--- /dev/null
+From 50054c39e45f5c300a72f0218e6e08fa937c2a15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 May 2023 11:00:06 +0200
+Subject: af_key: Reject optional tunnel/BEET mode templates in outbound
+ policies
+
+From: Tobias Brunner <tobias@strongswan.org>
+
+[ Upstream commit cf3128a7aca55b2eefb68281d44749c683bdc96f ]
+
+xfrm_state_find() uses `encap_family` of the current template with
+the passed local and remote addresses to find a matching state.
+If an optional tunnel or BEET mode template is skipped in a mixed-family
+scenario, there could be a mismatch causing an out-of-bounds read as
+the addresses were not replaced to match the family of the next template.
+
+While there are theoretical use cases for optional templates in outbound
+policies, the only practical one is to skip IPComp states in inbound
+policies if uncompressed packets are received that are handled by an
+implicitly created IPIP state instead.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Tobias Brunner <tobias@strongswan.org>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/key/af_key.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 1d6ae1df3886b..d34fed1a484a7 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1940,7 +1940,8 @@ static u32 gen_reqid(struct net *net)
+ }
+
+ static int
+-parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
++parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_policy *pol,
++ struct sadb_x_ipsecrequest *rq)
+ {
+ struct net *net = xp_net(xp);
+ struct xfrm_tmpl *t = xp->xfrm_vec + xp->xfrm_nr;
+@@ -1958,9 +1959,12 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
+ if ((mode = pfkey_mode_to_xfrm(rq->sadb_x_ipsecrequest_mode)) < 0)
+ return -EINVAL;
+ t->mode = mode;
+- if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE)
++ if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE) {
++ if ((mode == XFRM_MODE_TUNNEL || mode == XFRM_MODE_BEET) &&
++ pol->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND)
++ return -EINVAL;
+ t->optional = 1;
+- else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) {
++ } else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) {
+ t->reqid = rq->sadb_x_ipsecrequest_reqid;
+ if (t->reqid > IPSEC_MANUAL_REQID_MAX)
+ t->reqid = 0;
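Review bot: The new rejection in the `IPSEC_LEVEL_USE` branch has no comment saying why an optional tunnel or BEET template is invalid only for outbound policies, so a later cleanup could relax it without realising it guards a memory-safety condition. A comment above the check would keep the reasoning with the code, for example `/* An optional tunnel/BEET template can be skipped without the addresses being switched to the next template's family; reject it for outbound policies. */`. The check covers only policies parsed through PF_KEY; whether other policy-configuration paths apply the same restriction is not visible here and is worth confirming. parse_ipsecrequest() continues past the end of this hunk.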
+@@ -2002,7 +2006,7 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol)
+ rq->sadb_x_ipsecrequest_len < sizeof(*rq))
+ return -EINVAL;
+
+- if ((err = parse_ipsecrequest(xp, rq)) < 0)
++ if ((err = parse_ipsecrequest(xp, pol, rq)) < 0)
+ return err;
+ len -= rq->sadb_x_ipsecrequest_len;
+ rq = (void*)((u8*)rq + rq->sadb_x_ipsecrequest_len);
+--
+2.39.2
+
--- /dev/null
+From b6d30c1cef8a50d86b1da948e417ee3fe83fb226 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 May 2023 12:07:11 +0300
+Subject: ALSA: firewire-digi00x: prevent potential use after free
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit c0e72058d5e21982e61a29de6b098f7c1f0db498 ]
+
+This code was supposed to return an error code if init_stream()
+failed, but it instead freed dg00x->rx_stream and returned success.
+This potentially leads to a use after free.
+
+Fixes: 9a08067ec318 ("ALSA: firewire-digi00x: support AMDTP domain")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/c224cbd5-d9e2-4cd4-9bcf-2138eb1d35c6@kili.mountain
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/firewire/digi00x/digi00x-stream.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/firewire/digi00x/digi00x-stream.c b/sound/firewire/digi00x/digi00x-stream.c
+index a15f55b0dce37..295163bb8abb6 100644
+--- a/sound/firewire/digi00x/digi00x-stream.c
++++ b/sound/firewire/digi00x/digi00x-stream.c
+@@ -259,8 +259,10 @@ int snd_dg00x_stream_init_duplex(struct snd_dg00x *dg00x)
+ return err;
+
+ err = init_stream(dg00x, &dg00x->tx_stream);
+- if (err < 0)
++ if (err < 0) {
+ destroy_stream(dg00x, &dg00x->rx_stream);
++ return err;
++ }
+
+ err = amdtp_domain_init(&dg00x->domain);
+ if (err < 0) {
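Review bot: Each failure branch in snd_dg00x_stream_init_duplex() unwinds inline, which is the shape that let the tx_stream branch destroy rx_stream and then carry on as if it had succeeded. Moving the teardown to labels at the end of the function (for this branch, `goto err_rx;`) would leave one place where each stream is destroyed and remove the chance of another branch missing its `return`. The function starts before and ends after this hunk, so the amdtp_domain_init() branch and anything after it are not visible, and the label names here are only a suggestion.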
+--
+2.39.2
+
--- /dev/null
+From f0e34036417488091d2122cccf4838cbc513dffa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 12:32:21 -0500
+Subject: ALSA: hda/realtek: Apply HP B&O top speaker profile to Pavilion 15
+
+From: Ryan C. Underwood <nemesis@icequake.net>
+
+[ Upstream commit 92553ee03166ef8fa978e7683f9f4af30c9c4e6b ]
+
+The Pavilion 15 line has B&O top speakers similar to the x360 and
+applying the same profile produces good sound. Without this, the
+sound would be tinny and underpowered without either applying
+model=alc295-hp-x360 or booting another OS first.
+
+Signed-off-by: Ryan Underwood <nemesis@icequake.net>
+Fixes: 563785edfcef ("ALSA: hda/realtek - Add quirk entry for HP Pavilion 15")
+Link: https://lore.kernel.org/r/ZF0mpcMz3ezP9KQw@icequake.net
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 86d07d06bd0cd..5d1ab9170361a 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9008,7 +9008,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x802f, "HP Z240", ALC221_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x8077, "HP", ALC256_FIXUP_HP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x103c, 0x8158, "HP", ALC256_FIXUP_HP_HEADSET_MIC),
+- SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
++ SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC295_FIXUP_HP_X360),
+ SND_PCI_QUIRK(0x103c, 0x8256, "HP", ALC221_FIXUP_HP_FRONT_MIC),
+ SND_PCI_QUIRK(0x103c, 0x827e, "HP x360", ALC295_FIXUP_HP_X360),
+ SND_PCI_QUIRK(0x103c, 0x827f, "HP x360", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+--
+2.39.2
+
--- /dev/null
+From cc519e572470e45211c69f6979a8ba1d81ef27d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 May 2023 18:16:36 +0800
+Subject: ASoC: fsl_micfil: Fix error handler with pm_runtime_enable
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit 17955aba7877a4494d8093ae5498e19469b01d57 ]
+
+There is an error message when defer probe happens:
+
+fsl-micfil-dai 30ca0000.micfil: Unbalanced pm_runtime_enable!
+
+Fix the error handler with pm_runtime_enable and add
+fsl_micfil_remove() for pm_runtime_disable.
+
+Fixes: 47a70e6fc9a8 ("ASoC: Add MICFIL SoC Digital Audio Interface driver.")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com
+Link: https://lore.kernel.org/r/1683540996-6136-1-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_micfil.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c
+index 38d4d1b7cfe39..acc820da46ebf 100644
+--- a/sound/soc/fsl/fsl_micfil.c
++++ b/sound/soc/fsl/fsl_micfil.c
+@@ -763,7 +763,7 @@ static int fsl_micfil_probe(struct platform_device *pdev)
+ ret = devm_snd_dmaengine_pcm_register(&pdev->dev, NULL, 0);
+ if (ret) {
+ dev_err(&pdev->dev, "failed to pcm register\n");
+- return ret;
++ goto err_pm_disable;
+ }
+
+ ret = devm_snd_soc_register_component(&pdev->dev, &fsl_micfil_component,
+@@ -771,9 +771,20 @@ static int fsl_micfil_probe(struct platform_device *pdev)
+ if (ret) {
+ dev_err(&pdev->dev, "failed to register component %s\n",
+ fsl_micfil_component.name);
++ goto err_pm_disable;
+ }
+
+ return ret;
++
++err_pm_disable:
++ pm_runtime_disable(&pdev->dev);
++
++ return ret;
++}
++
++static void fsl_micfil_remove(struct platform_device *pdev)
++{
++ pm_runtime_disable(&pdev->dev);
+ }
+
+ static int __maybe_unused fsl_micfil_runtime_suspend(struct device *dev)
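Review bot: The success path of fsl_micfil_probe() still ends in `return ret;` directly above the new `err_pm_disable:` label, which reads like a fall-through error exit; `return 0;` there would make the two exits unambiguous. The matching pm_runtime_enable() call is outside this hunk, so check that no earlier `return` between that call and the first `goto err_pm_disable` still leaves runtime PM enabled. If the enable call can be switched to `devm_pm_runtime_enable(&pdev->dev)`, both the label and fsl_micfil_remove() become unnecessary.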
+@@ -834,6 +845,7 @@ static const struct dev_pm_ops fsl_micfil_pm_ops = {
+
+ static struct platform_driver fsl_micfil_driver = {
+ .probe = fsl_micfil_probe,
++ .remove_new = fsl_micfil_remove,
+ .driver = {
+ .name = "fsl-micfil-dai",
+ .pm = &fsl_micfil_pm_ops,
+--
+2.39.2
+
--- /dev/null
+From 8a02d7f06ffe77f45aec4085db9f21bf4c39d1f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 21:45:35 +0200
+Subject: bridge: always declare tunnel functions
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 89dcd87ce534a3a7f267cfd58505803006f51301 ]
+
+When CONFIG_BRIDGE_VLAN_FILTERING is disabled, two functions are still
+defined but have no prototype or caller. This causes a W=1 warning for
+the missing prototypes:
+
+net/bridge/br_netlink_tunnel.c:29:6: error: no previous prototype for 'vlan_tunid_inrange' [-Werror=missing-prototypes]
+net/bridge/br_netlink_tunnel.c:199:5: error: no previous prototype for 'br_vlan_tunnel_info' [-Werror=missing-prototypes]
+
+The functions are already conditional on CONFIG_BRIDGE_VLAN_FILTERING,
+and I couldn't easily figure out the right set of #ifdefs, so just
+move the declarations out of the #ifdef to avoid the warning,
+at a small cost in code size over a more elaborate fix.
+
+Fixes: 188c67dd1906 ("net: bridge: vlan options: add support for tunnel id dumping")
+Fixes: 569da0822808 ("net: bridge: vlan options: add support for tunnel mapping set/del")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230516194625.549249-3-arnd@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_private_tunnel.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/bridge/br_private_tunnel.h b/net/bridge/br_private_tunnel.h
+index 2b053289f0166..efb096025151a 100644
+--- a/net/bridge/br_private_tunnel.h
++++ b/net/bridge/br_private_tunnel.h
+@@ -27,6 +27,10 @@ int br_process_vlan_tunnel_info(const struct net_bridge *br,
+ int br_get_vlan_tunnel_info_size(struct net_bridge_vlan_group *vg);
+ int br_fill_vlan_tunnel_info(struct sk_buff *skb,
+ struct net_bridge_vlan_group *vg);
++bool vlan_tunid_inrange(const struct net_bridge_vlan *v_curr,
++ const struct net_bridge_vlan *v_last);
++int br_vlan_tunnel_info(const struct net_bridge_port *p, int cmd,
++ u16 vid, u32 tun_id, bool *changed);
+
+ #ifdef CONFIG_BRIDGE_VLAN_FILTERING
+ /* br_vlan_tunnel.c */
+@@ -43,10 +47,6 @@ void br_handle_ingress_vlan_tunnel(struct sk_buff *skb,
+ struct net_bridge_vlan_group *vg);
+ int br_handle_egress_vlan_tunnel(struct sk_buff *skb,
+ struct net_bridge_vlan *vlan);
+-bool vlan_tunid_inrange(const struct net_bridge_vlan *v_curr,
+- const struct net_bridge_vlan *v_last);
+-int br_vlan_tunnel_info(const struct net_bridge_port *p, int cmd,
+- u16 vid, u32 tun_id, bool *changed);
+ #else
+ static inline int vlan_tunnel_init(struct net_bridge_vlan_group *vg)
+ {
+--
+2.39.2
+
--- /dev/null
+From f22f96461cf8fc6fb896d90af1c896fe3df1af42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 May 2023 21:09:11 +0200
+Subject: cassini: Fix a memory leak in the error handling path of
+ cas_init_one()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 412cd77a2c24b191c65ea53025222418db09817c ]
+
+cas_saturn_firmware_init() allocates some memory using vmalloc(). This
+memory is freed in the .remove() function but not in the error handling
+path of the probe.
+
+Add the missing vfree() to avoid a memory leak, should an error occur.
+
+Fixes: fcaa40669cd7 ("cassini: use request_firmware")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sun/cassini.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/sun/cassini.c b/drivers/net/ethernet/sun/cassini.c
+index 6472425539e15..21e4df8466c91 100644
+--- a/drivers/net/ethernet/sun/cassini.c
++++ b/drivers/net/ethernet/sun/cassini.c
+@@ -5123,6 +5123,8 @@ static int cas_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ cas_shutdown(cp);
+ mutex_unlock(&cp->pm_mutex);
+
++ vfree(cp->fw_data);
++
+ pci_iounmap(pdev, cp->regs);
+
+
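Review bot: The added `vfree(cp->fw_data);` is correct only if `cp->fw_data` is either NULL or a live vmalloc() pointer on every path that reaches this point, and the label and the jumps to it are outside the hunk. vfree(NULL) is a no-op, so this holds if `cp` starts zeroed and cas_saturn_firmware_init() leaves the field NULL when it fails or is skipped; both are worth confirming. Following it with `cp->fw_data = NULL;` would keep a stale pointer from being reachable if `cp` is touched again before it is released.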
+--
+2.39.2
+
--- /dev/null
+From 0227c1d3caf976c6c75ba6672c5937e4cae1f38f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 May 2023 06:25:44 +0000
+Subject: cpupower: Make TSC read per CPU for Mperf monitor
+
+From: Wyes Karny <wyes.karny@amd.com>
+
+[ Upstream commit c2adb1877b76fc81ae041e1db1a6ed2078c6746b ]
+
+A system-wide TSC read could cause a drift in the C0 percentage calculation:
+if the TSC is read first and mperf is then read one by one for all CPUs,
+drift is introduced between the mperf reading of later CPUs and the TSC
+reading. To lower this drift, read TSC per CPU and also just after mperf
+read. This technique improves C0 percentage calculation in Mperf monitor.
+
+Before fix: (System 100% busy)
+
+ | Mperf || RAPL || Idle_Stats
+ PKG|CORE| CPU| C0 | Cx | Freq || pack | core || POLL | C1 | C2
+ 0| 0| 0| 87.15| 12.85| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 0| 256| 84.62| 15.38| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 1| 1| 87.15| 12.85| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 1| 257| 84.08| 15.92| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 2| 2| 86.61| 13.39| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 2| 258| 83.26| 16.74| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 3| 3| 86.61| 13.39| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 3| 259| 83.60| 16.40| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 4| 4| 86.33| 13.67| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 4| 260| 83.33| 16.67| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 5| 5| 86.06| 13.94| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 5| 261| 83.05| 16.95| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+ 0| 6| 6| 85.51| 14.49| 2695||168659003|3970468|| 0.00| 0.00| 0.00
+
+After fix: (System 100% busy)
+
+ | Mperf || RAPL || Idle_Stats
+ PKG|CORE| CPU| C0 | Cx | Freq || pack | core || POLL | C1 | C2
+ 0| 0| 0| 98.03| 1.97| 2415||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 0| 256| 98.50| 1.50| 2394||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 1| 1| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 1| 257| 99.99| 0.01| 2375||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 2| 2| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 2| 258|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 3| 3|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 3| 259| 99.99| 0.01| 2435||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 4| 4|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 4| 260|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 5| 5| 99.99| 0.01| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 5| 261|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 6| 6|100.00| 0.00| 2401||163295480|3811189|| 0.00| 0.00| 0.00
+ 0| 6| 262|100.00| 0.00| 2435||163295480|3811189|| 0.00| 0.00| 0.00
+
+Cc: Thomas Renninger <trenn@suse.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+
+Fixes: 7fe2f6399a84 ("cpupowerutils - cpufrequtils extended with quite some features")
+Signed-off-by: Wyes Karny <wyes.karny@amd.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../utils/idle_monitor/mperf_monitor.c | 31 +++++++++----------
+ 1 file changed, 14 insertions(+), 17 deletions(-)
+
+diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
+index e7d48cb563c0e..ae6af354a81db 100644
+--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
++++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
+@@ -70,8 +70,8 @@ static int max_freq_mode;
+ */
+ static unsigned long max_frequency;
+
+-static unsigned long long tsc_at_measure_start;
+-static unsigned long long tsc_at_measure_end;
++static unsigned long long *tsc_at_measure_start;
++static unsigned long long *tsc_at_measure_end;
+ static unsigned long long *mperf_previous_count;
+ static unsigned long long *aperf_previous_count;
+ static unsigned long long *mperf_current_count;
+@@ -169,7 +169,7 @@ static int mperf_get_count_percent(unsigned int id, double *percent,
+ aperf_diff = aperf_current_count[cpu] - aperf_previous_count[cpu];
+
+ if (max_freq_mode == MAX_FREQ_TSC_REF) {
+- tsc_diff = tsc_at_measure_end - tsc_at_measure_start;
++ tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu];
+ *percent = 100.0 * mperf_diff / tsc_diff;
+ dprint("%s: TSC Ref - mperf_diff: %llu, tsc_diff: %llu\n",
+ mperf_cstates[id].name, mperf_diff, tsc_diff);
+@@ -206,7 +206,7 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count,
+
+ if (max_freq_mode == MAX_FREQ_TSC_REF) {
+ /* Calculate max_freq from TSC count */
+- tsc_diff = tsc_at_measure_end - tsc_at_measure_start;
++ tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu];
+ time_diff = timespec_diff_us(time_start, time_end);
+ max_frequency = tsc_diff / time_diff;
+ }
+@@ -225,33 +225,27 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count,
+ static int mperf_start(void)
+ {
+ int cpu;
+- unsigned long long dbg;
+
+ clock_gettime(CLOCK_REALTIME, &time_start);
+- mperf_get_tsc(&tsc_at_measure_start);
+
+- for (cpu = 0; cpu < cpu_count; cpu++)
++ for (cpu = 0; cpu < cpu_count; cpu++) {
++ mperf_get_tsc(&tsc_at_measure_start[cpu]);
+ mperf_init_stats(cpu);
++ }
+
+- mperf_get_tsc(&dbg);
+- dprint("TSC diff: %llu\n", dbg - tsc_at_measure_start);
+ return 0;
+ }
+
+ static int mperf_stop(void)
+ {
+- unsigned long long dbg;
+ int cpu;
+
+- for (cpu = 0; cpu < cpu_count; cpu++)
++ for (cpu = 0; cpu < cpu_count; cpu++) {
+ mperf_measure_stats(cpu);
++ mperf_get_tsc(&tsc_at_measure_end[cpu]);
++ }
+
+- mperf_get_tsc(&tsc_at_measure_end);
+ clock_gettime(CLOCK_REALTIME, &time_end);
+-
+- mperf_get_tsc(&dbg);
+- dprint("TSC diff: %llu\n", dbg - tsc_at_measure_end);
+-
+ return 0;
+ }
+
+@@ -353,7 +347,8 @@ struct cpuidle_monitor *mperf_register(void)
+ aperf_previous_count = calloc(cpu_count, sizeof(unsigned long long));
+ mperf_current_count = calloc(cpu_count, sizeof(unsigned long long));
+ aperf_current_count = calloc(cpu_count, sizeof(unsigned long long));
+-
++ tsc_at_measure_start = calloc(cpu_count, sizeof(unsigned long long));
++ tsc_at_measure_end = calloc(cpu_count, sizeof(unsigned long long));
+ mperf_monitor.name_len = strlen(mperf_monitor.name);
+ return &mperf_monitor;
+ }
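Review bot: The two new `calloc()` results are stored without a check, and mperf_start() and mperf_stop() now write through `&tsc_at_measure_start[cpu]` and `&tsc_at_measure_end[cpu]`, so an allocation failure becomes a NULL-pointer write on the first measurement. The neighbouring counter arrays are allocated the same way, so one check could cover all of them: free whatever was allocated and bail out with `if (!tsc_at_measure_start || !tsc_at_measure_end) return NULL;`. That assumes callers of mperf_register() already treat NULL as "monitor unavailable", which is not visible here. The start of mperf_register() is outside the hunk.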
+@@ -364,6 +359,8 @@ void mperf_unregister(void)
+ free(aperf_previous_count);
+ free(mperf_current_count);
+ free(aperf_current_count);
++ free(tsc_at_measure_start);
++ free(tsc_at_measure_end);
+ free(is_valid);
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 36646e8f795ef681fe5c392610a28e087048d8d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Apr 2023 23:04:11 +0200
+Subject: drm/exynos: fix g2d_open/close helper function definitions
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 2ef0785b30bd6549ddbc124979f1b6596e065ae2 ]
+
+The empty stub functions are defined as global functions, which
+causes a warning because of missing prototypes:
+
+drivers/gpu/drm/exynos/exynos_drm_g2d.h:37:5: error: no previous prototype for 'g2d_open'
+drivers/gpu/drm/exynos/exynos_drm_g2d.h:42:5: error: no previous prototype for 'g2d_close'
+
+Mark them as 'static inline' to avoid the warning and to make
+them behave as intended.
+
+Fixes: eb4d9796fa34 ("drm/exynos: g2d: Convert to driver component API")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_g2d.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.h b/drivers/gpu/drm/exynos/exynos_drm_g2d.h
+index 74ea3c26deadc..1a5ae781b56c6 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.h
++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.h
+@@ -34,11 +34,11 @@ static inline int exynos_g2d_exec_ioctl(struct drm_device *dev, void *data,
+ return -ENODEV;
+ }
+
+-int g2d_open(struct drm_device *drm_dev, struct drm_file *file)
++static inline int g2d_open(struct drm_device *drm_dev, struct drm_file *file)
+ {
+ return 0;
+ }
+
+-void g2d_close(struct drm_device *drm_dev, struct drm_file *file)
++static inline void g2d_close(struct drm_device *drm_dev, struct drm_file *file)
+ { }
+ #endif
+--
+2.39.2
+
--- /dev/null
+From 06a8522ce4121dbf06b90e520ba8d8c8969cf04a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Apr 2023 15:56:57 +0100
+Subject: drm/msm/dp: unregister audio driver during unbind
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 85c636284cb63b7740b4ae98881ace92158068d3 ]
+
+While binding, the code always registers an audio driver; however, there
+is no corresponding unregistration done in unbind. This leads to multiple
+redundant audio platform devices if dp_display_bind and dp_display_unbind
+happen multiple times during startup. On the X13s platform this resulted in
+6 to 9 audio codec devices instead of just 3 codec devices for 3 dp ports.
+
+Fix this by unregistering codecs on unbind.
+
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Fixes: d13e36d7d222 ("drm/msm/dp: add audio support for Display Port on MSM")
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/533324/
+Link: https://lore.kernel.org/r/20230421145657.12186-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dp/dp_audio.c | 12 ++++++++++++
+ drivers/gpu/drm/msm/dp/dp_audio.h | 2 ++
+ drivers/gpu/drm/msm/dp/dp_display.c | 1 +
+ 3 files changed, 15 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/dp/dp_audio.c b/drivers/gpu/drm/msm/dp/dp_audio.c
+index d7e4a39a904e2..0eaaaa94563a3 100644
+--- a/drivers/gpu/drm/msm/dp/dp_audio.c
++++ b/drivers/gpu/drm/msm/dp/dp_audio.c
+@@ -577,6 +577,18 @@ static struct hdmi_codec_pdata codec_data = {
+ .i2s = 1,
+ };
+
++void dp_unregister_audio_driver(struct device *dev, struct dp_audio *dp_audio)
++{
++ struct dp_audio_private *audio_priv;
++
++ audio_priv = container_of(dp_audio, struct dp_audio_private, dp_audio);
++
++ if (audio_priv->audio_pdev) {
++ platform_device_unregister(audio_priv->audio_pdev);
++ audio_priv->audio_pdev = NULL;
++ }
++}
++
+ int dp_register_audio_driver(struct device *dev,
+ struct dp_audio *dp_audio)
+ {
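Review bot: dp_unregister_audio_driver() is added without any comment, although dp_audio.h documents at least dp_audio_put() with a kernel-doc block. A short block saying that it undoes dp_register_audio_driver() and is a no-op when no codec device was registered would explain the `audio_pdev` NULL check and the reset to NULL. The `dev` parameter is unused in the body. `container_of()` is applied to `dp_audio` unconditionally, so if the pointer handed in from the unbind path can be NULL or an error pointer after a partially failed bind (not visible here), the `audio_priv->audio_pdev` read is invalid; `if (IS_ERR_OR_NULL(dp_audio)) return;` at the top would cover that.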
+diff --git a/drivers/gpu/drm/msm/dp/dp_audio.h b/drivers/gpu/drm/msm/dp/dp_audio.h
+index 84e5f4a5d26ba..4ab78880af829 100644
+--- a/drivers/gpu/drm/msm/dp/dp_audio.h
++++ b/drivers/gpu/drm/msm/dp/dp_audio.h
+@@ -53,6 +53,8 @@ struct dp_audio *dp_audio_get(struct platform_device *pdev,
+ int dp_register_audio_driver(struct device *dev,
+ struct dp_audio *dp_audio);
+
++void dp_unregister_audio_driver(struct device *dev, struct dp_audio *dp_audio);
++
+ /**
+ * dp_audio_put()
+ *
+diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c
+index 15e38ad7aefb4..38d37345c216b 100644
+--- a/drivers/gpu/drm/msm/dp/dp_display.c
++++ b/drivers/gpu/drm/msm/dp/dp_display.c
+@@ -267,6 +267,7 @@ static void dp_display_unbind(struct device *dev, struct device *master,
+ kthread_stop(dp->ev_tsk);
+
+ dp_power_client_deinit(dp->power);
++ dp_unregister_audio_driver(dev, dp->audio);
+ dp_aux_unregister(dp->aux);
+ priv->dp = NULL;
+ }
+--
+2.39.2
+
--- /dev/null
+From cac42285a326b3ad3fdc1da3e8d7b2d022b532cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Feb 2022 20:33:52 -0800
+Subject: drm/msm/dpu: Add INTF_5 interrupts
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+[ Upstream commit 148e852f290fe8be9fa69953bee2f958befd65d4 ]
+
+SC8180x has the eDP controller wired up to INTF_5, so add the interrupt
+register block for this interface to the list.
+
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20220215043353.1256754-1-bjorn.andersson@linaro.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Stable-dep-of: e9d9ce5462fe ("drm/msm/dpu: Move non-MDP_TOP INTF_INTR offsets out of hwio header")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c | 6 ++++++
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
+index 2e816f232e859..996011e356f7b 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
+@@ -20,6 +20,7 @@
+ #define MDP_INTF_2_OFF 0x6B000
+ #define MDP_INTF_3_OFF 0x6B800
+ #define MDP_INTF_4_OFF 0x6C000
++#define MDP_INTF_5_OFF 0x6C800
+ #define MDP_AD4_0_OFF 0x7C000
+ #define MDP_AD4_1_OFF 0x7D000
+ #define MDP_AD4_INTR_EN_OFF 0x41c
+@@ -87,6 +88,11 @@ static const struct dpu_intr_reg dpu_intr_set[] = {
+ MDP_INTF_4_OFF+INTF_INTR_EN,
+ MDP_INTF_4_OFF+INTF_INTR_STATUS
+ },
++ {
++ MDP_INTF_5_OFF+INTF_INTR_CLEAR,
++ MDP_INTF_5_OFF+INTF_INTR_EN,
++ MDP_INTF_5_OFF+INTF_INTR_STATUS
++ },
+ {
+ MDP_AD4_0_OFF + MDP_AD4_INTR_CLEAR_OFF,
+ MDP_AD4_0_OFF + MDP_AD4_INTR_EN_OFF,
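Review bot: The new INTF_5 entry is placed positionally in dpu_intr_set[], and the same commit inserts MDP_INTF5_INTR at the matching position in enum dpu_hw_intr_reg. If the table is indexed by that enum, as the parallel ordering suggests, a later edit that touches only one of the two lists would silently pair an interrupt index with the wrong register block. Designated initialisers would make the pairing explicit, e.g. opening this entry with `[MDP_INTF5_INTR] = {`. The array definition starts before and continues after this hunk.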
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.h
+index ac83c1159815f..d90dac77c26fe 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.h
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.h
+@@ -22,6 +22,7 @@ enum dpu_hw_intr_reg {
+ MDP_INTF2_INTR,
+ MDP_INTF3_INTR,
+ MDP_INTF4_INTR,
++ MDP_INTF5_INTR,
+ MDP_AD4_0_INTR,
+ MDP_AD4_1_INTR,
+ MDP_INTF0_7xxx_INTR,
+--
+2.39.2
+
--- /dev/null
+From e0e9b072620462dff03e423f53d30f7740c1dece Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Apr 2023 00:37:17 +0200
+Subject: drm/msm/dpu: Move non-MDP_TOP INTF_INTR offsets out of hwio header
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit e9d9ce5462fecdeefec87953de71df4d025cbc72 ]
+
+These offsets do not fall under the MDP TOP block and do not fit the
+comment right above. Move them to dpu_hw_interrupts.c next to the
+respective MDP_INTF_x_OFF interrupt block offsets.
+
+Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/534203/
+Link: https://lore.kernel.org/r/20230411-dpu-intf-te-v4-3-27ce1a5ab5c6@somainline.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c | 5 ++++-
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h | 3 ---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
+index 996011e356f7b..ac0c221f8aa19 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.c
+@@ -12,7 +12,7 @@
+
+ /**
+ * Register offsets in MDSS register file for the interrupt registers
+- * w.r.t. to the MDP base
++ * w.r.t. the MDP base
+ */
+ #define MDP_SSPP_TOP0_OFF 0x0
+ #define MDP_INTF_0_OFF 0x6A000
+@@ -21,6 +21,9 @@
+ #define MDP_INTF_3_OFF 0x6B800
+ #define MDP_INTF_4_OFF 0x6C000
+ #define MDP_INTF_5_OFF 0x6C800
++#define INTF_INTR_EN 0x1c0
++#define INTF_INTR_STATUS 0x1c4
++#define INTF_INTR_CLEAR 0x1c8
+ #define MDP_AD4_0_OFF 0x7C000
+ #define MDP_AD4_1_OFF 0x7D000
+ #define MDP_AD4_INTR_EN_OFF 0x41c
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h b/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h
+index c8156ed4b7fb8..93081e82c6d74 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hwio.h
+@@ -20,9 +20,6 @@
+ #define HIST_INTR_EN 0x01c
+ #define HIST_INTR_STATUS 0x020
+ #define HIST_INTR_CLEAR 0x024
+-#define INTF_INTR_EN 0x1C0
+-#define INTF_INTR_STATUS 0x1C4
+-#define INTF_INTR_CLEAR 0x1C8
+ #define SPLIT_DISPLAY_EN 0x2F4
+ #define SPLIT_DISPLAY_UPPER_PIPE_CTRL 0x2F8
+ #define DSPP_IGC_COLOR0_RAM_LUTN 0x300
+--
+2.39.2
+
--- /dev/null
+From 4631390d04a8c3bff6c29be1fb1ce1608f26523f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Apr 2023 00:37:22 +0200
+Subject: drm/msm/dpu: Remove duplicate register defines from INTF
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 202c044203ac5860e3025169105368d99f9bc6a2 ]
+
+The INTF_FRAME_LINE_COUNT_EN, INTF_FRAME_COUNT and INTF_LINE_COUNT
+registers are already defined higher up, in the right place when sorted
+numerically.
+
+Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/534231/
+Link: https://lore.kernel.org/r/20230411-dpu-intf-te-v4-8-27ce1a5ab5c6@somainline.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c
+index 284f5610dc35b..916e2a4756c09 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c
+@@ -53,11 +53,6 @@
+ #define INTF_TPG_RGB_MAPPING 0x11C
+ #define INTF_PROG_FETCH_START 0x170
+ #define INTF_PROG_ROT_START 0x174
+-
+-#define INTF_FRAME_LINE_COUNT_EN 0x0A8
+-#define INTF_FRAME_COUNT 0x0AC
+-#define INTF_LINE_COUNT 0x0B0
+-
+ #define INTF_MUX 0x25C
+
+ static const struct dpu_intf_cfg *_intf_offset(enum dpu_intf intf,
+--
+2.39.2
+
--- /dev/null
+From 60f2836565a22369741930c3c79a69e98e5bc61a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Apr 2023 20:21:32 +0800
+Subject: dt-bindings: display/msm: dsi-controller-main: Document qcom,
+ master-dsi and qcom, sync-dual-dsi
+
+From: Jianhua Lu <lujianhua000@gmail.com>
+
+[ Upstream commit ca29699a57ecee6084a4056f5bfd6f11dd359a71 ]
+
+This fixes warning:
+ sm8250-xiaomi-elish-csot.dtb: dsi@ae94000: Unevaluated properties are not allowed ('qcom,master-dsi', 'qcom,sync-dual-dsi' were unexpected)
+
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Acked-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Jianhua Lu <lujianhua000@gmail.com>
+Fixes: 4dbe55c97741 ("dt-bindings: msm: dsi: add yaml schemas for DSI bindings")
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/534306/
+Link: https://lore.kernel.org/r/20230427122132.24840-1-lujianhua000@gmail.com
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../bindings/display/msm/dsi-controller-main.yaml | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml b/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml
+index 283a12cd3e144..4b2cd556483c0 100644
+--- a/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml
++++ b/Documentation/devicetree/bindings/display/msm/dsi-controller-main.yaml
+@@ -64,6 +64,18 @@ properties:
+ Indicates if the DSI controller is driving a panel which needs
+ 2 DSI links.
+
++ qcom,master-dsi:
++ type: boolean
++ description: |
++ Indicates if the DSI controller is the master DSI controller when
++ qcom,dual-dsi-mode enabled.
++
++ qcom,sync-dual-dsi:
++ type: boolean
++ description: |
++ Indicates if the DSI controller needs to sync the other DSI controller
++ with MIPI DCS commands when qcom,dual-dsi-mode enabled.
++
+ assigned-clocks:
+ minItems: 2
+ maxItems: 2
+--
+2.39.2
+
--- /dev/null
+From 5db7a13a7f4a16ee347ee7a74c19341dcb09f596 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 19:22:11 -0400
+Subject: erspan: get the proto with the md version for collect_md
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit d80fc101d2eb9b3188c228d61223890aeea480a4 ]
+
+In commit 20704bd1633d ("erspan: build the header with the right proto
+according to erspan_ver"), it gets the proto with t->parms.erspan_ver,
+but t->parms.erspan_ver is not used by collect_md branch, and instead
+it should get the proto with md->version for collect_md.
+
+Thanks to Kevin for pointing this out.
+
+Fixes: 20704bd1633d ("erspan: build the header with the right proto according to erspan_ver")
+Fixes: 94d7d8f29287 ("ip6_gre: add erspan v2 support")
+Reported-by: Kevin Traynor <ktraynor@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: William Tu <u9012063@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_gre.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index a91f93ec7d2b4..0b041ab79ad90 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1015,12 +1015,14 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
+ ntohl(tun_id),
+ ntohl(md->u.index), truncate,
+ false);
++ proto = htons(ETH_P_ERSPAN);
+ } else if (md->version == 2) {
+ erspan_build_header_v2(skb,
+ ntohl(tun_id),
+ md->u.md2.dir,
+ get_hwid(&md->u.md2),
+ truncate, false);
++ proto = htons(ETH_P_ERSPAN2);
+ } else {
+ goto tx_err;
+ }
+@@ -1043,24 +1045,25 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
+ break;
+ }
+
+- if (t->parms.erspan_ver == 1)
++ if (t->parms.erspan_ver == 1) {
+ erspan_build_header(skb, ntohl(t->parms.o_key),
+ t->parms.index,
+ truncate, false);
+- else if (t->parms.erspan_ver == 2)
++ proto = htons(ETH_P_ERSPAN);
++ } else if (t->parms.erspan_ver == 2) {
+ erspan_build_header_v2(skb, ntohl(t->parms.o_key),
+ t->parms.dir,
+ t->parms.hwid,
+ truncate, false);
+- else
++ proto = htons(ETH_P_ERSPAN2);
++ } else {
+ goto tx_err;
++ }
+
+ fl6.daddr = t->parms.raddr;
+ }
+
+ /* Push GRE header. */
+- proto = (t->parms.erspan_ver == 1) ? htons(ETH_P_ERSPAN)
+- : htons(ETH_P_ERSPAN2);
+ gre_build_header(skb, 8, TUNNEL_SEQ, proto, 0, htonl(atomic_fetch_inc(&t->o_seqno)));
+
+ /* TooBig packet may have updated dst->dev's mtu */
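Review bot: `proto` reaches gre_build_header() with no local indication of where it was set, now that the assignment next to the call is gone. It is assigned in four separate branches across the two hunks, and each `else` leaves through tx_err, so every path shown does set it; its declaration is outside the hunk, so whether it has an initial value cannot be seen. A comment at the call, e.g. `/* proto: set above from md->version (collect_md) or t->parms.erspan_ver */`, would make that invariant explicit for whoever adds a third version. ip6erspan_tunnel_xmit() extends beyond both hunks.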
+--
+2.39.2
+
--- /dev/null
+From 8f2504bb8d8d6e51a021e1f9607d3f397b9631fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 10:41:46 -0700
+Subject: igb: fix bit_shift to be in [1..8] range
+
+From: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+
+[ Upstream commit 60d758659f1fb49e0d5b6ac2691ede8c0958795b ]
+
+In igb_hash_mc_addr() the expression
+ "mc_addr[4] >> 8 - bit_shift" right-shifts "mc_addr[4]"; a shift by
+more than 7 bits always yields zero, so the hash values become less distinct.
+Add initialization with bit_shift = 1 and add a loop condition to ensure
+bit_shift will be always in [1..8] range.
+
+Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver")
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/e1000_mac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/e1000_mac.c b/drivers/net/ethernet/intel/igb/e1000_mac.c
+index 1277c5c7d0996..7be0c7ce9394b 100644
+--- a/drivers/net/ethernet/intel/igb/e1000_mac.c
++++ b/drivers/net/ethernet/intel/igb/e1000_mac.c
+@@ -426,7 +426,7 @@ void igb_mta_set(struct e1000_hw *hw, u32 hash_value)
+ static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr)
+ {
+ u32 hash_value, hash_mask;
+- u8 bit_shift = 0;
++ u8 bit_shift = 1;
+
+ /* Register count multiplied by bits per register */
+ hash_mask = (hw->mac.mta_reg_count * 32) - 1;
+@@ -434,7 +434,7 @@ static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr)
+ /* For a mc_filter_type of 0, bit_shift is the number of left-shifts
+ * where 0xFF would still fall within the hash mask.
+ */
+- while (hash_mask >> bit_shift != 0xFF)
++ while (hash_mask >> bit_shift != 0xFF && bit_shift < 4)
+ bit_shift++;
+
+ /* The portion of the address that is used for the hash table
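Review bot: The new bound `bit_shift < 4` in the loop condition is an unexplained literal, and the comment above the loop still describes only the unbounded search. The commit subject promises a [1..8] range, so the remaining offset presumably comes from the mc_filter_type adjustment later in igb_hash_mc_addr(), which is outside this hunk; that should be confirmed. The cap also keeps the shift count below the width of the u32 hash_mask when mta_reg_count holds a value for which the shifted mask never equals 0xFF, and that is worth stating in the code. I would extend the comment with `* The search is capped at 4 so the shift stays valid for any mta_reg_count.`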
+--
+2.39.2
+
--- /dev/null
+From 9e81ac6c74ca54c3cd0151f20592b045952051ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 12:55:14 +0000
+Subject: media: netup_unidvb: fix use-after-free at del_timer()
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 0f5bb36bf9b39a2a96e730bf4455095b50713f63 ]
+
+When Universal DVB card is detaching, netup_unidvb_dma_fini()
+uses del_timer() to stop dma->timeout timer. But when timer
+handler netup_unidvb_dma_timeout() is running, del_timer()
+could not stop it. As a result, the use-after-free bug could
+happen. The process is shown below:
+
+ (cleanup routine) | (timer routine)
+ | mod_timer(&dev->tx_sim_timer, ..)
+netup_unidvb_finidev() | (wait a time)
+ netup_unidvb_dma_fini() | netup_unidvb_dma_timeout()
+ del_timer(&dma->timeout); |
+ | ndev->pci_dev->dev //USE
+
+Fix by changing del_timer() to del_timer_sync().
+
+Link: https://lore.kernel.org/linux-media/20230308125514.4208-1-duoming@zju.edu.cn
+Fixes: 52b1eaf4c59a ("[media] netup_unidvb: NetUP Universal DVB-S/S2/T/T2/C PCI-E card driver")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/netup_unidvb/netup_unidvb_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
+index 77bae14685513..a71814e2772d1 100644
+--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
+@@ -697,7 +697,7 @@ static void netup_unidvb_dma_fini(struct netup_unidvb_dev *ndev, int num)
+ netup_unidvb_dma_enable(dma, 0);
+ msleep(50);
+ cancel_work_sync(&dma->work);
+- del_timer(&dma->timeout);
++ del_timer_sync(&dma->timeout);
+ }
+
+ static int netup_unidvb_dma_setup(struct netup_unidvb_dev *ndev)
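Review bot: The teardown order in netup_unidvb_dma_fini() is left undocumented: dma->work is cancelled first and the timer is only synchronously deleted afterwards. That order is safe only if netup_unidvb_dma_timeout() cannot queue dma->work again; the handler is not shown in this hunk, so this should be checked. If the work item is what re-arms the timer, a comment such as `/* the work re-arms the timer, so cancel the work first, then wait for a running handler */` above the two calls would keep a later reorder from reintroducing the use-after-free.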
+--
+2.39.2
+
--- /dev/null
+From 250762bb7d02017e7f5d0e3d5427bd352b48f49e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 May 2023 16:07:27 -0700
+Subject: net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 93e0401e0fc0c54b0ac05b687cd135c2ac38187c ]
+
+The call to phy_stop() races with the later call to phy_disconnect(),
+resulting in concurrent phy_suspend() calls being run from different
+CPUs. The final call to phy_disconnect() ensures that the PHY is
+stopped and suspended, too.
+
+Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index 92cd2916e8015..35bf840716d57 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -3416,7 +3416,6 @@ static void bcmgenet_netif_stop(struct net_device *dev)
+ /* Disable MAC transmit. TX DMA disabled must be done before this */
+ umac_enable_set(priv, CMD_TX_EN, false);
+
+- phy_stop(dev->phydev);
+ bcmgenet_disable_rx_napi(priv);
+ bcmgenet_intr_disable(priv);
+
+--
+2.39.2
+
--- /dev/null
+From 44076550c89cc8762df383223ff0fc0d5e0cea9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 19:56:07 -0700
+Subject: net: bcmgenet: Restore phy_stop() depending upon suspend/close
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 225c657945c4a6307741cb3cc89467eadcc26e9b ]
+
+Removing the phy_stop() from bcmgenet_netif_stop() ended up causing
+warnings from the PHY library that phy_start() is called from the
+RUNNING state since we are no longer stopping the PHY state machine
+during bcmgenet_suspend().
+
+Restore the call to phy_stop() but make it conditional on being called
+from the close or suspend path.
+
+Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine")
+Fixes: 93e0401e0fc0 ("net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Link: https://lore.kernel.org/r/20230515025608.2587012-1-f.fainelli@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index 35bf840716d57..9d4f406408c9d 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -3401,7 +3401,7 @@ static int bcmgenet_open(struct net_device *dev)
+ return ret;
+ }
+
+-static void bcmgenet_netif_stop(struct net_device *dev)
++static void bcmgenet_netif_stop(struct net_device *dev, bool stop_phy)
+ {
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+
+@@ -3416,6 +3416,8 @@ static void bcmgenet_netif_stop(struct net_device *dev)
+ /* Disable MAC transmit. TX DMA disabled must be done before this */
+ umac_enable_set(priv, CMD_TX_EN, false);
+
++ if (stop_phy)
++ phy_stop(dev->phydev);
+ bcmgenet_disable_rx_napi(priv);
+ bcmgenet_intr_disable(priv);
+
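Review bot: The new `stop_phy` parameter of bcmgenet_netif_stop() has no comment, and the bare `false` and `true` at the call sites in bcmgenet_close() and bcmgenet_suspend() do not say why they differ. The reason is only in the two commit messages: close goes on to phy_disconnect(), which stops the PHY itself and raced with an earlier phy_stop(), while suspend needs the state machine stopped before a later phy_start(). A comment above the function, e.g. `/* stop_phy: stop the PHY state machine here; pass false when phy_disconnect() follows */`, would keep either regression from coming back. The function body extends beyond this hunk.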
+@@ -3441,7 +3443,7 @@ static int bcmgenet_close(struct net_device *dev)
+
+ netif_dbg(priv, ifdown, dev, "bcmgenet_close\n");
+
+- bcmgenet_netif_stop(dev);
++ bcmgenet_netif_stop(dev, false);
+
+ /* Really kill the PHY state machine and disconnect from it */
+ phy_disconnect(dev->phydev);
+@@ -4241,7 +4243,7 @@ static int bcmgenet_suspend(struct device *d)
+
+ netif_device_detach(dev);
+
+- bcmgenet_netif_stop(dev);
++ bcmgenet_netif_stop(dev, true);
+
+ if (!device_may_wakeup(d))
+ phy_suspend(dev->phydev);
+--
+2.39.2
+
--- /dev/null
+From 3d87495fda982bfcf94420a077e3a6309ae57237 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 09:38:54 +0200
+Subject: net: dsa: mv88e6xxx: Fix mv88e6393x EPC write command offset
+
+From: Marco Migliore <m.migliore@tiesse.com>
+
+[ Upstream commit 1323e0c6e1d7e103d59384c3ac50f72b17a6936c ]
+
+According to datasheet, the command opcode must be specified
+into bits [14:12] of the Extended Port Control register (EPC).
+
+Fixes: de776d0d316f ("net: dsa: mv88e6xxx: add support for mv88e6393x family")
+Signed-off-by: Marco Migliore <m.migliore@tiesse.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/port.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/port.h b/drivers/net/dsa/mv88e6xxx/port.h
+index 03382b66f8003..3e68d534eaca5 100644
+--- a/drivers/net/dsa/mv88e6xxx/port.h
++++ b/drivers/net/dsa/mv88e6xxx/port.h
+@@ -267,7 +267,7 @@
+ /* Offset 0x10: Extended Port Control Command */
+ #define MV88E6393X_PORT_EPC_CMD 0x10
+ #define MV88E6393X_PORT_EPC_CMD_BUSY 0x8000
+-#define MV88E6393X_PORT_EPC_CMD_WRITE 0x0300
++#define MV88E6393X_PORT_EPC_CMD_WRITE 0x3000
+ #define MV88E6393X_PORT_EPC_INDEX_PORT_ETYPE 0x02
+
+ /* Offset 0x11: Extended Port Control Data */
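Review bot: MV88E6393X_PORT_EPC_CMD_WRITE carries no indication of which register bits it occupies, which makes a misplaced value like the old 0x0300 hard to spot in review. The commit message places the opcode in bits [14:12] of the EPC command register; stating that beside the define, e.g. `/* command opcode, bits [14:12] */`, lets the next reader check 0x3000 against the datasheet field directly.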
+--
+2.39.2
+
--- /dev/null
+From 2e9788457577d2f79bf39a308b400114cf8913e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 22:00:20 +0200
+Subject: net: fec: Better handle pm_runtime_get() failing in .remove()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit f816b9829b19394d318e01953aa3b2721bca040d ]
+
+In the (unlikely) event that pm_runtime_get() (disguised as
+pm_runtime_resume_and_get()) fails, the remove callback returned an
+error early. The problem with this is that the driver core ignores the
+error value and continues removing the device. This results in a
+resource leak. Worse the devm allocated resources are freed and so if a
+callback of the driver is called later the register mapping is already
+gone which probably results in a crash.
+
+Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20230510200020.1534610-1-u.kleine-koenig@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index afb30d679a473..c0c96de7a9de4 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -4054,9 +4054,11 @@ fec_drv_remove(struct platform_device *pdev)
+ struct device_node *np = pdev->dev.of_node;
+ int ret;
+
+- ret = pm_runtime_resume_and_get(&pdev->dev);
++ ret = pm_runtime_get_sync(&pdev->dev);
+ if (ret < 0)
+- return ret;
++ dev_err(&pdev->dev,
++ "Failed to resume device in remove callback (%pe)\n",
++ ERR_PTR(ret));
+
+ cancel_work_sync(&fep->tx_timeout_work);
+ fec_ptp_stop(pdev);
+@@ -4069,8 +4071,13 @@ fec_drv_remove(struct platform_device *pdev)
+ of_phy_deregister_fixed_link(np);
+ of_node_put(fep->phy_node);
+
+- clk_disable_unprepare(fep->clk_ahb);
+- clk_disable_unprepare(fep->clk_ipg);
++ /* After pm_runtime_get_sync() failed, the clks are still off, so skip
++ * disabling them again.
++ */
++ if (ret >= 0) {
++ clk_disable_unprepare(fep->clk_ahb);
++ clk_disable_unprepare(fep->clk_ipg);
++ }
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+
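Review bot: When pm_runtime_get_sync() fails, fec_drv_remove() now continues with the device not resumed, and only the two clk_disable_unprepare() calls are guarded by `ret >= 0`. fec_ptp_stop() and the calls between the two hunks (not shown here) then run with the clocks off; if any of them reads or writes a controller register, that access could fault or stall on this path. It should be confirmed that they are software-only, or the hardware-touching ones put under the same `if (ret >= 0)` guard, and the existing comment extended to say which it is.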
+--
+2.39.2
+
--- /dev/null
+From 1585635038536e608e73fc3d2dd14b5d4f51a2a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 18:00:11 +0800
+Subject: net: hns3: fix output information incomplete for dumping tx queue
+ info with debugfs
+
+From: Jie Wang <wangjie125@huawei.com>
+
+[ Upstream commit 89f6bfb071182f05d7188c255b0e7251c3806f16 ]
+
+In function hns3_dump_tx_queue_info, the print buffer is too small when
+the tx BD number is configured to 32760. As a result, information for
+several BDs is not displayed.
+
+So fix it by increasing the tx queue print buffer length.
+
+Fixes: 630a6738da82 ("net: hns3: adjust string spaces of some parameters of tx bd info in debugfs")
+Signed-off-by: Jie Wang <wangjie125@huawei.com>
+Signed-off-by: Hao Lan <lanhao@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 2 +-
+ drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
+index 15ce1a33649ee..3158c08a3aa9c 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
+@@ -123,7 +123,7 @@ static struct hns3_dbg_cmd_info hns3_dbg_cmd[] = {
+ .name = "tx_bd_queue",
+ .cmd = HNAE3_DBG_CMD_TX_BD,
+ .dentry = HNS3_DBG_DENTRY_TX_BD,
+- .buf_len = HNS3_DBG_READ_LEN_4MB,
++ .buf_len = HNS3_DBG_READ_LEN_5MB,
+ .init = hns3_dbg_bd_file_init,
+ },
+ {
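Review bot: HNS3_DBG_READ_LEN_5MB is another fixed size picked for one configuration, and nothing at the `.buf_len` assignment ties it to the 32760-BD case named in the commit message. If the per-BD line grows or the maximum ring depth changes, the dump will be cut short again without warning. A comment on the entry, e.g. `/* sized for the maximum tx BD count (32760) */`, or a size derived from that maximum, would make the dependency visible.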
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h
+index 814f7491ca08d..fb0c907cec852 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.h
+@@ -8,6 +8,7 @@
+ #define HNS3_DBG_READ_LEN_128KB 0x20000
+ #define HNS3_DBG_READ_LEN_1MB 0x100000
+ #define HNS3_DBG_READ_LEN_4MB 0x400000
++#define HNS3_DBG_READ_LEN_5MB 0x500000
+ #define HNS3_DBG_WRITE_LEN 1024
+
+ #define HNS3_DBG_DATA_STR_LEN 32
+--
+2.39.2
+
--- /dev/null
+From 6e25f202c64d3b9ee36e2d392dab89ee4ed0fd2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 18:00:13 +0800
+Subject: net: hns3: fix reset delay time to avoid configuration timeout
+
+From: Jie Wang <wangjie125@huawei.com>
+
+[ Upstream commit 814d0c786068e858d889ada3153bff82f64223ad ]
+
+Currently the hns3 vf function reset delays 5000ms before vf rebuild
+process. In product applications, this delay is too long for application
+configurations and causes configuration timeout.
+
+According to the tests, 500ms delay is enough for reset process except PF
+FLR. So this patch modifies delay to 500ms in these scenarios.
+
+Fixes: 6988eb2a9b77 ("net: hns3: Add support to reset the enet/ring mgmt layer")
+Signed-off-by: Jie Wang <wangjie125@huawei.com>
+Signed-off-by: Hao Lan <lanhao@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index 3c1ff33132213..bc140e3620d6c 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -1885,7 +1885,10 @@ static int hclgevf_reset_wait(struct hclgevf_dev *hdev)
+ * might happen in case reset assertion was made by PF. Yes, this also
+ * means we might end up waiting bit more even for VF reset.
+ */
+- msleep(5000);
++ if (hdev->reset_type == HNAE3_VF_FULL_RESET)
++ msleep(5000);
++ else
++ msleep(500);
+
+ return 0;
+ }
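Review bot: The comment that ends just above the new branch still says the wait may be longer than needed "even for VF reset", which no longer matches a path that sleeps 500 ms for everything except HNAE3_VF_FULL_RESET. The commit message names PF FLR as the case that needs the long delay, while the code tests HNAE3_VF_FULL_RESET; how the two relate is not visible in this hunk and deserves a sentence in that comment. The bare 5000 and 500 would also read better as named constants. Both the comment and hclgevf_reset_wait() begin outside the hunk.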
+--
+2.39.2
+
--- /dev/null
+From b8d03d63014dc8e7e16850ab17458fc69b609f9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 18:00:12 +0800
+Subject: net: hns3: fix sending pfc frames after reset issue
+
+From: Jijie Shao <shaojijie@huawei.com>
+
+[ Upstream commit f14db07064727dd3bc0906c77a6d2759c1bbb395 ]
+
+To prevent the system from abnormally sending PFC frames after an
+abnormal reset, the hns3 driver notifies the firmware to disable PFC
+before reset.
+
+Fixes: 35d93a30040c ("net: hns3: adjust the process of PF reset")
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Hao Lan <lanhao@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 15 +++++++++------
+ .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 4 ++--
+ .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h | 5 +++++
+ 3 files changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index f4d58fcdba272..bfdc021f4a190 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -8134,12 +8134,15 @@ static void hclge_ae_stop(struct hnae3_handle *handle)
+ /* If it is not PF reset or FLR, the firmware will disable the MAC,
+ * so it only need to stop phy here.
+ */
+- if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state) &&
+- hdev->reset_type != HNAE3_FUNC_RESET &&
+- hdev->reset_type != HNAE3_FLR_RESET) {
+- hclge_mac_stop_phy(hdev);
+- hclge_update_link_status(hdev);
+- return;
++ if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state)) {
++ hclge_pfc_pause_en_cfg(hdev, HCLGE_PFC_TX_RX_DISABLE,
++ HCLGE_PFC_DISABLE);
++ if (hdev->reset_type != HNAE3_FUNC_RESET &&
++ hdev->reset_type != HNAE3_FLR_RESET) {
++ hclge_mac_stop_phy(hdev);
++ hclge_update_link_status(hdev);
++ return;
++ }
+ }
+
+ hclge_reset_tqp(handle);
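Review bot: The return value of hclge_pfc_pause_en_cfg() is dropped in hclge_ae_stop(), so a failed firmware command leaves PFC enabled across the reset with no trace in the log, which is the condition this change is meant to prevent. hclge_ae_stop() returns void, so the failure can only be reported; something like `if (hclge_pfc_pause_en_cfg(hdev, HCLGE_PFC_TX_RX_DISABLE, HCLGE_PFC_DISABLE)) dev_warn(&hdev->pdev->dev, "failed to disable PFC before reset\n");` would do. The comment above the outer `if` now describes only the inner reset_type test and would sit better directly above it.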
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+index afc47c9b5ec46..97a6864f60ef4 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+@@ -171,8 +171,8 @@ int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx)
+ return hclge_cmd_send(&hdev->hw, &desc, 1);
+ }
+
+-static int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap,
+- u8 pfc_bitmap)
++int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap,
++ u8 pfc_bitmap)
+ {
+ struct hclge_desc desc;
+ struct hclge_pfc_en_cmd *pfc = (struct hclge_pfc_en_cmd *)desc.data;
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h
+index 5df18cc3ee556..2c5256d7f9962 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h
+@@ -155,6 +155,9 @@ struct hclge_bp_to_qs_map_cmd {
+ u32 rsvd1;
+ };
+
++#define HCLGE_PFC_DISABLE 0
++#define HCLGE_PFC_TX_RX_DISABLE 0
++
+ struct hclge_pfc_en_cmd {
+ u8 tx_rx_en_bitmap;
+ u8 pri_en_bitmap;
+@@ -226,6 +229,8 @@ void hclge_tm_schd_info_update(struct hclge_dev *hdev, u8 num_tc);
+ void hclge_tm_pfc_info_update(struct hclge_dev *hdev);
+ int hclge_tm_dwrr_cfg(struct hclge_dev *hdev);
+ int hclge_tm_init_hw(struct hclge_dev *hdev, bool init);
++int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap,
++ u8 pfc_bitmap);
+ int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx);
+ int hclge_pause_addr_cfg(struct hclge_dev *hdev, const u8 *mac_addr);
+ void hclge_pfc_rx_stats_get(struct hclge_dev *hdev, u64 *stats);
+--
+2.39.2
+
--- /dev/null
+From 682a88dc5a294bcc6e5a2d1b69eedea867fe38a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 20:54:40 +0800
+Subject: net: nsh: Use correct mac_offset to unwind gso skb in
+ nsh_gso_segment()
+
+From: Dong Chenchen <dongchenchen2@huawei.com>
+
+[ Upstream commit c83b49383b595be50647f0c764a48c78b5f3c4f8 ]
+
+As the call trace shows, skb_panic was caused by wrong skb->mac_header
+in nsh_gso_segment():
+
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1
+RIP: 0010:skb_panic+0xda/0xe0
+call Trace:
+ skb_push+0x91/0xa0
+ nsh_gso_segment+0x4f3/0x570
+ skb_mac_gso_segment+0x19e/0x270
+ __skb_gso_segment+0x1e8/0x3c0
+ validate_xmit_skb+0x452/0x890
+ validate_xmit_skb_list+0x99/0xd0
+ sch_direct_xmit+0x294/0x7c0
+ __dev_queue_xmit+0x16f0/0x1d70
+ packet_xmit+0x185/0x210
+ packet_snd+0xc15/0x1170
+ packet_sendmsg+0x7b/0xa0
+ sock_sendmsg+0x14f/0x160
+
+The root cause is:
+nsh_gso_segment() use skb->network_header - nhoff to reset mac_header
+in skb_gso_error_unwind() if inner-layer protocol gso fails.
+However, skb->network_header may be reset by inner-layer protocol
+gso function e.g. mpls_gso_segment. skb->mac_header reset by the
+inaccurate network_header will be larger than skb headroom.
+
+nsh_gso_segment
+ nhoff = skb->network_header - skb->mac_header;
+ __skb_pull(skb,nsh_len)
+ skb_mac_gso_segment
+ mpls_gso_segment
+ skb_reset_network_header(skb);//skb->network_header+=nsh_len
+ return -EINVAL;
+ skb_gso_error_unwind
+ skb_push(skb, nsh_len);
+ skb->mac_header = skb->network_header - nhoff;
+ // skb->mac_header > skb->headroom, cause skb_push panic
+
+Use correct mac_offset to restore mac_header and get rid of nhoff.
+
+Fixes: c411ed854584 ("nsh: add GSO support")
+Reported-by: syzbot+632b5d9964208bfef8c0@syzkaller.appspotmail.com
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nsh/nsh.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c
+index e9ca007718b7e..0f23e5e8e03eb 100644
+--- a/net/nsh/nsh.c
++++ b/net/nsh/nsh.c
+@@ -77,13 +77,12 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
+ netdev_features_t features)
+ {
+ struct sk_buff *segs = ERR_PTR(-EINVAL);
++ u16 mac_offset = skb->mac_header;
+ unsigned int nsh_len, mac_len;
+ __be16 proto;
+- int nhoff;
+
+ skb_reset_network_header(skb);
+
+- nhoff = skb->network_header - skb->mac_header;
+ mac_len = skb->mac_len;
+
+ if (unlikely(!pskb_may_pull(skb, NSH_BASE_HDR_LEN)))
+@@ -108,15 +107,14 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
+ segs = skb_mac_gso_segment(skb, features);
+ if (IS_ERR_OR_NULL(segs)) {
+ skb_gso_error_unwind(skb, htons(ETH_P_NSH), nsh_len,
+- skb->network_header - nhoff,
+- mac_len);
++ mac_offset, mac_len);
+ goto out;
+ }
+
+ for (skb = segs; skb; skb = skb->next) {
+ skb->protocol = htons(ETH_P_NSH);
+ __skb_push(skb, nsh_len);
+- skb_set_mac_header(skb, -nhoff);
++ skb->mac_header = mac_offset;
+ skb->network_header = skb->mac_header + mac_len;
+ skb->mac_len = mac_len;
+ }
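Review bot: `mac_offset` is read from skb->mac_header at its declaration, before any header pointer is touched, but nothing in nsh_gso_segment() says that the position matters. The commit message explains that an inner GSO handler may reset network_header, which is why the old network_header-relative restore was wrong; a one-line comment such as `/* saved up front: inner GSO handlers may move network_header */` would record that. In the segment loop the saved offset is written straight into each segment's skb->mac_header, which assumes every segment keeps the original skb's headroom layout; that assumption is not visible here and is worth confirming. The function extends beyond both hunks.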
+--
+2.39.2
+
--- /dev/null
+From d9679744b5bfe0ed7ab0bc514d739d0e9dd08cce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 18:21:39 +0530
+Subject: net: phy: dp83867: add w/a for packet errors seen with short cables
+
+From: Grygorii Strashko <grygorii.strashko@ti.com>
+
+[ Upstream commit 0b01db274028f5acd207332686ffc92ac77491ac ]
+
+Introduce the W/A for packet errors seen with short cables (<1m) between
+two DP83867 PHYs.
+
+The W/A recommended by DM requires FFE Equalizer Configuration tuning by
+writing value 0x0E81 to DSP_FFE_CFG register (0x012C), surrounded by hard
+and soft resets as follows:
+
+write_reg(0x001F, 0x8000); //hard reset
+write_reg(DSP_FFE_CFG, 0x0E81);
+write_reg(0x001F, 0x4000); //soft reset
+
+Since DP83867 PHY DM says "Changing this register to 0x0E81, will not
+affect Long Cable performance.", enable the W/A by default.
+
+Fixes: 2a10154abcb7 ("net: phy: dp83867: Add TI dp83867 phy")
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/dp83867.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c
+index 783e30451e30d..6230dd5e29902 100644
+--- a/drivers/net/phy/dp83867.c
++++ b/drivers/net/phy/dp83867.c
+@@ -41,6 +41,7 @@
+ #define DP83867_STRAP_STS1 0x006E
+ #define DP83867_STRAP_STS2 0x006f
+ #define DP83867_RGMIIDCTL 0x0086
++#define DP83867_DSP_FFE_CFG 0x012c
+ #define DP83867_RXFCFG 0x0134
+ #define DP83867_RXFPMD1 0x0136
+ #define DP83867_RXFPMD2 0x0137
+@@ -841,8 +842,27 @@ static int dp83867_phy_reset(struct phy_device *phydev)
+
+ usleep_range(10, 20);
+
+- return phy_modify(phydev, MII_DP83867_PHYCTRL,
++ err = phy_modify(phydev, MII_DP83867_PHYCTRL,
+ DP83867_PHYCR_FORCE_LINK_GOOD, 0);
++ if (err < 0)
++ return err;
++
++ /* Configure the DSP Feedforward Equalizer Configuration register to
++ * improve short cable (< 1 meter) performance. This will not affect
++ * long cable performance.
++ */
++ err = phy_write_mmd(phydev, DP83867_DEVADDR, DP83867_DSP_FFE_CFG,
++ 0x0e81);
++ if (err < 0)
++ return err;
++
++ err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESTART);
++ if (err < 0)
++ return err;
++
++ usleep_range(10, 20);
++
++ return 0;
+ }
+
+ static void dp83867_link_change_notify(struct phy_device *phydev)
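Review bot: The workaround value `0x0e81` is written as a bare literal in dp83867_phy_reset(), while the register itself got a named define in the same commit. A named constant placed next to DP83867_DSP_FFE_CFG would let the value be found and checked against the data manual. The `usleep_range(10, 20)` after DP83867_SW_RESTART mirrors the earlier delay in this function; whether that is long enough before the next register access is not something the hunk shows. The continuation line under `err = phy_modify(` also kept its old alignment.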
+--
+2.39.2
+
--- /dev/null
+From df0156ca3ed88a65be2839207b53996f90fb6c2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 14:15:15 +0200
+Subject: netfilter: nf_tables: fix nft_trans type confusion
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit e3c361b8acd636f5fe80c02849ca175201edf10c ]
+
+nft_trans_FOO objects all share a common nft_trans base structure, but
+trailing fields depend on the real object size. Access is only safe after
+trans->msg_type check.
+
+Check for rule type first. Found by code inspection.
+
+Fixes: 1a94e38d254b ("netfilter: nf_tables: add NFTA_RULE_ID attribute")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 091df8a7cb1e7..f20244a91d781 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3595,12 +3595,10 @@ static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
+ struct nft_trans *trans;
+
+ list_for_each_entry(trans, &nft_net->commit_list, list) {
+- struct nft_rule *rule = nft_trans_rule(trans);
+-
+ if (trans->msg_type == NFT_MSG_NEWRULE &&
+ trans->ctx.chain == chain &&
+ id == nft_trans_rule_id(trans))
+- return rule;
++ return nft_trans_rule(trans);
+ }
+ return ERR_PTR(-ENOENT);
+ }
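Review bot: The safety of nft_rule_lookup_byid() now rests entirely on the order of the `&&` operands: nft_trans_rule_id() and nft_trans_rule() are reached only after `trans->msg_type == NFT_MSG_NEWRULE` has held. Nothing in the code says so, and hoisting either accessor back into a local, as the removed line did, would reintroduce the type confusion. I would add `/* nft_trans_rule*() are valid only for NFT_MSG_NEWRULE; keep the msg_type test first */` above the condition. The function starts outside this hunk.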
+--
+2.39.2
+
--- /dev/null
+From 96395bef357ae1ab6010728e561e0d752ae0e1ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 22:39:30 +0200
+Subject: netfilter: nft_set_rbtree: fix null deref on element insertion
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 61ae320a29b0540c16931816299eb86bf2b66c08 ]
+
+There is no guarantee that rb_prev() will not return NULL in nft_rbtree_gc_elem():
+
+general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
+ nft_add_set_elem+0x14b0/0x2990
+ nf_tables_newsetelem+0x528/0xb30
+
+Furthermore, there is a possible use-after-free while iterating,
+'node' can be free'd so we need to cache the next value to use.
+
+Fixes: c9e6978e2725 ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_rbtree.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
+index 19ea4d3c35535..2f114aa10f1a7 100644
+--- a/net/netfilter/nft_set_rbtree.c
++++ b/net/netfilter/nft_set_rbtree.c
+@@ -221,7 +221,7 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set,
+ {
+ struct nft_set *set = (struct nft_set *)__set;
+ struct rb_node *prev = rb_prev(&rbe->node);
+- struct nft_rbtree_elem *rbe_prev;
++ struct nft_rbtree_elem *rbe_prev = NULL;
+ struct nft_set_gc_batch *gcb;
+
+ gcb = nft_set_gc_batch_check(set, NULL, GFP_ATOMIC);
+@@ -229,17 +229,21 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set,
+ return -ENOMEM;
+
+ /* search for expired end interval coming before this element. */
+- do {
++ while (prev) {
+ rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node);
+ if (nft_rbtree_interval_end(rbe_prev))
+ break;
+
+ prev = rb_prev(prev);
+- } while (prev != NULL);
++ }
++
++ if (rbe_prev) {
++ rb_erase(&rbe_prev->node, &priv->root);
++ atomic_dec(&set->nelems);
++ }
+
+- rb_erase(&rbe_prev->node, &priv->root);
+ rb_erase(&rbe->node, &priv->root);
+- atomic_sub(2, &set->nelems);
++ atomic_dec(&set->nelems);
+
+ nft_set_gc_batch_add(gcb, rbe);
+ nft_set_gc_batch_complete(gcb);
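Review bot: `if (rbe_prev)` does not distinguish a found end interval from an exhausted walk. When the loop runs at least once and exits because `prev` became NULL, `rbe_prev` still points at the last element visited, which did not satisfy `nft_rbtree_interval_end()`, and that element is then erased and counted out of `set->nelems`. `prev` is non-NULL only on the `break` path, so the guard should read `if (prev) {`. The start of nft_rbtree_gc_elem() is in the previous hunk and its tail is outside this one.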
+@@ -268,7 +272,7 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
+ struct nft_set_ext **ext)
+ {
+ struct nft_rbtree_elem *rbe, *rbe_le = NULL, *rbe_ge = NULL;
+- struct rb_node *node, *parent, **p, *first = NULL;
++ struct rb_node *node, *next, *parent, **p, *first = NULL;
+ struct nft_rbtree *priv = nft_set_priv(set);
+ u8 genmask = nft_genmask_next(net);
+ int d, err;
+@@ -307,7 +311,9 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
+ * Values stored in the tree are in reversed order, starting from
+ * highest to lowest value.
+ */
+- for (node = first; node != NULL; node = rb_next(node)) {
++ for (node = first; node != NULL; node = next) {
++ next = rb_next(node);
++
+ rbe = rb_entry(node, struct nft_rbtree_elem, node);
+
+ if (!nft_set_elem_active(&rbe->ext, genmask))
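Review bot: The reason `next` is read before the loop body runs is not stated at the loop, either in this hunk or in the declaration hunk before it. The commit message says `node` can be freed during the walk. A comment such as `/* the body may release 'node'; fetch its successor first */` above `next = rb_next(node);` would keep a later edit from folding the call back into the `for` header. The rest of the loop body is outside the hunk, so where the release happens cannot be confirmed from here.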
+--
+2.39.2
+
--- /dev/null
+From cbf4b6f4dfa35b245eef32cf66c79a35b647d408 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Apr 2023 09:46:18 +0200
+Subject: Revert "Fix XFRM-I support for nested ESP tunnels"
+
+From: Martin Willi <martin@strongswan.org>
+
+[ Upstream commit 5fc46f94219d1d103ffb5f0832be9da674d85a73 ]
+
+This reverts commit b0355dbbf13c0052931dd14c38c789efed64d3de.
+
+The reverted commit clears the secpath on packets received via xfrm interfaces
+to support nested IPsec tunnels. This breaks Netfilter policy matching using
+xt_policy in the FORWARD chain, as the secpath is missing during forwarding.
+Additionally, Benedict Wong reports that it breaks Transport-in-Tunnel mode.
+
+Fix this regression by reverting the commit until we have a better approach
+for nested IPsec tunnels.
+
+Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels")
+Link: https://lore.kernel.org/netdev/20230412085615.124791-1-martin@strongswan.org/
+Signed-off-by: Martin Willi <martin@strongswan.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_interface.c | 54 +++------------------------------------
+ net/xfrm/xfrm_policy.c | 3 ---
+ 2 files changed, 4 insertions(+), 53 deletions(-)
+
+diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
+index 694eec6ca147e..1e8b26eecb3f8 100644
+--- a/net/xfrm/xfrm_interface.c
++++ b/net/xfrm/xfrm_interface.c
+@@ -207,52 +207,6 @@ static void xfrmi_scrub_packet(struct sk_buff *skb, bool xnet)
+ skb->mark = 0;
+ }
+
+-static int xfrmi_input(struct sk_buff *skb, int nexthdr, __be32 spi,
+- int encap_type, unsigned short family)
+-{
+- struct sec_path *sp;
+-
+- sp = skb_sec_path(skb);
+- if (sp && (sp->len || sp->olen) &&
+- !xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family))
+- goto discard;
+-
+- XFRM_SPI_SKB_CB(skb)->family = family;
+- if (family == AF_INET) {
+- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
+- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
+- } else {
+- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
+- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL;
+- }
+-
+- return xfrm_input(skb, nexthdr, spi, encap_type);
+-discard:
+- kfree_skb(skb);
+- return 0;
+-}
+-
+-static int xfrmi4_rcv(struct sk_buff *skb)
+-{
+- return xfrmi_input(skb, ip_hdr(skb)->protocol, 0, 0, AF_INET);
+-}
+-
+-static int xfrmi6_rcv(struct sk_buff *skb)
+-{
+- return xfrmi_input(skb, skb_network_header(skb)[IP6CB(skb)->nhoff],
+- 0, 0, AF_INET6);
+-}
+-
+-static int xfrmi4_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
+-{
+- return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET);
+-}
+-
+-static int xfrmi6_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
+-{
+- return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET6);
+-}
+-
+ static int xfrmi_rcv_cb(struct sk_buff *skb, int err)
+ {
+ const struct xfrm_mode *inner_mode;
+@@ -820,8 +774,8 @@ static struct pernet_operations xfrmi_net_ops = {
+ };
+
+ static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = {
+- .handler = xfrmi6_rcv,
+- .input_handler = xfrmi6_input,
++ .handler = xfrm6_rcv,
++ .input_handler = xfrm_input,
+ .cb_handler = xfrmi_rcv_cb,
+ .err_handler = xfrmi6_err,
+ .priority = 10,
+@@ -871,8 +825,8 @@ static struct xfrm6_tunnel xfrmi_ip6ip_handler __read_mostly = {
+ #endif
+
+ static struct xfrm4_protocol xfrmi_esp4_protocol __read_mostly = {
+- .handler = xfrmi4_rcv,
+- .input_handler = xfrmi4_input,
++ .handler = xfrm4_rcv,
++ .input_handler = xfrm_input,
+ .cb_handler = xfrmi_rcv_cb,
+ .err_handler = xfrmi4_err,
+ .priority = 10,
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 37eeda0f123cd..c15ef8003caa9 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3663,9 +3663,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+ goto reject;
+ }
+
+- if (if_id)
+- secpath_reset(skb);
+-
+ xfrm_pols_put(pols, npols);
+ return 1;
+ }
+--
+2.39.2
+
--- /dev/null
+From 0ee472f9dd77728142a0cae241b828756c825bcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 May 2023 11:12:42 +0200
+Subject: s390/cio: include subchannels without devices also for evaluation
+
+From: Vineeth Vijayan <vneethv@linux.ibm.com>
+
+[ Upstream commit b1b0d5aec1cf9f9a900a14964f869c68688d923e ]
+
+Currently when the new channel-path is enabled, we do evaluation only
+on the subchannels with a device connected on it. This is because,
+in the past, if the device in the subchannel is not working or not
+available, we used to unregister the subchannels. But, from the 'commit
+2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers")'
+we allow subchannels with or without an active device connected
+on it. So, when we do the io_subchannel_verify, make sure that,
+we are evaluating the subchannels without any device too.
+
+Fixes: 2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers")
+Reported-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
+Signed-off-by: Vineeth Vijayan <vneethv@linux.ibm.com>
+Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/device.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
+index 61cde02b23fec..b21fa57d1a46b 100644
+--- a/drivers/s390/cio/device.c
++++ b/drivers/s390/cio/device.c
+@@ -1116,6 +1116,8 @@ static void io_subchannel_verify(struct subchannel *sch)
+ cdev = sch_get_cdev(sch);
+ if (cdev)
+ dev_fsm_event(cdev, DEV_EVENT_VERIFY);
++ else
++ css_schedule_eval(sch->schid);
+ }
+
+ static void io_subchannel_terminate_path(struct subchannel *sch, u8 mask)
+--
+2.39.2
+
--- /dev/null
+From 958775351ba84f81081ff2c2e6a6b3359f4b521a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 May 2023 10:20:41 -0700
+Subject: scsi: storvsc: Don't pass unused PFNs to Hyper-V host
+
+From: Michael Kelley <mikelley@microsoft.com>
+
+[ Upstream commit 4e81a6cba517cb33584308a331f14f5e3fec369b ]
+
+In a SCSI request, storvsc pre-allocates space for up to
+MAX_PAGE_BUFFER_COUNT physical frame numbers to be passed to Hyper-V. If
+the size of the I/O request requires more PFNs, a separate memory area of
+exactly the correct size is dynamically allocated.
+
+But when the pre-allocated area is used, current code always passes
+MAX_PAGE_BUFFER_COUNT PFNs to Hyper-V, even if fewer are needed. While
+this doesn't break anything because the additional PFNs are always zero,
+more bytes than necessary are copied into the VMBus channel ring buffer.
+This takes CPU cycles and wastes space in the ring buffer. For a typical 4
+Kbyte I/O that requires only a single PFN, 248 unnecessary bytes are
+copied.
+
+Fix this by setting the payload_sz based on the actual number of PFNs
+required, not the size of the pre-allocated space.
+
+Reported-by: John Starks <jostarks@microsoft.com>
+Fixes: 8f43710543ef ("scsi: storvsc: Support PAGE_SIZE larger than 4K")
+Signed-off-by: Michael Kelley <mikelley@microsoft.com>
+Link: https://lore.kernel.org/r/1684171241-16209-1-git-send-email-mikelley@microsoft.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/storvsc_drv.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
+index 83a3d9f085d84..c9b1500c2ab87 100644
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -1843,7 +1843,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
+
+ length = scsi_bufflen(scmnd);
+ payload = (struct vmbus_packet_mpb_array *)&cmd_request->mpb;
+- payload_sz = sizeof(cmd_request->mpb);
++ payload_sz = 0;
+
+ if (sg_count) {
+ unsigned int hvpgoff, hvpfns_to_add;
+@@ -1851,10 +1851,10 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
+ unsigned int hvpg_count = HVPFN_UP(offset_in_hvpg + length);
+ u64 hvpfn;
+
+- if (hvpg_count > MAX_PAGE_BUFFER_COUNT) {
++ payload_sz = (hvpg_count * sizeof(u64) +
++ sizeof(struct vmbus_packet_mpb_array));
+
+- payload_sz = (hvpg_count * sizeof(u64) +
+- sizeof(struct vmbus_packet_mpb_array));
++ if (hvpg_count > MAX_PAGE_BUFFER_COUNT) {
+ payload = kzalloc(payload_sz, GFP_ATOMIC);
+ if (!payload)
+ return SCSI_MLQUEUE_DEVICE_BUSY;
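Review bot: `payload_sz` is now derived from `hvpg_count` on both branches, but the pre-allocated branch has no visible check or comment tying that size to `sizeof(cmd_request->mpb)`. It holds only if `mpb` has room for `MAX_PAGE_BUFFER_COUNT` PFNs, and that declaration is outside the hunk. I would add a comment above the `if (hvpg_count > MAX_PAGE_BUFFER_COUNT)` test, `/* at or below the limit the PFNs fit in cmd_request->mpb */`, and one at `payload_sz = 0;` in the first hunk saying the value is kept for requests without a data buffer. storvsc_queuecommand() continues outside both hunks, so how the send path treats a zero `payload_sz` cannot be confirmed from here.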
+--
+2.39.2
+
--- /dev/null
+From 9322046705d95eaaad031626d783659370352f6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 13:16:37 +0200
+Subject: selftests: seg6: disable DAD on IPv6 router cfg for
+ srv6_end_dt4_l3vpn_test
+
+From: Andrea Mayer <andrea.mayer@uniroma2.it>
+
+[ Upstream commit 21a933c79a33add3612808f3be4ad65dd4dc026b ]
+
+The srv6_end_dt4_l3vpn_test instantiates a virtual network consisting of
+several routers (rt-1, rt-2) and hosts.
+When the IPv6 addresses of rt-{1,2} routers are configured, the Deduplicate
+Address Detection (DAD) kicks in when enabled in the Linux distros running
+the selftests. DAD is used to check whether an IPv6 address is already
+assigned in a network. Such a mechanism consists of sending an ICMPv6 Echo
+Request and waiting for a reply.
+As the DAD process could take too long to complete, it may cause the
+failing of some tests carried out by the srv6_end_dt4_l3vpn_test script.
+
+To make the srv6_end_dt4_l3vpn_test more robust, we disable DAD on routers
+since we configure the virtual network manually and do not need any address
+deduplication mechanism at all.
+
+Fixes: 2195444e09b4 ("selftests: add selftest for the SRv6 End.DT4 behavior")
+Signed-off-by: Andrea Mayer <andrea.mayer@uniroma2.it>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
+index 1003119773e5d..37f08d582d2fe 100755
+--- a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
++++ b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
+@@ -232,10 +232,14 @@ setup_rt_networking()
+ local nsname=rt-${rt}
+
+ ip netns add ${nsname}
++
++ ip netns exec ${nsname} sysctl -wq net.ipv6.conf.all.accept_dad=0
++ ip netns exec ${nsname} sysctl -wq net.ipv6.conf.default.accept_dad=0
++
+ ip link set veth-rt-${rt} netns ${nsname}
+ ip -netns ${nsname} link set veth-rt-${rt} name veth0
+
+- ip -netns ${nsname} addr add ${IPv6_RT_NETWORK}::${rt}/64 dev veth0
++ ip -netns ${nsname} addr add ${IPv6_RT_NETWORK}::${rt}/64 dev veth0 nodad
+ ip -netns ${nsname} link set veth0 up
+ ip -netns ${nsname} link set lo up
+
+--
+2.39.2
+
--- /dev/null
+From e3eac71692c056f2b2059063c55b5c9091d58d2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 May 2023 13:16:38 +0200
+Subject: selftets: seg6: disable rp_filter by default in
+ srv6_end_dt4_l3vpn_test
+
+From: Andrea Mayer <andrea.mayer@uniroma2.it>
+
+[ Upstream commit f97b8401e0deb46ad1e4245c21f651f64f55aaa6 ]
+
+On some distributions, the rp_filter is automatically set (=1) by
+default on a netdev basis (also on VRFs).
+In an SRv6 End.DT4 behavior, decapsulated IPv4 packets are routed using
+the table associated with the VRF bound to that tunnel. During lookup
+operations, the rp_filter can lead to packet loss when activated on the
+VRF.
+Therefore, we chose to make this selftest more robust by explicitly
+disabling the rp_filter during tests (as it is automatically set by some
+Linux distributions).
+
+Fixes: 2195444e09b4 ("selftests: add selftest for the SRv6 End.DT4 behavior")
+Reported-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Andrea Mayer <andrea.mayer@uniroma2.it>
+Tested-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/net/srv6_end_dt4_l3vpn_test.sh | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
+index 37f08d582d2fe..f962823628119 100755
+--- a/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
++++ b/tools/testing/selftests/net/srv6_end_dt4_l3vpn_test.sh
+@@ -258,6 +258,12 @@ setup_hs()
+
+ # set the networking for the host
+ ip netns add ${hsname}
++
++ # disable the rp_filter otherwise the kernel gets confused about how
++ # to route decap ipv4 packets.
++ ip netns exec ${rtname} sysctl -wq net.ipv4.conf.all.rp_filter=0
++ ip netns exec ${rtname} sysctl -wq net.ipv4.conf.default.rp_filter=0
++
+ ip -netns ${hsname} link add veth0 type veth peer name ${rtveth}
+ ip -netns ${hsname} link set ${rtveth} netns ${rtname}
+ ip -netns ${hsname} addr add ${IPv4_HS_NETWORK}.${hs}/24 dev veth0
+@@ -276,11 +282,6 @@ setup_hs()
+
+ ip netns exec ${rtname} sysctl -wq net.ipv4.conf.${rtveth}.proxy_arp=1
+
+- # disable the rp_filter otherwise the kernel gets confused about how
+- # to route decap ipv4 packets.
+- ip netns exec ${rtname} sysctl -wq net.ipv4.conf.all.rp_filter=0
+- ip netns exec ${rtname} sysctl -wq net.ipv4.conf.${rtveth}.rp_filter=0
+-
+ ip netns exec ${rtname} sh -c "echo 1 > /proc/sys/net/vrf/strict_mode"
+ }
+
+--
+2.39.2
+
--- /dev/null
+From b04f425156c0f812c1a64d2ff62555edab45a8d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Apr 2023 11:19:15 -0700
+Subject: serial: 8250_bcm7271: balance clk_enable calls
+
+From: Doug Berger <opendmb@gmail.com>
+
+[ Upstream commit 8a3b5477256a54ae4a470dcebbcf8cdc18e4696d ]
+
+The sw_baud clock must be disabled when the device driver is not
+connected to the device. This now occurs when probe fails and
+upon remove.
+
+Fixes: 41a469482de2 ("serial: 8250: Add new 8250-core based Broadcom STB driver")
+Reported-by: XuDong Liu <m202071377@hust.edu.cn>
+Link: https://lore.kernel.org/lkml/20230424125100.4783-1-m202071377@hust.edu.cn/
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20230427181916.2983697-2-opendmb@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_bcm7271.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_bcm7271.c b/drivers/tty/serial/8250/8250_bcm7271.c
+index 87ff28a3a94c5..513ed24cba5ce 100644
+--- a/drivers/tty/serial/8250/8250_bcm7271.c
++++ b/drivers/tty/serial/8250/8250_bcm7271.c
+@@ -1036,7 +1036,7 @@ static int brcmuart_probe(struct platform_device *pdev)
+ if (clk_rate == 0) {
+ dev_err(dev, "clock-frequency or clk not defined\n");
+ ret = -EINVAL;
+- goto release_dma;
++ goto err_clk_disable;
+ }
+
+ dev_dbg(dev, "DMA is %senabled\n", priv->dma_enabled ? "" : "not ");
+@@ -1123,6 +1123,8 @@ static int brcmuart_probe(struct platform_device *pdev)
+ serial8250_unregister_port(priv->line);
+ err:
+ brcmuart_free_bufs(dev, priv);
++err_clk_disable:
++ clk_disable_unprepare(baud_mux_clk);
+ release_dma:
+ if (priv->dma_enabled)
+ brcmuart_arbitration(priv, 0);
+@@ -1137,6 +1139,7 @@ static int brcmuart_remove(struct platform_device *pdev)
+ hrtimer_cancel(&priv->hrt);
+ serial8250_unregister_port(priv->line);
+ brcmuart_free_bufs(&pdev->dev, priv);
++ clk_disable_unprepare(priv->baud_mux_clk);
+ if (priv->dma_enabled)
+ brcmuart_arbitration(priv, 0);
+ return 0;
+--
+2.39.2
+
--- /dev/null
+From 6c6666d9c1677818afd5a7a8e8005a3ecbd9549c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Apr 2023 11:19:16 -0700
+Subject: serial: 8250_bcm7271: fix leak in `brcmuart_probe`
+
+From: Doug Berger <opendmb@gmail.com>
+
+[ Upstream commit f264f2f6f4788dc031cef60a0cf2881902736709 ]
+
+Smatch reports:
+drivers/tty/serial/8250/8250_bcm7271.c:1120 brcmuart_probe() warn:
+'baud_mux_clk' from clk_prepare_enable() not released on lines: 1032.
+
+The issue is fixed by using a managed clock.
+
+Fixes: 41a469482de2 ("serial: 8250: Add new 8250-core based Broadcom STB driver")
+Reported-by: XuDong Liu <m202071377@hust.edu.cn>
+Link: https://lore.kernel.org/lkml/20230424125100.4783-1-m202071377@hust.edu.cn/
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20230427181916.2983697-3-opendmb@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_bcm7271.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_bcm7271.c b/drivers/tty/serial/8250/8250_bcm7271.c
+index 513ed24cba5ce..f95047160b4d2 100644
+--- a/drivers/tty/serial/8250/8250_bcm7271.c
++++ b/drivers/tty/serial/8250/8250_bcm7271.c
+@@ -1016,7 +1016,7 @@ static int brcmuart_probe(struct platform_device *pdev)
+ of_property_read_u32(np, "clock-frequency", &clk_rate);
+
+ /* See if a Baud clock has been specified */
+- baud_mux_clk = of_clk_get_by_name(np, "sw_baud");
++ baud_mux_clk = devm_clk_get(dev, "sw_baud");
+ if (IS_ERR(baud_mux_clk)) {
+ if (PTR_ERR(baud_mux_clk) == -EPROBE_DEFER) {
+ ret = -EPROBE_DEFER;
+--
+2.39.2
+
--- /dev/null
+From e4ead7250a0ad78fe03e012b5353615456839501 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Apr 2023 11:16:36 +0800
+Subject: serial: arc_uart: fix of_iomap leak in `arc_serial_probe`
+
+From: Ke Zhang <m202171830@hust.edu.cn>
+
+[ Upstream commit 8ab5fc55d7f65d58a3c3aeadf11bdf60267cd2bd ]
+
+Smatch reports:
+
+drivers/tty/serial/arc_uart.c:631 arc_serial_probe() warn:
+'port->membase' from of_iomap() not released on lines: 631.
+
+In arc_serial_probe(), if uart_add_one_port() fails,
+port->membase is not released, which would cause a resource leak.
+
+To fix this, I replace of_iomap with devm_platform_ioremap_resource.
+
+Fixes: 8dbe1d5e09a7 ("serial/arc: inline the probe helper")
+Signed-off-by: Ke Zhang <m202171830@hust.edu.cn>
+Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
+Link: https://lore.kernel.org/r/20230428031636.44642-1-m202171830@hust.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/arc_uart.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/serial/arc_uart.c b/drivers/tty/serial/arc_uart.c
+index 596217d10d5c7..4d0e992f78445 100644
+--- a/drivers/tty/serial/arc_uart.c
++++ b/drivers/tty/serial/arc_uart.c
+@@ -607,10 +607,11 @@ static int arc_serial_probe(struct platform_device *pdev)
+ }
+ uart->baud = val;
+
+- port->membase = of_iomap(np, 0);
+- if (!port->membase)
++ port->membase = devm_platform_ioremap_resource(pdev, 0);
++ if (IS_ERR(port->membase)) {
+ /* No point of dev_err since UART itself is hosed here */
+- return -ENXIO;
++ return PTR_ERR(port->membase);
++ }
+
+ port->irq = irq_of_parse_and_map(np, 0);
+
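Review bot: On failure this stores an ERR_PTR value in `port->membase` before returning, where the old code left NULL. Whether anything reads `port->membase` after a failed probe is not visible in the hunk, but a NULL test elsewhere would no longer catch it. Assigning through a local avoids the question: `void __iomem *base = devm_platform_ioremap_resource(pdev, 0);`, `if (IS_ERR(base)) return PTR_ERR(base);`, `port->membase = base;`. arc_serial_probe() starts and ends outside the hunk.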
+--
+2.39.2
+
platform-x86-hp-wmi-support-touchpad-on-off.patch
platform-x86-move-existing-hp-drivers-to-a-new-hp-su.patch
platform-x86-hp-wmi-add-micmute-to-hp_wmi_keymap-str.patch
+xfrm-don-t-check-the-default-policy-if-the-policy-al.patch
+revert-fix-xfrm-i-support-for-nested-esp-tunnels.patch
+drm-msm-dp-unregister-audio-driver-during-unbind.patch
+drm-msm-dpu-add-intf_5-interrupts.patch
+drm-msm-dpu-move-non-mdp_top-intf_intr-offsets-out-o.patch
+drm-msm-dpu-remove-duplicate-register-defines-from-i.patch
+dt-bindings-display-msm-dsi-controller-main-document.patch
+asoc-fsl_micfil-fix-error-handler-with-pm_runtime_en.patch
+cpupower-make-tsc-read-per-cpu-for-mperf-monitor.patch
+af_key-reject-optional-tunnel-beet-mode-templates-in.patch
+selftests-seg6-disable-dad-on-ipv6-router-cfg-for-sr.patch
+selftets-seg6-disable-rp_filter-by-default-in-srv6_e.patch
+net-fec-better-handle-pm_runtime_get-failing-in-.rem.patch
+net-phy-dp83867-add-w-a-for-packet-errors-seen-with-.patch
+alsa-firewire-digi00x-prevent-potential-use-after-fr.patch
+alsa-hda-realtek-apply-hp-b-o-top-speaker-profile-to.patch
+vsock-avoid-to-close-connected-socket-after-the-time.patch
+tcp-fix-possible-sk_priority-leak-in-tcp_v4_send_res.patch
+serial-arc_uart-fix-of_iomap-leak-in-arc_serial_prob.patch
+serial-8250_bcm7271-balance-clk_enable-calls.patch
+serial-8250_bcm7271-fix-leak-in-brcmuart_probe.patch
+erspan-get-the-proto-with-the-md-version-for-collect.patch
+net-hns3-fix-output-information-incomplete-for-dumpi.patch
+net-hns3-fix-sending-pfc-frames-after-reset-issue.patch
+net-hns3-fix-reset-delay-time-to-avoid-configuration.patch
+media-netup_unidvb-fix-use-after-free-at-del_timer.patch
+sunrpc-double-free-xprt_ctxt-while-still-in-use.patch
+tracing-introduce-helpers-to-safely-handle-dynamic-s.patch
+sunrpc-clean-up-svc_deferred_class-trace-events.patch
+sunrpc-remove-dead-code-in-svc_tcp_release_rqst.patch
+sunrpc-remove-svc_rqst-rq_xprt_hlen.patch
+sunrpc-always-free-ctxt-when-freeing-deferred-reques.patch
+sunrpc-fix-trace_svc_register-call-site.patch
+drm-exynos-fix-g2d_open-close-helper-function-defini.patch
+net-nsh-use-correct-mac_offset-to-unwind-gso-skb-in-.patch
+virtio-net-maintain-reverse-cleanup-order.patch
+virtio_net-fix-error-unwinding-of-xdp-initialization.patch
+tipc-add-tipc_bearer_min_mtu-to-calculate-min-mtu.patch
+tipc-do-not-update-mtu-if-msg_max-is-too-small-in-mt.patch
+tipc-check-the-bearer-min-mtu-properly-when-setting-.patch
+s390-cio-include-subchannels-without-devices-also-fo.patch
+net-bcmgenet-remove-phy_stop-from-bcmgenet_netif_sto.patch
+net-bcmgenet-restore-phy_stop-depending-upon-suspend.patch
+wifi-mac80211-fix-min-center-freq-offset-tracing.patch
+wifi-iwlwifi-mvm-fix-cancel_delayed_work_sync-deadlo.patch
+wifi-iwlwifi-mvm-don-t-trust-firmware-n_channels.patch
+scsi-storvsc-don-t-pass-unused-pfns-to-hyper-v-host.patch
+cassini-fix-a-memory-leak-in-the-error-handling-path.patch
+net-dsa-mv88e6xxx-fix-mv88e6393x-epc-write-command-o.patch
+igb-fix-bit_shift-to-be-in-1.8-range.patch
+vlan-fix-a-potential-uninit-value-in-vlan_dev_hard_s.patch
+netfilter-nf_tables-fix-nft_trans-type-confusion.patch
+netfilter-nft_set_rbtree-fix-null-deref-on-element-i.patch
+bridge-always-declare-tunnel-functions.patch
--- /dev/null
+From 0c425df52d98dc9d0c9cc3bc868496657e35f403 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 May 2023 09:42:47 +1000
+Subject: SUNRPC: always free ctxt when freeing deferred request
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit 948f072ada23e0a504c5e4d7d71d4c83bd0785ec ]
+
+Since the ->xprt_ctxt pointer was added to svc_deferred_req, it has not
+been sufficient to use kfree() to free a deferred request. We may need
+to free the ctxt as well.
+
+As freeing the ctxt is all that ->xpo_release_rqst() does, we repurpose
+it to explicit do that even when the ctxt is not stored in an rqst.
+So we now have ->xpo_release_ctxt() which is given an xprt and a ctxt,
+which may have been taken either from an rqst or from a dreq. The
+caller is now responsible for clearing that pointer after the call to
+->xpo_release_ctxt.
+
+We also clear dr->xprt_ctxt when the ctxt is moved into a new rqst when
+revisiting a deferred request. This ensures there is only one pointer
+to the ctxt, so the risk of double freeing in future is reduced. The
+new code in svc_xprt_release which releases both the ctxt and any
+rq_deferred depends on this.
+
+Fixes: 773f91b2cf3f ("SUNRPC: Fix NFSD's request deferral on RDMA transports")
+Signed-off-by: NeilBrown <neilb@suse.de>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sunrpc/svc_rdma.h | 2 +-
+ include/linux/sunrpc/svc_xprt.h | 2 +-
+ net/sunrpc/svc_xprt.c | 23 +++++++++++++-----
+ net/sunrpc/svcsock.c | 30 +++++++++++++-----------
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 11 ++++-----
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 2 +-
+ 6 files changed, 41 insertions(+), 29 deletions(-)
+
+diff --git a/include/linux/sunrpc/svc_rdma.h b/include/linux/sunrpc/svc_rdma.h
+index 24aa159d29a7f..fbc4bd423b355 100644
+--- a/include/linux/sunrpc/svc_rdma.h
++++ b/include/linux/sunrpc/svc_rdma.h
+@@ -176,7 +176,7 @@ extern struct svc_rdma_recv_ctxt *
+ extern void svc_rdma_recv_ctxt_put(struct svcxprt_rdma *rdma,
+ struct svc_rdma_recv_ctxt *ctxt);
+ extern void svc_rdma_flush_recv_queues(struct svcxprt_rdma *rdma);
+-extern void svc_rdma_release_rqst(struct svc_rqst *rqstp);
++extern void svc_rdma_release_ctxt(struct svc_xprt *xprt, void *ctxt);
+ extern int svc_rdma_recvfrom(struct svc_rqst *);
+
+ /* svc_rdma_rw.c */
+diff --git a/include/linux/sunrpc/svc_xprt.h b/include/linux/sunrpc/svc_xprt.h
+index 571f605bc91ef..154eee6bc6a01 100644
+--- a/include/linux/sunrpc/svc_xprt.h
++++ b/include/linux/sunrpc/svc_xprt.h
+@@ -23,7 +23,7 @@ struct svc_xprt_ops {
+ int (*xpo_sendto)(struct svc_rqst *);
+ int (*xpo_result_payload)(struct svc_rqst *, unsigned int,
+ unsigned int);
+- void (*xpo_release_rqst)(struct svc_rqst *);
++ void (*xpo_release_ctxt)(struct svc_xprt *xprt, void *ctxt);
+ void (*xpo_detach)(struct svc_xprt *);
+ void (*xpo_free)(struct svc_xprt *);
+ void (*xpo_secure_port)(struct svc_rqst *rqstp);
+diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
+index 5da8e87979f15..5ff8f902f14d2 100644
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -530,13 +530,23 @@ void svc_reserve(struct svc_rqst *rqstp, int space)
+ }
+ EXPORT_SYMBOL_GPL(svc_reserve);
+
++static void free_deferred(struct svc_xprt *xprt, struct svc_deferred_req *dr)
++{
++ if (!dr)
++ return;
++
++ xprt->xpt_ops->xpo_release_ctxt(xprt, dr->xprt_ctxt);
++ kfree(dr);
++}
++
+ static void svc_xprt_release(struct svc_rqst *rqstp)
+ {
+ struct svc_xprt *xprt = rqstp->rq_xprt;
+
+- xprt->xpt_ops->xpo_release_rqst(rqstp);
++ xprt->xpt_ops->xpo_release_ctxt(xprt, rqstp->rq_xprt_ctxt);
++ rqstp->rq_xprt_ctxt = NULL;
+
+- kfree(rqstp->rq_deferred);
++ free_deferred(xprt, rqstp->rq_deferred);
+ rqstp->rq_deferred = NULL;
+
+ pagevec_release(&rqstp->rq_pvec);
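Review bot: `free_deferred()` and `svc_xprt_release()` both call `->xpo_release_ctxt()` without testing the context, so every transport's implementation has to accept a NULL `ctxt`, and that requirement is not written down anywhere. The UDP implementation in this patch tests `if (skb)` and the TCP one is empty; the RDMA body is not fully visible here. I would document it on `free_deferred()`, e.g. `/* ->xpo_release_ctxt() must accept a NULL ctxt */`, and repeat it in the `@ctxt` kernel-doc lines of the implementations. The end of svc_xprt_release() is outside the hunk.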
+@@ -1054,7 +1064,7 @@ static void svc_delete_xprt(struct svc_xprt *xprt)
+ spin_unlock_bh(&serv->sv_lock);
+
+ while ((dr = svc_deferred_dequeue(xprt)) != NULL)
+- kfree(dr);
++ free_deferred(xprt, dr);
+
+ call_xpt_users(xprt);
+ svc_xprt_put(xprt);
+@@ -1166,8 +1176,8 @@ static void svc_revisit(struct cache_deferred_req *dreq, int too_many)
+ if (too_many || test_bit(XPT_DEAD, &xprt->xpt_flags)) {
+ spin_unlock(&xprt->xpt_lock);
+ trace_svc_defer_drop(dr);
++ free_deferred(xprt, dr);
+ svc_xprt_put(xprt);
+- kfree(dr);
+ return;
+ }
+ dr->xprt = NULL;
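Review bot: The order of `free_deferred(xprt, dr)` and `svc_xprt_put(xprt)` on the drop path is load-bearing but uncommented. `free_deferred()` dereferences `xprt->xpt_ops`, so it has to run while this path still holds its reference on the transport. A one-line comment above the call, `/* free_deferred() uses xprt; drop the reference only afterwards */`, would stop the two lines from being swapped back. svc_revisit() starts and ends outside the hunk.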
+@@ -1212,14 +1222,13 @@ static struct cache_deferred_req *svc_defer(struct cache_req *req)
+ dr->addrlen = rqstp->rq_addrlen;
+ dr->daddr = rqstp->rq_daddr;
+ dr->argslen = rqstp->rq_arg.len >> 2;
+- dr->xprt_ctxt = rqstp->rq_xprt_ctxt;
+
+ /* back up head to the start of the buffer and copy */
+ skip = rqstp->rq_arg.len - rqstp->rq_arg.head[0].iov_len;
+ memcpy(dr->args, rqstp->rq_arg.head[0].iov_base - skip,
+ dr->argslen << 2);
+ }
+- WARN_ON_ONCE(rqstp->rq_xprt_ctxt != dr->xprt_ctxt);
++ dr->xprt_ctxt = rqstp->rq_xprt_ctxt;
+ rqstp->rq_xprt_ctxt = NULL;
+ trace_svc_defer(rqstp);
+ svc_xprt_get(rqstp->rq_xprt);
+@@ -1253,6 +1262,8 @@ static noinline int svc_deferred_recv(struct svc_rqst *rqstp)
+ rqstp->rq_daddr = dr->daddr;
+ rqstp->rq_respages = rqstp->rq_pages;
+ rqstp->rq_xprt_ctxt = dr->xprt_ctxt;
++
++ dr->xprt_ctxt = NULL;
+ svc_xprt_received(rqstp->rq_xprt);
+ return dr->argslen << 2;
+ }
+diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
+index 9a0a27d1199f5..6fc7a8c523696 100644
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -111,27 +111,27 @@ static void svc_reclassify_socket(struct socket *sock)
+ #endif
+
+ /**
+- * svc_tcp_release_rqst - Release transport-related resources
+- * @rqstp: request structure with resources to be released
++ * svc_tcp_release_ctxt - Release transport-related resources
++ * @xprt: the transport which owned the context
++ * @ctxt: the context from rqstp->rq_xprt_ctxt or dr->xprt_ctxt
+ *
+ */
+-static void svc_tcp_release_rqst(struct svc_rqst *rqstp)
++static void svc_tcp_release_ctxt(struct svc_xprt *xprt, void *ctxt)
+ {
+ }
+
+ /**
+- * svc_udp_release_rqst - Release transport-related resources
+- * @rqstp: request structure with resources to be released
++ * svc_udp_release_ctxt - Release transport-related resources
++ * @xprt: the transport which owned the context
++ * @ctxt: the context from rqstp->rq_xprt_ctxt or dr->xprt_ctxt
+ *
+ */
+-static void svc_udp_release_rqst(struct svc_rqst *rqstp)
++static void svc_udp_release_ctxt(struct svc_xprt *xprt, void *ctxt)
+ {
+- struct sk_buff *skb = rqstp->rq_xprt_ctxt;
++ struct sk_buff *skb = ctxt;
+
+- if (skb) {
+- rqstp->rq_xprt_ctxt = NULL;
++ if (skb)
+ consume_skb(skb);
+- }
+ }
+
+ union svc_pktinfo_u {
+@@ -559,7 +559,8 @@ static int svc_udp_sendto(struct svc_rqst *rqstp)
+ unsigned int sent;
+ int err;
+
+- svc_udp_release_rqst(rqstp);
++ svc_udp_release_ctxt(xprt, rqstp->rq_xprt_ctxt);
++ rqstp->rq_xprt_ctxt = NULL;
+
+ svc_set_cmsg_data(rqstp, cmh);
+
+@@ -628,7 +629,7 @@ static const struct svc_xprt_ops svc_udp_ops = {
+ .xpo_recvfrom = svc_udp_recvfrom,
+ .xpo_sendto = svc_udp_sendto,
+ .xpo_result_payload = svc_sock_result_payload,
+- .xpo_release_rqst = svc_udp_release_rqst,
++ .xpo_release_ctxt = svc_udp_release_ctxt,
+ .xpo_detach = svc_sock_detach,
+ .xpo_free = svc_sock_free,
+ .xpo_has_wspace = svc_udp_has_wspace,
+@@ -1156,7 +1157,8 @@ static int svc_tcp_sendto(struct svc_rqst *rqstp)
+ unsigned int sent;
+ int err;
+
+- svc_tcp_release_rqst(rqstp);
++ svc_tcp_release_ctxt(xprt, rqstp->rq_xprt_ctxt);
++ rqstp->rq_xprt_ctxt = NULL;
+
+ atomic_inc(&svsk->sk_sendqlen);
+ mutex_lock(&xprt->xpt_mutex);
+@@ -1201,7 +1203,7 @@ static const struct svc_xprt_ops svc_tcp_ops = {
+ .xpo_recvfrom = svc_tcp_recvfrom,
+ .xpo_sendto = svc_tcp_sendto,
+ .xpo_result_payload = svc_sock_result_payload,
+- .xpo_release_rqst = svc_tcp_release_rqst,
++ .xpo_release_ctxt = svc_tcp_release_ctxt,
+ .xpo_detach = svc_tcp_sock_detach,
+ .xpo_free = svc_sock_free,
+ .xpo_has_wspace = svc_tcp_has_wspace,
+diff --git a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
+index f760342861694..3ad4291148a68 100644
+--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
+@@ -239,21 +239,20 @@ void svc_rdma_recv_ctxt_put(struct svcxprt_rdma *rdma,
+ }
+
+ /**
+- * svc_rdma_release_rqst - Release transport-specific per-rqst resources
+- * @rqstp: svc_rqst being released
++ * svc_rdma_release_ctxt - Release transport-specific per-rqst resources
++ * @xprt: the transport which owned the context
++ * @vctxt: the context from rqstp->rq_xprt_ctxt or dr->xprt_ctxt
+ *
+ * Ensure that the recv_ctxt is released whether or not a Reply
+ * was sent. For example, the client could close the connection,
+ * or svc_process could drop an RPC, before the Reply is sent.
+ */
+-void svc_rdma_release_rqst(struct svc_rqst *rqstp)
++void svc_rdma_release_ctxt(struct svc_xprt *xprt, void *vctxt)
+ {
+- struct svc_rdma_recv_ctxt *ctxt = rqstp->rq_xprt_ctxt;
+- struct svc_xprt *xprt = rqstp->rq_xprt;
++ struct svc_rdma_recv_ctxt *ctxt = vctxt;
+ struct svcxprt_rdma *rdma =
+ container_of(xprt, struct svcxprt_rdma, sc_xprt);
+
+- rqstp->rq_xprt_ctxt = NULL;
+ if (ctxt)
+ svc_rdma_recv_ctxt_put(rdma, ctxt);
+ }
+diff --git a/net/sunrpc/xprtrdma/svc_rdma_transport.c b/net/sunrpc/xprtrdma/svc_rdma_transport.c
+index 94b20fb471356..f776f0cb471f0 100644
+--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c
+@@ -81,7 +81,7 @@ static const struct svc_xprt_ops svc_rdma_ops = {
+ .xpo_recvfrom = svc_rdma_recvfrom,
+ .xpo_sendto = svc_rdma_sendto,
+ .xpo_result_payload = svc_rdma_result_payload,
+- .xpo_release_rqst = svc_rdma_release_rqst,
++ .xpo_release_ctxt = svc_rdma_release_ctxt,
+ .xpo_detach = svc_rdma_detach,
+ .xpo_free = svc_rdma_free,
+ .xpo_has_wspace = svc_rdma_has_wspace,
+--
+2.39.2
+
--- /dev/null
+From 1bb0f5e96cc2ca6752e93d2a2b5b870d972108c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Apr 2022 15:50:12 -0400
+Subject: SUNRPC: Clean up svc_deferred_class trace events
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 45cb7955c180a2a34d291e68938250c4f9bd294f ]
+
+Replace the temporary fix from commit 4d5004451ab2 ("SUNRPC: Fix the
+svc_deferred_event trace class") with the use of __sockaddr and
+friends, which is the preferred solution (but only available in 5.18
+and newer).
+
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Stable-dep-of: 948f072ada23 ("SUNRPC: always free ctxt when freeing deferred request")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/sunrpc.h | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/include/trace/events/sunrpc.h b/include/trace/events/sunrpc.h
+index 2a598fb45bf4f..d49426c0444c9 100644
+--- a/include/trace/events/sunrpc.h
++++ b/include/trace/events/sunrpc.h
+@@ -1923,19 +1923,18 @@ DECLARE_EVENT_CLASS(svc_deferred_event,
+ TP_STRUCT__entry(
+ __field(const void *, dr)
+ __field(u32, xid)
+- __array(__u8, addr, INET6_ADDRSTRLEN + 10)
++ __sockaddr(addr, dr->addrlen)
+ ),
+
+ TP_fast_assign(
+ __entry->dr = dr;
+ __entry->xid = be32_to_cpu(*(__be32 *)(dr->args +
+ (dr->xprt_hlen>>2)));
+- snprintf(__entry->addr, sizeof(__entry->addr) - 1,
+- "%pISpc", (struct sockaddr *)&dr->addr);
++ __assign_sockaddr(addr, &dr->addr, dr->addrlen);
+ ),
+
+- TP_printk("addr=%s dr=%p xid=0x%08x", __entry->addr, __entry->dr,
+- __entry->xid)
++ TP_printk("addr=%pISpc dr=%p xid=0x%08x", __get_sockaddr(addr),
++ __entry->dr, __entry->xid)
+ );
+
+ #define DEFINE_SVC_DEFERRED_EVENT(name) \
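Review bot: `__assign_sockaddr(addr, &dr->addr, dr->addrlen)` copies a length taken from the deferred request, so the trace record is only sound if `dr->addrlen` never exceeds `sizeof(dr->addr)` and is large enough to cover the `sa_family` field that `%pISpc` reads through `__get_sockaddr(addr)`. Neither bound is established in this hunk; svc_defer() copies `rqstp->rq_addrlen` into it, and where that value is validated is not visible here. A comment in TP_fast_assign would record the assumption, e.g. `/* dr->addrlen is assumed to be a valid sockaddr length no larger than sizeof(dr->addr) */`.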
+--
+2.39.2
+
--- /dev/null
+From b7db5bf3edfa6279b5fe0cce9216769885a55807 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 May 2023 09:41:49 +1000
+Subject: SUNRPC: double free xprt_ctxt while still in use
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit eb8d3a2c809abd73ab0a060fe971d6b9019aa3c1 ]
+
+When an RPC request is deferred, the rq_xprt_ctxt pointer is moved out
+of the svc_rqst into the svc_deferred_req.
+When the deferred request is revisited, the pointer is copied into
+the new svc_rqst - and also remains in the svc_deferred_req.
+
+In the (rare?) case that the request is deferred a second time, the old
+svc_deferred_req is reused - it still has all the correct content.
+However in that case the rq_xprt_ctxt pointer is NOT cleared so that
+when xpo_release_xprt is called, the ctxt is freed (UDP) or possible
+added to a free list (RDMA).
+When the deferred request is revisited for a second time, it will
+reference this ctxt which may be invalid, and the free the object a
+second time which is likely to oops.
+
+So change svc_defer() to *always* clear rq_xprt_ctxt, and assert that
+the value is now stored in the svc_deferred_req.
+
+Fixes: 773f91b2cf3f ("SUNRPC: Fix NFSD's request deferral on RDMA transports")
+Signed-off-by: NeilBrown <neilb@suse.de>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/svc_xprt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
+index 935bba065636c..139ef1951a0e8 100644
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -1214,13 +1214,14 @@ static struct cache_deferred_req *svc_defer(struct cache_req *req)
+ dr->argslen = rqstp->rq_arg.len >> 2;
+ dr->xprt_hlen = rqstp->rq_xprt_hlen;
+ dr->xprt_ctxt = rqstp->rq_xprt_ctxt;
+- rqstp->rq_xprt_ctxt = NULL;
+
+ /* back up head to the start of the buffer and copy */
+ skip = rqstp->rq_arg.len - rqstp->rq_arg.head[0].iov_len;
+ memcpy(dr->args, rqstp->rq_arg.head[0].iov_base - skip,
+ dr->argslen << 2);
+ }
++ WARN_ON_ONCE(rqstp->rq_xprt_ctxt != dr->xprt_ctxt);
++ rqstp->rq_xprt_ctxt = NULL;
+ trace_svc_defer(rqstp);
+ svc_xprt_get(rqstp->rq_xprt);
+ dr->xprt = rqstp->rq_xprt;
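Review bot: When the `WARN_ON_ONCE()` added after the `if` block fires, `rqstp->rq_xprt_ctxt` is still set to NULL on the next line, so a context that differs from `dr->xprt_ctxt` is dropped without being released. That favours a leak over a second release, which looks like the intended trade-off, but the reasoning lives only in the commit message. I would put it in the code, e.g. `/* dr owns the ctxt from here on; clear unconditionally so a request deferred twice cannot release it twice */`. svc_defer() begins outside this hunk, so the branch that reuses an existing `dr` is not visible.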
+--
+2.39.2
+
--- /dev/null
+From cfcf213987f433809dee73bb371fd799edccb83c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 15:51:48 -0400
+Subject: SUNRPC: Fix trace_svc_register() call site
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 07a27305938559fb35f7a46fb90a5e37728bdee6 ]
+
+The trace event recorded incorrect values for the registered family,
+protocol, and port because the arguments are in the wrong order.
+
+Fixes: b4af59328c25 ("SUNRPC: Trace server-side rpcbind registration events")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/svc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
+index 74a1c9116a785..36a3ad9336d6f 100644
+--- a/net/sunrpc/svc.c
++++ b/net/sunrpc/svc.c
+@@ -1024,7 +1024,7 @@ static int __svc_register(struct net *net, const char *progname,
+ #endif
+ }
+
+- trace_svc_register(progname, version, protocol, port, family, error);
++ trace_svc_register(progname, version, family, protocol, port, error);
+ return error;
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 8378669d037be02618244b1052f221a02063b502 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Apr 2022 12:25:55 -0400
+Subject: SUNRPC: Remove dead code in svc_tcp_release_rqst()
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 4af8b42e5629b97bdde287d5d6c250535d324676 ]
+
+Clean up: svc_tcp_sendto() always sets rq_xprt_ctxt to NULL.
+
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Stable-dep-of: 948f072ada23 ("SUNRPC: always free ctxt when freeing deferred request")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/svcsock.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
+index 6ea3d87e11475..a28a6820852b2 100644
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -117,15 +117,6 @@ static void svc_reclassify_socket(struct socket *sock)
+ */
+ static void svc_tcp_release_rqst(struct svc_rqst *rqstp)
+ {
+- struct sk_buff *skb = rqstp->rq_xprt_ctxt;
+-
+- if (skb) {
+- struct svc_sock *svsk =
+- container_of(rqstp->rq_xprt, struct svc_sock, sk_xprt);
+-
+- rqstp->rq_xprt_ctxt = NULL;
+- skb_free_datagram_locked(svsk->sk_sk, skb);
+- }
+ }
+
+ /**
+--
+2.39.2
+
--- /dev/null
+From 0f6d9837cc34aeb7ca14f3e6a05ecdf4e6041481 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Apr 2022 14:38:59 -0400
+Subject: SUNRPC: Remove svc_rqst::rq_xprt_hlen
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit 983084b2672c593959e3148d6a17c8b920797dde ]
+
+Clean up: This field is now always set to zero.
+
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Stable-dep-of: 948f072ada23 ("SUNRPC: always free ctxt when freeing deferred request")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sunrpc/svc.h | 2 --
+ include/trace/events/sunrpc.h | 3 +--
+ net/sunrpc/svc_xprt.c | 10 ++++------
+ net/sunrpc/svcsock.c | 2 --
+ net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 1 -
+ 5 files changed, 5 insertions(+), 13 deletions(-)
+
+diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
+index 045f34add206f..664a54e330af3 100644
+--- a/include/linux/sunrpc/svc.h
++++ b/include/linux/sunrpc/svc.h
+@@ -246,7 +246,6 @@ struct svc_rqst {
+ void * rq_xprt_ctxt; /* transport specific context ptr */
+ struct svc_deferred_req*rq_deferred; /* deferred request we are replaying */
+
+- size_t rq_xprt_hlen; /* xprt header len */
+ struct xdr_buf rq_arg;
+ struct xdr_stream rq_arg_stream;
+ struct xdr_stream rq_res_stream;
+@@ -386,7 +385,6 @@ struct svc_deferred_req {
+ size_t daddrlen;
+ void *xprt_ctxt;
+ struct cache_deferred_req handle;
+- size_t xprt_hlen;
+ int argslen;
+ __be32 args[];
+ };
+diff --git a/include/trace/events/sunrpc.h b/include/trace/events/sunrpc.h
+index d49426c0444c9..f09bbb6c918e2 100644
+--- a/include/trace/events/sunrpc.h
++++ b/include/trace/events/sunrpc.h
+@@ -1928,8 +1928,7 @@ DECLARE_EVENT_CLASS(svc_deferred_event,
+
+ TP_fast_assign(
+ __entry->dr = dr;
+- __entry->xid = be32_to_cpu(*(__be32 *)(dr->args +
+- (dr->xprt_hlen>>2)));
++ __entry->xid = be32_to_cpu(*(__be32 *)dr->args);
+ __assign_sockaddr(addr, &dr->addr, dr->addrlen);
+ ),
+
+diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
+index 139ef1951a0e8..5da8e87979f15 100644
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -1212,7 +1212,6 @@ static struct cache_deferred_req *svc_defer(struct cache_req *req)
+ dr->addrlen = rqstp->rq_addrlen;
+ dr->daddr = rqstp->rq_daddr;
+ dr->argslen = rqstp->rq_arg.len >> 2;
+- dr->xprt_hlen = rqstp->rq_xprt_hlen;
+ dr->xprt_ctxt = rqstp->rq_xprt_ctxt;
+
+ /* back up head to the start of the buffer and copy */
+@@ -1241,22 +1240,21 @@ static noinline int svc_deferred_recv(struct svc_rqst *rqstp)
+ trace_svc_defer_recv(dr);
+
+ /* setup iov_base past transport header */
+- rqstp->rq_arg.head[0].iov_base = dr->args + (dr->xprt_hlen>>2);
++ rqstp->rq_arg.head[0].iov_base = dr->args;
+ /* The iov_len does not include the transport header bytes */
+- rqstp->rq_arg.head[0].iov_len = (dr->argslen<<2) - dr->xprt_hlen;
++ rqstp->rq_arg.head[0].iov_len = dr->argslen << 2;
+ rqstp->rq_arg.page_len = 0;
+ /* The rq_arg.len includes the transport header bytes */
+- rqstp->rq_arg.len = dr->argslen<<2;
++ rqstp->rq_arg.len = dr->argslen << 2;
+ rqstp->rq_prot = dr->prot;
+ memcpy(&rqstp->rq_addr, &dr->addr, dr->addrlen);
+ rqstp->rq_addrlen = dr->addrlen;
+ /* Save off transport header len in case we get deferred again */
+- rqstp->rq_xprt_hlen = dr->xprt_hlen;
+ rqstp->rq_daddr = dr->daddr;
+ rqstp->rq_respages = rqstp->rq_pages;
+ rqstp->rq_xprt_ctxt = dr->xprt_ctxt;
+ svc_xprt_received(rqstp->rq_xprt);
+- return (dr->argslen<<2) - dr->xprt_hlen;
++ return dr->argslen << 2;
+ }
+
+
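Review bot: Four comments in svc_deferred_recv() still describe a transport header that this change removes: `/* setup iov_base past transport header */`, the two comments about `iov_len` and `rq_arg.len` excluding or including header bytes, and `/* Save off transport header len in case we get deferred again */`, which now sits directly above `rqstp->rq_daddr = dr->daddr;`. The last one should be deleted and the first three reduced to something like `/* replay the saved arguments from the start of dr->args */`. Stale length commentary around the `iov_base`/`iov_len` setup is the kind of thing that misleads a later bounds review. The function starts outside this hunk.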
+diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
+index a28a6820852b2..9a0a27d1199f5 100644
+--- a/net/sunrpc/svcsock.c
++++ b/net/sunrpc/svcsock.c
+@@ -250,8 +250,6 @@ static ssize_t svc_tcp_read_msg(struct svc_rqst *rqstp, size_t buflen,
+ ssize_t len;
+ size_t t;
+
+- rqstp->rq_xprt_hlen = 0;
+-
+ clear_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags);
+
+ for (i = 0, t = 0; t < buflen; i++, t += PAGE_SIZE) {
+diff --git a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
+index 387a5da09dafb..f760342861694 100644
+--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
+@@ -826,7 +826,6 @@ int svc_rdma_recvfrom(struct svc_rqst *rqstp)
+ goto out_err;
+ if (ret == 0)
+ goto out_drop;
+- rqstp->rq_xprt_hlen = 0;
+
+ if (svc_rdma_is_reverse_direction_reply(xprt, ctxt))
+ goto out_backchannel;
+--
+2.39.2
+
--- /dev/null
+From 2a96170d8877cbcac816bec199ead6e25700a730 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 11:47:49 +0000
+Subject: tcp: fix possible sk_priority leak in tcp_v4_send_reset()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 1e306ec49a1f206fd2cc89a42fac6e6f592a8cc1 ]
+
+When tcp_v4_send_reset() is called with @sk == NULL,
+we do not change ctl_sk->sk_priority, which could have been
+set from a prior invocation.
+
+Change tcp_v4_send_reset() to set sk_priority and sk_mark
+fields before calling ip_send_unicast_reply().
+
+This means tcp_v4_send_reset() and tcp_v4_send_ack()
+no longer have to clear ctl_sk->sk_mark after
+their call to ip_send_unicast_reply().
+
+Fixes: f6c0f5d209fa ("tcp: honor SO_PRIORITY in TIME_WAIT state")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Antoine Tenart <atenart@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_ipv4.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 63472c9b39ae4..db05ab4287e30 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -820,6 +820,9 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
+ inet_twsk(sk)->tw_priority : sk->sk_priority;
+ transmit_time = tcp_transmit_time(sk);
+ xfrm_sk_clone_policy(ctl_sk, sk);
++ } else {
++ ctl_sk->sk_mark = 0;
++ ctl_sk->sk_priority = 0;
+ }
+ ip_send_unicast_reply(ctl_sk,
+ skb, &TCP_SKB_CB(skb)->header.h4.opt,
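Review bot: The new `else` branch resets `sk_mark` and `sk_priority` on `ctl_sk` without saying why, and the fix depends on every path before `ip_send_unicast_reply()` writing both fields. A comment in the branch would keep that invariant visible, e.g. `/* ctl_sk is reused across calls; do not let a previous reply's mark or priority carry over */`. Only the `sk_priority` assignment of the preceding branch is visible in this hunk. The matching `sk_mark` assignment there should be confirmed against the full file, as should the equivalent assignments in tcp_v4_send_ack(), whose trailing `ctl_sk->sk_mark = 0;` is also removed.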
+@@ -827,7 +830,6 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
+ &arg, arg.iov[0].iov_len,
+ transmit_time);
+
+- ctl_sk->sk_mark = 0;
+ xfrm_sk_free_policy(ctl_sk);
+ sock_net_set(ctl_sk, &init_net);
+ __TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
+@@ -926,7 +928,6 @@ static void tcp_v4_send_ack(const struct sock *sk,
+ &arg, arg.iov[0].iov_len,
+ transmit_time);
+
+- ctl_sk->sk_mark = 0;
+ sock_net_set(ctl_sk, &init_net);
+ __TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
+ local_bh_enable();
+--
+2.39.2
+
--- /dev/null
+From c0529661f5aad6196e90479c09c5912b756f510a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 15:52:27 -0400
+Subject: tipc: add tipc_bearer_min_mtu to calculate min mtu
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 3ae6d66b605be604644d4bb5708a7ffd9cf1abe8 ]
+
+As different media may requires different min mtu, and even the
+same media with different net family requires different min mtu,
+add tipc_bearer_min_mtu() to calculate min mtu accordingly.
+
+This API will be used to check the new mtu when doing the link
+mtu negotiation in the next patch.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 56077b56cd3f ("tipc: do not update mtu if msg_max is too small in mtu negotiation")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/bearer.c | 13 +++++++++++++
+ net/tipc/bearer.h | 3 +++
+ net/tipc/udp_media.c | 5 +++--
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
+index b0ad61b4b1013..897fc8fc08a0b 100644
+--- a/net/tipc/bearer.c
++++ b/net/tipc/bearer.c
+@@ -541,6 +541,19 @@ int tipc_bearer_mtu(struct net *net, u32 bearer_id)
+ return mtu;
+ }
+
++int tipc_bearer_min_mtu(struct net *net, u32 bearer_id)
++{
++ int mtu = TIPC_MIN_BEARER_MTU;
++ struct tipc_bearer *b;
++
++ rcu_read_lock();
++ b = bearer_get(net, bearer_id);
++ if (b)
++ mtu += b->encap_hlen;
++ rcu_read_unlock();
++ return mtu;
++}
++
+ /* tipc_bearer_xmit_skb - sends buffer to destination over bearer
+ */
+ void tipc_bearer_xmit_skb(struct net *net, u32 bearer_id,
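Review bot: tipc_bearer_min_mtu() is added without a header comment, and when `bearer_get()` returns NULL it falls back to the bare `TIPC_MIN_BEARER_MTU`, a lower bound than any bearer with a non-zero `encap_hlen` would give. Since the commit message says the result will gate MTU values during link negotiation, that fallback should be stated, e.g. `/* tipc_bearer_min_mtu - TIPC_MIN_BEARER_MTU plus the bearer's encap header length; bare minimum if the bearer is gone */`. In the visible hunks only tipc_udp_enable() assigns `encap_hlen`, so for other media the value is presumably whatever the bearer allocation left there; worth confirming it is zero-initialised.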
+diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h
+index 57c6a1a719e24..483f90958857e 100644
+--- a/net/tipc/bearer.h
++++ b/net/tipc/bearer.h
+@@ -146,6 +146,7 @@ struct tipc_media {
+ * @identity: array index of this bearer within TIPC bearer array
+ * @disc: ptr to link setup request
+ * @net_plane: network plane ('A' through 'H') currently associated with bearer
++ * @encap_hlen: encap headers length
+ * @up: bearer up flag (bit 0)
+ * @refcnt: tipc_bearer reference counter
+ *
+@@ -170,6 +171,7 @@ struct tipc_bearer {
+ u32 identity;
+ struct tipc_discoverer *disc;
+ char net_plane;
++ u16 encap_hlen;
+ unsigned long up;
+ refcount_t refcnt;
+ };
+@@ -232,6 +234,7 @@ int tipc_bearer_setup(void);
+ void tipc_bearer_cleanup(void);
+ void tipc_bearer_stop(struct net *net);
+ int tipc_bearer_mtu(struct net *net, u32 bearer_id);
++int tipc_bearer_min_mtu(struct net *net, u32 bearer_id);
+ bool tipc_bearer_bcast_support(struct net *net, u32 bearer_id);
+ void tipc_bearer_xmit_skb(struct net *net, u32 bearer_id,
+ struct sk_buff *skb,
+diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
+index c2bb818704c8f..0a85244fd6188 100644
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -738,8 +738,8 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b,
+ udp_conf.local_ip.s_addr = local.ipv4.s_addr;
+ udp_conf.use_udp_checksums = false;
+ ub->ifindex = dev->ifindex;
+- if (tipc_mtu_bad(dev, sizeof(struct iphdr) +
+- sizeof(struct udphdr))) {
++ b->encap_hlen = sizeof(struct iphdr) + sizeof(struct udphdr);
++ if (tipc_mtu_bad(dev, b->encap_hlen)) {
+ err = -EINVAL;
+ goto err;
+ }
+@@ -760,6 +760,7 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b,
+ else
+ udp_conf.local_ip6 = local.ipv6;
+ ub->ifindex = dev->ifindex;
++ b->encap_hlen = sizeof(struct ipv6hdr) + sizeof(struct udphdr);
+ b->mtu = 1280;
+ #endif
+ } else {
+--
+2.39.2
+
--- /dev/null
+From 746ac57889fdfeb5322f04b7320a855a6d3a2b91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 15:52:29 -0400
+Subject: tipc: check the bearer min mtu properly when setting it by netlink
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 35a089b5d793d2bfd2cc7cfa6104545184de2ce7 ]
+
+Checking the bearer min mtu with tipc_udp_mtu_bad() only works for
+IPv4 UDP bearer, and IPv6 UDP bearer has a different value for the
+min mtu. This patch checks with encap_hlen + TIPC_MIN_BEARER_MTU
+for min mtu, which works for both IPv4 and IPv6 UDP bearer.
+
+Note that tipc_udp_mtu_bad() is still used to check media min mtu
+in __tipc_nl_media_set(), as m->mtu currently is only used by the
+IPv4 UDP bearer as its default mtu value.
+
+Fixes: 682cd3cf946b ("tipc: confgiure and apply UDP bearer MTU on running links")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/bearer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
+index 897fc8fc08a0b..1048607a1528a 100644
+--- a/net/tipc/bearer.c
++++ b/net/tipc/bearer.c
+@@ -1151,8 +1151,8 @@ int __tipc_nl_bearer_set(struct sk_buff *skb, struct genl_info *info)
+ return -EINVAL;
+ }
+ #ifdef CONFIG_TIPC_MEDIA_UDP
+- if (tipc_udp_mtu_bad(nla_get_u32
+- (props[TIPC_NLA_PROP_MTU]))) {
++ if (nla_get_u32(props[TIPC_NLA_PROP_MTU]) <
++ b->encap_hlen + TIPC_MIN_BEARER_MTU) {
+ NL_SET_ERR_MSG(info->extack,
+ "MTU value is out-of-range");
+ return -EINVAL;
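Review bot: The bound `b->encap_hlen + TIPC_MIN_BEARER_MTU` is open-coded here although this file already carries tipc_bearer_min_mtu(), which computes the same sum, so the netlink path and the link-negotiation path can drift apart if one is changed later. A small static helper that takes the bearer pointer and is used by both would keep a single definition of the minimum. The check is a lower bound only; no upper limit on the netlink-supplied value is visible in this hunk, and __tipc_nl_bearer_set() starts outside it, so that may be handled elsewhere.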
+--
+2.39.2
+
--- /dev/null
+From 8b69368f9f627d32c4f67927451439540958e383 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 15:52:28 -0400
+Subject: tipc: do not update mtu if msg_max is too small in mtu negotiation
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 56077b56cd3fb78e1c8619e29581ba25a5c55e86 ]
+
+When doing link mtu negotiation, a malicious peer may send Activate msg
+with a very small mtu, e.g. 4 in Shuang's testing, without checking for
+the minimum mtu, l->mtu will be set to 4 in tipc_link_proto_rcv(), then
+n->links[bearer_id].mtu is set to 4294967228, which is a overflow of
+'4 - INT_H_SIZE - EMSG_OVERHEAD' in tipc_link_mss().
+
+With tipc_link.mtu = 4, tipc_link_xmit() kept printing the warning:
+
+ tipc: Too large msg, purging xmit list 1 5 0 40 4!
+ tipc: Too large msg, purging xmit list 1 15 0 60 4!
+
+And with tipc_link_entry.mtu 4294967228, a huge skb was allocated in
+named_distribute(), and when purging it in tipc_link_xmit(), a crash
+was even caused:
+
+ general protection fault, probably for non-canonical address 0x2100001011000dd: 0000 [#1] PREEMPT SMP PTI
+ CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 6.3.0.neta #19
+ RIP: 0010:kfree_skb_list_reason+0x7e/0x1f0
+ Call Trace:
+ <IRQ>
+ skb_release_data+0xf9/0x1d0
+ kfree_skb_reason+0x40/0x100
+ tipc_link_xmit+0x57a/0x740 [tipc]
+ tipc_node_xmit+0x16c/0x5c0 [tipc]
+ tipc_named_node_up+0x27f/0x2c0 [tipc]
+ tipc_node_write_unlock+0x149/0x170 [tipc]
+ tipc_rcv+0x608/0x740 [tipc]
+ tipc_udp_recv+0xdc/0x1f0 [tipc]
+ udp_queue_rcv_one_skb+0x33e/0x620
+ udp_unicast_rcv_skb.isra.72+0x75/0x90
+ __udp4_lib_rcv+0x56d/0xc20
+ ip_protocol_deliver_rcu+0x100/0x2d0
+
+This patch fixes it by checking the new mtu against tipc_bearer_min_mtu(),
+and not updating mtu if it is too small.
+
+Fixes: ed193ece2649 ("tipc: simplify link mtu negotiation")
+Reported-by: Shuang Li <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/link.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/tipc/link.c b/net/tipc/link.c
+index 8fdd3b23bd123..655a2e1b6dfe4 100644
+--- a/net/tipc/link.c
++++ b/net/tipc/link.c
+@@ -2199,7 +2199,7 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
+ struct tipc_msg *hdr = buf_msg(skb);
+ struct tipc_gap_ack_blks *ga = NULL;
+ bool reply = msg_probe(hdr), retransmitted = false;
+- u32 dlen = msg_data_sz(hdr), glen = 0;
++ u32 dlen = msg_data_sz(hdr), glen = 0, msg_max;
+ u16 peers_snd_nxt = msg_next_sent(hdr);
+ u16 peers_tol = msg_link_tolerance(hdr);
+ u16 peers_prio = msg_linkprio(hdr);
+@@ -2238,6 +2238,9 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
+ switch (mtyp) {
+ case RESET_MSG:
+ case ACTIVATE_MSG:
++ msg_max = msg_max_pkt(hdr);
++ if (msg_max < tipc_bearer_min_mtu(l->net, l->bearer_id))
++ break;
+ /* Complete own link name with peer's interface name */
+ if_name = strrchr(l->name, ':') + 1;
+ if (sizeof(l->name) - (if_name - l->name) <= TIPC_MAX_IF_NAME)
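Review bot: The new `break` for a peer-advertised `msg_max` below `tipc_bearer_min_mtu()` discards the RESET/ACTIVATE message silently, so an operator gets no signal that a peer is sending out-of-range MTU values. A rate-limited log line before the `break` would make this visible, e.g. `pr_warn_ratelimited("Ignoring peer MTU %u below bearer minimum\n", msg_max);`, with braces added around the two statements. The check sits ahead of all state changes in the case, which is the right place for it. The rest of tipc_link_proto_rcv(), including what happens to `skb` after the `break`, is outside this hunk.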
+@@ -2282,8 +2285,8 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
+ l->peer_session = msg_session(hdr);
+ l->in_session = true;
+ l->peer_bearer_id = msg_bearer_id(hdr);
+- if (l->mtu > msg_max_pkt(hdr))
+- l->mtu = msg_max_pkt(hdr);
++ if (l->mtu > msg_max)
++ l->mtu = msg_max;
+ break;
+
+ case STATE_MSG:
+--
+2.39.2
+
--- /dev/null
+From f9ed6fa8878a6c183cc95b72e2123d2ee4eb90da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jan 2022 12:43:55 -0500
+Subject: tracing: Introduce helpers to safely handle dynamic-sized sockaddrs
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit d07c9ad622474616e94572e59e725c2c4a494fb4 ]
+
+Enable a struct sockaddr to be stored in a trace record as a
+dynamically-sized field. The common cases are AF_INET and AF_INET6
+which are different sizes, and are vastly smaller than a struct
+sockaddr_storage.
+
+These are safer because, when used properly, the size of the
+sockaddr destination field in each trace record is now guaranteed
+to be the same as the source address that is being copied into it.
+
+Link: https://lore.kernel.org/all/164182978641.8391.8277203495236105391.stgit@bazille.1015granger.net/
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Stable-dep-of: 948f072ada23 ("SUNRPC: always free ctxt when freeing deferred request")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/bpf_probe.h | 6 ++++
+ include/trace/perf.h | 6 ++++
+ include/trace/trace_events.h | 55 ++++++++++++++++++++++++++++++++++--
+ 3 files changed, 65 insertions(+), 2 deletions(-)
+
+diff --git a/include/trace/bpf_probe.h b/include/trace/bpf_probe.h
+index 04939b2d2f192..26ec024c3d58a 100644
+--- a/include/trace/bpf_probe.h
++++ b/include/trace/bpf_probe.h
+@@ -21,6 +21,9 @@
+ #undef __get_bitmask
+ #define __get_bitmask(field) (char *)__get_dynamic_array(field)
+
++#undef __get_sockaddr
++#define __get_sockaddr(field) ((struct sockaddr *)__get_dynamic_array(field))
++
+ #undef __get_rel_dynamic_array
+ #define __get_rel_dynamic_array(field) \
+ ((void *)(&__entry->__rel_loc_##field) + \
+@@ -37,6 +40,9 @@
+ #undef __get_rel_bitmask
+ #define __get_rel_bitmask(field) (char *)__get_rel_dynamic_array(field)
+
++#undef __get_rel_sockaddr
++#define __get_rel_sockaddr(field) ((struct sockaddr *)__get_rel_dynamic_array(field))
++
+ #undef __perf_count
+ #define __perf_count(c) (c)
+
+diff --git a/include/trace/perf.h b/include/trace/perf.h
+index 5d48c46a30083..5800d13146c3d 100644
+--- a/include/trace/perf.h
++++ b/include/trace/perf.h
+@@ -21,6 +21,9 @@
+ #undef __get_bitmask
+ #define __get_bitmask(field) (char *)__get_dynamic_array(field)
+
++#undef __get_sockaddr
++#define __get_sockaddr(field) ((struct sockaddr *)__get_dynamic_array(field))
++
+ #undef __get_rel_dynamic_array
+ #define __get_rel_dynamic_array(field) \
+ ((void *)__entry + \
+@@ -38,6 +41,9 @@
+ #undef __get_rel_bitmask
+ #define __get_rel_bitmask(field) (char *)__get_rel_dynamic_array(field)
+
++#undef __get_rel_sockaddr
++#define __get_rel_sockaddr(field) ((struct sockaddr *)__get_rel_dynamic_array(field))
++
+ #undef __perf_count
+ #define __perf_count(c) (__count = (c))
+
+diff --git a/include/trace/trace_events.h b/include/trace/trace_events.h
+index 7f0b91dfb532d..e6b19ab357815 100644
+--- a/include/trace/trace_events.h
++++ b/include/trace/trace_events.h
+@@ -108,6 +108,9 @@ TRACE_MAKE_SYSTEM_STR();
+ #undef __bitmask
+ #define __bitmask(item, nr_bits) __dynamic_array(char, item, -1)
+
++#undef __sockaddr
++#define __sockaddr(field, len) __dynamic_array(u8, field, len)
++
+ #undef __rel_dynamic_array
+ #define __rel_dynamic_array(type, item, len) u32 __rel_loc_##item;
+
+@@ -120,6 +123,9 @@ TRACE_MAKE_SYSTEM_STR();
+ #undef __rel_bitmask
+ #define __rel_bitmask(item, nr_bits) __rel_dynamic_array(char, item, -1)
+
++#undef __rel_sockaddr
++#define __rel_sockaddr(field, len) __rel_dynamic_array(u8, field, len)
++
+ #undef TP_STRUCT__entry
+ #define TP_STRUCT__entry(args...) args
+
+@@ -212,11 +218,14 @@ TRACE_MAKE_SYSTEM_STR();
+ #undef __string
+ #define __string(item, src) __dynamic_array(char, item, -1)
+
++#undef __string_len
++#define __string_len(item, src, len) __dynamic_array(char, item, -1)
++
+ #undef __bitmask
+ #define __bitmask(item, nr_bits) __dynamic_array(unsigned long, item, -1)
+
+-#undef __string_len
+-#define __string_len(item, src, len) __dynamic_array(char, item, -1)
++#undef __sockaddr
++#define __sockaddr(field, len) __dynamic_array(u8, field, len)
+
+ #undef __rel_dynamic_array
+ #define __rel_dynamic_array(type, item, len) u32 item;
+@@ -230,6 +239,9 @@ TRACE_MAKE_SYSTEM_STR();
+ #undef __rel_bitmask
+ #define __rel_bitmask(item, nr_bits) __rel_dynamic_array(unsigned long, item, -1)
+
++#undef __rel_sockaddr
++#define __rel_sockaddr(field, len) __rel_dynamic_array(u8, field, len)
++
+ #undef DECLARE_EVENT_CLASS
+ #define DECLARE_EVENT_CLASS(call, proto, args, tstruct, assign, print) \
+ struct trace_event_data_offsets_##call { \
+@@ -349,6 +361,12 @@ TRACE_MAKE_SYSTEM_STR();
+ trace_print_bitmask_seq(p, __bitmask, __bitmask_size); \
+ })
+
++#undef __get_sockaddr
++#define __get_sockaddr(field) ((struct sockaddr *)__get_dynamic_array(field))
++
++#undef __get_rel_sockaddr
++#define __get_rel_sockaddr(field) ((struct sockaddr *)__get_rel_dynamic_array(field))
++
+ #undef __print_flags
+ #define __print_flags(flag, delim, flag_array...) \
+ ({ \
+@@ -520,6 +538,9 @@ static struct trace_event_functions trace_event_type_funcs_##call = { \
+ #undef __bitmask
+ #define __bitmask(item, nr_bits) __dynamic_array(unsigned long, item, -1)
+
++#undef __sockaddr
++#define __sockaddr(field, len) __dynamic_array(u8, field, len)
++
+ #undef __rel_dynamic_array
+ #define __rel_dynamic_array(_type, _item, _len) { \
+ .type = "__rel_loc " #_type "[]", .name = #_item, \
+@@ -535,6 +556,9 @@ static struct trace_event_functions trace_event_type_funcs_##call = { \
+ #undef __rel_bitmask
+ #define __rel_bitmask(item, nr_bits) __rel_dynamic_array(unsigned long, item, -1)
+
++#undef __rel_sockaddr
++#define __rel_sockaddr(field, len) __rel_dynamic_array(u8, field, len)
++
+ #undef DECLARE_EVENT_CLASS
+ #define DECLARE_EVENT_CLASS(call, proto, args, tstruct, func, print) \
+ static struct trace_event_fields trace_event_fields_##call[] = { \
+@@ -626,6 +650,12 @@ static struct trace_event_fields trace_event_fields_##call[] = { \
+ #define __rel_bitmask(item, nr_bits) __rel_dynamic_array(unsigned long, item, \
+ __bitmask_size_in_longs(nr_bits))
+
++#undef __sockaddr
++#define __sockaddr(field, len) __dynamic_array(u8, field, len)
++
++#undef __rel_sockaddr
++#define __rel_sockaddr(field, len) __rel_dynamic_array(u8, field, len)
++
+ #undef DECLARE_EVENT_CLASS
+ #define DECLARE_EVENT_CLASS(call, proto, args, tstruct, assign, print) \
+ static inline notrace int trace_event_get_offsets_##call( \
+@@ -790,6 +820,15 @@ static inline notrace int trace_event_get_offsets_##call( \
+ #define __assign_bitmask(dst, src, nr_bits) \
+ memcpy(__get_bitmask(dst), (src), __bitmask_size_in_bytes(nr_bits))
+
++#undef __sockaddr
++#define __sockaddr(field, len) __dynamic_array(u8, field, len)
++
++#undef __get_sockaddr
++#define __get_sockaddr(field) ((struct sockaddr *)__get_dynamic_array(field))
++
++#define __assign_sockaddr(dest, src, len) \
++ memcpy(__get_dynamic_array(dest), src, len)
++
+ #undef __rel_dynamic_array
+ #define __rel_dynamic_array(type, item, len) \
+ __entry->__rel_loc_##item = __data_offsets.item;
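Review bot: `__assign_sockaddr(dest, src, len)` takes its own `len`, independent of the one given to `__sockaddr()` when the field was sized, so a caller that passes different values gets a memcpy that overruns or underfills the record. The commit message's "when used properly" is the only statement of that contract. I would document it at the macro, e.g. `/* len must be the same expression passed to __sockaddr() for this field */`, and likewise on `__assign_rel_sockaddr()` in the later hunk. For consistency with `__assign_bitmask()` directly above, which writes `(src)`, the arguments should also be parenthesised: `memcpy(__get_dynamic_array(dest), (src), (len))`.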
+@@ -821,6 +860,16 @@ static inline notrace int trace_event_get_offsets_##call( \
+ #define __assign_rel_bitmask(dst, src, nr_bits) \
+ memcpy(__get_rel_bitmask(dst), (src), __bitmask_size_in_bytes(nr_bits))
+
++#undef __rel_sockaddr
++#define __rel_sockaddr(field, len) __rel_dynamic_array(u8, field, len)
++
++#undef __get_rel_sockaddr
++#define __get_rel_sockaddr(field) ((struct sockaddr *)__get_rel_dynamic_array(field))
++
++#define __assign_rel_sockaddr(dest, src, len) \
++ memcpy(__get_rel_dynamic_array(dest), src, len)
++
++
+ #undef TP_fast_assign
+ #define TP_fast_assign(args...) args
+
+@@ -885,10 +934,12 @@ static inline void ftrace_test_probe_##call(void) \
+ #undef __get_dynamic_array_len
+ #undef __get_str
+ #undef __get_bitmask
++#undef __get_sockaddr
+ #undef __get_rel_dynamic_array
+ #undef __get_rel_dynamic_array_len
+ #undef __get_rel_str
+ #undef __get_rel_bitmask
++#undef __get_rel_sockaddr
+ #undef __print_array
+ #undef __print_hex_dump
+
+--
+2.39.2
+
--- /dev/null
+From f3413cb1f7f02373df675f5b49d34ad269d059b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Feb 2023 15:37:38 +0200
+Subject: virtio-net: Maintain reverse cleanup order
+
+From: Parav Pandit <parav@nvidia.com>
+
+[ Upstream commit 27369c9c2b722617063d6b80c758ab153f1d95d4 ]
+
+To easily audit the code, better to keep the device stop()
+sequence to be mirror of the device open() sequence.
+
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 5306623a9826 ("virtio_net: Fix error unwinding of XDP initialization")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 9f2d691908b42..cdd28a11f5191 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1999,9 +1999,9 @@ static int virtnet_close(struct net_device *dev)
+ cancel_delayed_work_sync(&vi->refill);
+
+ for (i = 0; i < vi->max_queue_pairs; i++) {
++ virtnet_napi_tx_disable(&vi->sq[i].napi);
+ napi_disable(&vi->rq[i].napi);
+ xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq);
+- virtnet_napi_tx_disable(&vi->sq[i].napi);
+ }
+
+ return 0;
+--
+2.39.2
+
--- /dev/null
+From 1ceb6ef84868e38afc467808eae62a0f94feb781 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 11:18:12 -0400
+Subject: virtio_net: Fix error unwinding of XDP initialization
+
+From: Feng Liu <feliu@nvidia.com>
+
+[ Upstream commit 5306623a9826aa7d63b32c6a3803c798a765474d ]
+
+When initializing XDP in virtnet_open(), some rq xdp initialization
+may hit an error causing net device open failed. However, previous
+rqs have already initialized XDP and enabled NAPI, which is not the
+expected behavior. Need to roll back the previous rq initialization
+to avoid leaks in error unwinding of init code.
+
+Also extract helper functions of disable and enable queue pairs.
+Use newly introduced disable helper function in error unwinding and
+virtnet_close. Use enable helper function in virtnet_open.
+
+Fixes: 754b8a21a96d ("virtio_net: setup xdp_rxq_info")
+Signed-off-by: Feng Liu <feliu@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: William Tu <witu@nvidia.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 61 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 44 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index cdd28a11f5191..0351f86494f16 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1604,6 +1604,38 @@ static int virtnet_poll(struct napi_struct *napi, int budget)
+ return received;
+ }
+
++static void virtnet_disable_queue_pair(struct virtnet_info *vi, int qp_index)
++{
++ virtnet_napi_tx_disable(&vi->sq[qp_index].napi);
++ napi_disable(&vi->rq[qp_index].napi);
++ xdp_rxq_info_unreg(&vi->rq[qp_index].xdp_rxq);
++}
++
++static int virtnet_enable_queue_pair(struct virtnet_info *vi, int qp_index)
++{
++ struct net_device *dev = vi->dev;
++ int err;
++
++ err = xdp_rxq_info_reg(&vi->rq[qp_index].xdp_rxq, dev, qp_index,
++ vi->rq[qp_index].napi.napi_id);
++ if (err < 0)
++ return err;
++
++ err = xdp_rxq_info_reg_mem_model(&vi->rq[qp_index].xdp_rxq,
++ MEM_TYPE_PAGE_SHARED, NULL);
++ if (err < 0)
++ goto err_xdp_reg_mem_model;
++
++ virtnet_napi_enable(vi->rq[qp_index].vq, &vi->rq[qp_index].napi);
++ virtnet_napi_tx_enable(vi, vi->sq[qp_index].vq, &vi->sq[qp_index].napi);
++
++ return 0;
++
++err_xdp_reg_mem_model:
++ xdp_rxq_info_unreg(&vi->rq[qp_index].xdp_rxq);
++ return err;
++}
++
+ static int virtnet_open(struct net_device *dev)
+ {
+ struct virtnet_info *vi = netdev_priv(dev);
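Review bot: `virtnet_disable_queue_pair()` has no comment stating its precondition. It calls `napi_disable()` and `xdp_rxq_info_unreg()` unconditionally, so it is only safe for a pair that `virtnet_enable_queue_pair()` brought up completely. The unwind loop added to `virtnet_open()` in the next hunk relies on this by starting at `i - 1`, and it also relies on `i` being a signed type, whose declaration is outside the hunk. I would add `/* Must only be called for a queue pair that virtnet_enable_queue_pair() succeeded on. */` above the helper.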
+@@ -1617,22 +1649,20 @@ static int virtnet_open(struct net_device *dev)
+ if (!try_fill_recv(vi, &vi->rq[i], GFP_KERNEL))
+ schedule_delayed_work(&vi->refill, 0);
+
+- err = xdp_rxq_info_reg(&vi->rq[i].xdp_rxq, dev, i, vi->rq[i].napi.napi_id);
++ err = virtnet_enable_queue_pair(vi, i);
+ if (err < 0)
+- return err;
+-
+- err = xdp_rxq_info_reg_mem_model(&vi->rq[i].xdp_rxq,
+- MEM_TYPE_PAGE_SHARED, NULL);
+- if (err < 0) {
+- xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq);
+- return err;
+- }
+-
+- virtnet_napi_enable(vi->rq[i].vq, &vi->rq[i].napi);
+- virtnet_napi_tx_enable(vi, vi->sq[i].vq, &vi->sq[i].napi);
++ goto err_enable_qp;
+ }
+
+ return 0;
++
++err_enable_qp:
++ disable_delayed_refill(vi);
++ cancel_delayed_work_sync(&vi->refill);
++
++ for (i--; i >= 0; i--)
++ virtnet_disable_queue_pair(vi, i);
++ return err;
+ }
+
+ static int virtnet_poll_tx(struct napi_struct *napi, int budget)
+@@ -1998,11 +2028,8 @@ static int virtnet_close(struct net_device *dev)
+ /* Make sure refill_work doesn't re-enable napi! */
+ cancel_delayed_work_sync(&vi->refill);
+
+- for (i = 0; i < vi->max_queue_pairs; i++) {
+- virtnet_napi_tx_disable(&vi->sq[i].napi);
+- napi_disable(&vi->rq[i].napi);
+- xdp_rxq_info_unreg(&vi->rq[i].xdp_rxq);
+- }
++ for (i = 0; i < vi->max_queue_pairs; i++)
++ virtnet_disable_queue_pair(vi, i);
+
+ return 0;
+ }
+--
+2.39.2
+
--- /dev/null
+From b8372aca1d7cdace021b185998d85afa5f3dde93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 14:23:42 +0000
+Subject: vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit dacab578c7c6cd06c50c89dfa36b0e0f10decd4e ]
+
+syzbot triggered the following splat [1], sending an empty message
+through pppoe_sendmsg().
+
+When VLAN_FLAG_REORDER_HDR flag is set, vlan_dev_hard_header()
+does not push extra bytes for the VLAN header, because vlan is offloaded.
+
+Unfortunately vlan_dev_hard_start_xmit() first reads veth->h_vlan_proto
+before testing (vlan->flags & VLAN_FLAG_REORDER_HDR).
+
+We need to swap the two conditions.
+
+[1]
+BUG: KMSAN: uninit-value in vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111
+vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111
+__netdev_start_xmit include/linux/netdevice.h:4883 [inline]
+netdev_start_xmit include/linux/netdevice.h:4897 [inline]
+xmit_one net/core/dev.c:3580 [inline]
+dev_hard_start_xmit+0x253/0xa20 net/core/dev.c:3596
+__dev_queue_xmit+0x3c7f/0x5ac0 net/core/dev.c:4246
+dev_queue_xmit include/linux/netdevice.h:3053 [inline]
+pppoe_sendmsg+0xa93/0xb80 drivers/net/ppp/pppoe.c:900
+sock_sendmsg_nosec net/socket.c:724 [inline]
+sock_sendmsg net/socket.c:747 [inline]
+____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
+___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
+__sys_sendmmsg+0x411/0xa50 net/socket.c:2641
+__do_sys_sendmmsg net/socket.c:2670 [inline]
+__se_sys_sendmmsg net/socket.c:2667 [inline]
+__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Uninit was created at:
+slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:774
+slab_alloc_node mm/slub.c:3452 [inline]
+kmem_cache_alloc_node+0x543/0xab0 mm/slub.c:3497
+kmalloc_reserve+0x148/0x470 net/core/skbuff.c:520
+__alloc_skb+0x3a7/0x850 net/core/skbuff.c:606
+alloc_skb include/linux/skbuff.h:1277 [inline]
+sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2583
+pppoe_sendmsg+0x3af/0xb80 drivers/net/ppp/pppoe.c:867
+sock_sendmsg_nosec net/socket.c:724 [inline]
+sock_sendmsg net/socket.c:747 [inline]
+____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
+___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
+__sys_sendmmsg+0x411/0xa50 net/socket.c:2641
+__do_sys_sendmmsg net/socket.c:2670 [inline]
+__se_sys_sendmmsg net/socket.c:2667 [inline]
+__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+CPU: 0 PID: 29770 Comm: syz-executor.0 Not tainted 6.3.0-rc6-syzkaller-gc478e5b17829 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/8021q/vlan_dev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
+index b6d456c7952ed..3d0f0d0a323b5 100644
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -108,8 +108,8 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,
+ * NOTE: THIS ASSUMES DIX ETHERNET, SPECIFICALLY NOT SUPPORTING
+ * OTHER THINGS LIKE FDDI/TokenRing/802.3 SNAPs...
+ */
+- if (veth->h_vlan_proto != vlan->vlan_proto ||
+- vlan->flags & VLAN_FLAG_REORDER_HDR) {
++ if (vlan->flags & VLAN_FLAG_REORDER_HDR ||
++ veth->h_vlan_proto != vlan->vlan_proto) {
+ u16 vlan_tci;
+ vlan_tci = vlan->vlan_id;
+ vlan_tci |= vlan_dev_get_egress_qos_mask(dev, skb->priority);
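Review bot: The reordered condition depends on `||` short-circuiting to keep `veth->h_vlan_proto` from being read when `VLAN_FLAG_REORDER_HDR` is set, and nothing at the `if` says so, so a later cleanup could swap the operands back. A short comment before the `if` would pin it, e.g. `/* Test the flag first: with REORDER_HDR no VLAN header was pushed, so veth may point at uninitialized data. */`. When the flag is clear, the header field is still read without a length check visible here. Whether the skb is guaranteed to hold a full VLAN header on that path is decided outside this hunk and is worth confirming.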
+--
+2.39.2
+
--- /dev/null
+From d18e48b4e6fd2e050553a0fe0f3ea3246f5b94aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 May 2023 19:34:30 +0800
+Subject: vsock: avoid to close connected socket after the timeout
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zhuang Shengen <zhuangshengen@huawei.com>
+
+[ Upstream commit 6d4486efe9c69626cab423456169e250a5cd3af5 ]
+
+When client and server establish a connection through vsock,
+the client send a request to the server to initiate the connection,
+then start a timer to wait for the server's response. When the server's
+RESPONSE message arrives, the timer also times out and exits. The
+server's RESPONSE message is processed first, and the connection is
+established. However, the client's timer also times out, the original
+processing logic of the client is to directly set the state of this vsock
+to CLOSE and return ETIMEDOUT. It will not notify the server when the port
+is released, causing the server port remain.
+when client's vsock_connect timeout,it should check sk state is
+ESTABLISHED or not. if sk state is ESTABLISHED, it means the connection
+is established, the client should not set the sk state to CLOSE
+
+Note: I encountered this issue on kernel-4.18, which can be fixed by
+this patch. Then I checked the latest code in the community
+and found similar issue.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Zhuang Shengen <zhuangshengen@huawei.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index dc36a46ce0e75..9a65a2f195853 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1415,7 +1415,7 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr,
+ vsock_transport_cancel_pkt(vsk);
+ vsock_remove_connected(vsk);
+ goto out_wait;
+- } else if (timeout == 0) {
++ } else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) {
+ err = -ETIMEDOUT;
+ sk->sk_state = TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
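Review bot: The new `else if` gives no hint why an expired timeout is ignored when the socket is already `TCP_ESTABLISHED`. Per the commit message, this is the case where the RESPONSE is processed just as the timer runs out. A comment such as `/* The connection may have completed as the timer expired; only fail if it did not. */` would spare the next reader a trip to the changelog. The doubled parentheses are also unnecessary: `} else if (timeout == 0 && sk->sk_state != TCP_ESTABLISHED) {`. The surrounding wait loop in `vsock_connect()` is outside the hunk, so the fall-through for the established case could not be checked here.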
+--
+2.39.2
+
--- /dev/null
+From 3b9eb119a696238ce4d688321bfa7e93735ced06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 12:15:53 +0300
+Subject: wifi: iwlwifi: mvm: don't trust firmware n_channels
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 682b6dc29d98e857e6ca4bbc077c7dc2899b7473 ]
+
+If the firmware sends us a corrupted MCC response with
+n_channels much larger than the command response can be,
+we might copy far too much (uninitialized) memory and
+even crash if the n_channels is large enough to make it
+run out of the one page allocated for the FW response.
+
+Fix that by checking the lengths. Doing a < comparison
+would be sufficient, but the firmware should be doing
+it correctly, so check more strictly.
+
+Fixes: dcaf9f5ecb6f ("iwlwifi: mvm: add MCC update FW API")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230514120631.d7b233139eb4.I51fd319df8e9d41881fc8450e83d78049518a79a@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/nvm.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
+index da705fcaf0fcc..8a9732b5b9652 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
+@@ -445,6 +445,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2,
+ struct iwl_mcc_update_resp *mcc_resp = (void *)pkt->data;
+
+ n_channels = __le32_to_cpu(mcc_resp->n_channels);
++ if (iwl_rx_packet_payload_len(pkt) !=
++ struct_size(mcc_resp, channels, n_channels)) {
++ resp_cp = ERR_PTR(-EINVAL);
++ goto exit;
++ }
+ resp_len = sizeof(struct iwl_mcc_update_resp) +
+ n_channels * sizeof(__le32);
+ resp_cp = kmemdup(mcc_resp, resp_len, GFP_KERNEL);
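Review bot: The length check and the copy size come from two separate expressions: `struct_size(mcc_resp, channels, n_channels)` in the new test, and the hand-written `sizeof(struct iwl_mcc_update_resp) + n_channels * sizeof(__le32)` kept for `resp_len`. Computing it once, `resp_len = struct_size(mcc_resp, channels, n_channels);` followed by `if (iwl_rx_packet_payload_len(pkt) != resp_len) {`, keeps the validated size and the `kmemdup()` size from drifting apart. `resp_len` is declared outside the hunk, so its type should be checked first. The rejection path is also silent, and a malformed firmware response is worth an error log before `goto exit` so it shows up in diagnostics. In the v3 branch (next hunk) the two sizes refer to different structs, so only the logging point applies there.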
+@@ -456,6 +461,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2,
+ struct iwl_mcc_update_resp_v3 *mcc_resp_v3 = (void *)pkt->data;
+
+ n_channels = __le32_to_cpu(mcc_resp_v3->n_channels);
++ if (iwl_rx_packet_payload_len(pkt) !=
++ struct_size(mcc_resp_v3, channels, n_channels)) {
++ resp_cp = ERR_PTR(-EINVAL);
++ goto exit;
++ }
+ resp_len = sizeof(struct iwl_mcc_update_resp) +
+ n_channels * sizeof(__le32);
+ resp_cp = kzalloc(resp_len, GFP_KERNEL);
+--
+2.39.2
+
--- /dev/null
+From 47acb7693fb09cf7fa48728b0588ba3fae339000 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 May 2023 12:15:46 +0300
+Subject: wifi: iwlwifi: mvm: fix cancel_delayed_work_sync() deadlock
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit c2d8b7f257b2398f2d866205365895e038beca12 ]
+
+Lockdep points out that we can deadlock here by calling
+cancel_delayed_work_sync() because that might be already
+running and gotten interrupted by the NAPI soft-IRQ.
+Even just calling something that can sleep is wrong in
+this context though.
+
+Luckily, it doesn't even really matter since the things
+we need to do are idempotent, so just drop the _sync().
+
+Fixes: e5d153ec54f0 ("iwlwifi: mvm: fix CSA AP side")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230514120631.b1813c823b4d.I9d20cc06d24fa40b6774d3dd95ea5e2bf8dd015b@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+index efccdd3f33773..49c28c96fdf28 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+@@ -1907,7 +1907,7 @@ void iwl_mvm_rx_mpdu_mq(struct iwl_mvm *mvm, struct napi_struct *napi,
+ RCU_INIT_POINTER(mvm->csa_tx_blocked_vif, NULL);
+ /* Unblock BCAST / MCAST station */
+ iwl_mvm_modify_all_sta_disable_tx(mvm, mvmvif, false);
+- cancel_delayed_work_sync(&mvm->cs_tx_unblock_dwork);
++ cancel_delayed_work(&mvm->cs_tx_unblock_dwork);
+ }
+ }
+
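Review bot: `cancel_delayed_work()` does not wait for a handler that is already running, so `cs_tx_unblock_dwork` can still execute concurrently with or after this path. The commit message argues this is harmless because the work is idempotent, but the code carries no trace of that reasoning. I would add a comment on the call, e.g. `/* not _sync: we are in NAPI softirq context and must not sleep; the work is idempotent */`. The rest of `iwl_mvm_rx_mpdu_mq()` is outside the hunk.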
+--
+2.39.2
+
--- /dev/null
+From 1e73b823af439b242706d02393d9d4424138dc62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 May 2023 16:45:01 +0300
+Subject: wifi: mac80211: fix min center freq offset tracing
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 248e4776514bf70236e6b1a54c65aa5324c8b1eb ]
+
+We need to set the correct trace variable, otherwise we're
+overwriting something else instead and the right one that
+we print later is not initialized.
+
+Fixes: b6011960f392 ("mac80211: handle channel frequency offset")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230504134511.828474-2-gregory.greenman@intel.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/trace.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/trace.h b/net/mac80211/trace.h
+index 9e8381bef7ed8..8a9b62f6e9236 100644
+--- a/net/mac80211/trace.h
++++ b/net/mac80211/trace.h
+@@ -67,7 +67,7 @@
+ __entry->min_freq_offset = (c)->chan ? (c)->chan->freq_offset : 0; \
+ __entry->min_chan_width = (c)->width; \
+ __entry->min_center_freq1 = (c)->center_freq1; \
+- __entry->freq1_offset = (c)->freq1_offset; \
++ __entry->min_freq1_offset = (c)->freq1_offset; \
+ __entry->min_center_freq2 = (c)->center_freq2;
+ #define MIN_CHANDEF_PR_FMT " min_control:%d.%03d MHz min_width:%d min_center: %d.%03d/%d MHz"
+ #define MIN_CHANDEF_PR_ARG __entry->min_control_freq, __entry->min_freq_offset, \
+--
+2.39.2
+
--- /dev/null
+From 520d80e7d916248142c4389011e8b59d6a46b213 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Apr 2023 15:12:16 +0200
+Subject: xfrm: don't check the default policy if the policy allows the packet
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 430cac487400494c19a8b85299e979bb07b4671f ]
+
+The current code doesn't let a simple "allow" policy counteract a
+default policy blocking all incoming packets:
+
+ ip x p setdefault in block
+ ip x p a src 192.168.2.1/32 dst 192.168.2.2/32 dir in action allow
+
+At this stage, we have an allow policy (with or without transforms)
+for this packet. It doesn't matter what the default policy says, since
+the policy we looked up lets the packet through. The case of a
+blocking policy is already handled separately, so we can remove this
+check.
+
+Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_policy.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 0540e9f72b2fe..37eeda0f123cd 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3636,12 +3636,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+ }
+ xfrm_nr = ti;
+
+- if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK &&
+- !xfrm_nr) {
+- XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES);
+- goto reject;
+- }
+-
+ if (npols > 1) {
+ xfrm_tmpl_sort(stp, tpp, xfrm_nr, family);
+ tpp = stp;
+--
+2.39.2
+