ ext4_es_insert_extent_check(inode, &newes);
+
+ write_lock(&EXT4_I(inode)->i_es_lock);
+- err = __es_remove_extent(inode, lblk, end, NULL);
++ err = __es_remove_extent(inode, lblk, end, NULL, NULL);
+ if (err != 0)
+ goto error;
+ retry:
+@@ -1314,6 +1315,7 @@ static unsigned int get_rsvd(struct inode *inode, ext4_lblk_t end,
+ * @lblk - first block in range
+ * @end - last block in range
+ * @reserved - number of cluster reservations released
++ * @prealloc - pre-allocated es to avoid memory allocation failures
+ *
+ * If @reserved is not NULL and delayed allocation is enabled, counts
+ * block/cluster reservations freed by removing range and if bigalloc
+@@ -1321,7 +1323,8 @@ static unsigned int get_rsvd(struct inode *inode, ext4_lblk_t end,
+ * error code on failure.
+ */
+ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
+- ext4_lblk_t end, int *reserved)
++ ext4_lblk_t end, int *reserved,
++ struct extent_status *prealloc)
+ {
+ struct ext4_es_tree *tree = &EXT4_I(inode)->i_es_tree;
+ struct rb_node *node;
+@@ -1329,14 +1332,12 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
+ struct extent_status orig_es;
+ ext4_lblk_t len1, len2;
+ ext4_fsblk_t block;
+- int err;
++ int err = 0;
+ bool count_reserved = true;
+ struct rsvd_count rc;
+
+ if (reserved == NULL || !test_opt(inode->i_sb, DELALLOC))
+ count_reserved = false;
+-retry:
+- err = 0;
+
+ es = __es_tree_search(&tree->root, lblk);
+ if (!es)
+@@ -1370,14 +1371,13 @@ static int __es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
+ orig_es.es_len - len2;
+ ext4_es_store_pblock_status(&newes, block,
+ ext4_es_status(&orig_es));
+- err = __es_insert_extent(inode, &newes, NULL);
++ err = __es_insert_extent(inode, &newes, prealloc);
+ if (err) {
++ if (!ext4_es_must_keep(&newes))
++ return 0;
++
+ es->es_lblk = orig_es.es_lblk;
+ es->es_len = orig_es.es_len;
+- if ((err == -ENOMEM) &&
+- __es_shrink(EXT4_SB(inode->i_sb),
+- 128, EXT4_I(inode)))
+- goto retry;
+ goto out;
+ }
+ } else {
+@@ -1477,7 +1477,7 @@ int ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
+ * is reclaimed.
+ */
+ write_lock(&EXT4_I(inode)->i_es_lock);
+- err = __es_remove_extent(inode, lblk, end, &reserved);
++ err = __es_remove_extent(inode, lblk, end, &reserved, NULL);
+ write_unlock(&EXT4_I(inode)->i_es_lock);
+ ext4_es_print_tree(inode);
+ ext4_da_release_space(inode, reserved);
+@@ -2021,7 +2021,7 @@ int ext4_es_insert_delayed_block(struct inode *inode, ext4_lblk_t lblk,
+
+ write_lock(&EXT4_I(inode)->i_es_lock);
+
+- err = __es_remove_extent(inode, lblk, lblk, NULL);
++ err = __es_remove_extent(inode, lblk, lblk, NULL, NULL);
+ if (err != 0)
+ goto error;
+ retry:
+--
+2.42.0
+
--- /dev/null
+From bd61f6478c8dc17613736fd425a59885ae733326 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 11:38:41 +0800
+Subject: ext4: using nofail preallocation in ext4_es_insert_delayed_block()
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 4a2d98447b37bcb68a7f06a1078edcb4f7e6ce7e ]
+
+Similar to in ext4_es_remove_extent(), we use a no-fail preallocation
+to avoid inconsistencies, except that here we may have to preallocate
+two extent_status.
+
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230424033846.4732-8-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/extents_status.c | 33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c
+index 4af825eb0cb45..4163a4801f969 100644
+--- a/fs/ext4/extents_status.c
++++ b/fs/ext4/extents_status.c
+@@ -2013,7 +2013,10 @@ int ext4_es_insert_delayed_block(struct inode *inode, ext4_lblk_t lblk,
+ bool allocated)
+ {
+ struct extent_status newes;
+- int err = 0;
++ int err1 = 0;
++ int err2 = 0;
++ struct extent_status *es1 = NULL;
++ struct extent_status *es2 = NULL;
+
+ if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY)
+ return 0;
+@@ -2028,29 +2031,37 @@ int ext4_es_insert_delayed_block(struct inode *inode, ext4_lblk_t lblk,
+
+ ext4_es_insert_extent_check(inode, &newes);
+
++retry:
++ if (err1 && !es1)
++ es1 = __es_alloc_extent(true);
++ if ((err1 || err2) && !es2)
++ es2 = __es_alloc_extent(true);
+ write_lock(&EXT4_I(inode)->i_es_lock);
+
+- err = __es_remove_extent(inode, lblk, lblk, NULL, NULL);
+- if (err != 0)
++ err1 = __es_remove_extent(inode, lblk, lblk, NULL, es1);
++ if (err1 != 0)
+ goto error;
+-retry:
+- err = __es_insert_extent(inode, &newes, NULL);
+- if (err == -ENOMEM && __es_shrink(EXT4_SB(inode->i_sb),
+- 128, EXT4_I(inode)))
+- goto retry;
+- if (err != 0)
++
++ err2 = __es_insert_extent(inode, &newes, es2);
++ if (err2 != 0)
+ goto error;
+
+ if (allocated)
+ __insert_pending(inode, lblk);
+
++ /* es is pre-allocated but not used, free it. */
++ if (es1 && !es1->es_len)
++ __es_free_extent(es1);
++ if (es2 && !es2->es_len)
++ __es_free_extent(es2);
+ error:
+ write_unlock(&EXT4_I(inode)->i_es_lock);
++ if (err1 || err2)
++ goto retry;
+
+ ext4_es_print_tree(inode);
+ ext4_print_pending_tree(inode);
+-
+- return err;
++ return 0;
+ }
+
+ /*
+--
+2.42.0
+
--- /dev/null
+From 6a7ddfa60c78e553ebe22b987a4b8c9788ba2080 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 11:38:42 +0800
+Subject: ext4: using nofail preallocation in ext4_es_insert_extent()
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 2a69c450083db164596c75c0f5b4d9c4c0e18eba ]
+
+Similar to in ext4_es_insert_delayed_block(), we use preallocations that
+do not fail to avoid inconsistencies, but we do not care about es that are
+not must be kept, and we return 0 even if such es memory allocation fails.
+
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230424033846.4732-9-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/extents_status.c | 38 ++++++++++++++++++++++++++------------
+ 1 file changed, 26 insertions(+), 12 deletions(-)
+
+diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c
+index 4163a4801f969..1327cd9505db7 100644
+--- a/fs/ext4/extents_status.c
++++ b/fs/ext4/extents_status.c
+@@ -841,8 +841,11 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk,
+ {
+ struct extent_status newes;
+ ext4_lblk_t end = lblk + len - 1;
+- int err = 0;
++ int err1 = 0;
++ int err2 = 0;
+ struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
++ struct extent_status *es1 = NULL;
++ struct extent_status *es2 = NULL;
+
+ if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY)
+ return 0;
+@@ -870,29 +873,40 @@ int ext4_es_insert_extent(struct inode *inode, ext4_lblk_t lblk,
+
+ ext4_es_insert_extent_check(inode, &newes);
+
++retry:
++ if (err1 && !es1)
++ es1 = __es_alloc_extent(true);
++ if ((err1 || err2) && !es2)
++ es2 = __es_alloc_extent(true);
+ write_lock(&EXT4_I(inode)->i_es_lock);
+- err = __es_remove_extent(inode, lblk, end, NULL, NULL);
+- if (err != 0)
++
++ err1 = __es_remove_extent(inode, lblk, end, NULL, es1);
++ if (err1 != 0)
++ goto error;
++
++ err2 = __es_insert_extent(inode, &newes, es2);
++ if (err2 == -ENOMEM && !ext4_es_must_keep(&newes))
++ err2 = 0;
++ if (err2 != 0)
+ goto error;
+-retry:
+- err = __es_insert_extent(inode, &newes, NULL);
+- if (err == -ENOMEM && __es_shrink(EXT4_SB(inode->i_sb),
+- 128, EXT4_I(inode)))
+- goto retry;
+- if (err == -ENOMEM && !ext4_es_must_keep(&newes))
+- err = 0;
+
+ if (sbi->s_cluster_ratio > 1 && test_opt(inode->i_sb, DELALLOC) &&
+ (status & EXTENT_STATUS_WRITTEN ||
+ status & EXTENT_STATUS_UNWRITTEN))
+ __revise_pending(inode, lblk, len);
+
++ /* es is pre-allocated but not used, free it. */
++ if (es1 && !es1->es_len)
++ __es_free_extent(es1);
++ if (es2 && !es2->es_len)
++ __es_free_extent(es2);
+ error:
+ write_unlock(&EXT4_I(inode)->i_es_lock);
++ if (err1 || err2)
++ goto retry;
+
+ ext4_es_print_tree(inode);
+-
+- return err;
++ return 0;
+ }
+
+ /*
+--
+2.42.0
+
--- /dev/null
+From 221a9154e12c49ccdd40c8f7594625f51c1dd608 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Apr 2023 11:38:40 +0800
+Subject: ext4: using nofail preallocation in ext4_es_remove_extent()
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit e9fe2b882bd5b26b987c9ba110c2222796f72af5 ]
+
+If __es_remove_extent() returns an error it means that when splitting
+extent, allocating an extent that must be kept failed, where returning
+an error directly would cause the extent tree to be inconsistent. So we
+use GFP_NOFAIL to pre-allocate an extent_status and pass it to
+__es_remove_extent() to avoid this problem.
+
+In addition, since the allocated memory is outside the i_es_lock, the
+extent_status tree may change and the pre-allocated extent_status is
+no longer needed, so we release the pre-allocated extent_status when
+es->es_len is not initialized.
+
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20230424033846.4732-7-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 8e387c89e96b ("ext4: make sure allocate pending entry not fail")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/extents_status.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/extents_status.c b/fs/ext4/extents_status.c
+index 10550d62a6763..4af825eb0cb45 100644
+--- a/fs/ext4/extents_status.c
++++ b/fs/ext4/extents_status.c
+@@ -1457,6 +1457,7 @@ int ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
+ ext4_lblk_t end;
+ int err = 0;
+ int reserved = 0;
++ struct extent_status *es = NULL;
+
+ if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY)
+ return 0;
+@@ -1471,17 +1472,25 @@ int ext4_es_remove_extent(struct inode *inode, ext4_lblk_t lblk,
+ end = lblk + len - 1;
+ BUG_ON(end < lblk);
+
++retry:
++ if (err && !es)
++ es = __es_alloc_extent(true);
+ /*
+ * ext4_clear_inode() depends on us taking i_es_lock unconditionally
+ * so that we are sure __es_shrink() is done with the inode before it
+ * is reclaimed.
+ */
+ write_lock(&EXT4_I(inode)->i_es_lock);
+- err = __es_remove_extent(inode, lblk, end, &reserved, NULL);
++ err = __es_remove_extent(inode, lblk, end, &reserved, es);
++ if (es && !es->es_len)
++ __es_free_extent(es);
+ write_unlock(&EXT4_I(inode)->i_es_lock);
++ if (err)
++ goto retry;
++
+ ext4_es_print_tree(inode);
+ ext4_da_release_space(inode, reserved);
+- return err;
++ return 0;
+ }
+
+ static int __es_shrink(struct ext4_sb_info *sbi, int nr_to_scan,
+--
+2.42.0
+
--- /dev/null
+From 9fc8f1117cb811b82494e066c45dfb9c212f6e6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 15:29:23 +0200
+Subject: HID: core: store the unique system identifier in hid_device
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+[ Upstream commit 1e839143d674603b0bbbc4c513bca35404967dbc ]
+
+This unique identifier is currently used only for ensuring uniqueness in
+sysfs. However, this could be handful for userspace to refer to a specific
+hid_device by this id.
+
+2 use cases are in my mind: LEDs (and their naming convention), and
+HID-BPF.
+
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Link: https://lore.kernel.org/r/20220902132938.2409206-9-benjamin.tissoires@redhat.com
+Stable-dep-of: fc43e9c857b7 ("HID: fix HID device resource race between HID core and debugging support")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-core.c | 4 +++-
+ include/linux/hid.h | 2 ++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index d941023c56289..35046adf1294e 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -2442,10 +2442,12 @@ int hid_add_device(struct hid_device *hdev)
+ hid_warn(hdev, "bad device descriptor (%d)\n", ret);
+ }
+
++ hdev->id = atomic_inc_return(&id);
++
+ /* XXX hack, any other cleaner solution after the driver core
+ * is converted to allow more than 20 bytes as the device name? */
+ dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
+- hdev->vendor, hdev->product, atomic_inc_return(&id));
++ hdev->vendor, hdev->product, hdev->id);
+
+ hid_debug_register(hdev, dev_name(&hdev->dev));
+ ret = device_add(&hdev->dev);
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index c3478e396829e..4fa40d2e821f2 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -630,6 +630,8 @@ struct hid_device { /* device report descriptor */
+ struct list_head debug_list;
+ spinlock_t debug_list_lock;
+ wait_queue_head_t debug_wait;
++
++ unsigned int id; /* system unique id */
+ };
+
+ #define to_hid_device(pdev) \
+--
+2.42.0
+
--- /dev/null
+From 10704522fb58e81002be8efd4946b23ab70ff73a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Oct 2023 12:32:39 +0800
+Subject: HID: fix HID device resource race between HID core and debugging
+ support
+
+From: Charles Yi <be286@163.com>
+
+[ Upstream commit fc43e9c857b7aa55efba9398419b14d9e35dcc7d ]
+
+hid_debug_events_release releases resources bound to the HID device instance.
+hid_device_release releases the underlying HID device instance potentially
+before hid_debug_events_release has completed releasing debug resources bound
+to the same HID device instance.
+
+Reference count to prevent the HID device instance from being torn down
+preemptively when HID debugging support is used. When count reaches zero,
+release core resources of HID device instance using hiddev_free.
+
+The crash:
+
+[ 120.728477][ T4396] kernel BUG at lib/list_debug.c:53!
+[ 120.728505][ T4396] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+[ 120.739806][ T4396] Modules linked in: bcmdhd dhd_static_buf 8822cu pcie_mhi r8168
+[ 120.747386][ T4396] CPU: 1 PID: 4396 Comm: hidt_bridge Not tainted 5.10.110 #257
+[ 120.754771][ T4396] Hardware name: Rockchip RK3588 EVB4 LP4 V10 Board (DT)
+[ 120.761643][ T4396] pstate: 60400089 (nZCv daIf +PAN -UAO -TCO BTYPE=--)
+[ 120.768338][ T4396] pc : __list_del_entry_valid+0x98/0xac
+[ 120.773730][ T4396] lr : __list_del_entry_valid+0x98/0xac
+[ 120.779120][ T4396] sp : ffffffc01e62bb60
+[ 120.783126][ T4396] x29: ffffffc01e62bb60 x28: ffffff818ce3a200
+[ 120.789126][ T4396] x27: 0000000000000009 x26: 0000000000980000
+[ 120.795126][ T4396] x25: ffffffc012431000 x24: ffffff802c6d4e00
+[ 120.801125][ T4396] x23: ffffff8005c66f00 x22: ffffffc01183b5b8
+[ 120.807125][ T4396] x21: ffffff819df2f100 x20: 0000000000000000
+[ 120.813124][ T4396] x19: ffffff802c3f0700 x18: ffffffc01d2cd058
+[ 120.819124][ T4396] x17: 0000000000000000 x16: 0000000000000000
+[ 120.825124][ T4396] x15: 0000000000000004 x14: 0000000000003fff
+[ 120.831123][ T4396] x13: ffffffc012085588 x12: 0000000000000003
+[ 120.837123][ T4396] x11: 00000000ffffbfff x10: 0000000000000003
+[ 120.843123][ T4396] x9 : 455103d46b329300 x8 : 455103d46b329300
+[ 120.849124][ T4396] x7 : 74707572726f6320 x6 : ffffffc0124b8cb5
+[ 120.855124][ T4396] x5 : ffffffffffffffff x4 : 0000000000000000
+[ 120.861123][ T4396] x3 : ffffffc011cf4f90 x2 : ffffff81fee7b948
+[ 120.867122][ T4396] x1 : ffffffc011cf4f90 x0 : 0000000000000054
+[ 120.873122][ T4396] Call trace:
+[ 120.876259][ T4396] __list_del_entry_valid+0x98/0xac
+[ 120.881304][ T4396] hid_debug_events_release+0x48/0x12c
+[ 120.886617][ T4396] full_proxy_release+0x50/0xbc
+[ 120.891323][ T4396] __fput+0xdc/0x238
+[ 120.895075][ T4396] ____fput+0x14/0x24
+[ 120.898911][ T4396] task_work_run+0x90/0x148
+[ 120.903268][ T4396] do_exit+0x1bc/0x8a4
+[ 120.907193][ T4396] do_group_exit+0x8c/0xa4
+[ 120.911458][ T4396] get_signal+0x468/0x744
+[ 120.915643][ T4396] do_signal+0x84/0x280
+[ 120.919650][ T4396] do_notify_resume+0xd0/0x218
+[ 120.924262][ T4396] work_pending+0xc/0x3f0
+
+[ Rahul Rameshbabu <sergeantsagara@protonmail.com>: rework changelog ]
+Fixes: cd667ce24796 ("HID: use debugfs for events/reports dumping")
+Signed-off-by: Charles Yi <be286@163.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-core.c | 12 ++++++++++--
+ drivers/hid/hid-debug.c | 3 +++
+ include/linux/hid.h | 3 +++
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 35046adf1294e..7b76405df8c47 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -702,15 +702,22 @@ static void hid_close_report(struct hid_device *device)
+ * Free a device structure, all reports, and all fields.
+ */
+
+-static void hid_device_release(struct device *dev)
++void hiddev_free(struct kref *ref)
+ {
+- struct hid_device *hid = to_hid_device(dev);
++ struct hid_device *hid = container_of(ref, struct hid_device, ref);
+
+ hid_close_report(hid);
+ kfree(hid->dev_rdesc);
+ kfree(hid);
+ }
+
++static void hid_device_release(struct device *dev)
++{
++ struct hid_device *hid = to_hid_device(dev);
++
++ kref_put(&hid->ref, hiddev_free);
++}
++
+ /*
+ * Fetch a report description item from the data stream. We support long
+ * items, though they are not used yet.
+@@ -2490,6 +2497,7 @@ struct hid_device *hid_allocate_device(void)
+ spin_lock_init(&hdev->debug_list_lock);
+ sema_init(&hdev->driver_input_lock, 1);
+ mutex_init(&hdev->ll_open_lock);
++ kref_init(&hdev->ref);
+
+ return hdev;
+ }
+diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c
+index 03da865e423c7..b8274bdd7d27f 100644
+--- a/drivers/hid/hid-debug.c
++++ b/drivers/hid/hid-debug.c
+@@ -1096,6 +1096,7 @@ static int hid_debug_events_open(struct inode *inode, struct file *file)
+ goto out;
+ }
+ list->hdev = (struct hid_device *) inode->i_private;
++ kref_get(&list->hdev->ref);
+ file->private_data = list;
+ mutex_init(&list->read_mutex);
+
+@@ -1188,6 +1189,8 @@ static int hid_debug_events_release(struct inode *inode, struct file *file)
+ list_del(&list->node);
+ spin_unlock_irqrestore(&list->hdev->debug_list_lock, flags);
+ kfifo_free(&list->hid_debug_fifo);
++
++ kref_put(&list->hdev->ref, hiddev_free);
+ kfree(list);
+
+ return 0;
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index 4fa40d2e821f2..ad97435d8e01d 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -630,10 +630,13 @@ struct hid_device { /* device report descriptor */
+ struct list_head debug_list;
+ spinlock_t debug_list_lock;
+ wait_queue_head_t debug_wait;
++ struct kref ref;
+
+ unsigned int id; /* system unique id */
+ };
+
++void hiddev_free(struct kref *ref);
++
+ #define to_hid_device(pdev) \
+ container_of(pdev, struct hid_device, dev)
+
+--
+2.42.0
+
--- /dev/null
+From 8a4091712a7e2bdc91c7dac0990d5111ecdba0d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Nov 2023 22:17:59 +0800
+Subject: ipv4: Correct/silence an endian warning in __ip_do_redirect
+
+From: Kunwu Chan <chentao@kylinos.cn>
+
+[ Upstream commit c0e2926266af3b5acf28df0a8fc6e4d90effe0bb ]
+
+net/ipv4/route.c:783:46: warning: incorrect type in argument 2 (different base types)
+net/ipv4/route.c:783:46: expected unsigned int [usertype] key
+net/ipv4/route.c:783:46: got restricted __be32 [usertype] new_gw
+
+Fixes: 969447f226b4 ("ipv4: use new_gw for redirect neigh lookup")
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Link: https://lore.kernel.org/r/20231119141759.420477-1-chentao@kylinos.cn
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index ea5329cb0fce2..12c59d700942f 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -786,7 +786,7 @@ static void __ip_do_redirect(struct rtable *rt, struct sk_buff *skb, struct flow
+ goto reject_redirect;
+ }
+
+- n = __ipv4_neigh_lookup(rt->dst.dev, new_gw);
++ n = __ipv4_neigh_lookup(rt->dst.dev, (__force u32)new_gw);
+ if (!n)
+ n = neigh_create(&arp_tbl, &new_gw, rt->dst.dev);
+ if (!IS_ERR(n)) {
+--
+2.42.0
+
--- /dev/null
+From b27368bd6507bbe1de51580967bbc3fb3b61b89e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Nov 2023 12:41:26 +0100
+Subject: lockdep: Fix block chain corruption
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit bca4104b00fec60be330cd32818dd5c70db3d469 ]
+
+Kent reported an occasional KASAN splat in lockdep. Mark then noted:
+
+> I suspect the dodgy access is to chain_block_buckets[-1], which hits the last 4
+> bytes of the redzone and gets (incorrectly/misleadingly) attributed to
+> nr_large_chain_blocks.
+
+That would mean @size == 0, at which point size_to_bucket() returns -1
+and the above happens.
+
+alloc_chain_hlocks() has 'size - req', for the first with the
+precondition 'size >= rq', which allows the 0.
+
+This code is trying to split a block, del_chain_block() takes what we
+need, and add_chain_block() puts back the remainder, except in the
+above case the remainder is 0 sized and things go sideways.
+
+Fixes: 810507fe6fd5 ("locking/lockdep: Reuse freed chain_hlocks entries")
+Reported-by: Kent Overstreet <kent.overstreet@linux.dev>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Kent Overstreet <kent.overstreet@linux.dev>
+Link: https://lkml.kernel.org/r/20231121114126.GH8262@noisy.programming.kicks-ass.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/lockdep.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
+index e6a282bc16652..770ff5bf14878 100644
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -3416,7 +3416,8 @@ static int alloc_chain_hlocks(int req)
+ size = chain_block_size(curr);
+ if (likely(size >= req)) {
+ del_chain_block(0, size, chain_block_next(curr));
+- add_chain_block(curr + req, size - req);
++ if (size > req)
++ add_chain_block(curr + req, size - req);
+ return curr;
+ }
+ }
+--
+2.42.0
+
--- /dev/null
+From ddb1498832c71883c203ff626b38540cb668a8db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Mar 2022 11:35:30 +0530
+Subject: media: camss: Replace hard coded value with parameter
+
+From: Souptick Joarder (HPE) <jrdr.linux@gmail.com>
+
+[ Upstream commit a312f8982632fb1a882a8dc3c9fd127d082c1c02 ]
+
+Kernel test robot reported below warning ->
+drivers/media/platform/qcom/camss/camss-csid-gen2.c:407:3:
+warning: Value stored to 'val' is never read
+[clang-analyzer-deadcode.DeadStores]
+
+Replace hard coded value with val.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Souptick Joarder (HPE) <jrdr.linux@gmail.com>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Stable-dep-of: e655d1ae9703 ("media: qcom: camss: Fix set CSI2_RX_CFG1_VC_MODE when VC is greater than 3")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/camss/camss-csid-170.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/qcom/camss/camss-csid-170.c b/drivers/media/platform/qcom/camss/camss-csid-170.c
+index 82f59933ad7b3..c234b8d67bc59 100644
+--- a/drivers/media/platform/qcom/camss/camss-csid-170.c
++++ b/drivers/media/platform/qcom/camss/camss-csid-170.c
+@@ -398,7 +398,7 @@ static void csid_configure_stream(struct csid_device *csid, u8 enable)
+ writel_relaxed(val, csid->base + CSID_RDI_FRM_DROP_PERIOD(0));
+
+ val = 0;
+- writel_relaxed(0, csid->base + CSID_RDI_FRM_DROP_PATTERN(0));
++ writel_relaxed(val, csid->base + CSID_RDI_FRM_DROP_PATTERN(0));
+
+ val = 1;
+ writel_relaxed(val, csid->base + CSID_RDI_IRQ_SUBSAMPLE_PERIOD(0));
+--
+2.42.0
+
--- /dev/null
+From 3ab3b7c95c9db7b8daddff7a3ac61dc81394071d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 11:40:34 +0200
+Subject: media: camss: sm8250: Virtual channels for CSID
+
+From: Milen Mitkov <quic_mmitkov@quicinc.com>
+
+[ Upstream commit 3c4ed72a16bc6733cda9c65048af74a2e8eaa0eb ]
+
+CSID hardware on SM8250 can demux up to 4 simultaneous streams
+based on virtual channel (vc) or datatype (dt).
+The CSID subdevice entity now has 4 source ports that can be
+enabled/disabled and thus can control which virtual channels
+are enabled. Datatype demuxing not tested.
+
+In order to keep a valid internal state of the subdevice,
+implicit format propagation from the sink to the source pads
+has been preserved. However, the format on each source pad
+can be different and in that case it must be configured explicitly.
+
+CSID's s_stream is called when any stream is started or stopped.
+It will call configure_streams() that will rewrite IRQ settings to HW.
+When multiple streams are running simultaneously there is an issue
+when writing IRQ settings for one stream while another is still
+running, thus avoid re-writing settings if they were not changed
+in link setup, or by fully powering off the CSID hardware.
+
+Signed-off-by: Milen Mitkov <quic_mmitkov@quicinc.com>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Acked-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Stable-dep-of: e655d1ae9703 ("media: qcom: camss: Fix set CSI2_RX_CFG1_VC_MODE when VC is greater than 3")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../platform/qcom/camss/camss-csid-170.c | 54 ++++++++++++-------
+ .../media/platform/qcom/camss/camss-csid.c | 44 ++++++++++-----
+ .../media/platform/qcom/camss/camss-csid.h | 11 +++-
+ 3 files changed, 74 insertions(+), 35 deletions(-)
+
+diff --git a/drivers/media/platform/qcom/camss/camss-csid-170.c b/drivers/media/platform/qcom/camss/camss-csid-170.c
+index c234b8d67bc59..7ccf0c11a1a21 100644
+--- a/drivers/media/platform/qcom/camss/camss-csid-170.c
++++ b/drivers/media/platform/qcom/camss/camss-csid-170.c
+@@ -327,13 +327,14 @@ static const struct csid_format csid_formats[] = {
+ },
+ };
+
+-static void csid_configure_stream(struct csid_device *csid, u8 enable)
++static void __csid_configure_stream(struct csid_device *csid, u8 enable, u8 vc)
+ {
+ struct csid_testgen_config *tg = &csid->testgen;
+ u32 val;
+ u32 phy_sel = 0;
+ u8 lane_cnt = csid->phy.lane_cnt;
+- struct v4l2_mbus_framefmt *input_format = &csid->fmt[MSM_CSID_PAD_SRC];
++ /* Source pads matching RDI channels on hardware. Pad 1 -> RDI0, Pad 2 -> RDI1, etc. */
++ struct v4l2_mbus_framefmt *input_format = &csid->fmt[MSM_CSID_PAD_FIRST_SRC + vc];
+ const struct csid_format *format = csid_get_fmt_entry(csid->formats, csid->nformats,
+ input_format->code);
+
+@@ -344,8 +345,7 @@ static void csid_configure_stream(struct csid_device *csid, u8 enable)
+ phy_sel = csid->phy.csiphy_id;
+
+ if (enable) {
+- u8 vc = 0; /* Virtual Channel 0 */
+- u8 dt_id = vc * 4;
++ u8 dt_id = vc;
+
+ if (tg->enabled) {
+ /* Config Test Generator */
+@@ -388,42 +388,42 @@ static void csid_configure_stream(struct csid_device *csid, u8 enable)
+ val |= format->data_type << RDI_CFG0_DATA_TYPE;
+ val |= vc << RDI_CFG0_VIRTUAL_CHANNEL;
+ val |= dt_id << RDI_CFG0_DT_ID;
+- writel_relaxed(val, csid->base + CSID_RDI_CFG0(0));
++ writel_relaxed(val, csid->base + CSID_RDI_CFG0(vc));
+
+ /* CSID_TIMESTAMP_STB_POST_IRQ */
+ val = 2 << RDI_CFG1_TIMESTAMP_STB_SEL;
+- writel_relaxed(val, csid->base + CSID_RDI_CFG1(0));
++ writel_relaxed(val, csid->base + CSID_RDI_CFG1(vc));
+
+ val = 1;
+- writel_relaxed(val, csid->base + CSID_RDI_FRM_DROP_PERIOD(0));
++ writel_relaxed(val, csid->base + CSID_RDI_FRM_DROP_PERIOD(vc));
+
+ val = 0;
+- writel_relaxed(val, csid->base + CSID_RDI_FRM_DROP_PATTERN(0));
++ writel_relaxed(val, csid->base + CSID_RDI_FRM_DROP_PATTERN(vc));
+
+ val = 1;
+- writel_relaxed(val, csid->base + CSID_RDI_IRQ_SUBSAMPLE_PERIOD(0));
++ writel_relaxed(val, csid->base + CSID_RDI_IRQ_SUBSAMPLE_PERIOD(vc));
+
+ val = 0;
+- writel_relaxed(val, csid->base + CSID_RDI_IRQ_SUBSAMPLE_PATTERN(0));
++ writel_relaxed(val, csid->base + CSID_RDI_IRQ_SUBSAMPLE_PATTERN(vc));
+
+ val = 1;
+- writel_relaxed(val, csid->base + CSID_RDI_RPP_PIX_DROP_PERIOD(0));
++ writel_relaxed(val, csid->base + CSID_RDI_RPP_PIX_DROP_PERIOD(vc));
+
+ val = 0;
+- writel_relaxed(val, csid->base + CSID_RDI_RPP_PIX_DROP_PATTERN(0));
++ writel_relaxed(val, csid->base + CSID_RDI_RPP_PIX_DROP_PATTERN(vc));
+
+ val = 1;
+- writel_relaxed(val, csid->base + CSID_RDI_RPP_LINE_DROP_PERIOD(0));
++ writel_relaxed(val, csid->base + CSID_RDI_RPP_LINE_DROP_PERIOD(vc));
+
+ val = 0;
+- writel_relaxed(val, csid->base + CSID_RDI_RPP_LINE_DROP_PATTERN(0));
++ writel_relaxed(val, csid->base + CSID_RDI_RPP_LINE_DROP_PATTERN(vc));
+
+ val = 0;
+- writel_relaxed(val, csid->base + CSID_RDI_CTRL(0));
++ writel_relaxed(val, csid->base + CSID_RDI_CTRL(vc));
+
+- val = readl_relaxed(csid->base + CSID_RDI_CFG0(0));
++ val = readl_relaxed(csid->base + CSID_RDI_CFG0(vc));
+ val |= 1 << RDI_CFG0_ENABLE;
+- writel_relaxed(val, csid->base + CSID_RDI_CFG0(0));
++ writel_relaxed(val, csid->base + CSID_RDI_CFG0(vc));
+ }
+
+ if (tg->enabled) {
+@@ -449,7 +449,16 @@ static void csid_configure_stream(struct csid_device *csid, u8 enable)
+ val = HALT_CMD_RESUME_AT_FRAME_BOUNDARY << RDI_CTRL_HALT_CMD;
+ else
+ val = HALT_CMD_HALT_AT_FRAME_BOUNDARY << RDI_CTRL_HALT_CMD;
+- writel_relaxed(val, csid->base + CSID_RDI_CTRL(0));
++ writel_relaxed(val, csid->base + CSID_RDI_CTRL(vc));
++}
++
++static void csid_configure_stream(struct csid_device *csid, u8 enable)
++{
++ u8 i;
++ /* Loop through all enabled VCs and configure stream for each */
++ for (i = 0; i < MSM_CSID_MAX_SRC_STREAMS; i++)
++ if (csid->phy.en_vc & BIT(i))
++ __csid_configure_stream(csid, enable, i);
+ }
+
+ static int csid_configure_testgen_pattern(struct csid_device *csid, s32 val)
+@@ -495,6 +504,7 @@ static irqreturn_t csid_isr(int irq, void *dev)
+ struct csid_device *csid = dev;
+ u32 val;
+ u8 reset_done;
++ int i;
+
+ val = readl_relaxed(csid->base + CSID_TOP_IRQ_STATUS);
+ writel_relaxed(val, csid->base + CSID_TOP_IRQ_CLEAR);
+@@ -503,8 +513,12 @@ static irqreturn_t csid_isr(int irq, void *dev)
+ val = readl_relaxed(csid->base + CSID_CSI2_RX_IRQ_STATUS);
+ writel_relaxed(val, csid->base + CSID_CSI2_RX_IRQ_CLEAR);
+
+- val = readl_relaxed(csid->base + CSID_CSI2_RDIN_IRQ_STATUS(0));
+- writel_relaxed(val, csid->base + CSID_CSI2_RDIN_IRQ_CLEAR(0));
++ /* Read and clear IRQ status for each enabled RDI channel */
++ for (i = 0; i < MSM_CSID_MAX_SRC_STREAMS; i++)
++ if (csid->phy.en_vc & BIT(i)) {
++ val = readl_relaxed(csid->base + CSID_CSI2_RDIN_IRQ_STATUS(i));
++ writel_relaxed(val, csid->base + CSID_CSI2_RDIN_IRQ_CLEAR(i));
++ }
+
+ val = 1 << IRQ_CMD_CLEAR;
+ writel_relaxed(val, csid->base + CSID_IRQ_CMD);
+diff --git a/drivers/media/platform/qcom/camss/camss-csid.c b/drivers/media/platform/qcom/camss/camss-csid.c
+index a1637b78568b2..2a294587ec9d9 100644
+--- a/drivers/media/platform/qcom/camss/camss-csid.c
++++ b/drivers/media/platform/qcom/camss/camss-csid.c
+@@ -180,6 +180,8 @@ static int csid_set_power(struct v4l2_subdev *sd, int on)
+ return ret;
+ }
+
++ csid->phy.need_vc_update = true;
++
+ enable_irq(csid->irq);
+
+ ret = csid->ops->reset(csid);
+@@ -229,7 +231,10 @@ static int csid_set_stream(struct v4l2_subdev *sd, int enable)
+ return -ENOLINK;
+ }
+
+- csid->ops->configure_stream(csid, enable);
++ if (csid->phy.need_vc_update) {
++ csid->ops->configure_stream(csid, enable);
++ csid->phy.need_vc_update = false;
++ }
+
+ return 0;
+ }
+@@ -440,6 +445,7 @@ static int csid_set_format(struct v4l2_subdev *sd,
+ {
+ struct csid_device *csid = v4l2_get_subdevdata(sd);
+ struct v4l2_mbus_framefmt *format;
++ int i;
+
+ format = __csid_get_format(csid, sd_state, fmt->pad, fmt->which);
+ if (format == NULL)
+@@ -448,14 +454,14 @@ static int csid_set_format(struct v4l2_subdev *sd,
+ csid_try_format(csid, sd_state, fmt->pad, &fmt->format, fmt->which);
+ *format = fmt->format;
+
+- /* Propagate the format from sink to source */
++ /* Propagate the format from sink to source pads */
+ if (fmt->pad == MSM_CSID_PAD_SINK) {
+- format = __csid_get_format(csid, sd_state, MSM_CSID_PAD_SRC,
+- fmt->which);
++ for (i = MSM_CSID_PAD_FIRST_SRC; i < MSM_CSID_PADS_NUM; ++i) {
++ format = __csid_get_format(csid, sd_state, i, fmt->which);
+
+- *format = fmt->format;
+- csid_try_format(csid, sd_state, MSM_CSID_PAD_SRC, format,
+- fmt->which);
++ *format = fmt->format;
++ csid_try_format(csid, sd_state, i, format, fmt->which);
++ }
+ }
+
+ return 0;
+@@ -695,7 +701,6 @@ static int csid_link_setup(struct media_entity *entity,
+ struct csid_device *csid;
+ struct csiphy_device *csiphy;
+ struct csiphy_lanes_cfg *lane_cfg;
+- struct v4l2_subdev_format format = { 0 };
+
+ sd = media_entity_to_v4l2_subdev(entity);
+ csid = v4l2_get_subdevdata(sd);
+@@ -718,11 +723,22 @@ static int csid_link_setup(struct media_entity *entity,
+ lane_cfg = &csiphy->cfg.csi2->lane_cfg;
+ csid->phy.lane_cnt = lane_cfg->num_data;
+ csid->phy.lane_assign = csid_get_lane_assign(lane_cfg);
++ }
++ /* Decide which virtual channels to enable based on which source pads are enabled */
++ if (local->flags & MEDIA_PAD_FL_SOURCE) {
++ struct v4l2_subdev *sd = media_entity_to_v4l2_subdev(entity);
++ struct csid_device *csid = v4l2_get_subdevdata(sd);
++ struct device *dev = csid->camss->dev;
++
++ if (flags & MEDIA_LNK_FL_ENABLED)
++ csid->phy.en_vc |= BIT(local->index - 1);
++ else
++ csid->phy.en_vc &= ~BIT(local->index - 1);
+
+- /* Reset format on source pad to sink pad format */
+- format.pad = MSM_CSID_PAD_SRC;
+- format.which = V4L2_SUBDEV_FORMAT_ACTIVE;
+- csid_set_format(&csid->subdev, NULL, &format);
++ csid->phy.need_vc_update = true;
++
++ dev_dbg(dev, "%s: Enabled CSID virtual channels mask 0x%x\n",
++ __func__, csid->phy.en_vc);
+ }
+
+ return 0;
+@@ -773,6 +789,7 @@ int msm_csid_register_entity(struct csid_device *csid,
+ struct v4l2_subdev *sd = &csid->subdev;
+ struct media_pad *pads = csid->pads;
+ struct device *dev = csid->camss->dev;
++ int i;
+ int ret;
+
+ v4l2_subdev_init(sd, &csid_v4l2_ops);
+@@ -809,7 +826,8 @@ int msm_csid_register_entity(struct csid_device *csid,
+ }
+
+ pads[MSM_CSID_PAD_SINK].flags = MEDIA_PAD_FL_SINK;
+- pads[MSM_CSID_PAD_SRC].flags = MEDIA_PAD_FL_SOURCE;
++ for (i = MSM_CSID_PAD_FIRST_SRC; i < MSM_CSID_PADS_NUM; ++i)
++ pads[i].flags = MEDIA_PAD_FL_SOURCE;
+
+ sd->entity.function = MEDIA_ENT_F_PROC_VIDEO_PIXEL_FORMATTER;
+ sd->entity.ops = &csid_media_ops;
+diff --git a/drivers/media/platform/qcom/camss/camss-csid.h b/drivers/media/platform/qcom/camss/camss-csid.h
+index 814ebc7c29d65..6b5485fe18332 100644
+--- a/drivers/media/platform/qcom/camss/camss-csid.h
++++ b/drivers/media/platform/qcom/camss/camss-csid.h
+@@ -19,8 +19,13 @@
+ #include <media/v4l2-subdev.h>
+
+ #define MSM_CSID_PAD_SINK 0
+-#define MSM_CSID_PAD_SRC 1
+-#define MSM_CSID_PADS_NUM 2
++#define MSM_CSID_PAD_FIRST_SRC 1
++#define MSM_CSID_PADS_NUM 5
++
++#define MSM_CSID_PAD_SRC (MSM_CSID_PAD_FIRST_SRC)
++
++/* CSID hardware can demultiplex up to 4 outputs */
++#define MSM_CSID_MAX_SRC_STREAMS 4
+
+ #define DATA_TYPE_EMBEDDED_DATA_8BIT 0x12
+ #define DATA_TYPE_YUV420_8BIT 0x18
+@@ -81,6 +86,8 @@ struct csid_phy_config {
+ u8 csiphy_id;
+ u8 lane_cnt;
+ u32 lane_assign;
++ u32 en_vc;
++ u8 need_vc_update;
+ };
+
+ struct csid_device;
+--
+2.42.0
+
--- /dev/null
+From 40fe33146f58af3f58e9517290550845142c81cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 16:16:15 +0100
+Subject: media: qcom: camss: Fix csid-gen2 for test pattern generator
+
+From: Andrey Konovalov <andrey.konovalov@linaro.org>
+
+[ Upstream commit 87889f1b7ea40d2544b49c62092e6ef2792dced7 ]
+
+In the current driver csid Test Pattern Generator (TPG) doesn't work.
+This change:
+- fixes writing frame width and height values into CSID_TPG_DT_n_CFG_0
+- fixes the shift by one between test_pattern control value and the
+ actual pattern.
+- drops fixed VC of 0x0a which testing showed prohibited some test
+ patterns in the CSID to produce output.
+So that TPG starts working, but with the below limitations:
+- only test_pattern=9 works as it should
+- test_pattern=8 and test_pattern=7 produce black frame (all zeroes)
+- the rest of test_pattern's don't work (yavta doesn't get the data)
+- regardless of the CFA pattern set by 'media-ctl -V' the actual pixel
+ order is always the same (RGGB for any RAW8 or RAW10P format in
+ 4608x2592 resolution).
+
+Tested with:
+
+RAW10P format, VC0:
+ media-ctl -V '"msm_csid0":0[fmt:SRGGB10/4608x2592 field:none]'
+ media-ctl -V '"msm_vfe0_rdi0":0[fmt:SRGGB10/4608x2592 field:none]'
+ media-ctl -l '"msm_csid0":1->"msm_vfe0_rdi0":0[1]'
+ v4l2-ctl -d /dev/v4l-subdev6 -c test_pattern=9
+ yavta -B capture-mplane --capture=3 -n 3 -f SRGGB10P -s 4608x2592 /dev/video0
+
+RAW10P format, VC1:
+ media-ctl -V '"msm_csid0":2[fmt:SRGGB10/4608x2592 field:none]'
+ media-ctl -V '"msm_vfe0_rdi1":0[fmt:SRGGB10/4608x2592 field:none]'
+ media-ctl -l '"msm_csid0":2->"msm_vfe0_rdi1":0[1]'
+ v4l2-ctl -d /dev/v4l-subdev6 -c test_pattern=9
+ yavta -B capture-mplane --capture=3 -n 3 -f SRGGB10P -s 4608x2592 /dev/video1
+
+RAW8 format, VC0:
+ media-ctl --reset
+ media-ctl -V '"msm_csid0":0[fmt:SRGGB8/4608x2592 field:none]'
+ media-ctl -V '"msm_vfe0_rdi0":0[fmt:SRGGB8/4608x2592 field:none]'
+ media-ctl -l '"msm_csid0":1->"msm_vfe0_rdi0":0[1]'
+ yavta -B capture-mplane --capture=3 -n 3 -f SRGGB8 -s 4608x2592 /dev/video0
+
+Fixes: eebe6d00e9bf ("media: camss: Add support for CSID hardware version Titan 170")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/camss/camss-csid-170.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/platform/qcom/camss/camss-csid-170.c b/drivers/media/platform/qcom/camss/camss-csid-170.c
+index 270a960165b53..f7839e994bda6 100644
+--- a/drivers/media/platform/qcom/camss/camss-csid-170.c
++++ b/drivers/media/platform/qcom/camss/camss-csid-170.c
+@@ -348,9 +348,6 @@ static void __csid_configure_stream(struct csid_device *csid, u8 enable, u8 vc)
+ u8 dt_id = vc;
+
+ if (tg->enabled) {
+- /* Config Test Generator */
+- vc = 0xa;
+-
+ /* configure one DT, infinite frames */
+ val = vc << TPG_VC_CFG0_VC_NUM;
+ val |= INTELEAVING_MODE_ONE_SHOT << TPG_VC_CFG0_LINE_INTERLEAVING_MODE;
+@@ -363,14 +360,14 @@ static void __csid_configure_stream(struct csid_device *csid, u8 enable, u8 vc)
+
+ writel_relaxed(0x12345678, csid->base + CSID_TPG_LFSR_SEED);
+
+- val = input_format->height & 0x1fff << TPG_DT_n_CFG_0_FRAME_HEIGHT;
+- val |= input_format->width & 0x1fff << TPG_DT_n_CFG_0_FRAME_WIDTH;
++ val = (input_format->height & 0x1fff) << TPG_DT_n_CFG_0_FRAME_HEIGHT;
++ val |= (input_format->width & 0x1fff) << TPG_DT_n_CFG_0_FRAME_WIDTH;
+ writel_relaxed(val, csid->base + CSID_TPG_DT_n_CFG_0(0));
+
+ val = format->data_type << TPG_DT_n_CFG_1_DATA_TYPE;
+ writel_relaxed(val, csid->base + CSID_TPG_DT_n_CFG_1(0));
+
+- val = tg->mode << TPG_DT_n_CFG_2_PAYLOAD_MODE;
++ val = (tg->mode - 1) << TPG_DT_n_CFG_2_PAYLOAD_MODE;
+ val |= 0xBE << TPG_DT_n_CFG_2_USER_SPECIFIED_PAYLOAD;
+ val |= format->decode_format << TPG_DT_n_CFG_2_ENCODE_FORMAT;
+ writel_relaxed(val, csid->base + CSID_TPG_DT_n_CFG_2(0));
+--
+2.42.0
+
--- /dev/null
+From 336977f691a85e7e41063f395d58c7b0732989a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 16:16:14 +0100
+Subject: media: qcom: camss: Fix set CSI2_RX_CFG1_VC_MODE when VC is greater
+ than 3
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+[ Upstream commit e655d1ae9703286cef7fda8675cad62f649dc183 ]
+
+VC_MODE = 0 implies a two bit VC address.
+VC_MODE = 1 is required for VCs with a larger address than two bits.
+
+Fixes: eebe6d00e9bf ("media: camss: Add support for CSID hardware version Titan 170")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/camss/camss-csid-170.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/platform/qcom/camss/camss-csid-170.c b/drivers/media/platform/qcom/camss/camss-csid-170.c
+index 7ccf0c11a1a21..270a960165b53 100644
+--- a/drivers/media/platform/qcom/camss/camss-csid-170.c
++++ b/drivers/media/platform/qcom/camss/camss-csid-170.c
+@@ -442,6 +442,8 @@ static void __csid_configure_stream(struct csid_device *csid, u8 enable, u8 vc)
+ writel_relaxed(val, csid->base + CSID_CSI2_RX_CFG0);
+
+ val = 1 << CSI2_RX_CFG1_PACKET_ECC_CORRECTION_EN;
++ if (vc > 3)
++ val |= 1 << CSI2_RX_CFG1_VC_MODE;
+ val |= 1 << CSI2_RX_CFG1_MISR_EN;
+ writel_relaxed(val, csid->base + CSID_CSI2_RX_CFG1); // csi2_vc_mode_shift_val ?
+
+--
+2.42.0
+
--- /dev/null
+From 0d6c1e5d7e64c2df96dde047a8db6bea9837aa54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Oct 2023 16:54:34 +0800
+Subject: MIPS: KVM: Fix a build warning about variable set but not used
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+[ Upstream commit 83767a67e7b6a0291cde5681ec7e3708f3f8f877 ]
+
+After commit 411740f5422a ("KVM: MIPS/MMU: Implement KVM_CAP_SYNC_MMU")
+old_pte is no longer used in kvm_mips_map_page(). So remove it to fix a
+build warning about variable set but not used:
+
+ arch/mips/kvm/mmu.c: In function 'kvm_mips_map_page':
+>> arch/mips/kvm/mmu.c:701:29: warning: variable 'old_pte' set but not used [-Wunused-but-set-variable]
+ 701 | pte_t *ptep, entry, old_pte;
+ | ^~~~~~~
+
+Cc: stable@vger.kernel.org
+Fixes: 411740f5422a960 ("KVM: MIPS/MMU: Implement KVM_CAP_SYNC_MMU")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202310070530.aARZCSfh-lkp@intel.com/
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kvm/mmu.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/mips/kvm/mmu.c b/arch/mips/kvm/mmu.c
+index 1bfd1b501d823..72b5249452273 100644
+--- a/arch/mips/kvm/mmu.c
++++ b/arch/mips/kvm/mmu.c
+@@ -593,7 +593,7 @@ static int kvm_mips_map_page(struct kvm_vcpu *vcpu, unsigned long gpa,
+ gfn_t gfn = gpa >> PAGE_SHIFT;
+ int srcu_idx, err;
+ kvm_pfn_t pfn;
+- pte_t *ptep, entry, old_pte;
++ pte_t *ptep, entry;
+ bool writeable;
+ unsigned long prot_bits;
+ unsigned long mmu_seq;
+@@ -665,7 +665,6 @@ static int kvm_mips_map_page(struct kvm_vcpu *vcpu, unsigned long gpa,
+ entry = pfn_pte(pfn, __pgprot(prot_bits));
+
+ /* Write the PTE */
+- old_pte = *ptep;
+ set_pte(ptep, entry);
+
+ err = 0;
+--
+2.42.0
+
--- /dev/null
+From 1ab49fb9ba6a6d6dcd68bfb93031a9ee9fde4c4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Nov 2023 16:42:17 -0800
+Subject: net: axienet: Fix check for partial TX checksum
+
+From: Samuel Holland <samuel.holland@sifive.com>
+
+[ Upstream commit fd0413bbf8b11f56e8aa842783b0deda0dfe2926 ]
+
+Due to a typo, the code checked the RX checksum feature in the TX path.
+
+Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver")
+Signed-off-by: Samuel Holland <samuel.holland@sifive.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+Link: https://lore.kernel.org/r/20231122004219.3504219-1-samuel.holland@sifive.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+index e7f6c29b8dd82..63f33126d02fe 100644
+--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c
+@@ -763,7 +763,7 @@ axienet_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ if (lp->features & XAE_FEATURE_FULL_TX_CSUM) {
+ /* Tx Full Checksum Offload Enabled */
+ cur_p->app0 |= 2;
+- } else if (lp->features & XAE_FEATURE_PARTIAL_RX_CSUM) {
++ } else if (lp->features & XAE_FEATURE_PARTIAL_TX_CSUM) {
+ csum_start_off = skb_transport_offset(skb);
+ csum_index_off = csum_start_off + skb->csum_offset;
+ /* Tx Partial Checksum Offload Enabled */
+--
+2.42.0
+
--- /dev/null
+From cf13e1fdd3ad410d8d71aa7bb4ad91b9c0e140aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Nov 2023 10:37:05 +0800
+Subject: net/smc: avoid data corruption caused by decline
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: D. Wythe <alibuda@linux.alibaba.com>
+
+[ Upstream commit e6d71b437abc2f249e3b6a1ae1a7228e09c6e563 ]
+
+We found a data corruption issue during testing of SMC-R on Redis
+applications.
+
+The benchmark has a low probability of reporting a strange error as
+shown below.
+
+"Error: Protocol error, got "\xe2" as reply type byte"
+
+Finally, we found that the retrieved error data was as follows:
+
+0xE2 0xD4 0xC3 0xD9 0x04 0x00 0x2C 0x20 0xA6 0x56 0x00 0x16 0x3E 0x0C
+0xCB 0x04 0x02 0x01 0x00 0x00 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00
+0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xE2
+
+It is quite obvious that this is a SMC DECLINE message, which means that
+the applications received SMC protocol message.
+We found that this was caused by the following situations:
+
+client server
+ ¦ clc proposal
+ ------------->
+ ¦ clc accept
+ <-------------
+ ¦ clc confirm
+ ------------->
+wait llc confirm
+ send llc confirm
+ ¦failed llc confirm
+ ¦ x------
+(after 2s)timeout
+ wait llc confirm rsp
+
+wait decline
+
+(after 1s) timeout
+ (after 2s) timeout
+ ¦ decline
+ -------------->
+ ¦ decline
+ <--------------
+
+As a result, a decline message was sent in the implementation, and this
+message was read from TCP by the already-fallback connection.
+
+This patch double the client timeout as 2x of the server value,
+With this simple change, the Decline messages should never cross or
+collide (during Confirm link timeout).
+
+This issue requires an immediate solution, since the protocol updates
+involve a more long-term solution.
+
+Fixes: 0fb0b02bd6fd ("net/smc: adapt SMC client code to use the LLC flow")
+Signed-off-by: D. Wythe <alibuda@linux.alibaba.com>
+Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
+Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 49cf523a783a2..8c11eb70c0f69 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -398,8 +398,12 @@ static int smcr_clnt_conf_first_link(struct smc_sock *smc)
+ struct smc_llc_qentry *qentry;
+ int rc;
+
+- /* receive CONFIRM LINK request from server over RoCE fabric */
+- qentry = smc_llc_wait(link->lgr, NULL, SMC_LLC_WAIT_TIME,
++ /* Receive CONFIRM LINK request from server over RoCE fabric.
++ * Increasing the client's timeout by twice as much as the server's
++ * timeout by default can temporarily avoid decline messages of
++ * both sides crossing or colliding
++ */
++ qentry = smc_llc_wait(link->lgr, NULL, 2 * SMC_LLC_WAIT_TIME,
+ SMC_LLC_CONFIRM_LINK);
+ if (!qentry) {
+ struct smc_clc_msg_decline dclc;
+--
+2.42.0
+
--- /dev/null
+From 92cb614315c3c0b8dde84c1bf26377aa378bcff1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Nov 2023 13:06:29 +0100
+Subject: net: usb: ax88179_178a: fix failed operations during ax88179_reset
+
+From: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
+
+[ Upstream commit 0739af07d1d947af27c877f797cb82ceee702515 ]
+
+Using generic ASIX Electronics Corp. AX88179 Gigabit Ethernet device,
+the following test cycle has been implemented:
+ - power on
+ - check logs
+ - shutdown
+ - after detecting the system shutdown, disconnect power
+ - after approximately 60 seconds of sleep, power is restored
+Running some cycles, sometimes error logs like this appear:
+ kernel: ax88179_178a 2-9:1.0 (unnamed net_device) (uninitialized): Failed to write reg index 0x0001: -19
+ kernel: ax88179_178a 2-9:1.0 (unnamed net_device) (uninitialized): Failed to read reg index 0x0001: -19
+ ...
+These failed operation are happening during ax88179_reset execution, so
+the initialization could not be correct.
+
+In order to avoid this, we need to increase the delay after reset and
+clock initial operations. By using these larger values, many cycles
+have been run and no failed operations appear.
+
+It would be better to check some status register to verify when the
+operation has finished, but I do not have found any available information
+(neither in the public datasheets nor in the manufacturer's driver). The
+only available information for the necessary delays is the maufacturer's
+driver (original values) but the proposed values are not enough for the
+tested devices.
+
+Fixes: e2ca90c276e1f ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver")
+Reported-by: Herb Wei <weihao.bj@ieisystem.com>
+Tested-by: Herb Wei <weihao.bj@ieisystem.com>
+Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
+Link: https://lore.kernel.org/r/20231120120642.54334-1-jtornosm@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ax88179_178a.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
+index 0a2c3860179e7..c419baf478134 100644
+--- a/drivers/net/usb/ax88179_178a.c
++++ b/drivers/net/usb/ax88179_178a.c
+@@ -1700,11 +1700,11 @@ static int ax88179_reset(struct usbnet *dev)
+
+ *tmp16 = AX_PHYPWR_RSTCTL_IPRL;
+ ax88179_write_cmd(dev, AX_ACCESS_MAC, AX_PHYPWR_RSTCTL, 2, 2, tmp16);
+- msleep(200);
++ msleep(500);
+
+ *tmp = AX_CLK_SELECT_ACS | AX_CLK_SELECT_BCS;
+ ax88179_write_cmd(dev, AX_ACCESS_MAC, AX_CLK_SELECT, 1, 1, tmp);
+- msleep(100);
++ msleep(200);
+
+ /* Ethernet PHY Auto Detach*/
+ ax88179_auto_detach(dev, 0);
+--
+2.42.0
+
--- /dev/null
+From 542251a1cf600d96f0a0f7b97c54ad084f939449 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Nov 2023 08:13:36 -0500
+Subject: nvmet: nul-terminate the NQNs passed in the connect command
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 1c22e0295a5eb571c27b53c7371f95699ef705ff ]
+
+The host and subsystem NQNs are passed in the connect command payload and
+interpreted as nul-terminated strings. Ensure they actually are
+nul-terminated before using them.
+
+Fixes: a07b4970f464 "nvmet: add a generic NVMe target")
+Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/fabrics-cmd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/nvme/target/fabrics-cmd.c b/drivers/nvme/target/fabrics-cmd.c
+index 7d0454cee9205..e5ee3d3ce1649 100644
+--- a/drivers/nvme/target/fabrics-cmd.c
++++ b/drivers/nvme/target/fabrics-cmd.c
+@@ -206,6 +206,8 @@ static void nvmet_execute_admin_connect(struct nvmet_req *req)
+ goto out;
+ }
+
++ d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
++ d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
+ status = nvmet_alloc_ctrl(d->subsysnqn, d->hostnqn, req,
+ le32_to_cpu(c->kato), &ctrl);
+ if (status)
+@@ -263,6 +265,8 @@ static void nvmet_execute_io_connect(struct nvmet_req *req)
+ goto out;
+ }
+
++ d->subsysnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
++ d->hostnqn[NVMF_NQN_FIELD_LEN - 1] = '\0';
+ ctrl = nvmet_ctrl_find_get(d->subsysnqn, d->hostnqn,
+ le16_to_cpu(d->cntlid), req);
+ if (!ctrl) {
+--
+2.42.0
+
--- /dev/null
+From 2e967e99c33d7d2a6550c823d6131749bf58aa08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Nov 2023 16:10:18 +0530
+Subject: octeontx2-pf: Fix memory leak during interface down
+
+From: Suman Ghosh <sumang@marvell.com>
+
+[ Upstream commit 5f228d7c8a539714c1e9b7e7534f76bb7979f268 ]
+
+During 'ifconfig <netdev> down' one RSS memory was not getting freed.
+This patch fixes the same.
+
+Fixes: 81a4362016e7 ("octeontx2-pf: Add RSS multi group support")
+Signed-off-by: Suman Ghosh <sumang@marvell.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+index a718d42daeb5e..8cb4b16ffad77 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+@@ -1838,6 +1838,8 @@ int otx2_stop(struct net_device *netdev)
+ /* Clear RSS enable flag */
+ rss = &pf->hw.rss_info;
+ rss->enable = false;
++ if (!netif_is_rxfh_configured(netdev))
++ kfree(rss->rss_ctx[DEFAULT_RSS_CONTEXT_GROUP]);
+
+ /* Cleanup Queue IRQ */
+ vec = pci_irq_vector(pf->pdev,
+--
+2.42.0
+
--- /dev/null
+From dc48792ade0a38f5542376a001da74b6f64bde3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Nov 2023 22:26:24 +0530
+Subject: octeontx2-pf: Fix ntuple rule creation to direct packet to VF with
+ higher Rx queue than its PF
+
+From: Suman Ghosh <sumang@marvell.com>
+
+[ Upstream commit 4aa1d8f89b10cdc25a231dabf808d8935e0b137a ]
+
+It is possible to add a ntuple rule which would like to direct packet to
+a VF whose number of queues are greater/less than its PF's queue numbers.
+For example a PF can have 2 Rx queues but a VF created on that PF can have
+8 Rx queues. As of today, ntuple rule will reject rule because it is
+checking the requested queue number against PF's number of Rx queues.
+As a part of this fix if the action of a ntuple rule is to move a packet
+to a VF's queue then the check is removed. Also, a debug information is
+printed to aware user that it is user's responsibility to cross check if
+the requested queue number on that VF is a valid one.
+
+Fixes: f0a1913f8a6f ("octeontx2-pf: Add support for ethtool ntuple filters")
+Signed-off-by: Suman Ghosh <sumang@marvell.com>
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20231121165624.3664182-1-sumang@marvell.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../marvell/octeontx2/nic/otx2_flows.c | 20 ++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c
+index 483f660cebc40..c3e5ebc416676 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c
+@@ -1002,6 +1002,7 @@ int otx2_add_flow(struct otx2_nic *pfvf, struct ethtool_rxnfc *nfc)
+ struct ethhdr *eth_hdr;
+ bool new = false;
+ int err = 0;
++ u64 vf_num;
+ u32 ring;
+
+ if (!flow_cfg->max_flows) {
+@@ -1014,7 +1015,21 @@ int otx2_add_flow(struct otx2_nic *pfvf, struct ethtool_rxnfc *nfc)
+ if (!(pfvf->flags & OTX2_FLAG_NTUPLE_SUPPORT))
+ return -ENOMEM;
+
+- if (ring >= pfvf->hw.rx_queues && fsp->ring_cookie != RX_CLS_FLOW_DISC)
++ /* Number of queues on a VF can be greater or less than
++ * the PF's queue. Hence no need to check for the
++ * queue count. Hence no need to check queue count if PF
++ * is installing for its VF. Below is the expected vf_num value
++ * based on the ethtool commands.
++ *
++ * e.g.
++ * 1. ethtool -U <netdev> ... action -1 ==> vf_num:255
++ * 2. ethtool -U <netdev> ... action <queue_num> ==> vf_num:0
++ * 3. ethtool -U <netdev> ... vf <vf_idx> queue <queue_num> ==>
++ * vf_num:vf_idx+1
++ */
++ vf_num = ethtool_get_flow_spec_ring_vf(fsp->ring_cookie);
++ if (!is_otx2_vf(pfvf->pcifunc) && !vf_num &&
++ ring >= pfvf->hw.rx_queues && fsp->ring_cookie != RX_CLS_FLOW_DISC)
+ return -EINVAL;
+
+ if (fsp->location >= otx2_get_maxflows(flow_cfg))
+@@ -1096,6 +1111,9 @@ int otx2_add_flow(struct otx2_nic *pfvf, struct ethtool_rxnfc *nfc)
+ flow_cfg->nr_flows++;
+ }
+
++ if (flow->is_vf)
++ netdev_info(pfvf->netdev,
++ "Make sure that VF's queue number is within its queue limit\n");
+ return 0;
+ }
+
+--
+2.42.0
+
--- /dev/null
+afs-fix-afs_server_list-to-be-cleaned-up-with-rcu.patch
+afs-make-error-on-cell-lookup-failure-consistent-wit.patch
+drm-panel-boe-tv101wum-nl6-fine-tune-the-panel-power.patch
+drm-panel-auo-b101uan08.3-fine-tune-the-panel-power-.patch
+drm-panel-simple-fix-innolux-g101ice-l01-bus-flags.patch
+drm-panel-simple-fix-innolux-g101ice-l01-timings.patch
+wireguard-use-dev_stats_inc.patch
+octeontx2-pf-fix-memory-leak-during-interface-down.patch
+ata-pata_isapnp-add-missing-error-check-for-devm_iop.patch
+drm-rockchip-vop-fix-color-for-rgb888-bgr888-format-.patch
+hid-core-store-the-unique-system-identifier-in-hid_d.patch
+hid-fix-hid-device-resource-race-between-hid-core-an.patch
+ipv4-correct-silence-an-endian-warning-in-__ip_do_re.patch
+net-usb-ax88179_178a-fix-failed-operations-during-ax.patch
+net-smc-avoid-data-corruption-caused-by-decline.patch
+arm-xen-fix-xen_vcpu_info-allocation-alignment.patch
+octeontx2-pf-fix-ntuple-rule-creation-to-direct-pack.patch
+amd-xgbe-handle-corner-case-during-sfp-hotplug.patch
+amd-xgbe-handle-the-corner-case-during-tx-completion.patch
+amd-xgbe-propagate-the-correct-speed-and-duplex-stat.patch
+net-axienet-fix-check-for-partial-tx-checksum.patch
+afs-return-enoent-if-no-cell-dns-record-can-be-found.patch
+afs-fix-file-locking-on-r-o-volumes-to-operate-in-lo.patch
+nvmet-nul-terminate-the-nqns-passed-in-the-connect-c.patch
+usb-dwc3-qcom-fix-resource-leaks-on-probe-deferral.patch
+usb-dwc3-qcom-fix-acpi-platform-device-leak.patch
+lockdep-fix-block-chain-corruption.patch
+mips-kvm-fix-a-build-warning-about-variable-set-but-.patch
+media-camss-replace-hard-coded-value-with-parameter.patch
+media-camss-sm8250-virtual-channels-for-csid.patch
+media-qcom-camss-fix-set-csi2_rx_cfg1_vc_mode-when-v.patch
+media-qcom-camss-fix-csid-gen2-for-test-pattern-gene.patch
+ext4-add-a-new-helper-to-check-if-es-must-be-kept.patch
+ext4-factor-out-__es_alloc_extent-and-__es_free_exte.patch
+ext4-use-pre-allocated-es-in-__es_insert_extent.patch
+ext4-use-pre-allocated-es-in-__es_remove_extent.patch
+ext4-using-nofail-preallocation-in-ext4_es_remove_ex.patch
+ext4-using-nofail-preallocation-in-ext4_es_insert_de.patch
+ext4-using-nofail-preallocation-in-ext4_es_insert_ex.patch
+ext4-fix-slab-use-after-free-in-ext4_es_insert_exten.patch
+ext4-make-sure-allocate-pending-entry-not-fail.patch
--- /dev/null
+From c51888852f8a68bca97d576abf3de34c580ea42b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Nov 2023 18:36:50 +0100
+Subject: USB: dwc3: qcom: fix ACPI platform device leak
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 9cf87666fc6e08572341fe08ecd909935998fbbd ]
+
+Make sure to free the "urs" platform device, which is created for some
+ACPI platforms, on probe errors and on driver unbind.
+
+Compile-tested only.
+
+Fixes: c25c210f590e ("usb: dwc3: qcom: add URS Host support for sdm845 ACPI boot")
+Cc: Shawn Guo <shawn.guo@linaro.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Acked-by: Andrew Halaney <ahalaney@redhat.com>
+Acked-by: Shawn Guo <shawn.guo@linaro.org>
+Link: https://lore.kernel.org/r/20231117173650.21161-4-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-qcom.c | 37 +++++++++++++++++++++++++++++-------
+ 1 file changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c
+index d7240cdca07c1..5d67378bd77ce 100644
+--- a/drivers/usb/dwc3/dwc3-qcom.c
++++ b/drivers/usb/dwc3/dwc3-qcom.c
+@@ -704,9 +704,9 @@ static int dwc3_qcom_of_register_core(struct platform_device *pdev)
+ return ret;
+ }
+
+-static struct platform_device *
+-dwc3_qcom_create_urs_usb_platdev(struct device *dev)
++static struct platform_device *dwc3_qcom_create_urs_usb_platdev(struct device *dev)
+ {
++ struct platform_device *urs_usb = NULL;
+ struct fwnode_handle *fwh;
+ struct acpi_device *adev;
+ char name[8];
+@@ -726,9 +726,26 @@ dwc3_qcom_create_urs_usb_platdev(struct device *dev)
+
+ adev = to_acpi_device_node(fwh);
+ if (!adev)
+- return NULL;
++ goto err_put_handle;
++
++ urs_usb = acpi_create_platform_device(adev, NULL);
++ if (IS_ERR_OR_NULL(urs_usb))
++ goto err_put_handle;
++
++ return urs_usb;
+
+- return acpi_create_platform_device(adev, NULL);
++err_put_handle:
++ fwnode_handle_put(fwh);
++
++ return urs_usb;
++}
++
++static void dwc3_qcom_destroy_urs_usb_platdev(struct platform_device *urs_usb)
++{
++ struct fwnode_handle *fwh = urs_usb->dev.fwnode;
++
++ platform_device_unregister(urs_usb);
++ fwnode_handle_put(fwh);
+ }
+
+ static int dwc3_qcom_probe(struct platform_device *pdev)
+@@ -812,13 +829,13 @@ static int dwc3_qcom_probe(struct platform_device *pdev)
+ qcom->qscratch_base = devm_ioremap_resource(dev, parent_res);
+ if (IS_ERR(qcom->qscratch_base)) {
+ ret = PTR_ERR(qcom->qscratch_base);
+- goto clk_disable;
++ goto free_urs;
+ }
+
+ ret = dwc3_qcom_setup_irq(pdev);
+ if (ret) {
+ dev_err(dev, "failed to setup IRQs, err=%d\n", ret);
+- goto clk_disable;
++ goto free_urs;
+ }
+
+ /*
+@@ -837,7 +854,7 @@ static int dwc3_qcom_probe(struct platform_device *pdev)
+
+ if (ret) {
+ dev_err(dev, "failed to register DWC3 Core, err=%d\n", ret);
+- goto clk_disable;
++ goto free_urs;
+ }
+
+ ret = dwc3_qcom_interconnect_init(qcom);
+@@ -871,6 +888,9 @@ static int dwc3_qcom_probe(struct platform_device *pdev)
+ else
+ platform_device_del(qcom->dwc3);
+ platform_device_put(qcom->dwc3);
++free_urs:
++ if (qcom->urs_usb)
++ dwc3_qcom_destroy_urs_usb_platdev(qcom->urs_usb);
+ clk_disable:
+ for (i = qcom->num_clocks - 1; i >= 0; i--) {
+ clk_disable_unprepare(qcom->clks[i]);
+@@ -896,6 +916,9 @@ static int dwc3_qcom_remove(struct platform_device *pdev)
+ platform_device_del(qcom->dwc3);
+ platform_device_put(qcom->dwc3);
+
++ if (qcom->urs_usb)
++ dwc3_qcom_destroy_urs_usb_platdev(qcom->urs_usb);
++
+ for (i = qcom->num_clocks - 1; i >= 0; i--) {
+ clk_disable_unprepare(qcom->clks[i]);
+ clk_put(qcom->clks[i]);
+--
+2.42.0
+
--- /dev/null
+From 47a23ce2f7c6e87e74e7814c3246b85f3c2293ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Nov 2023 18:36:48 +0100
+Subject: USB: dwc3: qcom: fix resource leaks on probe deferral
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit 51392a1879ff06dc21b68aef4825f6ef68a7be42 ]
+
+The driver needs to deregister and free the newly allocated dwc3 core
+platform device on ACPI probe errors (e.g. probe deferral) and on driver
+unbind but instead it leaked those resources while erroneously dropping
+a reference to the parent platform device which is still in use.
+
+For OF probing the driver takes a reference to the dwc3 core platform
+device which has also always been leaked.
+
+Fix the broken ACPI tear down and make sure to drop the dwc3 core
+reference for both OF and ACPI.
+
+Fixes: 8fd95da2cfb5 ("usb: dwc3: qcom: Release the correct resources in dwc3_qcom_remove()")
+Fixes: 2bc02355f8ba ("usb: dwc3: qcom: Add support for booting with ACPI")
+Fixes: a4333c3a6ba9 ("usb: dwc3: Add Qualcomm DWC3 glue driver")
+Cc: stable@vger.kernel.org # 4.18
+Cc: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Cc: Lee Jones <lee@kernel.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Acked-by: Andrew Halaney <ahalaney@redhat.com>
+Link: https://lore.kernel.org/r/20231117173650.21161-2-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 9cf87666fc6e ("USB: dwc3: qcom: fix ACPI platform device leak")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-qcom.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c
+index 0180350a2c95c..d7240cdca07c1 100644
+--- a/drivers/usb/dwc3/dwc3-qcom.c
++++ b/drivers/usb/dwc3/dwc3-qcom.c
+@@ -695,6 +695,7 @@ static int dwc3_qcom_of_register_core(struct platform_device *pdev)
+ if (!qcom->dwc3) {
+ ret = -ENODEV;
+ dev_err(dev, "failed to get dwc3 platform device\n");
++ of_platform_depopulate(dev);
+ }
+
+ node_put:
+@@ -836,7 +837,7 @@ static int dwc3_qcom_probe(struct platform_device *pdev)
+
+ if (ret) {
+ dev_err(dev, "failed to register DWC3 Core, err=%d\n", ret);
+- goto depopulate;
++ goto clk_disable;
+ }
+
+ ret = dwc3_qcom_interconnect_init(qcom);
+@@ -868,7 +869,8 @@ static int dwc3_qcom_probe(struct platform_device *pdev)
+ if (np)
+ of_platform_depopulate(&pdev->dev);
+ else
+- platform_device_put(pdev);
++ platform_device_del(qcom->dwc3);
++ platform_device_put(qcom->dwc3);
+ clk_disable:
+ for (i = qcom->num_clocks - 1; i >= 0; i--) {
+ clk_disable_unprepare(qcom->clks[i]);
+@@ -891,7 +893,8 @@ static int dwc3_qcom_remove(struct platform_device *pdev)
+ if (np)
+ of_platform_depopulate(&pdev->dev);
+ else
+- platform_device_put(pdev);
++ platform_device_del(qcom->dwc3);
++ platform_device_put(qcom->dwc3);
+
+ for (i = qcom->num_clocks - 1; i >= 0; i--) {
+ clk_disable_unprepare(qcom->clks[i]);
+--
+2.42.0
+
--- /dev/null
+From 8b8af0d78894d2149461592c5c5c01440d0bae8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Nov 2023 14:17:33 +0000
+Subject: wireguard: use DEV_STATS_INC()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 93da8d75a66568ba4bb5b14ad2833acd7304cd02 ]
+
+wg_xmit() can be called concurrently, KCSAN reported [1]
+some device stats updates can be lost.
+
+Use DEV_STATS_INC() for this unlikely case.
+
+[1]
+BUG: KCSAN: data-race in wg_xmit / wg_xmit
+
+read-write to 0xffff888104239160 of 8 bytes by task 1375 on cpu 0:
+wg_xmit+0x60f/0x680 drivers/net/wireguard/device.c:231
+__netdev_start_xmit include/linux/netdevice.h:4918 [inline]
+netdev_start_xmit include/linux/netdevice.h:4932 [inline]
+xmit_one net/core/dev.c:3543 [inline]
+dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3559
+...
+
+read-write to 0xffff888104239160 of 8 bytes by task 1378 on cpu 1:
+wg_xmit+0x60f/0x680 drivers/net/wireguard/device.c:231
+__netdev_start_xmit include/linux/netdevice.h:4918 [inline]
+netdev_start_xmit include/linux/netdevice.h:4932 [inline]
+xmit_one net/core/dev.c:3543 [inline]
+dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3559
+...
+
+v2: also change wg_packet_consume_data_done() (Hangbin Liu)
+ and wg_packet_purge_staged_packets()
+
+Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Cc: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireguard/device.c | 4 ++--
+ drivers/net/wireguard/receive.c | 12 ++++++------
+ drivers/net/wireguard/send.c | 3 ++-
+ 3 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireguard/device.c b/drivers/net/wireguard/device.c
+index 5eaef79c06e16..e5e344af34237 100644
+--- a/drivers/net/wireguard/device.c
++++ b/drivers/net/wireguard/device.c
+@@ -193,7 +193,7 @@ static netdev_tx_t wg_xmit(struct sk_buff *skb, struct net_device *dev)
+ */
+ while (skb_queue_len(&peer->staged_packet_queue) > MAX_STAGED_PACKETS) {
+ dev_kfree_skb(__skb_dequeue(&peer->staged_packet_queue));
+- ++dev->stats.tx_dropped;
++ DEV_STATS_INC(dev, tx_dropped);
+ }
+ skb_queue_splice_tail(&packets, &peer->staged_packet_queue);
+ spin_unlock_bh(&peer->staged_packet_queue.lock);
+@@ -211,7 +211,7 @@ static netdev_tx_t wg_xmit(struct sk_buff *skb, struct net_device *dev)
+ else if (skb->protocol == htons(ETH_P_IPV6))
+ icmpv6_ndo_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0);
+ err:
+- ++dev->stats.tx_errors;
++ DEV_STATS_INC(dev, tx_errors);
+ kfree_skb(skb);
+ return ret;
+ }
+diff --git a/drivers/net/wireguard/receive.c b/drivers/net/wireguard/receive.c
+index f500aaf678370..d38b24339a1f9 100644
+--- a/drivers/net/wireguard/receive.c
++++ b/drivers/net/wireguard/receive.c
+@@ -423,20 +423,20 @@ static void wg_packet_consume_data_done(struct wg_peer *peer,
+ net_dbg_skb_ratelimited("%s: Packet has unallowed src IP (%pISc) from peer %llu (%pISpfsc)\n",
+ dev->name, skb, peer->internal_id,
+ &peer->endpoint.addr);
+- ++dev->stats.rx_errors;
+- ++dev->stats.rx_frame_errors;
++ DEV_STATS_INC(dev, rx_errors);
++ DEV_STATS_INC(dev, rx_frame_errors);
+ goto packet_processed;
+ dishonest_packet_type:
+ net_dbg_ratelimited("%s: Packet is neither ipv4 nor ipv6 from peer %llu (%pISpfsc)\n",
+ dev->name, peer->internal_id, &peer->endpoint.addr);
+- ++dev->stats.rx_errors;
+- ++dev->stats.rx_frame_errors;
++ DEV_STATS_INC(dev, rx_errors);
++ DEV_STATS_INC(dev, rx_frame_errors);
+ goto packet_processed;
+ dishonest_packet_size:
+ net_dbg_ratelimited("%s: Packet has incorrect size from peer %llu (%pISpfsc)\n",
+ dev->name, peer->internal_id, &peer->endpoint.addr);
+- ++dev->stats.rx_errors;
+- ++dev->stats.rx_length_errors;
++ DEV_STATS_INC(dev, rx_errors);
++ DEV_STATS_INC(dev, rx_length_errors);
+ goto packet_processed;
+ packet_processed:
+ dev_kfree_skb(skb);
+diff --git a/drivers/net/wireguard/send.c b/drivers/net/wireguard/send.c
+index 95c853b59e1da..0d48e0f4a1ba3 100644
+--- a/drivers/net/wireguard/send.c
++++ b/drivers/net/wireguard/send.c
+@@ -333,7 +333,8 @@ static void wg_packet_create_data(struct wg_peer *peer, struct sk_buff *first)
+ void wg_packet_purge_staged_packets(struct wg_peer *peer)
+ {
+ spin_lock_bh(&peer->staged_packet_queue.lock);
+- peer->device->dev->stats.tx_dropped += peer->staged_packet_queue.qlen;
++ DEV_STATS_ADD(peer->device->dev, tx_dropped,
++ peer->staged_packet_queue.qlen);
+ __skb_queue_purge(&peer->staged_packet_queue);
+ spin_unlock_bh(&peer->staged_packet_queue.lock);
+ }
+--
+2.42.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
